Password Security Policies – Part 3 – Manage the Mobile Morass

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don’t need to take up much time, either, especially once your policies and procedures are in place. Here is the last post of a three-part series – managing your mobile devices.

7. Use a device-lock app. The mobile era has compounded the potential security threats inherent in password breaches. A lost or stolen device, for starters, can become a nightmare for the unprepared SMB. Begin by requiring–or at least strongly encouraging–staff to use a device-lock feature or app. Set it to time out automatically at one minute or less of inactivity.

8. Don’t jailbreak or root phones. This one’s likely to be a particular concern for SMBs that encourage employees to bring their own device to work. Users who jailbreak their iPhone or root their Android device could be bringing increased security risks onto the corporate network. Consider a policy restriction that bans such devices for company use.

9. Fully exit apps. Slain recommends that users sign out of and exit business apps when not in use rather than leaving them running in the background. That sounds easy, but on some phones and operating systems it involves more than just closing the app. iPhone users must double-click the bottom button, find the app in the list, tap its icon, and then tap the minus sign that appears.

Password Security Policies – Part 2 – Go Beyond Basics

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don’t need to take up much time, either, especially once your policies and procedures are in place. Here is the second part of this series – going beyond the basics.

4. Double down on email accounts. Too many SMBs get lazy with their email passwords, leading to larger-scale problems. Email credentials are the holy grail for thieves, particularly for online applications that use the ubiquitous “Forgot Password” feature. When a hacker gains control of employee email credentials, it can turn into an all-you-can-eat data buffet–particularly if those credentials were reused across other systems. Email breaches can also lead to increased spear phishing and social engineering risks. Treat email with a similar level of caution as bank and other high-risk accounts.

5. Restrict application settings. Particularly for online and mobile applications, it’s a good idea to modify security and privacy settings to the most locked-down options. Be leery of new applications and consider using a secondary email address outside of the corporate system when testing or signing up for new online tools.

6. Consider a password wallet. One password pitfall common inside SMB offices is found in password sharing among workgroups and team members. This can lead to weak security habits, both of the analog (Post-it Notes on the monitor, yelling passwords over the cubicle wall) and digital variety (passwords shared via email, IM, and related means). A password manager or wallet application built specifically for teams can automate and secure credentials for systems that require multi-party access. That way it’s easy to organize all of your different corporate passwords, keep them changed, and make sure everyone knows what those changes are.

next up – Manage the Mobile Morass

Password Security Policies – Part 1 – Refresh the Fundamentals

A state-of-the-art security system won’t much matter if a hacker gets a hold of an employee’s password. That’s much more likely to happen if you take a laissez-faire approach–or none at all–to creating and protecting passwords.

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don’t need to take up much time, either, especially once your policies and procedures are in place.

1. Use complex passwords. That means a case-sensitive combination of letters, numbers, and special characters–at least eight characters in total. Use memorable phrases broken up by spaces, special characters, and/or numbers. Those can create pretty robust passwords that are a lot easier to remember.

2. Don’t reuse passwords. This one’s a must, yet it remains a common danger. Employees who use the same password across multiple systems–often both professional and personal–to keep things simple can turn a minor, isolated issue into a major security breach.

Unique passwords help stop the bleeding much faster if a password is leaked or stolen–otherwise access to a Twitter account can suddenly turn into bank accounts, health information, customer databases, and other sensitive areas. The bare minimum practice should be to not re-use credentials for sensitive applications such as financial information across less sensitive–and often less secure–areas such as a blog publishing tool.

3. Change passwords regularly. It’s the last piece of the holy trinity: Change your virtual locks regularly to further minimize risks. Slain recommends updating credentials at least every 60 days; better yet, do it every 30.
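As an added example (not code from the article or its source), here is one way an SMB could encode the three rules above as automated checks for a password-change form or helpdesk script. The thresholds (eight characters, 60 days) come from the article; treating a space as a qualifying special character, salted PBKDF2-SHA256 for the stored password history, and the 200,000-round work factor are my assumptions.

```python
# Added example: the article's three rules (complexity, no reuse, regular
# rotation) as checks a password-change screen or helpdesk script could run.
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8           # rule 1: at least eight characters
MAX_AGE_DAYS = 60        # rule 3: the article's minimum; 30 is its preferred value
PBKDF2_ROUNDS = 200_000  # assumption: work factor for the stored password history

def complexity_problems(password: str) -> List[str]:
    """Rule 1: return the requirements the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    # Assumption: a space counts as a separator, so passphrases with spaces qualify.
    if not any(c == " " or c in string.punctuation for c in password):
        problems.append("needs a special character or space")
    return problems

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so the history never holds plaintext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def is_reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Rule 2: recompute with each old salt and compare in constant time."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)

def is_expired(last_changed: datetime, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Rule 3: True once the password is older than the allowed age."""
    return now - last_changed > timedelta(days=max_age_days)

def validate_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Everything a password-change screen should reject, collected in one list."""
    problems = complexity_problems(password)
    if is_reused(password, history):
        problems.append("was used before; pick a new one")
    return problems

if __name__ == "__main__":
    # Constructed sample: one previous password in the history, then three candidates.
    history = [hash_password("Old Passphrase 1!")]
    for candidate in ("Old Passphrase 1!", "password", "Correct Horse 9!"):
        print(repr(candidate), validate_new_password(candidate, history) or "OK")
```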

next up – Go Beyond the Basics

Uncle Sam Can Demand You Decrypt Laptop

A Colorado woman argued that surrendering her full-disk encryption password would violate her Fifth Amendment right against self-incrimination, but a judge disagreed.

A judge has ruled that a Colorado woman accused by federal authorities of real estate fraud must surrender a copy of her laptop’s hard drive to prosecutors, even though the drive is protected with full-disk encryption software.

FBI agents had seized three desktops and three laptops during a search of the house where Fricosu was living with her mother and two children. Only one of the computers, a Toshiba Satellite M305 laptop, was protected by full-disk encryption, and agents couldn’t access its contents. Accordingly, prosecutors sought a warrant to search the computer, based on evidence that Fricosu owned it.

Antivirus programmer turned Kelihos botnet hacker

Several months ago, Microsoft and its partners took offline a massive spam operation, the Kelihos botnet, which had been sending 3.8 billion spam emails a day for some time. What you should know, and perhaps much more importantly, is this: the creator and controller of that spam factory was a former employee of several antivirus firms.

Andrey N. Sabelnikov from the Russian Federation worked most notably with antivirus vendor Agnitum. Once he began his work on the Kelihos operation, he embedded debug code into the source of the virus that then allowed the software to download and install the Kelihos machinery. It is undoubtedly clear that he acquired his know-how at the very firms he had worked for in the past, whose main goal is to do away with the kind of viruses he went on to distribute. His LinkedIn page also noted that he’d worked for security vendor Returnil between 2008 and 2011, his stint with Agnitum taking place between 2005 and 2008.

How many hackers do you think studied with the protection agencies they’d hope to bypass in the future? Imagine the ease!

Megaupload Bust Causes Cyberlocker Panic

No longer will we be able to host a large file somewhere for free and have someone else download it.

Actually, it’s not quite so dire, but it’s true that a number of major file hosts have either shut down, closed part of their service, or changed the way they operate. It’s not the first time that file-sharing tools have received a shock to the system, though, and this little contraction is less the end of an era and more a winnowing of the herd. That’s a good thing.

A few sites have been tracking the changes and shutdowns. At Fileserve and Filesonic you can only download items you’ve uploaded yourself. Sites like Filejungle, 4shared, and Uploadstation are deleting premium accounts and affiliate programs. Uploaded.to has banned all US IP addresses. And the list goes on. There are dozens, some taking more serious actions than others. TorrentFreak has been keeping track, and the ever-zealous commenters there are full of information as well.

Services that have operated more cautiously from the beginning, such as Yousendit and Mediafire, aren’t feeling the heat. The restrictions they’ve placed on their service, and their more rigorous attention to policing copyright infringement, mean that they can go on as they have done for years. It’s sites that have built a model with sharing as the currency that are spooked. That just means that this model is done for. It was never going to last forever. Neither did Napster.

Symantec Confirms Norton AV Source Code Exposed

An unidentified hacker, going by the handle YamaTough, appears to have source code for the 2006 version of Symantec’s Norton antivirus product.

Symantec’s response has been the following:

“Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity.”

“We are still gathering information on the details and are not in a position to provide specifics on the third party involved.”

“Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time.”

“However, Symantec is working to develop a remediation process to ensure long-term protection for our customers’ information. We will communicate that process once the steps have been finalized.”

“Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

Though the code is for an older version of the Norton antivirus product, the impact of the exposure is still undetermined, and several questions remain:

• As the file provided to Symantec was merely a sample of the material YamaTough claimed to be in possession of, is there any assurance that code for more recent editions has not been compromised as well?

• What was the “third party” – presumably some entity related to the Indian government – doing in possession of the source code for the Symantec product?

• How much information would source code from 2006 provide to malware authors assuming that the entire product has not been reinvented from scratch since the time this code was produced?

Stay tuned for more as this story develops into what could be one of the biggest data loss events of 2012, and this less than one week into the new year.

Microsoft Finally Says Goodbye to IE 6 in the U.S.

The company has for years literally begged consumers to update older versions of Internet Explorer, warning that doing so would reduce the (high) risk of acquiring viruses and other malware. The company even just recently introduced a feature in Windows Update that will automatically update Internet Explorer, seemingly pushing users into staying current rather than ignoring browser revisions and risking infection.

But now the company’s employees are seemingly dancing in the streets, as the official U.S.-based Internet Explorer 6 numbers have rolled in, and they report well below 1 percent. Worldwide, the number still hovers just below 8 percent as of December 2011, with China serving as the biggest IE6 offender followed by South Korea and Japan. Norway has the fewest IE6 users, followed by Finland and the United States.

For the record, Internet Explorer 9.0.8112.16421 is the latest official release from Microsoft as of this writing.

Microsoft’s Dumbest And Smartest Moves Of 2011

The past year was one of highs and lows for the world’s biggest software company. Here are seven reasons why.

Microsoft’s struggle to adapt to a computing market in which the PC is taking a back seat to tablets and smartphones is well known, and much of the company’s troubles of late have arisen directly from that market shift. But don’t count Redmond out just yet–it had some solid wins in 2011. There were also a number of clunkers. Here’s a look at 7 of Microsoft’s dumbest and smartest moves of the past year.

1. Skype buy (Smart). Microsoft announced in May that it had reached a deal to acquire Skype for $8.5 billion. Why was that smart? Skype’s VoIP tools and services will add simple, widely used video chat features to a whole host of Microsoft’s products, including Office and Office 365, Windows Phone, and Xbox, and, in the future, Windows 8 tablets. That could give Microsoft a leg up on rivals like Google and Apple that, going forward, might even have to pay Redmond for the right to use Skype on some of their platforms.

2. Still no tablets (Dumb). If the current holiday shopping season has proven anything, it’s that 2011 is the year of the tablet. Market data shows that the hottest gifts under the tree this year will be touch-powered slates from the likes of Apple, Android OEMs, and Amazon and its Kindle Fire. As for Microsoft? It’s still talking about tablets in the future tense. The company’s tablet strategy is closely linked to the touch-friendly Windows 8, which may not see daylight until late next year or even until 2013. By then it may be too late to join the party.

3. Kinect for Windows (Smart). With PCs taking a backseat to tablets and smartphones, Microsoft needs to find a way to reinvigorate its core Windows franchise. It may have just the thing in tools that will allow developers to port Kinect apps from the Xbox to the PC. Kinect on Windows machines promises a number of new applications, from entertainment to manufacturing to healthcare. Some developers at the University of Washington are already using the technology to create systems that will allow physicians to operate miniaturized surgical equipment through hand gestures.

4. Killed Zune (Smart and Dumb). Microsoft officially put its long-suffering Zune franchise out of its misery in October. That was smart because Zune had become an also-ran in the MP3 music player category, and as a brand did not fit with Microsoft’s new mobile strategy, which is based around Windows Phone 7. The dumb part? That it took so long–Zune has been on life support for years and should have been scrapped long ago.

5. Office 365 launch (Smart). With cities like Los Angeles and Washington, D.C. moving their desktops to Google Apps, Microsoft needed to respond to its rival’s cloud-based offerings. It did so with Office 365, which launched in June. Office 365 features cloud-based versions of familiar Microsoft productivity and communications tools. It includes access to Office Professional Plus, Exchange Online, SharePoint Online, Lync Online, and Office Web Apps. Plans start at $6 per user, per month, making the offering competitive with Google’s Google Apps service, which includes online email, productivity apps, and calendaring starting at $5 per user, per month. Key Office 365 customer wins to date include Hendrick Automotive Group.

6. Billions To Nokia (Dumb). Microsoft and Nokia earlier this year struck a deal under which the Finnish handset maker will ditch Symbian and use Windows Phone as the default OS on virtually all its mobile devices. On the surface, it’s a good deal for Microsoft, given that Nokia still ships more phones worldwide than any other manufacturer. But it turns out that Microsoft will actually pay Nokia billions of dollars to use Windows Phone. Don’t OEMs usually pay for the right to use software, not the other way around?

7. SUSE Linux deal (Smart). Microsoft in July announced that it would extend an agreement under which it purchases “certificates” for SUSE Linux support and services and resells them at a markup to Windows customers that operate in hybrid environments. Microsoft, which claims Linux violates its patents, also pledges not to sue certificate holders for infringement. The arrangement allows the company to profit from its claims on Linux without angering customers.

80 Percent of All Phones Vulnerable to Hijack Scams, Security Expert Says

A vulnerability in a widely used wireless technology could allow hackers to gain remote control of phones and instruct them to send text messages or make calls, according to an expert on mobile phone security.

They could use the vulnerability in the GSM network technology, which is used by billions of people in about 80 percent of the global mobile market, to make calls or send texts to expensive, premium phone and messaging services in scams, said Karsten Nohl, head of Germany’s Security Research Labs.

Similar attacks against a small number of smartphones have been done before, but the new attack could expose any cellphone using GSM technology.

“We can do it to hundreds of thousands of phones in a short timeframe,” Nohl told Reuters in advance of a presentation at a hacking convention in Berlin on Tuesday.