Password Security Policies – Part 3 – Manage the Mobile Morass

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: smart password practices require next to no budget. They don’t need to take up much time, either, once your policies and procedures are in place. Here is the last part of this three-part series – managing your mobile devices.

7. Use a device-lock app. The mobile era has compounded the security threats that follow from a password breach. A lost or stolen device can quickly become a nightmare for the unprepared SMB. Begin by requiring, or at least strongly encouraging, staff to use a device-lock feature or app, and set it to lock automatically after one minute or less of inactivity. The lock is only as good as the passcode behind it, so the same rules about complexity and non-reuse apply there too.

8. Don’t jailbreak or root phones. This one is a particular concern for SMBs that let employees bring their own device to work. A jailbroken iPhone or rooted Android device has had the platform’s built-in protections (app sandboxing and code-signing checks) removed, so users who do this can bring increased security risk onto the corporate network. Consider a policy that bans such devices for company use.

9. Fully exit apps. Slain recommends that users sign out of and exit business apps when they are not in use rather than leaving them running in the background. That sounds easy but sometimes involves more than just closing the app, depending on the phone and its operating system. On the iPhone, for example, users must double-click the Home button, find the app in the list that appears, press and hold its icon, and then tap the minus sign that appears.


Password Security Policies – Part 2 – Go Beyond Basics

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: smart password practices require next to no budget. They don’t need to take up much time, either, once your policies and procedures are in place. Here is the second part of this series – going beyond the basics.

4. Double down on email accounts. Too many SMBs get lazy with their email passwords, and that leads to larger problems. Email accounts are the holy grail for thieves, particularly because so many online applications offer a “Forgot Password” feature that resets credentials through email. When an attacker gains control of an employee’s email credentials, it can turn into an all-you-can-eat data buffet, especially if those credentials were reused across other systems. Email breaches also raise the risk of spear phishing and social engineering against the rest of the organization. Treat email with the same level of caution as bank and other high-risk accounts.

5. Restrict application settings. Particularly for online and mobile applications, set security and privacy settings to the most locked-down options. Be wary of new applications, and consider using a secondary email address outside the corporate system when testing or signing up for new online tools.

6. Consider a password wallet. One password pitfall common in SMB offices is password sharing among workgroups and team members. This leads to weak habits of both the analog variety (Post-it Notes on the monitor, yelling passwords over the cubicle wall) and the digital variety (passwords shared via email, IM, and similar channels). A password manager or wallet application built for teams can store and control credentials for systems that require multi-party access. That makes it easy to organize all of your corporate passwords, rotate them, and make sure everyone who needs a changed credential gets it without it being copied into email or chat.

next up – Manage the Mobile Morass

Password Security Policies – Part 1 – Refresh the Fundamentals

A state-of-the-art security system won’t matter much if an attacker gets hold of an employee’s password. That is far more likely to happen if you take a laissez-faire approach, or none at all, to creating and protecting passwords.

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don’t need to take up much time, either, especially once your policies and procedures are in place.

1. Use complex passwords. That means a case-sensitive combination of letters, numbers, and special characters, at least eight characters in total. Better still, use a memorable phrase broken up by spaces, special characters, and/or numbers: a passphrase like that is longer, and therefore far more resistant to brute-force guessing, while being much easier to remember than a short random string. Avoid famous quotes, song lyrics, and other phrases that already appear in attackers’ word lists.

2. Don’t reuse passwords. This one is a must, yet it remains a common danger. Employees who use the same password across multiple systems, often both professional and personal, to keep things simple can turn a minor, isolated incident into a major security breach.

Unique passwords stop the bleeding much faster when a password is leaked or stolen; otherwise a compromised Twitter account can suddenly open the door to bank accounts, health information, customer databases, and other sensitive areas. The bare minimum is never to reuse credentials for sensitive applications, such as financial systems, on less sensitive, and often less secure, sites such as a blog publishing tool.

3. Change passwords regularly. It’s the last piece of the holy trinity: change your virtual locks regularly to further reduce risk. Slain recommends updating credentials at least every 60 days; better yet, every 30. Whatever interval you pick, a known or suspected compromise should trigger an immediate change regardless of the schedule.
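As an added illustration of point 1 above (this is not code from the article or from Slain), the following Python script checks a candidate password against the stated policy and estimates how much guessing work each candidate forces on an attacker. The sample passwords and the 7776-word list size are constructed for the example. The keyspace figures are upper bounds that assume the attacker has no better strategy than exhaustive search, which is why the script also computes the much lower figure that applies when a phrase is built from ordinary dictionary words and the attacker guesses words rather than characters.

```python
import math
import re

# Policy stated in the article: at least eight characters, mixing letters,
# numbers and special characters.  Each regex decides whether a password uses
# that character class; the second element is the class size in printable
# ASCII (26 + 26 + 10 + 33 = 95), used for the keyspace estimate.
MIN_LENGTH = 8
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),
}


def meets_policy(password):
    """Return (ok, missing): ok is True when the password satisfies the
    policy; missing lists the requirements it fails, in policy order."""
    missing = []
    if len(password) < MIN_LENGTH:
        missing.append("length>=%d" % MIN_LENGTH)
    for name, (pattern, _size) in CLASSES.items():
        if not pattern.search(password):
            missing.append(name)
    return (not missing, missing)


def brute_force_bits(password):
    """Work for an attacker who knows only which character classes are used
    and tries every string of that length: log2(alphabet ** length)."""
    alphabet = sum(size for pattern, size in CLASSES.values()
                   if pattern.search(password))
    if alphabet == 0:  # empty password: nothing to guess
        return 0.0
    return len(password) * math.log2(alphabet)


def dictionary_bits(word_count, dictionary_size):
    """Work for an attacker who knows the passphrase is word_count words drawn
    from a list of dictionary_size words: log2(dictionary_size ** word_count).
    This is the honest strength of a plain word-based passphrase, and it is
    far lower than brute_force_bits for the same string."""
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed sample passwords; none of these come from the article.
    for candidate in ["password1", "Tr0ub4d&3", "Red kite, 7 lamps"]:
        ok, missing = meets_policy(candidate)
        print("%-20r policy=%s missing=%s brute-force=%.1f bits"
              % (candidate, ok, missing, brute_force_bits(candidate)))
    # A four-word phrase drawn from a 7776-word (Diceware-sized) list, if the
    # attacker guesses whole words instead of characters:
    print("4 words from a 7776-word list: %.1f bits" % dictionary_bits(4, 7776))
```

The comparison is the point: a 17-character phrase with spaces and a digit has a brute-force keyspace of over 100 bits against a nine-character "complex" password's 59, but if the phrase is just four common words its real strength against a word-guessing attacker is only about 52 bits. Separators, a digit, and one uncommon or misspelled word push that figure up while keeping the phrase memorable.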

next up – Go Beyond the Basics

Uncle Sam Can Demand You Decrypt Laptop

A Colorado woman argued that surrendering her full-disk encryption password would violate her Fifth Amendment right against self-incrimination, but a judge disagreed.

A federal judge has ruled that Ramona Fricosu, a Colorado woman accused by federal authorities of real estate fraud, must produce an unencrypted copy of her laptop’s hard drive for prosecutors, even though the drive is protected by full-disk encryption software.

FBI agents had seized three desktop and three laptop computers during a search of the house where Fricosu was living with her mother and two children. Only one of them, a Toshiba Satellite M305 laptop, was protected by full-disk encryption, and agents could not access its contents. Accordingly, prosecutors sought a warrant to search that computer, based on evidence that Fricosu owned it.

Antivirus programmer turned Kelihos botnet hacker

Several months ago Microsoft and its partners took the Kelihos botnet offline, a spam operation that had been sending some 3.8 billion spam emails a day. What you should know, and what matters more, is this: according to Microsoft’s complaint, the controller and creator of that spam factory was a former employee of several antivirus and security firms.

Andrey N. Sabelnikov of the Russian Federation worked most notably for security vendor Agnitum. Once he began work on Kelihos, he embedded debug code in the malware’s source that allowed the software to download and install the Kelihos bot. It seems clear that he got his know-how from the very firms he had worked for, whose business is getting rid of the kind of malware he went on to distribute. His LinkedIn page also noted that he worked for security vendor Returnil between 2008 and 2011, after a stint with Agnitum from 2005 to 2008.

How many attackers, do you think, learned their trade inside the very security companies whose products they later hoped to bypass? Imagine the head start that gives them.

Megaupload Bust Causes Cyberlocker Panic

No longer will we be able to host a large file somewhere for free and have someone else download it.

Actually, it’s not quite so dire, but it is true that a number of major file hosts have shut down, closed part of their service, or changed the way they operate. This is not the first time file-sharing tools have received a shock to the system, and this contraction is less the end of an era than a winnowing of the herd. That’s a good thing.

A few sites have been tracking the changes and shutdowns. At Fileserve and Filesonic you can now only download items you uploaded yourself. Sites like Filejungle, 4shared, and Uploadstation are deleting premium accounts and affiliate programs. Another has banned all US IP addresses. And the list goes on: there are dozens, some taking more serious action than others. TorrentFreak has been keeping track, and the ever-zealous commenters there are full of information as well.

Services that operated more cautiously from the beginning, such as Yousendit and Mediafire, aren’t feeling the heat. The restrictions they placed on their service, and their more rigorous enforcement against copyright infringement, mean they can go on as they have for years. It is the sites that built a model with sharing as the currency that are spooked, and that just means this model is done for. It was never going to last forever. Neither did Napster.

Symantec Confirms Norton AV Source Code Exposed

An unidentified hacker, going by the handle YamaTough, appears to have obtained source code for the 2006 version of Symantec’s Norton antivirus product.

Symantec’s response has been the following:

“Symantec can confirm that a segment of its source code has been accessed.  Symantec’s own network was not breached, but rather that of a third party entity.”

“We are still gathering information on the details and are not in a position to provide specifics on the third party involved.”

“Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions.  Furthermore, there are no indications that customer information has been impacted or exposed at this time.”

“However, Symantec is working to develop a remediation process to ensure long-term protection for our customers’ information. We will communicate that process once the steps have been finalized.”

“Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

Though the code is for an older version of the Norton antivirus product, the impact of the exposure is as yet undetermined, and several questions remain:

• Since the file provided to Symantec was merely a sample of the material YamaTough claims to possess, can we be sure that code for more recent editions has not been compromised as well?

• What was the “third party” – presumably some entity related to the Indian government – doing in possession of the source code for the Symantec product?

• How much would source code from 2006 tell malware authors, assuming the product has not been rewritten from scratch since that code was produced? Product cores tend to evolve rather than be replaced, so old code can still reveal scanning engine structure, file formats, and update mechanisms that persist in current versions.

Stay tuned for more as this story develops into what could be one of the biggest data loss events of 2012, less than a week into the new year.