Check your router’s vulnerability

A recent security vulnerability has been unearthed in many routers previously thought safe. Universal Plug and Play (UPnP) is a method of automatically configuring a router to allow traffic to flow from the Internet into the local network. It should only be accessible from devices inside the local network. However, as it turns out, the vulnerability allows devices on the Internet to potentially reconfigure a router. This is REALLY, REALLY bad, to say the least.
Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw.
You can find out more about the specifics of the issues at:
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
So the advice is that you should check to ensure your router is not vulnerable. To do this, visit grc.com and go to the Shields Up page like so:

Click on the GRC’s Instant UPnP Exposure test.
Hopefully you will see:

If not then you need to take steps to ensure you rectify any issues discovered.
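
What the GRC exposure test boils down to is a single SSDP M-SEARCH sent to your public address: a router that is safe from this problem simply does not answer from the Internet side. The script below is an added example written for this post, not GRC's code or anything from the Rapid7 advisory. It builds the standard M-SEARCH, parses the reply a UPnP device would send, and reports whether the address you probed answered. The sample reply, its addresses and the SERVER string are constructed for the example; the `probe` function is meant to be pointed only at addresses you own (your router's WAN address from an outside connection, or LAN addresses when taking an inventory).

```python
import socket
from typing import Dict, Optional

SSDP_MCAST = "239.255.255.250"   # standard SSDP multicast group
SSDP_PORT = 1900                 # standard SSDP port

# Constructed sample of the reply a UPnP device sends to an M-SEARCH. It is not
# captured from any real product; the addresses and the SERVER string are made up.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.1 ExampleUPnP/0.1\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)


def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH request that ordinary discovery clients send."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_reply(raw: str) -> Optional[Dict[str, str]]:
    """Return the reply headers (upper-cased names) or None if it is not a 200 OK."""
    lines = raw.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header block
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return headers


def assess_reply(raw: Optional[str]) -> Dict[str, object]:
    """Any valid reply means the UPnP stack answered the address you probed.

    Probed from outside on your public address, that is exactly the exposure the
    post warns about; no reply (None) is the result you want to see.
    """
    headers = parse_ssdp_reply(raw) if raw is not None else None
    if headers is None:
        return {"exposed": False, "server": None, "location": None}
    return {
        "exposed": True,
        "server": headers.get("SERVER"),       # identifies the UPnP stack/firmware
        "location": headers.get("LOCATION"),   # device description URL it hands out
    }


def probe(address: str, timeout: float = 2.0) -> Optional[str]:
    """Send one unicast M-SEARCH to `address` and return the raw reply, or None.

    Only use this against addresses you own: your router's WAN address from an
    outside connection, or LAN addresses for an inventory of your own network.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (address, SSDP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    # With no argument the constructed sample reply is assessed instead of the network.
    result = assess_reply(probe(target) if target else SAMPLE_REPLY)
    print("UPnP reachable:" if result["exposed"] else "No UPnP reply:", result)
```

If the WAN probe comes back with a `SERVER` string, the router is reachable over UPnP from the Internet and the fix is the one the post gives: disable UPnP on the WAN side or update the firmware, then re-test.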

Why passwords matter

Here is a great example from a buddy of mine (Ben from DigitIT) about why passwords are important.

As his blog post details, he was called in when a client found their machines displaying a message asking for money to decrypt their files. They had been infected with ransomware. Why? Very poor passwords, as the blog post notes.

End result? A complete reinstall and restore of the server from a known good point in time. After that, how much do you figure strong passwords are worth?

I always recommend something like LastPass to auto-generate and remember complex passwords. If you haven’t used LastPass then you SHOULD!
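
To make the "auto-generate complex passwords" advice concrete, here is an added example (mine, not LastPass's code or anything from Ben's post) that does what a password manager's generator does: it draws every character from the operating system's cryptographic random source and then puts a number on why that beats a human-chosen password. The word list is a constructed 16-word stand-in (a real passphrase generator uses thousands of words), and the guess rate of ten billion per second is an assumed figure for the comparison only.

```python
import math
import secrets
import string

# Character set used for generated passwords: letters, digits and punctuation (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list for passphrases. A real generator uses a list of
# several thousand words; the larger the list, the more entropy each word adds.
SAMPLE_WORDS = ["anchor", "basket", "copper", "dragon", "ember", "forest",
                "garnet", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orbit", "pepper"]


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character from the OS CSPRNG (secrets, never random.choice)."""
    if length < 12:
        raise ValueError("use at least 12 characters for a generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=SAMPLE_WORDS, count: int = 6, sep: str = "-") -> str:
    """Pick `count` words uniformly at random from the list and join them."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a uniformly random secret: positions * log2(choices)."""
    return positions * math.log2(choices_per_position)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare(weak_length: int = 8) -> dict:
    """Contrast a human-style lowercase password with a 20-character generated one.

    The phrase figure shows why the 16-word sample list is far too small for real use.
    """
    weak = entropy_bits(26, weak_length)
    strong = entropy_bits(len(FULL_ALPHABET), 20)
    phrase = entropy_bits(len(SAMPLE_WORDS), 6)
    return {
        "weak_bits": weak,
        "strong_bits": strong,
        "phrase_bits": phrase,
        "weak_years": years_to_exhaust(weak),
        "strong_years": years_to_exhaust(strong),
    }


if __name__ == "__main__":
    print("generated:", generate_password())
    print("passphrase (toy list):", generate_passphrase())
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
```

An 8-letter lowercase password carries under 40 bits of entropy and is exhausted in seconds at the assumed rate; the 20-character generated one sits above 130 bits, which is why the manager, not the human, should be picking the password.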

Facebook security video

Here’s a great video from Kaspersky that covers how to enable the security features of Facebook.

Office 365 data not encrypted at rest

One of the questions that was posed in today’s Office 365 Security session hosted by Scorpion Software that I appeared on

https://www.youtube.com/watch?v=RvDB3vOFpEI&feature=player_embedded

was whether the data in Office 365 was encrypted ‘at rest’. I said that I thought it would be but, as it turns out, I was wrong. The following document:

Standard Response to Request for Information O365 – Security Privacy v2 – http://www.microsoft.com/en-us/download/details.aspx?id=26647

says clearly:

“Office 365 currently does not encrypt data at rest, however, the customer may do so through IRM or RMS.”

in multiple places (one instance is on p26, in the IS-18 Information Security Encryption section).

However, before everyone starts jumping up and down about this, can I ask whether the information on your local server is encrypted at rest? It can be (using BitLocker and the like) but it isn’t by default, I believe. However, I’d like to know the reason why it is not, so let me see what I can find on that score and report back.

Cloud security


One of the most common reasons people cite for being concerned (or downright afraid) of putting their information into ‘cloud’ services is security. Interestingly, most of their reasoning is based on hearsay and hysteria. Many in fact simply parrot back what they have read or heard somewhere. What I’d like to do here is provide a little bit of balance to the argument and some alternative points of view that I think many naysayers haven’t considered.

1. Security is a journey not a destination. When human beings are involved, nothing will ever be perfect. There will be oversights, errors and mistakes. That is simply a fact. This means that it can happen whether the information is stored locally or whether it is hosted. I will however point out that the chances of error are reduced (you can never eliminate them) when you have multiple people and processes looking at the systems. This is more likely to be the case for hosted environments in large data centres than on a single server at a customer’s premises.

2. If you are using email you are already sending information insecurely. Emails are generally sent in plain text with no encryption and with no guarantee of delivery. In most cases you have no idea that the person who is reading your email is the one that you sent it to. Some surveys note that up to 20% of legitimate email never gets delivered to the intended inbox. But does this stop people using email? Certainly doesn’t seem to. So, on the one hand people are worried about saving their information on hosted servers yet they freely send that same information in emails, without security to someone they hope is the right person at the other end. If you were so worried about your information being secure you wouldn’t use email now would you? The reality is that the functionality of email far outweighs, for most people, any risk of insecurity.

3. If you are using a device that has access to the Internet, that can browse web pages and receive emails, that device is already connected to the ‘cloud’. Furthermore, if you can get to the ‘cloud’, the ‘cloud’ can get to you. So how worried are you about that server you have on your premises that is connected to the Internet? How secure is the information stored there? How do you know that someone isn’t stealing that information while you are reading this? Generally, you won’t. Sure, you have firewalls and other security protection on your equipment, but how do you KNOW it is working? Do you employ someone to monitor it constantly? Probably not, but large hosting firms do. They can afford to invest a significant amount of money in security and pay the best people to monitor it. Their challenge is no different from yours, but chances are they have significantly more resources on tap than someone running a server as part of their business does.

4. The Patriot Act applies everywhere a US company operates. So many people I hear say they want their data stored locally so that it won’t be subject to the US Patriot Act. The reality is that any US-based company is subject to the Patriot Act no matter where it operates. That means that if Microsoft or Google had data centres here in Australia (which they don’t currently) they would still be subject to the US Patriot Act. Aside from that, there are far-reaching agreements between international law enforcement agencies to provide access to data outside their jurisdiction upon request. And even further to that, local intelligence agencies, like ASIO in Australia, typically already have the right to access your data without your knowledge. Don’t believe me? See:

ASIO Powers: http://www.pcworld.idg.com.au/article/100781/asio_given_power_hack_systems/
“The legislation allows ASIO operatives to hack into PCs and corporate networks to retrieve data, and add, delete, or alter data in the “target” computer, while being immune from prosecution under the Crimes Act hacking provisions.”

and they have had this power since 1999 (pre-9/11!).

5. Why worry about hacking our information when they can tap our phones? Many people are paranoid about their information security but give no thought to the fact that their phone conversations could be tapped. Many readily carry on a conversation on their mobile with the person at the other end and the fifteen people in the immediate vicinity. If they were truly paranoid about all their information they would be more judicious about using the phone, wouldn’t they? Again, the convenience far outweighs the risk of a breach, but that still doesn’t mean it can’t happen, and it still doesn’t mean it won’t. How can you maintain information security if you are going to blab it out next time you receive a call in a public place, eh?

6. We use the hole in the wall (ATMs) to get money when we need it. We use Internet banking as a convenient way of managing our money. If you were truly concerned about security, wouldn’t you squirrel your money under your pillow and not trust the banks? You could, but most don’t. Why? Because there are far more benefits in trusting your money to a bank. They can centralize it and implement better security, they can make it available to you at more convenient places and locations (read ATMs) and so on. Is there a risk that your money will be stolen? Certainly, but again the convenience outweighs the risk. I understand that money is different from information, but in a lot of ways the model we understand and use that is modern banking is very similar to ‘cloud’ computing. That seems to work pretty well for most people despite its flaws.

So there you have it. A few of my thoughts on the whole ‘cloud’ security argument. There will of course be people who reject all these and continue to argue that on premises is the only way to be secure. I hope that you can at least see in some little way that such an argument has less and less validity when you do a like versus like comparison without the emotion that seems to litter so many discussions around today on ‘cloud’ security.

I’m sure back in the day, many people questioned how the automobile could replace the trusty horse. Guess what? We don’t see many horses on our roads these days do we?

Staying up to date

One of the most common causes of security breaches is out-of-date software. But how do you keep track in a world where you can have hundreds of different applications installed?

There is a free solution to keep you informed about the update status of many common applications: Secunia PSI. It is designed to be installed on personal machines and then report on what applications are installed and how up to date they are.

After installing and running a scan you will be able to view a report of the applications installed on your machine. You’ll also see whether any require updating and in most cases you’ll also be given a link to take you to the update page for the software.

Once installed, the Secunia software will also sit in the background and inform you when new updates become available. This really makes it an easy way to ensure your system is not only up to date but also more secure.
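
The core of what a tool like Secunia PSI does is compare each installed version against the latest known one and hand you the update link for anything behind. The script below is an added example of that comparison written for this post; it is not Secunia's code and knows nothing about its vulnerability feed. The installed inventory, the "latest version" table and the update URLs are all constructed for the example. The one detail worth taking away is the version comparison itself: compared as strings, "1.9" sorts after "1.10", so the comparison has to be numeric, component by component.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory of installed software (not from a real scan) and a
# constructed "latest known version" table with hypothetical update URLs.
INSTALLED = {
    "ExampleBrowser": "14.0.1",
    "ExampleReader": "1.9",
    "ExamplePlayer": "2.3.0",
    "ExampleTool": "0.8",
}
LATEST = {
    "ExampleBrowser": ("14.0.1", "https://example.invalid/browser/update"),
    "ExampleReader": ("1.10", "https://example.invalid/reader/update"),
    "ExamplePlayer": ("2.3", "https://example.invalid/player/update"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.2b' into (1, 10, 2); trailing zeros are dropped so 2.3.0 == 2.3."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)          # keep the leading numeric part only
        parts.append(int(match.group()) if match else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """Numeric comparison: '1.9' < '1.10'. A plain string compare gets this wrong."""
    return parse_version(installed) < parse_version(latest)


def update_report(installed: Dict[str, str] = INSTALLED,
                  latest: Dict[str, Tuple[str, str]] = LATEST) -> List[Dict[str, Optional[str]]]:
    """One row per installed application: outdated, up to date, or unknown to the feed."""
    rows: List[Dict[str, Optional[str]]] = []
    for app, version in sorted(installed.items()):
        ref = latest.get(app)
        if ref is None:
            rows.append({"app": app, "installed": version, "latest": None,
                         "status": "unknown", "update_url": None})
            continue
        latest_version, url = ref
        status = "outdated" if is_outdated(version, latest_version) else "up to date"
        rows.append({"app": app, "installed": version, "latest": latest_version,
                     "status": status, "update_url": url if status == "outdated" else None})
    return rows


if __name__ == "__main__":
    for row in update_report():
        line = f"{row['app']:<16} {row['installed']:<8} {row['status']}"
        if row["update_url"]:
            line += f"  -> {row['update_url']}"
        print(line)
```

Applications the feed does not know about come back as "unknown" rather than silently passing; in a real scanner those are the ones to chase manually, since an app with no update source is also one nobody is watching.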

Unfazed

I found the following article via the Sydney Morning Herald app on my iPad, but for some reason it doesn’t appear in the online version (or at least not one that I can find), which is strange. Here it is, with my commentary below:

JULY 27, 2011

Customers unfazed by spike in computer glitches, survey reveals

FATIMA KDOUH

THE inconvenience caused to bank customers by meltdowns in information technology does not appear to have had an impact on levels of customer satisfaction with the big four banks.

Figures from the most recent survey of consumer attitudes by Roy Morgan Research continued on an upward trend of 1.2 per cent in June, with 75 per cent of customers saying they were satisfied with their bank despite a recent spike in system glitches across all four banks.

The latest system failure at Westpac, which delayed the processing of payments, was being blamed on a “corrupt file”.

The bank, which has recently embarked on an ambitious, $2 billion computer-system upgrade, insisted yesterday the failure was not a result of any scheduled computer revamp.

The latest headache for Westpac customers is one of a long list of upsets for bank customers in recent times. In April, NAB customers were left unable to access their pay after a processing failure. In May, ANZ customers were unable to access their online accounts and, a month later, a technical error prevented Commonwealth Bank customers from using their online banking accounts.

The Commonwealth and NAB are undertaking billion-dollar “core migration” upgrades of their computer systems, and the Commonwealth is well ahead of its rivals.

But ANZ, which has more modern core systems than its rivals, recently said it would not invest in major upgrades of its existing computer technology.

The upgrades are complex and involve replacing technology that in some cases is decades old, making teething problems like those experienced of late inevitable.

– My comments –

So why is that relevant? Well, to me it indicates that, for all the sensationalism about service level agreements and uptimes with cloud computing, it seems (from the above anyway) that most people are willing to put up with glitches.

There seems to be this belief that moving to the cloud should guarantee 100% uptime. If it involves technology and if it involves human beings then there is always going to be the chance of downtime. Much like the banking systems detailed above, such large systems are much more reliable in the cloud, but they will never be perfect.

The key here is:

“does not appear to have had an impact on levels of customer satisfaction”

Why? Because most customers understand the complexity of these systems and expect issues now and again. Sure, there is a point when enough issues will start impacting their levels of satisfaction, but I’d say that if this is the case with banks, why won’t it be the same for cloud computing? And why are all these pundits screaming about the unreliability of moving to the cloud? Simple: you get more attention for sensationalism than you do for reality, although reality wins out in the long run. So too will cloud computing. Customers don’t expect it to be perfect, but they are happiest when the costs are kept down, which is what moving to the cloud is doing to the cost of technology for most businesses. For that reduction in price, most are prepared to tolerate ‘glitches’.