Showing posts with label SECURITY RELATED. Show all posts

Friday, June 03, 2011

USB Drives -- The security threats and how to safeguard

By Marc Saltzman for our content partner: IT Insider Online

You can find them in pockets, purses and on key chains. They're on lanyards and in pens, built into some jewelry and even found alongside scissors and nail files in Swiss army knives. Teeny USB thumb drives are ubiquitous: In fact, Gartner estimates more than 222 million were sold in 2009 alone. Could such a tiny gadget bring big risks?

Your Data at Risk
Thanks to their small size, low cost, and capability of instant backup and file transportation between multiple computers, USB drives actually pose significant security threats for businesses.

For example, disgruntled employees can easily make off with sensitive company information on a USB drive. "The threat is not new, but the problem is exacerbated by tiny and cheap USB drives," says Leslie Fiering, research vice president at Gartner in San Jose, Calif. "The moment we had removable storage media -- going back to floppy disk drives -- there have been stories of janitors going onto computers after hours and downloading major amounts of information." Employees who plan on quitting a company -- or perhaps those expecting a pink slip -- can also easily copy over customer or client databases, emails, calendar appointments and contact lists in a matter of seconds, and then take this digital info with them to a competitor.

Increasingly, USB drives can also carry harmful malware, say security experts. USB keys can be used to install viruses or to serve as boot drives to erase data -- even unintentionally. An employee who uses a USB drive on a personal computer at home could carry malware back to a work computer without his or her knowledge.

USB Security: What You Can Do
You should take several precautions to minimize the risk of data theft or malware attacks via USB drives. Consider the following:

  • Implement strong security software. All company computers should have the right security software to detect and remove potential threats. "Without question, you need serious protection today that not only protects from online threats but also is capable of scanning external devices too, such as USB drives," warns Fiering.
  • Limit USB access. In extreme cases, organizations have cut off access to USB ports. Others have limited USB access to specific employees. Using encrypted USB drives is another option, as is disabling AutoRun on computers so that programs on a USB drive don’t immediately run when a drive is inserted.
  • Monitor use. Keeping track of USB access will help you note who is using the drive, on which computer and at what time of day. "IT departments need to make sure their machines are secure and sensitive information protected," adds Michael Gartenberg, research director at Gartner in Stamford, Conn.
  • Focus on education. “Banning can result in users trying to bypass the ban,” cautions Santorelli. A usage policy augmented by an awareness campaign to educate end users will help mitigate the risks.
Fiering and Santorelli note that these risks are not limited to USB drives. Santorelli calls it an “erosion of the traditional network perimeter” because of the prevalence of mobile devices and the convergence of personal and work technology. “This is a problem that's not going away any time soon," says Fiering. With the right security measures, however, companies can ensure the security of their data, despite today’s increased risks.

Monday, May 23, 2011

How to share safely on Social Networks such as Facebook

From the Editors of our content partner: Every Day Connected

The days when social networks were just for teens are long over: Adults now take up social networking for fun and business alike. One entrepreneur, Sheilah Etheridge of Anchorage, Alaska, uses social networks to turn up business leads for her home-based accounting and consulting firm. But Etheridge is selective with what she shares and where. “Everything we post on the Web is obviously out there for all the world to see, and it’s out there for eternity,” she says.

To get the most out of your favorite social networks, it’s important to be aware of how to protect your online privacy. Here’s how to share safely:

Tip No. 1: Don’t fork over too much personal info.
You don’t always know who is viewing even tidbits of your profiles, so think twice before you post sensitive -- or potentially embarrassing -- information, videos or photos on social networks. It could fall into the hands of identity thieves, prospective employers, college recruiters or even potential mates.
“People should assume the content they put online is going to be public,” says blogger Jeremiah Owyang, a former senior analyst for Forrester Research.

Tip No. 2: Review privacy policies before you post.
Some networks, such as LinkedIn, have adopted privacy policies that vouch they’ll never share your information with other users without your consent. Other sites, like Facebook and Twitter, offer online privacy settings that allow you to control who can view certain information and who gets notification when you add friends or Web applications.
But be mindful about the details: On Facebook, for example, your profile and photo privacy settings are separate. Just because you block non-friends from seeing your profile doesn’t bar them from seeing your photos. Make sure you review all your preferences under Account and Privacy Settings.

Tip No. 3: Don’t reveal every step you take.
It’s a freaky thought, but stalkers, jealous spouses and suspicious employers can use social networks to keep an eye on your every move. Many photos and posts are time-stamped, so the date and time you post them are recorded and shared with your network of friends or connections. This means your boss may be able to find out how much time you spend on Facebook while at work.

Facebook also allows you to “Check In” where you are, revealing your geographic location. On Twitter, you can note your location in your tweets and in your profile. If you want to keep your moves and location on the down-low, avoid checking in altogether and tweak your online privacy settings.

Tip No. 4: Be smart with apps.

Most social networking sites are for-profit companies, and advertising keeps membership free. Any time you sign up for a free app or contest on a social network, your private data might be used to target you with online advertising based on your activities.
“The purpose behind social networking sites is supposed to be to enable you to connect with friends and colleagues and do these networking activities,” says John Verdi, senior counsel for the Electronic Privacy Information Center (EPIC), a nonprofit privacy advocacy group in Washington, D.C. “What they don’t say is that ‘our real purpose is to mine your data and sell it to the highest bidder.’”
So even if you’ve read Facebook’s online privacy policy, you still need to read the privacy policies of application-makers who promote their apps on Facebook. “They are third-party applications,” says Verdi. “The social networks don’t vouch for any of them.”

Tip No. 5: Don’t expect to be able to delete it once you post it.
It’s happened to the best of us: being haunted by your old social network posts that never die. There is an assumption that you “own” your profiles. But that’s not the case.
In the past, Facebook users were not able to completely delete their profiles. Facebook claimed it wanted to store the information in case users wanted to revive their profile, but it has now caved in under pressure from users to allow for easier deleting. MySpace and LinkedIn allow users to delete their profiles too.
But when it comes to posts you leave on others’ profiles -- or content that friends copied off your profile or blog -- it can remain online for eternity. “There are going to be remnants or ghosts,” says Owyang. “Assume that everything you put online is forever.”
The single best thing you can do before you put yourself out there on a social network? “Speak to other users you know and trust before joining some sites,” says Etheridge. In other words, network a bit before you sign up for a network so you can learn more about how the site protects your info -- or doesn’t.

Sunday, May 22, 2011

Safety tips while using Free Public Wi-Fi

You already have plenty on your plate, whether you are implementing and maintaining technology, helping to resolve technical issues or ensuring your company’s data is safe and secure. Now, you can add the proliferation of rogue free public Wi-Fi networks to that list.
Free Wi-Fi connections can be tempting for traveling employees. And hey, you can’t blame them, as one less item on an expense report can make them look better -- especially if your company is tightening its belt. But talking to them about the risks can help protect them -- and you.

How Rogue Free Public Wi-Fi Works
Tech-savvy thieves are taking advantage of users’ thirst for constant connectivity. “The basic idea is someone in the vicinity has created a ‘free Wi-Fi network’ that you connect to, but in doing so, you’re allowing them to tap into your info, access your files and possibly steal your personal identity too,” says Tim Bajarin, president of Creative Strategies, a tech consultancy in Campbell, Calif.

“These ‘rogue’ networks are really individuals who have software to hack into your systems -- and because the majority of people’s laptops are not protected, they’re a lot more susceptible than they think.”

In fact, New York-based independent security consultant Dino A. Dai Zovi says he and a colleague, Shane Macaulay, authored a tool called KARMA to demonstrate the risk of unprotected wireless networks. 

“KARMA acts as a promiscuous access point that masquerades itself as a wireless network,” explains Dai Zovi. “It makes the victim connect to our rogue wireless network automatically.”

Rogue operators will often craft network names similar to the name of the hotel or the coffee shop where your end user is attempting to connect. One careless click and your data is exposed.
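
A defender-side check for the two behaviours described above: one access point answering to many network names, and names crafted to resemble the venue's. This is an added example, not part of the original article; the scan results, the trusted-BSSID list and the thresholds are constructed assumptions.

```python
import unicodedata
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed scan results: (SSID, BSSID) pairs as a Wi-Fi survey tool might report them.
SAMPLE_SCAN = [
    ("GrandHotel_Guest", "00:11:22:33:44:55"),  # the venue's real access point
    ("GrandHotel-Guest", "de:ad:be:ef:00:01"),  # lookalike name, unknown radio
    ("GrandHotel_Guest", "de:ad:be:ef:00:01"),  # exact name, unknown radio
    ("linksys",          "de:ad:be:ef:00:01"),  # same radio also claims to be
    ("HomeNet-5G",       "de:ad:be:ef:00:01"),  # other people's home networks
    ("CoffeeCorner",     "66:77:88:99:aa:bb"),
]

# Assumption: IT or the venue publishes which radios (BSSIDs) serve each trusted SSID.
TRUSTED = {"GrandHotel_Guest": {"00:11:22:33:44:55"}}


def normalize(ssid):
    """Fold case, Unicode compatibility forms and separators before comparing names."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def find_suspicious(scan, trusted, max_ssids_per_bssid=2, min_similarity=0.85):
    """Return (kind, ssid, bssid) findings for a list of (ssid, bssid) observations."""
    findings = []
    ssids_by_bssid = defaultdict(set)
    for ssid, bssid in scan:
        bssid = bssid.lower()
        ssids_by_bssid[bssid].add(ssid)
        for good_ssid, good_bssids in trusted.items():
            if bssid in good_bssids:
                continue  # a known radio for this trusted network
            if ssid == good_ssid:
                # Trusted name broadcast by a radio that is not on the allowlist.
                findings.append(("impersonation", ssid, bssid))
            elif SequenceMatcher(None, normalize(ssid),
                                 normalize(good_ssid)).ratio() >= min_similarity:
                # Name differs only by case, punctuation or a character or two.
                findings.append(("lookalike", ssid, bssid))
    # Heuristic: multi-SSID access points normally use one BSSID per network name,
    # so a single BSSID claiming many names matches the "promiscuous" behaviour.
    for bssid, ssids in ssids_by_bssid.items():
        if len(ssids) > max_ssids_per_bssid:
            findings.append(("many-ssids", ",".join(sorted(ssids)), bssid))
    return findings


if __name__ == "__main__":
    for kind, ssid, bssid in find_suspicious(SAMPLE_SCAN, TRUSTED):
        print(f"{kind:14} {bssid}  {ssid}")
```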

Scary stuff. So, what to do?

Tips for Safer Surfing on Free Public Wi-Fi
You’ve got your work cut out for you, and it starts with employee awareness, say the experts. Consider these steps:
  • Avoid free public Wi-Fi. Caution employees to steer clear of freebies. “When I go to a hotel, I make sure they have a wired [Ethernet] connection,” says Bajarin. “And if I want to go wireless on my laptop or other devices in my hotel room, I bring an Airport Express with me,” he adds, referring to Apple’s compact wireless router.
  • Be efficient. If you or your end users can’t avoid a free public Wi-Fi network, “get on, get what you need and get off -- and don’t do any financial things until you’re back at home," cautions Bajarin.
  • Use VPN. Only use free public Wi-Fi if you have VPN (Virtual Private Network) access, says Dai Zovi. “Otherwise, everything you do can be easily monitored by anyone nearby.” Citing recent Firesheep attacks, Dai Zovi says that even password-based networks can be attacked by malicious types. Firesheep is an extension for the Firefox browser that can grab your login credentials for sites such as Facebook and Twitter.
  • Give employees your own connection. Another option for mobile workers is to use WAN-enabled laptops, USB sticks with cellular connectivity or to create a mobile hotspot through a smartphone or tablet.
  • Use security software. Make sure all security software is updated regularly, enable firewalls and give employees a means to encrypt sensitive data.
Only through education, secured connections and some common sense can your employees keep personal and professional data safe from cyber-snoopers, waiting to attack through a free public Wi-Fi.

Brought to you in association with IT Insider Online

Saturday, May 21, 2011

Best Security Tips to keep your SmartPhone or Tablet Safe

Smartphones are everywhere, and with iPads and Android tablets now leading the market, the next generation in mobile computing is exploding in popularity around the world. But the risk of a hacker stealing your sensitive information (or the device itself) has also risen dramatically. Case in point: Last month, several malicious apps invaded the Android market, affecting 260,000 Android-based smartphones and tablets. (Google eventually removed the rogue apps from all devices.)

Here’s how to keep your new gadget safe:

Smartphone and Tablet Security Tip No. 1: Keep tabs on your devices.
Don’t leave your smartphone or tablet unattended at an Internet cafe or on planes, trains and automobiles. Tablets are hot sellers and harder to come by in certain European and Asian black markets, so thieves are even more tempted to steal them.

If you have an Android-based device, be sure to download a security app that can locate your device if you lose it. For Apple users, get an account with an online locating service, such as Find my iPhone. (It works for iPads too.) The idea behind these services is that the device checks in with the service every so often with the location of the device (from the GPS chip), and you can then use a website or other mobile application to view a map with the location of your device.

Smartphone and Tablet Security Tip No. 2: Set a strong password.
After ensuring the physical safety of your phone or tablet, the next step is to make sure you have a hard-to-crack login password. Password locks can be set up so that after a certain number of incorrect login attempts, the device gets locked or the data is wiped.

When adding or changing any password, make it a long word with numbers or punctuation marks so it’s difficult to guess. To set up a password on an Android tablet, tap the open arrow to view your apps. Select “Settings,” then “Security,” then “Change Screen Lock.” Choose “Password.” On the iPad, tap “Settings,” then “General Settings.” Continue by opening “Passcode Lock” in the center box of options. Select “Turn Passcode On” and follow the instructions.

Smartphone and Tablet Security Tip No. 3: Look out for fake apps.
It’s tempting to download free apps with abandon. But be cautious: Malicious apps are often disguised as legitimate, and without security software, it’s nearly impossible to tell the difference. “From malware to root kits, malware-infested applications for mobile devices are showing up in alarming numbers, mostly out of Asia,” says technology analyst Rob Enderle of the Enderle Group.

A malicious app is dangerous because it can steal all the data from your smartphone or tablet and send out spam. Or, even worse, it can monitor everything you do and capture all your usernames and passwords. “You hear about this more on Android than Apple’s iOS,” says software programmer Daniel Elswick, “mainly because Apple is strict with what apps they allow into the Apple App Store, while the Android Market is more open, so almost any application can make it in there.”

To prevent this, download a mobile security app (from a legitimate company) that scans, detects and blocks mobile threats found in downloaded apps before they can infect your mobile device. The best kind will also check for security updates automatically so you don’t have to worry.

Smartphone and Tablet Security Tip No. 4: Watch that Wi-Fi.
Another big tablet security risk is browsing the Web on a public Wi-Fi hotspot or any unknown or untrusted wireless network. Since your traffic is public, there is the possibility that it is being captured. So if you’re browsing the Web and go to a page that doesn’t use SSL (Secure Socket Layer) to encrypt your communication, everything you are seeing and anything you send back (if you fill out a form or type in your username and password) can be captured and seen by anybody else on the network.

Most shopping and financial sites are using SSL for login information now, but it’s still safer not to send any sensitive data over an untrusted wireless network. (You know you’re on an SSL site when the URL starts with “https.”)

Also note that paying to access a Wi-Fi network doesn’t necessarily mean it’s secure. If you have access to a VPN (virtual private network), use it. A VPN offers secure access to a company’s network.

Smartphone and Tablet Security Tip No. 5: Remotely wipe your tablet.
This is probably where a security software app comes in most handy: If your phone or tablet is lost or stolen and you’re certain you won’t get it back, you can remotely wipe all your data and information from it. GoogleApps details its autowipe app here, and Apple offers the MobileMe service.


Brought to you in association with The Online Family

Thursday, April 09, 2009

Microsoft Next-Generation Secure Computing Base

Q: What is the Next-Generation Secure Computing Base?

A: The Next-Generation Secure Computing Base (NGSCB), also referred to as "Palladium," is a new security technology for the Microsoft® Windows® platform. It will be included as part of an upcoming version of the Microsoft Windows operating system, code-named "Longhorn." NGSCB employs a unique hardware and software design to enable new kinds of secure computing capabilities to provide enhanced data protection, privacy and system integrity.

NGSCB will transform the PC into a platform that can perform trusted operations spanning multiple computers under a trust policy that can be dynamically created and whose integrity anyone can authenticate.

The technology being developed as part of NGSCB includes new software that will work on a new breed of PC hardware. This new architecture will provide unprecedented capabilities for enabling secure processing on the Microsoft Windows PC platform. In addition, it will preserve the flexibility and extensibility that contributes so much to today's PC ecosystem.

Microsoft is building base-level software components, including a new operating system module called a nexus that will enable secure interaction with applications, peripheral hardware, memory and storage. A nexus-aware PC will be designed to offer four categories of new security features:

  • Strong process isolation. Users can wall off and hide pages of main memory so that each nexus-aware application can be assured that it is not modified or observed by any other application or even the operating system.

  • Sealed storage. Information can be stored in such a way that only the application from which data is saved (or a trusted designated application or entity) can open it. With sealed storage, a nexus-aware application or module can mandate that the information be accessible only to itself or to a set of other trusted components that can be identified in a cryptographically secure manner.

  • Secure path to and from the user. Secure channels allow data to move safely from the keyboard/mouse to nexus-aware applications, and for data to move from nexus-aware applications to a region of the screen.

  • Attestation. Users have the ability to authenticate software or a combination of software and hardware. With attestation, a piece of code can digitally sign or otherwise attest to a piece of data and thus assure the recipient that the data was constructed by an unforgeable, cryptographically identified trusted software stack.
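
A conceptual model of the sealed-storage feature listed above, showing why a modified application cannot open data sealed by the original. This is an added example, not Microsoft's code or API: using a SHA-256 hash of the program as its identity, the `DEVICE_SECRET` stand-in for a hardware-held key, the hash-based cipher and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: stands in for a secret that never leaves the security hardware.
DEVICE_SECRET = os.urandom(32)

# Constructed "programs": the bytes the trusted layer would measure before running them.
WALLET_V1 = b"def pay(): charge_card()"
WALLET_PATCHED = b"def pay(): charge_card(); leak_keys()"
BACKUP_AGENT = b"def backup(): copy_sealed_blobs()"


def code_identity(code):
    """Identity of a program = hash of its code (assumed measurement scheme)."""
    return hashlib.sha256(code).digest()


def _keys(identity):
    # Keys depend on both the device secret and the identity being sealed to.
    enc = hmac.new(DEVICE_SECRET, b"enc" + identity, hashlib.sha256).digest()
    mac = hmac.new(DEVICE_SECRET, b"mac" + identity, hashlib.sha256).digest()
    return enc, mac


def _xor_stream(key, nonce, data):
    # Illustrative stream cipher built from SHA-256 in counter mode;
    # a real design would use a standard authenticated cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(data, caller_code, allowed_identity=None):
    """Seal data to the caller's own identity, or to a designated trusted one."""
    target = allowed_identity or code_identity(caller_code)
    enc, mac = _keys(target)
    nonce = os.urandom(16)
    ciphertext = _xor_stream(enc, nonce, data)
    tag = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(blob, caller_code):
    """Release the data only if the measured caller matches the sealed identity."""
    enc, mac = _keys(code_identity(caller_code))
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("caller identity does not match the sealed blob")
    return _xor_stream(enc, nonce, ciphertext)
```

In this model `caller_code` represents what the trusted layer measured, not something the caller asserts about itself; an application that could choose its own identity would defeat the scheme.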

The Windows technologies that NGSCB introduces — the nexus and the special processes that the nexus commissions, called nexus computing agents (NCAs) — will offer a parallel execution environment to the traditional Windows kernel- and user-mode stacks. NGSCB creates a new environment that runs alongside the operating system, not underneath it.

A key goal in the development of NGSCB is to protect software from software-based attacks in the PC environment. In other words, NGSCB is designed to provide a set of features and services that a software application can use to defend against malicious code that might also be running on the machine, such as viruses running in the main operating system, keyboard sniffers or frame grabbers. This technology is not designed to provide defenses against hardware-based attacks that originate from someone in control of the local machine.

Q: What's new in NGSCB? What's the difference between NGSCB and Microsoft Windows today?

A: NGSCB extends the Windows operating system to provide a set of new secure computing capabilities. NGSCB will not change anything in Windows, but rather will sit beside the regular Windows environment. To make NGSCB possible, both the software and the hardware will evolve. On the hardware side, the CPU, chipset, USB I/O and GPU hardware components will be redesigned, and a new component will be added, called the Security Support Component (SSC). On the software side, a new operating system component will be added, called the nexus, along with some associated code to enable the NGSCB environment. Collectively, this software comprises the trusted computing base (TCB) for NGSCB.

Q: How can I learn more about NGSCB?

A: Microsoft will publish additional technical information about NGSCB as it makes progress. To be notified when this information is available, those interested can send e-mail to with "subscribe" in the subject line. Microsoft has established this announce-only mailing list to alert subscribers whenever new information has been posted to