News from March, 2010

6 Tips for using online remote login services SAFELY

This week I am out at a Peak Potentials boot camp called Guerilla Business School. It has been absolutely fantastic and I would highly recommend it to anyone!

This is a PUBLIC SERVICE ANNOUNCEMENT for those who are in the seminar and attended Alex Mandossian’s excellent session on web-based marketing.

Today when we were talking about free online sites, a service called LogMeIn.com came up. LogMeIn is a site that facilitates logging into your PC from anywhere in the world.

These types of services can be extremely convenient, but there are some very important security precautions that must be taken. Failure to take them opens you up to ATTACK by professional criminals from ANYWHERE in the world: the same door you use to reach your PC is reachable from every other computer on the Internet.

I poked around the site, and it seems to offer decent security options, but unfortunately MOST people opt for the LEAST security possible for CONVENIENCE purposes, and the WEAKEST LINK in every security system is usually the person using it: YOU.

Let’s be clear. This site allows you FULL ACCESS to your computer from ANYWHERE in the world.

Here are some tips to use this type of site safely. These are the same tips I teach to my corporate customers:

1) This is an OPEN door into YOUR computer! Only use a service like this if you have a compelling reason. Any open door is a potential security hole for hackers. If the door is not open, the hacker cannot get in. If you do set it up, turn the service off (or uninstall it) when you are done with it, and never leave a remote-access door open on a machine you have stopped using.

2) Use ALL the security features they offer! For example, this service has a feature that lets you check the logs to see who has been logging in and from where. USE IT, and look at it regularly; a login you don’t recognize is your first warning that something is wrong. Also, look into features such as one-time passwords and RSA SecurID tokens. These give an attacker a second thing to steal besides your password, and they are significant security improvements.

3) HOW you log into your computer MATTERS. In order to use the service, you must log into the site as well as your computer. Most people log into their computer as an ADMINISTRATOR. AVOID doing this at all costs: whoever gets in through the remote-login door gets exactly the privileges of the account you used. Ideally, create a separate standard (non-administrator) user account with low privileges, and use THAT account for this service, so that even a successful break-in is limited to what that account can do. (Create a dedicated, password-protected limited account; do not simply switch on the built-in Guest account.) This ONE THING will make a HUGE difference. In fact, the less often you log into your computer as an administrator, the better.

4) Strong passwords are CRITICAL. Unfortunately, most people get this completely WRONG!

A few words on passwords. Remember, you are allowing people to log in to your computer from ANYWHERE in the world! You MUST use STRONG authentication. Passwords MUST be L-O-N-G and complex.

Passwords should be at least 8 characters as an absolute minimum (longer is MUCH better), and mix upper- and lower-case letters, numbers, and special characters.

Just for the record, if I were to allow a service to log me in from anywhere in the world, I would choose AT LEAST a 14 character password.

An easy way to remember a long password is to choose a quote from a movie, book, or song that you like. For example, a favorite movie of mine is The Princess Bride.

A popular quote from the movie is:
“Hello, my name is Inigo Montoya. You killed my father, prepare to Die!”

To choose a password using this quote, use the first letter of each word and include the special character. In this case, it becomes:
H,mniIM.Ykmf,ptD!

Believe it or not, this is a 17 character password that you will NEVER forget! One caveat: pick a quote that is personal to you rather than the most famous line in the movie. Well-known quotes are exactly the sort of thing that ends up in password-cracking wordlists, so treat the example above as just that, an example.

Also, passwords should NEVER look anything like words, even if you use the popular technique of substituting symbols or numbers for letters (@ for A, 5 for S, 0 for O, and so on).

Using this method, Password might become P@5sw0rd

Just to be clear, this is NOT a secure method of choosing a password! Every hacker knows this trick, and password-cracking tools apply these substitutions to their dictionaries automatically, so P@5sw0rd falls almost as fast as Password does. The book/movie/song quote method I discussed above is MUCH better.

5) WHERE you store your passwords matters! Do NOT store your password on your computer, phone or PDA unless it is encrypted! A dedicated password manager that keeps its database encrypted under a single master password is the usual way to do this. If you do not know how to do this, you are probably better off writing it down somewhere safe at home, or memorizing it.

Remember: if you store it digitally, it can be STOLEN!

6) Don’t make all your passwords the same! A common method of IDENTITY THEFT is to break into one account (or to get hold of the password list from a site that has been hacked), and then quickly try the same e-mail address and password at every other site: your bank, your e-mail, and your remote login service. Use DIFFERENT passwords for EVERY site! This goes double for online remote login services, because that one password hands over your whole computer, not just one account!

Think secure and be secure!
–rob

Top 5 Things I don’t want to hear at RSA this year

This year marks my 10th year attending the RSA conference.  While the conference (and the security industry) has grown significantly in that time, the marketing conversation from the vendors has not.

Since I’m on the people and process side of things, it annoys me to no end when I see vendors proclaiming some of the nonsense that they do.  One of my hobbies has become talking to the vendors to see just how thick they are shoveling the BS (Apparently I am a glutton for punishment).  The old adage of course applies: if it sounds too good to be true, then it probably is.

With that said, here are the top 5 things I do NOT want to hear on the RSA Expo floor this year.

#5) We’ve secured the cloud. First of all, we haven’t even defined the cloud. It typically means outsourcing some part of your system to somebody else’s infrastructure, but what that actually means (which parts, who holds the data, who controls the keys, who does the patching) varies tremendously once you get down into the details. If you can’t define it, you probably can’t secure it either. The reality is way too complex for such blanket statements.

#4) Advanced Persistent Threat. Ever since the recent Google hack, this term has been thrown around quite a bit. The so-called “Advanced Persistent Threat” is something that has always been there, and probably always will be: the sophisticated, targeted attacker who gets a foothold inside your network and stays there. If somebody tells you they have a solution that is guaranteed to stop the sophisticated, targeted attack from the inside, run away as quickly as possible. You can mitigate this problem (limit what a compromised machine can reach, watch for unusual activity, and respond quickly when you see it), but you will never completely prevent it.

#3) “We’ve solved the application security problem.” I actually had a vendor say this to me with a straight face last year. Let’s be clear. No you haven’t. Case in point: one of my colleagues, a professional penetration tester, told me a story about a test they did where an application firewall was in place. The firewall was thwarting all of their attacks for the first day, so on day two the team shifted their focus to the application firewall itself. After they succeeded in killing it, the tests ran smoothly from there on out; the application behind it was just as vulnerable as ever, and the one box protecting it was a single point of failure. Once again, the reality is way too complex for blanket statements.

#2) Our product is secure because it’s never been broken. Is that really your criterion for security? That’s like saying “I know there’s no life on other planets because I haven’t personally seen any yet.” How about “we make our product as secure as possible by incorporating secure development practices into our lifecycle, and we hire reputable third parties to thoroughly penetration test our product?” That would be a good start. Pro tip: the reason your product hasn’t been broken is most likely because the right person hasn’t looked at it yet. ALL applications have bugs!

#1) Nothing can get past our [Firewall/Anti-virus/IDS/IPS/Wizbang new security product]. Repeat after me: There is no silver bullet and there is NO SUCH THING as 100% security! It’s OK! No one actually expects you to be perfectly secure. What matters is how quickly you notice that you’ve been hacked and what you do AFTER it happens. Misinforming your customers by saying that your product is 100% secure makes you look silly and ultimately puts your customers at greater risk, because they stop looking for the attacks that get through. I would much rather have no security at all than a FALSE sense of security.

As a reminder to all the RSA Expo vendors, we have created a special limited edition t-shirt for you to wear on the Expo floor:
No Silver Bullets T-Shirt

Stop by booth #2058 to pick up your t-shirt while they last!