Ask the Security Experts: Facebook Security For Teenagers

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.

 

Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst
  • John Davis, Risk Management Engineer

Our Question

What should I tell my teenage children about privacy and security on Facebook?

Adam Hostetler:

Teach them how to use Facebook privacy settings. Go into the settings
and explain how it works, and that they should only post updates and
photos to their friends and not in public. Also, how to set their
account so they can only be found by friends of friends. As for apps, be
very careful about what Facebook apps they use, and pay attention to the
permissions they request. For their account, always use a strong
password. Do not give out account information to anyone (except
parents). Lastly, they should always log out of the account when they
are done. Never close the browser with the account still logged in.

Phil Grimes:

I fight this battle daily. I constantly remind my kids that what goes online now stays online forever. I have discussed privacy settings with them and give them little reminders that help them think about security and privacy online — at least in terms of posting info and pictures. It never hurts to remind them who I am and what I do for a living, they tend to always think twice before posting.

As for the games, however, this is something that is almost impossible to combat in my house. I think I am the only person who does NOT play Facebook games. The keys here are simple. Accept the machines that play these games as lost assets. I image the disks so I can restore them quickly and easily, then cordon them off on their own network segment so WHEN they get popped, I can “turn and burn” to get them back online. This really works well for me, but another important factor is to NOT do anything sensitive from these machines. Luckily, my kids don’t do any online banking or anything like that. I have my wife conduct sensitive tasks through another machine.

John Davis:

I would say to watch the scams and traps that are strewn like land mines throughout the site. Watch the free give-aways, be wary of clicking on pictures and videos and look carefully at any messages that contain links or suggest web sites to visit. Also, be VERY careful about ‘friends’ of friends and other strangers that want to friend you or communicate with you. You very well may not be communicating with who you think you are. Finally, if you’re on Facebook frequently and have not been wary, chances are you have malware on your computer that hides itself and runs in the background where you are not aware of it. So be careful when using the site and scan your system frequently.

Presentation Slides Available from The Ohio SCADA Security Symposium

Although we had a panel discussion, (and some presentations that were confidential) we do have a few we can share. If you’d like to view the slides for them, please visit our presentation page. We’re looking forward to doing this again next year! Thanks to all who came and to our speakers, who were very generous with their time and expertise!

Apple’s iOS5 and the iCloud: Great Ideas, Huge Security Impact

Wondering how Apple’s iOS5 and the iCloud will affect your life? Check our recent slide deck that tackles some potential challenges as Apple gets ready to roll out their newest creation. In this deck, you’ll learn:

  • What is key
  • iOS5  idealism and reality
  • The good news and bad news
  • What do do and not do

As always, we’re here for discussion. Follow Brent Huston on Twitter to engage even more!

MSI Strategy & Tactics Talk Ep. 10: Security For Windows Consumers & Their Home System

“You can be doing all the right things and still get your home machine compromised. It becomes less about prevention and more about what we do when our machines become compromised.”  – Brent Huston, CEO, MicroSolved, Inc.

Are you “the computer guy” for your family? Listen in as our tech team discusses common problems of Windows users and steps they can take to help protect their data. Discussion questions include:

  • How do Windows users stay safe in a world of modern malware and online crime?
  • What do Windows users do when their box gets infected?
  • What do you do to secure the Windows boxes of your family members?
  • What tools does every Windows box need and how should windows security settings be configured?
  • What about the browser?
Panelists:
Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

7 Security Areas of Concern With Cloud Computing

One of the government’s major initiatives is to promote the efficient use of information technology, including the federal use of cloud computing. So good, bad or indifferent, the government is now moving into the wild, world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.

At the Cloud Computing Summit in April 29 2009, it was announced that the government is going to use cloud for email, portals, remote hosting and other apps that will grow in complexity as they learn about security in the cloud. They are going to use a tiered approach to cloud computing.

All businesses, both large and small, are now investing resources in cloud computing. Here are seven problematic areas for which solutions need to be found:

  1. Vendor lock-in – Most service providers use proprietary software, so an app built for one cloud cannot be ported to another. Once people are locked into the infrastructure, what is to keep providers from upping the price?
  2. Lack of standards – National Institute of Standards and Technology (NIST) is getting involved and is still in development. This feeds the vendor lock-in problem since every provider uses a proprietary set of access protocols and programming interfaces for their cloud services. Think of the effect on security!
  3. Security and compliance – Limited security offerings for data at rest and in motion have not agreed on compliance methods for provider certification. (i.e., FISMA) or common criteria. Data must be protected while at rest, while in motion, while being processed and while awaiting or during disposal.
  4. Trust – Cloud providers offer limited visibility of their methods, which limits the opportunity to build trust. Complete transparency is needed, especially for government.
  5. Service Level Agreements – Enterprise class SLAs will be needed (99.99% availability). How is the data encrypted? What level of account access is present and how is access controlled?
  6. Personnel – Many of these companies span the globe – how can we trust sensitive data to those in other countries? There are legal concerns such as a limited ability to audit or prosecute.
  7. Integration – Much work is needed on integrating the cloud provider’s services with enterprise services and make them work together.

Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking that a straightforward conversation needs to occur in order to avoid potential pitfalls. Keep alert as the standards develop and contribute, if possible.

Mobile Application Security Podcast with Brent Huston

Are you working with mobile applications? Trying to figure out security? In this helpful informative podcast, Brent covers 3 tips that will give you the tools you need to move forward. Often a developer isn’t certain what questions to start asking. Brent shares some common areas that include foundational practices:

Here is what you’ll learn:

    1) What you should be doing to encrypt your application

    2) Almost 50% of the apps we tested missed this powerful avenue toward leveraging knowledge that is readily available

    3) How are you storing your data? And where? Brent shares insights on data storage

Click to access the entire audio file

Jumphosts Are a Great Place For HoneyPoint Wasp

As the idea of network segmentation, or enclaving, becomes more and more popular, many organizations are also implementing so called “jumphosts” for their critical systems. Typically, a jumphost is a terminal server or Citrix host that users and admins connect to, then ride a terminal server or Citrix connection into the segmented critical hosts. This connection is usually filtered by a firewall, screening router or other access control method which segments the critical hosts from other parts of the infrastructure. Given the critical role these jumphosts play in the operations, it is essential that they be highly protected and monitored.

This is where HoneyPoint Wasp comes in. One of the strongest use cases for Wasp in the field has been to help protect these critical jumphosts from compromise and give the security team deeper visibility into their operation. Wasp lends itself well to this task, especially given the static nature of the systems, by extending normal anti-virus to include deeper, more accurate behavior-based anomaly detection. For example, Wasp maintains a white-list of known applications on the jumphost. If a user or attacker starts a new process that Wasp has never seen before, an alert is generated for the security team to investigate.

This white-listing approach is not reliant on signatures or heuristics to determine if a process is malware or the like, it just learns what is known on the jumphost and when something new is observed, it alerts. In addition, with Wasp in place, the jumphosts are continually monitored for other common signs of infection and intrusion, like newly opened listening IP ports, changes to critical files in the file system, new accounts being created locally or changes to the population of the local administrators group, etc. This new vision into changes on the jumphost can give the security team a heads up when an attack against the critical core is in process. Further, it does so without false positives or noise to degrade their performance over time.

Pricing for HoneyPoint Wasp is comparable to anti-virus pricing. Wasp is designed to work in conjunction with normal anti-virus and is available for Windows systems. Other components of the HoneyPoint product suite are also being used heavily in enclaved environments to bring detection to areas of the network defined as being of the highest priority. Deployments of these tools are in place in government systems, financial organizations, telecomm, manufacturing and critical infrastructure, including SCADA networks. For more information about what HoneyPoint Wasp can bring to your IT environment, give us a call or drop us a line.

Tales From a Non-Security Professional, An End-User’s View

I’ve been working in the information security business for two years and have been amazed by what I’ve learned during this time. I remember when I thought, “Information security? Sure. A bunch of geeks patrolling their networks.” I had seen the movie Hackers, after all.

But I had no idea of the breadth and depth of information security. Basically, if you’re using technology, your data is at risk. Any piece of technology that you use that has sensitive data stored can be stolen. It is up to an individual to be proactive when it comes to information security instead of assuming “The IT Team” will take care of it.

Case in point: This morning I read an article from Dark Reading about Intel’s workers thwarting a malicious email virus. Pretty cool. Those workers took the initiative. They didn’t say to themselves, “Hmm. this email looks a little dicey, but I’m sure IT has it covered..”

Instead, each worker who recognized the malicious email immediately contacted the IT department. Because of such quick action, the IT department was able to contain the potential risk and take care of it. This type of response doesn’t happen overnight (And hopefully won’t take two years, either.) but was the result of consistent education.

For me, I’ve tightened up my own personal security posture as a result of hearing what happens when you don’t pay attention. Here are a few precautions I’ve taken:

1) Never leave a laptop in the front seat of your car.

      This may seem basic, but many workers who have a company-owned laptop will often put it on the passenger’s side of the car, or on the floor. It is easy to assume that when you stop to get gas and take a quick detour into the convenience store to grab a drink, that no one will bother your car. Don’t bet on it.

According to a CSI/FBI Computer Crime and Security Survey

      , data loss from laptop theft came in third and fourth behind virus attacks and unauthorized access. Make a habit of placing your laptop in your trunk, away from prying eyes. And if you really want to protect it, carry it around with you. I’ve been known to carry my laptop inside a CVS, and restaurants. I usually say to myself, “How inconvenient/annoying/scary would it be if this laptop was stolen?” Yep. It’s going with me.

2) Passwords, smashwords! We all belong to probably way too many websites that require a password to access it. That’s not even counting the passwords we need to remember for our work email, database, or access to the intranet. We’re also told by our friendly IT team that we need to change those passwords on a regular basis. If you have trouble remembering what you had to eat for breakfast yesterday, much less trying to remember a password you created three months ago, I have the solution: a password vault. I can’t tell you how much this has alleviated the stress of remembering and revising passwords. I use KeePassX, an open-source password vault application.

Whenever I change my password, I immediately open the app and update my entry. Whenever I join a new site that requires a password, I’ll add a new entry. It’s simple and quick, and will protect me from some joker trying to hack into my sites. Once you get into a habit of changing your passwords, it becomes easier. Believe me, this is a heckuva lot easier than scratching out various passwords and usernames on a scrap piece of paper, throwing it into your desk drawer and then trying to find it three months later.

3) Delete stupid emails. This goes back to the “Here You Have” virus that the Intel employees avoided opening. They immediately saw the risk and reported it. Don’t open emails from people or groups that you don’t recognize. In fact, I created a spam folder and just move those types of emails into it if the regular spam filter doesn’t catch them. I empty the folder on a regular basis. No matter how enticing an email header is, if you don’t recognize the sender, trash it. For those who are detail-oriented, you really don’t have to open every email you receive. Really. You probably didn’t win that lottery, anyway.

4) Be suspicious. This one is probably the most difficult for me. I’m a friendly person. I like people. I was raised by two very outgoing parents and hence, I have a soft spot for striking up conversations with perfect strangers. I find I’m a magnet for some of them, too. When you’re in your office, this can be used against you by a clever attacker. If you’re an IT staff person, you may get a call from someone who is in some type of a bad spot and needs access to “their” data at work and gosh, could we just skip the authentication process? Because most of us are wired to help others (thank you very much, customer service training), we obviously try to be of assistance. Meanwhile, the attacker is counting on this and will press an employee to give them information without checking their credentials. If anyone calls me and starts asking a bunch of nosy questions, I’ll start asking mine right back: “What company do you represent? What is your name? What is your phone number? Why do you need to know this information?”

Sometimes asking such questions may feel awkward, but remember, we’re protecting our company’s data. We’re on the front line and a little discomfort can go a long way in winning the battle of security.

These are a few things I’ve learned over time. Information security isn’t only the IT department’s job or the CISO/CTO/CIO’s. It’s a job that belongs to everyone. If I could sum it up, I’d say this: Be aware. Be aware of your surroundings, aware of your technology, aware of access points. Keeping your eyes and ears open will not only save you a bunch of headaches (and perhaps your job) but will save your company money. And in today’s economy, that is a very, very good thing.

Passwords, Dinosaurs, and 8-Track Tapes

What do passwords dinosaurs and 8 track tapes all have in common? Pretty soon they will all be in the same category: things of the past! It’s not just a matter of people using short, simple, “stupid” passwords any more. With advances in easily available and cheap computing power such as advanced graphics processors and solid state drives (SSDs), even long and complex passwords can be cracked in seconds! Not to mention the fact that if you get hacked and someone installs a keylogging Trojan on your machine, it doesn’t matter how long and complex a password you use; it’s game over!

There are always big concerns about the “exploit du jour” in the information security field. SQL injection, application hacks, XSS, Bots – you name it! But ever since the start the number one way computers get hacked is because of password problems. It’s still going on today! No matter what system one tests, it seems someone has a password of “password” or “admin” or something dumb like that. Or someone forgets to change a blank SA password or forgets to change the default password in some application. Then, of course, there are the system admins who use the same passwords for their user and admin accounts. Instant privilege elevation is given to domain admin and, once again, game over! This is really just a problem of human nature. We all have ambitions to follow the password policies exactly, to use strong passwords all the time, use different passwords for every account, change them on a regular basis, and never reuse the same ones twice, etc. But we all get lazy, or complacent or busy or forget or just screw up! Like I say – human nature.

What is the upshot of all this? Passwords alone as a security measure are hopelessly inadequate. And they always have been! So what is the answer? Well, obviously, we need to use something in addition to passwords. Ideally it would be preferable to use all three of the possible authentication techniques: something we know, something we have and something we are. But it’s hard enough to get people and organizations to consider even two of the three. There is TREMENDOUS resistance against insisting that everyone use tokens for example. And I can understand that. They cost money, you always have to remember to have them with you, they might break at the most awkward of moments, they can be stolen or they can be lost. Same thing with biometrics. They are expensive, they are not always reliable, they can be often be circumvented and they may leave you open to personal attack or even kidnapping! These are all real issues that need to be addressed and, what’s more, gotten used to. People are just going to eventually come to the realization that one or more of these techniques MUST be used. Until now, though, people have been willing to accept the consequences rather than bite the bullet and put up with the hassles and expense. The tipping point has yet to be reached. But, with identity theft, cyber crime and the increasing ease with which passwords can be stolen or broken that point is now very close indeed!

In the mean time, we all should REALLY do a much better job in using strong passwords. The new MINIMUM standard for passwords should be 12 characters and they should use at least three of the four possible character types. And that’s just for normal folks. For system admins and other high value access passwords alone should never be enough. These folks should surely be using multi-part authentication techniques no matter what the expense or hassle. After all, they DO hold the keys to the kingdom for all of us!

Tips for Input Validation

Input validation is the single best defense against injection and XSS vulnerabilities. Done right, proper input validation techniques can make web-applications invulnerable to such attacks. Done incorrectly, they end up bringing little more than a false sense of security. The bad news is that input validation is difficult. “White listing,” or identifying all possible strings accepted as input, is nearly impossible for all but the simplest of applications. “Black listing,” that is parsing the input for bad characters (such as ‘, ;,–, etc.) and dangerous strings, can be challenging as well. Though this is the most common method, it is often the subject of a great deal of challenges as attackers work through various encoding mechanisms, translations and other avoidance tricks to bypass such filters.

Over the last few years, a single source has emerged for best practices around input validation and other web security issues. The working group OWASP has some great techniques for various languages and server environments. Further, vendors such as Sun, Microsoft and others have created best practice articles and sample code for doing input validation for their servers and products. Check with their knowledge base or support teams for specific information about their platform and the security controls they recommend.

While application frameworks and web application firewalls are evolving as tools to help with these security problems, proper developer education and ongoing training of your development team about input validation remains the best solution.