After
reading the stories about Mac OS X's security gaps last month, a
friend commented "Mac has become like Windows" (in terms of security
flaws). The friend has obviously only read the headlines.
If you were to ask any independent security analyst if Macs
should now be considered to be as insecure as a Windows system,
he or she would laugh. Had my friend read the entire story, he
would have understood that the holes found in the Apple
operating system would not be easily spread.
Meanwhile, elsewhere the IT manager who read only the headlines
about the Mac OS X problems may have pulled back on some
Macintosh implementations.
You might be thinking I'm crazy to think someone would make
decisions based on story headlines. But it doesn't take a lot to
influence decisions. All an executive needs is a little voice in
the back of his or her head whispering, "It's not
secure—remember those headlines."
There are many hurdles security
administrators have to overcome to do their jobs, ranging from
users who never learn how to avoid viruses to security companies
that hype every problem to security practices that are difficult
to implement to company executives who don't want to pay for
security or think they can handle security with one big
application or appliance.
We can now add to this list people
who don't bother to get the story behind the headline.
The old
saying that a little bit of information is lethal applies
doubly to security. Understand the complete story before making
decisions.
There is a new
spyware program that sneakily changes Google results for those
with infected web browsers.
The uninvited
software appears to change or replace the display of search
results, sticking in additional listings as though they were
Google organic search results.
E-mails come back to haunt
As you already know, it is not impossible to recover what is saved on a hard disk. So, watch what you're
writing in your emails.
In the anti-trust case Microsoft fought in recent years, an email Bill Gates sent came back to haunt the company.
The email sent to MS executives said "Do we have a clear plan on what we want
Apple to do to undermine Sun?"
Directory Scam
The new
popular scam in Europe these days is to send companies
fake invoices
for accessing internet
"directories." The scammers are hoping that with so many people on holidays over
the summer, people won't check these carefully, and will simply pay. The
amounts usually aren't big, either, making it less likely that an accounts
payable person will carefully check the invoice.
Consider
having a purchase order for all purchases except for cash purchases.
Make sure you shut down the computers at the end of each day.
Not only does this save power, but re-booting the
machine the next morning also helps to get rid of unnecessary things
in its memory and lets the updates apply properly.
Result:
Your machines
will run faster and the anti-virus will be updated.
Savings on Printing
Telstra and similar larger
organisations are trialling a new initiative to reduce their
printing costs. They usually spend millions of dollars in
printing and mailing annual reports.
They are planning to send out PDF documents.
Consider questioning printing in your organisation.
Is it necessary to send out printed material or will an email with a
PDF document do?
Want Content?
You can use the
articles from Digital Arrow in your newsletter.
Please
contact us for details.
Passwords are one of the many
lines of defence against intruders. Your castle guards -- the
login programs and the like --
believe that you are who you say you are because you have your
password. Therefore, it is important to strengthen the passwords
and safeguard them.
I hope that staff in your
organisation don't
(a) use simple passwords (we have
listed some guidelines in the last issue of Digital Arrow)
(b) write the passwords on pieces
of paper and leave them on their desks
(c) use the same password for all
applications (and their personal use such as Internet banking)
If they do, I strongly recommend
that you get your IT department/company to help you put the right
policies in place and educate the users, as a matter of
priority.
Even if you don't
do (a), (b) and (c),
there are clever ways for hackers to get your passwords.
Here are some ways:
Method, and what they do:

Keystroke loggers
  These programs track the keys you type when you are at
  specific websites and then pass the information on to the criminals
  who installed them on your machine.

Brute force
  These programs attempt to crack the password using every
  combination of numeric, alphabetic and special characters
  available, no matter how long it takes. Usually this is done
  'offline', or on an online system where no account policies have
  been set (e.g. lock the account after 3 bad attempts).

Dictionary attacks
  Dictionary attacks try words from a word list, and common
  variations of them, rather than every possible combination.

Listening on the network
  Malicious users listen in on the traffic on a network segment. This
  practice, known as "packet sniffing", means that if passwords
  are transmitted in clear text over the network, the miscreants
  can pick them right up.

Users who give out the passwords
  There is nothing much we can do if the users themselves trade their
  passwords for chocolate (this story was published in Digital
  Arrow a couple of months ago). Hope the users in our
  organisations take security more seriously.
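The brute-force row above mentions the account policy that makes online guessing impractical (lock the account after 3 bad attempts), and the dictionary row explains why common words make poor passwords. The following is an added example, not code from Digital Arrow, showing how a login routine enforces both, together with salted slow hashing (so an offline attack pays a cost per guess) and password expiry. The lockout duration, the 90-day expiry, the minimum length and the small list of common passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_BAD_ATTEMPTS = 3            # the page's example policy: lock after 3 bad attempts
LOCKOUT_SECONDS = 15 * 60       # assumed: how long the lock lasts
PASSWORD_MAX_AGE = 90 * 86400   # assumed: force a change after 90 days
MIN_LENGTH = 12                 # assumed minimum password length
PBKDF2_ROUNDS = 100_000         # assumed work factor for the slow hash

# Constructed list of the words a dictionary attack tries first; a real deployment
# would use a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: float       # when the password was last set (seconds)
    bad_attempts: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: stolen hashes cannot be looked up in a
    # precomputed table, and every offline guess costs PBKDF2_ROUNDS iterations.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_is_acceptable(password: str) -> bool:
    # Rejects short passwords and the words a dictionary attack would try first.
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


def create_account(password: str, now: float) -> Account:
    if not password_is_acceptable(password):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt), changed_at=now)


def check_login(acct: Account, password: str, now: float) -> str:
    # Returns "ok", "expired", "bad_password" or "locked".
    if now < acct.locked_until:
        return "locked"             # even a correct password is refused while locked
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.bad_attempts = 0
        if now - acct.changed_at > PASSWORD_MAX_AGE:
            return "expired"        # correct, but the user must change it now
        return "ok"
    acct.bad_attempts += 1
    if acct.bad_attempts >= MAX_BAD_ATTEMPTS:
        acct.bad_attempts = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "bad_password"


if __name__ == "__main__":
    acct = create_account("correct horse battery", now=1000.0)
    for guess in ("password", "letmein", "qwerty"):       # three dictionary guesses
        print(guess, "->", check_login(acct, guess, now=1001.0))
    print("real password while locked ->", check_login(acct, "correct horse battery", 1002.0))
```

With a lockout in place, an online guesser gets at most three tries per lockout period, so the "no matter how long it takes" approach described above only works against a copy of the stored hashes, which is why the hash is salted and slow.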
Here are some ways to make password theft more difficult.
How to
stop the password thieves
Two factor authentication
Under this system, you carry a small gadget with a screen in your pocket.
The gadget changes the numbers periodically (say every minute or
so). When you want to log in, you enter a four-digit code that
you already know (your password) followed by the digits that appear
on the gadget's screen, and the server authenticates you from both. Bill Gates predicts that this
is the future
of password security.
Bendigo Bank recently started using this method of
authentication for online banking.
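The page describes the gadget's behaviour but not how the server knows which digits are showing. The usual way such tokens work is a time-based one-time password: token and server share a secret, and both derive the digits from the secret and the current time slot. The following is an added example, not code from Digital Arrow or from any bank's system, implementing that scheme (RFC 4226 HOTP and RFC 6238 TOTP) and the combined "PIN plus token digits" check described above. The 30-second step, the 6-digit code and the one-step clock-drift window are assumptions; the secret used in the test is the RFC 6238 test vector.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    # then "dynamic truncation" picks 4 bytes and reduces them to the wanted digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    # Time-based variant (RFC 6238): the counter is the number of time steps elapsed,
    # so the gadget's digits change once per step without any network connection.
    return hotp(secret, at_time // step, digits)


def verify_login(stored_pin: str, secret: bytes, entered: str, now: int,
                 step: int = 30, digits: int = 6, window: int = 1) -> bool:
    # The user types the PIN they know followed by the digits on the gadget.
    if len(entered) != len(stored_pin) + digits:
        return False
    pin, code = entered[:len(stored_pin)], entered[len(stored_pin):]
    pin_ok = hmac.compare_digest(pin, stored_pin)
    # Accept the current step and `window` steps either side to tolerate clock drift
    # between the gadget and the server (assumed policy).
    counter = now // step
    code_ok = any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )
    return pin_ok and code_ok


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector secret) and a fixed time.
    secret = b"12345678901234567890"
    now = 59
    shown = totp(secret, now)
    print("gadget shows:", shown)
    print("login with PIN + code:", verify_login("1234", secret, "1234" + shown, now))
    print("login with stale code:", verify_login("1234", secret, "1234" + shown, now + 90))
```

The point for a defender is that a captured keystroke log (the first row of the table above) yields a PIN and a code that stops being valid within a minute or two, and the secret itself never leaves the gadget or the server.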
Linus,
one of our Senior Engineers, tells me that he has used
a system where the server sends the current password via SMS to
the mobile phone of the user when they are ready to login.
Scratchy cards
A commercial bank in Sweden introduced a different method of
securing passwords. To log into their online banking, you
need to enter your password and your Swedish National Number.
For additional security, scratch the ('scratchy') card that has
50 codes. You need to use the codes, one by one, each time you
log on or perform a transaction.
As you can imagine there are many more ways to protect your
passwords.
We can add several layers of protection to secure our data
and passwords.
However it really depends on your budget and the needs.
Even if you don't do much else (security-wise), at least use stronger passwords and make them expire
regularly.
Recently, more vulnerabilities have been discovered in Internet
Explorer. This time the attacks are more severe.
Sadly, it will take a while
for Microsoft to close these security holes. In the meantime, the
Computer Emergency Response Team (CERT), a well-respected
security organisation, has asked Internet Explorer users to switch to other browsers
that are not affected by the attack, such as Mozilla, Mozilla Firefox and Opera.
Mac, Linux and other non-Windows
operating systems are immune from this attack.
For people who
continue to use Internet Explorer, CERT and Microsoft
recommend setting the browser's security settings to "high," but
that can impair some browsing functions.
At least for now,
please ask your users to stop using
Internet Explorer.
The more specific your search is, the
more likely you will find what you want. Don't be afraid to tell
a search engine exactly what you are looking for.
For example, if you want information
about Windows 98 bugs, search for "Windows 98 bugs," not
"Windows." Or even better, search for exactly what the problem
is: "I can't install a USB device in Windows 98," for example.
You'll be surprised at how often this works.
Using The + Symbol to Add
Sometimes, you want to make sure that
a search engine finds pages that have all the words you enter,
not just some of them. The + symbol lets you do this.
For example, you
may want to find
pages that have references to both Clinton and Kenneth Starr on
the same page. You could search this way:
+clinton +starr
The + symbol is especially helpful
when you do a search and then find yourself overwhelmed with
information. If you wanted to reserve a camping space
on the Gold Coast, you might start out
simply searching: gold coast
If so, chances
are, you'll probably get too many off-target results. Instead,
try searching for all the words you know must appear on the type
of page you're looking for:
+gold coast +camping +reservations
Using The - Symbol to Subtract
Sometimes, you want a search engine to
find pages that have one word on them but not another word. The
- symbol lets you do this.
For example,
imagine you want information about President Clinton but
don't want to be overwhelmed by pages relating to the Monica
Lewinsky scandal. You could search this way:
clinton -lewinsky
Perhaps you are a
fan of the original Star Trek series but instead keep finding
pages about Voyager, Deep Space Nine or Star Trek: The Next
Generation. Try a search like this:
star trek -voyager -deep -space -nine -next
-generation
In general, the -
symbol is helpful for focusing results when you get too many
that are unrelated to your topic. Simply begin subtracting terms
you know are not of interest, and you should get better results.
Using
Quotation Marks to Multiply
Now that you know
how to add and subtract terms, we can move on to multiplication.
For example,
remember above when we wanted pages about reserving a campsite
in Gold Coast? We entered all the terms like this:
+gold coast +camping +reservations
That brings back
pages that have all those words on them, but there's no
guarantee that the words may necessarily be near each other. You
could get a page that mentions Gold Coast in the opening paragraph
but then later talks about getting camping reservations
elsewhere. All the words you added together would appear on
this page, but it still might not be what you are looking for.
Doing a phrase
search avoids this problem. This is where you tell a search
engine to give you pages where the terms appear in exactly the
order you specify. You do this by putting quotation marks around
the phrase, like this:
"gold coast camping reservations"
Now, only pages
that have all the words and in the exact order shown above will
be listed. The answers should be much more on target than with
simple addition.
Remember the
search for information about the latest Star Trek movie? We
could transform that into a phrase search like this:
"star trek insurrection"
But the movie's
title actually has a colon after the word "trek," and many pages
might also follow this format. Thus, a better phrase search
might be:
"star trek: insurrection"
Combining Symbols
Once you've
mastered adding, subtracting and multiplying, you can combine
symbols to easily create targeted searches.
For example,
remember the person who wanted pages only about Star Trek's
original series? We searched this way:
star trek -voyager -deep -space -nine -next
-generation
A better search
might use subtraction and multiplication:
"star trek" -voyager -"deep space nine" -"next
generation"
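To make the add, subtract and multiply rules above concrete, here is an added example (not code from Digital Arrow or from any search engine) of a small query matcher that applies them to a few constructed pages: a + term must appear, a - term or phrase must not, a quoted phrase must appear with the words adjacent and in order, and a plain term is treated as optional, so a page needs at least one of them. The page texts and the rule that plain terms are optional are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample pages, labelled by a short name.
PAGES: Dict[str, str] = {
    "camping-guide": "Gold Coast camping reservations made easy: book your Gold Coast camping site online",
    "coast-news": "Gold Coast opens new beach; camping reservations elsewhere in Queensland are up",
    "tng-episodes": "Star Trek: The Next Generation episode guide",
    "original-series": "Star Trek original series cast list and episode guide",
}


def tokenize(text: str) -> List[str]:
    # Lower-case words only; punctuation such as the colon in "Star Trek:" is dropped,
    # which is why "star trek: insurrection" and "star trek insurrection" match alike here.
    return re.findall(r"[a-z0-9]+", text.lower())


def parse_query(query: str) -> List[Tuple[str, List[str]]]:
    # Each term becomes (operator, words): operator is "+", "-" or "" and a quoted
    # phrase keeps all its words together so they are matched in order.
    terms = []
    for op, quoted, bare in re.findall(r'([+-]?)(?:"([^"]*)"|(\S+))', query):
        words = tokenize(quoted if quoted else bare)
        if words:
            terms.append((op, words))
    return terms


def contains_phrase(tokens: List[str], phrase: List[str]) -> bool:
    # True when the phrase's words occur adjacent and in order (a one-word phrase
    # is just a word lookup).
    n = len(phrase)
    return any(tokens[i:i + n] == phrase for i in range(len(tokens) - n + 1))


def matches(page_text: str, query: str) -> bool:
    tokens = tokenize(page_text)
    terms = parse_query(query)
    required = [w for op, w in terms if op == "+"]
    excluded = [w for op, w in terms if op == "-"]
    optional = [w for op, w in terms if op == ""]
    if any(contains_phrase(tokens, w) for w in excluded):     # subtraction
        return False
    if not all(contains_phrase(tokens, w) for w in required):  # addition
        return False
    if optional and not any(contains_phrase(tokens, w) for w in optional):
        return False
    return True


def search(pages: Dict[str, str], query: str) -> List[str]:
    return sorted(name for name, text in pages.items() if matches(text, query))


if __name__ == "__main__":
    for q in ('+gold coast +camping +reservations',
              '"gold coast camping reservations"',
              'star trek -voyager -deep -space -nine -next -generation',
              '"star trek" -voyager -"deep space nine" -"next generation"'):
        print(q, "->", search(PAGES, q))
```

Note that the addition query returns both Gold Coast pages, while the phrase search returns only the camping guide, which is exactly the difference the section above describes.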
Digital Armour now has a new site.
There is a variety of tips (cost-saving tips, insights,
security tips) and information resources (software
licensing newsletters, spotlight newsletters - they
focus on specific areas of computing) available.
Live Help is available (usually) at the site so that you
can get any questions you may have immediately - when
you visit.
If you subscribe to the Special Reports, you will
receive all the special reports when they are made
available.
Customers can log in from this site to access the
Helpdesk and other tools.
To align with our new website, we have changed the
layout of Digital Arrow.
As always, please do
let us know if you have any comments/suggestions
on how we can improve the site and the offering.
The Governor of Wisconsin (in the US) has a secure line
to Homeland Security. He has now started getting
telemarketing calls on this secure line!!
A contractor to British Defence called BAE Systems has
developed a stealth wallpaper to beat electronic
eavesdropping on wireless and wired networks.
The company has produced panels using the technology to make
a screen that will prevent outsiders from listening in on
companies' wireless network traffic but let other radio and
mobile phone traffic get through.
The FSS (Frequency Selective Surface) panels are made in the
same way as the printed circuit boards used on stealth bombers
and fighter jets. They come in two varieties: passive, which is
effectively permanent, and active, where various areas can be
switched on and off to enlarge or limit the area of the network.
In August's Digital Arrow
You'll find articles covering
Blogging - what is it and how can it help you
Your Network Security (We apologise that we couldn't fit this
article in the July issue)
The
information provided in the newsletter is for use of a
general nature only and is not intended to be relied upon
as, nor to be a substitute for, specific professional advice
to your situation.
No
responsibility for loss occasioned to any persons acting on
or refraining from action as a result of any material in
this publication can be accepted.
The
information provided is owned by Digital Armour and may be
reproduced only if there is written consent.
Digital Arrow is
published by Digital Armour Corporation Pty Ltd, (ACN 098
270 369 ABN 30 098 270 369) 15 Taylors Drive, Lane Cove,
Sydney, NSW 2066.
If you do not
wish to receive the newsletter any longer, you can either
unsubscribe via email or fax to us on 02 9420 1431 or write
to Digital Armour Corporation, 15 Taylors Drive, Lane Cove,
Sydney, NSW 2066.