Sunday, August 30, 2009

There is a Vanilla Soy Latte in my future...

Monday, August 10, 2009

Looking forward to new and wonderful things!

Thursday, August 6, 2009

Last minute wedding preparations... ya gotta love it!

Sunday, July 19, 2009

Home wireless network security

1. Change Default Administrator Passwords (and Usernames)

At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.

2. Turn on (Compatible) WPA / WEP Encryption

All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all Wi-Fi devices on your network must share the identical encryption settings. Therefore you may need to find a "lowest common denominator" setting.

Keep in mind that WEP (Wired Encryption Privacy) can be cracked in minutes and should not be used.
WPA/WPA2 (Wi-Fi Protected Access) is the strongest available for home use.

3. Change the Default SSID

Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.

4. Enable MAC Address Filtering

Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, which restricts the network to only allow connections from those devices. Do this, but also know that the feature is not as powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.

5. Disable SSID Broadcast

In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.

6. Do Not Auto-Connect to Open Wi-Fi Networks

Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.

7. Assign Static IP Addresses to Devices

Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

8. Enable Firewalls On Each Computer and the Router

Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.

9. Position the Router or Access Point Safely

Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.

10. Turn Off the Network During Extended Periods of Non-Use

The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.

11. Use Virus Protection

Ensure that you use some form of virus protection software. Additionally, this software is pretty worthless if you do not subscribe to the live updates.

12. Stay up to date on Identity Theft

Originally posted on / Edited/updated by Ron Clement
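
One way to check what a nearby device sees against items 2 and 3 of the list above, as an added example that is not part of the original post. It assumes scan output in the terse `SSID:SECURITY` form produced by `nmcli -t -f SSID,SECURITY device wifi list`; the default-name prefixes other than "linksys" and the sample scan are constructed for illustration.

```python
import re

# Illustrative factory-default name prefixes; the post itself names only "linksys".
DEFAULT_SSID = re.compile(r"^(linksys|netgear|dlink|default)", re.IGNORECASE)


def parse_scan(text):
    """Parse terse scan output: one 'SSID:SECURITY' record per line."""
    networks = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        # SECURITY never contains ':', so split on the last one; terse mode
        # escapes a ':' inside the SSID as backslash-colon.
        ssid, _, security = line.rpartition(":")
        networks.append((ssid.replace("\\:", ":"), security.split()))
    return networks


def audit(ssid, modes):
    """Return checklist findings for one network (empty list means none)."""
    findings = []
    if not modes or modes == ["--"]:
        findings.append("item 2: no encryption enabled")
    elif "WEP" in modes:
        findings.append("item 2: WEP in use; switch to WPA/WPA2")
    if DEFAULT_SSID.match(ssid):
        findings.append("item 3: factory-default SSID")
    return findings


def report(text):
    """Map each SSID that has at least one finding to its findings."""
    result = {}
    for ssid, modes in parse_scan(text):
        findings = audit(ssid, modes)
        if findings:
            result[ssid] = findings
    return result


# Constructed sample scan (not real networks).
SAMPLE = "linksys:WEP\nHomeNet-5G:WPA2\nCafe\\:Guest:\nNETGEAR42:WPA1 WPA2\n"

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```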

Thursday, April 23, 2009

The Beauty of Awareness

Article printed in Access Control & Security Systems - Security Solutions.Com


Feb 1, 2008 12:00 PM, By Sandra Kay Miller
In the realm of ever‐changing technology, keeping skills up‐to‐date is critical,
especially in large data‐driven enterprises. Veteran trainers who have worked their
way through the multitude of platforms, hardware and business trends can also be
found on the frontlines of securing — both logically and physically — multi‐national
manufacturers, communications and entertainment giants and arms of the United
States government.

That has been the career path for Ron Clement, who was first introduced to
computers during his nine years in the Air Force. After leaving the service, he began
attending college in New York for accounting, but then “fell in love” with computers.
“I started working with computers at the help desk level,” says Clement who is
currently a risk management and compliance consultant at Estée Lauder Companies
Inc. Clement hints at his age, admitting to teaching DOS on dual floppy machines
with green screens at telephone service provider GTE.

On his most recent project, Clement was tasked with creating a security awareness
program for Estée Lauder, the 70‐year‐old skin care, makeup and fragrance
company based in New York City. Recently, Clement had the opportunity to meet
with the head of Estée Lauder's physical security. “We talked about the touchpoints
of our two groups and how we're going to work together. For instance, using
Internet portals, hotlines and security awareness campaigns, we can feed a lot of the
physical security information — there's a lot of stuff we can do together.”

Despite the trend to centralize security operations, thanks to Clement's vast
experience, his goal is to develop a somewhat de‐centralized program so individual
countries will have some autonomy in order to accommodate multiple languages
and cultures. “They are in 130 countries, so it's going to be pretty huge. It will run
the gamut from posters to brochures to becoming part of employee orientations,”
explains Clement, who believes that awareness is the first line of defense because
people can prevent so much if they are informed and allowed to help.

It's the latest episode in a career that has progressed in lockstep with developments
in IT technology.

When Clement moved on earlier in his career, GTE had become Verizon, and he was
a senior systems analyst going from teaching one to all 18 of the classes they offered
through corporate training for software packages such as Lotus, dBase and
WordPerfect. Clement also gathered invaluable hands‐on training when he assisted
in the build‐out of a new corporate headquarters in Dallas. “We laid wire, set up the
LAN, printers, computers — the works — so 3,000 people from all over the country
could move to Dallas and work.” Clement stayed in Dallas for a few years, delving
deeply into network architecture and administration.

But then an opportunity lured him in a new direction: Microsoft. At the height of the
dot‐com boom, Clement went to work for the rapidly growing Redmond, Wash.,
giant as a technical account manager, handling enterprise installations. However,
taking the new position also meant a cut in pay for him at the time. “I really enjoyed
learning all the Windows stuff and networking, but at that time, they were big on
stock options, and didn't pay very well,” he says, following with an explanation of
how his two years at Microsoft paid off later. “My plan was take a step back to take
two steps forward.”

With Microsoft certifications in high demand, so were Clement's skills. He signed on
as a technical consultant with point‐of‐sale provider NCR, traveling throughout the
world deploying and securing networks for clients such as hotel chains.

With a market downturn, many of the projects on which Clement was working were
either reduced or eliminated, so he turned back to teaching. “I've always done some
sort of teaching either at a night school or technical college,” he says, ticking off a list
of commonly taught networking, security and UNIX classes. His skills caught the eye
of Chicago‐based Accenture, a large consulting firm, but when the market dipped
again, Clement found himself unemployed. “Now I was on the streets with a
boatload of skills and a list of certifications behind my name.”

Being resourceful, he returned to teaching full‐time at Central Piedmont Community
College near his home in Charlotte, N.C., where he taught Microsoft and Cisco
certification courses until becoming the program chair of the department, a job that
included putting together the curriculum and schedules and hiring other

Wanting to get back into hands‐on technical work, Clement began studying
computer security. Not long after that, 9/11 occurred and the demand for security
was on the rise, so he hit the road again, teaching week‐long CISSP boot camps
across the country.

But after a few years, Clement sought continuity in his work schedule and began
contracting with large enterprises such as Bank of America, Wachovia, Time Warner
Cable, Walt Disney World and the Department of Defense for security projects.

Moving through various organizations, Clement soon recognized the growing
convergence between physical and computer security. “Physical and logical security
are joined at the hip in a lot of places. Hackers are walking into buildings, picking up
laptops and walking out or walking into a building and plugging their laptop into a
jack in an empty conference room and gaining access to the corporate network,” he
says. “You know, once somebody is in your building, they can do pretty much
anything.” Furthering his observations, he points out that in the CISSP course there
is an entire section devoted to physical security, including locks, doors, fences,
security guards, wire installation as well as business continuity and disaster

Next on Clement's career agenda is to obtain his auditor certification. “I really enjoy
the security arena — especially standards, data classification, risk management and
policies,” he says, justifying his decision based upon the growing demands of
regulatory compliance. “Compliance is another piece that fits into security. It was
never figured into the bottom line because it didn't generate any income. Security
was ignored. So now we have things like SOX, Visa, PCI and all the other compliance
regulations. Companies are forced to implement security, and a lot of them are
scrambling because they never did it before. Now they have big budgets, otherwise
they're going to have big fines if they don't comply.”

As he becomes more experienced in compliance issues, Clement has found that most
of the regulations boil down to basic security practices.

Tuesday, March 31, 2009

Internet Crime Complaint Center Releases Annual Report

The 2008 Annual Report states that complaints of online crime hit a record high in 2008. IC3 received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss amounted to $931.

Thursday, March 19, 2009

What is Pharming??

"Pharming" is a method hackers use to redirect computer users' browsers to spoofed banking or e-commerce sites. In other words, you can be directed to a site that looks just like your bank's site. At that point, when you enter personal information such as your account number and password, it will be in the hands of the hacker.

How can this be prevented? As with most information security issues, security awareness will allow you to recognize these social engineering threats.

More on Email Tracking-Web Bug

Think about this every time you forward a message... jokes, virus warning, biblical quotes, prayers to pass on, Obama presentations, cute sayings, nice pictures, etc.

The originator places a 'web bug' in the message. Also called a "Web beacon," "pixel tag," "clear GIF" and "invisible GIF," it is a method for passing information from the user's computer to a third party Web site. Used in conjunction with cookies, Web bugs enable information to be gathered and tracked in the stateless environment of the Internet. The Web bug is typically a one-pixel, transparent GIF image, although it can be a visible image as well. As the HTML code for the Web bug points to a site to retrieve the image, it can pass along information at the same time.

Web bugs can be placed into an HTML page used for e-mail messages as most mail programs support the display of HTML pages.

The Web bug, an invisible GIF with a unique name obtained from the tracker's server, is inserted into the message. When the recipient previews or opens the message, the GIF is downloaded from the tracker's server, which reads the name and notifies the sender.

The information relayed can include your email address, ISP, IP address, etc.

Again, this is called social engineering, which is described in a previous post.

So be aware of these threats, especially when forwarding email whose 'original' originator you do not know.
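
The web bug described above can be spotted mechanically before a message is opened or forwarded. The following is an added example, not part of the original post: it scans the HTML part of a message for remote images that are one pixel in size or hidden and that carry a unique-looking name. The sample message, its hosts and its token are constructed, and the 16-hex-character threshold is an assumption.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

TOKEN = re.compile(r"[0-9a-f]{16,}", re.IGNORECASE)  # long hex run: likely a unique name

class ImgCollector(HTMLParser):
    # Collects the attributes of every <img> tag in an HTML body.
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def tiny(value):
    # True for a width/height of 0 or 1, with or without a "px" suffix.
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")

def score_image(attrs):
    """Return the reasons an <img> looks like a web bug (empty list if none)."""
    url = urlparse(attrs.get("src") or "")
    if url.scheme not in ("http", "https"):
        return []  # cid:/data: images are embedded; loading them contacts no server
    reasons = []
    if tiny(attrs.get("width")) and tiny(attrs.get("height")):
        reasons.append("one-pixel image")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    if reasons and TOKEN.search(url.path + "?" + url.query):
        reasons.append("unique token in URL")
    return reasons

def find_web_bugs(raw_message):
    """Return (src, reasons) for each suspicious remote image in an e-mail."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        collector = ImgCollector()
        collector.feed(html)
        for attrs in collector.images:
            reasons = score_image(attrs)
            if reasons:
                hits.append((attrs.get("src"), reasons))
    return hits

# Constructed sample message; every host name and the token are made up.
SAMPLE = """\
From: newsletter@example.com
Subject: Fwd: Please pass this on
Content-Type: text/html; charset="utf-8"

<html><body><p>Forward this to everyone you know!</p>
<img src="https://cdn.example.com/banner.png" width="600" height="120">
<img src="https://tracker.example.net/o/3f9a1c77d2b84e06a5c1.gif" width="1" height="1">
<img src="cid:logo@local" width="1" height="1">
</body></html>
"""
```

Mail clients that block remote images by default prevent the download, and therefore the notification, that the tracker depends on.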

Thursday, March 12, 2009

Info Security for the rest of us

Everyday people have no idea of the information security threats they face. Unsuspecting home wireless network users normally do not have the knowledge to perform a few simple steps to secure their personal information!

What is Spear Phishing???

DEFINITION - Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.

According to an article in the New York Times, spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by "sophisticated groups out for financial gain, trade secrets or military information."

Here's one version of a spear phishing attack: The perpetrator finds a Web site for a targeted organization that supplies contact information for employees and other relevant data about the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail appearing to come from an individual who might reasonably request confidential information, such as a network administrator. Typically, a spear phisher requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious programming. The message employs social engineering (fraudulent, non-technical) tactics to convince the recipient. If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and gain access to sensitive data.

Most people have learned to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to e-mail messages or click on links in messages unless they are positive about the source. The relative success of spear phishing relies upon the details used: The apparent source is a known and trusted individual, information within the message supports its validity, and the request seems to have a logical basis.

At West Point in 2004, teacher and National Security Agency expert Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware.

IBM's Global Security Index research found that, in 2005, intercepted spear-phishing attempts rose from 56 intercepted attempts in January to over 600,000 in June.

Wednesday, March 11, 2009

Spear Phishing Study

A recent study on human susceptibility to spear phishing attacks. The data set that formed the basis of this study was obtained from the results of mock spear phishing exercises run by our clients (against their respective workforce).

The data was gathered from 32 mock phishing exercises run at companies spanning a variety of industries (healthcare, financial services, government, government contracting, etc.) and varying sizes (ranging from companies with 100 employees to those with more than 200,000 employees). Also, the target workforce spanned 18 different countries.

Key findings of the study include:

23% of people are vulnerable to targeted/spear phishing attacks (despite the fact that they received conventional user awareness training). This explains why spear phishing is the attack vector of choice today.

Phishing attacks that use an authoritative tone are 40% more successful than those that attempt to lure people through reward-giving.

Men and women are both equally (difference of 0.3%, margin of error ±3%) susceptible to phishing.

On average, 60% of corporate employees who were found susceptible to targeted spear phishing responded to the phishing emails within three hours of receiving them. 20% of those vulnerable reacted in the first hour!

We will be continuing to mine the unique set of data to draw other interesting statistics and assist organizations in focusing their security awareness efforts in the right areas.

Sunday, March 1, 2009

Forwarding Emails - The Threat

Forwarding emails that you receive pertaining to some supposedly important subject is certainly a form of social engineering. Social engineering, for those that don't know, is when a hacker uses the "gullibility of people" to gain information. We have all received emails telling us about an impending situation that you feel obligated to let all your friends and family know about. Emails about viruses, computer threats, stimulus checks, refunds, you name it... the subject list is endless. The point is... hackers, marketeers, and the like use these emails to gain information about the addressees that you forward the email to. Hacker tools in the category of E-Mail Tracking are used for this purpose. These tools allow the originator of an email to know whether the recipient reads, forwards, modifies, or deletes an email, along with their email address. A single pixel graphic file that isn't noticeable to the recipient is attached to the email. Then, when an action is performed on an e-mail, this graphic file connects back to the server and notifies the original sender of the action. So, when you forward that email, it returns a list of all the addresses you forwarded it to.

The result? The hacker now has all of the e-mail addresses that you forwarded the email to, along with those of the next person and so on. Notices about grave consequences are normally sent by authorities on the subject matter... For example, Symantec or McAfee (computer security companies) would send out notices about computer threats, viruses, trojans, etc.

Passing on the emails to your address list is doing exactly what the hacker wants you to do! Remember, be judicious in forwarding emails, including jokes, to the members of your address list. Following this advice will help reduce spam, identity theft, and other malicious threats to your confidentiality.



About Me

Divorced, 3 Children, Information Security Professional.