Friday, May 23, 2014

The End (Part 2)

Week 12

Over a year and a half ago, I posted a blog entitled The End.  That blog discussed the class that was finishing at the time (Information Security Management).  Well, it is now the end of not just another current class but also my MS in Cybersecurity degree.  I have learned a lot over the course of the past 2 years.  I will have to say that I have a much stronger understanding of everything that goes on behind the scenes to make a company more secure, not just in the network but as a whole.  Some classes were great; others were not.

If I were to have to pick a class that was the hardest on me, it would have to be Computer Forensics.  The reading and writing in that class was by far the hardest to put my head around.  The class that I would have to choose as the easiest on me would have been none of them but my favorite was Risk Management Studies.  Being able to look at risks in a different light than I already was really made me respect the topic much more than I already did.

Going into my final class (Current Trends in Cybersecurity), I would have to say that I wish I would have known more about threats; threat modeling in general.  Jumping right into this subject in the first week got me very worried that I was not ready for it, but I overcame the fears and was able to learn the subject matter.  Threat modeling was by far the hardest part of the class.  I feel that if I would have had the proper text material, it would have been easier for me, but with the lack of material, it was not that fun to deal with.

If I could do it over, I would have worked it to only take Current Trends by itself in the final session rather than taking another heavily active class.  Taking just the one class would have helped calm my nerves down during the weeks while doing my research for both classes.  Even though all classes built up to the Current Trends class, it did work out for me in the long run taking the one I did along with it (Security Architecture & Design).  The two classes built off the same scenario so I had the scenario fresh in my mind on a weekly basis.

Overall, the Cybersecurity degree at Bellevue University is not for the faint of heart, so to speak.  I went into the degree thinking that it was going to be more of just IT Security subjects.  Cybersecurity is an entire view of IT security.  It encompasses everything dealing with IT security and even physical security.  The word of advice to those that think they are getting into an easy degree; you are not.  Not that I came into this degree thinking that; I just felt that with my experience with IT security, I would do just fine.  I will say, though, that this was one of the best decisions I have ever made.  This degree has taught me everything I wanted to know and more.

Saturday, May 17, 2014

Bring Your Own Device AKA BYOD

Week 10

Something that has been a growing trend of late is Bring Your Own Device (BYOD).  Companies are allowing their employees to bring a device from home to use and connect to their network.  You probably see this more than you think.  Phones and tablets are two of the most used devices that people bring and use while at work.  The downside to this, in my opinion, is the fact that they must use the company's wireless connections.  This can open up their network for serious security threats.  If a company is not set up properly, they can end up causing more damage by allowing BYOD.

I, for one, am not fond of this technology.  A company network normally has some sort of confidential or sensitive information.  If that part of the network is exposed to the Internet through a device, it could have huge ramifications for that business.  Let me just use a specific scenario to get your attention.

Joe brings in his Samsung Galaxy 5.  On his break, he decides that he wants to get on his phone and play some sort of game (app).  The wireless connection allows his phone to connect to it so that his apps can process correctly.  While Joe is playing an app, a link shows up offering him a game for free.  Joe clicks on the link and begins the download.  Little does he know, a virus is slowly making its way onto his phone.  Now, the virus is on his phone and the company's network is exposed to it because the company's wireless connection was used.  The virus is now slowly creeping onto the company's network.  The network has now been infected with a virus.  The network's data is now compromised.

Not a good scenario is it?  Let's just say that this is what could happen if the company does not have a proper security process in place for BYOD.  One of the first things you should do prior to allowing BYOD is to perform a risk assessment on the network to find the most vulnerable areas so those can be secured properly.  You also need to ask the questions, Why should we allow BYOD? and Is it beneficial to the business?  If the only answer to the first question is to allow employees to do something during break, you honestly don't need to be allowing it.  If the second question's answer is, No, again, it shouldn't be allowed.

When it comes to securing BYOD, there is an awesome whitepaper written by Bradford Networks that discusses 10 steps in general to securing BYOD.  The 10 steps are:

  1. Determine which mobile devices are allowed on the network - Are you going to allow phones only or both phones and tablets?  Also, are you going to allow outside laptops?
  2. Determine which OS versions are going to be allowed - Microsoft? Linux? UNIX? 
  3. Determine which applications are mandatory and prohibited for each device - Are you going to allow only company apps or gaming as well?
  4. Determine which groups of employees will be allowed to use BYOD - All? Management? Security?
  5. Define the who, what, where and when of network access - Who will be able to access what content from where and when they are able to access it.
  6. Educate employees about BYOD - Make sure employees know the hazards of using BYOD and what they can do to defend against them.
  7. Inventory authorized and unauthorized devices - Find out what devices are being used and if they are authorized or unauthorized.
  8. Inventory authorized and unauthorized users - Determine if the users that are using the devices are authorized or unauthorized to use them.
  9. Control access based on the need to know - Limit access to areas just as you have it set up in your directory.  Security gets to see security.  HR gets to see HR.  
  10. Continuous vulnerability assessment and remediation - Continuously monitor BYOD to make sure all policies and procedures are being followed.
          (Bradford Networks, 2011)

These steps will help secure BYOD better than it probably already is.  You can follow the link in the reference section for more detailed information about each step.  Don't just set up your network and allow employees to bring in their own devices without first going through the proper steps to secure your network.  You do not want what happened to Joe's company happening to you.    

Reference:

Bradford Networks. (2011). Ten Steps To Secure BYOD. Retrieved May 17, 2014 from http://www.cadincweb.com/wp-content/uploads/2012/04/CAD_BRAD_Ten_Steps_to_Secure_BYOD.pdf

Saturday, May 10, 2014

Anti-Virus Software is Dead!

Week 9

According to the former U.S. Chief Technology Officer, Aneesh Chopra, anti-virus software is dead!  Earlier this week, during an interview, Chopra mentioned that the technology is dead because most of the hackers are able to get into a network and its computers because the programs written for the software are too big and cumbersome.  They are millions of lines of code, but yet an attacker can just write a few hundred lines and get in (Chopra, 2014).

The point to be made here is that the software is not doing its intended job.  It is being found that more and more hackers are getting into networks and devices than before.  Even with anti-virus software located on the devices, they are still getting in.  Too many people are relying on simply that software to keep them safe.  They are not doing anything on their end to keep them safe.  They are relying on the software 100%.

This now brings up the question; If anti-virus is dead, why are we still buying it?  This shouldn't be a hard question to answer.  Devices still need to monitor the many common virus signatures that are out there.  They can do this with the anti-virus software.  That is what the software is for.  Thing is, it isn't there to hold your hand and tell you that you don't need to do anything else to keep your computer safe because it will do everything for you.  If you believe that the only thing that you need to do is to install the software and walk away, you are dead wrong.  The software cannot do everything for you.  Yes, you can set up the policies within the software but it will not keep you 100% secure.  In fact, nothing can keep you 100% secure.

So what else do you need to do when it comes to securing your system?  Chopra does mention that better password management and watching where you click on the Internet are good starts.  He is right.  I cannot tell you the number of people I have spoken to in the past that have used a very easy password such as 'password' or even 'pw1234'.  It is ridiculous!  How can you feel safe with that password?  Those are some of the first ones that a hacker will try after they have made it onto your system.  If you can't think of anything good when it comes to a password, use a password generator.  Set the character length and make sure it has a symbol or two and generate it.  Don't write it down somewhere.  Keep it in your mind and memorize it.

Clicking on links on the Internet can end up being very dangerous.  'Look, I can get a free Xbox One if I fill out this survey!'  'Let me just click this link to go and take it.'  Now you have a virus installing in the background destroying everything in its path.  It is that simple folks!  If the deal looks too good to be true, chances are it is.  If you have never heard of the site, don't go there.  Research it first and determine if it has a good reputation.

I keep anti-virus software on my computer and up to date.  Am I going to get rid of it or stop buying it because it is dying out?  No!  I am going to continue buying it, plus doing all the other things that I need to do to help take the load off of it.  Managing my passwords and changing them regularly.  Also, watching where I go and click on the Internet is always something that I have done and teach to others.  Don't take this news as you should stop using an anti-virus software.  Take it as a push to beef up the way you maintain your other security actions while you are on your computer.

References:

Chopra, A. (2014). Is anti-virus dead? Former U.S. tech czar weighs in. Retrieved May 10, 2014 from http://www.cnbc.com/id/101643106

Wednesday, April 30, 2014

Internet Explorer Bug!

Week 8

Well, a few weeks ago, I spoke on Microsoft ending all security updates for Microsoft XP.  A few days ago, the Internet was a-buzz speaking about Internet Explorer (IE) and the new vulnerability that was found.  Trust me when I say this, This is NOT good news for the users that still use XP.  Due to Microsoft ending support, when the bug is fixed in IE, the users still using XP will not get that update.  If they continue to use both XP and IE together, they are keeping themselves open for a serious security risk.

The major information about this bug is that it allows hackers to run code on your computer to allow them to get into your computer and gain admin privileges over it.  They can pretty much do anything on your computer after that.  They can even create a Web page to mimic one that you normally go to so that they can get information about you such as your user IDs and passwords.  The main IE versions that are affected are 9, 10 and 11.  This still affects, from estimates, 300 million users.  That is an astounding number.  Do they really feel that there are that many users of IE out there?  To be honest, most of the people I know use either Chrome or Firefox.  Either way, there is no doubt in my mind that there are millions out there that are still using it and those are probably the XP users as well.

What can you do about it?  Well, if you still have XP, upgrade to Windows 7 or 8 and install another browser on your machine.  Chrome and Firefox are the two most popular browsers available, in my opinion.  I, though, use a combination of three; the two mentioned before and Torch.  This is a browser built off the Chrome source code and great for any social networking freak.  Anyway, back to what you can do.  If you currently have IE, and have a newer version of a Windows Operating System, install a new browser and uninstall IE.  I honestly don't trust it and don't have it on my machine.  Haven't used the browser in several years.

If you have XP, I again stress that it is time to upgrade your system.  I know that costs money but it will cost a lot less than having to get your identity back after someone steals it after hacking into your machine.  If you cannot upgrade to a new OS, again, install another browser and get rid of IE.  Here are some recommended browsers from me:

Google Chrome - https://www.google.com/intl/en/chrome/browser/
Torch - http://www.torchbrowser.com/
Firefox - http://www.mozilla.org/en-US/firefox/new/
Opera - http://www.opera.com/computer


Sources for Blog:
https://news.yahoo.com/video/internet-explorer-security-flaw-poses-192303274.html;_ylt=A86.J3c1jWFTiScA7PIPxQt.;_ylu=X3oDMTBscmM0aHNtBHNlYwNjZC10aHVtYgRzbGsDc25vYg--

http://gizmodo.com/new-vulnerability-found-in-every-single-version-of-inte-1568383903?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow

Tuesday, April 22, 2014

Verizon's Annual Data Breach Report

Week 7

Tomorrow, we will see the release of the annual report from Verizon that compiles and analyzes security incidents that happened over the year.  This year it will be a 60 page document that discusses the main security concerns.  This year, Verizon is reporting that 94% of all security related incidents in 2013 can be traced to 9 specific categories.  Oh, did I mention that there were more than 63,000 security incidents last year alone!  That means that over 59,000 of those incidents came from one of nine categories.  This should tell you that we need to concentrate on specific areas to help secure our data.  Throughout the rest of this blog, I'm going to go over these 9 threats.


  1. Web App Attacks - This attack is made through, you guessed it, your apps that you use on a daily basis.  This is the most common type of breach according to the report coming out.  You find an app that you think sounds great and you download it.  Not all apps are safe.  Some make it through app inspection and have viruses attached to them.  You download, click and now you have a virus.  Also, you are sometimes required to put in personal information to download the app.  A few guesses at your security questions and the hacker is in.  Please watch what you download.  Apps are scarier than you may think.
  2. Cyberespionage - Pretty much, hackers are gaining unauthorized access to systems and then hanging around and getting personal information and stealing data.  Keep software and security software up to date.  This should stop most of the hackers from getting into your system.  
  3. Point-of-sale intrusions - This is when a hacker gains access to a company's point-of-sale data.  These are the systems that take the payment transactions that occur through a card transaction and submit those payments to the company.  This is what happened with the Target incident this past year.  Hackers gained access to the point-of-sale transactions and were able to steal millions of users' data.  Watch where you swipe that card.  In times that there are going to be millions of people making transactions with cards in a short amount of time, for example Black Friday, I would suggest to use cash or checks during that time.  Checks still have to go through a system process but it's not as unsafe as swiping that card.  
  4. Payment Card Skimmers - This is when a hacker plants a device on a card scanner.  This can be planted at a gas pump, ATM or even in restaurants, but the latter is harder to do because they could be seen planting it.  Anyway, these can sit undetected and take data such as card numbers and your PIN.  Watch where you swipe that card.
  5. Insider Misuse - This is simply put that someone on the inside (an employee) caused some sort of security issue to happen.  They could have allowed the wrong person into the building, given information out to the wrong person over the phone or they could have used the systems within in the wrong way.  
  6. Crimeware - This is like cyberespionage but deals with more illicit activities like stealing banking or financial information.  This can be done by creating fake webpages to make the user think they are on their banking site.  Keep your browsers up to date and anti-virus software and firewalls up to date as well.
  7. Miscellaneous Errors - These are common errors that occur that open up a security concern.  Nothing to do about this section other than to watch what you do when completing your job.
  8. Physical Theft/Loss - Of course, this is just theft and loss of equipment.  Make sure you have proper physical security and insurance to help combat these losses.  You don't want to lose all your computers and find out that you cannot replace them with insurance money.  
  9. Distributed Denial-of-Service Attacks (DDoS) - Ah, the DDoS!  One of the most common tools of a hacker.  These attacks are a flood of attacks from multiple machines.  The flood of information from the machines essentially makes the victim computer shut down and cause a denial of service and systems to the users that need that machine.  For instance, several hackers can start to send requests to access a Web Server.  That server gets too many of those and it shuts down.  The users that really need that server cannot access it anymore, thus a DDoS has occurred.  Keeping software and security software up to date can help but cannot help stop it from occurring if there are too many attacking.  Software like Wireshark can help determine if there are multiple users trying to access a specific device, which can allow you to get ready and do something about the attack, but Wireshark will not help stop the attack altogether.  
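
The check described in item 9 (many different machines hitting one device at the same time) can be sketched as a small detection script. This is an added example, not part of the original post: the `timestamp source destination` line format, the thresholds and the sample addresses are all assumptions, standing in for records exported from a packet capture.

```python
from collections import defaultdict


def build_sample():
    """Constructed sample records: 'epoch_seconds source_ip destination_ip'."""
    lines = []
    # Seconds 0-9: three ordinary clients visit the web server once each.
    for i in range(3):
        lines.append(f"{1.0 + i} 198.51.100.{i + 1} 192.0.2.10")
    # Seconds 10-19: eight sources send five requests each to the web server.
    for s in range(8):
        for r in range(5):
            lines.append(f"{10 + r * 1.5:.1f} 203.0.113.{s + 1} 192.0.2.10")
    # Same window: one busy client sends 30 requests to a different host.
    for r in range(30):
        lines.append(f"{10 + r * 0.3:.1f} 198.51.100.9 192.0.2.20")
    return lines


def flag_floods(lines, window_s=10, min_sources=5, min_requests=20):
    """Return (window_start, destination, distinct_sources, requests) tuples
    for every time window in which one destination was contacted by at least
    min_sources different sources making at least min_requests requests."""
    buckets = defaultdict(lambda: {"sources": set(), "requests": 0})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        ts, src, dst = line.split()
        window_start = int(float(ts) // window_s) * window_s
        bucket = buckets[(window_start, dst)]
        bucket["sources"].add(src)
        bucket["requests"] += 1

    alerts = []
    for (window_start, dst), bucket in sorted(buckets.items()):
        n_sources = len(bucket["sources"])
        if n_sources >= min_sources and bucket["requests"] >= min_requests:
            alerts.append((window_start, dst, n_sources, bucket["requests"]))
    return alerts


if __name__ == "__main__":
    for start, dst, n_sources, n_requests in flag_floods(build_sample()):
        print(f"window {start}s: {dst} hit by {n_sources} sources, "
              f"{n_requests} requests")
```

The single busy client is not flagged because only one source is involved; requiring both many sources and many requests is what separates a distributed flood from one noisy user.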


The main point in this is, watch what you download, keep software up to date, make sure that you have proper anti-virus installed and a firewall defending your computer, and keep passwords and personal data to yourself.  The Internet is a dangerous place.  You are the person in charge of your security.  Don't get mad when you are hacked but yet have no defense on your computer.  



Reference:

Lev-Ram, M. (2014). New cyber-threats that go bump in the night. Retrieved April 22, 2014 from http://tech.fortune.cnn.com/2014/04/22/new-cyber-threats-that-go-bump-in-the-night/?section=magazines_fortune

Sunday, April 20, 2014

Heartbleed!

Week 6

I know I'm a bit late in discussing this topic, but I feel the need to blog about it so that my normal readers get a chance to hear from me on my feelings about it.

First off, let's start at the source, OpenSSL.  This is a free and open project that collaborates to develop and implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols with a general cryptography library.  This is opened and managed by a community of volunteers that communicate through the Internet (The OpenSSL Project, 2014).  In layman terms, the two communication protocols that help people communicate across a network (SSL & TLS) are used to create an open source security library (everyone can use this code and do what they want with it to an extent).  This library helps encrypt data while communicating on the Internet.

The downside with this project is that it had flaws to begin with.  Supposedly, hackers have been using these flaws against the project and been able to hack into Web sites vulnerable with the OpenSSL project.  Hackers can take those flaws, find out where users have been on the Internet, create fake Web sites, and then the next time the user goes to that Web site, they actually access the fake site that the hacker created for them.  This then allows the hacker to gain information such as User IDs and passwords (Fung, 2014).  This is honestly scarier than it sounds.  If you haven't taken steps to combat this bug, you are very vulnerable to it.

People have been navigating the Internet for years under the assumption that they were safe on sites.  This, as we know now, has not been the case.  Many popular Web sites are vulnerable to the Heartbleed bug, and chances are, you use them even today.  Sites such as: Yahoo, Facebook, Dropbox, Tumblr, Pinterest, Netflix, Amazon, Paypal, Adobe and many more were vulnerable to begin with.  Many have added security patches to help keep this bug from being used against its users but many have yet to do so.

There is a great tool out there that will help you determine if the site you use is safe from the Heartbleed bug.  You can go to https://filippo.io/Heartbleed/ and type in the Web page of the site you wish to check.  It will link itself with that page and run a scan on it.  It will then give you a message.  Make sure you read that message.  Not getting a green message doesn't necessarily mean that it is a bad site.

My suggestion is that if the site gives you a green light, go to that site and change your password.  I also recommend that you get into a habit of changing your password once every 2 to 3 months.  Yes, that does get tedious but it will save you in the long run.  Also, use passwords that are not easy to guess.  Suggestion, use at least 1 capital letter, 1 lowercase letter, 1 number and 1 symbol within your password (that is if the site allows the 1 symbol, some do not).  The more advanced you make your password, the safer you are.

A good site to use when testing your password strength is https://howsecureismypassword.net/.  You can go here, type your password in and it will tell you how long it will take a computer to crack your password.  It's not 100% accurate but it at least gives you an idea of how hard it is to crack your password.  Don't worry, this site does not save a password.  It doesn't even know where you will be typing this password nor does it know the user IDs associated with the password.  You are safe on this site, and the filippo site I provided earlier that checks for Heartbleed vulnerabilities also says it is safe.  Good luck in your quest to better secure your accounts.
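
The password advice in this post (at least one capital letter, lowercase letter, number and symbol) and the password-generator advice in the anti-virus post can be put into code. This is an added example, not from the original posts: the symbol set and the guessing rate of 10 billion guesses per second are assumptions, and the weak-password list holds only the two passwords quoted on this page.

```python
import math
import secrets
import string

# Assumed symbol set; sites differ in which symbols they accept.
SYMBOLS = "!@#$%^&*()-_=+[]{}"
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}
# The two weak passwords quoted on this page; a real check uses a large list.
KNOWN_WEAK = {"password", "pw1234"}


def missing_classes(password):
    """Names of the required character classes the password does not use."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def generate_password(length=16, allow_symbols=True):
    """Draw characters from the OS random source and retry until every
    required class is present, so compliant passwords are equally likely."""
    required = [n for n in CLASSES if allow_symbols or n != "symbol"]
    if length < len(required):
        raise ValueError("length is too short to hold every required class")
    alphabet = "".join(CLASSES[n] for n in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        lacking = missing_classes(candidate)
        if all(n not in lacking for n in required):
            return candidate


def search_space_bits(password):
    """Bits of search space for a brute-force attacker who tries every
    string of this length over the character classes the password uses."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def brute_force_seconds(password, guesses_per_second=1e10):
    """Seconds to exhaust the search space at the assumed guessing rate.
    Listed weak passwords return 0: they are tried first, not brute-forced."""
    if password.lower() in KNOWN_WEAK:
        return 0.0
    return 2 ** search_space_bits(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("password", "pw1234", generate_password()):
        print(pw, missing_classes(pw), f"{brute_force_seconds(pw):.3g} s")
```

The estimate only counts blind guessing, which is why a dictionary word scores far better on paper than it deserves and why the weak-list check runs first.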


References:

Fung, B. (2014). Heartbleed is about to get worse, and it will slow the Internet to a crawl. Retrieved April 20, 2014 from http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/

The OpenSSL Project. (2014).  Welcome to the OpenSSL Project. Retrieved April 20, 2014 from http://www.openssl.org/



Wednesday, April 9, 2014

The Death of Windows XP and What It Means to the Internet's Security!

Week 5

Yesterday, we all witnessed the death of probably the best Windows Operating System.  Windows XP was introduced in 2001 and served most of us until the release of Windows 7.  The crazy thing is, there are still close to 30% of computer owners who have XP still installed as their main OS.  Who blames them though?  That OS was one of a kind; flawless, dependable and secure.  Now, when the patches come out next month from Microsoft, they will not be including XP.  This means that for the first time in 13 years, the XP OS will not be updated or upgraded if needed.  Security on that OS is now an issue.  *Cue intense music*

What surprises me is that even today, 30% of computer owners have XP as their main system.  I don't blame them because it was a great OS.  There is the word, "was".  People need to understand that the Internet is changing and the source code for XP is not what it should be to defend against today's security threats.  Now, with no support coming from Microsoft, security holes will be found and exploited and will not be fixed.  Hackers will be able to use those holes to gain entrance into systems.

The dropping of the OS actually was announced months back to allow for people to go out and upgrade their systems prior to the cut.  Why did so many people and companies decide to drag their feet?  No one can answer that but them.  Now, companies that have XP as their OS are having to quickly find a way to migrate and upgrade their systems.  Companies need to understand the importance of upgrading.  If they do not, they will find themselves in hot water before too long.  Their data is at risk of being stolen.  IT security should be the utmost importance to them.

I found an article that discussed how the dropping of XP will help make the whole Internet safer.  The article couldn't be more right.  Now you wonder, how could that be if only 30% of users have XP?  The thing you have to realize is that those XP systems are touching other systems.  We are all connected via the Internet.  An XP system sending something to a Windows 7 machine makes that Windows 7 machine vulnerable because it is now exchanging packets with the XP system.  Those packets, if sniffed out and hijacked would make both systems vulnerable to the attack.  This is why it is so important to get upgraded to a newer OS, preferably Windows 7 and above and not Vista!  That is my own opinion, but I think many will share the same feelings toward Vista that I do.

So, in closing, get rid of XP!  Upgrade soon!  Don't wait until your system has been compromised!  It will end up saving not only you but the rest of the Internet.

Links to sites where I got some of my information for this blog:

http://www.informationweek.com/software/operating-systems/windows-xp-diehards-face-the-music/d/d-id/1204247

http://mashable.com/2014/04/09/windows-xp-security/?utm_campaign=Mash-Prod-RSS-Feedburner-All-Partial&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_medium=feed&utm_source=rss