Network Box Offers New Form of Internet Security Services

If you are tired of patching your many security solutions and are looking for a simple yet effective managed security appliance, Network Box offers a new protection direction. Combining several dozen active scanning technologies, they can provide advanced anti-malware and network protection within seconds of discovering an attack.

You can view my latest screencast video review of this product here.

What the Cell Phone Spoofing/UK Scandal Means to You

So the news this week is filled with ever-changing horror about how various reporters in Murdoch’s News Corp. “hacked” into the cell phone voice mail accounts of prominent Britons. What exactly does this mean, and why should you care?

The hacking was minimal at best: apparently, reporters asked their shift editor to make calls using a phone spoofing service to the cell of the intended victim. These services can be set up to use any specified caller ID, so once a mobile number is known, it is easy to obtain your voicemail, since most cell phones allow immediate access to your voicemail from your own calling number without any password or PIN. Three of the four US cellular carriers operate this way – only Verizon requires all subscribers to use a PIN on their voicemail accounts.

In the past, many of us guarded our cell numbers for financial reasons: plans cost a lot for few minutes. But as cell plans got more generous with their minutes, and as more carriers made mobile-to-mobile minutes “free,” more of us have given out our cell numbers on our business cards and in our email signatures.

So what is involved with spoofing your cell number? The market is huge, and browsing the many sites that offer this “service” feels somewhat like walking past the part of town where merchandise is offered for sale on blankets along the sidewalk. Basically, you sign up for a service (there are some free ones around, too). Next, you dial an access number for the service, then enter the number you want to call, and then the caller ID number you want to be displayed. Most services have simple voice prompts. When your call is completed, your party will see the caller ID that you entered, rather than the “real” calling number of your phone.

Once someone accesses your voicemail, there is really no way you can know it, unless they delete your messages. Most services have a way to mark a message as unread after it has been listened to.

If you want to know more about caller ID spoofing, check out this Web site which has a nice historical perspective.

Skype Out has long had the ability to adjust its caller ID, but it goes through a series of checks to make sure that you at least own (or have in your possession at the time) the mobile phone number that you give it for this service.

The moral of the story: If you care about your voicemail security, use a PIN. And preferably not 1234 or 2000 or something that is easily guessed.

How to secure your Facebook and Gmail accounts

Lately, there is lots of news about various bank accounts being compromised – including the network of the International Monetary Fund, the biggest piggybank of them all. Coincidentally, there was the news that both Facebook and Google’s Gmail have beefed up their security with two-factor authentication. They both now have optional mechanisms for making sure that your login process is more secure.

Two-factor authentication is called that for a reason: you need more than just typing in your username and password. You also need something that you have on your person, rather than something that others can easily find out (like your mother’s maiden name or birth date). Both sites text a short string of numbers to your cell phone as part of the login process: once you set this up, as long as you have your phone nearby (and who doesn’t?), you can be sure that no one else can log in to your account.

Older forms of two-factor authentication used small key fobs that had a button: when you pressed the button you got a code number that you typed in at the moment you were logging in. The number changed every 30 seconds or so, making it difficult to hack. Using a cell phone is much more convenient: the fobs were forgotten or lost.

Two-factor authentication has been around for a long time, and lately has gotten a black eye, thanks to the behavior of RSA, one of the leading companies in the market. Their SecurID system was compromised several months ago, and the company has been slow in getting the word out and replacing the fobs for its customers. As a result, several of its competitors have stepped forward and offered deals on replacements.

I’ve had a fob for my eBay/Paypal account for several years: I think it cost $10. (It now costs $30!!) You can still get them, although there are free alternatives available that make use of your smartphone to get SMS texts. You can also sign up with Symantec’s Verisign Identity Protection program for their fob. Symantec doesn’t make it easy to find this online.
(Note: I did one of my sponsored screencast videos of the service for them last year.)

But even better is what Google and Facebook have put in place. If you have a Gmail account (but not a Google-hosted email account, sadly), you can get this set up in about 10 minutes: go to your account’s personal settings, where you should see a menu item for two-factor authentication, and follow the instructions shown in their blog.

The problem is that adding two-factor for your Gmail account will create problems for other applications that access your account. If you use your smartphone or Outlook to access your email, you will need to set up these apps to handle the two-factor authentication. If you read your email on a tablet, ditto. So this may not be as easy as you first think.

Facebook has taken lots of (deserved) knocks on its security, and it also has implemented two-factor authentication lately. Go to Account/Account settings/Account Security and enter the information requested under the Login Approvals section, at least until they rearrange their menus and put it somewhere else.

Two-factor isn’t a panacea, and it does add an extra step. And as the folks at Lockheed found out, it isn’t flawless. But it does offer much better protection than straight username/password. If you use Google, Facebook, and Paypal, it is time to start using it.

Network World: Check Point’s new security blades cut both ways

If you’re in the market for endpoint protection, Check Point’s new R80 Unified Endpoint Security Management product shows promise. The R80 represents the first integration of the Pointsec encryption product line, which Check Point acquired in 2007, and the notion of software blades. The R80 features six separately licensed blades that cover a wide range of endpoint security features. You can read my entire review along with a short slide show of what I liked and didn’t, over on Network World here.

A new blog on biz continuity

A friend of mine, Tim Bonno, has started blogging on business continuity, emergency management, and disaster planning. He has lots of great practical advice and some very pithy insights, which makes sense given that he has been in that industry for decades. Here is one snippet:

Yes, we do have customers.  They work in the business units our plans are written for.  They are the senior managers that fund our programs and to whom we provide feedback.  They are the auditors who review our plans and programs for compliance.  It’s important for us, as business continuity professionals, to recognize who our customers are and make sure we are treating them as if our jobs depend upon them, because they do.

Go on over and check out a few of his entries. I think you will find them interesting.

SearchCloudComputing: Securing VMs in the cloud

Choosing protection for a virtual infrastructure is a lot like buying an antivirus product for the Mac OS: most people would wonder why you bothered. Nonetheless, as more IT shops migrate their servers to virtual machines and cloud-based environments, it is only a matter of time before protecting these resources becomes considerably more important.

You can read the full story, published this week in TechTarget’s SearchCloudComputing.com site, here.

The hopeful end of Captcha

One of the more annoying things about using the Web is those little confirmation boxes called Captchas, where you have to type in some words to prove that you are a carbon life form and not some computer program scanning a site. I don’t know about you, but I have to try two or three different code words before I can complete whatever task it was at the time. I used to think it was just old age, bad eyesight or memory, or fumble fingers but now I realize that it is a more systemic issue.

And the problem isn’t just folks like me that can’t figure out the message in the box: hackers have developed code to do so, or companies pay actual people to defeat them for their evil marketing purposes. This makes for another arms race as the Captcha people make codes that are even more difficult for us to read and interpret. This isn’t what we had in mind when we started using the Web back in the early days.

Of course, there are companies that are innovating in this space, trying to make a better mousetrap, or bot-trap. They are NuCaptcha.com and SolveMedia.com. Both have developed new algorithms that make it easier for people to use but not for machines or gangs of low-paid keyboarders. They are now being used on a number of Web sites, such as Microsoft and Toyota and so forth.

How do they work? You have to watch a short video where a marketing message – like “oh what a feeling” – is presented on the final frame. Then you are asked to type this message into the box to confirm that you are you. By putting the information inside the video, you make it more odious for the human keyboard gangs to enter the information, because they have to wait for the magic letters. It is also more difficult to program any machine recognition.

You can see a simple example here.

Personally, as long as they don’t blast some audio clip along with the video, I am ok with this approach. And perhaps there will be other companies that will have other innovations in this area.

The Internet Kill Switch

My first car had what is called a kill switch that I put in shortly after I had bought it. I was living in LA at the time, the capital of car thefts, and even though it wasn’t all that fancy a vehicle I wanted to make sure that it was somewhat protected. It was a simple thing: you had to turn the headlights on before you started the car. I thought I was in good shape until I found out how many valets could figure out the sequence (in LA you have to leave your car with valets a lot). This is a good analogy for the same process when it comes time to turn off Internet access to an entire country, whether it is for cybersecurity or censorship. Someone clever will always figure out a way around the blockade.

The idea to protect our own Internet access has been around for some time, and various people have proposed that we do something about it, including Senator Joe Lieberman.

The senator got his wish for a simple on/off switch for the Internet, but it didn’t go down quite as he had planned when he first proposed the idea before Congress last year. Early last Friday just after midnight local time, the Egyptian telecoms authority turned off almost all Internet and cell phone access to its 80 million residents. What is astounding is how easy and effective this action seemed to be. While no one directly involved is actually talking, savvy folks have figured out it was a series of phone calls to the network operations staffs of the service providers involved. Egypt is served by only a few Internet providers and cell carriers. Within a few minutes, the entire country went offline. Since then, some cell service has been restored.

What makes this noteworthy is that there are dozens of countries that try to control their net access with a series of firewalls and content filters, most notably Iran and China. These countries allow most Internet traffic through. Egypt has been wide open in the past in terms of what packets flowed through its pipes. Indeed, just as its location is critical for shipping traffic on the Suez Canal, major international fiber routes pass through the country. These long-haul connections are still operating.

But there is very little traffic coming in or out of the country, according to Renesys, which tracks this kind of thing and is the source of the graphic above. So the first step towards total control ironically is to first set yourself up as a free society, to prevent anyone from even thinking that you can just flip the switch. The more you tend to block, the more motivated others are to figure out ways around it, as my own experience with my first car illustrates.

There are some countries that use more than just an off switch for their blockades: they rate-limit the traffic, slowing down access to make it all but useless for people looking for forbidden content or IP addresses. This is a time-tested technique by many IT directors who don’t want their user populations surfing Facebook or streaming videos during the workday. They don’t turn access off completely; just slow it down enough that most users will move on to another destination. Earlier last week, Egyptian authorities blocked Twitter and Facebook access. When that wasn’t working, they went with the nuclear option and turned everything off.

Finally, what also helped Egypt’s ability to turn off its Internet is that it has a few providers to give everyone the sense of competition. This ironically made it less of an issue for people to seek out alternatives that are outside of domestic control. In places that have fewer providers, people are more afraid of potential censorship and find proxies and other routes around the domestic network.

I hope this column becomes quickly obsolete and access is turned on in Egypt. But in the meantime, they have provided a roadmap that others should take heed of.