Inside the Koobface crime botnet

Nart Villeneuve, who has written some excellent security reports in the past, takes us on a tour in this report of Koobface, the botnet that continues to invade various social networks.

The author has managed to dissect the twisted pieces of this network to show that in the past year the villains have made off with more than $2 million using pay-per-click schemes that entice marks to download their exploit and click on phony security software ads. It is well worth the read to see how this botnet has been built, and how it continues to elude authorities and frustrate users.

The next PDF you open may be your last

You know by now not to open unexpected email attachments, but what if someone that appears legit sends you a PDF? How harmful can it be? As it turns out, very. This week a harmless-looking invitation to a Nobel Prize ceremony was a nasty piece of business indeed. When saved to a hard drive and opened, it sets up a backdoor so that the bad guys can take over your PC at will, all while you think nothing is going on. What is troubling is that this isn’t new.

This PDF exploit has been around for several years, yet it seems that it doesn’t get much attention from the general public. The security community is all over it. Here is a collection of articles that appeared on SearchSecurity.com earlier this summer that tells corporate IT folks how to secure these types of files.

And here is a video screencast that shows you the exploit in its gory detail.

So why hasn’t word gotten out? Why hasn’t Adobe fixed this issue? Well, they try, but the structure of the PDF format itself makes it hard to secure. It even has the nasty habit of saving revisions, so some hackers can go in and review previous versions and redacted text.

Yes, you can password-protect your PDFs. You can also sign them, so that your recipients know that they haven’t been tampered with or forged by anyone in transit. But few people use these features. And because a PDF isn’t exactly an executable file, most of us are lulled into thinking that it is harmless.
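The revision problem described above, as an added example that is not part of the original post: a small scanner that reports whether a PDF still carries earlier revisions (incremental updates) and what string literals the superseded objects contain, so a document can be checked before it goes out. The sample PDF is constructed and abbreviated (its xref tables and offsets are not byte-accurate), and the scan is a plain byte search rather than a full PDF parser.

```python
import re
from collections import Counter

# Constructed, abbreviated two-revision PDF (xref tables and offsets are not real).
# Revision 1 draws "SECRET"; the appended incremental update replaces object 4 with
# "REDACTED" but leaves the original object bytes in the file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 18 >> stream
BT (SECRET) Tj ET
endstream endobj
xref
trailer << /Size 5 /Root 1 0 R >>
startxref
300
%%EOF
4 0 obj << /Length 20 >> stream
BT (REDACTED) Tj ET
endstream endobj
xref
trailer << /Size 5 /Root 1 0 R /Prev 300 >>
startxref
600
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")

def revision_report(pdf: bytes) -> dict:
    """Count update generations (%%EOF markers / trailer /Prev links) and list
    object numbers defined more than once, i.e. objects with older copies left behind."""
    eofs = pdf.count(b"%%EOF")
    prevs = len(re.findall(rb"/Prev\s+\d+", pdf))
    objs = Counter(int(m.group(1)) for m in OBJ_RE.finditer(pdf))
    return {"revisions": max(eofs, prevs + 1),
            "superseded_objects": sorted(n for n, c in objs.items() if c > 1),
            "has_hidden_history": eofs > 1 or prevs > 0}

def superseded_strings(pdf: bytes) -> dict:
    """For each object defined more than once, return the string literals found in
    every definition except the final one: text a reader of the file can still recover."""
    defs = {}
    for m in OBJ_RE.finditer(pdf):
        body = pdf[m.end():pdf.find(b"endobj", m.end())]
        defs.setdefault(int(m.group(1)), []).append(body)
    return {n: [re.findall(rb"\((.*?)\)", b) for b in bodies[:-1]]
            for n, bodies in defs.items() if len(bodies) > 1}

if __name__ == "__main__":
    print(revision_report(SAMPLE_PDF))
    print(superseded_strings(SAMPLE_PDF))
```

A clean export (print to PDF, or "save as" rather than "save") produces a single-revision file, which this report flags as having no hidden history.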

As a test, go take a look and see if the version of Acrobat Reader on your PC is anywhere close to 9.4, which is the current one. I have seen people running version 5 or 6, which are years old – obviously, the older the version, the more likely it can be exploited. Take some time now to update your software to the current version.

And the next time you receive a PDF, take a moment to consider the consequences. Or use one of any number of free alternatives on Windows, or better yet, a Mac – its PDF viewer, the built-in Preview app, can’t be exploited as easily.

eWeek: QualysGuard Offers Web Service for PCI Compliance Scans

A number of vendors have stepped up with a series of scanning tools to help verify PCI compliance, and there are dozens of PCI scanning vendors on their approved list. The hardest part will be picking one that works well for your situation. Many of these programs require you to download some software, but a growing number of vendors are delivering Web-based scanning services. I evaluated one such solution, version 5 of the Web scanning service from Qualys called QualysGuard PCI Compliance.

You can read the review for eWeek here.

Protecting your online banking and Paypal accounts

If you bank or shop online or otherwise use the Web to move money around, you need more protection for your accounts than just a simple username and password. Many of us reuse passwords on multiple accounts, and if a hacker or a malicious piece of software can obtain this information, you can suffer the consequences and be out a lot of dough in the process.

Of course, the quickest fix is to not reuse passwords across multiple accounts, but that isn’t likely to be implemented by many of us. A more secure and dependable solution is to make use of two-factor authentication. This is a fancy way to talk about a device that you keep on your person that only you have access to. If you work for a financial institution, or another paranoid employer, you probably already have something that looks like a credit card or a key fob with a small LCD display. This is the second factor (the first is your login name), and unlike your login only you have possession of this device. To make it work, you enter the series of numbers shown on its face after you enter your login ID. These numbers are timed precisely to an authentication server. If you don’t enter the right sequence of digits, you can’t log in to your account.

These fobs or security keys have been available to the general public for a few different Web sites. Paypal, for example, sells them for $5. Getting set up takes just a few moments, and requires an extra step when you log in to your account.

But the fob can be lost, or you might not remember to carry it with you when you are shopping online. A better solution is to use a virtual key, one that runs on your smartphone for example, or makes use of a series of text messages if you just have that service. You don’t need to remember to bring anything with you, and these virtual keys are also free of charge.

VeriSign/Symantec calls its service VIP, for VeriSign Identity Protection. It is available in software for a wide variety of phones, including iPhones, Androids, Blackberries, and others. You download the software (via iTunes for the iPhone, and similar Web app stores for the others) to your phone, walk through the setup process, and register the software key with Paypal or other sites that you are interested in protecting. Here is one credit union in Palo Alto that makes use of the service where you can get an idea of the VIP process in more detail.

VIP can be used for purposes other than online banking: it can protect VPN access to your corporate network and other intranet applications. The keys are easy to manage once you tie the key servers in to your corporate identity servers. And they remove the headache of managing physical hardware security keys from the whole process, which is another plus.

VIP isn’t the only game in town. A startup called Enole.net is working on something similar that can turn your cellphone into a universal ID for all sorts of purposes, such as your car, your house key, and so forth. I haven’t gotten any specifics but the information on their Web site sounds intriguing.

It is time we started using better authentication methods for more of our online logins. And VIP is one very painless way to do so.

Markmonitor: Brandjacking Index 2010 on Luxury Goods

Everyone wants a bargain, but when it comes to buying luxury handbags and other high-priced name brand consumer goods online the deals are usually too good to be worth it. Given the discounts offered, it is no surprise that the amount of counterfeit goods being sold approaches nearly half the legitimate volume of the genuine articles.

But what is surprising is the level of sophistication that fraudsters employ to place their sites high on search pages and to purchase pay-per-click ads, making it harder to find the real articles from the name brand vendors when shopping online.

In this edition of the Brandjacking Index™, we look at the abuses in the luxury consumer goods sector. It isn’t a pretty picture, despite the smooth buttery leather exterior that many of the real handbags offer. You can register and download the full report here.

SearchVirtualDesktop: Windows Intune shows promise at first glance

Windows Intune is Microsoft’s cloud-based antivirus software, and like other cloud antivirus products on the market that I reviewed earlier for Techtarget, it’s a bit rough around the edges. The product is a combination of Windows Defender anti-malware protection and the Windows System Center and Forefront management services. You can read my review published this week here.

Using applications whitelisting with CoreTrace Bouncer

My latest video screencast looks at Bouncer from CoreTrace. They have a new software-only version 6 that provides solid endpoint protection by only allowing vetted applications to run across your enterprise. There are agents for all 32-bit versions of Windows since 2000 and for 64-bit Windows 7 and Server 2008.

CoreTrace Bouncer. Pricing begins at $35 per endpoint.

Here is the link to the video review.

Is Facebook an enterprise friend or foe?

If you work in a corporate IT department, it is a hard call to say whether you want to, in its own argot, de-friend Facebook.

With seemingly everyone you know getting onboard the popular social networking site, IT managers are finding out that Facebook makes sharing information easier, information that ideally should remain within a corporate network.

Probably the most extreme example was a story I heard earlier this year. An Army grunt posted the location of his next mission in Afghanistan as his status update on his Facebook page. Within moments, the mission was scrubbed and the soldier was being sent back home.

How about the Michigan juror who posted her verdict on her Facebook page, prior to ever getting into the jury room to deliberate? Needless to say, she was removed forthwith by the judge. Now it isn’t unusual to hear about someone losing their job because of a Facebook indiscretion.

And the opportunity to track intra-office romances via the participants’ status messages is mind-boggling. Back in the olden times, we just had to rely on misdirected romantic email messages to amuse us. Now we have access to full-color photos and video documentation.

Speaking of entertainment, I am sure you have also noticed the collection of movies and TV shows that feature Facebook elements. And some of them even have accurate story lines, too. It is hard to think about anything else these days.

So what can an IT manager do to protect his or her enterprise? There are a bunch of strategies and products, as security vendors have become more Facebook-aware themselves. You can set up firewall policies, turn on bandwidth controls, or use a variety of data loss prevention and network monitoring products to track what is being sent out to the world.

Certainly, just about any firewall worth its packets can block Facebook access totally, but you might not want to do that. Let’s say you don’t mind if people message each other within Facebook, but playing FarmVille or other games during 9 to 5 is verboten. Several firewalls can make this distinction, such as McAfee’s Firewall Enterprise. Some firewalls, such as SonicWall’s, have all sorts of granular policies to fine-tune what behavior is and isn’t allowed.

Or let’s say you run IT for a college campus. You can’t block your students’ use of Facebook (you might start a revolt), but during the daytime when faculty wants to get their work done, you might want to reclaim some of this bandwidth and at least slow access down. A number of products such as Blue Coat’s PacketShaper can do this. You can throttle Facebook to the rate of, say, a dial-up line from 9 to 5, and turn it back up to the full OC-3 pipe after hours.

And in the world of data loss prevention (which is where the extreme examples cited above can make anyone a bit nervous), you can make sure that customer data or other sensitive information is properly monitored. You can also track who spends the most time on the site.

To learn more about these and other products, you can read an article that I wrote for Techtarget last month, as well as go to my screencast review site Webinformant.tv where you can see my short videos that demonstrate some of the products that I mention above.

SearchEnterpriseDesktop: Blocking USB access

A rogue employee can easily carry a lot of private data out of your offices using a USB drive. While gluing your USB ports shut (like my local library did) is one way to prevent data loss via a portable drive, a less drastic — but just as efficient — option is a security or desktop management product.

I look at how five different products can disable USB devices in a story this week for TechTarget here.