Zimmer And Associates

I haven’t had a chance to go through all the articles yet, but the Wall Street Journal has a report on information security. Topics include what to do if you’ve been hacked, employees being the biggest security risk, going beyond passwords, and the risks of remote access to corporate data. From what I’ve seen so far they appear to be worthwhile articles aimed at people on the business side of the house.

http://online.wsj.com/public/page/leadership-in-information-security-09262011.html

The New York Times has an article about companies accepting personal laptops as an employee’s primary office computer. This saves money for the company and increases worker satisfaction, but security must also be considered.

Attackers have shifted from targeting servers to targeting end user’s computers as they’re often the weakest link these days. If your company has sensitive corporate data and wants to allow personal laptops, don’t forget to consider the security of those devices. Possible options include requiring users to meet the same level of security as company-managed devices (verify with quarterly checks or centralized management software), or increasing security around the device with network intrusion detection systems. A potential legal option would be a waiver that the employee signs, assuming all responsibility and costs for security breaches caused by their laptop. It’s definitely not the friendliest option though, especially if there’s a security breach.

http://www.nytimes.com/2011/09/23/technology/workers-own-cellphones-and-ipads-find-a-role-at-the-office.html

A previously theoretical attack against secure web sites will be proven possible later this week. SSL/TLS protects sensitive data transmitted between your computer and secure websites such as your bank and Gmail. Researchers have found a way to decrypt the encrypted SSL traffic, allowing them access to the sensitive data inside.

For the moment the best protection is to use a JavaScript blocker like NoScript, which will prevent the Javascript from running on unauthorized sites. Note that this attack hasn’t been seen in the wild yet, but it’s probably only a matter of time.

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

http://noscript.net/

If you’ve upgraded to OS X Lion be aware that it’s now easier for anyone with physical access to your system to break in. Researchers have found what seem to be accidental oversights in the protection of passwords in Lion, making it easier for them to be read and changed by unauthorized users.

To protect yourself make sure you have some standard security measures in place, including disabling auto login, enabling screensaver passwords, disabling guest accounts, and disabling admin privileges for regular users. Luckily these are all pretty easy to do with OS X. Directions are in the first link below.

http://reviews.cnet.com/8301-13727_7-20108261-263/os-x-lion-passwords-can-be-changed-by-any-local-user/

http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html

While this isn’t something most people need to worry about, it’s a fun development in the security world. A few researchers put together a flying toy and a linux computer to create a flying robot hacker, allowing them to remotely break in to networks and take over computers.

http://news.cnet.com/8301-17938_105-20103599-1/diy-flying-robo-hacker-threatens-wireless-networks/

https://db.usenix.org/events/woot11/tech/final_files/Reed.pdf

Security researchers (including one I’ve hung out with, Hi Garrett!) were able to easily steal 20 gigabytes of sensitive data by registering bogus domains. People accidentally mistyped email addresses for legitimate domains and the data wound up at the bogus domains. For example, if malicious attackers wanted to collect data going to your domain (say bobcompany.com) they would register bobcompamy.com, bogcompany.com, bobvompany.com, and other similar misspellings. The hope is that someone sending sensitive data in an email will mistype the address and it will go to the attacker’s address instead. This happens a lot more than most people would think, as is evidenced by the research findings.

The best way to protect your company against this attack is to buy up misspelled domains similar to yours, which a number of companies are already doing. It’s not ideal or foolproof, but it’s better than having your data silently siphoned off.

http://gizmodo.com/5838708/how-researchers-stole-20-gb-of-e+mail-from-fortune-500-companies

http://www.wired.com/images_blogs/threatlevel/2011/09/Doppelganger.Domains.pdf

Here’s a really interesting article on the commercialization of cyber weapons (software used to break into computers), and how they have the attention of the military.

http://www.businessweek.com/printer/magazine/cyber-weapons-the-new-arms-race-07212011.html

Lion, the latest version of Apple’s OS X has taken a big step to improve security. Sandboxing and the principle of least privilege are being used to contain the effect of future security holes. Sandboxing creates a restrictive shell around a program and limits what actions it can take on your system, from writing files to accessing the camera. The principle of least privilege is being followed to split programs into smaller, more restricted chunks. For example, the part of the Safari web browser that displays web pages is being split off from the rest of the program since more security holes are typically found there. That chunk of the program has an even more restrictive sandbox around it, further limiting the risk to your system if a security hole is found. I definitely recommend the $30 upgrade to Lion, just make sure all your programs are compatible before installing it.

http://www.theregister.co.uk/2011/07/21/mac_os_x_lion_security/

Just because your data is in the cloud doesn’t mean it’s completely safe. Cloud providers experience outages and data loss just like the rest of us. Besides the technical risks your data faces, you could also lose data due to the cloud provider’s usage policy. If you violate their policy (or in this case they think you violated it) they can lock your account, leaving you temporarily or permanently unable to access your data.

http://www.zdnet.com/blog/hardware/why-you-shouldnt-trust-google-or-any-cloud-service-with-your-data/13860

July 29th is System Administrator Appreciation Day. Take a moment to appreciate the geek that keeps your data flowing. It’s typically a thankless, high stress job, where you’re only noticed when something goes wrong. Let’s not forget all the after hours work too.
http://www.sysadminday.com/