Archive for Security

Checking for Heartbleed vulnerability

Today has been a whirlwind of password changes and working with customers to help them understand the Heartbleed bug. They are rightfully confused and worried, especially since they are getting a lot of conflicting information. Some of them have received emails from websites essentially saying that they have no evidence of compromise so they don’t need to worry or take any action. This is a huge disservice because it’s just not true. This vulnerability affects a huge number of web servers including Yahoo, Flickr, AWS load balancers, and many more.

Here is a tool to check if websites are affected: http://filippo.io/Heartbleed/

There’s also a Chrome extension called Chromebleed.


Take a look at a list of some of the affected websites: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt

At a minimum I think it’s prudent to change all your passwords for banking, email and other critical services.
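The checker linked above probes a remote website. Just as important is knowing whether the OpenSSL build on your own servers is affected, and the version banner is the first thing to look at. The script below is an added example, not something from the original post or from the Heartbleed checker's authors: it parses the output of `openssl version -a` and classifies the build as vulnerable (1.0.1 through 1.0.1f, and 1.0.2-beta1), fixed (1.0.1g, 1.0.2-beta2 and later, or any build compiled with `OPENSSL_NO_HEARTBEATS`), or unaffected (0.9.8, 1.0.0, and the 1.1.x and later branches). The sample banners are constructed for the demonstration. One caveat it cannot resolve: distribution packages (Debian and Ubuntu, for instance) shipped the fix as a patch to 1.0.1e without bumping the upstream version string, so a "vulnerable" verdict from the banner alone means "check the package changelog", not "confirmed exposed".

```python
"""Classify an OpenSSL build as Heartbleed-affected from its version banner.

Added example: not part of the original post. Assumes the banner format
printed by `openssl version` / `openssl version -a`.
"""
import re
import subprocess

# Affected releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# Fixed in 1.0.1g and 1.0.2-beta2. The 0.9.8 and 1.0.0 branches never
# contained the TLS heartbeat extension, and 1.1.x and later shipped fixed.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
_LAST_BAD_101_LETTER = "f"

# Constructed sample banners (not captured from real hosts) used for the demo.
SAMPLE_BANNERS = {
    "stock 1.0.1e":        "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS",
    "1.0.1g":              "OpenSSL 1.0.1g 7 Apr 2014",
    "1.0.1e no heartbeat": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -fPIC",
    "1.0.0k":              "OpenSSL 1.0.0k 5 Feb 2013",
    "1.0.2-beta1":         "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "libressl":            "LibreSSL 2.8.3",
}


def classify_openssl(banner: str) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"            # not OpenSSL (e.g. LibreSSL) or unparseable
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    # `openssl version -a` echoes the compiler flags, so a build with the
    # heartbeat extension compiled out shows -DOPENSSL_NO_HEARTBEATS here.
    if "OPENSSL_NO_HEARTBEATS" in banner:
        return "fixed"
    if base < (1, 0, 1):
        return "unaffected"         # 0.9.8 / 1.0.0: no heartbeat code at all
    if base == (1, 0, 1):
        if beta is not None:
            return "unknown"        # pre-release 1.0.1 builds: do not guess
        return "vulnerable" if letter <= _LAST_BAD_101_LETTER else "fixed"
    if base == (1, 0, 2):
        return "vulnerable" if beta == "1" else "fixed"
    return "unaffected"             # 1.1.x and later never shipped the bug


def local_openssl_status(openssl_bin: str = "openssl") -> tuple:
    """Run the given openssl binary and classify it. Returns (status, banner)."""
    try:
        proc = subprocess.run([openssl_bin, "version", "-a"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown", ""
    return classify_openssl(proc.stdout), proc.stdout


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:22s} -> {classify_openssl(banner)}")
    status, banner = local_openssl_status()
    first_line = banner.splitlines()[0] if banner else "(no openssl binary found)"
    print(f"\nthis host: {first_line} -> {status}")
```

Run it as-is to see the constructed samples classified and then the verdict for the `openssl` binary on the current PATH; pass a different path to `local_openssl_status()` to check a bundled copy (a web server or appliance that statically links its own OpenSSL is not covered by the system binary's banner).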

Skype Scam

Fake security Skype scam. This Skype call came in this afternoon. Fortunately I had my iPhone handy and recorded the whole thing. Take a look. Hopefully reporting it as abuse and blocking the call will help.


Small Business Insurance For Data Loss and Security Breach : Connecticut Business Litigation Blog


Did you know that you could purchase insurance for data loss? Should you?

It depends. I believe in educating our clients about their risks as I see them, not just computer risks, but all of their vulnerabilities. I think that in our industry there is a surprising lack of regulation, especially given the critical information we see everyday.

I recommend that you give quite a bit of thought to your IT person, going so far as to do a background check on them. It’s a reasonable and safe step until we can work for better certifications and regulations.

Here are a few certification authorities that test for technical knowledge. But there are NO recognized authorities to test for soft skills and general decency.

CompTIA (A+ and Network+ certifications)

Microsoft Certifications

Cisco

Open Source Software

So my husband @wx13 and I were discussing open source software. This became especially poignant during the apparent selling of our search history by @google

Super lame move btw, because I loved their products and was a big fan and promoted the bejesus out of them. No mas free advertising from me.

Below I list the software recommendations we came up with and how it can be used to make your #privacy more functional.

Might I suggest autohotkeys for open windows?

chrome browser: only for gmail and online banking and wherever you want cookies and stored passwords (it’s okay if google knows that you’re a bankofamericagreedybastards customer because the session is SSL so it’s not like they know how poor you are LOL).

firefox: with the NoScript addon for regular browsing (NoScript is critical here).

set firefox to clear your cookies at the end of each session.

windows pager for multiple desktops … work vs. personal and separation of those tasks.


Stop using PCAnywhere Immediately!


Symantec’s remote access product “PC Anywhere” has been compromised. If you are using this product, Symantec has issued a recommendation to stop using the product.

Here’s their whitepaper http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

Microsoft Phone Scam

Recently we have had several clients contact us because they received a suspicious phone call from someone claiming to be from Microsoft. The caller went on to say that they were calling from “the Microsoft Windows Support” and that the computer was compromised. I’m grateful that our clients were wise and hung up on these callers.

Ryan did a little research and we found this information http://www.microsoft.com/Presspass/press/2011/jun11/06-16MSPhoneScamPR.mspx

The following is Microsoft’s advice and we recommend the same information:

Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company.
Never provide personal information, such as credit card or bank details, to an unsolicited caller.
Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue.
Take the caller’s information down and pass it to the authorities.
Use up-to-date versions of Windows and application software.
Make sure security updates are installed regularly.
Use a strong password and change it regularly.
Make sure the firewall is turned on and that antivirus software is installed and up to date.


I have all my passwords on a piece of paper…


You must be thinking about a post it note under my keyboard. But you’d be wrong. I have always been passionate about security. Just ask Dana Epp of Scorpion Software, he’s an Enterprise Security MVP and I stalk him at conferences because he is so brilliantly dialed in to the security issues of today.

My good colleague and fellow MVP Wayne Small over at SBSFAQ.com showed me an incredible password management strategy and I want you to immediately check it out and see if you can make it work for you.

No big $$ investment, no selling your soul to the latest “Security Expert”. Just simple two factor authentication. Here’s the link


LinkedIn Privacy Setting

LinkedIn (the social network) has made a change to their default settings which, if left unchanged, allows them to show your photo and name for advertising purposes. You can opt out of this.

1. Click your name on the homepage (upper right corner). On the drop-down menu, click “Settings”.

2. From the “Settings” page, select “Account*”.

3. In the column next to “Account”, click “Manage Social Advertising”.

4. De-select the box next to “LinkedIn may use my name, photo in social advertising”.


Sony comes clean: Playstation Network user data was stolen | VentureBeat


It seems that nearly every week there is a new story about data breaches, from Epsilon’s database being hacked into and now Sony. So what’s the lesson here: do we all pull back and refuse to purchase online content, as some clients are saying? I don’t think that is the answer. What about simplifying and putting a few protections in place?

My recommendations:

1. Have a credit or debit card linked to an account with a certain balance limit, say $500. Use this account strictly for online purchases, such as Netflix, Sony, Xbox Live, etc.

2. Set up an email account just for such purchases.

3. When creating online accounts at sites, use the junk email box and your “online” credit card information. Don’t give your real name, address, age or birthdate where possible.

I think these steps should help. Perhaps you have other ideas to share? Give us your comments!

So You Want to Use Your iPhone for Work? Uh-oh. – WSJ.com

This is a great article that highlights many of the questions that need to be asked when an employee wants to use a personal device to access corporate data. What do you think? How do you manage this issue at your workplace? Let’s have a policy discussion and perhaps folks can take back some ideas for their situation.
