Category “General Security”

Tips for creating strong password

Wednesday, 22 December, 2010

This post is from Help Net Security, a great resource for News, Articles and information on Security. Visit Help Net Security and subscribe or follow their tweets. This post is located here.

To ensure consumers stay safe online and enjoy this holiday season, Check Point outlines practical tips for creating a strong password.

  • Choose a password that is at least 8 to 10 characters long. This should be long enough to prevent brute force attacks. Since brute force attacks consist of trying every possible code, combination, or a password until the right one is found.
  • Make sure your password is difficult to guess. Do not use names of any kind, including your login name, family member’s name or a pet’s name. Also avoid using personal information such as a phone number, birthday or place of birth.
  • Avoid words that can be found in the dictionary. With the availability of online dictionaries it is easy for someone to write a program to test all of the words until they find the right one.
  • Stay away from repeated characters or easy to guess sequences. For example: 77777, 12345, or abcde.
  • Choose a password that is a mixture of numbers, letter and special characters. The more complex and random it is the harder it will be for a malicious person to crack.
  • Use fragments of words that will not be found in a dictionary. Break the word in half and put a special character in the middle.
  • Choose different and unique passwords for all of the important sites.
  • Change your passwords often. Even if someone cracks the system password file, the password they obtain is not likely to last long.
  • Use a reliable password protection solution.

To get more insight on how people create poor passwords, take a look at this analysis of 32 million breached passwords.

How to avoid rogue security software

Thursday, 25 February, 2010

What can you do to help prevent the spread of rogues and make sure that rogue software vendors stop profiting from their unscrupulous business? Follow these tips below to tell what’s real and what’s not when it comes to security software – and share them with friends and family who may be vulnerable to rogue threats.

1. Do not fall for scare tactics. While browsing sites, be cautious of pop-ups warning you that your system is infected and offering a product to clean it up. Never pay for a program that installed itself to your computer. This is a hallmark of rogue software.

2. Use security software with real-time protection and keep it up-to-date. If you know that you have anti-virus, anti-spyware, and a firewall on your PC, you can safely ignore security alerts you receive that do not come from your chosen security software provider. (Rogue security software will often try to lure computer uses by using legitimate looking pop-up messages that appear to be security alerts.) Also, most anti-malware programs will help keep you protected from rogues because they can detect and remove these programs.

3. Access experts at security forums and ask about the software you are considering before you decide to purchase it.

4. Read the software reviews at reputable sites like Download.com. Do not blindly trust individual sites offering security products.

5. Ask knowledgeable friends and family members about quality software they use. Keep in mind that when you search for trustworthy security software online, rogue products can, and often do, appear in the search results list.

6. Practice online skepticism. Be aware that rogue security software does exist on the Web, and be vigilant about avoiding it. These programs are designed to appear genuine – meaning they may mimic legitimate programs, use false awards and reviews to rope you in, or employ other deceptive tactics. It’s also a good idea to familiarize yourself with common phishing scams, and to be cautious of links in e-mail messages and on social networking sites.

Author: Erin Earley, editor of Lavasoft News.

NOTE: Original article is posted on Help Net Security website: http://www.net-security.org/malware_news.php?id=1245. You can subscribe to their news for up-to-date security news and articles.
Follow us on Twitter: @securetoday.

Aurora – IE 0-day vulnerability

Wednesday, 20 January, 2010

Aurora

Aurora Borealis or the Northern Light is a jaw-dropping awe vista to witness. I have not witnessed one but it’s one of my dreams. While we know the beauty of it, there is another and different aurora (not borealis) that is not to be messed with.

The Operation Aurora dubbed by McAfee to describe the very recent Microsoft’s Internet Explorer Zero-Day vulnerability is a “coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems.” It was used to exploit Google and other 30 more companies as previously reported. Last Friday, George Kurtz, McAfee’s CTO talked in his Security blog about the Aurora exploit that is used to attack Google in December is now in public.

Any zero-day vulnerability is always a bad thing. Two weeks ago, one of my older computers crashed and for what I know it could be caused by this same exploit. While the discovery of this vulnerability has been a while now, Microsoft has yet to release an official patch.

The bad thing is, there are third-party patches out there that have gone out to provide temporary fix for this vulnerability. I would not really recommend installing these third-party patches since we don’t know what the ill-effects in the long run. The good news is, Microsoft is going to release a patch tomorrow, January 21st. Read Microsoft’s Bulletin.

To learn more about Operation Aurora from McAfee, watch the video from George Kurtz and the McAfee team here.

Read the rest of this entry »

CPTED – Physical Security

Sunday, 10 May, 2009

This month, I’d like to discuss a topic that is somewhat being set aside when talking about security – Physical Security. We all know and agree that the physical aspect of security is as important as any facets of security, be it technical or logical, and administrative.

As a security professional, we should be very aware and concerned that the security we protect, such as critcal data and confidential information through the technology like firewall, DLP, IDP, and the like can as easily be compromised as someone stealing the physical server, damaged by natural or environmental calamities, or broken by infrastructure faults. So, physical security must not be ignored and should also be incorporated in the security policies as well as included in any security discussions.

Physical security must be implemented based on the model of a layered defense. The idea is, before unauthorized entity can access the valuable asset, they should go through layers of layers of physical barriers before reaching the spot. If one of the layers fails, the others will protect the asset. So layers of defense should move from the perimeter towards the asset.

I am a firm believer that security should not be a patched-approach, rather, it should be part of the architecture. Similar to software applications, I believe that one of the best ways to stay secure is to develop the program as error-, flaw-free. This way, we don’t have to worry about patching it and afraid of getting compromised by its vulnerabilities. Of course, it is not a perfect world, and that is why as much as we can, security should begin at the very start of the design.

Physical security is not exempted. The CPTED (Crime Prevention Through Environmental Design) is a discipline that structures the proper architectural design of a physical environment to reduce crime by directly affecting human behaviors and activities. The CPTED concept has been around since the 1960s. It provides guidance in loss and crime prevention through proper construction of buildings and the arrangement of environmental components.

CPTED elements

CPTED Key Concepts

So the idea of CPTED is before even the construction of a facility, it then address the landscaping, entrances, exits, neighborhood layouts, access roads and freeways, lightnings, and traffic patterns. It also puts into consideration the placement of offices, lobby, restrooms, campuses surrounding, and even up to the scale of the wider scope of the city. As you can imagine, before a facility is built, the security is already put in consideration. Putting the proper landscaping should deter intruders, or building the right height of fence or correct placement of lightnings should stop unauthorized people. Another good example is to architect the built of a data center to be located at the center of the facility so that the walls will protect it from any damages from outside.

Read the rest of this entry »