Monday, April 16, 2007

7 Easy tips to help ensure your child's internet safety

I have a couple of teenagers and another child about to become one. I am a caring father and a professional in the field of information security. Naturally I am concerned about the well-being of my kids when the use the Internet.

These are few tips based on my own experiences with my own children.

1. Talk to them
I have talked to many parents that claim to have an open dialog with their kids. There are basically three types of relationships with respect to parent-child dialog as I see it.

There are parents that have an open dialog with their kids, there are parents who think they have an open dialog with their kids but don't, and lastly there are parents that don't have an open dialog with their kids and they know it. The best method to approach your child will largely depend on which group you are in.

I like to consider myself as having an open dialog with my children but I am not naïve enough to think I know everything of what they do. Make attempts on a regular basis to sit down and learn how your kids use the computer. Get involved with them. Ask them to teach you about MySpace, instant messaging or the newest online game. I know my kids enjoy my involvement.

Parents who do not have an open dialog with their children need to start NOW. It may be difficult at first and your child may wonder “what’s the catch”. I urge you to stay consistent and build a habit out of demonstrating interest. Of course, counseling is always an option too.

Whatever you do as a parent, do NOT ignore the risks or think that they won’t affect your children. A false sense of security is no security at all.

2. Set boundaries
My children are not allowed to use the computer any time they wish. There are rules and boundaries to their usage. If I did not set boundaries, I am sure my kids would use the computer until their fingers bled. Your rules depend on your household and/or your beliefs, but set rules and communicate them effectively.

Just some of my boundaries:
- No computer usage until homework is done. (I do follow-up with teachers)
- There are only certain sites that I approve off.
- Very limited computer usage during nice days
- You must ask me before using the computer
And others…

If it helps, write your boundaries down on a piece of paper to share.

3) Work with them (will they let you particpate too?)
My teenage son loves to play games online, and I am not one to miss out on the fun. Last year we were talking about the games he plays online. He got me hooked on an online role playing game called Runescape. I am a game addict, so I have to be sure I follow some boundaries of my own! It's fun to share what we do and brag about our accomplishments.

My teenage daughter is more of a socialite, so her choice of Internet locations are MySpace, YouTube and blog sites. When she finds something interesting, she will share with me. When I find something interesting, I will share with her. We have a great time laughing about what we find.

IMPORTANT: Give some semblence of privacy. This is especially true with my daughter. She needs her space, so I do not hound her constantly about what she does. I realize that she needs to have private conversations from time-to-time with her peers. This is a balancing act. Allow her to have her space, but keep tabs too.

4) Stay consistent
My children don’t think twice when we talk about our Internet usage or safety. I don’t change the rules and I don’t spring things on them. There is an understanding built on trust and consistent clear communication. Stay consistent in the message and rules.

Equally important is to stay consistent in the punishment. Recently my teenage daughter broke one of my rules. Not a major rule, but a rule nonetheless. She lost computer privileges for two weeks. She knows why she was punished and she knows I care.

5) Understand the risks
Do some research and speak with facts. Don’t expect your children to take you at your word, especially if they are told differently by their peers. Once you are armed with facts, share them with you kids. Ask them how they feel about it.

Good resources for the facts:
National Center for Missing & Exploited Children
FBI: A Parent’s Guide to Internet Safety
MySpace: Safety Tips

Do some searches. There is much to learn!

6) Observe
This is a very simple tip. Have your children use the computer in an easily viewable location. Explain to them the reasons why.

7) Install controls
There are plenty of parental control software options on the market. I have used and can recommend Net Nanny. Install the software per the manufacturer’s specifications and check the access logs regularly. Follow-up with you children on any unusual changes in Internet access behavior.

None of these tips alone or in combination will guarantee your child’s Internet safety, they will only reduce the likelihood of something bad happening. I feel much better about my children’s safety since following these seven tips and our relationship has only become stronger.

Take an active role and don’t be intimidated by the technology or your children’s perceived mastery of it!
Read more!

Friday, April 13, 2007

Top 10 Free security-related programs for every home user

There are certain security-related programs that all home users should have installed on their computers. Installing, configuring, and maintaining programs from each category listed in this article will provide a good base of protection for most.

This list and accompanying suggestions are based with Windows 2000 and XP operating systems in mind. Many of the suggested programs in this article will not work with Vista.

Did I mention free? I like free. Don’t get me wrong I also like to do my part in supporting the economy, but why pay for something if I don’t have to (legally).

1. Anti-Virus Software
Effective, up-to-date anti-virus software is a critical cog in your home information security machine. I would not suggest anyone using a Windows (or Mac and maybe Linux) computer without it, unless you want to lose your information, have your computer participate in a “bot” network, or send not-so-nice emails to everyone in your contacts list.

Free Programs
My favorite is Grisoft’s AVG Anti-Virus Free. AVG has all of the options to ensure “good” virus protection, the performance is above-average, and it has a pretty good detection rate. The only beef I have with AVG is the clunky interface, but it IS free. Other free programs worth checking out include avast! 4 Home Edition and PC Tools AntiVirus Free Edition

2. Anti-Spyware Software
The question I get often is “If I am using anti-virus do I still need anti-spyware, and if so why?” The answer is always yes, and the reason is because of the difference in the way viruses and spyware (and adware) operate. Virus spreads, spyware imbeds. Your anti-virus software will not protect you adequately from spyware.

Free Programs
CRAWLER, LLC’s Spyware Terminator – Spyware and adware have evolved so much that I don’t think any of the free anti-spyware applications on the market should be relied upon solely. Although my favorite free anti-spyware application is Spyware Terminator, I would suggest that you supplement its protection with another (AVG Anti-Spyware Free, Spybot Search and Destroy, Ad-Aware SE Personal, etc.)

3. Personal Firewall
Personal firewalls are an important complement to your home computer information security. They are especially important if you have an “always on” cable or DSL connection at home. You should expect a “good” personal firewall to perform well in monitoring each connection into and out of your computer and tie it to the application (process) making the request.

Free Programs
Far and away, my favorite free personal firewall is Comodo Firewall Pro. Comodo performs well in leaktests, has all of the necessary options, and comes with good support in the form of updates, forums, and email. Other good free personal firewall products include ZoneAlarm Free, PC Tools Firewall Plus, and Jetico Personal Firewall (the best performer in leaktests).

4. Browser
There is always plenty of contention and discussion when talking about which browser is best. Whether you choose Internet Explorer, Mozilla Firefox, Opera, or any other browser, each will have its advantages and disadvantages. I can say one thing from experience; I am not at all pleased with IE7 on Windows XP SP2. The performance is horrendous.

Free Programs
All of the major browsers are free now and there are well over 100 available online. Trying to determine which one is the most secure is a very hotly debated topic. The most secure browser depends on the person using it. My favorite browser for security is Opera 9.20 for Windows. Opera is fast, can be made relatively secure, and has plenty of options. Other popular browsers include Internet Explorer, Mozilla Firefox and Netscape Browser 8.1.3.

5. Anti-Spam
Most home users use web-based email. Many of these web mail solutions employ some anti-spam technology. For home users that use an email client such as Outlook or Outlook Express, an anti-spam program is a very good idea. Convergence between spam, virus, and spyware is predicted in coming months and years (we have seen some already), which makes an anti-spyware solution that much more valuable.

Free Programs
My favorite anti-spam program for Windows is SPAMfighter. SPAMfighter does an admirable job of filtering spam and has features out its ears. Other good anti-spam programs include SpamAware V4.5 and Agnitum Spam Terrier. Spam Terrier looks very promising. I have not fully tested it yet.

6. Password Management (see “Passwords”)
I don’t know about you, but I have way too many passwords to keep track of! I won’t right them down (because you aren’t supposed to, duh). I use different passwords for different logins. In order to maintain control of my passwords securely, a password management program is absolutely necessary.

Free Programs
RoboForm has emerged as a market leader in easy-to-use, secure password management. I use RoboForm daily and I would be lost without it. Another good password management program that I use is PasswordSafe made by renowned crypto-expert Bruce Schneier

7. Anti-Phishing Software
As the number and sophistication of phishing attacks grow, so will the number of victims that fall prey. As the number of victims that fall prey grows, so will the number of phishing attacks. A vicious cycle. There are programs designed to help identify probable phishing attacks and it’s a good idea to check them out. Personally, I have received phishing emails that have gotten through both Internet Explorer’s and Gmail’s built-in protection.

Free Programs
Phishing is a social engineering attack, so the best free tool you can use is in your head (:o .

Using a browser and web-based email that provide built-in phishing protection is a good idea, but if you still want additional protection take a look at the Netcraft Anti-Phishing Toolbar or Phishing Detector v.1.0.

8. Backup Software
I am not going to suggest any free backup software other than what you already have on your computer. Use Microsoft’s backup program that was included with your operating system (assuming Windows 2000 or XP). Click Start, Run, type “ntbackup” (no quotes) and click OK.

9. File Recovery Tool
A case could be made whether or not a good file recovery tool is essential to the security of your computer. Too many times have I been called by someone in a panic because they had deleted their important information. The more time that passes between the time your files were deleted and the time you attempt to recover them, the less chance there is to recover them without a significant amount of expense. Having a tool “at the ready” will help to avoid confusion and diffuse the situation somewhat.

Free Programs
Be careful which file recovery tool you choose. Choosing the wrong one can make your problems worse. Also, install your program and test it out before a crisis. This way you will be that much more prepared. Convar’s PC Inspector File Recovery 4.x is one of my favorite free file recovery programs and their Smart Recovery program works well for flash media (i.e. photos from camera or video recorder).

WARNING: If your files are absolutely critical to you and you do not feel comfortable using a program on your own, call a professional.

10. Encryption Program
Being an information security guy, I do love me some good encryption! Encryption used properly will protect the confidentiality and integrity of your data. Essentially, your files will not be understood to anyone not authorized by you. If you store highly confidential data (i.e. tax documents, electronic bank statements, etc.), I would strongly suggest you encrypt it.

Free Programs
I have been using Axantum Software AB’s AxCrypt File Encryption Software for a long time and I have been very pleased with it. Another good free file encryption program is Cypherix Cryptainer LE. For those of you wanting to encrypt the entire drive for free, you can try CE-Infosys’ FREE CompuSec. If you are going to go for the “full disk” option, be sure to read the manual first (i.e. disable anti-virus during install)!

BONUS - Diagnostics
Sometimes a problem crops up and it gets misdiagnosed. In order to help determine what the root cause of a problem is, I need to gather as much pertinent information as I can about the problem. A good diagnostics tool helps accelerate this process.

Free Programs
There are hundreds of free diagnostic programs out there. Picking one as my favorite will surely draw some fire. Not being faint of heart, my favorite free diagnostic utility is System Information for Windows (SIW 1.67) written by Gabriel Topala. Much of what you will be looking for in a diagnostic program will be dependent upon your circumstances.

So there is my top ten, which is subject to change of course!

Keep in mind that this software is what I would recommend to a home computer user on a budget. The toolset I use in my work is more vast (i.e. audit tools, scanners, sniffers, compilers, etc.).

To the best of my knowledge, all of the software listed here is offered free to home users (i.e. non-commercial). Check with each individual developer to make sure you are using their software in compliance with their license.
Read more!

Wednesday, April 11, 2007

Getta Lotta Spam? Some tips for you, next time.

6.7 million cans of SPAM are sold each year in Hawaii, which equals 5.5 cans per year per Hawaiian. Those Hawaiians like a lot of SPAM. Interesting, but I think I got the wrong spam.

The "other" spam, the electronic variety, the kind that most Hawaiians don’t like. Now, I got it.

Some folks are calling 2007 "The Year of Spam", and maybe it will be. After all, IDC predicts 40 billion (that's 40,000,000,000) spam email messages will be sent worldwide this year. Couple this volume with the fact that spammers (those who are responsible for sending spam) are ever changing their filter-evading techniques means more spam reaches inboxes of people like you and me. Spammers are sneaky &#^$@*es.

Understanding the Spammer
Have you ever asked yourself why spammers spam? The answer is simple, money. Spammers make millions of dollars sending spam. It’s business to them, plain and simple. There are many ways that spam equals money for the spammer, from people actually buying goods advertised in spam emails to pay-per-click scamming. Spammers will do whatever it takes to get their email into your mailbox.

What spammers are doing is illegal, right? True, but spammers don’t care. The way they operate makes it very difficult if not impossible to catch and prosecute them. Spammers often use “bot” networks to send their emails through hundreds or thousands of unsuspecting hosts. Bot networks allow the spammer to hide his/her true origin. To complicate things more, the spammer may be physically located in another country.

Although there is no tool or technique that will guarantee you and I won't get spam email, there are things we can do to reduce our chances and/or the amount of spam email we receive.

‘Nuff of that, Now some Tips

Tip #1 - The obvious? Use anti-spam software and/or appliances. There are some useful programs on the market for personal computers and some good appliances for corporate environments. My favorite for personal home computers is SPAMfighter, and my favorite appliance is Tumbleweed. Your mileage may vary so check out what is a best fit for you.

Tip #2 - Use care in disclosing your email address. When posting in public forums (newsgroups, web sites, blogs, etc.) do not use your real email address. You can obfuscate your email address and still let people contact you, i.e. change into “ee em ay eye el at trustedtoolkit dot see oh em” or something else. You get the picture.

Spammers use various techniques for obtaining email address to send spam to. One of the easiest is to scan the Internet for patterns matching email addresses.

Tip #3 - Do not click links in spam emails. If a spam email gets through to your inbox, don’t click any links. If you click a link, chances are very good that the spammer now knows that you are a “live” person and the email address they have is good.

Tip #4 - Do not load images in emails automatically. The same premise in the tip above applies. Image spam is a very popular filter-evading technique these days. If you load images automatically in a spam email, chances are good that it contains a link that the spammer can track. Most email clients enable you to control how/if you load images in emails. Check your program for its capabilities. If you can live with “Text-only” (no HTML) email, then all the better.

Tip #5 - Do not “unsubscribe” to spam email. Spammers won’t take you off their mailing list; they will instead add you to the “active” or “confirmed” email list. The same premise in tip #3 applies. The unsubscribe link in the email lends some tiny semblance of implied legitimacy to the email in some people’s minds. No spam should be considered legitimate email.

Tip #6 - Read privacy policies. I understand that reading privacy policies is a pain in the rear for most people. Some privacy policies are a pain in the rear for me to read, and I read almost every one I encounter! Before I type my email address into an online form (encrypted, mind you), I check to see if the company or site has a privacy policy. If they do not, I will make a serious judgment call as to whether or not I want to share ANY of my information. If they do, I check the mention of how they will use and share my information, including my email address.

Tip #7 - If buying something online, read all the checkboxes during checkout. On many checkout pages there are checkboxes that state something like “share my information with partner companies” or “subscribe to company xyz news”. Don’t just skim over these checkboxes and continue on with your order. Read what they say and be sure that you have checked or unchecked the appropriate boxe(es).

Tip #8 - If you have a spam infested mailbox, consider a new email address. If your email address is “out there” meaning that it has been publicly posted on web sites, forums, newsgroups, etc. and you are getting an ample amount of spam, it may be time to consider a new email address. There are no methods I know of for cleaning your email address off the Internet, and spammers already have you in their lists. Might be time to “cut and run”.

Of course you could always choose not to use email.

I did not cover IM spam, Cell-phone spam, or any of the up and coming spam techniques being employed actively today. Maybe I will later.
Read more!

Tuesday, April 10, 2007

Over 2000 are actively exploiting Microsoft .ani flaw

2000+? That is a heckuva lot of sites!

"The number of Web sites engineered to exploit the problem has jumped considerably since the vulnerability was publicly disclosed by Microsoft on March 29. It will likely continue to rise until patches are applied across corporate and consumer PCs, said Ross Paul, senior product manager for Websense. " - IDG News Service, Over 2,000 sites now exploit .ani security flaw

If you have not applied this patch, you are implored to do so now! This is a serious flaw and exploits are rampant. Also, reference my earlier post labeled "Microsoft to Release OOB (Out of Band Patch) Tommorow"

Although there have been a few reported application incompatibility issues with this patch, the potential consequences of not patching should outweigh these issues. Read more!

When did kids get the right of free speech?

Sometimes I stumble across news or information that makes me wonder "What the &*@?"

Today the news is "Court Upholds Expletive Laced MySpace Posting". Read the story, then read the actual court decision.

Lawyers like to make things complicated, but I understand some of what the decision says ;). What I can't get around though is the fact that this very troubled juvenile delinquent is now some kind of hero for the rights of free speech. If she isn't now, she will be soon.

I have more questions than I have answers. I am flabergasted about how children are allowed to behave today. Should a child be rewarded for acting out like this? I also wonder where the parents are in all of this. Do they stand behind their daughter's actions?

I could continue my ramble and rant, but I'll let the news stand and continue to wonder. Read more!

Monday, April 9, 2007

The MySpace Journey - Day Two (Part 3)

Nothing notable on any of the three profiles today.

My Real Profile
I got a spam message for a loan application. The offer was intriguing, but I did not apply.
I also received an automated message with the subject "hey sexy". This is a message with a link a references to sexually explicit material.

The Other Two Profiles
No activity at all other than 1 profile view for the 15 year-old male profile and 2 profile views for the 14 year-old female profile. I have not done anything on these two profiles yet, and both profiles are basically blank. In order for people to find these profiles, I will need to add some information under one, more, or all

I noticed MySpace in the news today in a story labeled "Man sentenced to 10 years for assaulting girl he met on MySpace" This is a news story about a 41 year-old volunteer firefighter who molested a 14 year-old girl he met on MySpace between March, 2005 and February, 2006.

What Next?
It's time to add some content to the MySpace profiles. In order to access a MySpace profile, I need to visit (in case this wasn't obvious!) and login by typing my email address and password in space provided on the left hand side of the homepage. After I successfully login, and am presented with my profile home page. From here I can enter detailed profile information that I want to share with other members of the MySpace community.

To edit the MySpace profile, click the "Edit Profile" link just to the left of the profile picture.

The profile categories that are available for edit are Interest & Personality, Name. Basic Info, Background & Lifestyle, Schools, Companies, Networking, and Song & Video on Profile. I am going to enter information under the "Interest & Personality" header today. Here I can enter information into the following fields:

  • Headline, whatever is typed here will show up in my profile just to the left of my profile picture

  • About Me

  • I'd Like to Meet

  • Interests

  • Music

  • Movies

  • Television

  • Books, and;

  • Heroes

Notice the warning in this graphic.

It states "Warning - Please be aware that MySpace is accessed by thousands of users every day; since you do not know every user on the MySpace site, exercise caution when posting personally identifiable information. " I didn't even notice that this warning was there before.

I am going to enlist the help of my teenage children to complete the profiles. I have seen each of their profiles and they have really spiffed them up, and I just realized that I know less about this generation that I originally thought!

Again, MySpace is a "piece of cake" to use. It is very user-friendly. Although I like the warning, it doesn't do much to deter a teen from doing what he/she wants to do online anyway. Relying on people (especially teens!) to read warnings and take action is wishful thinking. I promised that I would read the MySpace "Safety Tips" and I have. I will write something about them in the next post.

Read more!

Sunday, April 8, 2007

The Trusted Toolkit April Newsletter

Quick Post...

Get The Trusted Toolkit's April 2007 Newsletter here:

The Trusted Toolkit newsletter is a monthly publication that we make available FREE of charge to customers and non-customers alike. If you would like to receive our newsletter via email, please visit and use the word “subscribe” Read more!

The MySpace Journey - "Creating the Profiles" (Part 2)

Creating profiles on MySpace is really a simple process, and purposely so. Part of the reason for the success of MySpace is the easy of use. The first step to beginning the journey through the MySpace world is to create a profile. As mentioned in the previous post, I will be creating three profiles as part of this project.

The first step in creating a MySpace profile is to visit the MySpace home page, At the top right of the page, there is a “sign-up” link.

Clicking the sign-up link brings me to the “JOIN MYSPACE HERE” page. I am prompted to type my email address, first name, last name, password (and password confirmation), country, postal code (zip), date of birth, gender, and language preference. I can also choose to allow others to see when it is my birthday (enabled by default). In order to proceed, I have to enter all of the fields and check the checkbox labeled "By checking the box you agree to the MySpace Terms of Service and Privacy Policy".

Clicking the "Sign Up" button at the bottom of the page (in the graphic above) takes me to a "Verify Account" page that displays a graphic with letters in it. I must type the letters correctly in order to proceed. This step is in place as an attempt to stop programs written to create accounts automatically. Spammers are notorious for creating hundreds or thousands of bogus accounts used to email legitimate (human) ones.

My account/profile is now created, but as part of the sign-up process I am prompted to upload pictures to share with other MySpace people. Before I am allowed to upload any pictures, I have to check the checkbox labeled "I have read the saftey tips". I wonder how many people, especially kids actually read them. I click the checkbox (I did not read the safety tips, but will later), and click the "Browse" button to upload a picture to use for my profile.

Next, I am prompted to invite my friends on the "Invite Your Friends" page. For now, I am going to skip this step by clicking the "Skip for now" link at the bottom of the page. The sign-up process is complete, and I see my profile page.

If I check the email address that I signed up with, I will have an email from MySpace asking me to verify my email address. This verification consists of clicking a link provided in the email. This is required if I want to communicate effectively with other MySpace members.

Break Down - The Good
The MySpace sign-up process was so easy and simple to follow along with. I was able to setup the three profiles that I will use in this project in less that 30 minutes. I liked how MySpace included some security steps along the way during the sign-up, i.e. the image verification step and "safety tips" checkbox. Clearly, the MySpace sign-up process was built for ease-of-use.

Break Down - The Bad
No age verification is a serious issue in my opinion. I can state my age as whatever I want. I can be a 10 year-old signing up as a 20 something, or I can be a 40 year-old pedophile signing up as a 16 year-old. I am not a seasoned pro when dealing with age verification, but I would think that MySpace could come up with something. The lack of age verification has been a serious point of contention between child advocacy groups and MySpace for some time.

As part of age verification, it would be nice to include a parental consent process of some sort also. Although I liked how MySpace included a link and a required checkbox concerning the safety tips, it still doesn't seem like enough to me. On the "JOIN MYSPACE HERE" page, I have doubts as to the effectiveness of Terms of Service and Privacy Policy agreement. Can you legally hold a minor to this?

Sign-Up Conclusion
The sign-up process was designed with easy-of-use at the forefront, security and safety were added as an afterthought.

Tomorrow I will complete the “Pick your MySpace Name/URL!” process, go through some of the MySpace safety tips, and share any notable events regarding any of the three profiles.

Oh yeah, Happy Easter!
Read more!

Friday, April 6, 2007

The MySpace Journey – “The Project” Announcement (Part 1)

A Little Background
Let me start out by telling you a little about myself. I am an information security professional (professional because I get paid) and a father of four wonderful children. Three of my children are intimately familiar with MySpace, and two have active profiles (Dad nixed one).

In the “big picture” that is the Internet, MySpace and other social networking sites offer a wonderful opportunity to meet new people, share ideas, and learn things that are happening in our world. I am a big fan!

In my “little corner of the world” I wonder how MySpace and social networking can affect me and my family. As I wonder and question, I become motivated to do something. My motivation:

1. Nothing is more important to me than the safety of my family. I try to do everything I can to protect my family. It’s my responsibility!

2. It pains me to see people get hurt. When I read articles like “MySpace mom's teen is pregnant”, “Man Arrested Again For MySpace Sex Crimes”, and “’Social surfing' could lose parents millions to ID fraud”, I feel terrible that people didn’t know any better!

3. I know I can offer advice that could help. If nothing else, people might just become aware.

Thus the creation of the MySpace, MyGeneration workshop and this project.

The Project
I have been researching MySpace and the whole Web 2.0 craze for a while now. I have much to share, but I want to know more. I want to share more. I am still amazed at how much life has changed since I was a kid!

The purpose of this project is to gain a better understanding of the risks and benefits of MySpace to myself and my family (my family is actually particpating which is a great learning experience for all of us).

The approach I am planning to take is to document three, 30-day journeys through the MySpace world. I understand that I will not be able to venture out into the entire MySpace world, but I think I will be able to give you a good picture of the landscape.

The Three MySpace profiles:

1. My normal everyday, 36 year-old, married, information security guy profile (for those of you that are interested my profile name is “TrustedToolkit”)

2. A fake, 15 year-old, male profile (I will share this profile name when the project is complete), and;

3. A fake, 14 year-old, female profile (I will share this profile name also upon project completion).

Profiles 2 and 3 are created in order to see what (potentially) my children (and yours) see. Profile 1 will give you a view of what I normally see as a parent.

Tomorrow - The MySpace Journey – Profile Creation

Read more!

Thursday, April 5, 2007

Passwords Part 3/3 - Password Management

Too many times have I seen passwords written on a Post-it note. Too many times have I heard one person give another person their password. Too many times have I been asked for my password from Help Desk personnel.

Oooooh Boy! I have to tell you that nothing tans my hide or boils my blood more than a password written down on a piece of paper! Then I tell myself to calm down and take the ISO hat off for a minute. Many people don't know any better. Others may know better, but how else will they remember 10, 20, 30 or more passwords? Especially if they are all supposed to be "strong"? To make matters worse, I suggest using a different password for each different login.

Why do I suggest a different password for each different login?
Simple answer, to limit the damage. If one of my passwords is compromised only that account is compromised, not all my accounts.

I suppose I should also mention what I mean by "password management". In a nutshell, password management is ensuring the confidentiality of your passwords from their creation through to disposal. Basically, keeping a password secret from the time I think of it until I no longer use it and everything in between.

I have a lot of accounts! I have 59 passwords that I need to keep track of, and each one needs to be "strong". Can you imagine how bad it would look if the "security guy" had his password disclosed? I have a very limited memory as surely my wife would agree. There is no way I will remember 59 passwords. I'm lucky to remember one! Is there something I can use to store my passwords securely and allow me to access them when I need to?

Yep, enter personal password management programs. A good personal password management program will:

  • Be easy to use
  • Store my passwords using encryption. If implemented correctly, this measure will prevent someone else from accessing my passwords.
  • Give me the ability to copy and paste passwords. I like this feature because it is quicker and defeats simple keyloggers.
  • Have the built-in ability to make secure backups of my passwords. Secure backups mean that the backup data will be encrypted.

So, which programs do I use?

I use a combination of two programs for personal password management. I use RoboForm for the management of my Web site/browser-based usernames and passwords and I use Password Safe for the management of all other passwords. I can recommend either or both of these programs because I have used them extensively. As with most things, you may find something you like better.

Through the use of a secure password management program, I can store all of my passwords safely. I only need to remember the one password that opens access to all of the others. Easy, right?

Well, there you go. Passwords are a necessary evil for us all, but the pain can be reduced somewhat. Remember to make backups your passwords!

Read more!

Wednesday, April 4, 2007

Passwords Part 2/3 - Strong Passwords

Let's begin where we left of yesterday. As you might recall, I mentioned two factors that are important to ensuring password confidentiality. One of which was using "strong" passwords. Also from yesterday's post we learned that maintaining confidentiality of our passwords is paramount to maintaining authentication (proof of identity) integrity.

A few questions come to mind when I think of strong passwords. What is a "strong" password? How does a "strong" password help to protect the confidentiality of the password? How do I choose a "strong" password that I can remember? The answers to these three questions is in essense the meaning of this article. So, let's get some answers then!

What is a strong password?
In the simplest terms, a "strong" password is one that is not easily guessed, and cannot be easily "cracked". Cracked!?!? What is "cracked"? There are numerous methods of cracking passwords (I won't elaborate, but can through email). In simplistic terms, traditional password cracking employs a program that continually tries combinations of letters, numbers, etc. until it makes a password match. This brings to mind another question, what makes a password strong?:

  • Length, the longer a password is the harder it is to guess. I recommend a password longer than 8 characters
  • Use letters, numbers, and symbols (!@#$%&^). A greater variety of letters, numbers, and symbols = less length required = same password strength.
  • Do not use words that you can find in a dictionary.

This might make better sense if I give you some examples of "strong" and "not so strong" passwords.

Not so strong password examples:
John1970 (could be easily guessed and not so hard to crack)
144WestMain (could be easily guessed and not so hard to crack)
ChelseaMichaelMarthaBob (nice and long, but still easy to guess and crack)

Strong password examples:

See the difference?

How does a "strong" password help to protect the confidentiality of the password?
Not taking into account what I do with the password (Next installment, Passwords Part 3/3 - Password Management), using a strong password reasonably assures the confidentiality of the password.

How do I choose a strong password that I can remember?
My best trick is to take a phrase that is easy for me to remember and make it into a strong password. A few examples:

  • My Dog's Name is Rover (phrase)
  • My!D0g!Rover (strong password)
  • My wife and four kids (phrase)
  • MyWife&4kids (strong password)
  • Account at Wells Fargo (phrase)
  • Acct.@Wells4go (strong password)

It takes a little creativity on your part to make a strong password that you will remember. Once you get the hang of it, it's a piece of cake.

Now a catch, I suggest using different passwords for different purposes (one for work, another one for eBay, another one for your bank, etc.). This can make for a lot of passwords! Learn why I suggest this, and how you can keep track of all these passwords in the last installment of this series, Passwords Part 3/3 - Password Management.

Feel free to post your comments, check out The Trusted Toolkit, or email me for more!

Read more!

Tuesday, April 3, 2007

Passwords Part 1/3 - Defending the IT Guys

Passwords. Ugh! If you are at all like most people I talk to, you don't like passwords. Actually, most of us security guys don't like them all that much either.

In "Passwords Part 1/3" we are going to explain some things. We will explore what a password is and why these IT guys are always on your case about them.

"Passwords Part 2/3" will dig into some detail about what a "strong" password is and detail some tips to help you to come up with your own.

Finally, in "Passwords Part 3/3" we'll outline some tips and tools to help you keep track of all your passwords. None of these tips or tools will include a pen, a piece of paper, or the underside of a keyboard!

So, let's get this ball rolling. Do you ever wonder why IT guys are such sticklers about passwords or why they have to make things so dag nab hard for you? In order to understand where the geeks are coming from you need to know a little bit about "identification" and "authentication". I won't go into a lot of detail on these two terms, but I will give you a general sense of what they mean.

Identification is what you present to a system to profess your identity. It tells the system who you are. Many times identification takes the form of a username or userid. Typically usernames are not secret. If my name is Bill Smith and my username is "bsmith", your name is John Doe and we both use the same system, I can make an educated guess that your username is "jdoe". Identification is important in order to define what it is that you can do in the system, called rights or privileges. Some people get to do more with a system, file, directory, etc. than others.

Authentication is what you present to a system to prove your identity. Anybody can say that they are me, but who can prove it? There are a variety of methods of proving your identity, but for the purpose of this writing we are talking about passwords. Once I have presented my credentials (identity + password) successfully to the system, then I am "authenticated" and I am given my assigned access to the system.

If I have a password that nobody else knows does this not prove my identity (at least theoretically)? What if someone else DOES know my password? Proof is gone. Someone else can impersonate as me and do what only I should be able to do. Protecting the confidentiality of passwords is paramount IF it is your method of authentication to a system. The IT guys don't care what your password is, they want to make sure that confidentiality is maintained. Period.

Maintaining the confidentiality of passwords means that they must be strong (Part 2/3) and stored securely (Part 3/3).

Check back tomorrow as we continue... Read more!

Monday, April 2, 2007

Microsoft to Release OOB (Out of Band) Patch Tomorrow

This is a little rare, but I am glad to see it! Microsoft made the announcement today that they would issue a patch for what has been called "Microsoft Windows Animated Cursor Handling Buffer Overflow". That's a mouthful. For those of you who don't know, Microsoft releases patches to the general public every second Tuesday of the month (AKA "Patch Tuesday"). Last month, Microsoft did not release any patches, which is also quite rare.

What is the "
Microsoft Windows Animated Cursor Handling Buffer Overflow"?
This vulnerability was announced on various information security sites more than four (4) days ago. The issue stems from the method in which Microsoft operating systems (Windows 2000 SP4 - Vista) handle the processing of malformed .ani, cur, and .ico files, resulting in possible memory corruption and buffer overflow

Should I Care?
Yes, you should. The is a remotely exploitable vulnerability which could lead to the ability to execute arbitrary commands and/or denial of service.

What does The Trusted Toolkit recommend?
Apply the patch tomorrow when it becomes available from Microsoft. In the meantime, follow other good security practices.

More Info:
Secunia (rated "Extremely critical"):

Read more!