Posts Tagged ‘internet security’

Has Target Done Enough?

Saturday, February 1st, 2014

My favorite analogy in security is the one which describes each internet defense as a slice of swiss cheese: they all have their holes (weaknesses).  The idea – if we want the best security – is to stack them all up on top of one another and hope the holes don’t line up.  Because if they do – meaning, if any of the inevitable weaknesses in software or hardware align so that there is an opening for strangers to enter – that represents the tunnel through which cybercriminals crawl into our home computer or business network.

What the average citizen may not realize is that in some ways he or she is no different than Target.  Cybercriminals are coming after all of us.  And based on the infection rates of personal computers and mobile devices, a large number of Target’s potential victims have been personally compromised at home already.  So what are customers in such a huff about?  (more…)

Why We Should All Pay for Smartphone Apps

Saturday, August 24th, 2013

Suppose Josephine and Rick have built the most incredible smartphone application ever.  They offer it up to the market for a few dollars, and next thing we know they are millionaires.  Their customers not only love the app, but they also appreciate not being deluged by incessant banner ads or pop-ups.   Jo and Rick didn’t have to bring in on-line advertisers because their profit model was simple: sell the app itself to make money.   
But not all developers are as lucky.  Steve and Sue can’t get anyone to pay attention to their app, and darn, they spent all their money creating it.  So they will have to figure out another way to earn their money back.  The most popular way to do this is to get paid when users view ads.  Steve and Sue decide to make their app available for free, and advertisers pay Steve and Sue to place ads alongside the application.  These ads change dynamically just as they would at a (more…)

When Your 401K Gets Hacked

Monday, March 11th, 2013

When Bill Foster’s 401K account was emptied and he lost over $40,000, he did what a lot of us might do: he sued the company managing his funds.  But the verdict was rendered a few months ago: the company is not responsible.  It’s his fault, since he failed to file a change of address, and someone else used the information she received (by snail mail, at his old address) to access his account.

In another case in 2007 a man lost $179,000.  He was hacked by a cybercriminal, but it was also concluded there was no liability on the part of the fund company.  Fortunately for him, investigators were able to recover the funds before they were wired out of the country.  Unfortunately for the rest of us, cybercriminals are much smarter today than they were in 2007.

In the first instance, Bill had moved out of his home a few months before the 401K fund managers sent a letter to his home with details on how to access his accounts.  His estranged (soon to be ex) wife opened the letter and used his Social Security number to reset his password and receive a new pin.  Bill only discovered she had drained his account the following year.  Although clearly his ex-wife’s actions were fraudulent, Bill is considered liable (more…)

Gordon Snow on Cybersecurity at Home

Sunday, December 23rd, 2012

I’m a military brat.  Most Americans are familiar with this term, because it is a common way we brats answer the question: “Where are you from?”  Every other answer takes too long.  You know, like explaining why being born in Italy doesn’t mean I’m Italian.  And we really don’t have enough time to talk about all the schools we went to.

According to Wikipedia, we are an entire sub-culture.  One component of this subculture is a company called USAA.  USAA is an organization which provides financial services, loans and banking to anyone associated with the military.  And in their eyes, once a brat, always a brat.  This turns out to be a good thing, because the children of service men and women have a lifetime right to use their services.

The Fall 2012 issue of USAA’s magazine features an interview with Gordon Snow.  He was formerly the FBI’s top cybercrime cop.  Naturally I was curious to read about his tips for keeping our families safe.

You can find the on-line article here, but they cut out a lot of the good stuff (nice reference to my employer though).  Here are my two favorite useful tips:

1.)  Go Long!  – Here’s a password quiz: which is a stronger password – the hard-to-remember: “H7%doss!” or the easier: “MyLazyDogRex” (note: this second one is also called a “passphrase”)?

Believe it or not, the short one will take a password cracker 6 hours to crack; the longer (but easier to remember) one will take 317 years.

(more…)

Add Your Own Security – say yes to the “s”

Monday, August 13th, 2012

Here’s a tip I haven’t heard from anyone except my CISSP study-buddy, Amir.  He manages global IT for a big company, so he’s smart about these things.  I tell everyone about it now because it’s very easy, makes you safer, and it’s not obvious.  I hope it won’t be long before it’s not necessary, but right now it’s still a great idea for those of you who engage in on-line banking, or are toying with the idea of adding such an app to your cell phone.

First, you’ve all seen this part of a web page address, whether it’s in an ad or at the top of your browser:

http://

for example, http://bankofamerica.com

and you may or may not have noticed that sometimes you get this one instead, and it looks just a little different:

https://

for example, https://bankofamerica.com

What’s the difference between these two sequences, kids?  That’s right, the second one has an extra “s”!  And what does that stand for?

Some of you know it has something to do with security, which is good, because when I asked my writer friend Deb she asked, “Maybe they ran out of ‘http’ and need to add ‘https’?”

This is not a bad guess.  But, it’s completely wrong.

What the little “s” is telling you is that the site you are accessing is more secure.  It is making sure you are who you say you are by conducting what we call a handshake between the computer you are using and the website.  Part of that includes encrypting the information which flows between the two of you so that no one else along the way can read it.

Doing this makes certain types of attacks much harder to carry out*.  So anytime you are providing data which is at all sensitive, make sure the site you are going to is “https” and not only “http”.

Sounds like a good idea, right?  But how is this done?

Believe it or not, all you have to do is go up to your browser and add in the “s” to the address, and refresh (hit “Enter”).  This will redirect you to the secure version of the site if that company has one.   Many companies maintain both an http and an https version.

Easy, right?  But if more security is better, then why have a non-secure website at all?  The simple answer is that https isn’t free, so if it’s not necessary most sites don’t implement it.  For example, Google has an http version for the unwashed masses (and the rest of us, when we’re goofing off and checking celebrity gossip) but they will automatically switch you to https when you go to check your gmail account.  Amazon will allow you into their http to browse, but of course when you make a purchase you end up on https.  This is how the majority of sites operate.  They try to protect you, so in most cases you’ll be all right.  But when it’s especially critical, keep an eye out for the s!
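For the curious, here is a small Python script (added as an illustration, not something from the post or from Amir) that does the two things described above: it puts the “s” into an address, and then performs the handshake with the site, letting Python’s ssl module check the site’s certificate so you know the address really belongs to who it says.  The function names and the example addresses in the last block are my own; the handshake part needs an internet connection.

```python
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit


def add_the_s(url):
    """Rewrite an http:// address (or bare host name) as its https:// form.

    Addresses that already have the 's' come back unchanged; an explicit
    port 80 is dropped, since the https version listens on 443 instead.
    """
    if "://" not in url:
        url = "http://" + url  # a bare "bankofamerica.com" is treated as http
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("not a web address: " + url)
    netloc = parts.hostname or ""
    if parts.port not in (None, 80, 443):
        netloc = "%s:%d" % (netloc, parts.port)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def check_handshake(host, port=443, timeout=5.0):
    """Do the handshake the post describes and report how it went (needs network).

    The default context checks the certificate chain and that the certificate
    was issued for this host name, so a failure here is the browser warning
    you would see: the 's' alone is not enough if the certificate is bad.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(item[0] for item in tls.getpeercert()["subject"])
                return {"ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0],
                        "issued_to": subject.get("commonName", "?")}
    except ssl.SSLCertVerificationError as err:
        return {"ok": False, "reason": "certificate failed: %s" % err.reason}
    except (OSError, ssl.SSLError) as err:
        return {"ok": False, "reason": "no usable https: %s" % err}


if __name__ == "__main__":
    for address in ("http://bankofamerica.com", "bankofamerica.com"):
        secure = add_the_s(address)  # the post's example address
        print(address, "->", secure, check_handshake(urlsplit(secure).hostname))
```

If check_handshake reports “certificate failed”, that is exactly the case the footnote warns about: the “s” is there, but the site on the other end is not the one the address names.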

Best,

cj

* it will protect you unless your system is already infected, so never conduct on-line banking from a public terminal!