Febraury 11th is “Safer Internet Day” as declared by the UK based organization www.saferinternet.org.uk. We need to change our mindset about security and cival librties. In this fast paced high tech world we live in today everyone seems to want everything faster and cheaper and security seems to be one of the biggest areas neglected in the value chain. That is until you get violated.
Here are some real world threats and 10 things you can do to make a difference:
Examples like the recent Target Stores estimating nearly 70+ million credit cards were compromised, numerous identity theft cases in the news and the information that folks like Edward Snowden have exposed. Did you know the NSA and just about any crafty hacker with a purpose can completely access any of your electronic devices including turning on your cell phone/laptop mikes or cameras without you even knowing it? This in my mind can make interacting with cyber space much scarier than the “Wild Wild West” ever was.
See:http://www.npr.org/blogs/alltechconsidered/2014/01/17/263375116/analysts-credit-card-hacking-goes-much-further-than-target As quoted from another news article "Attention 70 million Target shoppers: the people who stole your credit and debit card information also have your mailing address, email account and phone number."
Chaos in the marketplace
I recently found a collection of interesting videos recorded at the Chaos Communication Congress held this past December over in Germany. While many of these were extremely geek oriented and some so intense they left my head spinning, I did learn more about some mind blowing challenges in the security and civil liberties space we all should be aware of.
Most folks seem to have followed the newsbytes about the “Edward Snowden Case” but few realize the real information he shared, what it exposed and what this really means.
The first videos in this exploration opened my eyes to some scary realities:https://www.youtube.com/watch?v=vILAlhwUgIU and that lead me to a whole collection of similar videos:http://media.ccc.de/browse/congress/2013/
If you take a few minutes poking through this stuff you will most likely see a picture you may not have considered in the past.
Be aware, take steps to yourself and never assume
Back in 2000, while working on a military base for the Naval Underwarter Warefare Center (NUWC), I was one of the first to play with tunneling through port 80 using Flash Communication Server. Imagine a spy being able to broadcast secrets anywhere over the internet directly from within a military base or any highly secure facility. I exposed a major whole in their firewall security that their IT experts had no clue about. Why? Because at the time it was new emerging technology and they were looking at security from the perspective of what they learned in school not what was emerging on the street. We are in a similar boat today where even though we may have some of the smartest folks and high-tech tools helping us to protect our cyber assets there are no guarantees. There are plenty of folks with techniques, motive and knowhow out there waiting to blindside us and steal our money or most valuable secrets. Remember for all of the groovy new tools that we now have for doing good and making things convenient online there are equally as many advancements in tools that could be used against us. Being aware of the potential vulnerability you have by interacting with these new technologies is the first step and it may require a little more effort than in the past given the proliferation of technology all around us.
The end of “Social Security” has a double meaning on the web
Having worked on military bases and secure facilities for 5 years, where security is ingrained in our heads to be a disciplined process we all had to follow, I was eager to jump back into the private sector where I thought things could be a little more lax. I could not have been further from the truth. It is just as important for us in our personal lives and business practices to keep a strong focus on security. We lock the doors to our cars and houses but often we do not consider potential access to much more valuable stuff kept on our electronic devices.
I went on Youtube yesterday and found 15 videos on how to hack any facebook account and login as any user. By now most people know that when you put information up on Facebook “they” then own it and “they” have very loose “Non” privacy rules. However, these networks while fun and exciting as they may be, open us to leaving our guards down. It is way too easy for folks with motives to put together complete pictures of your life from small pieces of information and use it in ways that they could take advantage of.
Having many friends in the security community, over the years, I have been exposed to some intense tools hackers use to get “their way” online. Though, I was curious to see what would be out there for the average person other than typical antivirus software. I started searching for tools to protect all of my personal devices and networks etc.
This search ended up scaring me even more since, I found very few tools that an average user can use to fight off the bad guys. Remember, (thanks to Edward Snoden) we know now that there have been backdoors built into the actual chips on most hardware built in the past 5+ years. It was pointed out to me that aniti-virus and anti-spyware software cannot protect you from access of the craftiest hackers and they can operate in stealth. I found more, easy to follow tutorials on things like “man in the middle” attacks where someone hacks your wireless router and can spy on everything you do on your desk top. I also found services that allow you to spy on anyone with a cell phone.http://www.flexispy.com/ andhttp://www.mobile-spy.com/. If you really start thinking about it and look deeper there is a lot to be concerned with for your business, your family and personal privacy.
Keep your CMS Up to date!
Businesses are rushing to the internet since it has the potential to make them more competitive in a global marketplace and they can now reach broader audiences. There are three dominate open source Content Management systems in the market place, Joomla, Drupal and Wordpress. Each of these CMS’s has best use cases and strengths for a variety of online solutions. Our experience has taught us that the number one way folks leave themselves vulnerable online is by not keeping their web applications up to date. Remember, technologies are advancing at a rapid pace. How many of you keep the same cell phone or laptop for more than 2 years? Software development is moving at an even faster pace than hardware and this means not only are there more great features that you can take advantage of by upgrading your CMS but the longer you wait to do so the more time hackers have to try to break the older technologies.
One thing that is very fascinating to me is that in the “hacker community” or on the “dark web”, once one person figures out some type of vulnerability; they spread it across a vast network of web hackers that have the potential to do a lot of damage long before there is even a fix available.
One of the reasons we chose to focus our support for Joomla is because there is such a vast development community they can respond to security patches quickly and Joomla puts security as their top priority. In fact, the latest version of Joomla even offers double authentication just like many back sites will send you a security code that is only good for a short period so it is nearly impossible to hack your login. Equally important as keeping your CMS up to date is to understand the infrastructure and security policies of your hosting company. If you are the owner of any site and you get hacked and this leads to any one’s personal information to be compromised, not only can they shut you down immediately but they will hold you liable for all damages. This about that for a moment and if 70 million folks can get hacked on Targets network what would happen if they got into the cloud where your site was hosted and that was the origin of a massif hack? Not a pretty picture.
Oh My G… What can I do?
Ok enough with the scary stuff and on to some practical options for protecting yourself. As you begin thinking more security conscious you need to identify what information, communications and technical assets you want to protect and to keep private. Once you have a clear picture of your security landscape, you may find these tips and tools helpful.
1. Be AWARE and stay in the loop. Subscribe to RSS feeds, newsletters or information channels that can keep you informed on what threats are out there.
2. Seek advice from experts. If you run a business online or off audit your systems on a regular basis. Build a support team that can be proactive and responsive when it comes to security. Network security is often different than online web security and make sure you have all of the right expertise on your team.
3. Develop a security emergency protocol for how to respond to various situations both personal and for your business networks or web sites. Keep call lists and information available that can help you respond quickly. If a pipe breaks in your house the longer it goes with the water running the more damage that can be done.
4. Surf on a TOR browser to protect your privacy. There is an interesting open source project called the TOR networkhttps://www.torproject.org/. This web site has a collection of privacy tools and suggestions for setting up things like encrypted emails.
5. Set up encrypted email and encourage others to do so. Here is one tool for thishttp://www.gpg4win.org/features.html and here is a tutorial:http://lifehacker.com/how-to-encrypt-your-email-and-keep-your-conversations-p-1133495744
6. Get security software for your cell phone such ashttps://silentcircle.com/ services or other apps
7. Install encryption on your VoIP phones. Use a service or look around for options. Here are a couple sample links: http://zfoneproject.com/ orhttp://lifehacker.com/255283/how-to-encrypt-your-voip
8. Use strong passwords and keep your private passwords protected in a tool like Keepasshttp://keepass.info/ There are also several other online services to research.
9. If you have a web site for your business make sure you keep it up to date, use secure passwords and we recommend using a web application security solutions likehttp://www.securelive.com. I would also recommend reading Tom Canavan’s book CMS Security Handbook:http://www.amazon.com/CMS-Security-Handbook-Comprehensive-WordPress/dp/0470916214
10. Get involved with organizations, events and resources groups that foster safety and security online such as http://www.saferinternet.org.uk/ Notice: Feb, 11th 2014 is Safer Internet Day. There are plenty more… go find them and speak up!
There are a ton of other steps you can and should take as well as many more tools or books and blogs to investigate. The most important thing you can do though is to always think consciously about security. Start developing new habits and discipline yourself to be more aware of how you can protective of your privacy and technology assets.