Creative Commons License
This work is licensed under a Creative Commons Attribution 2.5 License.
Secure Personal Computing Tip #18: Be careful when visiting web sites that you do not trust - Muni Tripathi

Be careful when visiting web sites that you do not trust (or do not know whether you should trust) by Muni Tripathi, CISSP

The idea behind the World Wide Web (WWW) was to create a system for sharing information anytime, anywhere. The power of the web comes from its openness and the ability to find information easily. The same openness becomes a security risk in the hands of unscrupulous web site operators. Such web sites operate by installing a Trojan horse, spyware or adware (Kazaa, the peer-to-peer file sharing software, is one such application) either when you visit them or when you install software that they provide as a free download. These applications pose a grave danger to the personal information on your computer. Therefore, before you install free software, do some research and verify that the software is safe to install and does not contain Trojan horses, spyware or adware that could compromise your personal information. It is almost impossible to find out this information about all the free software available on the web, hence, as a safe alternative, you should visit only websites that you already trust or that you reach via a trusted method, such as a recommendation from a friend or a web search. With web search we trust the search provider to list safe sites, which is safer than visiting a site recommended by an unknown person in a chat room.

Secure Personal Computing Tip #17 - Safe Wireless Access

Wireless access has become extremely popular. As is the case with any technology, there are both benefits and drawbacks.

Some of the tips for safe wireless access are:

1. If you have a Wireless Access Point (WAP) at home, make sure to use Wired Equivalent Privacy (WEP). Enable Media Access Control (MAC) address filtering if available. To enhance security further, do not broadcast the SSID of your WAP.

2. If you use a WAP at home, make sure to reset the default admin login and password of the WAP. Also, do not use the default IP address range that comes with the WAP.

3. Use a Virtual Private Network (VPN), if available, to connect over the WAP. If you use a VPN, no one connected to this WAP will be able to see your packets in clear text.

4. If you are using a public WAP, limit the usage to casual browsing. Do not use it for personal transactions, such as logging into a bank account.

5. Make sure your PC is well protected with anti-virus software and a firewall before you connect to a public WAP.

6. When using a public WAP, make sure to adhere to the terms and conditions stated by the WAP provider; more likely than not, your transactions are monitored.

Secure Personal Computing Tip #16 - Do not use public internet access terminals to access your personal accounts

This is common wisdom that is often uncommon in practice. There are free public Internet access terminals in various places, for example international airports. It is very tempting to use these terminals to access your personal accounts. This is not a good idea. Imagine for a moment that someone has installed a key logger on the terminal: your login id and password can be easily captured.

You also have to remember that the public access terminal does not guarantee the safety of your personal transactions. Moreover, someone waiting in line to use the terminal can shoulder surf and capture what you are typing.

Free public access terminals are useful: limit their usage to casual web surfing, not accessing your personal accounts.

Secure Personal Computing Tip #15 - Power off your computer when not in use

Some of us keep our computers running forever. One obvious reason is that it takes time to boot the system and go through the login process. The other genuine reason could be that you are running a background process that you would not like to stop.

If your computer is idle, i.e. not running any background process of yours, it is a good idea to switch it off. Here are some advantages of turning off the computer:

1. Turning off the computer saves power.

2. It reduces wear and tear on your hardware.

3. It protects the computer from viruses and worms that could be introduced to it, or that it could spread to others, while it is on the network.

4. It helps prevent someone accidentally accessing information on your computer over the network.

5. If you do not wish to turn off the computer and your computer supports standby, use the standby option instead of the power-off button.

Secure Personal Computing Tip #14 - Use Parental Controls - Muni Tripathi

Use Parental Controls by Muni Tripathi, CISSP

When kids are online, you do not know where they are going unless, of course, you monitor their activities. No one needs to tell you how important it is for kids' safety to prevent them from going to porn, gambling, file sharing and drug-related sites. They may land on those sites unintentionally or may be solicited. Unprotected surfing by kids may also compromise your personal information, either because they install a Trojan horse unknowingly or because someone in a chat room asks for personal information and takes advantage of their innocence.

Keep your personal computing safe by installing parental control software. There are many software packages available that you can purchase and install on your computer. These can block sites, control how long kids stay online and provide many other monitoring facilities (search "parental controls" on Google to see some of the available vendors).

Secure Personal Computing Tip #13 - Laptop security

The laptop has become an integral part of our computing life. With the advent of the docking station, we use the same laptop as a work desktop.

Some of the tips for laptop safety are:

1. If you are travelling, make sure you carry the laptop with you at all times.

2. Use disk encryption software for extra safety.

3. Don't lend your laptop to anyone else.

4. Make sure to use a physical lock on your laptop.

5. Use anti-theft software if your laptop has highly confidential information.

6. Make sure to use screen lock software on your laptop.

7. If you don't use disk encryption, make sure to encrypt your sensitive files individually.

8. Don't leave sensitive files scattered on the Desktop.


Secure Personal Computing Tip #11 - Be wary before you install new software

It is tempting for any of us to try new software on our computer. Keep in mind that installing new software is equivalent to installing known plus unknown vulnerabilities.

Here are some tips to follow before you install software:

1. Clearly understand the functionality of the software, i.e. what you expect it to do and what it actually does.

2. Talk to your IT support about the software and ask them whether it is safe to install. If you don't have access to IT support, talk to friends who have used the software.

3. Try to stick to well-known brands, be they open source or proprietary vendors.

4. Don't install software just because it is free (I am not referring to well-regarded open source software). Much free software comes bundled with malware. Malware keeps track of your browsing habits and displays annoying targeted advertisements. Some free software could also contain Trojans, for example keyloggers that record what you are typing.

5. If possible, read the release notes of the software and see whether any known vulnerabilities are listed there and whether they pose an unacceptable risk.

6. Last but not least, analyze the impact (for example memory hogging) that the software can have on your computer.

Secure Personal Computing Tip #10 - SSL icon does not always mean that you are safe - Muni Tripathi

Is the lock icon on a browser a guarantee of security? by Muni Tripathi, CISSP

If you are wondering what the answer is: the lock icon on the browser is no longer a guarantee of secure browsing. Why? The security of a system is only as strong as its weakest link. So it should come as no surprise that the security of SSL (represented by the lock icon) also follows this rule. SSL does an excellent job of securing the communication channel through the application of cryptography. However, the weakest link in the chain of SSL security is not the protocol or even its implementation. It is the users and the trust relationships on which SSL relies in order to guarantee security. SSL relies on digital certificates to establish trust relationships. Trusted third parties called Certificate Authorities (CAs) issue these digital certificates. The digital certificate of a website using an SSL connection (with the https protocol) can be examined by clicking on the lock icon in the bottom right-hand corner of the browser.

Typically, browsers verify the certificate before allowing a user to proceed. Many pieces of information in the certificate are verified, but the following are the most important and user-visible:

  1. Host name check: does the host name presented in the certificate match the address of the URL the user is visiting?
  2. Expiration check: has the certificate expired, or is it still valid?
  3. Issuer check: did a trusted root CA issue this certificate?

When any one of these checks fails, the browser prompts the user with a dialog box to accept or reject the certificate. This is the weakness exploited by phishing attacks. Most users do not understand the consequence of clicking "yes" on these certificate error pop-ups, and phishing sites take advantage of it. When a user logs onto a phishing site emulating a genuine business, it presents a bad certificate. For example, a user may click on a link to www.bank0famerica.com (notice the zero instead of the letter O) thinking that he is going to the Bank of America site. Since the user cannot tell the difference between a good and a bad certificate, he clicks "yes" where he should have clicked "no" and goes ahead with the login procedure. The phishing site captures the logon information and the user's account is compromised. All the security benefits of SSL go down the drain with that one click.

Phishing attacks have been taken one notch up by obtaining digital certificates from genuine certificate authorities (CAs). In such cases, the browser does not pop up a yes/no dialog box, and even a user who understands certificates has no clue that he is logging onto a fake site. You may ask, how did these fake sites get genuine digital certificates? Because some CA somewhere is being careless. Both Mozilla Firefox and Internet Explorer trust over 100 certificate authorities. You may know about the leaders in the industry such as Verisign and Thawte, or some other well-known issuers such as Microsoft. What about the remaining CAs? How can you know that they were not careless, or were not fooled by a phishing company posing as a genuine business to get a certificate? Getting certificates is not that hard, and phishing attackers are taking advantage of it.
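The three checks listed above, run against the two cases the post describes (a look-alike name on a self-signed certificate, and the same look-alike name on a certificate obtained from a careless but trusted CA), as an added Python example; it is not code from the original post. The Certificate class, the trust-store names and the hosts under the reserved .example domain are constructed stand-ins, and the checks are implemented directly rather than through a browser or the ssl library.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone

# Constructed trust store: root CA names a browser would ship with.
TRUSTED_ROOT_CAS = {"Example Root CA", "Another Trusted Root CA"}


@dataclass
class Certificate:
    """Only the fields the three checks look at (constructed stand-in)."""
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)


def _name_matches(pattern, host):
    """Exact match, or a wildcard as the whole leftmost label ("*.x.example")."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        # "*.x.example" matches "a.x.example" but not "x.example" or "a.b.x.example"
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def hostname_check(cert, url_host):
    """Check 1: does a name in the certificate match the host in the URL?"""
    names = cert.san_dns or [cert.subject_cn]  # SAN entries take precedence over CN
    return any(_name_matches(n, url_host) for n in names)


def expiration_check(cert, now):
    """Check 2: is 'now' inside the certificate's validity window?"""
    return cert.not_before <= now <= cert.not_after


def issuer_check(cert, trusted=TRUSTED_ROOT_CAS):
    """Check 3: was the certificate issued by a CA in the trust store?"""
    return cert.issuer_cn in trusted


def verify(cert, url_host, now):
    """Return the names of the failed checks; an empty list means 'show the lock'."""
    failed = []
    if not hostname_check(cert, url_host):
        failed.append("hostname")
    if not expiration_check(cert, now):
        failed.append("expired")
    if not issuer_check(cert):
        failed.append("issuer")
    return failed


NOW = datetime(2006, 3, 15, tzinfo=timezone.utc)

# Constructed sample: the genuine bank's certificate from a trusted root ...
GOOD_CERT = Certificate("www.bankofamerica.example", "Example Root CA",
                        datetime(2005, 1, 1, tzinfo=timezone.utc),
                        datetime(2007, 1, 1, tzinfo=timezone.utc))
# ... and the look-alike name from the post (zero for the letter O), self-signed.
PHISH_CERT = Certificate("www.bank0famerica.example", "Phisher Self-Signed",
                         datetime(2006, 3, 1, tzinfo=timezone.utc),
                         datetime(2006, 4, 1, tzinfo=timezone.utc))
# Same look-alike name, but obtained from a careless trusted CA: passes all three.
PHISH_CERT_TRUSTED_CA = replace(PHISH_CERT, issuer_cn="Example Root CA")

if __name__ == "__main__":
    print(verify(GOOD_CERT, "www.bankofamerica.example", NOW))             # []
    print(verify(PHISH_CERT, "www.bank0famerica.example", NOW))            # ['issuer']
    print(verify(GOOD_CERT, "www.bank0famerica.example", NOW))             # ['hostname']
    print(verify(PHISH_CERT_TRUSTED_CA, "www.bank0famerica.example", NOW)) # []
```

The last case reports no failure at all, which is the post's point: the checks are necessary for the lock icon to mean anything, but they cannot catch a certificate that a trusted CA should never have issued.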

The good news is that you can avoid phishing attacks. The foremost method is to understand the technology. Knowledge is the best defense against this new breed of extremely malicious attacks. You should always be watchful of the sites you are visiting; in particular, do not click on links to financial sites, brokerages and finance-related sites (eBay and PayPal) in emails. For the sites that you visit regularly, type the URL manually the first time and bookmark it, and then always use the bookmark to log on to those sites. This is a very simple and effective method to avoid the threat of phishing attacks. When you follow it and then see the lock icon, you can still feel comfortable knowing that you are secure.

Secure Personal Computing Tip #9 - Avoid the social engineering trap

Many security operations professionals boast that they have the best perimeter defense working along with the best host defense. In short, there are multiple layers of defense that need to be broken before information is breached. The point I make is that defense in depth does not matter when a single disgruntled employee can cause a far-reaching information breach. An information breach attributed to the human element is also known as social engineering.

Here are some of the tips to counter social engineering:

1. Never, ever give out your password or PIN number over the phone. If by mistake you gave out your password, make sure to reset it right away. Tricksters use FUD (fear, uncertainty and doubt) to coerce you into giving away your personal information: if you don't give out your personal information, your problem won't be fixed.

2. Avoid using your laptop in public places. If you do so, make sure no one is looking over your shoulder (aka shoulder surfing).

3. If at all you become disgruntled with your company, do not, in a fit of anger, do anything unethical that leads to an information breach of your company. Alert your manager (if you don't like your manager, alert a senior manager) that you are not happy, and she will figure out an amicable solution to your disgruntlement. Remember, if you breach your company's information, no other employer can trust you in the future.

4. Never share your account with anyone else.

5. Do not respond to SPAM emails that announce that you have won a lottery, offer a lucrative business opportunity, or seek help to retrieve huge sums of money.

6. The best way to counter social engineering is to prevent it in the first place. If someone is trying to collect personal information by unethical means, confront them with a warning and report it at the first instance to your information security team.


Secure Personal Computing Tip #8 - Clear Browsing History and Cache - Muni Tripathi

Secure Personal Computing Tip #8 - Clear Browsing History and Cache by Muni Tripathi

Browser history, cookies and cache contain a treasure trove of your personal information. They contain all your search history, the sites you visited, possibly user names, passwords and form data, all the images you downloaded and practically anything you did online. The reasons all this information is stored on your computer are manifold; the primary reason is that when you view anything in the browser, it needs to be downloaded to your local computer. It is not necessary to store all this information locally afterwards, but most browsers do so for performance reasons and to provide a better user experience. As a security-conscious person, you should periodically clean up this history. Although I should warn you that cleaning up does not completely erase the information from your computer. It just makes it unavailable to a casual eavesdropper. A person with physical access to your computer and the right forensics tools can still reconstruct all your activities. Still, you should do whatever you can to protect yourself from casual breaches. So here is what you should do:

On IE:

  1. Click Tools, and then select "Internet Options". A dialog box pops up.
  2. Under the "Temporary Internet files" section, click "Delete Cookies" and "Delete Files".
  3. Under the "History" section, click "Clear History". While you are at it, also reduce "Days to keep pages in history" to 2 days (it's my personal preference; dialup users may want to keep this value slightly larger, perhaps 10 days).
  4. Then click the "Apply" button and then click "OK".
  5. Remember to do the above steps once a week.

On Firefox (1.0.4):

  1. Click Tools, then "Options…"; a dialog box appears.
  2. Choose the Privacy tab on the dialog box.
  3. Click the "Clear" buttons in front of History, Cookies and Cache.
  4. Then click "OK".
  5. Remember to do the above steps once a week.

On Firefox (1.5.0.1):

  1. Click Tools, then "Options…"; a dialog box appears.
  2. Click the "History" tab and then click "Clear Browsing History Now".
  3. Click the "Cookies" tab and then click "Clear Cookies Now".
  4. Click the "Cache" tab and then click "Clear Cache Now".
  5. Then click "OK".
  6. Remember to do the above steps once a week.

Secure Personal Computing Tip #7 - Update your software

Your personal computer has various software products, each of which has a life cycle. Security is a function of time: the software that looks unbreakable today can be easily broken tomorrow.

Stay secure by installing regular updates for your operating system, browser, email software, messaging software and other programs. It is not a good idea to fall behind by several revisions.

Many software vendors provide an automated update feature in their software; use this feature to your advantage.

Secure Personal Computing Tip #6 - Don't share your account

Imagine this scenario at work: your co-worker's computer has crashed, and in order to get the problem fixed he needs to open a helpdesk ticket, so you allow him to use your computer to open it. In another scenario at home, you may allow a relative to use your computer. In both of these scenarios you are exposing the personal data on your computer to others. This is not a good security practice.

Ideally, you should not share your computer with anyone else, the simple reason being that others may not be trained to use the computer securely. But in reality, you may have to share your computer with others at different times. The best way to do this is to create a local guest account (or use the default guest account) with minimum privileges for others to use. This not only minimizes the risk of exposing your personal information, but also ensures the safety of your computer.

Secure Personal Computing Tip #5 - Be cautious when you seek help or give help

This was the topic of a blog post of mine a while ago. Often, we get stuck with a problem at work, and in order to solve it we can take help from peers, google for answers, or post for help on a newsgroup (or forum).

When posting for help on a newsgroup:

1. Do not explain the details of your workplace, for example your internal Internet Protocol addresses, user names, et al. Mask your post so that it does not divulge any information about your company. If your post exposes sensitive company information, do not post it.

2. Do not use your workplace email id as the return address for the newsgroup post.

3. The above rules apply equally when you provide help through a newsgroup post.

The bottom line is: think before you post anything regarding your company on the Internet. The same rule applies to your personal information.
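One way to apply rule 1 mechanically before posting, as an added Python example that is not from the original post: it masks RFC 1918, loopback and link-local addresses, listed user names and host names under an internal domain, and leaves public addresses and version strings alone. The sample post, the user name jdoe and the domain corp.example.internal are constructed.

```python
import ipaddress
import re

# Address ranges treated as internal: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal_ip(text):
    """True only for a syntactically valid IPv4 address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:            # e.g. 999.1.1.1 is not an address at all
        return False
    return any(ip in net for net in INTERNAL_NETS)


def mask_post(text, usernames=(), internal_domains=()):
    """Replace internal IPs, internal host names and user names with placeholders.

    Returns (masked_text, number_of_replacements) so the caller can see
    how much company detail the draft actually contained.
    """
    count = 0

    def ip_sub(match):
        nonlocal count
        if is_internal_ip(match.group(0)):
            count += 1
            return "[internal-ip]"
        return match.group(0)  # public addresses and "1.5.0.1"-style versions stay

    text = IPV4_RE.sub(ip_sub, text)
    for domain in internal_domains:
        # Any host under the domain, including the bare domain itself.
        host_re = re.compile(r"\b(?:[\w-]+\.)*" + re.escape(domain) + r"\b", re.IGNORECASE)
        text, n = host_re.subn("[internal-host]", text)
        count += n
    for user in usernames:
        user_re = re.compile(r"\b" + re.escape(user) + r"\b", re.IGNORECASE)
        text, n = user_re.subn("[user]", text)
        count += n
    return text, count


# Constructed draft of a newsgroup post, with the kind of detail rule 1 warns about.
SAMPLE_POST = (
    "Firefox 1.5.0.1 on my desktop cannot reach our intranet server "
    "wiki.corp.example.internal (10.20.30.40). jdoe says the proxy at "
    "192.168.1.254 is fine and the public site 198.51.100.7 loads. Ideas?"
)

if __name__ == "__main__":
    masked, n = mask_post(SAMPLE_POST, usernames=["jdoe"],
                          internal_domains=["corp.example.internal"])
    print(n, "items masked")  # 4 items masked
    print(masked)
```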

Secure Personal Computing Tip #4: Manage your passwords wisely

Passwords are everywhere: they are required for everything from logging into your Windows machine to logging into your online brokerage account.

There are two critical aspects of password security. Firstly, the selection of the password itself: make sure that the password you choose is not easily breakable. Some tips for choosing a good password can be found here. Secondly, the password needs to be changed periodically. It is recommended that you change your password manually once every four months unless a change is enforced by the server. You should also change your password (even earlier than the periodic change) if you believe that it has been compromised. Also, make it a point to change the default password once an account created with a default password has been established.

We live in a complex world, and we are likely to have many accounts and passwords. It is not a good idea to use the same password across multiple accounts; the reason is obvious: if the password of a single account gets compromised, the passwords on the other accounts will most likely get compromised too. I use a tool called Password Safe to manage all my passwords. This tool is far superior and safer than using a spreadsheet to store passwords or writing passwords on a piece of paper (don't!).


Secure Personal Computing Tip #3 - Read your company's COBC

COBC is an acronym for Code of Business Conduct. This important document is usually handed to you at the time you join the company. The COBC is the code of ethics as viewed in the company's context. Often, the COBC gets lost in the pile of paperwork that you are expected to complete when you join the company.

It is important to review the COBC and understand its various violation clauses. One of the items in the COBC will be a reference to the Information Security Policy. Make sure to read your company's Information Security Policy; this will make you aware of how to handle sensitive information within your company.

It is better to be aware of the COBC that guides your actions than to act and hope that the act falls within what the COBC considers appropriate.

It should be noted that the COBC is a living document, so make sure to read the revisions. Some companies make their employees take mandatory periodic COBC training; that's a good business practice. Irrespective of the level of effort a company puts into COBC training for its employees, reading the COBC helps you stay safe.

Secure Personal Computing Tip #2 - Follow safe email practice

Email is rightly called the killer app. Imagine the days of the inter-office memo, and how such a physical mechanism of exchanging communication constrained efficiency. Email has not only become the de facto tool for inter-office communication, but is also helping dispersed families keep in touch. Here are some tips for safe email practice:

1. Never open an email from a source that you do not know or trust.

2. If someone you know sends you an executable as an email attachment, never run it; if you cannot resist the temptation to run it, call the sender and ask them what it does.

3. Create a web email id (id1). Use id1 for sources that you do not trust, for example promos on the web or as the return address for your newsgroup posts.

4. Create another web email id (id2). Use this one for personal use. Give id2 to your near and dear ones and to outside professional contacts.

5. Never ever use your office email id for personal use.

6. Never entertain chain emails. This is one of the techniques by which spammers harvest email ids.

7. Phishing is a social engineering technique used to harvest your personal information, such as a bank account login and password, by mimicking a trustworthy source. As an example: if you get an email from, say, bofa.com instructing you to change your password right away, pick up the phone and call customer service! Don't ever click on the link provided in the email; type the hyperlink yourself, because phishers will fool you with look-alike names. Most of the time phishers use pressure tactics to instill fear, so don't hesitate to pick up the phone to verify!

8. Suppose you would like to send an email to 50+ people: don't put all their email ids in the To: field, put them in the Bcc: field instead. This way each individual id is not exposed to the 50 other ids without need. Exposing them can also cause annoyance if some of the 50 respond by hitting the Reply To: button, spamming all 50.

9. If you need to send sensitive information via email, use PGP signatures.

10. When you forward somebody else's email (especially sensitive emails), make sure that the original sender is OK with you forwarding the message. Also, it is a good idea to think from the original sender's point of view and make the necessary edits before forwarding the message.

11. Last but not least, remember: once you hit the send button, your email is out there on the Internet!

Secure Personal Computing Tip #1 - Use a screen saver (or screen lock)

This is the first of the 25 tips for secure personal computing. I believe these tips are very valuable for any of us who use a personal computer, be it a laptop, a desktop or a tablet PC, at either home or office.

It is obvious that if you don't use a screen saver and you are away from your computer, someone else can access the personal data on your computer.

On Windows XP you can set the screen saver by the following steps:

Go to Control Panel >> click Appearance and Themes >> click Choose a screen saver >> select a screen saver from the drop-down menu, set the wait period to 10 minutes (an ideal time) and also select the check box "On resume, password protect" >> click OK.

The bottom line is: for any operating system that you use, make sure to use a screen saver, set the idle time to around 10 minutes, and enable password protection on resume after the screen saver kicks in.

Do not download free (or paid) screen savers from unknown web sites; they could contain spyware or viruses, or introduce a vulnerability.
