SECURITY

Generation I (For Insecure)?

12/1/2012 6:26:16 PM

We explore the Pinterest security problem and reveal how to check if you've been pwned.

Check Point, the firm behind ZoneAlarm, published a report revealing interesting variations in how security is perceived and applied by different age groups. This "generation gap in computer security" report looked at attitudes of "Generation Y" (18 to 25-year-olds) versus "Baby Boomers" (56 to 65-year-olds) and its results were surprising. Generation Y users were surer of themselves concerning IT security than Baby Boomers, but had experienced more security problems over the past couple of years than the latter. In fact, the research suggests 78% of younger users don't follow best practices when it comes to computer security, while Baby Boomers are twice as likely to install and use security software. This could prove more problematic for the UK than the other regions covered, since it was there that reported security breaches over the past two years peaked at 67%, compared to 57% in Australia and 50% in Canada, Germany and the USA.

Perhaps the problems for Generation Y users are due to poor prioritisation, since they value entertainment and community above security - only 31% of them placed security at the top of their list compared to 58% of 56 to 65-year-olds. Combine this with overconfidence when it comes to their perception of risk, and you're asking for trouble, especially if you throw in cost. Some 45% of Generation Y users think security software is too expensive, and are far less likely to use antivirus and third-party firewalls, for example.

Of course, there are free security suites available that perform very well in a domestic setting, and would almost certainly lead to a lowering of those infection rates were these people to use them. Assuming a Windows 7 platform - more specifically Windows 7 64-bit, which is pretty well the norm in both the domestic and small-business circles I frequent nowadays - it's easy enough to ward off malware and phishing attacks by installing Microsoft Security Essentials and Windows Defender, together with keeping everything you use properly patched and updated. That goes a long way towards mitigating most threats and it costs nothing. Using Gmail as a spam filter helps keep most of the archived malware attachments off your PC as well.

It's even possible to defend against oft-used DNS redirects that send your browser off to a drive-by exploit site, should something nasty sneak past your initial defences. Both OpenDNS (www.opendns.com) and Google Public DNS are free DNS services that can bolster your security. For example, OpenDNS offers a phishing filter and domain blocking with typo correction. This kind of secured DNS, with free options that are fine for most users, simply requires you to type the relevant DNS server addresses (208.67.222.222 and 8.8.8.8 respectively) into the DHCP server settings of your router and let it deal with everything on the network.
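A quick way to confirm that a Windows PC on the network really received these resolvers is to inspect `ipconfig /all`. The parser below is an added example, not part of the original article; the sample output is constructed, the secondary addresses (208.67.220.220 and 8.8.4.4) are each service's well-known second resolver rather than values from the article, and only IPv4 entries are handled.

```python
import re

# Addresses named in the article plus each service's secondary resolver.
ALLOWED = {"208.67.222.222", "208.67.220.220", "8.8.8.8", "8.8.4.4"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
"""


def dns_by_adapter(text):
    """Map each adapter heading to the DNS servers listed beneath it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip(": "), False  # unindented heading
            result[adapter] = []
        elif adapter and line.strip().startswith("DNS Servers"):
            in_dns = True
            result[adapter].append(line.split(":", 1)[1].strip())
        elif in_dns and IPV4.match(line.strip()):
            result[adapter].append(line.strip())  # continuation line
        else:
            in_dns = False
    return result


def unexpected_resolvers(text, allowed=ALLOWED):
    """Return adapters using any resolver outside the allow-list."""
    found = {}
    for name, servers in dns_by_adapter(text).items():
        extra = [s for s in servers if s not in allowed]
        if extra:
            found[name] = extra
    return found
```

A router address such as 192.168.1.1 in the result means that adapter is still being pointed at the router as its resolver rather than at the filtered service directly, so the router's own upstream DNS setting needs checking.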

Have you been owned?

What a month for database breaches June was, with membership database leaks confirmed by LinkedIn, eHarmony and TechRadar to name but three. Usually, individual members know about the potential risk they've been exposed to only once the news story breaks, or they receive an email telling them to change their passwords due to a security problem. The latter will often be ignored because people are wary of any email that asks them to "click here to change your password", which nowadays is perceived as potentially phishy. If you're among the masses that still reuse the same password across multiple sites, despite constant warnings to the contrary, this can be a major issue.

The bad guys know the value of trying a cracked password against webmail accounts in order to scrape useful personal data and perpetrate further scams, but they have to do this before the victim has a chance to change the password in question. Luckily for them, and unluckily for you, all too often this is easily achieved, since official notifications go unnoticed and media stories unread. In the case of the LinkedIn compromise, it was easy to check whether your password was among those affected by the breach, since a list of six-and-a-half million or so unsalted SHA-1 password hashes had been posted online in a bid to get help from other hackers in cracking them. One web developer who was on the list of leaked passwords made an app that compared your password - run through a SHA-1 hash generator - to the published list and reported whether it had been compromised or not.

Of course, the professional advice is never to give your password to anyone, so an app such as this could all too easily have been a scam designed to collect yet more passwords. As it turns out, this wasn't the case, and LeakedIn (great name) employs JavaScript to hash your password so that the password itself never need leave the confines of your computer. Whether or not your password was on the list, however, my advice would still be to change it, having used LeakedIn or any other such resource, just as a matter of sense.
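The same check can be run entirely offline against a downloaded hash list, so the password never leaves the machine. The script below is an added example, not LeakedIn's code or anything from the original article; the sample list is constructed, the file name in the usage comment is hypothetical, and the zeroed five-digit prefix is an assumption based on how entries in the 2012 dump were widely reported to appear.

```python
import getpass
import hashlib
import string
import sys

HEX = set(string.hexdigits.lower())
# Assumption (not from the article): entries in the 2012 dump were widely
# reported to appear with their first five hex digits zeroed.
MASK = "00000"


def sha1_hex(password):
    """Unsalted SHA-1: the same password always yields the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(text):
    """Return the set of well-formed 40-hex-digit entries, lowercased."""
    hashes = set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if len(entry) == 40 and set(entry) <= HEX:
            hashes.add(entry)
    return hashes


def check_password(password, hashes):
    """Classify a password as 'listed', 'listed-masked' or 'not-listed'."""
    digest = sha1_hex(password)
    if digest in hashes:
        return "listed"
    if MASK + digest[5:] in hashes:
        return "listed-masked"
    return "not-listed"


# Constructed sample standing in for the published list (not real leak data).
SAMPLE_DUMP = "\n".join([
    sha1_hex("linkedin2012"),
    MASK + sha1_hex("password1")[5:],
    "not-a-hash",
    "",
])

if __name__ == "__main__":
    # Hypothetical usage: python check_dump.py hashes.txt
    with open(sys.argv[1], encoding="ascii", errors="ignore") as fh:
        known = load_dump(fh.read())
    # getpass keeps the password off the screen and out of shell history.
    print(check_password(getpass.getpass("Password to check: "), known))
```

Because the hashes are unsalted, one set lookup is enough; with per-user salts the same password would produce a different digest for every account and a list like this could not be searched this way.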

The best advice when it comes to passwords is to not reuse them - it's really asking for trouble. Invest in a password management solution such as LastPass or 1Password, which not only generates truly "strong" passwords, but also stores them safely in an encrypted format on your home computer, external drive, USB memory stick or smartphone. This way, you only have to remember one super-strong password in order to access all the others, and memorising a single complex string isn't beyond the ability of most folk. With a product such as this in place, it becomes easy to establish a rotation routine where you change all your passwords on a regular basis, adding to the security layers already in place.

I'd seriously recommend doing this if you're one of our hobbyist or small business readers. Take the opportunity to change all your passwords: you may as well get off to the best start, and it will be a worthwhile investment of your time. In the meantime, you may want to make use of a neat tool called PwnedList (https://pwnedlist.com), which will check whether your email address has appeared in any of the hacker dumps from corporate data breaches that appear online. If it has, then you're at an increased risk of falling victim to fraud, and should set a password changing strategy in motion immediately.

PwnedList and LeakedIn identify at-risk accounts, but a secure password strategy is the best protection.

PwnedList started when security researchers wondered how many compromised accounts could be harvested automatically by a scraping routine - the answer was 30,000 within two hours, complete with logins and passwords attached. They decided to create a one-click service to allow people to check if their email was in any of these account dumps, and to do so for free. At the time of writing, the number of "pwned" emails harvested and compiled in this way is almost 15 million. It should be noted that PwnedList only scrapes the emails, and the accompanying password and login data is discarded. The emails are put through a one-way hash and the clear text is then destroyed, and when you enter your email address in the checker it isn't stored in any form.

Forget BYOD, what about BYOB?

While Bring Your Own Device (BYOD) continues to soak up headlines and hyperbole in equal measure, I'm willing to gamble that you probably haven't yet heard about BYOB. Bring Your Own Browser is the name applied to a security threat that enables a potential hacker to make the leap from a compromised home PC to a work PC, in much the same way that BYOD opens up a consumer-to-workplace threat channel, but without any physical device being involved. The key, according to the Imperva Application Defense Center researchers who uncovered the threat, is the tab-syncing feature introduced in recent versions of the Google Chrome browser. It looks like a great feature, syncing your browser tabs across multiple computers so whatever pages were open when you left your office will still be open when you fire up Chrome at home, and vice versa.

Many of us know to “bring your own bottle” (BYOB) to parties and like BYOB in social circles, “bring your own device” (BYOD) is an extremely popular trend in the workplace.

Where's the risk in this? According to Rob Rachwald, director of security at Imperva, it's a pretty straightforward one: sign in to your sync account at home and work to enable the tab synchronisation to be utilised; if the home PC is compromised by a malware infection then the data you sync from your work PC is also compromised. Now you might still think that this is no big deal, that even if a hacker were able to see what internal corporate URLs you've been accessing, this information alone isn't necessarily going to lead to a breach. But it isn't only data about which tabs are open that's synced to Chrome when you sign in. In fact, to enable a "personal Chrome experience" across all devices, pretty well all browser settings are synced, including apps installed, bookmarks, extensions and browsing history, for example.

Now the threat surface has just expanded considerably, and all of a sudden the value of that kind of information to a potential hacker is far greater, especially when you consider that the Chrome default for syncing is to include everything. Remember, unlike BYOD scenarios, where there's the opportunity to implement security measures to manage what data can flow between devices when you connect your home laptop or smartphone to the company network, managing what you do with your home web browser or the one that lives in your pocket is impossible for enterprise IT bods.

Malware detection will spot and stop most infections, but "most" isn't good enough. What if a home PC, by virtue of the corporate acceptable use policy not stretching into the domestic environment, became infected by malware that does the drive-by thing and redirects an open URL to an infected page distributing a zero-day exploit? If the same settings are synced to the work computer, then that browser is at risk from the same infection as soon as it's opened - and this being a zero-day means the chances are high that the company network will be compromised even if there are methods in place to mitigate the zero-day risk.

How so? Because the home PC will remain infected even though the corporate one has detected the exploit and disinfected itself, leaving the bad guys (should they be of the advanced, persistent threat variety) to tweak and morph the malware that would get a fresh chance at antivirus avoidance every day. Then there's the small matter of apps and extensions, which are also synced between devices by default. I'm sure you don't need me to remind you of the dangers of rogue extensions, especially in terms of JavaScript injection attacks. Now think back to the dilemma of there being no acceptable use policy (AUP) at home: while an AUP may guard against the installation of non-trusted apps and extensions in the workplace, it can't reach into the home, where defences are likely to be lower and users more relaxed when it comes to the nature of the extensions they install, and the provenance of the developers who create them.
