First off, what if I had a very simple security fix, requiring no new software to be purchased or installed, and with minimal configuration changes, that could block 64% of all Microsoft vulnerabilities reported in 2009? Would you be interested? What if I told you we had a fix that could also prevent 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009? How about blocking 100% of Microsoft Office vulnerabilities reported in 2009? Still not enough? How about blocking 90% of critical Windows 7 vulnerabilities reported to date?

As you should have guessed by now, the fix for all of these is the same: removing administrative rights from end users over their PCs.

While there are still some (poorly written) desktop applications which require administrative rights to run, I have found these to be relatively few in number these days, and once the initial configuration has been done, most programs run just fine as an ordinary user. Despite the additional configuration required by some programs, including hardware drivers, that needs to be done by an admin, the cost of setting these up the right way is generally far less than recovering from the damage caused by a serious malware outbreak.

The press release and the complete report are available from BeyondTrust’s website.

I’m reprinting the questions (with permission) in this post, and will post the answers in a subsequent post to let you rate your own password knowledge.

What’s your Password IQ?

1. How often should you change your password?
a) Every 30 days
b) Every 60 days
c) Every 90 days
d) When IT tells you to

2.  One of your co-workers is working on a critical report this weekend
and needs access to some of your files.  How should you give her your
password?
a) Send it in an email message
b) Call her on the phone and tell her the password
c) Don’t give it to her or anybody else
d) Write it on a piece of paper, seal it in an envelope, and mail it to
her

3.  What is the most common (and so the weakest) password used in 2009?
a) password
b) 123456
c) qwerty
d) abc123

4. What characters should you use in a password to make it strong?
a) Letters only
b) Numbers only
c) Letters and punctuation
d) All of the above

5. How long should a strong password be?
a) Five characters
b) Eight characters
c) As long as possible
d) Size doesn’t matter

6.  Now that you are an expert, choose the strongest password from this list:
a) Mickey.Mouse
b) M1ck3y.m0u53
c) 3.1416**
d) Ad@46-Hiz
e) Aristotle

The full SANS Ouch! newsletter, and others, are available at the SANS website.

The advice is to have a PC dedicated to online banking. If you weigh the convenience and cost savings of having access to online banking, versus time spent on the phone or traveling to and from a bank to conduct your business, the expense of a PC dedicated to this task, to continue to enable online banking, will likely be recouped within a matter of weeks, if not days.

The three arguments I’ve heard against this are:

• We don’t have enough money in the bank for anyone to want to hack it. (Or, “no one is interested in us because we’re too small.“)
  Then it sounds like you have everything to lose! Isn’t it more important to protect what assets you have, regardless of size?
• We’re protected by our bank’s security.
  No, you’re not. Bank websites get hacked frequently. Don’t believe me? Just do a Google search on the subject. Furthermore, the banks are not required to refund your money! You do not have the same protections as you do with credit cards on bank accounts. Finally, it’s not usually the bank that gets hacked – it’s your computer.
• We can’t afford the expense.
  The cost of a lightweight PC dedicated to this task is most likely lower than most of my clients’ electric bill, heating bill, or liability insurance for one month. You can afford the cost. But can you afford getting hacked and having your assets drained?

This is the same advice we gave on this blog last year. It’s sound. It’s simple. It’s cheap. Get a new netbook for a couple hundred dollars and use that for online banking. Is this not worth the risk of your business losing tens of thousands of dollars from its bank account? Please, if you do online banking at home or at work, at the very least, practice it from a non-Windows computer not running Internet Explorer. Better yet, prove me wrong and get a cheap PC and dedicate it to your online banking needs. Never go to any website other than your bank’s with it. Another alternative would be to boot from a live CD of your favorite Linux distribution, such as my favorite, Ubuntu.

References:

• http://lastwatchdog.com/american-bankers-associations-small-business-warning/
• http://itknowledgeexchange.techtarget.com/security-corner/aba-recommends-using-dedicated-pc-for-online-banking/
• http://news.softpedia.com/news/Small-Businesses-Should-Conduct-Online-Banking-from-Dedicated-Computers-131086.shtml
• http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=1#sID200
• http://content.usatoday.com/communities/technologylive/post/2010/01/online-banki
  ng-precaution-for-small-and-mid-sized-businesses-draws-attention-/1
• http://www.upi.com/Top_News/US/2010/01/01/Businesses-warned-about-online-banking
  /UPI-81761262329630/

Let’s assume, for argument’s sake, that Google does abide by its own code of conduct and isn’t evil. They’re still amassing a staggering amount of data about nearly every Internet user. Now, with more and more companies “Going Google,” Google has access to data that it wouldn’t in the past. Now, they aren’t just indexing your website, blogs, or even chats and emails. Now they’re indexing your corporate documents – you know, the sensitive things you’re “not supposed to send via email?”

While I am quite confident in Google’s security capabilities, no one is perfect. And like my aikido instructor used to say, there’s always someone stronger, or quicker than you. Last week, Google met its security match when their servers were hacked.

While I won’t delve into the economic and political issues which revolve around this hack (see footnotes for plenty of reference links), there are plenty of lessons we can take away from this:

• By most accounts, Google’s servers were hacked by good, old-fashioned social engineering:
  

  “Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees…”

  This means that the attackers were not hammering through firewalls or reprogramming routers – they had people click links on what they thought were legitimate emails and exploited security flaws in common desktop software to gain access.

• Users accounts which were hacked were most likely running with administrative privileges over their desktop systems.
• If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
• Trusting Google does not just mean “trusting that Google won’t do anything evil with my data.” It also means “trusting Google will never make a mistake which accidentally opens my data up to anyone else.”
• Substitute the word “Google” with any popular online service or enterprise firm that has a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem just with Google.

References:

• Researchers identify command servers behind Google attack
• Adobe Reader vuln hit with unusually advanced attack • The Register
• IE zero-day used in Chinese cyber assault on 34 firms • The Register
• Google may exit China after ‘highly targeted’ attack • The Register
• Google May Pull Out of China After Cyber Attack
• NY Times Article on Google/China Hack
• Official Google Blog: A new approach to China
• China Defends Internet Censorship
• Ballmer doesn’t get why Google is upset about attacks | Googling Google | ZDNet.com
• US will complain to China about Google hacking • The Register
• SANS Internet Storm Center Diary



The main alleged weakness is the lack of two-factor authentication by Ocean Bank. While I am not sure that this places all of the blame in Ocean’s hands, and I think that Patco should be at least partially responsible for their losses if it is found that their own systems were compromised, a victory by the plaintiff in this case could set an interesting precedent to financial institutions who have not implemented strong authentication mechanisms in their online services. Banks and credit unions – take note! However, a victory by the defendant will likely send a very different signal, more to the tune of “If you bank online, you take your chances.” Small businesses and individuals – take note!

This week’s Data Security Podcast also has an excellent interview with the attorney who filed the suit on behalf of Patco.

“Between March 19 and March 28 the spyware sent more than 1,000 screen captures … via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well…”

This incident goes a long way to show that the biggest threat can often come from inside. Yes, while the boyfriend was the root cause, had the hospital employee not been allowed to access her personal email from work, her system would not have been infected in the first place.

In a separate news article, Panda Security reports that a hacker site is offering to crack Facebook accounts for the low low price of $100. Setting aside the question of whether the site is a “legitimate” hacking site (who’s to say they won’t just take your $100 and walk away?), I found it interesting that a Facebook account is now worth 3 times the street price of a social security or bank account number, which my sources say are going for $20-35 a piece.