Apr 10
When all of your users have decided to keep their passwords written down on sticky notes, on their hands and under their keyboards, how do you protect them from themselves? You could go ahead and rip off each of their fingernails (ouch) until they promise to never write it down again, or you could take a much nicer, more humane route — teach them a way to write it down without writing it down.
Somewhere along the way I learned a simple trick for keeping your information handy without giving it out to the rest of the world. It starts like this… Choose a keyword, write it down anywhere you’d like, choose a modification system and stick with it.
So, say the keyword I wanted to use was target. It’s simple: I could write it on my hand, on my car window or even shout it from the rooftops, and besides people thinking I was crazy for the red-bullseye store, no one would be the wiser. Next, I choose a pattern or modification system to use. I’m going to add the number of characters in the domain to the middle of my word and then write the first three letters of the site’s domain (with the first letter capitalized) at the end of my keyword. It may sound a bit tricky at first, but after using it a couple of times it becomes easy. When I set up my new Twitter login, I choose my username and then I create my new password. Starting with my keyword, target, I put the number 7 between the r and the g. So now I have tar7get, and then I add the first three letters of Twitter.com to the end of the password, forming the new password tar7getTwi.
Now I have a password with a number, a capital letter and I almost never use the same one again. It means that my accounts can be secure, I don’t lose sleep over the 20 million passwords I have AND it’s easy to “remember” or figure out the next time I go to that site.
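The scheme above, written out as a small Python script so the rule can be applied consistently. This is an added example, not code from the original post; it assumes that the "domain" whose length is counted is the label just before the top-level domain ("Twitter" for Twitter.com), that the "middle" of the keyword is the position len(keyword) // 2 (rounding down for odd-length keywords), and that the three-letter suffix is title-cased. The helper names (site_label, derive_password, meets_basic_policy) are mine.

```python
"""Worked example of the keyword + modification password scheme.

Added example, not the post's own code. Assumptions (not stated in the post):
  - the counted "domain" is the label left of the TLD ("Twitter" in Twitter.com)
  - the insertion point is len(keyword) // 2
  - the suffix is the first three letters of that label, title-cased
"""


def site_label(site: str) -> str:
    """Reduce a site name or URL to the label the post counts.

    'Twitter.com' -> 'twitter', 'https://www.github.com/login' -> 'github'.
    Assumption: strip scheme, path, a leading 'www.' and the last label (TLD).
    Two-part TLDs such as example.co.uk are not special-cased here.
    """
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.startswith("www."):
        host = host[len("www."):]
    parts = [p for p in host.split(".") if p]
    # Take the label just left of the TLD; a bare word ("twitter") is used as-is.
    return parts[-2] if len(parts) >= 2 else parts[0]


def derive_password(keyword: str, site: str) -> str:
    """Apply the post's rule: keyword with the label length inserted in the
    middle, followed by the label's first three letters, capitalized."""
    label = site_label(site)
    mid = len(keyword) // 2  # assumption: "middle" = floor(len/2)
    prefix, suffix = keyword[:mid], keyword[mid:]
    return f"{prefix}{len(label)}{suffix}{label[:3].capitalize()}"


def meets_basic_policy(password: str, min_length: int = 8) -> bool:
    """Check the properties the post claims for the result: a digit, an
    upper-case letter, a lower-case letter and a minimum length."""
    return (
        len(password) >= min_length
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
    )


if __name__ == "__main__":
    # Constructed sample inputs; the first reproduces the post's own example.
    for site in ("Twitter.com", "github.com", "https://www.amazon.com/ap/signin"):
        pw = derive_password("target", site)
        print(f"{site:35} -> {pw}  policy ok: {meets_basic_policy(pw)}")
```

Running it reproduces tar7getTwi for Twitter.com and shows how the same keyword yields a different string per site. Note for anyone deploying this with users: every derived password shares the keyword and the visible "length plus three letters" pattern, so the scheme gives distinct strings rather than independent secrets; the real protection for a keyword written on a sticky note is that the sticky note alone does not reveal the rule.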
Nov 30
Not performing your job to the best of your ability can be one of the worst feelings in the world. But fear not, it’s not always your fault (eh, sometimes it is). Many times, the reason I don’t complete things the right way is that I’m strapped for time. The problem that I come across can’t wait till tomorrow or the next day to be fixed; it has to be done now or it might hurt the business. So I bite my lip, fix the immediate problem and never look back again.
One great example of this is improving network perimeter security. I need to lock down what people can access from the inside of our network to the internet. I could close off all access except for ports 80 and 443, but that might break a finance application or an engineer’s connection to one of our customers. This would be a big no-no in the IT world. So when I get that call that something broke, I hop onto the firewall and add the rule that’s necessary to fix the immediate problem, but I don’t figure out where the traffic is going or whether there is a better way of doing this. This is a big problem because I didn’t plan out what my fix was.
Many people don’t realize the amount of time that it takes to plan out a project properly in any area. It’s not just a quick slap-on fix — a plan needs to be laid out, decisions have to be made and re-made, and testing has to be done to make sure that whatever is set up will not negatively affect the business any more than is necessary.
The issue at hand (no planning or testing) is not any one person’s fault in a company. There are always outside circumstances that cause things to be pushed through at lightning speed because the CEO or the CIO needs it today or the marketing department needed it yesterday, but that doesn’t excuse skipping proper planning or testing. I’m a firm believer in fixing a problem as soon as possible in order to get things running again, but one thing that we in IT forget to do is to go back and take a look at the problem when time isn’t a concern. Without doing this second part of the process it will almost always take more time and money to fix the issue later.
I hope people (including myself) start thinking about the future problems that they leave behind when they run to fix an issue and put a band-aid on it instead of actually fixing the underlying problem at hand. In the short run it might be time-consuming and a pain to take a step back and actually focus, but you’ll definitely save yourself a world of headaches if you make sure to go back later and actually correct the problem.
Oct 30
So, I just returned from an amazing security training out in San Francisco, California. It was the SANS 401 course, which was much better than I could have ever imagined it would be. The course started out a little slow with Stephen Sims going over some basic networking concepts. Seeing as I’ve spent most of my life learning about networking and how TCP, UDP and routing protocols work, it was a bit boring to me. But after we got through that, the course started to get exciting. The 6 days were split up into 6 core areas that covered a wealth of information about security.
Some of the highlights from the course were definitely some of the off things that Stephen Sims talked about. He discussed an IE6 exploit with IFrames that has since been patched. As strange as it was though, about 10 of the 18 people in the class had machines that were still susceptible to the attack. Not only did he tell us about the exploit and show it in action, but he delved into the assembly code that caused this attack to work. It was much deeper than I ever would have imagined a network security class would have taken it. On top of this, we went over just how easy it is to crack WEP security (which I tell people all the time) but also the tools that are required to crack WPA using a brute-force attack.
The scariest thing I realized in this class, though, was how simple it is for people to get their hands on the tools that are necessary to carry out these attacks. Things like ARP poisoning and using rainbow tables to crack LM hash passwords are as easy to come by as a MySpace account… Alright, maybe not that easy… I mean, some people who don’t read have MySpace accounts and unfortunately, I don’t think these applications are made to be optimized for text-to-speech engines. Someone with a few days to read up on these techniques can start cracking WEP keys, sniffing network traffic and taking your personal or business information in a matter of minutes.
I’ll write more on some of the topics that were covered in this course soon. For now, I’ll leave you with one word of advice. While you cannot ever truly protect yourself from all forms of attacks and keep your information safe from all prying eyes, one of the best things you can do for yourself is patch and update. Patch and update everything — from Windows to Mac OS X to Office to Mozilla Firefox, download the updates. I know it can be a pain and take some time, but it’ll be worth it.