Category Archives: Security

Security related issues.

Put Your Money Under Your Mattress – Tips for Security


The rash of security breaches continues unabated, especially in the retail sector. It’s getting to the point where I feel like just pulling my money out of the bank and putting it under my mattress. I had slowly transitioned to using my ATM for all my daily purchases and now I’m back to carrying more cash.

To highlight just a few recent events:

Kmart has a blue light special on malware

Why the Home Depot breach is worse than you think

Chase warns customers about massive data breach

Staples is investigating a possible data breach

If you go back even a year the list is waaaay too long. ATM hacks abound (did you know most of them still run Windows 95?!), and gas pump card readers have been compromised for years.

I used to worry more about using a credit card at a small retailer because of the potential for employees to steal your data and use/share/sell it. Now with big software hacks in play, little guys aren’t profitable targets. Why compromise a store with hundreds of customers when you can nail a chain with millions?

In all this paranoia, what can you really do about it? I’ve put together a short list of actionable things anyone can do. In a follow-up article shortly I’ll talk more about what the industry can and should be doing.

For consumers the list includes many things that don’t have anything to do with your computers.

  1. Use more cash. The software that is being used in these breaches is just too cheap, readily available, and easy to use. Expect to continue hearing about major breaches, and eventually more minor ones as well. Trickle-down hacking.
  2. Don’t pay at the pump. I know, this is a pain, but seriously this is the one I hear about the most from real people I actually know who have been affected. It was the card reader at the pump. So pay inside, and don’t forget, most stations are part of large organizations, making them tempting targets for the same POS attacks we keep hearing about. Use cash for gas. Or drive an electric, like I do.
  3. Don’t pay at suspicious places. Well, I guess I don’t mean dine-and-dash, but don’t pay with credit cards at places that you’re unsure of. Look around and ask yourself if you’d leave your wallet or phone on the table unattended while using the restroom. If not, pay in cash.
  4. Big retailers are at least as unsafe as small ones. Hacks are happening just as often at big reputable places because it’s simply more profitable. More customers = more cards. It’s simple economics. So pay cash when you can, and keep track of announcements from retailers you use, including silly looking envelopes in the mail that look like junk mail. They could be security alerts.
  5. Don’t click links in unsolicited email. This is a corollary to above – be extremely careful clicking on email alerts about password updates, account info, etc. Phishing is too easy and too common. When in doubt, either put the URL in by hand (always a good idea) or get on the old-fashioned phone and actually call: Did you guys just email a security alert? The time you spend on hold (you know you will) is better than getting hacked.
  6. Use good passwords. I’ll be writing more about this at some point, but for now remember that longer is better. I’m shocked that some organizations still don’t allow really good passwords. In terms of complexity, length is often more important and secure than the old adage of numbers, letters, and special characters. But the bigger the better. If your password is 8 characters, even with all of the above, it’s hackable, nearly instantly. Just remember that.
  7. Change passwords when a hack occurs. Even if you don’t get a notice from the company, just change it. If for example you heard about Staples today and are sitting around waiting for an email or letter, remember that the hackers aren’t waiting, in fact they may have had your data for weeks or even months. Just change your password now. This is a great case of better safe than sorry.
  8. Use a password manager. You need something to manage all your passwords and other important secure data, otherwise you’ll never do steps 5 and 6 above as you should. There are quite a few good ones out there. Just make sure it’s got good encryption, comes from a reputable company, and supports ALL of the platforms you need so that you’ll use it. A few off the top of my head are LastPass, 1Password, and mSecure. Some of them even support a USB dongle to make sure that your password manager data is secure.
  9. Use two-step authentication. This is a configuration option you can get from Microsoft, Apple, Google, etc. where they send a text message to your phone when you try to login. Sometimes they also have an authenticator app instead of the text message, which is nice because you don’t need a data connection like you would with a text message. Google announced security key support today, which is a USB device you put on your keychain instead of a text to your phone.
  10. Keep software up-to-date. This is especially important for both your operating system and your browsers. Major PC OS vendors like Microsoft and Apple issue regular security updates once a week or month. Phone vendors like Google do likewise, although updates depend greatly on both your phone manufacturer and your service provider. I know, it’s crazy, but it’s true. Android phones are frequently out of date and cannot be updated for no good reason. This is one advantage of an Apple or Nexus device – frequent OS updates. Watch Adobe too – the Flash engine is a common attack surface.
  11. Get rid of old hardware that can’t be updated. Old phones, old computers running insecure operating systems, etc. It’s all more dangerous than it’s worth. How old – simple, if it isn’t supported with regular security updates, it’s time to junk it. I know you think you’re saving money, but the cost of a hack is bigger, not to mention the time you spend keeping old hardware running. And yes, there are all kinds of tech geeks that can keep stuff running forever. That’s fine as long as they’ve made sure it’s secure. When in doubt, throw it out. (Like in politics.)
  12. Avoid websites that don’t support secure connections. This means look for “https” instead of just “http” in the URL. Plus depending on your browser you should see some kind of lock that indicates a secure connection. Facebook had this problem for way too long, and what it means is that although you need a password to login, your password is sent over the internet unencrypted, just waiting for that pimply kid across the table at Starbucks to steal it. For a list of sites that you’d think are secure but aren’t, check the HTTP Shaming blog.
  13. Use a prepaid credit card for internet purchases. Come to think of it, that’s not a bad idea for gas pumps and restaurants either. You can get a “credit card” that you can reload at any grocery or convenience store. T-mobile has one that is particularly nice because it has no reload or monthly fees. The prepaid card severely limits your exposure in a breach, and it’s easy for you to walk away from by just getting a new one. They can’t take more out of it than you have sitting on it.
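To put numbers behind tip 6 (length beats character classes), here is an added example that is not part of the original post: it computes the search space and entropy for a few password policies and the worst-case time to exhaust them at an assumed guess rate (the 1e11 guesses/second figure is a constructed assumption for illustration, not a measured value).

```python
"""Compare password search space by length vs. character classes.

Added example (not from the original post). The guess rate used below is
an assumed, constructed figure chosen only to make the comparison concrete.
"""
import math
import string

# Character-class sizes derived from the ASCII printable set.
LOWER = len(string.ascii_lowercase)   # 26
UPPER = len(string.ascii_uppercase)   # 26
DIGITS = len(string.digits)           # 10
SYMBOLS = len(string.punctuation)     # 32


def charset_size(lower=True, upper=False, digits=False, symbols=False):
    """Size of the alphabet an attacker must cover for a given policy."""
    return LOWER * lower + UPPER * upper + DIGITS * digits + SYMBOLS * symbols


def entropy_bits(length, alphabet):
    """Bits of entropy for a uniformly random password over `alphabet`."""
    return length * math.log2(alphabet)


def years_to_exhaust(length, alphabet, guesses_per_second):
    """Worst-case time to try every candidate at the assumed guess rate."""
    seconds = alphabet ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_policies(guesses_per_second=1e11):
    """Return {policy name: (entropy in bits, years to exhaust)}."""
    all_classes = charset_size(True, True, True, True)  # 94 characters
    policies = {
        "8 chars, all classes": (8, all_classes),
        "12 chars, lowercase": (12, charset_size()),
        "16 chars, lowercase": (16, charset_size()),
        "16 chars, all classes": (16, all_classes),
    }
    return {
        name: (round(entropy_bits(n, a), 1), years_to_exhaust(n, a, guesses_per_second))
        for name, (n, a) in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:22s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

At the assumed rate, the 8-character "all classes" password falls in under a day while 16 lowercase letters take thousands of years; the rate is an assumption, but the ordering is what the tip is about.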

If you’ve got more tips, let me know and I’ll add them to the list. In the meantime, keep safe.


Open Source Security Webinar

Don’t tell me, I don’t want to know!

I’m doing a webinar on open source security with Parasoft and my friends at Protecode about how to make sure that the open source you’re including in your application is secure. It seems like some people want to take the attitude of “don’t tell me, I don’t want to know what can happen”.

The truth is that open source has the same kinds of vulnerabilities that your own source code does. Does this mean that you should avoid it? Of course not. Join the webinar and we’ll explain in detail how to make sure you’ve got the latest patches, how to make use of the National Vulnerability Database from the US government, and how to make sure that there are no other vulnerabilities lurking in the code you rely on.

We’re holding a couple of sessions, so you should be able to join no matter what timezone you’re in. Sign up for free. Hope to see you there.

When: Wednesday June 18th 2014 at 9am EDT, 6:30pm IST (India), 3:00pm CET (Central Europe), 2:00pm (UK)
Repeat: Wednesday June 18th 2014 at 2pm EDT, 11:00am PDT

Static Analysis Webinars: AppSec and Prevention

Wednesday October 30th I’m doing the third part in the appsec static analysis webinar series for Parasoft. The topic for this session is “Strategies for Optimizing Application Security and Defect Prevention”. You can join for free online on Wednesday, October 30, 2013 10:00 AM – 10:30 AM PDT. Don’t forget to register here.

Your application security (appsec) and defect prevention strategy is either a liability or a competitive advantage. Even if you are seeing a good ROI from your static analysis implementation, exploring strategies for optimizing application security and defect prevention is still essential for ensuring lowered risk, increased productivity, and brand protection.

In this webinar, I will discuss how organizations can take a proactive approach to securing their applications with a comprehensive tool set that will help development managers and stakeholders sleep better.

I look forward to seeing you there.

Webinar: Getting ROI from Static Analysis

Next week I’m doing a static analysis webinar for Parasoft about “Getting More ROI from Static Analysis” on Tuesday October 15th at 10:00 AM Pacific. What I’ve been seeing is that a lot of people either don’t know how to determine the value they’re getting from static code analysis, or aren’t actually getting the value they need.
I’ll talk about some ways to make sure that you can maximize the value as well as measure it. It’s 30 minutes and free as always. Join us.

A lack of time, resources, or training often makes getting beyond basic static analysis implementations difficult. Development managers and stakeholders may not even realize that their current static analysis configurations are leaving a wealth of untapped risk-reducing options on the table, which may lead to abandoning the critical software quality practice.

In this webinar, Parasoft Static Analysis Expert Arthur Hicken will discuss tips and tricks for getting more value from your static analysis. Drawing from his 20+ years of field experience, Arthur aka CodeCurmudgeon will offer advice on using policy to connect static analysis to your business needs at the process level, which ensures that you get a better return on your static code analysis investment, while avoiding common pitfalls.

[Update – even if you missed this webinar you can still watch the recording by going to the registration link.]