Sunday, 25 January 2015

5 Ways to Protect Your Password

The below mentioned methods & procedure are basic ways to protect your password against being stolen by hawkers.

1.Golden rule: Never share your passwords

First and foremost thing, even a present generation kid would advise others when it comes to ways to protect your password is not to share them with anybody. A user credential/password is for a particular users and it must be personal at any cost. What is the use of letting it known to others! It would have been better without passwords than sharing passwords. Even if you have to show them an email for a discussion, just forward them the email or provide a hard copy of the email. Sharing password will make you equally liable for any mischief done by others. So remember the golden rule. “Never share your password”. Even you may share a good relationship with others or it might be a family member; it is ill-advised to share user credentials.
You might ask “What’s problem with my wife? She won’t turn against me.” It is not about the veracity of your family members. But what precautions they follow will compromise your password with someone ignorantly. What if your family members respond to a spam emails which likely appears to be from your banker asking you to reset your login credential from the below mentioned link in that email stating a reason that a someone tried to open your account with wrong email address? Not everybody from your family will understand the difference between spam and real banking emails. Your banking password will end up with the fraudster who tricked your wife or children to login to the fake site which logged your login credentials. Even though many organization campaign against such fraudsters still many fall to the trap of such spam emails. They social engineered your family to give away your banking password in this circumstance. The above scenario might make you think how vulnerable you are when you share your password with others.

2. Don’t keep a simple password

The next most common vulnerability is nature of your password. Most user computer passwords are vulnerable to cracking or password recovery tools. Users ignorant of need of strong passwords usually keep the password short. The advantage of short passwords is easy to remember but at the expense of security. Almost all passwords are guessable due to weak password. Many of us use just our name along with birth year as password. For instance, your name is Mary and date of birth is 14th January 1981. Then the person who tries to steal your password has vital lead to crack your password. Just a word-merge website will create all possible combinations. Sadly, one among that combination will be your user password. A fully automated software will complete the whole operation is no time. So, don’t make your password guessable. Any combinations of your name, family-name, date of birth, pet name, school, college, university, and your work are easy to steal.
Your password strength highly depends on how difficult to guess it. Try to add symbols & numerals. Keep a good length to the password you create. Just a four letters password even with symbols &numerals are walk in the park for the password hawkers. Try to create a lengthy password. A standard would be to create a 15 letter password. Most casual hacker who doesn’t invest in serious hacking will relent with your 14th letter.

3. Never say password in phone calls/text messages/emails

The easiest trick is to make you give away your username and password is simple. Just call your phone number and ask for it. You will provide it without hesitation. Anyone can call your phone number and claim that he is a customer care executive of internet service provider or as a desktop customer care executive who is going to run official update to your devices. They request for the username and password so that they can finish the job from remote place.
Sometimes, when you hesitate to provide username and password, they will insist on visiting your home to install those fake updates on-site. Even though, you may not provide them the password when they visit your home, they will install the update on your system and go away. But the update would be nothing but a key-logger or malware to spook your security. Either way, they gain access to devices with or without your password. It would be always wise to check the identity who visits your home.
As a rule of thumb, don’t provide your password through phone calls or text messages to anyone. If the person calling insists on visiting your home, just call the official customer care help-line to confirm it from the company. Know the name, designation and purpose of the visit of executive if the company actually sends someone to fix the problem. Never leave him alone with your computers and network hardware. Don’t hesitate to question him about his business with your hardware. Know everything technical that you need to know from that executive since they will always demand administrative privileges to your hardware.

4. Spam links

Spamming, old school method of getting user credentials from others. Despite spam filters, we may find unwanted links finding its way to inbox. The most common way is the hawker would send email to all email contacts found on forum we use regularly. Not only they advertise products and services but also try to steal critical information about your computers. All the will do is run a browser script to fish information out of your system. Some trick you to enter your password with phrase “Login with Google”. Don’t fall for the trap. Even though with advanced tech, spam were reduced to ground. Compared to 50 to 100 emails per day, we started receiving a maximum of 10 per month. Still, the possible to get your password through spams are high.  The old school lesson is not to follow spams unless you know who sent it.

Did You Know: Spams too contribute Global warming!

5. Don’t save passwords in text files

Alright, now you might question, “A password which is difficult to guess is difficult to remember. So what to do”? A simple solution that might tick in your creativity is to store password in file. Please, don’t follow this method. It is most vulnerable method to store the passwords.  The most common mistake is to store password in password protected excel sheets which are cracked opened in no time. Next worse mistake will be writing down in sticky notes and placing it near desktop. If you decide to write down passwords, write down and keep it in safe location.
The best method is to use a password manager which stores login credentials securely. For anybody, who feel cost involved in the password manager, they can opt for open source password managers. But download the password managers only from trusted sources, especially with open source password managers. Don’t feel lazy to check md5 and checksum of the download file with the official websites of the open source password manager. Md5 and checksum ensure that source package is trustable and does not contain any harmful injected codes.

The methods provided above are basic steps that one must follow to keep oneself secure. There are further steps involved to completely secure your systems from attacks which you can follow future blogpost.


Subscribe via email or follow on twitter for updates.

Saturday, 24 January 2015

Tutorial: Use Google Doc Offline

Requirement:
The following are the basic requirements to setup Google Doc offline.
·        Latest Chrome Browser
·        Google Account
·        New Google drive Chrome App
·        Minimum of 5 GB HDD Storage space(Recommended)

Step 1: Open your Google Chrome web browser. Type “drive.google.com” in the address bar. It will open the Google Drive. Login with your Google account.


Step 2:  Now on the right side of the screen, select “settings” as shows above. On the pop up screen, select “Sync Google Docs, Sheets, Slides & Drawings flies to this computer…” as shown in the below fig. Select Done! Now you can get a system tray notification for Google Drive.

Step 3: To test it go offline, Open your Chrome web browser. Select Google Drive icon from the Chrome web browser. And try to edit or create any Google doc. It should save offline.

That’s it! Google Docs offline setup completed. Whenever your computer connects to internet the documents created or edited offline will save or update automatically to your Google Drive.

Subscribe via Email or follow on Twitter for updates.


Friday, 23 January 2015

Infosec: 5 Ways to protect your passwords

The below mentioned methods & procedure are basic ways to protect your password against being stolen by hawkers.
5 Ways to protect your passwords:

1.     Golden rule: Never share your passwords

First and foremost thing, even a present generation kid would advise others when it comes to password are not to share them with anybody. A user credential is for a particular users and it must be personal at any cost. What is the use of letting it known to others! It would have been better without passwords than sharing passwords. Even if you have to show them an email for a discussion, just forward them the email or provide a hard copy of the email. Sharing password will make you equally liable for any mischief done by others. So remember the golden rule. “Never share your password”. Even you may share a good relationship with others or it might be a family member; it is ill-advised to share user credentials.

You might ask “What’s problem with my wife? She won’t turn against me.” It is not about the veracity of your family members. But what precautions they follow will compromise your password with someone ignorantly. What if your family members respond to a spam emails which likely appears to be from your banker asking you to reset your login credential from the below mentioned link in that email stating a reason that a someone tried to open your account with wrong email address? Not everybody from your family will understand the difference between spam and real banking emails. Your banking password will end up with the fraudster who tricked your wife or children to login to the fake site which logged your login credentials. Even though many organization campaign against such fraudsters still many fall to the trap of such spam emails. They social engineered your family to give away your banking password in this circumstance. The above scenario might make you think how vulnerable you are when you share your password with others.

2.     Don’t keep a simple password

The next most common vulnerability is nature of your password. Most user computer passwords are vulnerable to cracking or password recovery tools. Users ignorant of need of strong passwords usually keep the password short. The advantage of short passwords is easy to remember but at the expense of security. Almost all passwords are guessable due to weak password. Many of us use just our name along with birth year as password. For instance, your name is Mary and date of birth is 14th January 1981. Then the person who tries to steal your password has vital lead to crack your password. Just a word-merge website will create all possible combinations. Sadly, one among that combination will be your user password. A fully automated software will complete the whole operation is no time. So, don’t make your password guessable. Any combinations of your name, family-name, date of birth, pet name, school, college, university, and your work are easy to steal.

Your password strength highly depends on how difficult to guess it. Try to add symbols & numerals. Keep a good length to the password you create. Just a four letters password even with symbols &numerals are walk in the park for the password hawkers. Try to create a lengthy password. A standard would be to create a 15 letter password. Most casual hacker who doesn’t invest in serious hacking will relent with your 14th letter.

3.     Never say password in phone calls/text messages/emails

The easiest trick is to make you give away your username and password is simple. Just call your phone number and ask for it. You will provide it without hesitation. Anyone can call your phone number and claim that he is a customer care executive of internet service provider or as a desktop customer care executive who is going to run official update to your devices. They request for the username and password so that they can finish the job from remote place.

Sometimes, when you hesitate to provide username and password, they will insist on visiting your home to install those fake updates on-site. Even though, you may not provide them the password when they visit your home, they will install the update on your system and go away. But the update would be nothing but a key-logger or malware to spook your security. Either way, they gain access to devices with or without your password. It would be always wise to check the identity who visits your home.

As a rule of thumb, don’t provide your password through phone calls or text messages to anyone. If the person calling insists on visiting your home, just call the official customer care help-line to confirm it from the company. Know the name, designation and purpose of the visit of executive if the company actually sends someone to fix the problem. Never leave him alone with your computers and network hardware. Don’t hesitate to question him about his business with your hardware. Know everything technical that you need to know from that executive since they will always demand administrative privileges to your hardware.

4.     Spam links

Spamming, old school method of getting user credentials from others. Despite spam filters, we may find unwanted links finding its way to inbox. The most common way is the hawker would send email to all email contacts found on forum we use regularly. Not only they advertise products and services but also try to steal critical information about your computers. All the will do is run a browser script to fish information out of your system. Some trick you to enter your password with phrase “Login with Google”. Don’t fall for the trap. Even though with advanced tech, spam were reduced to ground. Compared to 50 to 100 emails per day, we started receiving a maximum of 10 per month. Still, the possibility to get your password through spams are high.  The old school lesson is not to follow spams unless you know who sent it.
DYK: Spams too contribute Global warming.

5.     Don’t save passwords in text files

Alright, now you might question, “A password which is difficult to guess is difficult to remember. So what to do”? A simple solution that might tick in your creativity is to store password in file. Please, don’t follow this method. It is most vulnerable method to store the passwords.  The most common mistake is to store password in password protected excel sheets which are cracked opened in no time. Next worse mistake will be writing down in sticky notes and placing it near desktop. If you decide to write down passwords, write down and keep it in safe location.

The best method is to use a password manager which stores login credentials securely. For anybody, who feel cost involved in the password manager, they can opt for open source password managers. But download the password managers only from trusted sources, especially with open source password managers. Don’t feel lazy to check md5 and checksum of the download file with the official websites of the open source password manager. Md5 and checksum ensure that source package is trustable and does not contain any harmful injected codes.

The methods provided above are basic steps that one must follow to keep oneself secure. There are further steps involved to completely secure your systems from attacks which you can follow future blogpost.


Subscribe via email or follow on twitter for updates.

Saturday, 17 January 2015

Infosec: Insiders Job

Your security systems assume programmed logic and programmed decisions unlike humans. How good may be your security infrastructure, you don't meet the ends of security unless you educate your employees about your security policy. Whenever, news breaks open that reputed company systems are hacked, you would wonder how attackers did that?! There exists a high probable chance of insider job behind these attacks. "The attackers gained access to database server!" Now the question is how did they get the password? How did they get to know about the security systems in place inside the company?  How good are the small & medium companies when securing information?

Now, think who gave those passwords. It would be none other than who knows it, your employee. Not every employee would ends up providing passwords to the attackers. A disgruntled employee who started envying his boss will provide passwords for 95% of chances. Not only passwords but also the how good the physical security elements are in place! So how do far could you trust your employees when it comes to information security? Almost all employees will be discontent at some point. So it's up to your Information Technology team to decide how to handle critical business information.

Classified Assets:

A common phenomenon would be is to classify employees based on the importance of the work. Example, we can classify then as critical and non-critical assets. Critical assets are employees who work on classified information. A unique security guideline including social interactions when it comes to business must be placed. And liability for non-compliance of guidelines. A Unique password for each critical asset to interact with critical information. Avoid common security credentials for all employees. Providing unique security credentials will help in identifying the mole in the organization.

Firewall, Filters:

Also it is well advised to place good firewall, email filters policies to avoid data being sniffed out of your company. It may sound like old-school methods of securing information. But it is wise to invest on firewall to know the type of traffic and request which were turned down by your servers. They help in identifying the possible methods and protocols attackers trying to explore with your information infrastructure. 

When it comes to email filters, huge cry would be infringement on privacy of your employees. Most of them envy email filters as it will not spare even personal emails. But you will not regret placing such filters to identify what kinds of information are sent to outsiders from employee desk. Consider, an employee emails a spreadsheet which has crucial information about the business target of present fiscal year. If no filters were in place, respecting the privacy of the workers, then you will face a huge public embarrassment. Email filters will block such emails which are crucial to your business. Even the person states that he will work on the data from home. The company must take serious decision especially on "weather the person need that data? And what he is trying to do with that? Do he really have any useful business with the data?" A rational decision would save the day for your company future. For information security is all about being proactive. Once, the information goes out of company LAN then in no way you would be able to recover it.

Actually placing a working email filter is not spying technically. Educate your employees about the email filters and discourage them to use personal emails during work hours. This would be commendable as those using personal emails have high potential to infect the company networks with malwares and spywares.

Storage Policies:
Now, the way through email was blocked. Next best method for grabbing crucial information is through portable storage devices. Most common is Pen drive and USB sticks. First, question yourself, who need access to the USB and why do they need them? Not all employees need access to store information to a USB sticks. So create a storage policy that prohibits usage of external storage devices. But a general ban on USB external storage will hurt some business very bad.

So those systems through which external storage devices could be accessed must have record of people who use them. The activity log must be collected to analysis for any activity against the company policies. 

Assessments:

Last but not the least, test the integrity. You must conduct periodic test against your information infrastructure, especially, on the social interaction front of critical assets. Hire security experts and create a plan for the attack emulation. Work with experts and test against your assets and infrastructure. Find the vulnerabilities before the attackers get head-start. Find out how easy for outsiders to get information about your company.
Analyze your vulnerabilities and educate your employees about the importance of the role they play. Assess them periodically and under pressure. One who keeps up with the change will win the race. Don't relent and be complacent with information security. Being in the information era, investing in information security infrastructure worth every penny.


Friday, 16 January 2015

Infosec: Waste Paper & Document management

Is your company invest heavily on Information Security? But still you find leaked critical information out of your database! Despite your investments and firewall, crackers play havoc on your business? Now, its time to think how you manage files and documents that are be disposed.

Welcome people, its time to manage your method of disposing waste paper that might contain potential information. A dedicated hacker(cracker) will not relent until he made it through your information security systems. The potential information about your infrastructure and security might end up in trash one day. Example, think about your customer database printout which were used for business analysis finds place in trash. Bravo! the attacker who sniffs for a breakthrough around your company might find this treasure. Unfortunately, you comprise your customer identity. The attacker would make good money out of the information from your trash at loss of your business.

The above illustration is just a tip of the iceberg. Think about copy of your security blueprints leading to server, hand written passwords, placement of security elements, contractors hired by you, employee details, etc in your trash. So don't neglect the safe disposal guideline to manage the waste. The best solution is to create a security policy for your company and educate all employees about the importance of waste management. Especially for the people who have hands on critical information. Any lapse will cost the company future.

Most effective way to prevent attack is to use a shredder. But not a normal shredder. Install a cross shredder so that the information on the papers shredded is unrecoverable. A dedicated attacker will not stop even after finding paper bits in the trash can. An hour or two  and a tape are enough to get the pieces of paper together. It might find crazy at first. But its always better to prepare for the worst. So install a cross shredder and make your company security policy strictly enforce  cross shredding all the papers, especially of the critical assets.

Even if you have contract with incinerating facilities, it is well advised to cross shred the documents and papers before loading it for transport. Trust no outsiders when it comes to information security. So make sure your security policy reflect this practice.

Keysweeper: USB Charger which can decrypt Wireless Keyboard Information


Wireless Keyboard
Samy Kamkar, Poland based security researcher, released a device which can sniff, decrypt, log and reprot back keystrokes for wireless keyboards. The device resembles a large USB wall charger and it tracks everything you type on wireless keyboard.

The device Keysweeper could record everything and capable of sending text message to the hacker if certain key combinations are pressed. The device is fitted with internal battery for recording keystrokes even if it is unplugged from wall plug.

The device is capable of recording from 20 feet. The most vulnerable wireless keyboards are from Microsoft. The test were conducted on Microsoft keyboards. The device is capable of sending alert to the attacker if certain keywords are used. Example: icici, boi, etc. As the device simply looks like USB charger, it may turn as a potential device to spy on anybody. Most important is the device is not for sale.

source: DNA