Sep 27, 2012

PINS are simply 'weak passwords'

I recently listened to a security webcast on threats from Mandiant. One of the presenters described PINs as 'weak passwords'. I found this to be an accurate description, and it has prompted me to add my two cents in this blog entry.

Let's take a look at a 4-digit PIN. It has 10,000 combinations, which sounds like a lot. In reality, running through that many guesses is nothing with today's computing power if nothing throttles the attempts. It is even easier to guess a user's PIN without going through all of them, because users are likely to make simple choices. Various studies have shown that users pick combinations such as 1234, 1111, 0000, 1212, 7777, etc. One study found that the 20 most common PINs accounted for 26.83% of all PINs in the sample; if users' choices were uniformly distributed, those 20 would account for only 0.2% (20 out of 10,000). Any reasonable brute-force attempt will try the more likely combinations first, so the number of guesses an attacker actually needs is far below 10,000. Even in the best case, a uniformly random 4-digit PIN carries only about 13.3 bits of entropy (log2 of 10,000) and a 6-digit PIN about 19.9 bits; skewed user choices push the effective figure far lower. This is a major risk with PINs, especially when a PIN is the key mechanism protecting important information assets and the verifier does not lock out or rate-limit wrong guesses. As a result, PINs are simply 'weak passwords' when used by themselves.
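To put numbers on the argument above, here is an added Python example (not from the original post, the webcast, or the study it cites). It compares the uniform 4- and 6-digit PIN spaces with a constructed, deliberately skewed sample of 100 PINs and shows what a frequency-ordered guessing attack gains over random guessing, including how many users fall before a 5-try lockout. The sample, the 7919 multiplier used to generate filler PINs, and the lockout threshold are all assumptions made for the illustration.

```python
"""Added example: why a skewed PIN distribution collapses a 10,000-way search.

The sample below is CONSTRUCTED for illustration and is not real user data;
it only mimics the shape of published surveys (a few PINs dominate).
"""
import math
from collections import Counter

DIGITS = 4
SPACE = 10 ** DIGITS


def build_sample():
    """Constructed 100-PIN sample: four popular PINs plus 80 distinct filler
    PINs generated arithmetically (no randomness, so the numbers repeat)."""
    pins = ["1234"] * 10 + ["1111"] * 5 + ["0000"] * 3 + ["1212"] * 2
    popular = set(pins)
    fillers = []
    i = 1
    while len(fillers) < 80:
        candidate = f"{(i * 7919) % SPACE:0{DIGITS}d}"  # 7919 is coprime to 10**4
        if candidate not in popular and candidate not in fillers:
            fillers.append(candidate)
        i += 1
    return pins + fillers


def uniform_entropy_bits(digits):
    """Best case: every PIN equally likely."""
    return math.log2(10 ** digits)


def shannon_entropy_bits(pins):
    """Entropy of the observed distribution; lower means more predictable."""
    counts = Counter(pins)
    total = len(pins)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def guess_order(pins):
    """Attacker's guess list: observed PINs by frequency (ties by value),
    then every remaining PIN in numeric order."""
    counts = Counter(pins)
    seen = sorted(counts, key=lambda p: (-counts[p], p))
    seen_set = set(seen)
    rest = [f"{n:0{DIGITS}d}" for n in range(SPACE)]
    return seen + [p for p in rest if p not in seen_set]


def guesses_needed(target, order):
    """1-based position of target in the guess list."""
    return order.index(target) + 1


def expected_guesses(pins, order):
    """Average guesses to crack a victim drawn from the sample distribution."""
    counts = Counter(pins)
    total = len(pins)
    pos = {p: i + 1 for i, p in enumerate(order)}
    return sum(counts[p] / total * pos[p] for p in counts)


def success_within(pins, order, attempts):
    """Fraction of sampled users cracked before a lockout after `attempts` tries."""
    counts = Counter(pins)
    allowed = set(order[:attempts])
    return sum(counts[p] for p in counts if p in allowed) / len(pins)


if __name__ == "__main__":
    sample = build_sample()
    order = guess_order(sample)
    print(f"uniform 4-digit entropy:   {uniform_entropy_bits(4):.1f} bits")
    print(f"uniform 6-digit entropy:   {uniform_entropy_bits(6):.1f} bits")
    print(f"observed sample entropy:   {shannon_entropy_bits(sample):.1f} bits")
    print(f"expected guesses, uniform: {(SPACE + 1) / 2:.1f}")
    print(f"expected guesses, ordered: {expected_guesses(sample, order):.1f}")
    print(f"cracked within 5 tries:    {success_within(sample, order, 5):.0%}"
          f" vs {5 / SPACE:.2%} for uniform PINs")
```

Against this sample the ordered attacker needs about 36 guesses on average instead of roughly 5,000, and a 5-try lockout still lets 21% of the sampled users be cracked on the first lockout window. The same computation with a real-world PIN frequency table is how an attacker would size the risk; the defence is to make those first few guesses the only ones the attacker ever gets.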

PINs are simple and easy to use. Organizations need to keep authentication simple for users because it makes business technology easy to consume. In doing so, ease of use and digital security concerns must be adequately balanced. Digital security threats are real. PINs should be avoided where possible. Taking the PIN route for the sake of simplicity is the equivalent of giving users the choice to make poor decisions, if the PIN is the main mechanism protecting important information assets and there are inadequate compensating controls. Compensating controls that change the picture include a lockout or escalating delay after a few wrong guesses, a retry counter enforced in hardware (as a smart card does), and pairing the PIN with something the user possesses so that the PIN alone unlocks nothing.

I recommend that organizations strive to deliver easy-to-use but 'secure' solutions.

Mar 4, 2012

Security Guide: Phishing

I found this funny but educational Symantec video on phishing. It is a good watch. It teaches the basics of how to handle phishing threats. Enjoy!

Jan 6, 2012

APT infection through vulnerability in HP printers

Advanced Persistent Threat (APT) became a keyword in the IT vocabulary of several organizations in 2011. Trends indicate that this type of attack will increase in 2012 and subsequent years.

Most APT attacks have been initiated through spear-phishing emails that let the attacker gain control of a computer by executing code delivered in the email or its attachment. What if the malware is instead carried in a Word or PDF document as part of the normal print job? Researchers from Columbia University have shown that this is technically possible using known vulnerabilities in HP printers. Here is a list of the affected printers. Watch this hour-long video to get the gist of the attack and how little you can do about it. Ang Cui does a good job.

The Columbia University presentation is located here.
The attack process based on the Columbia University research is pretty neat. It goes as follows:

  1. Embed a malicious Remote Firmware Update (RFU) in a document. An HR resume is a good candidate since HR typically prints out resumes.
  2. An HR staff member sends the resume to the printer so that he or she can hand it to the recruiting manager.
  3. The printer prints the resume and notices that the job contains an instruction to process the RFU. It switches to the firmware-update language (ACL), accepts the update without verifying a signature on it, and runs the attacker's firmware.
  4. The malware can be designed to initiate a reverse connection to the attacker, who can then use the printer as a foothold to spread laterally through the organization's network.

How can organizations mitigate this attack? There is no silver bullet, and the attack described in the video is genuinely hard to prevent. Some common-sense (or not so common-sense) things to do include:

  1. Run up-to-date anti-virus software on all computers.
  2. Patch your systems: operating systems, applications, network devices and printers.
  3. Perform continuous monitoring of key network infrastructure and systems, printers included.
  4. Lock down your printers. Disable RFU if you do not need it, and restrict network access to the printers' raw print ports.
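One monitoring control that follows from the attack steps above is to inspect print jobs for the PJL command that switches a printer into its firmware loader before the job reaches the device. The Python below is an added example, not code from the original post or from the Columbia researchers: it parses the @PJL commands out of a raw print-job stream and flags a switch into the ACL firmware language or an UPGRADE command. The two sample jobs are constructed inline; the watch list of firmware-related keywords and the idea of running this on a spooler copy of the job or a tap on the raw print port are assumptions for the illustration, not a complete signature set.

```python
"""Added example: flag print jobs that carry a PJL firmware-update switch.

The sample jobs are CONSTRUCTED; the watch lists are assumptions and are
not an exhaustive catalogue of firmware-update mechanisms.
"""
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language: starts each PJL section

# Assumed watch lists: interpreter names and commands used to load firmware.
FIRMWARE_LANGUAGES = {"ACL"}
FIRMWARE_COMMANDS = {"UPGRADE"}

# One @PJL line: the command word, then the rest of the line as arguments.
PJL_LINE = re.compile(rb"@PJL[ \t]*([A-Z]*)([^\r\n]*)")
# KEY=VALUE pairs; VALUE is either a quoted string or a run of non-blanks.
PJL_ARG = re.compile(rb"([A-Z]+)\s*=\s*(\"[^\"]*\"|\S+)")


def pjl_commands(job):
    """Yield (offset, command, args) for every @PJL line in the job bytes."""
    for m in PJL_LINE.finditer(job):
        cmd = m.group(1).decode("ascii", "replace")
        args = {}
        for key, value in PJL_ARG.findall(m.group(2)):
            args[key.decode("ascii", "replace")] = (
                value.decode("ascii", "replace").strip('"'))
        yield m.start(), cmd, args


def scan_job(job):
    """Return a list of (offset, reason) findings for firmware-update activity."""
    findings = []
    for offset, cmd, args in pjl_commands(job):
        language = args.get("LANGUAGE", "").upper()
        if cmd == "ENTER" and language in FIRMWARE_LANGUAGES:
            findings.append(
                (offset, f"ENTER LANGUAGE={language}: switch into firmware loader"))
        elif cmd in FIRMWARE_COMMANDS:
            findings.append((offset, f"{cmd}: firmware update request"))
    return findings


def is_suspicious(job):
    """True if the job should be held for review instead of sent to the printer."""
    return bool(scan_job(job))


# Constructed benign job: PJL header, PCL page data, PJL trailer.
BENIGN_JOB = (
    UEL + b'@PJL JOB NAME="resume.pdf"\r\n'
    + b"@PJL SET COPIES=1\r\n"
    + b"@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE...page data...\x1bE"
    + UEL + b"@PJL EOJ\r\n" + UEL
)

# Constructed trojaned job: same resume, but after the page data it re-enters
# PJL and switches the printer into the ACL firmware loader, where a firmware
# image would follow.
TROJAN_JOB = (
    UEL + b'@PJL JOB NAME="resume.pdf"\r\n'
    + b"@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE...page data...\x1bE"
    + UEL + b"@PJL ENTER LANGUAGE=ACL\r\n"
    + b"<firmware image bytes would follow here>"
    + UEL
)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("trojan", TROJAN_JOB)):
        print(name, "->", scan_job(job) or "clean")
```

A production version would also record which user submitted the job and which printer it targeted, so that a hit can be traced back to the document that carried the update rather than only to the device that ran it.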

Oct 2, 2010

It is the new now

Take the time to watch this video, which I found on YouTube, and spend some time reflecting on it. It describes the changing ways in which information is disseminated and consumed. It is not just about is the new now!

Sep 20, 2010

Reliable corporate email for $10 or less

Several organizations have experienced tough times over the past twenty months. The economic downturn has taken its toll on organizations: sales have declined, profits have dropped, and times have been challenging. Small organizations have felt the brunt of the downturn. Businesses are trying to reduce operating costs, make their business processes more efficient, and at the same time focus on their core competencies.

For several organizations, information technology ("IT") is not the reason for their existence. They do not want to worry about the daily hassles of running their IT infrastructure. I have heard business owners and C-suite executives complain about the burden of maintaining their IT infrastructure. This includes the cost of buying and maintaining servers and software. Other complaints include the need for business continuity, redundancy for key IT systems, hiring IT personnel with the appropriate skills to maintain the environment, and trusting their IT staff to be ethical. Quite a list, eh?

Changing the delivery model for some of these IT services can help reduce these complaints. A good candidate for many small organizations is email. Rather than maintain your own email and calendaring systems in-house, organizations can move to a service oriented model that is provided by companies whose core business is IT.

Today you can get 99.9% guaranteed availability, spam and virus filtering, and access from virtually anywhere for as low as $10 a month per staff member. This includes full management of your email service, including setup, configuration, provisioning, upgrades and maintenance. You and your staff can access your email via Microsoft Outlook on a desktop or laptop, on a smartphone, and from any device that has a web browser. Business continuity, privacy, redundancy and security are also part of the package; read the provider's service agreement to confirm exactly what is guaranteed, since moving email out of the building moves the operational burden but not your accountability for the data. It frees you and your staff to focus on your organization's core strategic initiatives.

For a 20 person organization, annual cost for email and calendaring service can be $2,400 or less. This is a way better deal than paying over $10,000 for less service. It is something worth considering.

Jun 9, 2010

iPad for business

Love Apple or hate the company, one must admit that its products are functional, practical, easy to use and definitely stylish. Apple is cool.

A few weeks back, Apple launched the iPad. Like many people, I had initially considered the iPad to be "just a large iPhone without the phone". However, I had a change of mind after playing around with one at the Apple Store in Seattle. Yes, it is an iPhone without the phone component, but the 9.7" display makes it a more purposeful tool for a variety of activities. The iPad has potential business use, and that is what I will be talking about in this blog entry. Oh, talking about Apple, their new iPhone 4 is so tempting that I have decided to dump my boring Blackberry and move to the iPhone 4 as soon as it becomes available in Canada. It presents way more potential than the Blackberry. For me, the Blackberry device is very yesterday.

Organizations are beginning to see potential business use for the iPad. I am aware of a few Calgary-based oil and gas corporations that are in the process of evaluating the iPad's potential as a business tool. There have also been reports in the media about organizations in Asia and the United States that are considering the iPad for business use. For some business types, the iPad is a sine qua non, a must-have. For some corporate executives, it has the potential to be a laptop replacement. For others, maybe it will just be a nice-to-have.

The iPad can be a laptop replacement for corporate and sales executives who need a mobile device to read and send email, connect to the corporate network remotely, browse the web when on the road, and watch some YouTube or iTunes movies when relaxing in their hotel rooms or waiting to catch a flight. 3G versions of the iPad also give users always-on network connectivity. The iPad can also be used for brainstorming exercises, making presentations and taking notes at meetings, as well as serving as a whiteboard. It is ultra-portable; it brings computing to your fingertips. Security on the iPad is as well thought out as on most laptops: remote wipe, data encryption, secure network communication, etc. For this category of users, the total cost of ownership of an iPad is significantly lower than that of a traditional laptop. It can provide organizations with significant cost savings, something in the neighbourhood of 25% to 40%.

Technology providers have released applications for the iPad that allow business users to perform activities that were previously done on laptops and PCs. For example, Citrix Receiver makes it possible for users to take a virtual office with them anywhere they go by providing secure access to all of their corporate applications and documents. Cisco's VPN software allows businesses to extend their corporate network to the iPad user. Penultimate exists for note taking. iWork, Apple's equivalent of Microsoft Office, also exists for the iPad.

The iPad is also the perfect tool for florists, interior decorators, photographers and videographers. It provides an awesome ultra-portable platform for these businesses to display their work to clients. Graphics on the screen are brilliant, crisp and vivid. Pictures actually appear to look better on the iPad than they do when printed. The first website that I checked on the iPad was my photography blog and, boy, what I saw wowed me. The images were as good as what my Apple MacBook Pro would render.

Other users of the iPad include doctors as they move from one patient room to another, and teachers who will use the iPad as they lecture. Politicians are also liking, um, actually loving, the iPad. The Globe and Mail recently published a story about Stockwell Day, a Canadian MP, loving his iPad.

Technology in the business place is starting to change. Traditional business tools will give way to the new computing platform. The technology landscape at work will be very different in the next 5 years from what it is today. Corporate organizations need to become ready for this change. The iPad is the start of this revolution.