April 2014

Well that didn’t take long. We didn’t make it out of April and there is already a serious vulnerability that won’t be patched for Windows XP – a serious Internet Explorer flaw. US-CERT, a division of the Department of Homeland Security, has advised US citizens to stop using Internet Explorer until it is fixed, as they could find no practical workaround.

I try to be neutral about such things, but I gave up Internet Explorer long ago for Google Chrome. It’s faster and more stable, and I wouldn’t go back for anything. There are very few sites that won’t work with Chrome so I recommend you check it out.

It’s been a busy month as I also sent out an advisory a couple of weeks ago about the Heartbleed vulnerability which affected secure websites.

With Heartbleed, it’s important to note that there have still been no confirmed instances where the vulnerability was successfully exploited, so while a very serious issue, it seems maybe it was caught before real damage was done. However, there are two important steps you should take just to be safe:

1. Change your password on all secure sites
2. DON’T use the same password – each site needs a strong and unique password

I know, I am groaning right along with you. Multiple passwords are a headache. However, the way most of these hacks work is they break into some silly meaningless site where security doesn’t seem to be important. Maybe you signed up for a rewards card or you posted a question in an online support forum. They get your name and password, and then they follow the money – bank sites, shopping sites where your credit card info is saved, financial sites, etc. And guess what – you used the same login and password on one of those sites, I guarantee it.

What I do is I use a strong and unique password on all sites of concern. I do compromise and reuse the same password on many of those other sites, as long as I am sure there is no personal information or financial information attached.

The best way to manage all these passwords is to use a tool like LastPass. It securely manages the passwords for you. I’ll be honest, it is an added risk, because if my LastPass account is ever compromised, I’m in real trouble. But my LastPass vault has over 150 entries – I couldn’t possibly manage without it.

Let me know if you have questions or need any help!


February 2014

The Target data breach keeps coming up in the headlines and I have a few thoughts I would like to share on that subject. Publicly, the breach has been blamed on an HVAC company. I’m here to tell you, if the login for an HVAC subcontractor was able to access the information that was obtained, the fault for this breach still solidly belongs with Target and their network management team.

This incident brings up a lot of important issues to consider and lessons to learn. If your employees have access to the networks of clients, vendors, or other partners, or if you allow others to access your network, you should be asking yourself the following questions:

Is this access still necessary?
Do we routinely review this access, and disable when it is no longer needed?
Do we have sufficient policies in place to govern the use of this access and any data that may be obtained, both intentionally and unintentionally?
Are both parties taking proper precautions to ensure the access is properly secure and protected?
Do both parties have a written agreement regarding this access, addressing all of these issues?
Have you conducted a recent audit of your security policies, in conjunction with your IT provider? I’m sure that HVAC contractor wishes they had – and even though the real fault probably lies somewhere else, will that company survive this incident? Doubtful.

Another important issue raised is a new term you’ll start hearing, the “Internet of things” or “Internet of Everything”. We’ve reached the point where most people are “connected” – via computers, cell phones, tablets, we almost can’t unplug. The next revolution is connecting “things” to the Internet. As wireless access becomes more prevalent, and costs to connect continue to fall, sensors will be installed in all types of devices. From HVAC systems to refrigerators, exercise equipment, shelves & cupboards, doors to potting soil, even individual product packaging.

Sensors can track location and behavior and even provide situational awareness, allowing machines to make analytical decisions. Imagine getting a text that the mayo has been outside the refrigerator for 30 minutes! Gartner estimates there will be over 26 billion “things” connected to the Internet in the next 6 years, far more than the 7.3 billion PCs, Smartphones and Tablets estimated for 2020. Of course, there are many convenience, safety & security applications for this technology – but how else will this level of connectivity affect our lives? I guess we’ll see!