Security | Jason Palmer, CPA, CITP

Securing your Email – Digital Certificate for Secure Email

August 23, 2012 By Jason Palmer Leave a Comment

A Digital Certificate for Secure Email enables you to digitally sign your email and authenticate that the message was actually sent from your email account. Optionally, you can also encrypt the email message to secure it against unauthorized viewing. (Encryption of email will be discussed in a future article.)

A Digital Certificate for Secure Email is issued by one of the well-known Certificate Authorities, the same group of companies that issue SSL (Secure Socket Layer) Certificates that encrypt web browser communications. (The “lock” in your browser when connected over HTTPS:// )

A Class 1 Certificate requires only that you enter your First Name, Last Name, Email Address and a pass-phrase which secures the Certificate itself from unauthorized use or for revocation if the Certificate is compromised or lost. The only Authentication performed is that the email address submitted is valid and that you have access to that email account to retrieve the Certificate. It is important to note that the Certificate is ONLY validating the existence of the email address. Anyone who has access to the specific email account can request a Certificate and can most likely use it to authenticate a message sent from that specific email account. This is critical to understand if you share your email account with others.

For many non-business users, a Class 1 Certificate is adequate and available at no cost from a Comodo, a Certificate Authority Provider. (There are a few other free providers but none as quick or as easy to use as Comodo.) Most people have an email account that they do not share and that is properly secured with a strong password. (Well at least they have an email account they do not share. Not everyone follows good password creation guidelines.) The point being that if you send an email message to jason@palmer.net confidence is high that I am the only one sending and receiving mail from that account. In fact, the entire point of using a Digital Certificate for Secure Email is that you as the recipient could immediately tell if the message was sent from the real jason@palmer.net email account (most likely me if a Class 1 Certificate and definitely me if a Class 2 Certificate) or if it was spoofed. (There are other ways of determining a Spoofed email, specifically by reviewing the Full Headers of the Message and spotting inconsistencies in the email addresses and Servers.)

For added assurance, you may want to consider a Class 2 Certificate whereby you need to provide the Certificate Authority with proof of identity, such as a Government issued ID (Driver’s License, Passport, Passport Card, Birth Certificate, or similar). A Class 2 Certificate validates both the email address and that you are its’ owner and a real person. Email signed with a Class 2 Certificate is similar sending over a notarized document. An independent third party has verified your identity so when you use the Certificate a certain level assurance can be assumed by the recipient that you are the actual, legitimate sender of the message.

Class 2 Digital Certificates for Secure Email come in two flavors: “Personal”, that specifically identify you as an individual and “Business”, that specifically identify you and that you are a legitimate employee of a specific company.

You may be wondering, “Wow, this sounds great! Why isn’t everyone using a Digital Certificate for Secure Email on every message?” The answer would be because it is a little cumbersome to setup and use. First both you and everyone you want to send and receive mail from need to obtain his or her own Digital Certificate for Secure Email. Next, you need to configure your email client to work with the Digital Certificate for Secure Email. This is relatively straightforward in Microsoft Outlook, Mozilla Thunderbird, or Lotus Notes. Not quite as easy for Web Mail Users of Gmail, AOL, Hotmail, Yahoo, and similar services as it requires a plug-in or extension installed in the web browser. (A plug-in or extension is a specialized helper application that enables additional features and capabilities in your web browser.)

If the recipients’ email client is properly configured to understand a Digitally Signed email message, when you send a Digitally Signed Message, the recipient will see a notation on the email that the message was Digitally Signed. However, if the recipients email client is not setup properly, the recipient will see an additional text attachment to your message that is meaningless and contains the Digital Signature Information. This can become very annoying to your recipients as every message would you send them would have an attachment.

Securing your email all starts with either a Class 1 or Class 2 Digital Certificate for Secure Email. At least visit Comodo below and start with a FREE Class 1 Digital Certificate for Secure Email, and then tell all of your friends to do the same. A Class 1 Digital Certificate for Secure Email takes only minutes to request and install, they are valid for one year, and are available free of charge

Stay tuned and read my future articles on how to implement Secure Email Communication for transmission of sensitive and confidential information over the wild Internet through Email.

Important Technical Note: Make sure that you use the same computer and web browser to request and access the retrieval of Digital Certificate for Secure Email. You will also need to make sure that Java is enabled and that your web browser accepts Cookies to complete the process successfully. The Certificate is actually being created and added to your web browser’s certificate store, and then you have to export it for your specific email client. Microsoft Internet Explorer and Microsoft Outlook do not require this step as they both can access the same Certificate Store in Windows. Firefox and the Thunderbird Email client or Lotus Notes might require some additional steps to configure properly. Instructions are provided by both the Certificate Authority and your Email Client Vendor.

Digital Certificate for Secure Email Authority Vendors:

Free Class 1

Comodo – FREE AND RECOMMENDED CHOICE
http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Symantec TrustCenter – FREE (Not as fast or easy as Comodo.)
https://www.trustcenter.de/RetailStore/cid/CustomerData!input.action

StartSSL – Free but cumbersome to apply for and install
https://www.startssl.com/?app=1

CACert – Free and very cumbersome to apply for and install
https://www.cacert.org/

Paid Class 1 and 2 Personal and Business
NOTE: There is no reason to pay for a Class 1 Certificate. Use the Free options above.

Comodo – Business Class 2 Certificates – Value Priced Leader
http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html

*Prices and Features vary widely with Vendors listed below – Read Carefully before purchasing.

GlobalSign – Personal and Business Class 1 and 2
https://www.globalsign.com/personalsign/comparison.html

IdenTrust – Personal and Business Class 2
http://www.identrust.com/certificates/trustid.html

Symantec TrustCenter – Personal Class 2
http://www.trustcenter.de/en/products/tc_personal_id.htm

Symantec TrustCenter – Business Class 2
http://www.trustcenter.de/en/products/tc_business_id.htm

Symantec/Verisign – Personal Class 1
http://www.symantec.com/verisign/digital-id

Internet Email is NOT Secure even with SSL/TLS Engaged

August 22, 2012 By Jason Palmer Leave a Comment

The first rule of using email is to NEVER put anything in an email message that you would not want published on the cover of the New York Times or for the entire world to know.

Many Web Mail providers make a big deal of giving you the option of using HTTPS (Secure HTTP Web Access) instead of HTTP (Standard Web Access) to your email account. When you type HTTPS://mail.some-provider.com, if properly supported, you definitely engage an SSL (Secure Socket Layer) Certificate that fully encrypts every keystroke you type and every thing that you view. It is a secure connection between your computer and the web email provider.

The problem and major misunderstanding is that only thing “secure” is the connection between your computer and your email provider. Once you type an email message and press the SEND button, your message goes out in to the wild Internet in “clear text” just like the text on this web page. A message sent in clear text can be read at any point during its’ journey from your email provider to the recipients email provider. From a practical standpoint, even though your email message may pass through a number of Mail Servers on its’ way to the recipient, the likelihood that it will be intercepted is remote. Most email messages “travel time” from sender to recipient is a matter of seconds.

You may be thinking, “But I am sending from my Gmail account to another user on Gmail. Why is that message not secure?” Again, even though both the sender (you) and the recipient may have a secure HTTPS:// connection to Gmail, the message will be transported in “clear text” as it moves either between the various Gmail Servers and Mail Accounts.

The exposure to prying eyes is significantly reduced when sending to and from the SAME domain name such as user1@gmail.com to user2@gmail.com as the message never leaves the Internet Providers Network. However, remember the message is still in “clear text” and can be easily read by a System Administrator or anyone else who may have access to the message during its’ journey. Realize extremely large Internet Providers have many email servers in many locations and most have secure connections between their locations but some use the Public Internet instead.

There is an exception to the above: If you are using a Corporate Email Server such as Microsoft Exchange or Lotus Notes and are sending intra-company mail, that is mail that is to and from other users in your organization with the SAME domain name, i.e. user1@palmer.net and user2@palmer.net, then all mail will be 100% secure. This is because there is either a secure HTTPS:// (SSL) or TLS (Transport Layer Security) protocol engaged between your email client, Microsoft Outlook, and the Microsoft Exchange Mail Server and all email is stored in encrypted format in the Microsoft Exchange Mail Database. The same holds true for Lotus Notes. (Caveat: Although usually configured to be “secure” by default, in some cases, Microsoft Outlook or Outlook Web Access may have been configured to use a standard non-encrypted connection instead of a secure one. Check with your Corporate IT person to confirm.)

Keep in mind that both the Government and Criminals may have “sniffers” setup at various points on the Internet. This allows the snooper to view every single data packet, like the ones containing your email message, and read it.

With the trillions and trillions of data packets and email messages moving across the global Internet daily, the risk that your specific email message containing sensitive or confidential information will be intercepted is remote but the potential is very real.

Using a secure connection to your email provider is not enough. If you or your Company are the specific target of a Government Agency or Hacker, the only solution is to properly encrypt your message. Otherwise, the contents of that document or the photo attached might just make the cover of the New York Times.

[A future article will discuss options for encrypting email messages.]

Securing your Desktop – Antispam Software

August 21, 2012 By Jason Palmer Leave a Comment

Amazing, as it seems, some Internet email providers do not offer an Antispam service for filtering out Unsolicited Commercial Email (UCE) – the proper name for what is affectionately called “SPAM” or Junk email.

Some email client software such as Microsoft Outlook and Mozilla Thunderbird include their own Antispam filters but you may want something more robust. Many of the Antivirus software vendors in their “Internet Security Suite” products include an Antispam component. For the most part, the Antispam component, like the rest of the Suite is “set it and forget it.” However, since no automated process is perfect at detecting UCE, most usually have the ability to create whitelists (always accept) and blacklists (always deny) specific senders. Many dedicated desktop Antispam solutions exist as well and some are listed below.

Antispam filters use a combination of the following techniques to differentiate between legitimate email and UCE. Some use a form of Heuristic pattern matching. The filter looks for a combination of known phrases used in UCE messages such as the ever popular “In deepest confidence” and “the sum of X million dollars” and “need your assistance.” These may not be the actual phrases tested but they demonstrate the concept of the type of language used in the classic scam email of someone contacting you to assist with the movement of money in/out of the country if you will just show good faith with money of your own. In all cases, the phrases are scored with either with positive (more likely spam) or negative (more likely legitimate) and the net number determines if the message is allowed through or moves to your junk folder.

Another technique is the straight automatic blocking of messages that originate from specific IP (Internet) addresses and senders that are known to be bulk Spammers. The Antispam program will check with a well-known service such as Spamhaus.org or the DNS Black List, which maintain a continuously updated list of known originators of Spam and act accordingly.

Many will apply Bayesian content filtering which is a content filtering technique that looks at the words in the body of the message, the email message headers (detailed information about the sender and the path the message took to be delivered to your IN box), the amount of HTML code (colors and graphics), word pairs, phrases, and the general location and context of the words and phrases and assigns a score that determines if the message is or is not UCE/Spam. What makes Bayesian content filtering reasonably successful is that the initial analysis of UCE/Spam is from a pool of email that you personally classify as UCE/Spam. In this way, the program knows what you deem as UCE/Spam so it can analyze the messages received and score them appropriately as UCE/Spam. At the same time, the Bayesian content filters also look at known good non-spam email to create similar scores as a basis of comparison.

Technical NOTE: Bayesian filters work best against a pool of homogeneous mail for a single person or single company. Since the scoring is based on a large population and the algorithm is looking for patterns and trends, Bayesian filters break down when Good email can be confused with Bad email. Let us assume that a husband who is an Accountant and wife who is a Doctor share the same family email account address. The wife may receive a large number of email messages from Big Pharma that discuss well know drugs such as Celebrex or Viagra. The Bayesian filter can get easily confused because the husband might classify all Pharma email as UCE/Spam when in fact it is legitimate to the wife who is the Doctor. But how is the filter to tell the difference between an offer to purchase Celebrex (illegally) over the Internet and a legitimate email from Pfizer the makers of Celebrex? The answer is the Bayesian filters usually goof.

The last method I will discuss is called Challenge-Response, which maintains a list of permitted senders. Every time you receive an email, if the sender is not already whitelisted (permitted), the Antispam Component will send an automatic auto-reply to the sender and ask them to visit a web site to enter in a “challenge” like two plus two equals (fill in the blank) or some other simple test that verifies that the email was sent by a human. If there is no response, as would be the case from a list server (vendor mailing list program), then the message is placed in the quarantine or junk folder for later review by you. The use of Challenge-Response, although extremely reliable, can be problematic as every Challenge email sent out, if sent to a sender that was a fake address, will just bounce back and create even more mail traffic.

You can find extensive in-depth details about the above techniques and the more advanced ones by searching out “Antispam Filtering Techniques” in your favorite search engine.

If your Internet Service Provider, email host, or email client do not filter for UCE/Spam or you want a more robust solution at the individual level, consider the “Internet Security Suites” or Dedicated packages from the well known providers below.

Popular Internet Security Suites

NOTE: These are the Consumer Product Listings – Equivalents Exist for Business

Vipre Internet Security
http://www.vipreantivirus.com/VIPRE-Internet-Security/

Kaspersky Internet Security
http://usa.kaspersky.com/products-services/home-computer-security/internet-security

Trend Micro Titanium Internet Security
http://www.trendmicro.com/us/home/products/titanium/internet-security/index.html

McAfee Internet Security
http://home.mcafee.com/store/internet-security

Norton Internet Security
http://us.norton.com/internet-security/

Dedicated Antispam Solutions

MailFrontier Desktop
http://www.mailfrontier.com/products_matador.html

Cloudmark DesktopOne
http://www.cloudmark.com/en/products/cloudmark-desktopone/index

SpamFighter
http://www.spamfighter.com/Product_Info.asp

Mailshell
http://www.mailshell.com/mail/client/oem2.html/step/client

Sonicwall Anti-Spam Desktop
http://sonicwall.com/us/products/Anti-Spam_Desktop.html

Securing your Desktop – Firewall Software

August 20, 2012 By Jason Palmer Leave a Comment

We have all heard the expression, “Fences make good neighbors.” I will build on that by saying that adding a Gate helps too as you may occasionally want to leave or invite a visitor in. A Firewall is just like a Fence around your home and you control who is allowed to pass through the Gate – both in and out. Although not impossible to break through the Fence it is much easier to pass through the Gate.

In the same manner, a Firewall is an added layer of digital protection around your Data (the information stored on your computer) that helps control who and what are allowed access. Think of a Firewall as an overly attentive Nanny or Parent. As a kid, you may have been allowed to play in the yard but not the street. Or, you could walk to school but not to the Mall and you were not allowed out after dark. These examples introduce the concepts of Firewall rules – what you are allowing your computer to do.

Put in a business context, you might restrict the ability for a computer (or your entire company) to only access Facebook during lunch hour or for one or two hours before or after business hours. At one client, there is a computer on the shop floor to make Labels. We set the Firewall to prevent all Internet access, as the job function does not require any Internet access.

Firewalls also keep unwanted intrusions out. Unless you are running a Network Server, there is almost no reason to allow any access to your computer from the Internet. If you are in a Small Office or Home Office network environment, you may share a folder on your computer (Public Folder) or share a Printer attached directly to your computer. In this case, Windows (and Macs) will open up the specific ports (doorways and gates) to allow the computers to share their resources. You can have different Firewall settings for Internal (Local) vs. External (Internet) networks at the same time.

We know for a fact that no computer operating system is perfect and they all have security flaws. A Firewall puts up an added layer of protection around the operating system so that the intruder cannot reach the operating system to exploit the Security Flaw.

Firewalls come in many flavors, such as Personal, Network, and Application, depending on what you are trying to protect. The important thing to understand is that the premise is the same: Set a specific rule to allow or disallow a specific activity or type of connection to or from a computer or your entire network.

The key differences between the Free Firewalls including with your computer operating system and the Paid Firewalls available as part of “Internet Security Suites” is the degree to which they automate the Rule creation function and what they monitor. For example, the Free Firewall included in Windows is predominantly a network port based Firewall. It will allow you to restrict or allow access to your computer or a network resource based on the specific network connection say (wired or wireless) and the protocol being used (Web Browsing, Port 80, or File Transfer, Port 21). If you look at a more comprehensive product like the ones included in Suites from Vipre, Kaspersky, Trend Micro, McAfee, or Norton they include Application Firewalls. These will monitor the specific activities of your Web Browser to make sure it is only going to “Safe” places. Or, if you have Quickbooks, the Application Firewall will alert you every time, (and allow you to set a rule), Quickbooks goes out to the Internet to get updates.

The more advanced Firewall products monitor every single attempt that your computer makes to access the Internet (or any outbound connection to a network resource – even to a network printer) and every attempt by something to access your computer (knock on your front door) and either block that access or allow you to “open the door and let them in.”

In general, the default settings of most Firewall products are sufficient if you mostly use your computer for Web Browsing, Email, and Document Creation activities. If you have specialized Line of Business applications (Accounting or Database), secure connections to remote or Corporate offices, or extensive File Transfer applications, you may need to adjust the Firewall Rules to allow these applications to operate properly.

The baseline for all of the Paid Companies is an Antivirus product. The addition of the phrase “Internet Security” usually adds a Firewall and the ability to monitor application activity and web-browsing to make sure that you are protected from accidentally visiting known malware and virus sites. Sometimes they add the phrase “Total Security” which may include the ability to monitor Chat and Instant Messenger sessions for transmission of viruses and other malware. In short, as each vendors solution increases in price, they add more and more security and monitoring features for different types of computer activities: email, chat, web-browsing, file transfer, etc.

Popular Internet Security Suites

NOTE: These are the Consumer Product Listings – Equivalents Exist for Business

Vipre Internet Security
http://www.vipreantivirus.com/VIPRE-Internet-Security/

Kaspersky Internet Security
http://usa.kaspersky.com/products-services/home-computer-security/internet-security

Trend Micro Titanium Internet Security
http://www.trendmicro.com/us/home/products/titanium/internet-security/index.html

McAfee Internet Security
http://home.mcafee.com/store/internet-security

Norton Internet Security
http://us.norton.com/internet-security/

Securing your Desktop – Antivirus Software

August 19, 2012 By Jason Palmer Leave a Comment

With so many different Antivirus Software products available, it is easy to get overwhelmed with choices. Sometimes, the hardware vendor pre-installs a specific Antivirus Software product. The problem is that these are usually trial versions that are only valid for a short time period. If you forget to purchase a subscription, you are completely unprotected.

Any Antivirus Software is better than none at all. Understand that you are under no obligation to use the Antivirus package pre-installed on your system. The system manufacturer made the selection of Antivirus vendor based on a financial incentive or revenue share not because it was the best or most cost effective solution for you.

There are three basic considerations in selecting an Antivirus Software package: Price, Feature Set, and Frequency of Updates.

Free versions of Antivirus software offer basic file level and memory protection. If the Antivirus program detects a virus on your hard disk drive or malicious program attempting to execute, it will clean and remove the virus.

Paid versions of Antivirus software usually add additional features such as Safe Web Browsing. They will check the web site name (URL) against a list of known bad sites and help prevent a possible infection by blocking access to the site.

Perhaps the most critical aspect of a Free vs. Paid Antivirus software program is how frequently the definition database that contains the signature patters of known viruses and malicious programs is updated. Free Antivirus programs usually update once per day and Paid versions update multiple times per day. Some of the more advanced Paid Antivirus software products support an emergency update mode that is triggered when a widespread outbreak has occurred. This is especially beneficial for “zero day” viruses, those that appear with no notice and spread quickly via email or that exploit a Security flaw in the computer operating system.

It almost goes without saying that when it comes to support for the Free Antivirus products there really isn’t any. Support may be available through a Forum where you can ask questions of others, read documentation, and Frequently Asked Questions. For some Paid products, support is not much better. Even though you may have Paid for an Antivirus Software product, there may be a separate charge for Support if you want to ask a technical question via email or call and speak with someone. It is important to read the description of the package you are purchasing and understand exactly what is included with your purchase.

At the bare minimum, take advantage of one of the Free Antivirus programs and if you budget allows, consider a Paid Antivirus program to get more frequent updates and support for removing the virus should one get through.

Purchasing Note: Many of the Paid versions of Antivirus Software have upsell options that include more than just Antivirus software. They may include cookie monitors, added Firewall Software, Anti-Spam software, and other more advanced monitoring and alerting tools. Windows includes a basic firewall and most email providers include Anti-Spam filtering. Only purchase the tools you actually need.

Popular Free Antivirus Software Programs:

Microsoft Security Essentials – Windows
windows.microsoft.com/mse

AVG Free – Windows
free.avg.com

Avast Free – Windows or Mac
www.avast.com

iAntivirus.com – Mac

ClamAV – Windows
www.clamav.com

ClamXav – Mac
www.clamxav.com

Popular Paid Antivirus Software Programs

Vipre Antivirus – Windows
http://www.vipreantivirus.com

Kaspersky Antivirus – Windows
http://www.kasperskey.com

Trend Micro Antivirus – Windows
http://www.trendmicro.com

McAfee Antivirus – Windows
http://www.mcafee.com

Norton Antivirus – Windows
http://us.norton.com/antivirus

Lock your Computer Desktop Screen

August 18, 2012 By Jason Palmer 1 Comment

How often do you walk in to an office and see a computer screen with a Document, Spreadsheet, or Email message open but no one sitting at the desk in front of it? Too often would be the correct answer.

When you leave your desk without locking the computer desktop screen, anyone can see whatever is visible on your computer desktop screen at that moment.

What if a co-worker decides this would be a golden opportunity to sit down at your desk for a few minutes and “browse around?” Are you sure that nothing is “open” that might be of a sensitive nature? What if you had your personal Facebook page open or if you were logged in to your Personal Email Account? What if it were your Resume, an employee annual review, financial statement information, or something confidential? Do you really want anyone who might sit down at your desk to have immediate and unrestricted access to every document that is open and any web site you are logged in to? I think not.

You are probably thinking that none of this applies if you are in a one to three room office with less than ten people. You would be wrong. Quiz Time: Assuming you are in Commercial Office space, how many of you either do not log out of your computer nor lock your desktop screen when you leave at the end of the day? Almost no one? I thought so. Now, how many of you have a Professional Cleaning Service come in every evening. Who here is comfortable with a complete stranger possibly sitting down at your computer and “looking around?” Anyone? No? Again, I thought so.

If you are in a larger office with dozens of co-workers, delivery people, cleaning people, and visitors, it is critical that you secure your desktop by locking it every time you leave your desk. Even if you think you will only be gone a minute, you just never know. You might be called to a meeting or stop in the hallway for an extended chat. All the while, your computer is exposed to anyone who might pass by and “take a look” at what you are doing.

Just like in the physical world, Locks keep honest people honest. It takes only seconds to Lock your Desktop. In Windows, just press the Windows Key and the “L” key simultaneously. When you return, press “CTRL-ALT-DELETE”, like you normally would to get the User Name and Password Prompt. Enter your Password, and you are back at your desktop EXACTLY where you left off.

Mac users, you can press CTRL-SHIFT-EJECT or you can click on the LOCK in the top menu bar and select “Lock Screen.” NOTE: Many Mac users still do not have a password set so locking the screen on a Mac is of limited value unless you set a Password that is required to be entered AFTER the screen saver engages.

Locking your Desktop Screen helps maintain your privacy and protects you and your company from prying eyes.

Share Dessert, Not your Password

August 17, 2012 By Jason Palmer Leave a Comment

In many offices, people think nothing of giving their computer login User Name and Password to a co-worker. In general, this is a bad idea. Once a co-worker has the Password associated with your Login, the co-worker can masquerade as you. There is no technical way to differentiate actions taken by you vs. your co-worker should something inappropriate transpire.

For example, perhaps your co-worker is targeting your job and acts maliciously by sending out a sensitive document to a competitor using your email account. It would be extremely difficult to prove that you did not send it. Whoever did send it had your User Name and Password and gained access as you. Management will ask who else could have sent it but you? As an IT Auditor, I can assure you that most companies do not have the forensic skill to perform a proper investigation to save your job. The facts will appear to be self-evident and Management will take the path of least resistance and fire you.

It is extremely common for an Assistant to an Executive to have the Executive’s User Name and Password. This too is still a bad idea. The mitigating factor is that in most cases, the Assistant’s have the explicit trust of the Executive especially if they have been together for many years. I fully understand that the entire purpose of an Executive Assistant is to “assist” and act on matters that the Executive may not be able to attend to directly. However there are alternatives that do not compromise the Executive’s personal privacy, allow the Assistant access to selected functions, and still maintain an audit trail of access.

The problem with providing an Assistant your User Name and Login Password to your computer, corporate network or any other account is that this is an “All or Nothing” proposition. There is no ability for you as the Executive to keep anything “private” from your Assistant. This means that every single email, document you receive or draft, message from a family member to your work email (and possibly your personal email) – you entire life – potentially – is completely exposed to your Assistant.

On a practical level, this may not seem like an issue to you. You might say, “My Assistant only uses my Computer when I ask him or her to check something for me.” And I would say, “Are you absolutely sure that is the ONLY time he or she has ever sat down at your computer and looked around?” Giving your Assistant your Password exposes you as the Executive to the same kind of risk as any other Staff member. Information that was to be private and remain within the Company or that was for your “Eyes Only” is now potentially shared with your Assistant and whomever he or she sees fit to share it with.

Here is a better solution: Depending on your specific environment, if on a Corporate Network, your Assistant can use his or her own login to access your Computer and Files provided that you give (or more likely your IT Person gives) the appropriate permissions to the directories that contain your personal files that are either stored on the local computer hard drive or on the Corporate Network. In this manner, there is an “Audit Trail” of who accessed what file and when.

The best solution is to take advantage of the fact that you have Corporate Network environment and create “Shared Folders” that only you and your Assistant can access. This allows your Assistant access to files you deem unclassified in the Shared Folder while still allowing you to store sensitive information privately that only you can access in your own personal folders.

Both of the above options work regardless of if you have a Corporate Network and a File Server where files are stored centrally or if you have a Single stand-alone PC. Even on a Stand-Alone PC (or Mac) you can have individual user accounts, each with their own 100% private storage area that can only be accessed while that specific user is logged in under their user name and a common storage area that all users can access regardless of which specific user is logged in.

The most popular excuse (reason) for the sharing of the Executive User Name and Password is for the co-worker or Executive Assistant to check and respond to email. Most Corporate Email Servers, specifically Microsoft Exchange, support the ability for you to give Proxy Permissions to a co-worker or Assistant. This enables someone other than yourself to read, reply, create, and send mail as you depending on what permissions you allow. The subtle difference is that there is an Audit Trail that shows that the correspondence, even if appearing to have been sent by you to the outside party, was actually sent by your Proxy – the co-worker or Assistant acting on your behalf. The other key advantage is that if a message is marked as “private”, a function of some Corporate Mail Servers, the co-worker or Assistant cannot see it. Only you can only open the message with your specific User Name and Password.

User Names and Password are personal and should remain specific to you. As you can see, there are a number of ways to share files and enable access to email with co-workers and Executive Assistant’s that do not compromise your personal privacy.

There is one exception to sharing your Password with someone and that is usually the IT Administrator. Having your specific User Name and Password makes it easier to diagnose problems with your account and enables the IT Administrator to see exactly what you are seeing and the problem you are experiencing. Understand that your IT Administrator has a “Super User” (Administrator) account that would allow him or her to see, in most cases, absolutely every file, email, and piece of data on the Corporate Network regardless of if he or she had your specific User Name and Password or not. (The few cases where this is not true are when a separate encryption program is used to securely encrypt specific files and directories or a specific password is set on a file. In those situations, only the person who set the encryption or the password on the file or directory knows the password to decrypt (access) it. Neither the IT Administrator, nor anyone else for that matter, can access or read the file.)

In general, do not share your user name and Password with co-workers or your Assistant if you can possibly avoid it.

Share Dessert instead. Much tastier and the only risk is a few extra calories.

The Security Value Context – Data vs. Information

August 16, 2012 By Jason Palmer Leave a Comment

All Information is comprised of Data but not all Data leads to useful Information.

Data should be protected where possible but it is Information that needs to be actively secured.

The Security Value Context is the degree to which Data or Information needs to be protected and secured based entirely on the context of how it is organized and how it will be used.

Let me explain: If I have a Tax Preparation Business with thousands of individual client returns, considered Data, no one specific return is particularly interesting (unless perhaps the return belongs to a Public figure, then it becomes Information.) In fact, if I published one random Tax Return, (say Mitt En), on a Billboard in Times Square (without the Social Security Number), chances are no one would give it a second glance. Even if someone knew Mitt En, there is little practical value to the Data presented on the Tax Return. Big deal, the world now knows how much “Mitt” took home last year. The point being made here is that this Tax Return is just random Data. Unless someone is specifically interested in Mitt, and most people are not interested in Mitt, there is extremely limited security value risk to Mitt in the public exposure of his Tax Return. In short, the scope of the Context is singularly “Mitt” himself. No one else really cares.

(For the moment, I am excluding the possibility of Identity Theft from this discussion.)

On the other hand, if this is the Tax Return of Mitt Romney instead of our average individual Mitt En, what a moment ago was random unimportant Data now becomes specifically useful Information. The Tax Return will most likely list all of the Charitable Donations that Mitt Romney has made. This Information will imply the causes that he supports which in turn may suggest the types of Policies he will try to legislate based on his beliefs and values. This has a very high security value risk and therefore needs to be actively secured. The scope of the Context is huge. The majority of the voting population of the United States cares.

If I take the thousands of individual client returns and start to analyze and segregate them based on factors like income, mortgage interest paid, charitable donations, type of employment, dependents, or any other element, I have taken the raw disorganized Data and turned it in to incredibly valuable Information.

Used in a good way, the Internal Revenue Service aggregates the Data from Filed Tax Returns in just this manner to present anonymous profile statistics about the American Tax Payer. This provides valuable information that Congress can use to manage Tax Policy. Since the Data is presented in anonymous, aggregate format, there is a very low security value risk to any one individual return.

Used in a bad way, an unscrupulous person could use the identifiable Data that created this incredibly useful Information against specific groups of individuals for nefarious purposes. For example, groups of individuals that have high mortgage interest deductions might become the target of predatory refinancing lenders. Since each person can be identified, there is a very high security value risk.

It is impossible to know exactly how raw “Data” will be organized or its’ eventual value in producing Information which is why it is important to take appropriate action to protect it. For example, we manage user access with Password protected Software Applications and we encrypt the files to keep the Data as secure as practicable away from unauthorized access.

Conversely, we know exactly how “Data” can instantly become valuable “Information” which is why we go to such great lengths to actively secure it in its final form. We know that a Tax Return contains a Social Security Number, Birth Date, and the full legal name and address of an individual. In the wrong hands, like that of an Identity thief, the information on a Tax Return contains everything necessary to steal the Taxpayers identity and create financial chaos.

Actively securing access to valuable Information, like a Tax Return, requires more than a Password. It requires a policy that explicitly defines how the Information will be stored or transmitted and who will have access to it.

The simplest analogy to the difference in managing “Data” security vs. “Information” security is to think of “Data” as a Credit Card and “Information” as Cash.

With a Credit Card, if a fraudulent transaction is discovered, it can be reversed, the Card cancelled and your perfect credit score remains intact. Data stored on your computer works pretty much the same way: If a file becomes corrupted or damaged, that one data element can usually be isolated or fixed with minimal risk to the remainder of the data. It is one random element among many.

With Cash, if you lose it or it is stolen, it is completely gone with zero recourse. With valuable Information, like a Tax Return in the wrong hands, you can never get it back. The person’s identity may be stolen along with the creation of a financial mess that may take months to clean up.

Determining the Security Value Context of Data vs. Information requires an understanding of how each will be stored, accessed, and presented.

One person’s Data is another person’s Information.

Securing your Digital World with Passwords

August 15, 2012 By Jason Palmer Leave a Comment

This is a test: Grab your nearest digital device that has your personal information on it. That would be your cell or Smartphone, iPad or Android Tablet, notebook or desktop computer or iPod/mp3 player. Touch the screen or tap the keyboard to wake it up.

Does it ask you for a Password to proceed before you can access it?

If “Yes”, congratulations, you passed and understand the importance of taking as many precautions as possible to keep prying eyes out of your personal data and digital world.

If “No”, then the next question to you is “Why does your digital device not have a Password set?” Would you leave your car unlocked on the Street? Would you leave the front door of your house or apartment open so that anyone could just walk in and look around? Well, would you?

If you secure every aspect of your physical world with locks, keys, and combinations, why would you not think to do the same for your digital world?

Password security is not just for your online web accounts. Password security should be engaged and used everywhere it is supported.

I am sure that some of you have lost your cell or Smartphone. Without a Password set on the device, whoever found it immediately had access to your entire address book: every name, every phone number, perhaps full addresses, possibly birthdates. In this address book list there are probably sensitive contacts like your Doctor’s, Financial Advisors, and Attorney’s. If you are like many people, in the NOTES section, some contacts may have Account Number and (hopefully not) Password and access information to these accounts. But we are just getting started as we are only considering the wealth of information in the Address Book/Contact List. In the wrong hands, this is an identity thief’s dream.

If you have a Smartphone, every text message sent and received and every email for approximately the past two weeks is fully visible. If the person who just found your phone is a criminal or identity thief, he or she might send an email or text message that appears to come from you fraudulently asking for “assistance” to one or more of your contacts. (A popular scam is to claim that “you” are in a bad cell zone and can only text, have lost your wallet, and can “your friend” please send $100 via a wire service or mobile payment service.)

Your Smartphone most likely connects to an App Store – either the iTunes store or the Google Play store. This person may now be able to obtain additional personal information about you from Apple or Google and possibly credit card information which can then be used to break in to other accounts at other web sites discovered from your Contact/Address Book list.

The above scenarios hold true for most iPads, Android Tablets, iPods, and mp3 Players that have a contact list, email capability, and connect to any kind of App Store.

With a Notebook Computer it only gets worse: Your portable computer has all of the above and plenty of bonus content for the person who finds it. The computer will most likely contain sensitive documents. If you only have a notebook computer and no desktop computer, then it will contain your entire body of digital knowledge: Every letter, proposal, memo, spreadsheet (i.e. Expense Report, Income Information), Business Plan, poem – just about every piece of digital content you have every created will be on this one device. But wait, there’s more: Every picture you have ever downloaded from your phone or camera: you, your family members, places you have been, all of your friends, and pets. This may seem innocuous but for professional thieves, the photos may reveal additional physical targets for burglaries. (Fluffy might become pet-napped and held for ransom.)

If you are a person who accesses a corporate network, which probably does use and require a Password, and that Password is stored in the access application, DING, DING, DING – it is the Mother of all Pay Days for the unscrupulous individual who is now in possession of your notebook. That person potentially has full, unrestricted access to all of your company’s sensitive information. This time it includes not only documents but may include corporate financial information and detailed personal information about clients of the company.

Finally for the Lightening round: I am virtually positive that many of you have your Apps set for “auto-login” where your User Name along with your Password are stored in the App. (If a web site, the user name and password are stored in the Web Browser.) You have just given the person in possession of your digital device the “Keys to the Kingdom” of your Digital World. He or she is now capable of viewing (and manipulating) your Social Media, WebMail, eCommerce accounts and any other web site that has stored access information.

As you can see, for lack of taking a few extra seconds to enter a Password every time you pick up one of your digital devices, you could be needlessly exposing your entire digital world and putting yourself and those around you at extreme risk.

You lock your physical world. Lock your digital world too.

Set a Password on every device that supports the use of a Password.

For some guidelines on setting strong passwords, read my articles, “Strengthening Common Passwords” and “A Complex Password may not be a Strong Password.”

Technical Tip: If your device supports the use of a Swipe Pattern instead of entering a combination of numbers and letters as a Password, definitely use a Swipe Pattern. (A Swipe Pattern allows you to use your finger to draw a series of lines across the screen in a specific order to unlock the device.) Hackers can use automated programs to guess at the number and letter combinations which make up a Password. As of this writing, similar programs do not yet exist to crack a Swipe Pattern on a digital device. Although if a program did exist, most phones would still lock out all further attempts after a certain number of failures. It was reported in March of 2012 that even the FBI could not get in to a phone that used a Swipe Pattern to lock it. See more on that story here.

A Complex Password may not be a Strong Password

August 14, 2012 By Jason Palmer 2 Comments

Just because your password meets complexity requirements does not necessarily make it a strong password. It is a given that many sites require you to have a password of a minimum length of at least six or eight characters. Some go so far as to require the addition of a number and at least one upper case letter. At first glance, this gives the appearance of a complex password that, in theory, should be harder to crack. If we consider a blind brute force attack that starts at six characters with “000000” and cycles through every combination of upper and lower case letters and numbers through “zzzzzz”, this is essentially true.

The problem is that automated password attacks have become intelligent in the sense that hackers have added “Pattern Matching” and LEET algorithms. (LEET refers to the substitution of a character in a word with a corresponding number or special character. Read more about LEET in Wikipedia here.)

In my article, “Strengthening Common Passwords”, I discuss that Hackers will look first to the most common passwords. For example, “123456” is first and “Password” is fourth on the list of common passwords. This fact reduces the need to even begin a brute force attack on your Password until thousands of common words, phrases, and numbers such as Sports Teams, Birth Years in the 1900’s, Popular Baby Names, Movie Titles, and Fictional Characters have been tried first through a pattern match attack.

This is just the tip of the iceberg in breaking a password that appears to be complex.

If we start with a common password, “yankees” and modify it to meet complexity requirements, it might become “Yankees1” which is not necessarily any more secure than if it were all lower case without the addition of the number. Applying “Pattern Matching”, what would be the most obvious “Pattern” modification to any common word (password) to meet complexity requirements? Answer: The capitalization of the first letter, which follows standard English Grammar rules and the addition of the number 1 or even 12. Even adding LEET so the password becomes “Y@nK33s1” is not really a significant improvement because the next “pattern” applied in the attack to the well-known password list will be LEET substitutions.

How many of you just realized that your own password that properly met complexity requirements is not nearly as strong as you thought is was sixty seconds ago?

A pattern match attack program will first try making common pattern modifications to its’ list of well-known passwords before it starts a brute force sequential search. This will significantly increase the chances of success with minimal increase in the time required to crack your password.

Some of you are thinking, my password is really strong, it’s “1234qwerUIOP”. “No one could possibly guess that password, right? Again, on a pure sequential, brute force attack, to break a twelve character, non-dictionary password is a very long time. If we look closely at this password we see that it is three groups of four sequential characters from a standard computer keyboard: “1234” are the first four numbers of the numeral row, “qwer” are the first four characters of the top row, and “UIOP” are the last four letters of the top row. In short, a common pattern used for a password.

In order for a Password to be strong, it needs to be more than complex. It needs to be sufficiently long and suitably random to be truly effective.

Before you decide to abandon all on-line banking and social media activity for fear that almost no password you could create could ever be strong enough to protect your digital accounts, keep in mind a few key issues: The above discussion applies to a hacker making a concerted specific effort to crack your password to gain access to one of your digital accounts. The likelihood that you will be a specific “high value” target is minimal. Again, I go back to my analogy that car thieves look for unlocked cars with the keys in the ignition.

The key take away is to make it as difficult as possible so that the hacker gives up after trying obvious well-known Passwords with or without Pattern Matching algorithms applied and moves on to someone else.

Follow best practices by trying to make your passwords sufficiently long with at least eight characters, use upper and lower case letters (if recognized as different by your particular web site account), always include a few numbers either as substitutions for letters (LEET) or as additional characters added at random places in the Password (do not just put at the beginning or end), and where permitted, try to do the same with special characters such as @ $ %! # by placing them at random locations in the Password.

As a closing example looking back to “yankees”, we can even make it reasonably strong by applying all of the techniques so that it becomes “y@!nk3#3s”. (Note that it uses LEET and adds in two special characters in random locations.) Even though we start with a very common password, “yankees”, a pattern match attack will most likely fail and the only option for the hacker will be to use a brute force sequential search.

Finally, you can also use “Patterns” to your advantage. (The Patterns which just capitalize the first letter, add a number 1 at the end or only use LEET on a well-known common password or dictionary word should not be used.)

In an effort to be able to remember your passwords you can create a non-obvious pattern to strengthen your common passwords: Perhaps you always add a # after the third letter and an ! before the last letter or instead of using a U in your spelling, you always use a V.

Anything you can do to be non-standard and appear random in creating your Password will afford you a reasonably high degree of protection from hackers who use common, pattern match and brute force password attacks.

Technical Note: The ability of a brute force sequential attack to succeed in cracking your Password depends largely on who is behind the attack and the amount of computer power brought to the task. A Hacker with a single computer may take months or centuries to crack your sufficiently long complex random password. A Hacker who has tens of thousands of zombie PC’s coordinating an attack will take significantly less time to be successful. If a Government Security Agency is behind the attack, with that amount of computer power, it might be a matter of hours or days to crack your password.

As scary as this all sounds, the provider of your digital account can go a long way to slow these attacks to a crawl. Many web sites will not allow another login attempt for a certain period of time after three to five login failures or will lock the account completely after five or ten login attempts. No automated attack can proceed if the web site will not allow a login due to failed attempts – human or automated.

« Previous Page