
An Annual Security Check-Up for Your Computer

The new year is always a great time to reflect on the happenings of the past year, and start the new one with a clean slate and fresh outlook. And your computer can start with a relatively clean slate too, if you follow a few simple steps:

Make sure your computer has all critical security patches, and is configured to install new patches automatically. For Windows systems, you can check for new patches by pointing Internet Explorer to update.microsoft.com. To configure automatic downloading and installation of new security patches, open the Windows Update section of your Control Panel, click Change Settings, and ensure it is set to “Install Updates Automatically”.
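As an added example (not part of the original post), the following PowerShell script checks the same setting from a prompt instead of the Control Panel, and then lists what has actually been installed lately, since a correct setting with no recent installs usually means updating is stuck. It assumes a Windows 7-era system where the Automatic Updates setting lives under the registry keys named below (a Group Policy value, if present, overrides the local one); the meanings of the AUOptions values are the ones Microsoft documents for the Automatic Updates policy.

```powershell
# Added example: report whether Windows Update installs automatically, and
# list updates installed in the last 30 days. Run from an elevated prompt.
# AUOptions values (Microsoft's Automatic Updates policy):
#   2 = notify before download, 3 = download then notify before install,
#   4 = download and install automatically, 5 = let the local admin choose.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$defaultKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-AutoUpdateOption {
    # A policy value (domain or local GPO) overrides the per-machine default,
    # so it is checked first. Returns $null if neither value exists.
    foreach ($key in @($policyKey, $defaultKey)) {
        $item = Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.AUOptions }
    }
    return $null
}

$option = Get-AutoUpdateOption
if ($option -eq 4) {
    Write-Output 'OK: updates are downloaded and installed automatically.'
} elseif ($null -eq $option) {
    Write-Warning 'Automatic Updates is not configured; open Windows Update > Change settings.'
} else {
    Write-Warning "Automatic Updates is set to option $option; change it to 'Install updates automatically'."
}

# Get-HotFix reads the installed-updates list (Win32_QuickFixEngineering).
# Nothing newer than a month suggests patching has stalled even if the setting is right.
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
            Sort-Object InstalledOn -Descending)
if ($recent.Count -eq 0) {
    Write-Warning 'No updates have been installed in the last 30 days.'
} else {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
}
```

Get-HotFix only knows about operating-system updates, which is exactly the gap the next paragraph is about: it will say nothing about Flash, Acrobat or QuickTime.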

Don’t forget that your applications need patching as well. In fact, most of the vulnerabilities announced in 2011 were not in Microsoft products at all, but in third-party applications such as Adobe Flash/Acrobat and Apple’s QuickTime. Microsoft Update only covers security updates for the operating system and some Microsoft products, so you also need to regularly check for updates to the other applications you use. Nearly all modern applications offer free patching, and most will alert you when new patches are available if that feature is enabled. Check the settings on each of those applications to make sure it is. If you have any doubt about what version you are running, uninstall the application using your Control Panel and install a freshly-downloaded version from the vendor’s website.

Some antivirus products offer a patch management component as part of their solution, which monitors the applications on your computer and helps install their patches. Which brings us to our next health check topic…

Check the state of your antivirus. Did you know that there are about 55,000 new viruses discovered every single day? Antivirus programs *must* be updated at least daily to remain effective. Too often people install a trial version of an antivirus application and then neglect to purchase it once the trial has expired. An antivirus program whose signatures are out of date is pointless. There are a number of free antivirus products out there from well-regarded companies (Microsoft, Comodo, AVG, etc.), but I think this is one area that benefits from an annual subscription to a commercial product, because you get additional features along with the peace of mind. Kaspersky’s antivirus product, for instance, has a built-in patch management component that monitors common applications on your computer to see if new patches are available. And ESET’s Smart Security suite, which I highly recommend, includes advanced features like firewall protection and parental controls. Either of those solutions is well worth the $40-$50 a year it costs to maintain.

Whichever solution you ultimately settle on, make sure whatever you have is updated regularly, and is configured to download new virus signatures at least on a daily basis, if not hourly.

A new year is a good time to try something new - how about a new browser? Internet Explorer continues to be one of the most popular ways hackers gain entry into a victim’s computer. Consider installing Firefox or Google’s Chrome as an alternative browser. Not only are they generally more secure, but they are often faster and easier to use.

If you do choose to stick with IE, make sure it’s the most recent version. Internet Explorer is updated frequently, and major updates (like from version 8 to 9) are not always installed through the monthly patching process. You can always go to www.microsoft.com/ie to check out and download the most recent release.

Scan your computer for malware. Even with an antivirus application installed, your computer can still pick up malware and other unwanted things, such as tracking cookies, that are sometimes hard to get rid of. In addition to your regular virus scans, run a dedicated malware scanner, such as Malwarebytes or Ad-Aware, every few months to keep everything in check. Microsoft also offers a free malware scanning tool, as do most antivirus companies.

Roll your passwords. Now that you’ve installed all your patches, put on a good quality antivirus application, and checked your computer for malware, you should go through and change all your frequently-used passwords. Pay special attention to passwords that you use for financial sites, such as PayPal and your bank. You really should change those every few months. And if you are having trouble keeping track of them all, use a password repository like Password Safe, or frankly, write them down on a sticky note and stick it on your monitor. Yeah, I said it: While it would not be appropriate for an office environment, it is generally OK to write your passwords down and leave them somewhere easily accessible when it comes to your home computer. The attacker you are defending against is someone on the Internet, not someone in your living room, so keep the note out of sight of windows and visitors, but we’d rather you use a strong password that you have to write down to remember than one that is too weak to withstand attack from someone on the Internet. Check out my other articles about password hygiene for more tips about managing a large number of passwords.
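As an added example, not from the original post: a PowerShell function that builds a password from the system’s cryptographic random number generator and reports its entropy, so that “strong” has a number attached to it. The alphabet, the 16-character length and the 1,000-guesses-per-second figure are assumptions chosen for illustration; the alphabet leaves out characters that are easy to confuse when copying a password off paper.

```powershell
# Added example: generate a password from a cryptographic RNG and
# estimate how long an online guessing attack would need.
function New-RandomPassword {
    param(
        [int]$Length = 16,
        # Assumed alphabet: letters, digits and common symbols, minus 0/O and 1/l/I.
        [string]$Alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $chars = New-Object char[] $Length
    $n     = $Alphabet.Length
    # Rejection sampling: 256 is not a multiple of $n, so bytes at or above
    # this limit would bias picks toward the start of the alphabet. Discard them.
    $limit = 256 - (256 % $n)
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) {
            $chars[$i] = $Alphabet[$byte[0] % $n]
            $i++
        }
    }
    $rng.Dispose()
    return -join $chars
}

function Get-PasswordEntropyBits {
    param([int]$Length, [int]$AlphabetSize)
    # Each character is an independent uniform pick: entropy = Length * log2(AlphabetSize).
    return [math]::Round($Length * [math]::Log($AlphabetSize, 2), 1)
}

$alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'
$password = New-RandomPassword -Length 16 -Alphabet $alphabet
$bits     = Get-PasswordEntropyBits -Length 16 -AlphabetSize $alphabet.Length
Write-Output "Password: $password"
Write-Output "Entropy : $bits bits ($($alphabet.Length)-character alphabet, 16 characters)"

# Assumed attacker: 1,000 guesses per second against a web login (generous; most
# sites lock out or throttle well below that). Expected work is half the keyspace.
$seconds = [math]::Pow(2, $bits - 1) / 1000
Write-Output ("Expected time to guess online at 1,000/s: {0:E2} years" -f ($seconds / 31557600))
```

A 16-character password from this 67-character alphabet carries about 97 bits of entropy, which is why it is fine to write it down: nobody on the Internet is guessing it, and the only way to lose it is the note itself. The same function also shows why an eight-character password from the same alphabet (roughly 48 bits) is a different story once a site’s password database leaks and the attacker is no longer limited to online guessing.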

Backup your important data. Consider how many family photos and other important artifacts live on your computer, and all-too-frequently, ONLY on your computer. Losing years’ worth of digital photographs is enough to reduce even the strongest man to tears. I’ve known folks that have spent years writing a manuscript, only to have a hard drive crash erase all their hard work. While it may be possible to recover some data from a crashed hard disk, it costs hundreds or thousands of dollars and only some of the data is ever recoverable.

Nowadays, backing up your computer doesn’t mean installing a complicated tape backup system and juggling various tapes. A number of companies offer services that back your computer up to the Internet, often for free. Dropbox, SpiderOak (my recommendation), and Microsoft’s Live Mesh all offer some storage at no cost, with a fairly low per-gigabyte fee to go above the starting allocation. In most cases, backing up your important documents is as simple as dragging and dropping the files into a special folder that represents your online storage location. We particularly like SpiderOak because it encrypts your files on your own computer, with a key derived from a password that SpiderOak itself never receives, before sending them to its storage facility; a hacker who gets hold of the stored copies (or the service itself, if it is compromised or compelled) cannot read them. Services that hold the decryption keys on their side protect your data in transit and on disk, but anyone who obtains those keys can read your files.
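The “encrypt before it leaves the machine” design is something you can apply to any of these services yourself. As an added example (not from the original post, and not code from SpiderOak, Dropbox or Microsoft), the following PowerShell functions encrypt a file with AES-256 under a key derived from a passphrase, add an HMAC so a tampered or wrongly-decrypted file is detected on restore, and write the result into a sync folder. The sync-folder path, the passphrase-as-plain-string parameter and the 100,000-iteration PBKDF2 count are assumptions; the .NET classes used (Aes, Rfc2898DeriveBytes, HMACSHA256) ship with Windows PowerShell.

```powershell
# Added example: client-side encryption before a file is placed in a sync folder.
# File layout written: salt(16) | iv(16) | ciphertext | hmac-sha256(32) over salt|iv|ciphertext.
# The passphrase never leaves this machine; lose it and the backup is unreadable.

function Get-BackupKeys {
    param([string]$Passphrase, [byte[]]$Salt)
    # PBKDF2 (assumed 100,000 iterations): 64 bytes = 32 for AES-256 + 32 for the HMAC key.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passphrase, $Salt, 100000)
    $material = $kdf.GetBytes(64)
    return @{ Enc = [byte[]]$material[0..31]; Mac = [byte[]]$material[32..63] }
}

function Protect-BackupFile {
    param([string]$Path, [string]$Destination, [string]$Passphrase)
    $plain = [System.IO.File]::ReadAllBytes($Path)
    $salt  = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $keys  = Get-BackupKeys -Passphrase $Passphrase -Salt $salt

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $keys.Enc
    $aes.GenerateIV()                      # fresh random IV per file
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    $body = [byte[]]($salt + $aes.IV + $cipher)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256(,$keys.Mac)
    $tag  = $hmac.ComputeHash($body)       # encrypt-then-MAC
    $out  = Join-Path $Destination ((Split-Path $Path -Leaf) + '.enc')
    [System.IO.File]::WriteAllBytes($out, [byte[]]($body + $tag))
    return $out
}

function Unprotect-BackupFile {
    param([string]$Path, [string]$OutFile, [string]$Passphrase)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    $salt   = [byte[]]$blob[0..15]
    $iv     = [byte[]]$blob[16..31]
    $cipher = [byte[]]$blob[32..($blob.Length - 33)]
    $tag    = [byte[]]$blob[($blob.Length - 32)..($blob.Length - 1)]
    $keys   = Get-BackupKeys -Passphrase $Passphrase -Salt $salt

    # Check the MAC before touching the ciphertext: a mismatch means the wrong
    # passphrase or a file that was modified while sitting on the service.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256(,$keys.Mac)
    $expected = $hmac.ComputeHash([byte[]]$blob[0..($blob.Length - 33)])
    if ([System.BitConverter]::ToString($expected) -ne [System.BitConverter]::ToString($tag)) {
        throw "Integrity check failed for $Path (wrong passphrase or file tampered with)"
    }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $keys.Enc
    $aes.IV      = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutFile, $plain)
    return $OutFile
}

# Assumed usage: the sync folder path is whatever your service created.
# $enc = Protect-BackupFile -Path "$env:USERPROFILE\Documents\manuscript.docx" `
#            -Destination "$env:USERPROFILE\Dropbox\backup" -Passphrase 'correct horse battery staple'
# Unprotect-BackupFile -Path $enc -OutFile "$env:TEMP\manuscript.docx" -Passphrase 'correct horse battery staple'
```

The trade-off is the same one SpiderOak makes: the service can no longer help you if you forget the passphrase, so store it in your password repository (or on that sticky note) rather than only in your head.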


Taking these few simple steps will go a long way toward keeping your computer free of malware, and ensure that you start 2012 off on the right foot.

Smartphone Hygiene

In 2010, a developer named “Droid09” published a series of online banking applications to the Android Market, enabling Android-based smartphone users to check bank balances and perform other common tasks at nearly 50 well-known banks, including Chase, Wells Fargo and Bank of America.

Unfortunately, Droid09’s applications were designed to record the bank login credentials entered by its users, enabling Droid09 to log into the victims’ bank accounts and electronically steal their money.

While we’d like to report that this is an isolated incident, the fact is that at least 400 malicious applications have been discovered in the Android Market this year alone. And with smartphone sales topping PC sales for the first time last year, malware authors are looking for ways to break into that booming, largely untapped pool of unsuspecting victims.

While the bulk of the new malware so far has targeted Google’s Android platform, Android isn’t alone in this fight. Just this year, a variant of the ubiquitous Zeus trojan was found spreading on BlackBerry devices. That variant let the attacker record SMS messages (including the one-time codes banks send by text), block and unblock calls, add a new administrator, and perform other nefarious acts. Similar variants were found attacking smartphones running Symbian and Windows Mobile. Attacks against Apple users are on the rise as well, though the most visible one, the fake antivirus called MacDefender, targets Mac OS X rather than the iPhone.

What are the most prevalent risks to smartphones and their users?

Loss/Theft:

35% of Americans had their phones lost or stolen in 2010. This is by far the leading way users have their data compromised.

Malicious Applications:

Malicious applications are another popular way for hackers to access your data. In addition to the examples above, sometimes innocent applications are “repackaged” to include malware. For example: before official versions of the megahit Angry Birds were available through the Android Market, bootleg versions were available for download through third-party app stores, and some of those had been repackaged to include the “DroidDream” malware.

Apple claims to reject about 20% of the applications attempting to get into their marketplace. Google takes a different approach, allowing nearly anyone to publish applications, but allowing the “community” to report bad applications back to them. Google claims to have removed around 1% of its applications using this mechanism.

Deceptive EULAs:

Ever read the End User License Agreement (EULA) on applications you are installing on your phone or elsewhere? Did you know that you could be unwittingly signing up for additional services that can cost you money?

Just this past June, a new game called “Social Tic Tac Toe” hit the market. If you stopped to read the EULA, you would see that agreeing to it allowed the game’s developer to charge a $9.99 fee against your phone bill every month, and stopping it required a convoluted process that was buried in – you guessed it – the EULA.

Malicious Advertisements (Malvertising):

In many popular applications, particularly free ones, there is a little bit of screen real estate set aside to display ads during their use. In some cases, these applications have (sometimes unwittingly) been used as vehicles to lure victims to installing malware on their devices.

For example, in 2011, a number of popular smartphone games were found to be displaying an advertisement for a battery saver application. When the user clicked on the ad, they were taken to a third-party marketplace that looked identical to the official Android Market, where they were instructed on how to download and install the malicious application disguised as a battery saving tool.

Spoofing:

Did you know that in most cases someone can access your voicemail without a passcode if they know your phone number? The reason most cell phone users can get into their voicemail by simply dialing their own number from their phone is that most carriers use the caller ID of the incoming call as the authentication, unless the user has specifically enabled a passcode. Caller ID on cell phones can be faked just as easily as on a traditional landline, so anyone who can spoof your number can play back your messages. Of the major carriers, only Verizon currently forces subscribers to use a passcode to enter their voicemail. All other carriers consider the protection optional, and generally leave the passcode disabled unless a subscriber turns it on.

Remember the drama surrounding the “News of the World” in London a couple months back? Turned out they were rather routinely accessing the voicemails of celebrities, politicians, and crime victims. How did they do that? By simply spoofing their target’s phone number.


Best practices for defending your phone against attacks

There are a number of steps you can take to protect your phone from hackers:

  • Enable an unlock passcode. And if your phone supports it, enable the automatic wipe feature to destroy your personal data on the device if the passcode is entered incorrectly too many times. Some phones support a “remote wipe” which will allow you to wipe a stolen or lost phone through a web interface, but those features typically cost extra.
  • Enable a passcode on your voicemail, if supported by your carrier.
  • Use only official app stores. While you are not immune to contracting malware from applications in the official Apple and Android marketplaces, your chances of installing malware go up dramatically when you use unsanctioned stores that have no oversight or control.
  • Install a mobile security application. Most of the traditional antivirus developers, like Symantec, McAfee and ESET, also offer solutions for smartphones. There are also solutions from developers that specialize in smartphones, such as Lookout on the Android platform.
  • Don’t overshare your phone number, to reduce the risk of spoofing. Did you know that a recent change to permissions on Facebook made it possible for anyone to see your phone number if you had entered it into your Facebook profile? You should protect your phone number as if it were a passcode, because as the News of the World discovered, sometimes it is.


Speaking at next week's 2011 Business Security Conference in Honolulu

Hawaiian Telcom and Referentia have collaborated to put on a rare security conference in Hawaii, and I'll be there giving a talk about smartphone security. Richard Bejtlich, of TaoSecurity fame, will be headlining the event, giving a keynote talk on Advanced Persistent Threats.

The 2011 Business Security Conference is being held next week at the Honolulu Design Center in Honolulu. The day-long event starts at 8:30 and goes until 4:30. See the site for registration details.

Ten Habits of Highly Effective Information Security Leaders

(This is a re-post of the original article, which appeared on a previous iteration of bmonday.com in 2009)

I have been doing a lot of thinking lately, given the state of the economy and some of the discussions I’ve had with many of my colleagues. What I’ve come to realize is that I have taken a different approach than many of my colleagues when it comes to leadership and information security. It's well past time to reinvent the information security field, and reverse the impression that we are the Ministry of No, the buzzkills constantly looking to shut down everyone's Facebook access. Our role is so much more than that. Too often, we paint ourselves into that corner because we are unwilling or unable to engage the organization at a higher level or learn how to make the business function better.

Given the landscape of the past and the changes due to economics, a successful infosec leader must do the following things, and do them well, to cultivate a healthy information security program that will support and align with the business:

Communicate to the business about the business
Consider this quote from global recruiting firm Alta Associates: 

When we started, years ago, we most often looked for the most technical person in the room for senior [information security] positions, and now we're finding that we're replacing those technical execs with execs that truly understand, and can take a holistic approach to, risk.  What we're finding in the jobs that we're filling, not just at the C-level, but at many levels, is that they're asking us for folks that really understand how to communicate effectively to the board.  -Joyce Brocaglia, Alta Associates, RSA 2009

Risk is the language of business, and if you cannot communicate risk to the powers-that-be in your organization, your infosec program (and career) will never evolve.  You will never be invited to the table if you cannot demonstrate that you belong there by helping them make critical business decisions.

Businesses manage risk, day in and day out.  What is the risk of investing in a new product line?  What is the risk of leaving out Feature X until Version 2?  What is the risk that the $10,000 investment in the new marketing campaign won't result in an uptick in new business?

If you learn how to quantify risk, you will never be accused of trying to scare the business into buying needless security widgets (the Chicken Little syndrome), and you will be able to justify the investments that make sense for the business.

Never let "it's a best practice" be a justification for a security initiative
"Best practice" is an excuse, not a justification.  Best Practices are what you resort to when you don't know what the right thing for your business is. The company isn't in the business of aligning its security program with industry best practices.  The company is in the business of selling widgets.  How many more widgets will the company sell if they implement your suggestion?  Is some significant risk reduced by implementing the suggestion?  These are the arguments that will allow the business to say Yes. 

Never say "No"
No is rarely an acceptable response to someone communicating a requirement.  Someone's secretary wants to access Facebook during lunch?  "No" isn't going to get you anywhere.  How about "Sure, we can do that, but given the various threats coming from Facebook lately (demonstrate some), we'd be wise to implement some additional protections around that traffic."  I bet you can leverage that secretary's lunch desires to reduce her rights on the system, which kills two birds with one stone.  Or, if the organization isn't willing to spend the money on the necessary controls, you can go back to the secretary and let her know that you went to bat for her but failed.  Either way, you're the guy that tried to help, not the bad guy who just said "No".  Chances are, she'll come back to you the next time she wants to do something risky.

No doesn't make you friends.  "So what, I'm not here to make friends, I'm here to secure the enterprise," I hear some of you say.  Well, your job will be orders of magnitudes harder if you are viewed as an obstacle that must be overcome, rather than a friend of the business.  How many groups will invite you to the conversation when all you do is burden them with costly and time-consuming controls and processes?  Which brings me to...

Be approachable
Encourage dialog.  Reach out to all levels of end users.  Introduce yourself to business owners, solicit their opinion on things, and ask them what their challenges are, how they work, and their viewpoint of information security. Learning what the end users really think, rather than making assumptions on their behalf, builds a relationship of shared ownership. The result is allies who will help you sell future initiatives.

Don't let the first contact with your end users or business owners be after you have discovered a problem.  Integrate yourself into the onboarding process.  Five minutes spent in a new hire orientation, introducing the infosec organization and going over basic guidelines, will make a night-and-day difference in the attitude end users will have toward you and your program. Sharing with them why security is integral to the business, and making it personal, will put them in the driver’s seat for supporting security.

Conduct brown-bag sessions on security topics.  Make them short.  15 minutes is my target, with questions for however long they need.  Record them, if you can, so you can distribute them via intranet to people at other sites or who couldn't make it to the live show.

Speaking of which...

Learn to talk like a human being
If you have a conversation with 99.999% of the population on this planet, and you toss out words like "AES256" or "Diffie-Hellman", you will not connect with your audience.  All you are doing is confusing your audience, at best, and probably alienating them.  End users don't need to know how the sausage is made, only that they have ready access to sausage and that It's A Good Thing(tm).  You can go into a little more detail during Brown Bags, but be clear about the level of technical depth of the talk, so you will hopefully get an appropriate audience.  But I would argue then that you should be spending time on topics that will reach a larger portion of your user population.

What you *can* do, however, is...

Blow your end users' minds from time to time
End users get complacent about their computer usage habits.  Always have a small collection of ready-to-roll, easily demonstrated exploits in your bag of tricks, even if they have long since been fixed.  Maybe it's a virtualized image of a poorly patched Windows box that you can bring up at a moment's notice.  Doesn't matter.  Demonstrating the sneakiness of attackers is often an eye-opening experience for your end users.  I once orchestrated a demonstration of a chromeless window exploit to a group of system admins, and their mouths all dropped.  Demonstrations like that tend to re-engage your users, and remind them that they are a critical part of the company's security posture.  That's a win for you.

Cultivate your reputation
Develop a reputation for protecting the business.  Understand the risks of the changes you are proposing and work diligently to reduce them.  Even if the company doesn't have an official change management program, you should.  Even if it's just for yourself.  I can count on one hand the number of times a security control under my purview has negatively impacted the business' ability to operate.  Availability trumps security every single time, and security controls will get ripped out if they impact the business' ability to operate.

Develop a reputation for being a straight shooter.  The business needs to know it can count on you for a fair and accurate assessment of risk, countermeasures, controls and technology.

Develop a reputation as a problem solver.  You want business units to approach you with problems, and ask for help solving them, rather than route around you with a solution they know is poorly considered.  See above guidance regarding "no".  You need to be seen as a business enabler, not an obstacle that must be continually overcome.

Develop a reputation for being pragmatic.  Don't blindly follow the industry.  Reevaluate your beliefs, frequently.  If the password policies don't make sense, change them.  Ignore best practices if they don't fit the realities of the business, even if it means bucking an auditor in the process.  Mold the information security program to the needs of the business.

Understand that robust security begets compliance, not vice versa
If you have a solid information security program, you will not have to worry about audits or regulatory compliance exceptions, because you are 99% there on most compliance obligations your company is likely to have.  That does not mean implementing every suggestion from NIST or similar bodies of infosec standards. If you blindly implement controls and processes to satisfy your PCI audit, for instance, it doesn't mean your business is secure.  Secure your business, and compliance will be trivial.

Befriend your auditors
If you have an adversarial relationship with your auditors, internal or external, you're doing it wrong.  Your auditors are partners.  They help you measure (and demonstrate) improvements you are making to the business, and help you justify investments in additional areas.  If you have a healthy relationship with your auditors, your audits will go more smoothly and they'll be out of your hair quicker.  An adversarial relationship with your auditors will only result in them looking harder and longer for cracks in your program, and every hour they spend doing so costs your business money.  Once the auditors develop confidence in your program, and understand that they can't run up the bill generating finding after finding, they'll be motivated to complete their report and move on to the next engagement.  Reducing your company's annual audit bill is a fantastic way information security can contribute to the company's bottom line.

Contribute to the InfoSec Body of Knowledge
The information security profession relies heavily, perhaps more than most other fields, on information sharing and peer review.  You should be writing; be it articles, blog postings, or contributing answers to questions posted in online forums.  A good infosec leader should be continually contributing to the InfoSec Body of Knowledge, even if the contributions sometimes seem trivial.

Show up at local infosec events, and speak at one at least once a year. One thing you should take away from the other habits listed above is that your communication skills are critical to being successful in the information security field.  Hone them, exercise them.  If you are not an effective communicator, you will not be an effective information security leader. Don't know where to look for speaking opportunities? Local chapters of ISSA, ISACA, and other national infosec organizations are always looking for speakers on interesting topics. Reach out to them, ask them what their members would like to hear a talk on, and make it happen.

Conclusion
It's harder than ever to get support (funding and otherwise) for our programs in today's challenging economic environment. But if you follow these general principles, you'll be able to demonstrate real business value to your stakeholders, and they will be more inclined to reciprocate by supporting your important initiatives.


Back Online

After a nearly 2-year break from blogging, due mostly out of respect for my previous employer, I am back online. The blog is very different because I've given up on the open source subText engine, which was born out of dotText, and moved from self-hosting to hosted by Posterous.

I'll be reposting some of my old blog entries over the next few weeks, provided I can suck them out of my old subText database, which is in a somewhat damaged state after several failed upgrade attempts.