Categories
General

Meet IRA – Smart Security solution that not only reports but helps Prevent!

IRA is a revolutionary smart security solution based on behavioural audio and video analytics. It not only watches over the user but also has the wisdom to discern and learn, and it offers unique personal safety features. It detects intrusion and violence using situation interpretation algorithms that fuse behavioural audio and video analytics, and deters them through an immediate local response that is controlled by the user.

How does IRA work?

IRA is implemented in a stand-alone architecture and avoids vulnerabilities by using Edge Computing technology. By putting processing and data near the end points and looking at data processing as a set of tiered components that interact with one another, information need not be transmitted from the point of consumption back to centralized computing platforms. This helps reduce latency and allows faster response to data by operating an Instant Response Device without having to check in with a central process.

IRA utilises computer vision technology for automatic extraction, analysis and understanding of useful information from a single image or a sequence of images. Some of the most powerful Deep Learning algorithms are Deep Neural Networks constructed from many layers of alternating linear and non-linear processing units, trained using large-scale algorithms and massive amounts of training data.

IRA uses Deep Learning based Artificial Intelligence for video, audio and data analytics and learns to identify violent behaviour, intrusions, dangerous objects and distress audio signals.

Here are some key differentiators:

  • The key differentiator – It’s an autonomous AI-based product that can take decisions on its own to prevent crime and respond instantly. Most of the existing solutions require manual intervention
  • IRA Voice is a personal safety app that does not require an overt action from a distressed user
  • It utilizes the standard components of a smartphone to analyze audio signals for danger and trigger user-configured responses to situations without any intervention from the user
  • IRA Voice learns to identify bad behaviour from distressed cries and can be configured to autonomously respond in several ways
  • Since IRA Voice can identify danger and respond independently, it can also be used in case of medical emergencies, especially for people with disabilities and the elderly
  • In addition, the smartphone based solution can also be deployed to protect private spaces
  • A sophisticated algorithm allows the product to maintain a passive half-awake state, so it judiciously avoids invading privacy during routine activity
  • IRA Voice only triggers a predefined alarm or action when it identifies a noise to be related with panic, pain or fear.

Availability:

As IRA will be a mass product, it will first hit the market as a mobile-based security app focusing on women’s safety, which is a large issue globally. Simultaneously, the company will be marketing it across OEMs, workplaces, homes and other public premises.

The company has been working over the past few years towards developing this tech solution to curb violence against women. You can find more details about IRA here. They will pilot the product in Asia Pacific, including India, as part of the first roll-out plan sometime around May 2018. However, Wise System aims to provide the solution worldwide.

Categories
Enterprise Tech Internet of Things (IoT)

IoT Security Challenges and how can we address them?

From music speakers to thermostats, to lights and accessories, everything has some sort of intelligence; we are living in tech heaven, to be precise. Having moved from keypads to touch interfaces, we are currently in the no-interface era. Every company is focusing on getting the maximum done with very little interaction with the device, and that means voice-activated computing powered by artificial intelligence.

Opportunities IoT Implementations Can Bring

The thing that makes everyone excited about the future of IoT is the versatility of solutions it can provide. This also makes IoT the buzzword of the decade because we can expect an explosion of IoT solutions in various sectors.

Internet-equipped sensors on any device make it possible to tap all the unused data, and analysis of this data leads into inferences about things that are usually considered ‘offline’. This can lead to better productivity, reduce cost, and can bring about a sustainable lifestyle.

Think about it – there are so many devices we use on a daily basis that are generating vast amounts of data. This data provides great insight into user behaviour, yet the implications of this data over the lifecycle of a device are still unknown. For example, the information generated by health bands provides insight into your daily habits, like step counts, heart rate and sleep pattern.

Wearable technology enabled bands, accessories and even clothes are connected to the phone and are recording data about everything from blood pressure to the posture.

Further, this can help transform insights into action through powerful applications thereby creating new revenue and business opportunities.

Speaking of the Internet of Things (IoT), it is not just the companies building consumer-facing products that are a big deal; many companies providing wireless power solutions and cloud-based solutions are more useful. This increase in IoT adoption has also made organizations rethink traditional IT approaches.

Need for Security:

Since the term ‘IoT’ was coined first, the definition has evolved a lot. In a generic sense though, this is a highly intelligent Machine-to-Machine technology which has potential to revolutionize how we live and work.

While we enjoy these benefits, there is a huge chance that things could go wrong: data leaks, data modification, a hacker gaining control over your products, and so on. Hence, it is important to focus on these areas and ensure that we are safe and secure.

Further, the increasing adoption of IoT-based technology in areas such as home, retail and industrial automation, health and fitness monitoring and connected vehicles, as well as the advent and growth of smart cities, has also resulted in a greater need for a better model to secure these products.

Key Security Challenges and Solutions for protecting IoT devices

Security and Privacy are critical issues for any company that offers IoT Based products and solutions. According to Gartner, it is expected that by the year 2020, we will have over 25 billion devices connected to the Internet.

It is important to understand the key security challenges that come along with IoT; this needs more attention to detail than anything else. With the rise of connected devices, IoT based products need built-in security that can cover every aspect of the design. Let us look at the top 5 areas that can help make secure IoT solutions.

1. Secure Product Lifecycle:

Security must be addressed throughout the device lifecycle, from the initial design to the operational environment. This includes ensuring that the product boots up with a known configuration and that only digitally signed applications are installed.

The products have to be tamper-proof as well. The device should ensure that data is encrypted both in transit and at rest. It is also important to use secure APIs and tokens for access authorization. Usage of PKIs will also ensure Data Integrity.

The devices need to be properly secured to mitigate risks for organizations and individuals from malicious attacks.

2. Maintain Updates on Devices:

When we analyze the reasons behind the increasing number of vulnerabilities in IoT products, two important reasons clearly stand out:

  1. Lack of standards and guidelines in the manufacturing of IoT devices.
  2. Greater use of open source platforms also allows attackers to stay ahead of the curve.

To address this, it’s important to have a security validation done on these devices before deploying these products in a work environment. It is also important to perform continuous updates and patching on personal devices to reduce vulnerabilities.

3. Secure Device Settings:

Data leaks in IoT are another threat vector that most companies need to focus on. In the wake of the massive data breaches and data theft cases we’ve seen in recent years, more effort needs to be made to secure IoT-related data to ensure the privacy of consumers and the functionality of businesses and corporations.

The gateways that connect IoT devices to company or manufacturer networks need to be secured as well as the devices themselves. IoT devices are always connected and on. In contrast to other devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system.

Data Integrity is a key aspect that needs focus as well. Certificates for devices validate identities to make sure only authorized users and machines have access to the device. They create an encrypted link and allow information to be transmitted privately. They also make sure that any messages or data transferred from or to the device are not altered.

Good security principles are needed regardless of whether it is a low-powered device or a desktop-class laptop.

4. Defense in Depth Strategy:

Defense in depth often includes usage of products and solutions like AV software, firewalls, anti-spyware programs, hierarchical passwords, intrusion detection and biometric verification.

Defense in Depth strategy would be the ideal solution for securing data from the IoT devices. Defense in Depth is an information assurance mechanism where multiple layers of security controls are placed throughout an information technology system.

A well-designed strategy will help system administrators identify people who attempt to compromise a device. If a hacker gains access to a system, defence in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.

5. Default Passwords:

Most devices are ready to use out of the box, and attackers have learned how to leverage this to access devices discovered on the internet through tools like Shodan, which has an inventory of cameras, refrigerators and other IoT devices. This has also been leveraged to make devices participate in massive attacks on the Internet.

In October 2016, Dyn DNS was attacked with IoT devices which were taken over in this way and caused a prolonged outage for sites including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.

Changing your default password on all devices helps prevent this type of attack and helps maintain your privacy.

Summary:

IoT devices can help simplify and improve our visibility and capabilities, but at the same time they can expose us to new threats. Taking a few simple steps will help protect us against these threats:

  • Keep devices up to date
  • Choose the secure settings available
  • Change all default passwords.

Building a successful IoT environment will require massive amounts of coordination and strong analytics. More platforms are coming up to sync up devices on a data level, and not just with respect to connectivity alone.

Just like any other field, there are many sceptics around in the tech industry as well. They predict IoT is a bubble that will burst very soon. But for the rest of us, we are definitely heading towards a better, sustainable future where there’s going to be a lot more evolution happening on the IoT front and we will be there to protect it.

Categories
Best Practices

Technologies That Help Improve Security Management

The more data gets put online and the more activities happen on the Internet, the bigger the security risks we face. This applies not only to sensitive business information but also to personal details like addresses, bank details etc. If you are looking for ways to improve your security management, this is the right article for you. There are certain technologies out there that can help secure your business and also enable employees and customers to access the information necessary to drive greater business success. Here are three technologies that help improve security management.


Firstly, open source intelligence (OSINT) is a tool for security.

OSINT, by definition, refers to free and unclassified information. It is essentially all publicly available information gathered from all available outlets. For example, information gathered from radio, television, newspapers, commercial databases and electronic mail networks is all considered open source intelligence. Over time, the world of open source data has become the largest accessible database. OSINT can help with security, especially when businesses know what signals they are looking for and what would represent different levels of threat. Once the signals are understood, the gathering and analysis needed for successful OSINT can be developed to its most effective and efficient extent.

Secondly, Drainware is software that helps identify threats to business information.

Corporate espionage and threats to business information keep all modern day businesses on their toes. Sensitive company information, such as employee personal files and bank account numbers, is always worth the effort to make sure it is secured to the best of any organization’s ability. Drainware enables users to track which information is contained and where. Drainware also monitors applications or devices that could lead to a security breach and can ensure that everyone within the organization is on the same page when it comes to whether security and guidelines are understood and adhered to.

Thirdly, Bluebox is an application that prevents mobile applications from being infiltrated.

The more devices and applications that have access to one another, the greater the opening for a weak point. This is what Bluebox solves. With Bluebox, customer information is safe no matter where services are accessed, and when remote employees need to access sensitive company information, it is secure. Instead of limiting employees and customers in what they can access and where, Bluebox improves security and also enables people to access what they need in order to be the most successful in their days. With the goal of self-protecting apps, protecting and monitoring sensitive information instead of restricting access to it makes for smoother business practices.

These three technologies encourage businesses to stay on top of what would signal a threat and of the tools to prevent threats. Avoiding compromised information does not mean needing to limit access to information, but rather doing all possible to ensure its security. Technology will not protect us all from all security risks, but it at least helps. Understanding what risks your company has and what options there are to take preventative measures is an important move in today’s technology age.

Categories
IT News, Tech Information and Analysis

Device Level Security in the scheme of Internet of Things (IoT)

Guest Author: Shakthi V

Anyone who is by any stretch a stakeholder in the IoT scene will tell you that there are two major issues: one is overall security, which we discussed in my previous article, and then there is the device angle to security. After all, if the device isn’t ready to scale, even the most thought-out security schemes will fail miserably. So it is very relevant and important that we touch upon this angle in our second discussion about the IoT that is just around the corner. Let us discuss device level issues now.

There is a need for carefully thought-out measures at three levels for IoT to make sense: the device, network, and system levels. Here we shall talk about the device level. There is still no broad consensus on the best implementation of security at all levels. But how do we protect deeply embedded endpoint devices that usually have a very specific, defined mission with limited resources available to accomplish it? That is the challenge. This calls for a structured approach to induct, add and enable a device into the IoT network.

That being said, there is no “silver bullet” or magic solution to solve this. We have to fall back on to the time tested learnings of security and extrapolate, innovate and implement a solution. And this approach can be just as effective for IoT—provided we can adapt them to the unique constraints of the embedded devices that will increasingly comprise networks of the future.

So we see that there needs to be a strict process adhered to, in order to get the device level security right. The main point to note here is that security must be addressed throughout the device lifecycle, from the initial design to the operational environment. It should not be an end or compartmental part of the process. It needs to be over-arching the whole device lifecycle, from manufacture to activation to operation in the IoT scheme of things. Here are some relevant points that can make this process secure and scalable.


  1. Secure booting: When a device powers up for the first time, the authenticity and integrity of the software on the device is verified using cryptographically generated digital signatures. Similar to the way that a person signs a check or a legal document, a digital signature attached to the software image and verified by the device ensures that only the software that has been authorized to run on that device, and signed by the entity that authorized it, will be loaded. This enables initial trust for the device in the IoT. There is still a possibility of malicious intent and attack.
  2. Access control: To prevent malicious attacks, different forms of resource and access control are applied. Strictly role-based access controls built into the operating system limit the privileges of device components and applications so they access only the resources they need to do their jobs. If any component is compromised, access control will cut off that component and compartmentalize the access of that component to the system so that the rest of the system is safeguarded from similar issues. This is analogous to network-based access control systems such as Microsoft® Active Directory®. Even if someone managed to steal corporate credentials to gain access to a network, compromised information would be limited to only those areas of the network authorized by those particular credentials. And when a component is tagged as compromised, even that access is revoked.
  3. Device authentication: When the device is added to the network, it should authenticate itself before receiving or sending data. These devices do not have users sitting behind keyboards, waiting to input the credentials required to access the network. How can we ensure that those devices are identified correctly prior to authorization? Just as user authentication allows a user to access a corporate network based on user name and password, machine authentication allows a device to access a network based on a similar set of credentials stored in a secure storage area that is enabled with communication and handshake protocols. Hence the possibility of device spoofing to attack a system is considerably nullified here. The understood assumption here is that this level involves smart hashing and key rotation too.
  4. Firewalling and IPS: The device also needs a firewall or packet inspection capability to control traffic that is destined to terminate at the device. Embedded devices have unique protocols, distinct from enterprise IT protocols. For example, the smart energy grid has its own set of protocols governing how devices talk to each other. That is why industry-specific protocol filtering and packet inspection capabilities are needed to identify malicious payloads hiding in non-compliant protocols. The device needn’t bother itself with filtering higher-level, common Internet traffic (the network appliances should take care of that); it needs to filter the specific data destined to terminate on that device. That way, the limited resources that the device has are also not overloaded.
  5. Updates and patches: Once the device is in operation, it will start receiving patches and software updates. Device or Network Operators need to roll out patches, and devices need to authenticate them, in a way that does not consume bandwidth or impair the functional safety of the device. It’s not like when Microsoft sends updates to Windows® users and ties up their laptops for 25 minutes. It’s very risky and dicey when thousands of devices in the field are performing critical functions or services and are dependent on security patches to protect against the inevitable vulnerability that escapes into the network. Updates and patches need to be delivered using a mechanism that does not hog the network bandwidth which is intended for critical data. They should also take into account the type of device and its capabilities when updates are delivered.
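The device authentication point can be made concrete with a challenge-response handshake that includes key rotation. The code below is an added example, not part of the original article: the article names no scheme, so HMAC-SHA256 over a gateway-issued nonce is an assumption, and the `Device` and `Gateway` classes and the `meter-0001` identifier are hypothetical.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over a length-prefixed device id followed by the nonce."""
    ident = device_id.encode("utf-8")
    message = len(ident).to_bytes(2, "big") + ident + nonce
    return hmac.new(key, message, hashlib.sha256).digest()


class Device:
    """Endpoint holding a per-device key (stand-in for the secure storage area)."""

    def __init__(self, device_id: str, key_version: int, key: bytes):
        self.device_id = device_id
        self.key_version = key_version
        self._key = key

    def install_key(self, key_version: int, key: bytes) -> None:
        self.key_version, self._key = key_version, key

    def respond(self, nonce: bytes) -> dict:
        return {
            "device_id": self.device_id,
            "key_version": self.key_version,
            "nonce": nonce,
            "mac": _mac(self._key, self.device_id, nonce),
        }


class Gateway:
    """Network side: issues single-use challenges and checks the response."""

    def __init__(self):
        self._keys = {}      # device_id -> (key_version, key)
        self._pending = {}   # nonce -> device_id the nonce was issued to

    def enroll(self, device_id: str, key_version: int, key: bytes) -> None:
        self._keys[device_id] = (key_version, key)

    def rotate(self, device_id: str):
        """Replace the device key; the old version stops working immediately."""
        version, _ = self._keys[device_id]
        self._keys[device_id] = (version + 1, secrets.token_bytes(32))
        return self._keys[device_id]

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = device_id
        return nonce

    def verify(self, response: dict) -> bool:
        device_id = response["device_id"]
        # pop() makes every nonce single-use, so a captured response cannot be replayed
        if self._pending.pop(response["nonce"], None) != device_id:
            return False
        version, key = self._keys.get(device_id, (None, None))
        if key is None or response["key_version"] != version:
            return False
        expected = _mac(key, device_id, response["nonce"])
        return hmac.compare_digest(expected, response["mac"])


def run_demo() -> dict:
    """Constructed scenario: genuine device, replay, spoofed device, rotation."""
    gateway = Gateway()
    key = secrets.token_bytes(32)
    gateway.enroll("meter-0001", 1, key)
    genuine = Device("meter-0001", 1, key)
    spoofed = Device("meter-0001", 1, secrets.token_bytes(32))  # wrong key

    results = {}
    first = genuine.respond(gateway.challenge("meter-0001"))
    results["genuine"] = gateway.verify(first)
    results["replay"] = gateway.verify(first)
    results["spoofed"] = gateway.verify(spoofed.respond(gateway.challenge("meter-0001")))

    new_version, new_key = gateway.rotate("meter-0001")
    results["stale_key"] = gateway.verify(genuine.respond(gateway.challenge("meter-0001")))
    genuine.install_key(new_version, new_key)
    results["rotated"] = gateway.verify(genuine.respond(gateway.challenge("meter-0001")))
    return results


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:10s} accepted={accepted}")
```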

So we can clearly see that we cannot just make a device, put it on the network and enable it to serve the IoT scheme. There is a lot of thought and diligence that goes into making devices smart, and then the smart devices need to be secure and trustworthy to be added to IoT. The points above are just rough outlines that the sector is grappling with now; they will flesh out into more granular details with the passage of time. Let us know what you think!

Categories
IT News, Tech Information and Analysis News

Google Introduces USB Security Key for 2-Step Verification

A few days back we were discussing how to keep your Passwords and Online Accounts Safe; one of the tips was to use Two Factor Authentication. Google today introduced two-step verification with Security Key. One can now choose Security Key as the primary method, instead of having verification codes sent to the phone.

With Security Key, one does not need to look or wait for codes on the phone and then re-type them; rather, he/she can simply insert the Security Key into the computer’s USB port when asked.

As Google explains in a blog post, there are two advantages to using Security Key over a mobile device:

  • Better protection against phishing. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.
  • No mobile connection or batteries needed. Security Key works without a data connection, and you can carry it wherever you go on a keychain or in your wallet.

To use Security Key, one will need a computer running Google Chrome version 38 or newer on ChromeOS, Windows, Mac OS, or Linux. Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today.

Security Key works with Google Accounts at no charge, but you’ll need to buy a compatible USB device. You can buy one at Amazon here.

Categories
News

Command Line Vulnerability – ‘Shell Shock’

On September 24th, a critical flaw was announced in the GNU Bourne Again Shell, better known as Bash, which is a widely installed command interpreter used by many Linux and Unix operating systems and is included in Apple’s OS X. It was discovered by security researchers at Red Hat, and is described in detail in a blog post.

Analysis of the source history of Bash shows that the vulnerabilities had existed undiscovered since 1992. The Bash vulnerability, referred to by some as ‘Shell Shock’, ‘Bashdoor’ or ‘Bash bug’, allows an attacker to run a wide range of malicious code remotely. Every organisation should be scanning for this vulnerability today and patching everything they can.

Secunia warns that Shell Shock is “bigger than Heartbleed” because it enables hackers to execute commands to take over servers and systems. Heartbleed, by contrast, leaked users’ passwords and other sensitive information, and did not allow third parties to directly hijack affected systems.

You can run the command below in a terminal to check whether your machine is vulnerable. The chances of it being vulnerable are very high.

env x='() { :;}; echo vulnerable' bash -c 'echo test'

Companies are scanning and applying the first set of patches provided to address CVE-2014-6271. Because the first patch may spawn a new vulnerability, researchers are working on another, related patch for CVE-2014-7169. However, all vulnerable devices should be remediated with the available patch, since the vulnerability it creates is much less severe than the unchecked Bash bug. Do apply the patch for CVE-2014-7169 when it becomes available. Read this for more information – https://securityblog.redhat.com/
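To run the same check against every Bash binary on a host rather than only the one on the PATH, the probe can be scripted. This is an added example, not part of the original post; the function names are illustrative, and it covers only the CVE-2014-6271 test shown above, not CVE-2014-7169.

```python
import os
import shutil
import subprocess
import uuid


def candidate_bash_paths():
    """Bash binaries to test: the one on PATH plus any listed in /etc/shells."""
    found = set()
    on_path = shutil.which("bash")
    if on_path:
        found.add(os.path.realpath(on_path))
    try:
        with open("/etc/shells", encoding="utf-8") as handle:
            for line in handle:
                entry = line.strip()
                if entry.endswith("/bash") and os.access(entry, os.X_OK):
                    found.add(os.path.realpath(entry))
    except OSError:
        pass  # no /etc/shells on this system
    return sorted(found)


def is_vulnerable(bash_path, timeout=5):
    """Run the post's probe against one binary.

    Returns True if the text after the function definition was executed,
    False if the binary ignored it, None if the binary could not be run.
    """
    # A random marker avoids a false positive from unrelated output.
    marker = "PROBE_" + uuid.uuid4().hex
    # Same variable as in the command above, passed in an otherwise empty
    # environment so nothing else can influence the result.
    env = {"x": "() { :;}; echo " + marker}
    try:
        proc = subprocess.run(
            [bash_path, "-c", "echo test"],
            env=env,
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return marker in proc.stdout


def scan():
    """Map every candidate Bash binary to its probe result."""
    return {path: is_vulnerable(path) for path in candidate_bash_paths()}


if __name__ == "__main__":
    labels = {True: "VULNERABLE (CVE-2014-6271)", False: "not vulnerable", None: "could not run"}
    results = scan()
    for path, result in results.items():
        print(f"{path}: {labels[result]}")
    if not results:
        print("no bash binary found")
```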

Categories
Featured How-to IT News, Tech Information and Analysis Learning

How to keep your Passwords and Online Accounts Safe?

The Internet has provided us with some amazing ways to do our day-to-day tasks better; sharing content and even getting in touch with friends have never been so awesome. As easy as it sounds, it is equally vulnerable to attacks. Most hackers either take control of your account for malicious activity or are just mere stalkers. I did hear about a couple of stalking cases from my friends recently and that’s when I thought of writing this piece. I even had a discussion with my friends online and they shared a few commonly used methods in this regard.

Here are some of the best practices. The first tip is a very obvious one; using a strong password.

1. How to Keep Passwords Safe:

  • A strong password generally refers to a key which has over 14 characters with at least 1 special character and numbers. There are online tools which can help you by suggesting some passwords; Random and Secure Passwords, to name a few.
  • Do not use consecutive letters or numbers. For example: abcd, 9876 etc.
  • Do not reuse old passwords; change your password regularly, at least once in three months.
  • Do not use your family members’ names, the place you work, or anniversary and birthday dates as passwords, as these are commonly known to others.
  • Do substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. Some refer to this as a passphrase. Again, partial substitution is a good idea. For example, One Step Closer can be One$tepCl0sEr.
  • Do not use long words, quotations or phrases in your password; anyone around your desk or the key logging tools can always track the possibilities.
  • Do not use the same password for all your email accounts.
  • Do not write down your passwords on a paper near your desk, or even as a saved note on your phone.
  • Do not share password information over email, instant messengers etc.

2. Social Accounts:

  • If you use your Gmail address to sign in to your Facebook account, use unique passwords for each. Your Gmail and Facebook passwords don’t need to be the same.
  • Similar to emails, do not have the same password for all your social accounts.
  • Having a base password mixed with a prefix or suffix created using the name of each website can be a good idea too. So, for example, for Facebook, the password is H!Th3r3Face. For Google, H!Th3r3Goog.
  • If you have synced your email / Facebook accounts with your phone, try enabling a passcode/pattern/fingerprint for your device.
  • It is very easy to impersonate your profile these days. A hacker generally takes the relevant details and display pictures from your profile and creates a new profile with your exact name. These fake profiles then send out friend requests to all your contacts, claiming that your old account was hacked and that this is your new profile. In such a scenario, it would be a great idea to talk to your friend over the phone before you confirm the friend request.
  • If you abandon an old email address associated with any of your social accounts like Facebook, Apple ID, Dropbox etc., be sure to update them with your current email address.

3. Two-Factor Authentications and OTPs

Two-Step Verification adds an extra layer of security to your online account, drastically reducing the chances of having the personal information in your account stolen. To break into an account with 2-Step Verification, a hacker would not only have to know your username and password, they’d also have to get hold of your phone. This can be a turn-off to many people, considering that some of the providers send you a code via SMS, and you will need to wait for the SMS code before you log in.

Google also introduced a USB Security Key; one does not need to look or wait for codes on the phone and then re-type them; rather, he/she can simply insert the Security Key into the computer’s USB port when asked.

However, Google’s 2 Factor authentication doesn’t need an SMS either; you can use their mobile app for the secondary token. It is quite similar to those RSA token generators. Do find the detailed steps for Google Accounts.

Apple has introduced this option for iCloud users as well. In order to set up two-factor authentication on Apple’s cloud storage service, users must log in to the Apple ID account, click on “Password and Security” and find “Two-step verification.” Once activated, a unique four-digit verification code is sent to the registered mobile number via SMS or Find My iPhone. The unique code will be asked for every time there is suspicious account activity, like a login from an unfamiliar device. This way, unauthorized access to the accounts can be blocked.

Facebook calls it code generator; once you log in, you can get to the security settings and enable this feature. As a review, you can also check the login notifications and trusted browsers to verify whether those are the machines/connections you used in the past.

Read these official notes from LinkedIn and Twitter for detailed steps. Enabling an OTP before making a fund transfer or payment is considered safe in online banking; most banks do this by default now.

4. Email Attacks:

  • Phishing scams – Do not click on links in suspicious email messages, and never provide personal information on any websites. Think before you click or download anything. Some deals may be too good to be true; for example, a free airline ticket or a 100,000,000 GBP lottery prize.
  • Manage your subscriptions; clicking on the ‘Unsubscribe’ option in a spam mail is usually a bad idea. As most email providers these days do not send back “read-receipts”, hackers/spammers send you email from a mailing list and wait for you to unsubscribe to confirm that it’s an email id “in use”. It’s best to just mark them as spam and leave it. You can also create some smart filters which move emails like these straight to archives or deleted items.
  • Always have a secondary email configured for password-reset instructions. Preferably, a secret email address which you haven’t shared in public forums.
  • For a password reset request, choose security questions and answers that cannot be easily guessed by someone else. For example, do not choose a question like “What is your favorite color?”, and even if you end up choosing this question, the answer does not always need to be black or blue. You can even give an answer as weird as a cow or an elephant. But yes, do remember what you enter.

5. Keep your browser and other apps up-to-date.

  • Generally, companies like Adobe, Microsoft, Google, Apple and a few others release software updates and hotfixes and make them available to end users for download. These may not be just for new features but also to fix newly identified vulnerabilities in the software. Always make a point of running an up-to-date browser. Ensure your Java and Flash Player are updated to the latest available versions. Likewise, do not ignore OTA (Over the Air) software updates on your smartphone. Do install them.
  • As much as possible, do not auto-save your passwords in your browsers.
  • I personally do not recommend password-saving programs either. However, if you still want to try such software, 1Password can be a good option.
  • If you are installing any third-party applications to access Facebook or email, understand the level of access these applications have on your phone. Mobile and cloud security are totally new areas; let us look at them later.
  • When using a public computer, always sign out when your session is complete to prevent other people from accessing your account.
  • Use an incognito / private browser window when accessing your bank accounts.

Summary:

Your online experience totally depends on how secure your accounts are. For many of us, businesses run on the Internet, and a compromise will have a huge impact. Hopefully, this article has helped you with some inputs. Always remember to report it when your account is hacked, not just to your friends but most importantly to your service providers like Google, Facebook, banks etc. They can block your account before it can be accessed by anyone else. Of course, the most obvious thing remains: do not share your password with anyone!

Categories
General IT News, Tech Information and Analysis

A little more on Heartbleed and passwords

Despite the name, no blood was shed, but a lot of digital ink was used to cover this security breach. A few days back, I reported on this too. Have a look at my previous article if you need to refresh your mind about the topic ;).

As nothing sells a paper better than the announcement of a catastrophe, alarmist titles sprawled across the web. Of course, a lot of laymen may start to doubt the security of their accounts on the web. Some really sensitive sectors like iGaming decided to clarify the matter for their readers by interviewing the CTO of Super Lenny, the latest casino of BetIt Group. Leon Telander explains how they dealt with the matter, with the assurance of a professional who knows exactly what he is doing. You can read the full paper here.

Some have compared the media coverage of Heartbleed with that of the so-called Y2K bug. (Remember the time when the media predicted total chaos because database systems were not meant to manage dates beyond 1999 and would reset to 1900 instead of continuing to 2000?) In a similar fashion, the Heartbleed security breach has required a lot of work from IT people around the world but will have almost no impact on the end user, except for changing the passwords of their various and numerous accounts.

Now that most of the service providers have updated their SSL, you need to update your password on these websites.

Microsoft has an excellent article about how to set a strong password that is easy to remember.

In case you don’t want to bother yourself with remembering 10 different variations of your password for Twitter/Facebook/Gmail/Spotify/etc., you may want to use a secure password manager like LastPass. And last but not least, to have a little laugh: the top of the worst passwords, based on SplashData’s top 25 worst passwords of 2013. Remember, those are examples not to follow!

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. azerty

 

Categories
General IT News, Tech Information and Analysis

What is the Heartbleed Bug all about? Be safe, Change your Password.

This bug is in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520), hence the name Heartbleed bug. It allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users. Neel Mehta of Google Security discovered this bug.
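A simplified model of the heartbeat length check that Heartbleed was missing, as an added example that is not OpenSSL's code and not part of the original article. The function names, the `heap_model` buffer and the sample record are constructed for illustration; the reply is only copied into a local buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
#define HB_HEADER ((size_t)3)        /* type (1) + payload_length (2) */
#define HB_MIN_PADDING ((size_t)16)

/* Constructed sample memory: one heartbeat record, then unrelated data. */
static uint8_t heap_model[64];

/* Builds a 22-byte record (header, "abc", 16 padding bytes) whose length field
 * says claimed_len; returns the number of bytes actually received. */
size_t build_sample(uint16_t claimed_len) {
    memset(heap_model, 0, sizeof heap_model);
    heap_model[0] = HB_REQUEST;
    heap_model[1] = (uint8_t)(claimed_len >> 8);
    heap_model[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(heap_model + 3, "abc", 3);
    memcpy(heap_model + 22, "SESSION-SECRET", 14); /* neighbour, not in record */
    return 22;
}

/* Model of the missing check: echoes as many bytes as the sender claims. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                    /* received size is never consulted */
    if (rec[0] != HB_REQUEST || HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;       /* response padding omitted in this model */
}

/* RFC 6520: discard silently when the claimed payload exceeds the record. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_MIN_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PADDING > rec_len) return 0;
    return hb_reply_unchecked(rec, rec_len, out, out_cap);
}

int main(void) {
    uint8_t out[64];
    size_t n = build_sample(33);      /* claims 33 payload bytes, carries 3 */
    printf("unchecked: %zu\n", hb_reply_unchecked(heap_model, n, out, sizeof out));
    printf("checked:   %zu\n", hb_reply_checked(heap_model, n, out, sizeof out));
}
```

With the check in place the oversized request produces no reply at all, which is why patching the library and restarting every process that loaded it closes the leak.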

OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. So you are either affected directly or indirectly. Everything you use, be it your bank website, social networking, e-shopping or even your company website can be affected.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The bug has affected many popular websites and services (ones you might use every day, like Gmail and Facebook) and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Have a look at this article from Mashable, which lists the services/websites affected and gives recommendations for each.

No matter how strong your password is, you need to change it. Changing the password on sites that are still vulnerable to the Heartbleed bug at least ensures that you’re not exposing other sites that use the same password.

If you are a Google Cloud Platform or Google Search Appliance customer, read the instructions below, which Google has listed:

  • Google is currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.
  • Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.
  • With regard to the Google Search Appliance (GSA), the engineers are working on a patch. The GSA team is finalizing their analysis and will post an update for customers within 24 hours via the Google Enterprise Support Portal.

Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

Source: OpenSSL Security Advisory

Categories
Best Practices Enterprise Tech Microsoft

Download Best Practices Analyzers – Forefront, ISA and Security

Best Practice Analyzers are free tools available for most Microsoft Enterprise products, and they are used to determine the overall health of your platform. The tools perform read-only scans against your environment’s servers and identify items that do not conform to Microsoft best practices. They should be run on a regular basis as part of your standard operations maintenance plan. Here are some tools for Internet Security and Acceleration Server, Forefront Unified Access Gateway, Threat Management, Baseline security and Security update Inventory tool.

Microsoft Internet Security and Acceleration (ISA) Server Best Practices Analyzer Tool

The ISA Server Best Practices Analyzer (BPA) is a diagnostic tool that automatically performs specific tests on configuration data collected on the local ISA Server computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings. The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

The ISA Server Best Practices Analyzer is supplied with two supplemental tools.

  • The ISA Data Packager enables you to create a single .cab file containing ISA Server diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.
  • BPA2Visio generates a Microsoft Office Visio® 2003 or Visio 2007 diagram of your network topology as seen from an ISA Server computer or any Windows computer based on output from the ISA Server Best Practices Analyzer Tool.

Microsoft Forefront Unified Access Gateway (UAG) 2010 Best Practices Analyzer Tool

The Forefront UAG BPA is a diagnostic tool that automatically performs specific tests on configuration data collected on the local Forefront UAG computer from a hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings. The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool

The Forefront TMG BPA is a diagnostic tool that automatically performs specific tests on configuration data collected on the local Forefront TMG computer from the Forefront TMG hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings. The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.


The Forefront TMG BPA is supplied with two supplemental tools:

  • The TMG Data Packager enables you to create a single .cab file containing Forefront TMG diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.
  • BPA2Visio generates a Microsoft Office Visio® diagram of your network topology as seen from a Forefront TMG computer or any Windows computer based on output from Forefront TMG BPA. Note that Microsoft Office Visio 2003, 2007, or 2010 must be installed in order to run BPA2Visio.

Important: This BPA Tool is designed to support Forefront TMG only. To download the BPA Tool for Internet Security and Acceleration (ISA) Server, see ISA BPA Tool.

Microsoft Forefront Client Security BPA

The FCS Best Practices Analyzer Tool is designed for administrators who want to determine the overall health of their Forefront computers and to diagnose current problems. The tool scans the configuration settings of the computer and reports issues that do not conform to the recommended best practices.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

Extended Security Update Inventory Tool

The SMS Extended Security Update Inventory tool is a scan tool built for the sole purpose of helping customers determine which SMS client computers may need security updates that are not detectable using the existing SMS Security Update Inventory Tool built on MBSA. Like the SMS Software Update Inventory tool, this tool also has the instructions for locating each applicable update, downloading it from Microsoft, and deploying it using SMS. The SMS Extended Security Update Inventory Tool is built on Enterprise Scan Tool (EST) detection technology.
