Securing your digital life

It is long past time to rejuvenate the site with fresh information security content that will help you protect what is digitally important to you. The answer to what is important to protect is going to be different for each person, but some of the things that are most likely to be important to you are:

  • Protecting your online financial information (online banking account & retirement accounts)
  • Protecting your primary email accounts that often control the reset functionality to other important accounts if you forget the passwords.
  • Protecting your social media presence to avoid embarrassment or being used to infect others with malware
  • Protecting your online file storage including documents and pictures that are important to you
  • Protecting information that you consider private while engaging online
  • Protecting your expensive digital devices from theft

All of us have something important to protect and awareness that you are a target is the first step towards taking the needed actions to lower your probability of having problems down the line. Next up will be suggestions on what you need to do to help safeguard your digital life.

How to reset an iPad when the passcode is lost

I received a stack of redeployed iPads and had to figure out how to reset them to factory default state. The only problem was that the iPads’ passcodes had been set by the previous users as required by policy and I didn’t have the passcodes handy. No problem, I fired up trusty Google and figured I would be through it in a minute.

Unfortunately the instructions were not as easy to find as I had hoped, so I had to click through several of the sites and experiment a bit until I finally got it to work just right. Most of the methods led to me getting the error “iTunes could not connect to the iPad named x because it is locked with a passcode. You must enter your passcode on the iPad/iPhone before it can be used with iTunes.”

I would have just restored from a previous backup if I had used these iPads before, but since I hadn’t, I had to restore the device to factory default.

Here is how I reset the iPad to factory default without having the passcode:

  1. Connect the iPad to your USB cable but make sure iTunes is closed on your PC (close it if it opens).
  2. Turn off the iPad by pressing and holding the Sleep/Wake button until it goes off.
  3. Start iTunes on your PC.
  4. Press and hold the home and power buttons together until you see the Apple symbol come up, and continue holding the home button until you see “Connect to iTunes” on the iPad screen.
  5. You will get to recovery mode and then you should restore the device to factory default using your PC via iTunes. I restored them to factory default since I did not have a backup and this brought the iPads back to their original state, clearing the troublesome password in the process.

Definitely not rocket science but also not clear from a lot of the higher ranking sites based on the search term I used.

Is jailbreaking your iPhone or iPad bad for security?

Jailbreaking is the terminology used to describe the situation where the native protection of an iPhone or an iPad is defeated (hacked) to allow developers access to the file system’s root directory. These files would normally be hidden and not accessible, but when a device is jailbroken developers are then able to modify them and create new offerings outside the control of the Apple store. Now that you know what jailbreaking is, you may be asking yourself why someone would want to jailbreak their device and how it is done.

Why would someone want to jailbreak an iPhone or iPad?

Jailbreaking is typically done by digital rebels who like to tinker with their devices and not be bound by the laws imposed by others: people who believe devices should be open to exploration and that once they purchase a device they are free to modify and improve it. Many people jailbreak to utilize advanced shortcut features, use apps only available on jailbroken devices, and open up their data options beyond the restricted carrier models that are available normally (also known as unlocking vs. jailbreaking).

How is jailbreaking done?

There are numerous free utilities available, including Spirit and Absinthe, that allow you to jailbreak your iPhone, iPad, or other iOS-based device. If you decide to do so, you should choose your utility wisely because picking the wrong one could lead to an inoperable device or security problems. I have chosen not to jailbreak my device, but if I did jailbreak it I would make sure to follow these jailbreaking risk mitigation steps.

Jailbreaking security risk mitigation steps

  1. Perform a full system backup prior to attempting the jailbreak
  2. Choose a jailbreaking utility that is validated as compliant with the version of iOS running on your iPad or iPhone to minimize the likelihood of problems
  3. Choose a jailbreaking utility that is highly rated by other users with a large install base
  4. Choose a jailbreaking utility that has a track record for supporting new iOS levels and is covered by respected
  5. Skim the documentation of your jailbreaking utility to make sure you are changing any default passwords that are created as part of the process. Many of the utilities leave a default account that could be a future security or malware thorn in your side if you do not assign a unique password when prompted.

Why is jailbreaking not a good idea for enterprise use?

#1. Jailbreaking a device violates the Apple terms of service and likely violates your AppleCare warranty. Many companies rely on Apple for hardware support, so violating the terms of service puts this arrangement in jeopardy.

#2. Jailbreaking a device increases the risks of device instability since Apple does not validate the effectiveness of a jailbroken device. This is more theory than something with working examples to highlight at the moment, but it is very logical that increasing complexity can lead to increased problems.

#3. Jailbreaking a device increases the likelihood of iOS upgrade issues when new updates are rolled out. Apple iOS constantly changes so you have to ask yourself how much time you have to troubleshoot and deal with problems if the jailbroken device does not tolerate a routine iOS update.

#4. Jailbreaking an iPhone or iPad can increase the probability of data security issues since you are installing unreviewed software from vendors of unknown quality. In my opinion this is the biggest reason not to do this at the corporate level; there is just too much downside risk that is hard to quantify.

#5. Jailbreaking a device has been known to increase battery consumption rates. Batteries drain quickly enough, and adding extra app or utility overhead only increases the drain.

Jailbreaking a personal iPhone or iPad is a personal decision with limited risk, but the same action is a drastically different equation in a corporate setting.

iOS 6 fall release will be the first big test of enterprise iPad tablet life cycle management

iOS 6 is coming in the fall and the release will be the first big test of enterprise iPad tablet life cycle management processes. Until now all versions of the iPad have been compatible with new iOS releases, so there has never been a security- or compatibility-driven reason to upgrade to the latest and greatest iPad. Upgrades were based solely on the desire to have the latest and greatest gadget or due primarily to new device acquisition timing.

The announcement that iOS 6 will not be compatible with the first iPad is a game changer for enterprises that haven’t thought out their renewal strategy yet. This announcement is sure to have a drastic effect on reducing the number of first generation iPad devices inside security conscious businesses. This is really no different than when Microsoft sunsets a legacy version of Windows and announces that security and service pack upgrades will no longer be available after a certain date.

What new risks will users of legacy iPad devices face once iOS 6 is released?

  • Increased risk of application instability as app vendors phase out support and testing for first generation iPad devices
  • Application incompatibility for apps focusing on taking advantage of retina screen and other enhancements targeting iOS 6 capable devices
  • Increased risk of security vulnerability problems if first generation devices are not updated for important security bugs found in iOS 6.0 upgrades. I have not seen definitive word from Apple that important updates to legacy iOS will not be provided but the writing is on the wall.

It has been a good run, first generation iPad, but I expect many of you will no longer have a place in the enterprise once iOS 6 is a reality. Corporate users with a first generation iPad who couldn’t justify an upgrade, rejoice: you soon will have one courtesy of iOS 6.

How do LinkedIn’s security problems affect you?

The recent news that top business networking site LinkedIn had a significant number of passwords compromised has been the biggest story in the information security world this week. It is disappointing but not surprising that LinkedIn was affected by this breach. What went wrong in their security process?

  • An as-yet-undisclosed vulnerability (probably some type of database injection attack) led to unauthorized access, which allowed the hacker to download the site’s hashed password database.
  • Even though the passwords were hashed, they were not salted to provide an additional level of security. This meant that the hashed passwords were susceptible to attacks that could quickly crack weak passwords.
  • LinkedIn was relatively slow to fess up to the attack and notify the users to change their passwords. This has now happened and after taking some initial grief LinkedIn has now forced password changes on those they believe were affected. This should help minimize the damage to users who had passwords disclosed.
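
Why the missing salt matters, shown as an added example that is not part of the original post and is not LinkedIn's code: the weak scheme below uses SHA-1 as a stand-in for any fast unsalted hash, and the hardened scheme uses PBKDF2-HMAC-SHA256 with an assumed 600,000 iterations. The sample accounts and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data); two users share a weak password.
SAMPLE_USERS = {
    "alice": "linkedin123",
    "bob": "linkedin123",
    "carol": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_hash(password):
    """Weak scheme: one fast, unsalted hash (SHA-1 chosen for illustration)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, key)


def shared_hash_groups(table):
    """Return groups of users whose stored value is byte-for-byte identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def precomputed_matches(table, wordlist):
    """Hash each candidate once and match it against every unsalted entry.

    Without a salt, one hash computation per guess covers the whole table,
    which is why weak passwords in an unsalted dump fall so quickly.
    """
    lookup = {unsalted_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}

    # Unsalted: identical passwords are visible as identical hashes.
    print("unsalted duplicates:", shared_hash_groups(unsalted))
    print("one pass over a wordlist:",
          precomputed_matches(unsalted, ["password", "linkedin123"]))

    # Salted: the same password yields unrelated records for each user.
    print("salted duplicates:", shared_hash_groups(salted))
    print("login still works:", verify("linkedin123", salted["bob"]))
```

With per-user salts a guess has to be recomputed separately for every account, and the slow key derivation makes each of those computations expensive.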

So how do LinkedIn’s security problems affect you?

If you are a LinkedIn user make sure to reset your site password and the passwords on any other sites if you use the same passwords across multiple sites.

What information security lessons does this incident teach an average website user?

Even professional companies with a lot of money to spend will be subject to information security compromises. For that reason it is important to utilize different user account names and separate passwords on each site you use to minimize the impact if any one account is compromised. To help manage this level of security and keep your sanity in the process, I highly recommend that you use a password management program such as LastPass. This will help you spread out your risk and minimize the damage of any one site being compromised (and if your password management company gets compromised, be sure to change that one with lightning speed). Lastly, it is important to keep up with the news and know when information security problems occur for sites you utilize. That will help you take swift action to minimize your chance of problems.


How to use Windows 7 system restore to fix system stability issues

I grew up on the Windows operating system and through the years have learned how to easily navigate in it and do everything I need to do. I know many people absolutely hate Windows and Microsoft but I am not one of those people. I have had mostly good experiences with Windows through the years and am comfortable with its operating framework and the need to update security patches on a monthly (or more frequent) basis.

That does not mean I am stuck in the dark ages refusing to use new technology. I have an iPhone and an iPad and also love those devices, but when I had to buy a personal machine for a side business I work on I chose an economical Gateway laptop running Windows 7. Priced at less than $400, I am not sure it is possible to get more value for such a usable machine. I have been using this machine regularly for about 9 months now with no problems until late April, when I experienced my first big problem with the machine.

Out of nowhere the machine became extremely sluggish and would not even load the operating system after putting in my initial password. Even though I am extremely cautious, I was worried that I had become infected with some type of malware and that my machine was compromised. I could not even find out at first because the machine basically wouldn’t load, so I had to resort to plan B: starting it in safe mode.

I was able to get the machine to load via safe mode and then ran some security scans, which did not pick up any signs of malicious behavior (I ran Microsoft Security Essentials and Spybot S&D). Like a good operational/security person I then checked my event logs and realized several patches went in recently, so I leapt to the conclusion that one of these patches must be responsible for the horrific state of my system. Time to do my first ever Windows 7 system restore on this machine.

The Windows 7 system restore functionality is a great way to roll back your machine to a previously known “good state”. System restore is marketed by Microsoft as a convenient way to undo system changes to your computer without affecting your personal files, such as e-mail, documents, or photos. Basically, it is a way to back out patches and other system level changes without losing your personal data.

I had configured my system to have many different restore points, so the key question for me was which restore point to revert back to. At first I tried the nearest restore point, one day out, with no success; the machine was still unusable. After spending about an hour experimenting I decided to roll back 3 days and got a workable stable version of my system going again. Even after the OS was stable again my Firefox browser never regained stability, so I had to uninstall and then reinstall it to get it working effectively again.

Total time spent troubleshooting my problem ~ 1.45 min

Probable root cause – Microsoft or Firefox related patch (I did not isolate the exact source; I am only going by the details of the required rollback mentioned above)

Summary of actions taken for my Windows 7 system restore

1. Utilized Windows 7 system restore functionality by going to Start > All Programs > Accessories > System Tools > System Restore (make sure you set frequent restore points so you have this available to you)

2. You may need to experiment with your restore back date until you find the point where your system is again stable.

3. Restore your system to that point and run your antivirus scan and Spybot Search & Destroy to validate that a security compromise did not cause your problem.

It takes some effort but you can do this yourself and save yourself some money if this happens to you.


How long until Apple iOS needs its own patch Super Tuesday?

Are you Apple fans ready for some digital heresy? Apple iOS is as vulnerable to security problems as any other software, even as vulnerable as, gasp, Microsoft. We have witnessed this evolve from occasional updates to regular iOS updates and news of active attacks in the wild. If there was any doubt, it is official: Apple devices need the same security measures as any other device.

None of this should come as a surprise to anyone. One of the unpleasant realities of being the big dog in town is that you become an attractive target to hackers. Apple devices started as a consumer hit but that success has led to a clamor for equivalent devices in the enterprise. Top level executives love these devices and have adopted them en masse along with the regular rank and file company employee. Would-be attackers now realize that Apple devices are the future and compromising them can lead to a treasure trove of corporate intellectual property.

So will Apple adopt a regular monthly patching window, the equivalent of Microsoft’s infamous “Super Tuesday” patch window? I would bet big money on it and the reason is enterprise adoption. Most enterprise IT departments have not been on the forefront of bringing Apple mobile devices into the fold and are now quickly playing catch-up.

Playing security catch-up for them with Apple devices means:

  • Refining policies to enable Apple mobility devices
  • Educating users on security requirements on Apple devices such as patching and safe device usage tips
  • Reminding users that physical security and safe browsing security measures apply on mobile devices
  • Evaluating and implementing iOS enterprise security tools to help control devices that contain sensitive corporate information

Enterprise IT will also pressure Apple to release iOS updates at a consistent time of the month because it helps with planning and user education. It is a lot easier to schedule, implement and communicate security updates when a fixed release date is established and can be planned around. Then again Apple has never had a reputation of pandering to corporate IT departments so the call for consistent patch release dates may go unanswered.

Bold and not so bold predictions:

Within the next 6 months a major security incident will involve iOS and be responsible for a big intellectual property loss.

Within one year Apple will establish a fixed monthly patch window date.

How should you secure your webcam?

Webcam security is probably something you have never given much thought to. You might have a friend that physically tapes their webcam and think that they are being a bit paranoid, but are they really? Criminals will do anything to make a buck, and if they can do that via a webcam do you have any doubt that they would? I read this recent posting on Quora that got me thinking about that very question.

It is well established that operating systems and applications of all types are insecure due to the complexity of code and lack of proper security reviews throughout the development and release process. Simply put, any vulnerability at the operating system or application layer that grants sufficient privilege to the attacker could lead to the compromise of your webcam. So the possibility definitely exists that someone could compromise your webcam. But to paraphrase a poster on Quora, what would a hacker gain by doing that? Let’s examine the potential threats.

Why would a hacker want to hack a webcam?

Here are just a few possibilities. This list is not meant to be exhaustive but just to show you that there is plenty of motivation and potential financial gain in doing so.

  1. To gain access to pictures that can be used for blackmail or financial gain. How much would someone potentially pay to keep embarrassing photos out of the public domain? I imagine this could become quite a source of revenue, especially if someone in the public eye was the victim of this type of attack. Granted, this is called blackmail and has serious potential legal repercussions, but so does hacking and that did not stop the hacker up to this point.
  2. For information to know what is happening in a given location covered by the webcam. This factor comes into play more when a webcam is set up to provide security for a high value location but could also be relevant if a home is particularly pricey or a prime target for physical theft. This one may be a bit more of a stretch vs. option #1 but is definitely within the realm of possibilities.
  3. To terrorize the person on the other end of the webcam. Let’s face it, there are some sick and twisted individuals in the world who just like instilling fear in others and causing pain. Imagine the damage they can do if they control your webcam and you have not implemented any kind of security controls over your webcam.

So what can you do to protect yourself from these webcam security threats?

Suddenly, the person using dark black tape to block their webcam when it is not in use does not seem so paranoid now that we know the evildoers have potential incentive to hack your webcam. I believe a physical security method is the preferred way to deal with this threat, especially if you participate in sensitive activities with your webcam. Tape that does not allow the camera to be utilized is a good control here but it is only as effective as your regular usage of it. You must do this every time your webcam is not in use to have effective security.

Another effective method to control webcam security risks is to have a portable webcam vs. a built-in one so you can unplug it from the USB port when it is not in use. If you do not have a built-in camera this is the best security option you can employ, but once again it is only as effective as your ability to do this every time it is not in use.

There are other important measures you need to take, such as keeping your operating systems, internet browsers and other applications like Adobe Flash up to date with the most recent versions. This will help minimize the likelihood of your machine being vulnerable to attackers. Minimizing your use of a webcam to situations that would not leave you embarrassed and open to potential blackmail is another important mitigation step that will help protect you even if someone manages to compromise your webcam.

Who would have thought a webcam could have so many security implications?

Is WordPress 3.3.2 tied to the Mac OS X security issues?

Blogging platform king WordPress has gone quite a long time without an update, until today that is. When I logged into my blogs I noticed that WordPress update 3.3.2 was awaiting my installation. I have read via SANS that compromised WordPress sites were the major attack vector for these high-profile Mac attacks. Putting two and two together, it makes quite a lot of sense that there is a new WordPress update to install to mitigate discovered issues with the platform.

Upon review of the update, it contains fixes for several cross-site scripting vulnerabilities as well as a limited privilege escalation vulnerability. I decided to break with my normal policy of installing WordPress updates after 2-3 weeks of stability and experimented with applying the patch right away. My test site worked with no problem, so I applied it to my other two sites and no issues were experienced across the board.

It feels like it is only a matter of time until iOS gets hit big time and iPhone and iPad users learn that they are not isolated from the security issues that have faced Windows users for over a decade. With popularity comes scrutiny.


Best information security blogs run by universities

Information security is an important topic for both businesses and individuals. It is nice to see many leading Colleges and Universities stepping up to the information security challenge and launching blogs and using social media tools to help educate students and faculty about the importance of information security. Information security groups at colleges and universities have a challenging job getting the word out and driving information security compliance since students are often prone to engaging in risky online behavior that leads to an increased likelihood of information security incidents.

Best edu information security blogs & social media presence

Indiana University – IU is running a well designed blog that looks like something you would see from a savvy, expensively run 3rd party site. The information security news is regularly updated and it appears that IU has a pretty big team working on this effort because many of the posts are by different individuals. Kudos to the team for the excellent work on information security, and from a quick scan it appears personal information protection is a big component of the overall awareness effort.

Missouri State Information Security Blog – Charla Berry is doing an excellent job helping keep the Missouri State community aware of information security threats and how they can stay protected. Recent posts feature awareness tips about holiday scams and keeping online financial information secure.

Georgetown Information Security Blog – Nicole Kegler has been a longtime blogger on information security; the site’s index is listed back to March 2010. My favorite post is the one warning that Macs are not immune to information security problems, since many people make this statement in error. With the ever increasing popularity of Apple devices you can expect reported information security problems in Apple devices to grow this year.

Rochester Institute of Technology – RIT has an excellent page for information security education but what really makes them stand out is their use of Facebook to spread the information security gospel using social media tools. They have over 5300 Facebook page likes, a lot of awareness material and discussions going online, so be sure to give their page a visit.

Kansas State University – The Information Security program is run by Harvard Townsend and the school has an excellent overall online information security presence, but they also run a blog dedicated to information security threats (which I have linked to) that talks about common problems like spam, malware, and phishing attempts.

University of Connecticut – Mick DiGrazia has done a nice job with this information security blog that dates back to June 2010. I assume he will be back with a vengeance for the Spring semester.

The Ohio State University – I had to include the “The” since I always hear it on sports name/university roll calls plus it is listed that way on the site. The site contains a nice RSS feed highlighting information security awareness messages that students and faculty should be aware of. In addition, it looks like the institution has embraced encryption tools like PGP for faculty so that is a good sign that the information security program has been able to work effectively and get faculty support.

Stanford School of Medicine Information Security Blog – Site hasn’t had a recent post but previously published excellent awareness reminders around common scams and other pertinent information security information. Hopefully this recognition will help provide incentive to post more updates in the future.

If you run or know of other edu blogs that I should index please send me an email or reply below.