Saturday, May 30, 2015

Keeping kids safe online: Step 1

Step 1: Parents, educate yourselves

Here are a few facts about online safety that I learned by visiting the Cyber Safety Village at the RSA Conference this year:
  • 65% of 8- to 14-year-olds have been involved in a cyber bullying incident
  • 49% say that they have been the online bully
  • Only 6% of parents were aware of this
  • 49% of teens do not believe that posting personal information online might have a negative impact on their futures

The Internet can be a scary place for kids—and for parents. And yet, children are using the Internet by the time they are three years old. According to one study, which included 1100 parents and 825 children, kids spend twice as much time online as their parents think they do. Here are some statistics from that study:
  • one in seven children under the age of 16 spends 4+ hours a day glued to the screen
  • 64% of kids indicated they have had a negative experience online
  • 6% of children have been exposed to violent porn
  • one-third of children say it is harder to focus on offline tasks, like reading a book
  • one in 20 said they had met up with a stranger that they first met on the Internet

The truth is that most kids do not understand the risk; and most parents are not experts in cyber security. But kids need our help. What can you do as a parent to keep your kids safe online?

First, as a parent, you need to educate yourself, whether you are tech-savvy or not. There are many resources available to you. Don't be overwhelmed by the number of resources. Here are some starting places:
  1. Visit the RSAC Cyber Safety: Kids page
  2. Watch the brief cyber safety videos
  3. Read the Top 10 Online Safety Tips for Parents, distributed by the Internet security and safety giant, (ISC)2. 
  4. Bookmark these resources, and peruse them all:

OK, that's enough information for parents to get started. Don't put this off. Spend an hour or two with these resources, and discuss them with your partner. Arm yourself with information before you have that conversation with your kids. If you need some motivation to get started, read Alicia's story.

Secondly, communicate with your children. Have open discussions about online safety and stay positively engaged with your children. We'll take a look at ways to do this in our next posting, Keeping kids safe online: Step 2.

Saturday, May 23, 2015

Why you should care about Patch Tuesday

If you are a Windows user, you should be familiar with the term "Patch Tuesday." This refers to the second Tuesday of every month—the day that Microsoft releases the latest updates for its Windows operating system (OS).

All software has flaws, a.k.a. bugs. This will always be the case with any automation system created by humans. Many of these bugs create vulnerabilities that can be exploited by bad guys. Believe me, the bad guys are hard at work, day and night, finding these bugs and figuring out ways to take advantage of them and gain control over Windows systems* anywhere and everywhere.

To fix those bugs, software manufacturers like Microsoft release updates ("patches") that must be installed to close the holes and help protect your system from intrusion. Microsoft bundles most of its Windows patches into a monthly release on the second Tuesday of the month, which is how that day came to be known as "Patch Tuesday." (Occasionally a bug is serious enough that Microsoft issues a patch outside the monthly cycle; install those, too.)

A few things to note: First of all, home users want to keep their operating system and software applications patched. That holds even though, once in a blue moon, a patch inadvertently breaks another application on your system, like Microsoft Excel or Outlook. Mistakes happen, and these are generally the result of testing failures in the Microsoft test labs. (I know because I worked in one of those labs in the mid-90's.) Think about the millions of computers running Microsoft Windows in a seemingly infinite number of configurations. Not every single case can be tested, but Microsoft is adept at hitting most of them.

Side note: If you're running a business that is reliant upon other Windows applications, you'll want to develop a testing process whereby you test patches before deploying them. The average home user isn't running critical applications and doesn't need to set up special test cases. Regardless, whether you are a home user or a small business owner, you need to understand patching and always have a recent backup in place. We'll talk about backing up your data in another post.

The point is, for home users, experiencing the very rare malfunction caused by patching is not a valid reason to decide you are not going to patch your systems (unless you don't care about being hacked or having your identity stolen). Not patching puts you and your data in a vulnerable position. My mom always said, "Better safe than sorry." Besides, if a Microsoft OS patch breaks an MS-Office product, rest assured it will be discovered and fixed rather quickly.

Secondly, all of this patching is automated in Windows by a program called Windows Update, which is a pre-installed component of the Windows OS. Users hardly need to lift a finger. Windows Update should be set to "automatically install updates." This is your best bet. To check your settings, go to the Windows Update page.

More advanced users can use these methods to view and change Windows Update settings:
  • In Windows 7, click Start, select Control Panel, and click the Windows Update icon. 
  • Windows 8.x users, read the FAQ for more info.
  • Windows XP users, if you exist, you should immediately disconnect your obsolete computer from the Internet and go buy a new computer running a newer OS.
Finally, some (but not all) patch installations require a reboot. Keep an eye out for this important notification—especially after Patch Tuesday—which is visible when you use your mouse pointer or other pointing device to hover over the Shut down function. If your Windows Shut down control shows the "shut down Windows and install updates" icon, as shown in the image here, then that is exactly what you should do.

Additionally, Windows may prompt you to restart in 10 minutes. Save your work and click Restart now. Do exactly what it says. You are able to postpone, but I recommend you restart or shut down (whichever the case may be) as soon as possible. The next time the computer starts up, give it time to finish installing the updates, if instructed on screen to do so.

*Computers running Apple's platforms (OS X on the Mac, iOS on the iPhone and iPad) also have bugs; however, Windows systems have a greater market share and are therefore more heavily targeted. This doesn't mean that Mac users shouldn't pay heed to software update needs; it just means that I'm not focusing on Apple security in this blog posting.

Saturday, May 9, 2015

Should I freeze my kids' credit?

I was having coffee with a friend and fellow information security professional a few weeks ago when he told me that not only did he and his wife get letters from Blue Cross/Blue Shield regarding the Anthem breach, but so did each of his children. He has since frozen their credit with all three credit bureaus to protect it.

According to Marc Goodman, author of Future Crimes, kids are fifty-one times more likely to be victims of identity theft than adults. In the United States, 500,000 children become the victims of identity theft every year. And their parents don't even know it. Most of these kids don't find out about this crime committed against them until they are over 18, when they apply for student loans. Nineteen states allow parents to freeze their child's credit. For details, see Identity Theft Poses Extra Troubles for Children, a New York Times article posted April 17, 2015.

Every parent having a youngster at home should read that article and consider freezing the child's credit. I've received the same advice from friends of mine in the U.S. Secret Service and the FBI: The best protection you have against identity theft is to freeze your credit.

The credit bureaus claim it is an administrative nightmare for them, and I buy that, but a credit freeze doesn't pose any significant challenges to the consumer. Thawing your credit temporarily while you change cellular carriers or apply for a loan is easier than you might expect. Granted, freezing your credit won't stop someone who has pilfered your social security number (SSN) from filing a tax return in your name or using your medical insurance if he can gain access to your personal and group ID numbers, but credit freezing is one line of defense that shouldn't be overlooked.

Let's face it: the bad guys are one step ahead of us. Protecting personally identifying information (PII) from falling into the hands of malicious actors is getting harder and harder to do. Why? Because our PII is stored electronically in countless databases in systems all over the world. All it takes for someone to steal your identity is your name, SSN, date of birth, and address.

Three out of four of these identifiers can be too easy for anyone to find. (This is why it is not a good idea to post your birthday on your Facebook page.) The fourth, your SSN, is something you should protect to the best of your ability. Never give your SSN to someone who calls you on the phone, and never enter it on registration forms (like at your doctor's office) where there is no need-to-know. And don't carry your SSN card with you. For more information, see the U.S. Secret Service web page referenced at the end of this posting.

If you know your PII has been breached, freeze your credit; at the very least, subscribe to a credit monitoring service. Most retailers, financial institutions and other providers (like Anthem) will offer credit monitoring for free for a year or two following a compromise of your data. For more information, see the Consumer Financial Protection Bureau article, Should I use a credit monitoring service to protect myself from identity theft?, which compares credit monitoring to credit freezing.

Additionally, the FTC offers plenty of helpful information for consumers. See their web page Consumer Information | Identity Theft, or download Taking Charge: What to Do If Your Identity Is Stolen (PDF format).

Monday, May 4, 2015

How do I create a strong password?

In my previous posting, I recommended that you change the default administrator user name and password used to access the configuration settings on your wireless router. These are frequently set by the router manufacturer to be admin/admin. All the hackers are aware of that fact and know that most of us probably don't know enough to change our credentials to something unique and hard to crack.

When you change the user name, make it something innocuous and unguessable. When you set a new password, make it long. Very, very long. Don't use dictionary words or dates or local sports team names. Don't use the name of your dog or your daughter's birthday—that information is readily accessible on your Facebook or Flickr page and a dozen other places. And do not reuse a password that you're using elsewhere.

A number of people's lives and finances have been ruined by password reuse. If you're using the same password for your Apple ID account, email account, online banking site, and more, then you're in deep doo-doo if just one of those accounts gets hacked. For an example of how one compromised account can be used to take over the rest, read about the epic hack against Mat Honan of Wired magazine here.

OK, so what is a strong password? For one thing, it's no shorter than 14 characters (according to the Georgia Tech Research Institute). I wholeheartedly agree. Typically, a strong password is both long and complex—meaning it is a combination of upper- and lower-case letters, numbers and special characters (symbols, such as #, &, !, etc.). These are all good things to have in your password; in fact, the more random characters you use, the better.

Even Edward Snowden will tell you (in one of his April 5th interviews with John Oliver), that we need to stop thinking in terms of passwords, and start thinking about pass phrases instead. The longer the phrase, the better.

Know this: any password is crackable, given enough time and computing power. The goal is to make your password too hard to crack within a reasonable amount of time. A strong, truly random 14-character password can take centuries to crack. Those are the kind I like to use. Bear in mind that such estimates assume an attacker who has stolen a site's password database and is guessing against it offline at full speed; how long that really takes also depends on how the site stored (hashed) your password, which you cannot control. What you do control is the length and randomness of the password, and whether it is reused anywhere else.
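To put numbers on "long and random," here is a small Python script added for this posting (it is not from the original post or any of the sources it cites). It computes the entropy of a few password shapes, estimates how long a brute-force search would take, and generates a random pass phrase using the operating system's cryptographic random number generator. The guess rate of ten billion per second is an assumed figure for an attacker with a GPU rig working offline against a fast, unsalted hash; against a slow hash like bcrypt the same rig manages far fewer. The 32-word list is a constructed sample so the script runs stand-alone; a real Diceware list has 7776 words, and the comparison shows why the size of the list matters as much as the number of words.

```python
import math
import secrets

# Constructed sample wordlist (32 words = 5 bits per word). A real Diceware
# list has 7776 words, about 12.9 bits per word; use one of those in practice.
WORDLIST = [
    "acorn", "badge", "cabin", "dune", "eagle", "fable", "glove", "harbor",
    "igloo", "jelly", "kayak", "lemon", "maple", "noble", "olive", "pearl",
    "quilt", "river", "saddle", "tiger", "umbra", "velvet", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "delta", "ember", "frost",
]
DICEWARE_SIZE = 7776      # words in a standard Diceware list
PRINTABLE_ASCII = 95      # upper, lower, digits and symbols on a US keyboard
ASSUMED_GUESS_RATE = 1e10  # guesses/second: assumed offline attack on a fast hash


def entropy_bits(choices_per_symbol, num_symbols):
    """Entropy of a secret built from num_symbols independent, uniformly
    random picks out of choices_per_symbol. Only holds for *random* picks:
    a human-chosen phrase or a dictionary word carries far fewer bits."""
    return num_symbols * math.log2(choices_per_symbol)


def generate_passphrase(num_words, wordlist=WORDLIST, sep="-"):
    """Pick words with the OS CSPRNG (secrets), never random.random()."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def years_to_crack(bits, guesses_per_second=ASSUMED_GUESS_RATE):
    """Expected brute-force time: on average half the key space is searched."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second=ASSUMED_GUESS_RATE):
    """Worked comparison of several password shapes: {label: (bits, years)}."""
    shapes = {
        "8 lowercase letters": entropy_bits(26, 8),
        "14 random printable characters": entropy_bits(PRINTABLE_ASCII, 14),
        "6 Diceware words": entropy_bits(DICEWARE_SIZE, 6),
        f"6 words from this {len(WORDLIST)}-word sample list": entropy_bits(len(WORDLIST), 6),
    }
    return {label: (bits, years_to_crack(bits, guesses_per_second))
            for label, bits in shapes.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:45s} {bits:6.1f} bits  ~{years:,.2g} years")
    print("sample pass phrase:", generate_passphrase(6))
```

Run it and you will see the 8-letter password falls in seconds, the 14 random printable characters and the 6 Diceware words both hold up for many lifetimes, and 6 words drawn from a tiny list do not, which is the whole argument for a large wordlist and a genuinely random choice.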

One great method for creating a password is described in the 3-minute video referenced in this article by security company Sophos: How to choose a strong password. Watch the video. I can't stress this enough. Got three minutes? Watch the video.

If you want to know more about how the bad guys crack passwords, see Bruce Schneier's blog posting about Choosing Secure Passwords. There are also plenty of web sites that provide a password strength checker. Just be sure not to test with a current or future password on those sites. For example: How secure is my password? Also, Microsoft has one at their Safety & Security Centre.

In the security industry, we all agree that password authentication is a fairly weak form of authentication, primarily because humans are the ones making up the passwords, and we've got too many passwords to remember. They say that passwords are going away and will be replaced by biometrics and other stronger forms of authentication. But not today. For now, we're still stuck with passwords for most of our online authentication.

In the meantime, for sites that hold sensitive or personally identifiable information (PII) it's a good idea to implement unique user names and strong passwords; and, if the site offers multi-factor authentication, take advantage of it. Got a Gmail account? Use Google's two-step verification. Most online banks offer this now, as well. Take advantage.

In a nutshell, make sure your passwords are unique and strong (i.e., long and complex); don't save passwords in a clear text file (in other words, unencrypted) stored on your PC (a reputable password manager, which keeps them encrypted behind one master password, is the exception); and don't write down your passwords or otherwise store them in an unsecured location.

Also, do not share your password with anyone. Anywhere. Anytime. Ever. No one, not even technical support staff, should ever ask you for your password. Would you hand your front door keys to a stranger? Treat your passwords the same way.

Saturday, May 2, 2015

How do I secure my home network?

It's easy to lock a deadbolt on your front door when you leave for the day, but how do you know if your home network is secured?

At home, most of us use a modem and a line from an Internet Service Provider (ISP) to connect to the Internet. Whether we use a cable modem (e.g., we subscribe to Comcast), a DSL line (via phone) or, more rarely, a satellite link, this modem provides our primary link to the Internet.

Typically, we configure the various computing devices within the home to connect to the modem wirelessly. To connect those devices (laptops, smart phones, iPads, TVs, Rokus, etc.), we attach a wireless ("Wi-Fi") router to the modem. Sometimes the wireless component is built into the modem.

Because your Wi-Fi network is available to any other human holding a device within range that can 'see' your home network, you need to secure it.

The three most common mistakes made that leave your Wi-Fi vulnerable to attack are:
  1. Not changing the default Wi-Fi network name, also known as the Service Set Identifier (SSID). Your neighbors and anyone driving down the street can see your network name on their wireless device, and anyone who can see it can attempt to connect to it. A default name usually tells them the router's make and model, and therefore its default password and any known weaknesses, so change it to something that identifies neither you nor your hardware (the router box you put out in the recycle bin at your curb gives away the same thing). Disabling SSID broadcasting is optional: it keeps the name off casual network lists, but the name is still sent in the clear whenever one of your devices connects, so anyone with a wireless sniffer can see it. Don't mistake a hidden SSID for real security.
  2. Not changing the default administrator user name and password that is pre-set on the router. Typically, this is configured by the manufacturer to be admin/admin and is accessible through an interface that you use to configure your router settings called the administrator console.
  3. Not using strong encryption to secure the data transmitted over your wireless network. Too many unsuspecting users are still using the weakest protocol of all, WEP, which can be broken in minutes, or no encryption at all. Use WPA2 with AES (sometimes labeled CCMP) encryption. The older WPA with TKIP is better than WEP but has known weaknesses of its own, so choose WPA2 if your router and devices support it. There is a huge difference in security between WEP and WPA2.
Those are the fundamentals. Even if you change just those configuration settings on your wireless router, you're way ahead of the bad guys who are trying to hack into your home wireless network.
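As an added illustration (not part of the original post), here is a small Python checker that reads the output of the Windows command `netsh wlan show networks` and grades every visible network on the third point above: no encryption, WEP, WPA/TKIP, or WPA2/AES. It also flags a few well-known default network names, which is the first point above. The scan text embedded below is constructed sample data laid out the way the real command prints it, so the script runs offline; on Windows it runs the real command instead. The list of default-name prefixes is illustrative, not complete.

```python
import re
import subprocess
import sys

# Constructed sample of "netsh wlan show networks" output (Windows). The field
# layout matches the real command; the network names and settings are made up.
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 2 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP

SSID 3 : Coffee Shop Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 4 : OldLaptopNet
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
"""

# Illustrative, not exhaustive: names that advertise the router's make.
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "belkin", "default")


def parse_scan(text):
    """Turn netsh output into a list of {ssid, authentication, encryption}."""
    networks = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)
        if m:
            current = {"ssid": m.group(1).strip(),
                       "authentication": "", "encryption": ""}
            networks.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*(Authentication|Encryption)\s*:\s*(.*)$", line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
    return networks


def assess(network):
    """Grade one network: returns (grade, reason), grade in bad/weak/ok."""
    auth = network["authentication"].lower()
    enc = network["encryption"].lower()
    if enc == "none":
        return "bad", "no encryption at all (open network)"
    if enc == "wep":
        return "bad", "WEP, which can be cracked in minutes"
    if auth.startswith("wpa-") or enc == "tkip":
        return "weak", "WPA/TKIP; move to WPA2 with AES (CCMP)"
    return "ok", "WPA2 (or newer) with AES (CCMP)"


def report(text):
    """List of (ssid, grade, reason) for every network in the scan text."""
    rows = []
    for n in parse_scan(text):
        grade, reason = assess(n)
        if n["ssid"].lower().startswith(DEFAULT_SSID_PREFIXES):
            reason += "; default network name advertises the router make"
        rows.append((n["ssid"], grade, reason))
    return rows


def live_scan():
    """On Windows run the real command; elsewhere fall back to the sample."""
    if sys.platform == "win32":
        return subprocess.run(["netsh", "wlan", "show", "networks"],
                              capture_output=True, text=True).stdout
    return SAMPLE_SCAN


if __name__ == "__main__":
    for ssid, grade, reason in report(live_scan()):
        print(f"{grade.upper():4}  {ssid!r}: {reason}")
```

If your own network shows up as anything other than "ok," log in to the router and change the encryption setting; if a neighbor's shows up as "bad," that is their problem, but it is also a reminder of what a passer-by sees.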

How do you configure these three things on your router, and implement more security features? It's really quite simple. Using any web browser on your desktop, simply perform a web search (e.g., via Google) on your router manufacturer's name and model. A simple query might be, for example, "secure Linksys router," if you own a wireless router made by Linksys. Better yet, search the model number: "secure linksys wrt54g," for example.

Or, visit the manufacturer's web site and download the manual associated with your particular model. A quick Google search will get you to the manufacturer's web site (e.g.,

The user manual describes how to connect to your router directly, log in as the administrator, change the network name (and, optionally, disable SSID broadcasting), enable strong encryption, and change the administrator login credentials (the administrator login name and password). A savvy user will not only change the default administrator password to a strong password, but will take it one step further and also change the administrator login ID from "admin" to something completely innocuous. (Don't use your own name!)

Stay tuned for more tips on Wi-Fi security. 

Friday, May 1, 2015

Why this blog?

Welcome to my new blog, Susie and Security. This is something I've been meaning to do for years. The audience for this blog is anyone and everyone. Most people are not technology experts or information security ("infosec") specialists. And yet, thanks to the explosion of the Internet of Things (IoT), most people interact with a variety of digital devices throughout the day—both at home and at work, and in between. Is your phone, TV, laptop computer, wireless printer, home Wi-Fi network, household alarm system and car secured? How do you know?

The purpose of this blog is to help and educate. The best way we can prevent breaches and understand how to detect and respond to them when they do happen—and they will—is by being aware, alert and informed. The fact is that we cannot necessarily keep the bad guys out, but we can take steps to limit the damage when they do compromise our systems.

Going forward, if you find this blog useful, please feel free to share the link ( with family and friends.

Thanks for visiting and stick around for my first security post this weekend!
