Data Deletion Done Right
What to Delete, How, and When?
By: Eric Durrand
We all know at least one of those people who refuse to ever throw anything away. They live surrounded by boxes. Old papers, old clothes, memorabilia from high school, and broken gadgets are all stored somewhere in their apartment, leaving very little room for actual living. Their place is always cramped, but they can always locate that first high school diploma, or that first love poem. Another type of person we all know is the throwaway fanatic: she lives in a clean, organized space – with nothing but the bare necessities that serve an active purpose in her daily life. Occasionally, however, she is overcome with nostalgia for an object, a book, or a photograph long gone. The same things she ruthlessly discarded as unimportant, not useful, and cumbersome – she sometimes discovers had some value after all.
While legal departments in many companies encourage routine deletion of old materials to avoid furnishing evidence in potential litigation, it is illegal to delete anything potentially relevant once litigation is reasonably foreseeable. Various documents can also help a company’s legal case, which makes it harder to decide whether or not to adopt a policy of deletion. The same is true of old engineering projects, old client information, and old e-mail communication. These files take up a lot of storage space, make it harder to find the information that is actually relevant, and are hardly ever opened.
So what to do with all this old information? One popular solution is to move it around. Many organizations have found it useful to create several “storage tiers” that differ in accessibility, security, cost of media, and so on. They gradually migrate old information to cheaper and less accessible storage. In a small office, for instance, the information is migrated from a storage server to an external drive, and from the external drive to backup tapes. Or it can be moved from a hard drive to a CD-R, etc.
1. Would this be needed in the foreseeable future?
2. If not, is there a chance that it would ever be needed?
3. If so, what might it be needed for? Who in the company might need it?
Posted on August 31, 2006 at 11:44 AM in Information Security
What to Do About Spam?
Surviving the Rising Tide in Junk Mail
By: Eric Durrand
You are approved! C-h-e-a-p Medicine! M@ke her h@ppy! Those are some of the common headlines we see in our inbox every day. Spam, or junk e-mail, has reached monstrous proportions: in the first half of 2005, an average of 68.6% of all e-mail messages were identified as junk mail, or spam, according to MessageLabs data. In frequently targeted industries like healthcare, 8 out of 10 messages are spam. And the tide keeps rising: only a few years ago, spam accounted for less than 50% of e-mail communications.
While most service providers offer spam filtering and protection, no server-level solution has proved perfect so far, and responsibility for sorting out the junk still falls on end users. But how can users withstand this onslaught of irrelevant information flooding their inbox? By using smart desktop filtering tools, and by exercising caution when giving away their main address. We have gathered these tips to help you deal with spam:
The most common e-mail clients today are Microsoft’s Outlook and Outlook Express. Both applications offer a basic spam-fighting capability. In Outlook Express, a specific sender can be blocked by clicking on a message, then Message -> Block Sender. This is useful against repeat offenders, but not against professional spammers, who as a rule change their e-mail addresses constantly. Outlook 2003, included in the latest version of Microsoft Office, is much more sophisticated. It sorts incoming e-mail according to some 100,000 variables, identifying spam messages with up to 95% accuracy (when switched to the High spam protection level). Messages identified as spam are automatically moved to the Junk Mail folder in Outlook, where the user can review them at leisure to make sure no messages were wrongly blocked. To switch the spam protection level to High in Outlook 2003, go to Actions -> Junk E-Mail -> Junk E-Mail Options, select High, and click OK.
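To show what a filter that weighs many word "variables" actually does, here is an added example (not code from the original article or from any of the products it names): a multinomial naive Bayes classifier trained on a constructed eight-message corpus, with a tokenizer that undoes the obfuscations in the headlines above (C-h-e-a-p, M@ke, h@ppy). The training messages and the threshold value are assumptions made for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed training corpus: a tiny stand-in for a real labelled mailbox.
SPAM = [
    "You are approved! C-h-e-a-p Medicine!",
    "M@ke her h@ppy - cheap pills online, order now",
    "You are approved for cheap medicine, click now",
    "Cheap online pharmacy, order now and save",
]
HAM = [
    "Meeting agenda attached for tomorrow morning",
    "Please review the lesson plans before class",
    "Attached is the grade report for the class",
    "Can we move the morning meeting to Friday",
]

def tokenize(text: str) -> list:
    """Lowercase, undo the common obfuscations (C-h-e-a-p, M@ke, h@ppy) and split into words."""
    t = text.lower()
    t = re.sub(r"(?<=\w)-(?=\w)", "", t)        # c-h-e-a-p -> cheap
    t = t.replace("@", "a").replace("$", "s")   # m@ke -> make, $ave -> save
    return re.findall(r"[a-z]+", t)

class NaiveBayesFilter:
    """Multinomial naive Bayes with add-one smoothing: every word is one of the 'variables'."""
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text: str, label: str) -> None:
        words = tokenize(text)
        self.word_counts[label].update(words)
        self.doc_counts[label] += 1
        self.vocab.update(words)

    def _log_score(self, words: list, label: str) -> float:
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))  # class prior
        total = sum(self.word_counts[label].values())
        for w in words:  # unseen words count 0, smoothed to 1, so they never zero out a class
            score += math.log((self.word_counts[label][w] + 1) / (total + len(self.vocab)))
        return score

    def spam_probability(self, text: str) -> float:
        """P(spam | words), derived from the two log scores without underflow."""
        words = tokenize(text)
        diff = self._log_score(words, "ham") - self._log_score(words, "spam")
        if diff > 700:          # exp() would overflow; the message is overwhelmingly ham
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "ham"

def build_filter() -> NaiveBayesFilter:
    f = NaiveBayesFilter()
    for m in SPAM:
        f.train(m, "spam")
    for m in HAM:
        f.train(m, "ham")
    return f

if __name__ == "__main__":
    f = build_filter()
    for subject in ["C-h-e-a-p medicine, you are approved", "The lesson plans for the morning class"]:
        print(f"{f.spam_probability(subject):.3f}  {f.classify(subject):4}  {subject}")
```

The threshold is the filter's aggressiveness knob: lowering it catches more spam at the cost of more legitimate mail wrongly moved to the junk folder, which is why the article's advice to review that folder still applies to any learned filter.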
Users who have an older version of Outlook can enjoy the basic functions of blocking senders, and some very basic spam filtering options. These users can install special anti-spam plug-ins (described below), or try a completely different E-Mail client. Thunderbird, a mail client by Mozilla (the same group that brought us the Firefox browser), is a free, smart E-Mail client with advanced anti-spam features.
Beyond an Outlook replacement, many Outlook plug-ins are available that help curb the flood of spam. Qurb ($29.95) is one such tool, claiming to block 100% of spam messages. Qurb learns your preferences, your contacts, and your correspondence, and blocks any address that does not appear in them. You can then go over blocked messages at any time, and make sure no legitimate messages were blocked.
Other plug-ins are free, such as SpamFighter and SpamPal, which help separate and block spam messages in several e-mail clients. Another interesting free tool for the more vindictive spam victim is Blue Frog, which does not block spam, but automatically posts complaints on the sites advertised by the spam you receive, once you identify it as spam.
Despite the many tools described above, the most effective way to avoid spam remains smart usage of your e-mail address. Keeping more than one address is recommended: users should keep a primary one for friends or co-workers, and not use it for online registration or services. Keeping your primary e-mail address strictly confidential will help ensure that it remains spam-free longer.
Posted on February 8, 2006 at 11:44 PM in Information Security
Online Privacy: A Myth?
How you can protect your privacy online.
By: Eric Durrand
Like many good things in life, privacy is often most valued when it’s lost: When conmen get hold of your credit card details, and spammers seem to know your name, e-mail, and shopping preferences. When people can find everything about you simply by googling your name, and hidden spyware installed on your computer sends a constant stream of information regarding your surfing habits to its unknown masters. When some viruses can select a random document from your hard drive and forward it to all your contacts. When virtually every website uses cookies to collect personal information and usage history. When E-mail is considered one of the least private mediums of communication (akin to sending an open postcard by a series of unknown messengers).
We have covered the most serious violation of privacy, the phishing scam, in this previous article. Phishing, for those unfamiliar with the term, is the act of baiting users into divulging personal information through a spoofed website designed to look like that of a trusted online service provider: a bank, an ISP, etc. But in the online world not all violations of your privacy are illegal. Some, in fact, may be inadvertently caused by you.
A well-publicized way for websites to gather personal information about you is cookies: most internet browsers allow a website to save tiny bits of information (“cookies”) into a special file on your system. That information, usually nothing more than an ID number, helps the website identify you every time you visit. Most uses of cookies are perfectly benevolent: Amazon.com, for example, uses them to save you the time needed to log in, to offer you recommendations based on your previous purchases, and to manage your wish list. There are, however, websites that abuse this option. To find out whether a website abides by accepted rules regarding your privacy, check the presence and content of its privacy policy. Make sure the website does not collect personally identifiable information, and does not sell or reveal any kind of information without your explicit permission.
If you want to outright deny some websites the right to plant cookies on your computer, and thus increase your privacy in Internet Explorer, simply go to Tools -> Internet Options -> Privacy, and move the slider up to Medium or Medium High. You can also delete all your cookies by going to the General tab under Internet Options and pressing the Delete Cookies button. Remember, though, that doing this will force you to log in again on all the sites you’ve registered with. A more selective way to delete unwanted cookies is to use an anti-spyware application, such as the free Ad-Aware tool, which will allow you to select which cookies to remove and which to keep.
Speaking of anti-spyware tools, we must also mention spyware: malicious applications that illicitly collect and send personal information to their creator. Besides Ad-Aware, which scans for, identifies, and removes unwanted spyware, there are Spyware Sweeper and Spyware Doctor, which do, for the most part, the same thing. A relatively new tool is Microsoft's AntiSpyware, which offers scheduled scans and various privacy protection tools (cleaning cookies, erasing various tracks in Windows) in addition to scanning and removal.
The world wide web itself, as organized by Google, can present a collection of extremely personal information. If you don’t want anyone to be able to find your personal blog, discussion forum posts, and other personal information, don’t use your real name, and don’t give your primary e-mail address. Another aspect of your privacy is the privacy of communication. An old piece of advice about e-mail still holds true today: don’t send anything through e-mail you couldn’t stand seeing in tomorrow’s paper. If you want to secure the information, encrypt it before you send it. A basic guide to personal encryption can be found in our previous article on the subject.
The internet is a great resource for privacy news, tips, and information. From Privacy Tools, to Online Privacy for Kids – the information is out there, waiting for you to discover it. As a teacher, you are responsible not only for your own privacy, but – if using computers and the internet in the classroom – also for your students’ privacy. Teaching them not to divulge unnecessary information, and protecting their identity online, is the first step towards their, and your, online privacy.
Posted on October 26, 2005 at 12:21 PM in Information Security
Open Sesame
Choosing the Right Password
By: Eric Durrand
In the online world, your most valuable possessions are often protected by nothing more than a password. Online banking, shopping, E-mail, and other services identify you by your account username and password – making it an important, if not the only, line of defense against hackers trying to access your account.
But how secure is your password? It may surprise you to know that password cracking tools, which are available online for free, can crack most passwords in less than a second! You may already know that you shouldn’t use your spouse’s birthdate, your Social Security number, or any personal information that might be on public record. But today’s hackers have sophisticated tools at their disposal, including “dictionary crackers”: tools that try every combination of words, names, and numbers, often with tens of thousands of words in different languages.
As identity theft becomes more common, your password should be as hard to crack as possible. Following these tips will help you make it practically impregnable:
· Complexity – Your password should be at least 8 characters long (every new character multiplies the time needed for cracking by 96), and include lowercase and capital letters, numbers, and special symbols like @#$~%^&*. It’s also not enough to put just one number or symbol at the end of your password – many cracking tools try that first.
· No Actual Words/Names – If a word appears in any dictionary, no matter in what language, don’t use it in your password. As for names, well – don’t use them either. Dictionary attacks would often try hundreds, even thousands of names to crack a password.
· Don’t Use Strings – Don’t use strings of consecutive numbers like 87654, or letters like ABCDEFG. Don’t use keyboard strings such as QWERTY or LKJHG – the hackers have the same kind of keyboard.
· Choose a Memorable Password – Despite the security limitations, you can still choose a memorable password, and avoid losing it. A common way of doing this is to use acronyms, deliberate misspelling, or substituting symbols for letters. A line from a favorite Beatles song then becomes HJdMiB (“Hey Jude, Don’t Make it Bad”), and Montana becomes M0nt4n@.
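The composition rules above can be written down as a checker. The following is an added example, not code from the original article: it tests a candidate against each rule (length, character classes, the single-trailing-digit pattern, dictionary words, consecutive runs, keyboard runs) and reports the 96-per-character keyspace the article quotes. The word list, the run length of 4, and the sample candidates are constructed for the demonstration; a real checker would load full dictionaries and name lists in several languages.

```python
import re
from typing import List

# Constructed mini word list standing in for the dictionaries and name lists a
# cracker actually uses.
WORDLIST = {"password", "montana", "hello", "secret", "welcome", "letmein",
            "summer", "michael", "jennifer", "school"}

# Keyboard rows; their reverses are checked too, so QWERTY and LKJHG are both caught.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

ALPHABET_SIZE = 96   # the article's figure: each extra character multiplies the work by 96

def keyspace(length: int) -> int:
    """Number of candidates a brute-force cracker must try for a given length."""
    return ALPHABET_SIZE ** length

def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` or more consecutive ascending/descending letters or digits (87654, ABCDEFG)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from a keyboard row in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for pattern in (row, row[::-1]):
            if any(pattern[i:i + run] in s for i in range(len(pattern) - run + 1)):
                return True
    return False

def contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """Literal substring match against the word list (no leet-speak normalisation; see the note below)."""
    s = pw.lower()
    return any(w in s for w in WORDLIST if len(w) >= min_len)

def only_trailing_padding(pw: str) -> bool:
    """True for the 'Password1' shape: letters only, plus a single digit or symbol at the end."""
    return re.fullmatch(r"[A-Za-z]+(?:[0-9]|[^A-Za-z0-9])", pw) is not None

def check_password(pw: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes all of them."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    if only_trailing_padding(pw):
        problems.append("just one digit/symbol appended to letters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word or name")
    if has_sequence(pw):
        problems.append("contains a consecutive run like 87654 or ABCD")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard run like QWERTY")
    return problems

if __name__ == "__main__":
    for candidate in ["Password1", "HJdMiB", "M0nt4n@", "qWerty#9X", "Tk7$gW2!mZ"]:
        print(candidate, "->", check_password(candidate) or "passes all rules")
    print("8-character keyspace:", keyspace(8))
```

The dictionary check is a literal match, exactly as the rules above state it. Cracking tools also try the common substitutions (0 for o, 4 for a, @ for a), so a checker that normalised them before the lookup would flag M0nt4n@ as well; the acronym method (HJdMiB) survives that kind of normalisation, while its length does not survive the first rule.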
After choosing a secure password, you need to make sure it remains hidden. Therefore:
· Keep it Private – Never share your personal password, send it over e-mail, or give it online if you’re not 100% sure the website is genuine.
· Keep it Safe – Even if you’re having difficulty remembering all your different passwords, do not write them down on a piece of paper (and certainly don’t post it under the keyboard – that’s where hackers look first). If you have to store it somewhere outside your head, use a designated password saver like RoboForm, or Network Password Manager.
· Keep it New – A password should be updated every few months – especially one that’s related to financial matters such as an online banking password.
Choosing the right password doesn’t have to be cumbersome, frustrating, or tiring once you get used to a few basic principles, and form your preferred method of creating new passwords. Only once you do that, can you be confident that you have created strong passwords that are hard to break.
Posted on September 28, 2005 at 12:22 PM in Information Security
Encryption for Everyone
Why You Should Encrypt Your Files and E-Mail
By: Eric Durrand
Encryption, the transformation of legible data into illegible ciphertext, has been with us since the time of Julius Caesar, but modern technology has made encryption a household tool. Whether logging into the company’s network using a secure VPN, or purchasing items on a secure SSL e-commerce website, the primary line of defense for precious data is encryption. Personal encryption, however, is not nearly as common as it should be.
Laptops with classified information are often lost or stolen, personal computers are invaded by hackers, and personal documents often reach prying hands. E-mail, which has become a primary medium of business and personal communication, is an inherently vulnerable medium. Every unencrypted message sent can easily be read by your ISP, or by a hacker trying to intercept it. Some experts liken e-mail to a postcard: everyone along the way can read the content effortlessly.
The solution to all these risks is encryption. Encryption tools can help you protect your documents, your e-mail messages, even your Instant Messaging chats; and some of them are probably already at your disposal. Microsoft Outlook, for instance, has a built-in infrastructure for encryption; all you have to do in order to encrypt is purchase an annual Digital certificate subscription (for a few dollars per year) from one of several digital ID providers, and you are ready to go. Those providers include VeriSign, Thawte, Entrust, and RSA Security. When composing a new message in Outlook, simply click the Options button on the toolbar, choose Security Settings, and check both Encrypt Message Content and Attachments, and Add Digital Signature to This Message. If you don’t have a digital signature set up already, Outlook will allow you to purchase one online. A similar process exists in other E-Mail clients.
If you are using Windows 2000 or Windows XP Professional, you have a built-in encryption tool at your disposal. You can choose to encrypt a folder so that no other user on the system can read it. Even if your computer is stolen, or your hard-drive is hacked, the folder will remain encrypted. Just right-click on the folder’s icon, and choose Properties. Click on the Advanced button, and then check Encrypt Contents to Secure Data. Under Windows XP, encrypted folders will show up in green – letting you know that they are protected. Consider, however, that anyone who has access to the computer with your username and password would be able to read them. Also, remember that if you ever lose your password – the data will be lost!
Personal encryption solutions exist, and offer a very good level of protection for individuals. Unfortunately, not many people know about them, or bother to use them. PGP, which stands for Pretty Good Privacy, is a respected encryption algorithm ideal for personal use. In the past, it was published as an open source encryption tool for E-Mail messages. Today it’s developed by the PGP Corporation, which offers several personal encryption tools, including PGP Desktop 9.0, which allows the encryption of files, e-mail messages and attachments, and AOL Instant Messenger communication. Other tools provide whole-disk encryption, file transfer encryption, digital signatures, and more. In the Open Source arena, other algorithms have tried to take PGP’s place, most notably the GNU Privacy Guard (GnuPG) which offers a variety of encryption tools – most of them still too complex to be used by most end-users.
A very friendly E-Mail encryption solution is HushMail.com, which offers free encrypted web-based E-Mail, secure file sharing, and a unique encrypted instant messenger named Hush Messenger. The system uses Open PGP, a technology based on the PGP encryption algorithm. HushMail also offers digital signatures, Secure web-forms, E-mail branding (using HushMail services with your own domain), and Outlook integration.
Whether sending sensitive information by e-mail, or saving it as a document on your PC, the possibility exists that it will be seen by a hacker. Encrypting the information using low-cost tools will make reading it virtually impossible for the average hacker (particularly with 128-bit or stronger encryption). We highly recommend that some form of encryption be applied to sensitive information not only at the organization level, but also at the personal level, for personal files and e-mail messages.
Posted on August 28, 2005 at 11:28 PM in Information Security
The Importance of Backup
Why Your School Can’t Do Without It
By: Eric Durrand
At a big computer expo a few years ago, Microsoft’s founder Bill Gates reportedly compared the computer industry with the auto industry by stating: "If GM had kept up with technology like the computer industry has, we would all be driving $25 cars that got 1000 miles to the gallon." According to the urban legend (which, unfortunately, is not true), GM came out with a press release replying that that might very well be true, but cars would also crash twice a day for no reason whatsoever, or shut down and refuse to start, forcing you to re-install the engine.
This story is meant to be a joke, but there is some truth behind it. Since the early days of computing, bugs, malfunctions and glitches were the rule – not the exception. The reason lies in the unparalleled complexity of computers, and in the way even the smallest human errors, in usage or design, can have undesirable results, primarily loss of important data.
Despite the inherent risks, our reliance on computers, as a society, has increased over time. From the stock markets and other businesses to schools, almost everyone in the modern world relies on computers for communication, research, storage, and business transactions. Teachers use computers to write assignments, to manage attendance lists and grades, to research class materials, and to communicate with students and other teachers. Many schools manage their student base, their library, and their financials on one or more computer systems.
Various factors can cause data loss, among them computer viruses and Trojans, human errors, electrical problems, normal hard-drive wear and tear, manufacturing defects, software bugs, network hacking (whether mischievous or criminal), and natural disasters like earthquakes, fire, or flood.
Imagine a scary, but possible scenario: you arrive at your office in the morning only to find that all your documents, and all your e-mail messages were destroyed by a new virus. The school is in shambles, because that same virus deleted the computerized grading system, the library collection, and the school’s main contact list! You want to call help, but you can’t find the number. In the meantime, teachers are hysterical, after losing their lesson plans for the entire year! Some of it may be salvageable, parts of it might be lost forever – and either way it’s going to cost a lot of money.
At this point, if you don’t have a backup, your options are few: break down in tears is one of them. Another favorite is praying for a miracle. If you do have a good backup, however, you can solve the problem with little effort and a manageable loss; you’d only lose whatever changed since the last backup.
Good backup takes many forms. Saving files on more than one computer on a network is one simple way. A designated backup server connected to the network can be a quick and relatively inexpensive way to achieve that; setting up a backup server off site is the ideal solution. Tape backup devices are common but more prone to failure. One advantage of using tapes is that they can be removed from the data site and stored in a safe place. Another simple solution, which improves the fault tolerance of hard drives without being a backup solution in itself, is RAID (Redundant Array of Independent Disks): a device acting on a group of drives that allows one or even two disks to fail without any loss of data or downtime. With RAID, replacing a faulty disk often does not require powering off the server.
For fewer, smaller files, there are cheaper, more mobile storage devices. CD-RW burners are virtually standard in new computers, and the media is inexpensive and reliable, and can store up to 800MB on one disk. DVD-RW burners are more expensive, but they offer 4.7GB of space on each disk. Another option is a USB drive. USB drives range in size from a small “Disk-on-Key” that holds up to 1GB and can fit on a keychain, to a full-fledged external hard drive, like the ones sold by Iomega, holding up to 400GB on a single drive.
Another option is to use a remote backup service. Like hosting services, backup service providers usually charge a fixed monthly fee to regularly back up all your data through T1 lines to a remote and secure location. These companies usually offer support and guidance in case of a disaster, and help in the recovery process. Unlike other backup options, the service is transparent to the school and does not require any involvement of the school’s staff.
Some rules of thumb will help you get the most out of your backup. Choose what’s right for your school: the proper backup method depends on how frequently data is updated, the number of machines requiring backup, and the existing network infrastructure. Make sure that all the important data is backed up frequently enough to minimize serious loss in case of a disaster. Back up regularly! Backing up your files once a year equals not backing them up at all. A good rule of thumb is to back up daily all the files that changed (a differential backup) and to perform a full backup weekly that covers all business-critical files.
Keep the media labeled! If you’re using CDs, DVDs, tapes, or any other medium – make sure you know exactly what is stored on each. When that disaster comes, you don’t want to waste any more time than necessary looking for the right files.
Perform random restore tests. Many things can go wrong with backups: a CD can be defective, a file could be missed in the transfer, or the labeling could be wrong. Conducting restore tests will help you pinpoint problems with your backup. A backup that wasn’t tested might not be any good!
Keep the backup media safe! It might sound redundant to say, but the backups are just as sensitive as the original data on your computer. Keep them as safe as the information demands. A big US bank that recently lost two backup tapes containing lists of many of its clients and their financial information can testify to the importance of keeping an eye on your backups.
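The rules of thumb above (daily differential, weekly full, labelled media, random restore tests) can be scripted, and doing so shows why each one matters. The following is an added example, not the article's own code: every backup set carries a manifest (the "label") listing each file's SHA-256, the differential run copies only files whose hash differs from the last full backup, and the restore test re-hashes a random sample against the manifest to expose a bad medium. The school files, the change, and the deliberately corrupted backup copy are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import json
import random
import shutil
import tempfile
from pathlib import Path
from typing import Optional

def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(src: Path) -> dict:
    """Map each file under src (relative path) to its current hash."""
    return {str(p.relative_to(src)): file_hash(p) for p in sorted(src.rglob("*")) if p.is_file()}

def backup(src: Path, dest: Path, label: str, since: Optional[dict] = None) -> dict:
    """Copy files into dest/label and write a manifest there.
    since=None: full backup of everything.
    since=<full manifest>: differential backup of files that are new or whose hash changed."""
    current = snapshot(src)
    base = since["files"] if since else {}
    selected = {rel: h for rel, h in current.items() if base.get(rel) != h}
    target = dest / label
    for rel in selected:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, out)
    manifest = {"label": label, "kind": "full" if since is None else "differential", "files": selected}
    target.mkdir(parents=True, exist_ok=True)
    (target / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def restore_test(dest: Path, manifest: dict, sample_size: int = 3, seed: int = 0) -> list:
    """Re-hash a random sample of the backed-up files against the manifest; return the ones that fail."""
    target = dest / manifest["label"]
    rng = random.Random(seed)
    names = list(manifest["files"])
    sample = rng.sample(names, min(sample_size, len(names)))
    return [rel for rel in sample
            if not (target / rel).exists() or file_hash(target / rel) != manifest["files"][rel]]

def demo() -> dict:
    """Full backup, then a change and a new file, then a differential, then restore tests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest = root / "school", root / "backups"
        src.mkdir()
        dest.mkdir()
        # Constructed sample data standing in for grades, library catalogue and lesson plans.
        (src / "grades.csv").write_text("alice,A\nbob,B\n")
        (src / "library.txt").write_text("book 1\nbook 2\n")
        (src / "lessons").mkdir()
        (src / "lessons" / "week1.txt").write_text("lesson plan\n")
        full = backup(src, dest, "FULL-2005-06-26")
        (src / "grades.csv").write_text("alice,A\nbob,B\ncarol,A\n")   # a changed file
        (src / "contacts.txt").write_text("helpdesk 555-0100\n")        # a new file
        diff = backup(src, dest, "DIFF-2005-06-27", since=full)
        # Simulate a defective medium: one file in the full set no longer matches its manifest.
        (dest / full["label"] / "library.txt").write_text("garbage")
        return {
            "full_count": len(full["files"]),
            "diff_files": sorted(diff["files"]),
            "full_bad": restore_test(dest, full, sample_size=3),
            "diff_bad": restore_test(dest, diff, sample_size=3),
        }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Restoring from a differential set means restoring the last full set first and then the differential on top of it, so the restore test must pass on both; a corrupted file in the weekly full set silently undermines every daily set that depends on it.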
The subject of backup may seem daunting, but it’s no more complicated than any other issue concerning information security. With the right attitude, a careful analysis of the needs, and a smart investment in an appropriate backup solution – a school can rest assured that its data is safe.
Posted on June 26, 2005 at 08:21 PM in Information Security
Something’s Phishy About This
Identity Theft Risks Are Running High
By: Eric Durrand
As the Internet becomes ubiquitous, more of our traditional daily activities take place on the web. We write letters, file our taxes, talk to friends, read the newspaper, shop for books, electronic devices and clothes, and even bank online. As the exposure of our “normal” life to the web increases, so does the risk of identity theft. Schools where teachers and students use computers intensively are especially vulnerable to this kind of threat.
In the context of a school, identity theft might mean a teacher’s username and password being stolen and used to destroy or change class information, or to impersonate the teacher in various ways. Outside the school, the stakes are even higher: it might mean someone stealing your credit card details and using them to make unauthorized purchases, or someone stealing the username and password for your e-mail service, online store, or banking service. It can be used to take away your money, or to commit crimes and frauds in your name. The most common serious identity theft scam is known as phishing.
Phishing, like fishing, uses bait to lure a person into giving away his personal details. It often starts with an e-mail pretending to come from a known service provider (a bank, an internet service provider, a credit card issuer), including a link to a fake website that looks similar or identical to the original and asks you to re-submit your details.
In one of the latest phishing scams, just a few weeks ago, customers of the Bank of Oklahoma were targeted with a message titled “Update your Online Banking Records”. The message linked to a spoofed website designed to look like the authentic one. On that website, the customers were asked to fill in their personal details as well as credit card details, which were then sent to the crooks. During March, another phishing scam message posed as an AOL customer service message, with the title “Credit Card Decline Notice”. The goal of this scam was getting the victim's credit card and bank account information, AOL username/password, and other personal information. Other recent phishing scams targeted customers of eBay, MSN, Washington Mutual Bank, SouthTrust Bank, Huntington Bank, Keybank, and PayPal.
Microsoft, along with Trust-e and RSA Security, summarized the plague of phishing attacks as the "fastest-growing form of online fraud," and the Anti-Phishing Working Group reports a steady rise in the number of phishing scams over the last few months, with an average growth of 28% a month from July 2004 to January 2005. Many companies are trying to reverse this trend by offering anti-phishing solutions for businesses and individuals. Among them are Cyveillance, WebSense, Tumbleweed, Entrust, and MessageLevel.
New phishing scams are occurring almost every day, and at some point you, and others in your school, will receive a bait message. Don’t be fooled! To the educated user, avoiding phishing scams is simple: never trust an e-mail requesting you to send or fill out sensitive personal details online. Companies in general know better, and will call over the phone rather than use the unsecured medium of e-mail as a means of obtaining sensitive information. If you are not certain about a message, ignore the link in the e-mail and use the browser to go directly to the sender company’s website, to find out whether the request was real.
In the future, however, it might not be that simple. Pharming scams are threatening to change that, through a process called DNS poisoning. Instead of sending you a link through e-mail, the “pharmers” work in the background, "poisoning" your local DNS server into redirecting your request somewhere else. The danger here is that you don’t have to click a spoofed link: you might get a spoofed website even by typing in the real URL yourself!
In October 2002, unknown hackers tried to take down 13 high-level DNS servers throughout the world, and actually managed to take down 10 of them. The internet as a whole did not crash, because of deliberate redundancies, but it came close. DNS poisoning is an attempt not to take down the DNS system but to illegally change a record in it. This is done either by posing as a person authorized to make the changes, or by hacking the DNS software.
DNS poisoning attacks have previously hit companies like New York’s ISP Panix, Google, eBay, and Amazon. What it means is that people surfing to those sites were temporarily directed to other sites, and could not reach the original site through its usual URL. Until now, most DNS poisoning attacks didn’t attempt to replace the original site with an imitation one. They didn’t try to steal information from surfers by pretending to be someone they’re not.
But experts are predicting that this day will come, and when pharming scams become rampant, neither the URL nor the actual spoofed website will look any different from the original. To protect themselves from spoofing, more and more websites display a certificate of authenticity from a certificate authority such as VeriSign, Entrust, or Thawte. To make sure the certificate is valid, check that the name and address of the website on the certificate match the one you were trying to reach. If they don’t match, it is better not to give any personal information.
Identity theft is fast becoming a plague that’s costing society as a whole a fortune. An FTC survey estimates that about 9.9 million Americans were victims of identity theft during 2002, with overall losses of $5 billion to consumers, and $48 billion to businesses and financial institutions. All in all, more than $50 billion in damages is caused every year. Protecting yourself and your school from phishing and pharming is a first priority in defending your digital identity against thieves.
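The two checks described above, the link in a bait message that does not lead where it claims, and the certificate whose name must match the site you asked for, are both mechanical enough to automate on the receiving side. The following added example (not code from the original article) does both: `suspicious_links` parses a constructed message in the style of the “Update your Online Banking Records” bait and flags anchors whose real destination is outside the sender's domain or differs from the address the reader sees, and `cert_matches_host` performs the certificate-name comparison on a constructed certificate laid out the way Python's `ssl` module reports one. All domains are placeholders; the "registrable domain" helper is deliberately naive (last two labels) and a production checker would use the public suffix list.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host: str) -> str:
    """Naive 'www.example.com' -> 'example.com' (real code: public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of link text such as 'www.bank.example/login' that lacks a scheme."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url_or_text, re.I):
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).hostname or ""

LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)

def suspicious_links(raw_message: str) -> list:
    """[(href, [reasons])] for links whose real destination is outside the sender's
    domain, is a bare IP, or differs from the site named in the visible text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable(parseaddr(str(msg["From"]))[1].split("@")[-1])
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:                      # relative links, mailto:, empty hrefs
            continue
        reasons = []
        if registrable(href_host) != sender_domain:
            reasons.append(f"destination {href_host} is not under the sender's domain {sender_domain}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            reasons.append("destination is a bare IP address")
        if LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != registrable(href_host):
            reasons.append(f"visible text '{text}' names a different site than the real destination")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed bait message; every domain is a placeholder.
SAMPLE_BAIT = """\
From: "Example Bank Online" <alerts@examplebank.com>
To: teacher@school.example
Subject: Update your Online Banking Records
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details at
<a href="http://examplebank.com.records-update.example.net/login">https://www.examplebank.com/login</a>
or read our <a href="https://www.examplebank.com/help">help page</a>.</p></body></html>
"""

# Constructed certificate in the dict layout ssl.SSLSocket.getpeercert() returns.
EXAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.examplebank.com"),)),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "*.examplebank.com")),
}

def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that replaces only the whole leftmost label (RFC 6125 style)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:   # reject '*.com' and 'w*.example.com'
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """The check the article describes: is the requested site named on the certificate?"""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:   # older certificates carry the name only in the subject's commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(name_matches(n, hostname) for n in names)

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_BAIT):
        print(href, reasons)
    for host in ["login.examplebank.com", "www.examplebank.com.records-update.example.net"]:
        print(host, "->", cert_matches_host(EXAMPLE_CERT, host))
```

The link check catches the e-mail stage of the attack; the certificate check is what remains when pharming makes the URL bar useless, because a poisoned DNS answer can send the browser to the wrong server but cannot give that server a certificate for the real name. Python's `ssl.create_default_context()` performs the same name comparison automatically, and a browser's certificate warning is its user-facing form.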
Posted on May 15, 2005 at 09:04 PM in Information Security

