Wednesday, January 6, 2010

Security reality check: user error

This could just as easily be any Windows or Linux user as well. I've summarized the original article by highlighting the "user errors" ... I leave it as an exercise for the student to go read the full article to get the solutions.

[Mac] Security reality check: user error
By Rich Mogull, Macworld
January 05, 2010 04:02 PM ET

Some security problems are due to user error (or user laziness). It's not that hard to practice good system security on your Mac [ASF note: for Windows and Linux users: everywhere you see "your Mac" just read it as "your computer" -- it applies regardless of your OS-of-choice]. But a surprising number of people--including some who should know better--don't. Here are some basic tips on practicing safe computing.

Poor passwords

The Threat A few months ago a close friend called me. A criminal was posing as him, passing bad checks, transferring funds out of bank accounts, and changing passwords. Fortunately, the nefarious activity was discovered early, and my friend worked with his banks and other providers to stop the attack and recover the lost funds. Piecing together what happened, I discovered the root problem: my friend had been using the same single password for most of his banks, e-mail, and other online services.


What You Can Do Use a password management tool like ... [ASF note: article recommends a Mac-only solution. I use LastPass online with a LONG passphrase (and I don't use it for my banking or credit-card passwords) and YAPS, Yet Another Password Safe on my Palm phone, but I recommend using whatever fits YOUR personal phone/PDA-and-computer needs. Ask me if you need recommendations.]

Sharing too much

The Threat Out of the box, new Macs expose few network services, and file sharing is disabled. But many power users quickly expose these services and turn on sharing, opening themselves up to potential exposure over the network. [ASF note: also true of Windows "Power Users". Know what you're doing before you enable services on Internet-exposed computers. Read the article for more.]
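The quickest way to find out what you have "opened up" is to list the sockets that are listening on an address other than loopback. The script below is an added example, not part of the Macworld article or the ASF notes: it filters listener lines in the column layout of `ss -H -ltn` on Linux (State Recv-Q Send-Q Local:Port Peer:Port) and prints only the ones reachable from the network. The sample lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: list TCP listeners that are bound to something other than a
# loopback address (127/8 or ::1), i.e. services other hosts can reach.
# Input layout assumed: `ss -H -ltn` on Linux, local address:port in column 4.
# On macOS, `lsof -nP -iTCP -sTCP:LISTEN` puts the address in column 9; change
# $4 to $9 in the awk program to use that instead.

exposed_listeners() {
    # Print "port address" for each listener not bound to 127/8 or [::1].
    awk '{
        if (match($4, /:[0-9]+$/) == 0) next;   # no trailing port: skip the line
        port = substr($4, RSTART + 1);
        addr = substr($4, 1, RSTART - 1);       # "0.0.0.0", "*", "[::]", "127.0.0.1"
        if (addr ~ /^127\./ || addr == "[::1]") next;
        print port, addr;
    }'
}

# Constructed sample of ss output: cups on loopback, ssh on all IPv4
# addresses, SMB on "*", postgres on IPv6 loopback, AFP on all IPv6 addresses.
SAMPLE='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:445 *:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 [::]:548 [::]:*'

# count_exposed: number of network-reachable listeners in SAMPLE (3 here).
count_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

# Live use:  ss -H -ltn | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

Anything this prints on a laptop that travels to coffee-shop Wi-Fi deserves a second look: either it should be bound to 127.0.0.1, turned off, or blocked by the host firewall. UDP listeners (`ss -H -lun`) are worth the same check.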

Unencrypted personal data

The Threat If bad guys gain access to your Mac itself--whether over your Internet connection or by physically possessing your Mac--they can possess all your crucial personal information--credit card, Social Security or Tax ID numbers, account passwords and so on.

Financial management software, plain-text password cheat-sheets, and e-mail messages are all ripe sources of confidential information. They're the first things any attacker will seek out when he gains access to your Mac. If he finds what he wants, the effects can be costly and long-lasting. This is a case where the risk is low, but the potential cost is so high that precautions are worthwhile.

What You Can Do [ASF note: article is very Mac-specific. Windows users should (a) use a password manager to encrypt things like SSNs and (b) use disk encryption like TrueCrypt, which works for Mac, Windows, and Linux computers. Do NOT store passwords in plain-text files, spreadsheets, or email folders. My laptop's datafiles are all encrypted using TrueCrypt.]

No backups

The Threat There are plenty of ways bad guys can destroy your data; it's not that hard to accidentally do it yourself. While losing applications or rebuilding a system is painful, losing something irreplaceable like all your family photos is the digital equivalent of your house burning down. So the most important thing you can do to keep your data safe is to back it up regularly.

... [ASF note: my primary laptop hard-drive failed a few months ago. I was backed up to both local copies and a remote backup, so I lost nothing except the time it took to re-install my software and recover my data.]
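The recovery described in the note only worked because the backups were actually restorable. The script below is an added example (not from the article or the ASF notes) of making the restore test part of the backup routine: it archives a directory, writes a SHA-256 manifest of what went in, restores the archive into a scratch directory and checks every file against the manifest. It assumes POSIX sh, tar, find and sha256sum (or shasum on macOS); the sample files and the corrupted-archive scenario in `demo` are constructed by the script.

```shell
#!/bin/sh
# Added example: backup with a checksum manifest plus a test restore.
# An archive nobody has ever restored from is not yet a backup.

set -u

hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# make_backup SRC DEST: write DEST/MANIFEST.sha256 and DEST/backup.tar.
make_backup() {
    src=$1; dest=$2
    mkdir -p "$dest"
    ( cd "$src" && find . -type f | sort | while IFS= read -r f; do hash_cmd "$f"; done ) \
        > "$dest/MANIFEST.sha256"
    tar -C "$src" -cf "$dest/backup.tar" .
}

# verify_backup DEST: restore the archive into a fresh directory and check
# every file against the manifest. Returns 0 only if all of them match.
verify_backup() {
    dest=$(cd "$1" && pwd)
    restore=$(mktemp -d)
    if tar -C "$restore" -xf "$dest/backup.tar" \
       && ( cd "$restore" && hash_cmd -c "$dest/MANIFEST.sha256" >/dev/null 2>&1 ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$restore"
    return $rc
}

# demo: back up a small constructed tree, verify it, then overwrite one byte
# of file data inside the archive and confirm verification now fails.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/photos"
    printf 'family photo bytes\n' > "$work/data/photos/2009-12.jpg"
    printf 'tax return 2009\n'   > "$work/data/taxes.txt"
    make_backup "$work/data" "$work/backup"  || { rm -rf "$work"; return 1; }
    verify_backup "$work/backup"             || { rm -rf "$work"; return 1; }
    # tar stores file contents verbatim, so locate the data and flip a byte.
    off=$(grep -aob 'tax return' "$work/backup/backup.tar" | head -n 1 | cut -d: -f1)
    printf 'X' | dd of="$work/backup/backup.tar" bs=1 seek="$off" conv=notrunc 2>/dev/null
    if verify_backup "$work/backup"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

demo && echo "backup verified; corruption detected"
```

Keep the manifest with the backup, and run `verify_backup` on the remote copy too, not only the local one: silent corruption on the disk you never read from is exactly the failure a restore test is meant to catch.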

Risky downloads

The Threat While there is virtually no malicious software for Macs circulating in the wild, what little Mac malware we do see is almost always hidden in illegitimate software. [ASF note: also true for Windows users.]

Right now, the most common source of Mac trojans is pirated software downloaded from the Net. ...

The next most common sources of infection are sites that ask you to download new QuickTime plugins or special applications to look at pictures or videos of people in various states of undress.

Lastly, we do sometimes see trojans planted in free software, especially gambling software and simple games. These, like the other trojans, tend to appear on less-popular sites or online forums.

What You Can Do Use your common sense. Don't try to find free copies of commercial programs. Don't download random QuickTime plugins or video viewers unless you know, with absolute certainty, that the source is legitimate. When downloading software, avoid forums or sources that are off the beaten track. If there's any doubt about a program, do a quick online search for it and see if it also appears on more mainstream download sites.


Antisocial networking

The Threat If the Internet is the Wild West of the digital world, social networking sites are the seedy saloons.

Criminals love social networking sites; they're cross-platform, based on trust, and often full of security flaws. We've seen social networking worms propagating through friends lists, attackers stealing contact e-mails for spam, fake advertisements, and direct browser attacks to take over systems. And once you start installing widgets and applications on a social site, you are essentially allowing arbitrary programs to run inside your browser with full access to your information.

What You Can Do When posting information on a social networking site, don't put anything up there that you wouldn't want the whole world to see. Also carefully consider the applications you allow the site to install--especially on Facebook, where you can't always control the information an application accesses. ... [ASF note: more advice in the article.]

Peer-to-peer sharing

The Threat Peer-to-peer (P2P) file-sharing can be a great way to distribute or download large files. But researchers have found reams of sensitive information on P2P networks. For example, there have been cases of public employees placing sensitive legal and government documents on home computers that were also running P2P software; those files turned up on the P2P networks. In my own research, I've seen everything from tax returns to scans of passports.

It isn't that P2P file-sharing itself is evil (despite what the recording and motion picture industries might claim). It's just that it's all too easy to inadvertently share things you shouldn't.

What You Can Do If you use P2P services, ... [ASF note: DON'T use P2P, especially on business computers, including computers you connect from home to the company network. If you use P2P on your home computer, do it in a "Virtual Machine" that only exposes your music or other shared files but doesn't have access to your taxes, checkbook, documents, or email. Call me if you need help with this.]
