Threats come in all shapes and sizes, but all of them can, ultimately, cause damage to an organization <sic>

And earlier tonight I’ve been involved in another Facebook chat about security with a friend that I thought would know better. If anything though, his initial re-post of a bit of Facebook spam has at least done something. It’s caused me to jump in on the thread and put over my point of view.

Am I right?

I think so.

But what say you? Should security be a one off concern or an ongoing one? And let me be clear here … I’m talking essentially about cyber or online security but equally this applies to the real world as well. Would you go on holiday and leave your house unlocked? No, so why then allow the world to see your high jinks on places like Facebook?

And I’m not picking on Facebook here.

Far from it. Any social network or publicly accessible forum needs to be treated with the appropriate caution. If you want a place to unburden or unload your frustrations then either make sure it’s private or you are anonymous – or as anonymous as being on the internet allows you to be.

I have ways I do that if needed but have never yet felt the need.

So proactive or reactive – which are you?

Ongoing Security is a post from: Church Techy

A time saver – for the end user if not for the creator.

They originated in car manufacturing back in 1994, but in the last few years they’ve become much more available – from the giant building size codes visible from space via company’s such as Blue Marble to QR codes on your business cards. The key thing about them is the amount of data the code can hold is more than a simple one visible line.

They are being used in education – in sales – in marketing – in … well you get the idea. If you can think of somewhere then it’s likely a QR code could be used.

And therein also lies a problem.

As we become more and more used to them and in some cases even dependent on them then so the bad guys will use them.

Consider how easily we accept QR codes as benign and just scan them in.

(The following taken from the Optimal Security blog)

•  Malicious URLs are at all time highs – from Q2 2011 to Q4 2011 they are up an additional 89%
• QR scanning growth is exploding – the Mobile Barcode Trend Report provides interesting statics:
  o Active users of QR codes is up 525%
  o Average number of scans per code is up 39%
• Mobile Marketer reports QR code scanning is up 4,549%
•  It’s easy for anyone to create a QR code with any kind of content
•  Mobile devices such as iPhones and Androids out of the box are poorly equipped to deal with filtering QR codes and their underlying URLs
•   Malicious QR codes are already in use and are making money for the bad guys. It is a certainty that the use of malicious QR codes will expand.

When you consider the explosive use of QR codes then have we, the techs, kept up with educating the end users of possible dangers?

Are all of us techs aware that we can equip our smart devices with 3rd party scanning tools that we would natively install on our desltops?

Or how about getting the tech industry to only release apps that pre-emptively pre-scan and advise us of what the URL(s) we are about to visit are? As it happens, Google Goggles does this and is one of a very few that do.

QR Codes – good, bad or ugly?

QR Codes is a post from: Church Techy

I freely admit I don’t know everything, buy then Google is only a web connection away and most of what they require is relatively easy stuff. Things like my mouse is not working – or my screen is an odd size – or I have no power and so on.

But today’s phonecall was not one I was expecting – or rather it started as and eMail. The main contact there sent me an email with a subject matter of “XP Arrrrrrrrrrr” – which I took to be the start of an ‘I hate XP eMail’. But no, read out the second word of that subject and you get a word commonly associated to pirates.

As in the swashbuckling adventure types.

And not as in the hacker types.

Knowing that all the PCs in the Church have a valid license and even to the point where they have spare capacity I was very surprised to hear that one of the recently rebuilt PCs was coming up saying it was “Windows XP Pirate Edition”.

And I was even more surprised when I turned up to check to find this is indeed the case.

Well apart from the moral implications there are all sorts of issues such as security of the network, etc that now come into play so I have immediately quarantined the box until such a time as I can investigate it and rebuild it.

However, I do know how it happened. I’d asked one of the newer church members (who’s into IT) to rebuild it as I was too busy to do it myself. I’d even said not to worry about the license key as my church contact had that and could supply it when required.

Lesson learnt:

1. find the time
2. sometimes trusting others doesn’t work

One can pray for help. One can even trust that help.

But it doesn’t always work out.

OS Pirates is a post from: Church Techy

In fact long before it got commercialised.

However one of the things it was never easy to do with PGP was encrypt what I’ll call ad-hoc communications and web based email. So trying to encrypt IM conversations or facebook messages or … well you take your pick of what … was just a nightmare that required complicated hoop jumping measures or specific client software.

Now encipher.it have come out with a simple, effective and strong method for doing all of the above and more.

Simply visit the site, bookmark the link they point you at (a bit of javascript) and when you need to encrypt your webmail simply create your email as normal but prior to sending click the javascript link, enter your chosen encryption key which can be as simple or as complicated as you like and your text become garbage to all intents and purposes.

So an email that says:

This is a test

becomes:

 This message is encrypted. Visit https://encipher.it to learn how to deal with it.

EnCt2a24aebb4948433aa3bdae40c2dbccc2ad02f3c7fa24aebb4948433aa3bdae40cbE6vPop02QB
S7uL3kk5hgkVFeK0UnVYQronPlg6z10g=IwEmS

The only other thing you need to organise is getting the encryption key to the person at the other end.

And as for security, well all the processing is done locally in your browser.

Sorted.

Encrypted Webmail is a post from: Church Techy

And I have good reason to do so.

But what about your website? Do you ever consider backing up that? What if it your web hoster had major issues or even went into receivership? How would you rebuild your site elsewhere?

More specifically, how would you do it quickly?

Well if your site happens to run from a cpanel account then let me introduce SiteAutoBackup to you. You simply provide your cpanel details, set a schedule and it does the rest. Should the worst happen and you need to restore then you simply download the most recent backup file and provide it to your hoster (or new one) and they restore and suddenly your site is back up and running.

Unfortunately they no longer do a free 1Gb account but they do a 1Gb account for $20 a year or a 5Gb one for $50. And occasionally they even put sales on where you can get a 5Gb account at a permanent reduced price.

Backup Your cPanel Site is a post from: Church Techy

Well I for one have long sung the merits of needing strong passwords and tear my hair out when family and friends wonder why their PC security [ha] has been breached. Translate this attitude into the Corporate world and it isn’t hard to imagine that your data isn’t guaranteed to be safe.

That said, these things will make geeks in charge get very twitchy about protecting their systems – and rightly so.

So when I or acknowledged security experts tell you to choose a long, complicated & secure password then you will sit up and listen. Won’t you?

And that password will contain numbers and punctuation (if the website or application allows them) as well as letters in BOTH cases. Furthermore that password will consist of 10 or more digits. Finally that password won’t include a recognisable word, will it? Why? Well it’s a simple matter of mathmatics really. A password which consists of only letters drawn from a 26-character pool (a-z) is so much easier to crack than if the range of characters is 52 (a-z and A-Z) or 62 (including digits too). Then add punctuation and the combinations go astronomical.

So have you ever wondered how secure your favourite password is then wander over here: howsecureismypassword.net and as you type, the indicator is updated after every character to tell you, approximately, how long a desktop PC would typically take to crack it.

Worried yet?

But before you go all mental trying to follow my rules take some heart. I have one standard password I use on websites where I don’t care if my ID gets taken over or lost. Places such as forums or blogs that require a login before I can leave a comment – this does make life easier but that standard password is crackable in 87yrs according to the above website. But one of my typical 14 character passwords will take 32 Billion years to crack.

Take away one punctuation mark and that same password becomes breakabl ein 87 days – so it’s simple. Add some punctuation.

Now, how secure is your password?

How Secure Is Your Password is a post from: Church Techy

One is a simple, register, download app, run and use whilst the other takes a little more effort and knowledge. However the reality is that they both allow you to “place files” into a cloud based storage and access or have them accessed by others from a remote location.

So why would or should you go for one rather than the other?

In my opinion there are two main reasons.

1. One works out cheaper if you go beyond the free 2Gb offered (though there are ways to up this for free)
2. And one of them has zero access to your files and all security is in your control.

In both cases that company is SpiderOak and a third possible reason to use them over Dropbox is that you can share any folder or file on your computer without having to first put it in a special area.

The security aspect is an interesting one. On a day to day basis most of us will never have to worry about the security of either of these ‘apps’. However there are some subtle differences that may want you to re-think which you’d use. Dropbox can’t directly access your files but can see the file names for ‘support purposes‘ and your password can be reset online via the web interface. This also means any employee can reset it and allow access to various authorities.

If you’re ok with this then use away.

For my part I have nothing to hide, but I do feel very uneasy that just about anyone can be granted access to my data without my knowledge. Consequently, SpiderOak is all about making us the user responsible for security. The password can only be changed from the desktop app, its encrypted with your own key and the password is only stored on your PC. This doesn’t make it foolproof but it does mean you should be aware of any one wanting access … even if that is via an early morning stinger battering ram.

Don’t get me wrong. Dropbox is a great tool but I have reservations.

What about you?

What online file sync tool do you use?

Online File Sync is a post from: Church Techy

The three I think of are what I call the 3 areas or zones of internet safety.

1. Digital Citizenship
2. Digital Footprint
3. Online Risks

For digital citizenship I think in terms of  our online social behavior and skills or empowerment; support and advancement of causes; online law; online security; etc.

For digital footprint I consider issues of privacy; what goes online stays online; one’s online reputation; etc.

And for online risks the ares I consider would include online bullying; sexting; virus; malware; etc.

• Do you think about internet safety?
• Have I missed any areas / zones?
• Am I being too  simplistic with my 3 step view?

Three Zones of Internet Safety is a post from: Church Techy