Archive for December, 2008

Data Doctor Recommends Computrace

Thursday, December 11th, 2008

Ken Colburn (aka the Data Doctor) was on CNN a couple of weeks ago to give some simple advice on protecting your sensitive information if your computer is stolen. The most common mistakes people make that put data at risk on lost laptops, according to Ken, are: not setting a password on the computer, auto-saving usernames and passwords, and leaving sensitive information unprotected by alternate passwords or encryption.

As you can see from the video below, Ken goes on to recommend software that can help make your computer more secure and/or recover it. He recommends LoJack for Laptops / Computrace, as well as other programs listed here.

Thanks Ken for the great coverage!

Also in the news: Microsoft will stop selling its Windows Live OneCare consumer security service and will re-release it as a free download by the end of 2009. They hope this will mean less malware. Speaking of malware, a new trojan came up a couple days ago that can send both Mac & PC users, even with patched software, to impostor websites. Ouch!

Why You Need Absolute Software – Videos

Wednesday, December 10th, 2008

There are four quick videos on YouTube about Absolute Software’s consumer product line, LoJack for Laptops, and corporate product line, Computrace. The videos each go through a common scenario about a missing laptop. This first one examines an all-too-common issue: leaving a laptop in the car.

Whether you’re just running a quick errand or are going to bed for the night, you should never leave your laptop in your car. This practice causes many major data breaches each year. If your corporate laptop does get stolen, you should never be afraid to report that. Letting your IT department know quickly can help recover your laptop, if Computrace was installed, and is important so that steps can be taken to prevent or recover from a data breach.

Yes, Computrace Works on Macs Too!

Tuesday, December 9th, 2008

Although the business world has been primarily PC-oriented for a number of years, Absolute Software has not forgotten the many Mac users out there (like me!). Both Computrace, the corporate product line, and LoJack for Laptops, the consumer product line, are available for both Mac & PC.

A recent article on Dark Reading talks about the widespread use of Computrace for PCs, but the article implies that Computrace would not work on a Mac. The scenario Rob Enderle writes about on DR is about how to secure Barack Obama’s computer, if he chooses to use a Mac. After recommending Computrace for PCs, Enderle tries to come up with an alternative for the Mac, but ends up with something that “isn’t as comprehensive as Absolute.” Thankfully, we can simply recommend the Mac version of Computrace! Computrace works on Mac OSX 10.3, 10.4 and 10.5.

After the Computrace product is installed, the customer uses Absolute via a secure web-based Customer Center. PC and Mac users, therefore, have the same experience. The only exception is that the Mac does not support the recently released GPS tracking feature in Computrace.

Some computers, currently only PCs, come with Computrace at the BIOS level as well. Perhaps this is where the Dark Reading confusion came in. But regardless, if you want to protect and recover your computer – PC or Mac – then Absolute Software has a product just right for you!

Learn more about Computrace here and LoJack for Laptops here.

Making Security Training Interesting

Monday, December 8th, 2008

SANS Internet Storm Center’s Lenny Zeltser put together an article that caught my attention for being both accurate and blunt: “Security Awareness Training Is Boring.”

So true, and perhaps why it’s not kept up, or is completely ignored. And when something is ignored, it’s a good time to shake it up. We’ve offered some suggestions in the past for being creative in training methods.

Lenny put together some ideas for shaking things up in the security training department: doing things that are unusual and personally relevant so that employees remember them. Ideas include making a “commercial” style interruption during another meeting, one that reminds employees of security issues. Rewarding employees for reporting unsafe IT practices anonymously can work, and has been suggested in many articles. Also, “bribes” like food at security meetings can help bolster attendance.

And you can integrate funny videos like this one, “The Duhs of Security,” created by the Virginia Government:

The SANS article references another great article written by Marcus Ranum entitled “The Six Dumbest Ideas in Computer Security”. Worth a read.

Less than 2% of All PCs are Fully Patched

Friday, December 5th, 2008

Secunia has followed up on a survey done one year ago to see if PCs are any more secure this year than last. The data was collected from 20,000 new users of their software in the period of a week, mirroring the same sample from a year previous. The software is thus able to give a snapshot of how many installed programs are “secure” or “patched.”

Based on the data, PCs are more insecure than they were last year. Only 1.91% of PCs scanned could claim to have fully secure / patched programs. The rest were not running the latest (and most secure) version of software available on at least one program.

  • 0 Insecure Programs: 1.91% of PCs
  • 1-5 Insecure Programs: 30.27% of PCs
  • 6-10 Insecure Programs: 25.07% of PCs
  • 11+ Insecure Programs: 45.76% of PCs

Quite scary that nearly half of those 20,000 PCs had 11 or more programs unpatched! Leaving programs unpatched makes them targets for hackers, which can lead to data leaks if the holes are not closed. Mainstream programs like Microsoft Office, Adobe Flash and browsers are major targets for hackers.

So, perhaps now is a time to run your security updates? On PC and Mac, most programs can be updated automatically, or all together. In a few instances, you may need to ‘check for updates’ in individual programs. Of course, in a corporate environment, where you’re dealing with hundreds or thousands of computers, you need a way to manage this at once. Absolute’s asset tracking can help inventory what software and patches are installed, but other strategies (including Secunia PSI) can supplement in rolling out updates regularly.

Via security focus

Choosing a Strong Password

Thursday, December 4th, 2008

Bruce Schneier put together a good article for The Guardian about choosing a strong password. Passwords are a huge security issue for businesses, as this report indicated.

Though the most common password used in a 2007 survey was “password”, not much has improved for 2008: the most common password is now “password1”. In order to describe what makes a “good” password, Schneier describes how programs are used to hack passwords. These programs are sophisticated, testing hundreds of thousands of passwords per second in an intelligent pattern.

The password-hacking programs will try the most likely passwords first, then will move on to typical password combinations of root+appendage (or prefix). Something like “nachos123”, for example. There are common number and letter sequences that people use to prefix or suffix common words. 24% of all passwords can be cracked with the first 100,000 combinations of these options. The password program will try different dictionaries, will replace letters with common symbols such as “@” for “a”, etc. Running all of these combinations, which could take weeks, will break two thirds of all passwords.

If the hacking program is fed personal information about you, like the name of a pet, birth date, or postal code, the effectiveness shoots straight up. If you save your password anywhere on your computer memory, including browser-recalled passwords, it can track them down.

So, how do you choose a good password?

Bruce Schneier recommends a password creation process that will turn a sentence into a password. His example was:

“This little piggy went to market” ===> “tlpWENT2m”

This way, you choose a sentence that is meaningful to you, and also choose your own method of code to break it down into a more secure character string. Once you have a password, don’t write it anywhere or use it for multiple applications. If you fear you won’t recall your password, write it down and keep it somewhere more secure, like in your wallet. If you can avoid writing the exact password, write the un-abbreviated sentence or a hint instead. You can also use a program such as Password Safe (free) to create an encrypted username / password list and a single Master Password.
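The guessing order described above (likely words, then root plus appendage, then symbol substitutions, then personal details) can be turned around into a check that runs when a password is chosen. This is an added example, not code from Schneier's article or from this blog; the word list, the substitution table and the `find_weak_root` name are illustrative assumptions.

```python
# Constructed sample word list (assumption): a real check would load a full
# dictionary and a list of passwords seen in past breaches.
COMMON_ROOTS = {"password", "nachos", "letmein", "dragon", "monkey", "welcome"}

# Symbol-for-letter swaps of the kind the post mentions ("@" for "a", etc.).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Longest run of digits/symbols treated as a prefix or suffix appendage.
MAX_APPENDAGE = 6


def find_weak_root(password, personal_terms=()):
    """Return the dictionary root a password reduces to, or None.

    A password is flagged when, after removing a short non-letter prefix
    and/or suffix and undoing common symbol swaps, what remains is a
    common word or one of the user's own personal terms (pet name,
    birth date, postal code).
    """
    roots = COMMON_ROOTS | {t.lower() for t in personal_terms}
    pw = password.lower()
    for pre in range(MAX_APPENDAGE + 1):
        for suf in range(MAX_APPENDAGE + 1):
            if pre + suf >= len(pw):
                continue  # nothing left to act as the root
            head, core, tail = pw[:pre], pw[pre:len(pw) - suf], pw[len(pw) - suf:]
            if any(c.isalpha() for c in head + tail):
                continue  # appendages are digits and symbols only
            for candidate in (core, core.translate(LEET)):
                if candidate in roots:
                    return candidate
    return None


if __name__ == "__main__":
    for pw in ("password1", "nachos123", "P@ssw0rd!", "tlpWENT2m"):
        print(pw, "->", find_weak_root(pw) or "no dictionary root found")
    print("Rex2008! ->", find_weak_root("Rex2008!", personal_terms=["Rex"]))
```

A `None` result only means the password is outside this small pattern set, not that it is strong; length and reuse still need their own checks.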

Continue reading this post about choosing strong passwords.


Lenovo to Ship Notebooks with Computrace® for Intel Anti-Theft PC Protection

Tuesday, December 2nd, 2008

Absolute Software announced today that its Computrace product will be built into the hardware level of select Lenovo ThinkPad T400 notebooks, the first notebooks to ship with support for Intel’s Anti-Theft PC Protection and Computrace built right in. The new products will be available starting in December.

Select Lenovo ThinkPad T400 notebook computers will ship with Absolute Computrace and Intel Anti-Theft PC Protection “ready”, needing only to be activated by companies’ IT departments. The Anti-Theft PC Protection extends the capabilities of Computrace. For example, if a computer does not “check in” with the Absolute Monitoring Center within a specified time period, the notebook can automatically lock down. That would make it unusable, unless unlocked by an authorized user. Additionally, if a notebook is lost or stolen, data can be deleted remotely and the lock down can happen automatically when the computer “checks in”.

“Absolute is excited to work with industry leaders to further drive anti-theft technologies into the marketplace – ensuring that joint Absolute, Intel and Lenovo customers have a secure computing experience,” – John Livingston, CEO of Absolute Software.

Computrace was previously made available in Lenovo ThinkPad T43 notebooks at the BIOS level, so that the security services could not be removed by simply reformatting or replacing the hard drive.

Continue reading the press release here.

Starbucks Data Breach Mirrors that of 2006

Tuesday, December 2nd, 2008

Who Breached: Starbucks
Number Affected: 97,000
Information breached: Social Security Numbers
How: stolen laptop

Starbucks Corp. confirmed this week that a laptop containing the information of 97,000 employees was stolen.

A Starbucks laptop containing names, addresses and Social Security Numbers was stolen on October 29th. It is not clear if the laptop was protected in any way, or how it was stolen.

In 2006, Starbucks reported the theft of four laptop computers, so it is sad that such an issue would again come to light. In 2006, the breach affected 60,000 Starbucks employees / partners. Although the Starbucks statement to employees, after this most recent breach, indicates that the company is taking steps to protect data, including encryption, one would hope that those steps would have occurred in the 2-year period since the last breach. A copy of the letter sent to affected Starbucks employees can be found here.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute.

Other major data breaches for November, 2008:

  • Luxottica Group, 59,000+ affected, hacker
  • University of Florida College of Dentistry, 344,000+, compromised server
  • Christus Health Care, thousands, stolen backup tapes
  • Harvard Law School, 21,000, lost backup tapes
  • North Carolina Division of Aging and Adult Services, 85,000+, lost laptop
  • Baylor Health Care System Inc., 100,000, stolen laptop
  • Arizona Department of Economic Security, 40,000, stolen hard drives

And in other news…

In a very strong statement, Canada’s Privacy Commissioner Jennifer Stoddart called Canada to shame for inaction on cybercrime. Stoddart called it an “embarrassment” that Canada does not protect the rights of individuals with provisions such as anti-spam legislation, strong identity theft legislation, or mandatory data breach provisions. Read more about this here.

Via datalossdb

IT Spending on the Rise

Monday, December 1st, 2008

In follow-up to our previous post about the economic impact to IT budgets for 2009, and the second post about the budget impacting the education sector, a new study by the Computing Technology Industry Association indicates that IT spending in the UK will increase next year for small and medium sized businesses.

As with the Global State of Information Security report highlighted here, which shows that 44% of those surveyed would be increasing information security spending, this new study indicates that 51% of small and medium-sized businesses plan to increase their tech spending by 10% or more in the next 12 months. This growth in spending is lower than in the previous year, but the proportion of those decreasing or keeping flat their budgets is still low.

“In the past, tech spending might have been one of the first line items slashed in a tough economy. Today, SMBs are savvier because they rely on technology for an increasing amount of their core business operations. It’s encouraging to see that the majority of SMBs plan to maintain, if not increase, current tech spending during this time of economic uncertainty.” – Todd Thibodeaux, president and chief executive officer, CompTIA

Overall, SMBs continue to remain optimistic about business growth, despite the current economic instability in the UK and around the world.

Another very interesting article on CSO Online is encouraging colleges and universities to step up and include more IT security education for students planning on going into IT. And in terms of “stepping up”, an article in the Vancouver Sun recently also talked about social media and how companies should take stock of what’s being used and how to embrace it, rather than ignore or ban it (which, while also not effective, poses a security risk).

Via VNUNet
