August 7, 2008

CLLB Information Security Newsletter August 2008

NEWSLETTER

AUGUST 2008 Volume 1, Issue 4
Firewalls
From the Desk of David Badertscher

What is a firewall and why should I use one?

A firewall is a software program or hardware device that filters the inbound and outbound traffic between your network or computer and the Internet. Firewalls add a layer of protection by blocking unauthorized and potentially dangerous data from entering your computer or network. Firewalls are especially critical for users who have an “always on” connection to the Internet.

Some users may think that data residing on their computer is not valuable and therefore a firewall is not necessary. However, even small pieces of information can be obtained by the hacker and used to steal identities and other personal data. In addition, hackers may be interested in taking over your computer to store illegal materials or launch other attacks that can leave a trail back to your computer. Once a hacker gets access to your computer, the intruder may have access to resources and data stored on your machine.

What does a firewall protect me from?

Firewalls can help protect your data and computer by blocking the following:

• unsolicited traffic/malware from coming into your computer or network
• traffic from known malicious computers
• specific traffic you don’t want leaving your computer or network
• programs, protocols and ports that you specify
• attempts to access or attack your computer

Firewalls can also log activity, and these logs should be reviewed periodically to identify any anomalous or unexpected activity.
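One way to carry out this periodic log review, shown as an added example that is not part of the original newsletter. It assumes the space-separated `#Fields:` layout that the Windows Firewall log (pfirewall.log) uses; the sample lines are constructed, and the function names and the scan threshold are hypothetical choices for illustration.

```python
from collections import defaultdict

# Constructed sample (documentation-range addresses) in the space-separated
# "#Fields:" layout used by the Windows Firewall log (pfirewall.log).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-08-01 10:15:02 DROP TCP 203.0.113.7 192.168.1.10 4431 135 48 S 1234 0 65535 - - - RECEIVE
2008-08-01 10:15:02 DROP TCP 203.0.113.7 192.168.1.10 4432 139 48 S 1235 0 65535 - - - RECEIVE
2008-08-01 10:15:03 DROP TCP 203.0.113.7 192.168.1.10 4433 445 48 S 1236 0 65535 - - - RECEIVE
2008-08-01 10:15:03 DROP TCP 203.0.113.7 192.168.1.10 4434 1433 48 S 1237 0 65535 - - - RECEIVE
2008-08-01 10:15:04 DROP TCP 203.0.113.7 192.168.1.10 4435 3389 48 S 1238 0 65535 - - - RECEIVE
2008-08-01 10:16:10 ALLOW TCP 192.168.1.10 192.0.2.80 1050 80 - - - - - - - - SEND
2008-08-01 10:17:40 DROP ICMP 192.0.2.55 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2008-08-01 10:18:05 DROP TCP 198.51.100.20 192.168.1.10 2201 445 48 S 9001 0 65535 - - - RECEIVE
2008-08-01 10:18:08 DROP TCP 198.51.100.20 192.168.1.10 2201 445 48 S 9001 0 65535 - - - RECEIVE
2008-08-01 10:20:00 DROP TCP 203.0.113.7
"""


def parse_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # data before any header cannot be interpreted
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated line, e.g. the log was cut off mid-write
        yield dict(zip(fields, parts))


def summarize_drops(entries, scan_threshold=4):
    """Group blocked traffic by source address.

    A source that was blocked on scan_threshold or more distinct destination
    ports is marked as a possible port scan (threshold is an assumed value).
    """
    drops_by_src = defaultdict(int)
    ports_by_src = defaultdict(set)
    for entry in entries:
        if entry.get("action") != "DROP":
            continue
        src = entry["src-ip"]
        drops_by_src[src] += 1
        port = entry["dst-port"]
        if port.isdigit():  # ICMP entries carry "-" instead of a port
            ports_by_src[src].add(int(port))
    report = []
    for src, count in drops_by_src.items():
        ports = sorted(ports_by_src[src])
        report.append({
            "src": src,
            "drops": count,
            "ports": ports,
            "possible_scan": len(ports) >= scan_threshold,
        })
    # Noisiest sources first; ties broken by address for stable output
    report.sort(key=lambda r: (-r["drops"], r["src"]))
    return report


if __name__ == "__main__":
    for row in summarize_drops(parse_log(SAMPLE_LOG)):
        flag = "POSSIBLE SCAN" if row["possible_scan"] else ""
        print(f'{row["src"]:<16} drops={row["drops"]:<3} ports={row["ports"]} {flag}')
```

Sources at the top of the report that you do not recognize, or that touch many different ports, are the entries worth a closer look during a review.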

What type of firewall should I use?

There are two types of firewalls: hardware and software. A hardware firewall is usually an external device that sits between your computer and your connection to the Internet. A software firewall (also known as a personal firewall) runs directly on your computer. This firewall is the most common type for home users.

The selection of a firewall is dependent on what is being protected. The value of the assets, the complexity of the computers or networks, and their usage of the Internet will dictate the type and size of firewall that should be used.

Make sure you have a firewall--selected based on your business or personal needs--and that it is enabled.


Before enabling a firewall, read the documentation carefully to ensure proper configuration. A properly configured firewall can save you hours of recovery or rebuilding of data.

Below are some areas for consideration when installing a firewall:

• allow only the traffic that you need
• enable the “automatic update” feature if one exists and also periodically check the firewall vendor’s website for the latest software updates
• enable the logging feature and review the logs regularly
• change the default “administrator” account (if available) and password
• disable the remote management option (if available)

A firewall is a very valuable tool to protect your data and your computers, but it must be selected, installed, configured, monitored, and maintained effectively to do its job. It’s also important to note that although firewalls can block intruders, viruses or unwanted traffic from getting into your computer, using a firewall is not a complete solution to security. Firewalls should be used along with anti-virus, anti-spyware, and anti-spam software, as part of a defense-in-depth strategy for protecting your computer from various forms of malware (viruses, worms, trojans, etc.), hackers, and others who want your data or your computer for illegal or malicious purposes.

Remember: Cyber Security is Your Responsibility. Always apply safe cyber security practices to protect the data on your computer or network.

References
To learn more about firewalls, please visit the following sites:

MS-ISAC - Beginners Guide to Firewalls
http://www.cscic.state.ny.us/localgov/#download

US-CERT
http://www.us-cert.gov/cas/tips/ST04-004.html

How Stuff Works - Firewalls
http://computer.howstuffworks.com/firewall.htm

Firewalls for Dummies
http://www.dummies.com/WileyCDA/DummiesTitle/Firewalls-For-Dummies-2nd-Edition.productCd-0764540483.html

Resources – For previous issues of the Monthly Cyber Security Tips Newsletter go to:
http://www.msisac.org/awareness/news/

Organizations have permission--and in fact are encouraged--to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

The information provided in the Monthly Security Tips Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture.

Brought to you by:

http://www.msisac.org


April 17, 2008

CLLB Information Security Newsletter

April 2008 Volume 1, Issue 3

From the Desk of David Badertscher

SOCIAL ENGINEERING: ARE YOU AT RISK?

The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of the discussion in this newsletter, social engineering refers to an approach to gaining access to information, primarily through misrepresentation, that often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or untrusted sources or to visit untrusted web sites. There are other ways that a perpetrator may prey on trusting human nature to gain access to information or systems.

Below are several examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.

IMPERSONATION

In this situation, the perpetrator pretends to be someone else - for example, impersonating a senior official from your organization or someone from your Help Desk. The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation – prompting you to react before you’ve fully thought through the consequences.

Remember to follow your internal procedures when responding to requests for sensitive or confidential information. Never give out your password to anyone, even if they claim to be from “technical support.”


PIGGYBACKING or TAILGATING

All too often, people will hold the door open for someone entering into a secure area or building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee. Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.

SHOULDER SURFING

This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing,” and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.

BAITING

This scenario involves an attacker asking a variety of seemingly innocuous questions designed to “catch” the right answers. The attack is often done over the telephone but can also be done in person. Items of conversation can also be introduced based upon replies received. Small amounts of facts are interjected at the right time into the conversation to make requests for information sound legitimate. Information you know could be valuable to an attacker--whether that information is about your work environment, fellow employees, projects, or personal information--must be handled with extreme care. Be mindful of what you say to whom.

SURVEYS

Many of us have no doubt been recipients of requests to participate in surveys—whether online, via telephone or otherwise. The surveys may be for legitimate purposes or might be a scam. In either case, be aware of unwittingly disclosing information that may be used inappropriately. For example, disclosure of details about your organization, its network or infrastructure could prove extremely useful to someone with malicious intent. If you receive a survey request, you should contact the sponsoring organization to ensure the survey is legitimate, and make sure you are not sharing sensitive or confidential information with unauthorized individuals or organizations.

DUMPSTER DIVING

Do you shred all unneeded confidential or sensitive documents? Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information. When confidential and sensitive documents are no longer needed, be sure to shred or properly destroy them in accordance with your organization’s records retention policy.

PUTTING IT ALL TOGETHER

The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information:

1. Before releasing any information to anyone, it is essential to at least establish: the sensitivity of the information, your authority to exchange or release the information, the real identity of the third party (positive identification), and the purpose of the exchange.

2. Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.

3. Before you throw something in the trash, ask yourself, “Is this something I would give to an unauthorized person or want to become publicly available?” If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.

4. If you don’t know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about their authorization or access permission, report the situation to the appropriate staff.

SECURITY NEWS UPDATE FROM CERTSTATION TMA:

Dutch transit card crippled by multihacks Wed, Apr 16 2008
The introduction of the Dutch public RFID transit pass will be delayed because it can be easily hacked. The final blow was given by researchers from Royal Holloway, University of London, who confirmed earlier findings by Dutch Institute TNO that the card isn't properly secured.

Researchers uncover undetectable chip hack Wed, Apr 16 2008
For years, hackers have focused on finding bugs in computer software that give them unauthorised access to computer systems, but now there's another way to break in: hack the microprocessor.

Regulatory compliance 'irrelevant' to security Tue, Apr 15 2008
Companies who get hung up on regulatory compliance are developing a false sense of security which leaves them just as open to malware attacks, the chief exec of tools vendor Protegrity has warned.

Criminals phish for CEOs via fake subpoenas Tue, Apr 15 2008
Panos Anastassiadis didn't click on the fake subpoena that popped into his in-box on Monday morning, but he runs a computer security company. Others were not so lucky.

For more monthly cyber security tips, please visit: www.msisac.org/awareness/news/

Brought to you by:

www.msisac.org


March 7, 2008

CLLB Information Security Newsletter


March 2008
Volume 1, Issue 2

Annual Maintenance For Computers

From the Desk of David Badertscher

Perform Annual Maintenance in Conjunction With Daylight Savings Time Change

In addition to your routine security and maintenance processes, you should perform an annual PC “tune up” or maintenance to be sure that your computer is operating efficiently, that appropriate software updates and settings have been applied and to minimize the risk of losing your data. Performing your annual check up with the switch to Daylight Savings Time is a great way to develop an annual schedule. One important step to take before performing maintenance is to back up all your data, in case anything goes wrong during your maintenance.

System and Data Backups - Review, update and test your file backup process.

If you do not have a backup system, consider purchasing a portable backup hard drive.
Check your scheduled “backup” scheme to see if it is still applicable. Add folders and files to be backed up as necessary. Test the restore function for the backed up files to ensure the restore works properly. Create a folder on your computer and restore your backup to the folder. Afterwards, delete the test folder.

Firewall - Check firewall settings for a current licensed version and updates.

Review settings for product configurations. Confirm settings are appropriate for the current level of security needed. Review firewall settings to ensure they are configured for automatic updates (if available), known applications are allowed, known inappropriate sites are blocked and known port scans are blocked. Confirm that the firewall is updated and that the license is current (if applicable).

Internet Browser - Check your browser configuration to ensure you have appropriate secure zone settings.

Review current zone settings (Tools/Internet Options/Security tab) for appropriate levels. The minimum level of security should be the default level which is set at Medium-High for the Internet zone. Adjustments can be made based on your needs. Confirm “Automatic Update” settings for your browser are set properly (applied at least weekly or as available).

Anti-Virus, Anti-Spam, and Anti-Spyware - Check all products for current versions and updates.

Confirm “Automatic Update” settings are set properly (applied at least weekly or as available). Confirm that applicable updates have been applied and that you have current versions and updates for all products. You may need to visit the vendor site for details. Confirm that your software licenses are current (if applicable). Run complete virus and anti-spyware scans on all drives. This should be done on a weekly basis.

Other Computer Software - Update other frequently used software programs, especially those that interface with the Internet.

Some software programs have “Automatic Update” features, others do not. Check your software programs (media players, music players, Adobe, etc.) for updates and new software versions. Follow the instructions within each program for updating.

The recommendations below are designed for the Windows XP Operating System (since this is the most prevalent operating system) and thus some steps may be slightly different with other Windows operating systems.

Operating System - Check for updates and remove unneeded programs.

Confirm that the “Automatic Update” settings are set properly (applied at least weekly or as available). Confirm that applicable updates (Critical, Important) have been applied to your operating system (Settings/Control Panel/Add or Remove Programs and click Show updates).
Remove old System Restore Points – Use Start/Control Panel/System/System Restore tab, check “Turn off System Restore” box to remove all restore points except the most recent.
Remove unneeded programs and “trial” programs. Go to Settings/Control Panel/Add or Remove Programs to uninstall a program.

Hard Disk Drive Maintenance - Ensure your hard disk is operating at peak efficiency.

Scan your Hard Disk for errors. In Windows Explorer select the drive then right click-Properties/Tools/Check Now.

Check “Automatically fix file system errors” and “Scan for and attempt recovery of bad sectors.” Defragment your Hard Disk Drive. The data on your hard drive can get separated or fragmented, which makes your computer less efficient. Defragmenting physically reorganizes the data to store the pieces of each file close together for more efficient storage and retrieval. In Windows Explorer select the drive then right click-Properties/Tools/Defrag Now.
Remove old files and emails on your PC. Remember to empty the “Recycle Bin” or “Deleted Items” (Outlook) folders.

Clean up your disk to remove cookies, temp files, cache, and history files. Go to Start/Program/Accessories/System Tools/Disk Cleanup.

Additional resources for PC maintenance can be found at:

Microsoft PC Care Online

www.microsoft.com/athome/moredone/maintenance.mspx

Microsoft Backup Utility

http://support.microsoft.com/kb/308422/

For more cyber security monthly tips go to: www.msisac.org/awareness/news/

More News:

From SC Magazine Newswire March 4, 2008.

Fake Department of Justice complaint-spam strikes again
Jim Carr March 03, 2008
"In what could presage a rash of tax-time spam emails purportedly from government agencies, security researchers at MX Logic have uncovered an influx of keylogger-laden emails spoofing the U.S. Department of Justice (DOJ)."

Sourcefire offers weak outlook following rough fourth quarter
Dan Kaplan February 29, 2008
"A dismal earnings forecast this week from intrusion prevention maker Sourcefire underscores some of the challenges facing public IT security companies, a pair of analysts said Friday."

Report outs banks with most ID theft complaints
Sue Marquette Poremba February 29, 2008
"Consumers, regulators, and businesses have no way to reliably assess the incidences and frequency of identity fraud at major financial institutions, a new study concludes."

Survey: IT security employees in demand, but skills lack
Sue Marquette Poremba February 28, 2008
"There is a wide gap between IT security skills that organizations need and the skills IT professionals bring to the job, according to a new survey by the Computing Technology Industry Association (CompTIA)."

From Government Computer News, March 7, 2008.

Biometrics accreditation planned
"The Homeland Security Department has asked the National Institute of Standards and Technology to develop a Biometrics Laboratory Accreditation Program that would accredit laboratories to evaluate biometric ID systems."









February 29, 2008

How to Build Your Own Wikipedia

"Wikis are useful business tools. With planning and some staff time, you can make your own online collection of useful articles, tailored to your organization's needs, to communicate about business processes, manage collective know-how and more." Since many libraries, including law libraries, have expressed an interest in incorporating wikis into their programs and services, we have included a link to the article: "How to Build Your Own Wikipedia," by Margaret Locher, CIO, February 27, 2008. This is a "hands on" article which addresses issues many of us are beginning to encounter. Comments are welcome.

February 21, 2008

Information Security Update: February 21, 2008

The following is some updated information that we thought might be of interest. This is not a separate issue of the Newsletter:

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER INFORMATION BULLETIN


DATE ISSUED: February 21, 2008

SUBJECT: Malicious Email Messages Referencing the Lunar Eclipse

One state reported that they received a large number of malicious email messages which reference the “lunar eclipse” and include a link purporting to show video of a lunar eclipse. Clicking on the link connects users to a site that will deliver malware to client machines. Presently, some commercial antivirus products are not detecting this malware. The addresses hosting the malware are reported to be constantly changing, thus minimizing the impact of blocking the offending sites.

We recommend that organizations warn users of the risks associated with visiting unknown or un-trusted Web sites and clicking on links provided in email messages.

As this example demonstrates, be advised that attackers may use current events (such as the recent lunar eclipse, various holiday greetings, and the 2008 Presidential Election) to entice users to visit Web sites, click on links, open attachments, or perform other actions that could lead to system compromise.


February 8, 2008

CLLB Information Security Newsletter February 2008

While reviewing responses to readers of this blawg, I noticed that many seem interested in postings related to information security. Therefore, as an experiment beginning with this posting I plan to include an occasional newsletter covering topics and issues related to information security.

As an added activity I serve on an Information Security Committee at my organization. This experience has certainly increased my awareness of the importance of information security issues to all of us, including law librarians. Let's see how this works. Comments are welcome.

David Badertscher

February 2008

Volume 1, Issue 1

Securing a Wireless Network

From the Desk of David Badertscher

Is a Wireless Network Secure?

Wireless networks are not as secure as the traditional “wired” networks, but you can minimize the risk on your wireless network (at home or at work) by following the tips below.

How Does it Work?

The standard setup for a wireless network requires two components: a Wireless Access Point (WAP) and a computer with a wireless network adaptor. Properly configuring a wireless device can be challenging and the steps will vary depending on the manufacturer. If you do not feel comfortable doing it yourself, be sure that whoever is configuring the wireless network follows these best practices.

Wireless Access Point (WAP)

The WAP connects to your high speed Internet connection or your internal network. This is the foundation for building a wireless network. It provides the ability to use a computer without being constrained by the distance of a wire. Keep in mind that metal filing cabinets as well as certain building materials, such as bricks and blocks, can interfere with or limit the range, that is, the distance between your wireless computer and the wireless access point. Generally, the indoor range for a WAP is approximately 125 feet.

Wireless Network Adaptor

A wireless network adaptor, used for transmitting and receiving information, is required for each computer you intend to connect to a WAP. When purchasing wireless networking hardware from separate vendors, be sure to obtain guarantees that the hardware will conform to defined standards and interoperate properly. The wireless network adaptor is usually built into laptop computers while it is an add-on component inserted into a USB port on desktop computers.

Enable Encryption

Every wireless network should enable encryption. Encryption scrambles the data in a way that if your signal is intercepted there is reduced risk of someone being able to eavesdrop or monitor your communications. There are several standards of encryption common to most WAPs. Wired Equivalent Privacy (WEP) is the older standard. WEP has a number of known security flaws and should only be used if no other method of encryption is available. Be sure to set the WEP authentication method to “shared key” instead of “open system.” Under “open system” the initial sign-on is encrypted but the data is not. Newer wireless access points include Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2). WPA2 is the stronger and the preferred method of encryption.

Change the Default Password

Change the default password that comes with your WAP. The default passwords used by manufacturers are well known to the hacking community. Be sure to use a strong password, at least eight characters including numbers and special characters.

Change SSID Name

The Service Set Identifier (SSID) is the name of your wireless network. Default SSIDs are well known, often the name of the manufacturer and easy to guess. Change the SSID name to something unique and be careful not to use a name that freely discloses information. For example, avoid using your family name. Avoid descriptive or functional names as well, such as “Payroll” or “Accounting” since this would advertise an attractive target for an attacker.

Turn Off SSID Broadcasting

By turning off SSID Broadcasting, your wireless access point does not advertise its presence. It is similar to having an unlisted telephone number. This is a way to reduce the visibility of your network to others in your neighborhood. The only way to connect to a WAP with SSID Broadcasting turned off is to know the SSID name and password.

Use MAC Filtering on Your WAP

The MAC (Media Access Control) address is the unique ID assigned to your computer’s network interface card. It is referred to as the computer’s “physical address.” Enabling MAC filtering on your WAP allows you to designate and restrict which computers can connect to your WAP. If the computer’s address is not listed, a wireless connection cannot be made to the WAP. To look up a MAC address on a Windows computer, go to “Start” then “Run” and type “cmd”. A new window will open and you will need to type ipconfig /all and press the enter key. A number of attributes will be displayed. The MAC address is identified as the “Physical Address.”

RF Interference

Assuming your WAP functions in the 2.4 GHz range, you may experience Radio Frequency (RF) interference from other 2.4 GHz devices, such as cordless phones, microwaves and baby monitoring devices. These devices can limit wireless performance. To manage the problem, limit sources of RF interference in proximity to the WAP.

Additional resources for wireless networks can be found at:
Wireless Network Tutorial including manufacturer step by step procedures.
http://spotlight.getnetwise.org/wireless/wifitips/
Microsoft: www.microsoft.com/technet/network/wifi/wifisoho.mspx

For more monthly tips go to: www.msisac.org/awareness/news

FROM IT SECURITY NEWS:

Bush wants a security clearance reform plan by April 30
The memo's language reflects concerns that longstanding security
clearance practices are preventing employees and contractors from
beginning work. (fcw)
http://www.1105newsletters.com/t.do?id=866100:3309489
