September 1, 2008

10 common security mistakes that should never be made

  • Date: August 15th, 2008
  • Author: Chad Perrin

Read about ten very basic, easily avoided security mistakes that should never be made — but are among the most common security mistakes people make.


The following is a list of ten security mistakes I see all the time. They’re not just common, though — they’re also extremely basic, elementary mistakes, that anyone with a modicum of security knowledge should know better than to make.
  1. Sending sensitive data in unencrypted email: Stop sending me passwords, PINs, and account data via unencrypted email. Please. I understand that a lot of customers are too stupid or lazy to use encryption, but I’m not. Even if you’re going to give them what they want, in the form of unencrypted sensitive data sent via email, that doesn’t mean you can’t give me what I want — secure communications when sending sensitive data.
  2. Using “security” questions whose answers are easily discovered: Social security numbers, mothers’ maiden names, first pets, and birthdays do not constitute a secure means of verifying identity. Requiring an end user to compromise his or her password by specifying a question like that as a means of resetting the password basically ensures that the password itself is useless in preventing anyone that is willing to do a little homework from gaining unauthorized access.
  3. Imposing password restrictions that are too strict: The number of cases I’ve seen where some online interface to a system that offers the ability to manage one’s finances — such as banking Web sites — imposes password restrictions that actually make the interface less secure is simply unacceptable. Six-character numeric passwords are dismayingly common, and the examples only go downhill from there. See a previous article, “How does bad password policy like this even happen?” for another example in more detail.
  4. Letting vendors define “good security”: I’ve said before that there’s no such thing as a vendor you can trust. Hopefully you were listening. Ultimately, the only security a corporate vendor really cares about protecting is the security of its own profits and market share. While this sometimes prompts a vendor to improve the security of its products and services, it sometimes prompts exactly the opposite. As such, you must question a vendor’s definition of “good security”, and you must not let vendors tell you what’s important to you.
  5. Underestimating required security expertise: People in positions of authority in corporations often fail to understand the necessity for specific security expertise. This applies not only to nontechnical managers, but to technical IT managers as well. In fact, standards working groups such as the one that produced the WEP standard often include a lot of very smart technologists, but not a single cryptographer, despite the fact they intend to develop security standards that rely explicitly on cryptographic algorithms.
  6. Underestimating the importance of review: Even those with security expertise specific to what they’re trying to accomplish should have their work checked by others with that expertise as well. Peer review is regarded in the security community as something akin to a holy grail of security assurance, and nothing can really be considered secure without being subjected to significant, punishing levels of testing by security experts from outside the original development project.
  7. Overestimating the importance of secrecy: Many security software developers who make the mistake of underestimating the importance of review couple that with overestimation of the importance of secrecy. They justify a lack of peer review with hand-waving about how important it is to keep security policies secret. As Kerckhoffs’ Principle — one of the most fundamental in security research — points out, however, any system whose security relies on the design of the system itself being kept secret is not a system with strong security.
  8. Requiring easily forged identification: Anything that involves faxing signatures, or sending photocopies or scans of ID cards, is basically just a case of security theater — putting on a great show without actually providing the genuine article (security, in this case) at all. It is far too easy to forge such second-generation (or worse) low quality copies. In fact, for things like signatures and ID cards, the only way for a copy to serve as useful verification is for it to actually be a good enough copy that it is not recognized as a copy. Put another way, only a successful forgery of the original is a good enough copy to avoid easy forgery.
  9. Unnecessarily reinventing the wheel: Often, developers of new security software are recreating something that already exists without any good reason for doing so. Many software vendors suffer from Not Invented Here disease, and end up creating new software that doesn’t really do anything new or needed. That might not be a big deal, if not for the fact that the new software is often not peer reviewed, makes security mistakes that have already been ironed out of the previous implementation of the idea, and generally just screws things up pretty badly. Whenever creating a new piece of software, consider whether you’re replacing something else that already does that job, and whether your replacement actually does anything different that is important. Then, if it is doing something important and different, think about whether you might be able to just add that to the already existing software so you will not create a whole new bundle of problems by trying to replace it.
  10. Giving up the means of your security in exchange for a feeling of security: This is a mistake so absurd to make that I have difficulty formulating an explanation. It is also so common that there’s no way I can leave it out of the list. People give up the keys to their private security kingdoms to anyone who comes along and tells them, “Trust me, I’m an expert,” and they do it willingly, eagerly, often without thought. “Certificate Authorities” tell you who to trust, thus stripping you of your ability to make your own decisions about trust; Webmail service providers offer on-server encryption and decryption, thus stripping you of end-to-end encryption and control over your own encryption keys; operating systems decide what to execute without your consent, thus stripping you of your ability to protect yourself from mobile malicious code. Don’t give up control of your security to some third party. Sure, you may not be able to develop a good security program or policy yourself, but that doesn’t mean the program or policy shouldn’t give you control over its operation on your behalf.

Fully Loaded Laptop

Techtips 183

By Bryan Lambert – Sunday, August 31, 2008

As many Tech Tip readers already know, the laptop computer is the preferred computer platform used by people today. However, many people fret that giving up their desktop computer may mean giving up some of the great features that they had with it. What most people don’t know is that they can get many of the same features (and then some) with a laptop. While laptops do have limited expandability, if you choose your laptop wisely in the first place, you can come away with a computer that not only suits your needs, but will be a valuable addition to your computing family. Below is a brief rundown of some cool extras that are becoming more and more available.

DVD Burner – Actually, most laptops already include this as a standard optical drive. But if you do get a laptop with it, look for extra features built into the DVD burner, such as the ability to burn a LightScribe or a Double Layer disc.

Integrated Webcam – YouTube anyone? With an integrated web camera built into your laptop (usually at the top of the screen), you can make your own videos – and it’s useful for video conferencing with programs such as Skype too!

Card Reader – Also a component usually included these days – if you own a particular digital camera, look for one that supports your camera's flash memory format.

Solid State Drive (SSD) – A very cool, but very expensive, option being offered on more and more laptops.  Leave the spinning drive behind for a bank of flash memory chips.

TV card – The name says it all. Get TV right on your laptop.  The newest TV cards are usually hybrid cards that can pick up HDTV, Analog TV and also work as a video capture device.

Extra Hard Drives – Some laptops offer a second hard drive as a dumping ground for data or as a scratch disc.  This is a very useful place to dump pictures and music. If a second internal drive is not offered, an external hard drive may be for you.

Fingerprint scanner – Goodbye passwords and hello biometrics!  Used to be pretty much only seen on business-class laptops, but has been infiltrating the consumer laptop market slowly but surely.

Blu-ray – A very cool, but also expensive feature to get. A reader is often abbreviated as a BD-ROM, a writer as a BD-R and a writer/rewriter as BD-RE. If you do opt for a laptop with Blu-ray drive – spin the propeller on that beanie cap you’re wearing and welcome to a very exclusive (for the time being) club.

Long-life batteries/second batteries – There’s nothing quite as frustrating as having your batteries run out.  It is worthwhile to see if a long life battery is available for the model laptop you’re interested in. If not, consider buying a second battery.

Ultra-High screen resolutions – Particularly useful when your laptop includes a Blu-ray drive.

Cell Phone Modem – Cell phone modems or similar devices will (for a price, plus a service plan) allow you to be truly free, surfing the web where you want, when you want. Some high-end notebooks have this option built in.

Docks and port replicators – Basically, these can give you more ports (USB, FireWire, video, etc.) that you may want.

Wireless (Wi-Fi) Printer – With many people hooking up wireless in their home, getting a printer with Wi-Fi already built in just makes sense.

Office Suites – Contrary to popular belief, most laptops DO NOT include office suites. If you’re looking for a laptop with Microsoft Word already installed, you may be looking long and hard. Some will have trial versions of the software, but you’ll need to purchase it after the trial period. Home/Student editions of the software are usually very well priced and for many people worth buying as an extra.

Pre-installed “Bundleware” – This is actually a feature that people usually DON’T want on their laptop. “Crapware” is any software that is preloaded into a laptop that is not normally part of the operating system. While many laptop manufacturers usually do include a utility to uninstall crapware one at a time, for many it would be better if this “extra feature” is not loaded at all. Some manufacturers have gotten wise and now offer (for a nominal fee) to leave the crapware OFF your system in the first place.

Warranties and extended technical support – Some laptops (like the Lenovo ThinkPad series) already come with a monster warranty up-front. For everyone else, there are extended warranties. Be sure to read the fine print, and find out if it covers accidental damage (like dropping the laptop). An extended service plan will give you longer technical support if needed. But, be forewarned, these warranties/extended service plans do add up quickly.

Of Course There’s More – We are sure there may be some features that we missed, and others that we may not have gone into deeply enough. However, this list, while not exhaustive, gives you a good starting point on the many cool features and extras to look for in your laptop purchase.  Feel free to add others in the Comments section of the Tech Tips Blog!
