Archive for the ‘Passwords’ Category

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It’s not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of the most significant information risks for any company because of the sheer volume of confidential information they can hold. Worse, even if you don’t think you’ve ever saved a confidential document onto your computer, the computer will almost certainly hold the credentials needed to reach information that is stored centrally. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that its information was not compromised. When in doubt, the company must disclose. So unless you know positively what information was stolen, you may have to assume that all of it was and notify everyone in your database: thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee’s practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don’t give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet – out of sight, out of mind. Don’t assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don’t just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for English speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You’d never be that careless at home. Don’t let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it’s time to ask for your free copy of your credit report from the next agency.

These days, keeping all your passwords straight can be an almost impossible task. Every website and application needs a password. Do you pick the same password and use it everywhere or do you write them down? If you use the same password, you’ll lose them all as soon as any one of those systems gets compromised. But if you write them down, you lose them all when your sticky-note gets lost or stolen.

Here’s a trick for making semi-customized passwords that will be easy to memorize but still unique to each site.

Pick a "static" password. (For this example, I’ll use "Bluebird" but a passphrase is much better.) Now look at the website or application that you’re signing onto. Make up a personal rule about the website name such as:

  1. The first character of my password will always be the second letter of the website’s name.
  2. The second character of my password will always be the number of characters in the website’s name.
  3. The third character will be a dash.

The password at Amazon would be "m6-Bluebird" and at eBay would be "b4-Bluebird". The password on your home Dell computer might be "e4-Bluebird". A password in this pattern is reasonably strong because it has all four character classes (uppercase, lowercase, number, punctuation) and because it doesn’t follow the predictable tendency for English speakers to capitalize the first letter and put the number(s) at the end. Best of all, every password is different but you only have the one phrase to memorize and one rule.

There are a couple of limitations to this technique.

  • You must be the only person who knows your exact rules. Do not use the exact rules above. Make your own choices about which letter, punctuation, etc.
  • Some systems won’t allow special characters (like the dash) or may have size limits on the password. Unfortunately, there’s no easy way around those problems. Make the best choice you can given the limits of the system and write down only enough to remind yourself what’s different (such as "401k – no dash"). If it’s an important system (like your online bank), lobby the company to allow stronger passphrases.
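The rule described above, written out as an added example (not code from the original post). The letter position, the separator and the static word are parameters, so each reader can follow the post’s advice and pick their own variation rather than the published one; the `allow_punctuation` switch covers the limitation just mentioned, where a system refuses the dash. The `SiteRule` and `derive_password` names are my own.

```python
"""Site-specific password rule from the post, as a parameterised function (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteRule:
    """One person's private rule. Values here are only the post's example; pick your own."""
    static_part: str           # the memorised word or phrase ("Bluebird" in the post)
    letter_index: int = 1      # which letter of the site name to use (0-based; 1 = second letter)
    separator: str = "-"       # punctuation placed between the prefix and the static part


def normalise_site_name(site_name: str) -> str:
    """Lower-case the name and keep only letters and digits so 'eBay' and 'ebay' agree."""
    return "".join(ch for ch in site_name.lower() if ch.isalnum())


def derive_password(site_name: str, rule: SiteRule, allow_punctuation: bool = True) -> str:
    """Build <letter><length><separator><static part> for one site.

    allow_punctuation=False handles the post's '401k - no dash' case: the separator is
    dropped and everything else stays the same, so the only thing to remember is the exception.
    """
    name = normalise_site_name(site_name)
    if len(name) <= rule.letter_index:
        raise ValueError(f"site name {site_name!r} is too short for this rule")
    letter = name[rule.letter_index]
    length = str(len(name))
    separator = rule.separator if allow_punctuation else ""
    return f"{letter}{length}{separator}{rule.static_part}"


if __name__ == "__main__":
    rule = SiteRule(static_part="Bluebird")          # the post's example rule
    for site in ("Amazon", "eBay", "Dell"):
        print(site, "->", derive_password(site, rule))
    print("401k (no dash) ->", derive_password("401k", rule, allow_punctuation=False))
```

Running it reproduces the post’s three examples ("m6-Bluebird", "b4-Bluebird", "e4-Bluebird"); the `401k` call shows the dash-free fallback.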

As a user, you should never share your password with anyone. It is used to track who had access and made changes to specific information. You are responsible for everything done on the system using your ID and password.

As a manager, you must set up the processes and procedures so that your staff and customers do not need to share their passwords. They need a simple rule that anyone asking for their password is running a con.

  • The user’s co-workers should never have access to each other’s passwords. If work needs to be shared, use shared folders or other collaboration tools that maintain traceability in the logs about who did what. If a co-worker needs temporary access to the user’s files (for example, if covering for someone on vacation or emergency medical leave), have IT use their administrative tools to grant the access rights under their own ID, not by compromising the ID of the person who is out of the office.
  • Not even your own IT staff should ask for a user’s password. If IT needs the password to complete a repair, the IT person should insist that the user type in the password.
  • You don’t need their password either. If you need to access their files, you should have IT set up your rights so that you can monitor their work under your own ID and password. No one ever wants to be in the middle of an investigation but, if you are, you really don’t want to have counter-accusations that the chain of evidence was compromised.

Too many people are running phishing and other cons that try to trick people into sharing their passwords. Make it possible to say with confidence that no one at your organization will ever ask you for your password.

According to a non-scientific survey I just conducted, the most common question this time of year is “How were your holidays?” The second most common question is “Have you broken your New Year’s resolutions yet?”

Here’s a trick to help keep at least a few of those resolutions by choosing stronger passwords. As we’ve talked about before, passwords are fairly easy to break because most of us pick an English word, capitalize the first character and add a number at the end. That’s a statistically common trend among English-speakers. It meets the minimum complexity rules but will fail to a password cracking tool in 30 seconds or less.

If your New Year’s resolution is your passphrase, you’ll get a strong password that is hard for an outsider to break. (Microsoft’s password rules allow up to 127 characters and permit any character on the keyboard, including the spacebar. You can pick a whole sentence including spaces and punctuation for your password.) And by typing it several times a day, well, maybe repetition will help me actually live up to the resolution. For example, I need to eat less and exercise more. If my password for the month is “Take the Stairs.”, I’m reminding myself several times a day that I shouldn’t be lazy – that those extra steps are good for me.

A couple of thoughts, though. First, don’t make your password obvious to others. If your password is “Spend more time with your Kids!”, don’t make a poster with the same phrase and hang it in your office. Second, add unusual capitalization or swap a letter for a number in the middle of the phrase. For example, “Give more time 2 Charity.” Even if someone does guess your resolution, they won’t know what little change you’ve made to the way you type it. Put together, you’ll have a strong password that’s easy to remember and might actually help you keep that resolution a little longer.
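The point made here and in the earlier post on encryption keys is that a capitalised word with digits tacked on the end satisfies the usual complexity rules yet is exactly the shape cracking tools try first. The check below is an added example (not from the original posts) that a help desk or password-policy script could run: it counts the four character classes the post mentions, applies a typical "8 characters, 3 of 4 classes" rule, and separately flags the predictable pattern. The regular expression, the rule thresholds and the function names are my own assumptions, not any vendor’s policy.

```python
"""Flag the 'Capitalised word + trailing digits' pattern that passes complexity rules (added example)."""
import re

# Assumed shape of the predictable pattern: one capital, lower-case letters, 1-4 digits,
# optionally a single trailing punctuation mark (e.g. "Bluebird42", "Summer2009!").
PREDICTABLE = re.compile(r"^[A-Z][a-z]+\d{1,4}[^A-Za-z0-9]?$")


def character_classes(password: str) -> set:
    """Return which of the four classes (upper, lower, digit, other) the password uses."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")   # punctuation and spaces count as the fourth class
    return classes


def meets_complexity_rules(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """A typical minimum-complexity rule (assumed thresholds): length and class count only."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def follows_predictable_pattern(password: str) -> bool:
    """True when the password is the word-capitalised-plus-digits shape the posts warn about."""
    return PREDICTABLE.match(password) is not None


def assess(password: str) -> dict:
    """Combine the two checks so a policy script can see why something is accepted or flagged."""
    return {
        "length": len(password),
        "classes": len(character_classes(password)),
        "passes_complexity": meets_complexity_rules(password),
        "predictable_pattern": follows_predictable_pattern(password),
    }


if __name__ == "__main__":
    # Constructed samples: the pattern the posts warn about, and the passphrase style they recommend.
    for sample in ("Bluebird42", "Summer2009!", "Take the Stairs.", "Give more time 2 Charity."):
        print(f"{sample!r:30} {assess(sample)}")
```

"Bluebird42" passes the complexity rule (10 characters, three classes) and is still flagged as predictable; "Take the Stairs." passes and is not flagged, which is the distinction the post is drawing. A policy that only counts classes cannot tell the two apart, so the pattern check has to be a separate step.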

Passwords are only useful if they are kept secret. That sounds obvious but we are still finding users who tape their passwords to the computer or "hide" them in an unlocked desk drawer.

Laptop and desktop computers represent the single greatest risk to the computer systems and customer private information of most organizations. A stolen or lost laptop is a gold mine for an identity thief. Laptops and desktops hold all kinds of private information (often including the access rights and certificates necessary for a hacker to get onto the rest of the network).

In order to mitigate the risk, many organizations have encrypted their computers – scrambled the content so that, in theory, if a computer is stolen, the thief gets away with a $2000 doorstop. Unfortunately, that encryption is often completely dependent on the password. If the thief also gets away with the password, they have access to everything and all the organization’s defenses are for naught.

Make it very clear to your staff that leaving a password unprotected is a very serious violation of your security policies. If they see an unsecured password, have them report it immediately to their manager or supervisor.