Archive for the ‘Uncategorized’ Category

We’ve talked before about the risks of carrying your debit card unnecessarily. With a credit card, your liability for fraudulent charges is capped by law (in the US, at $50), and while a charge is in dispute it is the bank’s money that is tied up, not yours. With a debit card the money leaves your checking account immediately, and how much of it you can lose depends on how quickly you notice and report the problem: under US rules, $50 if you report within two business days, up to $500 if you report within 60 days of the statement, and potentially everything in the account after that.

A new report describes yet another problem with debit cards. Because of the way the transactions are processed (a hold is placed on your account at the time of the sale and the actual charge settles later), they are far more fragile than credit card transactions. The slightest hiccup in that process and you can see the same purchase charged twice or even three times on your statement. The merchant will probably refund the overcharge, but in the meantime the money is gone from your account and you may already have been hit with overdraft charges, bounced payments and late fees on other bills, and possibly damage to your credit if one of those payments was reported late.

Read more about how this weakness occurs at

Debit cards are convenient but it’s increasingly clear that they’re not worth the risk for consumers. Ask your bank for an ATM-only card and cut up your regular debit card. Use a credit card for purchases.

Consumer Reports recently published a list of Seven Online Blunders, common mistakes made by consumers which leave their computers – and their identities – at risk.

The seven are all common-sense and are topics we’ve talked about before, but it never hurts to read another perspective. Here’s my take on their list.

  1. This sounds really obvious but the anti-virus software won’t do any good if you turn it off – or if you stop paying for the updates. Make sure your anti-virus is on and up-to-date.
  2. Be suspicious of any link in an email. The risk of phishing remains high. Look at where a link actually goes (hover over it, or check the raw message) before you click, and go to the site by typing the address yourself if there is any doubt.
  3. Passwords are tricky. Too easy and they can be easily guessed. Too many or too complex and you’ll write them down, which defeats the purpose if the list is stuck to the monitor (a list kept somewhere genuinely private is still better than reusing one password everywhere). Use your own rules to build strong, unique passphrases that are easy for you to remember but hard for others to guess.
  4. Be careful about downloads. “Free” stuff is often quite expensive if it comes bundled with some form of malware.
  5. Macs aren’t perfect. (Neither is my favorite, Firefox.) There may be fewer viruses targeting those systems, but there are more every day. (I wouldn’t have put this one at number 5 – the CR folks must see a lot more Mac users than I do.)
  6. Scareware is scary. Never click that pop-up that says “Your computer is at risk!!!” Even its “Cancel” or “X” button may be a link, so close the whole browser window instead.
  7. Online shopping is not quite the same as shopping at a physical store. It can be safe if you stick to reputable retailers and use common sense.
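For item 2, here is the check written down as code. This is an added example, not code from Consumer Reports or from the original post: it pulls the links out of an HTML message and flags the usual tricks (the visible text names one site while the link goes to another, a raw IP address instead of a hostname, or a “user@” prefix that hides the real host). The sample message and every domain in it are constructed for the example, and the registered-domain helper simply takes the last two labels, which is an assumption that fails for suffixes such as co.uk.

```python
"""Added example: pick out the suspicious links in an HTML e-mail.

The sample message and the domains below are constructed for this example;
they are not real phishing sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a hostname or URL (e.g. "www.bank.example").
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (assumption: no multi-part suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_link(href, text):
    """Return the reasons a link looks suspicious (empty list = looks fine)."""
    reasons = []
    if not href:
        return reasons                      # named anchor, nothing to follow
    parts = urlsplit(href)
    if parts.scheme == "mailto":
        return reasons
    if parts.scheme not in ("http", "https"):
        return ["non-web scheme %r" % parts.scheme]
    host = parts.hostname or ""
    if parts.username is not None:
        # https://bank.example@evil.example/ -- the real host is after the "@"
        reasons.append("user-info before host hides real host %r" % host)
    if IPV4.match(host):
        reasons.append("raw IP address instead of a hostname")
    m = HOST_LIKE.match(text)
    if m:
        shown = m.group(1)
        if registered_domain(shown) != registered_domain(host):
            reasons.append("text shows %r but link goes to %r" % (shown, host))
    return reasons


def suspicious_links(html):
    """All links in the message that triggered at least one check."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample message: three bad links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear customer, please visit <a href="https://bank.example.evil.example/login">www.bank.example</a>
to confirm your account.</p>
<p>Or use <a href="http://192.0.2.10/login">this link</a>.</p>
<p>Questions? See <a href="https://bank.example/help">our help pages</a>.</p>
<p><a href="https://bank.example@evil.example/">https://bank.example</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print("%-45s %-22s %s" % (href, text, "; ".join(reasons)))
```

The third link (plain text “our help pages”, going to the real site) is not flagged: the check only compares the visible text against the target when the text itself claims to be an address, which is exactly the case where a reader is most likely to be fooled.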

To that list, I would add:

Social networking sites matter more and more these days. Recruiters and business partners look there to find out more about you, often before they will talk to you in person and almost certainly before they commit to the relationship. MySpace and Facebook are the most popular for college and personal use. LinkedIn is probably the most popular among business users: individuals post synopses of their resumes and business histories and seek introductions to new prospective partners. In these difficult economic times, it can be a very useful step toward finding new work, or simply a way of staying in touch with old colleagues.

Some folks get themselves in trouble with social networking sites, though. CIO Magazine recently ran a column on LinkedIn Etiquette that should be required reading. The short version is “use common sense”. You’re posting about yourself for the whole world to see, and what you post is copied, cached and searchable long after you delete it. Don’t post anything that will come back to haunt you later.

Recruiters especially don’t like surprises. Make sure that the impression a reader gets from your profile matches what they will find when they meet you in person or talk to your references.

Today’s post doesn’t have anything to do with information security but it was just too cool and I had to write about it.

Last Friday, I got to work with my son’s elementary school’s Science Day and led the lab on Cabbage Chemistry – using red cabbage juice as a pH indicator. To make the cabbage juice:

  1. Cut up a red cabbage.
  2. Cover with water and boil for 10-15 min.
  3. Strain, cool and bottle.

The resulting juice is rich in anthocyanin pigments, which change color with pH. The mixture starts purple (or sometimes blue). In acid it turns pink or red; in base it turns green, and in a strong base yellow. The best write-up of the reaction and a good chart of the full range of possible colors is here.

The kids then put an eyedropper’s worth of their test substance into a disposable cup, added about the same amount of cabbage juice and stirred. They recorded their results and then analyzed the kinds of chemicals which were acidic, basic and neutral. They discovered, for example, that acids generally taste sour (at least, all the ones that are safe to eat) and bases generally taste bitter. They also discovered that while adding lemon juice directly to the laundry detergent neutralizes the mixture’s pH, it also turns the result into a gelatinous goop. (I have not yet been able to replicate that result – it may be specific to the detergent we used.)

At home, we took the experiment one step further. We took the juice and poured it on several kinds of paper, then let it dry on a cookie sheet for about two days. We cut the result into small strips and made our own litmus paper. The litmus paper had the advantage of showing a clear color change even when the test substance was colored.

Paper towels and toilet paper both absorbed and retained enough of the juice to be useful indicators. Of those two, the paper towels were the easier to use since they were stronger and the waffle pattern of the material helped keep it from sticking so tightly to the pan. The kraft paper (from some pale cardboard) failed to absorb enough juice. The construction paper turned a pretty shade of light blue but bound the pigment too tightly to the paper and did not show a clear color change.

Oddly, our homemade juice and our homemade litmus paper showed the same strong pink color change for acids as we’d seen in the class but showed much weaker color changes at the base end of the spectrum. No matter how strongly we mixed the baking soda, we couldn’t get much past a blue color. We might investigate that more next weekend…

This article was originally published in the first quarter, 2008 edition of The Agent Newsline, a publication of Westfield Insurance.

Despite the Hollywood stereotypes, most hackers are not technical geniuses crafting complicated, personalized attacks on your systems. They use openly available toolkits to look for and exploit known holes in the most common software. Those toolkits find unpatched operating systems and old versions of applications that are vulnerable to specific viruses and other malicious code, usually by reading the version a system announces about itself and comparing it against a list of versions with known flaws. The people running them often don’t know how the malicious code works, but they know enough to point it at your computer.
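At its core, what such a toolkit (and, from the other side, a vulnerability scanner) does is fingerprint and compare. The following is an added example written for this page, not code from the article or from any vendor’s product: it reads service banners, extracts the product and version, and flags anything older than a patch baseline. The banners, hosts and baseline versions are constructed for the demonstration and are assumptions; they are not real scan results and do not refer to any particular advisory.

```python
"""Added example: fingerprint service banners and flag out-of-date versions.

Everything below (banners, hosts, the baseline table) is constructed for the
example and represents a hypothetical patch policy, not real advisories.
"""
import re

# Constructed baseline: the oldest version of each product that the
# hypothetical patch policy still considers acceptable.
MIN_ACCEPTABLE = {
    "OpenSSH": (7, 4),
    "Apache": (2, 4, 41),
    "nginx": (1, 18, 0),
    "ProFTPD": (1, 3, 6),
}

# One pattern per banner format; the version is the first capture group.
BANNER_PATTERNS = [
    # SSH greeting: "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
    (re.compile(r"^SSH-\d\.\d-OpenSSH_(\d+(?:\.\d+)*)"), "OpenSSH"),
    # HTTP "Server:" header values: "Apache/2.2.15 (CentOS)", "nginx/1.18.0"
    (re.compile(r"^Apache/(\d+(?:\.\d+)*)"), "Apache"),
    (re.compile(r"^nginx/(\d+(?:\.\d+)*)"), "nginx"),
    # FTP greeting: "220 ProFTPD 1.3.5 Server (ProFTPD Default Installation)"
    (re.compile(r"^220 ProFTPD (\d+(?:\.\d+)*)"), "ProFTPD"),
]


def parse_version(text):
    """'2.4.41' -> (2, 4, 41).  Tuples of ints compare numerically, so
    1.10 > 1.9; comparing the raw strings would get that wrong."""
    return tuple(int(p) for p in text.split("."))


def fingerprint(banner):
    """Return (product, version_tuple), or None if no pattern matches."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.match(banner.strip())
        if m:
            return product, parse_version(m.group(1))
    return None


def _pad(version, n):
    """Right-pad with zeros so (2, 4) compares as 2.4.0 against 2.4.41."""
    return version + (0,) * (n - len(version))


def assess(banner):
    """Classify one banner as 'outdated', 'current' or 'unknown'."""
    fp = fingerprint(banner)
    if fp is None:
        return "unknown", None, None
    product, version = fp
    floor = MIN_ACCEPTABLE[product]
    n = max(len(version), len(floor))
    status = "outdated" if _pad(version, n) < _pad(floor, n) else "current"
    return status, product, version


def scan(results):
    """Apply assess() to (host, port, banner) tuples; return the outdated ones."""
    findings = []
    for host, port, banner in results:
        status, product, version = assess(banner)
        if status == "outdated":
            findings.append((host, port, product, ".".join(map(str, version))))
    return findings


# Constructed scan results: RFC 1918 addresses and made-up banners.
SAMPLE_BANNERS = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"),
    ("10.0.0.5", 80, "Apache/2.2.15 (CentOS)"),
    ("10.0.0.8", 21, "220 ProFTPD 1.3.5 Server (ProFTPD Default Installation)"),
    ("10.0.0.8", 443, "nginx/1.18.0"),
    ("10.0.0.9", 80, "Microsoft-IIS/10.0"),
]

if __name__ == "__main__":
    for host, port, product, version in scan(SAMPLE_BANNERS):
        print("%s:%d  %s %s is below the patch baseline" % (host, port, product, version))
```

Run as-is it lists the two out-of-date services. The caveat a tester would add is that banners can be wrong in both directions: distributions often backport security fixes without changing the version string, and administrators can hide or rewrite banners, so an “outdated” finding from a banner is a lead to confirm, not a proven hole. That is one reason a report that simply dumps scanner output is of limited use, a point the article returns to below.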

Of course, some hackers don’t use software at all. They use well-known social-engineering tactics to con your staff into revealing confidential information or into giving them access that they can later abuse.

If you have some fairly simple defenses in place, the vast majority of hackers will go looking for easier prey. The challenge is finding (and fixing) these common holes. Few of us can do our day jobs and also keep up with the constantly-changing list of vulnerabilities, rapidly changing software versions or evolving tactics of the hackers.

In addition, more and more regulators (and customers) expect us to have our security periodically tested by someone from outside our own organization. Luckily, there is an entire “vulnerability testing” industry with experts who do stay current on all these issues and who can provide an independent assessment of your systems’ strengths and weaknesses.

Every company should have an independent assessment of their systems conducted at least annually and preferably more often. It validates that your normal IT operations are running properly, finds and closes the door on the more obscure vulnerabilities that you didn’t know about and, perhaps most importantly, shows that you have been doing everything reasonable to protect the confidential information entrusted to you. If you have independent audits of your security and act on the findings, you will be in a far better position to defend your company if the unthinkable happens.

There are many vulnerability or “penetration” testers out there, offering a wide range of services, and the two terms are not interchangeable: a vulnerability scan enumerates known weaknesses with automated tools, while a penetration test goes on to confirm which of them can actually be exploited, so ask which you are buying. Pick a vendor that decides what to test based on your specific risks and circumstances. Ask for samples of their final reports and make sure that they can communicate their recommendations clearly. The most thorough test in the world is worthless if the findings are buried under incomprehensible jargon. The best test for you is the one that you will use to improve your company’s security.