Why Encrypt my Hard Disk

If you use a laptop or other mobile device for work, there is a good chance you are travelling with this machine and, at times, it may not be completely secure. You can't keep your eyes on it 100% of the time, can you? So there is always the risk that it could be lost or stolen, and with that would also go your data.

Sure, you probably have this backed up, but not only would the machine be expensive and inconvenient to lose, its loss could also lead to a major security breach. If you have customer data or details on that machine, merely having password protection enabled is not enough to protect that data. If the machine falls into the wrong hands, all that is required is for the hard disk to be removed and connected to another PC as a secondary disk; the unauthorized user can then take ownership of the data, at which point it is all available to them to do with as they wish.

It may be that you work under the control of one of the many regulatory bodies that already insist that you protect your customers' data via full hard disk encryption. If so, then hopefully you are heeding their advice and doing so. If you are not subject to such control measures, it's worth giving some thought as to whether you would feel more comfortable employing full disk encryption for your data.

Full disk encryption means that the whole disk is encrypted, rather than just a few files and folders, and this is an ongoing process as you add more data to the disk. If the device is stolen, as long as you have a strong password, that should hopefully stop any users logging in to Windows. Outside of that, access to the disk is prohibited without the disk encryption key, which you should keep stored in a separate place.

You can achieve full hard disk encryption if you have a Professional version of Windows 7, 8 or 10 via BitLocker encryption, which is a part of Windows, provided your machine has the necessary hardware to support this. This is known as a TPM (Trusted Platform Module). Otherwise, there are numerous third-party tools available to purchase to add this functionality to your machine.

Paul Cox – IT Director Sound Networks

 

Get free SSL certificates from Let’s Encrypt

More than a million free TLS (Transport Layer Security) certificates have been given away, which will provide security between websites and their visitors.

Let's Encrypt is an open source certificate authority based out of San Francisco, CA that has helped secure approximately 2.4 million domains at the time of writing this article. With a few quick and easy steps, users can secure their websites and their users' information via the use of one of its certificates.

The company is backed and sponsored by a wide array of companies who support this endeavour: Mozilla, Cisco, Google and Facebook, to name a few. I think this is a fantastic idea and a great thing for web developers and technicians alike. Having gone through the process myself I can understand the frustrations that SSL can provide during proper setup and configuration. With Let's Encrypt this pressure has been removed. One more step forward for Open Source.

Daniel Brown – Web Developer

US Government challenges hackers

The Department of Defense (DoD) has launched its very first cyber bug bounty program, the first in the history of the US Federal Government. It is inviting cyber security experts and hackers to penetrate its system.

The program will begin in April this year (2016) and you can win financial rewards for your efforts. The challenge, dubbed “Hack the Pentagon”, is only open to residents of the United States.

However, only vetted participants can take part, which will limit the success of the program: schooled hackers would not register their details, as their hacking signatures (the way they do certain things) can be monitored.

The engineered target network has been set up to monitor penetration attempts and is not part of critical operations of the DoD. It looks to me as if they are finally starting to do something useful and have taken note of the success of Bug Bounty Programs.

The real reason is the ever-increasing hacking attempts on military and research targets from foreign sources. This new program might, however, offer some insight into the weaknesses of US cyber security.

Avast steals private data from 2000 devices in just 4 hours in the MWC16

On the occasion of the Mobile World Congress in Barcelona 2016, Avast wanted to do an experiment at the airport to show how easy it is to access private user data simply by creating free Wi-Fi spots.

Avast's Mobile division President, Gagan Singh, said: “We found it interesting to demonstrate that all that is needed to bring down most security systems incorporating a modern smartphone is to offer something for free, and to do it at an event crowded with technology journalists, product managers, hardware companies and even security experts”.

“In the first group, the users reached the airport after a long flight, read ‘Mobile World Congress’ and naively assumed that someone had set the Wi-Fi network for them,” said Singh, “the second is even more interesting because in reality we didn’t even need any action by the user; it was enough that they had previously connected to a Starbucks, for example, so the mobile automatically connects from your pocket or bag when it detects a known and registered Wi-Fi network.”

To reassure users, Singh declared that they did not store any data; they only scanned the traffic, drawing conclusions such as:

  • Around 50% used an iOS device, 42% Android and, surprisingly according to Singh, 6% Windows Phone.
  • The main use of the network took place in Google and email clients.
  • More than half had the Facebook app installed, and less than 5% had Twitter’s.

Source: Gizmodo

Purpose-built backup appliances (PBBAs)

What are they? The name says it all – a dedicated unit which sits on your network and manages your backup jobs for you. Forget swapping tapes or backup cartridges, take the hassle and responsibility out of your day!

It is imperative that businesses are able to recover important data that they rely on – how would your business function if your servers (and data on them) were stolen or destroyed in a fire? Many options are now aimed at smaller organisations looking for this type of backup and disaster recovery, making the move away from traditional backup methods more accessible.

Initial setup is straightforward. In most cases you deploy a software client agent to talk to the backup appliance. Log in and centrally manage what is backed up and when, set retention policies to specify revisions of data, set up exclusion rules and view backup reports, as well as managing the unit itself – firmware updates, storage information, logs and so on.

In addition to having the data on the appliance, it is best practice to keep a copy of the data off-site for the reasons mentioned earlier. Another unit located elsewhere can be used to facilitate a backup of the backup. However, most will allow you to replicate the data to the cloud via a subscription based on your needs, allowing you to choose what is uploaded and how long it is retained; this is the preferred option for single sites. Failing this, external storage can be connected to certain models.

It’s hard to calculate individual storage requirements and as such vendors will be able to help. Data de-duplication and compression will vary depending on many factors such as file type and changes (and can “save” considerable space). Some customers may want to retain more data revisions, and bear in mind data growth over the life-span of the appliance too.

Advantages are many. No swapping backup media or worrying about off-site media storage. You’ll have backup and disaster recovery, assuming you have selected the correct options (many existing businesses will just be protecting files, emails and databases rather than the system state and operating system, which will enable a complete bare-metal recovery). Chances are you’ll have improved file versioning options offering better restoration possibilities. All of this can be managed centrally from a network-connected PC or via the cloud, depending on your product and subscription.

Initial setup costs can be higher than removable media backup and may require an annual subscription, but please consider the bigger picture: peace of mind, full automation, central management, reliability and relieving the nominated tape custodian of their duties, to name a few! Consider the cost of downtime, or the data restoration options you may lack, should you stick with your current backup system.

All good vendors will offer an evaluation unit so you can discover the benefits yourself before making a commitment.

Mark Warburton
IT Consultant

Password conundrums

In 2015 we all need to store or remember an increasing number of usernames and passwords as the number of online services we now use is increasing, with no sign of let-up. So how do you manage this? Especially as we all know that strong passwords are a must and best practice is not to use the same password on more than one site.

Looking at this from a business point of view can be a bit of a headache. But it’s something that is worth factoring into your business continuity plans. Recording all the usernames and passwords in a spreadsheet or Word doc seems to be a pretty common and extremely unsafe way of doing this, and if you are doing this it is something that needs addressing now, as things won’t get any better. One of the biggest drawbacks of this is that it needs manually updating or modifying as and when necessary, not to mention all the other usual drawbacks associated with any other type of data.

Moving forward, it would be wise to look into some kind of password manager software that can be shared amongst users; there are thousands available online, such as Dashlane, LastPass and Sticky Password. Yes, there are drawbacks to these as well, but with the right kind of usage, you will at least minimise your risks. Which one is right for you, only you can tell – and most will offer a free trial for you to make up your mind. But before it becomes even more of a lumbering beast, get to grips with that list of passwords you don’t like to talk about and start using something a bit more modern!

 

Built in SSH service coming to Windows

Earlier this week Microsoft announced that they would be adding SSH services built into Windows. This means third-party SSH applications are no longer required, as Microsoft have said they will be supporting OpenSSH.

SSH, or Secure Shell, is a secure method to remotely administer computers and servers. This has been a problem for Windows users in the past, where third-party apps such as PuTTY were required. So Microsoft’s PowerShell team have decided that they will support the OpenSSH platform, integrate it into Windows and build a better application experience with the OpenSSH community.

Angel Calvo, PowerShell Team Group Software Engineering Manager, states:

“A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH. Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and to remotely manage Linux and Windows systems.”

This has been attempted before with Microsoft, so let's just see what happens.

Watch this space…

WordPress vulnerability affects millions of websites

The latest in a long line of threats for the popular blogging and website platform WordPress is an XSS (cross-site scripting) vulnerability. This occurs in the default installation of the platform, which obviously means a much larger attack surface for would-be hackers to utilise.

The vulnerability was found by security researcher Robert Abela, who works for Netsparker (http://www.netsparker.com). The problem is found in the Genericons webfont package that comes with the WordPress Twenty Fifteen theme. Hackers exploit the Document Object Model (DOM) and can then use your website for sophisticated phishing activities.

The solution to this vulnerability is as follows:

  • Check if you are running the Twenty Fifteen Theme or any derivative (as many created themes are built upon this theme).
  • Check if your website is using the Genericons package.
  • If this is the case then remove the example.html file that is included in the package.
  • Upgrade to the latest version of WordPress; 4.2.2 was released recently.
  • If you have disabled Auto Update then it is advisable to unselect this option.

WordPress can automatically update and patch security holes if you allow it to update automatically. We advise you do this.

Hope this helps,

Daniel Brown

Sound Networks
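The first three checks in the WordPress list above can be scripted on the server. This is an added example, not part of the original post or of WordPress itself: the function names are hypothetical, the sample tree is constructed, and it assumes the standard `wp-content/themes` layout and that child themes name their parent in a `Template:` header in `style.css`.

```shell
#!/bin/sh
# List themes that are Twenty Fifteen, or child themes declaring it as parent.
list_twentyfifteen_themes() {
    for dir in "$1"/wp-content/themes/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if [ "$name" = "twentyfifteen" ]; then
            echo "$name"
        elif grep -Eiq '^[[:space:]*]*Template:[[:space:]]*twentyfifteen[[:space:]]*$' \
                "$dir/style.css" 2>/dev/null; then
            echo "$name (child of twentyfifteen)"
        fi
    done
}

# Print each example.html that sits directly inside a "genericons" directory.
find_genericons_examples() {
    [ -d "$1/wp-content" ] || return 0
    find "$1/wp-content" -type f -path '*/genericons/example.html' | sort
}

# Delete the files found above. Dry run unless APPLY=1 is set.
remove_genericons_examples() {
    find_genericons_examples "$1" | while IFS= read -r f; do
        if [ "${APPLY:-0}" = "1" ]; then
            rm -f -- "$f" && echo "removed: $f"
        else
            echo "would remove: $f"
        fi
    done
}

# Constructed sample tree (not a real site): parent, child and unrelated theme.
make_demo_tree() {
    t="$1/wp-content/themes"
    mkdir -p "$t/twentyfifteen/genericons" "$t/mychild/fonts/genericons" "$t/other"
    printf '/*\nTheme Name: My Child\nTemplate: twentyfifteen\n*/\n' > "$t/mychild/style.css"
    printf '/*\nTheme Name: Other\nTemplate: twentyten\n*/\n' > "$t/other/style.css"
    : > "$t/twentyfifteen/genericons/example.html"
    : > "$t/mychild/fonts/genericons/example.html"
    : > "$t/other/example.html"   # not inside genericons: must be left alone
}

# Usage: sh audit.sh /path/to/wordpress   (prefix APPLY=1 to actually delete)
if [ "$#" -gt 0 ]; then
    list_twentyfifteen_themes "$1"
    remove_genericons_examples "$1"
fi
```

Run it without `APPLY=1` first and review the "would remove" lines before deleting anything.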

Is your gateway secure?

No, we don’t mean the one round the back or the side of your house. We are talking about your cyber gateway, in other words your internet router and/or firewall.

So you can’t remember where it is? Or what it looks like? It may be time to find out, and decide whether you need to take action. The reason for this is an increasing trend in attacks at the gateway level, rather than your PC.

This is due to the fact that most people have addressed security on their computers, so an easier target for attackers is now your gateway.

Research from Tripwire has revealed that 80% of small-office/home-office (SOHO) routers have exploitable flaws, yet only half of these have updated their firmware.

And why is this a problem? Because once compromised, an attacker can interfere with communications between you and your online destination – so this could include your bank, your email or your PayPal account, and that’s just a few items to start with; the possibilities are endless. And once control is gained of your gateway it provides access to all of the devices on your network, so that includes tablets and mobile telephones as well as PCs and laptops.

Our advice would be to familiarize yourself with what device you are using as your gateway and, if possible, update the firmware on it. If it is an older unit, replace it with a more modern one and make sure you take simple steps to secure it, such as changing the default admin password and only running the bare minimum of services required for what you need to do. The more services you run, the more potential weaknesses you are exposed to.

Paul Cox.

The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

XKCD has a nice layman’s explanation of how the Heartbleed bug works.

Information which had previously been thought of as secure is now vulnerable to any attacker with knowledge of the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging and some virtual private networks (VPNs).

The current best advice is to check with any web service you use whether it was vulnerable and, if it has been fixed, to change your passwords.

Laurence Gush.