

Book Review: Liars & Outliers: Enabling the Trust That Society Needs to Thrive

Choosing and Protecting Passwords

Basic Fire Escape Planning









Liars & Outliers: Enabling the Trust That Society Needs to Thrive
By Bruce Schneier
John Wiley & Sons, Indianapolis, 2012, cloth, 336 pages, US$24.95


As security professionals, we mainly consider how we can establish procedures, plans, and policies focused on actions intended to protect people, places, and things. We rarely consider the societal mechanisms fostering the trust that allows us to prioritize our actions even though we recognize that we cannot protect everyone, everything, and every place all the time. Without a broad base of trust, society and all of our institutions cannot function. This is the focus of Bruce Schneier’s newest book, Liars & Outliers: Enabling the Trust That Society Needs to Thrive.

Schneier begins by reviewing how society requires trust in order to function. Not blind, unlimited trust, of course. Just the right amount where the overwhelming majority recognizes that the social contract binding us is both important and essentially of benefit to all. There will always be those–“defectors”, he calls them–who won’t play by the rules, but there are means to deal with this. And equally important, not all defectors are harmful or even bad. Societal pressure is important to maintain trust by inducing compliance with group norms, but some defectors help society regain a proper focus when it strays. Schneier notes that, "Security is a type of societal pressure in that it induces cooperation....In many ways, it obviates the need for intimate trust. In another way, it is how we ultimately induce compliance and, by extension, trust."

Schneier argues that today’s world is at a “critical juncture” and must evolve societally to adjust to globalization and technological advances. Part of that adjustment requires security professionals to balance protective efforts against the ability to recognize the positive aspects of “defection” as a societal good–as when a Medal of Honor winner is recognized for acts taken against orders.

We have considerable security measures to complement trust–some argue too much in some cases. Schneier helps us put security in a societal context that challenges us to make choices which are beneficial instead of rote. Traditional security measures will need to adjust to make these choices.





US-CERT

Choosing and Protecting Passwords


Passwords are a common form of authentication and are often the only barrier between a user and your personal information. There are several programs attackers can use to help guess or "crack" passwords, but by choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.

Why do you need a password?

Think about the number of personal identification numbers (PINs), passwords, or passphrases you use every day: getting money from the ATM or using your debit card in a store, logging on to your computer or email, signing in to an online bank account or shopping cart...the list seems to just keep getting longer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, and maybe you've wondered if all of the fuss is worth it. After all, what attacker cares about your personal email account, right? Or why would someone bother with your practically empty bank account when there are others with much more money? Often, an attack is not specifically about your account but about using the access to your information to launch a larger attack. And while having someone gain access to your personal email might not seem like much more than an inconvenience and threat to your privacy, think of the implications of an attacker gaining access to your social security number or your medical records.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that someone is the person they claim to be is the next step, and this authentication process is even more important, and more difficult, in the cyber world. Passwords are the most common means of authentication, but if you don't choose good passwords or keep them confidential, they're almost as ineffective as not having any password at all. Many systems and services have been successfully broken into due to the use of insecure and inadequate passwords, and some viruses and worms have exploited systems by guessing weak passwords.

How do you choose a good password?

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or "crack" them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Or the last four digits of your social security number? Or your address or phone number? Think about how easy it is to find this information out about somebody. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to "dictionary" attacks, which attempt to guess passwords based on words in the dictionary.

Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters. Change the same example we used above to "Il!2pBb." and see how much more complicated it has become just by adding numbers and special characters.

Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases when you can. For example, "This passwd is 4 my email!" would be a strong password because it has many characters and includes lowercase and capital letters, numbers, and special characters. You may need to try different variations of a passphrase—many applications limit the length of passwords, and some do not accept spaces. Avoid common phrases, famous quotations, and song lyrics.

Don't assume that now that you've developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop unique passwords for each of your accounts.

Here is a review of tactics to use when choosing a password:
  • Don't use passwords that are based on personal information that can be easily accessed or guessed.
  • Don't use words that can be found in any dictionary of any language.
  • Develop a mnemonic for remembering complex passwords.
  • Use both lowercase and capital letters.
  • Use a combination of letters, numbers, and special characters.
  • Use passphrases when you can.
  • Use different passwords on different systems.
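
The checklist above, applied to the article's own sample passwords, as an added example (not part of the US-CERT text). The word list, the 12-character threshold, and the function names are assumptions made for illustration.

```python
import math

# Constructed stand-in word list (assumption); a real check would load a full
# dictionary plus a list of known-breached passwords.
WORDLIST = {"hoops", "date", "password", "basketball", "email"}
MIN_LENGTH = 12  # assumed threshold; the article gives no number

def char_classes(pw):
    """Report which of the four character classes the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }

def search_space_bits(pw):
    """Upper bound on brute-force effort: length * log2(alphabet size).

    This only measures blind guessing; a dictionary attack finds a listed
    word such as "hoops" far sooner than the figure suggests.
    """
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
    alphabet = sum(sizes[k] for k, used in char_classes(pw).items() if used)
    return round(len(pw) * math.log2(alphabet), 1) if alphabet else 0.0

def review(pw, personal=()):
    """Return the checklist items from the article that the password fails."""
    problems = []
    low = pw.lower()
    if any(p and p.lower() in low for p in personal):
        problems.append("based on personal information")
    if low in WORDLIST:
        problems.append("dictionary word")
    classes = char_classes(pw)
    if not (classes["lower"] and classes["upper"]):
        problems.append("missing lowercase or capital letters")
    if not (classes["digit"] and classes["special"]):
        problems.append("missing numbers or special characters")
    if len(pw) < MIN_LENGTH:
        problems.append("short; consider a passphrase")
    return problems

if __name__ == "__main__":
    for sample in ["hoops", "IlTpbb", "Il!2pBb.", "This passwd is 4 my email!"]:
        print(f"{sample!r}: {search_space_bits(sample)} bits, {review(sample)}")
```

The search-space figure grows with both alphabet size and length, which is why the passphrase scores far above the eight-character mixed password.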

How can you protect your password?

Now that you've chosen a password that's difficult to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don't tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords.

If your internet service provider (ISP) offers choices of authentication systems, look for ones that use Kerberos, challenge/response, or public key encryption rather than simple passwords (see Understanding ISPs and Supplementing Passwords for more information). Consider challenging service providers that only use passwords to adopt more secure methods.

Also, many programs offer the option of "remembering" your password, but these programs have varying degrees of security protecting that information. Some programs, such as email clients, store the information in clear text in a file on your computer. This means that anyone with access to your computer can discover all of your passwords and can gain access to your information. For this reason, always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Other programs, such as Apple's Keychain and Palm's Secure Desktop, use strong encryption to protect the information. These types of programs may be viable options for managing your passwords if you find you have too many to remember. There's no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

_________________________________________________________________

Both the National Cyber Security Alliance and US-CERT have identified this topic as one of the top tips for home users.
_________________________________________________________________

Authors: Mindi McDowell, Jason Rafail, Shawn Hernan
_________________________________________________________________

Courtesy of US-CERT, a government organization.






Basic Fire Escape Planning
By Security Today


Your ability to get out depends on advance warning from smoke alarms and advance planning.
  • Pull together everyone in your household and make a plan. Walk through your home and inspect all possible exits and escape routes. Households with children should consider drawing a floor plan of your home, marking two ways out of each room, including windows and doors. Also, mark the location of each smoke alarm. This is a great way to get children involved in fire safety in a non-threatening way.
  • Install smoke alarms in every sleeping room, outside each sleeping area and on every level of the home. NFPA 72, National Fire Alarm Code® requires interconnected smoke alarms throughout the home. When one sounds, they all sound.
  • Everyone in the household must understand the escape plan. When you walk through your plan, check to make sure the escape routes are clear and doors and windows can be opened easily.
  • Choose an outside meeting place (e.g., a neighbor's house, a light post, mailbox, or stop sign) a safe distance in front of your home where everyone can meet after they've escaped. Make sure to mark the location of the meeting place on your escape plan.
  • Go outside to see if your street number is clearly visible from the road. If not, paint it on the curb or install house numbers to ensure that responding emergency personnel can find your home.
  • Have everyone memorize the emergency phone number of the fire department. That way any member of the household can call from a neighbor's home or a cellular phone once safely outside.
  • If there are infants, older adults, or family members with mobility limitations, make sure that someone is assigned to assist them in the fire drill and in the event of an emergency. Assign a backup person too, in case the designee is not home during the emergency.
  • If windows or doors in your home have security bars, make sure that the bars have emergency release devices inside so that they can be opened immediately in an emergency. Emergency release devices won't compromise your security - but they will increase your chances of safely escaping a home fire.
  • Tell guests or visitors to your home about your family's fire escape plan. When staying overnight at other people's homes, ask about their escape plan. If they don't have a plan in place, offer to help them make one. This is especially important when children are permitted to attend "sleepovers" at friends' homes. See NFPA's "Sleepover fire safety for kids" fact sheet.
  • Be fully prepared for a real fire: when a smoke alarm sounds, get out immediately. Residents of high-rise and apartment buildings may be safer "defending in place."
  • Once you're out, stay out! Under no circumstances should you ever go back into a burning building. If someone is missing, inform the fire department dispatcher when you call. Firefighters have the skills and equipment to perform rescues.

Putting your plan to the test

  • Practice your home fire escape plan twice a year, making the drill as realistic as possible.
  • Make arrangements in your plan for anyone in your home who has a disability.
  • Allow children to master fire escape planning and practice before holding a fire drill at night when they are sleeping. The objective is to practice, not to frighten, so telling children there will be a drill before they go to bed can be as effective as a surprise drill.
  • It's important to determine during the drill whether children and others can readily waken to the sound of the smoke alarm. If they fail to awaken, make sure that someone is assigned to wake them up as part of the drill and in a real emergency situation.
  • If your home has two floors, every family member (including children) must be able to escape from the second floor rooms. Escape ladders can be placed in or near windows to provide an additional escape route. Review the manufacturer's instructions carefully so you'll be able to use a safety ladder in an emergency. Practice setting up the ladder from a first floor window to make sure you can do it correctly and quickly. Children should only practice with a grown-up, and only from a first-story window. Store the ladder near the window, in an easily accessible location. You don't want to have to search for it during a fire.
  • Always choose the escape route that is safest -- the one with the least amount of smoke and heat -- but be prepared to escape under toxic smoke if necessary. When you do your fire drill, everyone in the family should practice getting low and going under the smoke to your exit.
  • Closing doors on your way out slows the spread of fire, giving you more time to safely escape.
  • In some cases, smoke or fire may prevent you from exiting your home or apartment building. To prepare for an emergency like this, practice "sealing yourself in for safety" as part of your home fire escape plan. Close all doors between you and the fire. Use duct tape or towels to seal the door cracks and cover air vents to keep smoke from coming in. If possible, open your windows at the top and bottom so fresh air can get in. Call the fire department to report your exact location. Wave a flashlight or light-colored cloth at the window to let the fire department know where you are located.

Courtesy of Security Today







copyright (c) 2014 MAYER NUDELL all rights reserved
InterNet Services by CyMatrix.net