Good afternoon.

A Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it's automatic mail notification!

Thank you for using our services.
FaceBook Service.

There are a few tip-offs that this is bogus.

The grammar. Why is "Spam" capitalized?  Facebook doesn't have a capital "B".  The sentences are choppy and amateurish.  "Change the password to complicated one." The whole thing reads like it was written by a 16 year old who doesn't really speak English.

Second...why is there a ZIP file attached?  That's a red flag for ANY e-mail - unless you're expecting an attached ZIP file there really shouldn't be one. That's one of the MOST common ways for bad folks to try and sneak malware (including viruses and spyware) into your system.

Under no circumstances should you be opening a .ZIP file from a stranger.  Not going to happen.  If you're worried that something really did happen...try going to your Facebook account.  If it still works...then your password didn't change.

Practice smart computing folks.  If an e-mail message smells bogus, especially if it has an attached file or link, then it probably is bogus.

You can reach Ben M. Schorr at bens@rolandschorr.com or by phone at 928-526-3970. You can follow him on Twitter @Bschorr

Clever buggers - they've figured out a way to use the Cloud to advance a technology used to break passwords.

Essentially what this article is talking about is a Brute Force Attack.  It means when presented with a password prompt you just try every possible password until you get the one that actually opens the door.  There are two primary against this are varied and, in a good system, both of them are employed.  A summary....

Account Lockout

You've probably stumbled across this once or twice in your life.  If you enter the wrong password a pre-defined number of times, the account is locked either for a period of time or until an administrator manually unlocks it.  You'll find that on your bank ATM, enter the wrong PIN too many times and it keeps your card. Most good systems will do the same - anywhere from 3-10 (typically) wrong attempts within a certain amount of time disables the account.

Obviously that makes a brute force attack impractical.  The point of a brute force attack, is that you throw thousands of possible passwords at the system until it opens. If the account is going to lock after 5 wrong guesses then even a single-character password only has (at best) a 50% chance of being broken that way.  And that's if you're only using numbers.

The downside of account lockout is frustration for users and wasted time for administrators.  In these days of having a lot of different passwords to remember people often forget or mistype their passwords and then it's often the job of administrators to unlock or reset their accounts.  And of course we've probably all experienced the frustration of needing to log into something and being locked out.

That's why we recommend setting account lockout to trigger only if 100 incorrect passwords are entered within 5 minutes.  No human is going to type the wrong password 100 times in under 5 minutes, but a brute force attack will trigger that lockout within a second.

You can also typically set the account to automatically unlock after a period of time.  We recommend 20 minutes.  If you reduce a brute force attack to trying 100 passwords every 20 minutes...it will take an impossibly long time for it to guess any decent password.

Long Passwords

Summary

Julian Assange is not a hacker - at least not in the sense most people think of hackers. He didn't break into the State Department or Pentagon systems to get the information he leaked. What facilitated the leak was not a hole in a firewall....it was a hole in our people process. One or more insiders with access (properly or otherwise) to the documents deliberately obtained them and then transferred them to Mr. Assange. As governments and large companies the world over set their jaws and shift uncomfortably in their seats at the thought of having their organization's secrets laid bare to the world undoubtedly a great many of them are ordering a serious review of their document access policies and maybe even a refresh of their staff background checks.

What should you be doing? (even if you're not a government, or Bank of America)

1. Take an Inventory of What You've Got

Before you can decide how to protect it you have to know what you're trying to protect. Take a good look at what documents you have and try to categorize them according to how sensitive they actually are. The list of passwords to your bank accounts? Top secret; only you should know it.

Your kid's soccer schedule? Unclassified. It's posted on the league website where everybody, even those darn "Bumblebees" who beat you in the playoffs last year, can see it.

Your list of clients may be restricted - i.e. everybody in your firm can see it, but you'd prefer it not be publicly available. How many levels of classifications you want to have, and what you call them, is up to you. One easy way to think about it is to consider the social circles in which you operate. The classifications should map roughly to that.

For example:

• Level1 (Top Secret): You. Maybe you and a spouse.
• Level 2 (Secret): You and a very small circle of trusted colleagues; perhaps you and your partners in the firm. Or maybe you, spouse and other family members.
• Level 3 (Classified): A wider circle; perhaps including the administrative team at the firm.
• Level 4 (Confidential): The entire firm, but not anybody outside.
• Level 5 (Restricted): The firm plus selected outsiders. Co-counsel, client, expert witnesses, etc.
• Level 6 (Public): Everybody. Your firm brochure, etc.

Do you need that many levels? I don't know - each person's situation is unique. If you're a government agent you probably need at least that many if not more. If you're a hairdresser you might only need 2 or 3 levels.

The more levels you have the more difficult and costly it can be to secure everything. So try to keep it reasonable - probably nobody needs 12 different levels of access. Also the more nuanced levels of classification can be more expensive to secure. It's cheap to secure the PIN number for your ATM card. Only you (and maybe a spouse) should know it. If it is potentially compromised beyond that tiny circle the PIN number gets changed. Doesn't take a lot of effort to maintain that level of classification. Likewise it's easy to manage information that is public or unclassified. You don't care who sees it, in fact you may WANT it exposed to the widest group of people possible. Your firm brochure, website or business card for example - the more people who see those the better. There's no cost to securing that information because it doesn't need to be secured (at least on a read-only basis; you don't want random folk CHANGING your website).

Where it gets tricky is when you have a piece of information that is secret, but needs to be available to a wider group of people; perhaps your partners, a client, selected members of the firm and two outside experts. Now you have to manage access to a larger group of people and it's a group that may not be static. Hopefully your partners don't change often, but outside experts may come and go, staffers at the firm can retire or leave for other opportunities. You may find yourself trying to secure access while still providing access to a dynamic group of people and organizations. And some of those people may be off your physical premises. Now you're transmitting secret information off-site where you may have considerably less control over it. That's when the headaches set in. And that brings us to....

2. Take an Inventory of Who You've Got

Once you have an idea of what information you have and what level of secrecy each piece of information requires, look around you and figure out who should be in each social circle. Your closest circle is the easiest one - your spouse. Maybe you have a trusted advisor that also fits into circle 1, but more likely is in circle 2.

Partners, staff in sensitive positions, all staff, clients, vendors and outside-partners, etc. Ever-widening circles.

Now is also the time to give some thought to those people. The ones who are particularly dangerous are the ones who are in a smaller circle but whom you may not know as well as you'd like to. Presumably you know your spouse pretty well. And hopefully you know your business partners pretty well too. You have a strong sense of if they can be trusted and what their motivations might be. But what about senior staff? Those people in "Level 3" in my example above? They probably have access to some rather sensitive data but how well do you REALLY know them? That circle you should color in red - those are the folks who may have a dangerous level of access but who may have an agenda other than your own. That's not to say that you can't be undermined by your spouse or business partners, only that (if you're alert) you should have a better sense for how trustworthy those people are. Hopefully you've done a good job of selecting your spouse/partners so that's not really an issue. But how carefully have you screened your administrative team? Have you done background checks before hiring them? Or did they just go to the right school and have a pleasant demeanor during the lunch interview?

How confident are you REALLY that they can be trusted to keep your secrets? Those are questions you need to ask. The more access you're going to grant somebody the better you need to know them and understand their motivations, agenda and allegiances.

3. Check the Locks

Now that you know what information you have and who in your world should have access to it, check to see if you've really secured those things. I go into a lot of firms that have their internal accounting data, personnel reviews and other proprietary and even confidential information just sitting on a server right next to the fliers for the company Christmas party.

Do you have secured folders in your firm? Have you placed your sensitive documents - whether they're internal firm information, information relating to a very sensitive matter you're working on or perhaps confidential client information - into appropriately secured folders or shares? Perhaps you're guarding information so sensitive that it makes sense to locate it on its own server?

Think of it like a filing cabinet without locks - many firms have a server where all of the folders are essentially the same. If you can connect to the server you can navigate around any folder as easily as any other. Some firms even have a "Guest" account in their network and haven't ensured that the guest account has no access to the sensitive firm data.

Other firms have realized that not all information is created equal. That some information needs to be secret while other information may only be restricted; and so they've made some careful decisions about which folders are available to which people. Try logging into your server with your receptionist's account some time and see what he or she can actually access. You may be in for an unpleasant shock.

4. Keep the Locks Locked

I've lost count of how many times I've been in a client's office and I've heard a lawyer or executive walk out of their office and say to their assistant "Sally, I'm leaving for the conference now. I'll be back on Friday. Here's my password, check my e-mail while I'm gone." WHAT?! Your assistant has just been elevated to your circle - in your world Sally now has Circle 1; Top Secret clearance. She can probably access almost anything you can access with that password. Your e-mail, sure. How about the firm accounting system? How about personnel reviews or other sensitive documents? Home phone numbers of clients and colleagues? And chances are good that you use that same password for other systems too - maybe to log into your bank accounts?

Not only can "Sally" access this information now, but she can access it AS YOU. She can sent out e-mail as if it came from you. She can access files and any audit systems would show that YOU accessed the file.

She not only has the key to the kingdom, she has a perfect mask of you to wear as she explores it.

Maybe Sally wouldn't do that. But when was the last time you changed your password? And how many assistants have you gone through during that time? So how many former employees, some of them perhaps not happy to be so former, might have your username and password? Do any of those former assistants now work for your competition?

Keep the locks locked. Passwords are not to be shared.

5. Sign in Please...

Now that you've determined the different levels of information, different people and groups whom you need to share information with and you've set up the security to try and ensure that only the proper people have access to that information you need to do one more thing...have an audit trail. For information that's sensitive you should have a log that tells you who has accessed that information and when.

Wikileaks happened not because somebody lost an unencrypted laptop or because a firewall was breached by a clever hacker but because somebody INSIDE the firewall, somebody who was either considered trusted or who was allowed to cross from their level of access to a higher level of access, inappropriately copied and distributed files. It was an inside job. What have you done to make sure it's harder for somebody to do an inside job to you?

Facebook is famous for a few things and one of those things is the pervasive "Like" button on status updates, pictures...just about everything.  But despite the clamoring of users there's never been a "Dislike" button and, honestly, it's a little awkward to "Like" that your friend just got divorced or that their pet died.

Now, however, there's a 3rd party app that claims to be the "official dislike" button. The thing that should set off warning bells for users is that you have to download it though.  Facebook is a web app.  You don't need to download the "official" dislike button any more than you needed to download the omnipresent "like" button.

Sure enough, the "dislike" button app is malware.

Stay clear of it and let your friends and family who are Facebook users know to steer clear of it as well.

If you'd like to like us on Facebook, however, you don't need to download a thing.   Just go to: http://www.facebook.com/rolandschorr.

Well, it looks like yet another organization has gotten compromised and potentially exposed the data of thousands of customers.  In this case the University of Hawaii Parking Office are the culprits and as many as 53,000 people may have had their personal info (including social security numbers and even a few credit cards) exposed.

I won't beat the dead horse too much, but I do want to say:

1. Really?  A database with social security numbers that wasn't locked down?  I guess we don't have much information on how this breach occurred but I'll be very curious to know if it was a known vulnerability that hadn't been patched or simply lax security procedures.
2. Really?  You need social security numbers to sell parking permits?  That's what the database in question apparently was - it's not at all clear to me why that database needed to include social security numbers.  Hot tip: If you don't need to collect/store sensitive information like social security numbers or credit card numbers...don't collect and store them.
3. It appears that U.H. isn't offering any free credit monitoring to those affected.  I realize they're under a budget crunch over there, but under the circumstances that seems a little weak.

In a story that has been all over the tech press and even into the mainstream press lately, Google ("Don't Be Evil") has been caught with its fingers in another privacy pie.

It turns out that while their camera cars have been driving up and down the streets of the world, taking pictures of every building, tree and mini-mall they've also been collecting the names and MAC addresses (a unique string of characters that identifies a network device) of any wireless networks they encounter.

O.K., that's a little questionable but the name and MAC address isn't really anything that anybody sitting there in a car with a WiFi receiver couldn't see. Unfortunately Google took it a step further, unintentionally they claim, by (allegedly) also capturing network traffic on any of those wireless networks that happened to be unsecured. Granted that traffic would have been just a snippet - whatever their car could "hear" as it drove past - but still, it calls into question the whole operation in my mind. I have to wonder WHY Google wanted to capture the names (SSID's) and MAC addresses of those wireless networks.

Was it their intention to create some sort of map of wireless networks? Considering the impermanent nature of those networks (networks come and go daily) and the fact that any such data set could be at least somewhat out of date by the time the camera car even finished it's sweep of the area and uploaded the data I have to wonder what the real value of that is. And what are the possible privacy implications of Google adding a map layer that shows private wireless networks and their locations?

Should Have Known Better

One bit that stands out to me from the story linked above is that one of the plaintiffs, Ms. Van Valin, allegedly works for a high-tech company.  According to her complaint she sometimes uses the wireless network to transmit sensitive or confidential data.  But her wireless network was unsecured!?  How on earth can somebody who works in a high technology company even think about deploying and using an unsecured wireless network in their home, much less transmitting sensitive or confidential data on that system?

Whether she prevails in her lawsuit against Google or not I have to wonder if Ms. Van Valin has just committed career suicide.  I know if I were her employer we'd be having some serious discussions about her future with my organization.

The Lesson

The lessons here are pretty clear, I think...

1. If you're a company that is going around mapping data or images, be careful to stick to your mandate.  If you're taking pictures of mailboxes stick to the mailboxes.  Don't go photographing the mail inside those mailboxes or peeking through the windows of adjacent buildings.  Eventually somebody will find out and the backlash will be serious.  Google, who was already starting to make people a little uncomfortable with the extent of their ambitions, and who has always touted their "Don't Be Evil" motto, has a lot of explaining to do about what exactly they intended to do with this information they were collecting.
2. If you deploy a wireless network for private use, SECURE IT.  Every wireless access point sold in the last 5 years has the ability to do WPA encryption, which requires a password for access.  It's easy to do.  It's FREE.  It's necessary.

Folks, how many times do we have to have examples like this?  A stolen or lost laptop, thousnads of people's personal information out in the wind.  Whole disk encryption is neither expensive nor difficult.  There's an article RIGHT HERE (http://www.officeforlawyers.com/lawtech/truecrypt.htm) that even explains how to do it for free!

And it's a heck of a lot easier than having to contact all of your clients and tell them you just lost their personal information.

Any device that is portable, or could become portable, and that has, or could have, sensitive data on it should be encrypted.  Period.

Apple's protectionist App Store, which requires Apple to approve and authorize every app that gets installed on an iPhone, iPod Touch and now iPad, has gotten a lot of criticism from folks because it's such a closed environment.  While that criticism is valid - the closed App store makes it very difficult for companies to develop their own apps and essentially allows Apple to shut the door on any 3rd party ISV (Independant Software Vendor) they want to - it does have some benefits.

In the linked article we learn that a trojan - bad or hostile software pretending to be good stuff to entice you to run it - masquerading as a legitimate game for Windows Mobile devices has been found in the wild.  If you get infected with this malware it will use your Windows Mobile smart phone to, unbeknownst to you, make expensive international phone calls.

Because, at least theoretically, Apple thoroughly vets each application before it's approved for the App Store, iPhone users should be protected from these kinds of attacks.  I say "theoretically" because there is always the chance something could slip by.

The fact that these kinds of attacks are out there just underscores the need for everybody to exercise caution when downloading and installing any applications - especially those that claim to be games or other entertainment.