More on passwords (pw problems seem to NEVER go away)

So you’ve got a password that you use at home, and you still use that same password on every site you go to, even though you know that you shouldn’t.  So how much harm could there be if you decided to use that same universal password at work?  None of the “bad guys” are ever going to make that connection, are they?  Well, maybe they will.  More and more companies are becoming victims of just this kind of behavior.  There has to be a way to get around it, and darkreading.com has some possible policies that every organization ought to consider implementing.  Here they are:

Have your users’ passwords already been hacked?

Tablets for all? We’re getting there

With this news from InformationWeek, it’s obvious that business is quickly adopting tablet computing, and in particular, the iPad.  As long as business-function software can be loaded on an iPad (especially from iCloud), we’re going to see more and more of this.  iPads won’t replace the extensive functionality of a laptop, PC, or Mac, but for mobile workers (salespersons, in this case), there will be more adopters.

Level 3 rolling out iPads to all salespersons

Tactile vs. software keyboards

Are you ready for a different kind of keyboard on a handheld or tablet device?  While the Qwerty keyboard has held its own for nearly 150 years (incredible that one technology can remain in constant use, virtually unchanged, for that length of time), Snapkeys and other concepts just like it may change the way we do data input.  I must admit that while the keyboard of an iPad is very similar to what I’m used to, it’s still a bit too small to touch-type (which I do quite well, thank you) using it.  It’s absolutely impossible to do so with a smartphone’s keypad.  So maybe the wave of the future is upon us.


http://allthingsd.com/20120120/how-touchscreens-are-forcing-the-reinvention-of-keyboards/

Supreme Court rules 9-0 on use of GPS tracking devices

In what I consider to be a surprising 9-0 decision, the US Supreme Court ruled today that law enforcement agencies will need a search warrant from a judge before installing and operating a GPS tracking device on a suspect’s vehicle.  I see this as surprising because I would have thought that the GHW Bush and GW Bush appointees would have ruled on the side of the law enforcement agencies.  In doing so, they upheld the lower court’s overturning of a case against a drug dealer who had such a device installed on his car for about four weeks without a search warrant.

As Justice Samuel Alito (a GW Bush appointee) wrote . . .

The use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy . . . We need not identify with precision the point at which the tracking of this vehicle became a search, for the line was surely crossed before the four-week mark.

He wrote that the trespass was not as important as the suspect’s expectation of privacy and that the long-term surveillance impinged on that suspect’s expectations of privacy.  Of course, law enforcement can still employ such methods, as long as they first obtain a search warrant to do so.

http://www.msnbc.msn.com/id/46101025/ns/technology_and_science-security/#.Tx2xCoGwUdM

http://www.computerworld.com/s/article/9223634/Supreme_Court_GPS_tracking_needs_court_warrant?taxonomyId=17

More on the Password Conundrum

We can’t avoid it – every site we visit, from banking, to booking airline tickets, to just reading the New York Times or your local newspaper, requires a password.  It’s become the de facto method of authenticating oneself to a site, a system, one’s e-mail.

Without a doubt, it’s become more and more difficult to create unique passwords for each site, and remember them all.  We can write them down, or store them in a document, but that risks their discovery.  As I posted before, unless forced to by their employer, most users tend to use the same passwords, over and over again.  Sometimes users use a variant of that password, and associate it with the site they are visiting.  While that’s more secure, it’s not foolproof.  There has to be a better way.

In the December 2011-January 2012 issue of Information Security Magazine, author Ron Condon postulates that “Viable alternatives to passwords remain elusive.”  He states that biometrics is still not a viable alternative.  He quotes Peter Wood, CEO of Brighton-based security firm First Base Technologies: “The reuse of passwords is emerging as a massive problem.”  So what’s Condon’s solution?  One I’ve been thinking of implementing for myself for about a year now, and one that may resolve all of these issues (if I could ever just get started with it) – using a password management tool, such as LastPass, where you store all of your passwords, and with one complex, memorable password, you’re able to sign into any site.  Indeed, “Wood is a strong exponent of this, and has made it mandatory that all pen testers working for his company use such a tool. They all have a complex passphrase that locks their encrypted laptops and ensures only they have access to the various passwords stored on their machines.”

What’s the hold-up on me, or any other user, doing this?  It certainly isn’t fear of forgetting that one password, or even of that site being hacked (although LastPass did have some problems last year).  It’s the need to inventory and record (preferably off-line) each and every password one owns, and then enter all of those into the password manager.  It might take some time, but the effort expended would sure be worth it.  Now all I have to do is make the time.

More password victims – we all do it . . .

Online retailer Zappos.com has been compromised, and nearly 24 million (that’s right, million) customers may have had their names, addresses, e-mails, phone numbers, and the last four digits of their credit card numbers (not the full card number – those are stored separately) compromised.

Here’s the link, from MSNBC’s Red Tape Chronicles.

In addition, Zappos is stating that passwords may have been stolen, too. And while these are cryptographically scrambled into ciphertext to protect their customers, they have expired every customer’s password in order to force their customers to choose a new one. That’s a good policy. But they take it one step further, and recommend that if you use the same password on multiple sites, you change those as well.

We all do it – use a convenient password for multiple sites, even if they’re not used for ALL of our sites. Perhaps this would be a good time for all persons to actually do an “inventory” of their passwords (yes, record each site and each site’s password) in order to change as many of them as possible to something that isn’t used anywhere else. It’s a good idea.
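To make that “inventory” concrete, here is an added example (my own illustration, not code from Zappos, LastPass or the magazine article) that takes a recorded list of sites and passwords, flags every password used on more than one site, also collapses the “same base password plus the site name” variants mentioned in the earlier post, and proposes a fresh random replacement for each flagged site. The inventory itself is constructed sample data, not real credentials.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample inventory of (site, password) pairs; not real credentials.
INVENTORY = [
    ("bank.example", "Tr0ub4dor&3"),
    ("airline.example", "Tr0ub4dor&3"),
    ("news.example", "Tr0ub4dor&3news"),   # site-name variant of the same base
    ("mail.example", "Tr0ub4dor&3"),
    ("work.example", "c9!Qm2#Lp7vX"),      # genuinely unique
]

def _site_name(site):
    # "bank.example" -> "bank": the tag users typically append to a base password
    return site.split(".")[0].lower()

def base_password(site, password):
    """Strip the site name (any position, any case) so site-tagged variants
    collapse onto the base password they were derived from."""
    return re.sub(re.escape(_site_name(site)), "", password, flags=re.IGNORECASE)

def exact_reuse(inventory):
    """Passwords used verbatim on more than one site -> {password: [sites]}."""
    groups = defaultdict(list)
    for site, pw in inventory:
        groups[pw].append(site)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}

def reuse_report(inventory):
    """Like exact_reuse, but groups by the site-stripped base, so
    'Tr0ub4dor&3' and 'Tr0ub4dor&3news' count as the same password."""
    groups = defaultdict(list)
    for site, pw in inventory:
        groups[base_password(site, pw)].append(site)
    return {base: sites for base, sites in groups.items() if len(sites) > 1}

def unique_password(length=16):
    """Random password from a CSPRNG; one per site, to be kept in a manager."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def replacement_plan(inventory):
    """Every site in a reuse group gets its own fresh password -> {site: new_pw}."""
    flagged = {s for sites in reuse_report(inventory).values() for s in sites}
    return {site: unique_password() for site in sorted(flagged)}

if __name__ == "__main__":
    for base, sites in reuse_report(INVENTORY).items():
        print(f"{base!r} is shared (directly or as a variant) by: {', '.join(sites)}")
    print("sites needing a new, unique password:", sorted(replacement_plan(INVENTORY)))
```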

First post . . . and purpose

I’ve tried blogging before, but gave it up after a while.  I guess the problem I had was mixing my personal thoughts with my professional ones.  So I’m trying again.  But this time, I intend to make every effort to keep this blog limited to my professional musings . . . about information technology and information and cyber security. I’m hoping that I can add some new ideas to the discussion of these topics, and once I do, I’m going to encourage my students to join in. Hopefully this will become an interactive medium for the courses I teach.

In the meantime, if you find me, welcome to my world behind the computer – so let’s get started!
