« August 2009 | Main | October 2009 »

September 2009

September 27, 2009

One Month to Fall CITRT Regional Events

For most locations, the fall regional event is just one month away.  You are registered, right?  If not, what are you waiting for?  (that's a serious question)

Posted at 05:50 AM in CITRT | | Comments (0) | TrackBack (0)

September 21, 2009

Need any Barracuda Help?

My Barracuda blog has been pretty silent over the last three years because, frankly, Barracuda Networks has been doing a great job keeping Barracuda’s running well without needing much hands-on work.  However, I know some people still have specific spam, or usage, issues.  If you use a Barracuda Spam Firewall and are in need of some custom rules, I’d love to hear from you about your needs.

Posted at 10:01 PM in AntiSpam, BestPractice, Church IT | | Comments (0) | TrackBack (0)

September 11, 2009

Password Guidelines

This is pretty much unrelated to Jason Powell's recent talk, but coincidentally I was working on a password document at about the same time.  This was prepared for a client who agreed to allow for reuse and modification.  What would you add or change?  Looking for “best practices” and practical guidelines to share.  CITRT people, please use if appropriate.  And yes, I already know that Jason's policy was different.  Remember, this is a set of guidelines to be adapted to particular needs.  A recent story in Windows Secrets is also good information on strong passwords.

Why are good passwords important?
It’s an unfortunate fact of life that there are “bad guys” out there who are trying to get you.  It’s possible that someone specifically wants to steal YOUR information or that of your employer.  Or, perhaps someone wants to discredit or embarrass you or your employer.  It’s just as possible that there is someone out there who’s just interested in learning *if* your system can be violated.  Regardless the motive of the bad guys, if they break in, it’s a bad thing.  There is a common misconception around the idea of “I don’t have anything of interest to a bad guy.”  If a hacker gains access to ANY account on a system, that gives a way to use the system’s own power to help gain further access.  Any breech gives a foot in the door for a more targeted attack.  If you have an account, you are a gateway to EVERYTHING stored on the network. 
 
What makes a good password?
There are three primary qualities of a good password:

  1. Not easy to machine decode. Hackers have powerful tools that can “guess” passwords with incredible speed and ability. Therefore, good passwords are long and complex
  2. Not easy to guess. A good password shouldn’t be easy for a person to guess. Long and complex passwords are best but they should NOT be based on identifiable personal information.
  3. Easy to remember. This may be the most counter-intuitive part of a good password. If you have to write your password down, it’s a bad password. A good password is one that you, and only you, can easily remember

Do those three rules make it seem that good passwords would be impossible?  Perhaps, but maybe there are some simple ways to create long, complex passwords that are also easy to remember.
 
Ideas on creating good passwords:
One of the best ways to come up with a long, complex, password is to think in terms of phrases rather than words.  Start with a phrase that’s easy to remember, but is not based on any information obviously identifiable to you.  Find a phrase that includes upper and lower case, numbers, and special characters.  For instance:
My #1 all time favorite movie is Gone With The Wind
Using that entire phrase as your password is great:
My#1alltimefavoritemovieisGoneWithTheWind
(Sometimes it’s hard to NOT type the spaces,  but many systems DO allow for spaces in passwords!)

Another good solution is to pick first letters from a phrase.  Using the above phrase, we might generate (in your head, still) a password of:
M#1atfmiGWTW
That password is almost as easy to remember as the original, reasonably easy to type, yet very difficult to guess or for a program to decode.

Let’s try another:
September 29 is a special day to a friend of mine
As before, we could use the entire phrase, or we could do a quick encoding to come up with
S29iasdtafom
 
Now here’s a special trick that makes passwords better.  Most people, when asked to create a complex password, come up with a word, capitalize it, then add a special character or number to the end.  Orangutan*1 is an example.  Technically, that is an “ok” password.  However, since that’s what most people do, that’s the sort of approach most password cracking programs take to break passwords.  You can be smarter!  Simply turn it around.  #1Orangutan is a far better password (still not great, but incredibly better).  (#1SortOfLikeAGorilla is much better.)
 
A few things to avoid:
There are certainly some things NOT to use when creating passwords.  You can add to this list, then just remember not to do these things.  Easy, right?

  • Passwords should never contain your name, your account name, or your company name
  • Passwords should never be simple words from the dictionary (note: using multiple words is recommended)
  • Passwords should never be made substantially of letter sequences (ABCDE) or number sequences (87654)
  • New passwords should not be at all similar to previously used password. (start with an entirely new phrase)
  • Don’t use the same password for different purposes. For different accounts, different systems, different websites, use different passwords. It’s easier than you think to be creative and still have unique, memorable, passwords if you think in terms of phrases

Password Policy
Here are the absolute must do and must not do requirements:

  • At least 8 characters (more is always better)
  • Contains at least 3 of the 4 character types: Upper Case Letters, Lower Case Letters, Numbers, and Special Characters
  • Does NOT contain any part of your name or user name
  • Must be changed at least every 6 months
  • Is NEVER to be given to anyone else. Not your family, not your friends, not your manager – NOBODY!
  • Is NEVER to be written down
  • YOU are 100% responsible for the security of your account through your own careful use of a quality password
  • Any employee found to have violated policy may be subject to disciplinary action, up to and including termination of employment.


 

Posted at 11:40 AM in BestPractice, Church IT, Consulting | | Comments (3) | TrackBack (0)

September 08, 2009

Taking Over Failed Business Phone Numbers

PhoneDisconnected Imagine that you're in a service business and you do superior work all the time.  Your customers love you.  Now imagine there are others in your city, who are in the same line of business, but they don't always do great work.  As a matter of fact, some of those competitors of yours are failing.

Well, this happens all the time.  But, for whatever reason, people (customers) still have the phone numbers of those old, not-so-good, failed businesses.  An idea that comes up from time to time is to take over the number of the failed competitor so you now get the calls and, of course, provide superior service to those customers.

I took on a little project recently to try to find a way to learn when a competitor is failing so you can quickly acquire the phone number.  I struck out!  I can't find any way to get a timely report of when a company fails, or more importantly, when their phone number goes out of service.  The only solutions I found were to auto-dial a list of numbers, and when one doesn't answer, or gives an "out of service" message, you call the phone company and buy it.

It seems that buying these dead numbers would be useful to lots of service businesses.  There must be a better way to find those numbers.

Anybody know a solution?  Anybody want to go into this business (finding failed numbers)?

Posted at 08:41 AM in BestPractice, Consulting, Technology | | Comments (0) | TrackBack (0)