Joe Hackman

Joe Hackman

Digital Transformation, Industry 4.0, Tesla, maker, and more...

You are here: Home / Archives for Joe Hackman

A Powerful Tool to Keep You Safe Online – Sandboxie

by 1 Comment

This is part 3 of 4 of the Personal Information Security Redux.

Since there are things that we cannot protect ourselves from online, the next best solution is to prevent them from harming your computer. This can be accomplished on Windows Platforms by using security software called Sandboxie. What Sandboxie does is creates a virtual sandbox for your browser and other applications to use that does not affect the rest of your operating system. It accomplishes this by storing all the changes that would have been to your system registry and file system into a virtual space on your hard disk. This virtual space is controlled by the Sandboxie application and it can be reset at any time, we’ll get into that more later.

Step One – Choose your Version, Download/Purchase and Install

There are only really a few options for Sandboxie. The big one is whether you are using for home or business use. If you are using it for home, you have the option to use the shareware version. The free version has a reminder every time it starts up for a few seconds and does not allow forced programs or folders. The average home user will probably not take advantage of the advanced features, however I would still recommend licensing the product because it is inexpensive and it will allow the developer to continue to improve it. Commercial users must always pay for the product in the form of an annual subscription.

Step Two – Install and Configure Sandboxie

The product is very simple to install, just follow the prompts. There is nothing that requires configuration.

Step Three – Using Sandboxie to Safely Open Files or Programs

Once installed to use the software you can either right click any file, shortcut or program and choose “run Sandboxed” as pictured:

Right click menu "Run Sandboxed"

Right click menu “Run Sandboxed”

Once you’ve done this, the item will open in the Sandboxed space. You will know which windows are running in there by the yellow border surrounding them:

Yellow border indicates it is running "Sandboxed"

Yellow border indicates it is running “Sandboxed”

Had this program been malware, a virus or some other undesirable application that would damage your computer, the sandbox would protect you. The “damage” would be done to the files in the virtual space that Sandboxie is running.

Step 4 – Using a Sandbox to Access the Internet and Webmail

Earlier it was suggested to use a sandbox for your web browser and Web Mail. The reason for that is simple, the sandbox gives you protection that neither antivirus or the most careful user can. A Sandboxed web browser can give you protection from even un-known exploits. Think of it as peace of mind for anything you access using a web browser. To access a Sand Boxed web browser either right click the shortcut to the browser you’d like to use or click the “Pizza Like” icon entitled “Sandboxed Web Browser” you may want to keep it pinned to your taskbar:
sandboxedbrowserlink

You will know again by the yellow border around the browser, just like the earlier example. While in this mode you can enjoy a layer of protection for your operating system. Nothing that you can access should be able to hurt you unless it is information you input (type) or files that you download and “recover locally”. We’ll address those exceptions more carefully in the next section.

Sandboxie is not an excuse to be careless and cannot protect you from everything

Sandboxie will isolate your computer from Malware, Viruses or other things with a few very critical exceptions. Keep in mind that anything you type including passwords, etc, may be captured by malware or key loggers that are able to infect the environment. To avoid this it is critical that you purge the contents of your sandbox periodically, particularly if something suspicious has been accessed. This can be done several ways, but the easiest is through the start menu/programs/Sandboxie/Sandboxie Control.

Purging Items in your Sandbox

Purging Items in your Sandbox

It is also important to keep in mind that besides programs that could be running inside the Sandbox, other information and cookies may be present. So even if you think everything is fine, you still may wish to run the Sandboxed browser in Incognito/InPrivate mode to avoid allowing access to any cookies or sessions that may be running in the normal Sandboxed browser. Think of the advertisements you see on Facebook two minutes after you were on an E-Commerce website. Incognito/InPrivate mode will protect you from that kind of targeting.

Another way to completely undermine the safety that your Sandbox gives you is by saving a file downloaded through it locally. This is a really bad idea unless you are 100% certain the file is okay. The dialogue box looks like this, click “Close” if you want to leave the file in the Sandbox where it likely belongs:

Choose "Close" to avoid the file leaving the Sandbox.

Choose “Close” to avoid the file leaving the Sandbox.

Always Know Your Limits

There are some useful tips in this article, if you are unsure of something don’t take risks with your personal information security. Do some research and educate yourself before making a mistake.

Where are we most vulnerable online?

by Leave a Comment

This is part 2 of 4 of the Personal Information Security Redux.

While assessing ways to stay safe from personal information security breeches online, it is critical to understand where we are most vulnerable. Picture your entire information security footprint as a chain, in that chain there are a number of links. The most likely place for you to be compromised is the weakest link in this chain. While we won’t address all of them, here is an example of what some of your links are:

  • Firewall Hardware
  • Wireless Access Point
    • Encryption method
    • Hardware Firmware
    • Strength of Password
  • Personal Computer
    • File and Disk Encryption
    • Strength of Password
    • Software Security Patch Status
  • Email Account
    • Provider Filtering
    • Strength of Password
    • Circulation of Address
  • Web Browser
    • Browser patching
    • Security Settings
    • Sandboxing
  • User
    • Cautious or careless?
    • Gullibility
    • Greed

In the interest of space, this is an abbreviated list, but it hits many of the high points and in particular the big three – User, Browser and Email. The purpose of this series is to address you as a user we touched on it in the first part of this article as well as this personal information security article from 2010. Let’s look at your Web Browser and Email account next.

Which-is-the-Most-Secure-Web-Browser-V2-1Web Browsers Role in Personal Information Security

Your web browser is your eyes on the World Wide Web. Without a web browser the 3+ billion active users of the web could not access the 45 billion+ pages of content. In terms of information security, this places the browser at an extremely critical place. If there is one small loophole in the security of the web browser you use, a visit to a single website can lead to a complete compromise of your accounts or worse your identity. In fact in just the 10 seconds or so it took you to read this paragraph, 5 people have become victims of identity theft, 1 every 2 seconds!

It’s Still About You

If the browser is your eyes, you are the brain. Your actions are the real key here. You can do all the right things in terms of securing your web browser:

  • Use a reputable browser (Chrome, Internet Explorer, Mozilla, Safari, etc)
  • Install Malware/Anti-Virus Protection. Here is a free option, “ninite” download link use at your own risk, no warranties implied or given. 🙂
  • Keep your browser and other key essentials up to date.
  • Disable Java.
  • Block popups.
  • Don’t give yourself administrator rights.

And in spite of all these precautions still experience a compromise of your information security. You have to commit to becoming a cautious Internet user. Some habits of a cautious Internet user include:

  • Implement and use a Sandbox (next in this article series)
  • Stick to only reputable websites.
  • Only install software from trusted sources.
  • Validate any unusual correspondence/requests via a phone call to the Company or Individual that sent them.
  • Never giving personal information unless you initiated the connection (e.g. log on to Amazon.com directly through your browser address bar).
  • Limit your online shopping to known companies, use Paypal for smaller/lesser known companies.
  • Not sure about something? Don’t use it.

With those precautions you will be much safer on the web.

Email Accounts Role in Personal Information Security

Email accounts can be accessed either through Web Mail or using an app on your smart phone or computer. The Email address is a public conduit to you from the outside world. Up to this point we’ve talked about things you directed, in the case of Email it is the reverse, what is coming at you specifically. Email has played a role in many hi profile compromises such as the hacking of the RSA, a security firm. The individuals were targeted because of where they worked and the implications were huge. You may not work for a security software company, but you are still a potential target of either direct or broadcast type attacks. The more personal the attack, the more difficult it may be to recognize and avoid it. The broadcast type attacks are usually easy to identify and are obvious to the average Internet user. Many attempts are specific to commonly used products such as ADP payroll, Facebook, even LinkedIn, or other Generic Phishing attempts.

Best Practices for Better Email Security

For starters you should use a strong password for your Email account. Every password you use should also be unique, you can use this tool to generate a strong password be sure to check the box for special characters and hit generate. Write this password down and store it in a safe place until you have memorized it. No-one will guess your password now.

Make sure the company you use for Email hosting has strong filtering in place. I recommend Rackspace (for business) and Google Gmail (for personal) Email, both are fairly good. There is no perfect solution, but using a company that does an above average job means you will see less dangerous stuff in your inbox.

Always access your Web Mail using a sandbox. You will learn more about this in article 3 of this series.

Maintain one or more junk accounts or aliases, those are either accounts that forward to your main one or aliases of the main account that can be easily deleted. This helps to keep your mail Email address in lower circulation. The more circulated your address becomes, the more likely you are to receive malicious or junk messages. Never give your core Email address out to non-essential entities such as blog sign ups, shopping, etc. unless you feel you are adept at dealing with those risks. It is also nice to have a backup Email account as well, for personal or business use.

Set the bar really high for what you allow yourself to click or open, particularly if you don’t have a way to sandbox it. This applies especially to attachments and links from unsolicited sources.

Use security software that protects your Email client (if you use an Email application such as Outlook) or Web browser (if you use Web Mail). Also understand the limits of your security software (read step 4 of this article).

Wrapping Up

These are just some suggestions, as you can probably see by this brief article, this is a complex topic. Don’t worry or become over-whelmed, the best part is yet to come, in part 3 of this series.

Infographic by Whoishostingthis.

Personal Information Security Redux Part 1 of 4

by Leave a Comment

Back in October 2010 I wrote an article about personal choices being the most powerful information security tool. It is now January 2015 and while other things have changed, this simple fact has not. You are still the most critical piece in both your personal and work information security apparatus. In light of all the recent developments including the very high profile hacking of Sony Pictures Entertainment and while preparing for an upcoming speaking engagement, I decided it was time to refresh some of the content here on my blog.

This means you. :)

This means you. 🙂

The Next Steps

This is obviously article #1 of this series, what will be addressed in 2-4 and why?

  • Where we are most vulnerable online.
  • A powerful tool to keep you safe online.
  • Other valuable tools for Personal Information Security.

Where are we most vulnerable online?

In this section the specific applications and services that are most likely to lead to a compromise of your information security are to occur. This will enable you to be particularly cautious and invest time where it is most likely to spare you the inconvenience and expense of being compromised.

What tools are available to protect you online?

With knowledge of where you are most vulnerable, we’ll address one particular tool that will help protect you. It is unlikely that you’ve heard of this tool, but you will find that it is a powerful asset to keep you safe.

Other Valuable Tools

Some extra tools are covered that will help make your online experience more secure.

Image Credit TripwireInc, Creative Commons.

See Who Owns Your Local Politician

by 1 Comment

A bright young developer has come up with a way for us to easily see who the top contributors to political candidates are using a simple browser plugin. The plugin is called “Greenhouse” and it is available for Chrome, Safari and Mozilla. Once you have the plugin installed it will attempt to determine on each and every web page that you load if there is a politician and display information about their top contributors (and greatest benefactors?). The data comes from opensecrets.org. The information provides a quick and simple to read list of top contributors to the candidates election. This provides a very valuable context to the article that would be lacking without extensive knowledge of that candidate. I frankly cannot see myself being without this plugin now that I’ve had it installed for a couple of days, and you may feel the same way after trying it out.

Sample of plugin in action, moused over local pols name for info.

Sample of plugin in action.

The application of this is obvious and you are probably either very interested or be indifferent depending on your personal interests. I hope you find it helpful! You can download the plugin here.

Information Security Friendly Hiring

by 3 Comments

Bad HireRecently while discussing an ordeal one of my customers went through due to a bad hire, we started discussing a different criteria that makes a big difference with hiring. The benefit of experience is seeing patterns and applying them to other related things. A bad hire can have grave consequences for even the most healthy companies. For this article we’ll focus on the information security criteria of new hires. For starters I’ll share some of the good and bad patterns, then we can address together the value of applying this to your hiring practices. If you are not involved with hiring you might want to apply the information to help you understand your strengths or build up areas of improvement.

One factor I’m going to leave out of this is the InfoSec infrastructure and culture of your company. If it wasn’t good you wouldn’t be able to tell if you were hiring the right people or not, everyone would have problems. Your websites would be getting hacked, your Email accounts would be getting shut down because they were sending spam and an abundance of other similar issues would exist across the board.

What Good InfoSec Hires Look Like

How do you know you have employees that should be ranked as good in terms of information security? The biggest factor is, do you ever have any problems with their computers and accounts due to some compromise? Good InfoSec hires will rarely if ever open suspicious Emails. They will rarely if ever click links they shouldn’t have. They will rarely if ever have to talk to IT or have a system restored due to a security issue or compromised account.

What characteristics do good InfoSec hires demonstrate?

There are a number of things that you can look for to help make better hiring decisions. Here are some traits that a good InfoSec hire would have:

  • Responsibility – individuals that exhibit responsibility will be less likely to make careless mistakes that compromise your security.
  • Street Smarts – being able to spot a con is actually a very valuable trait. A little street smarts goes a long way, candidates that are too innocent and lack worldly experience are much more likely to become victims of phishing attempts.
  • Generosity – Greed is one of the predominant traits that criminals play on, an person who is fiscally generous is much less likely to fall into these traps, or others, that could have a huge fiscal and reputation impact on your company.
  • Digital Native – candidates who have a strong mastery of software, social networks, computers and smart devices are much more likely to understand the ever present risks and instinctively make good decisions.

These are just a few traits, it is likely that others are also valuable, if you have suggestions to add use either the comment or contact me to share.

What Bad InfoSec Hires Look Like

We know what a good hire looks like on a deeper level, but what about a bad hire? This one is perhaps more obvious. Bad hires will be people who struggle with technology or always seem to be having problems due to carelessness or a lack of knowledge. Here are some of the characteristics a bad hire would exhibit:

  • Carelessness – candidates who are careless will struggle with issues like identity theft, become victims of scams and face infiltration from Malware and viruses.
  • Innocence – adults in the work force will need some basic protections, candidates that are too innocent are an easy mark for some kinds of exploitation.
  • Greed – people who might be willing to compromise values or fall for scams due to greed are not good hires. Greed also tends to replicate entitlement, and greedy people will think things are owed to them and be less likely to produce quality work.
  • Technology Challenged – lacking experience with technology means that certain things will be learned the hard way.

Suggestions are welcome, and I think there is a great opportunity for a lively discussion about this in the comments or privately via Email.

Tips for making good InfoSec hires

The good news is, the traits that make for good InfoSec hires will serve your company well. Thinking about how to analyze and determine these is very valuable. Here are some interview questions and hiring concepts that might help you find the ideal employees:

  • Ask candidates if the last time they had a problem with a computer or smart phone. What was it related to? What did they do to fix it/get it resolved? You can follow up with more specific questions about viruses, malware, etc.
  • Call both references provided and seek out others that they did not mention, but may be listed in their LinkedIn or other profiles. One technique that might be helpful is to check for people you have in common at those companies, they will be more likely to introduce you to the manager they worked with. This could be a great option to determine the character qualities of your candidates.
  • Present a scenario that the candidate is unlikely to have knowledge, see if they are able to deliver a potential solution using gut instinct. This will help determine their street smarts.
  • If they have stated software or technology skills that you are very familiar with, talk about those things to gauge how well they really know them.

You can do better…

These are some examples but I’m willing to bet you can use the concepts and come up with even better options that fit your company and candidates better, after all you know your business better than anyone else. The main intention of this article was to help you avoid a bad hire that could hurt your company. Most of the people I work with aren’t huge companies and cannot afford to make poor hiring decisions… do you have any tips to share that might help others?