Mac OS X Quick Lock Screen

Want to be able to lock your computer with a keyboard shortcut?

Since OS 8 you can put the screens to sleep using Control + Shift + Eject (⌃ + ⇧ + ⏏).

Here is how you can lock your computer from a keyboard shortcut

1. Open up your system preferences and go to Security & Privacy.

2. Check box to require password after sleep and select desired timeout.

I have mine set to require a password after 5 seconds so if my screens go to sleep while I am right there I have time to wake it up again before requiring a password.

3. Use keyboard shortcut to put monitors to sleep.

⌃ + ⇧ + ⏏

What is ISO 17799, ISO 27000, PCI Credit Card Standard

For my System Security class we get to learn about ISO 17799, ISO 27000, and the PCI Credit Card Standard. When I first started looking up information about 17799 and 27000 I was a bit overwhelmed and confused by the information that is out there on the web. I felt much like I was trying to memorize a chart like this:
bad
Now I understand a bit better why there are so many software applications and business built around helping other businesses become compliant with these security standards.

So what are the ISO 17799, ISO 27000, and PCI Credit Card Standards?
They are a set of standards set forth by the International Organization for Standardization to ensure that consumer and customer data is kept safe. The ISO.org site says that the 17799 “contains best practices of control objectives and controls in the following areas of information security management:

security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management,  business continuity management, compliance.

In simple terms this means that businesses and organizations need to:

  • Make rules to protect their stuff and your data
  • Actually protect their stuff and workers
  • Keep others from stealing from them
  • Keep things maintained and running well
  • Keep the business running smoothly for customers
  • Make sure they are doing everything on this list correctly

I found it funny that the 17799, according to Wikipedia, is a word-for-word copy of the British Standard 7799-1. The 17799 was updated and renamed to 27002 to keep it up to date and grouped with similar documents numbered in the 27000 domain.

You can download the official ISO 2700 document from the iso website if you’re so inclined to read it or need it.

PCI Credit Card Standard

The PCI Credit Card Standard is a document outlining a standard to ensure that businesses that are taking credit card payments meet a minimum standard to ensure the safety of their customers and the associated data. The current standard covers 6 areas:

  • Have secure network
  • Keep data safe
  • Keep system up to date and secure
  • Good passwords & other access restriction measures
  • Watch network for failure and intrusion
  • Have a plan

What’s interesting to me about the PCI credit card standard is that it isn’t issued by a organization that has multi-national participation. It is run and enforced by the major credit card companies. If vendors aren’t compliant then the credit card holder is vulnerable and that isn’t good for the main credit card company because their customer will get hurt. In order for the credit card company to keep their good name and customers, they have set up a standard in hopes that their customers and money will be more protected. If a vendor isn’t compliant then the credit card company often fines or quits doing business with the vendor completely.

I think security standards are good in the fact that they push those who don’t care or who aren’t thinking about security, to do something about it. The downside to having security standards is that it creates an easy resting place for companies. It makes it easier for them to say, “I’m compliant so I don’t have to do any more than this”.  I think they can also misguide sometimes if the group making the standard focuses on a risk is in one place but an even greater risk ends up getting less attention.

Disclaimer:

This post is for a school assignment and I do not claim to be an expert by any means. I was assigned a topic I knew nothing about and tried to make sense of it and share what I learned in simple terms.

Resources:

http://www.noweco.com/risk/riske13.htm
http://www.pbandsp.com/tools/iso.html
http://en.wikipedia.org/wiki/ISO/IEC_17799http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
http://www.pcicomplianceguide.org/
http://www.computerworld.com/s/article/102913/Credit_card_data_security_standard_goes_into_effect
http://en.wikipedia.org/wiki/ISO/IEC_27000

Key Based Authentication for SSH

What is key based authentication for ssh?

keyKey based authentication for SSH is a way to connect remotely to another computer/server using an encrypted file you HAVE and an optional password you KNOW to unlock the file. Key based authentication has the advantage of being more secure and/or more convenient.

Why?

Password based authentication:
Logging in via password over SSH encrypts your password so it ends up looking like this:
..t-:p.%.E.{..E..X7.@.@.~....s..............NXP...{W..!8..;.eh9..N......#....q..1f...:...D9R0 zy
Because the password is encrypted, it won’t be seen in plain text over the wire which is good. If the password is short or simple enough, a hacker will be able to crack your password. Assuming the password is good enough, password based authentication’s strength comes from keeping that knowledge from others.

Key based authentication allows you to connect remotely using an encrypted file as a key instead of a password. Key based authentication gives you the option to Continue reading Key Based Authentication for SSH

Insecure Wireless Network Could Get You Arrested or Sued

Synopsis:

shocked girlHaving an insecure wireless network makes you liable for arrest or lawsuit! If you have not done all these things listed below to protect your wireless network, take the few minutes it will take to do the basics and DO THEM NOW!!

Basics

There is no excuse for not doing all these things
– Change default user name & passwords for routing equipment
– Use strong passwords
– Turn on encryption (WPA2 or better. WEP is hackable in minutes)
– Change default SSID
– Enable firewalls
– Turn off when not in use
– Update router firmware to the latest version

Advanced

Increases security but may require more time or expertise
– Disable DHCP and assign static IP Addresses
– Filter by MAC address
– Monitor network for intrusions
– Use software to test for network vulnerabilities

handcuffsDid you know that you can be arrested or be sued if your wireless network is insecure? If you have an insecure wireless router at home, someone could use your internet connection to start downloading child pornography, attack the NSA, send spam, release viruses, or hack your own computer and steal your identity! So when the police or NSA come knocking at your door how are you going to prove that you didn’t do it? All that activity will be traced back to your IP address and you will need a really good argument to convince them otherwise. But why waste your time, money, and possibly your identity by not taking a few minutes to secure your network? What about businesses that have wireless networks set up? If a business has an insecure wireless network, hackers can use that to steal information by monitoring the network or compromising computers on that network. If that happens, patients, customers, and employees are all at risk of having their private information stolen. Not good!

Lets step through the basics of what everyone should do to secure their wireless network.

Continue reading Insecure Wireless Network Could Get You Arrested or Sued