Category Archives: Work

Home Network Security

I review companies’ information security policies, practices, and procedures for a living. I tell them when they’re doing well, and when they suck (and have to do it nicely). This past week, I was looking at a small business which is special in that they legitimately have to be concerned about targeted attacks (also known as “Advanced Persistent Threats”, which I consider a bullshit term), and their network isn’t up to snuff.

In a diversion from personal finance stuff, I’m going to create a short series on protecting yourselves – as people with home networks, laptops, desktops, media servers, blogs, etc.  You may not be subject to targeted attacks, but you are subject to attacks just for the hell of it – and that’s more than enough motivation for most attackers.  Hopefully, some of you find this interesting and useful.

Information Security Basics

There are three things to be concerned about when it comes to information security: Confidentiality, Integrity, and Availability (CIA). Each particular company or situation will focus on one or two of those, with the third relegated to “the back burner”. But it’s really important to at least consider all three areas.

Confidentiality

Confidentiality is keeping information from people who should not have access to it (for whatever reason).  Confidentiality means keeping your data under wraps, keeping it from prying eyes, keeping the information from “leaking” outside of the folks who are authorized.  It also means preventing people from being in a position to access the data in an unauthorized manner: not letting someone have access to a system where that data is stored.

Integrity

Integrity is one area that tends to get ignored (except in financial circles). It means protecting information from unauthorized modification. Financial institutions and folks that deal with SOX are really concerned about integrity – after all, if you can change one digit in the following string, you’re a very rich person: “1,000,000”. Integrity also comes into play in legal disputes and digital forensics. Because it’s *very* easy to change electronic information, and electronic information tends to be “hoarded”, it’s an important topic. For personal files, integrity is important because a one-byte change in a photo can “corrupt” the photo so you can no longer see it (although this bleeds into availability).
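The integrity problem described above (a single changed byte that nobody notices), as an added example that is not from the original post: a small file-integrity manifest in Python that records SHA-256 digests of your files and later reports which ones were modified, removed or added. The function names and the sample “photo” files are constructed for this illustration.

```python
"""Added example (not from the original post): a minimal file-integrity
manifest, the kind of technical control that turns a silent one-byte
change into something you can detect. Helper names are hypothetical."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large photos/videos never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Return {relative_path: status} for every file that does not match.
    Status is 'modified', 'missing' or 'new'; an empty dict means intact."""
    problems: dict[str, str] = {}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "modified"
    for rel in current.keys() - manifest.keys():
        problems[rel] = "new"
    return problems


def flip_one_byte(path: Path, offset: int = 0) -> None:
    """Simulate silent corruption: change exactly one byte in place."""
    data = bytearray(path.read_bytes())
    data[offset] ^= 0x01
    path.write_bytes(bytes(data))


def demo() -> dict[str, str]:
    """Constructed sample: two fake 'photos' in a temp dir, one gets corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "beach.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"A" * 100)
        (root / "cabin.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"B" * 100)
        manifest = build_manifest(root)       # snapshot taken while files are good
        assert verify_manifest(root, manifest) == {}
        flip_one_byte(root / "beach.jpg", offset=50)
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())  # {'beach.jpg': 'modified'}
```

Keep the manifest somewhere the files’ own storage can’t overwrite it (a separate drive or a printed copy for a small set), otherwise whatever corrupts or encrypts the photos can rewrite the manifest too.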

Availability

You want to be able to access your information when you need it and where you need it. This is generally the biggest concern of Internet-based companies like Amazon – they lose money if you can’t get to their site. Personal users also want to be able to get to their data when they need it. For example, there’s a new virus out which will encrypt your entire hard drive (and all attached network drives) and won’t unlock the drive until you pay a ransom. All of a sudden, you don’t have access to your pictures, your files, and possibly your records for business/tax purposes.

Information Security Controls

There are multiple ways to protect Confidentiality, Integrity, and Availability, and those are called controls. You can have a “technical” control, where the systems enforce the control (like a locking screensaver), or you can have a “policy” control, where a policy dictates what to do or not do, and you expect people to follow it. Generally, policy controls aren’t as strong, but in some cases there’s not much of a choice because a technical control doesn’t exist. I’ll be talking about both, but for a home user, “policy” controls are the easiest (cheapest) to implement and are “good enough”.

Links to the posts

  1. Firewalls
  2. Anti-Virus
  3. Updates
  4. Wireless Networks
  5. Outsourcing

Was (Is) College worth the expense?

Mr 1500 got me thinking about whether college was important to my current life.   I think it was extremely important in my particular situation, as I work in an industry where who you know is almost as important as what you know.  I work in the information security industry – at one point, I was a white-hat hacker, or “hacker for hire” through a consulting company.  Now, I specialize in information security risk evaluation, management and mitigation.

When I went through college, there was no such thing as an information security degree, or information assurance, or whatever the hell they’re calling it these days – the closest thing was CERIAS at Purdue (and when I applied to grad school, it was the only such program in the country – no, I didn’t get accepted). Most of the folks in my field don’t have degrees, or if they do, it might be computer science (or French and biology like some of my co-workers). You don’t learn information security by studying it in school, you learn it by doing. Yes, there is now a lot of theory and research about information assurance and how to prove that something is secure (hint: you can’t), but at the time, it was a just-developing field.


Back from Vacation

We’re back from our vacation, a few hundred dollars lighter than we expected, but we also have a lot of wine to enjoy over the next few weeks.

The Niagara-on-the-Lake region of Ontario is known for its icewine specifically, but also has excellent whites and lighter reds – less expensive than California for the most part (except the icewine). We brought back 13 bottles of “normal” wine, and 400mL of icewine.

Icewine is a super sweet dessert wine that I’ve heard referred to as the ambrosia of the gods. It’s almost syrupy, which doesn’t lend itself to drinking a lot at once. You *might* drink 1oz at a time; more than that is just too much – that’s the reason it’s sold in 50mL, 200mL and 375mL bottles. We bought two 200mL bottles and eight 50mL ones. It’s made by leaving the grapes on the vine until there are 3-5 consecutive days of -10 to -12C temps (10-14F). Then the grapes are harvested at night, and pressed while frozen to produce a very concentrated juice. Then that juice is fermented like “regular” wine. Most icewines are made from Vidal and Riesling grapes, but on this trip, we saw a lot of Cabernet Franc icewines, and one winery had icewine made from almost any kind of grape you can imagine. Unfortunately, they didn’t have any of the Chardonnay or Shiraz icewine for tasting, and we weren’t going to pay the premium for it. Icewines run from about $40-$50 to $200 or more per 200mL – expensive stuff, but oooh so good!

We also took in a lot of the tourist sights around Niagara Falls, and met some of my friends for dinner in Toronto.  All-in-all, a great vacation.  I even managed to get myself back on east coast time pretty quickly after my recent visit to South East Asia.

I’m off to the West Coast for work tomorrow, but I’m on “American” time, so it’s not so hard on my body.  The separation is kinda hard on Daughter Person though.  She hasn’t let go of me since we picked her up at Grammy’s this weekend.

Credit Card Travel Notification

If you’re going to travel internationally, you’ll want to let your credit card provider know ahead of time so they don’t automatically flag your first international transaction as fraud.

UPDATE (March 29, 2016): I am not a bank or credit card company, I don’t want to know what your travel plans are, please call the number on the back of your cards.

American Express is pretty sweet in that you don’t need to let them know – they started as “the” travel card for Americans, and it’s still very widely used in business travel. It’s not very useful for most non-business transactions though – like paying for a hostel, or pulling money out of an ATM.

ATM Cards

Call your bank and let them know your travel plans in as much detail as you know (I’m going to be in this country on this date, and I’m planning on being home on this date…). They will mark your account so you can continue using it. ATMs also generally offer the best exchange rate, so make sure you’ve got an ATM card that works in the country you’re traveling to! The only issue I’ve ever had is that some of the ATMs in Japan require a 6-digit PIN vs the standard US 4-digit PIN. But, the ATMs at Narita airport and at all 7-11s will take US ATM cards with no problems. In rural Europe, you might run into ATMs (and automated gas pumps, etc.) that will only accept a Chip and PIN card, which only one US bank issues that I know of (Chase) – and it’s kind of in beta. If you need a Chip and PIN card, you can get a pre-paid one through AAA and Travelex. If you’re sticking to the big cities, you shouldn’t need to worry about it.

Other Credit Cards

Some have online travel notification (USAA), others you’ll need to call the issuer. It’s the same as with ATMs, you’ll need to let them know your itinerary. And if you have any authorized users on your account that will not be traveling with you, make sure they know that.

Fees

International transaction fees are usually about 3% for most credit cards, but there are several that are designed for frequent international travelers that do not charge the transaction fee (Pentagon Federal is the big one here that charges no fees). American Express charges a 3% transaction fee – despite being a “traveler’s card”. My bank (PNC) will refund any international ATM fee (usually $4), but will charge me 3% if I use it as a Visa card.

Usually, the best option is to pull out as much cash from an ATM as you think you will need at once, where there’s a flat fee on the ATM withdrawal instead of a percentage fee on each use. If you travel a lot, look into the options which do not charge transaction fees. I’ve yet to get a card that is transaction-fee-free, but I tend to use cash when traveling (except for business expenses, then I expense the 3% transaction fee for the corporate AMEX).

International Travel and Cell Phones

When you have a cell phone, you feel a bit lost without it – especially if it’s a smartphone with a data plan.  So, what can you do when you travel overseas?

Pre-paid SIMs

If you have an MVNO (Republic, Straight Talk, Ting, etc), your best bet is to get a SIM card in the country you are traveling to once you get there.  I used to use ekit.com to pre-buy my international SIM card for travel, but that’s more expensive than buying a pre-paid card when you get to where you’re going – I needed to give folks my phone number ahead of time, so the ekit route was best for me.  One thing to watch out for is that some countries require you to be a citizen to legally buy a SIM card (India), and you might not be able to get one at your destination.  It’s worth checking out before you go.

International Roaming

A second option, and one which I’ve used on short trips (2-4 days) is to just enable international roaming on your cell phone plan (free on AT&T), and pay per minute, per text, or per kb for what you use.  If you’ve switched your cell phone plan to an MVNO, this won’t apply to you, since you can’t roam internationally (and one reason I haven’t jumped the AT&T ship). In Europe, AT&T charges $1.69/minute and in Asia it’s $2.50/minute for talking – including a call going to voicemail! Everywhere I’ve been is $0.50 for an outgoing text message (SMS not MMS), and incoming text messages count against your domestic plan.  I generally encourage folks to text me rather than call me.

Data on international roaming is umm.. expensive to say the least. I used my phone to check in on Foursquare once in Belgium on a per-kb basis, and it ended up costing me almost $50 (and I had data disabled for that entire trip, except that one check-in….) So, if you want to use data, I suggest you follow my next option.

International Data/Talk/Text Plan

With AT&T (at least), you can enable this for as little as a month, so if you’re traveling for 2 weeks or more and want data, I suggest you go this route.  I pay $30/mth for 120MB of data.  I was in Switzerland for 3 weeks last year, and didn’t use all of the 120MB I had available – and I used my phone for train tickets, GPS maps, etc.  I tried to keep the data usage down by turning off push, and forcing manual syncing of everything, but I certainly used my data.

I have this option enabled for September and my current international travel. The data you use internationally does not “count” against your domestic plan, so you basically get an additional 120MB above and beyond what you already pay for – as long as it’s used outside the US.  If you’re a very heavy data user, you can also pay for more, and as you go up in MB, the price per kb goes down.

In previous trips, I have not ever paid for an international talk plan, but on this trip I am.  A minute in Singapore and Malaysia is $2.50/minute without a plan, and I expect to spend at least 5-10 minutes on the phone while I’m traveling to sync up with folks I’m meeting.  AT&T offered a 15 minute plan for $30 – which works out to $2/minute, and any additional minutes are also $2/minute in Asia – and less in Canada.  I get to expense all this, so it’s not that big of a deal for me to add the 15 minutes.

The data plan, I’d add even if I weren’t traveling for business and getting to expense things.  I’d choose to pay for it myself, especially in Europe where a lot of things happen on mobile devices (train tickets, airline tickets/checkin, etc).  It was very nice buying my SBB tickets from the station platform!

Globetrotting

Over the next two weeks, I will be in 6 countries, not counting the US.  I plan on keeping up with a posting schedule, but things may have strange hours.  For the first week, I’ll be working in Singapore and Malaysia, and transiting through Japan, Thailand (Bangkok), and Germany.  This will be the first time I’ve been to either of those countries and Thailand – but really, an hour in the airport doesn’t really count as “visiting” a country.  Even though the flight schedule is pretty grueling, I hope to get to see a few things while I’m there.

The following week, I’ll be in Canada on vacation with Dad.  This will be our first vacation for more than a weekend without Daughter Person since she was born over 2.5 years ago.  We’re going to Niagara Falls and Toronto, and it just happens to be during Niagara-on-the-Lake’s wine festival…. (Really, we didn’t plan it that way).

The fun part is that my flight from Asia returns to the states at about 12:30pm on Friday the 20th, and that night, we drive to Grammy’s to drop off Daughter Person – I’m going to have a messed up body clock for a while.  On the plus side, I’m getting about 30k miles on Star Alliance towards my gold status for next year!  And I’m pretty sure after this trip, I’m going to need to get more pages in my passport before I can go anywhere else.

Mileage Run for Gold

I fly a lot for work, and I’m only 3,000 miles away from United Premier Gold – which is equivalent to Star Alliance Gold (which is awesome).  So, Dad and I are making a long weekend mileage run to San Francisco in December.  Daughter Person is going to stay at Grandma’s, and I’ll get my 3,000 miles (4,800 some actually) – and my Gold status for next year.  I lost my Gold status when Daughter Person was born, and this past year I only had Silver – I had Gold the year she was born – just in time to not be able to enjoy it 🙁

IAD to SFO is a hub-to-hub flight for United, so it’s really quite cheap: $350 each round trip.  We don’t have the best flight times (leaving IAD at 6:30am!), but they’re not horrible, and it’ll be just us this time.

Incessant Traveling

I’ve now been on the road for over 3 weeks. I’m getting a bit tired of eating out. And I’ve been in Switzerland the past week, so the food is doubly expensive. I get to expense it, but still, it kinda sucks eating alone. I’ve been mostly going to the local grocery store and picking up some things to eat (mostly not great for me since I can’t actually cook anything in my hotel that involves more than boiling water in the kettle…).

I’m missing Dad and Daughter Person, although we’ve skyped with each other twice now. I have had some fun in all the work. I took a day trip to Jungfraujoch via cog railway over the weekend, and most of the train ride is under the mountain. It was cloudy, so I didn’t get to see that much, but then it opened up for us towards the end of the trip – right as we were about to leave.

I’m in a hotel now which I’ll be in for about 10 days (maybe 9 – I forget…), and there are no laundromats in this town. The nearest one is in Zurich – almost 2 hours away by train. If I’d known that, I would have washed my clothes before I left Zurich on Sunday 🙁 As it is, I have the hotel washing my clothes. I provided them with the one detergent I know won’t make me break out into a rash, so hopefully that goes well. They’re supposed to be ironing them as well – although I tried to ask that they just fold or hang things – it’s all undies, socks, knit shirts and a pair of jeans – none of which needs ironing. The price list was missing from my room, so I have no idea how much it’s costing my company (what, you think I’m paying for laundering?!?).

I did splurge while I was in Germany’s Black Forest area and bought a cuckoo clock to be shipped home. I blew all of my spending money for the month, but I’ve wanted a cuckoo clock since I brought my mom one back in 2000. Otherwise, pretty much everything is getting expensed – train tickets, hotels, food, etc. I travel reasonably, even when on an expense budget, so I’m not having big parties or anything.

I drove on the autobahn in Germany (which is generic for “highway”).  The “suggested” speed limit is 130 km/h (about 80mph).  I was going the suggested speed limit, and it felt like I was sitting still compared to most of the cars passing me.  I did get up to 170 km/h (~105mph) only because I had a long stretch to accelerate.  There *is* a speed limit of 120 km/h in Switzerland, and they’re really strict about enforcing it too (lots and lots of speed cameras).  Driving on the autobahn isn’t a big deal (or much different from driving on an interstate in the states), but driving in a city centre?  Oh man, that was torture.  One of my hotels was in a city centre, right next to the main train station, and I was stressed about following signs, hitting people or bikes, and just really glad to find the hotel’s parking garage and set out walking instead.

Exhaustion

The last week has been one exercise in staying awake after another.  I finally have a break while traveling.

We spent the weekend at a friend’s cabin at a lake – with no air-conditioning.  I’m OK with heat as long as it’s not muggy and there’s shade available.  There was shade – but it was *very* muggy, and I was very uncomfortable.  Daughter Person ended up with a heat rash – along with Hand, Foot and Mouth (for the third time!).  I took off Monday to take her to the doctor to confirm it, and then spent the day driving her to grandma’s for the week.  We were planning on going to grandma’s this upcoming weekend anyway, so now it’s just Dad and I driving alone without Daughter Person.  I’ve spent way too long in a car the last few days.

Today, I took a day trip to Raleigh, NC for work – I left on an 8:30 am flight, and I’m sitting in the airport now waiting for my flight home.

I expected to be tired from having a child, but never this level of exhaustion. I sleep well – mostly because I’m so tired that I just pass out in bed as soon as I lie down. I’m ready for a mental health week. I’m going to take a week’s staycation, take Daughter Person to daycare, and let Dad go to work, then stay home and have the whole house to myself!