Find hidden files with Show Hidden Files


External and internal threats to information security. Sane password policy.

Information security is a hard challenge for most organizations. In this newsletter, we discuss some security issues regarding external and internal threats to information security and password policy management.

Show Hidden Files Newsletter
Issue 9, June 7, 2005

Show Hidden Files News and Articles

The following information security issues are discussed in this newsletter:

1) Virus writers are more intent on obtaining personal data

2) Data leaks highlight complexities of electronic documents

3) USB drives and data leakage

4) Put policies before products in IT security battle

5) Jotting down passwords is better than using one for all

Virus writers are more intent on obtaining personal data

Back in the good old days of computer viruses, malicious hackers wrote them for notoriety alone. Now, it's all about the money.

The Sober-N virus, which currently accounts for roughly 80 percent of all virus reports and 5 percent of all global e-mail volume, is a clear example of how viruses are increasingly used to obtain personal information and access to bank-account numbers, passwords and other sensitive financial data.

The Sober-N virus dwarfs the virus currently in second place, which represents just over 6 percent of all virus reports and accounts for just 0.4 percent of all e-mail traffic.

It got so big, so quickly, probably because its writers used spam technology to distribute it in the first place. This reflects a trend: those who release malware into the public realm now set out to distribute it more widely than ever before.

Once opened and launched on a personal computer, such malware often attempts to install software that captures a user's keystrokes, with the aim of gaining access to the user's personal data.


Data leaks highlight complexities of electronic documents

Just a few clicks were enough to reveal “blacked out” names, training procedures and other secrets in an electronic report recently released by the U.S. military.

The U.S. military command in Baghdad produced a report in Portable Document Format, or PDF, and posted it on the command's Web site Saturday. Its censors simply put black rectangles over the text and did not delete any of the text itself from the documents. Readers can see what's buried beneath by simply opening the document in Acrobat Reader, hitting the “select text” button, copying and then pasting all the text into any word processor.

Such cases of confidential data leakage are not uncommon. Besides offering the ability to uncover blacked-out text, many documents carry “metadata”, or embedded information like the document's author and company. For example, users of Microsoft Corp.'s Word routinely send files embedded with previous drafts, all revealed with a few clicks.

Users should realize that it's always a bad idea to e-mail sensitive electronic documents or place them on a web site. Generally, when you release documents electronically, they have to be scrubbed with certain tools or procedures.
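As an added example (not part of the original newsletter), the following pre-release check reports author metadata and leftover draft text in a Word file before it is published. It assumes the modern .docx (Office Open XML) package format, which postdates this issue; the names `audit_docx`, `is_scrubbed` and `build_sample` are illustrative, and the sample document is constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer the defusedxml package

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

def audit_docx(data: bytes) -> dict:
    """Report identifying metadata and leftover draft text in a .docx package."""
    report = {"creator": None, "last_modified_by": None,
              "deleted_text": [], "tracked_insertions": 0, "has_comments": False}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        report["has_comments"] = "word/comments.xml" in names
        if "docProps/core.xml" in names:
            core = ET.fromstring(pkg.read("docProps/core.xml"))
            report["creator"] = core.findtext(f"{{{DC_NS}}}creator")
            report["last_modified_by"] = core.findtext(f"{{{CP_NS}}}lastModifiedBy")
        if "word/document.xml" in names:
            body = ET.fromstring(pkg.read("word/document.xml"))
            # A tracked deletion keeps the removed wording in <w:delText>.
            report["deleted_text"] = [t.text for t in body.iter(f"{{{W_NS}}}delText") if t.text]
            report["tracked_insertions"] = sum(1 for _ in body.iter(f"{{{W_NS}}}ins"))
    return report

def is_scrubbed(report: dict) -> bool:
    """True only when nothing in the report would leak on release."""
    return not any(report.values())

def build_sample(scrubbed: bool = False) -> bytes:
    """Constructed sample package (not a real document), built in memory."""
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            '<dc:creator>J. Analyst</dc:creator>'
            '<cp:lastModifiedBy>Legal Review</cp:lastModifiedBy></cp:coreProperties>')
    draft = ('<w:del w:id="1" w:author="J. Analyst"><w:r>'
             '<w:delText>Earlier draft wording.</w:delText></w:r></w:del>'
             '<w:ins w:id="2" w:author="Legal Review"><w:r><w:t>Added.</w:t></w:r></w:ins>')
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Final wording.</w:t></w:r>'
           f'{"" if scrubbed else draft}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", doc)
        if not scrubbed:
            pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

A release gate can refuse to publish any file for which `is_scrubbed` returns False and show the report to the author.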


USB drives and data leakage

USB flash drives have become as common as CD burners in most organisations. However, these drives can also be a tremendous source of data leakage from an organisation's network.

Users often store the information they need, such as passwords or other corporate secrets, on these USB flash devices. Although confidential data can just as easily be transferred to 3.5-inch floppy disks, writeable CDs, or any other removable media allowed on the network, it is the size of USB devices that poses such a great risk.

Because these devices are so small, they're an easy target for thieves, and they're also easier for users to lose or misplace. And that means that vital secrets can disappear before you know it.

While it may be tempting to ban the use of these devices altogether, that really isn't necessary. These common devices are extremely useful, and it's perfectly fine to allow them on your network. However, to better protect corporate data, you have to take steps to add a layer of security to go with the information these handy devices can store.

For example, you can configure Windows Encrypting File System (EFS) to encrypt user data on the fly. This works extremely well with laptops that travel outside of your company walls.


Put policies before products in IT security battle

There is still room for improvement when it comes to IT security staff training. Education of information security staff is paramount in improving security management.

Education has to be directed to IT security staff so they can more effectively manage the technology already in place. The view within enterprises is that more dollars will solve security problems, but it is really about implementing and maintaining the right policies.

Putting the value of products before people and procedure has created a dangerous environment. Policies need to be embraced as one of the four 'P's': people, policy, process and, last of all, products.

IT education is about ensuring a security policy is delivered and clearly understood, rather than tutoring people on how to use their computer.

For example, a company needs a unified policy regarding sensitive information and protected files. People within an organization have to realize that this type of data should exist in a single copy, and it cannot be transferred from the corporate network through unauthorized access.


Jotting down passwords is better than using one for all

Write down your passwords: It's better than using the same one for all...

Companies should not ban employees from writing down their passwords, because such a ban forces users to use the same weak password on many systems.

Jesper Johansson, senior programme manager for security policy at Microsoft, said the security industry had been giving out the wrong advice to users by telling them not to write down their passwords: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them," he said.

Storing all personal passwords in an encrypted file may be a solution for IT administrators. However, storing a password list in an encrypted file may not work for users because they would then forget the password to decrypt the password file.


Newsletter information:

This newsletter comes out every 3 weeks, and we are happy that you read it and find it useful. If you think that others, for instance your friends or colleagues, can benefit from it, please share the subscription URL with them.


Made in Devoler