Intro
Who do I need to worry about?

        http://www.flickr.com/photos/12273378@N00/2547546709/
Intro
http://www.flickr.com/photos/39585662@N00/5331407245/


Intro
Man In The Middle Attacks, Trojans, Privilege Escalations, DNS Changes, Arbitrary File Downloads, Cross Site Request Forgery, Heap Overflows, Remote Stack Buffer Overflow, Worms, Blended Threats, Malvertising, Arbitrary Command Execution, Address Bar Spoofing, Crimevertising, File Overwrite, Keyloggers, Format Strings, Malware, Shell Uploads, Spyware, Local Stack Buffer Overflow, Advanced Persistent Threats, Data Exfiltration, Data Aggregation Attacks, Code Injections, Remote Code Execution, Scareware, Information Disclosures, SQL Injections, Denial Of Service, Array Integer Overflows, Stack Pointer Underflow, Null Byte Injection, Backdoors, Trojan-Downloaders, Cross Site Scripting, HTTP Parameter Pollution, Viruses, Cookie Disclosures, Forced Tweet, Local File Inclusions, Rootkits, Man In The Browser Attacks, Adware, Remote Code Injection, DNS Poisoning, Buffer Overflows, Directory Traversals, Open Redirection, Remote Command Executions, Frankenmalware
Intro
lethic, s_torpig, darkmailer, FakeCheck, Dofoil, Phoenix, Sefnit, Rimecud, Incognito, SpyEye, CoinMiner, ClickPotato, Zwangi, FakeRean, Bleeding Life, Hotbar, RedKit, Citadel, Siberia, fivetoone, Ramnit, Conedex, Cycbot, Eleonore, Alureon, IRCBot, ZeuS, Blacole, Alureon, Camec, GameVance, Sirefef, SEO Sploit, SpyZeus, Poison, Intoxicated, Onescan, FineTop, Taterf, MSIL, Taterf, bobax, Conficker, grum, OpenCandy, Sality, SideTab, CrimePack, PlayBryte, cutwail, Pdfjsc, sendsafe, gheg, maazben
Intro
Intro
Intro
Intro
Steal everything




http://www.flickr.com/photos/36448457@N00/4521285655/
Intro
Sort it out later
There’s no such thing as a secure computer!




                    Intro
Passwords
http://www.flickr.com/photos/61577908@N00/4750110576/
Passwords
http://www.flickr.com/photos/7447470@N06/3839085638/
Passwords
http://www.flickr.com/photos/58442690@N00/2297872691/
http://www.flickr.com/photos/12036191@N00/357072613/
Only 1% of all cyber attacks are from previously unknown threats.
-Microsoft Report
Simple:
If it’s yours, secure it!
If it’s not, don’t trust it!
Staying Safe Online
Staying Safe Online
Verizon Data Breach Investigations Report – Fall 2011
IT Security For Libraries
Being bad is easy…
…Security is har




http://www.flickr.com/photos/vrogy/511644410/
IT Security For Libraries
http://www.flickr.com/photos/34120957@N04/4199675334/
IT Security For Libraries
http://www.flickr.com/photos/41084935@N00/362929745/
http://www.flickr.com/photos/21671782@N03/5020082786/
http://www.flickr.com/photos/95877218@N00/516920477/
http://www.flickr.com/photos/60723528@N00/476586010/
Tech Blast: Security

Editor's Notes

  1. However, there is one kind of crime which may exist in the future - computer crime. Instead of mugging people in the streets or robbing houses, tomorrow's criminal may try to steal money from banks and other organizations by using a computer. … it is very difficult to carry out a successful robbery by computer. Many computers have secret codes to prevent anyone but their owners from operating them. As computers are used more and more, it is likely that computer crime will become increasingly difficult to carry out.
  2. They are different, you can feel secure if you’re not, and you can be secure even if you don’t feel it.
  3. I’m going to make you feel insecure, even if you’re not. My goal today is not to make you leave here screaming. But, you should leave here and make some changes.
  4. It boils down to 3 types of bad guys. Criminals, Activists, Government Agents
  5. They are everywhere. They are where you are. Social Networks, Search Engines, Advertising, Email, Web Sites, Web Servers, Home Computers, Mobile Devices
  6. So what are we talking about here? Viruses? Worms? Trojans? Backdoors? Scareware? Rootkits? Malware? Exploits? We are talking about malicious code that takes advantage of software vulnerabilities to infect, disrupt or take control of a computer without consent, and usually, without knowledge. These exploits target vulnerabilities in the OS, the web browser, various applications or anything else installed on a computer. These exploits are almost always targeted against known vulnerabilities that have already been patched by the maker of the software. They frequently target Java, Adobe Flash and PDF Reader, and the Windows OS. Many of these exploits are now spread through infected websites, mail, and social media.
     All these pieces add up—a great lesson to teach people who don’t tend to think outside of their little niche in the organisation. “When you’re thinking with a hacker mindset, the takeaway you get is there’s a little issue here, and there, and over there, and that a+b+c adds up,” Cheyne said.
     “Most computer users are all too aware of the threat of viruses and worms infecting their machines, but according to security research firm BitDefender different types of malware may now be infecting each other to create a new breed of security risk. Dubbed "Frankenmalware," the hybrids are created when a virus infects a machine that has already been compromised by a worm. The virus attaches itself to executable files on the host system — including the worm — and when the latter spreads it carries the virus along with it. BitDefender claims it analyzed a sample of 10 million pieces of malware and discovered 40,000 different examples of the new breed. Code from the Virtob virus, for example, was found inside both the OnlineGames and Mydoom worms.
     Finding attacks will only get harder.
     Smarter, Stealthier, Sneakier Malware
     Stuxnet. Duqu. Advanced persistent threats. Ever-evolving versions of Zeus and other malware. Malware is not only spreading, it's getting smarter. And sneakier.
     For most enterprises, it's difficult just to keep up with the newest and most sophisticated attacks, let alone stop them. As more and more tools are introduced they are perfected and this makes it easier for all bad guys to get more victims.
  7. But the threat model is evolving and ever changing, based on where the juiciest targets are, and what makes more sense for cybercriminals to use.
     Before, we used to see email as the primary vector for infection. Whether it was phishing emails trying to get people to click on a link, or simply a message carrying a payload like embedded JavaScript, or even a Word or PDF document trying to exploit a vulnerability in software. But now, email isn’t such a target anymore. Email clients have become much better at protecting users, and so have gateways and spam-scanning services. Today, the web is the main vector of attack, but perhaps not for long. With the increasing activity of hacktivists, the advent of cloud services of all types, and of course the mobile landscape, newer threats are emerging, and so the IT community must adapt.
     The report also underlined the growing threat posed by the malware-as-a-service industry, where crooks hire out networks of infected computers. “What's happening is a segregation of the malware market, where someone else will invest in infecting machines, and someone else will look to rent this for whatever means they see as most profitable,” James Todd, European technical head at FireEye told V3.
     They go out of their way to avoid detection and maybe more importantly, to cover their tracks. These things have help desks, user groups, social networking platforms; users can report and fix programming bugs, suggest and vote on new features, and generally guide future development of the botnet malware. The writers use CRMs. They are programmed to work against each other, or with each other.
     They have Affiliate Partners, and Recruiters, they do Advertising, and everything else any other businesses do.
     A peek into the underground economy and the market for stolen credit cards
     Posted on February 17, 2012 by Linda Musthaler
     There’s a great article from Bloomberg (Stolen credit cards for $3.50 online) in which author Michael Riley explores the depths of the underground market for stolen credit card data. Reading this is enough to make you want to stuff all your money in a mattress for safe keeping.
     By some estimates, the underground digital economy has now surpassed the estimated value of the international cocaine market. Oddly enough, this underground market actually functions like a legitimate economy in many ways. Not only do hackers sell their malware as if it were commercial software – complete with upgrades from time to time – but novice cyber criminals also can obtain training on how to get into the business. Black hat entrepreneurs offer translation services so those phishing scams can reach target victims in their native languages. What’s next, hacker support hot lines? (Maybe not hotlines, but there are chat rooms for sharing tips and “best practices.”)
     “The problem is getting worse faster than we’re getting better,” according to Tony Sager, the chief operating officer of the Information Assurance Directorate at the National Security Agency, which includes some of the U.S. government’s best cyber experts. “We’re not keeping pace.”
     2009 was a turning point year for the malware industry. In 2009, Symantec cataloged 2.8 million new viruses infecting computers. A year later that number had jumped to 286 million. This is the time frame when Zeus and its stepchild SpyEye came onto the scene, changing the illicit business model from “write your own code” to “buy the malware starter kit.” It allowed countless criminals with no technical knowledge to enter the market.
     Riley’s article does offer some hope for the white hats. The FBI and its international counterparts have learned some lessons from big take-downs in the past year. And as we’ve seen with the dramatic drop in spam when just one or two botnets were dismantled, all it takes is one good crime bust to put a dent in the underground market, at least for a while.
  8. They are after most of the things you’d expect, and some you might not...PINs, Passwords, Credit Cards, Bank Accounts, Computers, Usernames, Contact Lists, Emails, Phone Numbers
  9. You might say to yourself you’re not a target because you’re only on The Facebook or The Twitter...
  10. Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.
     A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say.
     That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop—cha-ching—they've just made $250,000 off of one hack.
     Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowBe4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos' so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds.
     "Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution.
     http://www.cio.com/article/698820/Are_You_at_Risk_What_Cybercriminals_Do_With_Your_Personal_Data_
     Are You at Risk? What Cybercriminals Do With Your Personal Data – Meridith Levinson, CIO
  11. It's also important to know that, ultimately, there is no such thing as a secure computer. Nothing we do can make things 100% safe. We can just make things safer than they were before. All of the security work we do is about reducing risk. It's about knowing what we're up against. We want to reduce the possible frequency of loss (by securing things as much as possible, given our resources) AND we want to reduce the potential magnitude of loss (by limiting what can be lost as much as possible).
     To help set the stage for success we should keep in mind 2 things: "Any lock can be picked", and people are the weakest link in the security chain. First, people:
     - People choose bad passwords, we write them down, we share them, we reuse them.
     - People email things we shouldn't.
     - People post things on Twitter or Facebook.
     - People click on links without knowing what's behind them.
     - People don't update our computers and programs.
     - People plug in USB drives w/o knowing where they came from.
     Of course, we all want our computers to work. We don't want to worry about all this security. We just want things to be safe. We have better things to do. We do insecure things because we're tired and busy. We write down passwords because our brains are full. We have better things to do than update our computers and programs. It's not (only) because people are lazy. It's because every layer of security we add causes more work for them. Much of this advice, many of these things we want them to do, just cost too much in terms of a daily burden when so few of them will really be harmed by evildoers. There is generally low motivation and poor understanding of why this could be important. People choose the easiest and quickest way to get things and hope for the best. So even though we have better security than ever before, there are also more ways to defeat it than ever before. To make matters worse, we are now in the era of "steal everything." We all have something a hacker is interested in stealing.
     And to make things even worse, barriers to this particular type of theft are lower than ever. Frequently, hacking requires little training or knowledge or investment of time. Hackers have moved beyond banks and are now stealing more mundane things that you have. These are all worth money, or can be used to cause trouble and spread malware. There are bad guys who will pay for email passwords, Facebook logins, trojaned PCs, game logins, nearly anything you have. Our libraries are no exception. They become targets because of what we have inside our ILSs, our public access machines, the OPAC, the databases and more.
  12. Unplugged, de-networked, and locked in a closet. Then they could still pick the lock. So, what can you do?
  13. Don’t reuse. Don’t make them weak.
  14. Passwords are like gum: Best When Fresh, Should Be Used Once, Should Not Be Shared, Make A Mess When Left Lying Around, Easy To Steal
     NativeIntelligence.com
  15. Uniqueness, Complexity, Length, Strength, Memorableness
  16. Choosing A Good Password
     So, it turns out a key to a strong password isn’t its obscurity but its complexity: things that make it less likely to be guessed by an automated password cracker. However, making a good complex password means knowing a bit about how passwords get broken. Passwords don't necessarily need to be hard. Pick a good memorization strategy, pick a good password, and you'll be on your way to being more secure.
     Choose NON obvious, NON dictionary passwords. If we assume someone has time to just sit and guess your password on a system, they will check common passwords first, then they check a dictionary. Since they don't know your passwords, they look for the easiest guesses first. Given enough time, and if they are persistent enough, they will just start throwing every possible combination of letters, and then numbers, and then letters and numbers, and so on. So after using things that aren't common, the most important thing is length. There's no difference between a simple long password and a complex long one as far as guessing goes. So start with an easy to remember password, then pad it with something else easy to remember. So get your own password and pad it. But don't just use Password1 as this is easily guessed, and don't pad with easily guessed numbers. The password plus padding shouldn't be easily guessed or obvious. E.g. the most common (therefore easily guessed) padding is done by adding a 1,2,3,4 at the end of some word.
     This increase in length and complexity defends against brute forcing. We get protection by adding more digits because they need to guess every possible combination of everything up to that length; each digit adds A LOT to the time required. If you use special characters and upper/lower case you add even more time because they know most passwords are all lowercase letters. Some places will allow the use of spaces in your password, which gives you the opportunity to use a pass phrase, e.g. Correct Horse Battery Staple.
     Simple Things Make a Good Strong Password
     - At least 1 Uppercase
     - At least 1 Lowercase
     - At least 1 Number (And don't put those numbers on the end)
     - At least 1 Something else (*%$@!-+=)
     - Make it as long as you can
     Are complex passwords better? Well, maybe. Longer passwords are better, no doubt. If we knew exactly what each password was defending against, we would know what kind of password to choose. You have no idea how your passwords are stored or shared. Given enough time any captured password can be broken. Remember, we don't know HOW people are going to get your password. Given enough time and resources any password can be guessed. BUT, that is no excuse to not use a good password, because chances are good no one will have the time and resources to crack a good password.
     One more random piece of password changing advice: if you break up with someone who knew your passwords, change them all.
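The guessing order described in the password notes above (common passwords first, then dictionary words with predictable padding, then every combination up to a given length), written as a small password audit. This is an added example, not part of the original slides; the word lists, the 10,000-suffix padding estimate and the guessing rate are constructed assumptions.

```python
import re
import string

# Constructed sample lists; a real audit would load much larger ones.
COMMON = {"password", "password1", "123456", "qwerty", "letmein"}
DICTIONARY = {"library", "summer", "dragon", "monkey", "welcome"}
PADDING_VARIANTS = 10_000           # assumed: suffixes tried per dictionary word
GUESSES_PER_SECOND = 1e10           # assumed offline guessing rate, for scale only
SYMBOLS = string.punctuation + " "  # 32 punctuation characters plus space


def charset_size(pw):
    """Alphabet size a brute-force search must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def brute_force_guesses(pw):
    """Guesses to try every string of length 1..len(pw) over that alphabet."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def audit(pw):
    """Return (stage, guesses) for the first guessing stage that finds pw."""
    low = pw.lower()
    if low in COMMON:
        return "common-list", len(COMMON)
    # Predictable padding: a known word followed by digits and/or '!'.
    stem = re.sub(r"[\d!]+$", "", low)
    if stem in DICTIONARY or stem in COMMON:
        words = len(COMMON) + len(DICTIONARY)
        return "dictionary+padding", words * PADDING_VARIANTS
    return "brute-force", brute_force_guesses(pw)


def seconds_to_exhaust(pw):
    """Worst-case time for the stage that finds pw, at the assumed rate."""
    return audit(pw)[1] / GUESSES_PER_SECOND


if __name__ == "__main__":
    for pw in ["Password1", "Summer2012", "x7$Kq",
               "libraryxlibrary", "correct horse battery staple"]:
        stage, guesses = audit(pw)
        print(f"{pw!r:32} {stage:20} {guesses:.2e} guesses "
              f"{seconds_to_exhaust(pw):.2e} s")
```

The brute-force figure is an upper bound for that stage only. It does not model guessing that combines whole dictionary words, so it overstates the strength of passphrases built from very common words.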
  17. A very brief discussion on which OS might be safest, or at least how using Apple or Linux makes you MORE safe... NOT safe.
  18. Here's a curiosity that's developing in modern browser security: The security of a given browser is dominated by how much effort it puts into other peoples' problems.
     This may sound absurd at first but we're heading towards a world where the main browsers will have (with a few notable exceptions):
     - Rapid autoupdate to fix security issues.
     - Some form of sandboxing.
     - A long history of fuzzing and security research.
     These factors, combined with an ever more balanced distribution of browser usage, are making it uneconomical for mass malware to go after the browsers themselves.
     Enter plug-ins
     Plug-ins are an attractive target because some of them have drastically more market share than even the most popular browser. And a lot of plug-ins haven't received the same security attention that browsers have over the past years.
     The traditional view in security is to look after your own house and let others look after theirs. But is this conscionable in a world where -- as a browser vendor -- you have the power to defend users from other peoples' bugs?
     As a robust illustrative point, a lot of security professionals recently noticed some interesting exploit kit data, showing a big difference in exploitation success between Chrome (~0%) and IE / Firefox (~15%).
     The particular exploits successfully targeted are largely old, fixed plug-in bugs in Java, Flash and Reader. So why the big difference between browsers?
     The answer is largely the investment Chrome's security team has made in defending against other peoples' problems, with initiatives such as:
     - Blocking out-of-date plug-ins by default and encouraging the user to update.
     - Blocking lesser-used plug-ins (such as Java, RealPlayer, Shockwave etc.) by default.
     - Having the Flash plug-in bundled such that it is autoupdated using Chrome's fast autoupdate strategy (this is why Chrome probably has the best Flash security story).
     - The inclusion of a lightweight and reasonably sandboxed default PDF viewer (not all sandboxes are created equal!)
     - The Open Type Sanitizer, which defends against a subset of Windows kernel bugs and Freetype bugs. Chrome often autoupdates OTS faster than e.g. Microsoft / Apple / Linux vendors fix the underlying bug.
     - Certificate public key pinning. This new technology defends against the generally gnarly SSL Certificate Authority problem, and caught a serious CA compromise being abused in Iran last year.
     In conclusion, some of the biggest browser security wins over the past couple of years have come from browser vendors defending against other peoples' problems. So I repeat the hypothesis:
     The security of a given browser is dominated by how much effort it puts into other peoples' problems
     Funny world we live in.
  19. The one thing ALL those browsers have in common is plugins. Especially anything from Adobe. That’s why bad guys are targeting Flash and Acrobat Reader. They are ubiquitous, notoriously easy to hack, and notorious for 0-days.
  20. “Getting rid of swine flu”
  21. Fans spinning wildly, Programs start unexpectedly, Your firewall yells at you, Odd emails FROM you, Freezes, Your browser behaves funny, Sudden slowness, Change in behavior, Odd sounds or beeps, Random popups, Unwelcome images, Disappearing files, Random error messages
  22. Some tips on social media
  23. You might say to yourself, oh, we’re just a library, no one will come after us, we have nothing worth taking.
  24. A conclusion reinforced by evidence accrued in the aforementioned Verizon report and the following summation by Marc Spitler, a Verizon security analyst: "Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords." In other words, easy-to-find, easy-to-learn and easy-to-exploit weak passwords. Victims were not ‘chosen’ because they were large, important or had financial data. They were simply the easiest targets.
     “Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them.”
     And here’s the same thing in different wording:
     “The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.”
     And of course, I like this one because it highlights Automated Vulnerability Assessment:
     “SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”
     Basically, your organization already has the security solution that it needs; you’re just not using it.
  25. As you’ve now seen, it takes very very little skill to be a bad guy now.
     Mae West
  26. Why Security Is Hard
     Though it is easy, that is, so many of the holes we miss are easy to fill, it’s hard to get it all right.
     IT Security isn't always easy. When it comes to securing your IT resources it's very easy to make a mistake, or overlook something small. In every library it feels like there are a million things to worry about. It's NOT only the fools who are getting hacked, it's everyone and anyone. The best of us miss things and make mistakes that can lead to security breaches. Most libraries don't have the money, time, or people to secure even the small number of resources they have. Larger libraries may be able to afford to spend more time/money on security, but then they also have more things to secure. Unfortunately, security doesn't scale up very easily. This doesn't mean you should give up and hope for the best! Everyone in your library has some small part to play in keeping things secure. We can talk all day about how we should integrate security into our daily routine more, and how vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics of security aren't overly favorable. The costs are very low for the bad guys, and very high for those of us trying to make things more secure.
     The malware your computers are subject to now is very sophisticated. It's highly evolved and many times will be able to run totally undetected. It has automated installers, updaters, and a sophisticated command and control center that puts every infected machine to good use. It's easy for the writers of these tools to stay one step ahead of those who work to keep us safe. It's very easy for your computers to spy on your users, or become part of a botnet used to cause trouble anywhere in the world.
  27. Force Attacker Perfection
     I will fully admit that I sometimes find myself parroting standard industry tropes. For example, I can’t recall how many times I’ve said in presentations and interviews:
     The defender needs to be perfect all the time. The attacker only needs to succeed once.
     And yes, it’s totally true. But we spend so much time harping on it that we forget how we can turn that same dynamic to our advantage.
     If all the attacker cares about is getting in once, that’s true. If we only focus on stopping that first attack, it’s still true. But what if we shift our goal to detection and containment? Then we open up some opportunities.
     As defenders, the more barriers and monitors we put in place, the more we demand perfection from attackers. Look at all those great heist movies like Ocean’s 11 – the thieves have to pass all sorts of hurdles on the way in, while inside, and on the way out to get away with the loot.
     We can do the same thing with compartmentalization and extensive alert-based monitoring. More monitored internal barriers are more things an attacker needs to slip past to win. Technically it’s defense in depth, but we all know that term has turned into an excuse to buy more useless crap, mostly on the perimeter, as opposed to increasing internal barriers.
     I am not saying it’s easy. Especially since you need alert-based monitors so you aren’t looking at everything by hand. And let’s be honest – although a SIEM is supposed to fill this role (at least the alerting one) almost no one can get SIEM to work that way without spending more than they wasted on their 7-year ERP project. But I’m an analyst so I get to spout out general philosophical stuff from time to time in hopes of inspiring new ideas. (Or annoy you with my mendacity).
     Stop wishing for new black boxes. Just drop more barriers, with more monitoring, creating more places for attackers to trip up.
     —Rich
  28. Ignoring it and thinking you're safe, Not Preparing, Not Training
  29. Don’t worry about Anonymous or APT Agents, worry about bots and scanners, automated tools that look for easy targets. By doing SOMETHING, by doing ANYTHING you’ll be ahead of the game. Make sure you pull down all the low hanging fruit those automated scans are looking for.
  30. OPAC / ILS, Staff Computers, Network Thingys, Databases, Printers / Copiers / Thingys, Website, Servers, Laptops, Backups, Printers, Cell Phones, Wi-Fi Routers, Routers, Cell Phones, iPads
  31. PACs give me the same feeling I get when I go into a hospital. I assume they are covered with flesh-eating bacteria or MRSA or something awful.
  32. Train The Security Mindset. Train The Hacker’s Mindset.
  33. Some people see a lock. Others see a challenge.
  34. Same: Keep things updated, Passwords. Different: Limit logins, Logs, Watch for file changes (IDS), Firewall, Kill unneeded processes
  35. May 2, 2012, 1:59PM
     Nine Percent of Websites May be Malicious
     by Brian Donohue
     Just fewer than 10 percent of websites serve some sort of malicious purpose, with an additional nine percent of sites being characterized as “suspicious” by Zscaler in a new research report.
     Zscaler ran 27,000 website URLs through a tool they developed to assess the security of websites and give them a score from zero to 100. Nearly 81 percent of sites scored between zero and 49 (benign). 9.5 percent scored between 50 and 74 percent (suspicious) and another 9.5 percent scored somewhere between 75 and 100 (malicious), according to the company's State of the Web Report.
     The report also indicates that outdated plug-ins and the users that refuse to update them continue to be a serious but improving problem in the enterprise. Zscaler cites the Flashback outbreak, which exploited known Java vulnerabilities, as anecdotal evidence of this. The report shows that more than 60 percent of Adobe Reader users are running an outdated version of that software. Adobe Shockwave came in second, with 35 percent of users running an outdated version. Java came in fourth, with only five percent of users running an outdated version.
     It appears also that enterprises are increasing their efforts to block employees from visiting social networking sites. When the quarter opened, social networks only accounted for 2.5 percent of policy blocks; by the end of the quarter, that statistic had increased to four percent.
     Some other interesting info-morsels include Zscaler’s findings that Apple devices are becoming more prevalent in the work place as Android and BlackBerry devices become less prevalent. Facebook’s share of Web 2.0 traffic is down slightly from 43 percent in Q4 2011 to 41 percent in Q1 2012. On the other side, Twitter saw its share of such traffic increase over the same period from five percent to seven percent. Zscaler claims that the drop in Facebook’s traffic share is due to corporate policies that are increasingly blocking employee access to that social network while remaining noticeably less concerned about employee access to Twitter. Zscaler also believes that Twitter’s traffic-share increase may suggest that the service is being more widely adopted for use in the enterprise.
     Sports and gambling sites generally see a spike in traffic in Q1 that can very likely be attributed to events like the NFL playoffs, Super Bowl, and March Madness in America and the International Cricket Council's Cricket World Cup in places like India and Australia. This year, those sites’ traffic increased a dramatic 74 percent.
  36. Use Good Passwords, Be Paranoid, Keep Everything Updated