Observations Along the Road

Theatre Writeups, Musings on the News, Rants and Roadkill Along the Information Superhighway

Category Archive: 'security'

A Secure Companion

Written By: cahwyguy - Wed Jul 19, 2017 @ 11:48 am PDT

This is a companion lunchtime post to my previous one. Whereas that post focused on government-related areas, this post shares some cybersecurity items of broader interest:

  • Two Factor Authentication. The Verge has an interesting opinion piece on why two-factor authentication has failed us. We have a mix of approaches, some still depending on SMS even though there are significant weaknesses there. As they say: “Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.”
  • Backup Software. One of the best solutions for security — and a key protection against ransomware — is having backups. But Windows backup software is often hit or miss. Here’s a good review of various packages from PC World. I’ve been using an older version of their top-rated software for a few years now: I’m on Acronis True Image 2015. It backs up to the cloud without a subscription. Their newer stuff seems to have some different models, and I haven’t decided (a) if I want to upgrade, and (b) if I want to go with their subscription approach. I’ll also note that I’ve used the Paragon backup (an older version). What I didn’t like was that it grabbed every partition on the system, and did really bad space management such that your backups would fill a drive.
  • Family Passwords. This week, Lastpass announced a new service: A family password manager. As they write: “Enter LastPass Families, where you can store everything from bank accounts to passports to credit cards. Your details are secure, organized the way you want, and easily shared with your spouse, kids, in-laws, and more. You can even give access to others in the event of an emergency. The family manager can quickly add and remove members to the account, making it easy to get everyone up and running.” I still need to figure out if this service (or how this service) is an improvement over multiple Lastpass accounts. They also indicate that there is a fee for the service beyond Lastpass Premium, but if I have multiple family members with LP Premium, can things somehow be combined into one account that takes into account what has been paid. Perhaps they’ll answer this post.
  • Alice and Bob. I’ve always joked that when I hear the names Alice and Bob, my eyes glaze over for the crypto discussion that follows. But why Alice and Bob? What is their history? This article answers that question. It details the major events in the “lives” of Alice and Bob, from their birth in 1978 onwards.
  • Erasing Data. Here’s a pretty good summary of how to erase data from both magnetic and solid state drives. File it away; it may prove useful.

--- *** ---

Cyber (Security + Space)

Written By: cahwyguy - Wed Jul 19, 2017 @ 11:13 am PDT

Over the past few weeks, I’ve collected a number of articles related to, shall we say, work-related topics. Here is where I share them with you, while enjoying my lunch:

  • Headline: “Air Force operationalizes new cybersecurity plans.” This is a really interesting article detailing some of the changes being made in the Air Force to improve their cybersecurity stance. For those with an interest in cybersecurity and resilience, it is a move in the right direction.
  • Headline: “There may soon be a new US military service — for space.” There’s one problem with the US Air Force. There’s no air in space. This article is about a potential separation between the Air Force side and the “Space Force”, with a notion that the Space Force would be like the Marines: part of, but yet separate from, the Air Force. It will be interesting to see how this pans out.
  • Headline: “Malware protection for air-gapped systems.” One of the ways we supposedly protect systems is through air gaps — that is, no actual network connections. Yet as we saw with Stuxnet, such gaps don’t always work. This explores the way one vendor is addressing protection for such systems.
  • Headline: “U.S. to create the independent U.S. Cyber Command, split off from NSA.” The Department of Defense has many broad commands, most representing geographic areas (think Atlantic Command, Pacific Command, etc.) or broad functional areas (Strategic Command). One recent command created was Cyber Command, but it was part of and colocated with NSA. This article, as well as this one, discuss the potential separation of the two. This would permit Cyber Command to focus on cyber-related defense activities (and possibly offense), and NSA to focus on its intelligence role. What they don’t discuss is the disposition of the unclassified side of NSA — what was once the National Computer Security Center, and now would include things like the Common Criteria folk. My guess is that the separation is easier in theory than in practice.


--- *** ---

Technology Tidbits

Written By: cahwyguy - Thu Jul 06, 2017 @ 11:24 am PDT

Here are some technology news chum items that have caught my eye of late:


--- *** ---

Cyber Newses You Can Uses

Written By: cahwyguy - Sat Apr 22, 2017 @ 6:58 am PDT

This has been a busy busy week, and I haven’t had a chance to work on clearing out the news chum until now. This first collection is all computer related:

  • Going Phishing. Hopefully, you’re all cyber-aware. You know not to trust links in email you receive. You’ve been trained to look at where a URL goes before you click on it. You know not to click on links in email; you’ll copy the link and paste it into your browser bar. You know not to trust sites that aren’t the well-known version. But https://аррӏе.com is safe, right? Right? RIGHT? Actually, no. It may look like it reads “apple”, but that’s actually a bunch of Cyrillic characters: A (а), Er (р), Er (р), Palochka (ӏ), Ie (е). The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com – which tells you nothing about whether you’re connected to a legitimate site or not. This is what is called a homograph attack. It is something that can fool the best people, even if you hover over and check the link before browsing — unless you’re using IE or Edge or Safari. Ars Technica has even more information, but the short and skinny is: If you use Chrome, make sure you’re at Chrome 58 or later; if you use Firefox, enter “about:config” in the address bar, agree to the displayed warning, and then enter “punycode” in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word “false” to change it to “true.” From then on, Firefox will display the “dumb ascii” characters and not the deceptive, encoded ones. I’ve done that, and now I see xn--80ak6aa92e.com when I hover over the link.
  • Secure Coding. I grew up programming in Fortran, PL/I, Algol 68, RSTS/E Basic, and C. Except for perhaps Fortran and C, the rest are mostly dead. Today, kids program in C++ and Java — but they aren’t necessarily writing better programs. But following good standards can help. Here’s a link to a discussion on how to do secure coding in C++.
  • iPod without iTunes. If you are like me (and fewer are), you use your iPod for all your music (and you plan on adding more this Record Store Day). But do you back up your iPod? I do — via iTunes to my M: drive, and I back that up on my X: and W: drives and on a backup iPod. But most don’t — and most abhor iTunes. Here’s how to back up your iPod without using iTunes. I’ll note that I’ve used copytrans in the past (especially before I just kept everything in iTunes), and I’d recommend it.
  • Never Too Late. As I’m typing this, iTunes is playing “Never Too Late” (to tell the Truth) from Scottsboro Boys. If you’re like me, and like to tell the truth, you’ll be happy to know that Snopes is now embeddable. Here’s an example of an embedded article:
  • Decluttering Apps. If you’re like us, you need to declutter. The NY Times recently had a review of a number of apps that will help you do just that.
  • Pushy Microsoft. Microsoft is continuing to push people to subscribe to Office 365. The latest is restricting the ability to use Skype for Business and OneDrive if you are using a standalone Microsoft Office product. You’ll see more and more products insisting on the subscription model: Adobe, Quicken, Microsoft, ….
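To make the Going Phishing item concrete, here is an added example (my own code, not from the original post or from Ars Technica) that performs the same conversion Firefox does once network.IDN_show_punycode is set, and adds two checks a defender would want on a hostname: a label that mixes scripts, and a label made entirely of Cyrillic letters that look Latin, which is the аррӏе.com case. The lookalike table and the trusted-brand list are hand-built assumptions, not the full Unicode confusables data.

```python
import unicodedata

# Hand-built subset of Unicode's confusables table: Cyrillic letters that render
# like Latin ones. Constructed for this example; the authoritative list is
# Unicode's confusables.txt.
CYRILLIC_TO_LATIN = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "ӏ": "l", "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q",
    "ԝ": "w",
}

# The post's example host, spelled out by code point: Cyrillic a, er, er,
# palochka, ie (U+0430 U+0440 U+0440 U+04CF U+0435).
APPLE_LOOKALIKE = "\u0430\u0440\u0440\u04cf\u0435.com"


def to_punycode(hostname):
    """Render a host the way Firefox does with network.IDN_show_punycode set
    to true: every label containing non-ASCII becomes an xn-- A-label."""
    labels = []
    for label in hostname.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def script_of(ch):
    """Script family taken from the character's Unicode name (LATIN, CYRILLIC,
    GREEK, ...); digits, hyphens and other non-letters count as COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(text):
    """Replace each known Cyrillic lookalike with the Latin letter it mimics."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)


def assess(hostname, trusted=("apple.com", "paypal.com")):
    """Flag two homograph patterns: a label mixing scripts, and a label written
    entirely in Latin-lookalike Cyrillic. `trusted` is a constructed list of
    brand hosts that the skeleton is compared against."""
    hostname = hostname.lower()
    findings = []
    for label in hostname.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        letters = [ch for ch in label if ch.isalpha()]
        if len(scripts) > 1:
            findings.append(f"{label}: mixes scripts {sorted(scripts)}")
        elif scripts == {"CYRILLIC"} and all(ch in CYRILLIC_TO_LATIN for ch in letters):
            findings.append(f"{label}: whole-script confusable, reads as {skeleton(label)!r}")
    look = skeleton(hostname)
    impersonates = look if look != hostname and look in trusted else None
    return {
        "display": to_punycode(hostname),  # what a punycode-showing browser shows
        "skeleton": look,
        "impersonates": impersonates,
        "findings": findings,
    }


if __name__ == "__main__":
    for host in ("apple.com", APPLE_LOOKALIKE, "p\u0430ypal.com"):
        print(host, "->", assess(host))
```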


--- *** ---

CyberSecurity News Chum

Written By: cahwyguy - Fri Apr 14, 2017 @ 7:42 pm PDT

Continuing to clear the news chum, here are a bunch of articles all related to cybersecurity:

  • NIST Cybersecurity Framework is Changing. NIST is getting ready to release an update to their Cybersecurity Framework (and other updates are planned: eventually, the IPD of 800-53rev5 will be out for review, and then an update to 800-37). A key change in the new framework is measurement: The first, which should really be the starting point for any comprehensive cyber risk management program, is an entirely new section about measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need and complexity of correlating those metrics to business objectives and outcomes. That means measuring both how organizations are reducing risk to the business and identifying the benefits to the business resulting from good cybersecurity, such as how many new customers the organization has gained and/or how much more revenue was brought in. Another significant change in the framework is the addition of recommendations surrounding supply-chain risk management. Finally, the access-control category has changed within the framework. It was renamed to identity management and access control. The change adds more focus on making sure identities and credentials are managed from the time they are created to the time they are deactivated.
  • Minimal Cybersecurity Requirements. Although some of us have known about this for a while, the world is growing increasingly aware of NIST SP 800-171. The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration. While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows. Basically, they apply to any federal contractor that handles what is called Controlled Unclassified Information.
  • Encryption and Protection. Protection is good. Just ask porn site Pornhub, home to things like thumbzilla and youporn. They’ve gone to always-on encryption, meaning that although your ISP knows you’re going to pornhub, they don’t know what you’re looking at. Others are turning to VPNs, and here’s a good summary of how to use one. Lastly, for those worried about your ISP seeing where you go, one thing you should do is not use the ISP’s DNS. I use OpenDNS: 208.67.222.222 and 208.67.220.220.
  • Verizon and Spyware. Note that if you use Verizon Wireless, they may be pre-installing spyware on your phone.
  • JavaScript Popups. Google is making some changes to eliminate those popup dialogs that don’t let you leave. Such popups are occasionally useful as alerts, but their fix sounds reasonable.
  • Congrats to North Hollywood High. They won a national cybersecurity competition. Disclosure: My employer helped sponsor the team, although I was not involved.
  • Printer Cartridges. Lastly, an interesting court case that could dictate how much you pay for ink. This week, oral arguments were heard in the case of Impression Products, Inc. v. Lexmark International, Inc., and according to the well-regarded SCOTUSblog, it seems that the justices are having a tough time figuring out how to view this difficult legal tangle themselves. At its most basic, the case is a dispute over Lexmark’s patent rights regarding refilling printer cartridges. Impression Products is a small business with about 25 employees. It specializes in buying used printer cartridges and re-manufacturing them. In 2012, Lexmark decided to add Impression to an already existing lawsuit against other re-manufacturers. While the other defendants eventually settled, Impression has stuck it out and the case has made it to the highest court in the land. The question is: Does the manufacturer give up rights to something when you physically purchase it? Can Lexmark dictate what you can do with your printer cartridge? Can HP dictate you can’t open your computer and modify it? Big key questions.


--- *** ---

Losing the Battle

Written By: cahwyguy - Wed Mar 29, 2017 @ 7:14 pm PDT

Well, I like to think I fought the good fight. I mean, I’m an old fart. Old habits die hard, and for the longest time I just kept using the term I was used to, even though it was politically incorrect. After all, I held on to other ideas that I believed were morally superior, only to watch them get discredited by the new-think, by people that didn’t know what was right was right, and what was wrong was wrong.

Eventually, though, I caved. I started using the updated politically correct term. People no longer looked at me funny, they no longer made fun of the way that I talk. As for my discredited ideas, well, I kept them to myself, lest I be made fun of. After all, in today’s world, you have to use the right terms and speak the right way and think the right things.

Right?

But then, of course, a new term came in for what I previously knew. I resisted, because resistance is good. After all, the new term was, to put it bluntly, stupid. It was idiotic. It didn’t refer to what they said it referred. But I forgot my Star Trek. Resistance is futile.

OK, “cyber”. You win. I mean, HelpNet even says as much.

I grew up in an era when it was “Computer Security” and COMPUSEC, when we believed we could write multi-level secure systems that provided high assurance. What did we get for our efforts? perl, and a High Assurance Brake Job.

Then it became “Information Assurance” and “Information Security”. A1 systems? Sorry, but A1 was reserved for steak. Multi-level systems? They were for special uses; no one would write a general purpose MLS operating system. Formal Methods? Never in your wildest dreams — that’s Gypsy talk. Ina know about you, but I need some Jo.

But now? We have Cybersecurity and Cyber and Trustworthiness. We’ve lost the war. Here’s what HelpNet has to say:

We have lost the cyber war. No, not that cyber war. Maybe war of words is a better way to put it. Whether we like it or not, cyber has become the default way for everyone else to talk about what we do.

[…]

It’s tempting to take the moral high ground and refuse to engage with cyber. Instead, we could choose to refer only to information security because we believe it accurately reflects both physical documents as well as digital assets, while giving importance to each one.

It’s fair to say that some of the industry’s suspicion about cyber comes from the fact that it’s broad enough to cover the charlatans in the industry who think there’s a buck to be made by scaring people into stocking up on silver bullets instead of informing them in a responsible way about how security can help them to do business better.

[…]

But if you open a dictionary, you’ll find cybersecurity is the only term of its kind. One survey ranked information security as the least popular term among the general public, even lower than e-security.

e-Security? Well, at least I can be thankful that term didn’t win.

e-Security? Sheeesh.


--- *** ---

Password Managers and Understanding Risk

Written By: cahwyguy - Thu Mar 23, 2017 @ 11:29 am PDT

If you’ve been following the technical news the last few days, I’m sure you’ve seen the articles about the vulnerabilities discovered in Lastpass (a popular password manager, and one that I use). You may have even seen people complaining that Lastpass was slow to fix vulnerabilities and that one shouldn’t use browser extensions and such. To me (someone who works in cybersecurity), this demonstrates yet again that most people have no idea at all how to assess risk.

This is a great example. The vulnerabilities announced above depend on visiting a malicious website. Think about the websites you visit on any given day. The vast majority are probably from some small set of the same sites: social media, news sites, banks, well-known shopping sites, perhaps well-known games. All with low odds of being malicious. Your only exposure might be if you click on an ad (most of us don’t do that) or click on an unknown link in an email (your mother taught you better). So, for the vast majority of people, the odds of going to a malicious website that has a newly released vulnerability that targets a specific password manager are low. Although you may see FUD (fear, uncertainty, distrust) otherwise, such as this statement on the Lastpass forums:

You mentioned exposure. There is always the possibility that someone discovered the bug previously, harvested the information and is sitting on it. Due to the nature of LastPass the level of the compromise is greater than any other tool or device as it would provide information to all passwords (as I understand it), not merely a matter of changing the password to your email or facebook account but could consist of updating 100’s of passwords. That 2FA appears to have been side stepped by this compromise is a large worry.

(2FA refers to two-factor authentication). Let’s assume, as this author did, that someone discovered the bug previously, harvested the info, and is sitting on it. Exploitation still requires visiting a malicious website, and that site having a targeted attack in place. From the Lastpass blog on the subject:

To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.

Based on this description, they wouldn’t even be obtaining all passwords. They would have to do so one at a time. If you practice good security hygiene and enable 2FA wherever you can (not just Lastpass), even if you did visit a malicious website, and even if they had a targeted attack, and even if they guessed one account right, 2FA would defeat them on that account, or you would have noticed something. In other words, low odds of it being exploited.

As for the time to correct the problem, Lastpass had updated extensions in place (which auto-update) within 24 hours. The researcher that identified the vulnerability even acknowledged as much in this updated article (scroll to the bottom). We’ve gotten used to reported Windows vulnerabilities — which might be in the wild — being corrected in a month if we’re lucky. Similarly for Flash vulnerabilities. Both see much greater use, and much greater exposure. Here you had reasonably rapid correction of a bug.

Tavis Ormandy @taviso : Two more LastPass bugs fixed today https://bugs.chromium.org/p/project-zero/issues/detail?id=1188 … and https://bugs.chromium.org/p/project-zero/issues/detail?id=1217 …. Very quick response from LastPass, < 24hr.

Tavis Ormandy @taviso : Very impressed with how fast @LastPass responds to vulnerability reports. If only all vendors were this responsive

Lastly, there are folks out there that believe software should be bug-free. Programmers believe that as well, but recognize it is an impossibility. Turing Award Winner C.A.R. Hoare said it best:

There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. It demands the same skill, devotion, insight, and even inspiration as the discovery of the simple physical laws which underlie the complex phenomena of nature.

Dahl, Dijkstra, and Hoare, back in 1972, also noted that provably bug-free software is impossible: “Program testing can be used to show the presence of bugs, but never to show their absence.” We should expect our software to continue to have bugs, perhaps becoming more esoteric and harder to exploit as time goes on, but there nonetheless. All we can ask then is rapid patching.


--- *** ---

Things You Should Know

Written By: cahwyguy - Tue Mar 14, 2017 @ 11:18 am PDT

Amongst the political and transitional news chum I’ve been collecting of late, there are a number of articles that are more informational — that is, they provide some really useful tidbits and insights. I’d like to share them with you:


--- *** ---