Internet / Security

The never ending task of paring down my saved chum list brings you this collection of articles related to the Internet and Internet security. Pay attention folks — there’s some good stuff here. Also, remember the key adage: If you get a service for free, you are the product, not the customer.

  • Be Alert for Phishing. I’ve always opined that the key risk from the Equifax and other breaches is not identity theft, but phishing. Help Net agrees: they view phishing as a bigger threat than keyloggers or third party breaches. They researched the subject, and noted that “victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. Keyloggers fall in between these extremes, with an odds ratio of roughly 40x”. The reason for this is that phishing kits also actively steal additional authentication factors (secret questions, phone number, device-related information, geolocation data) that can be used to impersonate the victim and bypass protections put in place by email (and other online service) providers.
  • So What is Phishing/Spearphishing? Here is a wonderful infographic/cartoon on how to protect yourself from spearphishing. Along the way, it explains what spearphishing is and how it influenced an election (and potentially gave us President Trump). It also contains some good tips about how to protect yourself from phishing. Note that, depending on where you work, this may be NSFW.
  • Lava Lamps and Security. Entropy. That’s “N”-“Tro”-“Pee”. Say it with me. Entropy is the property of how random your random numbers are. These numbers are usually generated by computers, and depend upon a random seed to start the process. A big issue is: how do you get the seed? Cloudflare does it in a very interesting and analog way: Lava Lamps. A lava lamp is a great way to generate randomness. Cloudflare videotapes its wall of colorful constantly morphing lava lamps and translates that video information into unique cryptographic keys.
  • Facebook Privacy. Remember my adage about getting a service for free? One such service is Facebook, and they don’t care about your privacy (and neither does that minx, Wendy). But you care about you, and that’s why you’re going to read this article about how to lock down your privacy settings on Facebook. Yes, you can make it so that when you go out searching for such-and-such for a friend (you know, that NSFW such-and-such), you aren’t suddenly deluged with ads on FB for that product.
  • Objectivity of Blog Sites. You’re probably familiar with them: all those blog sites that review this product and that product. Mattress blogs. Makeup blogs. Theatre blogs*. But there’s often a story behind the story about how manufacturers subtly influence them. Remember: if you get a product for free, what are you? Here’s a story I’ve been saving for a while about the Mattress Wars, where a bunch of new mattress stores started a war with mattress bloggers. *This, by the way, is one reason I do not accept free theatre tickets. I choose what I want to see and write about. I follow the ethical model of Consumer Reports. I will pay for tickets what I would have paid through the various discount ticket services I know about.



Caught With Your Pants Down

I’ve been reading a lot today about the Equifax compromise, where you, the person whose data Equifax collected, were caught with your pants down because — although you buckled the belt as you should — the manufacturer forgot to secure the buckle to the belt. When you bent over to pick up that hot dog that landed on the floor — whoops, your privates, and those of the 143 million other individuals about whom Equifax had data (about 44% of the US population), were put out there for all the world to see, to point at, and to laugh.

Don’t you feel embarrassed? Don’t you feel like you should lock yourself up in a dark room and hide forever?

You don’t need to. Equifax has provided a complicated checking procedure and registration approach that, ultimately, puts you in a queue for a paid year of credit monitoring, while you give up your rights to arbitration and class action suits¹. Doesn’t that make you feel better? Oh, and that credit monitoring. I think you still need to give a credit card, so they can start billing you after the free year is over.² Still feel better? Remember, this is monitoring — it doesn’t stop anything; it lets you know after the information is used. Of course, you can have confidence that Equifax will protect you after the breach, given how they have handled it. [ETA: Oh, and Equifax was sending people to a fake phishing site.]

¹: [Update: They later clarified this wasn’t the case, although initial language made it appear to be the case. Translation: Sloppy response to the situation; poor contingency planning.]
²: [Update: They since removed the requirement for a credit card; it was there when this article was written]

Of course, there are security folks proposing other solutions. Some suggest the easy solution of just giving everyone new, more secure Social Security numbers. Alternatively, we could start using our Real ID driver’s licenses, and have one national identity number.

More sane folks are recommending a two-pronged approach that doesn’t require using Equifax’s protection: the most common approach is placing a fraud alert on your records, and paying for a freeze to prevent new accounts from being opened. All good ideas.

As for me, I’m going to wait and see. With 143 Million pieces of data, their odds of picking me are, well, 1 in 143 million. That’s pretty small.  Plus the information has been out there for months — and with information like this, you have to use it quickly or it loses its value. Have we seen an uptick in identity theft? I haven’t heard of anything. I strongly suspect that this was a nation state, just like the OPM breach, and only select data will be used, for sophisticated spear phishing attacks. After all, why do they need to do the fraud when they can get you to unlock the door? Further, this isn’t the only attack: you’ve likely already had your information released (see this site).

Oh, and before you get scared about using the Internet, think about this: You don’t have to be an Internet user to have your information in the Equifax data. You just have to have had credit at some point in your life. The fault was with Equifax, the company you trusted to protect your data. Oh, that’s right. You didn’t choose Equifax. The fault was with Equifax, the company other companies trusted to give them accurate credit data. Equifax didn’t care about you or your credit. And neither did that little minx, Wendy*.

It is not in Equifax’s business model to protect your data: well, they’ll protect it only until they can sell it to the highest bidder. Remember the adage: If you get the service for free, you’re not the customer, you’re the product. [Translation: Equifax and other credit reporters make money by selling your data. Until their customers — the financial organizations that buy their data — demand accurate information, nothing will change. They won’t demand as long as it doesn’t cost them. They don’t pay the cost of the identity theft — you do.]

Feel better now? If not, wait a bit. I’ll be posting something this evening that will make you feel much better, even if your pants are down.

P.S.: Speaking about phishing, my favorite theatre about spam is having performances on 9/10 and 9/17. Go see it. It had Gene Spafford rolling in the aisles.


*[Paraphrasing my favorite Alton Brown quote, long since removed from his website:]

Here’s what it comes down to kids. Equifax doesn’t give a damn about you. Neither does that little minx Rachel from Card Services or any of the other icons of finance. And you know what, they’re not supposed to. They’re businesses doing what businesses do. They don’t love you. They are not going to laugh with you on your birthdays, or hold you when you’re sick and sad. They won’t be with you when you graduate, when your children are born or when you die. You will be with you and your family and friends will be with you. And, if you’re any kind of human being, you will be there for them. And you know what, you and your family and friends are supposed to watch out for you too. That’s right folks, protecting someone else’s information is an act of caring. We will always be protected best by those that care, be it ourselves or the aforementioned friends and family.

We are having our information exposed and exploited and exploited again because we have handed a basic, fundamental and intimate function of life over to corporations. We choose to value our information so little that we entrust it to strangers. We hand our lives over to big companies and then drag them to court when the deal goes bad. This is insanity.


Sesame? Says Me!

Over the last few days, my newsfeed has been filled with people gloating over the fact that the fellow who came up with that original guidance — make complex passwords and change them often — admitted he was wrong. But, of course, as with most people, they are misinterpreting things. Here are some key takeaways:

  • Complex passwords are still critical, but the answer is not an unpronounceable mix of letters and characters — because you can’t remember that. You can get equal or stronger passwords by choosing random words from the dictionary (passphrases) because although the “string” is shorter, the alphabet is larger. Math is math.
  • Frequent changing of passwords defeats the strength not because frequent changing is bad, but because human nature is. If you change things frequently, you’ll go to patterns that make things easier to remember — and to break.

In reality, the best solution is still a high-quality password manager, with a strong master password. In the password manager, you can create strong passwords for all your sites — unique for each site — and not have to remember them. This is something I recommend (and not using your Facebook authentication for everything, which is not only weak but gives FB far too much information). I’ve recommended Lastpass for a long time for this purpose. It can keep track not only of passwords, but all that information you fill into forms — such as credit card info — so that you are storing it in your encrypted password vault, not on another machine where you depend on their encryption.

Recently, Lastpass changed their charging model: they upped the price (without notice) of Lastpass Premium from $12 to $24 a year. Everyone was up in arms! Heaven forfend! Doubling the price! (Never mind the fact that we’re talking $1 a month, which is noise, but hey, it’s the percentage!). It’s a concern for me: we have three Lastpass Premium accounts. However, I plan to move to the Family pricing model (which is worth it for 2 or more family members); hopefully, Lastpass will provide a way to consolidate existing Premium accounts into a single Family account with pro rata balances applying towards the fee.

In the larger world, NIST is simplifying their password recommendations. The folks at Lastpass believe that will make things easier, but I believe that the fundamentals still remain: pick a unique password for each site, make it suitably complex, ideally gaining complexity through words vs. characters. How to do that? Use the password generator in your password manager, use the nonsense word generator, or use the XKCD Password Generator, XKPasswd.
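To put numbers on the “math is math” point above, and to show what a generator like XKPasswd does under the hood, here is an added example (not code from the original post, Lastpass or XKPasswd). It computes the entropy budget of a random-character password versus a random-word passphrase, works out how many words a given word list needs to reach a target, and draws a passphrase with the CSPRNG-backed `secrets` module. The word list is a tiny constructed stand-in for a real one; the 7776-word list size used in the comparison is the size of a standard diceware list, assumed here as a reference point.

```python
"""Compare password-entropy budgets and generate a wordlist passphrase.

Added example, not from the original post. The word list is a tiny
constructed stand-in for a real one; the formula is the standard
length * log2(alphabet_size) for uniformly random, independent choices.
"""
import math
import secrets

# Constructed sample word list; a real list would have thousands of entries.
SAMPLE_WORDS = [
    "otter", "granite", "lantern", "saddle", "quartz", "meadow", "violin",
    "harbor", "pepper", "tundra", "anchor", "cobalt", "drizzle", "ember",
    "falcon", "glacier",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly at random from an
    alphabet of `alphabet_size` symbols (single characters or whole words)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest passphrase length, in words, that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Pick n_words uniformly at random; `secrets` uses the OS CSPRNG, so the
    entropy figure above actually holds (it would not for words a human picks)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(char_password_length: int = 12, printable_chars: int = 95,
            wordlist_size: int = 7776, words: int = 6) -> dict:
    """Entropy of a 12-character random printable-ASCII password versus a
    6-word passphrase from a 7776-word list; the two land within ~1.3 bits."""
    return {
        "random_chars_bits": entropy_bits(printable_chars, char_password_length),
        "passphrase_bits": entropy_bits(wordlist_size, words),
    }


if __name__ == "__main__":
    print(compare())
    print(words_needed(80, 7776), "words of a 7776-word list reach 80 bits")
    print(generate_passphrase(SAMPLE_WORDS, 6))
```

The entropy figure is only valid when every symbol is chosen uniformly and independently; a passphrase assembled from words you find memorable, or a password mutated from last month’s by a predictable pattern, is exactly the “human nature” problem in the second takeaway and has far fewer effective bits than the formula reports.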


A Secure Companion

This is a companion lunchtime post to my previous one. Whereas that post focused on government-related areas, this post shares some cybersecurity items of broader interest:

  • Two Factor Authentication. The Verge has an interesting opinion piece on why two-factor authentication has failed us. We have a mix of approaches, some still depending on SMS even though there are significant weaknesses there. As they say: “Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.”
  • Backup Software. One of the best solutions for security — and a key protection against ransomware — is having backups. But Windows backup software is often hit or miss. Here’s a good review of various packages from PC World. I’ve been using an older version of their top-rated software for a few years now: I’m on Acronis True Image 2015. It backs up to the cloud without a subscription. Their newer stuff seems to have some different models, and I haven’t decided (a) if I want to upgrade, and (b) if I want to go with their subscription approach. I’ll also note that I’ve used the Paragon backup (an older version). What I didn’t like was that it grabbed every partition on the system, and did really bad space management such that your backups would fill a drive.
  • Family Passwords. This week, Lastpass announced a new service: a family password manager. As they write: “Enter LastPass Families, where you can store everything from bank accounts to passports to credit cards. Your details are secure, organized the way you want, and easily shared with your spouse, kids, in-laws, and more. You can even give access to others in the event of an emergency. The family manager can quickly add and remove members to the account, making it easy to get everyone up and running.” I still need to figure out if (or how) this service is an improvement over multiple Lastpass accounts. They also indicate that there is a fee for the service beyond Lastpass Premium, but if I have multiple family members with LP Premium, can things somehow be combined into one account that takes into account what has been paid? Perhaps they’ll answer this post.
  • Alice and Bob. I’ve always joked that when I hear the names Alice and Bob, my eyes glaze over for the crypto discussion that follows. But why Alice and Bob? What is their history? This article answers that question. It details the major events in the “lives” of Alice and Bob, from their birth in 1978 onwards.
  • Erasing Data. Here’s a pretty good summary of how to erase data from both magnetic and solid state drives. File it away; it may prove useful.

Cyber (Security + Space)

Over the past few weeks, I’ve collected a number of articles related to, shall we say, work-related topics. Here is where I share them with you, while enjoying my lunch:

  • Headline: “Air Force operationalizes new cybersecurity plans.” This is a really interesting article detailing some of the changes being made in the Air Force to improve their cybersecurity stance. For those with an interest in cybersecurity and resilience, it is a move in the right direction.
  • Headline: “There may soon be a new US military service — for space.” There’s one problem with the US Air Force. There’s no air in space. This article is about a potential separation between the Air Force side and the “Space Force”, with a notion that the Space Force would be like the Marines: part of, but yet separate from, the Air Force. It will be interesting to see how this pans out.
  • Headline: “Malware protection for air-gapped systems.” One of the ways we supposedly protect systems is through air gaps — that is, no actual network connections. Yet as we saw with Stuxnet, such gaps don’t always work. This explores the way one vendor is addressing protection for such systems.
  • Headline: “U.S. to create the independent U.S. Cyber Command, split off from NSA.” The Department of Defense has many broad commands, most representing geographic areas (think Atlantic Command, Pacific Command, etc.) or broad functional areas (Strategic Command). One recent command created was Cyber Command, but it was part of and colocated with NSA. This article, as well as this one, discuss the potential separation of the two. This would permit Cyber Command to focus on cyber-related defense activities (and possibly offense), and NSA to focus on its intelligence role. What they don’t discuss is the disposition of the unclassified side of NSA — what was once the National Computer Security Center, and now would include things like the Common Criteria folk. My guess is that the separation is easier in theory than in practice.



Technology Tidbits

Here are some technology news chum items that have caught my eye of late:


Cyber Newses You Can Uses

This has been a busy busy week, and I haven’t had a chance to work on clearing out the news chum until now. This first collection is all computer related:

  • Going Phishing. Hopefully, you’re all cyber-aware. You know not to trust links in email you receive. You’ve been trained to look at where a URL goes before you click on it. You know not to click on links in email; you’ll copy the link and paste it into your browser bar. You know not to trust sites that aren’t the well-known version. But https://аррӏе.com is safe, right? Right? RIGHT? Actually, no. It may look like it reads “apple”, but that’s actually a bunch of Cyrillic characters: A (а), Er (р), Er (р), Palochka (ӏ), Ie (е). The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com – which tells you nothing about whether you’re connected to a legitimate site or not. This is what is called a homograph attack. It is something that can fool the best people, even if you hover over and check the link before browsing — unless you’re using IE or Edge or Safari. Ars Technica has even more information, but the short and skinny is: If you use Chrome, make sure you’re at Chrome 58 or later; if you use Firefox, enter “about:config” in the address bar, agree to the displayed warning, and then enter “punycode” in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word “false” to change it to “true.” From then on, Firefox will display the “dumb ascii” characters and not the deceptive, encoded ones.  I’ve done that, and now I see xn--80ak6aa92e.com when I hover over the link.
  • Secure Coding. I grew up programming in Fortran, PL/I, Algol 68, RSTS/E Basic, and C. Except for perhaps Fortran and C, the rest are mostly dead. Today, kids program in C++ and Java — but they aren’t necessarily writing better programs. But following good standards can help. Here’s a link to a discussion on how to do secure coding in C++.
  • iPod without iTunes. If you are like me (and fewer are), you use your iPod for all your music (and you plan on adding more this Record Store Day). But do you back up your iPod? I do — via iTunes to my M: drive, and I back that up on my X: and W: drives and on a backup iPod. But most don’t — and most abhor iTunes. Here’s how to back up your iPod without using iTunes. I’ll note that I’ve used copytrans in the past (especially before I just kept everything in iTunes), and I’d recommend it.
  • Never Too Late. As I’m typing this, iTunes is playing “Never Too Late” (to tell the Truth) from Scottsboro Boys. If you’re like me, and like to tell the truth, you’ll be happy to know that Snopes is now embeddable.  Here’s an example of an embedded article:
  • Decluttering Apps. If you’re like us, you need to declutter. The NY Times recently had a review of a number of apps that will help you do just that.
  • Pushy Microsoft. Microsoft is continuing to push people to subscribe to Office 365. The latest is restricting the ability to use Skype for Business and OneDrive if you are using a standalone Microsoft Office product. You’ll see more and more products insisting on the subscription model: Adobe, Quicken, Microsoft, ….
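The homograph attack from the Going Phishing item above, worked through as an added example (not code from the original post, from Ars Technica, or from any browser vendor). The script renders each non-ASCII label of a hostname in its xn-- form, which is what Firefox shows once network.IDN_show_punycode is set to true, and then applies two detection checks a defender can run over URLs in mail or proxy logs: does any label mix scripts, and does replacing known lookalike letters collapse the name onto a protected domain? The sample hostname is built from the exact Cyrillic code points named in the item (lowercase palochka is U+04CF); the confusable table is a small hand-built subset, not the Unicode confusables list, and the protected-domain list is a placeholder.

```python
"""Render IDN hostnames in their ASCII (xn--) form and flag lookalikes.

Added example, not code from the original post. The confusable table is a
small hand-built subset constructed for this example, not the Unicode
confusables list, and the protected-domain list is a placeholder.
"""
import unicodedata

# Constructed sample: Cyrillic a, er, er, small palochka (U+04CF), ie.
# It renders like "apple.com" in most fonts; none of it is ASCII "apple".
SAMPLE_HOST = "\u0430\u0440\u0440\u04cf\u0435.com"

# Hand-built subset of Cyrillic letters whose glyphs match Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
}


def to_ascii_hostname(host: str) -> str:
    """Show non-ASCII labels as xn-- labels, the way Firefox does once
    network.IDN_show_punycode is true. The raw punycode codec is used, so
    the IDNA normalisation step is skipped (a simplification)."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(host: str) -> str:
    """Replace known lookalike characters by the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def assess(host: str, protected_domains=("apple.com", "paypal.com")) -> dict:
    """Flag a hostname when any label mixes scripts, or when its skeleton
    equals a protected domain while the host itself does not."""
    host = host.lower()
    mixed = any(len(label_scripts(l)) > 1 for l in host.split("."))
    skel = skeleton(host)
    lookalike = skel in protected_domains and skel != host
    return {
        "ascii_form": to_ascii_hostname(host),
        "mixed_script": mixed,
        "lookalike_of": skel if lookalike else None,
        "suspicious": mixed or lookalike,
    }


if __name__ == "__main__":
    for h in (SAMPLE_HOST, "p\u0430ypal.com", "apple.com"):
        print(h, "->", assess(h))
```

The whole-script case is the one that fooled Chrome before version 58: every letter in “аррӏе” is Cyrillic, so a mixed-script check alone passes it, and only the skeleton comparison (or showing the xn--80ak6aa92e form) catches it. A single Cyrillic “а” dropped into an otherwise Latin label trips the mixed-script check instead.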



CyberSecurity News Chum

Continuing to clear the news chum, here are a bunch of articles all related to cybersecurity:

  • NIST Cybersecurity Framework is Changing. NIST is getting ready to release an update to their Cybersecurity Framework (and other updates are planned: eventually, the IPD of 800-53rev5 will be out for review, and then an update to 800-37). A key change in the new framework is measurement: The first, which should really be the starting point for any comprehensive cyber risk management program, is an entirely new section about measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need and complexity of correlating those metrics to business objectives and outcomes. That means measuring both how organizations are reducing risk to the business and identifying the benefits to the business resulting from good cybersecurity, such as how many new customers the organization has gained and/or how much more revenue was brought in. Another significant change in the framework is the addition of recommendations surrounding supply-chain risk management. Finally, the access-control category has changed within the framework. It was renamed to identity management and access control. The change adds more focus on making sure identities and credentials are managed from the time they are created to the time they are deactivated.
  • Minimal Cybersecurity Requirements. Although some of us have known about this for a while, the world is growing increasingly aware of NIST SP 800-171. The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration. While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows.  Basically, they apply to any federal contractor that handles what is called Controlled Unclassified Information.
  • Encryption and Protection. Protection is good. Just ask porn site Pornhub, home to things like thumbzilla and youporn. They’ve gone to always on encryption, meaning that although your ISP knows you’re going to pornhub, they don’t know what you’re looking at. Others are turning to VPNs, and here’s a good summary of how to use one.  Lastly, for those worried about your ISP seeing where you go, one thing you should do is not use the ISP’s DNS. I use openDNS: 208.67.222.222 and 208.67.220.220.
  • Verizon and Spyware. Note that if you use Verizon Wireless, they may be pre-installing spyware on your phone.
  • JavaScript Popups. Google is making some changes to eliminate those popup dialogs that don’t let you leave. Such popups are occasionally useful as alerts, but their fix sounds reasonable.
  • Congrats to North Hollywood High. They won a national cybersecurity competition. Disclosure: My employer helped sponsor the team, although I was not involved.
  • Printer Cartridges. Lastly, an interesting court case that could dictate how much you pay for ink. This week, oral arguments were heard in the case of Impression Products, Inc. v. Lexmark International, Inc., and according to the well-regarded SCOTUSblog, it seems that the justices are having a tough time figuring out how to view this difficult legal tangle themselves. At its most basic, the case is a dispute over Lexmark’s patent rights regarding refilling printer cartridges. Impression Products is a small business with about 25 employees. It specializes in buying used printer cartridges and re-manufacturing them. In 2012, Lexmark decided to add Impression to an already existing lawsuit against other re-manufacturers. While the other defendants eventually settled, Impression has stuck it out and the case has made it to the highest court in the land. The question is: Does the manufacturer give up rights to something when you physically purchase it? Can Lexmark dictate what you can do with your printer cartridge? Can HP dictate that you can’t open your computer and modify it? Big key questions.

