Observations Along the Road


Cyber Newses You Can Uses

Written By: cahwyguy - Sat Apr 22, 2017 @ 6:58 am PDT

This has been a busy busy week, and I haven’t had a chance to work on clearing out the news chum until now. This first collection is all computer related:

  • Going Phishing. Hopefully, you’re all cyber-aware. You know not to trust links in email you receive. You’ve been trained to look at where a URL goes before you click on it. You know not to click on links in email; you copy the link and paste it into your browser bar. You know not to trust sites that aren’t the well-known version. But https://аррӏе.com is safe, right? Right? RIGHT? Actually, no. It may look like it reads “apple”, but that’s actually a bunch of Cyrillic characters: A (а), Er (р), Er (р), Palochka (ӏ), Ie (е). The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com – which tells you nothing about whether you’re connected to a legitimate site or not. This is what is called a homograph attack. It is something that can fool the best people, even if you hover over and check the link before browsing — unless you’re using IE or Edge or Safari. Ars Technica has even more information, but the short and skinny is: If you use Chrome, make sure you’re at Chrome 58 or later; if you use Firefox, enter “about:config” in the address bar, agree to the displayed warning, and then enter “punycode” in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word “false” to change it to “true.” From then on, Firefox will display the “dumb ASCII” characters and not the deceptive, encoded ones. I’ve done that, and now I see xn--80ak6aa92e.com when I hover over the link.
  • Secure Coding. I grew up programming in Fortran, PL/I, Algol 68, RSTS/E Basic, and C. Except for perhaps Fortran and C, the rest are mostly dead. Today, kids program in C++ and Java — but they aren’t necessarily writing better programs. But following good standards can help. Here’s a link to a discussion on how to do secure coding in C++.
  • iPod without iTunes. If you are like me (and fewer are), you use your iPod for all your music (and you plan on adding more this Record Store Day). But do you back up your iPod? I do — via iTunes to my M: drive, and I back that up on my X: and W: drives and on a backup iPod. But most don’t — and most abhor iTunes. Here’s how to back up your iPod without using iTunes. I’ll note that I’ve used CopyTrans in the past (especially before I just kept everything in iTunes), and I’d recommend it.
  • Never Too Late. As I’m typing this, iTunes is playing “Never Too Late” (to tell the Truth) from Scottsboro Boys. If you’re like me, and like to tell the truth, you’ll be happy to know that Snopes is now embeddable.  Here’s an example of an embedded article:
  • Decluttering Apps. If you’re like us, you need to declutter. The NY Times recently had a review of a number of apps that will help you do just that.
  • Pushy Microsoft. Microsoft is continuing to push people to subscribe to Office 365. The latest is restricting the ability to use Skype for Business and OneDrive if you are using a standalone Microsoft Office product. You’ll see more and more products insisting on the subscription model: Adobe, Quicken, Microsoft, ….
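Added example (not from the original post or from the Ars Technica article), tied to the “Going Phishing” item above: a small Python check that does what the Firefox network.IDN_show_punycode setting does for you, showing the wire-format xn-- hostname and flagging labels made of Cyrillic letters that look Latin. The lookalike list and the sample hostnames are constructed assumptions, not an official confusables table.

```python
# Added example, not from the original post: show a hostname the way Firefox does
# with network.IDN_show_punycode = true, and flag labels whose letters are
# Cyrillic lookalikes of Latin ones (the аррӏе.com case described above).
import unicodedata

# Constructed list (an assumption, not an official confusables table): Cyrillic
# letters whose common glyphs are visually identical to a Latin letter.
CYRILLIC_LOOKALIKES = set("аеорсухӏіјԁԛԝѕһ")


def to_ascii(host: str) -> str:
    """Return the hostname as it goes on the wire: xn-- (punycode) labels."""
    out = []
    for label in host.split("."):
        # Lowercase and NFKC-normalise first, roughly what IDNA does before encoding.
        label = unicodedata.normalize("NFKC", label.lower())
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def script_of(ch: str) -> str:
    """Coarse script classification taken from the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and '-'
    return unicodedata.name(ch, "UNKNOWN").split()[0]  # e.g. 'CYRILLIC'


def suspicious_labels(host: str) -> list:
    """Labels that a hover tooltip should show in punycode rather than Unicode."""
    flagged = []
    for label in host.lower().split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)  # Latin and Cyrillic mixed in one label
        elif scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LOOKALIKES for ch in label):
            flagged.append(label)  # every letter in the label has a Latin twin
    return flagged


def display_form(host: str) -> str:
    """Unicode for ordinary names, the xn-- form when a label is suspicious."""
    return to_ascii(host) if suspicious_labels(host) else host


if __name__ == "__main__":
    # Constructed samples: the page's аррӏе.com, the real apple.com, a label that
    # mixes Latin with one Cyrillic а, and an ordinary all-Cyrillic name that
    # should not be flagged because its letters have no Latin twins.
    for sample in ("аррӏе.com", "apple.com", "exаmple.com", "пример.рф"):
        print(f"{sample:14} -> {display_form(sample)}  flagged={suspicious_labels(sample)}")
```

Running it shows аррӏе.com rendered as xn--80ak6aa92e.com, the same string the Firefox tweak reveals on hover, while a legitimate all-Cyrillic name is left readable.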
--- *** ---

CyberSecurity News Chum

Written By: cahwyguy - Fri Apr 14, 2017 @ 7:42 pm PDT

Continuing to clear the news chum, here are a bunch of articles all related to cybersecurity:

  • NIST Cybersecurity Framework is Changing. NIST is getting ready to release an update to their Cybersecurity Framework (and other updates are planned: eventually, the IPD of 800-53rev5 will be out for review, and then an update to 800-37). A key change in the new framework is measurement. The first change, which should really be the starting point for any comprehensive cyber risk management program, is an entirely new section about measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need for, and complexity of, correlating those metrics to business objectives and outcomes. That means measuring both how organizations are reducing risk to the business and identifying the benefits to the business resulting from good cybersecurity, such as how many new customers the organization has gained and/or how much more revenue was brought in. Another significant change in the framework is the addition of recommendations surrounding supply-chain risk management. Finally, the access-control category has changed within the framework. It was renamed to identity management and access control. The change adds more focus on making sure identities and credentials are managed from the time they are created to the time they are deactivated.
  • Minimal Cybersecurity Requirements. Although some of us have known about this for a while, the world is growing increasingly aware of NIST SP 800-171. The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration. While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows. Basically, they apply to any federal contractor that handles what is called Controlled Unclassified Information.
  • Encryption and Protection. Protection is good. Just ask porn site Pornhub, home to things like thumbzilla and youporn. They’ve gone to always-on encryption, meaning that although your ISP knows you’re going to pornhub, they don’t know what you’re looking at. Others are turning to VPNs, and here’s a good summary of how to use one. Lastly, for those worried about their ISP seeing where they go, one thing you should do is not use the ISP’s DNS. I use OpenDNS: and
  • Verizon and Spyware. Note that if you use Verizon Wireless, they may be pre-installing spyware on your phone.
  • JavaScript Popups. Google is making some changes to eliminate those popup dialogs that don’t let you leave. Such popups are occasionally useful as alerts, but their fix sounds reasonable.
  • Congrats to North Hollywood High. They won a national cybersecurity competition. Disclosure: My employer helped sponsor the team, although I was not involved.
  • Printer Cartridges. Lastly, an interesting court case that could dictate how much you pay for ink. This week, oral arguments were heard in the case of Impression Products, Inc. v. Lexmark International, Inc., and according to the well-regarded SCOTUSblog, it seems that the justices are having a tough time figuring out how to view this difficult legal tangle themselves. At its most basic, the case is a dispute over Lexmark’s patent rights regarding refilling printer cartridges. Impression Products is a small business with about 25 employees. It specializes in buying used printer cartridges and re-manufacturing them. In 2012, Lexmark decided to add Impression to an already existing lawsuit against other re-manufacturers. While the other defendants eventually settled, Impression has stuck it out and the case has made it to the highest court in the land. The question is: Does the manufacturer give up rights to something when you physically purchase it? Can Lexmark dictate what you can do with your printer cartridge? Can HP dictate that you can’t open your computer and modify it? Big key questions.
--- *** ---

Losing the Battle

Written By: cahwyguy - Wed Mar 29, 2017 @ 7:14 pm PDT

Well, I like to think I fought the good fight. I mean, I’m an old fart. Old habits die hard, and for the longest time I just kept using the term I was used to, even though it was politically incorrect. After all, I held on to other ideas that I believed were morally superior, only to watch them get discredited by the new-think, by people that didn’t know what was right was right, and what was wrong was wrong.

Eventually, though, I caved. I started using the updated politically correct term. People no longer looked at me funny, they no longer made fun of the way that I talk. As for my discredited ideas, well, I kept them to myself, lest I be made fun of. After all, in today’s world, you have to use the right terms and speak the right way and think the right things.


But then, of course, a new term came in for what I previously knew. I resisted, because resistance is good. After all, the new term was, to put it bluntly, stupid. It was idiotic. It didn’t refer to what they said it referred. But I forgot my Star Trek. Resistance is futile.

OK, “cyber“. You win. I mean, HelpNet even says as much.

I grew up in an era when it was “Computer Security” and COMPUSEC, when we believed we could write multi-level secure systems that provided high assurance. What did we get for our efforts? perl, and a High Assurance Brake Job.

Then it became “Information Assurance” and “Information Security“. A1 systems? Sorry, but A1 was reserved for steak. Multi-level systems? They were for special uses; no one would write a general purpose MLS operating system. Formal Methods? Never in your wildest dreams — that’s Gypsy talk. Ina know about you, but I need some Jo.

But now? We have Cybersecurity and Cyber and Trustworthiness. We’ve lost the war. Here’s what HelpNet has to say:

We have lost the cyber war. No, not that cyber war. Maybe war of words is a better way to put it. Whether we like it or not, cyber has become the default way for everyone else to talk about what we do.


It’s tempting to take the moral high ground and refuse to engage with cyber. Instead, we could choose to refer only to information security because we believe it accurately reflects both physical documents as well as digital assets, while giving importance to each one.

It’s fair to say that some of the industry’s suspicion about cyber comes from the fact that it’s broad enough to cover the charlatans in the industry who think there’s a buck to be made by scaring people into stocking up on silver bullets instead of informing them in a responsible way about how security can help them to do business better.


But if you open a dictionary, you’ll find cybersecurity is the only term of its kind. One survey ranked information security as the least popular term among the general public, even lower than e-security.

e-Security? Well, at least I can be thankful that term didn’t win.

e-Security? Sheeesh.


--- *** ---

Password Managers and Understanding Risk

Written By: cahwyguy - Thu Mar 23, 2017 @ 11:29 am PDT

If you’ve been following the technical news the last few days, I’m sure you’ve seen the articles about the vulnerabilities discovered in Lastpass (a popular password manager, and one that I use). You may have even seen people complaining that Lastpass was slow to fix vulnerabilities and that one shouldn’t use browser extensions and such. To me (someone who works in cybersecurity), this demonstrates yet again that most people have no idea at all how to assess risk.

This is a great example. The vulnerabilities announced above depend on visiting a malicious website. Think about the websites you visit on any given day. The vast majority are probably from some small set of the same sites: social media, news sites, banks, well-known shopping sites, perhaps well-known games. All with low odds of being malicious. Your only exposure might be if you click on an ad (most of us don’t do that) or click on an unknown link in an email (your mother taught you better). So, for the vast majority of people, the odds of going to a malicious website that has a newly released vulnerability that targets a specific password manager are low. You may see FUD (fear, uncertainty, doubt) suggesting otherwise, such as this statement on the Lastpass forums:

You mentioned exposure. There is always the possibility that someone discovered the bug previously, harvested the information and is sitting on it. Due to the nature of LastPass the level of the compromise is greater than any other tool or device as it would provide information to all passwords (as I understand it), not merely a matter of changing the password to your email or facebook account but could consist of updating 100’s of passwords. That 2FA appears to have been side stepped by this compromise is a large worry.

(2FA refers to two-factor authentication). Let’s assume, as this author did, that someone discovered the bug previously, harvested the info, and is sitting on it. Exploitation still requires visiting a malicious website, and it having a targeted attack in place. From the Lastpass blog on the subject:

To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s login credentials.

Based on this description, they wouldn’t even be obtaining all passwords. They would have to do so one at a time. If you practice good security hygiene and enable 2FA wherever you can (not just Lastpass), even if you did visit a malicious website, and even if they had a targeted attack, and even if they guessed one account right, 2FA would defeat them on that account, or you would have noticed something. In other words, low odds of it being exploited.

As for the time to correct the problem, Lastpass had updated extensions in place (which auto-update) within 24 hours. The researcher that identified the vulnerability even acknowledged as much in this updated article (scroll to the bottom). We’ve gotten used to reported Windows vulnerabilities — which might be in the wild — being corrected in a month if we’re lucky. Similarly for Flash vulnerabilities. Both see much greater use, and much greater exposure. Here you had reasonably rapid correction of a bug.

Tavis Ormandy @taviso : Two more LastPass bugs fixed today https://bugs.chromium.org/p/project-zero/issues/detail?id=1188 … and https://bugs.chromium.org/p/project-zero/issues/detail?id=1217 …. Very quick response from LastPass, < 24hr.

Tavis Ormandy @taviso : Very impressed with how fast @LastPass responds to vulnerability reports. If only all vendors were this responsive

Lastly, there are folks out there that believe software should be bug-free. Programmers believe that as well, but recognize it is an impossibility. Turing Award Winner C.A.R. Hoare said it best:

There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. It demands the same skill, devotion, insight, and even inspiration as the discovery of the simple physical laws which underlie the complex phenomena of nature.

Dahl, Dijkstra, and Hoare, back in 1972, also noted that provably bug-free software is impossible: “Program testing can be used to show the presence of bugs, but never to show their absence.” We should expect our software to continue to have bugs, perhaps becoming more esoteric and harder to exploit as time goes on, but there nonetheless. All we can ask then is rapid patching.

--- *** ---

Things You Should Know

Written By: cahwyguy - Tue Mar 14, 2017 @ 11:18 am PDT

Amongst the political and transitional news chum I’ve been collecting of late, there are a number of articles that are more informational — that is, they provide some really useful tidbits and insights. I’d like to share them with you:
--- *** ---

Useful Security Site

Written By: cahwyguy - Tue Feb 21, 2017 @ 7:00 pm PDT

Password. The security mechanism we love to hate. Or hate to love. Or grudgingly tolerate. In any case, if you use passwords, you know you are encouraged to (a) enable two-factor authentication whenever and wherever possible; (b) use the strongest passwords possible; and (c) use a unique password on every site. For (b) and (c), the easiest way to do this is to use a password manager (I use Lastpass), and have it generate strong passwords for sites (I have it generate long pronounceable passwords, and then modify them with digits and special characters). That still, of course, means you need a strong password for the password manager.

Many years ago, in the days of Dockmaster, there was a generator that would generate strong, pronounceable passwords. For a few years I used those, then I went to grabbing words from various places and combining them to create master passwords. Yesterday, I found another solution. Here is a site that generates nonsense words based on a frequency list of phonemes as they occur in legitimate English words. You should be able to get strong master passwords by combining words and making permutations to add special characters, digits, capitalization, etc.

Here is an example of some generated words: minating ocrates exishering hophish diuraggramely tilized middly apissong moratierencess antinumeted fances vaultanewns gunfins ineake snaphypong misplake quarout hightfulus ansprubblet midweir objecta steton lishep ratinessy mententes.

Hopefully, you’ll find this useful.


--- *** ---

Security Chumbits – Tidbits to Raise Security Awareness

Written By: cahwyguy - Tue Jan 24, 2017 @ 12:39 pm PDT

This is a quickie collection of news chum items related to security that have caught my eye:

  • Weaponized Narratives. I did a whole separate blog entry on this, but I wanted to highlight the original article again in light of the emergence of “alternate facts”. Remember: A weaponized narrative “seeks to undermine an opponent’s civilization, identity, and will by generating complexity, confusion, and political and social schisms. It can be used tactically, as part of explicit military or geopolitical conflict; or strategically, as a way to reduce, neutralize, and defeat a civilization, state, or organization. Done well, it limits or even eliminates the need for armed force to achieve political and military aims.” Alternative facts? Excuuuuuuuse me. They are yet another weaponized narrative.
  • Ransomware. eWeek had an interesting article on some free software that claims to help fight off ransomware. This software is called RansomFree, from security company Cybereason. Once it’s installed (Windows-only), it does three things. First, it can detect the ransomware malware when it arrives on a computer if it has a signature it recognizes. But because ransomware families rapidly evolve, it also watches the activity of the ransomware, looking for attempts to encrypt files. Finally, it deceives the ransomware into thinking it’s working, when in reality all that it’s doing is operating in a secure honeypot of a container. Think about that last point for a moment: a ransomware honeypot. Cool.
  • Infrastructure Security. A number of recent incidents in Las Vegas highlighted the Strip’s vulnerability in terms of infrastructure. In November, Paris Las Vegas was evacuated after an errant drilling severed its main power line; customers were not cleared to return for nearly a day. Shortly before New Year’s Eve, an unfortunate series of events that began with an overflowing sink sparked an outage that darkened the Rio’s Masquerade Tower (the tall one). The tower wasn’t fully reopened for a week, straddling both the New Year’s holiday and the start of CES, two peak occupancy periods. Earlier this month, Palace Station fell victim to an interruption in Nevada Power service that darkened the property for about 90 minutes. A similar outage had affected power at Palace Station—also for 90 minutes—in July. The MGM/New York-New York outage this month, reportedly caused by a windstorm blowing debris into a substation, lasted just over an hour. These all demonstrate inadequate contingency planning, or more importantly, inadequate resiliency, in the design of the buildings.
  • Phishing Attacks. There’s a new Gmail phishing attack going around, and it is one that can fool the best users. The phishers start by compromising a Gmail account, then they rifle through the emails the user has recently received. After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender. They use the same or similar subject line for the email, to invoke recognition and automatic trust. “You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again,” WordFence CEO Mark Maunder warns. The phishing page is a good copy of Gmail’s login page, and its URL contains the accounts.google.com subdomain, which is enough to fool many into believing that they are on a legitimate Google page. You can take it from there. Even the smartest people, with the right page, will click on a link in an email without examining it. I’m sure you’ve done it; I know I have.
  • Automotive Security. If you have a relatively new vehicle, you are driving an increasingly sophisticated computer that can be easily attacked. But fear not… or fear more. A consortium of researchers announced the development of a universal, free, and open source framework to protect wireless software updates in vehicles. The team issued a challenge to security experts everywhere to try to find vulnerabilities before it is adopted by the automotive industry.
  • Password / Form Security. Passwords are often stored in places you least expect, or obscure places that you do expect because you stored them there. One way around that mess is to use a good password manager. But you need to remember to get rid of the passwords stored outside the manager when you do. Did you? Further, form completion can also get you into trouble by filling saved personal information into fields you don’t expect. Again: use a password manager with form completion.
--- *** ---

Being Safe Online

Written By: cahwyguy - Wed Jan 11, 2017 @ 6:24 pm PDT

As you have probably figured out by now, I accumulate articles of interest as I wander the web, and periodically collect them into themed articles. Today is no exception, and our topic for today is cybersecurity — specifically, whether anyone is safe online (or is it just an illusion), and how to really make the situation better.

  • Foreign Actors. In recent weeks, a big question has been whether Russia hacked the US — particularly, the DNC and RNC. Donald Trump, in his news conference today, finally admitted that it was likely Russia did, but that other countries could as well. What is the basis for the belief that Russia was behind things? Brian Krebs, in an article written before the CIA report was released, has a very good analysis. Krebs notes, “It probably doesn’t matter how many indicators of compromise and digital fingerprints the Obama administration releases on this incident: Chances are decent that if you asked a panel of security experts a year from now whether the march of time and additional data points released or leaked in the interim have influenced their opinion, you’ll find them just as evenly divided as they are today.” This is because providing strong attribution is difficult, short of your hacker being stupid, just because of the nature of Internet communications. The article points out that there are specific breadcrumbs that lead to the conclusion, and notes why the public has become skeptical. Of everything. I suggest you read that analysis, and then think about it in light of the BBC disclosure that there are unconfirmed reports that Russia has something on Trump. Ask yourself: If the Russians hacked the DNC, why did they want Trump to win (this is not to say they manipulated the election to do so)? Could it be that they didn’t need to worry about him for other reasons?
  • Data Breaches. Brian also has a really good article on data breaches, and in particular, some immutable truths about such breaches. He explains them in more detail in the article, but here they are in a nutshell: “(•) If you connect it to the Internet, someone will try to hack it. (•) If what you put on the Internet has value, someone will invest time and effort to steal it. (•) Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it. (•) The price he secures for it will almost certainly be a tiny slice of its true worth to the victim. (•) Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.” First, think about this with respect to the above. Both the DNC and RNC had servers on the Internet. Were they hacked? Most certainly. What was that information worth? Ask Hillary Clinton. Now, you deal with banks and businesses that put your information on the Internet. Think about the truisms above. Which organizations should you deal with? How much do they value your information?
  • Online Shopping. Dovetailing with all of this is an article from my web hosting service, Webhost, on what to be aware of when you shop online. They, too, go into a bit of detail, but their tips boil down to: (•) Shop online at home (or on a secure connection); (•) Make sure you have text, email, and/or phone security alerts set up with your financial institutions; (•) Always look for HTTPS when shopping; (•) If you’re shopping through a retailer’s mobile app, make sure it is an official version with a reputable company or developer behind it; (•) Use the ‘too good to be true’ rule and trust your gut. I’d add to this the adage to stay in a well-lit well populated part of the Internet. By that I mean: use companies that have a reputation to uphold — they are more likely to do things right.
  • Solving the Problem. The underlying problem for all of the above is that we are using a system that was never meant to be secure. That’s right: the basic and original protocols didn’t think about security because they believed everyone was trustworthy. The corollary to this is: if you want a secure system, you must engineer the security in from the start. Related to this, NIST has just announced a system security engineering website, based on their work with NIST SP 800-160. I’ve been doing a lot of close work with 800-160, and am working on gaining a deep understanding of it, as well as how all of the related processes (assessment, acquisition, and lifecycle) can work together. But 800-160 is a good start.
--- *** ---