CyberSecurity News of Note

Here’s the last of the news chum collections for this morning. This one has to do with safety and security.

  • Tiny Dots and Phish. Hopefully, you’ve been getting trained on how to recognize phishing threats, and how to distrust links in email or on websites. But it’s getting even trickier, as this article notes. Miscreants are using characters in other character sets that ļȯоķ like other characters. Hint: Always look at how addresses look when you hover over them, and even then be suspicious.
  • Complex Passwords Don’t Solve All Problems. So you’ve gotten smart: you are using complex passwords everywhere. But every solution contains a problem: reusing complex passwords can give your identity away. Research showed that the rarer your password is, the more it “uniquely identifies the person who uses it. If a person uses the same unique password with multiple accounts, then that password can be used as a digital fingerprint to link those accounts.” Although this is not something previously unknown, there seems to be a lack of awareness about the practice. Remember: complex passwords, never reused, and use a password manager.
  • Two Factor Authentication. Using 2FA can also help. Here’s a handy guide on how to set it up on most major websites. Here’s a list of all major websites, and whether they support 2FA.
  • Protecting Your Social Security. This article from Brian Krebs explores abuse of the social security system, and contains some advice I hadn’t known: go create your account at now to protect yourself. That’s something I need to do; I tried to do it this morning but it wouldn’t accept the proof for the upgraded account, and I have to (a) find a previous year’s W2 and (b) wait 24 hours to try again.
  • Predicting Problems. A few articles on predictive algorithms. One explores whether predictive algorithms should be part of public policy. Essentially, should they have a hand in shaping jail sentences and predicting public policies? Government agencies are now using algorithms and data mining to predict outcomes and behaviors in individuals, and to aid decision-making. In a cyber-vein, there are calls to add prediction to the NIST cyber-security framework. The argument: With AI and machine learning, companies should now be considering how to predict threats before they even appear. Speaking of the NIST Framework, Ron Ross tweets that it is being incorporated into FIPS 200 and the RMF.
  • Building It In. The NIST effort — especially with SP 800-160 — is to emphasize the importance of engineering in and designing in security from the very beginning, not bolting it on at the end. Good news: The government is finally coming around to that realization as well. The link is a summary of the recent updates to the NIST pub. It’s an area I’ve been exploring as well, and I’ve been working on some modifications to the process to make it even more accepted. The first report on the effort is under review right now; I hope to publish something soon.



The Importance of Visualizations

Visualizations and charts make our lives easier, and sometimes can give us insights we hadn’t considered before. Here are three examples:



It’s a Sign of the Times: The Spectre of a Security Meltdown

Perhaps it is telling that my first post of the year is one dealing with recent articles on cybersecurity. Perhaps it is a recognition that 2018 may be the year when cybersecurity comes even more to the fore, from the protection of our personal systems, to the protection of our voting systems, to the tampering that occurs in our systems. But it may also be reflective of the fear, uncertainty, and distrust that is growing in our society today, where every risk is super scary. Part of the problem is that people either confuse or don’t understand the terms. So, let’s be clear (and these are from NIST SP 800-37 Rev 1):

  • Risk [FIPS 200, Adapted]. A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
  • Threat [CNSSI 4009, Adapted]. Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
  • Vulnerability [CNSSI 4009]. Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

There is no such thing as a “mega-vulnerability”. “Mega” is a risk assessment, and requires not only the weakness from the vulnerability, but a high likelihood of exploitation by a likely threat, and a likely adverse impact of that exploitation. You can have a vulnerability in a system that is easy to exploit, but doesn’t get you much information. You can have one that is hard to exploit, but can get you a lot of information. The overall risk depends not only on the vulnerability and the likelihood of exploitation, but also on the context of use and the likely attackers (threats).

With that, let’s look at some news:

  • Meltdown and Spectre. You’ve heard about these (makes air quotes) mega-vulnerabilities (end air quotes). They can impact almost any processor that does predictive execution. That includes Intel, AMD, and ARM processors. They can look into memory and expose data. Fixing them will slow down your system. There are emergency Windows updates being issued for Windows 10. But beyond the fear, what do you know? What is the risk? Here are the gory details on the problem. If you read through this, you’ll see that these aren’t that easy to exploit. You need to get someone to run a specially crafted program, and it needs to be on a system that might have some information you need. For most people, the risk from this is low. That doesn’t mean you don’t want to patch it as soon as you can — the longer a vulnerability is out there, the more it will be exploited. But this isn’t the world coming to an end. It does, however, demonstrate a few key rules: (1) complexity is your enemy — the larger and more complex a system is, the more likely that there will be undiscovered vulnerabilities; (2) just because it is hardware/on a chip doesn’t mean it is secure — we make the assumption that because something isn’t obviously software, it isn’t a security concern. But today’s firmware can be equally complex, and the hardware circuit designs even more so; just being on a chip doesn’t make it secure.
  • Secure Your Router. Whereas Meltdown might be lower risk, here’s a greater risk — and one that you likely can’t do much about: Your router. You need to secure your home router. Absolutely, positively. This is the router that connects your ISP to your home systems. You need to (at minimum) change the administrator passwords, set up the appropriate NAT, and ideally use a DNS other than your ISP’s DNS. You also need to update the firmware regularly, although you might not be able to do that. If you can’t, you need to consider that router a compromise zone, and put something more secure behind it for your use. Let the guests you don’t care about use the ISP’s wireless.
  • Ransomware. An emerging trend (unfortunately) is ransomware. Ransomware doesn’t steal your data; rather, it demands money so you can access it. It is insidious and evil, and far too easy to run into with all the hidden drive-by-downloads. So bookmark the following site: No More Ransomware. It is a clearinghouse of information on how to remove ransomware infections.
  • Attacking Hard Disks. Meltdown and Spectre can only get to information in memory. What about your hard disk? What about an attack that could cause the disk to crash? What if that attack didn’t require you to get on the system at all? Scared? Such an attack exists: Gizmodo is reporting on attacks using sound to crash hard disks by exploiting resonant frequencies.
  • Voting Machines. Of course, it isn’t just home machines and businesses that get attacked. Our voting systems get attacked, as we saw in the 2016 elections. But just as a broken clock tells the right time twice a day, the GOP-led Congress actually has a reasonable bill proposal regarding secure voting. Learn about this bill, and if you agree with its approach, work to secure its passage. The bill creates earmarks to help states get rid of their paperless electronic voting machines in favor of voter-verified, machine-readable paper ballots, and institutes a system of randomized post-election audits that use good statistical techniques to spot systemic anomalies. This may become even more important as states move away from precincts and to voting centers.
    • Edited to add: I pointed out the above to a friend who is very concerned about cybersecurity and elections, and she had this response — which I think highlights something important: “The congressional initiative on secure voting does advance the use of paper, but it does nothing to end the imposition of vulnerable expensive private architecture on public record management. In fact it serves to continue it. “Trusting” states to hire impartial auditors and to conduct audits is a stretch. A sponsor, Kamala Harris’s lack of discernment has so far been a big disappointment. First Franken. Now this.”

Internet / Security

The never ending task of paring down my saved chum list brings you this collection of articles related to the Internet and Internet security. Pay attention folks — there’s some good stuff here. Also, remember the key adage: If you get a service for free, you are the product, not the customer.

  • Be Alert for Phishing. I’ve always opined that the key risk from the Equifax and other breaches is not identity theft, but phishing. Help Net agrees: they view phishing as a bigger threat than keyloggers or third party breaches. They researched the subject, and noted that “victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. Keyloggers fall in between these extremes, with an odds ratio of roughly 40x”. The reason for this is that phishing kits also actively steal additional authentication factors (secret questions, phone number, device-related information, geolocation data) that can be used to impersonate the victim and bypass protections put in place by email (and other online service) providers.
  • So What is Phishing/Spearphishing? Here is a wonderful infographic/cartoon on how to protect yourself from Spearphishing. Along the way, it explains what spearphishing is, how it influenced an election (and potentially gave us President Trump). It also contains some good tips about how to protect yourself from phishing. Note that, depending on where you work, this may be NSFW.
  • Lava Lamps and Security. Entropy. That’s “N”-“Tro”-“Pee”. Say it with me. Entropy is the property of how random your random numbers are. These numbers are usually generated by computers, and depend upon a random seed to start the process. A big issue is: how do you get the seed? Cloudflare does it in a very interesting and analog way: Lava Lamps. A lava lamp is a great way to generate randomness. Cloudflare videotapes its wall of colorful constantly morphing lava lamps and translates that video information into unique cryptographic keys.
  • Facebook Privacy. Remember my adage about getting a service for free? One such service is Facebook, and they don’t care about your privacy (and neither does that minx, Wendy). But you care about you, and that’s why you’re going to read this article about how to lock down your privacy settings on Facebook. Yes, you can make it so that when you go out searching for such-and-such for a friend (you know, that NSFW such-and-such), you aren’t suddenly deluged with ads on FB for that product.
  • Objectivity of Blog Sites. You’re probably familiar with them: all those blog sites that review this product and that product. Mattress blogs. Makeup blogs. Theatre blogs*. But there’s often a story behind the story about how manufacturers subtly influence them. Remember: if you get a product for free, what are you? Here’s a story I’ve been saving for a while about the Mattress Wars, where a bunch of new mattress stores started a war with mattress bloggers. *This, by the way, is one reason I do not accept free theatre tickets. I choose what I want to see and write about. I follow the ethical model of Consumers Reports. I will pay for tickets what I would have paid through the various discount ticket services I know about.



Caught With Your Pants Down

I’ve been reading a lot today about the Equifax compromise, where, you, the person whose data Equifax collected, were caught with your pants down because — although you buckled the belt as you should — the manufacturer forgot to secure the buckle to the belt. When you bent over to pick up that hot dog that landed on the floor — whoops, your privates, and those of 143 Million other Equifax individuals about which Equifax had data (about 44%) were put out there for all the world to see, to point at, and to laugh.

Don’t you feel embarrassed? Don’t you feel like you should lock yourself up in a dark room and hide forever?

You don’t need to. Equifax has provided a complicated checking procedure and registration approach that, ultimately, puts you in a queue for a paid year of credit monitoring, while you give up your rights to arbitration and class action suits¹. Doesn’t that make you feel better? Oh, and that credit monitoring. I think you still need to give a credit card, so they can start billing you after the free year is over.² Still feel better? Remember, this is monitoring — it doesn’t stop anything and lets you know after the information is used. Of course, you can have confidence in Equifax that they will protect you after the breach, given how they have handled it. [ETA: Oh, and Equifax was sending people to a fake phishing site.]

¹: [Update: They later clarified this wasn’t the case, although initial language made it appear to be the case. Translation: Sloppy response to the situation; poor contingency planning.]
²: [Update: They since removed the requirement for a credit card; it was there when this article was written]

Of course, there are security folks proposing other solutions. Some suggest the easy solution of just giving everyone new, more secure, social security numbers. Alternatively, we could start using our RealID Drivers License, and have one national identity number.

More sane folks are recommending a two-pronged approach that doesn’t require using Equifax’s protection: the most common approach is suggesting a fraud alert on your records, and paying to have a freeze to prevent new accounts. All good ideas.

As for me, I’m going to wait and see. With 143 Million pieces of data, their odds of picking me are, well, 1 in 143 million. That’s pretty small.  Plus the information has been out there for months — and with information like this, you have to use it quickly or it loses its value. Have we seen an uptick in identity theft? I haven’t heard of anything. I strongly suspect that this was a nation state, just like the OPM breach, and only select data will be used, for sophisticated spear phishing attacks. After all, why do they need to do the fraud when they can get you to unlock the door? Further, this isn’t the only attack: you’ve likely already had your information released (see this site).

Oh, and before you get scared about using the Internet, think about this: You don’t have to be an Internet user to have your information in the Equifax data. You just have to have had credit at some point in your life. The fault was with Equifax, the company you trusted to protect your data. Oh, that’s right. You didn’t choose Equifax. The fault was with Equifax, the company other companies trusted to give them accurate credit data. Equifax didn’t care about you or your credit. And neither did that little minx, Wendy*.

It is not in Equifax’s business model to protect your data: well, they’ll protect it only until they can sell it to the highest bidder. Remember the adage: If you get the service for free, you’re not the customer, you’re the product. [Translation: Equifax and other credit reporters make money by selling your data. Until their customers — the financial organizations that buy their data — demand accurate information, nothing will change. They won’t demand as long as it doesn’t cost them. They don’t pay the cost of the identity theft — you do.]

Feel better now? If not, wait a bit. I’ll be posting something this evening that will make you feel much better, even if your pants are down.

P.S.: Speaking about phishing, my favorite theatre about spam is having performances on 9/10 and 9/17. Go see it. It had Gene Spafford rolling in the aisles.

*[Paraphrasing my favorite Alton Brown quote, long since removed from his website:]

Here’s what it comes down to kids. Equifax doesn’t give a damn about you. Neither does that little minx Rachel from Card Services or any of the other icons of finance. And you know what, they’re not supposed to. They’re businesses doing what businesses do. They don’t love you. They are not going to laugh with you on your birthdays, or hold you when you’re sick and sad. They won’t be with you when you graduate, when your children are born or when you die. You will be with you and your family and friends will be with you. And, if you’re any kind of human being, you will be there for them. And you know what, you and your family and friends are supposed to watch out for you too. That’s right folks, protecting someone else’s information is an act of caring. We will always be protected best by those that care, be it ourselves or the aforementioned friends and family.

We are having our information exposed and exploited and exploited again because we have handed a basic, fundamental and intimate function of life over to corporations. We choose to value our information so little that we entrust it to strangers. We hand our lives over to big companies and then drag them to court when the deal goes bad. This is insanity.


Sesame? Says Me!

Over the last few days, my newsfeed has been filled with people gloating over the fact that the fellow who came up with that original guidance — make complex passwords and change them often — admitted he was wrong. But, of course, as with most people, they are misinterpreting things. Here are some key takeaways:

  • Complex passwords are still critical, but the answer is not an unpronounceable mix of letters and characters — because you can’t remember that. You can get equal or stronger passwords by choosing random words from the dictionary (passphrases) because although the “string” is shorter, the alphabet is larger. Math is math.
  • Frequent changing of passwords defeats the strength not because frequent changing is bad, but because human nature is. If you change things frequently, you’ll go to patterns that make things easier to remember — and to break.

In reality, the best solution is still a high-quality Password Manager, with a strong master password. In the password manager, you can create strong passwords for all your sites — unique for each site — and not have to remember them. This is something I recommend (and not using my Facebook authentication for everything, which is not only weak but gives FB far too much information). I’ve recommended Lastpass for a long time for this purpose. It can keep track not only of passwords, but all that information you fill into forms — such as credit card info — so that you are storing it in your encrypted password vault, not on another machine where you depend on their encryption.

Recently, Lastpass changed their charging model: they upped the price (without notice) of Lastpass Premium from $12 to $24 a year. Everyone was up in arms! Heaven forfend! Doubling the price! (Never mind the fact that we’re talking $1 a month, which is noise, but hey, it’s the percentage!). It’s a concern for me: we have three Lastpass Premium accounts. However, I plan to move to the Family pricing model (which is worth it for 2 or more family members); hopefully, Lastpass will provide a way to consolidate existing Premium accounts into a single Family account with pro rata balances applying towards the fee.

In the larger world, NIST is simplifying their password recommendations. The folks at Lastpass believe that will make things easier, but I believe that the fundamentals still remain: pick a unique password for each site, make it suitably complex, ideally gaining complexity through words vs. characters. How to do that? Use the password generator in your password manager, use the nonsense word generator, or use the XKCD Password Generator, XKPasswd.
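To put numbers on the two takeaways above (words as a larger alphabet, and why the random choice has to come from a machine rather than a human habit), here is an added Python example; it is not from the original post or from any of the generators named above. The eight-word list is constructed, 95 is the printable ASCII alphabet, and 7776 is assumed as the size of a Diceware-style (6^5) word list.

```python
import math
import secrets

# Constructed toy word list. A real generator loads a large dictionary; for
# the entropy math only the dictionary SIZE matters, not the words themselves.
WORDS = ["correct", "horse", "battery", "staple",
         "orbit", "lantern", "velvet", "tundra"]

# Assumed alphabet sizes: 95 printable ASCII characters, and 7776 words
# (the size of a Diceware-style 6^5 word list).
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`
    symbols, i.e. log2(alphabet_size ** length). A "symbol" may be a single
    character or a whole word; treating words as symbols is what gives the
    passphrase its much larger alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Fewest uniformly random words from `dictionary_size` entries that
    reach at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def compare(char_len: int, alphabet_size: int,
            word_count: int, dictionary_size: int) -> dict:
    """Compare a random character password with a random word passphrase."""
    chars = entropy_bits(alphabet_size, char_len)
    words = entropy_bits(dictionary_size, word_count)
    return {
        "char_password_bits": round(chars, 1),
        "passphrase_bits": round(words, 1),
        "passphrase_is_stronger": words >= chars,
        "words_to_match": words_needed(dictionary_size, chars),
    }


def generate_passphrase(words: list, count: int, sep: str = "-") -> str:
    """Pick `count` words with the OS CSPRNG (`secrets`). The entropy figures
    above hold only when the words are chosen this way; a human picking
    'memorable' words reintroduces exactly the patterns the second takeaway
    warns about."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # 8 random printable characters (~52.6 bits) vs. 4 random Diceware
    # words (~51.7 bits): close, and the passphrase is far easier to recall.
    print(compare(8, PRINTABLE_ASCII, 4, DICEWARE_WORDS))
    # A fifth word (~64.6 bits) comfortably beats the 8-character password.
    print(compare(8, PRINTABLE_ASCII, 5, DICEWARE_WORDS))
    print(generate_passphrase(WORDS, 5))
```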


A Secure Companion

This is a companion lunchtime post to my previous one. Whereas that post focused on government-related areas, this post shares some cybersecurity items of broader interest:

  • Two Factor Authentication. The Verge has an interesting opinion piece on why two-factor authentication has failed us. We have a mix of approaches, some still depending on SMS even though there are significant weaknesses there. As they say: “Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.”
  • Backup Software. One of the best solutions for security — and a key protection against ransomware — is having backups. But Windows backup software is often hit or miss. Here’s a good review of various packages from PC World. I’ve been using an older version of their top-rated software for a few years now: I’m on Acronis True Image 2015. It backs up to the cloud without a subscription. Their newer stuff seems to have some different models, and I haven’t decided (a) if I want to upgrade, and (b) if I want to go with their subscription approach. I’ll also note that I’ve used the Paragon backup (an older version). What I didn’t like was that it grabbed every partition on the system, and did really bad space management such that your backups would fill a drive.
  • Family Passwords. This week, Lastpass announced a new service: A family password manager. As they write: “Enter LastPass Families, where you can store everything from bank accounts to passports to credit cards. Your details are secure, organized the way you want, and easily shared with your spouse, kids, in-laws, and more. You can even give access to others in the event of an emergency. The family manager can quickly add and remove members to the account, making it easy to get everyone up and running.” I still need to figure out if this service (or how this service) is an improvement over multiple Lastpass accounts. They also indicate that there is a fee for the service beyond Lastpass Premium, but if I have multiple family members with LP Premium, can things somehow be combined into one account that takes into account what has been paid? Perhaps they’ll answer this post.
  • Alice and Bob. I’ve always joked that when I hear the names Alice and Bob, my eyes glaze over for the crypto discussion that follows. But why Alice and Bob? What is their history? This article answers that question. It details the major events in the “lives” of Alice and Bob, from their birth in 1978 onwards.
  • Erasing Data. Here’s a pretty good summary of how to erase data from both magnetic and solid state drives. File it away; it may prove useful.

Cyber (Security + Space)

Over the past few weeks, I’ve collected a number of articles related to, shall we say, work-related topics. Here is where I share them with you, while enjoying my lunch:

  • Headline: “Air Force operationalizes new cybersecurity plans.” This is a real interesting article detailing some of the changes being made in the Air Force to improve their cybersecurity stance. For those with an interest in cybersecurity and resilience, it is a move in the right direction.
  • Headline: “There may soon be a new US military service — for space.” There’s one problem with the US Air Force. There’s no air in space. This article is about a potential separation between the Air Force side and the “Space Force”, with a notion that the Space Force would be like the Marines: part of, but yet separate from, the Air Force. It will be interesting to see how this pans out.
  • Headline: “Malware protection for air-gapped systems.” One of the ways we supposedly protect systems is through air gaps — that is, no actual network connections. Yet as we saw with Stuxnet, such gaps don’t always work. This explores the way one vendor is addressing protection for such systems.
  • Headline: “U.S. to create the independent U.S. Cyber Command, split off from NSA.” The Department of Defense has many broad commands, most representing geographic areas (think Atlantic Command, Pacific Command, etc.) or broad functional areas (Strategic Command). One recent command created was Cyber Command, but it was part of and colocated with NSA. This article, as well as this one, discuss the potential separation of the two. This would permit Cyber Command to focus on cyber-related defense activities (and possibly offense), and NSA to focus on its intelligence role. What they don’t discuss is the disposition of the unclassified side of NSA — what was once the National Computer Security Center, and now would include things like the Common Criteria folk. My guess is that the separation is easier in theory than practice.