Tuesday, September 19, 2017

What can we learn from Equifax?

So, anyway, this year the world has taken a couple of pretty big hits, between Equifax and RansomWorms like WannaCry. It's time to see what we can learn from them. Let's think about Equifax first. Although it left a bigger mark, it's a simpler solution. Patch, damnit! Patch! It's got nothing to do with some poor soul's music degree, or lack of degree. The patch was released months ago, and it was simply a grievous mistake to not patch, but people are human, and, unlike my dear readers, very few of us never make a mistake. It's also worth remembering that, just as humans are only human, all software has a weak underbelly if you look hard enough. One of my favorite security truisms is that security and functionality tend to exist in an inverse relationship. What this means is that the more functional you make something, the less secure it tends to be, and the world demands that we build for functionality. What this means is that someone will always be discovering a problem with something we care about, and if there's a patch available, patch it. Job done. Well, _that_ job's done, but there are other issues... You might be spear phished. You might get a malware infection. There are plenty of those to go around. You might have un-patchable IoT devices on your network. This is all still emerging. We will talk about these things at other times, but remember this ... there is no panacea. Remember that the best security is like layers of swiss cheese. Any one layer has lots of holes, but if you layer another slice on top, they cover up each other's holes. Put enough layers on top of each other, and you are much stronger. Never invulnerable, but _much_ stronger. This, unfortunately, is a part of the fabric of the Internet, and is simply a cost of doing business. It hurts, but it is what it is. Take care out there, folks. Www stands for World War Web.

Monday, March 13, 2017

Hi folks, For the first time in several years, I am able to blog at will, and, going forward, I will do my very best to find interesting topics. This one is a little mundane, but you gotta start somewhere, and, although it's not earth shattering, it's worth a mention. About every other day or so, I get an email along the lines of ... "have you ever thought to work from home? roger look over the attached invitation! Your secure password(for the document) is: 421233" and, attached, is a protected pdf. If you are naive enough to try to open the pdf, you are taken to a website that tries to get you involved in their business scheme. I'm sure they consider it marketing, but I consider it dangerous, because it is really difficult to tell whether or not it's taking you to an attack site. There are two really good security rules of thumb here... (1) Never open a pdf from someone you don't know. (2) Never open _any_ document, or any sort, from anyone you don't know, if it's password protected, because it makes it hard for your antivirus to scan inside it, to determine if it's safe or not. Keep safe out there, folks. Remember 'www' stands for World War Web.

Friday, September 9, 2011

NBC Twitter account

Hi folks,

So, today, in an (impressively successful) attempt to prove how irresponsible some people can be, some morons calling themselves ScriptKiddies managed to sneak into NBC's Twitter account, and posted fake alerts about a hijacked plane crashing into the World Trade Center site.

It's not clear how they got in yet, but I have a feeling it was password re-use. Yes, I know the password might have just been phished, and I know it might been a weak password which was guessed, but I doubt that it was brute-forced, as Twitter learned that lesson years ago.

Entirely too many people use just one, or a few, passwords for all their web access, and there are simply too many places we log in now, and if one falls, they all fall.

There are three lessons from this:

(1) Don't take Tweets too seriously. People do get their accounts nailed from time to time.
(2) Subscribe to multiple sources. If something important does happen, multiple sites will report it.
(3) Most importantly, please use one password, or passphrase per site, and either write them down and keep them in your wallet, or use some password keeping software, but don't re-use passwords.

Password re-use is your enemy.


Monday, September 5, 2011

Diginotar notes

SO, over the weekend, we became aware that a Dutch certificate authority had been hacked, and a whole truckload of fake certificates issued for people like google, cia.gov, and mossad, to mention just a few of the more embarrasing ones. In the fullness of time, it's become clear that the initial result of this is that for at least a day, Iranian Internet users were subject to mass Man In The Middle attacks.

The certificates have now been revoked, but there is a certain amount of damage already done.

What this means to those who have been attacked, is that authorities probably read a whole lot of their supposedly private emails, and may have stolen their login credentials for future use. If you happen to be an Iranian dissident, that's probably not good news for you.

There are a couple of shoes left to drop, however. The first is that some of these certificates could probably be used to sign executable code, which in turn will make it easier to slip targeted malcode into a victim's system. Stuxnet, you might recall, was code signed with stolen certificates, so as to avoid Windows warnings.

I don't like this idea at all, as I'm fond of having electricity, and would prefer if it stayed on. Just saying'

The second, and bigger shoe, is the simple idea that a medium sized Certificate Signing Authority can (a) have so much power, and (b) be so poorly defended.

How many more such authorities are there? It's worth pointing out that this is probably the second hack of a CA by the same guy, and we may be confident that he'll find more.

The really sad thing is that there is no easy solution for this. No single bit of software, like anti virus, will protect us.

The best we can do is to start layering in defenses.

For starters, make CAs show some level of security sense.

From an end user point of view, use only one password for each site.

Create a user-grade account for your PC, and use it on a daily basis, instead of admin level.

If your computer warns you about a dodgy certificate for a website, or for an executable... listen to it.

Keep patched (obviously) and find an av program that doesn't rely on signatures.

Most importantly, more needs to be done by ISPs, and backbone providers. Botnets have to be reduced.

We have probably reached a point where machines cannot be allowed on the Internet if they are showing they are infected. As it is, no one cares,as there is no revenue in it.

This has to change.


Wednesday, August 10, 2011

FaceBook _didn't_ screw up

Hi folks,

This morning, following a friend's status update, I looked at my contacts list on FaceBook, and was horrified to see a huge list of friends and their _phone numbers_! (If you want to see it yourself, you go to Accounts, Edit Friends, and Contacts)

On the page, FaceBook says "Facebook Phonebook displays contacts you have imported from your phone, as well as your Facebook friends. If you would like to remove your mobile contacts from Facebook, you need to disable the feature on your mobile phone and visit this page."

My initial reaction, looking at great swaths of phone numbers that I'd never seen before was "Oh no! FaceBook's done something bad again with privacy" (or words to that effect), followed by "And _I_ never gave permission for my contacts to be imported from my phone!", but after I looked at it for a while, I realized that the list did not have my phone's contact numbers at all. And not only that, but the list did not have all my friends on it.

What I was actually looking at was a list of my friends that had ponied up their own numbers. Perhaps they'd come from some of their phones, but a bunch that I checked were simply what people had put on their own profile, including one memorable one of +10000000000 (R.A....You know who you are).

FaceBook didn't do anything bad, they simply assembled available information, from your friends, in a neat list.

It was just a shock to see it all at once.

Really, the only downside is if your privacy settings are open to the world, and in that situation, it is not yet clear if that might leak your friends' private information.

Perhaps that's a topic for another day.

Keep safe folks.

Roger (Btw, I am currently an independent security guy, _not_ something to do with AVG. Even though they're still my friends, I no longer work there)

Saturday, July 23, 2011

YAFC-Y (Yet Another Facebook Clipjack - Yawn)

Hi folks,

Today, with Amy Winehouse's passing, another young star burned out entirely too soon. Whether we were fans or not is irrelevant. The salient point is that there is a group of greedy, covetous, rapacious, insatiable, avaricious, penurious, gluttonous vultures who eagerly await some misfortune, such as Amy, or yesterday, the cruel events in Norway.

Within hours of these events, they flood Facebook with promises of prurient or sensational videos, but the real goal is to trick kids or teens into agreeing to a $10 a month charge to the cell phone bill. They assume they won't read the fine print.

So, as the title says, on one hand it's YAFC-Y ... Yet Another Facebook Clipjack - Yawn..., but by golly, they're not much more than sociopathic animals. I wonder how they can sleep at night.

Truly, these people (and I use the word loosely) are the lowest of the low, and I can only hope that someone like FTC has them squarely in their crosshairs.


Wednesday, July 6, 2011

Hardening iOS

Hi folks,

iOS is the operating system that powers iPhones, iPods and iPads. These things, along with Android powered devices, are clearly a critical part of the future of computing, and how we go about securing them is an emerging issue. We may be confident that the Bad Guys (tm), whether they be criminals or State-level cyber-warriors are looking hard at how to attack them. With that in mind, I was pleased to see this document, prepared by DSD, the Australian Defense Department Intelligence group, about how to harden these devices against attacks and probes.

It's 36 pages of very interesting reading (if you're a security geek), and definitely worth studying (if you're said security geek). If, however, you're either a simple consumer, or ADD, or both, the critical points seem to me to be these...

(1) When you travel overseas, you need to keep in mind that foreign ISPs and carriers may not provide the same levels of user rights that we often take for granted. Being blunt, foreign governments may well sniff your traffic, so be .... thoughtful... about what you say / type / tweet. (On the other hand, if you are of a mischievous bent, and your friend happens to be traveling in one of these countries, it could well provide much entertainment if you sprinkle seditious words like "revolution" and "protest" in your emails/ IM chats with him... but I digress)

(2) Keep in mind that "Smart Phones" tend to synch (in other words, mirror) lots of data that you might otherwise think was just on your desktop, and if you lose your phone, or it's stolen, you might well be off-network, and thus unable to send a remote-wipe command to it. What this means is that it's a pretty good idea to set a pin on the phone, and set it to automatically wipe itself after 10 failed attempts to guess the pin. A few hundred dollars gets you a new phone, but a lost bank account UID/PW might cost you much more.

(3) Be cautious about what apps you allow on your devices. How do we know what data these apps are transmitting, and how do we know who they are transmitting to? The answer is that we don't. A good rule of thumb is to consider how the app developers are getting a return on their development investment. It costs money, time and resources to build an app, and oddly, not many folks do it for free. If you can't see how they're getting a return, it might be a good idea to pass it by. If I can mix metaphors for a moment, there aren't a whole lot of free lunches on the Internet.

When I first started in anti-virus in 1987, there were only a few viruses... Brain, LeHigh, Jerusalem. By the end of the first year, there were only about twelve in total, and we would wonder each month if there would be any more. Today, every anti virus lab in the world gets about 300k samples every day, 25-30k of which are new and unique. Every day!

For a long while, we only had to worry about Dos, and then Windows viruses, but now we have ubiquitous Windows, plus Apple OSX malware, and a fast-growing Android malware problem. iOS is still fairly safe, but history shows that any platform that has the characteristics of being both widely adopted, and cheap and easy to develop on, becomes a target.

Apple does their best to keep it all safe, but it's in our interests to employ whatever hardening steps we can now. Special thanks and shout-outs to Australia DSD for a fine document.

Keep safe folks.