Monday, October 31, 2016

iOS 10.1.1 out today 10/31/2016

US-CERT and Department of Homeland Security suggest updating.

Monday, October 24, 2016

Internet of Things (IoT) default/weak password revisit

 One article cited the use of IoT devices with default or weak passwords to attack a security blog. The same malware was then released publicly and used to cause a widespread Internet outage. This use of IoT botnets will probably continue.

 Another aspect to consider: the IoT devices on your network (cameras, DVRs, thermostats, etc.) can be used against your home network just as easily. Secure the password and access to all of your IoT devices if you are able. Some IoT devices have passwords set in firmware that cannot be changed; contact the vendor to have this vulnerability addressed, or replace them with similar devices that can be secured. Segment your IoT devices on a separate network. Rebooting an IoT device infected with Mirai clears the bot from memory, but scanners on the Internet will find and re-infect it within minutes.

 An interesting comment on the recent IoT events: a network designed to survive a nuclear war was brought down by toasters.

Saturday, October 22, 2016

IMPORTANT Avoid Internet problems like the recent DYN attack for your critical sites

 The IoT botnet mentioned in another blog post was the lead story on the evening news yesterday.

 The millions of Internet-connected cameras, DVRs, etc. with default or easily guessed passwords were directed at dyn.com. dyn.com is part of the cloud infrastructure that provides Domain Name System (DNS) service. This service takes the name you enter into your browser and provides the IP address needed to connect to that name's web presence. The sites themselves were not attacked (this time), only the ability of users to resolve the name to an IP address.

 This botnet will become more and more powerful and thus be used more and more in the future. The code used to power the botnet was released, and scanning for vulnerable IoT devices has greatly increased. Anyone on the planet can now attack anyone else on the planet.

 When this happens again and you need to access a critical site whose DNS is being attacked, there is a way to gain access.

 The major PC operating systems (Windows, macOS, and Linux) all have the nslookup command. Open a CMD or terminal window and use nslookup to get the IP address for each critical site you would need access to.

 Once that is done, capture that information in a file on your computer(s).

 When needed, take the IP address for the site you need and use it in place of the name in your browser.

 Now you can access your critical sites.
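The look-up-and-save procedure above as a small shell script, added here as an example and not part of the original post. It assumes a list file location (SITES_FILE) and falls back to getent when nslookup is missing or no DNS server answers, so it can be tested offline.

```shell
#!/bin/sh
# Added example (not from the original post): keep an offline name->IP list
# for critical sites so they stay reachable while DNS is under attack.
# SITES_FILE is an assumed location; override it in the environment.
SITES_FILE="${SITES_FILE:-$HOME/critical-sites.txt}"

# resolve_name NAME: print the first address found for NAME (empty if none).
# Uses nslookup as the post suggests (the timeout flags are for BIND's
# nslookup; BusyBox's version rejects them, and we then fall back to getent,
# which also answers from /etc/hosts when no DNS server can be reached).
resolve_name() {
    addr=""
    if command -v nslookup >/dev/null 2>&1; then
        # The first "Address" line is the DNS server itself; the answer's
        # address follows the "Name:" line. Accept IPv4 or IPv6.
        addr=$(nslookup -timeout=2 -retry=1 "$1" 2>/dev/null | awk '
            /^Name:/ { seen = 1; next }
            seen && /^Address/ {
                for (i = 2; i <= NF; i++)
                    if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                        ($i ~ /^[0-9a-fA-F:.]+$/ && $i ~ /:.*:/)) { print $i; exit }
            }')
    fi
    if [ -z "$addr" ] && command -v getent >/dev/null 2>&1; then
        addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    fi
    printf '%s\n' "$addr"
}

# save_site_ips NAME...: resolve each name and append an "IP NAME" line to
# SITES_FILE (same layout as /etc/hosts). Returns 1 if any name failed.
save_site_ips() {
    rc=0
    for name in "$@"; do
        addr=$(resolve_name "$name")
        if [ -n "$addr" ]; then
            printf '%s %s\n' "$addr" "$name" >> "$SITES_FILE"
        else
            echo "could not resolve $name" >&2
            rc=1
        fi
    done
    return $rc
}

# saved_ip NAME: print the stored address for NAME without touching DNS;
# this is the value to paste into the browser in place of the hostname.
saved_ip() {
    awk -v n="$1" '$2 == n { print $1; exit }' "$SITES_FILE"
}
```

Refresh the file while DNS is healthy, since sites behind content delivery networks change addresses. Browsing to a bare IP over HTTPS usually trips the certificate name check, so expect a certificate warning in that case even when the address is correct.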

Friday, October 21, 2016

Breaking news: waves of cyber attacks hit Netflix, Twitter, and others. USA Today has the story; use search for more detail.

 I do not like to embed links in blog posts, so use search to find later and more information.

 In concert with the blog post on using Internet of Things (IoT) devices to launch a Denial of Service (DOS) attack, this attack appears to be against the Domain Name Service (DNS), which provides hostname to IP address translation.

 The troubling aspect is just how easy it is now to bring down parts of the Internet. Going without streaming movies or social media is one thing; going after any portion of our financial infrastructure would have a great impact.

Wednesday, October 19, 2016

Biometric device unlock

 
 In smartphones and other devices the trend is to add biometric features. You have been able to unlock smartphones with fingerprints for some time. That feature uses advanced technologies to prevent someone from taking your finger or fingerprint to unlock your iPhone, iPad, or other smart device.

 In today's news is an article in which the FBI is requesting the fingerprints of everyone at a California property. This will spawn legal challenges, but the current precedent is to allow it.

 Some devices recognize your face to log on or unlock. Iris scanners, palm print scanners: the list of biometric methods will likely grow.
 This makes for convenience for the user; you can't forget your fingerprint.
 Consider a device set up to unlock by scanning your face. Someone steals your unattended phone. While you are scanning the room looking for the device, the thief points it at your panicked face, unlocks the device, and replaces your face with theirs.

 Most devices allow multi-factor unlock and/or login. PINs and passphrases have their advantages and disadvantages. Consider using both biometrics and a PIN/passphrase. Doing so might prevent someone else from gaining access by tying you up, banging you on the head, or ...

Thursday, October 13, 2016

Suggestions for accessing financial sites more safely

 As I have mentioned, you can only be safer, not safe.

 Web access through the HTML language and HTTP protocol is stateless. Most computer communications are stateful.
 Analogy: stateful is a phone conversation. Once connected and started, the information flow builds; if you have called your lawyer about a concern, at any point in the stateful conversation the case details are implied and understood by both parties. Stateless is like mail: each letter between the parties should state the concern explicitly.

 Since browsers, like operating systems, have vulnerabilities that enable cross-site scripting, cross-site request forgery, and other attacks made possible by a stateless protocol, it is safer to have a single browser session to a financial site where IDentity and currency are involved. A safer environment for such sessions could be a Linux machine running a more secure browser. As the goal of the financial session is to make or save money, buying or running yet another computer system is a consideration.

 Consider then two alternatives, both keeping your existing PC, operating system, network setup, etc.

 One. A virtual machine (VM) on your existing hardware. When you need to visit a financial site, or any site that requires a more secure setup, boot up the VM with Linux and a secure browser and nothing else running. Revert to a clean Linux install at each boot. Reboot to that clean install before and after each secure WEB session. The advantage of a VM over method two is that most malware checks whether it is running in a VM and will exit or behave better in one.
 Two. A similar setup with Linux and a secure browser, but booted from a read-only DVD or CD-ROM. The advantage over a VM is that there is no way for malware to write to disk.

 The learning curve for Linux is much less now than in the past. Once booted, all that is required is to log in and start the secure browser. From that point, connecting to the secure WEB site is the same as usual.
 Add the procedure to reboot into your native environment and you have a method to make your WEB sessions safer.

Wednesday, October 12, 2016

IDentity theft - once removed

 When we moved to Texas we bought a car, a demo unit from a big dealer. When going through the car a few days later we found a completed paper form from someone who had had the car for a few days. Every possible piece of personal information was on that paper. I took that paper to the dealer and explained that they had to take better care of customer personal data. Head nodding with blank expressions was what I got.

 When someone rents a car at a rental agency and drives away, they often sync their phone with the rental car. Convenient. What they probably don't do is erase the address book or contact list that results from that smartphone sync. Well, you and I do, but what about your friends? The friends with details about you and/or your family? Home address, birth date, those details.

Ransomware

What is ransomware? Software that runs on your computer and makes portions of that computer, or files on it, unavailable until a payment (ransom) is made.

 Ransomware is very prevalent on the Internet today and will grow in usage. The threat is to business and home users alike. With the advent of digital currency (bitcoin and similar), cyber criminals can take already crafted ransomware suites, send millions of infectious emails or infect web sites with high traffic rates, and gain large sums of digital currency, which is untraceable and accepted around the world. The perfect business model.

 Recent sites I've seen lure users with shocking news items (deaths of celebrities or similar) posted on social media and current news sites. Other infection vectors are used as well: anything that can lure users to open an attachment, click on a link, or load a vector of infection. Ransomware will then start encrypting files and folders while you continue to use your PC. Once you find you can no longer access a file, it is probably too late. Most of your files are symmetrically encrypted; previous versions are encrypted, backups might be encrypted, volume copies too. Any and every file that you have access to, the ransomware has that access. A lot of monitoring tools will not raise an alarm, as the files are not being removed, they are being encrypted. Automatic backups and archives dutifully encrypt those copies as well. The first indication most users get is a popup, email, or alert informing the user and providing details on how to pay the ransom in exchange for the encryption key.

 Then comes the decision: pay and perhaps get no key in exchange; pay and be flagged as someone who pays; or pay, get the key, and get infected yet again.

 Ransomware is hugely profitable for cyber criminals, so it will be as stealthy as possible. Normal anti-malware suites will probably not catch the latest strains. Ransomware is using scripts, MS Office macros, infected PDFs, and other methods to avoid detection.

 In computer club presentations the 3-2-1 backup rule has been cited. I will suggest a slight modification: at least 3 backup methods, at least 2 different media, at least 1 manual backup. By manual backup, think: I need to manually connect the backup media, run a scan to ensure the files are uninfected, run the backup, then disconnect the backup media. Thus if/when you get hit with ransomware you have a backup of your files that the ransomware could not access. This might be enhanced by requiring an encryption key to access that offline backup archive.

 Other methods to avoid ransomware:

 Do not be lured by sites or e-postcard messages that are very tempting by design: any shocking news, links to current events (e.g. Hurricane Matthew).

 Keep your software up to date. Not just the OS (Windows, Mac, Linux, etc.) but also the browsers, Adobe, office suites, and security suites.

 Use a security suite, with the understanding that ransomware will avoid suites it knows about and/or disable those suites during the infection.

 Do not use the administrator account unless absolutely required for maintenance tasks, and only for those maintenance tasks.

 For web links: hover, think, research.

 Disable macros in office suites.

 Other practices will help with ransomware and other malware infections; use the web to search for those best practices. But be aware: current ransomware is designed to infect and make money, and the older best practices we have all used in the past are not effective.



Tuesday, October 11, 2016

"There is a problem with this website's security certificate"

First, some information on cryptography.

Cryptography (check Wikipedia for further information) covers four areas relevant to this article:
 1. Hashing
 2. Steganography
 3. Symmetric (shared key) encryption
 4. Asymmetric (public / private keys) encryption

 I will cover the first two in a later article.

 For encryption, the pieces are:
  1. Encryption algorithm (method)
  2. Encryption key(s)
  3. Clear text (message)
  4. Cipher text (encrypted message)

 Symmetric encryption (shared secret/key):

 Bob and Alice want to communicate without Eve being able to determine the message. Bob and Alice agree on one key/secret and an algorithm (method). A large number of methods are available.

Methods include block ciphers, stream ciphers, etc. The problem is scale. Add additional parties to the shared secret and the secret becomes harder to keep, harder to communicate, and harder to keep current.

 Asymmetric encryption uses two keys. Each key decrypts what the other key has encrypted, but not what it has encrypted itself. One is chosen to be a “public” key, the other a “private” key. Now Bob and Alice communicate with a combination of both of their public and private keys. Bob encrypts his message to Alice with Alice’s public key; she decrypts that message with her private key. Her message to Bob is encrypted with Bob’s public key and decrypted by Bob with Bob’s private key.
Now anyone can encrypt messages to anyone if they have the other party’s public key. This requires that public keys be available AND verifiable as that party’s actual public key. This is where digital certificates play a role.
 A certificate authority that both parties “trust” associates the party’s “IDentity” with their public key.

 Now there is a method that scales to the whole world. The problem is that asymmetric encryption is slower than symmetric encryption, thousands of times slower.
For most encrypted sessions, asymmetric encryption is used to set up a session, that session is used to exchange a symmetric key, and the faster symmetric encryption handles the session for some amount of time.
 Digital certificates use a certificate authority (or a chain of certificate authorities) to verify that the other party’s public key actually belongs to the other party’s IDentity. These certificate authority chains are built into your browser.
 To do business with your bank you browse to the bank’s website. The browser uses its certificate authority chain to find and verify the bank’s certificate and loads the associated public key. That session provides a symmetric session key to encrypt the web traffic within that asymmetric session, and your traffic is encrypted in transit.
 So when your browser indicates “There is a problem with this website’s security certificate” you should verify what and why before proceeding. Most browsers offer a button to view the digital certificate. This process is involved and not easy to grasp.
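The “asymmetric to exchange a symmetric key, symmetric for the bulk data” pattern described above, worked through with the openssl command line. This is an added example, not code from the original post; the key and file names are assumptions, and it uses RSA-OAEP to wrap a random AES-256 session key.

```shell
#!/bin/sh
# Added example (not from the original post): hybrid encryption with openssl.
# Alice encrypts a message for Bob: a fresh random session key is wrapped
# with Bob's RSA public key (slow, but only 32 bytes), and the message itself
# is encrypted with AES-256 under that session key (fast, any size).

# make_keypair DIR: Bob's private key and the public key he publishes.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/bob_private.pem" 2>/dev/null
    openssl pkey -in "$1/bob_private.pem" -pubout -out "$1/bob_public.pem"
}

# hybrid_encrypt PUBKEY PLAINTEXT OUTBASE: writes OUTBASE.key (the session
# key encrypted with RSA-OAEP) and OUTBASE.enc (the message under AES-256).
hybrid_encrypt() {
    pub=$1; msg=$2; out=$3
    session=$(mktemp)
    openssl rand -hex 32 > "$session"            # one-time symmetric key
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$session" -out "$out.key"
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$session" \
        -in "$msg" -out "$out.enc"
    rm -f "$session"                             # sender keeps no copy
}

# hybrid_decrypt PRIVKEY OUTBASE PLAINTEXT: Bob unwraps the session key with
# his private key, then decrypts the message with it. Anyone without the
# private key holds only an unreadable .key and .enc pair.
hybrid_decrypt() {
    priv=$1; base=$2; dest=$3
    session=$(mktemp)
    openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$base.key" -out "$session"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$session" \
        -in "$base.enc" -out "$dest"
    rm -f "$session"
}
```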

The point of this article is to use care when seeing this message.

Summary: Browser error messages similar to “There is a problem with this website’s security certificate” indicate something amiss in the setting up of that encrypted session. The site could be a site belonging to someone else in an attempt to steal your credentials and/or credit card.
Take the time and effort to check the site’s certificate. Use the browser’s Help function for more information.
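The checks behind “view the certificate”, done with the openssl command line instead of the browser dialog. This is an added example, not code from the original post; fetch_cert needs network access, while describe_cert and cert_matches_host work on a saved PEM file.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a site's certificate
# with openssl. Subject, issuer, validity dates and the listed hostnames are
# what to compare against the site you meant to visit.

# fetch_cert HOST OUTFILE: save the certificate the server presents for HOST.
# -servername matters: shared hosts pick the certificate by that name.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# describe_cert PEMFILE: who the certificate claims to be, who vouches for
# it (the issuer, which should chain to an authority the browser trusts),
# the validity window, and the hostnames it was issued for.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# cert_matches_host PEMFILE HOST: succeed only if HOST is a name the
# certificate was issued for. A mismatch is one cause of the browser warning.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}
```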

Internet of Things proven to disrupt the Internet - PLEASE change your default password/passphrase

Recently a security researcher had his blog attacked.
The attack, called a Denial of Service (DOS), was the largest traffic generator in the history of the Internet.
The researcher used a very large-scale Internet Service Provider (ISP). Typical DOS attacks use BOTs (think robots), comprised of many (hundreds) of compromised machines on the Internet that do their normal function but check in with a command and control network periodically to perform nefarious functions, like attacking a domain or IP address with as much traffic as each bot can provide.
Usually these bots are built up over time and are leased or rented out to attack someone/something.

 What was different about this botnet? It was made from millions of Internet of Things (IoT) items like security cameras, digital video recorders, printers, routers, and other devices. The devices used had default passwords and/or default configurations.

 If you’ve not changed the default password or default configuration on any of your IoT devices, you could have participated in this attack.
 Next time the attack may target a critical infrastructure service instead.

 Check your IoT devices and use strong passphrases. Check the default configurations of IoT devices. Use a strong rule set on home routers and firewalls.
 Monitor the traffic and behavior of your network.
Re-check IoT devices periodically and after any upgrades.
Periodically reboot IoT devices to clear any BOT from running memory.

Summary: There are enough devices on the Internet with default passwords/passphrases to take down the Internet.
If you have not yet changed the default (factory) password on your DVR, video streaming devices, home thermostat, garage door opener, etc., please do so.