09/17/2018

Newbie2Security: Passwords

0

by Newbie2Security, Security

A reader recently asked: “Everyone is saying to create difficult to guess passwords and not reuse them, but it’s impossible to track different passwords for every site – much less complex ones for every single site.  How do I make sure my passwords are good enough for security, but not forget them continuously?”

Well, passwords are a tough nut to crack these days.  Since you’re not supposed to re-use a password for more than one application/website, and since passwords should be complex, you’re stuck with trying to remember dozens of complex passwords.  Most people give up and re-use passwords or use simpler and easier-to-guess passwords, leaving them open to attack.  There’s good news, though, so let’s talk about passwords:

Passwords should be:

1 – Difficult for an attacker to guess

2 – Easy for you to remember

3 – Never re-used

4 – Complex enough so that they can’t be brute-forced (i.e. resistant to attacks)

Brute-force password cracking is simply an attacker trying a series of different combinations of letters, numbers, and symbols in turn to an attempt to happen upon your actual password.  Most – but not all – applications and sites have some method in place to stop this from working; either by limiting the number of attempts at a password before the account becomes locked, or progressively slowing down the time between attempts until it becomes too difficult to carry out the attack.

Unfortunately, normal humans have a lot of trouble keeping track of dozens – if not hundreds – of very complex passwords.  They might be able to manage 1, 2, and 4; but only at the expense of 3.  If they do keep 3 as the primary goal they often run afoul of 1, 2, or 4.

The good news is that there are several ways that you can follow all four rules without losing track of any sites or losing your mind:

1 – Use a Password Manager: A password manager is simply a piece of software that will allow you to store your usernames and passwords for various sites and applications in a vault that is securely protected.  This means you only have to remember one password (the one that lets you access the vault) instead of all the passwords for your sites and apps.  You do need to be sure the password manager vendor is reputable and has a good history at security, but otherwise you set them up and keep them updated, but don’t have to worry about forgetting passwords.  Even better, most will generate strong passwords on demand, allowing you to have unique passwords for every site and app without having to think them up yourself.  1Password and LastPass are two examples of well-established password managers that work across PC, Mac, and Mobile; and are also easy to use and work with no matter what browser you use. They’re not free (at least for the full feature-set you need to be using), but they’re reasonably priced and worth every penny.

2 – Use a Pass Phrase Instead:  Who says a password has to only be one word?  Complex passwords can just as easily be phrases or sentences if the site doesn’t limit how many characters you can use.  How about “ThisIsMySecureGooglePassword!” for your Google account?  It’s the right length, has upper and lowercase letters, has a special character, etc.  It can also be modified for each site – and those modifications can be hard to guess if you change which word gets modified in a way you’ll remember.

NOTE: Do not, and I really can’t stress this enough – do NOT use that particular sentence. Now that it’s posted to a blog that’s online, it is public information and will get added to databases that attackers use to guess passwords.  PLEASE think up a passphrase or sentence of your own.

4 – Never Use Public Information: Your maiden name, mother’s maiden name, zip code, pet’s name, kids’ names, etc. are all public information and should never be used in a password ever.  If you have to give that information to other people (on Social Media, to your bank, etc.) in the clear (i.e. in plain text or verbally); then it is not suitable for use as a password.

5 – Keep Your Passwords Secure: Remember that no reputable site, service, app, or business will ever – EVER – ask you to tell them your password either online or on the phone.  It is never necessary for them to do so.  They can access your information via their own methods, and don’t need you to tell them your password in order to do it.  So, if anyone claims they’re from FaceBook, or Microsoft, etc. either via email or phone and asks for your password; they’re lying and trying to steal your info.  Also, never keep passwords written down in the physical world, or stored in a file in the digital world unless that file is properly encrypted and secured.  So, a password manager that encrypts its vault is fine, but an excel spreadsheet that isn’t protected is not.

Defending yourself with strong, non-reused, passwords is a critical part of online security.  These tips are not difficult to use, and typically cost either little or nothing at all to take advantage of.  Take some time to follow proper “password hygiene” and you’ll find yourself in a safer place.

09/05/2018

Newbie2Security: What Your Browser can Tell Sites About You

0

by Newbie2Security

Here’s a great reader-submitted question, “I heard that if I connect to a site from a web browser, they can tell a lot about me.  Is that true? What can they see?”

It’s absolutely true, and your browser can tell a website or service a tremendous amount of information about you.  This can happen even if you haven’t specifically given the site, service, or app any privileges beyond just connecting to it in your browser.  That’s been the case for a very long time now – and this data doesn’t take a lot of technology or expertise for someone to see it and learn about you from it.  Let’s take a look at what your browser can be telling people about you.

Browsers transmit and receive a lot more data that is visible on your screen.  They also transmit what are known as browser headers – metadata (data about data) that identifies what your browser is capable of displaying, how much data it can accept, and a lot more details

When you connect to a website or service via a browser, the web server and your machine exchange a lot of information.  This is necessary since thousands if not millions of people visit a website, and not all fo them use the same web browser, Operating System (Windows, Mac, Linux, etc.), have the same fonts installed, have the same browser add-ons and extensions, etc.  So, in order to figure out what should be sent to your machine, the web server needs this metadata so it can send you the right information to display in your browser.

Most, but not all, of this data is sent in the browser headers.  Here’s what can be sent via headers during any connection to a web server:

 The IP address (a digital address assigned to your computer by your Internet Service Provider) so that the website knows who it is talking to.
The browser you are using (Internet Explorer, Firefox, Chrome, etc.) and what version of it you are running so that the website knows what your browser is capable of displaying
What fonts, add-ons, and extensions you have installed in your browser – also to help the website figure out what can be displayed.

That may no sound all that informative to a website, but it really is.  With the right tools, here’s what a website can find out based on that information:

 Your IP address can identify where you physically are at the moment.  While it’s not precise, IP geo-location is capable of finding your location within a couple hundred meters if not closer.  IP addresses can also identify what Internet Service Provider you use, if the connection is a cable modem, DSL, fiber, etc. and if you’re using something that can anonymize you (like a VPN or TOR networks).
Your browser type and version can identify what Operating System you use – Internet Explorer only runs on Windows and Safari typically runs on Mac, for example.
The combination of the above information combined with the add-ons, fonts, and other details can allow a website to “fingerprint” your machine to a high degree of accuracy.  This means that if you visit the site again – or go from site to site between websites that share information – these sites can track you and establish a pattern to your browsing history that cannot be removed by clearing your cache.

There are also small text files known as cookies that are placed on your computer/laptop/tablet/phone disk.  These cookies allow a specific site to recognize your device when you re-visit that site, and it’s how sites like FaceBook, Twitter, Amazon, etc. know you when you return to them later on.  Generally, cookies are harmless and only apply to a specific website you visit.  Others, known as “supercookies” are used by advertising networks to track you all around the Internet, however. By setting your browser’s “Do Not Track” settings you can eliminate most – but not all – of them.  Clearing your browsing history, cache, and cookies will get rid of them, though.

There are also tools for most major browsers that can help keep you more private while web surfing.  The Electonic Frontier Foundation (https://www.eff.org) has a tool called Privacy Badger that blocks most tracking cookies but can let you allow them on sites you do trust.  Ad Blockers can stop ad networks from landing supercookies on your machine.  They’re usually free, and well trusted tools like uBlock Origin are regularly checked for malware to make sure you’re not opening more security holes than you close.

So, as you can see, a browser can leak a lot of information about you and your devices.  Headers and cookies can tell a website a tremendous amount about who you are, where you are, and where you’ve been online.  Normally this isn’t a problem, as this information is fairly public and not considered Personally Identifiable Information like your name, phone number, social security number, etc. would be.  Just be aware that sites can see this information about you when you visit, and avoid even visiting sites that you don’t ever want to have this level of detail about you in the first place.

08/29/2018

Newbie2Security: Is the Cloud Safe, Part III

0

by Newbie2Security

Noun Monitor Cloud 66781
A reader asked a particularly complex question recently: “Is the cloud safe to use?”

In my continuing answer to that complicated question, let’s look at the cloud desktop experiences.

Cloud desktops are becoming more and more common as we move toward doing more within the cloud, as opposed to on our own networks and hardware. A cloud desktop is exactly what it sounds like; namely, a virtual desktop computer that runs within a cloud vendor and not on your own desktop, laptop, or tablet itself. They’re currently very popular for PC gaming when you want to play a very resource-heavy game and don’t own a powerful gaming desktop – or a PC at all. I myself use one to play PC games on my Mac (there’s a post on Paperspace and Parsec from a while back still posted here on the blog). While cloud desktops are incredibly useful, they’re still quite expensive to run and therefore not something everyone would use. That’s changing though, as prices come down just like all technology. This means you might be interested in using one in the near future if you’re not using one already.

If you do use or end up using a cloud desktop, its security is a lot different than using the cloud to sync data, or manage your Internet of Things (IoT) devices. Since a cloud desktop is an entire Operating System (Windows, Linux, etc.), it has to be secured in very much the same way as a desktop or laptop – but without the physical security you can put around a physical device you own and control.

So, how do you secure cloud desktops? Let’s take a look:

1 – Remember it’s a desktop. You should always keep your cloud desktop up to date with patches and fixes, and install and maintain an anti-malware tool on it as well. In much the same way as you would do these things on your own desktops and laptops, you must do them on cloud desktops too. Some service providers take care of some or all of these things for you; so check to see what they do in terms of updates and anti-malware and what you are responsible for yourself.

2 – The trust factor exists here too. Much like with IoT devices in the previous article, you have to know your cloud desktop vendor and put your trust in them. Most cloud desktop platforms are very new, so you won’t find a well-established company to go with; but you can research the company and find out if you should be trusting them. Where are they located? Is it in your country or off-shore? What back-end do they use to host their services – is it an established platform like AWS or RackSpace, or some cloud company no one has ever heard of? Who handles their billing – is it a reputable vendor like PayPal or directly with credit card companies (including all the Visa/MasterCard/Amex security methods) or with some payment provider no one has heard of? All of these questions can help you create a good profile of the company and their practices to base you trust decision on.

3 – Be careful what you put there. A cloud desktop can hold a lot of information on you. For example, if you use it for gaming, then the cloud desktop has your Steam and EA account info on there in all likelihood. It also might have billing information stored in memory when you buy things while you’re on the cloud desktop (like new games and software). That’s a bit of a problem, since you don’t have physical possession of the desktop itself, and won’t know if – for example – it’s stolen.

You can limit this liability by only logging into sites and applications you absolutely have to. Your Steam account is pretty much required, but you can turn on SteamGuard (two-factor login) to make sure no one can log in just by stealing the cloud desktop. You can also only update Steam and other payment information on your own desktop, rather than doing it via the interface on the cloud desktop. You can purchase games and other software on your own computer, get the access/registration keys via your own desktop email, then download the software and put in the key without having to put your credit card info into forms on the cloud desktop. For game apps like Steam and EA Origin, you can even make your purchases at their websites on your own desktop, then let the apps in the cloud desktop download the games next time you open the app there.

It’s also not necessary to even install or set up email apps/accounts on the cloud desktop at all – you can do that on your desktop or laptop and just cut and paste as required. Browsers don’t need to be synced to your Google/Apple/Firefox account, and therefore you don’t need to log into those services on the cloud desktop. Small steps like these don’t have a large impact on your cloud desktop experience and limiting what data is actually typed into or uploaded to the cloud desktop also limits what an attacker can get if they break in.

Cloud desktops can make life easier and open up the ability to do things you can’t do on your own desktop. As prices come down, they’ll become an option for more and more people – and a target for more and more attackers. Using them safely is very much possible, with a little strategy and forethought you can compute in the cloud with no problems at all.

08/27/2018

Newbie2Security: Is the Cloud Safe, Part II

0

by Newbie2Security

IoT Security 1520897A reader asked a particularly complex question recently: “Is the cloud safe to use?”

In my continuing answer to that complicated question, let’s look at the Internet of Things and what you can do to keep your own things safe.

The Internet of Things (IoT) is a collective term to describe all the connected boxes, devices, and widgets that don’t fall into the category of desktops, laptops, and phones/tablets. In some cases, even those devices are considered IoT technology; but generally this refers to home automation, home assistants, set-top boxes, and other such gear that is steadily but surely sneaking its way into our homes and hearts.

The security of IoT devices depends a lot on both you and the cloud vendor that manages the online components of those devices. Let’s take a look at things to watch out for.

1 – The trust factor. While the very latest gizmo to automate your home might sound cool, remember that these devices are only as secure as the companies that make them. Millions of IoT devices became infected with malware that turned them into distributed denial-of-service (DDoS) attackers due to a back-door that vendors put into the devices to make them easier to manage remotely.

DDoS (Distributed Denial-of-Service) is a type of attack where thousands or even millions of devices all over the internet start flooding a website with bogus data traffic. Since a website can only handle a fixed amount of traffic at any one time, all these devices suddenly blasting it with data requests causes legitimate users of the site to be unable to reach it. Effectively, the site is offline to real users even though there’s nothing wrong with the site itself – it’s simply overwhelmed with all the requests and cannot talk to anyone else.

Working with vendors that you trust is critical to avoiding this situation. While any vendor can make a mistake or have bugs in their code, those who are well-known and well-reviewed are less likely to let a major flaw end up taking their whole network offline or allowing their devices to be compromised. They also react much faster if they should get attacked, pushing out updates and changes quickly to fix the problem. A fly-by-night vendor, on the other hand, may just stop supporting a product and leaving all their users out in the cold when the next security problem comes up.

2 – Limiting what devices can do. Does your home lighting system need to speak directly to the internet? Probably not, and therefore it should not. While some systems like home thermostats do have a good reason to be accessible to the outside world (so you can remotely change the temperature), it shouldn’t be allowed when it isn’t necessary. Reputable vendors use home hubs and other technology to limit how much of their system needs to talk to the internet at all – and most vendors allow for you to limit that connectivity further. In short, if it doesn’t have to talk to the internet, it shouldn’t – full stop. If a vendor demands that the device be able to connect to their servers when there’s no reason to; choose another vendor. One great example is software updates for smart LED lights. Why should the light-bulb have to talk to the internet when updates can be done via a smartphone app or other method that doesn’t require every bulb have an internet connection individually?

3 – Segregate your networks. Most home internet routers have an easy-to-use method for creating a guest network. Guest networks are great for IoT devices that have no need to speak to your computers and tablets, but still do need internet access. Basically a guest network is a WiFi network on your home router that can talk to the internet, but cannot talk to anything else that’s using the same router. This means that if someone does manage to compromise your IoT devices, they cannot use that as a way to access your home computer or other systems. The one exception here is for devices that indeed to have to talk to the rest of the things on your home network – like home assistants and other tools. They’ll have to go on your main WiFi network; so keep the trust factor high in your mind.

4 – Use basic security precautions at all times. Alexa, Google Home, and Apple HomePod all listen all the time, and can’t figure out your voice from anyone else’s except for some tricks they do. They can’t stop someone else from voice ordering products or changing settings since their voice identification systems aren’t sharp enough to figure out it’s not you talking. This means you should set up purchase passcodes, and limit their ability to access sensitive stuff via their configuration apps. You should also think twice about letting them communicate to outside devices (such as Alexa’s ability to call other people who own and Alexa). It might be convenient, but the phone still works for that purpose (or email, or text messaging, etc.). One recent case of Alexa accidentally sending a voice message with mildly embarrassing info to a contact in its address book is a great example of why you have to be very careful. Amazon did note that it was because of an incredibly rare set of circumstances, but it’s still possible and should be taken into account before you set up “drop in” or similar features.

Finally, as these services are attached to online accounts with various vendors, you should keep your account secured with two-factor logins and password hygiene at all times. Just like any other website you access, your username and password can be easily stolen or compromised if you’re not careful, and you have to take that into consideration.

IoT devices can be incredibly useful, or just downright fun, or both. But always remember that these are devices that can open dangerous doors into your home and office. Take precautions to make sure they don’t and you can use them safely to make your life better and more enjoyable.

08/22/2018

Newbie2Security: Is the Cloud Safe, Part I

0

by Newbie2Security

Cloud Security 1725060A reader asked a particularly complex question recently: “Is the cloud safe to use?”

That’s one incredibly complex question. I’m going to to my best to answer it, but keep in mind that “the cloud” isn’t a single thing – it’s an interwoven set of services, platforms, and applications from multiple vendors and companies. The short answer to the question would be “Yes, so long as you’re secure when you use it,” but that’s hardly a good answer to give to someone looking for information. So, let’s break this down over the next few articles to give some advise on cloud security for the average user on the most common consumer cloud services: Cloud Backup, Syncing, and Storage, Cloud Software, The Internet of Things, and Cloud Desktops.

Part I: Cloud Storage, Syncing and Backup

Anyone with an Android or iOS phone, tablet, or other device knows about cloud storage, syncing, and backup. Your photos, application data, and other info are synced between your devices by means of cloud services provided by Google and Apple. Your data is backed up with automated backup tools from those companies, and you may even store data up in their cloud systems for sharing or use elsewhere. These same services can be used by other types of computers and devices with tools provided by DropBox, Carbonite, SpiderOak and more for your PC, Mac, and Linux desktops and laptops.

Security for these types of systems revolves around three concepts: Device security, platform security, and account security.

Device security is how you protect the devices that you control. That can be desktops, laptops, phones, tablets, set-top TV boxes (or SmartTV’s), etc. You do need to do your part to make sure the system as a whole remains secure – it’s not all the responsibility of the cloud provider in this case. The good news is that providing for device security isn’t overly complicated, and most devices walk you through the process automatically when you set them up.

Core concepts in device security are:
1 – Keep the device in your possession, and immediately notify the cloud provider if it’s lost or stolen. We all keep track of our – rather expensive – laptops, tablets, and phones, but this also extends to any device that holds personal or confidential information that can be stolen from you. If you lose any mobile device, or have a mobile or non-mobile device stolen, you must immediately notify the cloud provider to let them know it happened. This allows the cloud provider (Microsoft, Apple, Roku, Google, etc.) time to lock down your account to make sure whoever comes into possession of that device cannot get any of your information off of it.

2 – Lock devices down. Make sure you use passwords that aren’t simple 4 or 5 digit numbers (the usual default for these devices). iPhone, Android, and other types of devices will allow you to use fingerprints, facial recognition, and/or a complex password to gain access to their services; and you really should take advantage of these features. An attacker can quickly and easily figure out a 4-digit passcode, but will take much longer to figure out a complex password or passphrase. This means more time for you to realize the device isn’t in your possession anymore and alert the cloud provider that it is lost or stolen. It also means that visitors, kids, and others won’t gain access to things they shouldn’t – even when their intent isn’t malicious. This also counts for home assistants like Google Home, Apple HomePod, and Alexa. Set up purchasing passcodes so that people cannot accidentally or purposely place orders via these devices voice control systems.

3 – Don’t connect devices when you don’t have to – and limit what they can talk to. Not every device needs to talk to the internet 24/7. Make sure that, if you have the option, these devices are only allowed to go online when they need to. If a device must be online all the time, limit what it can do and who it can talk to. For example, most home routers have the ability to allow you to connect to your home network from anywhere. That means they continuously update the router vendor’s cloud services with your home IP address and other information. If you don’t have a need to access your home network from the outside world (and unless you have a specific reason to do that then you probably have no need), shut that feature off. Finally, be aware the convenience is often the enemy of security. I once had a CPAP machine (for sleep apnea) that offered to upload my sleep data to their cloud service so my doctor could get it. My doctor said I could just use the build-in memory card to get him that data – there was no need for the machine to be broadcasting that info – and so I shut it off. It would be more convenient to have the cloud handle that data, but much less secure with my medical details.

Platform security is all about the cloud vendor themselves, and what steps they take to make sure their own systems are secured. Most of this is far outside of your control, so you need to ask the vendors about their security practices and make a judgement call on if you trust them to hold your data or not.

For example, until relatively recently I had avoided using EverNote for note syncing. While they did encrypt data while it was being transmitted from my machine to their storage (known as encryption-in-flight), they did not store the data in an encrypted format when they were holding it (known as encryption-at-rest). That meant that if their systems got breached, all that data would be immediately visible to the attacker with no need to break an encryption algorithm to read it. Basically they had mined the front yard, but left the front door unlocked.

For the most part, cloud vendors will encrypt both in-flight and at-rest these days. As a matter of fact EverNote has indeed started encrypting at-rest over the past year or so in response to users demanding it. Apple, Microsoft, and Google all encrypt at rest for their sync and backup tools in iCloud, Office 365, and Google Apps as well.

You should be aware, however, that not all encryption-at-rest is created equal. Most vendors use shared-knowledge encryption, meaning that no other user of the service can see your data, but the service provider (Apple, Google, etc.) can see it whenever they need to. A famous case in recent history was when the US Government demanded Apple turn over all data from a suspect’s iPhone. While Apple could not read the data on the iPhone itself (as the phone’s encryption didn’t allow Apple to unlock it); Apple was able to – and did – hand over all data stored in iCloud, which uses shared-knowledge and allows Apple to unlock and read it.

While zero-knowledge vendors of cloud sync, backup, and storage exist (such as SpiderOak and CrashPlan Pro); their services are generally much more complex and expensive that shared-knowledge vendors like DropBox and iCloud. The reason is that zero-knowledge systems require dedicated storage and other technologies for each user, making those services cost the vendor more per-customer, which is passed on to the customers themselves. For most data, shared-knowledge is perfectly fine if the company in question – like DropBox or Apple – has a proven track record of securing their own access to your data. Apple has proven they will only turn over data with a valid warrant or other legal instrument; and DropBox did have some hiccups, but has worked very hard to close those security holes and ensure new ones do not crop up.

Account security is the third pillar of safe sync, backup, and storage online. This one is shared between you and the cloud vendor equally. You must use a secure password and only access the service from devices that you trust. They must ensure all employees follow security best-practices and no one gets unauthorized access to their systems. Working together, both of you ensure that your account information (passwords, application authorizations, etc.) stay assigned to you and you alone – keeping prying eyes from getting the chance to access your stuff on their servers.

Taken together; device security, platform security, and account security work to make sure that neither you or the cloud vendor do anything that could compromise either your data or their services. Controlling your devices allows you to make sure they don’t leak information or allow others to access it. By sticking with well-regarded and well-secured vendors who have a commitment to platform security you can make sure the platform itself will keep attackers out. Account security makes sure that it is as difficult as possible for an attacker to impersonate you or an employee of the cloud vendor and gain unauthorized access.

So, as you can see; using sync, backup, and storage in the cloud can be secure if both you and the cloud vendor take security seriously. Stay tuned for parts II and III for more information!

noun_Network_176216.png

08/20/2018

Newbie2Security: Are Macs Safer Than PC?

0

by Newbie2Security

Image courtesy of The Noun ProjectA reader recently asked: “I’ve heard that Macs are safer than PC’s. Is that true, and why or why not?”

Well, unfortunately the answer to “Is that true?” is a complete “No.” Macs are not safer than PC’s at all, read on to find out more.

Macs *do* have fewer pieces of malware written specifically to attack them, that is indeed true.

Malware is a security industry catch-all term for any software specifically written to attack and/or damage a digital system or steal information from such a digital system. That can be a virus, trojan, or worm – but it can also be software that encrypts your data and holds the unlock key hostage (ransomeware) or software designed to steal your usernames, passwords, etc.

That being said, there are several things to keep in mind that make Macs as exposed as PC’s (Windows-based machines) these days:

1 – Malware is less about how many different kinds of it exist and much more about how often the ones that do exist succeed in attacking your computer, phone, etc. Mac malware absolutely exists, and though there is less of it; it tends to be very widespread in a very short amount of time. That means while there are fewer kinds of Mac malware, they’re more likely to find their way onto your devices. It only takes one piece of malware to wreak havoc, so the numbers don’t matter and Macs are not inherently safer because there’s fewer pieces of it out there.

2 – Modern attackers are moving away from machine-specific or Operating System-specific attacks. While before the methods used to infect a machine were loaded email attachments and network-based attacks; these days they’re more likely to take advantage of tools and platforms that work on both Windows and Mac. Google Apps, Microsoft Office Online, Adobe Flash Player, Java, and many others work nearly identically on both Windows and Mac since these software packages run in the browser or are just modified versions of each other for each platform. Chrome on Windows and Chrome on Mac are not identical, but they are close enough to each other that an attack that works on one will work equally well on the other. Recent ransomware attacks that were spawned through an infected Flash app are a great example of that. The attacker wrote slightly different payloads for Windows and Mac, but the actual attack worked the same on both platforms; making it much easier for the whole attack to happen – and just as likely to happen on Mac as it was to happen on PC.

3 – Attacks may not need to talk to your computer to impact you at all. Attackers are working hard to compromise websites and online applications directly. That means they can steal personal information and data without ever having to actually compromise your machine at all – PC or Mac. Since these attacks happen at the Service Provider side (such as your bank website or online shopping vendor); you don’t have to fall victim to anything on your own computer to fall victim to the attacker.

So, as you can see, no matter if you’re on a PC or a Mac, you’re no safer on one vs. the other. You need to take reasonable precautions to make sure you’re not getting attacked just as much on your MacOS-based devices as you do on your Windows devices. Oh, and for those who say Linux is the answer; just remember that anything that doesn’t attack your machine directly (see point 3 above) will still hit you – even on Ubuntu or RedHat.

Stay safe, no matter what Operating System you use.

08/20/2018

Where the hell have you been?

0

by Newbie2Security

Well, it’s been some time since I posted, and I think an explanation is in order.

As many of those who follow me on Twitter already know, I moved about a year ago into a whole new career path. I’m still working as a technology pro helping out sales teams; but now I’m doing it in the Identity Security world. That’s meant a lot of ramp up and learning time for me, limiting how much time I can spend on this blog.

I’ve also been helping out by contributing blog postings to their company blog. Search the SecureAuth+Core Security blog for “Security in Plain English” and you’ll find a bunch of stuff I’ve been typing away on.

However, I don’t want to leave my independent writing behind! So, I’m glad to introduce a whole new column here on MikeTalon.com: Newbie2Security. The first several articles are already written and ready to go, and I’ll be posting more as we move forward. Please feel free to tweet or DM me if you have questions you’d like answered, and I’ll keep finding interesting stories to explain out in everyday language for those just learning about security and technology.

Enjoy the new column, and thanks for sticking around! First post in the new column is coming in just a few hours.

12/14/2017

The Reality of the New Non-Neutral Net

0

by Rant, Tech

So the FCC has repealed the regulations that mandated that all traffic on the Internet must be treated equally. The telecom/Internet Service Provider industry has touted this as a good thing, as there will now be a “fast lane” for most traffic and a “faster lane” for so-called priority traffic.

The regulations in question are long, wordy, complex, and unfortunately boring as hell. So what does this new non-neutral net mean in the real world? Let’s take a look:

If you are a tech company:
First, unless you’re well established and have rock-solid relationships with bandwidth providers, you’re in trouble. You *will* be paying more to get your traffic prioritized in a world where everything else online is going to drive up latency and bottlenecks. This means more budget for bandwidth for the life of your product line, and that means you need to start lining up additional funding right now. The impact of the regulatory change may take a few months or a few years, but it is indeed coming – start planning.

If you don’t want to pay for prioritization, then be ready to accept the fact that everyone who did pay will get lower latency and faster throughput – especially during peak operational times for your type of application or platform. So for consumer apps, your performance is going to absolutely suck from about 6PM through about 12AM local time for your customers. For business applications, the 9AM to 5PM local time frame is going to be a nightmare for you and your clients.

While non-latency-dependent or bandwidth-light applications won’t have too much of a problem, if you are streaming anything at all, this will impact your bottom line. If you’re starting up a cloud platform (especially IaaS), just give up now.

If you are a consumer:
Get ready for your Internet Service Provider (ISP) and Mobile companies to charge you more. If you are a heavy user of streaming services (Netflix, Amazon Prime, Apple Music, Spotify, and several dozen more), then you’re going to need prioritized service. After all, if everyone else in your neighborhood pays for it and you don’t, all you’re going to see is the “buffering” message or “please wait” audio prompts as their traffic gets to their devices ahead of yours.

ISP’s are already charging for high-bandwidth users, and in a world of streaming video and audio services we’re pretty much all high-bandwidth users now. If you work from home and are constantly on company applications and VPN connections, your bandwidth profile goes even higher. Have a VoIP phone or a micro-cell for your mobile phone? Higher still. Want to use that VPN for personal or business use – you’ll probably have to pay more for that privilege. There is no end to the nickel and diming that’s now available to ISP’s that they could have only dreamed of before.

A history lesson:
In our history, we have seen that giving corporations – even non-monopolistic corporations – the ability to pick and choose winners and losers exclusively by their ability to control supply doesn’t lead to good things. The punch-card era of IBM is a wonderful example. You see, while anyone could physically produce punch-cards to program and manage IBM accounting machines, only certain vendors were permitted to do so by IBM. Anyone who wanted to get into the market would have to be certified by IBM (an expensive proposition) – even though a punch-card is just a stiff piece of paper of certain physical dimensions. Eventually, other technologies got a toe-hold in the accounting machine market and overcame that restriction – but that took a generation, and caused many businesses who would have competed with official IBM punch-card vendors to go under. Since any vendor selling IBM punch-cards would not have a financial reason to produce them for other brands of accounting machines, this also meant that IBM gained the ability to become a virtual monopoly – no other machines could get anyone to make their punch-cards. Customers also got shafted, as they had to pay a premium for the officially-certified cards or risk their service contracts being voided. To put that in perspective, if your service contract was cancelled, your accounting machine pretty much stopped working.

What’s the correlation? Well, now any new business that wants high-bandwidth, low-latency throughput will have to pay to receive the blessing of an ISP above and beyond what they’re paying for that same service right now. Based on recent history, any user who wants to get the service as intended will also have to pony up some cash each month, making the actual cost of the new platform or service higher still. This will lead to situations where newer technologies may not even be developed, since it will be fiscally difficult to bring them to market successfully. The inventors won’t have the budget to pay for premium connectivity, and the end-users will be reluctant to get better cable/fibre packages to use them.

Recent innovations will wither and die when these new bandwidth fees and/or restrictions exceed their budgets; making it impossible for them to compete with players in the market who can more easily afford the fees by passing them on to their already sizable user bases, or just absorbing them as a cost of business. Google will be able to hold power over online video sharing where a newer company like Twitch may not be able to absorb the extra bandwidth costs. Amazon and Azure will ensure they have little to no competition because any cloud startup will be bankrupted by these premium fees, which would be required for things like Infrastructure as a Service to even function.

Yes, in time, newer bandwidth technologies will be created, and ISP’s will find themselves on the same losing end as the old Bell System did when it got shattered. But, ask yourself, how many innovations and new frontiers took decades longer to develop or were entirely lost when “Ma Bell” controlled almost every telephone line in the country? By allowing a very limited number of bandwidth providers to dictate fees at will – with no regulation to keep them in check – we’re quickly approaching the same situation we had with the Bell Network back in the 1980’s. Will we need to wait several decades for ISP’s to become irrelevant before we’re out of this nightmare, and how much progress will be sacrificed in the meantime?

Our government – in the form of the FCC – has sold us out. We are all going to be poorer in both actual money and in lost innovation and discovery for it.

12/13/2017

My Take on the Amazon vs. Google Shenanigans

0

by Rant, Tech

TL;DR – they’re both being insane and need to stop this crap.

In case you haven’t heard the news, Google (who owns YouTube) is pulling the ability for Amazon Echo devices and Fire devices (tablets, set-top and stick streamers, etc.) as of January 1. Some of this has already happened, as most Fire tablets and the Echo Show already have no ability to show YouTube videos, but after the 1st of the year, the entire rest of the product lines will lose the ability to serve up YouTube content – even though they are Android based, and there are Android apps for YouTube available.

Some backstory:

Amazon is a world-wide powerhouse in online retail and Cloud Services. Google owns most of the information on the Internet and is a major player in Cloud Services. Both are massive – and massively powerful – companies who can set and change the market at will. Both have services which compete with each other directly. Google has their own mobile OS (Android) and a vested interest in online retail – though indirectly as they sell advertising that leads to retail sites instead of offering a retail shop. Amazon is an online retail superstore, and has a mobile OS (FireOS) – though indirectly since FireOS is a fork of Android. Over the last couple of years, a feud has developed between them over eyeballs and ownership, and now we’re all paying the price.

The first salvo was Amazon not permitting the Google Play Store (the Android app store) on Fire devices like tablets and set-top streaming boxes. Apps had to be purchased via Amazon’s own app store functionality. Google made it well known that FireOS wasn’t considered Android anymore, but rather a fork that had branched into its own OS entirely. Some time later, Google devices (like Google Home, ChromeCast streaming sticks for TV’s, etc.) began to systematically disappear from Amazon shopping venues – while at the same time Amazon was promoting their own devices which served the same purpose. So Echo devices were available for sale but Google Home was not. FireTV set-top and stick streaming devices were still available, but ChromeCast sticks disappeared. Fooling absolutely no one with this strategy, Amazon soon caught the ire of Google, who became less and less willing to put up with Amazon’s tricks.

At around this time, FireOS tablets and other devices were using an Amazon-built YouTube application. Google claimed that this app violated their terms of service by manipulating the way in which YouTube advertising displayed, and blocked the app from functioning with YouTube. Amazon retaliated by creating an app that was just a shell to load the YouTube website – seeming taking care of the problem. Google, in a move that is controversial at best, objected to the fact that the touch-screen controls used by the new app didn’t fit their standards, and blocked the new app as well. When the Echo Show (an Echo device with a touch screen) debuted, it was quickly blocked from getting access to YouTube videos by Google, continuing the trend.

So which came first? Did Amazon piss off Google by pulling items from their storefront and manipulating how their devices accessed YouTube? Did Google piss off Amazon by developing competing product lines and limiting 3rd-Party access to their services? It’s a hard call to make, as a lot of these things happened in a very short period of time; but the end result is clear to see. YouTube – as of January 1 – will not be accessible on any Amazon device. ChromeCast and other Google-made hardware devices won’t be sold on Amazon.com – even by 3rd-Party sellers. Together, they’re tearing off their collective noses to spite their collective faces, and that doesn’t help anyone.

Amazon – you’re losing money. People will be hesitant to buy FireTV, or tablets, or the Echo Show when they cannot display the most popular video streaming site in the world. This is especially true when other devices like the Roku, AppleTV, and the majority of smart TV’s can show both Amazon content and YouTube content. You are hurting your sales and tarnishing your reputation.

Google – you are losing money. There is a large population of people who already own FireTV or Echo Show devices, and aren’t going to buy another device just to watch YouTube. That means less eyeballs, and less advertising revenue. It also means fewer people signing up for YouTube Red (the subscription service). The feud is keeping your devices off the most popular online shopping portal in most of the world, and you too are tarnishing your reputation.

Both of you are hurting your own bottom lines, and neither of you can win this in the current market. 3rd-Party devices that neither of you make money from will gain ground, and Apple is going to eventually eat your lunches when they inevitably launch their own voice assistant home device that supports both streaming platforms and doesn’t require directly dealing with either of your independent petty streams of bullshit.

Start working together. Amazon, use the YouTube native interface for touch and web. Show the ads inside of YouTube the way Google wants. Google, face the fact that Amazon sells competing hardware and isn’t going to promote your hardware. Take solace in the fact that you can buy a ChromeCast from a lot of places, and just sit back and rake in the ad revenue from ALL platforms that run YouTube. You don’t have to get along with each other, and can continue sniping at each other until the end of time – just don’t force your end users to make the difficult but inevitable choice to abandon both your platforms for the next hot hardware that comes into the market. Worse yet, don’t put a bad taste in consumers’ mouths when alternatives (like iTunes Video and Xbox Video) exist and could gain market share at your expense if you force users into new behaviors.

10/19/2017

No, I will not disable my ad blocker.

0

by Rant, Security

Anyone who uses an ad blocker has no doubt seen the “placeholder” images or text that replace where the advertisement would be on popular websites. These placeholders implore us to turn off our ad blockers to give the site vital revenue, to not starve the website owners of cash. Lately, there have been even more aggressive methods to ask us to turn blocking off – pop-up or interstitial notifications to shut the blocker off, or even full-page-blocking notifications that keep you from seeing anything if an ad blocker is on.

I do not, in principle, have an issue with these notifications. I think companies and individuals who support their sites with advertising have the right to ask us to turn off the tech that keeps them from getting paid and paying their bills. However, I must regretfully inform these sites that I will not be turning off my ad blocking software, and here is why:

Ad networks (the 3rd-party companies that serve up the ads found on most websites these days) have become nothing more than the latest vector for delivering malware of many forms. In the past, an attacker had to compromise the site itself through security holes or brute force in order to turn that site into an attack vector for infecting visitors with various nasty software. Ad networks have allowed attackers to do many multiple times the damage with a fraction of the effort.

Here’s how it works: The attacker buys ad space with a network that allows Javascript or other active-code ad serving. The technology generally allows advertisers to show rich-media ads (which are annoying and should be removed from the internet anyway, but I digress). Rich-media ads have video, audio, and other eye-catching stuff built-in, but require that the website displaying them allow for the scripts to be run. They also require that the browser allow the scripts to run, which ad blockers disable. For a legitimate advertiser and the website owner, this means better conversion rates (the rate at which viewers click on the ad to see the product/service being sold) and rich-media ads have become insanely popular for advertisers themselves; and a requirement for most ad networks to support.

An attacker can create an “advertisement” that has scripting which delivers the payload of their choice. This could be malware or spyware that the user must accept and run, other malware and spyware that requires no user interaction (limiting what it can attack, but making it much more likely to execute), or more recently crypto-currency mining scripts that chew up CPU cycles and can theoretically damage a computer though overheating it. Since the ad network has no way to tell that the malicious ad is any different from any other rich-media ad (because networks don’t bother to police their customers), the ad network serves up the bad ad to hundreds of websites and infects thousands of end-users.

In short, network advertising on websites has become the new way for attackers to deliver their malware.

This “malvertising” has become so prevalent that even giant sites like Showtime have been attacked via malware in ads posted on their sites. The ad networks do nearly nothing to stop the problem, and the site owners cannot stop it short of removing the ad networks’ code from their sites.

So, until such time as ad networks begin to properly police the ads they put up on network sites, or until such time as you – the site owner – remove that code and post ads you know to be non-malicious only; I’m not turning off the ad blocker. I’m sorry that this impacts you, truly I am. However, the situation has reached a point where no site that runs network ads is safe unless that code is blocked from ever running.

PS: I do indeed subscribe to websites that offer quality content without ads, either through Patreon or directly with the site itself. I know that this limits how many sites I can possibly support, but for those that offer great content and don’t attempt to infect my system with their lax code policies, I’m more than willing to put my money where my mouth is.

1 2 3 4 5 >»

Mike Talon's Home on the Web is Stephen Fry proof thanks to caching by WP Super Cache