{editor note: A priority for this blog is to provide information related to security. There are over 300 entries in this blog, so to list each security entry would take a long time. So, if you have a question about IT security, try searching for it in this blog first. Use the search bar provided on this page to search. If you can't find an answer, then google the question: just type the question as a sentence in the browser. You will usually get an answer, though it might be in technical jargon; in that case, contact me to translate.}
In the wake of the disclosure that Yahoo has been "hacked" and that hundreds of millions of users' personal information has been made available on the web, everyone should reevaluate their own security practices associated with smart phones, computers, tablets, and even credit cards. I will be presenting a bonus event at Olli Furman on Thursday, Oct 13 on this post's topic. Specifically, I will review the latest on the why of hacking, the how of identity theft, and what you MUST be doing these days to protect yourself and your family. A Q and A will follow. This post will provide the notes and references for that event. Regarding the links in this discussion:
- One of the rules to avoid being "hacked" is to not follow links on blogs and in emails unless you "vet" the link. For that reason, rather than using a word or phrase to name a link, I have the full link name in the text. It is a little cumbersome, but it is instructive.
- Links have age. Over time, a web page can be removed or moved. I apologize in advance if some of the following links don't work at the time you click on them. As a remedy, google ("search for") the topic. But watch out for fakes in the results.
The Why and How of Hacking
The State of Affairs
A recent article on a tech web site said this about the state of internet (and intranet) security: "It's become so bad that it's already generated a mirthless cliché -- that there are only two types of companies: the ones that have been hacked and the ones that don't yet know they've been hacked." A recent "Black Hat 2016 Hacker Survey" of black hackers found that "The bottom line: 77% say no password is safe from hackers—or the government" {https://hosteddocs.ittoolbox.com/Black-Hat-Hacker-Survey-Report-2016.pdf}
"So where did it all go wrong? Building secure systems is hard, especially when the security is being bolted on afterwards, as is often the case. And security is expensive and hard to justify as it doesn't come with a visible return on investment, making it easier to skimp on when times are hard.
On the other side are the attackers: lone hackers with enough time and interest to probe every potential weakness in a website, or the organised crime groups with the contacts to be able to turn a flaw in a company's security setup into a lucrative payday. Add to that the state-backed groups with the experience and the patience to lurk inside a network and then strike when the time is right for maximum impact.
The defenders have to get it right every time, whereas the attackers only need to find one weakness to bring the whole thing crashing down."
From http://www.zdnet.com/article/serious-security-three-changes-that-could-turn-the-tide-on-hackers/?ftag=TRE17cfd61&bhid=22449904719690284461257671316617
What more is there to say?
Well, I do have something to say, and it will ruffle more than a few feathers. What a user, from a government, to a company, to a senior citizen, does with respect to security literally depends on their "risk assessment" of their situation. All entities do risk assessment, even if they don't know it. If they ignore security, their risk assessment is: "not important to me, won't happen." There is an entire discipline that spans the domains of manufacturing, safety, security, defense, ... any human endeavor. This discipline is called Risk Management. I've spent my career, which spans manufacturing, IT, healthcare, and safety, in roles that require learning and implementing this discipline. My PhD was in Artificial Intelligence, which is, essentially, implementing statistical, time-dependent risk management. For IT in general, and the financial industry in particular, there is a society, SIRA, the Society of Information Risk Analysts (http://www.societyinforisk.org), that talks about and researches the math and policy of Risk Management.
Risk management is hard, very hard, to implement. This is because managers don't understand the math, but they think they do, and the financial models most managers use to justify implementing features of risk management are absolutely and ridiculously wrong. In other words, the models do not reflect the real cost of "things going wrong." So things are built or coded, or procedures implemented, and then, as mentioned above, security becomes incomprehensibly more expensive because it has to be bolted on afterward, plus the cost of the breach must be added to the total cost of the lost opportunity. (Of course, I go back again to the first rule of mismanagement, which is that it is more profitable to the manager to implement a faulty system and then be a hero fixing it than it is to build a faultless system.)
Black Hackers
(Black) Hackers are the bad guys: they want your stuff. Exactly what kind of stuff? You might think:
- Your banking account number, user id and password
- Your email user id and password, so that they can use the information in that email to get at financial information or to, in some way, blackmail you or broadcast information you would rather not be known to your friends, family, or the world.
Try the following test to see what hackers are after and how much info about you has been exposed: http://www.nytimes.com/
For a pretty good article on the financial and business details of the Black Hacker world, read http://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7
White Hackers and the IT Security Industry
White Hackers is a humorous way to say "people who work in the security industry." The security industry itself is huge. Think of all the vendors who sell software to combat hackers, etc. HUGE! And it is all thanks to the early coders of operating systems, especially Microsoft. These vendors simply ignored problems associated with failures of code to do what was expected. In coding there is a general construct in programming: a piece of code that does something, the functional code, has another piece of code, let's call it the ExceptionHandler, attached to the first piece that handles any errors. If the functional code encounters an error, such as a math operation failing, the code automatically (this is not directly coded by the programmer) "throws an exception." This exception is "caught" by the ExceptionHandler, if one has been coded, to handle the error.
The first versions of Windows, and all the way to Windows XP, generally did not have coded ExceptionHandlers other than at the highest level of code. (In computer programming the code is very hierarchical: code has embedded code has embedded code down to the hundredth level.) Microsoft coded its first operating systems in a language called "C". They converted to a better language for handling errors called C++ around the time of Windows XP, but they just did a straight conversion (technically, a recompilation), without adding all the error handling at every level of code. This "shortcut" left a giant security hole that you could drive a truck through. "Opportunity knocked" and those holes were exploited, giving birth to viruses and trojans. That, in turn, gave birth to the security industry. (Every disaster for one is an opportunity for another.)
Point: Microsoft cut corners. As the Linux based operating systems, such as those used by Apple, have shown, it is possible to design for security from the start and avoid the problem altogether.
I was a part of that development time and IBM was developing an operating system in parallel with Windows 95 called OS/2. OS/2 was developed in C++ and coded from the start to handle errors at the lowest level; that is, it used the ExceptionHandler to a much greater extent and to a much lower level than Windows. I've always wondered if the powers that be really wanted to make money in the security industry so they decided to go with the unprotected code. Naw, it is not true. What is true is the first rule of business (im)maturity: build in defects so you can be a hero when you correct them.
There is a professional organization that I look to for all things IT security: SANS (https://www.sans.org). Take a look at the page to see what is going on in the industry. There are some pages that are really good resources. I've listed them in another post: https://leetlinktips.blogspot.com/2016/10/a-techie-resource-for-all-things-it.html.
In my past life I worked on industry committees to create "industry frameworks." These are reference designs that the industry should use for a particular function in that industry. For the security IT function, a government organization called NIST, the one I worked with while representing IBM, has developed a cybersecurity framework. The web page for this is: https://www.nist.gov/cyberframework. If you follow some of the links off this page you will see what is going on in the government re: IT security.
The web site I use most often in my daily security work is BleepingComputer: https://www.bleepingcomputer.com. This is a techie site but has a lot of cookbook information on how to recover from various security breaches.
The How of Being Secure: Your Responsibility
Passwords
- Have long passwords (16 characters minimum where allowed) with at least letters and numbers. Length is more important than complexity. (For Yahoo, only letters and numbers are allowed, no special characters, but I think the length limit is up to 26.)
- Do not use the same password for different sites. The first thing the bad guys do is try a hijacked password across popular financial sites in the hope that it is used on one of those sites. According to one recent article, their success rate is, by my standards, high: 0.2% to 2%.
- Change your passwords on a regular basis, all of them.
- Do not use the save password feature of a browser. Those can be hacked fairly easily. This means Google Chrome, any Microsoft product, and, yes, Mac through iCloud.
- Write your passwords down and keep them up to date.
- OR use a real password manager. Some antivirus/antimalware suites, such as Norton, come with a password manager. Depending on how the information is saved, these can be fine. (The information has to be heavily encrypted and not saved on your computer.) Of the stand-alone password managers I have seen to date, LastPass is the easiest and most complete application to use. It is free for your computer and costs $12 / year for all your electronic devices.
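To make the password rules above concrete, here is an added example (not from the original post) that audits a small constructed sample "vault" for the three rules: 16+ characters, letters and digits, and no password reused across sites. It also scores each password by length times alphabet size, which is why a 16-character letters-and-digits password beats a short one stuffed with symbols. The site names and passwords are made up for illustration.

```python
"""Audit a password vault against the Passwords section's rules.

Added example, not from the original post. The vault below is constructed
sample data; the site names and passwords are made up for illustration.
"""
import math
import string
from collections import defaultdict

MIN_LENGTH = 16  # the post's minimum, where a site allows it

# Constructed sample vault: site -> password (illustration only).
SAMPLE_VAULT = {
    "bank.example":  "Tr0ub4dor&3",           # short, even though it mixes classes
    "mail.example":  "correcthorsebattery1",  # long, letters + a digit
    "shop.example":  "correcthorsebattery1",  # reused from mail.example
    "forum.example": "sunflowersinoctober",   # long but no digit
}


def charset_size(password: str) -> int:
    """Size of the smallest alphabet that could have produced this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Guessing entropy (bits) for a uniformly random password of this shape."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password: str) -> list:
    """Return the rule violations for one password (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    return problems


def audit_vault(vault: dict) -> dict:
    """Map each site to its violations, including reuse across sites."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    report = {}
    for site, pw in vault.items():
        problems = check_password(pw)
        others = [s for s in by_password[pw] if s != site]
        if others:
            problems.append("reused on " + ", ".join(sorted(others)))
        report[site] = problems
    return report


if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT).items():
        print(f"{site:14} {'; '.join(problems) or 'OK'}")
    # Length beats complexity: 20 alphanumerics outscore 11 chars of everything.
    print(round(entropy_bits("Tr0ub4dor&3"), 1),
          round(entropy_bits("correcthorsebattery1"), 1))
```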
Facial Recognition, Fingerprint recognition, etc.
You would think these would be the security "password" methods of choice. In my experience, they just haven't worked out. The technology itself has matured, but the software seems to be clumsy or error prone. I don't have anything else to say at this point. I might add something at a later time to this blog. Anybody like one of these methods and had a good experience?
Online Browsing
These suggestions apply to the Chrome, Firefox, Internet Explorer, and Edge browsers, and probably all the rest too, since they are web site-dependent, not browser-dependent.
- Use only email systems that have two-factor authentication. It's a hassle, but a must. Two-factor authentication means that if you change user id on the same computer or device, OR you go to a different device, you will have to authenticate again before you get access: an email or text message is sent to your cell phone, or a call is made to your land line (or a letter is mailed). You have to enter the code you receive to continue.
- Any financial site should have two factor authentication: use it.
- For your email, create an email account that is a "dummy"; that is, you don't really use it. However, all your email is sent as if it came from that account. This dummy has absolutely no information in it:
- No email
- No contacts
- No personal info
- Some email providers have a feature that is a "temporary account". You can use this, but it is not a permanent solution.
- Set up your real email account securely. Never give out the email address of that account. Don't let anybody know about it.
- Always use https: for every online query and for email. There are settings in any browser that will force this. (Another topic.) This encrypts (garbles) your transmission, but it doesn't necessarily make the result at either end secure. You can use an extension called "HTTPS Everywhere" to make sure https is forced. If a site does not support the "s", then HTTPS Everywhere will warn you and show the https: struck through in the address bar.
- Use an add-on or extension to examine your search results for links to questionable web sites. You can google for something like "browser add-ons extensions link security" to find these extensions. You can go to the store of your kind of phone and do the same kind of search. But it is a chicken and egg situation- there are a lot of bogus applications. So, to start, two that I use are McAfee Site Advisor and WOT. Several security suites come with an application that designates suspicious web sites.
- If you want to click on a link in a web page or document, make sure the link is valid. Browsers have two "built-in" ways to examine a link before clicking on it. If you "hover" your mouse over the link, the browser will show the actual url either in the lower left corner of your browser, right at the edge of the browser's frame, or floating under your mouse. Why is this important? Many gotcha phishing and ransom attacks start when a link is clicked that is labeled one thing and goes someplace else. For example, this link looks like it goes to Google Search. It doesn't. Where does it go?
- Vet Tinyurls. There is an inherent problem with some links. They look peculiar; e.g. http://sec.r.os. These are called shortlinks or tinyurls. They are created by applications such as TinyURL to save typing long urls. But they hide the real destination. There are applications that will expand these shortlinks to their full identity, so you can make a judgement on safety before going to them. Go to your device's "store" and get a free high-rated extension that expands shortlinks. Or you can use any of a number of web sites that expand shortlinks and provide other information as well. FYI, I use the extension "Unshorten.It!" http://www.unshorten.it/. When installed in Chrome, you can right click on any url and there will be a selection "Unshorten this link". Left click or select that and you will see a web page that gives a lot of information about that link's web site/web page.
- Copying urls. Most of these applications require that you copy the link over to a pop-up window. But doesn't that present a problem? If you click on the link to "copy it", you will just end up going to the link. The trick is to right-click the link to bring up a context menu, then click the following to add the link to your clipboard so you can paste it into the search field of the app's pop-up window:
- IE: "copy shortcut"
- Firefox: "copy link location"
- Chrome: "copy link location"
- There is a great site to check the location of any server providing any url. It is http://www.ip-address.org/tracer/ip-whois.php
- Use Blacklists and Whitelists: Blacklists are a list of sites that your browser will not/can not visit; whitelists are lists of sites that your browser can visit. Browsers and email applications have features or addons/extensions that maintain both kinds of lists. When I provide this feature, I like to use Firefox as my primary browser. (I use Chrome otherwise.) In my opinion, an addon called ProCon Latte is particularly easy to use. You can add your own opinion on your favorite blacklister/whitelister in the comments section at the end of this blog entry. {My thanks to Justin Phelps of PC World, who wrote an article in 2012 that gave me suggestions on what to cover in this section. Some of the remarks are loosely copied from that article.}
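The hover check and the shortlink check above can be scripted. This added example (not from the original post) takes (visible text, real href) pairs, the two things hovering reveals, and flags links whose text names one site while the href goes to another, links that land on a shortener host and so need expanding, and links that are not https. The link list is constructed sample data and the shortener list is a small illustrative set, not a complete one.

```python
"""Vet links the way the post recommends doing by hand.

Added example, not from the original post. SAMPLE_LINKS is constructed data
(the domains are examples only) and SHORTENER_HOSTS is an illustrative subset.
"""
from urllib.parse import urlparse

# A few shortlink hosts; a link landing here should be expanded before clicking.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly"}

# Constructed sample links: (visible text, real href) as revealed on hover.
SAMPLE_LINKS = [
    ("https://www.google.com", "https://www.google.com/search?q=firewall"),
    ("https://www.google.com", "http://login-google.example.net/verify"),
    ("Click here for your statement", "https://bank.example.com/statement"),
    ("https://tinyurl.com/abc123", "https://tinyurl.com/abc123"),
    ("paypal.com", "https://paypal.com.account-check.example/"),
]


def with_scheme(url: str) -> str:
    """Bare text like 'paypal.com' gets a scheme so urlparse sees a host."""
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    """Lower-cased host of a URL ('' if it has none)."""
    return (urlparse(with_scheme(url)).hostname or "").lower()


def same_site(a: str, b: str) -> bool:
    """True when the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def looks_like_url(text: str) -> bool:
    """Does the visible text itself read as an address (a dot, no spaces)?"""
    return " " not in text.strip() and "." in text


def audit_link(text: str, href: str) -> list:
    """Return warnings for one link; an empty list means nothing stood out."""
    warnings = []
    real_host = host_of(href)
    if real_host in SHORTENER_HOSTS:
        warnings.append("shortlink: expand it before clicking")
    if looks_like_url(text):
        shown_host = host_of(text)
        if shown_host and not same_site(shown_host, real_host):
            warnings.append(f"text says {shown_host} but link goes to {real_host}")
    if urlparse(with_scheme(href)).scheme != "https":
        warnings.append("not https")
    return warnings


def audit_links(links) -> dict:
    """Audit a list of (text, href) pairs; keyed by href."""
    return {href: audit_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, warnings in audit_links(SAMPLE_LINKS).items():
        print(href, "->", "; ".join(warnings) or "looks consistent")
```

Note the last sample: "paypal.com" is only a prefix of the real host, which is exactly the trick the hover check is meant to expose.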
Device Level Protection Inside and Outside Your House
Your "device" is your computer, your tablet, your laptop, your phone, your smart watch, your car, your TV, and on and on: anything that someone can control by "getting on" the device. This is called your "Internet of Things," or IoT. There are a few main things you should do to protect yourself when you are in a public place, or even someone else's home. As a matter of fact, if you allow someone to log on to your network, then you have an exposure similar to being in public. See Setting Your Guest Account under Routers.
Firewalls
A Firewall is a combination of hardware, low level "microcode", and high level software that sits between the user's devices and both the intranet and internet. It "filters" any traffic coming in to or leaving your device according to criteria you set or according to default criteria. Modems and routers have firewalls. Your device may or may not have a firewall. The following is more information taken from this source: Jeff Tyson, "How Firewalls Work", 24 October 2000, HowStuffWorks.com, http://computer.howstuffworks.com/firewall.htm. I've included it "inline" in this blog entry because I get tired of looking up definitions for a lot of these terms below. I thought it would be helpful to put it in one place.
Firewalls use one or more of three methods to control traffic flowing in and out of the network:
- Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
- Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.
- Stateful inspection - A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
- IP addresses - Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted decimal number." A typical IP address looks like this: 216.27.61.137. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.
- Domain names - Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names.
- Protocols - The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation. The "http" at the start of a web address names the Web's protocol. Some common protocols that you can set firewall filters for include:
- IP (Internet Protocol) - the main delivery system for information over the Internet. Usually TCP and IP go together, as in TCP/IP
- TCP (Transmission Control Protocol) - a language to open links to devices on the internet and to transfer information. Its main feature is that it breaks apart and rebuilds the information that travels over the Internet. This is the most efficient way to transfer information
- HTTP (Hyper Text Transfer Protocol) - a language used to build Web pages and to communicate information from a browser to a web site.
- FTP (File Transfer Protocol) - a language used to download and upload files. Uses TCP/IP
- UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video
- ICMP (Internet Control Message Protocol) - used by a router to exchange information with other routers
- SMTP (Simple Mail Transport Protocol) - used to send text-based information (e-mail)
- SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
- Telnet - used to perform commands on a remote computer (archaic)
- Ports - Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server (see How Web Servers Work for details). For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. You might block port 21 access on all machines but one inside your intranet.
- Specific words and phrases - This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need.
With a hardware firewall, the firewall unit itself is normally in the router/gateway. A good example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem. You configure the router via a Web-based interface that you reach through the browser on your computer. You can then set any filters or additional information. Hardware firewalls are incredibly secure. The casual consumer doesn't bother with advanced settings associated with these firewalls.
Why Firewall Security? There are many creative ways that unscrupulous people use to access or abuse unprotected computers:
- Remote login - When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
- Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.
- SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.
- Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
- Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.
- E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
- Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
- Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
- Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.
- Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.
- Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.
Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.
The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator that understands what the needs are and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change it.
One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.
- Web site
- Online business
- FTP download and upload area.
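The filter types listed above (IP address, protocol, port, exact word match) and the "block everything, then begin to select what you allow" rule of thumb combine into a small packet-filter model. This added example (not from the original post or from the HowStuffWorks article) evaluates constructed sample packets against an ordered rule list with block as the default; the addresses, rules and payloads are made up for illustration. It also shows why the text's exact-match caveat matters: "X rated" slips past an "X-rated" word filter.

```python
"""Toy packet filter: first matching rule wins, otherwise block by default.

Added example, not from the original post. Packets, rules and addresses are
constructed sample data (documentation-range IPs and private addresses).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str       # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 for protocols without ports (icmp)
    payload: str = ""   # text payload, inspected by the word filter


@dataclass
class Rule:
    action: str                          # "allow" or "block"
    src_ip: Optional[str] = None         # None matches any value
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    word: Optional[str] = None           # exact substring, as the text says

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_ip is None or self.src_ip == pkt.src_ip)
                and (self.protocol is None or self.protocol == pkt.protocol)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.word is None or self.word in pkt.payload))


def filter_packet(pkt: Packet, rules: list, default: str = "block") -> str:
    """Return 'allow' or 'block': first matching rule wins, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set, most specific first:
# 1. drop anything carrying the exact string "X-rated"
# 2. drop one outside address that has been reading too many files
# 3. let a single inside host reach FTP (port 21); block 21 for everyone else
# 4. let anyone reach the web server on port 80
# Everything else falls through to block-by-default.
SAMPLE_RULES = [
    Rule("block", word="X-rated"),
    Rule("block", src_ip="203.0.113.9"),
    Rule("allow", src_ip="192.168.1.20", protocol="tcp", dst_port=21),
    Rule("block", protocol="tcp", dst_port=21),
    Rule("allow", protocol="tcp", dst_port=80),
]


def decide(pkt: Packet) -> str:
    """Apply the sample rule set with the block-by-default policy."""
    return filter_packet(pkt, SAMPLE_RULES)


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.5", "192.168.1.10", "tcp", 80, "GET /index.html"),
        Packet("203.0.113.9", "192.168.1.10", "tcp", 80, "GET /index.html"),
        Packet("192.168.1.20", "192.168.1.10", "tcp", 21, "USER anonymous"),
        Packet("192.168.1.21", "192.168.1.10", "tcp", 21, "USER anonymous"),
        Packet("198.51.100.5", "192.168.1.10", "tcp", 80, "X-rated content"),
        Packet("198.51.100.5", "192.168.1.10", "tcp", 80, "X rated content"),
        Packet("198.51.100.5", "192.168.1.10", "udp", 53, ""),
    ]
    for pkt in samples:
        print(f"{pkt.src_ip:>13} {pkt.protocol}/{pkt.dst_port:<3} -> {decide(pkt)}")
```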
Smartphones and Tablets: You would think smartphones and tablets should have firewalls too: not necessarily. There are three sources of malware for these devices:
- Data from the cell tower
- Data from a wifi network
- Apps downloaded from wherever.
On downloaded apps: You take your chances if you don't use the preferred store (Apple or Play). I have some applications installed on my Android to protect me:
- Malwarebytes (https://www.malwarebytes.com)
- Lookout (This is the best) (https://www.lookout.com)
- CCleaner (cleans out your browser caches and other temporary information, eliminating potential threats that are "ticking" in those locations) (https://www.piriform.com)
- NoRoot Firewall, the only true firewall in this selection. https://play.google.com/store/apps/details?id=app.greyshirts.firewall&hl=en
Logging on to Public Wifi: Logging on to public wifi is always a risk. Note that when you do log on, the landing page has some verbiage to the effect that you are accepting all risk. In Windows systems, when you log on to the wifi, make sure that the connection is "Public". Verify this by going to Control Panel > All Control Panel Items > Network and Sharing Center. The diagram on the target page should have the wifi SSID next to an icon and also the word "Public" underneath. If this isn't true, then there is something wrong. See the following tutorial: http://www.tenforums.com/tutorials/6815-network-location-set-private-public-windows-10-a.html
Login IDs for Devices
One very common problem I encounter is that someone has let their young or grown-up kid use their device. That other person downloads something, a game, music, an app, that is malware. The device is infected and the owner suffers the consequences. I get calls to fix the problem and, during the course of talking about things, I discover that someone who is not the owner has been on the computer. So, some dos and don'ts:
- Don't let anyone on your own user id: no one, not even your spouse.
- Create a new local user for guests (already set up in Windows) and make sure that the account has only "standard" rights, so they can't change the computer, get in to your stuff, etc.
- Create a separate administrative user. Use this account if you get malware. Usually malware installs in a user account, so switching accounts will give you a chance to run antimalware apps.
- Create other users and give them administrative authority if necessary; otherwise standard authority.
- Use a reasonably difficult password for your account. If kids or guests are around, log out of your account whenever you leave the computer.
- Consider disabling the USB ports on the guest account or other accounts that kids might use.
Flash Drives
I usually don't put security on flash drives. But that is because the information on them is not sensitive. If you put personal information on drives, you should think about encrypting the information and using a password to get into the drive. Most flash drives come with security software on them. Read this article: http://www.zdnet.com/pictures/keep-sensitive-data-safe-with-these-5-secure-usb-drives/ . Also, if someone gives you a flash drive, don't trust it. You can run antivirus and antimalware on the drive before you use it. Usually your antimalware/antivirus can be accessed by right clicking on the flash drive and selecting a scan of that drive by your software.
Routers
Routers are the devices that distribute internet around your house. That includes supplying your ethernet and your wifi. Among the security settings you need to consider:
- The login id and password to the software "front end" of the router, where you set up the router. This login has defaults, such as userid = "admin" and password = "password". Anyone who knows anything about routers can quickly google the defaults for your router and get in, so you need to change these. Anyone who is able to log on to your intranet can access your router and create a back door just for them or mess up your router.
- The SSID and the password for wifi access should be set. You should use WPA2-PSK or WPA-PSK [TKIP] / WPA2-PSK [AES] as the security protocol. There is always an option to not broadcast your SSID. If you live in an environment where there are a lot of wifis, you should consider setting this to not broadcast. Then your wifi will be invisible.
- Newer routers have 3 different signals: a 2.4, a 5.0, and a guest. You should keep the 2.4 and 5.0 to yourself and use the guest for anyone who wants to get on your router. But you have to turn the guest account on and give it a password.
- Routers have many settings that manage your network security. These settings allow you to only allow certain computers or devices on your network, configure your firewall, and even allow access to your computer from a remote location. (This last one should be used only if absolutely necessary.) The casual user typically does not care about these settings; however, the black hacker does.
- If you have a Netgear router, there is a great app for managing your network called "Netgear Genie". Get it from the Netgear site.