Category Archives: Internet security

Nation’s new cyber security chief just another windbag

President Obama recently appointed Michael Daniel to the position of “cybersecurity czar”. Who’s he? Techdirt reported that White House’s Cybersecurity Guy Proud Of His Lack Of Cybersecurity Knowledge Or Skills. Cybersecurity analyst Robert Lee, writing in Forbes, points out that It Does Matter That The White House Cybersecurity Czar Lacks Technical Chops. I agree. This supposedly high-tech administration is overrun with MBAs and lawyers who are dilettantes in technical matters. They don’t understand even the fundamentals of technology, so they can’t see through shuck.

Exhibit A is FCC chairman Tom Wheeler, who was a lobbyist for both the cable TV and cell phone industries(!). He was also a major Obama political campaign consolidator.

(Image: “Obama windbag” video link; image by Politizoid)

Then there’s the IRS, whose managers and IT staff seem to have no clue about disaster recovery planning or routine data recovery procedures. Or are they merely trying to hide evidence of criminal behavior?

For an administration that boasts of its techno-hipness, the appointment of one more windbag to a position that requires technical expertise is pathetic.

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Celebs’ photo thefts

The latest celebrities’ accounts breaches underline these truths:

  • The “cloud” is an innocent-sounding word for what is in fact a computer that’s owned by someone else.
  • Security questions — used to reset an account’s forgotten password — are mere guessable passwords. Paris Hilton’s account was compromised because her security question was “What’s your pet’s name?”; her dog’s name is easily found by searching the web.
  • Use two-factor authentication when available
  • Use a unique password on each account
  • Use a password management program. I like Keepass.

I’m guessing that access was gained via Apple iCloud password reset procedures. It’s been done before.

The tyranny of CryptoLocker has ended, or at least paused.

Ding dong the witch is dead:

FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.

If you have been infected by the CryptoLocker ransomware and all your files have been encrypted without your consent, go to FireEye and Fox-IT’s decryptcryptolocker website post haste. These noble folks seem to have located the CryptoLocker servers that store the unique private keys (called “master decryption keys”) for infected systems and will allow you to decrypt your encrypted files . . . gratis!

I warned about CryptoLocker when it first appeared in the fall of 2013. It is a very malicious piece of work.

I applaud FireEye and Fox-IT. I’m not sure how they were able to locate the CryptoLocker servers. (New randomly-named servers were created every day.) Also, it seems that CryptoLocker’s claim that the private keys would be destroyed after several days wasn’t true, since FireEye and Fox-IT appear to have found the keys intact on one or more CryptoLocker servers. In any case, FireEye and Fox-IT deserve a big round of applause.

The Register published a good article about decryptcryptolocker and its background. According to their article, my celebration may be premature:

Hopes that this takedown would kill off CryptoLocker have been dashed. CryptoLocker has evolved and once again started to compromise user devices, FireEye warns.

Lions and tigers and bears! Oh my!

Change your eBay password now!

eBay has posted this notice on http://www.ebayinc.com/in_the_news/story/faq-ebay-password-change:

Our company recently discovered a cyberattack that comprised [sic] a small number of employee log in credentials, allowing unauthorized access to eBay’s corporate network. As a result, a database containing encrypted password and other non-financial data was compromised. There is no evidence of the compromise affecting accounts for Paypal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats. The company is asking all eBay users to change their passwords.

The attack resulted in unauthorized access to a database of eBay users that included:

  • Customer name
  • Encrypted password
  • Email address
  • Physical address
  • Phone number
  • Date of birth

(Image: “Your password is the key to your kingdom”)

I changed my eBay password today. When I read through my KeePass database (.kdb) file, I was chagrined to find that I’d used the same password for my accounts on several other sites. I changed them all. You should do the same if you have an eBay account. Here’s why, according to eBay:

I use the same password for multiple accounts. Do I now need to change all of them?

If you used the same password for eBay and any other site, we encourage our customers to change their passwords for those sites too. As a matter of good practice, the same password should never be used across multiple sites or accounts.

Apple’s TLS/SSL bug

A serious flaw in Apple’s TLS/SSL (Transport Layer Security/Secure Sockets Layer) implementation was discovered last week. All current Apple hardware and software was found to be vulnerable to bogus security certificates. Apple reportedly pushed out patches to iPhones and iPads running iOS 6.0 and later. This week they released a large OS X update that includes a fixed TLS/SSL module.

Visit https://gotofail.com to learn if your Apple device is vulnerable. If so, get thee to the update.

EFF’s Security Report

The Electronic Frontier Foundation (EFF) has begun publishing its Who’s Doing What report, which contains the results of EFF’s survey of Internet service providers’ internal security measures.

We should all examine this report to learn how secure our entrusted data are. It will help us more wisely choose service providers of all kinds — from your ISP to email, retail sales, and search providers.
(Image: EFF Crypto Survey)
Serious encryption flaw revealed. Thanks again, NSA.

The NSA strikes again. Steve Gibson, in his Security Now podcast, yesterday revealed that RSA’s respected and popular BSAFE encryption library contains a serious weakness. Its default random number generator (RNG) isn’t especially random and was tweaked years ago by the NSA to provide them with a back door. RSA is the leading security software firm. Its products are used by most of the major software publishers — Microsoft, Apple, Google, et al. Programmers who use BSAFE may choose to use other (stronger) RNGs, but BSAFE’s default RNG is definitely weak, thanks to NSA’s tinkering.

Secure encryption requires that a unique large random number be used for each encryption. If the number is predictable, the encrypted data can be cracked. Providing truly random large numbers isn’t easy, since computers are, if nothing else, deterministic machines. They produce pseudo-random numbers. Typically they seed the RNG with a small random number such as the interval between mouse clicks.
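To make that concrete, here is an added example (mine, not code from the post and not RSA’s BSAFE): a toy stream cipher keyed from a deterministic PRNG seeded with a small value standing in for the “interval between mouse clicks”. Anyone who can enumerate the seed space recovers the key, while a seed drawn from the operating system’s cryptographic generator leaves no such shortcut. The 16-bit seed space, the seed value 4242 and the ZIP header used as known plaintext are assumptions.

```python
import random
import secrets
from typing import Optional

SEED_BITS = 16                # assumption: the seed is a 16-bit "click interval"
SEED_SPACE = 1 << SEED_BITS   # only 65,536 possible keys, a trivial search

def keystream(seed: int, length: int) -> bytes:
    """Deterministic PRNG output: the same seed always yields the same bytes.
    (random.Random is a Mersenne Twister, not a cryptographic generator.)"""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))

def xor_crypt(data: bytes, seed: int) -> bytes:
    """Toy stream cipher: XOR the data with the keystream. XOR is its own
    inverse, so the same call both encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(seed, len(data))))

def recover_seed(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """What a weak seed costs: try every seed in the small space and keep the
    one whose keystream turns the ciphertext back into a known plaintext
    prefix (a file header, for instance). Returns None if no seed fits."""
    head = ciphertext[: len(known_prefix)]
    for seed in range(SEED_SPACE):
        if xor_crypt(head, seed) == known_prefix:
            return seed
    return None

def strong_seed() -> int:
    """The remedy: a 256-bit seed from the OS CSPRNG, which cannot be
    enumerated the way SEED_SPACE can."""
    return secrets.randbits(256)

def demo() -> bool:
    """True when the weakly seeded message is recovered and the strongly
    seeded one is not."""
    header = b"PK\x03\x04\x14\x00\x00\x00"   # constructed known plaintext: a ZIP header
    message = header + b"secret payload"
    weak = xor_crypt(message, 4242)           # 4242 stands for the observed click interval
    strong = xor_crypt(message, strong_seed())
    found = recover_seed(weak, header)
    return (found == 4242 and xor_crypt(weak, found) == message
            and recover_seed(strong, header) is None)

if __name__ == "__main__":
    print("weak seed recovered, strong seed not:", demo())
```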

Ars Technica explains: Stop using NSA-influenced code in our products, RSA tells customers

Observers fear that NSA’s actions such as this harm US software suppliers’ credibility. When a backdoor exists, not only is it available to its creator, but uninvited visitors may hammer on it, as well.

Does encryption prevent NSA snooping?

Colin Berkshire says No. Much of his argument assumes that the NSA has compromised root-level security certificates. In July he wrote a pessimistic article titled Does SSL equate to privacy?. An excerpt:

If you are concerned about keeping communications private from commercial eavesdroppers, then 256 bit security is relatively effective. . . but, if you want to have privacy from government the story is entirely different. You have no privacy whatsoever.

Last week he repeated his pessimistic message: How to secure corporate communications.

Is he correct? Has the NSA compromised root-level security certificates? I don’t know.

Two secure email services shut down rather than accede to NSA access demands

Lavabit, a U.S.-based provider of encrypted email services, announced that it has shut down its service. The U.K.’s Guardian reported today that

Lavabit, which is believed to have been used by Snowden and which claimed to have 350,000 customers, closed after apparently rejecting a US government court order to cooperate in surveillance on its customers by allowing some form of access to the encrypted messages on its servers.

Its founder Ladar Levison wrote on the company’s website: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.”

Another U.S.-based encrypted email service, Silent Circle’s Silent Mail, followed Lavabit’s example and also shut down “to preempt possible government requests for data”. Silent Circle’s founder is Phil Zimmermann, the well-respected creator of PGP (Pretty Good Privacy).

Meanwhile back on the web, Kim Dotcom plans to step into this new vacuum and offer an encrypted email service from his New Zealand base. It may be out of the reach of the NSA and other U.S. three-letter agencies.

Snooping by American government agencies is out of control. I salute Mr. Levison and Mr. Zimmermann for their courage. Now, if the big players such as AT&T, Verizon, Facebook and Google would just step up to the plate, the U.S. Constitution might mean something.

And when will DoJ indict Director of National Intelligence James Clapper for perjury during his Congressional testimony?

Facebook’s latest privacy breach

Facebook last week admitted that during the last year it has allowed the phone numbers and email addresses of about 6 million users to leak outside. MailOnline reports this in today’s article titled Facebook admits accidentally releasing phone numbers and email addresses for SIX MILLION users in year-long data breach.

So, what else is new? We’re accustomed to Facebook privacy breaches. The new feature of this leak is that amongst the leaked data are data that you didn’t provide to Facebook. Yes, Facebook collects data about you from everywhere and stores them in your Facebook user record. Did you know that? For those unfortunate 6 million Facebook users, that data was also leaked.

Kaspersky offers good advice: What to Do if Facebook Leaked Your Data?

If you’re a Facebook user, this might be a good time to review Facebook’s Terms Of Service.

Judge dismisses LinkedIn password breach lawsuit

A US District Court judge has dismissed a suit that claimed that the plaintiffs were damaged by LinkedIn’s lack of diligence in safeguarding LinkedIn subscribers’ usernames and passwords. The case was brought by Katie Szpyrka and Khalilah Wright, after about 6.5 million usernames and passwords were downloaded from LinkedIn by a Russian hacker last June. (I wrote about two LinkedIn problems in LinkedIn users’ data LeakedOut, and again when 88 percent of the passwords were cracked within five days: No password news is good password news.)

Judge Edward Davila dismissed the lawsuit because

  • Plaintiffs hadn’t read LinkedIn’s Terms Of Service (TOS), so couldn’t claim that LinkedIn had breached their TOS, which includes

    …we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information.

  • Plaintiffs could not show consequent damage.

That clause within LinkedIn’s TOS sounds broad. “If you upload it to our site, don’t expect us to safeguard it.” Broad, I tells ya.


News article from Kaspersky’s ThreatPost: LinkedIn Data Breach Lawsuit Dismissed

Scamming via email

Have you received an email from a stranger with news that they want you to help transfer a large sum of money, for which you’ll receive a large commission payment? Have you received an offer to buy your car that’s listed for sale on eBay, at your asking price, and the buyer is overnighting a cashier’s cheque for the full amount plus a thousand dollars for his brother’s tuition at Texas Tech? Are these messages too good to be true? Is that what’s troubling you, Bunky? You need to visit scamomatic.com.

Universal Plug and Play vulnerability

I’ve never been comfortable with Universal Plug and Play (UPnP). It was dreamed up by Microsoft in an attempt to make networking easier for end-users and first appeared in Windows Millennium Edition (“Win ME”). I didn’t trust it then, and I still don’t trust it. The name “Universal Plug and Play” leverages Microsoft’s successful implementation of MS-Windows’ (benign) “Plug and Play” service, which first appeared in Windows 95. The UPnP name continued Microsoft’s tradition of confusing terminology and poor corporate communications in general.

UPnP has always skated on thin ice. For one thing, it contains no provision for authentication. It assumes that all UPnP objects reside behind a firewall and that no UPnP packets can traverse any public-facing router. These are naïve assumptions. I always disable UPnP, or at least I think that I disable it. (Some routers expose UPnP to the Internet no matter what the router’s admin instructs it to do!)

(Image: UPnP’s discovery phase)

Recently, researchers port-scanned the entire IPv4 Internet multiple times over a five-month period, recording the IP address of each network device with exposed UPnP. They found 81 million vulnerable devices. Read the results:

Are you vulnerable?
Check your Internet-connected local area network’s devices for exposure of UPnP capability to the outside world by using Steve Gibson’s ShieldsUP!.

UPnP bugs history
Apparently Intel, many years ago, published reference code in a library that demonstrated UPnP implementation. Most router manufacturers incorporated Intel’s UPnP library into their routers’ firmware. Intel’s UPnP library apparently contains bugs that can expose UPnP capability to the router’s WAN (Wide Area Network) port(!).
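The discovery phase above is where exposure shows itself: a device answers an M-SEARCH (or sends a NOTIFY advertisement) with HTTP-style headers and no authentication. Here is an added example (mine, not code from the post, from Intel’s library or from ShieldsUP!) that parses such a reply and reports when it arrived from, or advertises its description URL at, an address outside RFC 1918 space, which is what UPnP leaking past the WAN port looks like. The sample replies and the router name in them are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample M-SEARCH reply (not captured from a real device); NOTIFY
# advertisements, the other half of the discovery phase, use the same header format.
SAMPLE_LAN_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: Linux/2.6, UPnP/1.0, ExampleRouter/1.0\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "EXT:\r\n\r\n"
)
# Same device answering on a routable address (203.0.113.0/24 is reserved for documentation).
SAMPLE_WAN_REPLY = SAMPLE_LAN_REPLY.replace("192.168.1.1", "203.0.113.7")

# UPnP has no authentication, so its only safety net is staying on the LAN, i.e. RFC 1918 space.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan_address(addr: str) -> bool:
    ip = ip_address(addr)          # raises ValueError for a hostname
    return any(ip in net for net in LAN_NETS)

def parse_ssdp(raw: str) -> Dict[str, str]:
    """Split an SSDP message into headers; names are case-insensitive, a blank line ends them."""
    lines = raw.split("\r\n")
    if not (lines[0].startswith("HTTP/1.1 200") or lines[0].startswith("NOTIFY * HTTP/1.1")):
        raise ValueError("not an SSDP reply or advertisement: " + lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers

def exposure_findings(headers: Dict[str, str], reply_src: str) -> List[str]:
    """Reasons a reply looks reachable from beyond the LAN (empty list = nothing suspicious)."""
    findings = []
    if not is_lan_address(reply_src):
        findings.append(f"reply came from outside RFC 1918 space ({reply_src})")
    host = urlsplit(headers.get("LOCATION", "")).hostname   # None if LOCATION is missing
    try:
        if host is None or not is_lan_address(host):
            findings.append(f"LOCATION host {host} is not an RFC 1918 address")
    except ValueError:
        findings.append(f"LOCATION uses a hostname ({host}); resolve it and re-check")
    return findings
```

Feed it the replies your own LAN devices return to a multicast M-SEARCH, with the source address of each reply, and anything that comes back non-empty is worth looking at.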

Read more: upnp-hacks.org.

Kaspersky shows how to secure your Facebook account.

Are you a Facebook user? Concerned about your account’s security? (You should be.) Watch this 5-minute video: http://blog.kaspersky.com/how-to-secure-your-facebook-account/.
