The Ohio Cyber Range Institute and the Ohio Cyber Reserve took part in a cyber security exercise at the University of Cincinnati July 15, 2022. Maj. Gen. John Harris said, “This is just a next level of training for our Ohio Cyber Reserve. Our responsibility first and foremost is to respond if there is a crisis here in Ohio.” https://t.co/F8HQ2oQKbq
— Ohio Cyber Reserve (@OhioCyber) July 19, 2022

Ransomware – Who is responsible?

Look in the mirror

85 percent of computer and network breaches involved a human element, according to Verizon’s “2021 Data Breach Investigations Report,” while over 80 percent of breaches were discovered by external parties. That is good news. Does that mean if each one of us could modify our behavior, then perhaps this ransomware and breach problem might go away?

Well… Everyone works under some kind deadline pressure. And if you are like me, you tend to procrastinate. To meet that impending deadline, we have to work quickly. So, when that application or operating system security update pops up, we have to push it away. Or the I.T. department applies the update. Of course that is the day our assignment, proposal, paper, or whatever is due for presentation or submission. If you work remotely, that’s when you notice that your organization’s system is crawling along slowly or the company network is unavailable. You have already forgotten about or quashed that warning you received updating your home or office workstation to the latest security patch. Or your antivirus program that has been interrupting you for days does it again. And that’s when a “Digital Pearl Harbor” is most likely to occur.

Our I.T. computer people and the information technology industry can’t fix this. Together with the leadership, we can.

There is no silver bullet or firewall that the computer/network security industry can set up to protect you or your organization from yourselves. Again, 85% of the problem it is a behavior issue.

When was the last time your immediate supervisor asked about whether you saw that operating system security update or antivirus update? When did your boss take an interest in that phishing training offered over lunch or online? Never? Well, there you go. Unless your entire organization takes the appropriate amount of interest based on their risk management processes, what can you hope to do to fix this? Or if you work for yourself at home or remotely for your company; when was the last time you made sure your computer operating system was updated, your cable modem or home router internal operating systems were updated?

Defend yourself!

Here are some examples of what that means in practice

If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.
If you trust the linked site, type out the link’s web address manually.
If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.
If you decide you’re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it’s possible you will still be fooled: Some phishing links use similar-looking letters from a non-English character set, in what is known as a homograph attack. For example, a Cyrillic “О” might be used to mimic the usual Latin “O” we see in English.
If the link appears to be a shortened URL, use a URL expander service such as URL Expander or ExpandURLto reveal the actual, long link it points to before clicking.
Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.

a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.

Unless or until information security becomes a priority for society, including organizations and individuals we are heading for a serious setback to our way of life or even life itself

Here is where the reader will expect me to come up with a frightening scenario. I will not waste my time. Suffice it to say that unless we use fundamental risk management processes, then we will simply lose – and lose big – even lose life itself. Lose to nation-states, terrorists, criminals (sometimes sponsored by nation-states or terror organizations).

Here is how to begin to take cyber information security seriously

Start with the The National Institute of Standards and Technology (NIST) “Generally Accepted Principles and Practices for Securing Information Technology Systems”. NIST has been a government agency since 1901. This means that when one sees in lawsuits and insurance documents containing wording similar to: “Generally Accepted Principles and Practices” or “Industry Standards”, they mean NIST or other industry or business convention.

From there, it will be easy to understand what and how you and/or your organization need to begin your process to prevent a Digital Pearl Harbor that would impact, you and even society as a whole

January 14, 2020January 14, 2020

14 January Patch Tuesday Alert

UPDATE 2 Microsoft’s January 2020 Patch Tuesday Fixes 49 Vulnerabilities; Using one flaw attackers could cause malware to appear as code-signed by legitimate companies, conduct man-in-the-middle attacks, and decrypt encrypted information over network connections. https://www.bleepingcomputer.com/news/microsoft/microsofts-january-2020-patch-tuesday-fixes-49-vulnerabilities/

UPDATE: National Security Agency Confirms Windows 10 Security Flaw ‘Makes Trust Vulnerable’ “If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we can’t say anything about the actual risk for the average user.” https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/ You should put together a test computer with any proprietary software or non-off-the-shelf, mission essential software and test the patch first.

https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/

January 14, 2020 – Microsoft MAY release a patch TODAY that is supposed to fix a huge security vulnerability. I am providing this notification because I recommend that only a test computer be patched, IF you are running non-off-the-shelf software. That is anything that you can’t buy at a store, like Office programs, etc. If you are using any proprietary software or software designed for your business systems, then you should ALWAYS test Microsoft patches before implementing them. This is a story by Brian Krebs, a leading #cybersecurity journalist. “Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog.” https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

Continue reading “14 January Patch Tuesday Alert”

October 11, 2018October 11, 2018

Coffee with a cop; Our discussion: Security, it is the simple stuff that will get you

Sylvania Township Police shoulder patch from their Web site. http://www.sylvaniatownship.com/police-department/

What does physical security and cybersecurity have in common? Among other things; it’s the simple stuff that will get you.

I decided to stop by the Sylvania Township, Ohio Starbucks on Central Avenue for “Coffee with a cop.” October is National Cybersecurity Awareness Month and I thought it would be a good idea to check in with our local police first responders. These officers were from the Sylvania, Ohio Police Department.

I had a pleasant surprise because Chief Paul Long and Deputy Chief Ray Carroll were there. Both of these officers have already had long successful and distinguished law enforcement careers.

Upon entering and shaking hands, I asked whether there were any assets or other material that these local heroes needed. I am sure that there must be something local citizens could do to better support the police. However, Chief Carroll said that their message is simple: “Lock your house, garage and car(s).”

And that’s where the convergence of cyber and physical security intersect – it’s the simple stuff. Lock up your possessions to keep them secure. Cyber – “Keep you operating system up-to-date.” Why are they so similar?

Whether we like it or not, the basic design of our computers and networking equipment and operating systems follow the open academic beginnings of computing and internet/networking. Up to the early 1990s personal computers were not networked. A few of us could maybe wrangle internet access from a local college or university and that was it. The World Wide Web did not exist. Fast forward to the cobbled together systems that we now use. If you don’t keep your operating system up-to-date with a firewall and antivirus, then you are doing the same as leaving your house unlocked.

Enough preaching. What I loved about meeting with the several police officers and command officers was how much we all have in common. We all agreed. It does not matter how fancy your security system is – either physical or cyber. It is the mindset and care of the people who are operating or failing to operate them. If you have a lock on your door and you don’t use it, then you have a much better chance of losing your stuff. And it is the same with your personal information that you keep in your computer.

I am looking forward to more conversations with our first responders. Even a geek like me will learn and be motivated by the exchange of ideas.

October 4, 2018February 25, 2020

UPDATE 2: New Evidence 09 OCT 18 U.S. Telecom company – Hack of the decade; China wins it! Close to a non detectable hardware modification

Alternate link for Bloomberg YouTube

UPDATE 2: New Evidence found by Bloomberg reporting. “A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.” https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom

UPDATE: WHY SHOULD YOU CARE? If true, then your electronic devices will spike up in price because more than 90% of them are made in China. That would end. The potential damage to national security would cost the government 100s of billions of dollars and you as a tax payer will see the bill. Apple and Amazon have unequivocally denied that this hack ever took place. Folks, Bloomberg is a top notch publication with almost incomparable reporters and editors. They spent a year researching this story. On the other hand, Apple and Amazon could be just as screwed as Elon Musk, if the SEC or other regulatory agency finds that their statement(s) of denial are false. So far this is first relatively comprehensive discussion that I have found. https://itunes.apple.com/us/podcast/325-chinese-spy-chips-microsoft-announcements-pixel/id430333725?i=1000421160995&mt=2

How many Americans have purchased drones, phones, and computers that are assembled in China? Millions and millions, for sure…

According to a well reported story from Bloomberg, a chip the size of a grain of rice that appears to be a common part of a circuit board was stealthily placed by secret members of China’s Peoples Liberation Army in devices used in some U.S. servers. This chip is not detectable by operating systems nor by any antivirus. Further, it is found on circuit boards made in China and sold to U.S. enterprise-class computer server manufacturers. Companies like Amazon, Apple and even (reportedly) some government agencies.

This is may be the greatest intelligence coup of the decade, as well. See the story HERE.

July 27, 2018

Major vulnerability in Bluetooth – Update your smartphone, watch, etc.

The Bluetooth that you use to connect your smart watch, speakers or other peripheral is seriously compromised. Please check that you have updated your device to the latest operating system version. This applies to iPhones and Android devices. The devices include Apple, Android smart phones, smart watches like Apple Watch and other devices (perhaps even Chrome laptops).

Failure to update your operating system may expose your confidential information to a nearby hacker who could ruin your finances and/or snoop on your messages and possibly put you in danger.

Forbes published a good explanation headlined, Update Your iPhones And Androids Now If You Don’t Want Your Bluetooth Hacked . Enough said, please just update now.

See below for how to update Android and Apple phones:

How to Update an Android

This wikiHow teaches you how to manually update an Android phone or tablet operating system. While your Android will typically update automatically, you can speed up the update process by manually updating as soon as you know an update is available.

Quick Summary

1. Connect to Wi-Fi.
2. Open Settings.
3. Tap System.
4. Tap System Update.
5. Tap Download and Install.

How to Update iOS

Two Methods:Performing an On-Device Update (Over-the-Air)Using iTunes Community Q&A

This wikiHow teaches you how to install the latest version of Apple’s operating system for your iPhone, iPad, or iPod Touch.

Performing an On-Device Update (Over-the-Air)

Back up your iOS device.
Open “Settings.” It’s a gray app with gears that’s typically located on your home screen.
Scroll down and tap “General.“
Tap Software “Update.” It’s at the top of the menu.
- Tap Download and Install or Install Now. If a software update is already downloaded, the Install Now button will appear below the update description. Enter your passcode if prompted. Enter the passcode you use to unlock your phone.
  
  Your phone will restart and the update process will begin.
  
  In some cases, you may have to set up your phone again, although all your apps and data should be intact.You’ll need to accept legal agreements before manually downloading the update.
  
  Need help? Call or text Pilum Technology at 419-862-5252 email paulhem at paulhem dot com

July 20, 2018

Update Windows – and all other operating systems – as soon as practical

Many successful data thefts and attacks relied on vulnerabilities that had patches available

First please heed this: If you are a large or small business leader or associate do not patch before you test that patch with any specialized software – that is any software other than generic office apps, like Microsoft (R) Office apps. Even commercial scheduling software should be tested. At least make sure that you create a Restore Point. before updating. Of course, Windows is supposed to create one for you. Do not bet your operation on that!

Many highly publicized data breaches occurred because firms did not patch or update software. For example Equifax had at least two months to patch/update specific software before 143 million people had their personal information stolen. And some Equifax personnel were even aware of the need to patch the software in question. The U.S. Office of Personnel Management lost several million security clearance background investigation details because a contractor failed to update his computer.

As mentioned in My take on security, even if an individual believes that their information is not important enough to be stolen or abused, it can and will be collected and used.

Update your software.

May 26, 2018May 27, 2018

FBI advises you to reboot your home/office router right now; Why?

First, the news.

(RNN) – Russia’s hackers are busy folks.

The FBI and Cisco warned us this week that they’ve infiltrated 500,000 routers in more than 50 countries across the globe by using a malware system known as VPNFilter.

The compromised routers could be used for lots of things, but the experts believe the malicious software used to hack them are part of a plan for a huge cyber attack on Ukraine.

To torpedo the Russian plot, the FBI got court approval to seize a domain the hacking group was using to coordinate the operation.

The computer code used in the malware program shares code with previous Russian cyber attacks.

“Defending against this threat is extremely difficult due to the nature of the affected devices,” according to Cisco’s cyber intelligence unit, Talos.

“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”

And most of these routers are older devices that don’t have up-to-date software.

And now from FBI Internet Crime Complaint Center:

May 25, 2018

Alert Number

I-052518-PSA

Questions regarding this PSA should be directed to your local FBI Field Office.

Local Field Office Locations: www.fbi.gov/contact-us/field

FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE

SUMMARY

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

TECHNICAL DETAILS

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.

THREAT

VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.

DEFENSE

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

———————————————–

There will be a lot more on this. There are some lists of routers out there. Some of them may have been installed by your Internet Service Provider. The Boston Globe reports, The FBI is urging Internet service providers Comcast Corp. and Verizon Communications Inc. and others to check whether their hardware is vulnerable, and work with customers on updating their routers.

This will be continually updated, until this becomes less of an issue.

April 12, 2018April 12, 2018

Congress vs. Facebook: Lack of tech understanding or political language?

Watching C-Span is like watching paint dry or like watching Windows slowly work through several months of updates. I don’t have the patience. So, I listened to a New York Times Podcast and a CBS news story about Zuckersberg’s solo testimony before Congress.

The news folks revealed what I thought would happen. The hearings were like a five hour tech support call. The Senators and Congressman seemed to stumble around trying to get sound-bites in for their constituents. Zuckerberg repeatedly had to say, “We already do that.” or “We already have that.”

Frankly, the poor showing by our elected officials may not demonstrate anything other than Congress’ attempt to make it easy for the U.S. public to understand. C’mon! Senators and Congressmen have substantial staffs who have tech expertise. So. Here you have our elected representatives attempting to ask intelligent questions about a subject with which they seem to be totally ignorant.

EXAMPLES from an Inc story by Minda Zetlin:

1. “Is Twitter the same as what you do?”

South Carolina Senator Lindsay Graham (R) asked this as he was seeking to discover if Facebook is a monopoly. “It overlaps with a portion of what we do,” Zuckerberg said.

2. “If I’m emailing within WhatsApp…does that inform your advertisers?”

That question came from Hawaii Senator Brian Schatz (D), who seemed unaware that WhatsApp is a chat–not email–platform. Zuckerberg, manfully resisting any temptation to correct him, simply said that content on WhatsApp would not lead to related ads.

3. “How do you sustain a business model in which users don’t pay for your service?”

This surprising question came from Utah Senator Orrin Hatch (R). Zuckerberg blinked for a moment–he couldn’t believe it either–and then said simply, “Senator we run ads.”

“I see. That’s great.” Hatch responded.

4. “What was Facemash and is it still up and running?”

Missouri Representative Billy Long asked that question, much to Zuckerberg’s embarrassment. If you’ve watched The Social Network, as Long evidently has, you know Facemash was an early Zuckerberg project in which users compared two photos of women and picked which was hotter. But Zuckerberg started Facemash from his dorm room 15 years ago and Harvard shut it down within days.

5. “What if I don’t want to receive [ads for chocolate]?”

Apparently, Florida Senator Bill Nelson (D) is fond of a particular type of chocolate, and having mentioned that fact to some Facebook friends, is now seeing ads for that chocolate. His question might be a good one but it’s one for the entire internet, not just Facebook, as anyone who’s ever shopped for anything online and been dogged by ads for that same item already knows.

Zuckerberg said that users can turn off third-party information within Facebook if they don’t want that info used to select ads for them. But, he added, “even though some people don’t like ads, people really don’t like ads that aren’t relevant.”

6. “My son is dedicated to Instagram so he’d want to be sure I mentioned him while I was here with you.”

That loving parental plug came from Missouri Senator Roy Blunt (R). It was a useful reminder that Zuckerberg is the real star in this roomful of powerful elders. And it wasn’t the only one.

7. “Would you bring some fiber because we don’t have connectivity?”

West Virginia Senator Shelley Moore (R) made this request–some of her state’s rural areas apparently lack broadband. Zuckerberg said there’s a group within Facebook bringing connectivity to rural areas and “we would be happy to follow up with you on that.”

8. “Some people refer to [Peter Thiel’s startup Palantir] as Stanford Analytica. Do you agree?”

Washington Senator Maria Cantwell (D) posed this odd question on her roundabout way to asking whether Cambridge Analytica’s data-gathering was the brainchild of a Palantir employee, as recent media reports have said. There’s no particular reason to think Zuckerberg would know the answer to either of her questions, and he said he didn’t.

9. “Did you know that the Motion Picture Association of America is having problems with piracy and…this is challenging their existence?”

Georgia Representative Buddy Carter (R) asked this question after first noting the rampant sale of opioids and ivory from endangered elephants over Facebook. Never mind that piracy takes place all over the internet and not just Facebook, or the absurdity of suggesting that it poses an existential threat to the Hollywood movie industry. Zuckerberg merely replied: “Congressman, I believe that has been an issue for a long time.”

Some expert observers said after the hearings were done that Congress could have been a lot harder on Zuckerberg if its members were better informed about how social networks and the internet work. If they were, their questions might have been less entertaining. On the other hand, these are the congressional committees charged with overseeing the web and ensuring all our data is safe there. So we all might be better off.

—End of Inc.com content by Minda Zetlin

There you have it. You decide. Is this a problem with Senators and their staffs attempting to create language to communicate with tech/internet ignorant constituents, or just tech/internet ignorance on the part of our elected leaders? I think, perhaps both.

April 11, 2018April 14, 2018

Windows update? No way! I have work to do! Later!

Or. Why is it taking all day to update Windows?

It seems that every time I want to use my Windows 10 computer, I have to wait through an update. For me, it may take only a friggin’ hour. However, for some friends it has taken all day – ALL DAY. I was there for one of them.

It doesn’t make any difference which update that triggers the update jail-time. You are caught. You are caught because one of those updates that you deferred, won’t. It starts and the computer hangs – or seems to do so.

That’s when I get the call. “The computer is frozen.” It can’t be used and doesn’t respond. This usually happens when Microsoft issues a CRITICAL update. It is fixing one of those vulnerabilities that might get its executives hauled before Congress after regular folks lose their IDs and bank information – not to mention medical data. So, you WILL update! You click on the acknowledgement for the software to update itself. That’s when the sh1t hits the fan. The computer restarts and just sits there – perhaps for hours.

Most of the time, this loss of use – for a day perhaps – is caused by failure to update when the machine wants to update. It doesn’t care what reason you might want to use the computer. 60 Minutes has already left messages for the Microsoft execs and you will update before Congress gets back in session. Of course, I am joking about 60 Minutes and Congress (maybe not that much). However, the point remains, you just have to update when the computer tells you – just after you perform that crucial task that couldn’t wait. If you wait until the next two or three updates go by, then you are what we call in the I.T. business – screwed. The next time, you will be in computer jail, awaiting the update gods to finish their sacrificial ritual with your computer.

SOLUTION – most of the time

If you are using Windows 10, then follow the guidance below. If not and you are using Windows 7, then you must update when you are notified PERIOD! **Exception: If you have business custom software program on your computer, you should stop and call that software vendor. Otherwise, an update may screw up that custom software .

You have to leave your computer on for the following to work.

Get updates when you’re away from your PC with active hours in Windows 10

Set active hours to let Windows know when you’re typically at your PC. We’ll use that info to schedule updates and restarts when you’re not using the PC.
- Select the Start button, select Settings > Update & security > Windows Update , then select Change active hours.
- Choose the start time and end time for active hours, and then select Save.