Posts

Posted on

Ransomware – Who is responsible?

Look in the mirror

85 percent of computer and network breaches involved a human element, according to Verizon’s “2021 Data Breach Investigations Report,” while over 80 percent of breaches were discovered by external parties. That is good news. Does that mean if each one of us could modify our behavior, then perhaps this ransomware and breach problem might go away?

Well… Everyone works under some kind deadline pressure. And if you are like me, you tend to procrastinate. To meet that impending deadline, we have to work quickly. So, when that application or operating system security update pops up, we have to push it away. Or the I.T. department applies the update. Of course that is the day our assignment, proposal, paper, or whatever is due for presentation or submission. If you work remotely, that’s when you notice that your organization’s system is crawling along slowly or the company network is unavailable. You have already forgotten about or quashed that warning you received updating your home or office workstation to the latest security patch. Or your antivirus program that has been interrupting you for days does it again. And that’s when a “Digital Pearl Harbor” is most likely to occur.

Our I.T. computer people and the information technology industry can’t fix this. Together with the leadership, we can.

There is no silver bullet or firewall that the computer/network security industry can set up to protect you or your organization from yourselves. Again, 85% of the problem it is a behavior issue.

When was the last time your immediate supervisor asked about whether you saw that operating system security update or antivirus update? When did your boss take an interest in that phishing training offered over lunch or online? Never? Well, there you go. Unless your entire organization takes the appropriate amount of interest based on their risk management processes, what can you hope to do to fix this? Or if you work for yourself at home or remotely for your company; when was the last time you made sure your computer operating system was updated, your cable modem or home router internal operating systems were updated?

Defend yourself!

Here are some examples of what that means in practice

  • If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.
  • If you trust the linked site, type out the link’s web address manually.
  • If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.
  • If you decide you’re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it’s possible you will still be fooled: Some phishing links use similar-looking letters from a non-English character set, in what is known as a homograph attack. For example, a Cyrillic “О” might be used to mimic the usual Latin “O” we see in English.
  • If the link appears to be a shortened URL, use a URL expander service such as URL Expander or ExpandURLto reveal the actual, long link it points to before clicking.
  • Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
  • Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
  • Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
  • If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.
  • a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
  • Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
  • Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
  • If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.

Unless or until information security becomes a priority for society, including organizations and individuals we are heading for a serious setback to our way of life or even life itself

Here is where the reader will expect me to come up with a frightening scenario. I will not waste my time. Suffice it to say that unless we use fundamental risk management processes, then we will simply lose – and lose big – even lose life itself. Lose to nation-states, terrorists, criminals (sometimes sponsored by nation-states or terror organizations).

Here is how to begin to take cyber information security seriously

Start with the The National Institute of Standards and Technology (NIST) “Generally Accepted Principles and Practices for Securing Information Technology Systems”. NIST has been a government agency since 1901. This means that when one sees in lawsuits and insurance documents containing wording similar to: “Generally Accepted Principles and Practices” or “Industry Standards”, they mean NIST or other industry or business convention.

From there, it will be easy to understand what and how you and/or your organization need to begin your process to prevent a Digital Pearl Harbor that would impact, you and even society as a whole

Posted on

14 January Patch Tuesday Alert

UPDATE 2 Microsoft’s January 2020 Patch Tuesday Fixes 49 Vulnerabilities; Using one flaw attackers could cause malware to appear as code-signed by legitimate companies, conduct man-in-the-middle attacks, and decrypt encrypted information over network connections. https://www.bleepingcomputer.com/news/microsoft/microsofts-january-2020-patch-tuesday-fixes-49-vulnerabilities/

UPDATE: National Security Agency Confirms Windows 10 Security Flaw ‘Makes Trust Vulnerable’ “If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we can’t say anything about the actual risk for the average user.” https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/ You should put together a test computer with any proprietary software or non-off-the-shelf, mission essential software and test the patch first.

UPDATE: National Security Agency Confirms Windows 10 Security Flaw ‘Makes Trust Vulnerable’
“If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we can’t say anything about the actual risk for the average user.”

https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/

January 14, 2020 – Microsoft MAY release a patch TODAY that is supposed to fix a huge security vulnerability. I am providing this notification because I recommend that only a test computer be patched, IF you are running non-off-the-shelf software. That is anything that you can’t buy at a store, like Office programs, etc. If you are using any proprietary software or software designed for your business systems, then you should ALWAYS test Microsoft patches before implementing them. This is a story by Brian Krebs, a leading #cybersecurity journalist. “Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog.” https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

Continue reading “14 January Patch Tuesday Alert”

Posted on

Coffee with a cop; Our discussion: Security, it is the simple stuff that will get you

Sylvania Township Police shoulder patch from their Web site. http://www.sylvaniatownship.com/police-department/

What does physical security and cybersecurity have in common? Among other things; it’s the simple stuff that will get you.

I decided to stop by the Sylvania Township, Ohio Starbucks on Central Avenue for “Coffee with a cop.” October is National Cybersecurity Awareness Month and I thought it would be a good idea to check in with our local police first responders. These officers were from the Sylvania, Ohio Police Department.

I had a pleasant surprise because Chief Paul Long and Deputy Chief Ray Carroll were there. Both of these officers have already had long successful and distinguished law enforcement careers.

Upon entering and shaking hands, I asked whether there were any assets or other material that these local heroes needed. I am sure that there must be something local citizens could do to better support the police. However, Chief Carroll said that their message is simple: “Lock your house, garage and car(s).”

And that’s where the convergence of cyber and physical security intersect – it’s the simple stuff. Lock up your possessions to keep them secure. Cyber – “Keep you operating system up-to-date.” Why are they so similar?

Whether we like it or not, the basic design of our computers and networking equipment and operating systems follow the open academic beginnings of computing and internet/networking. Up to the early 1990s personal computers were not networked. A few of us could maybe wrangle internet access from a local college or university and that was it. The World Wide Web did not exist. Fast forward to the cobbled together systems that we now use. If you don’t keep your operating system up-to-date with a firewall and antivirus, then you are doing the same as leaving your house unlocked.

Enough preaching. What I loved about meeting with the several police officers and command officers was how much we all have in common. We all agreed. It does not matter how fancy your security system is – either physical or cyber. It is the mindset and care of the people who are operating or failing to operate them. If you have a lock on your door and you don’t use it, then you have a much better chance of losing your stuff. And it is the same with your personal information that you keep in your computer.

I am looking forward to more conversations with our first responders. Even a geek like me will learn and be motivated by the exchange of ideas.

Posted on

UPDATE 2: New Evidence 09 OCT 18 U.S. Telecom company – Hack of the decade; China wins it! Close to a non detectable hardware modification

Alternate link for Bloomberg YouTube

UPDATE 2: New Evidence found by Bloomberg reporting. “A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.” https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom

UPDATE: WHY SHOULD YOU CARE? If true, then your electronic devices will spike up in price because more than 90% of them are made in China. That would end. The potential damage to national security would cost the government 100s of billions of dollars and you as a tax payer will see the bill. Apple and Amazon have unequivocally denied that this hack ever took place. Folks, Bloomberg is a top notch publication with almost incomparable reporters and editors. They spent a year researching this story. On the other hand, Apple and Amazon could be just as screwed as Elon Musk, if the SEC or other regulatory agency finds that their statement(s) of denial are false. So far this is first relatively comprehensive discussion that I have found. https://itunes.apple.com/us/podcast/325-chinese-spy-chips-microsoft-announcements-pixel/id430333725?i=1000421160995&mt=2

How many Americans have purchased drones, phones, and computers that are assembled in China? Millions and millions, for sure…

According to a well reported story from Bloomberg, a chip the size of a grain of rice that appears to be a common part of a circuit board was stealthily placed by secret members of China’s Peoples Liberation Army in devices used in some U.S. servers. This chip is not detectable by operating systems nor by any antivirus. Further, it is found on circuit boards made in China and sold to U.S. enterprise-class computer server manufacturers. Companies like Amazon, Apple and even (reportedly) some government agencies.

This is may be the greatest intelligence coup of the decade, as well. See the story HERE.

Posted on

Major vulnerability in Bluetooth – Update your smartphone, watch, etc.

The Bluetooth that you use to connect your smart watch, speakers or other peripheral is seriously compromised. Please check that you have updated your device to the latest operating system version. This applies to iPhones and Android devices. The devices include Apple, Android smart phones, smart watches like Apple Watch and other devices (perhaps even Chrome laptops).

Failure to update your operating system may expose your confidential information to a nearby hacker who could ruin your finances and/or snoop on your messages and possibly put you in danger.

Forbes published a good explanation headlined, Update Your iPhones And Androids Now If You Don’t Want Your Bluetooth Hacked . Enough said, please just update now.

See below for how to update Android and Apple phones:

How to Update an Android

This wikiHow teaches you how to manually update an Android phone or tablet operating system. While your Android will typically update automatically, you can speed up the update process by manually updating as soon as you know an update is available.

Quick Summary

1. Connect to Wi-Fi.
2. Open Settings.
3. Tap System.
4. Tap System Update.
5. Tap Download and Install.

How to Update iOS

Two Methods:Performing an On-Device Update (Over-the-Air)Using iTunesCommunity Q&A

This wikiHow teaches you how to install the latest version of Apple’s operating system for your iPhone, iPad, or iPod Touch.

Performing an On-Device Update (Over-the-Air)

  1. Back up your iOS device.
  2. Open “Settings.” It’s a gray app with gears that’s typically located on your home screen.
  3. Scroll down and tap “General.
  4. Tap Software “Update.” It’s at the top of the menu.
    • Tap Download and Install or Install Now. If a software update is already downloaded, the Install Now button will appear below the update description. Enter your passcode if prompted. Enter the passcode you use to unlock your phone.

      • Your phone will restart and the update process will begin.
      • In some cases, you may have to set up your phone again, although all your apps and data should be intact.You’ll need to accept legal agreements before manually downloading the update.

      Need help? Call or text Pilum Technology at 419-862-5252 email paulhem at paulhem dot com

Posted on

Update Windows – and all other operating systems – as soon as practical

Many successful data thefts and attacks relied on vulnerabilities that had patches available

First please heed this: If you are a large or small business leader or associate do not patch before you test that patch with any specialized software – that is any software other than generic office apps, like Microsoft (R) Office apps. Even commercial scheduling software should be tested. At least make sure that you create a Restore Point. before updating. Of course, Windows is supposed to create one for you. Do not bet your operation on that!

Many highly publicized data breaches occurred because firms did not patch or update software. For example Equifax had at least two months to patch/update specific software before 143 million people had their personal information stolen.  And some Equifax personnel were even aware of the need to patch the software in question. The U.S. Office of Personnel Management lost several million security clearance background investigation details because a contractor failed to update his computer.

As mentioned in My take on security, even if an individual believes that their information is not important enough to be stolen or abused, it can and will be collected and used.

Update your software.

Posted on

FBI advises you to reboot your home/office router right now; Why?

First, the news.

(RNN) – Russia’s hackers are busy folks.

The FBI and Cisco warned us this week that they’ve infiltrated 500,000 routers in more than 50 countries across the globe by using a malware system known as VPNFilter.

The compromised routers could be used for lots of things, but the experts believe the malicious software used to hack them are part of a plan for a huge cyber attack on Ukraine.

To torpedo the Russian plot, the FBI got court approval to seize a domain the hacking group was using to coordinate the operation.

The computer code used in the malware program shares code with previous Russian cyber attacks.

“Defending against this threat is extremely difficult due to the nature of the affected devices,” according to Cisco’s cyber intelligence unit, Talos.

“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”

And most of these routers are older devices that don’t have up-to-date software.

And now from FBI Internet Crime Complaint Center:

May 25, 2018

Alert Number

I-052518-PSA

Questions regarding this PSA should be directed to your local FBI Field Office.

Local Field Office Locations: www.fbi.gov/contact-us/field

———————————————–

There will be a lot more on this.  There are some lists of routers out there. Some of them may have been installed by your Internet Service Provider. The Boston Globe reports, The FBI is urging Internet service providers Comcast Corp. and Verizon Communications Inc. and others to check whether their hardware is vulnerable, and work with customers on updating their routers.

This will be continually updated, until this becomes less of an issue.

Posted on

Congress vs. Facebook: Lack of tech understanding or political language?

Watching C-Span is like watching paint dry or like watching Windows slowly work through several months of updates. I don’t have the patience. So, I listened to a New York Times Podcast and a CBS news story about Zuckersberg’s solo testimony before Congress.

The news folks revealed what I thought would happen. The hearings were like a five hour tech support call. The Senators and Congressman seemed to stumble around trying to get sound-bites in for their constituents. Zuckerberg repeatedly had to say, “We already do that.” or “We already have that.”

Frankly, the poor showing by our elected officials may not demonstrate anything other than Congress’ attempt to make it easy for the U.S. public to understand. C’mon! Senators and Congressmen have substantial staffs who have tech expertise. So. Here you have our elected representatives attempting to ask intelligent questions about a subject with which they seem to be totally ignorant.

EXAMPLES from an Inc story by Minda Zetlin:

1. “Is Twitter the same as what you do?”

South Carolina Senator Lindsay Graham (R) asked this as he was seeking to discover if Facebook is a monopoly. “It overlaps with a portion of what we do,” Zuckerberg said.

2. “If I’m emailing within WhatsApp…does that inform your advertisers?”

That question came from Hawaii Senator Brian Schatz (D), who seemed unaware that WhatsApp is a chat–not email–platform. Zuckerberg, manfully resisting any temptation to correct him, simply said that content on WhatsApp would not lead to related ads.

3. “How do you sustain a business model in which users don’t pay for your service?”

This surprising question came from Utah Senator Orrin Hatch (R). Zuckerberg blinked for a moment–he couldn’t believe it either–and then said simply, “Senator we run ads.”

“I see. That’s great.” Hatch responded.

4. “What was Facemash and is it still up and running?”

Missouri Representative Billy Long asked that question, much to Zuckerberg’s embarrassment. If you’ve watched The Social Network, as Long evidently has, you know Facemash was an early Zuckerberg project in which users compared two photos of women and picked which was hotter. But Zuckerberg started Facemash from his dorm room 15 years ago and Harvard shut it down within days.

5. “What if I don’t want to receive [ads for chocolate]?”

Apparently, Florida Senator Bill Nelson (D) is fond of a particular type of chocolate, and having mentioned that fact to some Facebook friends, is now seeing ads for that chocolate. His question might be a good one but it’s one for the entire internet, not just Facebook, as anyone who’s ever shopped for anything online and been dogged by ads for that same item already knows.

Zuckerberg said that users can turn off third-party information within Facebook if they don’t want that info used to select ads for them. But, he added, “even though some people don’t like ads, people really don’t like ads that aren’t relevant.”

6. “My son is dedicated to Instagram so he’d want to be sure I mentioned him while I was here with you.”

That loving parental plug came from Missouri Senator Roy Blunt (R). It was a useful reminder that Zuckerberg is the real star in this roomful of powerful elders. And it wasn’t the only one.

7. “Would you bring some fiber because we don’t have connectivity?”

West Virginia Senator Shelley Moore (R) made this request–some of her state’s rural areas apparently lack broadband. Zuckerberg said there’s a group within Facebook bringing connectivity to rural areas and “we would be happy to follow up with you on that.”

8. “Some people refer to [Peter Thiel’s startup Palantir] as Stanford Analytica. Do you agree?”

Washington Senator Maria Cantwell (D) posed this odd question on her roundabout way to asking whether Cambridge Analytica’s data-gathering was the brainchild of a Palantir employee, as recent media reports have said. There’s no particular reason to think Zuckerberg would know the answer to either of her questions, and he said he didn’t.

9. “Did you know that the Motion Picture Association of America is having problems with piracy and…this is challenging their existence?”

Georgia Representative  Buddy Carter (R) asked this question after first noting the rampant sale of opioids and ivory from endangered elephants over Facebook. Never mind that piracy takes place all over the internet and not just Facebook, or the absurdity of suggesting that it poses an existential threat to the Hollywood movie industry. Zuckerberg merely replied: “Congressman, I believe that has been an issue for a long time.”

Some expert observers said after the hearings were done that Congress could have been a lot harder on Zuckerberg if its members were better informed about how social networks and the internet work. If they were, their questions might have been less entertaining. On the other hand, these are the congressional committees charged with overseeing the web and ensuring all our data is safe there. So we all might be better off.

 —End of Inc.com content by Minda Zetlin
There you have it. You decide. Is this a problem with Senators and their staffs attempting to create language to communicate with tech/internet ignorant constituents, or just tech/internet ignorance on the part of our elected leaders? I think, perhaps both.
Posted on

Windows update? No way! I have work to do! Later!

Or. Why is it taking all day to update Windows?

It seems that every time I want to use my Windows 10 computer, I have to wait through an update. For me, it may take only a friggin’ hour. However, for some friends it has taken all day – ALL DAY.  I was there for one of them.

It doesn’t make any difference which update that triggers the update jail-time. You are caught. You are caught because one of those updates that you deferred, won’t. It starts and the computer hangs – or seems to do so.

That’s when I get the call. “The computer is frozen.” It can’t be used and doesn’t respond. This usually happens when Microsoft issues a CRITICAL update. It is fixing one of those vulnerabilities that might get its executives hauled before Congress after regular folks lose their IDs and bank information – not to mention medical data. So, you WILL update! You click on the acknowledgement for the software to update itself. That’s when the sh1t hits the fan. The computer restarts and just sits there – perhaps for hours.

Most of the time, this loss of use – for a day perhaps – is caused by failure to update when the machine wants to update. It doesn’t care what reason you might want to use the computer. 60 Minutes has already left messages for the Microsoft execs and you will update before Congress gets back in session. Of course, I am joking about 60 Minutes and Congress (maybe not that much). However, the point remains, you just have to update when the computer tells you – just after you perform that crucial task that couldn’t wait. If you wait until the next two or three updates go by, then you are what we call in the I.T. business – screwed. The next time, you will be in computer jail, awaiting the update gods to finish their sacrificial ritual with your computer.

SOLUTION – most of the time

If you are using Windows 10, then follow the guidance below. If not and you are using Windows 7, then you must update when you are notified PERIOD! **Exception: If you have business custom software program on your computer, you should stop and call that software vendor. Otherwise, an update may screw up that custom software .

You have to leave your computer on for the following to work.

Posted on

EFF: How to fix your Facebook settings so the recent Cambridge Analytica spying doesn’t get you

Of course, your personal information is valuable so the cybercrooks will still come after you. Not the end-all-beat-all…. This will help make your Facebook privacy more robust, however.

From:

How To Change Your Facebook Settings To Opt Out of Platform API Sharing

By Gennie Gebhart
March 19, 2018

UPDATE (3/30/18): We have updated this post and its screenshots to reflect how Facebook reorganized and removed some settings this week.

You shouldn’t have to do this. You shouldn’t have to wade through complicated privacy settings in order to ensure that the companies with which you’ve entrusted your personal information are making reasonable, legal efforts to protect it. But Facebook has allowed third parties to violate user privacy on an unprecedented scale, and, while legislators and regulators scramble to understand the implications and put limits in place, users are left with the responsibility to make sure their profiles are properly configured.

Over the weekend, it became clear that Cambridge Analytica, a data analytics company, got access to more than 50 million Facebook users’ data in 2014. The data was overwhelmingly collected, shared, and stored without user consent. The scale of this violation of user privacy reflects how Facebook’s terms of service and API were structured at the time. Make no mistake: this was not a data breach. This was exactly how Facebook’s infrastructure was designed to work.

In addition to raising questions about Facebook’s role in the 2016 presidential election, this news is a reminder of the inevitable privacy risks that users face when their personal information is captured, analyzed, indefinitely stored, and shared by a constellation of data brokers, marketers, and social media companies.

Tech companies can and should do more to protect users, including giving users far more control over what data is collected and how that data is used. That starts with meaningful transparency and allowing truly independent researchers—with no bottom line or corporate interest—access to work with, black-box test, and audit their systems. Finally, users need to be able to leave when a platform isn’t serving them — and take their data with them when they do.

Of course, you could choose to leave Facebook entirely, but for many that is not a viable solution. For now, if you’d like keep your data from going through Facebook’s API, you can take control of your privacy settings. Keep in mind that this disables ALL platform apps (like Farmville, Twitter, or Instagram) and you will not be able to log into other sites using your Facebook login.

Log into Facebook and visit the App Settings page (or go there manually via the Settings Menu > Apps ).

From there, click the “Edit” button under “Apps, Websites and Games.” Click “Turn Off.”