14 January Patch Tuesday Alert

UPDATE 2 Microsoft’s January 2020 Patch Tuesday Fixes 49 Vulnerabilities; Using one flaw attackers could cause malware to appear as code-signed by legitimate companies, conduct man-in-the-middle attacks, and decrypt encrypted information over network connections. https://www.bleepingcomputer.com/news/microsoft/microsofts-january-2020-patch-tuesday-fixes-49-vulnerabilities/

UPDATE: National Security Agency Confirms Windows 10 Security Flaw ‘Makes Trust Vulnerable’ “If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we can’t say anything about the actual risk for the average user.” https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/ You should put together a test computer with any proprietary software or non-off-the-shelf, mission essential software and test the patch first.

UPDATE: National Security Agency Confirms Windows 10 Security Flaw ‘Makes Trust Vulnerable’
“If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we can’t say anything about the actual risk for the average user.”

https://www.forbes.com/sites/daveywinder/2020/01/14/national-security-agency-confirms-windows-10-security-flaw-makes-trust-vulnerable/

January 14, 2020 – Microsoft MAY release a patch TODAY that is supposed to fix a huge security vulnerability. I am providing this notification because I recommend that only a test computer be patched, IF you are running non-off-the-shelf software. That is anything that you can’t buy at a store, like Office programs, etc. If you are using any proprietary software or software designed for your business systems, then you should ALWAYS test Microsoft patches before implementing them. This is a story by Brian Krebs, a leading #cybersecurity journalist. “Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog.” https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

Continue reading “14 January Patch Tuesday Alert”

Coffee with a cop; Our discussion: Security, it is the simple stuff that will get you

Sylvania Township Police shoulder patch from their Web site. http://www.sylvaniatownship.com/police-department/

What does physical security and cybersecurity have in common? Among other things; it’s the simple stuff that will get you.

I decided to stop by the Sylvania Township, Ohio Starbucks on Central Avenue for “Coffee with a cop.” October is National Cybersecurity Awareness Month and I thought it would be a good idea to check in with our local police first responders. These officers were from the Sylvania, Ohio Police Department.

I had a pleasant surprise because Chief Paul Long and Deputy Chief Ray Carroll were there. Both of these officers have already had long successful and distinguished law enforcement careers.

Upon entering and shaking hands, I asked whether there were any assets or other material that these local heroes needed. I am sure that there must be something local citizens could do to better support the police. However, Chief Carroll said that their message is simple: “Lock your house, garage and car(s).”

And that’s where the convergence of cyber and physical security intersect – it’s the simple stuff. Lock up your possessions to keep them secure. Cyber – “Keep you operating system up-to-date.” Why are they so similar?

Whether we like it or not, the basic design of our computers and networking equipment and operating systems follow the open academic beginnings of computing and internet/networking. Up to the early 1990s personal computers were not networked. A few of us could maybe wrangle internet access from a local college or university and that was it. The World Wide Web did not exist. Fast forward to the cobbled together systems that we now use. If you don’t keep your operating system up-to-date with a firewall and antivirus, then you are doing the same as leaving your house unlocked.

Enough preaching. What I loved about meeting with the several police officers and command officers was how much we all have in common. We all agreed. It does not matter how fancy your security system is – either physical or cyber. It is the mindset and care of the people who are operating or failing to operate them. If you have a lock on your door and you don’t use it, then you have a much better chance of losing your stuff. And it is the same with your personal information that you keep in your computer.

I am looking forward to more conversations with our first responders. Even a geek like me will learn and be motivated by the exchange of ideas.

UPDATE 2: New Evidence 09 OCT 18 U.S. Telecom company – Hack of the decade; China wins it! Close to a non detectable hardware modification

Alternate link for Bloomberg YouTube

UPDATE 2: New Evidence found by Bloomberg reporting. “A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.” https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom

UPDATE: WHY SHOULD YOU CARE? If true, then your electronic devices will spike up in price because more than 90% of them are made in China. That would end. The potential damage to national security would cost the government 100s of billions of dollars and you as a tax payer will see the bill. Apple and Amazon have unequivocally denied that this hack ever took place. Folks, Bloomberg is a top notch publication with almost incomparable reporters and editors. They spent a year researching this story. On the other hand, Apple and Amazon could be just as screwed as Elon Musk, if the SEC or other regulatory agency finds that their statement(s) of denial are false. So far this is first relatively comprehensive discussion that I have found. https://itunes.apple.com/us/podcast/325-chinese-spy-chips-microsoft-announcements-pixel/id430333725?i=1000421160995&mt=2

How many Americans have purchased drones, phones, and computers that are assembled in China? Millions and millions, for sure…

According to a well reported story from Bloomberg, a chip the size of a grain of rice that appears to be a common part of a circuit board was stealthily placed by secret members of China’s Peoples Liberation Army in devices used in some U.S. servers. This chip is not detectable by operating systems nor by any antivirus. Further, it is found on circuit boards made in China and sold to U.S. enterprise-class computer server manufacturers. Companies like Amazon, Apple and even (reportedly) some government agencies.

This is may be the greatest intelligence coup of the decade, as well. See the story HERE.

Major vulnerability in Bluetooth – Update your smartphone, watch, etc.

The Bluetooth that you use to connect your smart watch, speakers or other peripheral is seriously compromised. Please check that you have updated your device to the latest operating system version. This applies to iPhones and Android devices. The devices include Apple, Android smart phones, smart watches like Apple Watch and other devices (perhaps even Chrome laptops).

Failure to update your operating system may expose your confidential information to a nearby hacker who could ruin your finances and/or snoop on your messages and possibly put you in danger.

Forbes published a good explanation headlined, Update Your iPhones And Androids Now If You Don’t Want Your Bluetooth Hacked . Enough said, please just update now.

See below for how to update Android and Apple phones:

How to Update an Android

This wikiHow teaches you how to manually update an Android phone or tablet operating system. While your Android will typically update automatically, you can speed up the update process by manually updating as soon as you know an update is available.

Quick Summary

1. Connect to Wi-Fi.
2. Open Settings.
3. Tap System.
4. Tap System Update.
5. Tap Download and Install.

How to Update iOS

Two Methods:Performing an On-Device Update (Over-the-Air)Using iTunesCommunity Q&A

This wikiHow teaches you how to install the latest version of Apple’s operating system for your iPhone, iPad, or iPod Touch.

Performing an On-Device Update (Over-the-Air)

  1. Open “Settings.” It’s a gray app with gears that’s typically located on your home screen.
  2. Scroll down and tap “General.
  3. Tap Software “Update.” It’s at the top of the menu.
    • Tap Download and Install or Install Now. If a software update is already downloaded, the Install Now button will appear below the update description. Enter your passcode if prompted. Enter the passcode you use to unlock your phone.

      • Your phone will restart and the update process will begin.
      • In some cases, you may have to set up your phone again, although all your apps and data should be intact.You’ll need to accept legal agreements before manually downloading the update.

      Need help? Call or text Pilum Technology at 419-862-5252 email paulhem at paulhem dot com

Update Windows – and all other operating systems – as soon as practical

Many successful data thefts and attacks relied on vulnerabilities that had patches available

First please heed this: If you are a large or small business leader or associate do not patch before you test that patch with any specialized software – that is any software other than generic office apps, like Microsoft (R) Office apps. Even commercial scheduling software should be tested. At least make sure that you create a Restore Point. before updating. Of course, Windows is supposed to create one for you. Do not bet your operation on that!

Many highly publicized data breaches occurred because firms did not patch or update software. For example Equifax had at least two months to patch/update specific software before 143 million people had their personal information stolen.  And some Equifax personnel were even aware of the need to patch the software in question. The U.S. Office of Personnel Management lost several million security clearance background investigation details because a contractor failed to update his computer.

As mentioned in My take on security, even if an individual believes that their information is not important enough to be stolen or abused, it can and will be collected and used.

Update your software.

FBI advises you to reboot your home/office router right now; Why?

First, the news.

(RNN) – Russia’s hackers are busy folks.

The FBI and Cisco warned us this week that they’ve infiltrated 500,000 routers in more than 50 countries across the globe by using a malware system known as VPNFilter.

The compromised routers could be used for lots of things, but the experts believe the malicious software used to hack them are part of a plan for a huge cyber attack on Ukraine.

To torpedo the Russian plot, the FBI got court approval to seize a domain the hacking group was using to coordinate the operation.

The computer code used in the malware program shares code with previous Russian cyber attacks.

“Defending against this threat is extremely difficult due to the nature of the affected devices,” according to Cisco’s cyber intelligence unit, Talos.

“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”

And most of these routers are older devices that don’t have up-to-date software.

And now from FBI Internet Crime Complaint Center:

May 25, 2018

Alert Number

I-052518-PSA

Questions regarding this PSA should be directed to your local FBI Field Office.

Local Field Office Locations: www.fbi.gov/contact-us/field

———————————————–

There will be a lot more on this.  There are some lists of routers out there. Some of them may have been installed by your Internet Service Provider. The Boston Globe reports, The FBI is urging Internet service providers Comcast Corp. and Verizon Communications Inc. and others to check whether their hardware is vulnerable, and work with customers on updating their routers.

This will be continually updated, until this becomes less of an issue.

EFF: How to fix your Facebook settings so the recent Cambridge Analytica spying doesn’t get you

Of course, your personal information is valuable so the cybercrooks will still come after you. Not the end-all-beat-all…. This will help make your Facebook privacy more robust, however.

From:

How To Change Your Facebook Settings To Opt Out of Platform API Sharing

March 19, 2018

UPDATE (3/30/18): We have updated this post and its screenshots to reflect how Facebook reorganized and removed some settings this week.

You shouldn’t have to do this. You shouldn’t have to wade through complicated privacy settings in order to ensure that the companies with which you’ve entrusted your personal information are making reasonable, legal efforts to protect it. But Facebook has allowed third parties to violate user privacy on an unprecedented scale, and, while legislators and regulators scramble to understand the implications and put limits in place, users are left with the responsibility to make sure their profiles are properly configured.

Over the weekend, it became clear that Cambridge Analytica, a data analytics company, got access to more than 50 million Facebook users’ data in 2014. The data was overwhelmingly collected, shared, and stored without user consent. The scale of this violation of user privacy reflects how Facebook’s terms of service and API were structured at the time. Make no mistake: this was not a data breach. This was exactly how Facebook’s infrastructure was designed to work.

In addition to raising questions about Facebook’s role in the 2016 presidential election, this news is a reminder of the inevitable privacy risks that users face when their personal information is captured, analyzed, indefinitely stored, and shared by a constellation of data brokers, marketers, and social media companies.

Tech companies can and should do more to protect users, including giving users far more control over what data is collected and how that data is used. That starts with meaningful transparency and allowing truly independent researchers—with no bottom line or corporate interest—access to work with, black-box test, and audit their systems. Finally, users need to be able to leave when a platform isn’t serving them — and take their data with them when they do.

Of course, you could choose to leave Facebook entirely, but for many that is not a viable solution. For now, if you’d like keep your data from going through Facebook’s API, you can take control of your privacy settings. Keep in mind that this disables ALL platform apps (like Farmville, Twitter, or Instagram) and you will not be able to log into other sites using your Facebook login.

Log into Facebook and visit the App Settings page (or go there manually via the Settings Menu > Apps ).

From there, click the “Edit” button under “Apps, Websites and Games.” Click “Turn Off.”