Tuesday, January 17, 2017

(Browser) Caching Fire

   Someone recently asked me a question about the safety of allowing your web browser to save, and then auto-fill, passwords.  That's a very timely question because that issue has been in the news lately.

   Web browsers have all kinds of built-in capabilities.  One "feature" that is only a few years old is the ability to save information you might put into forms such as: your name and address, phone number and other contact info, credit card information.  Browsers can also save your userids and passwords for sites, then automatically fill in that info when you visit the site.

   I've always said that security-minded people should not allow web browsers to save this kind of personal and security info.  This is primarily because all browsers have a track record of having many vulnerabilities.  I've always "said" this but, as it turns out, I've never written about it!  It's about time! [Note... or so I thought! While looking for some other info, I found that I did talk about this issue back in 2013!]

   There are two primary reasons why allowing the browser to save sensitive information is a bad idea:
  1. Copycat and phishing websites can grab information your browser has stored, directly and without your knowledge.  This is the problem that was recently announced.
  2. As I just mentioned, browsers have many vulnerabilities and exploits.  At the most recent Pwn2Own contest (a 2-day event at which teams compete to exploit software vulnerabilities for cash prizes), all of the major browsers fell victim!
   The latest issue that was discovered occurs when you are lured to a specially crafted website.  That happens more often than you might think.

Tuesday, January 3, 2017

New Year, Don't Click!

   Well, it's a new year and, as we've discussed in the past, the more things change the more they stay the same.

   My advice for 2017... Don't Click!

   Of course, that's easier said than done.  We've discussed phishing and malicious email here, here and here.

   But on a more practical note, and because I like things that come in 3's, here's some info from the way-back machine... it's advice from Brian Krebs from 2011.  It is his 3 basic rules for online safety.  They are every bit as relevant now as when this was first published.  And it was relevant for years before that.

   The 3 rules are:
  1. If you didn’t go looking for it, don’t install it - this means when you get a pop-up asking you to install some software... don't click!  Only install software that you look for and intend to use.  And, wherever possible, install from reputable websites.  Do your research.
  2. If you installed it, update it - After you install the software you want, you need to keep it up to date.  This is not trivial, but I like using Secunia PSI (Personal Software Inspector) on my home systems for keeping software up to date.
  3. If you no longer need it, remove it - software will have vulnerabilities.  The less software you have, the fewer opportunities there are for vulnerabilities and malware.  This is especially true on your smartphone and tablet, where excess software really slows the performance of the device.
   Here's to a safe and secure 2017!

Tuesday, December 20, 2016


   Just a few months ago, in September 2016, Yahoo announced that they had uncovered a breach that leaked passwords for 500 million accounts.  The actual breach took place in 2014 but took years to discover.  This breach was different than the prior breach announced in 2012.  We discussed this here.

   This announcement came at a time when Yahoo was deep into talks to be acquired by Verizon.  That September announcement led to speculation about effects to the purchase price.

   Well, truth is stranger than fiction, and Yahoo is back in the news again.  Now on December 14, 2016 it appears that yet another breach has been discovered.  This is different from the previous issues and seems to date from August 2013.  This latest discovery affects... wait for it... one billion accounts!  You'll recall that the 2014 breach discovered in Sept 2016 hit "only" half that many accounts!

   So if we look at the timeline, Yahoo had major breaches in 2012, 2013 and 2014, and the last two were not discovered (or at least not announced) until 2016!  Good times.  Here is the latest announcement from Yahoo as well as some articles covering the details.

   This whole thing is a major issue (issues?) for a number of reasons, and it has to do with our dependence on email in our online world and Yahoo's role as major provider of free email.
  • We all use email daily for a wide variety of reasons.  We have a need to trust email.  Of course, using email has made our lives easier... Not!
  • Spam and Phishing - when you receive a spam or phishing message from a "friend", you are more likely to click on the links.  Similarly, having your account taken over endangers your friends and contacts.
  • Password reuse - most people reuse passwords among internet sites because it's easier to remember fewer passwords.  A password leaked from one site is then tried against other sites.
  • Linked accounts - as a convenience, you can connect accounts together so that you can use multiple services with one login.  This is most common with Facebook ("login with Facebook") but this is also available with Yahoo, Google and others.
  • Password resets and other verifications - often, password reset info or alerts or warnings are sent to an email address you specify.  If you specified your Yahoo account to receive these from your bank or other important site, and your account was compromised in any of the attacks we're discussing, the attackers could intercept this alert information and reset those other passwords themselves.
   So what should you do?

Tuesday, December 6, 2016

Information Security Learning Resources part 2

   Today we have part 2 of a 2-part guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Security Concepts
There are three key concepts of information security which you may or may not be familiar with:
    -      Confidentiality
o   Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
    -      Integrity
o   Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
    -      Availability
o   Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

This is known as the “security triad” (or CIA triad). It can be further expanded upon:
    -      Privacy
o   Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
    -      Identification
o   An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it serves as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
    -      Authentication
o   An information system possesses the characteristic of authentication when a control provides proof that a user actually possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices--for example, hardware tokens such as RSA's SecurID--to confirm a user's identity.
    -      Authorization
o   After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
    -      Accountability
o   Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)
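The four properties that follow the triad (identification, authentication, authorization and accountability) are easiest to see chained together in one request. Below is an added example, not code from the original post or from the Whitman and Mattord text; the users, groups, ACL and asset names are constructed, and storing passwords as salted PBKDF2-HMAC-SHA256 digests is an assumption about how the credential store is built.

```python
"""Identification -> authentication -> authorization -> accountability.

Added example (not from the original post). All users, groups, assets and
the ACL below are constructed sample data.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000  # assumption: work factor for the password store


def make_credential(password: str) -> dict:
    """Store a per-user random salt and a PBKDF2 digest, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


# Identification: the user name is the identifier the system recognizes.
USERS = {
    "alice": {"cred": make_credential("correct horse battery staple"), "groups": {"finance"}},
    "bob":   {"cred": make_credential("hunter2"),                      "groups": {"helpdesk"}},
}

# Dummy credential so an unknown user costs the same time as a wrong password
# (avoids leaking which user names exist through response timing).
DUMMY_CRED = make_credential(os.urandom(16).hex())

# Authorization: asset -> group -> explicitly granted actions (an access control list).
ACL = {
    "payroll.db": {"finance": {"read", "write"}, "helpdesk": {"read"}},
    "audit.log":  {"auditor": {"read"}},
}

# Accountability: every decision is recorded against a named principal.
AUDIT_LOG: list = []


def _audit(principal: str, action: str, asset: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "principal": principal, "action": action, "asset": asset, "outcome": outcome,
    })


def authenticate(username: str, password: str) -> bool:
    """Look up the claimed identity, then demand proof of it."""
    user = USERS.get(username)
    cred = user["cred"] if user else DUMMY_CRED
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ITERATIONS)
    # compare_digest is constant-time, so the comparison itself leaks nothing.
    ok = user is not None and hmac.compare_digest(candidate, cred["digest"])
    _audit(username, "login", "-", "success" if ok else ("bad-password" if user else "unknown-user"))
    return ok


def authorize(username: str, action: str, asset: str) -> bool:
    """Default deny: the principal's groups must be explicitly granted the action on the asset."""
    groups = USERS.get(username, {}).get("groups", set())
    allowed = any(action in ACL.get(asset, {}).get(g, set()) for g in groups)
    _audit(username, action, asset, "allowed" if allowed else "denied")
    return allowed


def access(username: str, password: str, action: str, asset: str) -> bool:
    """Full flow: no authorization check is even attempted until authentication succeeds."""
    return authenticate(username, password) and authorize(username, action, asset)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "write", "payroll.db"))  # True
    print(access("bob", "hunter2", "write", "payroll.db"))                        # False
    for entry in AUDIT_LOG:
        print(entry)
```

Each call leaves an audit record naming the principal, the action and the outcome, which is exactly the accountability property: a reviewer can later attribute every read, write or failed login to a named user.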

Tuesday, November 22, 2016

Information Security Learning Resources part 1

   Today we have a guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Information Security Learning Resources
or information security for the self-learner
by Chris Goff

This is the result of many years of notes. This is by no means an exhaustive list, nor the definitive path to information security.

If you come across a dead link, use the Internet Archive's Wayback Machine (https://www.archive.org).

Bookmark these Google Search cheat sheets, they will come in handy:

Official Google Cheat Sheet - http://www.google.com/help/cheatsheet.html

Google Advanced Operators Cheat Sheet - http://www.googleguide.com/print/adv_op_ref.pdf

Learning How To Learn - http://l.goodbits.io/l/407nqn1n

Core competencies

Here are three core competencies within information technology that will provide a solid foundation on which to start a security career:
  • Systems Administration
  • Network Administration
  • Programming
It is also critical that you learn to deal with people and business. Take some public speaking classes (Toastmasters: https://www.toastmasters.org/), volunteer for presentations at local groups, and volunteer to deliver training for folks at your workplace. One of the greatest methods of learning is to teach.

The core competencies are not a requirement; however, be aware that InfoSec staff are expected to be a Subject Matter Expert (SME) on most topics. If you wish to be successful, diversity of knowledge is key.
“There is no security without understanding.” – Michael Lucas, author of Absolute OpenBSD

Tuesday, November 8, 2016

Patch, Vault 'n Fob

   Well, I was trying for something catchy like Stop, Drop and Roll.  That's a saying we learned in school, back in the day, for what you should do if your clothes catch on fire.

   Fortunately, it seems like everyone has heard that saying and it rolls off the tongue.

   Unfortunately, my three word phrase Patch, Vault and Fob, is not nearly as catchy.

   Fortunately, the odds of your clothes catching on fire are low.

   Unfortunately, the odds of your software, browsers or accounts being compromised are very high.

   A couple of weeks ago the internet was hit with the high-impact, widely publicized distributed denial of service (DDoS) attack on Dyn, a DNS provider.  I won't go into the details here but I think I will cover DDoS in a future post.  Anyway, shortly after that I was chatting with someone at a dinner who asked me about this attack, internet safety in general and what they could do.  To keep it simple (and because, as a math person, I like things in 3's!), I provided these 3 simple (well, maybe straightforward is more accurate) things that absolutely everyone should do at home...

Tuesday, October 25, 2016

Lock Before You Leap

   Most organizations have some kind of requirement to protect data.  Sometimes it's regulatory; for example, organizations in healthcare, financial services or retail need to protect personal data on individuals.  But for sales, manufacturing or other industries like medical devices, their "secret sauce" could be intellectual property like formulas or proprietary processes, or customer lists.

   Whether it's critical data on people, processes or things, what most organizations have in common is that, if they cannot protect this information, the results could be fines or an inability to do business, and that directly translates to harm to people and organizations.

   There are so many ways to protect information (or to fail at protecting information), some more complicated than others.

   One very simple way that information can be breached, disclosed or otherwise lost is through unattended, unlocked devices.  For example, someone leaves a laptop logged in, screen unlocked, and walks away: someone else can take that laptop and would have access to any data it has.  This is also true for desktop workstations.  In this case the computer isn't likely to be taken, but if the workstation is unattended and unlocked, anyone else can access the data on that machine, leading to potential breaches and regulatory problems.