Windows 10 App Background Permissions

This is one of a series of user tips for protecting your privacy and security.

Windows 10 has a feature that allows apps to run in the background.

Is this a problem? Well, not in theory, but that is the problem. Theories are just that – our best guess at the moment.

If you allow an app to run in the background, even if you don’t explicitly start it or ever use it, the app can receive information, send notifications, download and install updates and eat your bandwidth and battery life (on laptops).

If you are running on an Internet connection that is not unlimited, it will also eat into whatever limit you have on your data transfer.

I don’t know about you, but I don’t recall saying it was okay for any applications to run in the background. You didn’t. To paraphrase a famous quote, we’re from Microsoft and we’re here to help you.

On your Windows 10 machine, start the SETTINGS app and then go to PRIVACY and then BACKGROUND APPS.

You should see a screen that looks like this:

In fact, there are multiple screens on my computer:

All of these apps are running in the background.

Whether you use the apps or not.

Many of these apps I have NEVER used.

It is possible that Microsoft MAY install updates in the background rather than through the Windows update process, but this seems dangerous since people can turn background apps off, so I am guessing they don’t do that.

Windows 10 lets you turn off background running on individual apps or all apps (at the top).
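The same per-app and global switches can be audited from a script, which is handier than clicking through several Settings screens on every machine. This is an added example, not something from the original post; it assumes the Settings page writes to the per-user registry key and the Disabled / GlobalUserDisabled value names shown below, which are taken from observed Windows 10 behaviour rather than from the post.

```powershell
# Added example: report which apps currently hold background permission.
# Assumption: Settings > Privacy > Background apps stores its switches under
# this per-user key, with a 'Disabled' DWORD per app and a 'GlobalUserDisabled'
# DWORD on the parent key for the "all apps" toggle at the top of the page.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications'

function Get-BackgroundAppState {
    # The global toggle: when it is off, no app runs in the background at all
    $parent    = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $globalOff = ($parent.GlobalUserDisabled -eq 1)

    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            PackageFamily  = $_.PSChildName          # the app's package family name
            PerAppDisabled = ($props.Disabled -eq 1) # individual switch on the Settings page
            # An app only gets to run in the background if neither switch is off
            Allowed        = (-not $globalOff) -and (-not ($props.Disabled -eq 1))
        }
    }
}

# List apps that are still allowed first, so the ones worth reviewing are at the top
Get-BackgroundAppState |
    Sort-Object -Property Allowed -Descending |
    Format-Table -AutoSize
```

Run it under the user account whose Settings you want to inspect, since the key is per user (HKCU), not machine-wide.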

Also consider that you may break something that depends on whatever you turn off – the Xbox Game Bar, for example – running in the background.

I, for one, am going to see if anything breaks.

Security News for the Week Ending August 28, 2020

Ransomware is an Equal Opportunity Business

As American businesses deal with ever increasing ransomware attacks, larger ransom demands and ransom and extortion wrapped up together, we are not alone. Not that the fact that we are not alone should make us feel better. A new Iranian hacker group is using Dharma ransomware to go after businesses in Russia, Japan, China and India. According to the researchers who discovered this, the hackers aren’t apparently quite sure what to do once they get in. Credit: Group-IB

New Zealand Stock Exchange Attacked

The New Zealand stock exchange was down for the third time in two attacks after hackers attacked with a volumetric attack (I think that is a fancy word for big). Basically, they crushed the exchange’s servers with a lot of useless data. You have to assume that a stock exchange has a lot of security in place and has certainly considered that someone might want to use it to make a point, so the fact that they went down three times and then halted trading says that (a) they made their point and (b) the exchange’s preparations were not sufficient. Do you care if your online systems are taken down by hackers? Are you prepared in case they try? Credit: News.com

Insider Threat Is a Real Problem

A Russian national inside the U.S. offered to pay an employee of an unnamed company $500,000 to plant malware in the company’s network. When the employee didn’t go for the plan, the Russian upped the offer to a million dollars. The Russian told him that the company would pay millions to not have their data posted on the web. The employee, instead, went to the FBI and the Russian national is now in custody. Credit: Security Week

UPDATE: It turns out the unidentified company is Tesla.

Homeland Security Releases 5G Strategy

Homeland Security’s CISA released a strategy document for the migration of the country to 5G. While those trying to sell 5G gear are pretending that the country is ready for 5G, the reality is that 5G that lives up to the 5G hype is years away except for small pockets.

The strategy document calls for 5G policy and standards emphasizing security and resilience, expanding awareness of 5G supply chain risk (code for beware of HUAWEI and China), encouraging other companies to get into the 5G game and identifying risk based on potential 5G uses.

All of this is good, but unless this is more than a press release, it will not make any difference. Credit: SC Magazine

I Can’t Seem to Get Away from Supply Chain Attacks

Supply chain attacks are attacks on the software (and hardware) that goes into the software (and hardware) that you buy. We keep seeing attacks that compromise that underlying software. Earlier this year, it was Ripple20 that affected millions of IoT devices. Many of those devices will likely never be patched and will be vulnerable forever. In part, that is because the products into which the Ripple20-affected software is integrated are no longer supported.

This week it is a series of Thales products that were discovered to be buggy. The bugs were found by IBM’s X-Force security team and disclosed to Thales. While Thales has released patches for these bugs, now begins the long hard slog to get vendors who used the Thales software and hardware to release patches. The bugs were actually discovered a year ago. Of course, no one knows if or when these bugs were discovered by hackers.

The hardware involved is a series of small computer circuit boards that are integrated into many IoT devices to support communications functions.

In this case, the boards store sensitive information like passwords and encryption keys.

Concerns include the possibility that these devices are used inside of medical equipment and if hacked, could possibly kill patients.

Another potential attack is against connected devices that manage the electric grid. Attackers could accidentally or intentionally take the electric grid down.

It’s even possible that hackers could compromise VPN concentrators, stealing encryption keys, certificates and other confidential information.

These are just two examples of supply chain problems.

What needs to happen now is for buyers to understand these issues and demand that vendors have a strong supply chain security program. Part of this is to create and provide buyers with software Bills of Materials.

In this case, the healthcare industry is concerned that connected medical devices, many of which are old and no longer supported, may be affected. In the case of healthcare devices, they also have the challenge of getting FDA approval to patch the devices.

While this article focuses on medical devices, the problem runs across all industries and all electronic devices.

Until buyers start demanding that sellers fix these problems it is unlikely to get any better. Credit: Health IT Security

It All Starts With Physical Access

Sometimes we focus on the details of cybersecurity protections. And ignore the core issues.

In a lot of cases, when companies have offices in multi-tenant office buildings, the Internet comes into a shared area of the building that is not part of the company’s leased space. This is called a Dmarc, short for point of demarcation. The demarcation is where the Internet provider’s responsibility ends and your company’s responsibility starts.

But this is not in your space. It could be in a closet or in the building’s basement. You may not even have access to that space. If you do have access, other people may also have access. It may not even be locked. I used to have an office in a building where all of the communications connections came in to the basement and that space didn’t even have a door, never mind a lock.

Many times it is more convenient to put your company’s network gear such as switches and firewalls in this area. That way you don’t have to allocate any space in your area.

But why is this a problem?

Because now a hacker doesn’t have to hack your network from the outside; he or she can just come in and be on the inside. He or she can pay a janitor a few bucks, at night, to let him or her in, for example, or pick a lock. When only the cleaning crew is there, is someone taking 60 seconds to pick a lock in a hall closet going to be noticed?

Come into the building at night when the cleaning crew is there and insert a probe into your network. The cleaning crew is not going to stop anyone. At that point the hacker may be able to see and capture and transmit all of your network data to any place they want. They can come back at some time in the future and retrieve their gear. Or consider it a throwaway.

So what should you be doing?

Number one is that YOUR Dmarc should be inside your office space and it should be locked in a cabinet. The cabinet can have a tamper seal on it (since locks are for honest people) to make it more likely that you can detect if someone tries to get into it.

Hackers sometimes masquerade as cleaners or maintenance people and even if the equipment is in your space, if it is easily accessible, then that is a problem. Other times they just bribe them.

No one wants to think that an employee would go rogue, but it does happen. Ask the NSA. They “vetted” Edward Snowden. It didn’t work out very well for them.

If you lock the equipment up – and I am talking all network gear – you at least make it more difficult for the hackers.

You still have to deal with that common area Dmarc, but for a one time fee, the utility will typically extend that into your space. Then they are responsible for that wire. If you have to extend it yourself, you really should put your firewall at the end of the wire that is in your space. That way, anything outside your firewall is not trusted and not a whole lot different than what a hacker sees from the Internet – untrusted and with no sensitive data.

If you have questions about how your network gear is protected, reach out to us. We can do a virtual inspection and make recommendations for improvements, if needed.

Beware: Changes to HTTPS Certificate Requirements

This is a follow up to yesterday’s newsletter alert and sorry, it is a bit technical, but I will try to make it as untechnical as possible.

Up to a few years ago, if you ran a website, you could buy an HTTPS (also known as a TLS or SSL) certificate that didn’t expire for 10 years. The problem is that if something happened, a malicious actor could continue to use that certificate and masquerade as a legitimate website owner, possibly for an additional 9 and a half years.

There was a certificate revocation process to stop compromised certificates from being used any more, but it never really worked.

As a result, a few years ago, the board that oversees the browser makers (called the CA/Browser Forum) and the certificate authorities that issue certificates reduced the allowed lifetime for a certificate to three years. This was a lot better than 10 years, but still a malicious actor could use a compromised certificate for several years.

As the CA/Browser Forum continued to wrestle with how to deal with compromised certificates, they invented something called OCSP, or the Online Certificate Status Protocol. The idea is that the user’s browser could look inside the certificate to find the OCSP web site that the certificate creator runs, and a browser can use that website to see if a certificate is still good. The problem is that this process doubles the number of requests that are required in order to load a web page. For example, as I write this, the home page of Fox News requires 84 separate calls just to load that one page. Some might be an image or a video or it could be some code. If you have to check to see if the certificate for each of these loads is valid, now you have to make 168 calls, significantly increasing the time to display the results to the user.

And, what do you do if that web site is down, overloaded or takes too long to respond? Do you not display the page?

During this time the CA/Browser forum reduced the allowed lifetime of a certificate to just two years. Still a bad actor can do damage for a year or more, but each time, we reduce the window for malicious activity.

Then they came up with yet another standard called OCSP Stapling. With stapling, the website owner is responsible for checking to see if the certificate is still valid. A website will get an OCSP certificate from the certificate authority, say, every few hours. That is then “stapled”, securely, to the HTTPS certificate that is sent to the user’s browser. When there is, say, an hour left in the life of the OCSP certificate, the website owner orders a new one. It has an hour, say, to get it, and that is an eternity in browser time. For a while not all browsers understood stapling, but now they do.

BUT, there is nothing to force a web site to support either OCSP or STAPLING and many do not support either.

Sometime along this time, came Let’s Encrypt. Let’s Encrypt offers a lower security (but okay for many users) certificate, but it is free and it only lasts 90 days before it expires. Now we have really reduced the bad actor’s window of opportunity.

But Let’s Encrypt came with a new standard called ACME (this has nothing to do with the Road Runner 🙂 ). With ACME, once you get Let’s Encrypt installed on your server, it AUTOMATICALLY renews itself every 90 days. This completely eliminated the work for administrators to manage it, and Let’s Encrypt has now issued a BILLION certificates.

Of course the certificate authorities aren’t thrilled with someone giving away their product for free, even if it is a slightly lower security product.

There was an effort in February to reduce the lifetime of certificates to one year, but it failed to get approved at the CA/Browser Forum meeting. Administrators and certificate authorities complained about the workload, but if everyone implemented ACME or something like it, that problem goes away.

OK, so now you are up to date. Fast forward to 2020.

Like Google, Microsoft and others, Apple has a lot of clout. After the move to reduce the certificate life to one year failed earlier this year, Apple said you guys can do whatever you want, but we are not going to display any web page that has a certificate (and this is important) THAT WAS ISSUED AFTER SEPTEMBER 1, 2020 AND HAS A LIFETIME OF MORE THAN A YEAR PLUS A MONTH GRACE PERIOD.

This means that if you have a new certificate that has a two year life and someone visits your website from an iPhone, iPad or Mac after September 1, they will get an error message.

So basically, Apple forced the issue.

Once this was a done deal, Google dogpiled.

This means that if you get a new certificate with a two year life after September 1, about 80% of the world’s users will no longer be able to get to your website.
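A quick way to find out whether you are affected is to check the issue date and lifetime of the certificates your servers actually present. This is an added example, not code from the original post: it assumes the "year plus a month" limit described above is 398 days (the figure used in Apple’s and Google’s policies) and that the certificates of interest are in the Windows local machine personal store.

```powershell
# Added example: flag certificates that Safari and Chrome will reject under the
# rule described above: issued on or after 1 September 2020 AND valid for more
# than one year plus a roughly one-month grace period.
# Assumption: that limit is 398 days, as in the browser vendors' policies.
$cutoff  = [datetime]::new(2020, 9, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$maxDays = 398

function Test-CertLifetime {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $issued   = $Cert.NotBefore.ToUniversalTime()
    $lifetime = ($Cert.NotAfter.ToUniversalTime() - $issued).TotalDays

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issued       = $issued.ToString('yyyy-MM-dd')
        LifetimeDays = [math]::Round($lifetime)
        # Certificates issued before the cutoff keep working until they expire;
        # only newer ones with a long lifetime trip the rule
        Rejected     = ($issued -ge $cutoff) -and ($lifetime -gt $maxDays)
    }
}

# Check every certificate with a private key in the machine's personal store,
# i.e. the ones a web server on this box could present to a browser.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CertLifetime -Cert $_ } |
    Sort-Object -Property Rejected -Descending |
    Format-Table -AutoSize
```

To check a certificate file instead of the store, build the object from the file, e.g. `Test-CertLifetime -Cert ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\path\to\site.cer'))` (placeholder path).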

THIS is why the change is kind of important.

Got questions? Contact us. Credit: ZDNet

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bans the use of equipment and services tied to certain Chinese companies that have been deemed security threats by the United States. Companies that have this equipment won’t be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law. But contractors are allowed to self certify. While the ban went into effect on August 13th, the GSA training session for contractors has been delayed until mid-September – because they weren’t ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch asks contractors to take notes on how this is screwing up their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow down clause, so primes are responsible for what their subs do, I guess. Sorry contractors. Credit: Federal Computer Weekly

Senators Say WikiLeaks Likely Knew It Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and WikiLeaks likely knew that it was helping Russia. The Senate report says WikiLeaks received internal DNC memos FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the person who was the link between the campaign and Russia. It seems odd that this Republican controlled committee would release this report days before the Republican National Convention’s nomination of Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s Chief Security Officer with hiding information about the breaches they had in 2014 and 2016 and about payments they made to the hackers to keep the breach quiet. He is being charged with obstruction of justice and misprision of a felony (i.e. hiding it). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer to that is, it depends. This week we found out one thing that happens to that data. The U.S. Secret Service buys it and uses it instead of having to get a warrant to get that same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market any products. Curiously, the company that they bought it from does not advertise that they sell your data to the police. In fact, their agreement, similar to the agreement that the Stingray’s provider makes the police sign, says that they are forbidden from mentioning it in legal proceedings at all. When this has been an issue with Stingrays, the police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing Them to Police

Securus provides pay phone services in prisons at what most people say are exorbitant prices. Sometimes they charge 100 times the going price outside. According to theory (and law), Securus is not supposed to listen to or record phone calls between inmates and their lawyers. The only reason they were caught was that a detective was listening to recordings provided to him by Securus and recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register