Category Archives: Privacy

Your Home Internet Router – Are You Inviting Hackers to the Party?

Your home Internet connection router or modem is the front line of defense against Internet intruders.

Think of it as soldiers “manning the wall”, armed to the teeth, ready to repel intruders.

At least, hopefully repelling intruders.

But what if, instead of that scenario, your guards had turned into Benedict Arnold and were working for the other side?

Probably not intentionally, but in fact.

So what should you do to keep your Internet “guard” on your side rather than on the other side?

Here is a list of recommendations.  At least part 1.

Many times, the Internet gateway, if it is provided by your ISP (internet service provider), is not a great piece of hardware.  Sometimes it is okay, but often not so much.

If you have the option to provide your own device, that is likely a much more secure solution. 

In either case, change the password that you were given for the device.  Many times, ISP-provided devices have a back door, so changing the password doesn’t help much, but it might.

If your ISP has a device on your network that they can get into, likely they can see most of your traffic, both local and on the Internet.  Even if it is encrypted, although that is harder.

Next make sure the firmware (software) in the device is up to date.  Typically, if you can log into the device, you can find a menu option to check for software updates.  A couple of years ago I was working on a device for a customer and discovered the firmware was 7 years old.  And there were no updates.  This qualifies as one of those “not so much” devices.  It just means that the manufacturer doesn’t care about security because they are not liable.

If you do go out and buy your own modem or router, check the vendor’s history on software updates.  If, in general, they are pushing out regular updates, likely they will do so for the device that you buy.  Also check out reviews online.

Sometimes Internet providers don’t isolate you from the Internet at all – they don’t care either;  they are not responsible.  Probably somewhere in the fine print it warns you.  In a place you don’t read.

You can find out if your computer is on the Internet directly, but that is beyond the scope of this blog post – you may need to ask one of your geeky friends to do that for you. 

A better way to protect yourself is to add your own hardware firewall between your ISP’s device and all of your computers.  That way you are in control.  If possible, select a firewall that updates its software automatically.  We can provide recommendations.

Assuming that you don’t live alone – and even if you do – there are likely many devices on your network at home.  Could be as simple as your cable set top box or a Ring video doorbell.  Or it could be your kids’ computers.  Or any number of other devices.  Those devices can also represent a security risk.  Make sure they are all patched too.  Sometimes that is hard.  You really have to do it anyway.

If you can isolate your work device from the rest of those other devices, that is really best.  It may take some IT support to do it, but if security is important, it is worth it.  It could be as simple as buying a dedicated WiFi access point for your work computer or plugging it into a different port on the firewall  – it will likely take some expertise to figure it out, but only one time.

These are some basics;  there are a lot more, but start there.  Another day, more on the subject.

Of course, you can always contact us for assistance.


FBI: Building Digital Defense with Browsers

As more of our computing world lives inside a browser, the risk goes up.

As we move to Work From Home, the risk goes up again because we no longer have corporate infrastructure to chop off the top few layers of attacks.  Also many of us have kids that either share our computer or share our network.

The FBI has launched an initiative to protect political campaigns and voters from foreign influence campaigns and cyber attacks called Protected Voices.

The Portland office of the FBI adapted some of the recommendations from that program into recommendations for everyone.

Before I give you the list, let me warn you that it is going to expose that perennial issue – security or convenience – PICK JUST ONE!

Here are the FBI’s recommendations:

Note: How you implement these will be browser and system specific

  • Disable AUTOFILL
  • Disable remember passwords
  • Disable browsing history

Disabling these features makes it more difficult for malware on your system to steal sensitive data.

  • Do not accept cookies from third parties

Note that some browsers do this by default.  Doing this reduces the ability of third parties to track you and aggregate your browsing habits.  And sell them.

  • Clear browsing history when you close your browser or use incognito mode

Note that this means that you actually have to close your browser.  Again, this reduces your fingerprint and makes it more difficult for advertisers (and hackers) to track you.

  • Block ad tracking
  • Enable do not track (there has to be at least one site on the web that honors this)

There are a number of good ad blockers.  Apple and Firefox have built in ad blocking.  Not only does this make it harder to track you but it stops malware laden ads from running on your system.

  • Disable browser data collection

All browsers like your digital exhaust;  that is why they collect it, but it is none of their business.

  • Make sure that if a web site wants your digital certificate, you have to approve each request

Your digital certificate *IS* your signature.   Protect it.

  • Disable caching

Caching makes browsing faster, but apps and web pages can find out what is in the cache and figure out what you are doing and where you have been.

  • Enable browser features to block malicious, deceptive and dangerous content.  Different browsers do this in different ways; some more privacy friendly than others.

What is true about all of these features is that they will have some impact on your browsing experience.  You don’t have to implement all of them, but each one makes things a little more difficult for the bad guys.

It is your call.
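As the note above says, how you apply these is browser specific. The following added example (not from the FBI or the original post) audits a Firefox prefs.js or user.js file against the list; the mapping from each recommendation to a Firefox preference name is this example's assumption, and the sample preferences are constructed.

```python
import json
import re

# Firefox about:config names chosen for this example; check them in your version.
# Each entry: preference -> (recommended value, FBI recommendation it maps to).
RECOMMENDED = {
    "browser.formfill.enable": (False, "Disable autofill"),
    "signon.rememberSignons": (False, "Disable remember passwords"),
    "places.history.enabled": (False, "Disable browsing history"),
    "network.cookie.cookieBehavior": (1, "No third-party cookies"),  # 1 = reject third-party
    "privacy.sanitize.sanitizeOnShutdown": (True, "Clear history on close"),
    "privacy.donottrackheader.enabled": (True, "Enable do not track"),
    "datareporting.healthreport.uploadEnabled": (False, "Disable browser data collection"),
    "security.default_personal_cert": ("Ask Every Time", "Approve each certificate request"),
    "browser.cache.disk.enable": (False, "Disable caching"),
    "browser.safebrowsing.malware.enabled": (True, "Block malicious content"),
    "browser.safebrowsing.phishing.enabled": (True, "Block deceptive content"),
}

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$', re.M)

# Constructed sample of a profile's prefs.js / user.js (not a real profile).
SAMPLE_PREFS = '''\
// constructed sample
user_pref("browser.formfill.enable", false);
user_pref("signon.rememberSignons", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("browser.cache.disk.enable", false);
'''

def parse_prefs(text):
    """Return {name: value} for every well-formed user_pref() line."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        try:
            prefs[name] = json.loads(raw)  # true/false, integers and "strings" are valid JSON
        except ValueError:
            continue  # skip values this simple parser does not understand
    return prefs

def audit(text):
    """Return (wrong, unset): prefs set against the list, and prefs left at the browser default."""
    prefs, wrong, unset = parse_prefs(text), [], []
    for name, (want, label) in RECOMMENDED.items():
        if name not in prefs:
            unset.append((label, name))
            continue
        have = prefs[name]
        # Compare the type too, so JSON true is never accepted where the integer 1 is expected.
        if type(have) is not type(want) or have != want:
            wrong.append((label, name, have))
    return wrong, unset

if __name__ == "__main__":
    wrong, unset = audit(SAMPLE_PREFS)
    for label, name, have in wrong:
        print(f"CHANGE  {label}: {name} is {have!r}")
    for label, name in unset:
        print(f"CHECK   {label}: {name} not set in file, browser default applies")
```

A preference missing from the file is reported separately because the browser's built-in default applies, and that default differs between versions.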

Source: FBI


Working from Home Security Challenges / Coronavirus

The bad guys did not waste any time using the Coronavirus pandemic to attack folks who are suddenly Working From Home (WFH) or Studying From Home (SFH).  Here is some information to help those of you who are WFH to navigate the perilous path.

Given that many WFH programs were created out of nothing in almost zero time or scaled up from zero to 60, it is no surprise that there might be a security hole or two.

This applies not only to employees working from home but also to students attending school from home.

First of all, hackers are pumping out tons of malicious emails themed around Coronavirus.  The malicious emails are compromising systems with password stealing malware and remote access back door software, among other goodies.  And don’t forget that old favorite – ransomware.  More on that later in this post.

Given how stressed people are, they are likely to forget their security training.

Another challenge for WFH/SFH – making sure that all devices are fully patched.  That is going to fall more on the end user now.  Companies who have fully automated that are in better shape, but lots of organizations are not set up for that.  THIS INCLUDES PHONES AND TABLETS!

Another problem is home and public WiFi.  At work, the company can control the setup of company WiFi, but at home it is a bit of the wild west.

For example, when was the last time you patched your WiFi server and your Internet router, modem or firewall?

When did you last have a security expert check the security configuration of those devices?

If your company uses older, in-office systems, they likely do not work very well for remote workers.  There is no quick fix for this.  It is fixable, but the fix requires new hardware and employee training.

Companies who are in regulated industries such as healthcare, finance or defense have additional problems.  How do you continue to comply with the security laws and regulations that these industries have to comply with?  In fact, in many of these industries employees are not allowed to work remotely by regulation or law.

To make matters worse, in many cases, IT doesn’t have the right tools to securely assist workers who are no longer at the office.  If an employee uses a virtual private network (VPN) to connect to their work network, it usually makes it even more difficult for IT to securely connect back to them in order to provide tech support.  Even in cases where it does work technically, many times the company has not bought the right support tools to make this possible.

Of course, employees who are using their mobile devices more open up yet another attack vector.  Many phones and tablets are horribly out of date when it comes to security patches.  Many phone manufacturers do a crappy job of releasing patches and for older phones – say more than 2 years old – many times the manufacturer says they are no longer supported and leaves the user wide open to a whole raft of attacks.

Companies need to conduct a risk assessment of the remote work environment to make sure that they understand what new risks the company is accepting.

Companies need to consider whether they even have enough security software licenses such as VPN connections.  Employees will create unsafe workarounds if the company can’t provide them tools that are secure.

Here is a screenshot of a malicious email.  It pretends to be from the CDC, but the email address in the red box shows that this is not the real CDC.  The URL in the second red box looks like it is from the CDC, but if you hover over it, it turns out that it is not.

Cybercriminals sent this coronavirus phishing email, which was designed to look like it came from the U.S. Centers for Disease Control and Prevention. Courtesy of Kaspersky.

The spam emails might claim to provide information on the Coronavirus or perhaps provide a way for people to contribute to those who need help.  Unfortunately, the only ones these people are helping are themselves.

KnowBe4 published a picture of an email containing a QR bar code asking for donations (see below).  If you want to make the folks in China or North Korea rich, you should donate.


This piece of spam, also from KnowBe4, asks you to watch a Coronavirus video.


It promises secret information that the government isn’t telling you.  If you buy their book for $37.00.

That is actually good because some of them tell you that you need to update your software in order to view this secret video.  In fact the update is software that infects your computer, steals your passwords, empties your bank account, encrypts all of your data or some combination of the above.

In the following email, if you just click on the link, some dude will tell you everything you need to know about the Coronavirus and how to stay alive.  NOT!


Suffice it to say, this is a bit of a mess and it is not likely to get any better soon.

Companies will, unfortunately in this time of uncertainty, need to up their security spending.  The alternative might be a bit of a train wreck.

If you do need help or have security questions, please reach out to us.  After all, we are staying home to stay safe :).

Information for this post came from Threatpost, GCN, the US Secret Service and KnowBe4.


Security News For The Week Ending February 28, 2020

Russia Behind Cyberattacks on Country of Georgia Last Year

The State Department and the UK say that Russia was behind the attack on over ten thousand websites in the Country of Georgia last year.

They also formally attributed Sandworm (AKA Voodoo Bear, Telebots and BlackEnergy) to Russia’s GRU Unit 74455. Sandworm is the group responsible for the attacks against Ukraine’s power grid in 2015 and 2016 as well as NotPetya and other attacks. Not a nice bunch, but highly skilled. Andy Greenberg’s book, Sandworm, tells a scary story about these guys.

This is an interesting announcement from the State Department given the general position of the White House regarding Russian hacking. Here is the State Department’s press release.

Google to Restrict Android App Access to Location Tracking

Google is changing the Google Play Store policy for apps accessing your location when they are running in the background in response to user concerns.

The “user” is likely the folks running GDPR and the concern is the potential fine of 4% of Google’s revenue (AKA $6.4 billion).

They are reviewing all apps in the Play Store to see if they really need background access to your location or whether the user experience is just fine without them collecting and selling your location.

New apps will have to comply with this new policy by August 3 and existing apps will have until November 3 to comply.

In Android 11 you will be able to give an app ONE TIME permission to access your location data. When the app moves to the background, it will lose permission and will have to re-request it if it wants your location again.

This is actually pretty cool, but GDPR went into effect almost two years ago and they are just doing this now? Could it have something to do with an EU investigation of their use of location data? Probably just a coincidence. Source: PC Magazine

Accused CIA Vault 7 Leaker Goes To Trial

Accused CIA Vault 7 leaker Joshua Schulte’s trial for leaking top secret documents to Wikileaks started earlier this month. Schulte is accused of leaking top secret programs that the CIA used to hack opponents, causing serious embarrassment for their horrible security, allowing those tools to get into the hands of hackers and allowing our enemies to know how we hack them. It also cost the CIA a ton of money because they had to create a whole bunch of new programs that exploited different bugs that they had not disclosed to vendors to fix. Apparently Joshua is a bit of a challenge to work with and manage. Not only was he “a pain in the ass” but he also was into kiddie porn. He will be tried on those charges separately. Schulte’s lawyers say the government failed to turn over evidence that there might have been another leaker and want the court to declare a mistrial. WOW! Read the details here.

Microsoft Trying to Do Away With Windows “Local” Accounts

For those of you who have been long time Windows users, you know that you had a userid to log on to the computer and then, possibly, if you want, another userid and password to logon to cloud services.

Like Google, Microsoft wants as much information about you as it can possibly collect. They also want you to use all of Microsoft’s online services, all of which are tied to your Microsoft login and not your local Windows login.

Microsoft’s answer? Make it very difficult for a user to logon to his or her computer with a local login. In fact, as of the most recent update to Windows 10, the only way to create a local, non-Microsoft, login is to disconnect your computer from the Internet when you first install it.

After all, they know that you DO want them to snoop on everything that you do. Source: Bleeping Computer


What Does Your Car Know About You?

Here is what the connected world looks like and why car makers want 5G.

It starts with hundreds of sensors, at least.

But the data it collects? That data does not belong to you and the owner’s manual doesn’t say anything about it (which is legal in every state besides California).

So what would you do if you were a reporter working for Wired?

Hire a hacker and hack your car.

In this case, a 2017 Chevy Volt.

Almost all new cars come with a built in Internet connection, whether you want it or not.  100% of Fords, GMs and BMWs.  All but one Toyota and Volkswagen.  Sometimes it is free (because they want the data).  Other times it comes with a fee.

The Wired reporter and an engineer who tears apart cars (after crashes) for a living met in an empty warehouse with a Chevy Volt belonging to a friend of the reporter.

These cars can generate upwards of 25 gigabytes of data PER HOUR that the car is running.  Of course, most of this data stays in the car, but *IF* the manufacturers had 5G cell connections, I bet more of it would get transmitted back to them.

In their case, they hacked into (literally) the radio – which is now called an infotainment system – to see some of the data that it collects. They were able to see only a tiny fraction of the data that is being collected.   Here is what it looked like when they were working on it.

Buried behind the touch screen and radio controls sits our Chevrolet's infotainment computer, a box identifiable here by a circle for its fan. (Geoffrey Fowler/The Washington Post)

They found location data – including the warehouse where they were taking the car apart and the hardware store where he went to buy some tape.

It included the unique ID numbers of the two phones that Wired was using.

It included a long list of contacts’ addresses, emails and photos.

They also bought a used infotainment system on eBay and found reams of data on it.

Fords record location data even if you don’t use the navigation system.

Some Beamers have a 300 gigabyte hard drive in them to store the data.

Teslas can even collect video and store it.

If you have a self driving car, there are cameras that watch you.  That data will likely be stored.

When the car’s owner asked GM what they collected and who they shared it with, they declined to answer.

When Wired asked, they got a very vague answer.

A lot of this is dependent on what features you ask for.  If you want the ability, for example, for Amazon to unlock your car and deliver packages, you have to have remote unlock.  If you want remote key access, well, there is another access point.

Most people don’t even know what services come with the car.

And maybe you don’t care if the car maker and the government and hackers are tracking you.  If so, no problem.

The fewer bells and whistles you get, the less private data (as opposed to engine data) they will be able to collect.

And, we think, if you replace the radio with an after market radio (infotainment system), you will likely disable a lot more.

BUT, you will also disable some features.

Likely, for example, OnStar is connected to the Infotainment system, so if you replace it, that might disable OnStar.

Or, you could buy an older, used vehicle.

Certainly an interesting world.

Source: Wired


5G Security Is a Mess and Banning Huawei WILL NOT Help

The President is right that cellular security is a problem, but not for the reason that he thinks – although that is a problem too.

Researchers at Ruhr-Universität Bochum have discovered a way to compromise 4G cellular security – the cell service that almost all of us use now.

It allows them to impersonate the phone’s owner and book fee based services that get charged to the owner’s phone bill.

It also could impact law enforcement investigations because it would also allow a hacker to access websites using the victim’s identity. In fact do anything the real owner can do.

If the attacker wanted to blackmail someone, they could upload sensitive or compromising information and then lead the cops to that info. The cops would believe the owner did it. Hackers could threaten to do that in order to blackmail someone.

The vulnerability affects all LTE devices – Apple, Android, Windows – even Cellular IoT devices.

And the only way to fix it is by changing the hardware – at both the user end and the cell company end. Any bets on that getting fixed? I didn’t think so.

The team is trying to figure a fix for the next generation (5G). They say that it is possible.

But it is going to cost the cell carriers money.

The additional security requires the phones to transmit more bits, costing the carriers overhead.

And all 5G phones would have to be replaced (DO NOT buy one if you have not already done so).

And the base stations would have to be expanded.

Other than that, it is a piece of cake.

The problem is the lack of integrity protection: data packets are transmitted encrypted between the mobile phone and the base station, which protects the data against eavesdropping. However, it is possible to modify the exchanged data packets.
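Why encryption alone does not stop modification, and what an integrity check adds, shown as an added example that is not from the researchers or the original post. The cipher is a toy counter-mode stream cipher built from SHA-256 as a stand-in for the real LTE algorithm, and the keys and payload are constructed.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256: a toy stand-in for the LTE cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, data):
    """Encryption only, no integrity. Decryption is the same operation."""
    return xor(data, keystream(key, nonce, len(data)))

def modify_in_transit(ct, offset, old, new):
    """Swap known plaintext bytes inside a ciphertext without knowing the key."""
    delta = xor(old, new)  # flipping a ciphertext bit flips the same plaintext bit
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def seal(enc_key, mac_key, nonce, data):
    """Encrypt, then add an HMAC-SHA256 tag over nonce and ciphertext."""
    ct = encrypt(enc_key, nonce, data)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Verify the tag before decrypting, so modified packets are rejected."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: packet modified in transit")
    return encrypt(enc_key, nonce, ct)

def demo():
    enc_key, mac_key, nonce = b"E" * 16, b"M" * 16, b"N" * 8  # constructed keys
    packet = b"amount=0100;to=alice"                        # constructed payload
    ct, tag = seal(enc_key, mac_key, nonce, packet)
    tampered = modify_in_transit(ct, 7, b"0100", b"9900")
    without_integrity = encrypt(enc_key, nonce, tampered)   # receiver decrypts blindly
    try:
        open_sealed(enc_key, mac_key, nonce, tampered, tag)
        detected = False
    except ValueError:
        detected = True
    return without_integrity, detected

if __name__ == "__main__":
    print(demo())
```

The tag is the extra data per packet: here 32 bytes on a 20-byte payload, which is the kind of overhead the post says carriers would have to pay for.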

For more info see Help Net Security and CSO Magazine.
