Category Archives: Safety

Sharing Passwords – Everyone Does It

Do you know the password to your spouse’s computer?

What about his or her social media accounts?

His or her email accounts?

Not married, just friends, maybe with benefits – what about his or her passwords?

We will get to work passwords in a minute.

ExpressVPN asked 1,500 American adults in an exclusive but not married relationship about their password sharing habits.

Couples, they say, share a variety of passwords and, most commonly, within the first six months of dating. What could possibly go wrong?

Here is what ExpressVPN found:

The most commonly shared passwords are for video streaming (78%).

Followed by mobile devices – nothing sensitive on your phone I am sure (64%).

Then comes music streaming (58%).

47% share social media passwords and 38% share email passwords.

Respondents said that sharing passwords is most indicative of trust (70%), commitment (63%), intimacy (54%), marriage-material (51%), affection (48%), and vulnerability (47%).

Given that half of Americans who marry get divorced and lots of people don’t even get married any more, the idea of sharing passwords might have some “long term” problems – as in when one of you moves on.

Now lets move to work passwords. Everyone has their own userid and password, but in many companies, the way that account setup is done, so does IT and sometimes, even your boss knows. Sometimes, even your coworkers, even if that is against company policy.

FYI, if something bad happens and you want to prosecute the employee, if you are one of the above companies, you better have some really good evidence (it is possible, but hard).

In many companies, employees, especially within a department, share passwords to some cloud services, such as those that charge by the user.

And IT often has “system” passwords – ones that “have to” be shared.

And don’t forget passwords to Internet of Things devices like, for example, your Alexa.

Lets say that at some point the magic fades.

If you are not married you split. If you are married you get divorced. If you are employed, you leave, voluntarily or otherwise. If you are a vendor to a company, the company changes vendors.

In any of these cases, do you know what passwords are at risk? In many cases, the answer is no.

If the separation is “less than friendly” – whether work or personal – can you change the at risk passwords quickly?

Do you know if the other person has downloaded your data – business or personal – before the split?

Everyone wants to assume that people are honest and that bad things won’t happen but the percentage of employees, for example, who take data with them when they leave is high. In 2015 Biscom did a survey. 87% of employees took data with them that they created and 28% took data that others created. While these numbers are old, they are probably still in the ballpark.

Most companies don’t change passwords when employees leave because it is logistically challenging, but especially with IT folks, if they are disgruntled, they can and have done major damage. Likewise scorned lovers have done their share of damage too. All you need to do is check out the news from time to time.

Like I said, no one wants to think that relationships, business or personal, will end and even fewer think that they will end badly.

To quote Maya Angelou: “Hoping for the best, prepared for the worst, and unsurprised by anything in between.”

Just a suggestion.

Credit: ZDnet

Security News for the Week Ending October 2, 2020

False Claims Act Means Big Fines

I had heard about the Department of Justice going after companies for misrepresenting things in federal contracts. I remember that Cisco paid a fine of less than $10 million, so I didn’t think it really meant much. But in a press release, the DoJ says that they recovered over $3 BILLION last year. That includes health care fraud, procurement fraud and other fraud. But 2019 was not an anomaly. In 2018 they recovered $2.8 billion; in 2017 they recovered $3.5 billion and in 2016, it was $4.9 billion. That is a lot of money, so if you are thinking about misrepresenting things in a government contract, you might want to reconsider. Read the details here.

911 Service in Multiple States Goes Down

Issues were reported by police departments in counties across Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, and Washington. Initially, it was thought that it was related to an outage at Microsoft at the same time. Many of the 911 dispatch centers were able to recover in less than an hour, but that turns out not to be the case; see yesterday’s blog post. Credit: ZDNet

DoJ Wins Case Against Snowden to Seize His Money

This has nothing to do with whether he is guilty of whatever. This is a simple contract dispute. If you go to work for the government and get a security clearance, you agree to let the government clear certain publications and speeches you make to make sure that you are not disclosing classified information. The Supremes have said in the past that the government can seize the proceeds from these illegal speeches and publications. In Snowden’s case, that is about $5 million. It is not clear that Snowden expected to keep the money; he knew the rules. Of course, if the money is in Russia with Edward, well, good luck. Credit: The Register

Still the Best Reason NOT to Buy Huawei Equipment

The White House has claimed that Chinese telecom provider Huawei is a national security risk – a tool of the Chinese government. That may be, I don’t know. But the Brits have been much more honest and open about things. The Brits have been evaluating Huawei’s software and they say that it is as secure against intruders as a screen door. Huawei says that these bugs prove that they are being honest. Not sure about that. Maybe they mean that they are too stupid to design backdoors for the Chinese government. Credit: The Register

Samsung has a Deal for You

Samsung has an interesting deal. They say to their advertisers that they will display an ad to an owner of one of their TVs, every time it is turned on and there is nothing the owner can do about it. They say this is about 400 times a month per TV. They use something called Automatic Content Recognition to understand whether you watch sports or movies (and what kind) or whatever and tune the ads to that. They do not tell you before you buy the TV that you are agreeing to that. Of course, if you have a dumb TV, that is not a problem, but that is not the direction the planet is going in. Perhaps buy a different brand. Credit: The Register

Universal Health Services Hit By Ransomware – 250 Hospitals Affected

UHS, which runs hundreds of hospitals and clinics, including behavioral health and addiction care and which has concentrations of facilities in California, Texas, Nevada and Florida has taken its systems offline. While they have not said what is going on, the scuttlebutt is that is the Ryuk strain of ransomware. Just what a hospital needs right now. They have shifted to paper based processes, although they say their electronic medical record system was not affected (it may just be offline right now but not encrypted). Utter chaos is probably rampant. Lawsuits to follow if people die. Credit: Security Week

Is Your Computer Spying on You?

It is pretty interesting what you find when you rummage around your computer.

Most computers these days have cameras and microphones. Do you know which applications can access your camera? What about your microphone? I didn’t. In fact, I didn’t even know where to look to find the answer to that question. When I looked, I was surprised what I found.

Both of these device controls can be found in the Windows SETTINGS app.

In settings, click on CAMERA to see this:

From this screen, you can see which apps, on my computer, had access to my camera. I understand why Skype needs access to my camera (maybe – depends if you are a Skype user), but why does the 3D Viewer need it? I am not even sure what that is. Microsoft Photos? I ONLY use it to look at pictures. Disable all of those items that you do not want to give access to your camera. You can always turn it back on if you want to.

Now move onto your microphone. It is on the same screen, just further down.

Again, there are apps that I don’t even know what they are that have access to my microphone. What is the feedback hub anyway?

Note that Microsoft’s Cortana is disabled. That is because I don’t use it. If you do use it, it needs to be on.

It is unlikely that these apps are evil, but they do increase the attack surface.

Every app has the possibility of being compromised or having bugs that allow hackers to take over the apps and take control your devices.

You have probably seen people that put tape or little slides over their cameras. That pretty effectively stops people from seeing things that they should not see.

There is no equivalent way to stop apps from hearing what is going on. Tape does not solve this problem.

In some cases there is a way to handle this.

After using a laptop for many years, last year I switched to a desktop. I wanted to have a more powerful computer – multiple disk drives, an amazing amount of memory, etc.

One thing that happened as a result of that was that I no longer had a built in camera. My camera sits on top of my monitor and plugs into a USB port.

For me – and this won’t work for everyone – I unplug my camera when I am not on a video conference. That camera, an inexpensive Logitech unit, is also my computer’s microphone. When I unplug the camera, the microphone is unplugged as well.

Highly effective. I don’t know how to hack a camera or microphone that are not connected and not powered on. Consider that.

Just food for thought.

NSA Offers Recommendation to Reduce Cellphone Exhaust

If you didn’t know better you would think the NSA is trying to turn over a new leaf. Credit Anne Neuberger.

A couple of years ago the NSA dissolved the Information Assurance Directorate – the group that helps the good guys. To me, this was an incredibly stupid move on the part of the NSA.

Fast forward to late last year and the NSA reincarnated IAD and called it the Cybersecurity Directorate. Same mission.

But the NSA had a horrible rep that they spent most of their effort on OFFENSIVE cyber and very little on DEFENSIVE cyber.

Anne Neuberger is the new head of the Cybersecurity Directorate and she has been working hard to change that reputation.

Photo of Anne Neuberger
Anne Neuberger

Fast forward to this week. The Cybersecurity Directorate released a memo on reducing the exposure from your cellphone data. What we affectionately call your digital exhaust.

They rightfully say that you cannot eliminate your digital exhaust but you can reduce it. While this article is targeted at government employees, it is useful to anyone who is concerned about their digital footprint.

They explain that just having your phone turned on, even if location tracking and your GPS are off, gives location information to apps, who collect and sell it. Even if you phone is in airplane mode, you could be giving away your location.

The whole idea of telling people how to reduce their footprint goes against the NSA’s offensive mission. Kudos to Anne Neuberger.

The memo also talks about tracking you from your fitness device and other items like this. The feds had a virtual heart attack recently when a bunch of data appeared from, I think, Fitbits, that showed this strange activity pattern in a place where no one should be. Like, perhaps, a secret base run by special operations soldiers. Oops.

So if this is a subject that is of interest to you, check it out.

Even if it is just out of curiosity. Credit NSA via Cyberscoop

Critical Infrastructure Can be Hacked by Anyone

Well that is not a comforting thought.

Cybernews is reporting that using an Internet of Things search engine (like Shodan, but they don’t say which), they were able to scan big swaths of the Internet. In their case they were looking for exposed IoT systems.

Not just any IoT, but critical infrastructure IoT. Here is just a sample of what they found.

This represents an onshore oil well and it looks like they could change flow from this interface.

This system seems to control five different off-shore wells.

Perhaps you would prefer to control the water supply instead.


Or perhaps you would like to drinking water undrinkable.

If you would prefer to mess up the other end of the process, maybe you could make this poop plant poop in the wrong place.

These hacks did not require a great deal of skill. They did not exploit zero day vulnerabilities that only nation states have access to. Sure it took some work, but these guys are journalists, not master hackers.

Only the electric grid as **BEGUN** to take these threats seriously and they are only taking baby steps.

In Europe, Facebook can be fined 125 million Euros for for not taking down a piece of terroristic content within an hour.

Have any of these companies been fined anything? I don’t think so.

Maybe hackers don’t want to start a fighting war, but for anarchists, who knows. Let’s say there is an anarchist in Iowa. Are we going to bomb Des Moines?

What if the hacker *WAS* in Des Moines but took over a computer in Germany to launch the attack. Are we going to attack Germany? Anarchists would like us to do that.

Needless to say, this is a bit of a mess and these are only samples of what they were able to do.

One of the problems that the critical infrastructure industries have is that many of their control systems were designed when people were still painting pictures on cave walls with ground up plants. Well, not exactly, but in technology terms, pretty much exactly.

If the government doesn’t FORCE these companies to pass security tests like the DoD is beginning to force contractors to deal with under the threat of not getting any contracts, nothing will improve.

Since most of these companies are regulated, their regulators need to approve the rate increases necessary to fix the problems and, for most regulators, this is a theoretical problem. After all, no one was provably killed by my decision not to force utilities to improve their security.

And since most legislators have trouble starting a Zoom conference without help from their millennial intern, I would not hold out a lot of hope for those same people understanding the complexities of industrial internet of things devices.

I just hope that it won’t take a Bhopal-style disaster to get their attention.

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Cloudflare says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. The used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys, Google apps and maps keys and Branch.io keys. The vulnerability did not expose user accounts, it would have allowed an attacker to impersonate the app and cause significant campaign embarrassment. This could be due to sloppy coding practices or the lack of a secure development lifecycle. Credit: SC Magazine

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places. Some versions carry large weapons such as missiles. These DHS drones likely only carry high resolution spy cameras (that can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment such as Stingrays and Crossbows. Different folks have different opinions as to whether using the same type of equipment that we use to hunt down terrorists is appropriate to use on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, they knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet due to an unprotected database. This data is collected from an amazing array of sources from tracking beacons on web pages and emails to data that they buy from a variety of sources. Apparently the source of the breach is not Oracle it self but rather two companies Oracle does business with. They have not said whether those companies were customers, partners or suppliers and they haven’t publicly announced the breach. If there were California or EU residents in the mix, it could get expensive. The California AG has refused to say whether Oracle has told them, but this will not go away quietly or quickly. Credit: Tech Crunch