Digital Insecurities

No, this is not about who hangs with the coolest kids on Facebook or has the biggest social media klout. (Seriously? Does anyone believe Klout scores mean anything?)

It’s not even about those late-night drunk texts, although you really should stop that.

Think of it as a minor rant in a major key, and it’s all about digital security. Or, more precisely, the lack thereof.

Doesn’t really exist, folks.

I know. You’ve heard some of this before. Some of it you haven’t, and I don’t want to leave out the newer visitors.

Plus, there’s a really good chance you didn’t do anything about it the first dozen times around.

….

I’ve been thinking about this one for a while. The thing that pushed me into writing it is a private message I got yesterday. Seems the dude got himself on one of the Spamhaus blocklists and wanted some help.

Ooops.

So, I called him up. After explaining to him that no, the Spamhaus folks really aren’t horrible people (not the words he used, but this is a family friendly rant), we got to the specifics. His WordPress site was hacked and the creeps sent 100,000+ spams through it.

Well, yeah. They’re supposed to block that. Fix the hack and the block will expire automatically. 3 days without more spam and you should be good to go.

It should be mentioned that nothing online is 100% secure. It’s just not possible. That said, this gentleman is running a fairly large operation that sends millions of legit emails each month, and it was based on an unsecured WordPress installation.

That’s just begging for a spanking.

When this happens to you, don’t panic. Fix the problem, and don’t send mail to your lists until after the block expires. That way you won’t lose a ton of subscribers to the hard bounces it will generate.

In the meantime, secure that puppy. Back up the site, all files and the database. Then install Bulletproof Security or Wordfence. (If you use BPS, make sure the installer is well clued, or you can bork things in an ugly way.) Make sure your choice of plugin doesn’t break your themes or other functionality.

If your operation is larger, consider using Sucuri. It’s a paid service, and it’s a bit easier for the technically challenged. I’m told it’s also lighter on server resources.

And have a system that makes backups of the whole blog on a regular basis. That way, when the digital rats find a way through your security maze, you won’t lose everything.
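As an added example (not the post's own code, and not part of any of the plugins named above), here is a small Python helper that does the "back up the site, all files and the database" step so it can be run on a schedule. It assumes a standard WordPress install with wp-config.php in the site directory, a MySQL/MariaDB database, and `mysqldump` on PATH; the way it parses the config and lays out the archive are this example's own choices, and the sample config inside it is constructed.

```python
"""Added example (not the post's own code): back up a WordPress site's files and
its database before hardening it. Assumes a standard install with wp-config.php
in the site directory, a MySQL/MariaDB database, and `mysqldump` on PATH; the
credential parsing and archive layout are this example's own choices."""
import os
import re
import subprocess
import sys
import tarfile
import time

# Matches lines like: define( 'DB_NAME', 'wp_example' );  (either quote style).
# Caveat: a password containing a quote character will not parse with this.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)

# Constructed sample config used by the self-check below; not a real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 's3cret-pass' );
define( 'DB_HOST', '127.0.0.1:3306' );
$table_prefix = 'wp_';
"""


def parse_wp_config(text):
    """Return the four DB_* settings from wp-config.php contents, or raise."""
    found = dict(_DEFINE_RE.findall(text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - set(found)
    if missing:
        raise ValueError("wp-config.php is missing %s" % sorted(missing))
    return found


def mysqldump_command(cfg):
    """Build the mysqldump argv. The password is deliberately NOT put on the
    command line (anyone on the box could read it from `ps`); it goes in the
    MYSQL_PWD environment variable instead, see backup_site()."""
    host, _, port = cfg["DB_HOST"].partition(":")
    argv = ["mysqldump", "--single-transaction",
            "--host=" + host, "--user=" + cfg["DB_USER"]]
    if port:
        argv.append("--port=" + port)
    argv.append(cfg["DB_NAME"])
    return argv


def backup_site(site_dir, out_dir):
    """Write <out_dir>/wp-backup-<stamp>.tar.gz holding every site file plus a
    fresh SQL dump, readable only by the owner. Returns the archive path."""
    with open(os.path.join(site_dir, "wp-config.php")) as fh:
        cfg = parse_wp_config(fh.read())
    stamp = time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(out_dir, exist_ok=True)
    dump_path = os.path.join(out_dir, "db-%s.sql" % stamp)
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    # Create the dump owner-readable only; it contains every post, user hash and option.
    fd = os.open(dump_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as dump:
        subprocess.run(mysqldump_command(cfg), stdout=dump, env=env, check=True)
    archive = os.path.join(out_dir, "wp-backup-%s.tar.gz" % stamp)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")   # themes, plugins, uploads, config
        tar.add(dump_path, arcname="db.sql")
    os.remove(dump_path)
    os.chmod(archive, 0o600)
    return archive


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(backup_site(sys.argv[1], sys.argv[2]))
    else:
        # Offline self-check on the constructed config (no database needed).
        print(mysqldump_command(parse_wp_config(SAMPLE_WP_CONFIG)))
```

Run it as `python backup.py /var/www/html /backups` from cron, and copy the resulting archives somewhere the web server's own account cannot write, since a compromised site can otherwise delete its own backups.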

Yes, it’s a pain. So are locks on your house and car.

You’ve got locks, right?

….

Moving on…

If you use LastPass, you may want to change your master password. Yes, they got hacked.

Again, don’t panic. From what they say, no user accounts or data were compromised. The odds of the hackers getting access to anything based on what they stole are low. The people at LastPass are just showing an abundance of caution, which we like to see in a security operation.

They could teach the US government a thing or two.

You’ve probably heard that the Office of Personnel Management, overseen by the DHS, was hacked. Somewhere between 4 and 14 million records of government employees and contractors were “exfiltrated.”

That’s spook-speak for “stolen.”

As it turns out, the crooks (believed to be agents of the Chinese government) had valid credentials, so even encryption wouldn’t have kept them out.

What would have stopped them in their tracks is 2-factor authentication of logins. You know… like Facebook and PayPal and even Gmail offer.

The absence of any sort of serious security on those systems allowed a foreign government to pull data on millions of people, many of whom have high security clearances. In fact, some of the most potentially damaging stuff was the huge collection of files involving applications for security ratings.

If you’re familiar with those investigations, you know just how in-depth these things go, and how thoroughly they dig for any and all dirt there may be on you. Including legit stuff that you just don’t want broadcast to world+dog.

In short: If there’s anything that could be used to embarrass or blackmail you, it’s in there.

That makes this potentially the most damaging national security threat ever to come from a cyberattack.

And it could have been prevented by basic measures that you can get on a Gmail account or your personal blog.

Department of Homeland “Security,” indeed.

….

The lessons for us…

Don’t assume anyone is handling your data in the way you’d like. Even people whose job is to keep things secure.

If an account is important to you and offers 2-factor authentication, consider using it. It’s not that inconvenient. In most cases for consumers, it just means getting a text message or email confirmation each time you access an account from a new machine or IP address.
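To show what the "second factor" actually is, here is an added Python example (not from the post) of the time-based one-time password algorithm, TOTP (RFC 6238, built on HOTP from RFC 4226), which is what authenticator apps generate for Gmail-style 2-factor logins. The post only mentions text and email codes; an app-generated code is the same idea, with the shared secret held on the phone instead of sent over the network. The secret used below is the RFC's own published test key, and the server-side `verify_totp` function with its drift window is this example's own addition.

```python
"""Added example (not the post's own code): TOTP (RFC 6238) as used by
authenticator-app style second factors. RFC_SECRET is the RFC's test key."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP: HOTP with the counter taken from Unix time divided by the step."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits, algo)


def verify_totp(secret, candidate, now=None, window=1, step=30, **kw):
    """Server-side check. Accepts the code for the current step or any step
    within +/- `window` (tolerates clock drift); compares in constant time so
    the response timing leaks nothing about which digits matched."""
    now = time.time() if now is None else now
    for delta in range(-window, window + 1):
        expected = totp(secret, now + delta * step, step=step, **kw)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# RFC 4226 / RFC 6238 Appendix test key (SHA-1 vectors). Real secrets are
# random and are shown to the user once, usually as a QR code.
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, now=59, digits=8))
    print("Current 6-digit code:", totp(RFC_SECRET))
```

The point for a defender: the code is derived from a secret the attacker does not have plus the current time, so a stolen password alone (as in the OPM case described above) is not enough to log in, and a captured code is useless thirty seconds later.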

If it’s only your data involved, you can make whatever decision you think fits your risk tolerance. If you’re handling sensitive data that belongs to other people, though, take every precaution available to you to protect it.

That’s what you’d want others to do for you, right?

….

It’s not just the Bad Guys who pose a threat, either. The US government is pushing hard for social media, cell phone companies, and app providers to leave them “back doors” to gather data. They’re also objecting to the use of strong encryption in consumer products.

Let’s stay away from the whole conspiracy theory thing, and look at the more likely source of problems if they get their way on these issues. It’s really pretty simple.

If there’s a back door, the bad guys will find and exploit it. And if encryption is weak or non-existent, that puts everyone at greater risk.

You don’t need to be paranoid to know that’s a problem.

….

Conspiracy theories aren’t always wrong, by the way. A good example is the recent hack of Kaspersky, the security software giant.

Again, it doesn’t appear to pose any threat to their customers, so if you’re using a Kaspersky product you don’t need to panic. The interesting thing here is more who’s behind the hack than what effect it might have on you personally.

It’s a fascinating story. Leaving out the technical bits, it boils down to this: The attack uses code with clear ties to Stuxnet, the malware the US and Israel used to attack Iran’s nuclear program in 2010. Kaspersky calls this version Duqu 2.

The same malware was used to spy on the current discussions with Iran about limiting their nuclear program, and on people involved with the 70th anniversary event celebrating the liberation of Auschwitz.

The analysts at Kaspersky Labs are confident that an attack of this complexity and expense could only be launched and maintained by a nation-state.

Kaspersky does not attribute the malware to any specific country, but the implications of the data that has been released all point to one place: Israel.

That’s hardly a proven assumption, of course. Still, one can see their interest in 2 of those 3 targets. If I were them, I’d certainly want to keep an eye on such things. They’re legitimate national security interests.

You don’t have to like it, but you can’t help but understand it.

What concerns me is a government – any government – doing things that can compromise legitimate players in the digital security industry. That could expose companies and individuals across the world to unnecessary and unpredictable risks.

Including their own citizens.

For the record, I don’t put this kind of thing beyond the will of any country with the necessary resources. Or, for that matter, any number of major transnational companies.

And that’s really the point. There are many entities in the world with the technical capacity and a direct interest in defeating or circumventing security software.

Too many to assume some won’t succeed.

….

Another interesting thing about the Kaspersky hack is the way they got in to begin with. It appears that a non-technical employee got a very targeted email that got them to visit a site which dropped malware on their machine. From there, it was relatively easy to spread to the rest of their network.

The lesson in this one is obvious: Be careful about which sites you visit on the web, and what files you open that come in via email.

You’ve heard the last part a lot, I’d bet. Most people don’t know, though, that it’s possible to get your machine compromised just by visiting a web page. Or, in some cases, by visiting a known and legitimate website with a malware-enabled ad.

Yep. Google “malware Yahoo ads” (without the quotes) for the details, if you’re interested in how that works. If you just want the down and dirty, it’s this: Any page that hosts 3rd party ads can potentially be a source of “drive by” malware infections.

That’s pretty much every major site on the net.

Ain’t that just ducky?

….

The lesson? Update everything, all the time. If your browser, OS, Java, Flash player, or any other component says there’s a security update, install it.

One special note: If you visit a site and get a notification that you need to update the Flash player, go to Adobe.com and look for the link manually. Don’t do it through a pop-up at a website. That’s a common ruse to get you to install malware under cover of updating legitimate components.

For that matter, don’t ever believe any website pop-up with a security warning.

The very first thing I do every day when I sit down at my computer is a live update of my security software. It’s set to auto-update through the day, but when I start surfing I want to know I’ve got the very latest available.

Nothing is 100%, but you can stack the odds heavily in your favor. Doesn’t take much effort, either.

….

In a mildly amusing security breach, the St Louis Cardinals are being investigated by the FBI for allegedly hacking the systems of the Houston Astros.

The scenario: One of the key management staff that helped bring the Cards to their current dominant status went over to the Astros, and has made similarly spectacular moves for them. The Cards supposedly went in to get trade and scouting intelligence, assuming it would give them an edge.

Not an unreasonable assumption on their part. Illegal, yeah. Unsportsmanlike, certainly. If true.

It’s more often the case that the person who leaves will take intelligence with them which can potentially endanger the original firm’s data or systems. When someone leaves, make sure any passwords or security they had access through are changed to lock them out. Even if you trust them, you may not know what they might have leaked unknowingly.

It’s just good practice.

If you hire someone away from a competitor, be sure their passwords don’t come with them. They’re likely to use the same ones as at the old place, because that’s what people do.

When it comes to security in businesses, people are often the weakest link. Disgruntled employees or staff that want to make a few extra bucks can do you as much damage as any hacker.

….

The real point here is that you need to develop a security mindset. Never assume anything is secure, and be aware of the risks you may be taking with each action.

This applies to everything. Even the seemingly small stuff.

As an example, I have a friend who used a “swipe” pattern to unlock his cellphone. It was the number 4, which anyone could see every time he unlocked it. He did that about once every 10 minutes, most days.

He broke up with his girlfriend, and she didn’t take the news well. She did take his phone, though. The next day, a whole lot of very nasty comments appeared on his Facebook account, directed at many of his friends.

Guess who?

As you might imagine, that took some ‘splainin’.

I’m not going to tell you to keep your phone locked so your spouse or other family members can’t get at it. That’s a decision you have to make, based on your situation.

Even if you trust someone completely, though, there may be other factors. Like, for example, how careful they’re likely to be about not letting anyone else get that access.

Just be very clear with yourself which decision you’re making, and why.

And don’t go snooping around other people’s phones. If you feel the need to do that, you have bigger problems than data security.

….

In the “I would never have imagined” category, consider that somewhere around 600 million Samsung phones can be turned into remote bugging devices because of a vulnerability in their keyboards.

Yep. From the Galaxy S4 to the S6.

Because of the extremely broad permissions a keyboard has to have, this gives an attacker powerful access to almost all the phone’s functions.

They don’t all have problems, mind you, even if they’re vulnerable. They have to be actively hacked, which happens under specific circumstances while the keyboard app is updated.

Samsung has sent the fix to the various service providers, but it’s unknown how many of them have distributed it to their customers.

Gotta love it, eh?

….

Want to scare yourself? If you use an Android phone or tablet, go to the Play store and install an app called Dcentral1. (It’s safe.) Do a scan on your device using it, and watch how many apps come up with scores well into the red.

Tap on the ones with scores above 40, and look at the permissions involved. Sometimes, as with a multi-function app like Viber or Skype, those make sense. They’re needed for the app to do what it was advertised to do.

Some won’t make any sense at all. There is no reason for a photo editor to need access to your microphone, for example.

You won’t run into too many of these sorts of permissions abuses through the Apple store. Google Play is another story. And if you start sideloading apps on any platform you’re pretty much on your own.
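The check the post has you do by hand in Dcentral1 (look at an app's permissions and ask whether its advertised purpose explains them) can be written down. The following is an added Python example, not Dcentral1's code or scoring: the permission weights, the "what each kind of app plausibly needs" table, and the app inventory are all constructed for this illustration, and the 40-point threshold is borrowed from the post's rule of thumb rather than from any real scale.

```python
"""Added example (not the post's or Dcentral1's code): score an Android app's
requested permissions against what its advertised purpose explains.
Weights, categories and the sample inventory are constructed for this example."""

# Android permission names as they appear in a manifest. The weights are this
# example's own judgement of how much reach each one gives an app.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": 25,
    "android.permission.CAMERA": 20,
    "android.permission.ACCESS_FINE_LOCATION": 20,
    "android.permission.READ_CONTACTS": 15,
    "android.permission.READ_SMS": 25,
    "android.permission.SEND_SMS": 25,
    "android.permission.READ_CALL_LOG": 20,
    "android.permission.READ_EXTERNAL_STORAGE": 5,
    "android.permission.INTERNET": 5,
}

# Permissions an app of each kind plausibly needs to do what it advertises
# (short names). A multi-function messenger legitimately wants mic, camera and
# contacts; a photo editor does not need a microphone.
EXPECTED = {
    "messaging": {"RECORD_AUDIO", "CAMERA", "READ_CONTACTS", "INTERNET",
                  "READ_EXTERNAL_STORAGE"},
    "photo_editor": {"CAMERA", "READ_EXTERNAL_STORAGE", "INTERNET"},
    "flashlight": {"CAMERA"},   # torch control sat behind CAMERA on older Android
    "navigation": {"ACCESS_FINE_LOCATION", "INTERNET"},
}


def short_name(perm):
    """'android.permission.RECORD_AUDIO' -> 'RECORD_AUDIO'."""
    return perm.rsplit(".", 1)[-1]


def review(app):
    """Return (score, unexplained): the sensitive permissions the app's category
    does not account for, and the sum of their weights."""
    expected = EXPECTED.get(app["category"], set())
    unexplained = sorted(
        p for p in app["permissions"]
        if p in SENSITIVE and short_name(p) not in expected
    )
    return sum(SENSITIVE[p] for p in unexplained), unexplained


def flagged(apps, threshold=40):
    """Names of apps scoring above the threshold, worst first."""
    scored = [(review(a)[0], a["name"]) for a in apps]
    return [name for score, name in sorted(scored, reverse=True) if score > threshold]


# Constructed inventory, the kind of list a device scan would produce.
INVENTORY = [
    {"name": "PhotoFun", "category": "photo_editor", "permissions": [
        "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_CONTACTS", "android.permission.INTERNET"]},
    {"name": "ChatApp", "category": "messaging", "permissions": [
        "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
        "android.permission.READ_CONTACTS", "android.permission.INTERNET"]},
    {"name": "Torch", "category": "flashlight", "permissions": [
        "android.permission.CAMERA", "android.permission.READ_SMS",
        "android.permission.INTERNET"]},
]


if __name__ == "__main__":
    for app in INVENTORY:
        score, why = review(app)
        print("%-9s score=%3d  unexplained=%s" % (app["name"], score, [short_name(p) for p in why]))
    print("Flagged:", flagged(INVENTORY))
```

The photo editor comes out well into the red because nothing about editing photos explains a microphone, a location fix and your contact list; the messenger asks for the same microphone and camera and scores zero, which is exactly the Viber/Skype distinction the post draws. Whether a lower-scoring app like the torch that reads SMS is acceptable is the judgement call the tool leaves to you.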

Developing a security mindset doesn’t mean you need to be paranoid. It does mean, though, that you’re aware of the potential of the devices and systems you use. That smartphone in your pocket is a capable computer, with the ability to be used as a remote camera, an eavesdropping system, a personal location tracker, and much more.

With reasonable precautions, it’s a powerful tool. If you’re careless, it’s a window someone can use to see nearly everything you do and much of what you think.

….

Another concern is not mixing your personal and business stuff in the same accounts. That’s way too easy to do with all the proprietary services that come bundled with a phone or tablet.

Use separate storage that requires you to enter the password manually each time you access it, if possible. Dropbox allows this. You can use a Dropbox account on your home computer and not even install the app until/unless there’s a real reason to access it through your phone.

Or you can do what I do. Have one Dropbox account for stuff you use on the phone, and another for more important (and secure) long-term backups and project storage. That gives you the best of both worlds.

Losing your phone should not involve compromising your employer’s data, or your customers’ personal information.

That’s a security mindset.

….

The security mindset has another component. As far as possible, don’t create data on any network-connected device that you wouldn’t want “out there.”

The most recent example is Google’s revised Photos app. It’s great, as long as you’re aware of the risks. That data, along with anything you store at any other Google service, is available to anyone who manages to get that one single password.

Something like the iTunes hack that ended up revealing all those revealing celebrity photos is just the tip of the iceberg. You probably don’t need to worry about that. But there are other concerns, like who has access to those pics of your kids at school, or snapshots that could reveal info you don’t want strangers to have.

Or the crazy ex who steals your phone.

….

By this point, some people are getting paranoid. Others are thinking, “Cool. Some useful stuff I didn’t know.” A few are yawning, because they knew all this already.

The goal isn’t to scare you. It’s to show you that, despite the fact that there is no such thing as guaranteed digital security, you can reduce your risks to a manageable level. It doesn’t have to be expensive or involve a lot of technical knowledge.

Unless you’re a big target, the business risks are largely restricted to random attacks that are easily defeated. WordPress hacking, email attachments, and wi-fi snooping are the big ones there.

Risks from people you know are a different story. Not a problem at all for most folks, and easily deflected by good passwords for most others.

Just be aware, and be careful out there.
