InfoSec Links April 24, 2014

Heartbleed disclosure timeline: who knew what and when - Ben Grubb - The Sydney Morning Herald

A pretty good breakdown of the Heartbleed timeline. Google's security team was the one that found the bug, and they've recently begun to take some flak for not notifying people more quickly.

Ephemeral Apps - Bruce Schneier - Schneier on Security

I am beginning to question everything in my life and you should too. Case in point: Snapchat says pictures are one-and-done, but are they really? The recipient could screenshot the communication, and Snapchat could be storing those images on an internal server.

States: Spike in Tax Fraud Against Doctors - Brian Krebs - Krebs on Security

Just another reason to get your taxes done as soon as possible. If you don't like doing taxes and you procrastinate until the April 15 deadline, then you just may find that other people have filed taxes on your behalf. In this link it appears doctors are being targeted, but they're far from the only target.

 

This post first appeared on Exploring Information Security.

Patch Management - Secunia PSI

One of the best security practices within the computing industry is patching. Patching not only improves software by fixing bugs and adding features, it also fixes vulnerabilities that can lead to your computer getting viruses or other malware. New vulnerabilities in devices and programs are discovered on a daily basis, so it's very important that patches for operating systems, devices and programs be applied regularly, as soon as they become available.

Good patch management, though, can be a challenge and an annoyance to people who have only so many hours in the day and many other things to worry about. Luckily, there is a free tool that can help with getting patches installed regularly and, more importantly, with very little interaction. Secunia PSI is a free program I've been using for a while now to help with patch management on my computer, as well as my family's and friends' computers.

Secunia PSI

Download the program; no sign-up is required (another excellent plus). Install the program and then open it.* Click 'Scan now' to initiate a discovery scan of all the programs on your computer. At this point, you can return to your regularly scheduled computer programming. Really, that's it.

*Sometimes when you first try to open the program you'll get a message about it having problems connecting to the internet. Give it a few minutes and, if it says it's still having problems, reboot your computer.

Once Secunia has completed its initial scan, it will start patching programs on your system automatically. Some programs will require a manual download and install, but Secunia PSI will provide you a direct link to the patch(es) that need to be applied.

There will be exceptions: sometimes a program doesn't have a patch available yet, and other times applying a patch causes issues with other programs. The Secunia PSI tool will, however, get 80-90% of your programs patched without requiring any interaction from you.

Patch management is one of the most important things you can do to keep your computer safe from malicious activity. It's also one of the easiest things you can do, with the right tool.

If you have any questions feel free to leave a comment or contact me directly via email or Twitter.


InfoSec Links April 18, 2014

This is Earth's malware threat, visualized - Sean Buckley - Engadget

Created by Kaspersky Labs, this is a really cool visualization of malware threats around the world.

Crimeware Helps File Fraudulent Tax Returns - Brian Krebs - Krebs on Security

A big reason why you should do your taxes as soon as possible; otherwise someone else might do them for you and get your tax return.

Critical Java Update Plugs 37 Security Holes - Brian Krebs - Krebs on Security

If you can do without Java, uninstall Java from your computer as quickly as possible. Unfortunately, I think there are very few people who can do without Java. Personally, I have several sites that I use at home and work that require Java to function properly so I'm screwed. If you do need Java to function on the internet, then, at the very least, make sure you keep Java up to date.


InfoSec Links April 17, 2014

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say - David E. Sanger - New York Times

Disclosure of vulnerabilities by the government can be a bit more complex than it would seem. Still, I believe the government's primary goal should be defense, not offense.

At Feds' request, GoGo in-flight Wi-Fi service added more spying capabilities - Joe Silver - ars technica

If you plan on using airplane Wi-Fi, then be prepared to hand over anything you do on that Wi-Fi to the government.

A telephone box near GCHQ gets a visit from Banksy - Graham Cluley

This is a pretty good indication of how street artist Banksy feels about GCHQ.

 


InfoSec Links April 16, 2014

Xbox password flaw exposed by five-year-old boy - BBC

This five-year-old boy is now on Microsoft's page thanking people for finding problems in their software. The boy found that if he hit the spacebar multiple times in the password field he could get access to his dad's Xbox Live account. Not surprisingly, his dad works in security.

XPocalypse: Experts Warn of Attackers Hoarding Windows XP 'Forever Days' - Fahmida Y. Rashid - Security Week

Just another reason to upgrade your Windows XP computers to a newer operating system. Attackers are saving their exploits for after support ends so that they are not discovered and patched.

IRS another Windows XP laggard, will pay Microsoft for patches - Peter Bright - ars technica

That is, unless you're the IRS and you procrastinated on upgrading your computers to a newer operating system. It's going to cost $30 million to finish the upgrade. Before they do that, though, they're going to give Microsoft anywhere from $500K to $11M (actual number to be published later) to continue to support their old XP boxes. Oh, and the IRS made it very clear that this won't be an excuse for you to miss the April 15 tax filing deadline. Hooray government.


Heartbleed Bug: Things To Know

The week of April 7, 2014, it was discovered that there was a very serious vulnerability on the internet. On a scale of 1-10, one security thought leader put the seriousness of the bug at an 11. Over half a million sites were vulnerable to this bug including many major websites such as Google, Facebook, Amazon, Yahoo, banking sites, etc.

Technically speaking, a bug was found in OpenSSL, the library many sites use to secure internet traffic (HTTPS). The vulnerability allows attackers to get data that is being processed on the website at that time. Usernames, passwords, email addresses, social security numbers, bank information, etc. are all things that can be collected using this vulnerability. This comic has a pretty good visual explanation of the vulnerability.
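As an added illustration (not code from the original post, and not OpenSSL's own code), the following Python checks the consistency condition at the heart of the bug: a TLS heartbeat message declares how long its payload is, and a vulnerable server trusted that number instead of checking it against the bytes that actually arrived. The check below is the one the fix enforces, written as a small record validator a defender could run over captured records or use in a test suite. The constants come from RFC 6520; the build_heartbeat_record helper only constructs sample input for testing.

```python
import struct

# TLS heartbeat constants from RFC 6520 (content type 24 carries heartbeat
# messages; message types 1 and 2 are request and response).
HEARTBEAT_CONTENT_TYPE = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body).

    Returns None when the record is truncated, i.e. the 5-byte header is
    missing or the body is shorter than the header's length field claims.
    """
    if len(data) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return None
    return content_type, (major, minor), body


def heartbeat_violation(body: bytes):
    """Return a reason string if a heartbeat message is inconsistent, else None.

    The core check is the one the fixed OpenSSL performs: the one-byte type,
    the two-byte payload_length, the payload itself and at least 16 bytes of
    padding must all fit inside the record that actually arrived. A message
    whose payload_length claims more bytes than are present should be
    dropped, not answered.
    """
    if len(body) < 3:
        return "message shorter than the type + payload_length header"
    msg_type = body[0]
    (payload_length,) = struct.unpack("!H", body[1:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return f"unknown heartbeat message type {msg_type}"
    available = len(body) - 3 - MIN_PADDING
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return (f"declared payload_length {payload_length} exceeds "
                f"{max(available, 0)} bytes available")
    return None


def check_record(data: bytes):
    """Classify one raw TLS record: None = fine, otherwise a reason to drop it."""
    parsed = parse_tls_record(data)
    if parsed is None:
        return "truncated record"
    content_type, _version, body = parsed
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return None  # not a heartbeat; nothing for this check to say
    return heartbeat_violation(body)


def build_heartbeat_record(payload: bytes, declared_length=None,
                           padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Construct a heartbeat request record as test input (constructed data,
    not captured traffic). declared_length defaults to the true payload size;
    a test can pass a different value to produce an inconsistent message."""
    if declared_length is None:
        declared_length = len(payload)
    body = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_length)
            + payload + padding)
    header = struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 2, len(body))
    return header + body


if __name__ == "__main__":
    good = build_heartbeat_record(b"hello")
    inconsistent = build_heartbeat_record(b"hello", declared_length=65535)
    print("consistent request:", check_record(good))
    print("inconsistent request:", check_record(inconsistent))
```

The validator treats the padding minimum as part of the arithmetic on purpose: a message that is exactly long enough for its payload but has no room for the 16 bytes of padding is still malformed under RFC 6520, so it is rejected as well.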

This bug, only recently discovered by security researchers, has been around for two years. What that means is that we don't know who knew about the bug and who didn't, so we have to assume that all account information and other information on these affected websites has been compromised. Mashable has a list of sites that have been found to be affected by this bug.

Now that this bug is out in the open, it is being exploited by attackers. It is imperative that you change passwords on affected websites, and if the option is available I would highly recommend turning on two-factor authentication. However, before you do, you need to make sure that the vulnerability has been fixed by the website; otherwise you'll just compromise your new password immediately. I would recommend LastPass' Heartbleed checker, because it tells you whether the website was previously vulnerable and whether it's vulnerable now. Here is a list of other sites that check whether a website is vulnerable.

  • http://filippo.io/Heartbleed/

  • http://heartbleed.criticalwatch.com/

  • https://lastpass.com/heartbleed/

  • https://www.ssllabs.com/ssltest/

Other Suggested Readings:

http://heartbleed.com/

http://bhconsulting.ie/securitywatch/?p=2103

http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work


OpenSSL Heartbleed Links April 12, 2014

Trying to protect yourself from Heartbleed could land you in jail - Chris Smith - BGR

There are laws in place that say testing a website's security without permission is illegal. This would include running checks using Heartbleed websites or the Heartbleed Chrome app I linked to in Friday's post. They would have to enforce the law first, but technically you're still breaking the law when you do it. Which just further highlights how far behind the law is when it comes to the internet.

NSA Denies Knowing About Heartbleed Bug - Denver Nicks - Time

It was only a matter of time before the NSA was going to be thrown under the Heartbleed Bug Bus. The NSA has two directives: gather intelligence from its enemies AND defend the country. Knowing about the bug in OpenSSL and not reporting it would be a massive epic fail for the NSA.

How The Heartbleed Bug Works - xkcd

A very well done, yet simple, visualization of how the Heartbleed bug works.


InfoSec Links April 9, 2014

Microsoft: Let's be clear, WE won't read your email - but the cops will - Iain Thomson - The Register

Note to self: don't use Hotmail to distribute pirated copies of Windows 8.

The Heartbleed Bug, explained - Timothy B. Lee - Vox

A good explanation of the OpenSSL bug that has rocked the infosec world the past couple of days. This is a pretty serious bug that puts millions of sites at risk and potentially your information, such as passwords. Unfortunately, there's really nothing you can do about it except hope that the sites you have accounts on apply the patch that fixes the bug ASAP. Most big sites have probably already done it.

Xbox password flaw exposed by five-year-old boy - BBC

A five-year-old wants to get into his dad's Xbox account. What does he do? Find a vulnerability in Microsoft's Xbox Live, thus starting his illustrious hacking career. It's not the least bit surprising that his dad works in security.


More on the Experian breach

On Saturday I posted about Experian's breach of customer data not being the hack that the media seems to think it is. It's actually much worse than that. Apparently, I wasn't alone in identifying the inaccuracies in the coverage of the Experian breach, and Experian themselves went to set the record straight. Except they really didn't, and Brian Krebs took their statements apart with factual information.

If you liked Krebs' article, then I would suggest reading the post he did last month that looked at whether or not credit monitoring services are really worth it. Even if you don't use a credit monitoring service, there are some good tips in the article on how to protect yourself from identity theft.

And in case you're wondering who Brian Krebs is, he's kind of a big deal. Sony Pictures is planning on making a movie about Brian Krebs' life.


InfoSec Links April 5, 2014

Fandango, Credit Karma settle with FTC over app security flaws - by Kate Tummarello - The Hill

If you build an insecure app, the FTC is going to come after you. Hopefully, this will make developers start taking security into consideration when building apps, especially when the app deals with some form of currency.

Web TV service Boxee.tv Hacked, Details of 158,000 Forum Users Leaked - By Eduard Kovacs - Softpedia

If you have a Boxee.tv account you might want to go change your password. This is just another example of why you want to have different passwords for different accounts. If you need help managing your passwords, might I suggest Password Safe (look for a post in the future).

Big Brother Goes Dutch - by Lee Munson - Security Watch

The Dutch have voted for more surveillance. /facepalm


InfoSec Links April 2, 2014

Banks Drop Suit Against Target, Trustwave - Brian Prince - Security Week

A day after linking articles that talk about how ridiculous it was to sue Target and Trustwave, we learn that both banks have put in for dismissal of their lawsuit. Coincidentally, news of this comes on April Fools' Day, which makes it just an elaborate April Fools' Day joke.

Analyzing the Target Breach "Kill Chain Analysis" Report - Rafal Los - Following the Wh1t3 Rabbit

Excellent in-depth analysis and discourse of the Target breach and how it happened.

The Continuing Public/Private Surveillance Partnership - Bruce Schneier - Schneier on Security

What's really happening between the government and the companies that are handing over your data.


Safety Starts With Strong Passwords

This is a post I wrote for work talking about how to create a strong password.

Creating a strong password is one of the best things you can do to keep both yourself and your accounts safe, both at work and at home. However, creating a strong password is not the easiest thing to do and requires a little bit of thought.

If you choose a long string of random characters, the password is strong but easy to forget. If you choose a much shorter password without any random characters, then it's easy for someone to guess. The idea is to find a balance between the two. A recent study of passwords that had been compromised showed the top 10 worst passwords were:

  1. 123456

  2. password

  3. 12345678

  4. qwerty

  5. abc123

  6. 123456789

  7. 111111

  8. 1234567

  9. Iloveyou

  10. adobe123

Fortunately, most places have a set of password requirements designed to keep your information safe. That does create a bit of a challenge for users, because you are required to change your passwords every three months. Here are some tips that will help make the seemingly daunting task of creating strong and memorable passwords a little easier.

Pick a Theme

Most organizations will require a password to be at least eight characters long, with at least one special character and one number. Try to think of something in your life, non-work related, that has all three of those elements.

Some examples include:

  • Restaurant menu

  • Retail stores

  • Hardware stores

  • Legal documents

  • Food stores

Once you have a theme, start mixing and matching numbers in a way that you can remember. For example, Chicken Strips for 14.99 from a restaurant could be ChSt14.99 or ChcktRips14.99 or Ch1ck4Nst9i9s!

There are thousands of different passwords waiting to be thought up from everyday life. The one caveat is, that if you create a password from your everyday life, make sure you’re not posting it all over your social media site. It’s pointless to use chicken strips as part of a password if you’re tweeting about it for the world to see.

Pick a Phrase

Pick a phrase and then use a combination of letters, numbers and special characters to craft your password. For example, Take The Bull By The Horns could be T-tB-b-TH0 or T8k-7@buLL-bi*7-h0rns or T-T@8'8@T-H0. Be intuitive about it and craft it in a way that you can easily remember. The same rule applies here: don't use your own personal catchphrase that's on your social media profile. Don't use anything obvious, because phrases are easily searchable, especially if they're popular.
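As an added example (not part of the original post), here is a small Python checker for the rules in the theme and phrase sections above: the eight-character, one-number, one-special-character requirement, the top-10 worst-passwords list, and the caveat about not building a password from something you have posted publicly. The public_phrases argument is an assumption of this example, standing in for whatever the user has shared on social media.

```python
import re

# The top-10 list quoted in the post, compared case-insensitively.
WORST_PASSWORDS = (
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
)

MIN_LENGTH = 8  # the typical organizational minimum the post describes
HAS_DIGIT = re.compile(r"[0-9]")
HAS_SPECIAL = re.compile(r"[^A-Za-z0-9]")  # anything that is not a letter or digit


def password_problems(candidate: str, public_phrases=()):
    """Return the list of rules the candidate breaks; an empty list means it passes.

    public_phrases is a caller-supplied list of things the user has posted
    publicly (the post's 'tweeting about chicken strips' caveat). A candidate
    that contains one of them verbatim, ignoring case and spaces, is rejected.
    """
    problems = []
    squashed = candidate.lower().replace(" ", "")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not HAS_DIGIT.search(candidate):
        problems.append("no number")
    if not HAS_SPECIAL.search(candidate):
        problems.append("no special character")
    # A common password buried inside a longer one (Mypassword1!) is still weak.
    for common in WORST_PASSWORDS:
        if common in squashed:
            problems.append(f"contains the common password '{common}'")
            break
    for phrase in public_phrases:
        if phrase.lower().replace(" ", "") in squashed:
            problems.append(f"contains the publicly posted phrase '{phrase}'")
            break
    return problems


def is_strong(candidate: str, public_phrases=()) -> bool:
    """True when the candidate passes every rule above."""
    return not password_problems(candidate, public_phrases)


if __name__ == "__main__":
    for pw in ("ChSt14.99", "T-tB-b-TH0", "password", "Mypassword1!"):
        print(pw, "->", password_problems(pw) or "ok")
```

The post's own examples (ChSt14.99, T-tB-b-TH0) pass, "password" fails on three rules, and a spelled-out theme such as ChickenStrips14.99 passes only until "chicken strips" is supplied as a publicly posted phrase, which is the point of the caveat.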

Other Ideas

The two suggestions above are only a couple of ways to create strong and easy-to-remember passwords. It just takes a little thought on the front end. Find something that works for you, and once you do it's much easier to change and improve on a regular basis.


Information Security Link March 7, 2014

Surveillance by Algorithm: https://www.schneier.com/blog/archives/2014/03/surveillance_by.html

Bruce Schneier is one of the industry leaders in information security and, more specifically, a cryptographer. He is a very, very intelligent individual and you will become smarter reading his work, guaranteed. In this particular blog post he takes to task some statements made by the NSA and Google regarding how they handle people's personal data.

The TL;DR version is:

The NSA version of the term ‘collect’:

“So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.”

Google says its algorithms, which read your email, are like your dog:

"To wit: when you're watched by a dog, you know that what you're doing will go no further than the dog. The dog can't remember the details of what you've done. The dog can't tell anyone else. When you're watched by a computer, that's not true."
