I Love Ransomware

I had a few minutes to timesink yesterday and was reading stories on Google News. One link leads to another, and before I knew it, I was sucked into a story on 40 little known facts about TV’s most popular situation comedy ever, “I Love Lucy”. What could be more wholesome web viewing?

I rather quickly noticed that the text accompanying the pictures was very poorly written. Words were misspelled and misused with alarming frequency. I was convinced that the writing had been outsourced to an offshore bot that had stolen the content elsewhere on the interwebs.

And then, this happened.

[Image: fake virus alert]

My computer was crazily beeping and there was a fake virus alert displayed on the screen. Of course I took the time to close the browser (despite the false warning that I would not be able to) and make sure that my workstation was not actually infected. Such fun!

A brief Google survey revealed that the call center number displayed, (877) 337-7936, is often connected with malware scam artists. Most of the displayed pages seem to be further attempts to get you to install real malware on your system. Don’t fall for them.

Then I made the call. I was the end user from hell that these cyberpirates deserve. Imagine if Ransomware Inc. got hundreds of calls like this every day. They’d have no time to hold up their other poor victims and their profit margins would take a dive. The obvious annoyance of the Ransomware Agent at about 7 minutes into the call, when he lets out an exasperated “Yeeeeessss”, is priceless.

Remember, October is National Cyber Security Awareness Month. Stay safe online.

Lessons From A Ship’s Captain

What does a ship’s captain know about information security? A lot, apparently, if that Captain is Richard Phillips of Maersk Alabama fame. If you recall, this ship was the target of a failed hijacking attempt by four Somali pirates in April 2009. The ultimate failure of the hijackers, despite their early success in penetrating the perimeter of the ship, was in large part due to the leadership and strategic skills of Captain Phillips.

Captain Richard Phillips, left.

I recently had the opportunity to hear Captain Phillips speak at an event where the target audience was information security professionals. The lessons of the Captain’s experience were very relatable to that audience.

When Captain Phillips joined the crew of the Maersk, he took a couple of days to settle in and observe. He was concerned that security seemed a bit loose on board and decided to drill the crew. He did this repeatedly, each time learning from the failures of the previous drills. He and the crew, working together, improved things to a point where each member understood his role and responsibilities in case of an attack.

Sound familiar? Through iterative testing and analysis he helped his crew understand the policies and the actions that would increase their chances of repelling or surviving an attack by intruders. He made sure that any attack had to go through multiple layers of defenses. When the attack came, not everything worked as planned and practiced, but enough worked to ultimately assure the lives and safety of the crew.

Captain Phillips’ experience reminds us that we need policies that make sense and procedures that can be followed, especially under the worst of circumstances. He reminds us to educate our teams and organizations on their roles in executing those procedures. We need to test, test and test again. Learn from failures and successes and you and your crew will survive to tell the tale.

Hopefully you won’t need the help of US Navy SEAL marksmen to repel your next attack.

Windows 10 Update – Unhappy Anniversary

The Windows 10 anniversary update came recently to my radio room computer. The folks in Redmond have some quality assurance problems to resolve. Here’s what I’ve noticed so far.

All my firewall rules were deleted. This means that as I run applications which require external access, I have to reauthorize them. While it is not a bad practice to occasionally review these settings, I would have preferred to do so at a time of my own choosing.

The WINUSB driver used by my Perseus SDR was deleted. I had to reinstall the driver and, to do so, I had to go through the multiple reboots needed to allow installation of the unsigned 64-bit driver. Not fun.

My sound device settings were changed. The friendly name for the SignaLink USB sound card device that is connected to my Kenwood TS-2000 reverted to “USB Audio CODEC” and Windows decided to make that device my default sound and communications device.

This update was hardly the best anniversary present that Microsoft could have given me.

Android Security Just Got a Whole Lot Better

While Marshmallows are soft and gooey, Android 6.0.1 (Marshmallow) is one tough cookie. Marshmallow provides granular security controls that allow you to decide whether an application gets access to particular information. Tired of LinkedIn or Facebook trying to grab all your contacts?

Android Marshmallow allows for more granular control of application permissions.
Now you can control this behavior.

To take a look at these settings, go to Settings->Apps->Application manager. Pick an app and you’ll see a set of sliders that let you turn each permission on or off for that app. Newer app versions directly support the Marshmallow security model. Older apps don’t and may malfunction, but don’t let that stop you from trying out settings that meet your security requirements.

Blackberry has had this level of application security control for many years. It is good to see that Android is now taking application and data security very seriously.

WordPress Security 101

When I installed WordPress on this site, one thing that concerned me was that login and administrative functions were not using SSL by default. OK, I didn’t have an SSL certificate installed at that point, fair enough. But once the SSL certificate from Let’s Encrypt was installed, I set about learning how to secure these functions.

It is very simple.

In the same directory where WordPress is installed you’ll find a file named “wp-config.php”. Add the following line toward the bottom, right above the “That’s all” comment:

define('FORCE_SSL_ADMIN', true);

Save the file and you’re good to go. Assuming that an SSL certificate is properly installed on your web server, login and administration will now go over SSL.

I then set out to further validate my WordPress security. I found this free web-based tool.

I ran it against this site and found that my user accounts could be enumerated. This is clearly information leakage that should be avoided. The solution is to enable a WordPress plugin that stops this behavior. The plugin can be found here.

Download the plugin and copy it to the plugins directory as described in the Installation section of the above page. Using the plugins menu of the WordPress administration console, activate the plugin.

Run the scan again against your WordPress site and you’ll see that this issue has been resolved.
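For readers who want to see what such a plugin actually does, here is an added example (my own code, not the plugin linked above and not part of the original post) of a WordPress must-use plugin that closes the two usual enumeration paths: the ?author=N query, which WordPress otherwise redirects to /author/<login>/, and the anonymous REST listing at /wp-json/wp/v2/users. The file is assumed to be dropped into wp-content/mu-plugins/, which WordPress loads without activation; the ae_ function names are mine, while the hooks (template_redirect, rest_endpoints) and the route keys are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Block Author Enumeration (constructed example)
 * Description: Stops anonymous visitors from learning account names via
 *              ?author=N redirects and the REST API users listing.
 * Assumed location: wp-content/mu-plugins/block-author-enumeration.php
 */

// Refuse to run if this file is requested directly rather than by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Reject anonymous ?author=N requests with a 403.
 *
 * WordPress hooks redirect_canonical() on template_redirect at priority 10,
 * and that is the function that turns ?author=N into /author/<login>/.
 * Registering at priority 1 runs this check first, before any redirect
 * can reveal the login name. Logged-in users are left alone so that
 * author archives keep working for the site's own people.
 */
function ae_block_author_query() {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'template_redirect', 'ae_block_author_query', 1 );

/**
 * Hide the users collection and single-user routes from anonymous callers.
 *
 * The keys below are the route patterns registered by WP_REST_Users_Controller.
 * /wp/v2/users/me is intentionally kept: it only answers for the
 * authenticated user and is needed by the editor.
 *
 * @param array $endpoints Registered REST routes, keyed by route pattern.
 * @return array Filtered routes.
 */
function ae_hide_users_rest_routes( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'ae_hide_users_rest_routes' );
```

After placing the file, an unauthenticated request for /?author=1 should return 403 instead of redirecting, and /wp-json/wp/v2/users should return a rest_no_route error, which is what the scanner above is checking for. Re-run the scan while logged out of WordPress, since the check keys on the visitor being anonymous.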

Let’s Encrypt – Free SSL Certificates for Everyone

One of the best things I learned at Hope XI is that we no longer have to pay for SSL certificates. In an effort to make web encryption universal, the Internet Security Research Group (ISRG) has started Let’s Encrypt. Lest you think that this is an evil hacker plot to steal your encryption keys and data, you may feel better to know that the Technical Advisory Board is made up of representatives from Akamai, Cisco, the Electronic Frontier Foundation, Mozilla, and the Internet Society. This project is on the level and taking off.

My first certificate will be used to encrypt connections to this site. I’m sure that it will be the first of many. One downside is a short validity window (90 days) but Let’s Encrypt is offering automated tools to make the entire installation process simple and transparent. Unfortunately, this site is my free Optimum 60 website and I have limited control over the server, so I must wait for Optonline tech support to install my certificate.