Tag Archives: security - Page 2

But It Was The Right Thing To Do

I’m sorry, Kaitlynn.

Your ATM card is dead.  You left it in the Publix parking lot tonight.  There were no other cars around, so I couldn’t try and find you.  I had a thought to turn it in at the customer service counter and see if you would call and say you left your card there.  Instead, I called your bank.

Bank of America.  What a great bank.  In their phone queue, they ask for my (your) account number.  I enter it from the card.  They ask for the last four of your SSN.  Hell, I don’t know.  I said 0000.  I was wrong.  So they start to blow me off (a machine, saying eff off - wonderful) and I say “operator” (that’s supposedly a trick to get to a human).  Sorry, their customer service center is closed and no one can help me (or you).  Instead of getting pissed off and hanging up, I got pissed off and listened to the rest of their message.  I could report a stolen or lost card by saying “lost card”.  Bingo!

The lady handling the situation was pleasant.  She said she would deactivate your card right away.  I said that deactivating a card could result in a huge hassle.  Can’t you call the person and tell them their card will be waiting at the Publix service desk?  Nope.  Who knows who’s seen and copied the information on that card already before I found it.  Fair enough.  Goodbye, ATM card.  Goodbye, scheduled online payments.  Goodbye, electronic means of buying cigarettes (my assumption).  Oh, and they’re not going to call you either and say your card was found.  They’ll just wait for you to notice it’s gone and report it missing.  Seriously, that’s what they said.

So, I’m sorry.  But you should be happy it ended like this instead of the alternative.  Also, you need to sign your card before using it.  It says right on it: “Not valid unless signed.”

Happy holidays.

My Level Of Security

I’ll admit, I get around on the web.  I go places that you shouldn’t go.  But for the activity that I do, I’m pretty safe.  There’s only a few precautions I take and I don’t think it’s all that difficult for anyone else to do.

First and foremost, I installed the MVP Hosts file.  This file does a system-level blocking of any network application that tries to access an internet address that is considered advertising or malware.  This makes nearly everything better, because websites don’t get bogged down with ads.  There are some times that I do need to disable it, but those times are few and far between.  Because it’s system-level, that means IE, Chrome, Firefox, or any other application is immediately protected.

If you go looking for it, there is a growing argument that ads should not be blocked on websites, especially legitimate content sites.  I disagree.  I recently read an article on the analysis of the spread of an unpatched vulnerability.  The malware authors used a legitimate ad service that was utilized by many legitimate websites.  This means that there is no ad service that can be fully trusted.  My position is, if you want to display ads, you host them on your domain and you will take full responsibility for their content.  And because the ads are on the same domain as the content, I can’t and won’t block them.  Even if the ads aren’t malicious, legitimate ad services still serve up misleading ads, designed to trick you into clicking them.  They make them look like authentic messages or toolbars or status bars.  That’s not advertising, that’s flat-out deception.

Back to my security.  Next, I block Flash, Java, and all other plugins by default on all websites.  I used to do this in IE by changing the Flash plugin from blacklist to whitelist, but have come to prefer the ActiveX Filtering feature.

And I’m sure certain people would be screaming “You’re using the most insecure web browser evar!”  I would respond with a hearty rolling of the eyes.  Of the three precautions I take, this is the only one I perform at the browser level and without ActiveX, the majority of exploits are defeated.  That leaves JavaScript exploits.  How are these exploits delivered?  Through ads.  Ads that are blocked by the MVP Hosts file.

So, what’s the last piece of defensive software I use?  Microsoft’s EMET utility, which blocks vulnerabilities at the code level.  This is a really low-level utility and is not exactly user friendly, so I pretty much just run it at the default level.  It’s hard to tell if EMET is working because it’s so low-level.  I’ve seen it do its job twice.  Once, when I was using a Java applet on Verizon’s pages to play my voicemail and another on a sketchy website where it looked like the website was trying to perform an SVG image exploit.  I admitted already, I go to bad places sometimes.

Because I take these precautions, I hadn’t thought about being attacked in quite a while.  On a whim, I ran MalwareBytes and it came back with zero results.  My database was over 2 months old, if I saw correctly.

The only thing that I am vulnerable to is downloading Trojans and installing them myself.  And that is simply a personal fault – no fault of my computer or software. I will comment that downloading software from websites has really become a minefield, with sites displaying many different “Download” buttons at once.  You have to study the page and find the correct context for each button to make sure you are choosing the right one.

In summary, I feel I’m doing pretty good with the tools that are made available: KeePass, VeraCrypt (the replacement for TrueCrypt), MVP Hosts, EMET, and IE’s ActiveX filtering.  I use two-factor authentication whenever it’s available.  It’s not something I did all at once.  I added each little piece as I went.  And in total, it doesn’t slow me down at all.

2014 In Spam

It was in April of 2013 that I made a change to the way I use my email.  Unlike most people, I don’t just have an email address, I have an email domain.  And I use that entire domain namespace by creating a specific email address for every business I deal with.

My email server processes the emails against a blacklist instead of a whitelist.  That means that I can create any email address I want, and it will get delivered to me unless I put it on a list to be blocked.  That reduces the amount of administrative headache I have.

The purpose of this is so that I can tell where my emails are being lost, stolen, or sold.  The instances of this in 2014 were pretty low.  Someone got my paypal email from someone I did business with, some political spammer used a public records request to get my electric company email, and one website’s user database got hacked (and they won’t admit to it).

What I was a little fearful of when creating this wildcard email account was that some automated script would hit my mail server and try a whole slew of predictable emails, like admin@, webmaster@, accounting@, president@, etc.  My wildcard account would catch these and I’d get inundated with mail.  However, this hasn’t happened yet.  I did get some spam by someone who guessed an email address using the firstname.lastname@ structure, so that email was then blocked.

My blacklist only has 6 entries, which I think is pretty good.  And to not have any spam is plenty wonderful.  I just did some checking and it seems my mail server software is rather old.  I think an upgrade will be in order sometime this year.

Prediction

A while ago, the world was abuzz with the celebrity nudes hack.  I was recently reminded of a recent update I had seen for Dropbox.  It’s easily understood that anything that can be used by you for good can be used against you for bad by someone else.  This feature is no different.

The specific feature that was added to Dropbox was “Remote Wipe”, which is intended to be used if you lose your phone or other portable device.  By triggering a remote wipe, your data is no longer available to steal.  That is a good thing.  This is presumably done through the Dropbox website.

But what happens if someone gains access to your Dropbox website account?  They can remotely wipe your data.  Instead of your portable device being a backup copy if the service ever became inaccessible, it’s now vulnerable whenever the service is accessible.

Naturally, the hacker would either change the password and/or copy off all the files for their own potential ransom request or personal use.  Can you imagine opening up your Dropbox folder one day and having it be empty except for a text file with instructions on submitting a ransom in bitcoin?

I keep saying it one way or another.  The cloud is not to be trusted. 

You need to:

  • Keep your data locally.
  • Have unique usernames at each website – Use a password manager like KeePass
  • Have unique passwords at each website – Use a password manager like KeePass!
  • Keep a PIN on your phone.
  • Keep catastrophic data in an encrypted file – Use TrueCrypt 7.1a

The more of this you do, the more secure you will be, which means the more comfortable you will be. 

It Has Come To Pass

So, something I’ve been expecting has finally happened and now I don’t really know what to do about it.

Back in April of last year, I made the decision to use unique passwords for every web site and at the same time, use a unique email address for every web site.  This wasn’t difficult to do; I just made a catch-all email address on my mail server, then started using unique emails on every website.  For example, amazon.com@mydomain.com would indicate to me that the email was from my amazon account registration.

And yesterday, I get a piece of spam from paypal.com@mydomain.com.  How many people have I shared this email with?  Exactly nine.  I don’t make a bunch of purchases via paypal.  So now, I don’t know what to do.  I don’t know exactly who sold off my email address or if they didn’t even sell my email, but their computer was hacked and their address book stolen.  Maybe they use a 3rd party cloud-based POS system and that was hacked.  The bottom line is, I don’t know. 

I’m going to work on the assumption that they were hacked.  Someone got into their eBay account (like they did for me) and mined their recent customer list.  This makes sense because I can’t imagine any of the people I dealt with having a large enough customer list to monetize it for any decent value.

I would love to email each of them and tell them what’s happened.  Someone out there has compromised my personal information.  They wouldn’t be able to do a whole lot of damage, but they probably have a full profile of me: name, address, phone, email.  That sucks.

So now, I have to set up a blacklist on my server for paypal.com@… and create a new email, like paypal.com2@…  That sucks, too.
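The catch-all scheme from this post and from “2014 In Spam” above (one address per business, a small blacklist, rotation to paypal.com2@ when an address leaks, and the worry about scripts walking admin@, webmaster@ and friends) as an added example; this is not the author’s mail server configuration, and the registry, blacklist and log entries are constructed sample data.

```python
"""Triage mail landing in a catch-all domain that gives every business its own address.
Added example, not the author's mail server configuration; registry and
blacklist below are constructed sample data."""
from collections import Counter

DOMAIN = "mydomain.com"
# Which party each address was handed to (constructed sample).
REGISTRY: dict[str, str] = {"amazon.com": "Amazon",
                            "paypal.com": "nine PayPal counterparties",
                            "bankofamerica.com": "Bank of America"}
# Local parts already burned by spam; the server rejects these outright.
BLACKLIST: set[str] = {"firstname.lastname"}
# Role names an enumeration script tries first against a wildcard domain.
GUESSABLE = {"admin", "webmaster", "accounting", "president", "postmaster", "info"}

def triage(rcpt: str, registry: dict = REGISTRY, blacklist: set = BLACKLIST) -> tuple[str, str]:
    """Classify one recipient as (verdict, detail): blocked (reject at SMTP time),
    known (deliver, attribute to the business it was given to), guess (a role
    name nobody was ever given) or unexpected (anything else the catch-all took)."""
    local, _, domain = rcpt.lower().partition("@")
    if domain != DOMAIN:
        return ("unexpected", "not our domain")
    if local in blacklist:
        return ("blocked", local)
    if local in registry:
        return ("known", registry[local])
    if local in GUESSABLE:
        return ("guess", local)
    return ("unexpected", local)

def rotate(local: str, registry: dict, blacklist: set) -> str:
    """Burn a leaked address and issue its successor: paypal.com -> paypal.com2 -> paypal.com3."""
    blacklist.add(local)
    base = local.rstrip("0123456789")
    n = 2
    while f"{base}{n}" in registry or f"{base}{n}" in blacklist:
        n += 1
    new = f"{base}{n}"
    registry[new] = registry.get(local, "unknown")
    return new

def enumeration_suspects(log: list[tuple[str, str]], threshold: int = 3) -> list[str]:
    """Sender IPs that hit >= threshold guessed or unexpected addresses: likely a script
    walking admin@, webmaster@, ... rather than a person writing to a known address."""
    hits = Counter(ip for ip, rcpt in log if triage(rcpt)[0] in {"guess", "unexpected"})
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample of (sender IP, RCPT TO) pairs from the server log.
SAMPLE_LOG = [("198.51.100.7", "admin@mydomain.com"),
              ("198.51.100.7", "webmaster@mydomain.com"),
              ("198.51.100.7", "accounting@mydomain.com"),
              ("203.0.113.5", "amazon.com@mydomain.com")]
```

Rejecting blacklisted and guessed local parts at RCPT time keeps the catch-all from turning into the inbox flood the post worries about, while the registry still tells you which business leaked an address.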

Windows 8.1 and IE11

Ok, I ran into my first significant issue with Windows 8.1, specifically IE 11.  On all my machines, I use the MVP HOSTS file, which blocks ads at the system level by redirecting requests for common ad-serving websites to your local machine, which should be “not found” and just continue on.
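The HOSTS-file blocking described here and in “My Level Of Security” above, as an added example (not code from the MVPS project): it parses HOSTS-format lines and reports which of a page’s resource hosts would be pinned to the local machine. The entries and URLs are a constructed sample, not lines from the real MVP HOSTS file.

```python
"""Check which of a page's resource hosts an MVP-style HOSTS file would block.

Added example, not the MVPS project's code. The HOSTS entries below are a
constructed sample, not lines from the real MVP HOSTS file.
"""
from urllib.parse import urlsplit

# Addresses that pin a name to the local machine; a blocking HOSTS file uses one of these.
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample in HOSTS format: <address> <hostname ...> [# comment]
SAMPLE_HOSTS = """\
# constructed sample, not the real MVP HOSTS file
0.0.0.0 ads.example-adnetwork.test tracker.example-adnetwork.test  # ad server
0.0.0.0 cdn.sketchy-malware.test
   # an indented comment line, ignored
"""

def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname in a HOSTS file to the address it is pinned to.

    Handles comments, blank lines and several hostnames on one line; names
    are lower-cased because DNS names are case-insensitive.
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping

def is_blocked(url: str, hosts: dict[str, str]) -> bool:
    """True if the URL's host resolves to a local sink, so the ad never loads.

    Only exact names match, as the OS resolver does: an entry for
    ads.example-adnetwork.test does not cover sub.ads.example-adnetwork.test.
    """
    host = (urlsplit(url).hostname or "").lower()
    return hosts.get(host) in LOCAL_SINKS

def audit_page(resource_urls: list[str], hosts_text: str = SAMPLE_HOSTS) -> dict[str, list[str]]:
    """Split a page's resource URLs into those the HOSTS file blocks and the rest."""
    hosts = parse_hosts(hosts_text)
    result: dict[str, list[str]] = {"blocked": [], "allowed": []}
    for url in resource_urls:
        result["blocked" if is_blocked(url, hosts) else "allowed"].append(url)
    return result
```

The exact-name rule is the practical limit of this approach: an ad network that moves to a new subdomain slips past until the file is updated, which is why the MVP list needs regular refreshes.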

Well, using IE 11, whenever a page had an element that was blocked by the HOSTS file, the browser would hang for as long as 3 seconds waiting for a reply, interrupting the load of the page.  Even on the Dilbert website, it would sometimes take 10 seconds to load up.

So I had to find out why this was.  I compared my Windows 7 IE to my new Windows 8.1 IE and disabled all the settings that were new.  The one that fixed the problem: Enable Enhanced Protected Mode.  This is found in the Advanced setting of Internet Options.

I did very little research on this after I discovered that it was the fix, but from what I understand, this mode is made to prevent unintended execution of code.  So I guess I can understand that a call from a page from a remote web site, linking to a file on your local computer could be considered suspicious.  But regardless, it is a problem for me.

This is the network trace that I would expect.  These websites are blocked in my HOSTS file, so they return 404 errors because they are not found on my local machine.

When I have Enhanced Protected Mode on, these requests have a status of Aborted, but that’s after seconds of waiting.

So, that solves that mystery.  IE is now just as quick as ever, and I’m pretty sure I’m still going to be safe.

Change For The Good, Right Now

In the “these things happen to other people” news, I’ve been a target of a hacker.  As hacks go, it was fairly significant – my eBay account.  The hacker bought a whole bunch of stuff, surprisingly not using my linked PayPal account.  eBay locked my account quickly, notified me, and took care of most all the issues with fees and listings.  Regardless, I felt obligated to apologize to a bunch of people who got caught up in the mess.  One person had actually shipped the product by the time I emailed them.

I’ve been online a long time and my password strength has grown with the ever-increasing threat.  I’ve felt I’ve had a decent password, but I suffer from what a lot of people probably do, and that is password entropy – using the same password on every site.  Well, that’s not entirely true since I do use a variant of my main password for those sites that don’t support the special characters I used.

Now it’s time to get real.  Just before I discovered my eBay account was hacked, I had dealt with some spammer sending me over 7000 emails of random text.  So I was giving consideration to changing my email address, and why not have a different email address for every site?  So my email address for Bank of America would be bankofamerica.com@mydomain.com and for Expedia it would be expedia.com@mydomain.com.  This would be relatively easy to remember and would identify if anyone sold my email address to another company or if my email was stolen or harvested.

But at the time, I felt a bit overwhelmed with the task of changing ALL my emails.  Now, since I have to change ALL my passwords, I might as well go through with it.  In addition, I’ve decided to use a password manager, KeePass.  It seems to be a pretty slick utility and I’m surprised I never gave it a chance before. I think my main reason for avoiding it was that I never wanted to be unable to access a website because I didn’t know my password.

But upon closer inspection of that fear, it is very similar to other fears that keep you from (positive) change.  The fringe cases override everything.  It seems everyone is afraid of the word “can’t,” because it is only interpreted in its absolute and permanent sense.  It’s not “I can’t do this,” it’s “I can’t do this right now.” And the “right now” part is what makes the modern time so awesome, hectic, and dangerous.

So, with KeePass, I can have a password file on my home computer and there’s a version for my phone that I can keep synched.  That should be well enough to let me do what I need when I need to.  And for the other cases, it’s going to have to be the other person disappointed when I say “I can’t” because I’m not going to let it control me.

Welcome To The Jungle

I have recently moved my web hosting and email to a new dedicated server on GoDaddy.  I’m rather pleased by this because it will allow me complete freedom to do whatever I want with the server, set up as many websites as I want, install any software, and resell hosting services.

But with great power comes great amounts of bullshit.  With my old hosting account, I had the benefit of some decent anti-spam measures.  So now that my mail is off that server, I’m now exposed to more spam.  I’m trying to take it with a good attitude, because some of it is clever and some is just downright retarded.

Case in point, the following email received today:

Edgardo from the USPS is emailing me from his school email account to tell me, in a poorly-constructed sentence, that they couldn’t deliver a package I sent.  He was nice enough to attach a shipment label in a zip file for me to print and collect at their office, wherever that office is.

Example #2:

This one is obvious.  You mouse over any link and the address it directs you to is not facebook.com, but some other address where you will get infected.  The best part of the email is that it is a notification for a facebook message posted on December 6, but the email notification was sent 5 hours early, on December 5.  Now that’s advanced technology, like they have in Nigeria, which happens to be in a time zone +6 hours away.  And we just happen to be on Daylight Savings Time here.  Nah, no coincidence.

Security Through Absurdity

HSBC has always seemed to be the weirdest when it comes to logging in to their banking site.  To log in, you have a username, a password, and a security key – essentially, two passwords.  I’ve had an HSBC account for some time, and their little Java applet where you would enter your security key using the mouse was lame as hell.  If someone is watching over your shoulder, you can type your password pretty quickly and people probably won’t get it.  But if you’re clicking the mouse letter-to-letter, that’s as obvious as hunting and pecking your password with a single finger.

I have to assume it’s to prevent password capture from keyloggers, which is noble in its intent, just lame in its execution.  So HSBC changed up their login to something even more ridiculous. You still have your security key, but now, you enter random characters from it.

Can this be any more insane?  The first time, I couldn’t even log in.  I was stepping through my key letter by letter, counting the boxes and to be honest, I was using the wrong letters anyway.  I wouldn’t have made that mistake on the old login, because it was a keyboard pattern I was familiar with.

I think I understand the reasoning.  They want to inject some humanized processing of the security word.  What will be their next version of the login?  “Enter your security key… backwards.”  “Enter your security key… replacing all the letter A’s with underscores.” “Enter your security key… using capitals for lowercase and vice versa.”
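The random-position login described above, modelled as an added example (not HSBC’s implementation) to show what it does and does not buy: a watcher who captures one login gets only the positions asked that time, and the functions measure how many watched logins it takes before every position has been seen. The 8-character key and 3 positions per login are assumed values; one consequence of the design worth knowing is that the server has to compare individual characters, so it cannot hold the key only as a single salted hash the way an ordinary password is stored.

```python
"""Model a 'type characters 2, 5 and 7 of your security key' login and measure how
much a watcher learns from it. Added example, not HSBC's implementation; the
8-character key and 3 positions per login are assumptions for illustration."""
import random
from typing import Optional

def make_challenge(key_len: int, k: int, rng: Optional[random.Random] = None) -> list[int]:
    """Pick k distinct 1-based positions the user must type, in ascending order."""
    if rng is None:
        rng = random.Random()
    return sorted(rng.sample(range(1, key_len + 1), k))

def verify(key: str, positions: list[int], answer: str) -> bool:
    """True when the typed characters match the key at exactly the challenged positions.
    The server must compare single characters here, so it cannot store the key only
    as one salted hash the way an ordinary password is stored."""
    if len(answer) != len(positions):
        return False
    return all(key[p - 1] == ch for p, ch in zip(positions, answer))

def logins_until_exposed(key: str, k: int, seed: int = 0) -> int:
    """Watched logins (keylogger or shoulder surfer) until every position of the key
    has been typed at least once; with the whole key typed each time this is 1."""
    rng = random.Random(seed)
    seen: set[int] = set()
    logins = 0
    while len(seen) < len(key):
        positions = make_challenge(len(key), k, rng)
        seen.update(positions)   # the watcher sees which positions were asked and typed
        logins += 1
    return logins

def mean_logins_to_expose(key_len: int, k: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo average of logins_until_exposed over many independent watchers."""
    total = sum(logins_until_exposed("x" * key_len, k, seed + i) for i in range(trials))
    return total / trials
```

For an 8-character key with 3 positions per login the average comes out at a handful of watched logins, which is the whole gain over typing the full key once in front of a keylogger.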