Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Armor up! Personal Cyber Safety

August 21, 2017 By Doug

A friend of mine recently lost their smart phone.  They did most of the right things – sent the wipe signal to it, and changed their passwords.  Unfortunately, they missed telling the cellular carrier, and it turns out that someone had simply moved the SIM card into another phone and used it to make hundreds of dollars in overseas calls (much like we used to see with calling card and conference call numbers).  It also meant that any inbound calls and SMS messages would have rung on that stolen phone – something to think about in the age of SMS two-factor authentication.

He asked me for an updated list of suggestions on how to get secure and stay safe online, and rather than doing a one-off, I thought I’d share here – feel free to add suggestions in the comments, and I’ll keep this current.  The first is the most important, and the rest are in no particular order.  Many of these are involved topics that deserve posts in their own right – this is just a quick summary.

[Updates at the end]

#1 – Keep Current

Make sure you’re on a current and supported operating system, and keep up with patches.  For Windows that means 7 or higher, for Mac El Capitan or higher, and for iOS it means 9 or higher.  For both Windows and Mac, that’ll change soon – Windows 10 and Sierra are better options.  Android is much harder unless you get updates directly from Google.  If you don’t, you’re behind – that’s one of the reasons I don’t recommend non-Google Android devices.

This also means keeping your applications up to date.  If you still have Office 2003 because it’s all you need, unfortunately, you’ll have to pay the Microsoft tax and get a current version to get patches.  Ditto on the Adobe products, and pretty much everything else.

For both OS and apps, apply patches and updates on a regular basis.  For Windows machines, make sure you watch for ‘Patch Tuesday’ and apply patches right away – often the bad guys release new malware shortly afterwards that attacks unpatched machines.  We all find it hard to keep up with patches (Windows takes far more care than Mac), so when possible, turn on automatic updates.  Which brings us to the importance of the next item:

Backups

Things will go wrong.  Consumer cloud has no guarantee of backup or restoration of data, so don’t trust Google, Apple, Microsoft, DropBox, or any other service as the sole place your information lives: any critical information (e.g. family photos) should live in at least two physical places, one of which should be under your personal control.  For example, one of the first things I disabled in Sierra was the ‘automatic migration of data to iCloud’.  Aside from not controlling what’s uploaded, the last thing I’d trust a consumer-grade service to do is delete anything off my machine automatically.

Backups should be encrypted (see below), and at least one stored offsite – either a cloud-based backup like CrashPlan, or a drive in a safety deposit box or at a friend’s house.  If you use cloud backup, remember that they don’t work for things like virtual machines, and can blow out your data charges.

So I back up my iOS devices to my local computer (not iCloud), then back up the Mac using Time Machine (for the ‘oops, I deleted it’ situations), and Carbon Copy Cloner (www.bombich.com) for my disaster backups.  CCC has saved my bacon more times than I can count, and I highly recommend it for Mac users.

I also strongly recommend that at least one of your backups be physically disconnected from your computer when not actively backing up.  That’s the single best defense against ransomware.


Securing the browser

Absolutely run a current browser version.  I recommend using uBlock Origin and Privacy Badger to cut down on the worst of the tracking and funky sites.  Don’t use shady extensions like video downloaders.  To be extra safe, use two browsers – one for general browsing, and one for sensitive sites.  Be careful of typo-squatting sites.  That’s one reason I like 1Password – it validates the URL before pasting in credentials.  Stick with one of the big three – Edge, Firefox, or Chrome.  Retire Internet Explorer.
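The URL check a password manager performs before filling credentials is the defence against typo-squatting mentioned above. The following is an added illustration of that check, not code from the post or from 1Password: it fills only over HTTPS and only when the parsed hostname of the current page belongs to the same registrable domain as the saved entry. The site names are constructed placeholders, and the "last two labels" rule for the registrable domain is a stated simplification (a real manager consults the Public Suffix List).

```python
from urllib.parse import urlsplit


def registrable_domain(hostname: str) -> str:
    # Simplification (assumption of this example): the last two labels form the
    # registrable domain. A real password manager consults the Public Suffix
    # List so that names like example.co.uk are handled correctly.
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def should_autofill(stored_url: str, current_url: str) -> bool:
    """Return True only when credentials saved for stored_url may be filled
    into the page at current_url.

    Rules: the page must be served over HTTPS, both URLs must parse to a
    hostname, and the registrable domains must match exactly. Comparing the
    parsed hostname (not a substring of the URL text) defeats look-alike
    hosts, suffix tricks and userinfo tricks such as https://bank@evil/.
    """
    stored = urlsplit(stored_url)
    current = urlsplit(current_url)
    if current.scheme != "https":
        return False
    if not stored.hostname or not current.hostname:
        return False
    return registrable_domain(stored.hostname) == registrable_domain(current.hostname)


# Constructed URLs (placeholder .test names, not real sites): one saved entry
# and the pages a user might land on after a typo or a phishing link.
STORED = "https://www.example-bank.test/login"
CASES = {
    "https://secure.example-bank.test/auth": True,            # same registrable domain
    "https://examp1e-bank.test/login": False,                 # typo-squat (digit 1 for l)
    "https://www.example-bank.test.evil.test/login": False,   # saved host used as a prefix
    "https://www.example-bank.test@evil.test/login": False,   # userinfo trick; host is evil.test
    "http://www.example-bank.test/login": False,              # plaintext HTTP
}


def run_cases() -> dict:
    """Evaluate every constructed case against the saved entry."""
    return {url: should_autofill(STORED, url) for url in CASES}


if __name__ == "__main__":
    for url, ok in run_cases().items():
        print(f"{'FILL ' if ok else 'BLOCK'} {url}")
```

The important design choice is that the decision is made on the parsed hostname, never on a substring match against the address bar text; the third and fourth cases are exactly the ones a naive "does the URL contain my site" check gets wrong.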


Trust the cloud – sort of

There are three kinds of cloud services:  free/consumer, and enterprise.  Free services monetize you in some fashion (more below), usually by selling your data to advertising – and I recommend avoiding them.  This includes services like Gmail, Facebook, Twitter, and such – if you’re not paying for it, you’re the product, not the customer.

iCloud is paid for as part of buying Apple products, and while Apple uses the data for marketing and product development, they don’t sell it to third parties, so it’s somewhat better.  One thing that all consumer services have in common is that they disavow any responsibility for data loss or disclosure.

So, for backups and email, I recommend paying for the service.  You’ll get much better responsiveness and much less privacy compromise.  And make darn sure the data is encrypted before uploading.


Passwords & Password Managers

That’s especially true of password managers.  I’m not a fan of cloud storage for my password vault – it’s too inviting a target.  That’s one of the reasons I use 1Password from www.agilebits.com – they offer a local sync option.  But using one with the cloud is far better than not using one, and I have a number of family and friends using the 1Password cloud options.  I’ve written recently about 1Password’s migration to the cloud, and while I have concerns, it’s still the best option out there.

Your password manager password needs to be a good one – a passphrase is best.  The new advice is to pick four or five words:  cheetah shark Saturn smiley mayonnaise.  You’ll remember it much more easily than a random set of characters, and most good cracking tools now easily handle reversed words, letters replaced with numbers, and all the other tricks.

All this implies, yes, use a password manager that generates unique random passwords for each site.  That way you only need to remember one single password (hence 1Password) that’s really good and strong, then it does the rest for you.

Note:  Do not use the web-version of a password manager.  Use the application on a device that you control.
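To put numbers on the passphrase advice above, here is an added example (not code from the post) that generates a multi-word passphrase with the operating system's CSPRNG and compares its entropy with that of a random printable-ASCII password. The 16-word list is a constructed stand-in; the entropy comparison assumes a real list of 7776 words, the size of a five-dice diceware list, which is an assumption of this example rather than something the post specifies.

```python
import math
import secrets

# Constructed demo word list (a stand-in for a real, published list of several
# thousand words). The entropy figures below use an assumed 7776-word list.
DEMO_WORDS = [
    "cheetah", "shark", "saturn", "smiley", "mayonnaise", "anvil", "harbor",
    "velvet", "tundra", "quartz", "pickle", "lantern", "meadow", "orbit",
    "saddle", "walrus",
]


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words drawn uniformly and independently (repeats
    allowed) from a list of list_size words: each word contributes log2(N)."""
    return num_words * math.log2(list_size)


def char_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a random string of `length` symbols from an alphabet of
    alphabet_size symbols, e.g. 94 printable ASCII characters."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int, words=DEMO_WORDS, sep: str = " ") -> str:
    """Pick words with secrets.choice (CSPRNG), never random.choice."""
    if num_words < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(words) for _ in range(num_words))


def compare(num_words: int = 5, list_size: int = 7776,
            pw_length: int = 8, alphabet_size: int = 94) -> dict:
    """Compare a words-from-a-list passphrase against a random character
    password and report which has more entropy."""
    phrase = entropy_bits(num_words, list_size)
    chars = char_entropy_bits(pw_length, alphabet_size)
    return {
        "passphrase_bits": round(phrase, 1),
        "password_bits": round(chars, 1),
        "passphrase_wins": phrase > chars,
    }


if __name__ == "__main__":
    print(generate_passphrase(5))
    print(compare())
```

Five words from a 7776-word list give about 64.6 bits, more than an eight-character random password drawn from all 94 printable ASCII characters (about 52.4 bits), which is the point the post makes: the strength comes from the number of random choices, not from substituting digits for letters in a word the cracker already has in its dictionary.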


Lie

That brings me to one of the toughest ones – lying to sites by intent.   This falls into two categories – lying for protection, and lying because it’s none of their business.  For the former, when a site asks you to create a secret question and answer, lie – use a random word, and then store that in your password manager.

More importantly, when a site asks you for information it doesn’t need – your birthday for a shopping site for example, make something up that’s completely random.  I started getting retirement spam after using a 1940’s date…interesting.

This is also true for sites or companies that ask for ‘mother’s maiden name’.  Go change all those and record the new random answers in your password manager.  For companies that continue to insist on the single worst authentication mechanism (last 4 of SSN), pester them to see if you can get it changed.  If not, then we should all shame them on social media.


Use two-factor

When offered, use two-factor authentication.  It’s not perfect, but it’s better than just a password.  Do not rely on device-based authentication alone, though; always use both factors.


Disk/device encryption – backup and machines

Turn on whole disk encryption on your system.  For mac: https://support.apple.com/en-us/HT204837 and for Windows: https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption


Set mobile devices to lock and wipe

If your device has options to disable biometrics and force a passcode after a handful of attempts, turn them on, and then turn on the option to wipe the device after 10 failed attempts.

And use something stronger than a 4 digit PIN – at least 6.  Alphanumeric is better.  Pick one that’s not your own, your spouse’s, your kids’ or any other date, address, phone number, or anything else that’s easy to guess or on social media.

While you’re at it, set AirDrop to ‘contacts only’.  Better to stay off the grid.

Biometrics

Biometrics are a mixed bag.  Right now there’s tons of snake oil out there.  The only one that I trust for regular use is the fingerprint reader on the iPhone – and that’s because of the lock/wipe options.  I do not use it on a computer – type the passphrase instead.  Facial recognition, swipe patterns, and such can be spoofed trivially, and many consumer grade fingerprint readers can be as well.

Stay off public (and other) computers.

Using a public computer is like licking the seat in an outhouse.  Just don’t.  Ever.  Your friend’s computer isn’t quite as bad, but unless you know that they have good hygiene, it’s best to only use your own devices.


Uninstall Flash and Java 

It’s time to get rid of these two applications from your personal machines.  Corporate machines should too, but that’s a much more involved story.

Flash:

Mac: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

Java:

Mac: https://www.java.com/en/download/help/mac_uninstall_java.xml

Windows: https://www.java.com/en/download/help/uninstall_java.xml

If you have to use Flash, use Chrome (but disable all the tracking first).


Get accounts before the bad guys do

As Brian Krebs recommends, get accounts on https://www.ssa.gov/ and IRS.gov (https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/) before someone else does it first.


Credit Freeze

And again a shout-out to Brian, for his information on getting credit freezes from all four agencies.  Credit monitoring is useful for telling you it’s been compromised – a freeze protects it up front.  https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

If your homeowners insurance offers identity theft protection as a rider, that’s not a bad investment for the price.

Note:  If you have kids, freeze their credit too.


eMail security

Email is not private.  If you have a standalone email application, using SSL only keeps it secure between your machine and the server.  If you do it in the browser, same situation – and you’re also exposed if the browser is compromised.  Never email any sensitive information like bank account numbers, social security number, credit card numbers, and so on.  If you’re emailed a new password after a reset, immediately go change it on the site itself.

Note:  Yes, there are ways to technically encrypt email end-to-end.  It’s not clean or easy, and pretty fiddly.  If you absolutely positively must email something sensitive, my recommendation is to encrypt the document itself then attach that to a regular email.  That’s beyond the scope of this post.

Because password resets are done via email, this is the most important account you have.  It must be used with a robust random password, and you should never log in from any device that you don’t own and control.  If the bad guys get your email, they get all your other accounts.


Have a throwaway email

So that means having more than one might make sense.  Ever have a site that you might want to get information from, but don’t want them to have your details?  Get and use a throwaway email account – or a junk mail account to use for all of them.


Never click links

And never, ever, click on any link in anything on that junk account.  That’s good practice for all email and all links.  Go manually to their site, and login by hand.  Related – stop sending emails with links in them (internal corporate communications I’m looking at you).


Stay off the seedy side of the internet

It goes without saying, stay off the seedy side of the internet.  Get legal software and content, avoid torrents, and naughty sites.


VPN/Public Hotspots/Cellular Data

I avoid using any public hotspots – it’s far too easy for someone to sniff what you’re doing.  Use your cellular hotspot when you can.  For better protection, use a personal VPN like www.getcloak.com to prevent traffic monitoring and cellular carrier supercookies.  This includes hotel internet.

Never respond to inbound phone calls

If you get a call allegedly from your credit card company, bank, insurance company, or similar company, don’t give any information or acknowledge that you even have an account.  Politely thank them, and call the number on your credit card or statement (not the one they give you over the phone).  Hiring a fake call center is trivial.


Firewalls & Antivirus

Turn on the Firewall on a Mac https://support.apple.com/en-us/HT201642 and Windows https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off

As a minimum, turn on XProtect on the Mac https://support.apple.com/en-us/HT201940 and Windows Defender on Windows: https://support.microsoft.com/en-us/help/17464/windows-defender-help-protect-computer

On both Mac and Windows use www.malwarebytes.com to scan and remove malware, including adware.

On Windows, seriously consider paying for antimalware software.  At this point I’d probably recommend Symantec over the alternatives – the free solutions aren’t worth it.  If your bank offers Trusteer Rapport, download and install it.

Oh, and disable file sharing if you haven’t already.

Don’t tweak the bad guys

I know folks who will keep the ‘tech support’ spoofers on the line, or text with the thieves who stole a phone, or respond to phishing emails with ‘nice try’.  Don’t.  These folks are very good at what they do, and most of the time you’re just a drive-by as they conduct a massive campaign.  But if you get them mad and they target you, it’s a whole different ball game.  Respect their skills.

In the end

Be skeptical, be wary, and be prepared to be hacked.  I had a bank ask me to send mortgage paperwork via email.  I said no.  I’ve had calls to my phone that spoof my own callerID.  I hung up.   I’ve also had really clever phishing emails that I almost clicked.  I did – to delete.  We’ve had our credit card stolen several times – caught it by watching my bills weekly.

As one of the characters in Harry Potter was fond of proclaiming, ‘Constant Vigilance’.


[Update]

Shred it

Shred anything and everything that has your information on it.  That includes envelopes from bills (they identify targets for the bad guys to hit), junk mail, receipts, boarding passes, hotel room cards, credit cards (unless metal – cut those with tin snips), conference badges (I punch out the RFID chip as soon as I get one), old business cards, and so on.  Bar codes are the most insidious as they can hide a lot of personal information, as Brian Krebs points out in the link about boarding passes.

Filed Under: Security Tagged With: backups, biometrics, browser, cloud, credit freeze, credit monitoring, flash, identity theft, java, passwords, personal, privacy, security, updates

Hacking Back is a Bad Idea

August 17, 2017 By Doug

(c) DepositPhotos / @ Hansito

A bill was recently introduced in the US congress that would allow private organizations to ‘hack back’ when attacked. This is a Bad Idea™ that should be quickly put to rest – no good can come of it.

When we’re attacked, spoofed, phished, or just annoyed with junk phone calls, it’s human nature to want to return the favor.  Companies spend large and growing resources on cybersecurity that could better be spent building new and innovative products.  Unfortunately we don’t live in Utopia, and directions there don’t seem to be loaded into our GPS.  So we try to protect our organizations as best we can given resource constraints.  So should we divert a portion of that capability to hack back at attackers?  For private organizations, absolutely not.  Let me explain.

It goes back to the problem of attribution, which I’ve written about in the past.  Our adversaries are well versed in covering their tracks, planting misdirecting evidence, and throwing blame on innocent third parties.  Hacking back is far more likely to inadvertently hit a different victim of the hackers than the actual actors themselves.  Worse, we know the bad guys would use this as a new threat vector.  Rather than attacking company A directly, they’d hack those servers, and use them to hack company B.  When B retaliates against A, they do far more damage than the original hack.  If the two firms are direct competitors, then the only ones who really win in this situation are the bad guys and trial attorneys.  Oh, and on that last point – no legal counsel worth their salt is going to authorize a hack-back by a private entity, regardless of what the law says.

You’ll notice I’ve only talked about private organizations, which leaves law enforcement or national intelligence and defense.  I’m not going to address ethics of ‘stockpiling’ vulnerabilities, but there’s no question that those agencies and the military definitely possess offensive cyber-attack capabilities.  Should those be used on behalf of private organizations?  Only as much as is necessary for attribution and criminal prosecution – and even then, only with appropriate authorization and oversight.

Filed Under: Security Tagged With: congress, government, offensive hacking, policy

Dealing with the next Petya, WannaCry, NotPetya attack

August 6, 2017 By Doug

(c) DepositPhotos / Cseh Ioan

We are facing a continuous stream of ransomware, wipers, and related attacks.  I had a client ask recently, somewhat in exasperation after being hit with one, about why all their investment in security wasn’t enough to keep them safe, and what they could do to deal with the next one more effectively.  It’s a complex problem and paradoxically requires both more granular and more pre-planned response capabilities than we generally have available today.

A bit of brief background.  These attacks are focused on denying access to systems or information – that is, an attack on availability, with a secondary risk to confidentiality, and (so far) they have not impacted integrity, though I expect that to happen.  The code involved is often autonomous – rather than an attacker remotely accessing and controlling systems, the malware spreads via vulnerabilities in applications or operating systems, with some spread by phishing and email attachments.  This hands-off approach and quick impact mean that often the first warning we have of a campaign is when machines are discovered to be encrypted or wiped.  These are popular because malware kits are available for purchase, there’s a clear line from infection to monetization (or nation-state goal achievement), and the more advanced forms spread on their own.

We know these attacks are coming, and we know we’ll get hit.  Yet we continue to lurch from one to the next, relying on yesterday’s blanket policies and procedures to protect us from a dynamic and ever-changing threat.  There are three major places to start work, and most of it is on the IT and policy side of the house.

Backup

Above all else, we need robust, and granular, backup and recovery solutions in place for all of our systems, including end-user workstations.  Running without backups is like sailing the North Atlantic in spring without pumps – if you hit an iceberg, you’re going down.

If we have good backups, using a cloud backup solution like CrashPlan or an enterprise-grade agent-based backup solution like Tivoli Storage Manager, it immediately limits the potential impact to whatever time it takes to restore the system.  We can’t use local disks like Time Machine, or NAS backups via mounted drives, as malware is now specifically targeting those.  While we can leverage our disaster recovery plans for this, they will have to be updated and made more agile.  Specifically, we need to understand system dependencies, and have solid – and tested – restore plans, and may need to change the backup timing to reduce the rollback period required.

Dynamic Organizational Threat Posture

Ok, I think I just won buzzword bingo, but let me explain.  Right now, 99% of organizations have two operational postures – running with static rules for network and system access, or hitting the big red button and dropping systems offline.  First, this involves properly segmenting networks – not just based on the type of system or classification of data, but also by type of machine.  Next, it involves defining four levels of access control through those segments:  Standard, Heightened, Permissive, and Locked.  Standard is essentially what we have today – a set of restrictions that allow all components of the enterprise to function, and other services blocked or restricted.  Heightened is a set of restrictions that only permit access necessary for tier-1 critical business functions.  Permissive involves selectively relaxing controls for catastrophic situations like natural disasters (e.g. suspending 2-factor requirements for regular users).  Locked is the equivalent of the big-red-button on the data center wall, and involves isolating systems to prevent infection.

To continue the analogy, standard is our normal cruising posture – we’ve done lifeboat drills, inspected the equipment, but still allow people to smoke on deck, and maintain our current course.  Heightened might require uncovering the lifeboats, banning smoking, closing some of the interior bulkhead doors, and making moderate course changes even if we’re going to miss a port date.  Permissive would be suspending lifeboat drills during a hurricane, and locked means that we slow the ship, post watches looking for bergs ahead, change course, and close all the watertight doors.

This isn’t easy to do.  Enterprise architectures are highly complex, intertwined messes of undocumented connections between systems.  And of course, it doesn’t help if our network gear is the point of infection.  Still, it can provide us with a more granular response – for example, if we know there’s a wiper that’s traveling via a self-replicating worm against Windows Server systems, we have the option to quickly restrict or lock down the ‘windows server’ segment on our network.

There are numerous other examples of this approach: if we know there’s a virulent campaign being spread by email attachments, let’s have a plan in place to temporarily block all attachments until we get signatures in place (and potentially all encrypted attachments completely).  The key thing is to build the capability to change the threat posture for different logical components of our enterprise architecture independently, and establish an incident response team that includes security, IT and business decision makers who jointly authorize the posture changes.
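The four postures and the per-segment independence described above can be made concrete as a small policy model. The following is an added example written for this page, not the post's own design or any product's implementation: segment names, the flow table and the "incident commander" authorizer are constructed assumptions. It shows a worm-over-SMB scenario against the Windows server segment, combined with an attachment campaign at the mail gateway, where those two segments are locked and heightened respectively while the file-server segment keeps running at Standard.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Tuple


class Posture(IntEnum):
    PERMISSIVE = 0   # selected controls relaxed, e.g. during a natural disaster
    STANDARD = 1     # normal operations
    HEIGHTENED = 2   # only tier-1 critical business flows permitted
    LOCKED = 3       # segment isolated: no traffic in or out


@dataclass(frozen=True)
class Flow:
    src: str                 # source segment
    dst: str                 # destination segment
    service: str
    critical: bool = False   # needed for a tier-1 critical business function


# Constructed flow table for a hypothetical enterprise (segment names are
# assumptions of this example). Anything not listed is denied.
FLOWS = [
    Flow("workstations", "windows-servers", "smb"),
    Flow("workstations", "windows-servers", "https", critical=True),
    Flow("workstations", "file-servers", "smb"),
    Flow("payments", "windows-servers", "https", critical=True),
    Flow("byod", "mail-gateway", "https"),
    Flow("mail-gateway", "workstations", "attachments"),
]

SEGMENTS = ["workstations", "windows-servers", "file-servers",
            "payments", "byod", "mail-gateway"]


class PostureModel:
    """One posture per segment, so each segment can be changed independently."""

    def __init__(self, segments: Iterable[str], flows: Iterable[Flow]):
        self.postures = {s: Posture.STANDARD for s in segments}
        self.flows = {(f.src, f.dst, f.service): f.critical for f in flows}
        self.audit: List[Tuple[str, str, str]] = []

    def set_posture(self, segment: str, posture: Posture, authorized_by: str) -> None:
        # A posture change is an incident-response decision: record who made it.
        if segment not in self.postures:
            raise KeyError(f"unknown segment {segment!r}")
        if not authorized_by:
            raise ValueError("posture change requires a named authorizer")
        self.postures[segment] = posture
        self.audit.append((segment, posture.name, authorized_by))

    def is_allowed(self, src: str, dst: str, service: str) -> bool:
        key = (src, dst, service)
        if key not in self.flows:
            return False                 # default deny
        critical = self.flows[key]
        for segment in (src, dst):
            posture = self.postures[segment]
            if posture == Posture.LOCKED:
                return False             # an isolated end blocks the flow, critical or not
            if posture == Posture.HEIGHTENED and not critical:
                return False             # only tier-1 flows survive Heightened
        return True

    def mfa_required(self, segment: str) -> bool:
        # Permissive is the one posture that relaxes a control instead of adding one.
        return self.postures[segment] != Posture.PERMISSIVE


def worm_scenario() -> PostureModel:
    """Wiper spreading over SMB against Windows servers plus a malicious
    attachment campaign: lock the server segment, restrict the mail gateway."""
    model = PostureModel(SEGMENTS, FLOWS)
    model.set_posture("windows-servers", Posture.LOCKED, "incident commander")
    model.set_posture("mail-gateway", Posture.HEIGHTENED, "incident commander")
    return model


if __name__ == "__main__":
    m = worm_scenario()
    for key in m.flows:
        print(f"{key}: {'allow' if m.is_allowed(*key) else 'deny'}")
    print(m.audit)
```

Two properties are worth noting. Locked wins over the critical flag, because isolating a segment that is actively being wiped is the whole point of that posture, whereas Heightened only trims non-critical flows. And every change carries a named authorizer into an audit list, which is the hook for the jointly-authorizing incident response team the post calls for.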

End Users

This is one of the hardest things to address politically and culturally in our organizations, but it’s time to have that conversation.   We need to start doing more granular segmentation of user devices than simply ‘Regular and Privileged’.  There’s a number of slices, some of which may intersect.

All the usual practices still apply.  Patching of applications and OSes is the obvious one, and yes, that means we have an Android problem.  I’ll write more on that later this week.

First, on BYOD.  My personal preference is for the ‘treat them the same’ policy – allow BYOD, but require that any device used for business be fully managed by the organization with the same policies as enterprise owned equipment.  BYOD is a privilege, not a right.  For organizations that don’t have that policy (and particularly for the ones that are missing or ignore a policy), all BYOD devices should be relegated to their own network segment that can be quickly and completely isolated from all core infrastructure.  We wouldn’t allow passengers to steer the ship in iceberg infested waters after all.  More on BYOD policies another time.

Related, let’s look at local access rights.  This is the one place where BYOD policies may diverge, but we should ask how many users really need to be able to install and run software on their local machines?  I guarantee it’s less than are currently allowed.  Another way to reduce attack surface is to implement whitelisting of applications.  That would still allow local admin/installation rights, but within a controlled sandbox.  At the very least, requiring that software be signed by Apple/Microsoft/etc. is a policy that could be put in place with little impact.

Speaking of Apple, let’s have a conversation about Macs versus Windows.  Right now, Mac has a lower threat posture than Windows – doesn’t matter if it’s because it’s more secure inherently or just that it’s a less common target – the fact is, that we see far less malware on macOS than on Windows.  The downside of Mac is that there is simply no good live anti-malware software available today.  I’ve tried all the packages – they either destabilize the system, fail on OS upgrades, or get in the way far too much.  We rely on Apple’s XProtect, and Apple can be tardy on posting new signatures.  More on Mac anti-malware another time (I think that’s three more blog entries coming up).  But for users of critical data, particularly if the organization is unwilling to lock down workstations, macOS is an option to reduce the attack surface.  In other words, if you’re headed into Greenland in the spring, let’s bring an icebreaker, not a dugout canoe.

And the rest

At this point we’re back into the security realm.  Host and network intrusion detection/prevention and anti-malware solutions, particularly if they are behavior rather than signature based, are a big part of stopping an attack in its tracks.  Security intelligence, including both open source and private threat feed data, shortens the time to discovery.  Advanced analytics, including cognitive analytics, can help discover the full scope and context of an infection and provide clearer guidance on how to change the posture of our asset classes.  Workflow-based incident response plans, including pre-positioned conference bridges, roles and responsibilities, and decision maker identification, facilitate ‘making the call’ to change postures in a timely manner.

How we stop the next black swan is a vexing question.  I believe that we have to move beyond tools and technologies, and focus on building processes that allow our people to respond more effectively.  That means admitting we’ll be hit and being prepared to recover from backups, segmenting our enterprise so we can better isolate and prevent the spread of an infection while minimizing business impact, and addressing the most common root cause – layer 8 problems with users doing things that compromise our systems.  Will that fix it?  Nope.  But it’s a start.

Filed Under: Security Tagged With: backup, BYOD, end users, malware, notpetya, petya, ransomware, response, wannacry

