Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2020
Doug Lhotka

Can someone bring (more) chaos to an airport for less than $50?

June 8, 2016 By Doug

Last month, according to this article, a Verizon wireless crash disabled WiFi at JFK, causing huge backups as agents had to hand-write boarding passes and baggage tags. It’s interesting for many reasons, but we’ve also just learned about a vulnerability at that airport.

If the article is correct, it means that someone with a $50 WiFi or cellular jammer might be able to take down operations at one of the biggest airports in the world, and (here’s a movie-plot threat) a bad actor could plug it in in an out-of-the-way place, so it could disrupt things for a long time before being discovered.

WiFi and cellular data connections are easy and convenient to implement, but for critical infrastructure like this they carry real risks. I’d guess that the designers focused on availability in terms of hardware failures, not malicious intent.

Filed Under: Security

Secure Thinking

April 29, 2016 By Doug

I often speak on ‘Secure Thinking’ to a variety of audiences, and share some suggestions on how they can keep themselves safer in their online lives. Here are those tips:


  • Patch your systems regularly (patch Tuesday is a great start)
  • Run Anti-Malware, but don’t pay too much for it.
  • Uninstall Flash completely. If you need it, run it inside Google Chrome (and only use Chrome for Flash sites). Likewise with Java in your web browser.
  • Stay off the seedy side of the net
  • Only install software from trusted sources
  • Don’t click links in emails.
  • Avoid WiFi hotspots, or use a personal VPN if you need to use them. I use getcloak.com
  • Never, ever use a public computer, for anything. It’s like swimming in a sewer.
  • If you find a USB thumb drive, destroy it – never plug it in.
  • Encrypt your data – FileVault or BitLocker
  • Backup your data to a trusted repository
  • Use robust, unique passwords for every site. I use 1Password from agilebits.com to manage mine (and store a copy of the file with another family member)
  • Enable two factor authentication when it’s offered
  • Enable a passcode on your phone. If it’s iOS or a Google Nexus running Marshmallow or newer, consider using the fingerprint reader to make it more usable.
  • Only use Google Nexus android devices to ensure you can stay current
  • When asked for secret questions, lie – and record those lies in 1Password.
  • Lie to websites that ask for information they don’t need – why does a game company need my real birthday?
  • If you receive an inbound phone call, don’t assume it’s real. Hang up without sharing any information and call the bank/insurance company/etc back from the number on your card or statement.
  • Get a credit freeze – not credit monitoring. Brian Krebs has a great article on this. Store your PIN in 1Password, and keep a backup copy of the vault in a safe place.


In the end, it boils down to simply being aware.


Think about security!

Filed Under: Security Tagged With: data security, encryption, everyone, iphone, mobile, personal, public computers

Apple and FBI

February 25, 2016 By Doug

Ok, Apple vs FBI.

I might as well write about a third rail, but I’ve gotten so many questions about what’s going on that it’s simpler to chime in.

Let me begin by saying that I’ve worked with a lot of law enforcement professionals over the years, and have the highest respect for their integrity and professionalism. They have a tough job, and take their duty to stand between us and the bad guys very seriously. I do not remotely condemn them for making the request of Apple – in their role, with their charter, I’d probably do the same thing. Likewise, Apple is acting on its own good character – this is not a marketing stunt as some have suggested; I believe it’s an honest, principled position.

That’s not a cop-out; this is simply one of those times when people of good conscience and character disagree. Balancing security, privacy and liberty is very hard in the digital age.

A couple of things to start: First, Apple is not being asked to break their encryption. They’re being asked to create a special version of iOS that bypasses the protections against brute force attacks, so the FBI can break the encryption the hard way – by trying every PIN until it unlocks. Right now, iOS has an escalating timeout on wrong passcodes – after 9 it locks for an hour, and after 10 it wipes the phone (assuming that feature is turned on). It’s those two features that they’re being asked to bypass (and to allow electronic passcode testing instead of tapping with fingers, but that’s less impactful). A version of iOS that does that would have to be digitally signed (validated as real) by Apple in order to be loaded on a device. Once that code is created, it’s about 2 minutes’ work to enable it to be loaded on different devices, or on any device at all. This is not a universal back door – it removes the barriers that protect the door against someone battering it down, which is still a significant reduction in security.
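To make concrete why those two features matter, here is an added toy model of the lockout policy the post describes (after 9 wrong guesses a one-hour lock, after 10 a wipe). It is example code written for this post, not Apple’s code and not a description of real iOS internals; the 80 ms per-attempt delay and the 4-digit PIN space are constructed assumptions, and the `PasscodePolicy` object is hypothetical. It walks the whole PIN space once with the protections on and once with them switched off, which is exactly the difference the requested build would make.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class PasscodePolicy:
    """Lockout rules. None disables a rule (the modified build the post describes)."""
    lock_after: Optional[int] = 9      # wrong guesses before a one-hour lock
    lock_seconds: int = 3600
    wipe_after: Optional[int] = 10     # wrong guesses before the device erases itself

@dataclass
class PasscodeGuard:
    """Toy guard (constructed for this example) enforcing a PasscodePolicy."""
    secret: str
    policy: PasscodePolicy
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def attempt(self, guess: str, now: float) -> str:
        """Returns 'unlocked', 'denied', 'locked' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"            # still inside the lockout window
        if guess == self.secret:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        p = self.policy
        if p.wipe_after is not None and self.failures >= p.wipe_after:
            self.wiped = True
            return "wiped"
        if p.lock_after is not None and self.failures >= p.lock_after:
            self.locked_until = now + p.lock_seconds
            return "locked"
        return "denied"

def exhaustive_search(secret: str, policy: PasscodePolicy,
                      per_try: float = 0.08) -> Tuple[str, int, float]:
    """Try every 4-digit PIN in order against a fresh guard and report
    (what stopped the search, guesses used, simulated seconds elapsed).
    per_try is a constructed per-attempt delay; it is not a figure from the post."""
    guard = PasscodeGuard(secret, policy)
    clock = 0.0
    for n in range(10000):
        result = guard.attempt(f"{n:04d}", clock)
        clock += per_try
        if result in ("unlocked", "wiped"):
            return result, n + 1, clock
        if result == "locked":
            clock = guard.locked_until  # the search has to wait out the lock
    return "exhausted", 10000, clock
```

With the default policy the walk ends in a wipe on the tenth guess; with both rules set to `None` the same walk reaches any PIN in under a quarter of an hour at the assumed rate.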

As an aside, it’s unfortunate that the county that issued the phone failed to install basic MDM (mobile device management) software, which could have unlocked it remotely. That’s a best practice. It’s also unfortunate that this is an option at all – Apple allows loading of new iOS versions on locked devices without wiping memory. I see reports today that they’re working on closing that gap, so this whole thing may be a moot point going forward.

But let’s set that aside – this was always going to come to a head.

We can also set aside some wilder speculation: ABC reports a rather esoteric means to extract the data directly from the chips. I’ve seen some commentary that the chips could be removed intact, the memory read out using the standard pinouts, loaded onto a separate machine, and brute forced external to iOS (I’m far removed from my soldering iron days, so I don’t know if that’s possible). If that capability existed, it would probably be a highly protected one. Conspiracy theories abound that the suit is a smokescreen to protect such a capability by unnamed three-letter agencies. Let’s leave that for the movie plots.

So the net is that Apple can do what’s being asked, though at a significant cost (they’d have to pull engineers off their commercial development activities) and at significant risk – both of precedent, and of the software leaking. The question is: should they do it?

I believe that such a question needs to be decided through the legislative process, with full public debate, by Congress.  Not by individual states, and especially not by the judiciary.  Apple is doing us all a service by forcing that debate to happen.


Filed Under: Security

