OPLIN 4cast #448: Pro-am cybersecurity

Wednesday, July 29th, 2015

Last week, while this blog was scaring you with tales of hackers-for-hire, the Google folks were presenting some interesting security practices research [pdf] at the Symposium on Usable Privacy and Security (SOUPS) in Ottawa, Canada. The researchers conducted a survey of 231 security “experts,” defined as someone who had at least five years experience working in or studying computer security, and 294 non-experts recruited through Amazon’s Mechanical Turk. There were some very clear differences between the responses of the experts and the non-experts.

  • What amateurs can learn from security pros about staying safe online (Ars Technica | Dan Goodin)  “A survey found stark discrepancies in the ways the two groups reported keeping themselves secure. Non security experts listed the top security practice as using antivirus software, followed by using strong passwords, changing passwords frequently, visiting only known websites, and not sharing personal information. Security experts, by contrast, listed the top practice as installing software updates, followed by using unique passwords, using two-factor authentication, choosing strong passwords, and using a password manager.”
  • New research: Comparing how security experts and non-experts stay safe online (Google Online Security Blog | Iulia Ion, Rob Reeder, and Sunny Consolvo)  “More broadly, our findings highlight fundamental misunderstandings about basic online security practices. Software updates, for example, are the seatbelts of online security; they make you safer, period. And yet, many non-experts not only overlook these as a best practice, but also mistakenly worry that software updates are a security risk.”
  • Trying to keep your data safe? You’re probably doing it wrong (NPR All Tech Considered | Aarti Shahani)  “There’s a similarly stark gap when it comes to antivirus — the software that has long been hailed as the all-purpose cleaner, the rubbing alcohol of the Internet. Forty-two percent of the non-experts surveyed say products like McAfee and Norton are key. But among the experts like [Gerhard] Eschelbeck [Google Vice President for Security Engineering], just 7 percent agree. ‘Antivirus has absolutely its place. But it’s not like the only one solution that people can and should rely upon,’ Eschelbeck says.”
  • Online security: How the experts keep safe (InformationWeek | Thomas Claburn)  “A third point of differentiation between security experts and non-experts is the use of two-factor authentication. Eighty-nine percent of security experts polled said they used two-factor authentication, compared to 69% of non-experts. Some 12% of non-experts said they didn’t know whether they use two-factor authentication – which probably means they don’t.”

OPLIN 4cast #398: Google and HTTPS

Wednesday, August 13th, 2014

Google made an interesting announcement last week. Because they want to promote the use of secure, encrypted HTTPS for website connections, they are going to make HTTPS a “ranking signal” for their search results. In other words, if a website uses HTTPS, it will show up higher in a Google search than a site that does not — maybe only a little bit higher for now since this will initially be just a minor ranking signal, but Google confesses that they may make it a more important signal later. Almost all the reaction was positive, except for tweets from people who work in the search engine optimization business, but as librarians, shouldn’t we be a bit concerned that the quality of information might be judged based on its format instead of its content, just so Google can make a point about web security?

  • Google Search starts penalizing websites that don’t use encryption (PC World | Jeremy Kirk)  “The move is designed to spur developers to implement TLS (Transport Layer Security), which uses a digital certificate to encrypt traffic, signified by a padlock in most browsers and ‘https’ at the beginning of a URL. As Google scans Web pages, it takes into account certain attributes, such as whether a Web page has unique content, to determine where it will appear in search rankings. It has added the use of https into those signals, although it will be a ‘lightweight’ one and applies to about 1 percent of search queries now…”
  • In major shift, Google boosts search rankings of HTTPS-protected sites (Ars Technica | Dan Goodin)  “TLS also provides a means for cryptographically validating that a server claiming to belong to Google, Bank of America, or any other website is authentic, rather than an impostor set up to trick users. Over the past few years, American Civil Liberties Union Principal Technologist Chris Soghoian has used a carrot-and-stick approach to persuade more sites to HTTPS-protect their pages. He sometimes publicly chastises companies that transmit sensitive information over unencrypted connections.”
  • Google boosts secure sites in search results (Electronic Frontier Foundation | Bill Budington)  “This week’s announcement further underlines a commitment to encrypting Internet traffic and keeping user data safe, and encouraging others to do so. We urge Google to go further and carry out its plan to strengthen the preference of HTTPS sites, as well as favoring sites that have configured HTTPS well…”
  • Google to reward sites with HTTPS security in search rankings (Forbes | Larry Magid)  “This is one more example of the power of Google’s ranking system. While Google doesn’t control content on the web, its search is by far the most effective way for content to be found so anything a webmaster can do to increase a Google ranking equates to more visitors and, in many cases, more revenue.”

OPLIN 4cast #397: BadUSB

Wednesday, August 6th, 2014

As if you needed something else to worry about, there seems to be a strong possibility that USB devices can be used in new and nasty ways to damage computers, such as the public computers in libraries. Security researchers Karsten Nohl and Jakob Lell are giving a briefing tomorrow about “BadUSB—on accessories that turn evil” at the Black Hat convention in Las Vegas. Their presentation has already received a lot of attention because they have found a way to reprogram the controller chip in a USB thumb drive so it acts like a different USB device, perhaps a keyboard or network card. And there doesn’t seem to be any easy way (yet) to protect your computers.

  • Why the security of USB is fundamentally broken (Wired | Andy Greenberg)  “The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.”
  • Researchers warn about ‘BadUSB’ exploit (PC Mag | David Murphy)  “A device could, for example, emulate a USB-connected keyboard and automatically send over all sorts of keystrokes that, when combined, could lead to issues—installing malware, wiping key files off a drive, copying files over to the USB device, etc. And that’s just the first example. SRLabs notes that a USB-connected device could also pretend that it’s a network card and redirect the traffic to and from a system through a rogue DNS server. Or, better yet, it could infect that system with a boot-sector virus that could be a bit tougher to detect and remove than your average infection.”
  • BadUSB: Big, bad USB security problems ahead (ZDNet | Steven J. Vaughan-Nichols)  “The hackers claim that ‘Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.’ In short, ‘Once infected, computers and their USB peripherals can never be trusted again.’”
  • Don’t panic over the latest USB flaw (Tom’s Guide | Marshall Honorof)  “BadUSB is a proof-of-concept attack, designed by security researchers. They’re not going to release it into the wild[…] Furthermore, demonstrating something like BadUSB at a conference like Black Hat is basically an open invitation for the security community to fix this vulnerability before it becomes widespread.”

OPLIN 4cast #357: Can words still protect us?

Wednesday, October 23rd, 2013

Over the past couple of months, Dan Goodin wrote two articles in Ars Technica about password and passphrase protection that have been widely quoted in the tech media. (We link to the longer one of them below.) The articles were prompted by the release of a new version of Hashcat, a password cracking program that can now recover passwords up to 55 characters long. Because software like this keeps making password cracking easier, it is common to see recommendations that users instead use a passphrase – a long series of words that is easier to remember than a single complex password. But if passphrases are too easy, they may not be any better protection than passwords.

  • How the Bible and YouTube are fueling the next frontier of password cracking (Ars Technica/Dan Goodin)  “As awareness has grown about the growing insecurity of passwords that were presumed strong only a few years ago, many people have turned to passphrases, often pulled from what they believe are overlooked songs, books, or other sources. The idea is to generate a long passcode that contains upper- and lower-case letters and possibly punctuation that’s nonetheless easy to remember. This turns out to be largely an exercise in futility. As is the case with passwords, the same thing that makes passphrases easy to remember makes them susceptible to easy cracking.”
  • Books and Youtube are supplying password crackers with billions of passphrases (Tested/Wesley Fenlon)  “And now crackers have discovered that resources like the Bible, Wikipedia, and the Gutenberg archive provide millions of phrases that people may use for passwords, believing that they’re long enough to be secure or unknown enough to be unguessable. ‘Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1’ from H.P. Lovecraft is a prime example. No computer could bruteforce such a complex password string, but no computer will have to – once that phrase is in a dictionary, it’s easy to crack.”
  • Is it truly, finally, sadly, game over for passwords? (Neal O’Farrell)  “A passphrase should not simply be a statement or saying that you read somewhere or remembered from childhood. Because if it’s been used before, chances are it’s already in a dictionary and could be guessed. A real passphrase is supposed to be something about you and your life that is unlikely to be on the internet and guessable by a hacker. And taking it one step forward, and one very crucial step, you don’t use the exact passphrase but only selected elements.”
  • Password cracker cracks 55 character passwords (Infosecurity)  “What the new version of hashcat demonstrates is that size is no longer as important as it used to be – it’s what the user does with the characters that matters. Length is still important; but rather than just a combination of words or phrases, it should be a mix of characters, numbers and punctuation symbols.”

Hashcat fact:
Hashcat claims to be the world’s “fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker.” It’s also free.
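The articles above make one point: a passphrase copied from a published text is one entry in a list, however long it is. The script below is an added illustration (not from the original post or from Hashcat): it builds the kind of phrase list the articles describe from a small constructed corpus, checks whether a passphrase (or the same phrase with a digit tacked on) is in it, and compares the guessing cost of a quoted phrase with that of words drawn at random from a wordlist. The corpus, the 7776-word list size and the word-count limits are assumptions.

```python
import math
import re
import string

# Constructed stand-in for the Bible / Wikipedia / Gutenberg texts the articles
# describe crackers harvesting; a real list is built from the full texts.
SAMPLE_CORPUS = [
    "In the beginning God created the heaven and the earth.",
    "To be, or not to be, that is the question.",
    "It was the best of times, it was the worst of times.",
]


def normalize(text):
    """Lowercase, drop punctuation and collapse whitespace: the canonical form
    a cracker stores, so capitalisation and commas add no protection."""
    cleaned = text.lower().translate(str.maketrans("", "", string.punctuation))
    return " ".join(cleaned.split())


def phrase_dictionary(corpus, min_words=3, max_words=12):
    """Every run of min_words..max_words consecutive words in the corpus."""
    phrases = set()
    for line in corpus:
        words = normalize(line).split()
        for n in range(min_words, max_words + 1):
            for start in range(len(words) - n + 1):
                phrases.add(" ".join(words[start:start + n]))
    return phrases


def candidate_forms(passphrase):
    """Forms a cracker's mangling rules would also try: the normalized phrase
    and the phrase with a trailing digit string removed (the 'fhtagn1' trick)."""
    base = normalize(passphrase)
    return {base, re.sub(r"\s*\d+$", "", base)}


def is_quoted_phrase(passphrase, dictionary):
    """True when the passphrase (or a trivial variant of it) is a known quotation."""
    return any(form in dictionary for form in candidate_forms(passphrase))


def dictionary_entropy_bits(dictionary):
    """Guessing a phrase that is in the list costs at most log2(list size)
    bits, no matter how many characters long the phrase is."""
    return math.log2(len(dictionary))


def random_words_entropy_bits(num_words, wordlist_size):
    """Words drawn uniformly at random from a wordlist: num_words * log2(size).
    Four words from a 7776-word list are about 51.7 bits."""
    return num_words * math.log2(wordlist_size)


if __name__ == "__main__":
    dictionary = phrase_dictionary(SAMPLE_CORPUS)
    for candidate in ("To be, or not to be, that is the question!",
                      "to be or not to be 1",
                      "lantern oboe ferry cabbage"):
        print(f"{candidate!r}: quoted={is_quoted_phrase(candidate, dictionary)}")
    print(f"dictionary of {len(dictionary)} phrases ~ "
          f"{dictionary_entropy_bits(dictionary):.1f} bits")
    print(f"4 random words from 7776 ~ {random_words_entropy_bits(4, 7776):.1f} bits")
```

The number that matters is the size of the list the phrase came from, not the phrase's character count, which is what the Infosecurity quote means by size no longer being as important.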

OPLIN 4cast #344: Basic protection

Wednesday, July 24th, 2013

There was an interesting posting on the codeinsecurity blog a little over a month ago, which we didn’t see until recently, called “The anti-virus age is over.” The author, Graham Sutherland, argues that anti-virus (AV) programs cannot keep up with all the new types of malware in circulation and should just be considered “…a filter for the most basic attacks.” We know a lot of libraries still depend primarily on AV software for protection, so it seemed like it might be worthwhile to look this week at some of those new types of malware mentioned by Mr. Sutherland. (We’ve put the names of the malware types in bold.)

  • What is a polymorphic virus? (wiseGEEK) “Human viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup of immunities, and when a computer virus has a similar trait, the results can be unpleasant for computer users. It can be difficult to mount an adequate defense against a polymorphic virus, even with excellent antivirus software which has been designed to attempt to detect such viruses.”
  • Advanced Persistent Threats: The new reality (Dark Reading/Michael Cobb)  “What is an APT? Though the term originally referred to nation-states engaging in cyber espionage, APT techniques are also being used by cybercriminals to steal data from businesses for financial gain. What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced. Unlike the majority of malware, which randomly infects any computer vulnerable to a given exploit, APTs target specific organizations with the purpose of stealing specific data or causing specific damage. The Conficker worm, for example, used many advanced techniques but did not target a particular organization. It infected millions of computers in more than 200 countries. In contrast, Stuxnet was designed to target a certain type, a certain brand and a certain model of control system.”
  • Advanced Persistent Threats get more advanced, persistent and threatening (The Register/John Leyden)  “Attackers are getting even smarter by coming up with sneakier ways to evade detection. For example, FireEye has uncovered examples of malware that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems since the malware doesn’t generate any activity. In addition, malware writers have also incorporated virtual machine detection as a means to frustrate security analysis of their wares and DLL files to improve persistence. By avoiding the more common .exe file type, attackers using DLL files stand a better chance of avoiding detection for longer.”
  • New course teaches techniques for detecting the most sophisticated malware in RAM only (Network World/Linda Musthaler) “The part of The Invisible Man is now being played by highly sophisticated malware that is memory-resident only. Because it only exists in RAM, the malware never gets written to disk, which is where you would normally look for most kinds of malware. It’s a real challenge to find the malware in RAM until you follow the subtle clues that indicate something is there that shouldn’t be there.”

Sandbox fact:
One article above mentions a “sandbox.” Anti-virus software can sometimes combat difficult malware by using a virtual environment (sandbox) on a computer to run and test code from untrusted sources before it is installed for actual use.

OPLIN 4cast #331: Two factors are better than one

Wednesday, April 24th, 2013

People who work with Internet security have for some time advocated the use of “two-factor authentication” instead of a simple password control over access to sensitive or private information. Nobody likes to make things harder than we think they need to be, however, so adoption of two-factor authentication has been fairly limited. But last week, that may have begun to change, as Microsoft announced that two-factor authentication will be available (though not necessarily required) for all Windows products and services.

  • Microsoft rolling out two-factor authentication across its product line (ZDNet/Mary Jo Foley) “Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams because the victim’s password would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors already have implemented two-factor authentication.”
  • Microsoft Account gets more secure (Official Microsoft Blog) “This release enables optional two-step verification for your entire Microsoft account. Two-step verification is when we ask you for two pieces of information anytime you access your account — for example, your password plus a code sent to a phone or email on file as security info. More than a year ago, we began bringing two-step verification for certain critical activities, like editing credit cards and subscriptions at commerce.microsoft.com and xbox.com, or accessing files on another one of your computers through SkyDrive.com. For these scenarios, two-step verification is required 100 percent of the time for everyone, given the sensitive nature of these tasks.”
  • Apple ID: Frequently asked questions about two-step verification for Apple ID (Apple Support) “Two-step verification simplifies and strengthens the security of your account. After you turn it on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key.”
  • AP Twitter hack sends stock market spinning (New York Magazine/Kevin Roose) “In my opinion, there is really only one lesson from this afternoon’s flash-crash: namely, Twitter needs multi-step authentication for verified and/or news-breaking accounts now. Twitter has gotten calls for stronger security measures for years, and it’s always been pretty reluctant to promise anything. (Last year, the company would say only, ‘We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure.’) But after today’s data point, it can’t wait any longer.”

Factor fact:
Good two-factor authentication combines a Knowledge Factor (something the user knows) with a Possession Factor (something the user has).

OPLIN 4Cast #286: Responding to a breach

Wednesday, June 13th, 2012

Last week’s revelation that millions of LinkedIn passwords had been stolen was just the latest in a long line of data breach stories. While public libraries don’t store millions of passwords or credit card numbers, they do store a lot of patron data, and things as mundane as people’s street addresses are beginning to be considered sensitive information by some security experts. With luck, your library ILS vendor has not made the same mistake that LinkedIn made and stored sensitive user information with relatively weak encryption. But if the worst should happen and your library system gets hacked, what’s the best way to respond? Are there lessons to be learned from the misfortune of previous data breach victims?

  • Dissecting LinkedIn’s response to the password breach (PC Magazine/Fahmida Y. Rashid)  “‘We are contacting all members we believe could potentially be affected, starting with those who we believe are at the greatest risk. We have already initiated the outreach,’ a LinkedIn spokesperson said in an email. She was unable to provide any other details. I was very concerned about LinkedIn’s focus on members at ‘greatest risk.’ How do they define this?”
  • Zappos data breach response a good idea or just panic mode? (Network World/Ellen Messmer)  “…online shoe and clothing retailer Zappos has taken assertive steps, including compelling customers to change passwords, plus temporarily foregoing 800-number phone service in an effort to redeploy customer-service representatives to respond to customer email.”
  • Heartland CEO on breach response (BankInfo Security/Tracy Kitten)  “…[Bob Carr, CEO of Heartland Payment Systems] says information sharing is key, especially among other payments processors. ‘Don’t minimize the impact,’ Carr says. ‘Share information. … The bad guys might be in somebody else’s system, so it is good for everyone to communicate.’ Although a great deal has changed since 2009, when Heartland’s breach was exposed, Carr says open communications, especially for publicly-traded companies, will pay dividends in the long run.”
  • Data breach response plans: Yours ready? (Information Week/Mathew J. Schwartz)  “Timing-wise, for example, don’t assume that immediately disclosing a breach should be the first step. ‘I’ve seen organizations that totally jumped the gun–We’ve got to do it– and they’ve notified, but have no response mechanism in place for the individuals who have been affected, so it’s adding insult to injury,’ Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. ‘We always tell our clients that if they’re going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back.’”

Breach facts:
The three breaches mentioned above affected: 6.5 million LinkedIn users; 24 million Zappos customers; and 130 million Heartland credit card accounts.
[And one more fact: OPLIN’s plan for Security Incident Response is included in our overall Information Technology Security Management plan.]
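The “relatively weak” storage the post alludes to is the well-documented detail of the 2012 LinkedIn leak: each password was stored as a single unsalted SHA-1 digest. The added example below (our illustration, not LinkedIn’s code or any ILS vendor’s) shows why that matters for a breach: identical passwords produce identical digests and one precomputed table cracks them all, whereas a per-user salt plus a slow key derivation function (PBKDF2-HMAC-SHA256 here) removes both shortcuts. The iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

# Weak storage, as reported for the 2012 LinkedIn dump: one unsalted SHA-1 of
# the password. Every user with the same password gets the same digest, and a
# single lookup table of common passwords recovers all of them at once.
def weak_unsalted_sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Hardened storage: a random per-user salt plus a deliberately slow key
# derivation (PBKDF2-HMAC-SHA256). ITERATIONS is an assumed value; tune it so
# that one hash costs roughly 100 ms on the server hardware.
ITERATIONS = 100_000


def hash_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record, so iterations can be raised later without a reset.
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def crack_with_table(digests, common_passwords):
    """What a leak of unsalted digests costs the attacker: one precomputed table
    of common passwords, then one dictionary lookup per stolen digest."""
    table = {weak_unsalted_sha1(p): p for p in common_passwords}
    return {d: table[d] for d in digests if d in table}


def distinct_digests(passwords, hasher):
    """How many distinct stored values a list of user passwords produces."""
    return len({hasher(p) for p in passwords})


if __name__ == "__main__":
    # Constructed user list: two people chose the same password.
    users = ["password123", "password123", "linkedin"]
    print("unsalted SHA-1 distinct digests:", distinct_digests(users, weak_unsalted_sha1))
    print("salted PBKDF2 distinct records: ", distinct_digests(users, hash_password))
    print("table lookup recovers:", crack_with_table(
        [weak_unsalted_sha1(u) for u in users], ["123456", "password123"]))
    record = hash_password("correct horse battery staple")
    print("verify good:", verify_password("correct horse battery staple", record))
    print("verify bad: ", verify_password("wrong", record))
```

With salted records the attacker must run the slow derivation separately for every user and every guess, which turns a one-time table lookup into a per-account effort.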

OPLIN 4Cast #265: Innovations in cyber crime

Wednesday, January 18th, 2012

Malicious attacks on websites continue to make the news. Whether it’s Anonymous exposing a whole country’s control and data systems or hackers stealing huge amounts of data last weekend from Zappos, the pace of malicious activity on the web has certainly not slowed down. While these big-news attacks generally use rather traditional hacking methods, the nasty people on the web have also been busy developing new attack vectors, and you might want to be aware of them.

  • Developer sneaks fake apps into Android market (SecurityNewsDaily/Matt Liebowitz)  “Behind their innocent facade, the cloned apps hid a secret weapon – they compromised customers’ smartphones by using them to send premium-rate text messages to the tune of about $20. ‘The texts are notifications that the user has been charged around $5, but you end up getting 3-4 of them in one shot,’ DroidGamers wrote. ‘A free download just became a $20 purchase.’”
  • Hackers spread malware via children’s gaming websites (BBC News)  “‘I believe that children’s computers are more vulnerable to attacks because they are usually in worse shape – in other words the owners are less likely to have the latest security updates installed,’ said Mr Vlcek [AVAST Software chief technical officer]. ‘The child may also be less suspicious that something wrong is happening than an adult would be.’”
  • Cyber-criminals target mobile devices with QR codes (SecurityWeek/Brian Prince)  “‘This is the first time we have seen a QR code used in an active spam campaign,’ Patrik Runald, senior manager of security research at Websense, told SecurityWeek. ‘Because QR codes are the ultimate URL obfuscator, with the right social lure, QR codes can become increasingly more successful in driving users to websites hosting malware targeting the mobile device.’”
  • Security flaw in printers could expose businesses to hackers (Huffington Post/Janean Chun)  “Keith Moore, HP’s chief technologist, also disagrees that the threat of security breaches through printer hacking could already be widespread. Moore points out that the researchers didn’t use passwords on the printers they tested and adds that no consumers have reported similar incidents. ‘There has been no data at all that any of this has been exploited. So we’re looking at the theoretic possibility, in a lab, to see if that can ever occur in a real world situation.’”

Cyber attack fact:
This sobering 11-minute video of a TED talk by Ralph Langner reminds us that cyber attacks may not always come from criminals.

OPLIN 4Cast #258: DoS’d for the holidays

Wednesday, November 30th, 2011

Late in the afternoon on Black Friday, the oplin.org website was hit by an apparent Denial of Service (DoS) attack. DoS and DDoS (Distributed Denial of Service) attacks overwhelm a website with so many requests for connections that the webserver is too busy with this “junk” traffic to respond to legitimate traffic. As a result, it looked like the OPLIN website, and all the services that run on the same server – like the 4cast – were offline for a couple of hours until we stopped the attack. Why was oplin.org targeted? Good question, since it’s a pretty innocuous website, but certainly the timing of the attack suggests that we may have been an innocent victim of a general increase in DoS attacks that happens around the holidays.

  • E-commerce, retail websites alert for DDoS attacks this holiday season (eWEEK/Fahmida Y. Rashid)  “DDoS attacks increased by 30 percent in 2010, and the number is expected to be higher in 2011, according to Gartner estimates. The attacks have also been escalating in size and complexity in 2011, according to Paul Sop, chief technology officer at Prolexic. Attackers generally are throwing more packets, using more bandwidth and targeting the application layer, Sop said. E-commerce businesses aren’t the only ones that have to worry about DDoS attacks during this holiday season, as hospitality, gaming and shipping services should also be on high alert for DDoS attacks, Sop said.”
  • Corero advises retailers of risks associated with DDoS attacks during holiday shopping season (BusinessWire)  “DDoS attacks bring victim websites to a crawl or halt, using network flooding techniques that have been in use for more than a decade, and more recently, insidious application-layer attacks which are very difficult to detect. Online commerce depends on sites that are responsive and always available. Frustrated customers will quickly abandon an unresponsive site and go to another.”
  • Firewalls can’t keep up with DDoS attacks (PCWorld/John E. Dunn)  “The survey of 1000 medium and large organizations in ten countries found that up to 45 percent of respondents experience such attacks on a regular basis, a mixture of application and network-layer incursions. About half rated denial of service attacks as highly effective with 79 percent saying they still relied on firewalls to deflect them despite 42 percent finding that such devices were ineffective against conventional attacks at the network layer.”
  • Happy holidays: 5 ways to use DoS testing to thwart cyber extortion (BreakingPoint/Pam O’Neal)  “…online businesses still fear these threats, with little confidence in the DoS mitigation and security measures put in place to protect them. This is especially true for Internet retailers, the latest victims of hacker-extortionists. Internet retailers have a small window to ‘get it right’ when it comes to hardening their resiliency to DoS or DDoS attacks. And the post-Thanksgiving Cyber Monday is part of that small window.”

Method fact:
Kaspersky Labs reports that the “HTTP flood” method, which simply sends a huge number of HTTP requests to the targeted site over a short period of time, accounted for 88.9% of all DDoS attacks in the second quarter of 2011.
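An HTTP flood of the kind the Method fact describes is visible in the web server’s own access log as one client sending far more requests per second than any browser would. The script below is an added example (not OPLIN’s code and not from any of the vendors quoted): it parses combined-format log lines, keeps a sliding window of request times per client address, and reports clients whose request count in any window reaches a threshold. The log lines are constructed (TEST-NET addresses), and the 10-second window and 100-request threshold are assumptions to be tuned against normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-format access log line:
# client ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def parse_log_line(line):
    """Return (client_ip, datetime, method, path, status), or None if unparsable."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, stamp, method, path, status, _size = match.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)


def find_flood_sources(lines, window_seconds=10, threshold=100):
    """Sliding-window request counter per client over time-ordered log lines.
    Returns {ip: peak requests seen within one window} for every client that
    reached the threshold; ordinary browsers rarely exceed a few dozen."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ip, when = parsed[0], parsed[1]
        window = recent[ip]
        window.append(when)
        # Drop timestamps that have fallen out of the window.
        while (when - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def build_sample_log():
    """Constructed log: two ordinary visitors, then one client firing 120
    requests at the front page within five seconds."""
    start = datetime(2011, 11, 25, 16, 2, 0, tzinfo=timezone(timedelta(hours=-5)))
    fmt = '{ip} - - [{t}] "GET {path} HTTP/1.1" 200 5120'

    def stamp(seconds):
        return (start + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [fmt.format(ip="198.51.100.4", t=stamp(0), path="/"),
             fmt.format(ip="192.0.2.88", t=stamp(1), path="/4cast/")]
    lines += [fmt.format(ip="203.0.113.7", t=stamp(2 + i // 25), path="/")
              for i in range(120)]
    return lines


if __name__ == "__main__":
    for ip, peak in find_flood_sources(build_sample_log()).items():
        print(f"{ip}: {peak} requests within a 10 s window")
```

A distributed flood spreads the same volume over many addresses, so per-client counting is a first filter; the total request rate and the share of requests hitting a single URL are the next things to watch.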

OPLIN 4Cast #204: Locking down WiFi

Wednesday, November 17th, 2010

Up until now, many public libraries have not been too concerned with the security of their public wireless networks. Libraries, after all, are open to the public, so why shouldn’t their networks be “open,” too? Does it really matter if a neighbor might “steal” some of the library’s bandwidth? But about a week before Halloween, the Firesheep extension for the Firefox web browser rattled the WiFi world. Suddenly, it became ludicrously easy to use open WiFi library networks to steal patrons’ usernames and passwords to unsecured websites like Facebook and Twitter. Suddenly, there’s a really good reason to lock down the library WiFi.

  • Firesheep in wolves’ clothing: extension lets you hack into Twitter, Facebook accounts easily (TechCrunch/Evelyn Rusli)  “Developer Eric Butler has exposed the soft underbelly of the web with his new Firefox extension, Firesheep, which will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies. As Butler explains in his post, ‘As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed’ in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user’s site with their credentials.”
  • Protection from FireSheep (ReadWriteWeb/Audrey Watters)   “Since Firesheep was released, there have been a number of countermeasures developed, ostensibly to warn if not protect users from potential side-jacking. Blacksheep, released earlier this week by Zscaler, generates ‘fake traffic’ then monitors the network to see if Firesheep is active. But Blacksheep warns you that it is, then what? Other than shutting off your notebook and perhaps relocating to a different cafe with free Wi-Fi, what are your options?”
  • Free WiFi should use “free” password (Ars Technica/Jacqui Cheng)  “…businesses that offer free WiFi to customers—such as Starbucks or hotels—are still putting everyone at risk of being sniffed and hacked by leaving their networks open. If those businesses were to simply lock their networks down (WPA2, of course) with the password of ‘free,’ then customers’ information would be much more secure and the world would be a happier place.”
  • Password doesn’t shear Firesheep (BoingBoing/Glenn Fleishman)  “Thus, you could defeat Firesheep today by assigning a shared key to a Wi-Fi network until the point at which some clever person simply grafts aircrack-ng into Firesheep to create an automated way to deauth clients, snatch their keys, and then perform the normal sheepshearing operations to grab tokens. […] The way around this is to use 802.1X, port-based access control, which uses a complicated system of allowing a client to connect to a network through a single port with just enough access to provide credentials.”

89% (645) of all Ohio public library buildings offer free public WiFi.
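Firesheep worked because the websites in question sent their session cookies over plain HTTP, where anyone on the same open network could read them. Locking down the WiFi helps patrons, but the fix on the website side (which also bears on the “configured HTTPS well” point in the #398 post above) is to mark session cookies Secure and HttpOnly and to send an HSTS header so browsers never fall back to HTTP. The script below is an added example, not code from Firesheep, Blacksheep or any site mentioned: it audits captured response headers for those three things. The two responses and the cookie-name hints are constructed assumptions.

```python
# Constructed HTTP responses: the weak one resembles what a 2010-era site
# returned and what Firesheep could replay; the hardened one is the fix.
WEAK_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=3f9a1c2e; Path=/
Set-Cookie: theme=dark; Path=/
"""

HARDENED_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=3f9a1c2e; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/
"""

# Name fragments that usually mark a cookie as an authentication token
# (assumption: adapt to the application's real cookie names).
SESSION_HINTS = ("sess", "auth", "token", "login", "sid")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_response(raw_headers):
    """Findings a sniffer on an open network could exploit: session cookies
    without Secure (the browser also sends them in cleartext HTTP requests) or
    HttpOnly, and a site that does not pin browsers to HTTPS with HSTS."""
    findings = []
    has_hsts = False
    for line in raw_headers.splitlines():
        hname, _, hval = line.partition(":")
        hname, hval = hname.strip().lower(), hval.strip()
        if hname == "strict-transport-security":
            has_hsts = True
        elif hname == "set-cookie":
            name, _value, attrs = parse_set_cookie(hval)
            if not any(hint in name.lower() for hint in SESSION_HINTS):
                continue  # preference cookies are not worth stealing
            if "secure" not in attrs:
                findings.append(f"{name}: missing Secure")
            if "httponly" not in attrs:
                findings.append(f"{name}: missing HttpOnly")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_response(WEAK_RESPONSE_HEADERS))
    print("hardened:", audit_response(HARDENED_RESPONSE_HEADERS))
```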