It’s not a matter of if, but when (Part II)

As promised, here is the second part of the post from the other day. A disclaimer: these are only services and resources I’ve used in the past and found useful or appropriate for the situation at that time. I’ve noted the ones that I’m using currently and why I’m still using them despite more well-known products or resources being available. The majority of what I’ve found in my experience is that online protection and security is more about behavior (knowing what not to do, or recognizing the signs that it’s bad stuff) than about finding the right application to rely upon. What I’m using currently is an extension of my own experience and knowledge that helps when it’s not clear if I’m going down a road to something malicious.

Online Safety Resources

These are sites that I’ve come back to time and time again as resources to help people. Everyone has to realize that it’s their responsibility to keep themselves safe online because no one else is going to do it for you (unless you’re a child with proactive parents). The wife and I have consistently kept a lot of technology away from our daughter on purpose because we knew she wasn’t ready to 1) listen to our advice and 2) properly police herself online. A recent foray into YouTube that got her into some real-life videos with questionable content is a perfect example. She didn’t know enough to say “I shouldn’t be watching these” and close the application. The computer is now only allowed in open family space, no more in the bedroom with a closed door!

YouthSpark Hub (sponsored by Microsoft)

StaySafeOnline.org (sponsored by National Cyber Security Alliance)

Get Safe Online

Protection (Anti-Virus / Anti-Malware / Web Filtering)

Out of all the things that you can choose to passively keep yourself safe out there, these are the three that I highly recommend. They’re a good balance between protection and minimal resource impact on the machines you’re running them on. I’ll address each individually to make things easier.

Microsoft Internet Safety & Security Center

This is a combination service that includes Microsoft Security Center and Windows Defender, which come bundled with Windows 8.x and Windows 10. It’s enabled by default, so even if you don’t know it’s there, you’re already protected to a certain extent. I like this application because it literally sits in the background and only reminds you it’s there when something bad is about to happen or your actions are going to trigger something bad. It works well despite some of the bad press online; it’s free and capable of handling the “macro” stuff.

Microsoft Family Safety

Probably one of the best services I’ve seen from Microsoft, this lets you create an account for your child with a password they select, yet lets you watch/see/block anything you want. The interface is amazingly easy: you create the Microsoft account while logged in with your own account and authorize their account on only the devices you want them to be able to log onto. You have the ability to restrict their total time and the time frames they’re allowed to log on, as well as see everything they download/install/browse online. If a site shows up you don’t want them getting on, a quick click of “Block” next to the site will remove their ability to get to it via any browser. You can also block installations of certain applications (like Firefox or Chrome), forcing them to use IE or Edge so you can keep track of their online behavior. Instructions are easy and they take you through every step.

Sophos Home (anti-virus/anti-malware/web filtering)

I highly recommend this service due to the ease of use and quick setup. You create an account, then install the Sophos Home agent on every computer you want to protect (up to 10 for free). Each computer shows up individually by machine name (I change them to be specific, e.g., “DaughtersLaptop”) and lets you review their online activity. This is an added blocking defense for any site that they got to that Family Safety didn’t block for some reason. In addition to the web filtering, this is also an added anti-malware tool and has an extensive database of web sites that have been reported as having a bad reputation in regards to malware or virus activity. Simple installation and small footprint (less than 50MB of memory used when running), this passively watches in the background.

Passwords

I can’t stress enough how important it is to have strong, complex, and long passwords. A password using capital/lowercase letters, numbers, and special characters that is 8 characters long can be cracked in about 6-8 hours @ 1,000 attempts/minute. The same type of password at 15 characters will take 2-3 years @ 1,000 attempts/minute. Once you add in non-standard characters, it could take decades to crack. It’s not a matter of making your password uncrackable (that’s impossible) but more a matter of making it take so long to crack that they move on to the poor guy who has decided to use “12345678”, “p@ssword1”, or “qwerty1234” as the password for his banking site. And please, don’t be a smart-ass and make it “passwordWITH1number”… that’s just stupid.
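The point of the paragraph above is that length buys far more than cleverness, because a brute-force guesser has to cover (size of character set) ^ (length) candidates. The block below is an added example, not code from the post or from any product it mentions: it scores a password by the character classes it draws on and its length, and rejects the weak choices the post names. The deny-list, the 15-character floor and the default guess rate of 1,000 attempts per minute are constructed assumptions taken from the post’s own figures, not a policy any vendor ships.

```python
import math
import string

# Constructed deny-list: the weak choices the post names plus the joke one.
# A real deployment would check against a large breached-password list instead.
WEAK_PASSWORDS = {"12345678", "p@ssword1", "qwerty1234", "passwordwith1number"}

MIN_LENGTH = 15  # assumption: the post's "15 characters" used as the policy floor

# (membership test, alphabet size) for the four standard ASCII classes
CLASSES = [
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
]


def classes_used(password: str) -> list:
    """Alphabet sizes of the character classes that actually appear in the password."""
    return [size for test, size in CLASSES if any(test(c) for c in password)]


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    return sum(classes_used(password))


def keyspace(password: str) -> int:
    """Candidates a brute-force guesser must cover: alphabet ** length (exact integer)."""
    return charset_size(password) ** len(password)


def keyspace_bits(password: str) -> float:
    """Same quantity on a log2 scale, the usual way to compare password strength."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def brute_force_minutes(password: str, attempts_per_minute: int = 1_000) -> float:
    """Worst-case minutes to exhaust the keyspace at a given guess rate."""
    return keyspace(password) / attempts_per_minute


def assess(password: str, min_length: int = MIN_LENGTH) -> dict:
    """Policy check: known-weak strings, short strings, and too few character classes all fail."""
    reasons = []
    if password.lower() in WEAK_PASSWORDS:
        reasons.append("on the weak-password list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < 3:
        reasons.append("uses fewer than 3 character classes")
    return {"ok": not reasons, "reasons": reasons, "bits": round(keyspace_bits(password), 1)}


if __name__ == "__main__":
    for pw in ("12345678", "passwordWITH1number", "Tr0ub4dor&3", "Correct-Horse-Battery-9"):
        print(pw, assess(pw), f"{brute_force_minutes(pw):.3g} min at 1,000/min")
```

The ratio `keyspace(fifteen_chars) // keyspace(eight_chars)` for a full mixed-case, digit and symbol alphabet is 94 to the 7th power, which is the whole argument of the paragraph in one number: every extra character multiplies the attacker’s work by the alphabet size.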

I personally use LastPass and definitely utilize the password generator built into it for everything now. I can access my password database on all my devices including my mobile. The database is encrypted even in the cloud to the point where LastPass is unable to decrypt it should I happen to forget my master keycode. They also just released an authenticator application (numbers that sequence every 60 seconds) to allow for dual-factor authentication on sites that allow it. WordPress supports it 🙂

LastPass – Password Manager

Creating a strong password

How to Create a Strong Password (and Remember It)

How to Create a Super Strong Password (Infographic)

Well, there you have it, a lot of information to digest and absorb. It’s worth the read in my opinion as it holds true: “It’s not a matter of if, but when” you get hacked / you get a virus / you get malware / you get phished / etc. Stay safe out there!

It’s not a matter of if, but when (Part I)

I received a letter from American Express yesterday. It was nothing out of the ordinary as they send me crap all the time, but this was different. The letter informed me that my information changed via a third party service sometime in January 2016. Red flag. The letter didn’t tell me whether this was an ordinary or extraordinary action, and in the 22 years I’ve had this card I’ve never had anything changed via a third party. Red flag. Upon calling them, I was informed of a potential breach in a third party system that American Express uses to update their credit files. The letter was auto-generated and was a result of a changed file. My question “Why did I get a letter that it’s changed, as I’ve never received this before?” went unanswered.

This event triggered me to write about it, because I’ve yet to talk to someone that completely understands the extent of their threat exposure. So here, a short list of items that I’m sure everyone has an account with or a device in their possession:

  • Mobile Devices: mobile phones, wifi doorbells, wifi cameras, wifi baby monitors
  • WiFi Vehicles: On-Star, Hyundai Assist, Ford Sync
  • Medical Devices: pacemakers, defibrillators, insulin pumps
  • Social Engineering: email, text messages, phone calls
  • Service Providers: mobile phone companies, cable, phone, electric, gas, water

Every single one of the above items (it’s not an exhaustive list) has a component that can be breached and used to take advantage of unsuspecting people. I’ve been in this industry for years and still see threat deltas that I’ve never seen before. The potential that hundreds of thousands of people are even less aware is very real, and the news tends to support that theory. Here are some scenarios that may or may not fit:

  • Get a new WiFi router for your home and just plug it in and it works. No changing of the default password, no wireless security (open), no update to the default factory settings that allow for internal device browsing, etc.
  • Get a new Android phone and start to build out your profile, download apps, etc. You get a prompt to enter your credentials for Google Play and blindly enter them because you think it’s for an app. You don’t notice that you’re never prompted for a username/password for downloading apps through official channels (since it uses your Google account automatically).
  • Connect your personal mobile device to a hotspot for internet access without reviewing the entire list of available networks. Most places of business will display their wifi network name so you don’t connect to something malicious. E.g., a legitimate wifi network will NEVER show up as “ad-hoc”; the ones that do are malicious in almost every case.

There are literally hundreds of thousands of articles and resources available if you want to learn more about protecting yourself. I’m going to list a few of the easier-to-understand resources in my next post. Keep yourself safe online and the horror stories you see online will never be about you.

Tech Monday: China hacked US firms despite cyberpact

China hacked US firms despite cyberpact

It’s amazing how the governments of countries say one thing but do something completely opposite later on. I think it’s absolute crap that the US and China agreed not to hack each other and steal intellectual property [IP]. It’s like telling a child that the big box in that room over there is full of candy, but there is an agreement with the room’s owner that they are not to go in there because they agreed not to eat the candy. It’s ridiculous.

I don’t doubt at all that China has again hacked 5 technology companies and two pharmaceutical companies. Our intrusion systems are advanced enough to see that there is a lot of traffic coming from a particular country and IP range, so how can they deny it? At the same time though, I know for a fact that the US is doing the same thing, but the difference is that they’re covering their tracks better and not getting caught. The internet is more akin to the wild west than it is to a civilized online community. Sure, there are people out there that don’t do this sort of thing… how does that saying go? “One bad apple ruins the whole bushel”?

Adding to the problem is the increased use of what a lot are referring to as the “dark net”, which is an encrypted and secretive underbelly of the commercial internet. There is no getting on this part of the internet without knowing someone already in there to invite you in. It’s estimated that over 20% of all traffic on the internet currently is tied in some way to the dark net. If it’s illegal and you think it can be exploited online, it’s in the dark net. Movies, music, software and even human body parts are listed somewhere on the dark net for the right price. The most utilized currency in the dark net is Bitcoin, as there isn’t any traditional method of tracing the source or recipient.

Hacking is going to continue and most likely get worse before something is done, if at all. I personally hope I never have to be the victim of hacking during my lifetime, but with our ever increasing reliance on technology I fear that we’re heading for a disaster only seen in movies.

Hackers

“Anonymous” hacked the CIA, Alabama State, and several Mexican websites this past Friday into the weekend. I’m not sure what they’re trying to prove with the whacked manifestos they’ve published justifying the hacking of those websites. I have to wonder what types of people they have actually doing these hacks. Scruffy guys, wearing t-shirts, sitting around eating Hot Pockets and drinking Monster Energy drinks, having a debate on what site to hit next? I have a different theory.

My thought is that it’s all of us unsuspecting, unprotected, “I have anti-virus” types out there that don’t know or wish to acknowledge the threat that exists on the Internet. It hasn’t come out exactly how these sites were taken down on Friday, but if I were a betting man I’d put money down on a distributed denial of service attack, or DDoS for short. It’s the method that hackers use to link hundreds or thousands of computers around the world and instruct them, through malware, to ping flood a single IP address. A ping flood is sending large packets of information via a persistent ping command. Here’s a screen shot of a persistent ping; I used a bogus IP for the sake of demonstration.

Amazing how the simplest of built in tools can be so destructive and devastating!

While I don’t agree with any sort of hacking practice, others out there are basically for hire. They take a job, transparent to the target, reason, cause, etc. If the goal of the hire is successful, they get paid. It literally is as simple as that. Most of these guys operate out of countries where government corruption is rampant, and therefore they are able to operate with little or no hassle from local officials. They get paid too, in the form of bribes.

I personally use these tools and have for several years now. I’m of the opinion that just because something is free doesn’t necessarily make it any less effective than something you have to pay for. In most cases if I like a product that is free, I’ll send in a suggestion for improvement along with a “donation” to grease the wheels on my request. In all but 1 case, the suggestion was added to a future release.

Using these tools together will provide you quite a bit of protection from anyone attempting to use your computer with or without your knowledge. In conjunction with an updated browser (IE9 or IE8, Firefox, Chrome) there are several built-in protections that warn you of potentially unsafe sites or downloads. Don’t just click on them blindly and allow the hacker crap to get on your computer.

Be safe, it’s a minefield of crap on the Internet if you’re not aware of where it’s sitting…

SCADA – supervisory control and data acquisition

I doubt most people heard about the water treatment facility in Illinois that had its SCADA system hacked a few days ago, which ultimately led to the facility shutting down for several hours. Most Americans don’t even know what this system does for us or just how critical it is to our daily lives until it’s too late and the systems are offline.

As the title suggests, SCADA stands for supervisory control and data acquisition. In simple terms, it is a networked system of switches, monitoring devices, control systems, and primary computer systems. All of these together make it possible to run a facility, like a water treatment plant, without people physically having to be on-site. The following industries have used or are currently using SCADA systems in their facilities:

  • electricity
  • water treatment
  • nuclear power
  • natural gas
  • petroleum
  • chemical

Now, hold on, I haven’t even gotten to the scary part yet. Most of these industries have one thing in common. They are in whole or in part regulated by the Federal Government, which uses its own set of SCADA systems that, you guessed it, monitor the industrial SCADA systems on-site. Sort of like a watchdog for the watchdogs. Here is the really scary part… they’re online! As in, most of these systems, with the exception of most nuclear plants and chemical plants, can be accessed remotely from any computer with a network connection and credentials to enter the system. The systems that can’t be accessed online are accessible if on-site, which for anyone determined enough is, in theory, possible. Live Free or Die Hard was about just this very topic, but veiled under what they called a “Firesale” that enabled them to steal credit information.

Finally, the horrific part of this whole thing.  Gaining access to the main SCADA system could potentially allow a single hacker to take down every other SCADA system in its network.  This would mean, in simple terms, that you would be without electricity, water, natural gas, gasoline, or any petro-chemical that goes into literally hundreds of consumer products.  The entire system, although speculation, is decades old and in need of major upgrading and fortification from modern threats.  In fact, most of the IT systems used by the Federal Government are decades old and archaic when compared to modern entry-level standards.  Did you know that the military is STILL using a hardened version of Windows XP on all of their computer systems?  Windows XP is 12 years old!!

We know how to use these systems for damage. The Stuxnet virus the United States released on Iranian SCADA systems sabotaged the centrifuges in their uranium enrichment facilities to prevent them from building nuclear weapons. The only reason it got out that it was even developed was that it affected SCADA systems outside of Iran in several neighboring countries through the Internet.

The Internet. I’ve been aware of the fact that we don’t know what we’ve created or how it will develop. I truly believe that artificial intelligence will be born out of the Internet. Whether it takes over the world, wipes out the human race, or turns into a Terminator style future is anyone’s guess.

Technical details for this post were obtained from the source below:

http://en.wikipedia.org/wiki/SCADA