Tagged: security

02
Jul
2020

123456 – I bet I Just Guessed Someone’s Password

A GitHub user going by the name FlameOfIgnis has published a very interesting repository that holds a lot of statistical data for more than 1 billion passwords. These passwords were found in data dumps from any number of the hundreds of data breaches over the past several years and analyzed for a number of different patterns. The most striking results to me are the following:

  • 1 in 142 passwords is 123456
  • 763,000 of the passwords match a pattern that suggests a random password generator is creating passwords with high complexity but low entropy. Meaning there are duplicates occurring far more often than there should be.
  • 34.4% of passwords end with digits but only 4.5% start with a digit.

The rest of the statistics are interesting but I see the above statistics as particularly impactful. If I were a bad actor looking to write a password cracking script either using dictionary attacks or brute force attacks, I would always start with 123456, then I would move in to dictionary attacks with a digit at the end, and then I would start generating passwords with the pattern found in the 763,000. Essentially, statistical analysis like these create a cookbook for deigning attack patterns against web applications protected by a login.

What does this all mean? It means that despite years of being told to do things differently to secure our digital lives, people haven’t taken the guidance to heart. We are still stuck in our old insecure ways, allowing criminals to easily steal our credentials and hijack our digital lives. It amazes me that we have yet to collectively realize just how vulnerable our inability to adapt and change our ways has made us. The threat is obvious and has been exposed for all to see, yet we put our blinders on. Those that are very unlucky only realize the error of their ways when they find their bank accounts drained because someone took over their accounts online.

Take Action

If this scares you like it scares me, take action to secure your information now. Here are some very easy suggestions that will make large positive difference in your online security if you start following them today:

  1. Use a well regarded password manager – I would suggest 1Password, LastPass, or Dashlane if you need a place to start looking.
  2. Never reuse passwords. This is why you have a password manager.
  3. Always generate random passwords that are long and complex. Again, you have a password manager now. Go crazy with that 20 character password containing lowercase letters, uppercase letters, numbers, and special characters.
  4. Always use two-factor authentication when available.
  5. If time-based one-time passcode support is available for two-factor authentication with a specific application, use it. Normally for this type of authentication you would use an app like Authy or Google Authenticator.
  6. Check if your user names and/or email addresses have been found in any data breach data dumps. I highly suggest using Have I Been Pwned for this.
  7. If you know one of your logins is compromised, change your password immediately. If you reused this password in other locations, change all of those too and use unique passwords everywhere.

Stay safe, protect yourself, and make sure your friends and family do the same.

05
May
2020

EventBot Android Malware and Why I Won’t Leave the iPhone

The Hacker News reports that there is a new Android based malware called “EventBot” that is making the rounds in rogue app stores and APK download sites that are not part of the official Google Play ecosystem. In reading The Hacker News article, this sounds pretty nasty but it begs the question, why are users of Android devices are so bent on using app stores and websites that they have no way of know are providing legitimate apps or not? It makes no sense to me.

  • Is it because they don’t know any better?
  • Is it because their phone manufacturer pushes some junk alternative app store to their customers?
  • Is it because they want to use apps they can’t in the Google Play store?
  • Is it because they want to feel rebellious?
  • Is it because they don’t want to be kept down by the “man?”

I have no idea, and I don’t know why these phone users expose themselves to these risks with such a valuable trove of information sitting on their device.

Full disclosure, I am an Apple iPhone user, and probably will be forever. It’s not because I love everything Apple and must have everything Apple. Clearly that isn’t the case given my professional background. It is a combination of economic factors, security factors, and usability factors.. I am bought into the Apple mobile device app ecosystem and it is too costly to leave.

Apple Strengths

There are some things that Apple does do better than the Android community can do, primarily because it is a closed ecosystem.

  1. They keep their users safer because bad actors have a much harder time getting truly malicious software past the app store guardians. Sure there are people that jail break their iPhones, but let’s face it, they are few and far between and most users don’t care to spend the time doing so only to void their Apple Care plan.
  2. I don’t care what kind of Snapdragon processor you have in your Android phone or many milliamp-hours your battery is rated for, they just cannot outlast and out perform an iPhone. You may be able to outperform an iPhone at certain tasks and drain your battery in an hour, or you may be able to make your battery last all day but not get any performance but you won’t be able to do both easily. I have yet to see an Android phone (you can throw any Samsung SXX model out there at this) hold up against any serious comparison to the iPhone processors and battery life combination. I attribute this to the closed Apple ecosystem as well. The software written for apple devices is always highly optimized for just that platform. There is no need to trade off compatibility for performance or battery life. Android’s open ecosystem approach just can’t do this effectively when you have hundreds or thousands of device models you have to play nicely with.
  3. The phones are reliable and they don’t crash*. I can’t count the number of times I have had Android OS phones just restart on me in the past or crash outright. Maybe it was a bad app, or maybe my specific manufacturer’s device model wasn’t tested with the app. Or maybe it was a combination of the app and some random launcher I am using on my Android phone that caused it. Needless to say, my iPhone 11 pro just doesn’t crash, at all. It reboots when I want it to or when it does an update.

*assuming you aren’t running a beta version of their iOS software or trying to us a really old device with a new iOS version. If you want to be bleeding edge or never buy new hardware, you are going to have issues on any platform.

Android Strengths

On the flip side, you can do some really cool things with Android devices that you can’t do with Apple devices.

  1. You can interact with your device at the hardware level and as long as you give an app permission to do it, they can do a whole lot. Want to record phone calls? No problem. Want to quickly and easily side load an app? No problem. Want to completely change how your phone keys work? No problem. Android is all about letting people do what they want when they want. For better or worse.
  2. You can make the phone look and feel exactly how you want. Don’t like that app launcher? Change it. Don’t like the app manager and user interface? Change it. Want the light to flash purple when you get a slack message? Go for it. Again, Android is all about the ability to make the phone do anything you want, regardless of the performance and security impacts it may have.
  3. You can find a model of phone with just the features you want at the price you want. There is no “Apple tax” when buying an Android device. Just pick the model from the thousands out there that fits your needs and budget.

What is Best For Me

The nerd in me loves these things about Android, but the practical user side of me does not. When I pick up my phone I want to know that it is going to work without any issues – every time. I don’t want to worry about a new app launcher eating up my battery and destroying the CPU usage. I don’t want to worry if that app I just downloaded has malware in it it. I don’t want to have to manage app permissions at such a granular level that I have to worry about every little thing it has access to in the OS.

At the end of the day, I just want a device that works. That means iPhone with iOS will consistently be more capable and secure for my use case. I am willing to live with the lack of customization in some respects in order to have a better overall user experience with performance and security. An experience that doesn’t require my constant attention to achieve. I have enough other things to worry about each day, my phone should not have to be one of them.

11
Nov
2019

Python Overtakes Java

InfoWorld has an article about the Python programming language overtaking Java in terms of popularity on GitHub. 15 years ago I was taking computer science classes primarily focused on Java development and now Java, what was touted as the programming language to end all languages for cross platform application development, has been eclipsed. I’m not particularly sad to see it get knocked down a notch. Java has always been notoriously buggy and full of vulnerabilities. It has been the bane of IT managers worldwide since its inception, causing audit findings because older versions are required to run certain applications, because there are new zero day vulnerabilities, and because vendors’ Java coding practices have been less than optimal. Throw Tomcat into the mix and you have the recipe to be the next Equifax.

Vulnerabilities aside, the news about Java being overtaken in popularity is a reminder to programmers everywhere that they must keep their skills current and not be afraid to learn new things. Yes, I know COBOL and Fortran are still around, but do you really want to be the last dinosaur standing or would you rather be able to evolve and avoid extinction? I would suggest the latter.

26
Aug
2019

Time To Unplug Your Smart Ovens

The Verge reports that owners of the June smart oven have been experiencing some seriously concerning incidents recently involving the oven’s preheating without their owner’s knowing. This continues to raise questions about just how much control you want to give smart devices over your house and its critical systems. While I am not sure what the true cause of the issue is, it should make everyone re-think connecting so called “smart” devices that can cause serious physical damage if something goes wrong. An oven is a perfect example of this kind of device.

Smart ovens, locks, etc. all sound great until they are hacked, poorly programmed, designed poorly, etc. When your smart device can let a malicious person into your home, cause your food to go bad, burn down your home, track your movements, etc. then it is time to rethink just how smart you want your home to be. I know smart devices are the way of the future, I have many of them myself, but I never hook them up to anything that could physically damage my home. There is too much risk to take given that the health of you and your family are at stake.

I urge anyone considering these devices to evaluate why they are needed and if you can live without them. After all, preheating your oven is great, but not burning down your house is even better.

07
Apr
2019

New Breach Identification Service Launches

There is a new data breach identification service, Breach Clarity, that is the first of its kind to offer guidance on what a consumer should do if they are part of a breach. The service doesn’t replace the work that other sites like Have I Been Pwned do but complements it. Once a consumer verifies that their information has been exposed as part of a data breach through a site like Have I Been Pwned, they then can go and enter the name of that breach on the Breach Clarity site to determine what they need to do to protect themselves based on the data that was harvested.

This is a huge positive step in the fight to help protect consumers when their personally identifiable information (PII) has been disclosed. Up until now, there has not been a resource that gives real guidance on what to do if you were a victim of one of these breaches. The best you could do was know that you were a part of the breach and then if you read sites like Krebs On Security, you would know to freeze your credit reports. With Breach Clarity consumers now have a resource that provides real guidance on what to do when their data is no longer private. I strongly encourage you to check this site out and make sure that you have taken some of the steps it suggests if you have been part of a data breach.

As a reminder, some of the best things you can do whether you are a part of a current data breach or not are:

  1. Use a different password for every online account, never use the same one multiple times. You will need to find a password manager program like 1Password or LastPass to help you mange these.
  2. Freeze your credit reports – it is just a good idea to do that. There is no need to leave them unfrozen and if you know you are going to need to get a loan or have a credit check done, use a temporary thaw period.
  3. Disclose as little about yourself on social media as you can. Do you really need everyone to know your phone number, email addresses, addresses, etc? Protect that information and only disclose it to those that really need it. If you are using your mobile phone or email as a second factor of authentication on accounts, it is even more important to protect these details.
  4. Always use two factor authentication when a service provider allows it. Even better, use an app like Google Authenticator or Authy to provide the one-time passcodes for these services. Don’t use your phone number or email address unless there is not another option.

Stay safe out there.

25
Mar
2019

Facebook Did It – They Lost All of Their Credibility

There is an interesting article over at Forbes today detailing how if you thought Facebook hadn’t lost their credibility yet on privacy, they certainly have now. For about the past six years, Facebook has been storing all the passwords you have used in clear text within an internal database that all of their staff have had access to. Yes, that means anyone in Facebook could have gotten into your account, or possibly just taken the whole database and dumped it for the world to have. Facebook is a little fuzzy on if anything nefarious has been done with this data or not.

The large implications, as the article’s author points out, is that this constant disclosure of personal data is desensitizing us to the serious implications that they truly have. Ultimately this could result in other companies taking the stance that there is no need to secure data any longer because no one really cares if it is protected or not. It comes down to us, as consumers and as the owners of this data, that we demand companies be held accountable to keep it safe. Either that, or we need to actively stop using these services. I don’t know how likely that will be in the case of an organization like Facebook since people are so invested in it that leaving is almost impossible to comprehend for many. Yet this is what is going to be required if these companies are going to be forced to change. Otherwise nothing will change and your data will be available to anyone, anywhere, anytime with no ability to control its spread.

The question then becomes, how important is your data, your private information, to you? Do you value it and if so how much? If the value is high then inaction is no longer acceptable and you must begin to advocate for stronger protections around that information. How can you advocate for this? Check out the resources below:

And of course, you can always write or call your elected officials to demand action on regulatory change.

28
Dec
2018

pfSense + Ubiquiti = <3

So I have a new weekend DIY project to work on over the next several days. I just bought a new pfSense firewall appliance along with some Ubiquiti WiFi access points for the house. I decided that it is time to get serious about securing our home network since we have so many IoT devices around these days.

At this point I have ordered the hardware and am beginning to get things planned out. for the install. I will continue to document the experience here as I go.

Hardware

  • QOTOM-Q190G4-S02 Barebone Industrial PC Gateway Router for pfSense – Intel J1900 4 Gigabit NICs
  • Crucial 8GB Single DDR3/DDR3L 1600 MT/S (PC3-12800) Unbuffered SODIMM 204-Pin Memory – CT102464BF160B
  • Dogfish Msata 120GB Internal Solid State Drive Mini Sata SSD Disk
  • Ubiquiti Unifi Ap-AC Lite – Wireless Access Point – 802.11 B/A/G/n/AC (UAPACLITEUS)
  • Ubiquiti Unifi Cloud Key – Remote Control Device (UC-CK)

Installing pfSense

First thing’s first, I had to open up my QOTOM PC and install the RAM and mSATA SSD in on the board. This was very easy to do, all that was required was to remove the four case screws using a Philips head screw driver. From there, the RAM and mSATA job just slide into their respective slots on the motherboard. You will need to hold the mSATA drive in place with a screw as well that is already on the motherboard when you open the PC case.

Once all of this was set, I downloaded (https://www.pfsense.org/download/) and burned a copy of pfSense to a DVD and connected a USB external DVD-ROM to the QOTOM PC along with a keyboard, mouse, and VGA based monitor. I powered everything up and… failure. The PC hung at the pfSense “booting” prompt. After some quick Google searching it was clear I was not the first to experience this with the latest version of pfSense. The short explanation is that the version of freeBSD that pfSense uses doesn’t like some graphics chipsets so the console hangs. To get around this you need to add the following line to your boot settings:

set kern.vty=sc

Once this was done everything very well. Installation proceeded without any other major issues. I essentially took all of the defaults in the installation and had the installer partition my SSD automatically.

pfSense Console Options

The QOTOM comes with four ethernet ports so you will need to tell pfSense what to do with all of them once the PC boots for the first time after installation. When the system has booted you will get to a menu with a list of console administration options to choose from. You will need to select the menu item for assigning interfaces for pfSense system. The console program will then walk you assigning your WAN, LAN and optional interfaces. In my case I did the following:

InterfaceUsage
igb0WAN
igb1LAN
igb2Opt 1
igb2Opt 2
Jonathan Cilley

Follow me on Twitter