Posts

The Death of Facebook Would Make Everyone Safer

With the recent news about Facebook and Cambridge Analytica there has been an uptick in comments about the lack of safety Facebook provides to its users. Websites like Facebook and LinkedIn are valuable assets for attackers crafting spear phishing attacks, because large amounts of personal data are available there and can be used to imitate company employees as part of an attack on a company. If Facebook were to fall by the wayside like MySpace and Google Plus, attackers would have one less tool to use against their chosen victims.

There is an even more important effect that would be created if Facebook were to disappear. Many websites and services use Facebook as a way of authenticating and signing people into accounts. Without Facebook’s authentication service, many users would have to fall back to using email accounts to authenticate online. Each site would be its own account, which would lead to “account fatigue”: the annoyance of having to keep track of a different username and password for every website a user logs into. To mitigate this, tools like LastPass and KeePass would likely see a steep rise in popularity. Any decent password manager includes a feature to generate randomized passwords, which guides users towards having a different, complex password for every site and so reduces password reuse. A common attack is to gather usernames and passwords from stolen password databases and try the same username and password combinations on other sites, in the hope that users reused them, allowing the attacker to log in to accounts they should not have access to. Password managers make this risk easy to mitigate because generating a different random password for every website is trivial.

Use LetsEncrypt to Enable HTTPS on your Web Server for Free

LetsEncrypt offers free SSL certificates for websites, allowing you to protect users who access your site.

This guide goes step by step through moving an unencrypted HTTP website to HTTPS on Nginx. For the purpose of this guide, I’ll be using the website guide.highguard.net. There is no content there.

Let’s start with the site in nginx.

server {
    server_name guide.highguard.net;
    listen 80;
    listen [::]:80;
    root /var/www/guide;
    index index.html;
    access_log off;
    error_log off;
    location /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location ~ /\.ht {
        deny all;
    }
}

Right now the URL guide.highguard.net will show whatever is located at /var/www/guide/index.html on the server. To enable HTTPS we need to get a certificate from LetsEncrypt using Certbot, then set up the site to use it and redirect HTTP requests to HTTPS in an intelligent manner. Let’s start with getting the certificate.

Install Certbot with apt install python-certbot python-certbot-nginx. If you are using a distribution other than Debian, the package may have a different name or might not be available; the binary can be downloaded from the EFF.

Use Certbot to automatically create a challenge, request the certificate and download it. With certonly, Certbot obtains the certificate but does not touch the nginx config; we will edit that by hand below.

certbot --nginx certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: guide.highguard.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for guide.highguard.net
Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0000_key.pem
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem

The certificate is generated and placed in /etc/letsencrypt/live/guide.highguard.net/. Now we can change the site’s config file to use the certificate. The easiest way to do that is to change the top of the server block so that it uses SSL, then add a new server block on port 80 that redirects unencrypted connections to HTTPS.

The new server block:

server {
    server_name guide.highguard.net;
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
    access_log off;
    log_not_found off;
}

Then put the old server block right below that with minor changes: change the listen directives from 80 to 443 ssl and add the paths to the certificate and its private key.

server {
    server_name guide.highguard.net;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/guide.highguard.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guide.highguard.net/privkey.pem;
    root /var/www/guide;
    index index.html;
    access_log off;
    error_log off;
    location /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location ~ /\.ht {
        deny all;
    }
}
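Once nginx -t passes and nginx has been reloaded, it is worth confirming that the port-80 block really redirects and that the chain served on 443 validates. The script below is an added example, not part of the original post; it assumes the host name used in this guide and only the Python standard library. The pure helpers check_redirect and days_until_expiry are kept separate from the network calls so they can be checked offline:

```python
import http.client
import socket
import ssl
import time

def check_redirect(status, location, host, path):
    """True when a plain-HTTP reply is the redirect the port-80 server block
    sends: permanent, https scheme, same host, same path and query string."""
    return status in (301, 308) and location == f"https://{host}{path}"

def days_until_expiry(not_after, now_seconds):
    """not_after is the notAfter string ssl.getpeercert() reports, e.g.
    'Jun  1 12:00:00 2018 GMT'; now_seconds is a Unix timestamp.
    Returns whole days left, negative once the certificate has expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now_seconds) // 86400)

def fetch_redirect(host, path="/"):
    """Request `path` from the port-80 listener and return (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def fetch_not_after(host):
    """Open a verified TLS connection to port 443 and return the leaf
    certificate's notAfter. create_default_context() validates the chain, so
    serving cert.pem instead of fullchain.pem shows up here as a failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def audit(host, path="/"):
    """Return (redirect_ok, days_left) for a live host; needs network access."""
    status, location = fetch_redirect(host, path)
    days_left = days_until_expiry(fetch_not_after(host), time.time())
    return check_redirect(status, location, host, path), days_left

if __name__ == "__main__":
    # $request_uri keeps the query string, so the redirect must preserve it too.
    ok, days = audit("guide.highguard.net", "/some/page?x=1")
    print(f"redirect correct: {ok}; certificate expires in {days} days")
    # Let's Encrypt certificates last 90 days; schedule `certbot renew` to keep them current.
```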

Google and Mozilla are pushing for HTTPS to be everywhere

If your default browser is Firefox or Chrome you may have noticed recently that both browsers are starting to take a harder stance on insecure login pages.

Whenever you type into a form field, or land on a login page, that is not secured with HTTPS, both Firefox and Chrome have their own ways of warning you that the data you are sending, such as passwords or credit card numbers, could be intercepted by an attacker.

Chrome shows “Not secure” next to the URL bar and Firefox puts a warning banner under the password field.

Firefox:

Chrome:

Users on Twitter are seeing these notifications and taking it up with the companies that run the sites.

https://twitter.com/search?q=%22log%20in%22%20%22not%20secure%22&src=typd

Annoying Web Scanners with Zip Bombs

This one can be filed squarely under “so dumb it works”. This practice won’t really do much to increase the practical security of a website, but it does create roadblocks for the people running the tools that look for holes in your security.

Zip bombs are really large files that are basically empty, so that when you zip them up they become far smaller. For example, 42.zip is a 4.3 GB file that when fully decompressed is 4.5 PB (petabytes) of data. That’s 4,718,592 GB of data. When vulnerability scanners come into contact with these files they download them and try to unzip them to see what’s inside, but because of the huge size they crash or hang and give up with an error.

Vulnerability scanners are annoying because they clog up your logs and don’t contribute to your site being any more popular. If your site ever does become vulnerable you could get hacked, because everyone and their brother is trying to get in. By looking at access logs we can see patterns in what resources bots are requesting and what their user agents are. With a simple bit of scripting we can deliver a zip bomb to the scanner instead of the legitimate resource, wasting their time and hopefully crashing their software.
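The first half of that, spotting the scanners in the access log, is shown below as an added example (not the original post's or Christian Haschek's code). It assumes nginx's default combined log format, which means access_log must be switched back on for the site, and it works over a few constructed log lines:

```python
import re
from collections import defaultdict

# nginx "combined" log format, with $request split into method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Paths a visitor of a static site never asks for but scanners probe constantly.
PROBE_PATHS = {"/phpmyadmin/", "/wp-login.php", "/.env", "/xmlrpc.php", "/.git/config"}

# Constructed sample lines (not real traffic); addresses come from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2018:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.18.4"
198.51.100.7 - - [01/May/2018:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.18.4"
198.51.100.7 - - [01/May/2018:10:00:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.18.4"
203.0.113.5 - - [01/May/2018:10:01:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
203.0.113.5 - - [01/May/2018:10:01:11 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "https://guide.highguard.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
"""

def parse_line(line):
    """Dict of the fields in one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_scanners(lines, min_probes=2):
    """Group requests by client address and flag clients that either hit at least
    min_probes distinct probe paths or only ever received 404s across three or
    more paths. Returns {ip: {"probes": [...], "user_agents": [...]}}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    scanners = {}
    for ip, recs in by_ip.items():
        paths = {r["path"] for r in recs}
        probes = paths & PROBE_PATHS
        only_404 = all(r["status"] == "404" for r in recs)
        if len(probes) >= min_probes or (only_404 and len(paths) >= 3):
            scanners[ip] = {"probes": sorted(probes),
                            "user_agents": sorted({r["ua"] for r in recs})}
    return scanners

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, info["user_agents"], info["probes"])
```

The user agents and paths it reports are what you would key an nginx map on to decide which requests get the decoy instead of the real resource.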

Read more at Christian Haschek’s blog.

Why to avoid IoT in the workplace and at home

The Internet of Things, commonly referred to as IoT, is a new market popping up that boils down to the idea of connecting everything to the internet, even if it doesn’t need to be. The downside of these devices is that many of them are not secure out of the box and many more are unmaintained. Many of the devices showing up on the market don’t even have a good reason to be connected to the internet.

Exhibit 1: Juicero

Juicero is a cold press juicer, but you can’t just put whatever you want into it like a normal juicer. No, you have to buy their prepackaged bags of fruits and vegetables. Even worse, if your internet cuts out it stops working. The only value added by connecting this thing to the internet is that if there were a recall on a package, the Juicero wouldn’t squeeze it. The good news is that if your internet fails, you can just squeeze the juice yourself.

But let’s stop talking about how dumb these devices are. They are serious security problems waiting to happen, too.

Exhibit 2: JideTech Onvif 2.4 Wi-Fi Security Camera

Amazon has since taken this camera down from their store, hence the Internet Archive link. This is probably my favorite example and the one I bring up most often when talking about how badly insecure IoT is. This is one of the cameras that made the Mirai botnet the most powerful botnet in the world. Security researcher Rob Graham tweeted about buying this camera and watching with Wireshark as it was infected very soon after plugging it in. It is vulnerable out of the box and was never patched, which is why Amazon stopped selling it. Video

So now we know that IoT devices are worthless and insecure; what about your privacy?

Exhibit 3: Pillsy

Pillsy is a Bluetooth enabled pill bottle that reminds you to take your meds. Sharing what medication you take, or how often you forget to take it, is a terrible idea. I don’t even want to imagine how much information like that is worth to health insurers.

This is an expansion on one of the topics in my article on tips for your employees on how to secure a home network.

Tips for your employees on how to secure a home network

It has become very common for employees to work from home using company laptops or by working remotely on a home computer. This change can be good for comfort and productivity, but a home network rarely reaches the same level of security as a business network. Here are some tips to reduce data risk at home.

  1. Keep everything updated
  2. Don’t use IoT (Internet of Things) devices
  3. Use a VPN
  4. Use ad blocking addons
  5. Disable UPnP (Universal Plug and Play) on your router

Keep everything updated

Just because a vulnerability gets patched doesn’t mean that hackers are going to stop trying to use that method of attack. Rather, bad guys rely on victims leaving their electronics unpatched, and try older exploits that still work even though a fix is already available. Everything in your house that is connected to the internet, whether through a wired or wireless connection, should stay as up to date as possible so that old methods of attack won’t work against you.


Don’t use IoT devices

It is very common for IoT devices to be highly vulnerable. The most powerful botnet, named Mirai, is made up of internet connected security cameras designed for home use. If you were to plug a vulnerable camera into your home network, the camera could become infected in less than two minutes and start slurping up all of your internet bandwidth every time it is directed to attack a target. The camera can also be used to spy on you. Other IoT devices are known to have vulnerabilities that put your personal data at risk, such as this kids’ toy designed to record audio messages, which could be used to snoop on the house and had no security whatsoever on the storage of the recordings.


Use a VPN

Most security minded clients I’ve had have required employees who work from outside of the office to connect to company resources using a VPN. Some industries are required by law not to allow access into the network from the outside. A VPN lets remote users work within this restriction by making their connection part of the company network.


Use ad blocking addons

The Google Chrome and Mozilla Firefox browsers have many different addons that block advertisements. Personally I recommend uBlock Origin [Chrome | Firefox]. Ad blockers are good because they clean up web pages and speed up page loads, but my reason for recommending them is that advertisements can carry malware. Let me give you an anecdote from my time working in helpdesk:

We had a high number of calls coming in for users getting hit with ransomware and every time it was the same story. “I just opened up the internet and suddenly I had the virus!” Sometimes people would be searching for something business related and would click a bad link in a Google search. Once I saw a government site that had been compromised give a user a virus. Sometimes people fess up and say they were browsing Facebook and they clicked a link they should not have. I thought it was strange that at the same time there was this big uptick in infections, so many people were giving the same lame, unbelievable story. I did some research and it turns out they were telling the truth. All of the infected users were opening Internet Explorer, which would load the default MSN homepage where ads were being served through Microsoft’s Bing ad platform. Someone had purchased ad space that contained malicious code that, by simply loading the advertisement, would cause the computer to download and run the ransomware virus. Had the users been using ad blockers, these bad advertisements would not have loaded and would not have infected the computers.


Disable UPnP on your router

This one is a bit more technical. Universal Plug and Play (UPnP) is a protocol that allows computers inside the network to open up ports on the router to send and receive information. Each port is used for a different service, such as browsing the web or sending files. Every open port is another potential security risk for your network. Some viruses require UPnP to function, and disabling it stops those viruses from working.
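Router menus do not always make it obvious whether the setting took, so here is a way to check from a machine on the home network. It is an added example, not part of the original article; it sends the standard UPnP discovery request for an Internet Gateway Device, the profile that opens router ports, and parses the reply, with a constructed reply included for offline testing:

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
# M-SEARCH asking only for Internet Gateway Devices, the UPnP profile that lets LAN hosts open router ports.
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n' + f"ST: {IGD}\r\n\r\n").encode()
# Constructed reply in the shape a router with UPnP enabled sends (not captured from a real device).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

def parse_ssdp_reply(data):
    """Headers of a '200 OK' SSDP reply as an upper-cased dict, else None."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers

def advertises_igd(headers):
    """True when the responder claims to be an Internet Gateway Device."""
    if not headers:
        return False
    return "InternetGatewayDevice" in headers.get("ST", "") + headers.get("USN", "")

def discover_igd(timeout=3.0):
    """Multicast M-SEARCH on the LAN and list (address, LOCATION) of every IGD that
    answers. Once UPnP is disabled on the router this should come back empty."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                data, addr = sock.recvfrom(4096)
                headers = parse_ssdp_reply(data)
                if advertises_igd(headers):
                    found.append((addr[0], headers.get("LOCATION", "")))
        except socket.timeout:
            pass
    return found
```

Call discover_igd() from a computer on the home network; an empty list means nothing answered as an Internet Gateway, which is what you want after turning UPnP off.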

Why certifications are valuable in IT

I made the decision before leaving high school that I did not want to go to college. As I knew that I was going into the tech industry I was already well aware of the downsides of getting a degree. A degree proves that you learned about your trade and also took classes in other fields, coming out after four or so years with a well rounded education. After that, there is nothing. You pay an exorbitant amount of money for a degree with no further course, and possibly nothing that proves you are good at what you actually want to do. A computer science degree can get you helpdesk, maybe a sysadmin position, or something in management, but don’t expect a degree to get you seated in a position working in cryptanalysis or offensive security.

On the other hand, certifications allow you to create a much longer road for your further education. You can start with simple certifications and move up towards proving that you are good at what you want to do. Two years of study for certifications is much less expensive than college, and gives you a longer list of accomplishments that are more specific to the dream job you chase. The technology industry is changing rapidly, meaning that education becomes obsolete much faster than in many other sectors. A four-year degree loses a lot of its value after a decade, but because of the ongoing nature of certifications, your knowledge, and the proof of that knowledge, is constantly updated and stays current.