Wednesday, March 22, 2017

Slide set for tonight's session

I know many people who cannot attend tonight's presentation on practical tips for protecting your data and privacy in cyberspace.  So, here is a link to the slide set in PDF form.  I will be updating the presentation soon and will post updated slides when I do. Be safe!

http://personal.psu.edu/gms/privacy/Privacy%20Online.pdf

I am also happy to give this presentation to schools or civic groups.  No pay necessary but it would be great if you can cover my travel expenses.

Sunday, March 19, 2017

Protecting your Privacy Online - talk on Weds March 22


About passwords and 2FA

If you are like most users, you have a dozen or more userids and passwords on various services such as Google, Facebook, Yahoo, etc.  It gets pretty complicated remembering all of these. So what is the security-savvy user to do?

What you DO NOT want to do is use the same set of userid/password credentials for multiple systems!  The reason is simple: if your credentials are stolen from one system, the hackers will try them on other systems, such as social network sites or bank sites.

According to a recent article in The Hacker News, over 1 million sets of Yahoo and Google credentials are available on the dark Web. Information gleaned from these sites can then be used in various ways, such as creating spear phishing attacks.

One of the best methods for protection is 2FA, or Two-Factor Authentication. This requires a second method of authentication, such as a code sent by SMS to a cell phone. Some services, such as Google, provide for 2FA as an option.

Another popular approach is to use a password manager program.  These programs are like an encrypted database.  Here is a link to an article about the best password managers of 2017.

Yet another simple approach is to write them into a notebook and carry that with you. Or create a text file with the various credentials, print one or two copies to keep in safe places, then encrypt the file using Zip or some other method and store it in the cloud.  If you lose the paper copies or want to make a change you can retrieve the encrypted file from the cloud and edit or print it. Now you only need to remember the decryption key and your cloud credentials.

Your choice of password is also very important. Stupid passwords are easy to crack. One very simple attack is to hash the top stupid passwords and compare the results against a giant leaked file of hashed passwords.  You are likely to get at least a few hits.

Instead of a password, use a pass phrase. A simple sentence such as "I love hash browns with ice cream" can be extremely hard to crack. So how do you remember the phrase? Take your favorite poem, short story, or song. Use a line of the lyrics, and let the userid remind you which lyric or sentence you are using. Avoid extremely popular pieces such as the Bible. You might also employ the approach of changing some characters to others, such as 4 for a, 0 for o, etc. A simple algorithm for this is easy to remember.

To give an example, my home network has WPA2 PSK for security. I have seen methods for cracking WPA2 PSK, but they rely on having a password of 12 characters or less, otherwise the time involved is too great. So my pass phrase is 27 characters. When I travel I turn the router off, but that is a story for another day!
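
As an added example (not from the original post), here is the defender's version of the two points above: a small audit that hashes a list of common passwords once and looks each stored hash up in that table, the way you would check your own user store for accounts that need a password change, plus a rough estimate of how the exhaustive search space grows with length. The common-password list, the hash dump, and the guess rate of one billion per second are all constructed for illustration; a real audit would use a published list of leaked passwords and whatever hash format your system actually stores.

```python
"""Added example: common-password audit and search-space estimate.
All data in this file is constructed for illustration."""
import hashlib

# Constructed "top common passwords" list; a real audit would load a
# much larger published list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 hex digest, the kind of hash seen in many leaked dumps."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed dump: userid -> unsalted SHA-256 of the password.
# Two accounts use common passwords; one uses a long pass phrase.
DUMP = {
    "alice": sha256_hex("password"),
    "bob": sha256_hex("qwerty"),
    "carol": sha256_hex("I love hash browns with ice cream"),
}


def audit_common_passwords(dump, common=COMMON_PASSWORDS):
    """Return {userid: plaintext} for every account whose stored hash equals
    the hash of a common password.  The common list is hashed once and each
    stored hash is looked up in that table, so the cost is a few hashes plus
    one dictionary lookup per account, independent of how large the dump is."""
    table = {sha256_hex(p): p for p in common}
    return {user: table[h] for user, h in dump.items() if h in table}


def seconds_to_exhaust(length, alphabet_size=95, guesses_per_second=1e9):
    """Worst-case seconds to try every string of the given length over the
    95 printable ASCII characters at a constructed guess rate.  The point is
    the exponent: each extra character multiplies the work by the alphabet size."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    for user, pw in audit_common_passwords(DUMP).items():
        print(f"{user}: uses common password {pw!r}; require a change")
    for n in (8, 12, 27):
        years = seconds_to_exhaust(n) / (3600 * 24 * 365)
        print(f"length {n}: about {years:.3g} years to exhaust at 1e9 guesses/s")
```

Running it flags alice and bob but not carol, whose pass phrase is not on the list; the length table shows why the post's 27-character phrase is out of reach of the 12-character-or-less attacks it mentions, assuming the phrase itself is not a well-known quotation that a wordlist would contain.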


Friday, March 10, 2017

What are ‘exploit kits’ and why should you fear them?


The Malwarebytes ‘Cybercrime tactics and techniques – 2016 Wrapup’ gives special mention to the rise in the availability, use, and complexity of exploit kits.  Many people have not heard of them so I thought I would make a post.

To understand what an exploit kit is you first need to understand what an exploit is.  There are many vulnerabilities in software. Some are in applications and some are in the operating system. When a cyber-attack is successfully mounted against one of those vulnerabilities, it is said to have been exploited. The attack itself is called an exploit.

In the basic cyber-attack, information is gathered about the servers and other nodes in the network. This is called ‘enumeration.’  Using this information, a database of potential vulnerabilities can be queried. Now the idea is to try exploits on each possible vulnerability, knowing that some may not have been patched.

In the early days of cyberspace, it took a great deal of skill to develop and deliver an exploit.  But like anything else the process has been automated into what is called an ‘exploit kit.’  There are many different exploit kits available for purchase or rental.

Some exploit kits even have user-friendly web-based administrative interfaces, where various options may be turned on or off. The level of skill needed to run many exploit kits is fairly low.  They are a lovely study in usability for cyber-crime.

Exploit kits initially infect networks or home systems through the common channels – e-mail attachment, macro, insecure application, and Web XSS.  These are common vectors for malware, so the same defenses used against malware also protect against exploit kits.

  • Always maintain backups and air-gap them.
  • Keep your OS and apps patched as patches are released. Don’t put it off.
  • Always have good anti-virus, anti-adware and firewall deployed and current.
  • Always use a least-privilege account.
  • Do not open email attachments unless you are absolutely sure what is in them and where they came from.


Here are some good references:


Monday, March 6, 2017

Security news tags on delicious

I have long maintained a delicious.com site where I bookmark various links of interest. My security and IT news tags are public and have been available to my students for years.

Here is the link:

https://del.icio.us/gmsantoro/news

Malwarebytes Report - Ransomware

The Malwarebytes "The Cybercrime Tactics and Techniques Report" describes how ransomware has become, and likely will continue to become, the fastest-growing form of Windows-based malware in the foreseeable future, as cyber-criminals find ways to eliminate the middle-man in their scams.

What is ransomware? Very simply it is malware that encrypts some (or all) of your files, making your computer unusable. You are then given a time frame in which you may pay a fee to get the decryption code for your files. This fee is typically paid in bitcoin currency. Whether you actually do then get a decryption code to recover your files is a crap shoot. You might pay and get nothing.

From reports I read, recovering from ransomware can be a headache or a nightmare. But, there are some steps you can take to raise your protection level:


  • Back up your important data files and air-gap the backups. I maintain at least 3 copies of all backups, rotating the drives. I also use open-source software whenever possible. Should the worst happen I can have my system wiped and re-install everything. A pain but not a disaster.
  • Have excellent anti-malware installed and updated frequently. There are many good, and in some cases free, anti-malware programs available.
  • Apply OS patches as they come out - many have to do with closing vulnerabilities.
  • Always use a Least Privilege Account. This is a user account that does NOT have administrative rights. This simple trick will stop 70-80% of all malware.
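
An added example, not part of the original post: when rotating backup drives as described above, the check a practitioner wants before a copy is rotated in is that the files on it are still the files you backed up. The script below builds a SHA-256 manifest of a reference copy and a candidate copy and reports files that are missing or whose contents changed, which is how a copy whose files have been silently rewritten (for example, encrypted by ransomware) gets noticed instead of overwriting a good copy. The directory trees and file contents are constructed in temporary directories so the example runs on its own; in practice you would point it at the mounted backup drives.

```python
"""Added example: verify a backup copy against a reference manifest.
Sample trees and contents are constructed for illustration."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path relative to root to the SHA-256 hex digest of its
    contents, reading in chunks so large files do not have to fit in memory."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(reference, candidate):
    """Report files present in the reference copy that are missing from the
    candidate copy or whose hash differs.  Any entry here is a reason not to
    rotate the candidate drive in over a good copy."""
    missing = sorted(p for p in reference if p not in candidate)
    changed = sorted(p for p in reference
                     if p in candidate and reference[p] != candidate[p])
    return {"missing": missing, "changed": changed}


def _write(root, rel, data):
    """Create a constructed sample file under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Construct a good copy and a damaged copy and return the comparison."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        for root in (good, bad):
            _write(root, "docs/thesis.txt", b"chapter one")
            _write(root, "photos/cat.jpg", b"\xff\xd8 constructed jpeg bytes")
        # Simulate damage on the candidate copy: one file rewritten with
        # unreadable content (as after encryption) and one file deleted.
        _write(bad, "docs/thesis.txt", b"\x00\x17 unreadable bytes")
        os.remove(os.path.join(bad, "photos", "cat.jpg"))
        return compare_manifests(build_manifest(good), build_manifest(bad))


if __name__ == "__main__":
    print(demo())  # {'missing': ['photos/cat.jpg'], 'changed': ['docs/thesis.txt']}
```

Keep the reference manifest on the air-gapped copy or on paper rather than on the live system, since a manifest that an attacker can rewrite proves nothing.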

Here are some other sources:


Malwarebytes Labs: The Cybercrime Tactics and Techniques Report

Malwarebytes Labs just released a report titled "The Cybercrime Tactics and Techniques Report (2016)."  This report describes a number of trends regarding cybercrime and malware.  In my next few posts I will comment on each of these areas.  The whole report may be found at:

https://blog.malwarebytes.com/threat-analysis/2017/03/malwarebytes-labs-presents-cybercrime-tactics-techniques-report/

Sunday, March 5, 2017

My Security Basics site




I have been maintaining a free web site to educate people about things they should be doing to protect their information and privacy.  I will be continually adding to this site.

http://santorosecurity.weebly.com/


So your FB has been Hacked - What now?

The first question to ask yourself is how do you know you have been hacked?  One clue would be from people who are already friends asking why you sent a second friend request. Another clue would be if any of your data, such as birthday, has been changed. Finally you may notice new friends who you did not add.

You can check to see if anyone is currently logged into your FB account by going to the arrow in the upper right-hand corner of your FB page and selecting SETTINGS.  Then select Security and finally select 'where you're logged in.'  If you do not recognize any of these sessions you may select END ACTIVITY to temporarily log them out.

Now change your password right away!  Be sure not to re-use other passwords you have used, since that may have been how you became hacked in the first place.  If you do re-use passwords you should go to all accounts with the same password and change each of them to something different.  I know this is a pain, but this is one of the ways hackers turn a single dataset acquisition into many more.

This may be the end of it.  But you can also go to the Facebook help page, click on 'I think my account was hacked' and then click on 'secure it.'  Facebook will transfer you to a page where you may further secure your account.


Why do people do this? There are a number of theories. According to one theory, there could be as many as 67 million fake Facebook accounts.

One possibility is to spy on people, or their friends. The DOJ has released a document explaining how to use social media in law enforcement. Hackers may be interested in your open source exposure, possibly to compromise your credit or bank accounts. There is even one report that the NSA mines Facebook data looking for terrorist connections.

Reasons to suspect a friend request may be bogus:

- Account was recently created, person has few friends - none mutual.
- Account has little activity, few pictures
- Profile pictures seem too good to be true (young model for instance).

You might also try a reverse image search to see if they possibly appropriated the image from another person.

Finally, and this goes without saying, limit the amount of personal information you share through Facebook. Better to be safe than sorry.