Do I need a VPN?

TechRadar looks at the simple question: “Do I need a VPN?” (Spoiler alert: Yes, you do). The real value in this article is that it explains just why you need to use a VPN, and what benefits there are when you have one. It also discusses the disadvantages of using a VPN, and offers advice on what to look for in a VPN provider.

With so many fly-by-night VPN providers popping up, it can be hard to separate the good from the not-so-good. Fortunately, there are a few key characteristics to look for in a VPN. First, make sure the server offers private browsing. Most subscription-based VPNs host their own network servers, which means they’re able to allow their users the comfort to browse anonymously. Most free VPNs, on the other hand, use open networks which are often unsecured and full of privacy gaps.

I personally use Freedome, with a fallback to KeepSolid’s VPN Unlimited. I’m a big fan of F-Secure products, so that’s why I like Freedome. VPN Unlimited is my fallback simply because I got a great price on a lifetime VPN through them.

What Is Malware?

This is a surprisingly in-depth article over at MalwareBytes regarding just what it is that makes software fall into the category of malware. Finding information or a short definition of malware is easy. Finding this much detail on what malware is, how you can tell when you have it, how you get it, and more, is not.

Other kinds of malware are a different story. Mac systems are subject to the same vulnerabilities (and subsequent symptoms of infection) as Windows machines and cannot be considered bulletproof. For instance, the Mac’s built-in protection against malware doesn’t block all the adware and spyware bundled with fraudulent application downloads. Trojans and keyloggers are also threats. The first detection of ransomware written specifically for the Mac occurred in March 2016, when a Trojan-delivered attack affected more than 7,000 Mac users.

This is well worth the few minutes it will take to read.

Insufficient Passwords

I love computer security. Worked in the field for half a decade, but got out of it when I moved to Memphis. Would love to get back into it, if I had the opportunity. So when I see stories like this Register article about a Western Australia Auditor General report on poor password security, I like to pass it along in hopes that others will learn a little something from it. 

Among these [60,000 easily guessed passwords], ‘Password123’ was in use by 1,464 accounts, ‘Project10’ by 994, ‘support’ by 866, ‘password1’ by 813, and ‘October2017’ by 226, to pick only the top five worst offenders in popularity order.

Folks, the most secure password is one you can’t remember. That’s why I recommend a password manager. Pick one really good password to protect your master database, then let the password manager generate all your passwords going forward. Periodically change your master database password. Lather, rinse, repeat. What password manager? Well, I personally use LastPass. If you don’t want to pay for one, try out KeePass. If you don’t want to take my word for what to use, I can also advise you to consider any of these recommendations from LifeHacker (spoiler alert: they recommend the same 2 I do, plus a few others).

But the important takeaway from this story should be that you can’t do this on your own. You’ll probably mess up. People are bad at generating random passwords. People are bad at remembering hard passwords. People are bad at keeping track of hundreds of passwords (that’s how many I have – others may not use as many as I do). But computers are really, really good at this stuff, so let them do the heavy lifting here.
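To make the “let the computer do the heavy lifting” point concrete, here is an added example (my own code, not from the Register article or the Auditor General report). It checks a candidate password against the five offenders quoted above plus a couple of guessable patterns, and generates passwords with the `secrets` module while reporting how many bits of entropy a given length buys. The minimum length and the pattern list are assumptions chosen for this example.

```python
"""Password hygiene helpers (added example).

Two halves: weakness() explains why a human-chosen password is guessable,
generate_password() shows what a generator produces instead, with entropy_bits()
to quantify the difference.
"""
import math
import re
import secrets
import string

# The five passwords quoted from the report, normalised to lower case.
TOP_OFFENDERS = {"password123", "project10", "support", "password1", "october2017"}
MIN_LENGTH = 12  # assumption for this example, not a figure from the report

MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
PATTERNS = [
    re.compile(rf"^({MONTHS})\d{{2,4}}$", re.IGNORECASE),  # October2017 style
    re.compile(r"^[A-Za-z]+\d{1,4}$"),                      # Project10, password1 style
    re.compile(r"^(.)\1+$"),                                # one repeated character
]

# 26 + 26 + 10 + 32 = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weakness(password: str):
    """Return the first reason the password is weak, or None if no rule fires."""
    if password.lower() in TOP_OFFENDERS:
        return "in known-bad list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    for pat in PATTERNS:
        if pat.match(password):
            return f"matches guessable pattern {pat.pattern!r}"
    return None


def is_weak(password: str) -> bool:
    return weakness(password) is not None


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Uniformly random password; secrets (CSPRNG) rather than random (PRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Password123", "WinterHoliday2019", generate_password()):
        print(f"{candidate!r}: {weakness(candidate) or 'no rule fired'}")
    print(f"20 random symbols from {len(ALPHABET)} = {entropy_bits(20):.1f} bits")
```

A generated 20-character password from this alphabet carries about 131 bits of entropy; a month-plus-year password is one of a few thousand possibilities regardless of its length, which is why the pattern check fires before any length check would have saved it.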

The Skim Reaper – a Credit Card Skimmer Detector

If you have heard about credit card skimmers, you probably know the advice to tug on a credit-card scanner before using it. That’s not really that effective against more and more of the scanners, as they are getting smaller, and more easily hidden within or on top of real scanners in such a way that a sharp tug just won’t reveal them any more. Enter the Skim Reaper, a scanner that works instead by checking for multiple voltage spikes such as those caused by a hidden reader.

We have partnered with law enforcement agencies to comprehensively characterize skimmers, with the goal of designing and delivering strong tools to reduce this kind of crime. As a result, we created the Skim Reaper™, which specifically targets overlay and deep-insert skimmers.

A better brief explanation can be found at Ars Technica, one of the finest geek sites on the web.

SkimReaper is aimed specifically at overlays and inserts. It uses a card-shaped sensor with a printed circuit that, when powered, can detect the voltage spikes created by coming in contact with magnetic reader heads. If it detects two or more, there’s a skimmer in play.

While I have found no information yet on how to build your own nor how to buy your own Skim Reaper to keep yourself safe, I am sure that both a DIY guide and a pre-made Reaper purchase option will happen before too long.
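To illustrate the “two or more spikes means a skimmer” rule from the Ars Technica summary, here is an added example of the counting logic in Python. It is a simplified model I wrote for this post, not the Skim Reaper’s own firmware; the voltage traces, thresholds and sample rate are all constructed. The one detail worth learning from it is hysteresis: a single noisy read head can cross a single threshold several times, so the counter uses a higher level to start a spike and a lower level to end it.

```python
"""Spike counter modelling the Skim Reaper principle (added example, not the device's code).

Each trace is a list of voltages (volts) from a hypothetical card-shaped sensor
swiped through a reader slot. Contact with a magnetic read head produces a
sustained rise above the baseline; a legitimate slot has one head, an overlay
or deep-insert skimmer adds a second.
"""
from typing import Iterable

# Thresholds are assumptions chosen for the constructed traces below.
RISE_V = 0.50  # level at which a spike starts
FALL_V = 0.30  # level at which it ends; lower so jitter near RISE_V cannot split one head into many

# Constructed traces, not real measurements.
LEGIT_TRACE = [0.02, 0.03, 0.02, 0.61, 0.65, 0.60, 0.03, 0.02, 0.01, 0.02]          # one head
SKIMMED_TRACE = [0.02, 0.03, 0.62, 0.64, 0.02, 0.03, 0.58, 0.60, 0.61, 0.02, 0.01]  # two heads
FLICKER_TRACE = [0.02, 0.55, 0.45, 0.56, 0.44, 0.57, 0.02]                          # one noisy head


def count_spikes(samples: Iterable[float], rise: float = RISE_V, fall: float = FALL_V) -> int:
    """Count distinct excursions above `rise`, using `fall` as the release level."""
    if fall >= rise:
        raise ValueError("fall threshold must be below rise threshold")
    spikes = 0
    in_spike = False
    for v in samples:
        if not in_spike and v >= rise:
            in_spike = True
            spikes += 1
        elif in_spike and v <= fall:
            in_spike = False
    return spikes


def count_spikes_naive(samples: Iterable[float], threshold: float = RISE_V) -> int:
    """Single-threshold counter, kept only to show how jitter inflates the count."""
    spikes = 0
    above = False
    for v in samples:
        if v >= threshold and not above:
            spikes += 1
        above = v >= threshold
    return spikes


def skimmer_suspected(samples: Iterable[float]) -> bool:
    """The rule from the article: two or more read heads means a skimmer is in play."""
    return count_spikes(list(samples)) >= 2


if __name__ == "__main__":
    for name, trace in (("legit", LEGIT_TRACE), ("skimmed", SKIMMED_TRACE), ("flicker", FLICKER_TRACE)):
        print(f"{name:8s} hysteresis={count_spikes(trace)} naive={count_spikes_naive(trace)} "
              f"suspect={skimmer_suspected(trace)}")
```

On the flicker trace the naive counter reports three heads and would raise a false alarm; the hysteresis counter reports one.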

OSSTMM version 3 coming soon?

In a previous life, I was a computer security specialist.  I had a really cool job, and worked with really, really damn cool people (hi Gerald, Doug, Jon, et al).  I read (a tiny fraction of) all the cool security news.  I kept up to date on as many security topics as I could.  I read security books.  I studied a lot of security web sites.  I took training from SANS.  I subscribed to a few security mailing lists, although much of the detail in many vulnerability announcements messages was above my understanding.

But in all that reading, research, study, training, and other learning, one of the coolest things I ever consumed was the OSSTMM project. Rather than try to explain this project, I’ll just snag the introductory text from the project home site:

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The version I read when I first found this was 2.2.  It has been years since I used it, and I periodically check in for updates on the version 3.0 release.  I haven’t seen an update on the web site, and I’m not a team member/subscriber to the service, so I didn’t expect I would know unless I checked in on my own.  Well tonight, while catching up on email, I get this message from the project:


Security vulnerability attack released for Apple Quicktime

Without notifying Apple of his intent to do so, security researcher Luigi Auriemma has released an exploit that will allow attackers to take control of computers running the latest version of Apple Quicktime.

“The bug is a buffer-overflow and the return address can be fully overwritten so a malicious attacker could use it for executing malicious code on the victim,” Auriemma said in an e-mail.

. . .

Auriemma said that Apple had not been notified of the flaw in advance of its publication.

When Apple updated QuickTime to version 7.3.1 on December 13, 2007, it fixed an RTSP buffer overflow bug (CVE-ID: CVE-2007-6166) related to the content-type/content-base header. The vulnerability Auriemma has identified relates to error message handling and remains unpatched.

I’m guessing Apple will get a patch out quite quickly for this one, but in the meantime, practice safe browsing and consider disabling Quicktime until a patch is available.

F-Secure HealthCheck application patch security tool

In a past career, I was big into computer security, and got paid well for doing the work. Since I’m now elsewhere professionally, I’m less in touch with the security industry than I used to be. However, I still keep up with a few important resources, and like to pass along really useful tips when I find them. Today in reading some security news and trying to catch up, I caught word of the F-Secure HealthCheck application patches scanning system. While this is unfortunately an Internet Explorer only tool currently, the site indicates work is in process for supporting other (and better, in my opinion, BTW) browsers. Hopefully that will happen soon.

Run HealthCheck to get a scan of applications on your system along with checks for patches and updates to those applications. This should help you track down security problems that have fixes available. If you keep up to date on these patches, it should help significantly with avoiding your machines getting taken over by a ‘bot-network. The tool appears to have been developed or at least re-announced (I’m not familiar enough with HealthCheck and its history nor age to know which is the correct term) as a result of an F-Secure poll regarding application patching.

It appears that many people are uncertain if their computers are fully patched when there are third party updates involved.

Q — What can you do about it?
A — F-Secure Health Check.

Health Check is a free online tool designed to help consumers identify security updates needed on their computers.

I will point out that HealthCheck requires installation of an ActiveX control in your Internet Explorer window. I personally trust the eggheads at F-Secure to not do malice as a result of this, but you need to understand that installing an ActiveX control is a security risk which gives the control vendor pretty much full access to your operating system. While *I* personally trust the F-Secure worker-bees to not corrupt, control, nor destroy my system, you’ll have to make that decision for yourself.

After running the test, here’s a snip of what I got as a result:


In my case, I’m on a work computer without anti-virus and anti-spyware protection. Sadly, I am not allowed to correct this flaw. I make up for it by using the PortableApps version of ClamWin, and regularly scan my system. I also run Firefox for my browser (actually, I use the PortableApps version of this application, too) and stick mostly to web sites I know and trust. I save my home computer for more risky online activity.

If you are unsatisfied with your HealthCheck scan results and the problem turns out to be a browser security issue, can I suggest you update to FireFox?

[tags]security, healthcheck, scanning, vulnerability, patch, Windows, Internet Explorer, FireFox[/tags]

Airport security still sucks and the rules continue to be idiotic

Recently, my wife went on a trip and chose the old standard air-travel for getting where she was going. On the way to her destination, she had to throw away her yogurt she had brought to eat while waiting for the plane. On her way home, she had to throw away her 8-ounce toothpaste that she didn’t realize she’d left in her carry-on bag. Now I understand that she screwed up in both cases because it’s well known by now to any traveler that these things cannot be taken through security.

However, the rules are still idiotic and worthless, and we can do so much better with security by spending money on things that actually help – things like, oh, I don’t know, training screeners better so they don’t miss nearly 100% of all explosives taken through security by people trying to get prohibited items through security.

Government investigators smuggled liquid explosives and detonators past airport security, exposing a dangerous hole in the nation’s ability to keep these forbidden items off of airplanes, according to a report made public Wednesday.

. . .

On March 23, a TSA screener would not let one investigator through a checkpoint with a small, unlabeled bottle of shampoo, even though it was a legitimate carry-on item. But the same investigator was able to bring through a liquid component of a bomb that would start a fire.

Thank goodness that investigator wouldn’t be able to terrorize the plane with clean hair and bubbles. That’s a much greater concern than liquid fire. The TSA hand-waves away the problem by emphasizing the multi-layer approach to security in airports and air travel.

“While people think about us in terms of the checkpoints and they see us as the checkpoints, there’s a lot more layers of security,” she [spokeswoman Ellen Howe] said. In addition to the checkpoints, the TSA uses different technologies and has officials who check the validity of documents and observe people’s behaviors throughout the airport. “Just because somebody gets through one layer doesn’t mean they’re going to get through all of the layers.”

And that’s actually damn good to know and comforting. But our money needs to be pumped into the less visible security measures. Currently, to get through with contraband a determined attacker needs training on not sticking out more than anything else. That alone will make passing through screening nearly guaranteed, yet so much money is going into screening efforts that have repeatedly been proven ineffective (I’ve covered some, but by no means all, such issues in the past, and won’t link them again here).

Here, I’ll throw in a freebie for would-be attackers. If you want to carry in prohibited liquids, buy yourself a beer belly flask to transport your explosives or drinks. As it is right now, screeners are miserable at catching illicit items which someone is trying to take on, but nearly perfect in catching harmless things like the drinks people are consuming as they walk through the screening checkpoints (hint: if they are actively drinking it, it is either harmless to the flight or they already have ingested what they need to use to bring the flight down).

From the screeners link just above, here is what Bruce Schneier has to say.

When I travel in Europe, I never have to take my laptop out of its case or my shoes off my feet. Those governments have had far more experience with terrorism than the U.S. government, and they know when passenger screening has reached the point of diminishing returns. (They also implemented checked-baggage security measures decades before the United States did — again recognizing the real threat.)

And if I were investing in security, I would invest in intelligence and investigation. The best time to combat terrorism is before the terrorist tries to get on an airplane. The best countermeasures have value regardless of the nature of the terrorist plot or the particular terrorist target.

In some ways, if we’re relying on airport screeners to prevent terrorism, it’s already too late. After all, we can’t keep weapons out of prisons. How can we ever hope to keep them out of airports?

Far more insightful and accurate than all the words I’ve thrown out arguing against the money-drain our government has in place now.

EDIT: Accidentally left out part of the Schneier quote.

[tags]Airport stupidity, Air travel, Getting explosives on planes[/tags]

Crash Internet Explorer in one line

I don’t really think figuring out an exploit to crash a browser is a great and fantastic feat, given how insanely complex, large, and bloated most are.  However, crashing a browser in just a single line of HTML and CSS code is pretty impressive.

A Japanese blogger who goes by the name Hamachiya2 has discovered a single line of HTML and CSS that crashes IE 6. The line is:

Ohhhh, the suspense is killing me.  I guess I’ll just have to read the article to find out how easy it is.

[tags]Security, Crash Internet Explorer, Browser vulnerabilities, Another kick in the nuts[/tags]

Set your USB key up to auto-run on insertion

I’ve known this was possible for a while, but I hadn’t looked for nor stumbled upon instructions for putting an autorun file on a USB key and getting it to work. This week, obviously, I found the instructions over at Daily Cup of Tech for making this happen. I can see several good and nefarious uses for this.

The autorun.inf file is the key to getting your USB drive (or CD-ROM drive, for that matter) to perform certain actions automatically and customize its look in My Computer. The purpose of this article is to shed some light on how this can be done.

Topics covered are:

  • Autorun.inf Structure
  • Setting a Custom Icon
  • Naming Your USB Drive
  • Setting AutoPlay Options
  • Adding Context Menu Items
  • Changing Default Action
  • Viewing a File
  • School’s Out, Time To Play!

Unfortunately, the author doesn’t have anchors set at each heading, or I would link you directly to each section. Fortunately, the entire article is brief and pretty easy to follow, so this isn’t a big negative in the article layout.

USB key break-ins are a real security threat, and this kind of tutorial helps you make the security breach even easier if you are into that kind of thing. Whether you depend on natural curiosity to cause the breach or use something like the above-linked tutorial to get a tool running and stealing what you need from your victim, the USB key is handy. This also means you should be aware that the bad guys are learning (or already know) these things and will use them to attack you some day.

So to end, the next natural question for you, the reader, should be “How do I stop this vulnerability from impacting my system/network/company?” now. Well, there are many places that have the answer. I haven’t found one that I would point out as The best way to do this – this Microsoft technet article has the necessary information if you already know your way around the registry, as does this more concise and clearer article. Other helpful points include this CD-Freaks forum post asking that question, as does this web site that seems to focus on autorun features/bugs/benefits. That last one is probably the clearest, so may be the one I point folks to in the future.
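Since the tutorial explains the structure of autorun.inf and the question above is how to stop it from biting you, here is an added example of the defensive side: a small Python scanner that parses an autorun.inf in the format the tutorial describes and reports which directives would run a program or disguise the drive. This is my own code, not from Daily Cup of Tech or any of the linked articles; the sample files are constructed and the severity ratings are my assumptions. It is the sort of check you would run over a removable drive before trusting it, or from an endpoint agent when media is inserted.

```python
"""autorun.inf scanner (added defensive example, not code from the linked tutorial).

parse_autorun() handles the INI-style layout the tutorial covers: a [autorun]
section (architecture-specific variants such as [autorun.mips] are also honoured),
key=value lines, and ';' or '#' comments. assess() then flags the directives
that matter for security: open= and shellexecute= launch a program, shell\<verb>\command=
adds a context-menu launcher, shell= redirects the default double-click action,
and action=/icon= shape the prompt so the drive looks like something harmless.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the directives the tutorial lists; nothing here is real.
SAMPLE_AUTORUN_INF = """\
; autorun.inf - constructed example
[autorun]
icon=.\\folder.ico
label=Holiday Photos
action=Open folder to view files
open=.\\setup.exe
shell\\explore\\command=.\\setup.exe
shell\\explore=&Explore
shell=explore
"""

# Constructed benign sample: only cosmetic directives.
SAMPLE_BENIGN_INF = """\
[autorun]
icon=.\\drive.ico
label=Backup Drive
"""


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section, or a line with no value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (severity, message) findings for every autorun section."""
    findings: List[Tuple[str, str]] = []
    for name, keys in sections.items():
        if not (name == "autorun" or name.startswith("autorun.")):
            continue
        for key, value in keys.items():
            if key == "open":
                findings.append(("high", f"[{name}] open= runs '{value}' on AutoRun"))
            elif key == "shellexecute":
                findings.append(("high", f"[{name}] shellexecute= launches '{value}'"))
            elif re.fullmatch(r"shell\\[^\\]+\\command", key):
                verb = key.split("\\")[1]
                findings.append(("high", f"[{name}] context-menu verb '{verb}' runs '{value}'"))
            elif key == "shell":
                findings.append(("medium", f"[{name}] default double-click action redirected to verb '{value}'"))
            elif key == "action":
                findings.append(("medium", f"[{name}] AutoPlay prompt text '{value}' may mimic a built-in option"))
            elif key == "icon" and "folder" in value.lower():
                findings.append(("low", f"[{name}] icon '{value}' makes the drive look like a folder"))
    return findings


def executes_code(sections: Dict[str, Dict[str, str]]) -> bool:
    """True if any directive would cause a program to run."""
    return any(sev == "high" for sev, _ in assess(sections))


if __name__ == "__main__":
    for label, text in (("suspicious", SAMPLE_AUTORUN_INF), ("benign", SAMPLE_BENIGN_INF)):
        parsed = parse_autorun(text)
        print(f"{label}: executes_code={executes_code(parsed)}")
        for sev, msg in assess(parsed):
            print(f"  {sev:6s} {msg}")
```

Note that the scanner only tells you what the file would do if AutoRun were honoured; the actual fix is still the one the linked articles describe, turning AutoRun off for removable media, so that a planted file never gets the chance.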

[tags]USB autorun, USB keys, Security, DIY, Daily cup of tech[/tags]