Newsletter Archives

  • Patch Lady – 31 days of Paranoia – Day 23

    Small and even medium-sized businesses often use consultants to help them with their network and security setups.  Recently the US Computer Emergency Readiness Team (US-CERT) showed that these very consultants are being targeted.  Managed Service Providers (MSPs) often use remote management tools to remote into customer systems.  Attackers are using phishing, going after the remote portals, or attacking the software the MSPs use, in order to gain control of their customers' networks.

    While the US-CERT recommendations have some merit, some of the suggestions either don't make sense or miss a step.  One I would add is multi-factor authentication on remote access solutions, so that any new or unusual remote access demands a code from a cell phone or another second factor. The other recommendation that doesn't make sense is that MSP accounts should not have domain administrator access.  Especially with smaller firms that are monitored by MSPs, that's the entire point… they often are the remote domain administrators.

    If you are a small business that relies on consultants, send them that link and ask them: what are you doing to ensure that you are not targeted, so that I am not targeted?  And ask them if they have a technology checklist they can share with you.

  • Patch Lady – 31 days of Paranoia – Day 22

    We come to our 22nd day of paranoia, and today's topic is one near and dear to many of you: end user license agreements.  Those are the statements that vendors provide, that we all click through, and that most of us neither understand nor read as we should.  The electronic foundation recaps most of the terminology that we miss, but there's another end user license agreement issue that we often overlook: the terms change and we don't realize they have changed.

    For example… let’s look at the Windows 10 end user license agreement.

    The Windows 10 EULA, in its list of things you may not do, specifically says this:

    Section 2 c (v):
    use the software as server software, for commercial hosting, make the software available for simultaneous use by multiple users over a network, install the software on a server and allow users to access it remotely, or install the software on a device for use only by remote users;

    The Windows 8.1 Pro EULA says this:
    The software is not licensed to be used as server software or for commercial hosting, so you may not make the software available for simultaneous use by multiple users over a network

    One could argue that the Windows 10 EULA specifically disallows setting up a headless Windows 10 machine that one remotes into and uses remotely.

    Given that Microsoft has announced a virtual desktop hosted on Azure, you can see where they want the remote experience to be.

    Bottom line, never assume that end user license agreements are static.  They can be updated with newer terms.  Keep reading… and keep reading between the lines as necessary.

  • Patch Lady – 31 days of Paranoia – Day 21

    Ever heard of swatting?  It's when someone calls the police and reports an emergency that isn't happening, just to harass the person at that address.   The police arrive at the door with sirens going and guns drawn, thinking they are walking into a situation where someone is being hurt, robbed, or held at gunpoint.   It can lead to horrible consequences.  Just the other day I heard of something that made me go… really?  Has it gone THAT far?

    You can now sign up in the Seattle area to be on a swatting list, so that the police know that a call about that address may be a swatting event and not a normal incident.  The police are then on notice that an individual or business may be harassed.  At times the person harassed is involved in online gaming and the swatting is done so others can watch the harassment.  Other times technology journalists like Brian Krebs have been swatted and harassed.

    Bottom line, it's a prank that isn't funny one bit.  And it's a bit sad that police departments have to set up programs to ensure people don't get hurt.

    Doxing is another side effect of having so many databases and so many ways to post information.  Someone either researches or has access to private information and then posts it to the web.  Often it is phone numbers, addresses, or other private details that, once posted to a public venue, put the person at risk or encourage harassment.  The best way to get ahead of doxing is to google yourself, see what information you can find about you, your family members, your phone numbers and addresses, and then attempt to lock that information down.  Some databases let you unsubscribe and ask that your information be removed.

    Technology can be used for good, but there are times like this that technology brings out the worst in people.

     

  • Patch Lady – 31 days of Paranoia – Day 20

    Here's a paranoia item for you: what happens if… or rather when… the Internet goes down long enough that you have to make a plan B?  Note that this post is slightly influenced by the fact that, just as I sat down to write the nightly paranoia item, Comcast experienced an outage in my area that won't be fixed until 1 a.m.  So now I'm on a much slower cellular connection writing this.  And I must say you get spoiled with high-speed access.

    But it reminds me that there will be a day when there is an earthquake in California, possibly large enough to take out a major Internet connection and thus the services and experiences I've come to take for granted.  It's one of the reasons I keep this laptop with built-in cellular connectivity as a backup.

    What alternatives do you have in place should a major catastrophe take out the technology you are used to?  In some areas of the country generators are the norm (they aren't in California).  Do you have flashlights and radios?

    But bottom line, there will be a cyber attack or an Internet outage… and then what will we do?

  • Patch Lady – 31 days of Paranoia – Day 19

    Since it appears that I didn't win the Mega Millions lottery, I will continue with my posts about paranoia.  Tonight's topic is small business scams.  Small businesses often have the fewest resources to protect themselves against cyber security attacks.  The website staysafeonline.org recently ran a small business series covering several key issues.  This month's session was about small business scams, many of which target individuals as well.

    So take a short 30 minutes and watch what the typical scams are and how you can protect yourself.  One of the key ways I stay aware is to always ask myself, "does this sound too good to be true?"  If the answer is yes, then it's a scam.

    Here's the notice from the Staysafeonline.org web site:

    The link to the latest webinar “Small Business Scams: What to look for & how to protect your business” is now live. Slides are also available to download.

    Access them here: https://staysafeonline.org/resource/csmb-webinar-small-business-scams/

    The entire CyberSecure My Business Webinar series can be viewed online. Visit https://staysafeonline.org/resources/ and select “videos” under the “all types” drop down menu to replay any of the following webinars:

    • Let’s Talk About Ransomware and Phishing
    • Learn to IDENTIFY Key Assets & Data
    • Learn to PROTECT Key Assets & Data
    • Learn to DETECT a Breach
    • Put a RESPONSE Plan in Place
    • Know what RECOVERY looks like
    • Learn How to Choose and Protect Your SMB Website Hosting Service
    • Learn How to Protect Your Business Email Accounts
    • How to Assess Vendor Security
    • Email Authentication Basics
    • SMB Cyber Basics: Where to Start

    Don’t forget to register for the November 6th (not our usual 2nd Tuesday) webinar: “Cybersecurity Insurance” https://staysafeonline.org/event/csmb-webinar-cybersecurity-insurance/

     

  • Patch Lady – 31 days of Paranoia – Day 18

    Today we're taking a break from our normal paranoia to discuss a recent vulnerability.  The headlines imply that a guest user can gain admin rights via this attack.  But that's not how I'm reading this.  Windows RID hijacking, as the blog puts it, can "Assign the privileges of the hijacked account to the hijacker account, even if the hijacked account is disabled."  That is, the account you attacked can then assign its rights to another account.  IF the account you hijacked is the administrator account, you can then assign those admin rights to a lower level account.  So it hides the fact that one has a back door in the system.  But… here's the thing… you already had to have been hacked by something or someone before the RID hijacking could occur in the first place.

    Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.
    The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.
    But in cases where a hacker has a foothold on a system –via either malware or by brute-forcing an account with a weak password– the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

    So the real issue is that you were hacked by something else first… and then this obfuscation can occur.
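    The quoted research describes the technique as editing the registry keys that hold each Windows account, so that an account's stored RID is swapped for another account's.  The following is an added example, not code from this post or from the researchers it quotes, showing the check a defender can run afterwards: every user key under HKLM\SAM\SAM\Domains\Account\Users is named after the account's RID in hex, and the account's F value carries the RID again, so a key name that disagrees with the RID inside F is the signature of a hijack.  Two assumptions are labelled in the code: that the RID sits at byte offset 0x30 of the F value as a 32-bit little-endian integer, and that reading HKLM\SAM requires running as SYSTEM.  Off Windows it runs against constructed sample data.

```python
r"""Check a Windows SAM hive for RID hijacking.

Each user key under HKLM\SAM\SAM\Domains\Account\Users is named after the
account's RID in hex, and the account's F value carries the RID again. A
hijacked account has a key name that no longer agrees with the RID stored in
F, typically because F now says 500 (the built-in Administrator).

Added example, not code from the post or from the researchers it quotes.
Assumption: the RID sits at byte offset 0x30 of the F value as a 32-bit
little-endian integer, and reading HKLM\SAM requires SYSTEM privileges.
"""
import struct
import sys

F_RID_OFFSET = 0x30        # assumed position of the RID inside the F value
BUILTIN_ADMIN_RID = 500    # well-known RID of the built-in Administrator


def rid_from_f(f_value: bytes) -> int:
    """Return the RID recorded inside a user key's F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_rid_mismatches(users):
    """users: iterable of (key_name, f_value) where key_name is the 8-hex-digit
    subkey name (e.g. '000003E8'). Returns [(key_name, expected, stored)] for
    every account whose stored RID differs from its key name."""
    mismatches = []
    for key_name, f_value in users:
        try:
            expected = int(key_name, 16)
        except ValueError:
            continue               # skip non-RID subkeys such as 'Names'
        stored = rid_from_f(f_value)
        if stored != expected:
            mismatches.append((key_name, expected, stored))
    return mismatches


def describe(mismatches):
    """Human-readable report lines, flagging impersonation of RID 500."""
    lines = []
    for key_name, expected, stored in mismatches:
        note = " (impersonates built-in Administrator)" if stored == BUILTIN_ADMIN_RID else ""
        lines.append(f"key {key_name}: expected RID {expected}, stored RID {stored}{note}")
    return lines


def read_live_sam_users():
    """Enumerate (key_name, F value) from the live SAM. Windows + SYSTEM only."""
    import winreg  # imported here so the pure functions above run on any OS
    users = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SAM\SAM\Domains\Account\Users") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            if name == "Names":
                continue
            with winreg.OpenKey(root, name) as user_key:
                f_value, _type = winreg.QueryValueEx(user_key, "F")
            users.append((name, f_value))
    return users


def make_f_value(rid: int) -> bytes:
    """Constructed sample F blob (not a real hive dump) with the RID at 0x30."""
    blob = bytearray(0x50)
    struct.pack_into("<I", blob, F_RID_OFFSET, rid)
    return bytes(blob)


if __name__ == "__main__":
    if sys.platform == "win32":
        users = read_live_sam_users()
    else:
        # Constructed sample: key 000001F5 (Guest, RID 501) rewritten to claim RID 500.
        users = [("000001F4", make_f_value(500)),
                 ("000001F5", make_f_value(500)),
                 ("000003E8", make_f_value(1000))]
    for line in describe(find_rid_mismatches(users)) or ["no RID mismatches found"]:
        print(line)
```

    Run it as SYSTEM on the machine in question (a scheduled task running as SYSTEM, or an offline copy of the SAM hive loaded under a temporary key) and any line it prints is an account whose RID has been tampered with; a clean machine prints nothing.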

    Sometimes in security it’s hard to get a real sense of the true risk.  We spend hours in TSA lines but aren’t really any more secure than we think.

    Bottom line, don't be quite so paranoid about this vulnerability.  Be more concerned about something you probably have absolutely no control over.  The bigger vulnerability we should all be freaking out over is the libssh authentication vulnerability.  As the Threatpost post puts it, "it allows anyone to authenticate to a server without any credentials, simply by telling the system that they're a legitimate user."  It's the equivalent of the Jedi mind trick… the attacker just says "these aren't the droids you are looking for" and gains access.  Do you know which applications you currently use rely on libssh?  No, we don't.

    That, my friend, is true paranoia: when we know we probably are at risk, but don't know which software is at risk.
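    Two things narrow the question of what depends on libssh.  The flaw is in the server side of the libssh library, so only software that accepts SSH connections through libssh is exposed; OpenSSH and libssh2 are separate code bases and are not the same thing.  And on a host you can log in to, the dynamic linker will tell you what links libssh.  The following is an added example, not code from the post: it parses ldd output (ldd is assumed to be installed) and walks the usual program directories.  The sample ldd listing is constructed.  ldd only sees dynamic linking, so a statically linked or vendored copy of libssh, or an appliance with no shell, needs a different check such as asking the vendor.

```python
"""Inventory executables and shared objects on a Linux host that are
dynamically linked against libssh.

Added example, not from the post. It shells out to ldd (assumed to be
installed) and parses its output. ldd only sees dynamic linking: a
statically linked or vendored copy of libssh needs a different check.
"""
import os
import re
import subprocess

# Match libssh's own sonames (libssh.so.4, libssh-0.7.so, libssh_threads.so.4)
# but not libssh2, which is a separate project with a separate code base.
LIBSSH_RE = re.compile(r"^\s*(libssh(?:_threads)?(?:\.so|-)\S*)\s*=>\s*(\S+)")

# Constructed sample ldd listing for a program linking both libssh and libssh2.
SAMPLE_LDD = ("\tlinux-vdso.so.1 (0x00007ffd)\n"
              "\tlibssh.so.4 => /usr/lib/x86_64-linux-gnu/libssh.so.4 (0x00007f)\n"
              "\tlibssh2.so.1 => /usr/lib/x86_64-linux-gnu/libssh2.so.1 (0x00007f)\n"
              "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f)\n")


def libssh_deps_from_ldd(ldd_output: str) -> dict:
    """Return {soname: resolved_path} for the libssh entries in one ldd listing."""
    deps = {}
    for line in ldd_output.splitlines():
        match = LIBSSH_RE.match(line)
        if match:
            deps[match.group(1)] = match.group(2)
    return deps


def is_elf(path: str) -> bool:
    """Cheap pre-filter so ldd is only invoked on ELF files."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def scan(directories):
    """Yield (path, deps) for every ELF file under the directories that links libssh.
    ldd can run code from the loader of the file it inspects, so point this only
    at paths you trust."""
    for base in directories:
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not is_elf(path):
                    continue
                try:
                    result = subprocess.run(["ldd", path], capture_output=True,
                                            text=True, timeout=10)
                except (OSError, subprocess.TimeoutExpired):
                    continue
                deps = libssh_deps_from_ldd(result.stdout)
                if deps:
                    yield path, deps


if __name__ == "__main__":
    print("sample listing ->", libssh_deps_from_ldd(SAMPLE_LDD))
    for path, deps in scan(["/usr/bin", "/usr/sbin", "/usr/lib", "/usr/local", "/opt"]):
        print(path, "->", ", ".join(f"{so} ({where})" for so, where in sorted(deps.items())))
```

    Every path it prints is something to check against the fix from your distribution or vendor; the resolved library path tells you which copy of libssh it actually loads, which matters when a program ships its own copy outside the package manager's view.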

  • Patch Lady – 31 days of Paranoia – Day 17

    So you know you’ve been hacked.  Now what?  You can tell your passwords have been reset and you can’t get into your accounts.  You have evidence that a bank account has had funds transferred without your permission.  What can you do?

    Well, it honestly depends on the level and damage of the attack.  Financial crimes have a higher impact and thus will often get action.  Low-impact crimes, for example someone spoofing you online by pretending to be you on Facebook and sending "friend" requests, won't get police action.

    But what can you do to at least make authorities aware of the problem?  Obviously with any hacking or cyber activity that has a financial impact, immediately call your financial institution.  They can change bank account numbers and put positive pay processes in place so that no transaction is paid without your explicit authorization.   For high-impact intrusions you can contact the FBI, the Secret Service, or the Internet Crime Complaint Center.  For lower-impact attacks you have far fewer options.

    Think the cyber attack is originating from Azure or Amazon Web Services?  You can contact them, and that's often the best place to start.  See if you can determine where the attack originated and contact the hoster or ISP it came from.  For email-borne attacks you can often narrow this down by reviewing the message headers.
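    Reading the headers means walking the Received: lines, which each mail server prepends as the message passes through, and the catch is that only the lines written by your own servers can be believed: everything below them was supplied by the sender and may be forged.  The following is an added example, not from the post, that does that walk over a constructed phishing message whose bottom Received header was forged to blame a third party; the addresses are RFC 5737 documentation ranges and ".example.com" standing in for your own mail servers is an assumption.

```python
"""Trace an email back to the host that handed it to our mail servers, so we
know which ISP or hosting provider to contact.

Added example, not from the post. The message below is constructed sample
data using RFC 5737 documentation addresses; '.example.com' standing in for
our own mail servers is an assumption.
"""
import ipaddress
import re
from email import message_from_string

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")
# Addresses that can never be the remote sender: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: a phish whose bottom Received header was forged by the
# sender to point at 198.51.100.9; the real handoff came from 203.0.113.7.
SAMPLE_MESSAGE = """\
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby inbox.example.com with ESMTP id 77; Mon, 22 Oct 2018 21:14:02 -0700
Received: from mail.sender-host.test (mail.sender-host.test [203.0.113.7])
\tby mx2.example.com with ESMTP id 12; Mon, 22 Oct 2018 21:14:01 -0700
Received: from [10.0.0.5] (helo=bankofsomewhere.test)
\tby mail.sender-host.test with SMTP; Mon, 22 Oct 2018 21:13:58 -0700
Received: from trusted.bank.test (trusted.bank.test [198.51.100.9])
\tby bankofsomewhere.test; Mon, 22 Oct 2018 21:13:50 -0700
From: "Your Bank" <alerts@bankofsomewhere.test>
To: victim@example.com
Subject: Urgent: verify your account

Please click the link.
"""


def received_chain(raw_message: str):
    """Received headers oldest-first: each MTA prepends its own, so the
    topmost header is the last hop and the bottommost the first."""
    msg = message_from_string(raw_message)
    return list(reversed(msg.get_all("Received", [])))


def routable_ips(header: str):
    """IPv4 addresses in one header that are not internal ranges, in order."""
    ips = []
    for candidate in IP_RE.findall(header):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            ips.append(str(ip))
    return ips


def originating_ip(raw_message: str, trusted_suffixes=()):
    """Best-available origin address.

    Only headers written by our own servers (hostname after 'by' ending in one
    of trusted_suffixes) can be believed; anything older was supplied by the
    sender and may be forged. With no trusted suffixes the oldest header is
    used, which is exactly the mistake a forged header exploits."""
    for header in received_chain(raw_message):
        by = BY_RE.search(header)
        by_host = by.group(1) if by else ""
        if trusted_suffixes and not any(by_host.endswith(s) for s in trusted_suffixes):
            continue
        ips = routable_ips(header)
        if ips:
            return ips[0]
    return None


if __name__ == "__main__":
    print("naive (oldest header):", originating_ip(SAMPLE_MESSAGE))
    print("first hop our servers saw:", originating_ip(SAMPLE_MESSAGE, (".example.com",)))
```

    On the sample, the naive read blames 198.51.100.9, the address the sender planted; the header your own server wrote says the message arrived from 203.0.113.7, and that is the address whose hosting provider or ISP you look up and contact.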

    Tomorrow I’ll talk about the ways you can recover from an attack and some of the investigation tools you can use on machines.

  • Patch Lady – 31 days of Paranoia – Day 16

    Today we live in a world where recording devices are ubiquitous: on public streets, in the doorbells of houses, and in general there is often a video recording that authorities can obtain to gain more information.  California has a law that states…

    California’s wiretapping law is a “two-party consent” law. California makes it a crime to record or eavesdrop on any confidential communication, including a private conversation or telephone call, without the consent of all parties to the conversation. See Cal. Penal Code § 632. The statute applies to “confidential communications” — i.e., conversations in which one of the parties has an objectively reasonable expectation that no one is listening in or overhearing the conversation. See Flanagan v. Flanagan, 41 P.3d 575, 576-77, 578-82 (Cal. 2002).  A California appellate court has ruled that this statute applies to the use of hidden video cameras to record conversations as well. See California v. Gibbons, 215 Cal. App. 3d 1204 (Cal Ct. App. 1989).

    If you are recording someone without their knowledge in a public or semi-public place like a street or restaurant, the person whom you’re recording may or may not have “an objectively reasonable expectation that no one is listening in or overhearing the conversation,” and the reasonableness of the expectation would depend on the particular factual circumstances.  Therefore, you cannot necessarily assume that you are in the clear simply because you are in a public place.

    If you are operating in California, you should always get the consent of all parties before recording any conversation that common sense tells you might be “private” or “confidential.” In addition to subjecting you to criminal prosecution, violating the California wiretapping law can expose you to a civil lawsuit for damages by an injured party.

    If you have security cameras in a location where there is no expectation of privacy, out on the street in front of your house, you would not fall under the wiretapping law.  But if your security cameras are inside your house, there is an expectation of privacy and the wiretapping law comes into play.  Now layer on the fact that some of these video cameras have less than stellar security, and the ability to find such Internet of Things devices through a specially crafted search engine, and it's no wonder we're all a bit paranoid these days.  Make no mistake, video cameras often help law enforcement put evidence together.  Case in point: in a local homicide in my city, police spotted the assailant's truck in several videos captured by surrounding homes and businesses, and used the video as additional evidence that the assailant was in the area where the homicide occurred.  So video capture helps a great deal.  BUT… as with all technology, it can be abused, both in terms of privacy and by attackers.

    If you set up a home video camera, consider the vendor's security features: make sure it has no embedded (default or hardcoded) passwords, that it demands complex passwords, and that it can be updated relatively easily, among other things.

    Cameras can help make you safer, but they can also introduce security risks as well.