BTA Blog Rotating Header Image

Security

Web Security for All

Accessing a web site sends information back and forth as you access pages and click on links.  This data travels through numerous computers on its way to the web site’s server and to your computer.  This varies depending on your Internet provider and the provider of the web site.  Recently, I traced my access to this site and counted 13 computers passing my data, to and fro.  And I only control one of them.  Many more people have access to these 13 computers and their connections.

The Hypertext Transfer Protocol (HTTP) is the foundation of data communication for the World Wide Web.  HTTP Secure (HTTPS) provides authentication of the website and associated web server and provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with the website and ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

HTTPS is especially important over insecure networks (such as public WiFi access points), as anyone on the same local network can packet sniff and discover sensitive information (user name, password, etc.) not protected by HTTPS.

The security of HTTPS is that of the added Transport Layer Security (TLS) protocol, which uses public key encryption to generate a session key which is then used to encrypt the data flow between client and server. To validate public keys, certificate authorities (CA) and public key certificates are necessary to verify the relation between the certificate and its owner, as well as to generate, sign, and administer the validity of certificates. Certificate authorities are trusted by web browser creators to provide valid certificates.  The top three certificate authorities, in 2016, issued over 75% of all certificates in use.

  1. Comodo CA – certificates for $63.95 to $809.10/year.
  2. Symantec Corp. – $399.00/year.
  3. GoDaddy – $62.99 to $269.99/year.

As of April 5, 2016, 41.7% of the Internet’s 141,160 most popular websites have a secure implementation of HTTPS.  That adds up to a lot of revenue for CAs using standard protocols and freely available software. The certificate costs are only a few cents to generate a certificate and a few dollars to administer.  That makes selling TLS certificates one of the biggest cash cows in the world.  All the certificates are exactly the same!  Otherwise they would not work in our browsers.  The only difference in certificates is marketing hype.  Even Comodo CA sells cheaper certificates for $9.00/year through their PositiveSSL brand.

Now there are free certificates available issued by Let’s Encrypt certificate authority sponsored by Cisco, Hewlett Packard Enterprise, mozilla, and facebook among others.  These certificates work the same as the certificates costing much more.  You can verify this using Qualys SSL Labs’ SSL Server Test for this site which uses a Let’s Encrypt certificate.

Password Shenanigans

There seems to be a trend in web security that requires that you type your password, no pasting allowed!

This combined with other password “requirements” are creating problems for people like me that use very secure long passwords.  That means I use a password safe that generates long random strings of letters and numbers like:

kUTaVYPuw6KdCLsqhfJ35qHdZcgCqR

BTW, this password is random and not used by me, anywhere!

So when I sign up for a site that does not allow pasting my really secure password, but requires that I type it manually, I end up with passwords like:

Secure4Stupid!

Making my password much less secure. Also most sites use the “onpaste=return false;” trick.  This only stops the stupid people, as 5-15 minutes with a Greasemonkey script will defeat that “security” feature.  So let’s not think that every idea about password security is a good idea.

Even the following idea is probably not that secure given that password crackers use dictionaries that contain the words: correct, horse, battery, and staple.

xkcd comicAnother annoyance is sites that do not tell me what the maximum length is for a password on their site.  Almost no one tells you this even though they tell you, you must enter at least 8 characters, using letter and numbers….  Since I have had several sites truncate my password, without error or warning, I now have to look at the HTML source code to see if a hint is there.

So here is some password advice for web-site developers and their customers.

  • Do tell us the minimum and maximum lengths, characters allowed (numbers, letters, symbols, etc.).  Make the maximum something like 255, to allow secure passwords and phrases.
  • Do use a hashing algorithm to store passwords for you password protected applications.  This also allows for very long passwords, but fixes the hash value length that you need to store to authenticate your users.  A really useful function is the Unix crypt() library function that is implemented in numerous languages including C, Perl, PHP, Python, and Ruby.
  • Do use standard HTML for accepting passwords for compatibility with more devices.
  • Do not disable pasting which causes users to create weaker passwords.
  • Do not store passwords in plain text on any system.  For clients, use a password safe program to generate and store passwords. For applications and servers, use a strong hashing algorithm to store and compare passwords.
  • Do not use JavaScript for security as it is easily circumvented.
  • Do not reuse passwords for multiple sites.

For more advice on password security:

New Year Resolutions

I usually do not make New Year’s resolutions because I mostly forget them by the Super Bowl. But this year I am getting my online life more secure.

  1. I will change all my passwords to 20+ random characters.
  2. I will store these passwords in a secure format.
  3. I will encrypt more email.

The first 2 are pretty easy since I have used a password safe program for many years. When the Heartbleed web security bug hit, I changed many passwords and upgraded to 20+ character length passwords in the process.

The third resolution will be more difficult!  Sending an encrypted email to someone requires setting up both the sender and the receiver with software and cryptographic keys.  The “easiest” setup seems to be using Thunderbird with Enigmail add-on with versions available for Linux, Mac OS X, and Windows.  Now I just need to convince someone else to do it.

Antivirus is Dead!

So declared Brian Dye, Symantec’s senior vice president for information security. “We don’t think of antivirus as a moneymaker in any way.”  Mr. Dye went on to say “antivirus now catches just 45% of cyberattacks.”

So because they cannot make money, this segment of the software industry is dead?  Maybe they are not any good at it!  Or maybe it is the wrong solution to the problem.  Or maybe it is too narrow of a solution.

I believe that this problem can only be dealt with effectively at the operating system level.  But the stage was set by Microsoft years ago when they allowed third party companies to deal with the problem of poor security on Microsoft Windows.  But that is just like plugging holes in a leaking boat, it just slows down the problem.

Microsoft has made feeble attempts to increase security on Windows® with equally feeble results.  A code-signing mechanism was introduced in Windows called Authenticode, but even Microsoft does not use this technology to protect the integrity of all of its software.  Microsoft finally added a firewall application, in a usable form, to the Windows operating system in 2004.

The problem of malicious access and modification of computer systems needs to be dealt with at the lowest levels and with a variety of methods.  Intrusion prevention and intrusion detection software are both needed to prevent system attacks.  Many intrusion prevention solutions exist in the form of stand-alone systems like routers and applications that can be installed on end-user systems.  For Linux systems numerous intrusion detection applications can be found such as AIDE and Tripwire.  There is even an cross-platform, open-source application called OSSEC that runs on Windows based systems.

Some of these solutions are not the “next big thing” required by most “for profit” companies.  So many solutions will come from the open-source community.

Stop Using Microsoft Internet Explorer

If you are using Microsoft Internet Explorer (IE), there are hackers actively using a software bug to gain control of Microsoft Windows computers.  Stop using IE now! This is twice as dangerous as the Heartbleed Bug because an attacker can take control of your computer and do whatever they want with it.

US-CERT issued an alert about the active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. If you are still using Windows XP, Microsoft will not provide updates or solutions and you should consider installing and using an alternate browser such as Mozilla Firefox (free) or Google Chrome (free).

For more details, please see VU#222929 and FireEye’s Blog entry.

Heartbleed Bug – End of the World or Non-event?

heartbleed xkcd comicThat about covers the risks.  Now what can you do about it?  First, update your computer (Windows, Mac OS X or Linux/Unix), right now!  Before you read the rest of this post.

Most software vendors/service providers recognized the serious nature of this bug and updated their software (the easy part).  So getting the fix is usually easy. The biggest problem is trying to determine if your information has been compromised.  You can’t!  Attacks leave no trace or very little on the computers that gave up their private secrets.  This bug has been out in the wild for 2 years!  Maybe nobody found it and took advantage OR somebody did and has all our passwords.  N.S.A is that you?  The actual risk is probably somewhere in between those extremes.

Most security experts are recommending that we change all our passwords and replace all of our SSL certificates.  At the very least change your password on you bank account log-in, but you probably don’t need to change your Facebook password (everybody has all that info).  And definitely change your password if you use one password for everything.  Yea, it is hard to remember all of them, but you can let your computer do the remembering.  Start using a password safe like KeePass or KeePassX to create and store long secure password using one password, that you have to remember, to save them on your system in an encrypted file.

More info about Heartbleed Bug:

 

Microsoft dropping XP support

Microsoft has finally made good on their threat to stop supporting Windows XP and on April 8, 2014 will stop providing update and fixes for one of their most popular operating system releases.  Microsoft released Windows XP in 2001 and end development of it in 2008.  They have continued to provide bug-fixes and minor updates until April 8, 2014.

To find out what version of Windows you are running you could go to this page on Microsoft’s web site, but it said I was running Windows 8.1 even though I am running Ubuntu.  So if you know you are not running Ubuntu or Mac OS X the following steps will help you find your version of Windows.

The minimum hardware you need to run Windows 8.1 is:

  • Processor: 1 gigahertz (GHz) or faster with support for PAE, NX, and SSE2
  • RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
  • Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
  • Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

I stress this is the minimum to even install and doubling these minimums is needed to run Windows 8 in a efficient and productive way. Also this does not take into account any other applications you might install and run.

So you either need to buy new hardware, which will come with a newer version of Windows or switch to another operating system.  To use Mac OS X you need to buy an Apple Macintosh PC which, in my opinion, is a much better interface and less of a target for computer viruses that Microsoft Windows.

If do not want to buy new computer hardware there are alternatives that will run on your existing PC.  Check out the free Lubuntu, a lightweight variation of Ubuntu.

If you use you computer for just email and browsing these free alternatives will fit the bill.  You can also edit documents (in most Microsoft Office and other formats) with the free LibreOffice office suite software.

There are other free Linux distributions that will run on older computers and here is a link to the DistroWatch.com web-site that lists some of them.  Most of these offer a “live CD” download that allows you to download and create a CD that you can use to try out the new operating system and application software without installing it on your system.  A try before you install option!

If you don’t have a writable CD/DVD drive or don’t know how to create a CD, you can order a Lubuntu CD from OSDisc.com for $2.95 +S/H.  They also sell other Linux variations as well.

Other benefits of most Linux distributions are ease of update and less computer viruses that are designed to attack Linux-based computers.

Before your old Window XP system is hacked, check out the alternatives.

D-Link Router Backdoor Vulnerability

The US-CERT, a part of the Department of Homeland Security,  has issued a warning that certain D-Link routers have firmware that contains a backdoor for remote users to access router administrative functions without entering the administrator password.  Besides D-Link, Planex and Alpha Networks devices may also contain this firmware.

According to D-Link, the following D-Link routers are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

For more detailed up-to-date information go to this D-Link page on this issue.

According to the original vulnerability report, the following Planex routers are likely affected:

  • BRL-04R
  • BRL-04UR
  • BRL-04CW

If you have one of these routers, check to make sure that the remote configuration from the Internet is not allowed (default setting).  This may have been changed by ISPs that remotely administer customers Internet connections.

Security researcher Craig Heffner found these routers’ internal web server will accept and process any HTTP requests that contain the User-Agent string “xmlset_roodkcableoj28840ybtide” without checking if the connecting host is authenticated.

DNSChanger malware

If you use default passwords on your home or office gateway/router, then you maybe at risk from the DNSChanger malware.  This can affect how your computers translate domain names such as apple.com, microsoft.com and other domain names to the unique Internet Protocol (IP) address such as 198.51.100.1 that we ultimately depend on to access other computers.  A company in Estonia called Rove Digital has been operating since 2007 and may have affected more that 500,000 computers in the United States alone.  If your computer is affected, it will fail to access the Internet after July 9, 2012.

The Domain Name System (DNS) is a critical Internet service that converts user-friendly domain names, such as www.fbi.gov, into numerical addresses that allow computers to talk to each other. Without DNS and the DNS servers operated by Internet service providers, computer users would not be able to browse websites or send e-mail.

DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.

  1. The malware changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal.
  2. The malware attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

The following table list sites setup to help you determine if your computer is affected.

URL

Language

Maintainer

http://www.dns-ok.us/ English DNS Changer Working Group (DCWG)
http://www.dns-ok.de/ German Bundeskriminalamt (BKA)
Bundesamt für Sicherheit in der Informationstechnik (BSI)
http://www.dns-ok.fi/ Finish CERT-Fi
http://www.dns-ok.ax/ Swedish CERT-Fi
http://www.dns-ok.be/ Dutch/French CERT.be
http://www.dns-ok.fr/ French CERT-LEXSI
http://www.dns-ok.ca/ English/French CIRA and CCIRC
http://www.dns-ok.lu/ English CIRCL
http://dns-ok.nl/ Dutch/English SIDN

For more technically oriented people the following is a list of IP address the criminals used for their activities.

List of Rogue DNS Server Addresses

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

For more information see the following links:

http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911

DNS Changer Working Group (DCWG)

http://www.fbi.gov/newyork/press-releases/2011/manhattan-u.s.-attorney-charges-seven-individuals-for-engineering-sophisticated-internet-fraud-scheme-that-infected-millions-of-computers-worldwide-and-manipulated-internet-advertising-business

Update 2015-01-02: Many sites linked from this page are no longer available.

Uncle Sam Needs You!

We need your help prevent United States Senate Bill 968 (PIPA) and HR 3261 (SOPA) from becoming U.S. law. These bills are essentially a technical solution (a flawed one) for a business problem.  These laws would short-circuit due process of existing laws and provide a sledge hammer for businesses to take down their competitors.  These laws are the wrong solution for the described problem.  A group of Internet inventors and engineers have voiced their opinion in an open letter to Congress stating their opposition to the SOPA and PIPA bills.  Ironically some provisions in these bills would attack Free Speech in ways we condemn in China and Iran.

Uncle Sam needs youWe need you to help over come the well funded lobbying effort to create these laws!  Some opponents of PIPA and SOPA: Google, Yahoo, Wikipedia, craigslist, Facebook, Twitter, LinkedIn, eBay, AOL, Mozilla, Reddit, Tumblr, Etsy, Zynga, EFF, ACLU, Human Rights Watch, Darrell Issa (R-CA), Ron Wyden (D-OR), Nancy Pelosi (D-CA), Ron Paul (R-TX), Tim O’Reilly.

To find out how you representative is voting go to SOPA Opera to find out.  Then contact them and tell them how you feel about keeping the Internet a fair and open place to socialize and work.

Here are some of the people and companies that are working against your interests and for their own profit: RIAA, MPAA, News Corp, Time Warner, Walmart, Nike, Tiffany, Chanel, Rolex, Sony, Juicy Couture, Ralph Lauren, VISA, Mastercard, Comcast, ABC, Dow Chemical, Monster Cable, Teamsters, Rupert Murdoch, Lamar Smith (R-TX), John Conyers (D-MI), Michael F. Bennet (D-CO).