The Weak Link In Cyber Security: Humans

It’s no surprise that we humans are our own worst enemy when it comes to security.  We tend to be lazy, complacent, and far too confident in our defenses. We don’t keep our software patched, our curiosity causes us to open dangerous attachments or click on dangerous links, we use poor passwords and we’re often too eager to be helpful to the social engineer on the other end of the phone.  Here is the link to a great write up on how human nature helps the cyber criminal.  One of the important takeaways from the story is that the vast majority of exploits target security holes in software that have been round for months or years. According to the article, “the top 10 known vulnerabilities accounted for 85 percent of successful exploits.”  The vulnerabilities are well known yet nothing has been done to patch them for whatever reason.  63% of data breaches involve weak or stolen passwords.  Phishing attacks are also on the rise and are succeeding because of the things people do – like click on attachments or links in suspicious emails.  Many of these phishing emails are well crafted and thought out.  They can convince employees that a manager within their organization is requesting data when it is really a spoofed email from an attacker outside the organization.  In one case a community college employee was tricked into emailing sensitive employee data to a criminal.  The data was gone as soon as the email was sent.  When these attacks are successful the compromise happens quickly (93% within minutes of the breach).  However, detection is much slower – 83% of breaches weren’t discovered for weeks or months afterward.  In cases where network penetration occurs the data is gone within minutes in 28% of the cases.  There are often three prongs to the modern attack:

1. Send phishing email with malware or link to malicious website

2. Install malware on target computer

3. Elevate privileges and access more data or use the site as a jumping off point for attacks on yet more sites.

The defenses are basically the same as they have always been – train your employees not to do dumb things (good luck with that), use two factor authentication, keep your software patched and up to date, back up your data, monitor your network and look for users who don’t belong or exceed their authorized access levels, and encrypt your important data.  Whether at work or at home be vigilant.  Good security practices pay for themselves.

Malware Threat Is Getting Worse

Keeping your computer, smart phone, and home network safe isn’t getting any easier. Unless you’ve been living under a rock the past few years you probably already know the malware to exploit your digital life is getting easier to obtain and more effective all the time.   Ransomeware is becoming big business and much more common.  Criminals who aren’t technical or command line proficient can now launch malware they don’t understand from a GUI interface. This article gives a good description of how these exploits work. Simply visiting an infected website can allow malware to attack your computer or smart phone. Cyber criminals are also going after smart phones with exploits designed just for them. People often use their phones to browse the web and check email even though the phones don’t have the security features likely to be found on a well secured desktop.  One nasty exploit is called “Angler” and it will inject malicious URLs into website ads redirecting the victim to another website where malware is installed.  In response to such attacks this article recommends a layered defense to protect your computer.  It offers some insights into various ways malware infects a system, hides itself, and does its dirty work.  Malware can disguise itself quite well and hide from your antivirus. If you want to stay safe online the same old rules apply - keep your system updated and patched regularly, don’t let Adobe Flash run automatically (Flash accounts for some 80% of the exploited software vulnerabilities), don’t click on attachments in emails if you aren’t 100% about them, and don’t say “yes” to enabling macros unless you know what you are doing.  If you’re concerned about the safety of your system I suggest reviewing my simple tips for securing your computer. After that you can explore more advanced means of protection.

Tor Needs Exit Nodes - Help Them Out!

It is no surprise that Tor needs more exit nodes. It is also not surprising that few people volunteer to host one. When you hear stories of people getting raided by the police for hosting a Tor exit you are bound to think twice. I’ve been wondering if there was a way to help facilitate more exit nodes without having to host one myself. I thought it would be nice if those of us who support Tor could make donations to help those that are willing and able to run the nodes. It turns out that we can do that very thing. The Tor Project refers people to four charities that run nodes. They need donations to keep going. The four are: (Germany)

Noisebridge (San Francisco)

Nos-Oignons  (France)

DFRI  (Sweden)

Check them out and make a donation if you can. I did. Remember, every little bit helps.  If you have other ideas on good ways to help please leave a comment.



Government Case Blurs Line Between National Security Investigation and Ordinary Crime

The Washington Post has run a good story showing how easy it can be to blur the lines between national security and ordinary criminal investigations. It seems the FBI obtained a secret search warrant on national security grounds to search the home of Keith Gartenlaub, a Boeing employee. The FBI suspected him of spying for the Chinese in an effort to get China information on the C-17 military transport plane. In the process of searching for evidence of spying the agents found child pornography on four hard drives. Spying charges were never brought, but the pornography charges were used instead. The net result is that Mr. Gartenlaub has been convicted of a crime without proper due process as afforded by the fourth amendment to the Constitution. He was not allowed to see the warrant against him and challenge its validity. Any other defendant would have had that right. What makes this even more disturbing is the apparent weakness of the government’s case. A forensic expert said there was no credible evidence the pornography was ever viewed by anyone using the computer. Another forensic expert said there was no evidence of the illegal material ever being downloaded to the computer leading to speculation it was copied there - but no one can say for sure by whom. Two of the four drives in question had been at a beach house where numerous people had access to them. Another disturbing aspect of the case is the fact that the FBI obtained the warrant to search his personal email because he was the “nationwide Unix military administrator for Boeing.” Two other Boeing employees said there was no such position. When the case is viewed in its totality it really seems that the FBI was on a fishing expedition looking for any evidence of spying no matter how unlikely they were to find it. It even agreed to drop the pornography charges if he would talk about the C-17. When he denied the espionage charges (and everyone knew there was no evidence of spying) the government went with the next best thing. If they had not found the pornography they would have left the house and the defendant would never and know they were there. The bottom line is that the government went fishing on national security grounds but caught a common criminal. It may be legal, but it is not in keeping with the spirit of the Constitution or the Bill of Rights.