How to send sensitive data

How should you send sensitive data like passwords?

  • Putting them in an email and praying that nobody finds it is very much not the best way to do it.
  • Encrypting your email with PGP is secure (and recommended), but most people don’t have the technical know-how to set it up and use it properly.
  • Texting is a little better than email, but still could be hacked.
  • Encrypted texting with an app like Signal is better, IF both you and the recipient use Signal.
  • Sharing them through your password manager (LastPass, KeePass, etc.) is good, IF both you and the recipient use the same password manager.
  • A phone call can be inconvenient.

We’ve recently started using one of several services (the ones we are currently aware of are listed below) which generate a random web address that you send to the recipient. The note is encrypted with a key that is never stored on the server. Only the valid URL can display the note – the URL itself is the key. The resulting web page can only be opened and viewed a specific number of times or for a specific duration, and then the data is wiped forever from the server. (Or at least that’s what the operators of the services tell us. We have no way of verifying that they actually do … or don’t.)
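The pattern just described, as an added example written for this page (it is not code from any of the services listed): the key rides in the URL fragment, the server stores only ciphertext plus an expiry and a read budget, and the record is wiped once either runs out. The host name notes.example, the in-memory STORE and the HMAC-SHA256 based cipher are all assumptions of this illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed, in-memory stand-in for the service's database.  It holds only
# ciphertext, an expiry time and a read budget; the key is never written here.
STORE = {}

def _keystream(key, nonce, length):
    # Counter mode built on HMAC-SHA256 used as a PRF (stdlib only, no extra packages).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    # Derive separate encryption and MAC keys from the key carried in the URL.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered note")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _now(now):
    return time.time() if now is None else now

def create_note(secret, max_reads=1, ttl_seconds=3600, now=None):
    """Sender side: encrypt locally, upload only the blob, return the share URL."""
    key = secrets.token_bytes(32)
    note_id = secrets.token_urlsafe(12)
    STORE[note_id] = {"blob": encrypt(key, secret.encode()),
                      "expires": _now(now) + ttl_seconds, "reads_left": max_reads}
    # The key travels in the URL fragment; browsers never send the fragment to the server.
    key_b64 = base64.urlsafe_b64encode(key).decode().rstrip("=")
    return f"https://notes.example/{note_id}#{key_b64}"   # hypothetical host

def server_fetch(note_id, now=None):
    """Server side: hand out the blob, enforce expiry and the read budget, then wipe."""
    rec = STORE.get(note_id)
    if rec is None:
        return None
    if _now(now) >= rec["expires"]:
        del STORE[note_id]
        return None
    rec["reads_left"] -= 1
    if rec["reads_left"] <= 0:
        del STORE[note_id]
    return rec["blob"]

def open_note(url, now=None):
    """Recipient side: split id from key, fetch the blob, decrypt in the browser."""
    path, _, key_b64 = url.partition("#")
    note_id = path.rsplit("/", 1)[1]
    key = base64.urlsafe_b64decode(key_b64 + "=" * (-len(key_b64) % 4))
    blob = server_fetch(note_id, now)
    if blob is None:
        return None          # already read, expired, or never existed
    return decrypt(key, blob).decode()
```

Because the server only ever sees the blob, a wrong or altered fragment fails the MAC check on the recipient's side rather than revealing anything.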

https://1ty.me/ – one time read; you can set it to notify you by email when it has been read.

https://privnote.com/ – can notify you when opened, allows you to set a password for reading the page, allows either automatic expiration (1 hr to 30 days) OR deletion on first reading.

https://onetimesecret.com/ – allows you to set a password for reading the page, allows you to set an automatic expiration (5 min to 7 days), and allows you to delete the data before it has been read.

https://safenote.co/ – allows you to set a password for reading the page, allows you to set an automatic expiration (1 hr to 14 days) OR deletion after it has been read a specific number of times (not both, but if you set 3 times and it’s only read twice it will still be auto-destroyed after 14 days), and allows you to delete the data before it has been read.

Disclaimer: ProtectYourWP.com has no connection to any of the above, and takes no responsibility should your data be lost or leaked.

SSL Security Certificates and https://

What is an SSL Certificate and what does it do for me?

An SSL Certificate allows your site to serve your data – and receive input from visitors – in an encrypted form.  This means that if either side is sending sensitive data, it becomes extremely difficult for anyone else to see what is being sent. It’s an important tool to thwart Man-In-The-Middle attacks.

The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies that the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

We’re advised to never send sensitive information to a website which does not have the https:// and a padlock icon on the address line, as pretty much anyone can read it if they know how.

However, security expert Brian Krebs points out that the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates.

The reason Mr. Krebs brings this up is that “many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.”

The problem is that those government sites are misinforming the public, including statements such as “The https:// ensures that you are connecting to the official website….”

No, it does NOT.

All it ensures is that you’re connecting to a site which has an SSL Certificate in place. It’s not particularly difficult to obtain a .gov domain name, and it’s a fairly trivial exercise these days to get a basic SSL Certificate.  So all that the https:// on a .gov site ensures is that someone got a .gov domain name and put an SSL Cert on it – nothing more.

The moral?  Make sure you’re going to the right site!  Both for government sites and for anything else you do online.

Original article at Krebs On Security

10% of All Macs Shlayered

Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single Apple malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

These Flash Player updates, though, are the Shlayer Trojan and when executed will install a malware cocktail onto the computer.

When browsing the web, if any site states that you must install an update to watch a video or perform an activity, immediately leave that site.

Source:  https://www.bleepingcomputer.com/news/security/10-percent-of-all-macs-shlayered-malware-cocktail-served/

More at: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/

Ring doorbell app packed with third-party trackers, open to password theft

Ring isn’t just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers.

An investigation by the Electronic Frontier Foundation (EFF.org) of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII). Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.

The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it. All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills.

Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system. In the past, EFF has illuminated the mismanagement of user information which has led to data breaches, and the attempt to place the blame for such blunders at the customers’ feet.

This goes a step beyond that, by simply delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship. As we’ve mentioned, this includes information about your device and carrier, unique identifiers that allow these companies to track you across apps, real-time interaction data with the app, and information about your home network. In the case of MixPanel, it even includes your name and email address. This data is given to parties either only mentioned briefly, buried on an internal page users are unlikely to ever see, or not listed at all.

More details at:  https://boingboing.net/2020/01/27/ring-doorbell-app-packed-with.html

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using Man In The Middle attacks against other devices connected to the same network.

The smart doorbell needs to be connected to your WiFi network, allowing you to remotely access the device from a smartphone app to perform all tasks wirelessly.

https://thehackernews.com/2019/11/ring-doorbell-wifi-password.html

Definition: Phishing and Spear Phishing

Phishing is when a fraudster sends an email or text message to a user that appears to originate from a trusted source, such as a bank. By clicking on a link or opening an attachment in the phishing message, the user can unwittingly load malware onto their device or can be lured into entering their login details on a fake version of the trusted site. The fraudsters may be trying to steal your passwords, account numbers, or Social Security numbers.

In the first case, the malware then installs itself on the browser without the user’s knowledge. The malware records the data sent between the victim and specific targeted websites, such as financial institutions, and transmits it to the attacker.

In the second, the user’s login details are recorded by the fake site. The user will often get a generic message indicating that the login failed or that the system is down for maintenance and they should try later.  Meanwhile, the criminals now have the actual login details and can clean out the account.

Spear Phishing is similar, but is more directed.  While phishing is often performed in a shotgun approach, where the scammer sends email or text to a list of random addresses, spear phishing aims at a particular person or company, and often refers to people or circumstances known to a specific circle of target email addresses.

Spear phishing can be quite convincing, whereas the shotgun style is often easier to spot – for instance, if you don’t have an account with the bank or other service the scam email uses as bait.

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.

They may

  • say they’ve noticed some suspicious activity or log-in attempts
  • claim there’s a problem with your account or your payment information
  • say you must confirm some personal information
  • include a fake invoice
  • want you to click on a link to make a payment
  • say you’re eligible to register for a government refund
  • offer a coupon for free stuff

Fighting Phish

  1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
  2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
  3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
    • Something you have — like a passcode you get via text message or an authentication app.
    • Something you are — like a scan of your fingerprint, your retina, or your face.
    Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
  4. Protect your data by backing it up. Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.

What to Do If You Suspect a Phishing Attack

If you get an email or a text message that asks you to click on a link or open an attachment, answer this question: Do I have an account with the company or know the person that contacted me?

If the answer is “No,” it could be a phishing scam. Go back and review the tips in How to recognize phishing and look for signs of a phishing scam. If you see them, report the message and then delete it.

If the answer is “Yes,” contact the company using a phone number or website you know is real – not the information in the email. Attachments and links can install harmful malware.

What to Do If You Responded to a Phishing Email

If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.

If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan.

How to Report Phishing

If you got a phishing email or text message, report it. The information you give can help fight the scammers.

Step 1. If you got a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If you got a phishing text message, forward it to SPAM (7726).

Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.

Holiday shipping confirmation scams

Brian Krebs, a respected authority on security and all-things-cybercrime, wrote a cautionary post earlier this week. “If you receive an email this holiday season asking you to ‘confirm’ an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.”

The trick with any phishing campaign is to make the message or website appear legitimate. Poorly designed scams are often easy to spot, but cybercriminals are getting much better at crafting believable fakes.

“Scammers have become incredibly good at making fraudulent emails look legitimate to the untrained eye,” agrees Craig Young, security researcher with Tripwire. “Attackers will commonly flood the web with spam mail claiming you have a package waiting to be picked up, an order awaiting confirmation, and a plethora of other emails designed to get users to click links.”

Amazon’s Ring may not be all that secure

Five U.S. Senators are demanding that Amazon disclose how it is securing Ring home-security device footage – and who is allowed to access that footage.

The demands come on the heels of several security vulnerabilities and privacy-related incidents surrounding Amazon-owned Ring devices.

“Ring devices routinely upload data, including video recordings, to Amazon’s servers,” the senators wrote, Wednesday. “Amazon therefore holds a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes.

Last week, researchers discovered a (now-fixed) vulnerability in Ring doorbells that left Wi-Fi network passwords exposed. Previous vulnerabilities have been discovered over the past year, including a flaw reported in February that could allow an attacker to spy on families’ video and audio footage.

A separate report earlier this year alleged that Ring employees in Ukraine were provided with “virtually unfettered access” to a folder containing every video created by every Ring camera globally, and that some U.S. Ring executives and engineers were given “highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras.”

Other reports have drawn privacy concerns about the video footage collected by Ring doorbells. Ring has acknowledged that it’s partnering with more than 600 police departments across the country to allow them to request access to camera footage from camera owners, drawing concern from privacy and consumer advocacy groups.

Amazon said that it does not require law enforcement to delete materials shared through a video request after a certain period of time. Furthermore, if videos are downloaded by law enforcement, they may become public records, Amazon said.

“Amazon plays on people’s fears to sell them surveillance products, and then turns around and puts them and their neighbors in danger,” said Evan Greer, deputy director of digital rights advocacy group Fight for the Future, in an email. “Through consumer products like Ring, Amazon is collecting footage and all the data needed to build a nationwide surveillance network. They leverage government relationships to promote their own products, gain consumer trust and secure their position in the market. This is an unprecedented assault on our security, constitutionally protected rights, and communities. Amazon’s admissions to Senator Markey show that we need an immediate full scale Congressional investigation into this tech titan’s surveillance practices.”

According to reports, Ring has also applied for a “facial recognition patent” and employs a “head of facial recognition research.” Senators asked Amazon to describe its plans regarding facial recognition for Ring devices – including Amazon’s own platform, Rekognition.

Full article here

InfoSec Tip: Call the number on your card

Interesting (in a bad way) hack here. This guy’s wife got a message from an ATM telling her that her card had been compromised, giving her a number to call. Luckily for them, they were alert enough to not give the account number and credit card number!

https://twitter.com/RealGeneKim/status/1187756958608027649

Tip: Any time you need to contact your credit card issuer, use the number on the card – not one provided by a 3rd party, even if it’s theoretically from the same bank.

Should this happen to you, report it!  And leave a note on the ATM so the next person doesn’t get scammed.

Definition: 2-Factor Authentication

You have probably heard the words “2 Factor Authentication” (2FA), but do you understand the concept and the increased level of security it provides? (Even despite the mild annoyance factor.)  And do you know the preferred way to set it up for your WordPress website?

The basic idea is that logging in requires more than just your user/password combination.  User names can be fairly easy for a hacker to discover, and there are many tools available for them to obtain likely passwords – from brute force attacks to “dark web” sites which sell lists of user/password or email/password combos stolen during the unfortunately high number of breaches over the years.

So we add a second factor – something you HAVE, which the hackers probably don’t have: typically your phone or other device. You enter the code from your device as the last step of logging in.

Note: there are methods which involve sending a code to a designated email account or sending an SMS text to your phone.  The downside is that the hacker may already have gained access to your email too.  And text messages can be intercepted, as happened in 2019 to the CEO of Twitter.  Yes, any 2FA is safer than no 2FA, but these are not the safest way.

Right now (March 2020) the safest way to implement 2FA on your website is to use an Authenticator application – either on your phone or as a stand-alone device.

Some well known authenticators include:

Password managers 1Password and LastPass offer the service as well.

Rather than send you an SMS, each of these apps shows you a randomly generated six-digit code that refreshes roughly every 30 seconds, and stays constantly synced with whichever service you’re trying to log into. The benefits of tying those codes to a physical device, rather than your phone number, extend beyond security; apps like Google Authenticator generally continue to work even without an internet or cell connection. If 2FA has ever locked you out of Facebook on a flight, here’s some relief.

We suggest using one of the above Authenticators along with the 2FA available through Wordfence, which we install on all our clients’ sites.  Download the Authenticator of your choice, log in to your site as an administrator, go to the Wordfence menu in the left hand navigation, and go to Login Security.

You should now see a QR code (with a text key below it).  Follow the instructions at https://www.wordfence.com/help/tools/two-factor-authentication/ to get it set up.

It would be wise to require all Administrator and Editor level users on your site to implement 2FA. You get used to the extra step pretty quickly.

If you want to get really hard core, Yubico’s YubiKey is a hardware-based 2FA solution. It’s a small card-like device with one end that slots into a standard Type-A USB port. It can verify authentication with a button press instead of manually entering a short code. YubiKeys are also very durable and waterproof, making it difficult to ruin these devices. These are probably the most secure solution overall, but to my knowledge Wordfence does not yet support YubiKey.

Plugin Conflicts

You may or may not have heard of or experienced the “joy” of running into a plugin conflict, but since we found one on a client’s site this past month, I’d like to take a moment to explain what they are and what can be done about them.

There are many different developer teams working on WordPress software: the team behind the WordPress “core” software, and the various third-party developers building plugins and themes. Since there are currently 54,970 plugins and thousands of themes available in the WordPress repository as of this writing, it’s nearly impossible to be sure that one developer’s code works well with every other developer’s code.

What happens is that two plugins each define a function (or other chunk of code) with the same name. When that function is called, the two plugins butt heads and your site fails – sometimes catastrophically. In the case we saw this month, the site worked fine, but attempts to log in to the Admin area were met with a blank page with a big “503 Error” warning after a plugin update. Sometimes you’ll find something glaringly obvious like that, or your site’s layout gets all wonky; other times it’ll be more subtle – perhaps your contact form won’t send, or some other function doesn’t perform as expected.

1) Plugins are great, but keep them to a minimum. The fewer you use, the less likely you’ll run into a conflict. Ask yourself if you really need the function the plugin provides before installing it. It’s highly unlikely you’ll need more than 20 or so.

2) Delete any plugins or themes which you’re not currently using.  Deactivated plugins can still be a source of conflicts and a pathway to being hacked.  You can always re-install later.

3) Find what software is in conflict and remove the less critical one.

Typically this is a process of elimination. Deactivate half your plugins (leave critical plugins like security running). If the conflict goes away, you know that at least one of the problem plugins is in that batch. If not, it’s in the ones you left activated, so switch those back on and the others off. Then turn off half of the plugins in the problem batch to narrow it down still further. Keep going until you find one or two which, when deactivated, make the problem go away.

4) Report the problem to both software developers. Let them know which plugin(s) are in conflict, what the symptoms are, and any other details which might be relevant. Chances are they were unaware of the conflict (remember, there are 54,969 other plugins they’d have to test against to find all potential problems) and will try to reproduce it and issue an update which addresses the problem. They may ask for temporary access to your website if they can’t reproduce it on their setup.

If you don’t report it, some other poor soul will likely encounter the same problems you did.
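The process of elimination in step 3, written out as an added example for this page (it is not a WordPress or Wordfence tool): the halving is done by binary search, each round pins down one plugin that is needed to reproduce the failure, and the search then repeats among the remaining ones, so it finds both halves of a two-plugin conflict rather than stopping at the first. The plugin names, the “critical” set and the site_broken() stand-in for “log in and look for the 503” are all constructed for the illustration; it assumes the failure is reproducible every time and only ever gets worse as more plugins are switched on.

```python
# Constructed plugin inventory for a hypothetical site; names are illustrative.
PLUGINS = ["seo", "cache", "forms", "gallery", "slider", "backup", "wordfence"]
CRITICAL = {"wordfence"}            # security plugin: stays active throughout

def site_broken(active):
    """Constructed stand-in for 'log in and look for the 503': this site fails
    only when both 'forms' and 'slider' are active at the same time."""
    return {"forms", "slider"} <= set(active)

def find_conflict(plugins, critical, broken):
    """Process of elimination by halving.

    `broken(active_set)` plays the role of reloading the site with that set of
    plugins active.  Returns the smallest set of non-critical plugins that,
    together with the critical ones, reproduces the failure.  Each round
    binary-searches for the last plugin in the candidate list that is needed,
    pins it as found, and searches again among the plugins before it, so a
    two-plugin conflict costs about 2*log2(n) reloads instead of n.
    """
    context = set(critical)
    candidates = [p for p in plugins if p not in critical]
    if not broken(context | set(candidates)):
        return []                   # cannot reproduce even with everything on
    found = []
    while not broken(context):
        # invariant: broken(context) is False, broken(context | candidates) is True
        lo, hi = 0, len(candidates)  # find the smallest prefix that still breaks
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if broken(context | set(candidates[:mid])):
                hi = mid             # every culprit is among the first mid plugins
            else:
                lo = mid             # the first mid alone are not enough
        culprit = candidates[hi - 1]  # switching this one on tipped it over
        found.append(culprit)
        context.add(culprit)
        candidates = candidates[:hi - 1]
    return found

def count_reloads(plugins, critical, broken):
    """Same search, but also report how many 'reloads' it took."""
    calls = []
    def counted(active):
        calls.append(1)
        return broken(active)
    return find_conflict(plugins, critical, counted), len(calls)
```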