How to Keep Your Stuff Safe While You’re at College (or anywhere, really)

There’s a well written article by iFixIt.com aimed at college students, but really it’s applicable to everyone who ever does anything in public space. Granted, that’s not happening as much with Covid19 precautions, but these suggestions should be part of your regular routine anyway.

Of particular note is the section on USB chargers and thumb drives. Many are not aware of the potential dangers, and some good tips are given on how to protect yourself.

See the article at https://www.ifixit.com/News/43770/how-to-keep-your-stuff-safe-while-youre-at-college

Why do we back up?

A perfect example from my security focused Twitter feed today:

well <explitive> my server colocation facility just burned down

“halon is great for when equipment is on fire, but not as useful when the whole entire west coast is on fire”

This of course is during the raging wildfires on the US west coast.

Frequent offsite backups are also a critical method of fighting Ransomware attacks.

FYI, we keep backup copies of all sites in several locations, using several different backup methods.

Stay Alert to New Scams and Tricks

Phishing attackers can play with web addresses in a number of ways to trick you into following the link:

Hiding the link with a link shortener (bit.ly, goo.gl, etc)

Hiding the link under a “Click here” or similar button

Substituting numbers for letters (the number 0 for the letter o, as in “dr0pb0x.com”)

Spelling an existing address incorrectly (Facbook.com instead of Facebook.com)

 

Page experience: a new Google ranking factor

A couple of weeks ago, Google announced Web Vitals — a new set of metrics to measure the speed and user experience of websites. Last week, Google announced that these metrics will make its way into a core algorithm update as new ways of judging and ranking sites based on the page experience they offer. This update is due to arrive some time in 2021.

Read up!  Article by Yoast SEO: https://yoast.com/page-experience-google-ranking-factor/

Don’t use names in your password!

Password management company NordPass has urged the general public not to include people’s names in their passwords.

Research released by the company found thousands of netizens worldwide are opting to protect their sensitive information with a password that includes a name.

According to NordPass, the name that cropped up most frequently in passwords is “Ashley.” The company discovered that the gender-neutral moniker was used 94,557 times to protect sensitive data.

The second most common name, used 78,914 times, was the similarly gender-neutral “Charlie.” The third and fourth most popularly used names, employed 71,035 times and 64,992 times respectively, were Michael and Nicole.

….

Passwords based around names are easier for cyber-criminals to crack as the combination of characters is more predictable.

According to the Department of Homeland Security, “most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them.”

“People also shouldn’t use any other obvious choices, such as their address, favorite band, sports team, pet’s name, the word ‘password,’ and any alternations of it.”

Full article at https://www.infosecurity-magazine.com/news/netizens-urged-not-to-use-this/

When Your Biggest Security and Privacy Threats Come From the Ones You Love

Research examines the risks and design challenges of accounting for privacy threats in intimate relationships.

As technology has become more ubiquitous in people’s everyday lives, a new class of privacy threats has emerged in family, romantic, friendship, and caregiving relationships. Dubbed “intimate threats” by a recent academic paper in the Journal of Cybersecurity, these are the thorny risks that are intertwined with issues around location tracking, always-on monitoring or recording, online surveillance, and the control over technology accounts or devices.

Written by Karen Levy, a lawyer and sociologist, and information security luminary Bruce Schneier, the paper examines how the dynamics of different intimate relationships break the security model in a lot of systems. It examines real-world examples of this in action and also provides some recommendations for technology designers and security professionals to start rethinking how they build products and think about threat models and security use cases.

The use of technology in intimate relationships can quickly turn dark with very little recourse from the victim because the product was never designed to account for abuse cases.

“Facebook had a system for a while where you’d get your account back because they’d show you pictures and you’d click on the ones that are your friends, assuming that you know who they are but other people don’t,” Schneier says. “But your partner and your parents all know that stuff too. So it’s a great system, but it fails in the intimate context. It fails when your boyfriend takes over your account.”

 

Full article at https://www.darkreading.com/risk/when-your-biggest-security-and-privacy-threats-come-from-the-ones-you-love/d/d-id/1338053

How to send sensitive data

How should you send sensitive data like passwords?

  • Putting them in an email and praying that nobody finds it is very much not the best way to do it.
  • Encrypting your email with PGP is secure (and recommended), but most people don’t have the technical knowhow to set that up and use it properly.
  • Texting is a little better than email, but still could be hacked.
  • Encrypted texting with an app like Signal is better, IF both you and the recipient use Signal.
  • Sharing them through your password manager (LastPass, KeePass, etc) is good, IF both you and the recipient use the same password manager.
  • A phone call can be inconvenient.

We’ve recently started using one of several services (that we are currently aware of) which generate a random web address which you send to the recipient. The notes are encrypted using a key that is never stored on the server. Only the valid URL can display the notes – it is the key.  The resulting web page can only be opened and viewed a specific number of times or for a specific duration, then the data is wiped forever from the server.  (Or at least that’s what the operators of the services tell us. We have no way of verifying that they actually do …or don’t.)

https://1ty.me/ – one time read; you can set it to notify you by email when it has been read.

https://privnote.com/ – can notify you when opened, allows you to set a password for reading the page, allows either automatic expiration (1 hr to 30 days) OR deletion on first reading.

https://onetimesecret.com/ – allows you to set a password for reading the page, allows you to set an automatic expiration (5 min to 7 days), and allows you to delete the data before it has been read.

https://safenote.co/– allows you to set a password for reading the page, allows you to set an automatic expiration (1 hr to 14 days) OR deletion after it has been read a specific number of times (not both, but if you set 3 times and it’s only read twice it will still be auto-destroyed after 14 days), and allows you to delete the data before it has been read.

Disclaimer: ProtectYourWP.com has no connection to any of the above, and takes no responsibility should your data be lost or leaked.

IMPORTANT UPDATE: Make sure that you’re using the correct site.  There are imposter sites such as “privnotes”, “privnoté” and “prívnote” which are dangerous. https://krebsonsecurity.com/2020/06/privnotes-com-is-phishing-bitcoin-from-users-of-private-messaging-service-privnote-com/ and https://twitter.com/briankrebs/status/1275120887633715201

SSL Security Certificates and https://

What is an SSL Certificate and what does it do for me?

An SSL Certificate allows your site to serve your data – and receive input from visitors – in an encrypted form.  This means that if either side is sending sensitive data, it becomes extremely difficult for anyone else to see what is being sent. It’s an important tool to thwart Man-In-The-Middle attacks.

The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

We’re advised to never send sensitive information to a website which does not have the https:// and a padlock icon on the address line, as pretty much anyone can read it if they know how.

However, security expert Brian Krebs points out that the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

Here’s a sobering statistic: According to PhishLabsby the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates.

The reason Mr. Krebs brings this up is that “many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.”

The problem is that those government sites are misinforming the public, including statements such as “The https:// ensures that you are connecting to the official website….”

No, it does NOT.

All it ensures is that you’re connecting to a site which has an SSL Certificate in place. It’s not particularly difficult to obtain a .gov domain name, and it’s a fairly trivial exercise these days to get a basic SSL Certificate.  So all that the https:// on a .gov site ensures is that someone got a .gov domain name and put an SSL Cert on it – nothing more.

The moral?  Make sure you’re going to the right site!  Both for government anything else you do online.

Original article at Krebs On Security

10% of All Macs Shlayered

Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single Apple malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

These Flash Player updates, though, are the Shlayer Trojan and when executed will install a malware cocktail onto the computer.

When browsing the web, if any site states that you must install an update to watch a video or perform an activity, immediately leave that site.

Source:  https://www.bleepingcomputer.com/news/security/10-percent-of-all-macs-shlayered-malware-cocktail-served/

More at: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/