Steve's Views

Online Security, is it really needed?

What value does security have anyway? Misapplied, it can become a great stop, a barrier to getting anything done.

This includes information that you don’t want to be publicly available to anyone; it does not matter whether they are specifically interested in it or simply stumble upon it. That includes information which could be used against you, sometimes in ways you never considered. It does not have to be something illegal; it can be simply embarrassing or, more commonly, have a financial value.

Security is the art of applying an optimum balance between functional and inaccessible.

The harder it is to make and retain resources, such as money, to care for yourself and your family, the more common it becomes that people come up with what is known as Unusual Solutions.

Examples of unusual solutions are robbing banks or old ladies, becoming a drug dealer, and online theft and sabotage for profit, just to mention a few.

With technology running ahead of common knowledge it starts to become a mystery that only the few can understand and master. I think it’s safe to say that computer technology has pretty much always been ahead of common knowledge. Typically we have young people reaching to master this mystery and become its master. Their curiosity can put them on a path of criminal activities without the balance of personal ethics and integrity.

The more you learn about computers, the more you realize the things you can do with them. One thing that has always been very popular is being able to communicate between computers. Some of you remember modems: devices used to connect one computer with another. Huge progress!

Then we got networks where one computer can reach many, which eventually resulted in the internet. Now we have huge portions of the world able to reach anyone across the world.

That opened the door for even more exciting opportunities, which for some meant seeing how many computers they could get into, just for fun. Some people were more oriented towards destruction and would laugh gleefully (I imagined) at wreaking havoc on someone else’s computer.

At some point some individuals got the idea that some people would pay to cause or prevent damage. That of course grew to groups, political parties, and governments in different countries. Today it is so prevalent that most computers are likely to be “touched” by someone else who does not have your best interests at the forefront of their mind. What they can do depends on how your computer is set up and on your activities.

Fortunately individuals, groups etc. exist who wish to prevent the damage being caused.

However, ultimately it is up to you, the individual with a computer connected to the internet, to take some positive action towards maintaining some security. The more you don’t know the more it can hurt you. You can pass the need for knowledge onto someone who knows more than you and that you have a reason to trust.

Statistically it is safe to say that it is better to find someone you have a reason to trust than to wait for someone to approach you. Trusting someone, anyone, that you chose to give good advice is better than not doing anything to stay safe, or at least safer.

For many this whole subject is a big black mass of not knowing. But you can do something about it using common sense. You can establish, by yourself, some basic policies that will be better than ignoring it all. Just don’t fall into the group of deniers that think that because they don’t have anything of value on their computer they will not become a victim.

For example, you probably lock your car, which is a simple policy that you probably follow every time you use it without even thinking. A computer is harder to keep secure, but there are still simple things you can do. The first is to ensure you have a password which is not obvious, which means it is not the birthdate of someone in your family; in fact, it should not be any birthdate. A birthdate does not have enough (or different enough) characters; it’s better to let your computer generate a password for you. Today it should probably be at least 10 characters long and contain a mix of lowercase and uppercase letters, numbers and, if allowed, some symbols.

Then ensure you have a unique username (if possible) and password for each online login you have. Often people lose security from using the same login across different locations. (Your password manager easily keeps track of them for you.) When one organization is hacked, your data can be part of it. These lists of logins are then spread across the internet among people who love to make them work for them.
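The password advice in the two paragraphs above, as an added Python example that is not part of the original post: it generates a password from the operating system's random source and audits a list of logins for short, date-like, or reused passwords. The symbol set, the date pattern, and the sample logins are constructed assumptions.

```python
import re
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 10                 # the post's suggested minimum
SYMBOLS = "!@#$%^&*-_=+?"       # assumed set; sites differ in what they allow
DATE_LIKE = re.compile(r"(?:19|20)\d{2}[-/.]?\d{2}[-/.]?\d{2}"
                       r"|\d{2}[-/.]?\d{2}[-/.]?(?:19|20)\d{2}")  # assumed pattern

def weaknesses(password):
    """Return the reasons a password fails the post's basic policy."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too short")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    if not all(any(c in cls for c in password) for cls in classes):
        found.append("missing lower/upper/digit mix")
    if DATE_LIKE.search(password):
        found.append("looks like a date")
    return found

def generate(length=16, allow_symbols=True):
    """Draw from the OS CSPRNG until the candidate passes weaknesses()."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    alphabet = string.ascii_letters + string.digits + (SYMBOLS if allow_symbols else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        has_symbol = any(c in SYMBOLS for c in candidate)
        if not weaknesses(candidate) and (has_symbol or not allow_symbols):
            return candidate

def audit(logins):
    """logins: list of (site, username, password). Returns {site: [problems]}."""
    sites_by_password = defaultdict(set)
    for site, _user, password in logins:
        sites_by_password[password].add(site)
    report = {}
    for site, _user, password in logins:
        problems = weaknesses(password)
        shared = sorted(sites_by_password[password] - {site})
        if shared:
            problems.append("password reused on: " + ", ".join(shared))
        if problems:
            report[site] = problems
    return report

SAMPLE = [  # constructed sample logins, not real accounts
    ("bank.example", "steve", "19840312"),
    ("shop.example", "steve", "Tr0ub4dor&3x!"),
    ("forum.example", "steve84", "Tr0ub4dor&3x!"),
    ("mail.example", "s.views", generate()),
]
```

Calling `audit(SAMPLE)` flags the birthdate password on three counts and the shared password on both sites that use it, while the generated one passes.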

The most basic datum should be that if you put any information (data) on a networked computer then it can end up in someone else’s hands. If you think with that and accept the possibility, then you are less likely to suffer too much.

Email is a very popular and unfortunately effective tool to get you to open the door for them to get into your computer. That includes making you go to your bank and give them your money on some pretense that has but one purpose – to steal from you. This is called social engineering: they pretend to be someone else in some imaginary situation, you feel sorry for them being in that imaginary situation, and then you give them your money (sometimes even thinking it’s their money you are returning).

There are security updates coming out somewhat frequently, and these should be applied when they come out. Any online tool is in a direct position to cause great harm to your computer and whatever you have on it or have access to. Thus ensuring they are kept up to date is of utmost importance.

General bug fixes are good as well. Unfortunately some companies create new problems when they fix the old one. Unless you really need that fix, wait for one or more fixes before applying it, which allows time for them to solve it properly.

Another security issue is using software that runs on someone else’s servers, for example online accounting or any other service offered that is running on the provider’s servers (I’m not including running your website).

For one you have no physical control of your information, if they go down you will too. Someone else is in charge of looking after your information, at whatever pay grade and motivation that you will never know. Imagine hiring someone to work for you where you don’t know when they are there, what they are actually doing, from whatever country or organization with whatever motivations?

It can be as simple as something going wrong anywhere between you and them, so that you cannot access your company information. It could be someone digging a trench and accidentally cutting the network cabling below ground. They could be under attack and brought down, since they are hosting many other companies and maybe one of them is a target. In the end you have no control.

Such a company might be a life saver when you don’t know enough to have this computer functionality in your own operation. If so, be sure to have a definitive plan to get it in-house, and maintain full backups of YOUR data, even if it is on their servers.

Avarice, which is defined as extreme greed, has put many in the “poor house” from having lost all their savings through some scam. Even plain greed makes people go for that quick buck. This is often a case where the person believes they cannot make enough money and will happily be fooled into thinking the fast buck will be their ticket to permanent happiness.

When I receive a call from some stranger, even if I know the company they claim to work for, I never accept the “good fortune” they are presenting me with. If it was legitimate I would also receive an email and a physical letter proclaiming my good fortune. AND that is not enough to convince me I’ve won something. I would have to have enrolled in that something AND if it comes through an email it would know my name and other details AND have proper grammar AND be professional sounding, then I would still be on my guard and NEVER make ANY payments to release my funds, boat or whatever they claim. They would also have a number I could compare to a publicly posted number.

In other words I NEVER believe it to be real unless I could use some different method to verify their claim that is not coming from them.

If it is a phone call, the easiest way to call their bluff is to ask for their name and a call back number. If given a number I then search the internet for that number with the word scam. Usually someone else has been targeted and it has been noted online.

Any legitimate organization that would have a reason to give you ANYTHING, would be easily accessible and 99% well known.

Regardless of how someone else could possibly determine if you have, or don’t have, anything of value to them without breaking into your computer, there IS something you have of value, which is a computer connected to the internet. Any computer, even an empty one, is valuable as a tool for someone else to use to wreak more havoc on the internet.

Of course if your computer is an office computer of some organization, that organization might very well be a target for nefarious activities. There better be someone who understands computer security or it’s just a matter of time.

A little example from years past. A country deemed untrustworthy of harnessing nuclear power was approaching such a level of being operational that another country decided to put a roadblock there.

The challenge was that the lab was not on the internet and could not be broken into remotely. They solved it by ensuring some computer code was inserted into a printer being sold to that government, specifically that nuclear lab. When they connected that printer to their internal network, the code sprang into action and established connections to other devices, which were then sabotaged in a way that was not obvious but delayed their progress towards having the bomb.

Spend a little time towards at least understanding the concepts of computers. A computer is a tool, a stupid tool without any real intelligence. Any perceived intelligence is programmed into it; without that programming it is a doorstop, with great potential but still a doorstop. It can only follow exact instructions one after the other. It is programmed to make logical decisions that again are programmed into it.

Most of the time computer terms come from terms used in daily life. If you look at the plain English definition you can usually figure it out. Take “network”: you have heard of networking, getting together with a group of people to maybe promote each other’s products and services, or home made cookies. For a computer it is also networking, by connecting a communication cable called a network cable. That cable in turn connects to one or more devices, which ends up creating a connection to the physical wiring across the world known as the internet.

Networking is a lot easier for you, since you have the intelligence to do it: you do not require special shared programming amongst all the computers, or a radio (for WiFi) and/or a cable to connect to others. Computers follow protocols, much the same as we have protocols in how we address each other. The difference is that a computer will fail if the protocol is not followed EXACTLY.

Though everything a computer does is based on human principles, after all, humans built it. 🙂

VPNs, safe and unsafe use

I’m following a security investigator (Brian Krebs) who is one of the very top ones in the biz. He recently posted an article on VPN services and one in particular named 911. It occurred to me that others might not realize the liability these VPN services pose and who might be behind them, and you might want to warn your loved ones in turn. A comment and definition on VPNs and some additional warnings and workarounds by me are at the bottom.

Brian Krebs wraps up his article with these words (link below):

Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.

In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.

All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.

krebsonsecurity.com/2022/07/a-deep-dive-into-the-residential-proxy-service-911/

My comments, examples and workarounds on the security of VPNs

Virtual Private Network is a name given to a design which allows for traffic to travel between two network points and be encrypted.

By encrypting the content of the connection points, the communication can travel “safely” between the two points. (I say “safely” because there are a number of details which make it safe or not.)

(And it is a moving target, moving as decrypting encrypted communication is constantly getting better and better as computers get faster and faster and holes in encryption methods are found.)

It is all in the design. How is it designed? There are many many encryption methods, few are actually considered secure. 

It is an everyday thing whereby someone is delivering something they claim to be completely secure and they express how they go out of their way to be secure. 

Then you (a cryptologist) look into the implementation of some encryption method and discover that what they are using is out of date, or maybe never even was secure. 

Typically the “secure” tunnel is between your device and the service provider, and then they establish another connection between them and the other party. Meanwhile in the middle they have the communication entirely without encryption to do or not do whatever they decide.

To be secure, the minimum requirement is that the tunnel runs between the two end points and is encrypted when passing through the service provider. For example, between my cell phone and yours. There is NO valid reason for it to be anything else; anything else would be considered at best a poor design, at worst incompetent or with criminal intent.

Then we come to the use of a VPN: how is it being used?

Let’s say you have an office or home office, and you are on the road and like to be able to access your data at the office. You get a VPN service or some set up whereby you now have a VPN in place.

You leave on your trip and as you arrive at some location you now want to safely reach your data at the office. (In this example we are going to go with you having an actual secure connection.) 

If either device on either end also has internet access, for browsing in particular, or is a cell phone where you have installed various handy apps, and any one of those apps or locations you browse is hacked or includes malware (code with evil intent), the perpetrator will now have a nice and secure connection into your home office.

In other words, if your remote device is hacked, then you are allowing hackers through the VPN into your office network with the same access as you have. (And there are many ways of increasing access to administrator once someone has any user access.)

The safest approach with using the internet is to be OK with the idea that anything you put on it might end up available to all. (Including the ramifications if that happens.)

If you were to check applications you will find that they commonly ask for permissions far beyond what they need. I never install those.

For example a calculator that wants access to your contacts! Or your network. What valid reason would a calculator have accessing those?

Who puts a bunch of effort into designing, writing and releasing a program with no exchange? Many programmers do, from just being helpful and liking that others are using their creation. But also, much criminal intent can be traced to using the Free model to spread malware.

(Stranger – Danger!)

What is more convenient, the feature the app provides or getting dragged into some criminal activity unwittingly, or discovering you owe a ton of money for a bank loan you never took? These are real ramifications, at best a bunch of wasted time and effort to sort out.

Hackers learn from what other hackers have done and are getting more and more sophisticated, so much so that everyone from a teenager in his room to organized crime to country espionage is thriving. Mostly because people are ignorant about security and have low confront and misunderstoods of course.

For example, Chinese law requires Chinese to spy for them if asked…

Russian law enforcement has an unwritten rule not to go after Russian hackers as long as they don’t attack Russians… (One way they determine if you are Russian is by looking to see what languages your computer supports.)

If you find an app that looks to be the cat’s meow then do some research, not just on how many are using it, as that has nothing really to do with how secure it is, but search the terms [name of app] and the words “security issue”.

That will generally tell a big tale. While you do so, observe who is saying they are good or bad; many have single posters that never post anywhere else because they are fake reviewers. Of course look at the domain name to see where it comes from.

For example someone suggested I contact them on WhatsApp. It immediately revealed that:
1) security researchers recommended against it and,
2) it comes from Facebook,
3) WhatsApp out of the box wants your contact list.

Meanwhile Signal is an ideal option where it truly is safe encryption between the endpoints.

Our world has grown into a digital co-existing world where there is a tremendous amount of attention placed on it by Every Imaginable Player with whatever intent.

— 
Steve