Discover how mastering email communication can boost business efficiency, avoid common pitfalls, and ensure secure, respectful online interactions.
Turkey Revenge
The turkeys are pissed this Thanksgiving; they are seeking revenge.
Germs Infest 60% of America's Phones
60% of Americans sleep with their phones, harboring germs. Cleaning regularly with UV sanitizer or alcohol wipes can help keep your phone and bed germ-free.
Smartphone Sanitizing: A Practical Guide
Securely erase personal data from your old smartphone before recycling. Protect your identity from hackers—easy steps to follow.
Why Soft Skills Matter in Today’s Job Market
Boost your career with essential soft skills like communication, teamwork, and emotional intelligence. Learn why they’re crucial for workplace success.
Another Hole in Internet Armor
Another hole in our Internet armor has been discovered. The hole is in the Diffie-Hellman key exchange, a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.
Researchers from the University of Michigan, Inria, Microsoft Research, Johns Hopkins University, and the University of Pennsylvania have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed. In what they are calling the Logjam attack, the DH flaw allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and change any data passed over the connection.
The problem, according to the researchers, is that millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.
To prove this hypothesis, the researchers carried out this computation against the most common 512-bit prime number used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT.
They also estimated that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.
There is speculation that this “flaw” was being exploited by nation-state bad actors. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having created, exploited, or harnessed the Logjam vulnerability.
What should you do?
1 – Go to the researchers’ website https://weakdh.org/ to see if your browser is secure from the Logjam flaw. (It reported that Google Chrome Version 43.0.2357.81 (64-bit) on OSX 10.10.3 was not secure.)
2 – Microsoft (MSFT) patched the Logjam flaw on May 12 with security bulletin MS15-055. A Microsoft spokesperson told eWEEK:
Customers who apply the update, or have automatic updates enabled, will be protected. We encourage all customers to apply the update to help stay protected.
3 – Google (GOOG) fixed the issue with the Chrome 42 update, which debuted on April 15. Google engineer Adam Langley wrote:
We disabled TLS False-Start with Diffie-Hellman (DHE) in Chrome 42, which has been the stable version for many weeks now.
4 – Mozilla’s patch for Firefox isn’t out yet, but “we expect it to be published in the next few days,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.
5 – DarkReading reports that on the server side, organizations such as Apache, Oracle (ORCL), IBM (IBM), Cisco (CSCO), and various hosting providers have been informed of the issue. There has been no response from these tech titans.
The researchers have also provided guidance:
- If you have a web or mail server, they recommend disabling support for export cipher suites and generating a unique 2048-bit Diffie-Hellman group. They have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
- If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers the Elliptic-Curve Diffie-Hellman Key Exchange.
- If you’re a sysadmin or developer, make sure any TLS libraries you use are up-to-date, that servers you support use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.
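A client-side check of the kind the last guidance item describes, as an added example that is not from the original post or the researchers' guide: it parses the ServerDHParams structure a TLS 1.2 server sends in ServerKeyExchange and rejects primes shorter than 1024 bits, flagging anything under 2048. The thresholds, function names and sample values are assumptions; the sample numbers are constructed and are not real DH primes.

```python
import struct

# Policy thresholds from the researchers' guidance above (assumed as constants)
MIN_DH_BITS = 1024          # clients reject anything smaller
RECOMMENDED_DH_BITS = 2048  # servers should use this or larger

def parse_server_dh_params(data: bytes):
    """Parse TLS 1.2 ServerDHParams (ServerKeyExchange): three uint16
    length-prefixed big-endian integers dh_p, dh_g, dh_Ys."""
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from("!H", data, off)
        off += 2
        if length == 0 or off + length > len(data):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(data[off:off + length], "big"))
        off += length
    return values[0], values[1], values[2]

def check_dh_params(p: int, g: int, ys: int):
    """Client-side policy: reject short primes and out-of-range values."""
    bits = p.bit_length()
    if bits < MIN_DH_BITS:
        return False, f"rejected: {bits}-bit prime (export-grade / Logjam range)"
    if not (2 <= g <= p - 2):
        return False, "rejected: generator out of range"
    if not (2 <= ys <= p - 2):
        return False, "rejected: server public value out of range"
    if bits < RECOMMENDED_DH_BITS:
        return True, f"accepted: {bits}-bit prime, below recommended {RECOMMENDED_DH_BITS}"
    return True, f"accepted: {bits}-bit prime"

def evaluate_server_key_exchange(data: bytes):
    """Parse then check; a parse failure is a rejection, not an exception."""
    try:
        p, g, ys = parse_server_dh_params(data)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    return check_dh_params(p, g, ys)

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams blob; used here only to construct sample input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: odd numbers of the right size, NOT real DH primes (the page lists none); they only exercise the size policy.
WEAK_P = (1 << 511) | 1      # 512 bits, the size DHE_EXPORT downgrades to
STRONG_P = (1 << 2047) | 1   # 2048 bits, the recommended size
WEAK_SKE = encode_server_dh_params(WEAK_P, 2, 5)
STRONG_SKE = encode_server_dh_params(STRONG_P, 2, 5)
```

A real client would run this against the bytes following the handshake header of ServerKeyExchange, before the signature field.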
rb-
Finally, get involved. Write someone, your representative, senator, your favorite bureaucrat, the president, your candidate, and tell them to get out of the way.
Ars Technica notes that Logjam is partly caused by export restrictions put in place by the US government in the 1990s, to allow government agencies the ability to break the encryption used in other countries. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” said Michigan’s J. Alex Halderman to the report. “Today that backdoor is wide open.”
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Mobile Malware FUD?
Just last week, I wondered out loud from my Bach Seat if all the hype around mobile malware was real or just more FUD. Looks like I am not alone; TechCo recently asked a similar question, “Are We Overstating the Threats from Mobile Devices?”
The author cites several recent reports that back up the claim that the actual mobile threats that mobile devices introduce into the enterprise are overstated. The data indicates that the mobile malware threat is statistically small and has even decreased since 2012.
• A McAfee report shows out of all the malware now out there, only 1.9% of it is mobile malware. The author equates the mobile threat to 4 million / 195 million McAfee knows about.
• Another report (PDF) from Verizon (VZ) shows even lower numbers, with only 0.03 percent of smartphones being infected with what is called “higher grade malicious code.”
• But some numbers go even lower than that. Damballa, a mobile security vendor that monitors roughly half of mobile data traffic, recently released a report that claims you have a better chance of getting hit by lightning than by mobile malware. Damballa found only 9,688 smartphones out of more than 150 million showed signs of malware infection. If you do the math, that comes out to an infection rate of 0.0064 percent.
Even more interesting is that despite the increase in mobile devices, Damballa found the infection rate had declined by half compared to 2012.
These reports may show mobile threats aren’t as big of a problem as previously thought, but the author asks why the numbers are so low at all. After all, cybercriminals like to target new platforms and exploit security weaknesses. Why do they seem to be avoiding mobile devices?
The truth of the matter is that mobile users tend to get their apps from high-quality app stores. The stores from Google (GOOG) and Apple (AAPL) work to filter out suspicious apps. If malware is found in apps after they’ve already been on the market for a while, app stores can also execute a kill switch, which takes the app off the store and the devices where they were downloaded. This limits malware’s ability to spread.
The article concludes that companies that adopt BYOD should not ignore BYOD security; they just don’t have to go all-out as many businesses have done. Most mobile security experts say a mobile device management system remains a good investment to make sure mobile devices are handled appropriately. MDM systems also allow an organization to remotely wipe devices, thus keeping sensitive data safe in the event a device is lost or stolen. But malware really isn’t a factor in those cases, so the overall message from these recent reports is that getting worked up over mobile threats is not necessary. A company can still gain all the benefits of BYOD without having to worry incessantly over what they’re doing to protect every device that connects to their network.
rb-
What do you think?
Related articles
- Your BYOD implementation checklist (powermore.dell.com)
What Triggers a Data Breach?
Cyber-insurer Ace Group recently published data they say predicts a data breach. Based on their data (and the need to sell premiums) the insurer claims that all firms are at risk for a data breach. Matthew Prevost, vice president, ACE Professional Risk recently claimed data breaches are inevitable.
When it comes to cyber risk, it is not a question of if or when, but how – how can an organization proactively prepare for and then quickly respond to cyber-related breaches and interruptions?
ACE is in a unique position to speculate: according to ClaimsJournal, ACE has over 15 years of experience with cyber-risk. The firm has cataloged a considerable amount of lost data. They recently shared several key insights from their proprietary data. FierceITSecurity explains that based on cyber insurance provider ACE data, the top triggers for data breaches are:
- Network security attacks – 25%
- Lost or stolen devices – 20%
- Human error – 16%
- Rogue employees – 15%
- Faulty policies – 9%
- Use of paper – 6%
- Software error – 3%
The firm’s data breaks down the lost and stolen devices that led to data breaches as:
- Laptops – 70%
- Memory devices – 28%
- Smartphones – 2%
Former employees accounted for 25 percent of insider attacks, and financial incentive was the motive in 72 percent of insider attacks, according to ACE.
rb-
I have written about the cyber insurance market here and here. The most surprising factoid to me is that lost or stolen smartphones lead to data breaches 2% of the time. Perhaps the ACE data is old, or the security marketers have spread FUD and hubbub about the need for MDM, EMM, and remote wipes just to make a buck.
Do you agree with ACE’s stats?
Related articles
- Why small businesses should consider cyber liability insurance (hiscoxsmallbizblog.com)
World’s First Hacker?
The story of the first hacker could be a 21st-century tale. It includes a zero-day exploit, patent trolling, a live demo, egos, and industrial espionage. New Scientist has identified its candidate for the world’s first hacker. The hacker found a security hole in Marconi’s wireless telegraph technology and used it to publicly show the inventor up.
The first hacker
New Scientist’s first hacker was Nevil Maskelyne. Nevil Maskelyne was a stage magician who disrupted a public demo of Marconi’s wireless telegraph in 1903. He disrupted the demo by wirelessly sending insults in Morse code through Marconi’s confidential channels. Visitors to the Bach Seat should be sophisticated enough to know the risks of running a live demo, but 110+ years ago, they didn’t.
According to the author, the first hack occurred at the Royal Institution in London. As Marconi associate John A. Fleming (inventor of the vacuum tube) was preparing the Marconi equipment for a public demo of the long-range wireless communication system developed by his boss, the Italian radio pioneer Guglielmo Marconi, something unplanned happened.
Scientific hooliganism
Before the demonstration was scheduled to begin, the demo gear began to receive a message. The unplanned message included a poem that accused Marconi of “diddling the public.” Then it started in with some Shakespeare.
Arthur Blok, Fleming’s assistant, figured that someone else was beaming powerful wireless pulses into the theater. The new signal was strong enough to interfere with Marconi’s equipment. Unfortunately for Marconi and Fleming, Nevil Maskelyne figured out the hack first. Mr. Maskelyne’s hack proved that Marconi’s gear was insecure. It also showed it was likely that outsiders could eavesdrop on supposedly private messages too.
In response, Fleming fired off a complaint to The Times. In the paper he dubbed the hack “scientific hooliganism.” He asked the newspaper’s readers to help him find the hacker.
However, Maskelyne, whose family had made a fortune making “spend-a-penny” locks for pay toilets, outed himself four days later. He justified his actions on the grounds that he revealed the security holes for the public good. (Sound familiar?)
Maskelyne, who taught himself wireless technology, had a great deal of experience with wireless. According to the article, he would use Morse code in “mind-reading” magic tricks to secretly communicate with a partner. And in 1900, Maskelyne sent wireless messages between a ground station and a balloon 10 miles away. But his ambitions were frustrated by Marconi’s broad patents. The overly broad patent left him embittered towards the Italian. Maskelyne would soon find a way to get back at Marconi. It turned out that the Eastern Telegraph Company, worried that Marconi’s wireless would kill their global wired communications business, hired Maskelyne as a spy.
Revealed security holes for the public good
Maskelyne built a 50-meter radio mast near the Marconi Wireless offices. From these offices Marconi was beaming wireless messages to vessels as part of its highly successful “secure” ship-to-shore messaging business. From there, Maskelyne could easily eavesdrop on the “confidential channel” Marconi wireless messages.
Maskelyne gleefully revealed the lack of security by writing in the journal The Electrician in November 1902:
I received Marconi messages with a 25-foot collecting circuit [aerial] raised on a scaffold pole. When eventually the mast was erected the problem was not interception but how to deal with the enormous excess of energy.
To further publicize his results and perhaps exact some revenge on Marconi, Maskelyne staged his Royal Institution poetry broadcast.
The New Scientist concludes that Maskelyne’s name had been forgotten, but now he is in the history books as the world’s patron saint of hackers.
iPads Stalled
Readers of Bach Seat know that I have been a skeptic of the iPad’s role as the leader of the “post-PC” era. The Verge looks back nostalgically to 2010 when Apple (AAPL) first introduced the iPad. Steve Jobs heralded the iPad as a “magical and revolutionary iDevice.” It was predicted to play a part in the “post-PC” era of devices. In the subsequent years since the launch of the iPad, many have debated whether the laptop is dead and the PC era over. That hasn’t quite happened yet.
Post-PC era?
The latest financial figures from Apple seem to have gotten this “post-pc” epoch upside-down. Apple now earns more money from Macs than it does from iPads. According to The Verge, Apple made $5.6 billion in revenue from its Mac sales in the most recent quarter and $5.4 billion in iPad revenue. The surprise revenue turnaround casts some doubt on Apple’s “post-PC revolution.” Apple’s iPad sales have been decreasing consistently in recent quarters. Apple doesn’t have an answer to counter the trend.
Rumors of an iPad Pro with a stylus have surfaced over the past year. Sadly, Apple has only chosen to refresh its line with very few improvements. The decrease in iPad sales is likely related to several factors: consumers are not refreshing tablets as often, the iPad has seen few big improvements, and smartphones are still revolutionizing the industry more than tablets.
Macs out-selling iPads
Apple CEO Tim Cook famously rejoiced at iPad sales beating rival manufacturers’ PC sales at the peak of iPad popularity. It’s no longer beating Apple’s own PC sales revenue. Without a major change to the iPad, this could be a trend that continues.
Apple is seeing impressive growth on the Mac side. A 10 percent increase year-over-year in Mac sales has helped push revenues past the iPad level, and Apple has been consistently bucking the trend of a PC market in decline. As for CEO Cook, he still believes in the iPad. “It is what it is. It will play out, and at some point, it will stabilize,” Cook told analysts when asked about the lackluster iPad sales. “I am not sure precisely when, but I’m pretty confident it will.”
CEO Cook’s confidence may be misplaced. As far back as March 2015, people were saying the iPad had no clothes. Business Insider pointed out that sales of the iPad had hit a wall. They cite Credit Suisse analyst Kulbinder Garcha, who believes, and has the data to prove it, that phablets are eating the iPad for lunch.
rb-
Credit Suisse’s Garcha is right when he asks why you would buy an iPad when you can buy a big phone that does everything the tablet does, and more.
Related articles
- Unreleased Apple iPad Prototype Stolen In Kidnapping (valuewalk.com)