Tag Archive for Security

| March 18, 2016
Comments Off on Michigan Leader in SPAM

Michigan Leader in SPAM

Michigan Leader in SPAMIn a surprise finding, the New Jersey based anit-malware company Comodo’s Threat Research Labs found that Michigan is one of the leading sources of unsolicited e-mail on the Internet. Unsolicited bulk email is also known as “SPAM.” SPAM is usually considered junk e-mail. The Great Lake state ranked third behind California and New York in spewing out the most SPAM.

MichiganThe Comodo researchers examined all the emails Comodo filtered for customers in the second half of 2015, specifically looking at SPAM. In doing their research, they conducted an IP address analysis of the millions of pieces of email SPAM that came into the Threat Research Labs from their customers.

Through this analysis, researchers have been able to break down SPAM by state and find where it originated from. IP addresses from California (24.37%) and New York (22.36%) sent nearly half of the spam Comodo filtered, while Utah (19.42%), Michigan (10.79%), and New Jersey (3.68%) IP addresses rounded out the top five states.

Comodo State SPAM Map

Fatih Orhan, Director of Technology and lead at the Comodo Threat Research Labs said:

California and New York were not really surprising in terms of the top two states because of population and technology innovation taking place in those geographies — but finding Utah and Michigan in the top five was somewhat shocking

rb-

I have followed the battle against SPAM since 2009. Here are some tips to help protect yourself from SPAM

  • Keep your Junk E-mail Filter updated

Updates are available at Downloads on Office Online. Under Office Update, click Check for Updates.

  • Block images in HTML messages that spammers use as Web beacons

By default, Outlook is set to block automatic picture downloads. To verify your settings are, on the Tools menu, click Options. Click the Security tab, and then click Change Automatic Download Settings. Verify that the Don’t download pictures or other content automatically in HTML e-mail check box is selected.

  • Watch out for checkboxes that are already selected

When you buy things online, companies sometimes add a check box (already selected!) to indicate that it is fine to sell or give your e-mail address to other businesses. Clear the check box so that your e-mail address won’t be shared.

  • DO NOT sign up for commercial mailing lists.
  • DO NOT reply to email or unsubscribe from a mailing list that you did not explicitly sign up for.
  • Configure your email client to send and receive emails in Plain Text or Rich Text Format.

For Microsoft Outlook go to: Tools > Options… and click the Mail Format Tab. Change your Message format to Text Click OK.

Lest we forget, this is the same Comodo that was responsible for releasing 9 fraudulent certificates onto the Internet which, Sophos says impacted the trusted root authority on all default Windows and OS X installations, as well as high-profile websites like:
mail.google.com
www.google.com
login.yahoo.com (3 certificates)
login.skype.com
addons.mozilla.org

Sophos states that this breach allowed an attacker to easily masquerade a malicious website as one of the above with the HTTPS authentication succeeding.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , ,
| January 25, 2016
Comments Off on 2015’s Worst Passwords

2015’s Worst Passwords

2015's Worst PasswordsFollowers of Bach Seat know that passwords suck. For even more proof that passwords suck, the password-management company SplashData released its fifth annual list of the most popular passwords. SplashData studied more than 2 million passwords that were leaked in 2015 and identified the most commonly leaked passwords and those that were least secure from Western European and North American users according to Business Insider.

2015’s worst passwords

SplashData logoMost of the 2015 results are not surprising.

  • 123456 is the most common password. It has been #1 since 2013.
  • Password is the second most common password. It too has been #2 since 2013. Password was the most common password in 2012 and 2011.
  • 12345678 is the third most common password found in the Splash data results. In fact, 12345678 has been the most consistent performer, having been in the #3 place four of the past five years.

One surprise was that the Disney marketing machine was able to get Star Wars related terms into the top 25 worst passwords in 2015.

  1. princess
  2. solo
  3. starwars

Here’s SplashData’s full list. If your password is on here, think about changing it.

25 Worst passwords

20152014201320122011
1123456123456
123456
password
password
2passwordpasswordpassword123456
123456
3123456781234512345678
12345678
12345678
4qwerty12345678
qwerty
1234
qwerty
512345qwertyabc123qwertyabc123
612345678912345678912345678912345
monkey
7football1234
111111dragon
1234567
81234baseball
1234567pussy
letmein
91234567dragoniloveyou
baseball
trustno1
10baseballfootballadobe123
football
dragon
11welcome1234567123123
letmein
baseball
121234567890 monkey
admin
monkey
111111
13abc123letmein
1234567890
696969
iloveyou
14111111abc123
letmeinabc123
master
151qaz2wsx111111photoshopmustang
sunshine
16dragonmustang1234michaelashley
17masteraccessmonkey
shadow
bailey
18monkeyshadow
shadowmasterpassw0rd
19letmeinmastersunshinejennifer
shadow
20loginmichael
12345
111111
123123
21princesssupermanpassword1
2000
654321
22qwertyuiop696969princessjordansuperman
23solo123123azertysupermanqazwsx
24passw0rdbatmantrustno1harleymichael
25starwarstrustno10000001234567football

 

Protect yourself

keep your passwords secureTo keep your passwords secure, you definitely shouldn’t use any of the passwords on the list.

SplashData offers three simple tips to help people protect themselves:

  1. Use passwords or passphrases of twelve characters or more with mixed types of characters;
  2. Avoid using the same password over and over on different websites
  3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.

rb-

What to do if you are responsible for securing systems where your users use these passwords? Stop Them!

This is what makes passwords suck – Implement complexity rules:

  • Minimum of 8 characters
  • A mix of characters, UPPER CASE, lower case, numbers, and special characters.
  • Prevent reusing passwords
  • Blacklist all the above passwords so they can never be used again.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| December 30, 2015
Comments Off on Target Wish List Leaking Your Data

Target Wish List Leaking Your Data

Target Wish List Leaking Your DataThe holiday shopping season has not been merry for mega-mart Target. You would think the mega-retailer that leaked info on 110 million customers would learn how to keep their customers’ info secure but NOOOO. The anti-virus firm AVAST has discovered the Target (TGT) Wish List app is leaking your data, your personally identifiable information (PII).

Data leakThe Avast Blog says that if you created a Christmas wish list using the Target app it is leaking your data.  it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and email addresses.

Alarmingly, for a firm that has privacy issues, the Target app’s backend interface is not secured. This allowed the database to be accessed over the Internet. The author reports that the Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need to parse all the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

Leaking your data

while developers investigate

The JSON file that the AVAST researchers requested from Target’s API leaked lots of interesting data. The leaked data included: users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. The AVAST researchers did not store any PII, but they did aggregate data from 5,000 inputs for statistical analysis.

The AVAST researchers took the sample and looked at which some of the data they got. It included; brands, states the Target app users are from, and the most common names of people using Target’s app.

Leasked info

This appears to be a classic case of security by obfuscation. The app developers created the online API for data that is uploaded by Target. They also set up a separate API in tandem so that the retail chain could download and process the uploaded data – but without any security measures in place.

Target has reached a $39.4 million settlementIn a post on Ars Technica, a Target spokesperson said that it has suspended elements of the app while developers investigate. Hopefully, this should mean that the data-leaking has stopped while the backend has been disabled.

In other Target data breach news FierceITSecurity reports that Target has reached a $39.4 million settlement with banks and credit unions over claims they lost millions of dollars as a result of the massive 2013 data breach at the retailer. The massive data breach at Target exposed the credit and debit card numbers of 40 million customers to hackers and personal information on another 70 million.

The settlement, if accepted, will resolve class-action lawsuits by the banks and credit unions seeking reimbursement for fraudulent charges and issuing new cards. Of the $39.4 million, $20.25 million will be paid to banks and credit unions, and $19.11 million will be paid to reimburse MasterCard card issuers.

cautionary taleThis follows settlements that Target reached with Visa card issuers for $67 million and with customers for $10 million. Target estimated that the breach so far has cost it $290 million, with insurers picking up $90 million, according to a filing with the Securities and Exchange Commission last week. Target is not out of the woods yet. It still has to deal with shareholder lawsuits and a probe by the Federal Trade Commission and state attorneys general related to the data breach.

Fred Donovan at FierceITSecurity says Target is a cautionary tale for any enterprise. Despite handling billions of dollars in credit card transactions, the retailer did not have one person responsible for IT security at the time of the breach. While it had a network security system in place, it did not have IT security personnel skilled enough to recognize an alarm the system set off months before Target discovered the breach.

rb-

Cash is king, especially at Target.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| December 7, 2015
Comments Off on Let’s Encrypt Lives

Let’s Encrypt Lives

Let's Encrypt LivesLet’s Encrypt, an initiative to set up a free certificate authority (CA) on the Intertubes has entered its public beta phase. All major browser makers including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer trust Let’s Encrypt certificates. In their announcement Josh Aas, the executive director of California based Internet Security Research Group (ISRG), which runs the Let’s Encrypt service, wrote:

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt … We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

Encryption to protect communications

Lets Encrypt logoLet’s Encrypt is overseen by folks from Mozilla, Akamai (AKAM), Cisco (CSCO), Stanford Law School, CoreOS, the EFF, and others. Let’s Encrypt was first announced in 2014, (rb- Which I covered here). motivated by a desire to steer organizations towards the use of encryption to protect their communications. A key part of the strategy is offering free digital certificates, which is a radical departure from the very hefty premiums that certificate authorities typically charge.

The Register reports that the free cert is no freebie weakling. Lets Encrypt uses a 2048-bit RSA TLS 1.2 certificate with a SHA-256 signature installed and the server configured to use it. The cert gets an A from Qualys SSL Labs.

Let’s Encrypt to offer free SSL/TLS certs

Secure Socket Layer/Transport Layer Security certificatesLet’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “HTTPS” and a padlock appearing in the URL bar. Unencrypted web traffic poses a security risk. For example, an attacker could collect the web traffic of someone using a public Wi-Fi hotspot, potentially revealing sensitive data.

Besides securing your information going across the Internet from spies and thieves, FierceSecurityIT says another key aspect of Let’s Encrypt is to make it easy to generate and install new digital certificates. The Let’s Encrypt CA uses an open source “automated issuance and renewal protocol” that allows for certificates to be renewed without manual intervention.

automated issuance and renewalThe automated issuance and renewal protocol prevents oversights resulting in certificates for live websites expiring, a situation that does happen from time to time. FierceSecurityIT says that short-term certificates also offer better security by reducing exposure in the event that the private keys are stolen.

rb-

Major technology companies including Google, Yahoo and Facebook have made a strong push for broader use of encryption in light of government surveillance programs and burgeoning cyber-crime.

The point of Let’s Encrypt is that anyone who owns a domain name can use Let’s Encrypt to get a trusted certificate at no cost. This will help HTTPS become the default. This is a big step forward in terms of security and privacy.

Instructions for getting a certificate with the Let’s Encrypt client can be found here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| November 24, 2015
Comments Off on Television Sells Your Viewing Habits

Television Sells Your Viewing Habits

– Updated 03-26-2017 –  Vizio will pay $2.2 million to the FTC and the state of New Jersey to settle a lawsuit alleging it collected customers’ television-watching habits without their permission.

In addition to the $2.2 million in payments, Vizio will now have to get clear consent from viewers before collecting and sharing data on their viewing habits. It’ll also have to delete all data gathered by these methods before March 1st, 2016 according to the Verge.

Television Sells Your Viewing HabitsJust in time for the Black Friday consumerism orgy of spending, Help Net Security reports that you are giving away more than cash when you buy a Smart Television from Best Buy or whoever. It turns out that owners of Smart TVs manufactured by California-based consumer electronics company Vizio (VZIO) viewing habits are being tracked and sold to third parties. The Vizio privacy policy says;

Vizio logo… VIZIO will use Viewing Data together with your IP address and other Non-Personal Information in order to inform third party selection and delivery of targeted and re-targeted advertisements … delivered to smartphones, tablets, PCs or other internet-connected devices that share an IP address or other identifier with your Smart TV.

Vizio’s competitors Samsung (005930) and LG Electronics (LGLD) can also track users’ viewing habits via their smart TV offerings, ProPublica‘s Julia Angwin pointed out, but the feature has to be explicitly turned on by the users. The collection of viewing data by Vizio’s Smart TVs is turned on by default, as is the Smart Interactivity feature that manages it.

Data miningAccording to the IEEE, Vizio smart TVs can track data related to whatever TV programming and related commercials you’re watching and link such data with the time, date, channel, and TV service provider. On most of the over 15 million Smart TVs sold, Vizio will also track whether you view TV programs live or later on. Vizio knows what you’re watching even if it’s a DVD being played on a gaming console or a show being watched via cable TV. The identification tracking technology can differentiate between 100 billion data points.

While, in theory, IP addresses are not personal information, they actually can be linked to individuals if there is enough information (specific attributes like age, profession, etc.) tied to it.

Data collectionProPublica‘s Angwin’s sources, tell her that Vizio has been working with data broker Neustar to combine viewing data with this type of information about the user.

Even though users can turn off the spy technology, which will not won’t affect the device’s performance, the problem is that many, many users won’t bother reading the privacy policy or change the default settings once they set up the TV and start using them.

TechHive reports that backlash against intrusive spying has started. Two lawsuits (Reed v. Cognitive Media Network, Inc. (PDF) and David Watts et. al. v Vizio Holdings Inc et. al. (PDF)) have been filed in California against Vizio and their partners about their data collection habits.

The suits accuse Vizio and Cognitive of secretly installing tracking software on the former’s smart TVs in a way that violates various federal and state laws.

Legal systemThe suits allege that Vizio violated the Video Privacy Protection Act. The Video Privacy Protection Act prohibits any company engaged in rental, sale, or delivery of audio-visual content and not necessarily just videotapes from divulging any personally identifiable information about its customer to a third party, except where the customer has clearly consented to such data sharing.

Of course, Vizio has previously argued it’s not a videotape service provider at all, and so this particular law doesn’t apply to it.

rb-

I pointed out as far back as 2011 that Smart TVs are a dumb idea for privacy.

Consumer Reports offers tips on how to stop your Smart TV from spying on you here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »