Tag Archive for Security

Why Do We Call Them Dongles

If you remember the days before digital rights management (DRM), you also remember having to connect a piece of hardware to your PC to make a piece of software work. The hardware required to activate your software was commonly referred to as a ‘smart key.’ Smart keys, or dongles, are plugged into a computer port and control your access to one or more software applications – early copyright protection.

The first time I ran into a “smart key” was setting up an Avid video editing system on a fancy new PowerMac G3 back in the day. More recently I saw techs struggle to set up a way to use a “not so smart key” in a high-availability VM environment. “Dongle” now refers to “any small module that plugs in and sticks out of a socket.” But why are these things commonly called dongles, and where did the weird word actually come from? That’s a matter of debate — The Atlantic dangles several promising origin stories.

Dongle origin stories

A Poetic Origin – The oldest theory is that dongle came from the literary world. The article explains that the word “dongle” has frequently been used in poetry as an onomatopoeic term for the ringing of bells (as in “ding-dong”). As an example, this 1915 poem, “The Bells of Berlin”:


The Bells of Berlin, how they hearten the Hun
(Oh dingle dong dangle ling dongle ding dee);
No matter what devil’s own work has been done
They chime a loud chant of approval, each one,
Till the people feel sure of their place in the sun
(Oh dangle ding dongle dong dingle ding dee).

Ummmm – Does that ring a bell with anybody?

A College Entrance Exam – If the poetry idea does not ring true for you, the author offers another theory. They found a claim by Ian Kemmish, in a chat about the etymology of “dongle,” that the word has its roots in a logic question on a Cambridge college entrance exam.

The first time I saw the word was … in 1976 … It was a “logic” question. The question described a mythical computer with various controls … described various combinations of control actions and their outcomes (‘the babbocks break’, ‘the dongles droop’ etc) … ‘dongle’ was coined by someone who had taken that paper … remembered the word used to describe something on a computer that drooped….

Well – Does that origin story make the grade?

Another UK theory – The University of Pennsylvania’s Language Log says the word ‘dongle’ emerged around 1980. They base the claim on the U.K. magazine MicroComputer Printout’s report that dongle “has been appearing in many articles with reference to security systems for computer software.”

A Madison Avenue Invention – If U.K. origins don’t work, the article tries to sell you another one. The word “dongle” appears in a 1992 ad in Byte Magazine for the information-security company Rainbow Technologies (later SafeNet, then Thales). The ad claimed that “dongle” was derived from the name of its inventor, Mr. “Don Gall.” This was untrue; Ben Zimmer in the NYT notes that the story “was so egregiously false that the company happily owned up to it as a marketing ploy when pressed …”

A Corruption of the Word “Dangle” – According to P.B. Schneck in the 1999 IEEE paper Persistent access control to prevent piracy of digital information, the word may be a corruption of ‘dangle,’ … given the shape of most dongles … though that doesn’t directly explain the shift in vowel from “a” to “o.”

It is Magic – The Atlantic seems to give up and attributes the origin of “dongle” to an unknown neologizer. They conclude that “dongle” just sprang up from the mind of some unknown figure in a process of “de novo creation.” One expert blames the phenomenon of phonesthesia, or sound symbolism. He believes dongle “… appeared out of the blue in recent decades — among them bling, bonkers, bungee, dweeb, glitzy, gunk, and wonk.”

rb-

Despite not knowing why we call them dongles – dongles are still with us.

Want to connect your laptop to a television? You’ll need a dongle.

Want to track your dog’s activity? Buy a dongle.

Trying Chromecast? You’ll also be dongling.

They are still causing much frustration and controversy.

The ultimate solution to the HA VM dongle problem was to replace the application. In the interim, they used a Digi AnywhereUSB device, which let more than one VM reach the dongle.

Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

10 More Times McAfee Was in the Spotlight

Updated – 06/24/2021 – John McAfee was found dead in a Spanish jail on 06/23/2021 from an apparent suicide. The Guardian reports his body was found hours after Spain’s highest court approved his extradition to the United States. Mr. McAfee faced federal criminal charges for tax evasion. The charges carried a prison sentence of up to 30 years.

Updated – 10/26/2020 – McAfee’s second IPO did not go as planned. IPO shares of MCFE were pegged to open at $20.00 per share, but the stock was only able to hit a high of $19.50 per share. Barron’s called the McAfee IPO “a broken deal.”

Followers of the Bach Seat still recognize the name McAfee. John McAfee founded the anti-malware company McAfee Associates in 1987. By 1994 he had been forced out, after telling everyone that the Michelangelo virus was going to smash up the world’s computers on March 6, 1992. It didn’t. He looked stupid. McAfee Associates debuted on Nasdaq in October 1992. Even today, McAfee anti-malware still protects 500 million people’s computers.

McAfee was bought by Intel in August 2010 for $7.6 billion. Intel (INTC) had hoped to integrate security into its chips. Intel renamed McAfee “Intel Security” in January 2014. Intel lost interest in running the cybersecurity company and in September 2016 sold 51% of the security firm for $4.2 billion to the VCs TPG Global, LLC and Thoma Bravo. The VCs resurrected the McAfee brand and filed to go public in September 2020.

Now Mr. McAfee is back in the news too. The former 2016 and 2020 Libertarian Party candidate for U.S. president was arrested at the Barcelona airport while boarding a flight to Istanbul on a British passport. He is awaiting extradition to the U.S. on federal charges, including violations of anti-fraud provisions and tax evasion.

The U.S. Department of Justice and the Securities and Exchange Commission filed criminal charges against him. The DOJ charged him with tax evasion, claiming Mr. McAfee did not file tax returns between 2014 and 2018. McAfee is said to have received up to $23 million in compensation in the form of tokens, ethereum, and bitcoin. The SEC accused McAfee and his bodyguard, Jimmy Watson Jr., of “illegally promoting initial coin offerings (ICOs).”

The SEC maintains that “McAfee promoted multiple ICOs on Twitter, allegedly pretending to be impartial and independent even though he was paid more than $23 million in digital assets … denied receiving any compensation from the issuers … McAfee made other false and misleading statements … he had personally invested in some of the ICOs and that he was advising certain issuers.”

The SEC complaint against Mr. Watson alleges that he “assisted Mr. McAfee by negotiating the promotion deals with the ICO issuers, helping Mr. McAfee cash out the digital asset payments for the promotions and … having his then-spouse tweet interest in the ICO.” Mr. Watson was allegedly paid at least $316,000 for his role … investors were left holding digital assets that are now essentially worthless.

This is not McAfee’s first time in the spotlight.

1 – April 2012 – Mr. McAfee’s compound in Belize was raided by the Belize Police Gang Suppression Unit on suspicion that it was a front for making meth. Police discovered an arsenal of weapons and a drug lab that he apparently used in an attempt to purify MDPV, a drug said to enhance sexual pleasure.

2 – November 2012 – Mr. McAfee was wanted by Belize police for questioning in the murder of his neighbor, American expatriate Gregory Faull, 52. He refused to speak with authorities about the case, making him a fugitive in the eyes of Belize authorities. He disappeared for a month.

3 – December 2012 – Mr. McAfee was arrested in Guatemala for illegally crossing the border from Belize in an attempt to find asylum from the Belize police. He was about to be deported back to Belize when he faked a heart attack, telling ABC News, “Sure, I faked it … What would you have done?” His attorney was able to obtain a stay of deportation to Belize for him, and Guatemalan authorities deported him to Miami.

4 – June 2013 – Mr. McAfee released an NSFW video on YouTube slamming the McAfee product.

5 – November 2013 – Mr. Faull’s family filed a wrongful death suit against Mr. McAfee. In June 2018 a Florida court issued a default ruling against him (PDF). The court ordered Mr. McAfee to pay the Faull family more than $25 million.

6 – August 2015 – Mr. McAfee was arrested by the Tennessee Highway Patrol for DUI and possession of a handgun while under the influence. McAfee blamed Xanax. He told CNBC, “I had just that morning received a prescription for Xanax from a doctor, I’d never taken them before.”

7 – May 2016 – He was appointed chief executive chairman of MGT Capital Investments. The penny-stock mobile gaming company became a “technology company” under McAfee. MGT surged more than 1,200% after the announcement that it would transform into a cybersecurity company led by John McAfee. MGT changed its name to John McAfee Global Technologies, Inc.

It was then that McAfee decided to move MGT into mining bitcoin and other cryptocurrencies. He said this would help MGT increase its funds as well as its expertise in dealing with blockchains. The result was an SEC subpoena, a stock crash, and delisting from the NYSE.

8 – July 2017 – Mr. McAfee in full cryptocurrency hucksterism mode tweeted about how cryptocurrencies like Tron (TRX), Verge (XVG) and Reddcoin (RDD) could revolutionize the world. He even promised to do something NSFW to himself if cryptocoin Bitcoin (BTC) didn’t hit $500K within three years.

9 – Mr. McAfee taunted U.S. regulators – In January 2019 he tweeted that he hadn’t filed a tax return for eight years because “taxation is illegal.” In June 2019 he tweeted from Cuba, promoting BeatzCoin (BTZC): “Yes SEC, I’m promoting. Fucking come and get me.”

10 – July 2019 – The Dominican Republic military arrested Mr. McAfee and associates in Puerto Plata after finding several large-caliber weapons without proper documentation. He was deported to London. After landing in London he asked his Twitter followers whether he should also campaign to be British prime minister.

rb-

John McAfee had $100 million when he left McAfee. Now he is broke, paranoid, and a tax dodger. Sounds like a good candidate for U.S. president.

What next? Prison? Up to 30 years if the DOJ has its way. The SEC wants him to pay back his profits and to ban him from serving as an officer or director of any company that sells securities. Let’s see if he can worm his way out of this.


Stay safe out there!



Seven Social Engineering Classics

Social engineering describes the various non-technical attack techniques cybercriminals use to manipulate users. The attacker hopes the user will bypass security or other business-process controls, perform harmful actions, or disclose sensitive information. Beware of these social engineering classics.

Business Email Compromise

Don’t be fooled by official-looking emails, even when the email appears to be work-related. Subject lines such as “Invoice Attached” or “Here’s the file you needed” might be a social engineering classic. To be sure, hover your cursor over email addresses and links before clicking to check that the sender and the type of file are legitimate. Business Email Compromise (BEC) is the most costly form of cybercrime. It stems from faked emails known as BEC scams. A typical BEC scam involves phony emails in which the attacker spoofs a message from a company executive and tricks someone into wiring funds to the fraudsters.
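The “hover over the address before clicking” advice above can be automated at the mail gateway. The Python below is an example added to this post (it is not code from the post or from any vendor it mentions) that checks a message for the BEC tell-tales the paragraph describes: a sender domain that only looks like the company’s own, a Reply-To that quietly redirects answers elsewhere, an executive’s name on an external address, and money-moving language in the subject. The trusted domain, the executive names and the two sample messages are all constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumptions (constructed for this example, not from the post): the
# organisation's own domain, and the executives whose names a BEC
# message would typically borrow.
TRUSTED_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat lee", "sam rivera"}
MONEY_WORDS = {"wire", "urgent", "invoice", "payment", "transfer"}

# Character swaps commonly used to build look-alike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalize_domain(domain: str) -> str:
    """Fold look-alike substitutions so 'examp1e.com' compares equal to 'example.com'."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def bec_indicators(raw_message: str) -> list[str]:
    """Return the sorted list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    subject_words = re.findall(r"[a-z]+", msg.get("Subject", "").lower())

    flags = []
    # 1. Sender domain is a look-alike of ours but is not actually ours.
    if from_domain != TRUSTED_DOMAIN and normalize_domain(from_domain) == TRUSTED_DOMAIN:
        flags.append("lookalike_domain")
    # 2. Replies are silently redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    # 3. Display name borrows an executive's name, but the address is external.
    if from_domain != TRUSTED_DOMAIN and any(n in display_name.lower() for n in EXECUTIVE_NAMES):
        flags.append("executive_name_external_address")
    # 4. Subject pushes for an urgent money movement.
    if any(word in subject_words for word in MONEY_WORDS):
        flags.append("payment_urgency_language")
    return sorted(flags)


# Constructed sample messages.
SUSPICIOUS = """\
From: "Pat Lee, CEO" <pat.lee@examp1e.com>
Reply-To: pat.lee@webmail-provider.test
To: finance@example.com
Subject: Urgent: wire transfer today

Please process the attached invoice before noon.
"""

BENIGN = """\
From: "Pat Lee" <pat.lee@example.com>
To: finance@example.com
Subject: Q3 planning notes

Draft agenda attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_indicators(raw) or "no indicators")
```

Each indicator on its own is weak (a Reply-To that differs from From is common for mailing lists), so in practice the flags feed a score or a quarantine rule rather than an outright block, and the look-alike check should be extended with the organisation’s registered domain variants.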

Vishing

Corporate phone systems are often set up to forward voice mail audio files to employees’ inboxes. While this is convenient, forwarding the files can be risky. It makes it harder to determine if the email is phony or legit. Since 2014, scammers have been installing malicious software through emails designed to look like internal voicemail messages, making vishing a social engineering classic.

With vishing, cybercriminals use an urgent or alarming voicemail message to try to get potential victims to call back with their personal information. Fake caller ID information is often used to make the calls appear to be from a legitimate organization or business.

Free Stuff, a social engineering classic

Free stuff is one of the oldest social engineering classics. Most people can’t resist free stuff, from pizza to software downloads, and they will click just about any link to get it. Of course, nothing is truly free. Sophisticated attackers might send a link to genuine free software, but they send you through their website, which means you may be infected or compromised along the way.

Baiting

Baiting is a variant of “Free Stuff.” The attacker hopes to trick victims into executing code by piquing their curiosity or convincing them to run hardware or software with hidden malware. For example, innocent-looking USB sticks handed out at a conference or casually “dropped” in the parking lot could contain malware, which then detonates when the curious user plugs the stick into their PC. This is how Stuxnet attacked the Iranian nuclear program.

Quid pro quo social engineering classic

Another version of “Free Stuff.” In Latin, quid pro quo means “something for something.” The attacker offers something of genuine worth to the victim and, in exchange, works their way into the target’s network. An example: the attacker poses as tech support, solves a problem for you, and then convinces you to type in a line of code that serves as a “backdoor.” It may also be as simple as trading a candy bar for a password!

Waterholing

This attack plants malware on a website you and your colleagues frequently visit. The next time you surf the site, the malware—such as a remote-access Trojan or RAT—is downloaded to your computer. And just like that, the attacker can begin exfiltrating data from your employer’s network.

Pretexting

Pretexting is another form of social engineering in which attackers create a fabricated scenario that they can use to try to steal the victim’s information. It is a true con game. It relies on the crook fostering a sense of trust in the victim.


Pretexters can also impersonate co-workers, police, banks, or tax authorities, or any individual who could have perceived authority or a right to know in the targeted victim’s mind. In some cases, all that is needed is an authoritative voice, an earnest tone, and an ability to think on one’s feet to create a pretext scenario.

Stay safe out there!



Why Do We Call Them Uppercase?

The typical U.S. user can have up to 130 online accounts and, hopefully, 130 different passwords on those accounts. When setting up the 130 different passwords on those 130 accounts, you have undoubtedly seen the hated message:

Password must include at least one upper case letter, one lower case letter, a number, and a special character.

Why is it called an uppercase or lowercase letter?

It is Gutenberg’s fault

The story goes back to Gutenberg‘s innovation of movable type and the printing press (1450 A.D.). With Gutenberg’s printing press, the compositor (“person who sets the type or text for printing”) stored the individual pieces of metal type in boxes called cases. The smaller letters (along with the type for punctuation and spaces), which were used most often, were kept in a lower case that was easier to reach. Capital letters, which were used less frequently, were kept in an upper case. Because of this old storage convention, we still refer to small letters as lowercase and capital letters as uppercase.

Upper print type case

Lower print type case

Notice that the uppercase letters had slots of equal size, while the lowercase letters (used more often) had slots proportional to their frequency of use (in English).

The terms quickly became convention, because then a typesetter from one press could quickly adapt to another press. Now the terms are so generic that they are used even in handwriting instruction.


No more uppercase in passwords

Fortunately, the tide against using case as a password complexity factor has turned. The National Institute of Standards and Technology (NIST) now recommends that everyone use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase or special characters. NIST SP 800-63B says that enforcing unnecessary password complexity, requiring a mix of special characters, numbers and uppercase letters, is a practice that can stop.
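To make the contrast concrete, here is an example added to this post (not code from the post or from NIST) that implements both rules side by side: the composition rule quoted at the top of the post, and a length-plus-blocklist rule in the spirit of SP 800-63B. The 15-character minimum is the figure the post gives; the 64-character ceiling and the check against a list of compromised passwords are SP 800-63B requirements. The blocklist itself is a tiny constructed stand-in for a real breached-password corpus.

```python
import string

# Constructed stand-in for a breached-password corpus. SP 800-63B requires
# comparing candidate passwords against commonly used or compromised values.
BREACHED_PASSWORDS = {
    "password", "p@ssw0rd", "123456", "qwerty", "letmein",
    "correcthorsebatterystaple",
}

MIN_LENGTH = 15   # the post's recommendation (SP 800-63B's own floor is 8)
MAX_LENGTH = 64   # SP 800-63B: verifiers must accept at least 64 characters


def legacy_complexity_check(password: str) -> tuple[bool, str]:
    """The composition rule quoted in the post: upper, lower, digit, special, 8+ chars."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "ok"


def nist_length_check(password: str) -> tuple[bool, str]:
    """Length and blocklist only, no composition classes, per SP 800-63B."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    # Case-fold and trim so trivial variants of a breached value do not slip through.
    if password.strip().lower() in BREACHED_PASSWORDS:
        return False, "appears in breached-password list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the classic "complex" password, a long passphrase,
    # and a long value that is nonetheless on the blocklist.
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3",
                      "correct horse battery staple", "CorrectHorseBatteryStaple"):
        print(f"{candidate!r:32} legacy={legacy_complexity_check(candidate)} "
              f"nist={nist_length_check(candidate)}")
```

The point the demo makes is the one the post does: “P@ssw0rd” satisfies every composition rule and is still one of the most breached passwords in existence, while a four-word passphrase fails the composition rule and is the better choice. The blocklist catches the passphrase only when it has become a well-known string itself, which is why the list has to be maintained, not typed in once.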

rb-

The distinction between uppercase and lowercase letters doesn’t exist in all languages, though. Certain Eastern and Asian writing systems, including certain Indian, Chinese, and Japanese scripts, do not distinguish between uppercase and lowercase letters.

Stay safe out there!



No Love for 2FA

Everyone has gone to the ATM to grab some cash. Swipe your card, enter your PIN and out comes your cash. We have been doing this for years. Using the ATM is one of the most established uses of the IT security best practice of two-factor authentication (2FA). Let’s break that down.

  1. You present your ATM card to the machine (something you have),
  2. Next, you enter a secret PIN (something you know).
  3. Without both of these things (authentication factors), you don’t get your cash.

Two-factor authentication (2FA) provides an extra layer of protection for system access by asking a user for a second means of identification. 2FA, also called multi-factor authentication (MFA), requires at least two authentication factors, including:

  • A knowledge factor (something only the user knows, such as an ATM PIN);
  • A possession factor (something only the user has, such as an ATM card);
  • An inherence factor (something the user is, such as a fingerprint or retina pattern).

The most popular forms of 2FA include answers to secret questions, a code sent to your phone, or one-time password-generating tokens.

2FA is a way to mitigate the risks associated with unauthorized access, especially in the current COVID-19 era of increased work from home (WFH). And yet, despite these benefits, Computer Economics has posted a report, Two-Factor Authentication Adoption and Best Practices, which studied the adoption and practice of 2FA and says that firms are not using 2FA to the extent they should be to ensure organizational security:

  • 18% do not use 2FA;
  • 25% are implementing 2FA for the first time;
  • 34% practice 2FA formally and consistently.

Why is 2FA needed? Because as followers of the Bach Seat know, username and password pairs as authentication factors suck. CE writes that passwords can be “phished,” stolen, discovered, and cracked in many ways. Humans are as bad at making good passwords and changing them regularly as they are at eating their daily requirement of vegetables.

In the press release, Tom Dunlap, director of research for Computer Economics, said:

The big picture is that 2FA is inconvenient, and users just want access … Users often rebel against it because the extra layer is seen as onerous or unnecessary. However … companies face a wide array of security and privacy threats and 2FA can go a long way to protecting a company.

Inconvenience isn’t the only issue. As I have chronicled on the Bach Seat, each form of two-factor authentication has its own weaknesses. For instance, security questions can often be easily guessed, tokens can be lost, and SMS can be hacked.

rb-

Another issue with 2FA is that it is unevenly implemented, and there’s no central place to check whether a firm has enabled it on its public-facing site. A website, Two Factor Auth (2FA), is trying to fill that void: it is a list of websites and whether or not they support 2FA.

Most of the well-known and commonly used sites and services are listed. The site explains what types of 2FA each firm supports. There’s even a Twitter or Facebook link where you can poke them on social media to start using 2FA, if they don’t support it yet.

Only about a third of firms love two-factor authentication enough to use it well, despite the security benefits it provides to the firm and their customers.

Stay safe out there!

