Thursday, September 25, 2014

The Bourne Legacy

The Bourne Again Shell, or Bash, has a new remote code execution vulnerability, CVE-2014-6271, that requires your sysadmins to bust out the package manager and patch it. The risk is that you could end up running an attacker's code instead of your own.

Thursday, August 28, 2014

Dropbox goes big with new 1TB of space for $9.99 a month

Dropbox today emailed me with the most awesome information. Dropbox has upgraded all of its Pro users to 1TB of space at no additional charge!

Hi Robert,

We're excited to let you know that Dropbox Pro just got even better!

What’s new with Dropbox Pro?
  • We're giving you 10x the space — for the same price. You'll have 1 TB of space for your photos, videos, docs, and any other files you want to keep safe in Dropbox.
  • With new sharing controls, we’re making it easier to manage access to the stuff you share. You can set passwords and expiration dates on your shared links and grant view-only access to shared folders.
  • Keeping your stuff safe is our top priority. For extra peace of mind, remote wipe lets you delete your Dropbox files off a lost or stolen device.
Learn more about Pro changes

If you are not a Dropbox Pro Member you should become one now.

Thursday, August 14, 2014

The escalation of cyber warfare

The Register website reports "Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar".
Rogue NSA sysadmin Edward Snowden says his former employer has developed software that will automatically attack foreign computers deemed to be a threat – without checking in with a human first.
This only scratches the surface. If the media is reporting this then you can be assured that at a technical level it goes far deeper.

While I do not have specific facts to back that up what I do have is a ton of experience.   I know that throughout my career I have seen many things that have been downplayed for the people who had to receive the news.  This is done for a few reasons.  Most people don't understand the technology they are using beyond the user interface.  I still see people confuse hard drives with memory.  Most people don't want to know how the technology works.  Cell phones and personal computers are as mainstay as the television.  If I ask 10 people how a television works I am lucky if 1 can tell me.  Most people do not have the capacity to learn about computers.  Knowing how a computer works requires logic and math skills.  The large part of the population lacks math skills beyond pre-algebra.   That being said it takes a lot of dedication and education to become good with computers.

I personally think Snowden took a huge bullet for America and he is indeed a hero for doing so.  I have for a very long time known that the information on a computer is completely accessible to the government if they wanted it.  Most people in IT will share this same sentiment too.

So why the concern over this particular article, you ask? Simple: they are reporting about an impending cyberwar that is already happening. I already talked about the reasons most people don't notice. Let's take a quick look at just Wikipedia:

Three heavy hitters there, and these programs already exist and are currently operating. Everyone hears about Chinese and Russian hackers; however, your focus should include the United States. The US culture has been feeding this machine at an alarming rate. Cell phones are the biggest concern. While most people have access to the internet, we as Americans have taken this a step further to include our children. The government wants you to have a cell phone because there is no easier way to track you than your cell phone. Claims that "all Americans have the opportunities and security that phone service brings" may have applied in 1985 with land lines, but this expansion into cell phones is unnecessary. I know I personally grew up without a cell phone.

So how does all this play into cyberwarfare? Freely available cell phones and internet access make it way too easy. Large companies like Google, Facebook, Yahoo and Twitter all have backup locations where your data is kept. While the production server may be impossible to hack, chances are the backup data is easy to get at. Companies often leave the front door open to their data. I recently heard about an organization that has a credit card payment gateway in the basement of their office building. The basement! There is no secure facility involved here and this is your credit card data. Everyone looks at high value targets like Google and Facebook as the places to get your personal information. Fact is, your personal information is stored without your knowledge in locations that would scare you.

Cyberwarfare, and in particular the article at The Register, reveals a scary truth. Bots (not humans) are out there capturing your data. What happens when the bot gets the information wrong, or a bug makes you out to be a terrorist instead of an activist? When the human reviews this data they are not going to question the software that captured it. Bots attacking targets is just as dangerous. Misinformation could easily attack your company website without anyone knowing. Bots could also attack foreign countries and cause escalation of wars without the government involved at all. What would happen if this bot suddenly started attacking Russia right after the President released a statement condemning Russia's actions in the Ukraine? Matthew Broderick in 1983 portrayed a character who was simply playing a game, but the W.O.P.R. (Whopper) took control and nearly started a war. The WOPR, while fictional at the time, is becoming very real today.

We have opened Pandora's box on this and it will never get closed. The governments of the world will continue to spy on electronic data even if we pass laws prohibiting it. People will continue to use cell phones and computers knowing they are being monitored. This is a hard pill for people to swallow; however, the truth is that we need to just start accepting it. We should be focusing our efforts on making sure we have legal rights to prevent the government misusing the data they already have. It is more important right now to know you have rights and that the Fourth Amendment applies to your personal data. This is far more important because once we have these laws in place, even if the government has your data, they can't use it in court. The cyberwarfare will continue but at least we will have some common rules of engagement domestically.


Tuesday, August 12, 2014

Cutting the cord: Antenna vs. Cable and DirecTV

Most of my readers already know that I am all about cutting the cord on cable and DirecTV.  If it was not for cable internet I would truly have all cords cut coming to my house.  That being said I did a lot of trial and error on antennas for my home setup.  This is my personal experience and the products that worked well for me.  I am very cheap so the cost impacts much of my buying decisions.  I tried many indoor antennas until I finally invested into attic antennas.

First thing to know when buying an antenna is that today TV signals are digital.  They are still transmitted over an analog antenna but your reception will either be on or off.  There is no middle of the road with a digital signal.  The skipping you may see with some channels is simply your TV catching some of the signal on or off and doing its best to render it.    That being said don't get fooled into thinking that you need a signal booster.  In fact my experience with them is that they simply don't work.  They amplify both good signal and noise.  My best results were simply using the antenna itself.  Receiving signals from all stations requires that your antenna be able to receive both VHF channels (channels 2-13) and UHF channels (channels 14-51).  You can get an all-in-one antenna or you can get 2 antennas and combine the signals.

I recommend you take the multiple antenna approach. The reason is that it is very unlikely the TV station will be transmitting both UHF and VHF. This means the UHF stations may be in a completely different direction from the VHF stations. With two antennas you can mount them on the same pole.

The antenna I used for VHF was this Winegard HD-1080 HDTV High Band VHF Antenna. I was able to mount this on a pole in my attic and avoid going outside.  This antenna instantly picked up all the VHF channels with no problem at all.

UHF antennas are a different story. This represented only a few channels and they were more difficult to tune in. I used a WINEGARD HD-9032 UHF High-Gain 35-Element HDTV Antenna. I have no affiliation with Winegard; they just happened to be low cost antennas on Amazon that did the job. They actually exceeded my expectations and I was able to mount both of these on a pole in my attic.

Once you have the two antennas mounted you can get this very cheap RCA Antenna Satellite Diplexer Splitter signal combiner.  The splitters also can be used to combine signals.  Combine the two antennas into one and then feed that into your TV/Media Center PC.  All of these parts on Amazon are less than $125.

Once you have this all hooked up in the attic have someone man the TV signals. Then adjust the direction of the antennas until all of your signals are coming in.  Sometimes a turn as small as half an inch makes the difference between getting the digital signal or not.  I had this on the UHF signals all the time.  There is some setup in making sure that you have a good signal.  Once you have this setup then you simply tighten up the mounts.  One more reason that I have these in the attic is that the weather does not impact my reception.  No blowing winds, snow or ice build up or connections that get moisture in them.

Good luck installing your antennas.  Please share or post this article if you found it helpful in cutting the cord.

Monday, August 11, 2014

Machines that control us and could kill us

You should be very afraid of bots. Most people think of bots as automated avatars in a game or perhaps that search engine that crawls the web.  Bots are much more than that and you should worry about the machines that control you.

I'm not talking about The Matrix where the human race is enslaved to machines but rather the control that machines already exhibit on you day to day. Your phone sends you a reminder and you are forced to respond to it. Your car turns on the tire pressure light and you check the air pressure while at the gas station. The robocall tells you that your doctor's appointment is tomorrow at 11 instead of 3pm. All these seem like widely accepted pieces of technology we never second guess.

So on your way to the appointment that was moved to 11 you are sitting at the light in the left turn lane.  Your arrow turns green and pulling into the intersection you are suddenly struck by a semi going 45.  The driver did not run a red light rather the light was still green.  The computer program controlling the lights was reprogrammed.  How?  Any number of ways.  Most people however would not second guess the green arrow.  In fact this was planned because someone had hacked into the Robocall system and the street lamp.  Why?

Hacked Road Sign
Today people talk about securing their private information.  Credit cards, medical records, finances are all secured with encryption and countermeasures to hackers.  Hackers can still get in but we make it more difficult for them.  Nobody ever thinks about the Robocall system or the street lights.  We implicitly trust these systems day to day and they are vulnerable to attack.

Systems that we trust implicitly and systems that control our lives can just as easily kill us.  That may sound far fetched but the Zombies Ahead sign could have easily said MINIMUM 45MPH into a work area with a 25MPH limit.

Take this principle of hacking into low security systems and imagine the possibilities. Hacking into web cams, personal computers, street lights. You could use some of the simplest of systems to not only control someone but kill them. While this may sound far fetched it is so much closer to a reality than you think.

Daniel Suarez wrote the book "Daemon" that illustrates this in brutal detail. Being in IT I have read this book several times and it should be on every adult's reading list to see just how far anyone can be manipulated by a machine. In Daemon and its successor Freedom (TM) Daniel outlines very real and very plausible ways a computer can kill you.

Books like this are not just works of fiction either.  The Therac-25 killed many people because of a computer bug.  A Medtronic heart device was found vulnerable to remote attacks in March 2008.  You can read about many major software bugs and vulnerabilities on Wikipedia's List of software bugs.

Does this mean we should be paranoid about computers controlling us?  Certainly not.  We should simply be looking at security and taking a holistic approach to it instead of securing systems at high risk.  A perfect example of this is the recent Russian hacker attacks and stealing of 1 Billion passwords. Security is often an afterthought.  It should be built in with everything that we do.  Sadly it's not.  We should also have some common sense about using technology but sadly we don't.  The only real way to combat this problem is to educate people.  Daniel Suarez does that in his book and I'm doing that on this blog.  I challenge everyone to review their own security and see just how hackable your life is.

Sunday, August 10, 2014

Chances are Russians hacked your password!

Chances are at least one or more of your passwords are probably hacked.  How?  Quite simply there is not enough security surrounding your password or security in most websites.   You can change this behavior easily and without having to remember a 28 random character password.  In fact it is quite easy to do.

Stories like this one where one billion passwords were stolen illustrate why most passwords are a poor way to secure information. Passwords are hackable through any number of means, from simple cryptography decryption to guesses with common words against hashes. Storage of the password is often very insecure. For example you have web hosting as cheap as $1.99 a year. You can be assured that security is not at the top of the list for that hosting company.

Secure Password Vault
Getting your password is not that hard in most cases. Open source software can often have exploits in it that let hackers get the password file. Most of the time it is an MD5 hash or SHA1 hash which can not be decrypted. However it can be guessed easily if you use a password like "snookie24" or "sean2014" using very common words. You may have signed up on a discussion forum and used the same password as your bank account or even your kid's school website. Using weak passwords which use common dictionary names/words with numbers is very limited in protecting you. Why? I can show you rather easily. Let's say you're using "goldmine" as the password for your bank account. You also use that password for 5 or 6 other sites including a discussion forum. Open source for a while has been using a simple MD5 hash to store a signature of your password. While the password itself can not be pulled out of the hash, the hash can be created and compared against the password database.

To see what I'm talking about just use a simple MD5 Hash Generator to create a hash for "goldmine". The hash for goldmine is 73f74ce5596373a5c4b5cb43486015ef. So how do hackers get your password from this? Easy, a database with dictionary words. You create a database with 2 columns: the password in plaintext "goldmine" and that hash "73f74ce5596373a5c4b5cb43486015ef". Then you simply compare the database you created with all the hashes against the stolen password file. It's that simple. Adding numbers before or after the word doesn't help much as they are usually 4 digits or less. That being said you only added a little less than 20,000 more variables which are very easy to check for.
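The lookup described above, as an added example that is not part of the original post, written as an audit a site owner could run over their own user table, next to per-user salted PBKDF2 storage where a precomputed table no longer matches. The word list, account names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list standing in for a dictionary.
WORDLIST = ["password", "goldmine", "letmein", "dragon"]
ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def md5_hex(password):
    """Unsalted MD5, the legacy storage format the post describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password, salt):
    """PBKDF2-HMAC-SHA256 over the password with the given salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    ).hex()


def build_lookup_table(words, hash_fn):
    """The two-column database from the post: hash -> plaintext."""
    return {hash_fn(w): w for w in words}


def audit(store, table):
    """Return {account: recovered_password} for stored hashes found in the table."""
    return {user: table[h] for user, h in store.items() if h in table}


def new_record(password):
    """Hardened storage: a fresh random salt per account, kept beside the hash."""
    salt = os.urandom(16)
    return salt, pbkdf2_hex(password, salt)


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(pbkdf2_hex(password, salt), expected)


def demo():
    # Constructed forum table using unsalted MD5.
    legacy = {
        "alice": md5_hex("goldmine"),
        "bob": md5_hex("goldmine"),  # same password, so the same stored hash
        "carol": md5_hex("Vq7#plum-tractor-91"),
    }
    exposed = audit(legacy, build_lookup_table(WORDLIST, md5_hex))

    # The same weak passwords stored with a per-user salt.
    hardened = {u: new_record("goldmine") for u in ("alice", "bob")}

    # A table built ahead of time cannot know each account's salt, so even one
    # computed with the right algorithm (fixed salt here) matches nothing.
    fixed_salt = b"\x00" * 16
    kdf_table = build_lookup_table(WORDLIST, lambda w: pbkdf2_hex(w, fixed_salt))
    hits = audit({u: rec[1] for u, rec in hardened.items()}, kdf_table)
    return exposed, hardened, hits


if __name__ == "__main__":
    exposed, hardened, hits = demo()
    print("accounts matched by the MD5 table:", exposed)
    print("accounts matched in the salted store:", hits)
```

Salting does not turn "goldmine" into a strong password; it only forces each guess to be recomputed per account at PBKDF2 cost instead of being looked up once for everyone.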

So my password is hacked, now what? There is some hope. First, if possible, for accounts like Gmail use the 2 factor authentication. This will send you a text message with a 6 digit code that makes it a lot harder to hack your password. The odds of a hacker stealing your phone and your password are very low.

Make stronger passwords to protect yourself. Yes, everyone says this, but how practical is it to enter a random string of 12 characters and remember it? This is where I have a very simple trick that will allow you to enter better passwords. I call it the per-site-password method. This means that even if my password is hacked it's only hacked for that one site.

To make an easy to remember but harder to hack password simply add part of the website domain to your password.  Then use something easy to remember for the rest of the password.  Let me show you how we can make that "sean2014" password considerably more secure with almost no work at all.

So let's say we're going to create a password for facebook.com. Look at the domain name and use that as part of the password. You can use "Facebook", you can use "fb" or you can use "f.com" or any number of easy to remember ways to add the domain to the password. Just make sure whatever method you use, it's consistent for all websites. That way you know it should be in the format you remember.

Now take that domain information and inject it somewhere in your password, always in the same place.

fb.com-sean-2014
sean-2014-fb.com
sean-fb.com-2014

There are 3 versions that add a considerable amount of complexity in decrypting or running hash databases up against it. This gives you something unique per site. It's unlikely an attacker is going to know how that works and track you down on another site. You can even be more creative and add in multiple words before and afterwards. For example .nets use "steve", .coms use "sean" and .orgs use "charlie". So long as you know how the password is created, your password is going to be considerably more secure without having to remember complex passwords.

I also suggest you start changing your passwords. The Russian attack I cited at the top is using passwords and logins to send spam. I'm sure your family and friends will appreciate you changing your passwords instead of your Facebook account sending them a message about ED medicine.

Friday, August 8, 2014

Uninstalling Facebook Messenger is as effective as a tinfoil hat.

Tinfoil protection against Facebook
This article has been gaining popularity and has been reposted on Facebook numerous times. It claims that Facebook Messenger can spy on you. I've seen my friends re-post this and try to uninstall the application. I have seen comments from many cursing Facebook and a few others commenting that it is completely inaccurate. I finally could not take any more and had to blog in response to this article which is inaccurate and full of conjecture. It is time to stop this hoax in its tracks.

I have been working in IT over 20 years. Sam Fiorella (the article's author), from what I can tell from his biography, has no real experience in IT. What his bio claims he does have experience in is Influence Marketing. Clearly his article proves that he is able to influence a lot of people through conjecture and scare tactics. I don't claim to know anything about Marketing but I can say I know a lot about IT and software development. I also like to think I know when someone is trying to pull one over on you.

Sam's article is completely preposterous. Sam states, "Facebook Messenger's attempt to collect so much information and take control of our devices is unprecedented and, quite frankly, frightening". First, none of this is unprecedented. This is all based on some permission settings which authorize the application to control your phone's camera, audio, text messaging and calling functions. He states that 1,000,000,000 users have downloaded the app and it is "alarming insight into the future of mobile apps". This really is nothing new in the mobile world.

Let me explain quite simply why Sam's article has no substance to it. We will put the article aside for now and we will presume for a minute that this nefarious application is hell bent to steal your information. First let's figure out why we would want your personal information. The only purpose I can see for any of your personal information is for marketing & sales. Your phone could in theory report stores you went to, people you socialize with and interests you and your friends have. However you give all this information up freely to Facebook all the time. Through posts, likes and your biography, Facebook already has the information it needs and it uses it to target you with relevant advertisements. Tracking cookies contain far more information about you. I am sure that you have noticed that when you visit a blog like this after doing some shopping the sidebar fills with ads from that store you last visited. It's not magic, it is tracking cookies and remarketing. The Messenger application is not involved in any of this. Yet this seems to be of little concern in the article.


Actual photo from inside my pocket
Application permissions are used to grant the application access to many things.  Android is good at telling you what you are letting an application do to your phone.  If you happen to have an iPhone, don't expect the same treatment.  Sam completely missed that point and indeed iPhone users have been having their data used by Apple and other partners without consent for some time now.  Facebook Messenger may have the ability to record audio, video, SMS and make phone calls but the bottom line is that it doesn't.  How do I know you ask?  Very simply it is too much information for even Facebook and Google to process.  1 Billion downloads of messenger right?  Let us cut that in half to 500 million.  1 minute of HD video is approximately 60MB.  1 Minute of audio at 160Kbps is approximately 1MB in size.  So for just 1 user, for 1 minute you're looking at 60MB of data.  Now multiply that by the 500 million users for a grand total of 30,000,000,000,000,000 bytes per minute.  Or roughly 30 Petabytes of information every minute.  This much information in one minute would not only crush every server Facebook owns but it would likely crash every cell carrier on the planet.  This becomes even more insane when you think about 24 hours in a day.  I can tell you that my phone personally is looking at a ceiling or a nightstand for 8 hours a night.  Then for another good 8 it is on my desk at work.  So for 16 hours a day all you would record is blackness or a ceiling.  Then the 8 I sleep you can hear me snore.  The other 8 you can listen to me at work.  We shouldn't forget all that time my phone is in my pocket either. I frankly am honored that Mark Zuckerberg finds me that interesting.  If you still think Facebook is using your camera, audio, SMS and phone then you probably put on the tinfoil hat.  The lawsuits that would be generated by gathering this information would put Facebook out of business.  
Here is another thought, if all this information was being sent to Facebook wouldn't your data usage be off the chart?  


Image: wikimedia/Jangelo9397
Your privacy is important.  I am in no way minimizing privacy for individuals.  You should have privacy but expecting it on a social media platform is ridiculous.  I am surprised that the Huffington Post article gained so much attention.  The news has had far more interesting privacy issues.  Hold Security reported 1 Billion passwords have been hacked.  This barely hit the radar with most people.  What is amazing is that most people have maybe one or two passwords.  Instead of focusing on real threats to your privacy we have an article that bashes Facebook.  Seriously?  

If the fact that Russian hackers likely have your password doesn't scare you then you should stop over at Packet Storm Security and read some articles there. This is where the real news is regarding your privacy. Facebook is protecting your data far more than it is using it. If you are still concerned, by all means stop using Facebook Messenger. You might also want to stop using your phone altogether. All those pre-installed apps that you have on your phone have the same permissions as Facebook. Oh yeah, and the phone manufacturer can do even more.

The media is not helping anyone by creating sensationalism and using conjecture to scare the public.  People without IT backgrounds certainly should not be suggesting that we uninstall applications to protect ourselves.  Uninstalling Facebook Messenger in no way is going to make you more secure on the internet.