Thanks to everyone who read my ruminations here in 2013. May you Flourish and Prosper in 2014.
It’s hard to believe that Windows XP is almost 13 years old. It seems like yesterday when it was first released. Microsoft will officially end support for Windows XP in less than four months (April 8, 2014) meaning — for one thing — that they will no longer release security updates for the operating system. Moreover, third-party vendors will likely stop development of XP-compatible drivers and whatnot. This will leave anyone still using XP with a machine stuck in time, forever doomed to insecurity and running stagnant software. To all intents and purposes, it’s time to upgrade to Windows 7 or Windows 8.
But what if you can’t (or won’t) upgrade? Some older hardware may not run Windows 7 or 8 properly or you may have a special application that won’t run on anything but XP. Perhaps you’ve kept your system finely tuned and, like me, see no need to invest in new equipment (I still run some some amateur radio software under FreeDOS on a 90’s vintage IBM ThinkPad and it works just fine).
Get used to the idea that you are not going to be able to maintain the level of security you enjoyed before and that you are going to have to upgrade eventually (or switch to Mac which is, in the main, what I am doing). For now, there are still some things you can do to maintain some relative security while running XP. I’ll cover the other points in Part 2. For now, the main thing you can do is switch away from Internet Explorer. Version 8 is as high as you can go on XP and version 8 is just not that secure. Most exploits happen via the web browser these days and you don’t want to help out the hackers by using one that’s easily exploited. Move to Chrome or Firefox. You must keep IE 8 installed and updated, just don’t use it for web browsing.
Now, go have a great New Year celebration and I’ll see you in 2014.
For both personal and technical reasons, I am posting this a few hours late. But, since the spirit of Christmas should be with us every day of the year, it’s never really too late. Merry Christmas to you and all your loved ones.
Your PC or laptop is a disloyal little traitor. She (or he, if you prefer) is happily sitting there chattering away, revealing your RSA keys to anyone who cares to listen. Yes, my friend, even RSA isn’t good enough anymore.
No, it’s not April first, and no, I’m not making this up. A Debian Security Advisory, DSA-2821-1, CVE ID, CVE-2013-4576, issued December 18, 2013, gives the scoop:
Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts.
The Shamir is Adi Shamir, the S in RSA.
Those of you who have been around for awhile will recall that “listening” to the emissions of CRT screens — known as “Van Eck phreaking” — was once used as a way to eavesdrop. (The link points to a fascinating video. Check it out.) The researchers’ approach is similar, but exists in the acoustic rather than the electromagnetic realm.
I admit my lead is a bit over the top. For someone to pull off such an attack requires physical access to the equipment and a whole lot of tinkering as detailed in their report. But it works, and if the obstacles can be overcome, it’s a real threat. I highly recommend you study the paper. You’ll learn why data security isn’t as simple as you think.
For those of you who may be super paranoid about such things, here are some ways to interfere and, perhaps, thwart such an attack as presented in the Naked Security blog post:
1. Disabling auto-decryption of received emails.
2. Putting your mobile phone in your pocket or bag before reading encrypted emails.
3. The presence of background noise.
4. “Decoy processes” running on other CPU cores at the same time.
I don’t often write short posts that are mostly the content of others’ blogs, but this one is too good not to share with you. From Naked Security, “Five minute fix: Keeping your kids safe online with parental controls:”
We hear too often about predators targeting and grooming kids online. But the internet has also increased the potential dangers for kids in other ways too. The biggest of these, and perhaps most well publicised, comes in the form of cyber bullying.
. . .
By following our tips for some of the more popular platforms your kids are likely to be using, you can increase their chances of staying safe and emotionally secure online.
Hopefully the short summaries above should allow parents to implement a degree of control that they are happy with over the devices their children are likely to be using.
Data breaches have been big news over the past couple of years with some big players leaking huge numbers of online accounts and email addresses. These accounts are now “pwned,” being subject to illicit use by hackers. Here are some of the big players and the number of compromised accounts:
- Adobe – 152,445,165 accounts
- Statfor – 859,777 accounts
- Gawker – 532,659 accounts
- Yahoo – 453,427 accounts
- Pixel Federation – 38,101 accounts
- Sony – 37,103 accounts
The countermeasure is to make sure all of your accounts have strong passwords and that the passwords are not duplicated from one site to the next.
To find out if any of your accounts have been pwned, you can visit http://www.haveibeenpwned.com, enter your email address (you can check as many email addresses as you want) and click the “pwned?” button. You’ll get one of two responses as shown below:
The one above shows you’re OK. No need to fret about it. If you get the one below, you had better take action.
Oh, oh! You’re pwned. Change your password immediately to something strong and be sure you’re not using the same passwords on multiple sites.
If you don’t understand Net Neutrality, perhaps this video will enlighten you. It shows what the ISPs want to do to kill the idea, and why. That’s all I’m going to say. Arrive at your own conclusion after viewing this informative (and refreshingly snarky) video.
In its annual report issued in April of 2013, the Electronic Frontier Foundation examined the policies of major Internet companies to assess whether they publicly commit to standing with users when the government seeks access to user data. This, of course, is in response to the revelation that the NSA has literally been spying on every single U.S. citizen. They have been posting updates regularly showing who is doing what. The latest, UPDATE: Encrypt the Web Report: Who’s Doing What shows a good picture of what is happening to your information as it passes through various providers and services.
We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. We’re pleased to see that four companies—Dropbox, Google, SpiderOak and Sonic.net—are implementing five out of five of our best practices for encryption. In addition, we appreciate that Yahoo! just announced several measures it plans to take to increase encryption, including the very critical encryption of data center links, and that Twitter has confirmed that it has encryption of data center links in progress. See the infographic [Which I have also provided below… Ed].
Regardless of your opinion of what Edward Snowden has done by leaking NSA documents, the result is that ISPs and other public service providers have become security conscious to a high degree. This is a good thing.
Microsoft Security Advisory (2914486) warns of a zero-day vulnerability in a kernel component of Windows XP and Windows Server 2003 that can result in an elevation of privilege: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”
It does not affect newer versions of the desktop or server OS beyond XP and Server 2003.
It’s not critical. “An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.”
If you’re worried about it, here’s what to do:
“For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild.”
To implement this workaround, follow these steps:
- From an elevated command prompt, execute the following commands:
sc stop ndproxy
reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
- Restart the system.
Microsoft warns: “Disabling NDProxy.sys will cause certain services that rely on Windows Telephony Application Programming Interfaces (TAPI) to not function. Services that will no longer work include Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN).” If you have problems after doing this and have to undo the workaround, here’s how:
- From an elevated command prompt, execute the following commands:
sc stop ndproxy
reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\ndproxy.sys /f
- Restart the system.
The recent Adobe hack revealed that people still haven’t been listening, don’t care or are just too lazy to bother coming up with good passwords. Here is some interesting data about that hack from this article at ITProPortal:
Security researcher Jeremi Gosney conducted a study on the massive dataset, assessing which passwords were most frequently used by Adobe users.
According to the research, “123456” came out as the most popular password, with 1.9 million instances, representing 1.26 per cent of all users. This was closely followed by “123456789”, “password” and “adobe123″.
“1234567890”, “1234567”, “1234”, “123123”, and “abc123″ were strong contenders too, all featuring in the top 20 passwords used.
Slightly more surprising are “qwerty” and “azerty” (the first six letters used on keyboards in France and Belgium), as well as the touching “iloveyou”.
I hope you’re not one of those whose password matches any of these. Better yet, I hope you’re not one of the people whose credentials were compromised.
You can check to see if your email is among those who were leaked by entering it here: http://adobe.cynic.al/ at the “Adbobe Leaked Credentials Checker.”
Even if you find you are safe, please change your password if it’s a weak one, especially if it’s one of the ones listed above. And if you have ever used that password — or any password — at more than one site (heaven forbid at your banking site), fix that problem, too.