Everything posted by LSW

  1. Web Developers, much of my posting to date has covered protecting yourself. Let's talk about protecting your customer and their users. I cannot state this any stronger: Strong Passwords! If it takes little effort to break a password, then the site you built can be hijacked to pass out malware.

     Database design: consider making it a tiered design. Sensitive data in a red zone, encrypted and password protected with strict access permissions. Less sensitive data in a yellow zone that has lesser protection and more access, and simple stuff in a green zone with just password protection and general permissions. If you use look-up tables that state that "2 = married with children", that is a look-up table and needs little protection. But all sensitive data should be encrypted so that if adversaries do get to it... they can't read it.

     Be aware of SQL Injection attacks. If you allow data to be added to a website, make sure it is checked. If you allow basic comments with no security, an adversary could insert JavaScript into that comment that does really bad things. Malware Detection - Discovering Cross-Site Scripting Attacks

     Watering Hole Attacks. I think the LastLine blog defined it rather well: "In a network watering hole attack, cybercriminals set traps in websites that their target victims are known to frequent. Often the booby-trapped websites are smaller, niche sites that tend to have limited security. These sites can include business partner sites or small websites that provide specific products, services, or information to the target company or industry. When visited, the compromised website infects the target end-user's computer or device with keyloggers, ransomware, and other types of malware." The issue here is really about protecting the web sites you build from being the watering holes that infect your customers' users. Network Security and Watering Hole Attacks

     As I come across tips for securing your web sites, I will expand this thread.
  2. Here we have a hardware trust issue: Built-in Keylogger Found in MantisTek GK2 Keyboards - Sends Data to China. Now one can see how counts of key presses may be of interest to a manufacturer, but you are not being told that data about your usage is being collected. It could be modified to log all that you type to get passwords. But every language has its most common characters, so we know those are pressed a lot; we know what keys gamers use as well, so those get a lot of hits. So considering that, is there really a reason to log key strokes? This person uses these keys more than average, so they are likely a gamer, so we will sell that data to a game company for them to advertise to. Do you see the issue here? Any data about you can be monetized so someone else makes a profit off your data but you.
  3. TOR Project

     What's New
     • Tor Browser 8.5.2 Released — Update to Fix Critical Firefox Vulnerability [6/19/2019]
     • Tor Gets An Upgrade – The Fall Harvest [11/28/2017]
     • The Tor Project to Beef Up Privacy with Next-Generation of Onion Services [11/6/2017]

     Vulnerabilities
     • Warning: Critical Tor Browser Vulnerability Leaks Users' Real IP Address - Update Now [11/6/2017]
  4. We get a lot of questions about learning, but part of getting a job is also experience. Volunteering is not just a way to get experience but also to build up a body of work, and employers do tend to like people who volunteer. So how can I get experience? What are you thinking with volunteering?

     1. Teaching: This will depend on your experience and area. In Germany I helped Youth Club staff build good web sites. Here in Juneau I did a seminar for local businesses. Here at Killersites I have learned things or made "mental connections" as I have tried to teach or help many of you with your issues. Often when helping others you realize other ways of doing things that you never considered before; you learn things answering others' questions. Maybe teach a local high school computer club good web design.

     2. Free web work: Like many others I did web work for some non-profit sites. I did the work for free, so they got a cheap web site and I had a web site to show besides my own and a professional reference for my application. Look around at charities, churches, and other non-profit entities online or in your area.

     3. Volunteering: Naturally any place you volunteer will aid you. I will stick with IT work here though. Even if it is not web design, you have more computer experience than most average folks, so you can be of great help just doing basic IT stuff. You will also learn new skills and experience other IT areas you like more. I started in web design, then went to programming and am now my division's cyber security person. So, do not fear volunteering for "other" IT work.

        A. Red Cross/Crescent – The Red Cross works differently in different countries, so I can only speak to the American Red Cross (ARC), but my guess is that the Canadian Red Cross, Deutsches Rotes Kreuz e.V., etc. will have the same needs, just other terms.

           i. Disaster Services Technology (DST): The ARC is going digital more each year; many of the tools they use are online. Every time ARC volunteers deploy to a disaster, some of the first ones in are DST, and there are never enough DST volunteers. So, as long as volunteers are in the field at disasters, so are their technical support.
              • Computers: There is a sub-team that handles passing out, setting up, managing, maintaining and collecting computers. Also support for the apps used.
              • Networking: A sub-team that specifically deals with networking, connectivity, and servers. Big disasters like this fall will have field servers deployed; many communications may be down, so we set up satellite internet connections. We use wired and WiFi connections, routers, switches and set up printers.
              • Communications: This sub-team passes out and supports smart phones, tablets, handheld and mobile radios, radio base stations, antennas etc.
              • Customer support: This is basically the help desk folks who help the users.
              [NOTE: these are the four official jobs in DST, but the disaster decides the actual build. You may find yourself doing multiple jobs if the disaster is not as big or there are not enough volunteers. DST from hurricane Harvey is still in the field from all over the country, and it is usually a two week deployment, so they constantly need people, so there may not be enough. I am the only DST member for all of SE Alaska]

           ii. IT End User Services (IT EUS) – Another ARC group to consider for those times between disasters. This is really just the IT shop for the ARC broken into regions. I am currently going through the process. As an EUS volunteer I will be dealing with maintenance and troubleshooting of ARC computers in my area, helping other volunteers and staff with their computer problems, running updates etc. Again, I am the only EUS person for SE Alaska; the nearest are almost 6 miles away in Anchorage.

           iii. There are many other volunteer jobs for logistics, shelter workers etc. with any of the Red Cross/Crescents as well, both day to day and in disaster situations.

        B. CyberPatriot – CyberPatriot is a national youth cyber education program run each year by the Air Force Association (AFA) and partners. The AFA sees the lack of cyber security trained people in the US workforce to be a National Security Issue. They want to get more youth interested in STEM and computer jobs and increase the number of women in the IT sector. You can volunteer as an assistant coach for teams in your area, or you can contact schools or organizations in the area to coach your own teams. This competition is not just for the geeks; it is built for people, teens or coaches with no idea about computers and/or cyber security to be able to compete, as the whole idea is to get kids not interested in computers to reconsider. It is a two-part program.

           i. The education part entails teaching youth to use the internet in a safe manner. They support schools or others running cyber safety summer camps and such activities.

           ii. Part two is the CyberPatriot Cyber Defense Competition, where teams from across the US (I think Canada too) made up of teenagers compete nationally for the best score finding vulnerabilities and securing a server system. Teams can be from schools, military organizations like JROTC or Civil Air Patrol Cadets for instance, and other groups like boy scouts. They are even pushing for all-female teams.

        C. Civil Air Patrol – Quite widespread down south, CAP is a civilian corporation owned by the US Air Force. Its task is the primary Search & Rescue agency in the US. Primarily for missing aircraft, but also hikers, boaters, etc. They are all volunteers and always need pilots, air crews, ground search personnel and those to run the search. Among other squadron jobs, there is an official job for IT personnel. So, check your local CAP squadrons, volunteer and maybe be their IT shop, or if they have Cadets, offer to coach a Cadet CyberPatriot team.

        D. National Collegiate Cyber Defense Championship – I have not dealt with this group, but it is a college version of CyberPatriot more or less, just for college students. If you live in a college town this may be another possible point to help out.

     This is just a partial list based on what I generally have had experience with. Anyone else have suggestions, even from their own countries, go ahead and add it. Just remember that when you volunteer you help your community and yourself. You can gain much broader experience that can only help you get jobs or pad your university application. Getting into cyber type stuff will give you a deeper grasp of computers and servers and help ensure your future web design customers have secure web sites.
  5. I do not need to get into detail about the high profile data breaches of recent times; you are sure to know of most of them. Malaysia just had a breach of 46 million mobile phone numbers and some have been found for sale or free on the dark web. So how do you find out if your data is out there in the dark web? One way is: Have I been pwned? https://haveibeenpwned.com/ Just enter your data, for instance your email, and it will check its database to see if your email has been found on any websites serving up breach data.
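The email search on the site above runs in the browser, but the same service publishes a Pwned Passwords range API that is worth understanding as a design, because it lets you check a password against breach data without ever sending the password or its full hash. The client hashes the password with SHA-1, sends only the first five hex characters of the digest, and receives every hash suffix that shares that prefix along with how often each was seen. The following is an added example, not code from the post or from Have I Been Pwned: `SAMPLE_RANGES` is a constructed stand-in for the HTTP response (only the suffix for SHA-1("password") is a real value; the other line and both counts are made up), and `offline_fetch` stands in for the HTTPS GET a real client would perform.

```python
import hashlib

# Documented endpoint shape of the Pwned Passwords range API (prefix = first 5 hex chars).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample responses keyed by prefix. The real endpoint returns
# hundreds of "SUFFIX:COUNT" lines per prefix; the count 3730471 is invented.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E2D0C3A5F4B6C7D8E9F0A1B2C3D4E5F6A7:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    ),
}

def split_sha1(password: str) -> tuple[str, str]:
    # Upper-case hex SHA-1 of the password, split into the 5-char prefix that is
    # sent to the service and the 35-char suffix that stays on the client.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(prefix: str) -> str:
    # URL a real client would GET; nothing about the password beyond 20 bits leaves the host.
    return PWNED_RANGE_URL.format(prefix=prefix)

def count_matches(range_response: str, suffix: str) -> int:
    # Scan the returned "SUFFIX:COUNT" lines for our suffix; 0 means not in the corpus.
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0

def offline_fetch(prefix: str) -> str:
    # Stand-in for an HTTPS request to range_url(prefix); serves the constructed sample.
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password: str, fetch_range=offline_fetch) -> int:
    # Number of times the password appears in the breach corpus, per the fetched range.
    prefix, suffix = split_sha1(password)
    return count_matches(fetch_range(prefix), suffix)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
```

The privacy property lives in `split_sha1` and `range_url`: with 20 bits of prefix, every request maps to thousands of candidate hashes, so the server learns which bucket the password falls in but not which password it is. To go live, replace `offline_fetch` with a function that performs a GET on `range_url(prefix)` and returns the body text.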
  6. Senate Grills Tech Giants Over Russian Fake News
  7. I learned C/C++ back in '02 in Germany... I have never had a reason to use it in all the years since. I learned Python back in 2000 in Germany as well; they said it was the future. It took over a decade, but sure enough I do see a lot of job postings and references to Python applications now. I found it easy to learn and remember. I would write Python in my head trying to talk my kid to sleep... "Bracket open, bla bla bla, bracket closed". I actually fell asleep first, and she wants nothing to do with programming now that she is in college! I might also add that more and more cyber security software I see is Python based. Java has so many vulnerabilities it is scary. So yea, C/C++ knowledge has helped me learn other languages because I already understood much of the theory and structure, but in fact I would say as a career, Python is a better choice. I am trying to get our new boss in my office to switch us to Python as a security issue.
  8. Firefox/Mozilla

     What's New
     • Firefox Web Browser Now Blocks Third-Party Tracking Cookies By Default [6/4/2019]
     • Firefox Quantum: New Firefox browser [11/16/2017]
     • Firefox 58 to Block Canvas Browser Fingerprinting By Default to Stop Online Tracking [11/1/2017]

     Vulnerabilities
     • Firefox 67.0.4 Released — Mozilla Patches Second 0-Day Flaw This Week [6/20/2019]
     • Firefox Releases Critical Patch Update to Stop Ongoing Zero-Day Attacks [6/19/2019]
     • Update Your Firefox Browser to Fix a Critical Remotely Exploitable Flaw [1/31/2018]
  9. Microsoft Engineer Installs Google Chrome Mid-Presentation After Edge Kept Crashing This was just too funny not to post.
  10. LSW

    Current Threats

    iPhone Apps With Camera Permissions Can Secretly Take Your Photos Without You Noticing https://thehackernews.com/2017/10/iphone-camera-spying.html
  11. Oh oh, now they will come after me. They'll think: "Oh, they like our key idea!" and then when they see what I really wrote about it... I guess all my wife's packages will not only be wet but left in the drainage ditch. LOL
  12. On the other hand, being open source, more good folks are snooping through it as well and any bad code is quickly found and fixed. It seems counterintuitive, but in the security community open source is considered a positive, because the code can be reviewed at all times. Code that is closed source is looked upon cautiously because we don't know what all it does and if there are poor practices, vulnerabilities or even back doors in place. So as we have touched on good and bad, ALWAYS download open source software from known and trusted developers. They often include a signature you can check against to ensure it is the real deal; otherwise I can download open source, stick my own code in and offer it for download.
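Checking a published signature needs the project's public key and a tool such as gpg; the simpler check that sits next to it on most download pages, a SHA-256 checksum list in the usual `sha256sum` layout, has the same shape and can be shown offline. The following is an added example, not code from the post or from any particular project. `SAMPLE_DOWNLOAD` and `SAMPLE_SUMS` are constructed stand-ins for the file you fetched and the checksum list the developers publish beside it; a real checksum list only protects you if it (or the signature over it) comes from the developers' own site over HTTPS rather than from the same mirror as the download.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded archive (its SHA-256 is the digest below).
SAMPLE_DOWNLOAD = b"hello world\n"

# Constructed SHA256SUMS-style list: "<hex digest><two spaces><filename>" per line.
SAMPLE_SUMS = (
    "# checksums for release 1.0 (constructed sample)\n"
    "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447  tool-1.0.tar.gz\n"
    "0000000000000000000000000000000000000000000000000000000000000000 *other-file.zip\n"
)

def parse_sums(text: str) -> dict[str, str]:
    # Map filename -> lower-case hex digest. Accepts both "  name" (text mode)
    # and " *name" (binary mode) separators that sha256sum emits; skips comments.
    sums: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_download(data: bytes, filename: str, sums_text: str) -> bool:
    # True only when the list names this file and its digest matches the bytes we have.
    # compare_digest avoids leaking where the comparison diverged through timing.
    expected = parse_sums(sums_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)

if __name__ == "__main__":
    print("genuine :", verify_download(SAMPLE_DOWNLOAD, "tool-1.0.tar.gz", SAMPLE_SUMS))
    tampered = SAMPLE_DOWNLOAD + b"# one extra byte\n"
    print("tampered:", verify_download(tampered, "tool-1.0.tar.gz", SAMPLE_SUMS))
```

A mismatch tells you either the download was corrupted or someone altered the archive on the way to you; in both cases the right move is to discard it and fetch again from the developers' site, not to "fix" the checksum.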
  13. LSW

    Current Threats

    Hackers Could Turn LG Smart Appliances Into Remote-Controlled Spy Robot https://thehackernews.com/2017/10/smart-iot-device-hacking.html
  14. jQuery Official Blog Hacked — Stay Calm, Library is Safe! https://thehackernews.com/2017/10/jquery-hacked.html
  15. Amazon Key takes deliveries to new level: Inside your home https://www.cnet.com/news/amazon-key-takes-deliveries-to-a-new-level-inside-your-home/ This is another example of IoT (Internet of Things): a house lock and cameras connected to the internet. Now I will admit, like many other IoT items, this sounds very useful. Here in my little rain forest corner of Alaska it has literally rained 90+% of the days this summer. My wife buys a lot online and then we get home and find soaked boxes in front of the door. Yea, so this would be an awesome service! But is it secure? It may not be well covered in local news, but in the security field it is well known that most security cameras in homes these days have crap for security software and are easy to hack into. When they created the lock, did the manufacturer have a good team looking at it from the security point, or can a hacker easily crack your house lock online and let people in? There is a case recently where a lock company downloaded the wrong update to locks: Smart Locks Receive Bad Update; Hundreds Taken Offline. So, aside from general human laziness etc. saying how great the idea is... Anyone wondering if this is a real good idea from the cyber security point of view? Anyone feeling a bit queasy at the idea? Anyone wondering what your insurance will think about this (not pay or raise rates?) Anyone wondering who is liable if it is hacked and your house is ransacked?
  16. That is a question that in some variation you have all asked; that is good. Telling yourself you're unimportant in some variation and at lesser threat, that my friends is not so good. I do believe this link is posted in another thread, but I decided it needs to be highlighted, right here at the top for new visitors to this forum, so it catches their eye and they hopefully come to understand that regardless of who you are: Hackers ARE interested in YOU! As well as your grandparents, parents, spouses, siblings, and children who have computers. So get your PC squared away and then start working on them and help them protect themselves. This article is about why they want your computer, but a lot of it is the same for your mobile devices and in some cases even your IoT (Internet of Things) devices like smart TVs and gaming systems with online access. Your data is valuable, from identity theft to selling your data and movements to advertisers. Your email has its own value, as I will show in another article. Regardless of who you are or who you think you are not, you are still a target! The Scrap Value of a Hacked PC, Revisited https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
  17. LSW

    Current Threats

    For Dell users, Dell recently lost control of the servers used to save your backups. This server is called on automatically and behind the scenes without your input. It is used to reset your computer to factory fresh settings. They lost control of the server this summer. On the off chance that you did a refresh of your computer to Dell's purchase state in June or July, you might want to keep an eye on the story, as Dell is not being very forthcoming with details. It is again a matter of trust. Dell lost control and Dell users can suffer. If you are concerned you can get a version of your Windows straight from Microsoft that will also be free of Dell's bloatware they force on us. Or best yet, just install Debian (Linux). Dell Lost Control of Key Customer Support Domain for a Month in 2017 https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/
  18. You may have seen my two recent posts about Cyber Threats, Bad Rabbit and CoinHive. In the first I said to block all Flash, in the second block all JavaScript.

      Flash: As many of you know this is dying out and has always been a major security vulnerability. As it is dying out you can usually block it without much issue.

      JavaScript (JS): I have always preached against JS, before because it was not always supported, like with early cell phones, and because people like me often turned it off and web site readers could have issues with it. But face it, web sites still use it and it has grown rather than diminished in popularity. You cannot reasonably block it without breaking many sites you go to. So, what to do? Eventually I will post a tools thread, but this is important enough for its own thread. In the CoinHive story I pointed out that more and more sites are placing JS on their sites that mine cryptocurrency like Bitcoin using YOUR CPU, but WITHOUT your knowledge, WITHOUT your permission, and WITHOUT sharing the profits with you (.05 Bitcoin is about $285 as of this writing).

      NoScript: This is the quickest and easiest thing to use. It is a Firefox plugin you can get from Mozilla. By default, it blocks everything. Once installed most web sites will be broken. It takes patience, but as you visit sites, you will need to give permissions for the sites. You can allow the base website permanently. Same goes for some other clear needs. The rest, you can leave them blocked, or allow them temporarily to see which are required for the site to work and which ones are just fluff or downright invasive. Don't need it? Don't allow it. Don't allow Facebook, don't allow Google Analytics; these are tracking you and are not needed to use the sites. It also blocks Java (many vulnerabilities), Flash (massive vulnerabilities), and some other hazardous things you may not know about.

      uBlock Origin: This name exactly! uBlock is a different software! uBlock Origin is another Firefox plugin. It does much the same as NoScript and much, much more. It is theoretically the better of the two if you have serious issues with your privacy/security. It also has a bit of a learning curve. I intend to use it but have yet to find the time to really sit down and learn how to use it correctly. NoScript is fine for most of you, but if you want more control over what happens in your browser or you're paranoid, put the time in to really understand uBlock Origin so you can set it up correctly. There are videos on YouTube on how to use it, so check it out first. It can also replace ad blockers.

      uMatrix: uBlock Origin's big beefy brother. It is almost identical, but offers the ultimate control over what happens in your browser. It can also replace ad blockers. This should be held in reserve until you are well versed and comfortable with uBlock Origin. It is only for advanced techno types.

      Remember, these will be a pain in your butt to begin with and you will want to just get rid of them... do not do that. These can protect your privacy while surfing. Google Analytics tracks you to decide your interests and then makes money off your habits by using targeted ads. Yea, the data is nifty for web site owners... but it is bad for us users. Go ahead and install NoScript/uBlock Origin and visit a few sites and see what pops up for scripts:
      • Killersites Forum: Killersites and Google Analytics
      • Forbes.com: Initially you will get a white page as all is blocked. Now go to the tool and look; you will see Forbes & ForbesImg (Forbes Image Server), so approve both of them. Now look again after a refresh: the list has grown to about 25 scripts trying to run/connect, and you normally would have no idea. Even having an idea they are there, do you know what they do, what data about you they handle and why they need it?
      • Hulu: Hulu has 23 scripts, but my films work fine with only 10 approved.
      • GQ: I often listen to Keith Olbermann on GQ's web site. It took me at least 20 min. to get the video collection page working correctly and playing the video. I had to grant temporary permissions to each one until something worked, then make that permanent and try again with the next. It can take a lot of time and energy. But once done, you can surf in more privacy than you did before.

      Some of these or those like them are available for Chrome. But Chrome is developed by the folks tracking you for a profit, so there are fewer. If you want privacy, use Firefox.
  19. LSW

    Current Threats

    Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites https://thehackernews.com/2017/10/coinhive-cryptocurrency-miner.html

    There are really two issues here folks:
    • The basis of the article - CoinHive was hacked and web sites using it made money for the hacker rather than themselves.
    • Websites are using JavaScript to mine bitcoin using your CPU for their profit. They are not asking you for permission and they are not sharing the profit YOUR CPU makes.

    Are you OK with others using your computer to make money without your knowledge, agreement, and participation? I have preached it for years. Block JavaScript; do not allow it to run if you do not know what it does. Any web site you visit can run JavaScript you do not know about. -LSW
  20. LSW

    Current Threats

    Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html This may only be in Europe and target corporations, but if you get it they will want the same money from you. Important to note here is that they are using a fake Flash to get installed. You need to keep Flash blocked on your computers. Only allow it where you really need it and you trust the source. - LSW
  21. LSW

    Current Threats

    Unpatched Microsoft Word DDE Exploit Being Used In Widespread Malware Attacks https://thehackernews.com/2017/10/ms-office-dde-malware-exploit.html
  22. LSW

    Current Threats

    New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet https://thehackernews.com/2017/10/iot-botnet-malware-attack.html
  23. Chrome/Google

      What's New
      • Google Stored G Suite Users' Passwords in Plain-Text for 14 Years [5/23/2019]
      • Google Chrome to Introduce Improved Cookie Controls Against Online Tracking [10/15/2019]
      • Google releases Chrome extension to check for leaked usernames and passwords [2/11/2019]
      • Google Removes 85 Adware Apps That Infect 9 Million Android Users [1/9/2019]
      • Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure [1/4/2019]
      • Google Faces GDPR Complaints Over Web, Location Tracking [11/29/2018]
      • Google launches reCAPTCHA v3 that detects bad traffic without user interaction [11/8/2018]
      • Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users' Data [10/10/2018]
      • Google Forced to Reveal Exposure of Private Data [10/10/2018]
      • Google Announces 5 Major Security Updates for Chrome Extensions [10/3/2018]
      • Titan Security Keys - Google launches its own USB-based FIDO U2F Keys? [7/26/2018]
      • From today, Google Chrome starts marking all non-HTTPS sites 'Not Secure' [7/25/2018]
      • Google launches 'Data Transfer Project' to make it easier to switch services [7/23/2018]
      • Google Enables 'Site Isolation' Feature By Default For Chrome Desktop Users [7/13/2018]
      • Google Blocks Chrome Extension Installations From 3rd-Party Sites [6/13/2018]
      • Google Redesigns Gmail – Here's a List of Amazing New Features [4/25/2018]
      • Google turns on default adblocker within Chrome [2/16/2018]
      • Google to Block Third-Party Software from Injecting Code into Chrome Browser [12/1/2017]
      • Google Begins Removing Play Store Apps Misusing Android Accessibility Services [11/14/2017]
      • Enable Google's New "Advanced Protection" If You Don't Want to Get Hacked: Note, this is for the truly paranoid or those in risky situations or trying to seriously protect something against well resourced adversaries. The average user really would not need this service.

      Vulnerabilities
      • New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild [3/7/2019]
      • Fresh Google+ Bug Exposed 52.2 Million Users' Data [12/11/2018]
      • Over 20 Million Users Installed Malicious Ad Blockers From Chrome Store [4/23/2018]
      • Password Stealing Apps With Over A Million Downloads Found On Google Play Store [12/13/2017]
      • 8 More Chrome Extensions Hijacked to Target 4.8 Million Users
      • Someone Hijacks A Popular Chrome Extension to Push Malware Attacks
      • Thousands of Google Chromecast Devices Hijacked to Promote PewDiePie [1/4/2019]
      • Fake WhatsApp On Google Play Store Downloaded By Over 1 Million Android Users
      • Gmail Reminder—Third Party Gmail Apps Can Read Your Emails, "Allow" Carefully! [7/3/2018]
  24. Bummer, less work for me annotating and deactivating scum. That sounds boring.