TRR = Totally Risky Referrer

Totally-Risky-Resolver
TRR Is Anything But Trusted

When Homer Simpson says “doh”, you know that something stupid is about to happen. Unfortunately, I believe that the same thing is true about the upcoming Firefox feature called DNS over HTTPS (i.e., DOH). Developers at Firefox noted a real problem: DNS queries aren’t secure. This has been axiomatic for years. That’s why DNS developers created DNSSEC. But DNSSEC is taking forever to roll out. Consequently, the Firefox developers baked Trusted Recursive Resolver (TRR) into Firefox 61. [Note: TRR has been available since Firefox 60. But TRR will move from an experiment to a reality as Firefox 61 rolls out across the Internet.]

Background

One of the key design points of TRR is  the encapsulation of data in a secure transport mechanism. Theoretically, this will limit man-in-the-middle attacks that could compromise your browsing history (or redirect your browser altogether). Of course, theory is not always reality. Yes, SSL/TLS is more secure than plain text. But it is widely used. So it is burdened by the need to retain backward-compatibility. Nevertheless, it is more secure than plain text. And security conscious consumers can implement TRR even if their local DNS provider doesn’t currently offer DNSSEC.

Risk

So why is TRR so risky? That’s simple: Mozilla is implementing TRR with a single recommended resolver: Cloudflare. I don’t think that anyone has an axe to grind with Cloudflare. From all that I have read, Cloudflare has never used customer data exclusively for its own benefit. That’s not true for Google, or OpenDNS, or a lot of other DNS providers. Of course, Cloudflare is a relative newcomer. So their track record is limited. But the real issue is that Mozilla has designed a system with a single point of failure – and a single choke point for logging and control.

Mitigation

Fortunately, Mozilla has enabled changing the TRR mode and TRR URI. Unfortunately, it is currently managed only through the about:config interface. That’s fine for a technician. But it is a dreadful method for end users. I am hopeful that Mozilla will provide a better interface for users. And I certainly hope that it is implemented on an “opt-in” basis. If they don’t, then folks who use their own DNS (e.g., every Pi-hole user) or folks who specify a different public provider than Cloudflare (e.g., Google, OpenDNS, DNS.Watch, etc) will be forced to “touch” every workstation.

Bottom Line:

Is Firefox acting badly? Probably not. After all, they are trying to close a huge DNS hole that infrastructure providers have yet to close (i.e., DNSSEC). Nonetheless, their approach is ham-handed. Mozilla needs to be transparent with the why’s and when’s – and they need to trust their users to “do the right thing.”
 

The Hack-proof Conceit

John-McAfee-Invites-Hack-Attack
John McAfee Invites Hack Attack

John McAfee and Bitfi offered a bounty to anyone who could hack a Bitfi wallet. After a very short time, John and Bitfi raised the bounty to $250,000.  As of two days ago, a hacker has claimed that bounty. Bitfi (and John) are saying that this was not a valid hack of their wallet. So there is a tremendous disagreement about whether John (and Bitfi) will pay the bounty.

I do think that the hack was successful. But whether I believe that the hack occurred or not is irrelevant. What I do believe is that no system is impenetrable – or “hack-proof”.  Over the past few decades, I have seen every secure system successfully attacked (and usually overwhelmed) by a determined hacking entity. These successes come in many forms. For some systems, hackers have leveraged a software vulnerability. For other systems, attackers have leveraged a vulnerable person. If you don’t believe this, then look no further than the DNC in the 2016 election cycle.

I would say that anyone who boasts in their impenetrability is merely inviting an attack. This axiom should remind us of a few important things.

1. Don’t boast! Pride is a deadly sin.

2. If you can be inconspicuous, then strive to become (and remain) inconspicuous. If you are not a target of a determined person or group, then don’t offer to become a target. For companies like Bitfi, the organization should not make outlandish claims. For you, I recommend that you not boast (on social media) about the things that you own. And don’t tell people when you are leaving your house for a splendid vacation. And for John McAfee, I say that he has exceeded his “best used by” date. Therefore, we need to dismiss him.

3. If you are part of a large group of targets, then be better (and more secure) than the other members of the group. For example, if you have online accounts, then use strong passwords. If you use strong passwords, then use two-factor authentication. If you use two-factor authentication, start using a virtual private network that will obscure your identity.

4. Remember that if you are a discrete target, then a determined hacker will probably defeat you – unless you are an equally skilled hacker. Therefore, make sure that you have a plan for the time when you are hacked. This includes backups. But it also includes a press statement about what you are doing (and will do) to minimize risk to your customers. After all, they are trusting you to protect them.
 

Two-Factor Authentication (2FA) Goes Mainstream

Google-Does-2FA
Google Enters 2FA Token Market

2FA for the masses…

Two-factor authentication (a.k.a., 2FA) has been around for decades. I first used early versions of this technology back in the mid-nineties. When I first used it, I authenticated to secure servers using an RSA token. Since then, I’ve used numerous 2FA tools for numerous work assignments.  

Over the years, the token has changed

My first token was a card. It had a small LCD screen that displayed an access code. After a fixed time had elapsed, a new code was generated. From this beginning, I migrated to a standalone (i.e., disconnected) token.  Since the nineties, I’ve had dozens of RSA tokens. But when I was with the Department of Defense, I used a Common Access Card (or CAC) to log into most systems. And in the past few years, I’ve used mobile phone apps that would display time-based access codes.

A few years ago, I decide that I wanted to enable multi-factor authentication on every public service that would support it.  And I wanted to make sure that I used a token that I could carry with me. I chose the Yubikey token. I can use that token by inserting it into a USB connection. I can also use near-field communications (NFC) to tap the token on my phone. Once authenticated on the device, I got the traditional rotating code that I could use on almost any service.

Google finally gets into the 2FA token market

Google has supported multi-factor authentication for a number of years. But until today, Google never produced a token. Their new product – branded the Titan key – will provide 2FA for cloud services. And let’s be clear about this: the Titan key is nothing new. However, it is coming from Google. And Google WILL support this device. More importantly, other service providers will support this device. Most importantly, since it is coming from Google, consumers will purchase the product in dizzying numbers.

Bottom line:

Google just put their enormous stamp on 2FA for consumers. If you’re not yet using two-factor authentication (either at home or at work), then Google has now put you on notice.

Security Is Top Concern For Sm(all) Businesses

Security-Top-Concern
Security a top concern for SMB leaders

Do you own a small business? Are you concerned about security? Do you care about your customers’ privacy?

If you say “yes” to these questions, then you are in good company. In a recent study of small and medium-sized businesses (conducted by Kaseya and summarized at BetaNews), business owners stated that security was a key business concern for them. Fifty-four (54) percent believed that security was the most important issue which they faced.

Eighty-six (86) percent of these same survey respondents experienced network availability issues. And forty-five (45) percent of them experienced network service interruptions that lasted longer than five (5) minutes.  Yet despite these risks, over seventy (70) percent of small business have chosen to use “external” services. Apparently, businesses – regardless of size – are accepting these risks. Indeed, many executives think that these risks are the very ‘table stakes’ that they must pay to stay “connected” to their customers.

What services do other companies purchase?

According to Mike Puglia, “Microsoft Office 365 leads the way as the most deployed solution (72 percent) followed by Dropbox (29 percent) and Salesforce and Google Suite both coming in with 17 percent.” Undoubtedly, every organization (with the possible exception of the telecos and the government) gets its connectivity from a service provider. And almost every company gets key services (like domain naming, site hosting, and email connections) from an external provider. Consequently, very few businesses can compete unless they are connected to the Internet. And very few businesses can make these connections on their own. Bottom Line: You must be connected to compete. And whenever you connect your resources to those of others, you are accepting the risk of exploitation.

What should you do to compete – and survive?

If you are a small or medium-sized business, then you need to use the same services that the big “enterprise” corporations use. But you can’t afford to maintain an entire department of IT professionals. So you need “corporate-sized” professional services at an affordable price. If you want scalable solutions that are affordably priced, then you should contact Lobo Strategies. We can help you walk this tightrope.

Password Re-use: Physician, Heal Thyself!

password re-use abuse
Password Re-use Is Abuse

A survey of professionals at the Infosecurity Conference 2018 in London has revealed that 45% of their attendees are guilty of password re-use across multiple accounts. And depending upon the source that you cite, up to 73% of consumers are guilty of the sin of password re-use. If you’re part of these groups, then you need to move out of that neighborhood. And you need to do so as quickly as possible. But how do you do that?

There are really only two methods: memorize unique passwords for each account, or store unique passwords for each account in a secure place. For me, I have over one hundred and fifty accounts. So memorizing complex random passwords for that many accounts is impractical.  And writing these down in an unsecured file or on a piece of paper is truly unacceptable. Does anyone remember the scene in “Wargames” when Matthew Broderick’s character opens the office administrator’s drawer and sees the password list? 

So I am part of the 8% that use a password manager to create and store complex passwords for every account. As of this moment, I don’t remember any of my passwords – except the password to my password safe. Every password I use is unique. And my password manager encrypts every entry ensure its security. If you are looking at password managers, then the two best tools (both of which I’ve used) are LastPass and 1Password. I prefer LastPass because it has tools to help create new passwords on (or before) the date when each account expires. And there is a testing tool that helps you to ensure that you don’t accidentally re-use a password.

Whatever you do, it’s time to get on with the business of properly managing passwords. It is the best “first step” that you can take to secure your identity.
 

Default Passwords = Bad; Continuous Testing = Good


Well, the verdict is in. The drone documents found on the dark web were drone maintenance documents. These documents were found behind a Netgear router whose FTP (file transfer protocol) password had not been changed.

This is a simple mistake. You might even say that this was a “rookie” mistake. Nevertheless, I am stunned that this kind of mistake would be made on a program that had already been granted its authority to operate (ATO). But the fact that this has happened proves that continuous vulnerability testing and compliance monitoring are keys to ensuring the ongoing (and safe) operations of a program.

And if this is true for the U.S. Department of Defense, then it is also true for each of us. So here is my simple question: have you changed default passwords on every system that you access?

Learn From Drone Documents Found on the Dark Web

Today, the Wall Street Journal reported that secret data about combat drones had been stolen and had been made available on the “dark web”. This revelation should not be surprising. In a world where every document and every conversation can be digitized, there is ample opportunity for data to fall into unexpected hands.

Is this a problem with the “dark web” itself? No, not really. Yes, the dark web is inhabited by denizens. But it is also inhabited by those seeking relief from oppressive political regimes. The real problem here is that either secure systems have been breached or someone within the “military-industrial complex” has released sensitive data to an unauthorized recipient.

I am sure that an inspector general is already investigating. In the meantime, there are lessons to be learned – and applied – for your personal assets:

  1. Know your data. While you should protect everything, you should be able to say what data is truly valuable.
  2. Protect your valuable data. Have  layers of security. This should include strong (and unique) passwords, multi-factor authentication, encrypted “data at rest”, and also encrypted communications for valuable data.
  3. Review your protection plans on a regular basis. Perform threat simulations wherever possible. This is not something that should be done just by governments and corporations. You should do this for your own data – lest you be awoken to the sad truth that you have been hacked.
  4. Review all access attempts to determine if you have been breached. This means that you should check access logs (if possible) to see if they match what you actually did. For example, check last login times on tools like Facebook and Twitter. But this also means using tools like “Have I Been Pwned” so that you know whether your credentials have been compromised. You might even want to use tools from credit sources (like Experian).
  5. Always have a remediation plan if your data is compromised. This should include contacting service providers (especially banks), changing passwords, etc.

You may not have military-grade secrets to protect. But with a little investment of time, you can be craftier than the slower antelopes.

If Vigilance Is Required At Home…

… then how much more important is it at work?
It is well said that the price of freedom is eternal vigilance. Similarly the price of personal freedom must be paid on a recurring basis. For me, activity during the week focuses upon work. And updating of security at home is almost always deferred until the weekend change window – when my wife (i.e., the CAB chairperson) can accept a more protracted outage.
So the change was scheduled for last night. And what were the contents of the change? Security updates were the sole focus.
Last month, the Talos team (at Cisco) issued a warning about an old threat (i.e., VPNFilter) that had returned from the dead – in a much more virulent form. Talos (and the FBI) recommended immediate reboots of home routers. I did this the same day of the warning. But after Talos (and the FBI) repeated their warnings about VPNFilter, I determined that it was time to rebuild the router from scratch following a factory reset. So once my wife disconnected from her “work” network, I started the changes. And it went reasonably well.
 
Since I coupled the change with a complete renumbering of the IP address space at home, the time before service restoration was longer than it would otherwise have been. In fact, the total rebuild of the router – and the assignment of new IP addresses across the network – took about two hours. After that window, normal services were successfully restored. But it took another two hours to clean up a few items – including the rebuilding of my Home Assistant hub. So the total change window lasted approximately four hours. At the end of the change window, we had a completely rebuilt home network.
 
When I got up this morning, I realized that it was also time to further secure my browser. My posture was immeasurably better than most of my neighbors. I browse via a VPN. I use uBlock Origin and Pi-hole to block ads. I use Privacy Badger for another layer of browser protection. But “good enough” is not good enough for me. So I decided to deploy uMatrix as an additional means of both understanding all network interactions and controlling those interactions.
 
For those not familiar with uMatrix (which is pronounced “micro matrix”), think of it as the next step beyond the NoScript tool. With uMatrix, you see a matrix of external sites and access types used when you load pages from any site (or domain). And you can allow access on either a temporary or a permanent basis. Once you get past the first shock of seeing all of the cross-site and cross-domain activity, you realize that uMatrix does provide you with incredibly granular control over how pages are rendered in your browser.
 
The first thing that I realized when I started to dig deeper was that securing my browsing experience almost always results in a “broken” user experience. This was not a new revelation. When I first used NoScript, I had to whitelist a whole lot of sites – or live with reduced functionality. So the process of evaluating sites and functions was both expected and welcomed.
 
The first sites that I decided to validate were those associated with security-related podcasts. And as expected, every podcast was accompanied by necessary changes to enable streaming. The most ironic thing that I saw was just how much cross-site activity was required to even listen to security podcasts. But knowing the precise elements that were needed by a page allowed me to open just those elements that were truly required. Basically, uMatrix provided me with fine-grained access control. And it also reminded me that “free” almost always means trading function/feature access against limited access to me (and my data) by advertising agencies/networks.
 
Once I dealt with the security podcasts, I wanted to see just how pernicious Facebook access was. Currently, I do not use any Facebook “apps”. Instead, I use a simple browser. I run their browser pages inside of a “container” that limits data leakage. Nevertheless, I still expected some additional cross-site activity. What I saw was positively astonishing. Over two-hundred elements requiring cross-domain access were requested. And that was after ad blocking was done by my Pi-hole and by uBlock Origin. Am I surprised? No, not really. But the scope of what remained – even after ad blocking – was positively astonishing.
 
So what are the key takeaways from yesterday and today?
 
  1. Change control is always needed – even at home. Of course, the discipline that you follow at home will depend upon the willingness of family members. But this is no different than how things function at the office. Build your processes to meet your stakeholders’ and customers’ needs. Please remember that there are differences between the needs of both groups. At home, you and your spouse are the stakeholders while your kids (and guests) are the customers. As the stakeholders, you need to make the choices about how much security is too much security. And I guarantee that whatever you decide, your kids will probably disagree with you. 😉
  2. There is no such thing as secure enough. You can always do more in order to be even more secure. And if you do nothing, you will just lose ground over time. To stay secure, you need to always do more.
  3. Always remember that “free” just means that the price may not be immediately discernible or quantifiable. Use tools that help you discern the heretofore indiscernible. I do recommend uMatrix. But other tools can be used.

The work of ensuring security is never complete. Your home is not safe just because you have a door lock. You need to lock it. And then you need to realize that your windows are a threat vector. In the same way, information security is not just about having an ISP-provided router and a password on you primary system. But whether you are totally insecure or currently “state-of-the-art” in your practices, there is always more that you can do. So take the next steps to further secure your home. Then remember, your workplace is no different than your home. It requires constant tending – by both the security professionals and by every employee.

“The Dark Web”: New Bogeyman…of Madison Avenue

Every conflict needs a villain. This is true for Thanos, the Mad Titan (i.e., the protagonist of the latest “Avengers” movie). It is true for worldwide safety and security (e.g., terrorism in general and weapons of mass destruction in particular). It is also apparently true for online security services.

While doing my casual morning browsing of news sites, I ran across an ad for “dark web” scanning (linked below). I am not necessarily recommending the services offered by Experian. I am sure that it is a fine, general-purpose service. But I did want to highlight the use of fear and uncertainty as a motivation. Today, the “dark web” is the undeniable ‘big bad’ for online users. We are now told that it isn’t trusted companies (who abuse your identity for their revenue). It apparently isn’t the NSA (who collects everything about you in order to “protect” you). Listen carefully: according to Experian, it is the ‘dark web’ that seeks to hurt you.

Please don’t misunderstand my subtle (and not-so-subtle) prodding. The ‘dark web’ does provide a hideout for those who wish to lurk. At the same time, it provides a sanctuary for those escaping tyrannical pursuit (by hostile governments or hostile corporations). The ‘dark web’ is not – in an of itself – something to be feared. Rather, it is something to be understood.

At its foundation, the ‘dark web’ is a non-indexed part of the Internet whose content is obscured via encryption. So if you desire to be anonymous (and untraceable) while on the Internet, then you are a potential user of the dark web. And if you want to host content that is neither indexed (by Google) nor unencrypted, then you are seeking some of the attributes of the dark web.

Yes, Experian (and other companies) are offering you a “detector” that will let you know whether key pieces of your identity have been compromised by known individuals, groups, or sites that are identified as part of the “dark web”. Of course, they cannot tell you if some unknown individual, group, or site has your PII data. Unfortunately, it is the unknown threat that should concern you.

So here is a novel thought: assume that anyone can access the information that you move across the Internet. If you assume that everything is possible to compromise, then you will take the right steps to protect essential data that must move across the Internet. Don’t let someone else do the hard work for you. You must decide what is important to you. And you must decide which steps are appropriate and which are too onerous. For some folks, remembering to lock their back door is an onerous task – until they learn that their neighbors experienced a break in. Then, all of a sudden, locking the doors is not too onerous. So assume that your neighbors have been ransacked. And assume that your nosy neighbor wants more than just a smile in return. Be charitable. Be gracious. And be prepared.

And if you want to check out some free resources, then consider https://haveibeenpwned.com/.

http://bit.ly/2L5Uxny