The End (Blog Post #10)

This post marks the 10th and final post in this blog. Throughout my 9 previous posts I’ve tried to motivate people (not just the experts) to become knowledgeable in the field of cybersecurity. Hopefully you now realize, either through the threats you face on a daily basis or from its geopolitical importance that few people are aware of, that this field needs the attention of everyone – not just the experts. Unlike this blog, the importance of cybersecurity can only grow.

Post #7 should make clear the geopolitical importance of security. Between Stuxnet and China’s escapades into American networks, it should be apparent that these under-exposed actions influence international relations as much as any of the mainstream news.

Similarly, I hope you’ve been able to grow your working knowledge of the field not just to see how it affects the world in general, but how it affects you specifically. There are a lot of threats out there that few people acknowledge. What you don’t know can hurt you. Stay aware of current threats like the news of bad root CAs from Dell and you will be a little more fearful but a lot more secure.

Finally, I hope you’re also aware now of the employment deficiencies in cybersecurity. All the way back in the first couple of blogs, I went into detail on how the educational environment causes this problem. In all honesty, when I first started writing this, my main goal was to encourage more common education on the subject; however, if you’re at all more interested in the subject of security, I feel I’ve done my job.


Are Macs Secure? (Blog Post #9)

 

One of the most common misconceptions I’ve heard while chatting about cybersecurity is that Macs don’t get malware. Time and again my friends ignore basic rules of online safety under the pretense that the fruit-shaped logo on the back of their case protects them from the dangers of the internet. Things like the above ad seem to reinforce this, but while it is true there are statistically fewer attackers going after Macs, they are anything but secure.

The key phrase in that ad is that Macs don’t get Windows viruses. Windows dominates the market for operating systems, hence the massive amount of Windows-exclusive software. Developers would have to put considerable work into moving their designs to OSX, so unless they can justify the work with projected revenue, they don’t bother. The same is true for malware developers. Why develop attacks against the 10% of users who run Macs when you could spend your time and money targeting the 90% who run Windows?

The problem is, there are a number of malicious people out there who do target that 10% and, like Apple’s market share, that number is growing. For instance, the Flashback Trojan alone infected more than 500,000 Macs between 2011 and 2012. In fact, this year (2015) was the most prolific year in history for OSX malware according to Bit9 and Carbon Black. Obscurity does not equate to security, and with Macs becoming more popular, the little safety it provided is quickly shrinking.

While Macs, like anything, are not perfectly secure, Apple’s reaction to these threats is cause for even more concern. Even when a patch was released to remedy the Flashback Trojan, Apple waited 8 weeks before releasing it to their users. Even when Apple moves quickly to protect its users, the updates they deliver don’t always work, as was the case with iWorm.

Now, I’m not saying you shouldn’t buy from Apple based on security concerns, but you should be aware that you can’t trust Apple to protect you. Get a good antivirus like ESET or Avast. In independent tests they both do well at detecting known malware samples. Never hope for safety when you can instead be secure.


Big Bug Bounties (Blog Post #8)

Recently, an anonymous team of hackers claimed Zerodium’s $1,000,000 bounty for a particularly dangerous bug in Apple’s iOS mobile operating system. That’s right, by finding a software flaw that team just made more than the average American will in 20 years. Unknown security vulnerabilities are very valuable and there are plenty of reasons you should take notice.

First of all: what is a vulnerability? Basically it’s a bug in a program. While some bugs do little more than crash a program, others, like in the case of Heartbleed, might leak sensitive data, and others still, like the above case, allow an attacker, armed with knowledge of how the vulnerability functions, to take total control of the target device. For the parameters of that $1,000,000 payout, that means by simply opening a web page an attacker can install and run persistent, arbitrary software on up-to-date devices. Front-facing camera? Check. Passwords? Stolen. Location? Tracked. In this case, you can imagine why that capability is so valuable.

Heartbleed (an example of a big vulnerability) illustrated. Source: Wikipedia

That payout, although abnormally large, is nothing new. Like arms dealers, companies like Zerodium aren’t just in the business to improve software; they exist to make money, and the software developers aren’t the ones buying. To be clear, Zerodium and Grugq (the vendor from the Forbes article) only sell to reputable sources (namely NATO governmental institutions), but the fact remains that the developers are being outbid by entities who are using these vulnerabilities. Microsoft, Google, and most other tech companies offer their own programs to buy these vulnerabilities so they can be patched. Unfortunately, they offer orders of magnitude less for these weapons.

So how does this apply to you – the consumer? Most people I’ve met still carry on the assumption that the business of cyber attack and defense is limited to whiz-kid outcasts and disgruntled IT guys. The truth is, hundreds if not thousands of vulnerabilities are discovered each month and they are big business.


Writing Good and Memorable Passwords aka the “Your Password Sucks” Post (Blog Post #7)

Any series on personal computer security is not complete without the arbitrary “write good passwords” part. I’m sure you’ve heard it all. Pick some long word you can remember like “bookkeeper”, substitute in some 3s for the ‘e’s (bookke3per) and some 0s for ‘o’s (b00kke3per), then add some random special character at the end (b00kke3per^). That’s secure, right? Wrong! If you were still under the impression that that’s a good way to write a password, you’ve got some learning to do.

In reality, everyone knows dictionary words are a big no-no, but common substitutions don’t help you much either. Attackers can guess trillions of passwords every second under the right conditions, so throwing in a substitute 3 for an ‘E’ or # for an ‘H’ is computationally easy. In fact, password security checkers like Kaspersky’s and My1Login’s find that this password could be broken by a consumer computer in under 10 minutes and in under one second on the right machine. If you’re using memorable substitutions for letters, your password is bad and you should feel bad.

So what then? An alternative is to create a random string of all types of characters. Lower case, upper case, special, numbers, get them all in there in no predictable order. There are even websites that will do this for you. This is also a bad idea for numerous reasons. Who knows what that site could be doing with your brand new password? The site that just generated your password might keep track of it for malicious means. Secondly, any passwords you generate this way will be a major pain to remember. Take for instance this site. It generated the password “ur-YqR9PQa46BjZg”. Sure, that would take until the heat death of the universe to crack; however, I can’t see anyone but a genius remembering that.

But wait! It has a helpful hint to remember the password: “usa rope – YELP queen ROPE 9 PARK QUEEN apple 4 6 BESTBUY jack ZIP golf.” Nope, that doesn’t help at all. You could write the password down, but then you have to secure the note that holds that big password. If that note gets seen, whatever you’re trying to protect is exposed. No sticky note should ever be worth as much as your bank account. There are better ways.

This comic from XKCD explains it perfectly. You should never use a password. Instead, you should use a passphrase. By combining a number of words, you have so much entropy you no longer have to worry if you’re using words or special characters. “usa rope – YELP queen ROPE 9 PARK QUEEN apple 4 6 BESTBUY jack ZIP golf” is hard to remember but “usa rope – YELP queen” is not.

While there are plenty of other solutions to this problem of password storage, hopefully I’ve dispelled some misconceptions. Common substitutions help no one and random strings are a pain. It can be a lot easier to create and remember secure passwords if you use a passphrase instead of a single word.
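As an added illustration (not code from the original post), the Python sketch below estimates the guess space of the three approaches discussed above and generates a passphrase locally rather than on a website. The substitution table beyond the swaps named in the post, the 100,000-word attacker dictionary, the 7776-word list size, and the sample wordlist are all assumptions.

```python
import math
import secrets

# Assumed substitution table: the swaps named in the post (3 for e, 0 for o,
# # for h) plus a few other common ones. Each letter maps to its alternatives.
LEET = {"a": "4@", "e": "3", "h": "#", "i": "1!", "o": "0", "s": "5$"}

def mangled_word_bits(word, dictionary_size, suffix_symbols=32):
    """Guess space in bits for: dictionary word + optional swaps + 1 symbol."""
    variants = 1
    for ch in word.lower():
        variants *= 1 + len(LEET.get(ch, ""))  # original letter or a swap
    return math.log2(dictionary_size * variants * suffix_symbols)

def random_string_bits(length, alphabet_size):
    """Guess space in bits for a uniformly random string."""
    return length * math.log2(alphabet_size)

def passphrase_bits(n_words, wordlist_size):
    """Guess space in bits for n words drawn uniformly from a wordlist."""
    return n_words * math.log2(wordlist_size)

def generate_passphrase(wordlist, n_words=4, sep=" "):
    """Pick words locally with the OS CSPRNG; nothing leaves the machine."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would skew the entropy estimate")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

# Constructed 8-word sample list; a real list has thousands of words.
SAMPLE_WORDS = ["rope", "queen", "park", "apple", "jack", "golf", "zip", "yelp"]

if __name__ == "__main__":
    # Assumption: the attacker's dictionary holds 100,000 words.
    print(f"b00kke3per^ style : {mangled_word_bits('bookkeeper', 100_000):5.1f} bits")
    print(f"16 random chars   : {random_string_bits(16, 64):5.1f} bits")
    print(f"4 of 7776 words   : {passphrase_bits(4, 7776):5.1f} bits")
    print(f"6 of 7776 words   : {passphrase_bits(6, 7776):5.1f} bits")
    print("sample passphrase :", generate_passphrase(SAMPLE_WORDS))
```

The passphrase figures hold only when the words are drawn at random; a phrase chosen by a person has less entropy than the estimate.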
