By John Kinkopf
Our guest speaker at the August general meeting was Robert Hurlbut, an independent software security consultant, and co-host of the Application Security Podcast. Robert delivered an excellent talk that covered many aspects of the wide field of software security. An expert in the field, he managed to provide lots of useful information without becoming too technical.
Asked from the audience which anti-virus software he uses, Robert answered rather provocatively: none! Most in the computer security field don’t use anti-virus software . . . . though he keeps Microsoft’s Windows Defender, included with Windows 10, turned on. Why? He explained that those in the security field live in a secure way, while anti-virus software runs with more elevated privilege on one’s system than almost any other application, and we don’t know whether the anti-virus itself has faults in its code or security issues. And the majority of attacks these days are not the viruses of old, but things like ransomware that anti-viruses simply can’t find.
Updating Windows is essential to combat ransomware, and using Windows 10 over Windows 7 is his recommendation; definitely don’t use Windows XP or earlier versions. Where a couple of years ago there were 100,000 new virus patterns per year coming out, now it’s 200,000 per DAY, with which anti-viruses can’t keep up. Thus, restrict your machine from executing things without your permission, meaning beware of clicking on things, and don’t surf the Internet as administrator, but rather from a user account. He also mentioned that there have been recent [but disputed] allegations against Russia-based anti-virus maker Kaspersky Lab.
Our connected world is a tracked world. Many TVs, home devices, and Echo or Home personal assistants listen to you. Many smart devices are security openings. Stores you enter may try to connect to your phone’s wi-fi to find out things about you. Credit card purchases leave footprints. [Yahoo scans my Trenton Computer Festival emails to pitch me “Meet Trenton Singles” ads. They guess and list my email recipient’s phone number (“No, an out-of-state friend’s church”), and “related contacts” as I compose.]
Private photos that iPhones backed up to iCloud were obtained by fooling celebrity victims into divulging passwords with phishing emails. [Websites derive revenue from letting Facebook, Twitter, and marketing analysts observe you, which can be blocked by the NoScript extension for Firefox.]
Showing an RFID shield, Robert told how his Fitbit activity tracker began flashing numbers and making strange noises at the DEF CON hacker convention. Though visitors are warned to turn off any Bluetooth device at hacker conventions, a Fitbit keeps listening. He’s refraining from connecting it to anything until he can test it for tampering on a laptop he can wipe.
Get rid of routers known to have vulnerabilities, of which there are many. Buy your own wi-fi equipment, using your own router over the one an ISP provides, so you’re managing your wi-fi instead of them. Use WPA2 for your home wi-fi encryption; DON’T use WEP.
Virtual Private Networks (VPN)
To provide a secure channel to network servers over the internet, companies commonly use Virtual Private Networks for off-site workers. Phones can also be connected by VPN. Free personal VPNs offer privacy, not anonymity — you pay by providing information about your usage that may be sold. Robert advises that nothing is free; don’t use a free VPN. Use VPNs when you can, and only reputable paid VPNs [$60-$120/yr]. [Websites rate VPNs.] Robert subscribes to F-Secure Freedome; it logs the tracking attempts it stopped and how much transmitted data was protected, and F-Secure has been a reputable provider for 25 years. PIA is a VPN recommended by publications as doing minimal logging of the user’s IP address and usage. For banking, Robert answered that he would use a VPN, but VPNs do raise banks’ suspicions about your authenticity. Asked about using a VPN to bypass media geo-restrictions, Robert followed up by email that he once used ExpressVPN, and gave these references:
Audience members pointed out that governments may require VPNs to hand over their logfiles of users. A VPN user in the audience shared that PIA’s encryption processing made his battery life prohibitively short, in his experience. OpenVPN is open source; keep its patches up to date. OpenVPN how-to: OpenVPN How-To site.
Browsers > Tor > Tails
Unfortunately, browsers track you. While Apple is good at security, their Safari browser lags; but at least it excludes Flash, notorious for security and reliability issues. [July News Flash: Adobe will pull the Flash plug-in in 2020.] Search engine DuckDuckGo.com claims not to track you . . . or so they say. URLs beginning with https provide improved communication security over http sites.
By relaying online communication through multiple nodes on its volunteer network around the world, the free Tor (The Onion Router) download anonymizes a web surfer’s identity and point of origin. Once the route for each session is established, one surfs the Internet via Tor’s modified Firefox browser, during which all other browsers must be closed for Tor’s anonymity to be effective. The downside is that while Tor preserves your web anonymity on your end, many websites recognize Tor exit nodes and place restrictions on them. For example, Wikipedia restricts edits made through Tor; the BBC blocks its use to access iPlayer. And Tor’s practicality is limited by slowed browsing, since communications bounce through multiple anonymizing nodes in world locations of varying internet speeds. Only download Tor from the Tor Project website: www.torproject.org.
Tor is also used to access Tor sites on the dark web, which Edge, Google, and Chrome won’t reach. Because it’s possible that data on your PC may still unmask you, the next step is to use Tor in Tails.
Tails (The Amnesic Incognito Live System) is a live operating system the user boots from a USB drive or DVD, so that nothing on the PC itself, say a library PC, is touched; only the network is used. When your session is finished no data is saved, everything is anonymous, and no traces are left when you disconnect. But logging in to, for example, your email or Facebook would give you away, of course, just as using your home computer would identify you to your ISP. It’s better to get a dedicated laptop with completely separate email and other accounts that you never use in ways that identify you. The Tails website: tails.boum.org.
Early August News Flash: Robert Burr, responsible for the 2003 recommendation that secure passwords include upper and lower case letters and symbols, which makes passwords hard to remember, made the media rounds rescinding the suggestion, or “|\|3\/€R /V\1|\|D.” [Ed: Squint to see that this reads as “never mind.”] His current thinking, and Robert’s, is to use long passphrases – passwords composed of words strung together into a nonsense phrase you can remember. [For example, “A wet duck only flies at midnight,” or “The blue sun melts the wet snow” – from TV’s “Get Smart.”]
The “Have I Been Pwned?” website is a free service to which one submits their email address. The site, maintained by Australian Troy Hunt, will reply if the account is found among the millions breached, along with when, what, and where it was found, say perhaps in Pastebin, where a lot of stuff happens. You may also sign up for its Notify Me service, to be notified in the event future account compromises are found, for which Pwned needs to save your email. Robert has met Troy; the site gets some financial support but he does this mainly as a labor of love. Website: haveibeenpwned.com.
A Password Manager (software) helps you manage your passwords with one master password, which should be chosen to be especially difficult to crack. Password Managers can also manage security questions. The answers you choose for security questions need not be truthful, and should not be obvious. The password manager Robert uses is Blur, often recommended in books, which can also create virtual credit cards for you. Blur hasn’t shown up in any breaches or other problems, while 1Password and LastPass have had reported security weaknesses.
Two-factor authentication (2FA)
An example: Upon entering my account password, YouTube requires that I submit a code sent to my email (or phone). Robert likes it; I feel my YouTube account is more secure. But he thinks that it’s crazy to give oft-hacked Yahoo his phone number. The website TwoFactorAuth.org lists whether or not websites support the additional security of 2FA.
All emails are wide open. [Like my ballot at the Putnam County polling place!] They are transmitted from server to server, where hackers can view them along the hops. Even if you delete an email, the email services have made copies for sending redundancy. Be wary of clicking on email links and attachments. For privacy, consider premium email services based outside the U.S. that encrypt. OpenPGP.org can be tried for encryption; a member of the audience reported using it in Gmail. The cable (ISP) email accounts are worse regarding sharing your email information. Don’t ever send forms with your social security number via email. [Send Word documents only as PDF files, for with a Word file’s hidden history a recipient could work back through all your revisions, back to the resume I started writing this review over!]
Robert said your health care records are worth even more to criminals. Check your credit report annually, at the beginning of the year. A few months later, check Experian and TransUnion for whether anyone is opening an account in your name. Robert found someone had opened an account under a previous address. One can download the reports or receive them by regular mail, but don’t have them sent by email. Consider putting fraud alerts and credit freezes on your credit card.
Beware of credit card skimming. July News Flash: wafer-thin “insert skimmers” stealing bank card information at ATMs are proliferating. August News Flash: tiny gas pump skimmers transmitting credit card information, as Robert mentioned, are featured on TV news. Robert mentioned that credit cards with chips are partially better, but not as good as in Europe, where a PIN is required too. At locations credit card skimmers target, it’s better to use a prepaid card or Apple Pay. But Apple Pay’s one-time token uses near field communication (one needn’t make contact, only be in proximity), and there are devices a hacker can use to connect and obtain information.
Iconic hacker Kevin Mitnick advises having someone else buy your debit cards so videocameras don’t record that it’s your purchase. NSA whistleblower Edward Snowden did this, along with using Tails.
Update to the latest operating system version and patches. [Ha! Google no longer supports Android versions predating 4.4.] For iOS definitely get the latest version, 10.3.3, which patches a chip vulnerability that was exploited at the Black Hat hacker conference. Passwords or passcodes protect your device. Adjust your permissions per app to, “No, no, no, no.” Robert keeps his Uber car service location permission set to Never, except for the few minutes he needs to switch the permission to Always to use the app. Asked how to do this on an Android phone, Robert answered: go to Application Manager, click on the app, and it should show you the permissions, at least since the 6.0.0 Marshmallow release. On version 5 or below, you couldn’t do this. For Android you definitely want an anti-virus. Sync and back up your data, and install a phone finder app. It is very important to turn off wi-fi and Bluetooth when you’re not home or not around trusted endpoints, which is nearly everywhere. Turn them off when they are not needed.
The Pineapple is a popular device at the hacker conferences. If your phone has ever been connected to a wi-fi network, it retains that information and connects to any of those networks when in range with its wi-fi on. The Pineapple connects to your phone, without your knowing, by pretending to be one of its former wi-fi connections.
The most secure mobile phones are the basic flip phones, turned off [in an RFID shield]. Tether your mobile phone to a hotspot in lieu of wi-fi or Bluetooth. Law enforcement uses fake cellular towers to spy. [August News Flash: Android messaging apps were found carrying the SonicSpy trojan, which spies on audio, takes control of phone cameras, and nearly all of a phone’s functions.]
Security News Sources
Robert said that he keeps current by following several security news sites on Twitter. KrebsOnSecurity.com is an oft-referenced website, widely sourced when it detailed how customer accounts were hacked through Target’s air-conditioner computers. [One can subscribe to his email newsletter.] Robert has Google searches set up to email him when certain terms come up, such as router or VPN. One audience member subscribes to Wired’s news feed; another visits www.social-engineer.org.
Robert’s presentation slides are here.
Books Robert Recommends:
- The Complete Privacy and Security Desk Reference: Volume 1: Digital – Michael Bazzell and Justin Carroll
- Hiding from the Internet: Eliminating Personal Online Information – Michael Bazzell
- Personal Digital Security: Protecting Yourself from Online Crime – Michael Bazzell
- The Art of Invisibility – Kevin Mitnick
- How to Be Safe in the Age of Big Brother and Big Data – Kevin Mitnick