
Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Sep 18, 2019 8:08 am
by JayceSlayn
I'd like to make a few comments on browser extensions, and maybe a plug for one or a few relating to cybersecurity.

Most modern browsers already include a baseline of decent security against common kinds of attacks or security risks by default. You obviously still have to do your part to not visit unknown links/sites, double-check the URL and site every time you are asked to enter credentials, etc.

There are many browser extensions that claim to help with privacy, ads, or security, but I try to be very cautious about the ones which I install. Reducing your attack surface by having fewer extensions, and only ones from sources you can reasonably trust, are good steps. Also, monitor the news or vendor websites for updates to your browser and any extensions you have - if you learn of any vulnerabilities disclosed, stop using them immediately until they are patched, and double-check your versions are current.

Some extensions that I use and therefore advocate:
  • LastPass: Yes, it recently had a vulnerability disclosed where it could leak (ironically) the "last password" it filled in, but that has been patched in the latest version already. Compare this to the advantage of having unique passwords for every site, which allows you to compartmentalize any potential leaks from either your own browser or third-parties, and that is still a benefit in my mind. Turn on two-factor authentication for your LastPass account (and every other account that allows you that option)!
  • HTTPS Everywhere: This extension with its "Encrypt All Sites Eligible" mode helps to ensure that you are only ever requesting to use a secured connection wherever you go, and blocks you from using unencrypted connections. Some sites (or short links) still don't have HTTPS versions for whatever reason (no good reasons I can think of, it's easy to implement), and even if they are just a blog or news or something, I just don't visit them anymore.
  • NoScript: This extension blocks the execution of JavaScript from any domains which you don't explicitly set to Trusted, or Temporarily Trusted. It is very useful, but it will also initially break most sites you visit. You may need at least a broad idea of how JavaScript is used on websites to effectively decide how to use this extension.
  • Privacy Badger: Published by the EFF, which is the leading non-profit advocate for online privacy, this extension attempts to block trackers which do not conform to their ideals of user consent, while also trying to avoid breaking trackers which are less invasive.

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Sep 18, 2019 4:18 pm
by MPMalloy
JayceSlayn wrote:
Wed Sep 18, 2019 8:08 am
I'd like to make a few comments on browser extensions, and maybe a plug for one or a few relating to cybersecurity.

Most modern browsers already include a baseline of decent security against common kinds of attacks or security risks by default. You obviously still have to do your part to not visit unknown links/sites, double-check the URL and site every time you are asked to enter credentials, etc.

There are many browser extensions that claim to help with privacy, ads, or security, but I try to be very cautious about the ones which I install. Reducing your attack surface by having fewer extensions, and only ones from sources you can reasonably trust, are good steps. Also, monitor the news or vendor websites for updates to your browser and any extensions you have - if you learn of any vulnerabilities disclosed, stop using them immediately until they are patched, and double-check your versions are current.

Some extensions that I use and therefore advocate:
  • LastPass: Yes, it recently had a vulnerability disclosed where it could leak (ironically) the "last password" it filled in, but that has been patched in the latest version already. Compare this to the advantage of having unique passwords for every site, which allows you to compartmentalize any potential leaks from either your own browser or third-parties, and that is still a benefit in my mind. Turn on two-factor authentication for your LastPass account (and every other account that allows you that option)!
  • HTTPS Everywhere: This extension with its "Encrypt All Sites Eligible" mode helps to ensure that you are only ever requesting to use a secured connection wherever you go, and blocks you from using unencrypted connections. Some sites (or short links) still don't have HTTPS versions for whatever reason (no good reasons I can think of, it's easy to implement), and even if they are just a blog or news or something, I just don't visit them anymore.
  • NoScript: This extension blocks the execution of JavaScript from any domains which you don't explicitly set to Trusted, or Temporarily Trusted. It is very useful, but it will also initially break most sites you visit. You may need at least a broad idea of how JavaScript is used on websites to effectively decide how to use this extension.
  • Privacy Badger: Published by the EFF, which is the leading non-profit advocate for online privacy, this extension attempts to block trackers which do not conform to their ideals of user consent, while also trying to avoid breaking trackers which are less invasive.
I don't have any experience w/LastPass, although I did hear about the vulnerability. Nothing & no one is immune.

I use HTTPS Everywhere & I have used Privacy Badger. They're easy to use. You will need to do your homework w/NoScript. I've had better luck w/uBlock Origin.

And yes, keep extensions to a minimum. If you do the Mozilla, learn your about:config. :)

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Dec 18, 2019 8:45 am
by JayceSlayn
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
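The account protections listed above as missing (lockout and notification after repeated failed logins, a check on previously seen addresses, and screening passwords against known breaches), sketched as an added example that is not part of the original post or any vendor's code. The thresholds, class and method names, addresses and the tiny breached-password list are all constructed assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed stand-in for a real breach corpus, stored as SHA-1 digests.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("123456", "password", "qwerty")}

MAX_FAILURES = 5       # assumed policy: lock after 5 failures...
WINDOW_SECONDS = 300   # ...inside a 5 minute window
LOCK_SECONDS = 900     # assumed lock duration


class LoginGuard:
    """Hypothetical server-side guard wrapped around a password check."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)  # user -> times of recent failures
        self.locked_until = {}              # user -> time the lock expires
        self.known_ips = defaultdict(set)   # user -> addresses of past good logins
        self.notifications = []             # (user, message) sent to the owner

    def is_breached(self, password):
        # Reject at signup or password change if the password is in the corpus.
        return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

    def attempt(self, user, ip, password_ok):
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if not password_ok:
            recent = self.failures[user]
            recent.append(now)
            while recent and now - recent[0] > WINDOW_SECONDS:
                recent.popleft()            # forget failures outside the window
            if len(recent) >= MAX_FAILURES:
                self.locked_until[user] = now + LOCK_SECONDS
                recent.clear()
                self.notifications.append((user, f"locked after failures from {ip}"))
                return "locked"
            return "denied"
        self.failures[user].clear()
        if self.known_ips[user] and ip not in self.known_ips[user]:
            # Right password from an unseen address: tell the owner and require
            # a second factor before the caller records the address as known.
            self.notifications.append((user, f"login from new address {ip}"))
            return "challenge"
        self.known_ips[user].add(ip)
        return "ok"
```
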

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Dec 18, 2019 10:01 am
by MPMalloy
JayceSlayn wrote:
Wed Dec 18, 2019 8:45 am
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
:shock: but not :o

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Dec 18, 2019 2:00 pm
by boskone
JayceSlayn wrote:
Wed Dec 18, 2019 8:45 am
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
Don't forget that Amazon/Ring actively but silently disclose footage to official organizations on request. Not when presented with a warrant, just when asked. There's even a portal for the police to use that automatically discloses the Ring cameras in an area. Oh, and they're partnering with police to recommend Ring cameras and supplying sales materials.

My parents were looking at Ring, and fortunately it won't work with their shitty rural internet. I bought a standalone camera system with recording for them instead; it doesn't have the doorbell speaker thing, but if they decide they want that I suspect I can manage something. :p

Cloud services are convenient, but they're also a security nightmare.

Re: Everyday is Cybersecurity Awareness Day

Posted: Sat Apr 04, 2020 3:08 am
by NT2C
Image

Re: Everyday is Cybersecurity Awareness Day

Posted: Thu Apr 09, 2020 2:19 pm
by zombiegirl23
Remember most privacy flaws come down to the user. I've seen people with the dumbest passwords. Please use strong passwords people. Don't make it easy on cybercriminals.

Re: Everyday is Cybersecurity Awareness Day

Posted: Fri Jun 19, 2020 12:24 am
by MPMalloy

Re: Everyday is Cybersecurity Awareness Day

Posted: Fri Jul 10, 2020 1:37 pm
by MPMalloy
I *HATE* these things :evil:

Re: Everyday is Cybersecurity Awareness Day

Posted: Fri Jul 10, 2020 1:39 pm
by woodsghost
MPMalloy wrote:
Fri Jul 10, 2020 1:37 pm
I *HATE* these things :evil:
Right with you. I hate hackers. I'm not overly fond of street thugs either, but I really hate hackers.

Re: Everyday is Cybersecurity Awareness Day

Posted: Fri Jul 10, 2020 3:41 pm
by Stercutus
Lately they have been going after our city phone lines. Since for them it is a full time job I guess they may eventually get in.

We are now talking about actually murdering people through hacking. If you interfere with fire, EMS or police assistance during an emergency that results in their death that is essentially murder. I am sure some psychotic loser is sitting in a closet somewhere all excited over the thought of possibly killing people on line.

Since it crosses state lines it will be interesting to see the involvement of the Federal Government. I still don't understand why we don't have a large agency dedicated to counter-hacking.

Re: Everyday is Cybersecurity Awareness Day

Posted: Fri Jul 10, 2020 10:53 pm
by MPMalloy
I'm not sure what happened, but I got all worked up before I remembered that I have a good BU program and all I need to do is click on yesterday's incremental. :crazy:

Re: Everyday is Cybersecurity Awareness Day

Posted: Mon Jul 13, 2020 6:00 am
by MPMalloy

Re: Everyday is Cybersecurity Awareness Day

Posted: Sat Jul 25, 2020 12:05 am
by MPMalloy
Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?

Re: Everyday is Cybersecurity Awareness Day

Posted: Sat Jul 25, 2020 12:46 pm
by boskone
MPMalloy wrote:
Sat Jul 25, 2020 12:05 am
Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?
I couldn't find anything either, so consider this a semi-educated WAG: It won't affect navigation for maps already stored on the device, but you won't be able to acquire new maps or data.

Re: Everyday is Cybersecurity Awareness Day

Posted: Sat Jul 25, 2020 6:56 pm
by MPMalloy
boskone wrote:
Sat Jul 25, 2020 12:46 pm
MPMalloy wrote:
Sat Jul 25, 2020 12:05 am
Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?
I couldn't find anything either, so consider this a semi-educated WAG: It won't affect navigation for maps already stored on the device, but you won't be able to acquire new maps or data.
Thanks bos. I'll keep looking. If I find something reasonable, I'll post.

How's life?

Re: Everyday is Cybersecurity Awareness Day

Posted: Sat Jul 25, 2020 7:05 pm
by boskone
MPMalloy wrote:
Sat Jul 25, 2020 6:56 pm
boskone wrote:
Sat Jul 25, 2020 12:46 pm
MPMalloy wrote:
Sat Jul 25, 2020 12:05 am
Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?
I couldn't find anything either, so consider this a semi-educated WAG: It won't affect navigation for maps already stored on the device, but you won't be able to acquire new maps or data.
Thanks bos. I'll keep looking. If I find something reasonable, I'll post.

How's life?
I'm full and still breathing, so not bad.

Re: Everyday is Cybersecurity Awareness Day

Posted: Sat Jul 25, 2020 11:34 pm
by tony d tiger
The Garmin hack did have an impact on civilian flight plans. Apparently there's an APP for that, too. Google Garmin Server Maintenance and check out the story on ZDNet

Re: Everyday is Cybersecurity Awareness Day

Posted: Tue Jul 28, 2020 10:48 pm
by tony d tiger
Garmin servers are back up and running... :oh:

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Jul 29, 2020 6:40 am
by MPMalloy
tony d tiger wrote:
Tue Jul 28, 2020 10:48 pm
Garmin servers are back up and running... :oh:
Did they pay the ransom?

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Jul 29, 2020 6:40 pm
by boskone
MPMalloy wrote:
Wed Jul 29, 2020 6:40 am
tony d tiger wrote:
Tue Jul 28, 2020 10:48 pm
Garmin servers are back up and running... :oh:
Did they pay the ransom?
I have not yet seen a confirmation either way.

Lots of speculation with phrases like "may have paid", but without anything vaguely resembling a support other than the services coming back on-line.

If they had a robust backup regime, they might have been restoring systems. If so, I gotta offer props to Garmin's IT department.

Re: Everyday is Cybersecurity Awareness Day

Posted: Sat Aug 01, 2020 8:52 am
by tony d tiger
MPMalloy wrote:
Wed Jul 29, 2020 6:40 am
tony d tiger wrote:
Tue Jul 28, 2020 10:48 pm
Garmin servers are back up and running... :oh:
Did they pay the ransom?
Who knows? My Garmin connect app still shows server maintenance being performed but at least the functionality is back online.

Re: Everyday is Cybersecurity Awareness Day

Posted: Thu Sep 10, 2020 8:44 pm
by MPMalloy