Page 4 of 4

Re: Everyday is Cybersecurity Awareness Day

Posted: Tue Sep 17, 2019 7:32 pm
by MPMalloy

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Sep 18, 2019 8:08 am
by JayceSlayn
I'd like to make a few comments on browser extensions, and maybe a plug for one or few relating to cybersecurity.

Most modern browsers already include a baseline of decent security against common kinds of attacks or security risks by default. You obviously still have to do your part to not visit unknown links/sites, double-check the URL and site every time you are asked to enter credentials, etc.

There are many browser extensions that claim to help with privacy, ads, or security, but I try to be very cautious about the ones which I install. Reducing your attack surface by having fewer extensions, and only ones from sources you can reasonably trust, is a good step. Also, monitor the news or vendor websites for updates to your browser and any extensions you have - if you learn of any vulnerabilities disclosed, stop using them immediately until they are patched, and double-check your versions are current.

Some extensions that I use and therefore advocate:
  • LastPass: Yes, it recently had a vulnerability disclosed where it could leak (ironically) the "last password" it filled in, but that has been patched in the latest version already. Compare this to the advantage of having unique passwords for every site, which allows you to compartmentalize any potential leaks from either your own browser or third-parties, and that is still a benefit in my mind. Turn on two-factor authentication for your LastPass account (and every other account that allows you that option)!
  • HTTPS Everywhere: This extension with its "Encrypt All Sites Eligible" mode helps to ensure that you are only ever requesting to use a secured connection wherever you go, and blocks you from using unencrypted connections. Some sites (or short links) still don't have HTTPS versions for whatever reason (no good reasons I can think of, it's easy to implement), and even if they are just a blog or news or something, I just don't visit them anymore.
  • NoScript: This extension blocks the execution of JavaScript from any domains which you don't explicitly set to Trusted, or Temporarily Trusted. It is very useful, but it will also initially break most sites you visit. You may need at least a broad idea of how JavaScript is used on websites to effectively decide how to use this extension.
  • Privacy Badger: Published by the EFF, which is the leading non-profit advocate for online privacy, this extension attempts to block trackers which do not conform to their ideals of user consent, while also trying to avoid breaking trackers which are less invasive.

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Sep 18, 2019 4:18 pm
by MPMalloy
JayceSlayn wrote:
Wed Sep 18, 2019 8:08 am
I'd like to make a few comments on browser extensions, and maybe a plug for one or few relating to cybersecurity.

Most modern browsers already include a baseline of decent security against common kinds of attacks or security risks by default. You obviously still have to do your part to not visit unknown links/sites, double-check the URL and site every time you are asked to enter credentials, etc.

There are many browser extensions that claim to help with privacy, ads, or security, but I try to be very cautious about the ones which I install. Reducing your attack surface by having fewer extensions, and only ones from sources you can reasonably trust, is a good step. Also, monitor the news or vendor websites for updates to your browser and any extensions you have - if you learn of any vulnerabilities disclosed, stop using them immediately until they are patched, and double-check your versions are current.

Some extensions that I use and therefore advocate:
  • LastPass: Yes, it recently had a vulnerability disclosed where it could leak (ironically) the "last password" it filled in, but that has been patched in the latest version already. Compare this to the advantage of having unique passwords for every site, which allows you to compartmentalize any potential leaks from either your own browser or third-parties, and that is still a benefit in my mind. Turn on two-factor authentication for your LastPass account (and every other account that allows you that option)!
  • HTTPS Everywhere: This extension with its "Encrypt All Sites Eligible" mode helps to ensure that you are only ever requesting to use a secured connection wherever you go, and blocks you from using unencrypted connections. Some sites (or short links) still don't have HTTPS versions for whatever reason (no good reasons I can think of, it's easy to implement), and even if they are just a blog or news or something, I just don't visit them anymore.
  • NoScript: This extension blocks the execution of JavaScript from any domains which you don't explicitly set to Trusted, or Temporarily Trusted. It is very useful, but it will also initially break most sites you visit. You may need at least a broad idea of how JavaScript is used on websites to effectively decide how to use this extension.
  • Privacy Badger: Published by the EFF, which is the leading non-profit advocate for online privacy, this extension attempts to block trackers which do not conform to their ideals of user consent, while also trying to avoid breaking trackers which are less invasive.
I don't have any experience w/LastPass, although I did hear about the vulnerability. Nothing & no one is immune.

I use HTTPS Everywhere & I have used Privacy Badger. They're easy to use. You will need to do your homework w/NoScript. I've had better luck w/uBlock Origin.

And yes, keep extensions to a minimum. If you do the Mozilla, learn your about:config. :)

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Dec 18, 2019 8:45 am
by JayceSlayn
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
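As an added illustration (not from the thread and not Ring's code), here is a small Python model of the account-protection controls the post above lists as missing: lockout and owner notification after repeated failed logins, flagging a successful login from an IP the account has never used before, and checking the submitted password against a breached-password set. The credential store, the breach set and the attempt log are all constructed for the example.

```python
import hashlib
from collections import defaultdict

MAX_FAILURES = 5  # lock the account after this many consecutive failed logins
# Constructed toy credential store (a real service compares against a password hash).
CREDENTIALS = {"alice": "correct-horse-battery", "bob": "123456"}
# Constructed stand-in for a breached-password corpus, keyed by upper-case SHA-1.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password", "123456", "qwerty")}


class AccountGuard:
    """Lockout, unseen-IP and breached-password checks wrapped around a login."""
    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked = set()
        self.known_ips = defaultdict(set)  # IPs seen on earlier successful logins
        self.notices = []                  # (user, message, ip) the owner should be told

    def login(self, user, ip, password):
        """Return 'locked', 'fail' or 'ok'; append any owner-facing notices."""
        if user in self.locked:
            self.notices.append((user, "attempt on locked account", ip))
            return "locked"
        if CREDENTIALS.get(user) != password:
            self.failures[user] += 1
            if self.failures[user] >= self.max_failures:
                self.locked.add(user)
                self.notices.append((user, "locked after repeated failures", ip))
                return "locked"
            return "fail"
        self.failures[user] = 0
        if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
            self.notices.append((user, "password found in breach corpus", ip))
        if self.known_ips[user] and ip not in self.known_ips[user]:
            self.notices.append((user, "login from previously unseen IP", ip))
        self.known_ips[user].add(ip)
        return "ok"


# Constructed attempt log: (user, source IP, submitted password).
SAMPLE_ATTEMPTS = [("alice", "203.0.113.5", "correct-horse-battery")] * 2
SAMPLE_ATTEMPTS += [("alice", "198.51.100.9", "correct-horse-battery"),  # new IP
                    ("bob", "192.0.2.10", "123456")]  # correct but breached password
SAMPLE_ATTEMPTS += [("bob", "198.51.100.77", "guess%d" % i) for i in range(5)]
SAMPLE_ATTEMPTS += [("bob", "198.51.100.77", "123456")]  # right password, but now locked


def replay(attempts=SAMPLE_ATTEMPTS):
    guard = AccountGuard()  # run the attempts through a fresh guard
    return [guard.login(*a) for a in attempts], guard.notices
```

Each notice in the returned list is something the account owner would be told about; the post's complaint is that none of these signals reached Ring users at all.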

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Dec 18, 2019 10:01 am
by MPMalloy
JayceSlayn wrote:
Wed Dec 18, 2019 8:45 am
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
:shock: but not :o

Re: Everyday is Cybersecurity Awareness Day

Posted: Wed Dec 18, 2019 2:00 pm
by boskone
JayceSlayn wrote:
Wed Dec 18, 2019 8:45 am
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
Don't forget that Amazon/Ring actively but silently disclose footage to official organizations on request. Not when presented with a warrant, just when asked. There's even a portal for the police to use that automatically discloses the Ring cameras in an area. Oh, and they're partnering with police to recommend Ring cameras and supplying sales materials.

My parents were looking at Ring, and fortunately it won't work with their shitty rural internet. I bought a standalone camera system with recording for them instead; it doesn't have the doorbell speaker thing, but if they decide they want that I suspect I can manage something. :p

Cloud services are convenient, but they're also a security nightmare.