Steve's Views

Computer 101

Security by obscurity…

Today I spotted this reply someone gave to how to secure something online:

I mean it's secure, generally, but your best bet is security by obscurity. Hide them (robots.txt), make them accessible from only certain ports / IP addresses.

I felt the need to enlighten the thread rather than leaving such bad advice:

I’m sorry but security by obscurity is not security. No security consultant worth his salt would ever suggest obscurity is secure. True, it can be a layer on the security onion, but you sure cannot rely on it.

It takes mere seconds to locate the unusual port or file name.

There are many common misconceptions and natural conclusions that people arrive at when they are not actually familiar with the details, and there are indeed very technical details behind computers, software and networking. And not to forget social engineering, which is a very effective tool. I saw a survey which indicated that a large percentage of people would give away the company login for a piece of chocolate.

Security is one of the least understood subjects. For your own wellbeing read up on some well established professionals such as https://www.schneier.com.

Large corporations are, contrary to popular belief, not automatically more secure. For one, they usually have a much larger attack vector (more things open to attack) than a small operation. Take Microsoft: they had their Crown Jewels (source code to Windows) stolen by some hacker.

My stable rule is that if there’s something I really don’t want to share I don’t put it online at all. Before coming here I saw someone’s website advertising a tool to scrape web pages that are hidden behind a login wall.

That’s not to suggest you can’t put reasonable security on things online, but the operating basis you establish is how to deal with a break-in once it has occurred, not if but when.

If you don’t get violated – great! But you are well prepared for it.

As for needing a reason to hack you, that is not applicable logic. I often hear people saying that they don’t have anything worth stealing. For one, the criminal hacker does not know what you have or not until after he’s broken in. Secondly, you have something valuable to any hacker – a different online identity than his/hers.

That is valuable, nay vital, when you go about your criminal activities. Much better to put you in the middle. There is certainly a lot of organized crime and then you have the script kiddies (people who don’t know how to break in but rely on scripts that do it for them).

I have a great story from many moons ago on a security forum. A person, presumably a kid, was challenging people to give him their IP address, saying he would hack them. After a while we got fed up with the noise and one of us gave him an IP address. (Each computer has a local IP address which is there so that you can test networking without having an actual network connection. That IP is 127.0.0.1, also known as the loopback address.)

So the kid was given the loopback IP which he immediately fed into whatever script he was executing and he was announcing – Ah you have an E: drive. Watch it disappear. Ah a D: drive, C: drive… and then he was gone. He’d just wiped out his own computer. 🙂

We got a lot of laughs from that one.

Online Security, is it really needed?

What value does security have anyway? Misapplied it can become a great stop, a barrier to get anything done.

This includes information that you don’t want to be publicly available to anyone; it does not matter if they are specifically interested in it or simply stumble upon it. That includes information which could be used against you, sometimes in ways you never considered. It does not have to be something illegal, simply embarrassing, or, more commonly, something that has a financial value.

Security is the art of applying an optimum balance between functional and inaccessible.

The harder it is to make and retain resources, such as money, to care for yourself and your family, the more common it becomes that people come up with what is known as Unusual Solutions.

Examples of unusual solutions are robbing banks, old ladies, becoming a drug dealer, online theft and sabotage for profit, just to mention a few.

With technology running ahead of common knowledge it starts to become a mystery that only the few can understand and master. I think it’s safe to say that computer technology has pretty much always been ahead of common knowledge. Typically we have young people reaching to master this mystery and become its master. Their curiosity can put them on a path of criminal activities without the balance of personal ethics and integrity.

The more you learn about computers the more you realize things you can do with it. One thing that has always been very popular is being able to communicate between computers. Some of you remember modems. A device used to connect a computer with another computer. Huge progress!

Then we got networks where one computer can reach many, which eventually resulted in the internet. Now we have huge portions of the world able to reach anyone across the world.

That opened the door for even more exciting opportunities, which for some meant seeing how many computers they could get into, just for fun. Some people were more oriented towards destruction and would laugh gleefully (I imagined) at wreaking havoc on someone else’s computer.

At some point some individuals got the idea that some people would pay to cause or prevent damage. Which of course grew to groups, political parties, and governments in different countries. Today it is so prevalent that most computers are likely to be “touched” by someone else who does not have your best interests at the forefront of their mind. What they can do depends on how your computer is set up and your activities.

Fortunately individuals, groups etc. exist who wish to prevent the damage being caused.

However, ultimately it is up to you, the individual with a computer connected to the internet, to take some positive action towards maintaining some security. The more you don’t know the more it can hurt you. You can pass the need for knowledge onto someone who knows more than you and that you have a reason to trust.

Statistically it is safe to say that it is better to find someone you have a reason to trust than waiting for someone to approach you. Trusting one, any one, that you chose to give good advice is better than not doing anything to stay safe, or at least safer.

For many this whole subject is a big black mass of not knowing. But you can do something about it using common sense. You can establish, by yourself, some basic policies that will be better than ignoring it all. Just don’t fall into the group of deniers that think that because they don’t have anything of value on their computer they will not become a victim.

For example, you probably lock your car, which is a simple policy that you probably follow every time you use it without even thinking. A computer is harder to keep secure, but there are still simple things you can do. The first is to ensure you have a password which is not obvious, which means it is not the birthdate of someone in your family; in fact it should not be any birthdate. That is not enough (or different enough) characters; rather, it’s better to let your computer generate a password for you. Today it should probably be at least 10 characters long and contain a mix of lower and uppercase letters, numbers and, if allowed, some symbols.

Then ensure you have a unique username (if possible) and password for each online login you have. Often people lose security from using the same login across different locations. (Your password manager easily keeps track of them for you.) When one organization is hacked your data can be part of it. These lists of logins are then spread across the internet among people who love to make it work for them.

The most basic datum should be that if you put any information (data) on a networked computer then it can end up in someone else’s hands. If you think with that and accept the possibility then you are less likely to suffer too much.

Email is a very popular and unfortunately effective tool to get you to open the door for them to get into your computer, which includes making you go to your bank and giving them your money on some pretense that has but one purpose – to steal from you. This is called social engineering, they pretend to be someone else in some imaginary situation where you feel sorry for them being in that imaginary situation and then give them your money (sometimes even thinking it’s their money you are returning).

There are security updates coming out somewhat frequently; these should be applied when they come out. Any online tool is in a direct position to cause great harm to your computer and whatever you have on it or have access to. Thus ensuring they are kept up to date is of utmost importance.

General bug fixes are good as well. Unfortunately some companies create new problems when they fix the old one. Unless you really need that fix, wait for one or more fixes before applying it, which allows time for them to solve it properly.

Another security issue is using software running on their servers, for example, online accounting, or whatever service offered that is running on their servers (I’m not including running your website).

For one you have no physical control of your information, if they go down you will too. Someone else is in charge of looking after your information, at whatever pay grade and motivation that you will never know. Imagine hiring someone to work for you where you don’t know when they are there, what they are actually doing, from whatever country or organization with whatever motivations?

It can be as simple as something going wrong anywhere between you and them, and you cannot access your company information. It could be someone digging a trench and accidentally cutting the network cabling below ground. They could be under attack and brought down since they are hosting many other companies and maybe one of them is a target. In the end you have no control.

Such a company might be a life saver when you don’t know enough to have this computer functionality in your own operation. If so, be sure to have a definitive plan to get it in-house, and maintain full backups of YOUR data, even if it is on their servers.

Avarice, which is defined as extreme greed, has put many in the “poor house” from having lost all their savings through some scam. Even plain greed makes people go for that quick buck. This is often a case where the person believes they cannot make enough money and will happily be fooled into thinking the fast buck will be their ticket to permanent happiness.

When I receive a call from some stranger, even if I know the company they claim to work for, I never accept the “good fortune” they are presenting me with. If it was legitimate I would also receive an email and a physical letter proclaiming my good fortune. AND that is not enough to convince me I’ve won something. I would have to have enrolled in that something AND if it comes through an email it would know my name and other details AND have proper grammar AND be professional sounding, then I would still be on my guard and NEVER make ANY payments to release my funds, boat or whatever they claim. They would also have a number I could compare to a publicly posted number.

In other words I NEVER believe it to be real unless I could use some different method to verify their claim that is not coming from them.

If it is a phone call the easiest way to call their bluff is to ask for their name and a call back number. If given a number I then search the internet for that number with the word scam. Usually someone else has been targeted and it has been noted online.

Any legitimate organization that would have a reason to give you ANYTHING, would be easily accessible and 99% well known.

Regardless of how someone else could possibly determine if you have, or don’t have, anything of value to them without breaking into your computer, there IS something you have of value, which is a computer connected to the internet. Any computer is valuable, even if it is empty, as a tool for someone else to use to wreak more havoc on the internet.

Of course if your computer is an office computer of some organization, that organization might very well be a target for nefarious activities. There better be someone who understands computer security or it’s just a matter of time.

A little example from years past. A country deemed untrustworthy of harnessing nuclear power was approaching such a level of being operational that another country decided to put a roadblock there.

The challenge was that the lab was not on the internet and could not be broken into remotely. They solved it by ensuring some computer code was inserted into a printer being sold to that government, specifically that nuclear lab. When they connected that printer to their internal network the code sprang into action and established connections to other devices, devices which were then sabotaged in a way that was not obvious but delayed their progress towards having the bomb.

Spend a little time towards at least understanding the concepts of computers. A computer is a tool, a stupid tool without any real intelligence. Any perceived intelligence is programmed into it; without that programming it is a doorstop, with great potential but still a doorstop. It can only follow exact instructions one after the other. It is programmed to make logical decisions that again are programmed into it.

Most of the time computer terms come from terms used in daily life. If you look at the plain English definition you can usually figure it out. Take “network”: you have heard of networking, getting together with a group of people to maybe promote each other’s products and services, or homemade cookies. For a computer it is also networking, by connecting a communication cable called a network cable. That cable in turn connects to one or more devices, which ends up creating a connection to the physical wiring across the world known as the internet.

You have the intelligence to do networking, which makes it a lot easier for you: it does not require special shared programming amongst all the computers, or a radio (for WiFi) and/or a cable to connect to others. Computers follow protocols, much the same as we have protocols in how we address each other. The difference is that a computer will fail if the protocol is not followed EXACTLY.

Though everything a computer does is based on human principles, after all, humans built it. 🙂

Microsoft requires disabled man to have email & cell phone

Today I helped an old man who wanted help restoring Windows 10 to his laptop that his kid gave him. The hard drive was broken and needed replacing.

The install went fine until Microsoft asked for an email account. He does not want to receive any emails from anyone but family so I gave it a test domain email address to use, and then it came to needing to send a text to his cell phone in order for them to be able to verify who he was. We entered his number, which is not a cell phone and cannot receive texts, and that was the end of the install.

They try to send you a text which you are then supposed to enter into the computer. But without the ability to receive texts you are left out. There was no way of moving forward.

Looks like a dangerous road where they are limiting people with disabilities just because they are not fully on-board with technology.

Networking 101

I’ll share some basics here:

All computers and devices on a network are each called a host. Each must
have a unique IP address just like each house has a unique address.

IP addresses are broken into the older IP version 4 (IPv4) which has
four numbers separated by a period ‘.’ like this 8.8.8.8.

Each number must be in the range of 0 to 255, but no host can have an IP
that ends on 0 or 255.

There are three main ranges of IP addresses which will not be routed
(forwarded) across the internet. These ranges are intended to be used in
local networks, which in practice means you can have a number of
computers with their own IP address on your network without it being
open to the world.

In other words these ranges will not work across the internet and are a
direct solution to not wanting to give up a “routable” address for each
internal device. Otherwise the available IP addresses would be used up
very rapidly by large corporations. Plus, this way we have a layer of
security. There is a technology called Network Address Translation (NAT)
which ensures internal communication traveling from the inside of a
network to the outside is properly tracked.

The three ranges are:

10.0.0.0 – 10.255.255.255 with 16,777,216 IPs
172.16.0.0 – 172.31.255.255 with 1,048,576 IPs
192.168.0.0 – 192.168.255.255 with 65,536 IPs

There is an address for all computers to test networking without needing a
network card which is 127.0.0.1. It is called the loopback device.

The new IP version is called IPv6 and in theory allows for 2 to the
power of 128 addresses (128 binary digits) versus IPv4 which only has about
4.3 billion addresses. I’m not going into the details of it here.

A network that is under another one or is internal is generally referred
to as a subnet.

Each network reserves a few IPs for its own use:

For a network able to use all 256 addresses on a subnet, 192.168.1.0, for example, is called the network address, which obviously is the beginning of it.

Usable addresses then would be 1 through 254, except generally the first
usable one is usually the gateway to the network “above” it. So .1 is
usually reserved as the gateway IP.

Then the last IP is usually the broadcast address. The purpose of that
is that when a device needs to reach another computer and does not know who
has the IP, it sends out a broadcast asking “who has (IP)?” which is sent to
the .255 address. The gateway will then answer.

192.168.1.0 is the network IP
192.168.1.1 is the gateway
192.168.1.255 is the broadcast IP

We humans have a hard time tracking IP addresses so a system was
designed to allow us to use names instead. A server function called
Domain Name Server (DNS) translates the name to an IP address which is
needed to actually reach another computer.

Now for a computer to save time and not bother the DNS with questions
that it could answer, a network mask was created, which by its design can
tell if the computer you are trying to reach is on the local network or
needs to be sent to the gateway server to figure out. (And if it does
not know it sends it up to its gateway and so on.)

It is called a subnet mask and for the above example it would look like
this: 255.255.255.0. The computer thereby knows that any host on 192.168.1.0-192.168.1.255 can be reached directly; anything else needs to be sent to the gateway, 192.168.1.1, for it to forward up the line.
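
The three private ranges and the subnet-mask decision described above, worked through in Python as an added example (not code from the original post). The host 192.168.1.10 and the 255.255.255.192 subnet are constructed sample values and the function names are hypothetical; the example goes beyond the text by also handling masks other than 255.255.255.0.

```python
# Added example: the subnet arithmetic from the text, done with bit operations.

# The three non-routed ranges, each as (network address, subnet mask).
PRIVATE_RANGES = {
    "10.0.0.0 - 10.255.255.255": ("10.0.0.0", "255.0.0.0"),
    "172.16.0.0 - 172.31.255.255": ("172.16.0.0", "255.240.0.0"),
    "192.168.0.0 - 192.168.255.255": ("192.168.0.0", "255.255.0.0"),
}


def to_int(dotted):
    """Turn '192.168.1.10' into one 32-bit number; each part must be 0-255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part) > 255:
            raise ValueError(f"not an IPv4 address: {dotted!r}")
        value = (value << 8) | int(part)
    return value


def to_dotted(value):
    """Turn a 32-bit number back into four numbers separated by periods."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_int(mask):
    """A valid mask is a run of 1-bits followed only by 0-bits."""
    m = to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError(f"not a contiguous subnet mask: {mask!r}")
    return m


def describe_subnet(host, mask):
    """Network, broadcast and usable host range for the subnet a host sits in.

    Meant for ordinary subnets that leave at least two host bits.
    """
    m = mask_to_int(mask)
    network = to_int(host) & m                    # host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)       # host bits all set
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "usable_hosts": max(broadcast - network - 1, 0),
    }


def next_hop(source, mask, gateway, destination):
    """'direct' if the destination shares the source's subnet, else the gateway."""
    m = mask_to_int(mask)
    if (to_int(source) & m) == (to_int(destination) & m):
        return "direct"
    return gateway


def private_range(address):
    """Name of the private range an address falls in, or None if routable."""
    value = to_int(address)
    for name, (network, mask) in PRIVATE_RANGES.items():
        if (value & to_int(mask)) == to_int(network):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample host on the subnet used in the text.
    print(describe_subnet("192.168.1.10", "255.255.255.0"))
    for dst in ("192.168.1.77", "8.8.8.8"):
        hop = next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", dst)
        print(dst, "->", hop)
    for addr in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "8.8.8.8"):
        print(addr, "->", private_range(addr) or "routable on the internet")
```

With the mask 255.255.255.192 the same functions put the network address at .64 and the broadcast address at .127, so which addresses are reserved depends on the mask, not on the last number alone.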

Due to criminal elements online it is crucial that you have layers of
security. The first one is called a border firewall and is the first
layer of security. Other layers can be local firewalls on each computer,
educated users on what to do and not, log files that are monitored,
security patches applied in a timely fashion (immediately) and so on.

You do NOT need a separate subnet for VMs unless you WANT to have it. I
rarely do it. But if you do then simply assign IPs for the VMs that are
on the same subnet. If they need to go outside that subnet then make
sure you have a gateway assigned which sits across both subnets. That
will have port forwarding turned on which allows traffic to flow between
the network cards. (Google linux router.)

When you use virtual machines they too will each need an IP to talk to
any other host.

(You could create a subnet which does not have the ability to talk
outside that specific network, which could be handy when testing
something that could be interrupting other hosts on the main network.
Being totally isolated means it cannot be hacked nor leak something
outside that network.)

When you sit inside your subnet you may not allow random external (on
the internet) traffic to reach your internal computers unless there is a
hole on the firewall to allow some traffic in. For example, you might
have a web server which is reachable from the outside, which in turn
uses a database. Access to the database must be guarded to ensure it’s not reachable directly or via a flaw in the code.

You have to make the call if you can or should allow the VMs access to other networks.

Gray Body Text Is Non-Optimum, Try This:

A number of developers and designers have gotten the idea that having dim text is the way to go. And I can see that for a number of youths who stare at the screen all day long it might be annoying, even infringing. Especially if you sit in a dimly lit room where the only light comes from the monitor(s).

May I make the suggestion that black on white is not my first choice either, but rather than making it hard to read for a good percentage of people, use a different color, for example, a blue.

Blue would immediately change the impact to those with sensitive eyes. Not to say that dimming the monitor would create the same effect across the board.

It appears that too many developers are not fully considering who their public might be. Which of course also applies to any designers that use the same.

Now, I’m not at all totally against using gray to separate a section of text, or copy for marketing people. It does not require much change to stand out either, as you saw there.

How about a site function where you can store the color value in a cookie ensuring everyone can read it the way they like! Much like we can often choose different languages. Which is very handy when traveling to a country with a language you are not fluent in.

Point being making websites available for as many as possible is the goal for most websites wanting maximum return on investment, by attracting people with all kinds of eyesight on normal monitors. I’ve yet to try this out on the new 4K monitors, but I’d bet it is still true.

We have come a long way in making the web a universal tool that everyone can use; let’s not go backwards by making it hard for a good swath of the population.

How To Give Away Your Bank Accounts To Criminals

Sherri Davidoff, author of “Network Forensics: Tracking Hackers Through Cyberspace”, has documented a real life example of someone giving away all their credentials, which means someone else now has the same access to your identity, and subsequently money, that you have.

It is a very effective demonstration of what not to do, share it with others!

And not necessarily very hard to protect yourself from. The best is of course to never accept and use links in emails, IM, etc. Which can be hard when you think it is from your friend or family member, or in the above case, your bank.

A safer method would be to use a LiveCD (a CD which you boot and run programs from) which does not have the ability to be altered. Which means each time you boot it – it is completely untouched by any virus. But it means booting into it each time you want to visit your bank, or other sensitive websites.

Joanna Rutkowska is a Polish security researcher who released a modified Operating System called Qubes OS which I think is a great compromise, and the best I have seen. It accomplishes that by setting up virtual environments in a particularly nifty way. First the whole O/S has been modified to be hard to break into, then it uses dedicated virtual computers for each sensitive website (all according to your preference).

I created one environment for each bank, Paypal etc. Then I ONLY visited that one website using that virtual environment. In other words if you have Paypal you would use the Paypal virtual environment to only visit Paypal. And so on.

Now it requires that the bank’s website gets infected with the malware needed to infect my virtual computer, but only for that bank. Not for any other. It is also particularly easy to fix. Remove it and add a new one.

Another virtual environment is used for casual browsing. Another for business, email etc.

This means an infected email cannot corrupt your other environments and you have a very effective tool against online malware.

Security is about balancing security and work-ability. Too secure and nothing can get done. Too easy and you’ve given easy access for criminals. You need to strike a balance. It took very little to get used to and is about the safest and best balance I’ve seen anywhere.

As you can see at the bottom of the above article LMG Security offers workshops and her book is a very good read.

Make the extra effort to be security aware and avoid being a victim while at the same time not being the tool used to wreck someone else’s life.

Abandon IT Dept for the Cloud?

People have some interesting affinity for the latest and greatest solution, which gets applied to any and all problems. The grass is apparently so readily seen to be greener on the other side, that even common sense is left behind. I’m guessing there’s frustration afoot, which might be because of a slow or inept IT dept. But could also be because not enough funds are allocated to properly run the IT dept. Just saying.

This urge to always jump on the latest new technology is often done as if there’s a great emergency. The idea behind the Cloud is certainly interesting. But is moving your IT into the Cloud the right move, or are you asking for even more trouble?

Your IT dept has physical control and is motivated by how you run your business. In other words you can hire, fire and make demands to ensure they are aligned with supporting your business plan.

The Cloud however, is ENTIRELY out of your control.

In-house you can observe and handle security issues. On the Cloud you are hoping that they don’t have a staff failure, upsets, or whatever, which results in them not caring properly for your data/information.

In the Cloud, you are one part among many others, which certainly makes the Cloud a bigger target: in the eyes of the criminal hacker, it has a higher potential payoff to hack. It’s more worthwhile to break into the Cloud.

When that happens, how do you act to protect your data?

There are many ways to “hack” into something. For example, in social engineering, where by pretending to be someone else, you talk people into giving you knowledge that opens the doors you want “unlocked”. A simple phone call, or email, and someone might hand out the “keys”. It is very popular and easy to succeed with. It could also very well be that the people working the Cloud know better than your average staff than to fall prey to it.

Ultimately you need to look at your budget, evaluate the business impact of not having much of an internal IT dept, versus handing it out to someone else, and hope for the best.

True, you might already be hoping for the best. That your computers don’t get broken into, that IT knows what they are doing, etc. Data loss, for example, is more often caused by an upset employee than some outside body. Making an argument for the Cloud. In theory it looks like the Cloud can be a viable alternative.

I just don’t trust my business information to be kept completely safe where things such as motivation, competence, reliability, etc. are not only unknown, but mostly unknowable. Where you can’t take advance action to ensure that the person being fired will not be able to cause you harm in a vengeful moment. Where, if the internet is down, you can’t do anything because all your data lives elsewhere.

Simply jumping on the Cloud because it is the hot thing that “everybody” is talking about, is not a very well evaluated reason. Most of the time common sense is the most reliable tool you have. Use it!

What do Windows 2000, XP and Vista have in common?

They don’t ship with a decent word processor, never mind an office suite.

Fortunately that does not have to be a bad thing. Thanks to the efforts of the OpenSource community we have choices. One of them is OpenOffice. This suite can read and write MS Office files and actually includes a bit more.

How much does it cost?

This is the fun thing. Thanks to the different philosophy of OpenSource you don’t have to pay anything. That’s right, it’s available for free. OpenSource developers make money on after sales efforts like support, training and modifications. Sometimes OpenSource applications and Operating Systems, are simply a facilitator to enable other products and or services.

Here you can read the OpenOffice license. It is only slightly different than the General Public License (GPL) that Linux follows, and is intended for certain software libraries. But the idea is the same. The freedom to use it the way you see fit.

Fortunately for us, OpenSource is usually good enough to be used even in enterprises, where downtime is not acceptable. You can read about efforts from companies like IBM, HP, Novell, RedHat & Google, just to mention a few, who have poured their expertise into supporting and furthering what they see as the next great thing after sliced bread.

Unlike commercial software, the openness of OpenSource allows anyone and everyone to see the code and modify it as they see fit. Bugs can be noticed by anyone and fixed without the threat of lawsuit. An organization can find an OpenSource application that is close to their needs and modify it as needed. As long as those modifications are kept “in-house” you don’t even have to share them. It’s only when you distribute modified OpenSource code outside your own organization that you have to license your altered code under the GPL.

This user has been using it since its early days and has never looked back.