Absoblogginlutely! » Posts in 'Security' category

Ransomware decrypters

Filing for future reference in case of a ransomware infection. This list gathers together tools and references that may allow you to get access back to encrypted files.

Book Review – The Art of Invisibility by Kevin Mitnick

The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin Mitnick
My rating: 4 of 5 stars

A cautionary tale of just how visible you are on the internet and in today’s connected society.

First off I am fully aware of the irony of posting a review of this book online on Goodreads, my blog and Facebook after reading a book on how to be invisible on the internet…..

This was an entertaining read and although I work in the IT field, there were still some security facts in the book that I was not aware of, so I learnt a fair amount. There are also some useful references for security tools that I had not been previously aware of (although I’m not a security professional).

Despite the above, the book isn’t too technical to make the non-IT person bored but it may well make them paranoid! There is a huge emphasis on becoming invisible in the book through extreme measures such as paying a complete stranger to buy some gift cards at a store that doesn’t have cameras in the store OR on the way to the store, then using that to buy bitcoins – twice to ensure they are completely laundered and then using those new coins to purchase various items. Not something that the average person in the street is likely to ever do ……and I must admit I do wonder if someone needs to go to all that trouble, would they be reading this book?

There are useful hints and tips about using secure messaging, email etc that can be used by everyone just to keep their internet usage secure which are not too extreme for the day to day consumer.

But for the ultra paranoid/nefarious, this book will either help you solve some of your issues or make you even more paranoid as it brings up points you hadn’t thought of before….

Thanks to Netgalley for the opportunity to read and review this book.


Cloudflare checker for LastPass in PowerShell and .NET

With the recent report of Cloudflare credentials being cached/available in search engines, it is always wise to see just how many sites you’ve logged into recently. If you don’t use a password manager, then you will have a fun time going through your browser history, working out what sites you logged into and then changing your passwords.

Hopefully you are using a Password Manager by now and there are several routines available (with source) to check an exported list of URLs from your manager of choice against a public list of Cloudflare-protected sites.
I used CloudFlareChecker as I could use PowerShell to filter out my password list to URLs first and then run the site list through the tool (which required the .NET runtimes installed).
Out of 1200+ URLs in my password export, there were 25 sites using Cloudflare. It didn’t take too long to change credentials and update the passwords in LastPass. Yes it’s worth doing for all sites – but I really don’t have time to log into that many websites!
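
An added example (not from the original post and not CloudFlareChecker's own code): one way to do the PowerShell filtering step described above, reducing a password export to host names only and matching them, subdomains included, against a domain list. The CSV header, the `http://sn` secure-note placeholder, the sample rows, the domain list and both function names are assumptions constructed for illustration.

```powershell
# Constructed sample in an assumed LastPass CSV export layout.
# A real export holds live passwords: read it, reduce it to host names, then delete it.
$exportCsv = @'
url,username,password,extra,name,grouping,fav
https://accounts.example.com/login,alice,CONSTRUCTED-1,,Example,Web,0
http://sn,,,"secure note body",Note,Secure Notes,0
https://www.example.org:8443/,alice,CONSTRUCTED-2,,Org,Web,0
https://notexample.com/,alice,CONSTRUCTED-3,,Lookalike,Web,0
'@

# Constructed stand-in for the public list of Cloudflare-fronted domains (lower case, one per entry).
$cloudflareDomains = @('example.com', 'example.org')

function Get-ExportHostName {
    # Returns the unique lower-cased host names from an export; user names and passwords are never emitted.
    param([string]$Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        $uri = $null
        # Keep only absolute http(s) URLs with a dotted host; this drops secure notes and blank rows.
        if ([uri]::TryCreate($_.url, [UriKind]::Absolute, [ref]$uri) -and
            $uri.Scheme -in 'http', 'https' -and $uri.Host -match '\.') {
            $uri.Host.ToLowerInvariant()
        }
    } | Sort-Object -Unique
}

function Test-DomainListed {
    # True when the host equals a listed domain or is a subdomain of one.
    # Whole labels are compared, so notexample.com does not match example.com.
    param([string]$HostName, [System.Collections.Generic.HashSet[string]]$Listed)
    $labels = $HostName.Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        if ($Listed.Contains(($labels[$i..($labels.Count - 1)] -join '.'))) { return $true }
    }
    return $false
}

$listed = [System.Collections.Generic.HashSet[string]]::new([string[]]$cloudflareDomains)

# Emits the host names whose credentials should be rotated.
Get-ExportHostName -Csv $exportCsv |
    Where-Object { Test-DomainListed -HostName $_ -Listed $listed }
```

Matching on the host name's parent domains matters because password managers store the login page (for example an `accounts.` or `www.` host) while domain lists usually carry only the registered domain.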

If you don’t use LastPass then there are several other resources at your search engine of choice that will help you check Firefox saved passwords (hopefully you don’t), KeePass or even check an individual website for potential issues.

As an aside, I’ve been trying out Dashlane as an alternative to LastPass but I’ve not been very impressed with it so far. It fails to recognise any saved credentials for Office365 and the extension doesn’t even activate in Chrome so I’m staying with LastPass. If you haven’t signed up for a Password Manager yet, then signing up with this LastPass premium link gives us both a free month of premium access and if you have any questions then let me know.

Last.fm password breach – you’re doing it wrong.

Last.FM logon page

I received an email from HaveIBeenPwned this morning – the incredibly useful service that lets you know if your username and password were released in a data breach. This time around it was last.fm – a streaming radio station that was pretty popular a long, long time ago. I went to log into the system and checked my Gmail account for email from last.fm to see if I had my membership confirmation email – nothing. I had 1 email from last.fm back in 2008 when I had received a friend request (I am so popular!) – that was actually a spam request.

Obviously I had not used the service for a very, very long time. The data breach occurred in 2012, was known about in 2012 and yet they had done nothing about it then. They had also not done anything about it recently after the data breach was leaked as I had not received an email from them letting me know my account had been breached.

To add insult to injury, the old password was still active and I was able to log in with it. I can understand a small pokey geocaching website not understanding security correctly and leaving passwords the same after a data breach with only a small notification on the website, but even they reacted after I sent them an email to say they need to do something better and at least inform their visitors and ideally change their password.  Last.fm really have no excuse as they are big enough that they should know better and all of the accounts should have had their passwords changed once the breach was public or better yet, when they knew about the breach.

Instead, the list of usernames and passwords is still out there for people to search and log in with.

I guess the argument for not changing the account password is to let the subscriber log in with their original password that they know about. If the email address was now invalid and the password was changed by last.fm then the user would not be able to get into their account anymore….on the other hand if last.fm does not change the password, anyone could log into the account, reset the password, have access to all the data (including the person’s email address) and the account holder would not be able to gain access. The hacker will not be able to change the email address though as they have put protection in place to prevent the email address being changed without a verification email link being clicked on so I guess that is something…..

This is also yet another reminder to use a password manager to “remember” all of your passwords for each site – don’t use the same one at each location. I highly recommend LastPass (unless you are a user with multiple accounts at Office365). At $12 a year for syncing between all of your devices it is well worth the cost and if you sign up with the link above we both get an extra month for free. I used to use the free KeePass software which is standalone and doesn’t hook into your browser like LastPass but it can also sync between devices (with a bit of finagling).

What do you think – should last.fm have changed users’ passwords when the data breach went public? Have you signed up for HaveIBeenPwned? If not – what are you waiting for – it’s free and a great first response tool to keep your accounts more secure.

Arj compression – anyone remember this?

We had an interesting ticket come in today where an antispam system had let through a file compressed with the arj format. This immediately brought back memories of compressing files back at university in the very early 90s – a format that used to be very popular but which nowadays most people, including the rest of our techs, have never even heard of.
I am guessing the spammers were hoping that their recipients have WinZip, WinRAR or 7-Zip installed so they will be able to open the infected file and that, as the file format is so old, AV scanners will not check them.

Anyone else out there remember Arj files and anyone (dare to admit that they) still use it?

Bing and Google links to report malicious/fake content in Search engines.

You can report URLs to Bing via http://help.bing.microsoft.com/#apex/18/en-US/10011/0 – It took a while to track that link down – hopefully they won’t change it again unlike the rest of the links I found.

Google’s report site is https://www.google.com/webmasters/tools/spamreportform?hl=en which is a much better url and one that doesn’t look like it will change much.

Would/Should you block LinkedIn to your Exchange Server?

Apparently LinkedIn now have a feature that allows users to provide their corporate passwords to a third party so the users can then send invites to other people in their office. I really don’t see how this can Be A Good Thing 😉 – Paul Cunningham has a post on ExchangeServerPro on this feature and links to Adam Fowler’s post on how to block LinkedIn to Exchange. This is interesting as we’ve also seen this issue with Verizon doing something that we expect is screenscraping to provide email information to phones. Admittedly this was a while back but we have found it hitting the Exchange server so it will be interesting to see if this successfully blocks the server.

In the meantime, maybe it’s time to not only educate LinkedIn that this is a really bad idea but also your corporate users.

For what it’s worth the solution is to do the following:-

There are a few settings to check. First, under the Set-OrganizationConfig area, you’ll need to check that EwsApplicationAccessPolicy is set to ‘EnforceBlockList’. If it’s not, it’s going to be “EnforceAllowList” and you’re probably OK, as it’s using a whitelist for access to only what’s listed rather than a blacklist, to only block what’s listed.

Next, you need to add LinkedIn into the BlockList. This is done with the command “Set-OrganizationConfig -EwsBlockList LinkedInEWS

Bypass two factor authentication to gmail?

Update – Never mind – see bottom of article.
Discovered an interesting flaw in the requirement for two factor authentication with Gmail today. I like to use the application on my cell phone to ensure that only I have access to my account – and if somehow a keylogger was in place, my password to Gmail is not any use as the 2nd factor authentication would also require access to my cell phone.
However, today I logged into Google Reader first (which doesn’t support 2nd factor authentication) and used my username and password only. I then clicked the Gmail tab at the top of the reader – and hey presto I’m into Gmail.
Bottom line – don’t think that just because you have enabled 2nd factor authentication you are safe from keyloggers on a PC or network sniffing/man in the middle attacks. I’ve not reported this to Google yet but it will be interesting to see what they say.
Update: After signing out AND restarting Firefox I was prompted for the 2nd factor password. Interestingly I wasn’t prompted until I restarted the browser – so as usual – always restart browsers once you’ve finished with them.

Fixed: DigitalPersona fingerprint reader with roaming profiles not saving passwords

The new laptop has a fingerprint reader included and comes with DigitalPersona’s fingerprint software. At first glance, this looks like a useful piece of software but after trying to use it, I’ve found it very buggy and the support is non-existent. DigitalPersona offer no support for the product and refer you to the OEM partner, in my case Dell, who have nothing in their knowledge base about this product either.

My problem was to do with our roaming profile. After receiving the laptop last night I synched (or so I thought) to the domain, took the machine home and logged in. Windows 7 decides that it can’t load my profile and uses the temporary saved copy – all well and good for now, my desktop background, images, shortcuts etc all exist. However every time I go to add a new website in DigitalPersona, it seems to take the information but does not actually save it to the machine. Suspecting roaming profiles, I created a local user, logged on as that user and registered my fingers. Note that if you do this, when you use the Windows Login Screen and your finger to login, the PC automatically logs you in without asking which user you want to use. I’m not sure how it determines which user to use, but in my case it used my local user (which was also the most recently created user).

After logging on as the local user I was then able to launch Internet Explorer (9), log into Gmail, Facebook and this blog and register my usernames and passwords and DigitalPersona kept the information. At this point I also used the option to download and install updates to the software – the most recent version that is now running on the PC is 5.30.252a. Note to get to the updates, click on the plus sign by central management and then the update tab appears.

I then logged off the machine and logged back as my domain account. Tried to use DigitalPersona and yet again the software refused to take my passwords. I opened explorer up, browsed to %appdata% and sure enough – there was no DigitalPersona directory. I then browsed to c:\users\localusername\appdata\local and checked out the DigitalPersona directory. This contains an OTS directory and then a _dp_ots_tmp and DPIconCache directory. The tmp directory was empty and the DPIconCache directory contained an icon for the sites I’d saved the password to. I copied the DigitalPersona directory from the localusers\appdata\local directory to my own %appdata% directory and magically was able to start saving passwords in IE9.

Unfortunately I’ve yet to get the program to work with Firefox or Keepass – the program is unable to detect Firefox or Keepass having a login window.

If anyone has a better (preferably free) password manager that works with IE, Firefox, Chrome and Keepass (last is optional) then please let me know.

Interesting analysis of Sony password

Troy Hunt has a nice analysis of some of the passwords that were recently stolen from Sony. As usual, most of the characters are pretty easily cracked, although in this case the hackers didn’t need to as the passwords were stored in plain text. The scary thing is how many of the passwords were the same between the Sony site and the Gawker site that was also broken into earlier. Naturally the key (no pun intended) between the sites is the userid is commonly the email address which then also means there is a fairly good chance of having your Gmail account broken into. One of these days I’ll break this information up into a password guide for users to show them how it “really could happen to them” and the risk it generates to the company as well as their personal information. I’m actually surprised at the number of people who use their work email address for things like Facebook and other social applications. After all, work email addresses are not exactly permanent nowadays and definitely not private. It would also be really interesting to take all of our email addresses from our clients and run them against the login IDs from this database to see if anyone was in the database. Alternatively checking previous web site history viewing would give a clue if people were using this site (but would be a very painful and time consuming process). The only problem is the time it would take and the fact that only a subset of the data was made available for download to the general public.
