Anachostic

My tagline, let me show you it.

Tag Archives: security

Wasteland Highlights

Two trips to the hometown in one year!  Wow!  I mean, wow.  I actually mean, meh.  No really, blah.  So, to summarize the best/worst highs/lows of the trip, here we go.

Before I even left for the airport, six hours before my flight, my flight was delayed.  The flight was already a late one at 7:00pm, now it was 7:30.  When I got to the airport, they announced, “your plane will not be arriving until 8:00.”  A very odd way to announce a delay, but that’s what they did.

The TSA experience on the way out wasn’t too bad (oh, just you wait for this one…).  A couple new regulations (aren’t there always?) to deal with.  Everything electronic larger than a cell phone must be taken out and all liquids must be out as well.  Ok, no big deal, a couple of Kindles and shampoo.  I went on with my life.

At my destination, I went to pick up my rental car at the ungodly hour of 11:30.  When I went up to the counter, the agent just stared at me with a big smile on his face.  I said, “Hi, I have a reservation” which seemed to break his trance and he said, “that… is awesome.”  And I understood.  It was my shirt – “Quattro Gato”.  Basically, this image here on the right, colorized and duplicated four times over. The agent asked me if I liked cats, had a cat, what type of cat, etc.  Naturally, cat people are awesome.  And awesome cat people get… Mustangs!  Or at least that’s what he believed.  Me paying for the cheapest rental car, and wearing a cat shirt, means I get upgraded to the sports car category.  I guess I’m ok with that.

I got my car in the lot.  There are SO many goddamn buttons on the console and steering wheel.  What the fuck.  I don’t touch anything.  I try to get GPS directions out of the airport to a familiar highway (I always take the wrong route), but my phone has no signal.  Finally, I get a weak signal and a route.  I leave the airport and immediately get in the wrong lane and miss the proper exit.  GPS simply changes the route, without even scolding me with “ROUTE RECALCULATION!”.  Not sure exactly how much time I lost in that, but I made it to the motel and fell into bed at 1:30am.

I thought I had everything planned out well for this trip, which meant little to no personal time for me.  In the end, I had way too much personal time because my brother kept bailing on our plans.  So I saw and did everything I could think of.  That’s a very short list in a very small town.  And I ended up sitting in my upgraded rental, parked downtown for extended periods of time.

Everything’s closed in the wasteland.  The mall lost Sears and JCPenney anchor stores, leaving only The Bon Ton.  I asked a couple people I visited, “where do you buy clothing?”  The only options were KMart, WalMart, and the Bon Ton.  One said Amazon, the other said the outlets (a 45 min drive).  How can you live like that?

After only two days, I was ready to get back home.  My outbound flight was at 3:30, a time where you either get to the airport super-early, or risk being late.  I chose the former, since there was nothing else to do.  I got to the airport, returned the car, and chilled in the airport lobby for an extended time, reading.

When I got up to get some lunch, I found out all the food was behind security, so I guess I’m going through security now.  I was ready.  I remembered the changed regulations, even though none of the agents were making announcements about it.  Ha!  I was ahead of the game.  I put my laptop and kindle and shampoo in a tray and confirmed with the agent that was right.  He said the laptop had to go in a tray by itself.  Fine.  Anything else?  Shoes.  Oh crap.  How did I forget that?  Shoes on the conveyor.  Then over to the scanner.

I got chided last time about doing a body-building pose when they told me to lift my arms, so I kept it simple.  I got out and the guard stepped in front of me.  “Anything in your pockets?”  I patted my pockets.  Oh fuck.  My phone.  I usually put my watch and phone in my carryon while I’m in line.  I forgot.  I pulled out my phone and handed it to him.

“Anything else?”  I patted again.  I had my handkerchief, which I didn’t think was any big deal, my passport, which I sometimes have in my hand when I get scanned, and oh crap, coin change.  I pull the change out sheepishly and hand it to him.  “Anything else?”  Ok, I’m stressing now.  My passport?  He takes that too.  “Anything else.”  Uh, a handkerchief?  He has everything now.  He calls for a bowl from the other agents and sends everything off to get scanned.

“So, you want me to go through again?” I ask.  The agent replies in a very annoyed tone, “No.  Since you had so many things in your pockets, you’re going to have to be patted down.”  Ohhhh FUCK.  The agent then goes into a very long and detailed description of all the different ways he’s going to feel me up.  I’m somewhat in shock, so I don’t hear much of it.  He asks if I want a private room or just do it here.  I said here is fine, as if I give any sort of a shit right now.

I have to take off my belt (which should have come off earlier, I guess), and hold it.  Not much to say.  I got groped plenty around my balls and swiped and rubbed.  That might be bad, but hey, they gotta do their job.  But here’s the stupid thing.  They wiped my hands with some sort of device that probably was checking for explosive residue or similar.  Now, if I was a “t-word”, would I have been so stupid to leave my pockets full going through the scanner?  Bad guys are smarter than that.  I’m just an idiot, and you’re checking me for residue?

I pass with flying colors, gather my shit and get the fuck out of there.  The experience ruined my day completely.  I tried to eat lunch but ate very little.  I wasn’t upset or scarred or anything.  Just mad at myself that I was so focused on the details I totally forgot the basics.

The flight back was much less fun than the flight up.  Much more turbulence and many more passengers.  Two very large women in my row.  Idiot children in front of me, and a baby across the aisle.

But I did make it home safe and my cat was thrilled to see me.  That’s enough travel for a while, I think.


The Social Security GUID

With the recent Equifax debacle, I froze my credit file at all the places I was able to.  But the news still keeps on coming.  Whenever I read about these events, I think, “Why can’t we just request a new Social Security Number, like we can request a new bank account number?”

Well, for one, there’s not a lot of SSNs available. 1.2 billion at the max, and I’m certain that you can’t have SSNs like 000-00-0000, and there’s probably a few other notable blocks that couldn’t be used, so it’s less than that.  And with people constantly dying and being born, those numbers are always getting used up.  If we were to allow people to request new SSNs easily, we would exhaust the available supply very quickly.

So, if we were to reimagine how our country’s income tracking system could be implemented, we should make sure it’s not going to need an update for a very long time.  And when you think of things that are going to last a long time, I think of 128-bit values – GUIDs.

I understand that the retrofit of a new field in databases around the world to accommodate this new ID value would be nigh impossible, so this is just a thought exercise in what we could want from a national identifier.

Foremost, we would want our ID to be replaceable at will, but we would also need to be able to keep a history of former IDs.  For example, if your ID was stolen or leaked, you would simply request a new one, and the old one would be archived.  The old ID would continue to be valid for existing credit lines and other previously established links, but would no longer be valid as a lookup for new lines of credit or other interests.  Ideally, you would update your old accounts with your new number.  Maybe it would be mandatory to keep your ID up to date within a year of changing it.

Second, your ID should not be able to be guessed or calculated.  There are guidelines for the structure of SSNs that indicate approximate year of issue and state issued in.  With a random GUID, there is no such pattern (although it could be somewhat implemented with the resultant loss of security).  The vastness of a 128-bit space would nearly eliminate guessing.  The length of a GUID also means it would be difficult for people to memorize upon overhearing someone else reciting it.

So, if we were going to do this, do it right, do it big. Go from 10 bits to 128 bits and never think about it again.
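As an added example (not code from the post), here is a small Python model of the two properties argued for above: each identifier is 128 random bits from the operating system's CSPRNG written GUID-style, and a replaced identifier stays resolvable for links that already exist but cannot be used to open anything new. The registry class, its method names and the `purpose` flag are assumptions made for this illustration; the nine-decimal-digit comparison is for the current SSN format.

```python
import math
import secrets
from dataclasses import dataclass, field


def new_identifier() -> str:
    """128 random bits from the OS CSPRNG, written GUID-style (8-4-4-4-12 hex)."""
    raw = secrets.token_hex(16)            # 32 hex digits = 128 bits
    return f"{raw[:8]}-{raw[8:12]}-{raw[12:16]}-{raw[16:20]}-{raw[20:]}"


def guess_bits(space_size: int) -> float:
    """Bits an attacker has to guess for a uniformly chosen value in a space this big."""
    return math.log2(space_size)


@dataclass
class Person:
    current: str
    retired: list = field(default_factory=list)   # every former identifier, oldest first


class IdRegistry:
    """Hypothetical national-ID registry (an assumption for this example)."""

    def __init__(self) -> None:
        self._people = {}   # person name -> Person
        self._owner = {}    # identifier (current or retired) -> person name

    def enroll(self, name: str) -> str:
        ident = new_identifier()
        self._people[name] = Person(current=ident)
        self._owner[ident] = name
        return ident

    def replace(self, name: str) -> str:
        """Retire the current identifier and issue a fresh one; the history is kept."""
        rec = self._people[name]
        rec.retired.append(rec.current)
        rec.current = new_identifier()
        self._owner[rec.current] = name
        return rec.current

    def resolve(self, ident: str, purpose: str):
        """purpose is 'existing' (a link set up earlier) or 'new' (opening a new one).
        A retired identifier still resolves for existing links, never for new ones."""
        name = self._owner.get(ident)
        if name is None:
            return None
        if ident == self._people[name].current or purpose == "existing":
            return name
        return None

    def history(self, name: str) -> list:
        return list(self._people[name].retired)


if __name__ == "__main__":
    reg = IdRegistry()
    first = reg.enroll("alice")
    second = reg.replace("alice")          # e.g. after the old value leaked
    print(first, "->", second)
    print(reg.resolve(first, "existing"), reg.resolve(first, "new"))
    print(f"{guess_bits(10**9):.1f} bits for nine decimal digits, "
          f"{guess_bits(2**128):.0f} bits for a GUID")
```

The `resolve` rule is the whole design: an archived identifier is a valid key for lookups of credit lines that already reference it, and nothing else.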

They Robbed Me Blind

Saturday morning, I went to get in my car and noticed the door wasn’t latched.  Weird.  I got in the car and my glove box was hanging open and my center console door was open.  Really weird.  Then it dawned on me.  My car had been broken into.  I use the term “broken into” loosely because I rarely lock my car doors.  I figure there’s nothing really of value for anyone to steal, and if they do steal something, it’s just an excuse to upgrade.

I looked around and nothing was missing.  This puzzled me.  My CDs were still there, my GPS/dashcam was still there, my MP3 player was still there.  A card wallet with probably $150 in gift cards in it was still there.  Yeah, I don’t expect anyone to steal my CDs, and yeah, they could have grabbed the MP3 player and said, “Oh, it’s a Zune”, but hey, doesn’t everything have some value to a pawn shop?  Are these smart thieves that only steal things of real value?

So whatever, I closed everything up and went about my day, puzzling over the experience.  I didn’t feel violated or anything, just confused.  Like I had such shitty stuff it wasn’t even worth stealing.  As I think about it now, maybe someone just wanted to know what it was like to sit in a car like mine?  But why wouldn’t they close up the storage areas before they left?  By Sunday evening, it didn’t even really mean anything to me.  As I was driving home, I needed to put on my glasses.  I wear glasses only for distance viewing and I need them especially at night to reduce the halo effect of lights.

Where’s my glasses?  They’re not in their usual place.  Seriously?  That’s what they stole, my prescription glasses?  What good will my glasses do them?  What a stupid criminal.

So now, I have to get another eye exam (which is overdue anyway) and get a new pair of prescription glasses.  Like most “disasters” in life, it’s just an inconvenience.

Never Let Your Guard Down

Today, I learned I had been “hacked”.  I say “hacked” in a figurative sense because there wasn’t really a whole lot of hacking involved.  I somewhat left the door open and someone just fiddled around and got in.

I have my own email server that manages a few domains.  I have one domain I don’t do anything with, and on that one, I had created a couple of test accounts for, well, testing.  The problem is, I never disabled them when I was done.  It’s been a while since I did that, so either I didn’t think about the consequences or assumed that since I was working on an inactive domain, no one would try accessing it.  You can’t assume that.

Since “hackers” just use a bunch of scripts to automate “hacking”, they can just let the scripts run and go eat some more pizza.  And that’s what happened to me, probably.  A script found my domain, then immediately went to work trying out different common username/password combos.  And although I have security features that will temporarily blacklist an IP address after so many failures, that had no effect.  The script will just wait until the ban is lifted then continue on.  Time is not a concern.

So, once they got some working credentials, then it was time to deliver the spam.  And boy did they ever.  I had gigabytes of log files and 22k email messages queued for delivery.  How I learned I was hacked was by chance.  I happened to try sending an email during one of the spamfests and got the email returned with the message:

DED : You’ve reached your daily relay quota

At the time I got that message, I thought it was being returned by the domain I was sending to.  Later, on a whim, I decided to check my own server and was shocked at what I saw.  I immediately shut down the email service and started clearing out all the trash.  Then I changed all the account passwords and disabled all the unused accounts and restarted the server.  The log files showed someone trying to log in using test2@mydomain.com and failing.  Bastards.

It’s my own fault, for sure.  But it’s terrible that you can’t stop being paranoid for a second on the Internet.  They’re always out to get you.
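As an added example (not from the post), here is a Python detection pass over a constructed mail-server log that looks for the three things described in the paragraphs above: one address trying many usernames, an address that resumes the moment a temporary ban expires, and a freshly authenticated account that immediately starts relaying in bulk. The log format, the field names, the thresholds and the addresses are all made up for this illustration; a real MTA's log lines would need their own regex.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real output of any particular mail server).
# Addresses come from documentation ranges and example domains.
SAMPLE_LOG = """\
2017-10-01T02:00:01 AUTH FAIL user=test1@example.org ip=203.0.113.7
2017-10-01T02:00:02 AUTH FAIL user=test2@example.org ip=203.0.113.7
2017-10-01T02:00:03 AUTH FAIL user=admin@example.org ip=203.0.113.7
2017-10-01T02:00:04 AUTH FAIL user=test2@example.org ip=203.0.113.7
2017-10-01T02:00:05 AUTH FAIL user=info@example.org ip=203.0.113.7
2017-10-01T02:00:05 BAN ip=203.0.113.7 minutes=10
2017-10-01T02:10:09 AUTH FAIL user=test2@example.org ip=203.0.113.7
2017-10-01T02:10:10 AUTH OK user=test2@example.org ip=203.0.113.7
2017-10-01T02:10:11 RELAY from=test2@example.org to=a@example.net ip=203.0.113.7
2017-10-01T02:10:12 RELAY from=test2@example.org to=b@example.net ip=203.0.113.7
2017-10-01T02:10:13 RELAY from=test2@example.org to=c@example.net ip=203.0.113.7
2017-10-01T08:15:00 AUTH OK user=owner@example.org ip=198.51.100.20
2017-10-01T08:15:05 RELAY from=owner@example.org to=friend@example.com ip=198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>AUTH FAIL|AUTH OK|BAN|RELAY) (?P<rest>.*)$")


def parse(log: str) -> list:
    """-> [(timestamp, kind, {field: value})] for every line that matches."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        events.append((datetime.fromisoformat(m.group("ts")), m.group("kind"), fields))
    return events


def guessing_ips(events, min_failures=3, min_users=2) -> set:
    """Addresses that failed often AND across several usernames: a list being tried."""
    tried = defaultdict(set)
    failures = Counter()
    for _, kind, f in events:
        if kind == "AUTH FAIL":
            tried[f["ip"]].add(f["user"])
            failures[f["ip"]] += 1
    return {ip for ip in failures
            if failures[ip] >= min_failures and len(tried[ip]) >= min_users}


def resumed_after_ban(events, slack=timedelta(seconds=30)) -> set:
    """Addresses whose first attempt after a ban lands within `slack` of the ban
    expiring: the patient script, for which a temporary ban is just a timer."""
    expiry, resumed = {}, set()
    for ts, kind, f in events:
        if kind == "BAN":
            expiry[f["ip"]] = ts + timedelta(minutes=int(f["minutes"]))
        elif kind.startswith("AUTH") and f["ip"] in expiry:
            exp = expiry.pop(f["ip"])
            if exp <= ts <= exp + slack:
                resumed.add(f["ip"])
    return resumed


def logins_from_guessing_ips(events) -> set:
    """(user, ip) pairs where a guessing address eventually got a password right."""
    bad = guessing_ips(events)
    return {(f["user"], f["ip"]) for _, kind, f in events
            if kind == "AUTH OK" and f["ip"] in bad}


def relay_bursts(events, max_per_window=2, window=timedelta(minutes=5)) -> set:
    """Accounts that relayed more than max_per_window messages inside any window."""
    stamps = defaultdict(list)
    for ts, kind, f in events:
        if kind == "RELAY":
            stamps[f["from"]].append(ts)
    flagged = set()
    for user, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_per_window:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("guessing:", guessing_ips(ev))
    print("resumed right after ban:", resumed_after_ban(ev))
    print("compromised logins:", logins_from_guessing_ips(ev))
    print("relay bursts:", relay_bursts(ev))
```

The third check is the one that would have caught this incident early: a successful login from an address that had just been cycling through usernames is worth an alert on its own, before the queue fills up.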

SpamBastard–1aauto.com

I had an application idea at one time and actually finished writing it, but ended up never doing anything with it once it was live.  It was spambastard.com and its purpose was to catch companies that would sell, lose, or otherwise mishandle your email address info.  The concept was simple.  You sign up for their site using their domain name @spambastard.com and if any email comes in with a mismatch between the FROM domain name and the TO domain name (as the username, before the @), the email address would be considered compromised.

That domain and application is long dead, but I’ve been able to replicate the same concept with my personal email domain.  That eliminates the hassle of creating a second account for every site I sign up for (one with my real email and one with a spambastard email).  To date, I’ve only had a few cases where I’ve had to take action.  Those cases are:

  • albumartexchange.com – There are many people including myself who posted on their forum and complained that they received PayPal phishing emails to their unique email address.  The website did not respond.
  • lakelandlelectric.com – That debacle was chronicled already.  The utility company did follow up with an explanation of how it happened and how the process was unfortunately legal.  They said they would push for tougher laws on keeping customer information private.  This prompted a follow-up email from the spammer who was incredulous that government would try to reduce transparency.  See, transparency is only good when it works in your favor.
  • paypal.com – This got compromised after only nine people knew of its existence.  Whether it was sold or stolen, I don’t know for sure, but I am pretty confident that some eBay seller has a compromised account and a spammer is looting their customer list.

Now we can add to the list – 1aauto.com.  I placed an order with their site in January (remember when the punks broke the mirror off my car?).  Today, I get a political email from John Kasich’s New Day For America to that email.  So I immediately send a message to 1aauto.com saying they’ve either sold or given away my info or their customer database has been hacked.  So which is it?  I got a pretty quick response.

Hello and thank you for your email.

I do apologize that you received a spam email to your account. I can assure you that your information is secure and we have not experienced any kind of hacking. We do keep our customer information confidential and secure and have several measures put in place to prevent against fraud and stolen identity.

Thank you for notifying us. We will keep tabs on this and look into what we can do to prevent this from happening in the future.

So, I guess the answer is the owner sold out his customers to promote his choice of political candidate.  The fact that this happened at all negates the statement “We do keep our customer information confidential”.  As far as what they can do to prevent it from happening in the future, that’s simple.  Don’t do what you did again.

Thanks to spam law requirements, the spam email footer confirms the email address that it was sent to.  It tells me that I was added to the list on 2/24/16 via opt-in (gee, I don’t remember that), and gives me ways to unsubscribe.

There’s no sense in unsubscribing.  The email address is out in the wild and is now worthless.  Do I want to spend my life unsubscribing from every email campaign that gets that email or do I want to kill off the email?  The choice is pretty simple.

This scenario makes me pity people who only have a single email address, like @gmail.com or @outlook.com or @yahoo.com.  They don’t have the option of closing their account or changing their address.  Consider how easy it is for me, every email (except my personal email) is known to exactly one company.  Email gets compromised, only one place to change it.

But It Was The Right Thing To Do

I’m sorry, Kaitlynn.


Your ATM card is dead.  You left it in the Publix parking lot tonight.  There were no other cars around, so I couldn’t try and find you.  I had a thought to turn it in at the customer service counter and see if you would call and say you left your card there.  Instead, I called your bank.

Bank of America.  What a great bank.  In their phone queue, they ask for my (your) account number.  I enter it from the card.  They ask for the last four of your SSN.  Hell, I don’t know.  I said 0000.  I was wrong.  So they start to blow me off (a machine, saying eff off –  wonderful) and I say “operator” (that’s supposedly a trick to get to a human).  Sorry, their customer service center is closed and no one can help me (or you).  Instead of getting pissed off and hanging up, I got pissed off and listened to the rest of their message.  I could report a stolen or lost card by saying “lost card”.  Bingo!

The lady handling the situation was pleasant.  She said she would deactivate your card right away.  I said that deactivating a card could result in a huge hassle.  Can’t you call the person and tell them their card will be waiting at the Publix service desk?  Nope.  Who knows who’s seen and copied the information on that card already before I found it.  Fair enough.  Goodbye, ATM card.  Goodbye, scheduled online payments.  Goodbye, electronic means of buying cigarettes (my assumption).  Oh, and they’re not going to call you either and say your card was found.  They’ll just wait for you to notice it’s gone and report it missing.  Seriously, that’s what they said.

So, I’m sorry.  But you should be happy it ended like this instead of the alternative.  Also, you need to sign your card before using it.  It says right on it: “Not valid unless signed.”

Happy holidays.

My Level Of Security

I’ll admit, I get around on the web.  I go places that you shouldn’t go.  But for the activity that I do, I’m pretty safe.  There’s only a few precautions I take and I don’t think it’s all that difficult for anyone else to do.

First and foremost, I installed the MVP Hosts file.  This file does a system-level blocking of any network application that tries to access an internet address that is considered advertising or malware.  This makes nearly everything better, because websites don’t get bogged down with ads.  There are some times that I do need to disable it, but those times are few and far between.  Because it’s system-level, that means IE, Chrome, Firefox, or any other application is immediately protected.

If you go looking for it, there is a growing argument that ads should not be blocked on websites, especially legitimate content sites.  I disagree.  I recently read an article on the analysis of the spread of an unpatched vulnerability.  The malware authors used a legitimate ad service that was utilized by many legitimate websites.  This means that there is no ad service that can be fully trusted.  My position is, if you want to display ads, you host them on your domain and you will take full responsibility for their content.  And because the ads are on the same domain as the content, I can’t and won’t block them.  Even if the ads aren’t malicious, legitimate ad services still serve up misleading ads, designed to trick you into clicking them.  They make them look like authentic messages or toolbars or status bars.  That’s not advertising, that’s flat-out deception.
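An added example, not from the post, of how a hosts-file blocklist actually decides what gets blocked, including the two limits that matter for the argument above: entries match hostnames exactly (a blocked `ads.x` entry does nothing for `new.ads.x`), and anything served from the page's own domain cannot be blocked this way without blocking the page itself. The hosts excerpt and the hostnames are constructed for this example; the layout (sinkhole address, then hostnames) is the standard one such lists use.

```python
from urllib.parse import urlsplit

# Constructed hosts-file excerpt in the usual blocklist layout (address, then
# one or more hostnames). The hostnames are invented for this example.
SAMPLE_HOSTS = """\
# lines starting with '#' and blank lines are ignored
127.0.0.1       localhost
0.0.0.0         ads.example-adnetwork.test
0.0.0.0         tracker.example-adnetwork.test   # trailing comments too
0.0.0.0         cdn.bad-ads.test  static.bad-ads.test
"""

# Addresses blocklists point names at so the connection goes nowhere.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback and are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def parse_hosts(text: str) -> dict:
    """hostname -> address for every entry. The format has no wildcards, so
    each hostname is its own entry (a later line overrides an earlier one)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower()] = addr
    return table


def is_blocked(table: dict, hostname: str) -> bool:
    """True when resolving `hostname` through this file sends it to a sinkhole.
    Exact match only, which is how the resolver consults the hosts file."""
    host = hostname.lower().rstrip(".")
    if host in LOCAL_NAMES:
        return False
    return table.get(host) in SINKHOLES


def classify_resource(table: dict, page_url: str, resource_url: str) -> str:
    """How a hosts-file block affects one resource a page loads:
    'blocked'     - its hostname is sinkholed, the request never leaves the box;
    'first-party' - same host as the page, so it cannot be blocked this way
                    without blocking the page itself;
    'third-party' - a different host that is not on the list."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    res_host = (urlsplit(resource_url).hostname or "").lower()
    if is_blocked(table, res_host):
        return "blocked"
    if res_host == page_host:
        return "first-party"
    return "third-party"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ["ads.example-adnetwork.test", "new.ads.example-adnetwork.test", "localhost"]:
        print(host, "->", "blocked" if is_blocked(hosts, host) else "not blocked")
    page = "https://news.example.test/story"
    for res in ["https://ads.example-adnetwork.test/banner.js",
                "https://news.example.test/ads/banner.js",
                "https://fonts.example.test/f.woff"]:
        print(res, "->", classify_resource(hosts, page, res))
```

The exact-match behaviour is why such lists run to tens of thousands of lines: every ad-serving subdomain has to be listed individually, and a new one slips through until the list is updated.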

Back to my security.  Next, I block Flash, Java, and all other plugins by default on all websites.  I used to do this in IE by changing the Flash plugin from blacklist to whitelist, but have come to prefer the ActiveX Filtering feature.

And I’m sure certain people would be screaming “You’re using the most insecure web browser evar!”  I would respond with a hearty rolling of the eyes.  Of the three precautions I take, this is the only one I perform at the browser level and without ActiveX, the majority of exploits are defeated.  That leaves JavaScript exploits.  How are these exploits delivered?  Through ads.  Ads that are blocked by the MVP Hosts file.

So, what’s the last piece of defensive software I use?  Microsoft’s EMET utility, which blocks vulnerabilities at the code level.  This is a really low-level utility and is not exactly user friendly, so I pretty much just run it at the default level.  It’s hard to tell if EMET is working because it’s so low-level.  I’ve seen it do its job twice.  Once, when I was using a Java applet on Verizon’s pages to play my voicemail and another on a sketchy website where it looked like the website was trying to perform an SVG image exploit.  I admitted already, I go to bad places sometimes.

Because I take these precautions, I hadn’t thought about being attacked in quite a while.  On a whim, I ran MalwareBytes and it came back with zero results.  My database was over 2 months old, if I saw correctly.

The only thing that I am vulnerable to is downloading Trojans and installing them myself.  And that is simply a personal fault – no fault of my computer or software. I will comment that downloading software from websites has really become a minefield, with sites displaying many different “Download” buttons at once.  You have to study the page and find the correct context for each button to make sure you are choosing the right one.

In summary, I feel I’m doing pretty good with the tools that are made available: KeePass, VeraCrypt (the replacement for TrueCrypt), MVP Hosts, EMET, and IE’s ActiveX filtering.  I use two-factor authentication whenever it’s available.  It’s not something I did all at once.  I added each little piece as I went.  And in total, it doesn’t slow me down at all.

2014 In Spam

It was in April of 2013 that I made a change to the way I use my email.  Unlike most people, I don’t just have an email address, I have an email domain.  And I use that entire domain namespace by creating a specific email address for every business I deal with.

My email server processes the emails against a blacklist instead of a whitelist.  That means that I can create any email address I want, and it will get delivered to me unless I put it on a list to be blocked.  That reduces the amount of administrative headache I have.

The purpose of this is so that I can tell where my emails are being lost, stolen, or sold.  The instances of this in 2014 were pretty low.  Someone got my paypal email from someone I did business with, some political spammer used a public records request to get my electric company email, and one website’s user database got hacked (and they won’t admit to it).

What I was a little fearful of when creating this wildcard email account was that some automated script would hit my mail server and try a whole slew of predictable emails, like admin@, webmaster@, accounting@, president@, etc.  My wildcard account would catch these and I’d get inundated with mail.  However, this hasn’t happened yet.  I did get some spam by someone who guessed an email address using the firstname.lastname@ structure, so that email was then blocked.

My blacklist only has 6 entries, which I think is pretty good.  And to not have any spam is plenty wonderful.  I just did some checking and it seems my mail server software is rather old.  I think an upgrade will be in order sometime this year.

Prediction

A while ago, the world was abuzz with the celebrity nudes hack.  I was recently reminded of a recent update I had seen for Dropbox.  It’s easily understood that anything that can be used by you for good can be used against you for bad by someone else.  This feature is no different.

The specific feature that was added to Dropbox was “Remote Wipe”, which is intended to be used if you lose your phone or other portable device.  By triggering a remote wipe, your data is no longer available to steal.  That is a good thing.  This is presumably done through the Dropbox website.

But what happens if someone gains access to your Dropbox website account?  They can remotely wipe your data.  Now instead of your portable device being a backup copy if the service ever became inaccessible, now it’s vulnerable whenever the service is accessible.

Naturally, the hacker would either change the password and/or copy off all the files for their own potential ransom request or personal use.  Can you imagine opening up your Dropbox folder one day and have it be empty except for a text file with instructions on submitting a ransom in bitcoin?

I keep saying it one way or another.  The cloud is not to be trusted. 

You need to:

  • Keep your data locally.
  • Have unique usernames at each website – Use a password manager like KeePass
  • Have unique passwords at each website – Use a password manager like KeePass!
  • Keep a PIN on your phone.
  • Keep catastrophic data in an encrypted file – Use TrueCrypt 7.1a

The more of this you do, the more secure you will be, which means the more comfortable you will be. 

It Has Come To Pass

So, something I’ve been expecting has finally happened and now I don’t really know what to do about it.

Back in April of last year, I made the decision to use unique passwords for every web site and at the same time, use a unique email address for every web site.  This wasn’t difficult to do, I just made a catch-all email address on my mail server, then started using unique emails on every website.  For example, amazon.com@mydomain.com would indicate to me that the email was from my amazon account registration.

And yesterday, I get a piece of spam from paypal.com@mydomain.com.  How many people have I shared this email with?  Exactly nine.  I don’t make a bunch of purchases via paypal.  So now, I don’t know what to do.  I don’t know exactly who sold off my email address or if they didn’t even sell my email, but their computer was hacked and their address book stolen.  Maybe they use a 3rd party cloud-based POS system and that was hacked.  The bottom line is, I don’t know. 

I’m going to work on the assumption that they were hacked.  Someone got into their EBay account (like they did for me) and mined their recent customer list.  This makes sense because I can’t imagine any of the people I dealt with having a large enough customer list to monetize it for any decent value.

I would love to email each of them and tell them what’s happened.  Someone out there has compromised my personal information.  They wouldn’t be able to do a whole lot of damage, but they probably have a full profile of me: name, address, phone, email.  That sucks.

So now, I have to set up a blacklist on my server for paypal.com@… and create a new email, like paypal.com2@…  That sucks, too.
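As an added example that is not the post's own code, here is the whole per-business address scheme in one Python class, covering three posts on this page: the SpamBastard rule (a tagged address receiving mail from a domain other than the business it was given to means the address leaked), the catch-all-with-blacklist delivery policy from “2014 In Spam”, and the retire-and-rotate step described just above (`paypal.com@…` goes on the blacklist, `paypal.com2@…` takes over). `mydomain.com` is the placeholder domain the post uses; the `Mailbox` class, its method names and the decision to accept subdomains of the business's domain (so `mail.paypal.com` still counts as PayPal) are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

MY_DOMAIN = "mydomain.com"   # the placeholder domain from the post


def split_address(header_value: str):
    """'Display Name <local@domain>' or bare 'local@domain' -> (local, domain), lower-cased."""
    m = re.search(r"<([^>]+)>", header_value)
    bare = (m.group(1) if m else header_value).strip().lower()
    local, _, domain = bare.rpartition("@")
    return local, domain


def base_tag(local: str) -> str:
    """Drop a rotation suffix: 'paypal.com2' -> 'paypal.com'."""
    return re.sub(r"\d+$", "", local)


def sender_matches_tag(sender_domain: str, tag: str) -> bool:
    """The tag is the business's domain: exact match or a subdomain of it
    (assumption for this example: 'mail.paypal.com' is still PayPal)."""
    return sender_domain == tag or sender_domain.endswith("." + tag)


@dataclass
class Mailbox:
    """Catch-all domain with a blacklist, plus one tagged address per business."""
    blocklist: set = field(default_factory=set)      # local parts refused outright
    issued: dict = field(default_factory=dict)       # business domain -> current local part
    generation: dict = field(default_factory=dict)   # business domain -> rotation count

    def address_for(self, business: str) -> str:
        """The address to register at `business` with, e.g. 'amazon.com@mydomain.com'."""
        if business not in self.issued:
            self.issued[business] = business
            self.generation[business] = 1
        return f"{self.issued[business]}@{MY_DOMAIN}"

    def block(self, local: str) -> None:
        self.blocklist.add(local.lower())

    def rotate(self, business: str) -> str:
        """Retire the leaked address (blacklist it) and hand out the next one."""
        self.block(self.issued[business])
        self.generation[business] += 1
        self.issued[business] = f"{business}{self.generation[business]}"
        return f"{self.issued[business]}@{MY_DOMAIN}"

    def classify(self, from_header: str, to_header: str) -> str:
        """'blocked'  - local part is on the blacklist (retired or guessed address);
        'leaked'   - tagged address, but the sender is not the business it was given to;
        'deliver'  - everything else, because the domain is catch-all;
        'not-mine' - not addressed to this domain at all."""
        to_local, to_domain = split_address(to_header)
        if to_domain != MY_DOMAIN:
            return "not-mine"
        if to_local in self.blocklist:
            return "blocked"
        tag = base_tag(to_local)
        if tag in self.issued:
            _, sender_domain = split_address(from_header)
            if not sender_matches_tag(sender_domain, tag):
                return "leaked"
        return "deliver"


if __name__ == "__main__":
    mb = Mailbox()
    print(mb.address_for("paypal.com"))
    print(mb.classify("PayPal <service@paypal.com>", "paypal.com@mydomain.com"))
    print(mb.classify("campaign@someparty.example", "paypal.com@mydomain.com"))
    print(mb.rotate("paypal.com"))
    print(mb.classify("PayPal <service@paypal.com>", "paypal.com@mydomain.com"))
```

Untagged local parts such as `firstname.lastname` are delivered until they are explicitly blacklisted, which matches the blacklist-not-whitelist policy: the server never has to know the list of addresses in use, only the handful that have been burned.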