More Antivirus is Not Always Better!

Elizabeth Technology August 9, 2022

Built-In Antivirus

Microsoft Windows has come with its own antivirus for quite some time. Windows 10 and 11, for example, came with Windows Defender built in and on automatically unless another antivirus was installed, at which point it would automatically switch off. Windows Defender by itself is plenty of defense for the kind of run-of-the-mill threats you’d run across browsing unsecured websites or trying to download games from websites other than big, trusted ones like Steam (given you’re listening to it when it suggests you double-check the source and double-check that you meant to download a .exe file), but some people would rather have this protection from a paid-for antivirus like Kaspersky or McAfee. The fact that those programs cost money doesn’t necessarily mean they’re better, but it can be a peace-of-mind thing – complaining about something that cost money means that some penalty can be extracted if the user isn’t satisfied, even a penalty as small as a partial refund.

This Computer’s Not Big Enough for the Two of Us

Windows Defender is unusual in automatically stepping down when another program steps up. Many others don’t!

Antiviruses do not get better the more of them you have. They interact in ways that step on each other’s toes and lead to false alarms. As an example: say a computer has both Norton antivirus and McAfee antivirus installed. McAfee will try to scan the computer for new threats upon startup, but will be interrupted by Norton, which interprets the file-checking as potentially hazardous behavior. Norton isn’t wrong, because ransomware will often sweep through files in some way or another, but it doesn’t recognize McAfee, and almost no other program has a reason to do that anti-viral scanning. So Norton tries to report McAfee to you! Some antiviruses have safety rails that literally will not let you whitelist certain executable programs (whitelisting refers to telling a program that a file or action is okay, or ‘whitelisted’), so you get stuck in this horrid, unbreakable loop of antivirus finger-pointing every time you boot up your computer.

These interactions actually make your computer less safe – if both antiviruses have deadlocked themselves out of scanning because the other one says it’s a virus, your computer is not being scanned. That’s bad! Scanning is not completely foolproof, and a regular residential antivirus won’t necessarily be able to catch or handle something industrial grade, but it catches plenty of small things like trojans before they become serious problems that can cripple your computer.

Your computer is much better off with just one brand of antivirus on it at a time. Instead of more, buy better. And if you’re unsatisfied with one brand’s performance, completely uninstall it before you install the program you replace it with. Not only does that prevent them from interacting in a negative way, it also prevents the previous program from hassling you to renew it with pop-ups (McAfee is infamous for this). Either way, it’s going to save you some annoyances!

And in Other Realms

The antivirus problem is a pretty unique one because most programs don’t interact with every file on your computer the way antiviruses do. Two art programs are not going to start fighting over which one you should use, for instance. However, some other cases can be pretty similar. Like VPNs! Having more VPNs is going to slow down your computer without much additional benefit. The way a VPN works is that it takes your request, encrypts it, sends it to a server, decrypts it, completes the request, encrypts the response, and then sends it back to you. This keeps your ISP from seeing the request, but it doesn’t necessarily anonymize the data – after all, the VPN’s server has to decrypt the data to actually complete the request, so the VPN knows what the data is, and it knows where the request is coming from in the first place. The VPN has the same visibility the ISP initially had. Adding more VPNs to your computer will not solve this problem, it will just move it down the chain, and add extra time to each request you make in the meantime as it bounces around VPN servers.

If you only need to protect your data from the coffee shop’s open Wi-Fi or want to watch Netflix Canada, the kind of VPNs you see advertised on YouTube will be able to do the job – the data won’t be strictly, unsubpoenably anonymous, but it will be encrypted and rerouted well enough to make those two things happen. If you’re trying to search for things that nobody can know about, you’d be better off downloading TOR (which stands for The Onion Router), a popular VPN with an excellent reputation for encryption and security. Using TOR to do illegal things is illegal, of course, but the act of downloading it and using it by itself is not.

It is Sort Of Weird to be Watching Interrogation Footage Recreationally

Elizabeth Technology August 4, 2022

But Why?

It is very human to see something horrific and ask ‘why?’. Even more so if the scale is small and petty, if the stakes come down to ruining a handful of people’s lives for reasons that later seem transient. However, there isn’t always a good reason why… that doesn’t stop the asking.

Jim Can’t Swim and Similar Channels

I appreciate the work that goes into interrogation analysis videos, so long as those videos are made by people who know what they’re talking about. Jim Can’t Swim (often abbreviated to JCS) is a channel on YouTube that reviews and analyzes footage of interrogations released to the public. JCS is one of the biggest and most well-known channels following this premise; JCS’s narrator speaks with authority, is able to identify common tactics used by either the police or the suspect during the interrogation, and is generally respectful of the subject matter. While sometimes the subject matter is humorous because the suspect or the interrogating officer does something that’s weird or pathetic, JCS doesn’t turn serious crimes into jokes.

It also doesn’t devolve into ‘copaganda’, a term used to describe media that paints the police in an overly positive light. Copaganda may suggest that the police never make a mistake, or anyone who asks for a lawyer before speaking to the police is guilty, or that it’s okay for the police to break some of the rules as long as they ‘know’ the suspect is guilty – it’s a nasty trend that leads to well-meaning, otherwise innocent people giving up rights they are legally entitled to for the sake of not ‘looking’ guilty. JCS often clarifies that the police are allowed to lie to you to get more info out of you during an interrogation because it so often works in the detective’s favor during taped interrogations.

Other channels mimicking his format began cropping up, and then the format began to turn into a problem.

Visibility Bias

There are two issues with the popularity of these channels. The first one is that, with the benefit of knowing how the case turns out, of course you can spot the tells of the suspect. It’s like watching a poker match when you already know who wins! For instance: many channels, JCS included, will point out body language or certain tics as indicators of lies. However, you can’t use those in court – many people tic when nervous, and it would never hold up because everyone tics a little differently. The focus on body language is for the interrogators, who are looking for certain clusters of behaviors as indicators that the person they’re interrogating might not be telling the whole truth. It’s an interrogation tactic to extract a confession, not a hard science that always yields results. While JCS and a handful of the other big channels that started after him will clarify this as they describe why the suspect is likely doing what they’re doing, many others do not – they simply point to a behavior and say “this is where they started lying” because they know how the case ends. The tendency to use big, flashy cases where the murder was gruesome and the suspect left behind tons of evidence worsens the effect, because every video ends in a conviction, giving the viewer a false sense of efficacy when it comes to certain techniques.

You don’t see the videos where the tactics lead to investigators pressuring someone for an hour because they struggled to make eye contact with the interrogator, because that’s not interesting or cool and the channels realize that. However, if every video you see where the suspect couldn’t make eye contact ended in a conviction, you’d be inclined to believe everyone who can’t make eye contact is guilty, and it’s not just something nervous people do – sort of an ‘every square is a rectangle, not all rectangles are squares’ deal. Channels have to be very careful what they’re pointing out as recognizable nervous or lying tics because it’s not a science, they know how the case ends and so may be seeing tells where there aren’t any, and there’s no frame of reference for ‘innocent’ behavior elsewhere on the channel.  

Speaking of which, the second issue is that it often ends up accidentally turning into copaganda anyway – at least, the copycat channels do. When you stop focusing on how inexact many of the tactics are because they always seem to work in the videos and the channel narrator always points certain things out when they happen, it can be easy to fall into the trap of [X] is guilty because when the cops interrogated [Y], this same thing happened. Almost every video on JCS, with a few exceptions, covers a case where the murder suspect either took a plea deal or went to trial, meaning the prosecutors already had a ton of evidence against the suspect. In the one or two cases on his channel where the suspect had been pulled in and later cleared, he points out how not-guilty the suspect acts during the interrogation. The rest? The huge percentage of interrogations that don’t provide any meaningful answers because the police had more or less said ‘this guy was in the area and we’re out of ideas’ to drag that guy in? Those interrogations aren’t the ones that end up on the channel. Why would they? They’re boring. The convicted suspect’s interrogation was probably more interesting anyway, right? The five people investigators went through to get to the prime suspect are never seen, and so the police look hypercompetent on these channels, always nailing the right person and always managing to extract something incriminating related to the case within an hour or three. These channels end up stripping quite a bit of valuable context from the case. It’s actually built into the formatting of this style of channel, because all people want to see is the case and the interview. Nothing else.

Inexpertise

And then there’s the issue of the analysis itself. Many of these folks could be amateur experts (we don’t know what credentials the vast majority of them have), meaning they’ve done extensive research online for specific cases, and specific interrogation techniques… but don’t know much beyond that. While the internet is huge and useful, you can’t research yourself into a self-made Master’s degree. Usually, that’s fine. You don’t need to have a degree in botany to be giving advice on tomatoes, you just need some research from people who do that you can cite when someone asks you how you know something will or won’t work. The field of psychology is not quite this simple, and when mixed with matters of law, sometimes even people in the system confuse themselves into messing up a case! For an outsider to be able to just leap in and begin analyzing footage of two human beings interacting within a specific legal circumstance, and having that analysis be trusted because of an air of expertise despite few credentials and sometimes sparse citations, may as well be a television show.

The problem then is that there’s no official, end-all-be-all way to describe why a new channel’s videos aren’t as good at describing the interrogation as an older channel like JCS is. A huge chunk of the people making these interrogation-analysis videos don’t have any official training, just ‘experience’. Experience is useful, yes, but when anyone can just start making videos on such serious subject matter, you’re going to end up with a lot of pop-psychology and bias making its way into the analysis. JCS, with scripters, can avoid some of it, but can a teen with no editor or scriptwriter avoid accidentally suggesting something completely incorrect because it just happens to pan out in this case?

Just like everything else online, you should avoid taking the word of an interrogation channel without a grain of salt. They’re there for your entertainment first – anything else comes second!

2FA Do’s and Don’ts

Elizabeth Technology July 26, 2022

We’ve said it before, we’ll say it again – 2FA is one of the biggest steps you can take to keep your account secure. 2FA serves as heavy reinforcement for bad passwords, and protects you from brute-force and password-stuffing attacks that might otherwise work. However, 2FA has a host of its own rules, so here are some dos and don’ts!

For Security Questions

Don’t: Make the Answer to 2FA Questions Something Too Obvious (Or Give Those Answers Out)

Social Engineering played a part in a major EA hack a few years or so ago. If you can imagine a coworker wanting to get into your stuff, and you don’t want them to, pick something that’s not common knowledge about you. “Favorite Musician” is a really easy question when you’ve got BTS memorabilia scattered around your desk!

Knowing this, you should also try and avoid mind-gaming yourself! A joke answer, or an answer that is technically correct but not the first one you would have picked if you’d never seen the question before, will make your answer more obscure, but it might also lock you out if you don’t remember what you wrote. Same goes for things that can change over time. On that note,

Don’t: Make the Answer Something Too Obscure for you to Remember

If you had to go back and look it up so you’d know what the answer was, chances are you’ll have to do that again when you’re asked to verify! Mother’s maiden name, your third grade teacher, what year model your first car was – if it’s too tough to remember after a few seconds, it’s probably not a good answer, even if nobody else would know it either.

Additionally, picking questions with multiple “trick” answers can also trip you up! For example – do you consider your first pet your family’s dog, or the pet you adopted as a teen, the first pet that was really ‘your’ pet? When considering what address you grew up at, is it the one you and your family moved away from when you were six, or the address you actually remember at seven? If you can think of multiple answers, it might not be a good question.

Do: Check Your Formatting

Some sites don’t care about case, others treat 2FA as a second password where everything must be precisely as you typed it the first time. Either way, it’s good to know some things about your habits: do you always capitalize the name of your pet, or if it’s something like ‘spot’, did you not do that this time? Do you include the dot when typing out your 3rd grade teacher’s name? Do you care about apostrophes? All of these are things that can trip you up when asked to verify with a typed answer to a question.
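The flip side of this advice is what the site should do. As an added example (not code from the original post), here is how a site can normalise a typed answer before hashing it, so that ‘Mrs. Smith’ and ‘mrs smith’ verify as the same answer while the stored value is still a salted hash rather than the plaintext. The function names and the 200,000 PBKDF2 iterations are this example’s own choices, not anything the post specifies.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple


def normalize_answer(answer: str) -> str:
    """Canonical form of a typed answer: Unicode-compatible (NFKC), case-folded,
    punctuation removed, whitespace trimmed and collapsed to single spaces.
    Removes exactly the differences the post warns about: capitalisation,
    the dot after "Mrs", apostrophes, stray spaces."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drops dots, apostrophes, hyphens
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the normalised answer.

    Security answers are low-entropy (a pet's name, a street), so a slow KDF
    with a per-user random salt is used rather than a plain hash, just as a
    password would be."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest


def verify_answer(typed: str, salt: bytes, stored_digest: bytes) -> bool:
    """Compare a freshly typed answer against the stored digest in constant time."""
    _, digest = hash_answer(typed, salt)
    return hmac.compare_digest(digest, stored_digest)
```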

For Texts and Emails

Don’t: Click ‘Remember Me’ Unless it’s Your Device

Don’t click ‘Remember Me’ on your school or library’s computer – ‘Remember Me’ usually means either the computer will keep you logged in, or it will forgo the 2FA because you trust that device, via cookies. Most public computers soft-reset every time they’re logged out to prevent things like keyloggers and other nasty spyware from being left behind, but they can only do that if you remember to log out. If you don’t log out, and the computer isn’t set to restart after a period of inactivity (or someone gets to it before it does), it can mean your accounts are under threat, even if you closed out the browser window and logged off of your account. Also, this assumes the public computer is configured correctly to do that in the first place.

Do: Set it to Something You Can Access on Your Phone or On The Go

It might be a good idea to download Outlook if your backup email is Outlook. Most folks have their phone on them all the time, and if you end up at the bank or in front of a doctor without access to your account because 2FA sends to your computer, you’re going to be tempted to remove 2FA for next time. Don’t! Instead, make sure you can access whatever number or email it’s going to send that message to.

You should also try to update 2FA as you migrate across accounts – if you have something set to send to your old, abandoned email address or phone number, you may lose access to that account.

Do: Enable it Where You Can

2FA prevents the vast majority of password-stuffing attacks. If you need help, password managers like LastPass are an excellent choice – although you’ll have to add your security answers in the notes section, if you’re signed up with security questions instead of texts or emails.

Intro To Phishing, And How To Avoid It

Elizabeth Technology July 14, 2022

What is Phishing?

Phishing is the action of sending someone messages with the intent to deceive them into parting with information they otherwise wouldn’t have shared. While it’s commonly used to try and steal logins, cookies, and other digital data, it can be used to snatch things like government-assigned identification numbers, important medical information, and more.

It’s also not limited to email, despite the common perception – ‘smishing’ is phishing over text using things like fake verification texts, and the ever-popular phone scams can phish by pretending to be a bank or other service that the victim may actually use.

What’s the Risk?

Getting your PII (your personally identifying information) stolen is kind of a nightmare. You probably don’t need me to explain all the ways identity theft can really screw up your credit and reputation!

If a scammer gets ahold of the login to your bank service, and you don’t have 2FA enabled on your account, they can do quite a bit of damage to your account by requesting cards, making fraudulent purchases, or transferring out money. Even if your bank has policies to protect you and undo all that mess, it’s still going to be a very frustrating and anxious few weeks of reclaiming control of your account, communicating with the bank, and the bank trying to track down the phisher (if they even can). That’s just one login!

Aside from the big, important services like your bank and utilities, getting your password and login stolen from a service you don’t consider important can still really suck. It can even lead to the phisher getting into the services you do consider really important. Take a smishing attempt that looks like Fedex has tried to deliver a package, but couldn’t. Were you expecting a package? If you were, you’re probably a little concerned. You don’t notice there’s a typo in the text, or that the number it sent from is different than usual. You click on the link, and it leads you to Fedex Smart Delivery manager, prompting you to log in. If you type in the login, then you just gave them your Fedex credentials! That doesn’t sound like a big deal – Fedex is easy to reset, right? But it is a big deal. Your address is in Fedex. You have your telephone number in Fedex. Your delivery history is in Fedex. The phisher can use some of that information to open accounts in your name that they don’t intend to pay for, which can impact your credit score. Plus, if you reused that password anywhere else, you have to reset it everywhere it was used, because odds are the phisher is going to try and get into everything they can to gather more data and steal working accounts.

How to Better Protect Your Accounts

All of this sounds really painful. Luckily, there are a few tips that can make your information safer! Firstly, don’t re-use passwords. You may groan at the thought, but reusing a password for services makes it much easier to steal an account of yours if they get that password via a site breach or a scam. We recommend a password manager like LastPass – it makes it much easier to store and create unique, strong passwords for every site!

Secondly, you’ll be better protected if you use two-factor authentication on every website that has the option to. If you do fall for a phishing scam, the scammer won’t have the code necessary to get in! Of course, some scams are sophisticated enough to think of that beforehand: Craigslist, for example, had a bad rash of scammers a while back who would “text a code” to a seller “to make sure they were a real person”. The seller then gives them the code, and the scammer now has a Google Voice number with the seller’s phone number as the verified number behind it! They just social-engineered their way into bypassing 2FA. This is why you should never give out verification codes – especially if you didn’t request them. Instead, it might be time to reset the password of the account that verification email came from. Just don’t click any links in those verification emails, either: go straight to the home page of the site instead to log in. The verification email might be a phishing attempt all by itself, hoping you’ll click a fake link to the website!

How To Avoid it in the First Place

It’s better if they never get to test 2FA at all. There are a few key tips to avoid phishing scams. Firstly, is there a sense of urgency? Your utility companies aren’t going to call and say they’ll shut off your water without at least a few mailed reminders that your bill is due! The same goes for your bank. If they demand that you resolve a problem right then, right there, out of the blue, it’s probably a phishing scam (if you’re nervous it’s not a scam, call the alleged company using their number off of their Google page or their real website). This goes for both phone and email phishers.

If it’s an email or a text, ask yourself if you were expecting an email or a text from that company. If you get a Fedex text update that you didn’t sign up for, it might be a phishing scam. If you got a notification from Walgreens that your photos have finished printing, and you didn’t print any photos, it might be a phishing scam. They want you to click or tap the links they include to see what’s going on. Spelling errors are also a common tell – it’s not impossible for a company to make spelling errors in their communications with you, but they won’t be littering the page with them! Phishing scams do that to weed out people who know better so they won’t waste time on targets that won’t crack.

You should also check the sender of the email! Spoofing is a technique that attaches a real name that you might know to an email address or phone number that definitely doesn’t belong to them. Anyone can set their name to George Smith or Big Company Customer Service in Gmail, but they can’t change the email address they’re sending from. If it’s [email protected] and not [email protected], for example, it’s probably a phishing scam.

The same goes for caller ID, although it’s getting harder and harder to tell real calls from fake ones – scammers can set their name to something like “Hospital” or “School” to make it more likely you’ll pick up. Some more sophisticated operations can even make it look like they’re calling from a different number altogether, using VOIP technology to match the area code of the caller to the person being called. Just like in the urgency tip, you should be able to call a legitimate company or organization like a school back from the number they have on their website, or the number you know to reach them at. If they’re really resistant to you hanging up and calling back for reasons that don’t make sense, it might be phishing. Unfortunately, some scam calls are really tough to pick up on, and the FCC can’t do much to stop them if they’re not in the US. Many people today don’t answer their phone unless they were explicitly expecting a call as a result, and phone companies themselves sometimes offer up call and text screening.

Spear Phishing

Spear Phishing is much more sophisticated by default. It’s a scam that can’t just be blasted out to 500 people, they want to get you! They’ll use every trick in the book they can to get you to click a link or give out information you shouldn’t. If they think you have valuable information on your company, for example, they may send an email pretending to be a coworker by using spoofing, and they will write more carefully to avoid misspelling anything. If something doesn’t feel right, it’s important to check the ‘coworker’s’ email address for spoofing, which should stop most spear phishing attempts in their tracks. If you examine the entire domain name for misspellings, you may find one! For example, somebody using [email protected] or [email protected] instead of [email protected] might snag a few people who didn’t look closely enough. A scammer may also try to use a line like “I’m locked out of my work email, so I’m using my personal one” to try and impersonate your coworker. Many organizations have policies against using personal addresses for this exact reason – how can you verify they’re with the company if they’re using Gmail or Yahoo? Anyone could make an account with their name at that point! In this case, if the coworker didn’t warn you or share this address with you beforehand, you shouldn’t interact with the email further. Don’t click any links or attachments in the meantime.
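The sender checks described in this section and the one above (a trusted-looking display name on an address that isn’t, a domain one character off from the real one, and a personal free-mail address standing in for a work account) can be automated on the From: header. The following is an added example, not code from the original post; the trusted domain example.com, the free-mail list and the sample headers are constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List

# Constructed for this example: the organisation's own domain(s) and the
# free-mail providers the post mentions a "locked out" coworker might use.
TRUSTED_DOMAINS = {"example.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def from_header_findings(from_header: str) -> List[str]:
    """Return warnings for one From: header value (empty list means no tell).

    Three checks from the post: the display name claims a trusted brand but
    the address domain is not trusted; the address domain is a near miss of a
    trusted domain (a typo-squat); or a free-mail domain is used where a work
    address was expected."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return []   # a genuine address; the display name is irrelevant

    findings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower():
            findings.append(f"display name claims {brand!r} but address is @{domain}")
        # Similarity ratio close to 1.0 means a lookalike such as examp1e.com;
        # unrelated domains score well below the 0.8 threshold used here.
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            findings.append(f"domain {domain!r} is a lookalike of {trusted!r}")
    if domain in FREE_MAIL:
        findings.append(f"free-mail domain {domain!r} used for a work request")
    return findings


# Constructed sample headers, not real messages.
SAMPLE_HEADERS = [
    "Example Support <support@example.com>",            # genuine
    "Example Support <support@examp1e.com>",            # brand + lookalike
    "Jane Doe <jane.doe@gmail.com>",                    # "locked out" coworker
]
```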

You can even forward the email to IT! If you’re worried that the coworker really needs that sensitive data (which fits into creating a sense of urgency, like mentioned above) consider the risks of falling for a phishing scam vs. the risks of standing your ground when you didn’t need to. A phishing scam can completely pull down your entire operation, lock up or steal files, and wipe computers of their data, setting a company back with nearly nothing. Not giving information out to an email address you don’t recognize can delay a project or annoy a client, yes, but it’s much better than wrecking your organization, in which case you’ll also delay projects, but for much longer as your company recovers from a phishing-based security breach. Better to be safe than sorry!

Parler Was An Objectively Poorly-Made Website

Elizabeth Technology January 21, 2022

Parler was poorly made. Good websites can lose data, sure, but generally it’s not dozens of TB all at once.

Perfect Timing

Parler. The website started as an attempt to regain internet-footing lost when Facebook, Twitter, and others began banning hate speech. The worst of the alt-right can’t survive without hatred, so this was a very big issue for them. The creators of Parler hoped to cash in quick and assemble a website just for them.

Regardless of what you believe politically, making websites as a reaction to other websites’ actions almost never works well, especially if they want to keep that other site’s format. If the website’s creator couldn’t manage a good, testable idea, then it’s very likely they don’t fully understand what makes Facebook or Twitter tick. The knock-off’s going to have problems the original took care of ages ago.

They also don’t know why the original made the decisions they did. Websites don’t just make changes because they hate their users, they make changes because something is inefficient or broken. Maybe a feature just didn’t scale like it was supposed to, maybe the change is just to make the site more tolerable to advertisers. Inefficiencies. See VOAT: Reddit dropped those problem pages because they were creating problems, and VOAT picking those users up essentially doomed it. Reddit wouldn’t have dropped them unless they were forced to!

Security – Anyone Else Would Have Caught It

It’s important to have security pros on the team somewhere, but Parler’s founders genuinely didn’t know how poor their security was. Alternatively, they might have been so small that security wasn’t an issue until they got big.  

For example, their API. The API, or Application Programming Interface, is the exchange point between the application's software and the outside world: it takes requests from the user to the server and carries the server's answers back. It acts as a middleman between the front end and the back end of a website. Because every request passes through it, the API is where a site checks who is asking (authentication), what they are allowed to see (authorization), and how fast they are allowed to ask (rate limiting). Done right, that keeps outsiders from scraping content in bulk, and the extra step in front of the server also makes it harder for a botnet to flatten the site with a DDoS, since there is one more layer to work through before anything reaches the database.

It’s like the truck door in a warehouse, and only employees are allowed in. To get in, the employees need to have credentials. In Parler’s case, that truck door was left open, and the guy who downloaded the 54 TB of data just strolled right in. Anybody could have done this, at any time, given a little bit of knowledge about APIs. There was no protection! The API also controls how much information can leave the warehouse at a time, but since that wasn’t set up right either, the white-hat hacker who downloaded the information was able to do so before the site was forcibly shut down, 24 hours after Amazon’s warning.

That’s not the worst of it for the users. The EXIF data attached to scraped images alone incriminated dozens of people all by itself post-insurrection-attempt. For those of you who don’t know, EXIF data is meta-data, or data about an image that isn’t the image itself. Included in EXIF data is things like the make and model of the camera that took the picture, internal watermarks if applicable, and geotagged information unless that setting is deliberately turned off. Generally, Geotagging defaults to ‘on’, so people were posting their pictures of the Capitol riots alongside their exact physical location at the time of the picture, which was also in the EXIF data. Many websites scrub EXIF data during upload – Parler did not. Once again, this is something a security expert would have noticed.

Parler Wasn’t Even That Good at Being a Home Base

Reports say that a hacker got the info and shipped it off. That happened, and many people were caught (and charged) much faster than they would have been otherwise. But that wasn't the only source of information! Parler says it sent information about violent threats to the FBI before the Capitol event. Generally, websites do this to save their own skin: it passes responsibility to the agency they reported to, and it keeps them out of trouble because they acted reasonably.

Parler may have wanted to be a safe haven for the alt-right, but just like every other website, it had to police speech to stay out of serious legal trouble. Reactionary websites never quite seem to get this, no matter what kind of site they are. If Facebook, a well-funded company generally viewed in a positive light, struggles to keep up with what counts as a real threat, Parler never stood a chance.

Is It Coming Back?

…Maybe.

The mass-dumping by hosting companies and app stores doesn't mean the website is done for, it just means it's going to take some doing to find a host. The fanbase isn't great, the website lacks mass appeal to advertisers, and in general it seems like they don't have any reliable funding options aside from donations and the sketchier ad vendors. Besides, Parler turned itself into a nuclear waste dump by letting QAnon fester into full-blown attack planning. Again, no matter your political beliefs, big advertisers and web hosts really want peace, and anything the government has to step into will make the hosts angry. At a bare minimum, leaving the politics and optics of big hosts out of it, Parler shot itself in the foot by letting very real, actionable threats slide without bans or other content moderation.

 However…

That’s not always a killing blow. Gab recently hit the news for being just like Parler. Alt-right websites, especially ones that cater to the fringe of the fringe, are worse than the hydra. Ban a website, and it comes back with the rulebook plastered in highlighter.

Sources:

https://dev.to/mackenziejj/parler-wasn-t-hacked-it-just-lacked-the-most-basic-security-privacy-measures-n9c

https://cybernews.com/news/70tb-of-parler-users-messages-videos-and-posts-leaked-by-security-researchers/

https://www.forbes.com/sites/rachelsandler/2021/03/25/parler-says-it-reported-violent-posts-to-the-fbi-before-the-capitol-attack/?sh=2b04afa11a45

Razer Mouse Driver Causes Breach

Elizabeth Technology January 19, 2022

Peripherals

Peripherals. Your keyboard, mouse, drawing pad, Apple Pencil, game controller, and more are considered peripherals. Peripherals, by their nature, don't have much computing power inside them; generally, they have just enough to do their job and not more. In terms of hacking, they aren't quite as exposed as IoT gadgets, because the interfaces they use (USB HID, for instance) have been in the computer world for much longer and are well understood.

That doesn’t mean that it’s impossible, it just means that other targets are often easier – and other methods, such as hiding a hacking device in a corded mouse’s plug in a la the Juice Jacker are easier than trying to get in on a device’s protected Bluetooth connection.

However, some peripheral devices require things like drivers. Drivers are programs that give the computer instructions for how the device is supposed to work. A computer won't know how a specific drawing tablet works until that tablet is hooked up and the drivers installed, and a Dell won't understand an Apple Pencil without its related software. Most mice and keyboards, on the other hand, don't need their own drivers, because they speak a standard protocol (USB HID) and the operating system already ships with a generic driver for it. It's why you can just plug and go with most mice, Bluetooth ones included.

In this case, Razer's mouse does enough extra (changing the colour of its internal LEDs, for example) that it needs Razer's own software to be used to its fullest extent, and the computer doesn't have built-in instructions for those commands. The way Windows fetches and runs that software is what presented the vulnerability!

The Flaw

Razer’s mouse doesn’t magically make the user an admin just by plugging it in – the end user still has to know what they’re looking at. The way Razer peripherals work, plugging one in downloads the drivers that specific device needs. To do so, it opens up a Wizard, and if you catch it when it asks you where you want to save the file, you can (or could) left-click and open PowerShell. Now you have access to PowerShell, one of Microsoft’s automation and task frameworks, without needing to get the administrator’s permission first. And PowerShell has admin privileges by its nature! Now that it’s been opened up, even previously limited or restricted profiles can access and change settings within the computer as though it were an admin, something it couldn’t have done without Razer’s Wizard.

This is a pretty big flaw.

The issue isn't really that the wizard asks where to put its files instead of stuffing them in its own folder or on the desktop by default, like many programs do. The issue is that the installer, and every window it spawns, runs as SYSTEM, and Windows kicks it off for whoever plugs the device in, with no administrator permission needed. An installer that runs with that much privilege should never hand the user an interactive window at all.

This is a big flaw. However, it also means that any malicious user would still have to get access to the computer first, either physically or remotely, and have a Razer device to plug in. It's a local privilege escalation: a real vulnerability if the person with the device is in front of an unlocked, logged-in computer (or manages to scam their way into remote control of one), but not a reason to toss your Razer mice.

Razer

Razer peripherals are generally marketed towards gamers, but they can be used as regular peripherals too. They're sort of expensive to buy as just a mouse, and their precision is designed for games, not Excel sheets, so many people (and many businesses) would prefer something lighter and cheaper for their office computers. Why bring an 18-wheeler when a pickup truck will do the trick? The same goes for their gaming chairs, computers, keyboards, and so on: if something is perfectly designed for gaming, it can also do office stuff, but it would look and feel sort of ridiculous.

Razer’s whole image is the scorpions and snakes, green and black, Matrix, high-tech imagery. They may occasionally sell multipurpose stuff, but their marketing is overwhelmingly towards gamers, promising them the top-of-the-line peripherals with accuracy and speed that plain Dell or third-party peripherals can’t always deliver.  

The company knows this. Razer, understanding that their main selling point is ease of use and not security, may overlook basic security flaws every once in a while, and I don't really blame them for missing something like this while testing. After all, Windows is the one that runs a vendor's installer as SYSTEM for any user who plugs in a device; it should have been more careful too, right?

Sources:

https://www.razer.com/

https://lifehacker.com/you-can-gain-admin-privileges-to-any-windows-machine-by-1847537634

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

The EA Hack

Elizabeth Uncategorized November 19, 2021

The EA hack isn't a special case. Not anymore. Hack after hack, data leak after data leak, stolen game engines and assets, one after another. Game companies are being targeted deliberately for IP and source code theft, because that is one of the few things hackers can still steal from them with relative ease.

EA’s Track Record

This hack was due to a mix of stolen authentication cookies and social engineering. It also seems to be EA's first major breach, if the lack of news about anything else is any evidence; even Wikipedia doesn't have much to say about past security incidents. The one chance hackers had to get customer data was sealed off back in 2019, when a white-hat research group discovered the vulnerabilities and alerted EA that a sufficiently capable team would be able to take over accounts and get at their customers' payment data. EA's record is cleaner than the industry average.

EA has a good track record with overall security, and many companies in the same worth bracket, including other game companies, can't say that! Fellow gaming company Capcom got hit with Ragnar Locker ransomware, and while it "only" lost about 350,000 people's worth of account data, it also lost its internal logs and couldn't tell whether credit card data had gone too. Blizzard, another big company with a good track record, suffers from persistent bot plagues it's unable to clear out, and human players then lose their data directly to particularly conniving bots and data thieves, no hacked server required.

This Particular Hack

This hack was especially devious. The attackers used stolen authentication cookies (the cookie a site sets after you log in so it "remembers" your browser; anyone who holds that cookie looks like you to the server) to get into an EA Slack channel, and then socially engineered their way past IT support into the company's internal network.

From there, downloading stuff was easy.

More than 780 GB of data (most of it source code) was taken, but the hacker group stated that they couldn't find a buyer. Source code is copyrighted, after all, and the consequences of being caught with another company's code aren't worth having it. Many hackers would much rather have payment or personal info than code. They then tried to extort EA by threatening to release it, uploading a little of the next FIFA game as proof that they had it. After EA refused to pay, they released the remainder as promised. Once again, using another company's source code just doesn't make sense in the long run, so it's unclear what the long-term consequences will be for EA. However, they're not the first to be extorted this way: CD Projekt Red's failed ransom should have served as a warning!

The CD Projekt Red Hack

CD Projekt Red, the game studio behind Cyberpunk 2077 and The Witcher 3, was hacked in February 2021. The group responsible stole source code, including the game engine, and not much else; their customers were surprisingly uncompromised after the incident. The hacking team seemed to have a personal grudge against Projekt Red, so I can only assume the customer information was better secured than the game engine itself: who wouldn't steal customer data if they were trying to completely trash a company's reputation?

EA similarly partitioned customer data away. This is a good thing! Like the watertight compartments in a ship, separating data means the entire company isn't compromised as long as a bulkhead somewhere stops the water from getting into the other rooms.

And Other Examples

A Blizzard hack snatched the emails (but not the unscrambled passwords) of an estimated 12 million players in 2012. This was easy to recover from; resetting the password was good enough for most accounts, but having those emails made the players vulnerable to credential-stuffing attacks in the long run.

In 2011, an even bigger attack on Sony's PlayStation Network compromised the details of approximately 77 million users. This one stands out because both encrypted and unencrypted data was taken: the credit card information was encrypted and so not directly readable, but Sony, even after a week-long delay, couldn't say how much an attacker could actually squeeze out of it. The unencrypted data, basically every other personal detail attached to a player, was usable the moment the hackers had it. Events like these served as a warning for Blizzard, which encrypted much more, and eventually for Microsoft's Xbox, CD Projekt Red, and others as hacks became more prevalent.

Sources:

https://therecord.media/hackers-leak-full-ea-data-after-failed-extortion-attempt/

https://www.newsweek.com/electronic-arts-ea-origin-account-takeover-hacking-cybercrime-check-point-cyberint-1445976

https://www.ea.com/security

SQL Injections

Elizabeth Uncategorized October 13, 2021

Sanitize your Inputs.

If you’ve been following cyber security news over the past few months, you’ve probably seen ‘SQL Injection’ somewhere. It’s usually in reference to a security failure – maybe a breach happened, and you saw it written in the post-mortem of the attack. What is it?

SQL

What is SQL? SQL stands for 'Structured Query Language'. It's widely considered the language of databases! Essentially, SQL is really good at handling structured, relational data, where the relationships between records are kept coherent. SQL is more like an umbrella term than a single thing: the sub-languages for defining tables (DDL), reading and changing rows (queries and DML), and controlling who may do what (DCL) all fall under it. Different vendors also implement SQL slightly differently, so SQL that does the same thing on two websites may look different. It's basically everywhere!

Especially on the back-end side of websites. Passwords and login info have to be stored somewhere, preferably somewhere that is A) secure and B) accessible. That's not as simple as it sounds. If a website stores its data in a simple table, with no hashing or other protection of the credentials, it's only a matter of time before some malicious party comes for it. Hashing is mandatory nowadays, and in fact hashing and segregating sensitive data is often the only thing turning a major breach into a minor event. See Blizzard's hack, for instance: having the passwords scrambled and stored separately saved them. Proper database hygiene saved them.

Retrieving that information is also important, and SQL does that too; it specializes in uniting all of these tasks. However, its widespread use doesn't mean it's invulnerable, and mistakes while wiring it into a site can turn it into a dangerous weapon.

SQL Injection

An SQL injection is an attempt to interfere with the queries the application sends to its database. The application builds each query as text, and if user input is pasted into that text, a hacker can deliver a little SQL of their own to a database they could otherwise never reach, and may be able to grant themselves access to it, read it, or damage it, among other things. For example: a new user signs up and types in a name and password. The application sends the database the instruction "Store this (USERNAME)". In an injection attack, the username actually contains code, so the database reads the instruction as "Store this (AND DELETE ALL DATA)".

These are so incredibly simple to execute that an attacker would be foolish not to try at least a couple of times. It's as simple as figuring out what the input field will let through (are semicolons allowed in passwords? Can I put a quote mark in my username? Are brackets allowed or not?) and then abusing that as hard as possible to get results.

Even big websites are susceptible. Why? The process to prevent it is separate from the process of putting SQL into the website in the first place. Picture trying to drive a car with no automatic headlights at night. Eventually, you may forget to turn them on manually – and that may cause an accident even if you’re an otherwise excellent driver. Turning the headlights on, or sanitizing the inputs, is the safest way to prevent harm from coming to that database behind the scenes, but it’s easy to forget.

Sanitizing Inputs (Or Making Them Unreadable)

This method of hacking doesn't work if the database never gets to see the input as code. Now, there is some contention as to what sanitizing actually means specifically; generally, it means make the computer not read the input wrong, which can be achieved in a number of ways.

There’s telling the database to convert data, which may produce undesired results in the database.

There’s telling the code that’s taking the input to split the query used to ask for data and the resulting data itself apart, which prevents that data from being misinterpreted as a command.

And then there’s simply not allowing certain things to be used in the input fields, which is kind of sanitizing by elimination.

If the database never gets anything it doesn't expect, it can't do things its programmers weren't expecting, which makes it safer. Validating the inputs is equally important! You'd never see letters in a phone number or brackets in a name anyway, so this is good for the data itself too.
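To make the difference between the approaches concrete, here is an added example (not code from any of the sources cited below) that runs the same login check and the same search box two ways against an in-memory SQLite database. The accounts, the hash function, the username rule, and the two attack strings are all constructed for the demo; a real site would hash passwords with bcrypt or Argon2 rather than plain SHA-256.

```python
# Added example, not from any of the cited sources: one login check and one
# search box, each written the vulnerable way and the safe way, run against an
# in-memory SQLite database seeded with constructed accounts.
import hashlib
import re
import sqlite3


def hash_pw(password: str) -> str:
    # Demo only: a real site should use a salted, slow hash such as bcrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):   # constructed accounts
        conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", (name, hash_pw(pw)))
    conn.commit()
    return conn


# Vulnerable: user input is pasted straight into the query text, so the database
# cannot tell where the data stops and the command continues.
def login_vulnerable(conn, username: str, password: str):
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{hash_pw(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term: str) -> list:
    sql = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [r[0] for r in conn.execute(sql)]


# Fixed: parameterised queries send the SQL and the values separately, so a
# quote mark in the input is just a quote mark.
def login_safe(conn, username: str, password: str):
    row = conn.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                       (username, hash_pw(password))).fetchone()
    return row[0] if row else None


def search_safe(conn, term: str) -> list:
    rows = conn.execute("SELECT username FROM users WHERE username LIKE ?", (f"%{term}%",))
    return [r[0] for r in rows]


# Validation on top of parameterisation: reject input the field should never hold.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


# Constructed payloads a tester would try. In SQL, -- starts a comment, so the
# rest of the query (the password check, or the closing quote) is ignored.
BYPASS_USERNAME = "alice'--"
EXFIL_TERM = "zzz%' UNION SELECT pw_hash FROM users--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as alice, wrong password:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("safe login with the same input:", login_safe(db, BYPASS_USERNAME, "wrong"))
    print("vulnerable search leaks hashes:", search_vulnerable(db, EXFIL_TERM))
    print("safe search with the same input:", search_safe(db, EXFIL_TERM))
    print("valid username?", valid_username(BYPASS_USERNAME))
```

The bypass string logs in as alice with any password, because the comment marker chops the password check off the end of the query; the search string turns a harmless LIKE into a UNION that returns every password hash in the table. Both payloads are inert against the parameterised versions, and the allowlist rejects them before a query is even built. One caveat: Python's sqlite3 driver refuses more than one statement per execute() call, so the Bobby Tables "DROP TABLE" trick won't run here, but on a driver or server that accepts stacked statements the same missing parameterisation lets that through as well.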

KXCD’s Bobby Tables Comic: https://xkcd.com/327/

Sanitizing, validating, or otherwise controlling inputs, however a business decides to approach it, is good for database security. However, it's often hard to get right if the website is assembled by the business owner themselves. Luckily, Wix, Squarespace, and other big DIY-website builders do this automatically. The folks in the most danger are people and companies with just enough expertise to make a public-facing webpage from the ground up, without enough expertise to secure it from the ground up.

Dangerous, Even Now

Technology improves, and some things get better.

And then there’s things like sanitizing inputs. The code may be cutting edge, the machines themselves may be top of the line, but forgetting to include some verification for data is just like forgetting to put out a candle before leaving your house for the day. The action is insignificant… the consequences are not. And, just like candles, there isn’t really tech that turns that off. Either you blew out the candle, or you didn’t. If you’re lucky, nothing happens while it’s unattended.

SQL injections have compromised tens of millions of legal and healthcare records around the world because they're so simple! They're easy to automate and often overlooked. It's painfully easy to introduce weaknesses via plug-ins as well: WordPress has over 50,000 plug-ins, and many are outdated or obsolete when it comes to SQL security, so using a DIY website builder is no guarantee of safety if the customer strays too far outside the presets.

SQL injections are a big threat that’s easy to avoid… if the website creator knows to look for it. Free resources for fixing vulnerabilities scatter the web, but nothing beats expertise. (Don’t just slap something into a site willy-nilly – go to an expert!)

Sources: https://www.veracode.com/security/sql-injection

https://kevinsmith.io/sanitize-your-inputs/

https://www.smashingmagazine.com/2011/01/keeping-web-users-safe-by-sanitizing-input-data/

Smishing

Elizabeth Uncategorized September 27, 2021

Do you get strange solicitations for all sorts of things in your messages? Are you getting texts from email accounts, or massive group-texts to you and everyone within a couple of digits of your number?

That’s Smishing.

Phishing

Phishing is the process of sending emails with dangerous links in them and hoping that someone on the other end will click. These emails can be broadly targeted or narrow, well written or not; it all depends on who is on the other end of the line. Broadly targeted emails sent to many people tend to be poorly written, which weeds out the people who would flake out halfway through the scam. Narrowly targeted emails aimed at individuals or specific companies tend to be much better, because the scammers are willing to invest the time needed to get them.

Classic phishing happens via email, but it comes in a variety of flavors, and setting rules such as 'don't click links' and 'don't look at ads for services you didn't sign up for' can wipe a lot of the problems out. Phishing is still incredibly common, and many people (including the elderly, people reading in a language other than their native tongue, younger kids with email addresses, and so on) still fall for it… but where tech innovation goes, scams soon follow!

Improvement to the Tech 

There was a time when sending mass texts in the hope of securing some personal data was time consuming and expensive. There was a time when you couldn't just send an email to a phone number, or vice versa. Nowadays, all of these things are possible. Everyone worth scamming has a smartphone, and very few plans charge per text instead of per gigabyte.

VoIP and assorted messaging apps all blur the lines between email, phone calls, text messages, app-based messaging, and more. Of course, the market has encouraged this. If users have to switch apps to stay in touch with friends on a different app, they'll generally do so, so it's in every app's interest to work with the others, and most will let users send and receive messages across them with minimal fuss. There aren't a ton of such bridges, but the handful that exist is plenty. Plus, Google and Outlook will let you send a message straight to a phone number now, as long as you have the full ten digits.

Smishing

Smishing, just like phishing, involves sending messages trying to get people to click sketchy links inside or engage further with the scammers. Sometimes it happens with one number sending directly to one number, or one number to many, and sometimes an email address is able to send you messages directly.

Shotgun-blast smishing, just like regular phishing, targets people who don't know better than to click on strange links or respond to "adult links" texts with incoherent rage. Now that many delivery services send text updates, an unsolicited text about a meal or package delivered to the target's house may get them to click the link without pausing to think about all of the other messages they should have received beforehand. The phone is new territory, and the scammers hope you'll fall for it because it's new and blends in a little better.
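The tells in that paragraph (a delivery lure out of nowhere, a link that doesn't belong to the brand named in the text, a shortened link, a text that arrived through an email gateway) can be written down as a rule. The following is an added example, not part of the original post: a small triage function that scores a text message on those tells and runs over four constructed messages. The brand-to-domain allowlist and the shortener list are illustrative stand-ins for whatever a real deployment would maintain.

```python
# Added example, not from the original post: a small triage function that flags
# the smishing tells described above (unsolicited delivery lures, links that do
# not match the brand named in the text, shortened links, messages relayed
# through an email-to-SMS gateway). The brand list, shortener list and sample
# messages are all constructed for the demo.
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+|\b[a-z0-9.-]+\.[a-z]{2,}/\S*", re.IGNORECASE)
LURE_RE = re.compile(r"\b(package|parcel|delivery|redeliver|shipment|prize|won|suspended|verify|confirm|urgent)\b",
                     re.IGNORECASE)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Constructed allowlist: brand word in the text -> domains that brand really uses.
BRAND_DOMAINS = {"usps": {"usps.com"}, "fedex": {"fedex.com"}, "ups": {"ups.com"}, "amazon": {"amazon.com"}}


def hostname(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Crude: last two labels (enough for the demo, wrong for co.uk-style suffixes)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_sms(sender: str, body: str) -> dict:
    flags = []
    if "@" in sender:
        flags.append("relayed through an email-to-SMS gateway")
    for url in URL_RE.findall(body):
        host = hostname(url)
        domain = registered_domain(host)
        if domain in SHORTENERS:
            flags.append(f"shortened link ({domain})")
        for brand, real_domains in BRAND_DOMAINS.items():
            if re.search(rf"\b{brand}\b", body, re.IGNORECASE) and domain not in real_domains:
                flags.append(f"mentions {brand} but links to {host}")
    lures = sorted({m.lower() for m in LURE_RE.findall(body)})
    if lures:
        flags.append("lure words: " + ", ".join(lures))
    score = len(flags)
    # One lure word alone is normal (real delivery texts say "package" too);
    # two independent tells is where a human should start doubting.
    return {"score": score, "suspicious": score >= 2, "flags": flags}


SAMPLE_MESSAGES = [   # constructed (sender, body) pairs
    ("+15551234567", "USPS: your package could not be delivered. Confirm your address at http://usps-redelivery.xyz/a1b2"),
    ("+15559876543", "Your USPS package is out for delivery. Track it: https://tools.usps.com/go/TrackConfirmAction"),
    ("winner88@example.com", "Congratulations, you WON a prize! Claim it now: bit.ly/3xyz"),
    ("+15550001111", "Running late, start without me"),
]


def triage(messages=SAMPLE_MESSAGES) -> list:
    """Return (sender, suspicious) for each message."""
    return [(sender, score_sms(sender, body)["suspicious"]) for sender, body in messages]


if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        result = score_sms(sender, body)
        print(f"{sender:>22} score={result['score']} suspicious={result['suspicious']} {result['flags']}")
```

The threshold matters more than the individual rules: the genuine USPS text in the sample scores one (it mentions a package, but links to a USPS domain), while the fake scores two (same lure, wrong domain) and the prize text scores three. Anything built on this would need a proper public-suffix list in place of the two-label domain guess, and a brand allowlist maintained against what those companies actually send from.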

There is a more dangerous version of smishing: if the scammers know who they're texting, and can text coherently, getting info or clicks out of the target becomes much easier, because they can tailor the texts to that person. If someone uses your name, you'll assume you know them from somewhere, and a text is already so personal that it's hard to blame people who fall for it. Shotgun-blast smishing only catches the folks who were already vulnerable, but a good, targeted attack can fool many more. This obviously also applies to regular phishing, but because phone numbers all look the same, and phones can be misplaced while desktops can't really be, bluffing your way into getting 'emergency information' from someone is just a smidge less difficult.

Malware is still a potential problem for phones. The catch for the attacker is that it has to be built for the platform the target's phone runs (Android or iOS), or it won't infect that device. While many people browse on their phones, a great many more use a desktop for everything, so the scammers of the past would just send the desktop version and hope they caught something.

Smishing introduces a new angle: phone numbers generally lead to phones, so the scammer can send the phone-specific malware and almost guarantee themselves a hit as long as the target actually taps the link.

Epidemic

Unfortunately, unlike phishing calls or emails, smishing is easier to spam with and doesn't usually require a list of existing addresses. Think about it: a phone number has a fixed number of digits, each one of ten possible values, 0-9. An email address not only has the entire alphabet on top of the numbers, its length varies from the shortest possible username to the longest one. You can't simply guess your way to a working email address the way you can with a phone number; you'd have to buy a list and plug it into the spam machine to send messages.

Enforcement, too, is easier to evade. If a smisher's email gets banned, they can simply make another one (the same mechanism that makes spamming emails without a list difficult) and keep spamming phone numbers. As emails and phone numbers get blocked, online services allow them to continue messaging; if those services get complaints about the spam, simply make a new account there too. Easy, fast communication is vital to many people, businesses, and services today, so all of this is easy and accessible by design.

Sources:

https://www.androidauthority.com/apps-send-text-sms-pc-ways-740669/

https://www.techrepublic.com/blog/microsoft-office/use-outlook-to-send-e-mail-to-a-cell-phone/