Recent Infosec highlights

It sometimes feels like news in the world of information security (infosec) is a never-ending tsunami. With the almost-daily reports of breaches, malware, phishing, vulnerabilities, exploits, zero-days, ransomware, and the Internet of Things (IoT), it can be difficult to identify stories that are likely to be of interest to typical computer users.

Stories about infosec issues that are primarily academic may be interesting, but they’re unlikely to affect most users. Sometimes the impact of a security issue is exaggerated. Occasionally the threat is later found to be nonexistent or the result of faulty reporting.

In the past, I collected infosec stories and wrote about the most interesting and relevant ones in a single month-end roundup. This helped to manage the load, but it introduced an arbitrary and unrealistic schedule.

Starting today, I will occasionally post a few selected infosec stories in a single ‘highlights’ article. Without further ado…

Don’t be a victim of your own curiosity

Researchers in Germany discovered that most people click phishing links in emails, even when they don’t know the sender, and even when they know they shouldn’t do it. Why? Curiosity, apparently. It doesn’t just kill cats any more.

Promising new anti-phishing technology

On a related note, there’s a new reason to be optimistic in the fight against phishing. A proof-of-concept, prototype DNS greylisting service called ‘Foghorn’ would block access to domains it has never seen before for 24 hours, or until the domain is identified as legitimate and whitelisted; a freshly registered phishing domain is therefore unreachable at exactly the moment the link is clicked. Hopefully Foghorn will prove effective, and become available for regular users in the near future.
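To make the greylisting idea concrete, here is a small model of that policy written for this post as an added example. It is not Foghorn’s code: the 24-hour window, the in-memory ‘first seen’ table, the suffix-matched whitelist and the sample domains (the `.invalid` names are constructed) are all assumptions of the example. The decision function takes the clock as a parameter so the sequence can be replayed offline.

```powershell
# Added example, not Foghorn's code: a toy model of DNS greylisting.
# A domain nobody has queried before is refused for a greylisting window
# (24 hours here) unless an operator has whitelisted it; once the window
# has elapsed it is allowed.

$script:GreyWindow = New-TimeSpan -Hours 24
$script:FirstSeen  = @{}   # domain -> [datetime] of the first query seen for it
$script:Whitelist  = [System.Collections.Generic.HashSet[string]]::new(
                         [System.StringComparer]::OrdinalIgnoreCase)

function Add-GreylistWhitelist {
    # Mark a domain (and, by suffix match, everything under it) as known-good.
    # Do not whitelist a bare TLD such as 'com'; that would allow every .com name.
    param([Parameter(Mandatory)][string]$Domain)
    [void]$script:Whitelist.Add($Domain.ToLowerInvariant().TrimEnd('.'))
}

function Test-Whitelisted {
    # 'www.example.com' is whitelisted if 'www.example.com' or 'example.com' is listed.
    param([string]$Domain)
    $labels = $Domain.Split('.')
    for ($i = 0; $i -lt $labels.Length; $i++) {
        $candidate = $labels[$i..($labels.Length - 1)] -join '.'
        if ($script:Whitelist.Contains($candidate)) { return $true }
    }
    return $false
}

function Resolve-GreylistPolicy {
    # Decide one query. $Now is a parameter so the logic can be replayed offline.
    param([Parameter(Mandatory)][string]$Domain, [datetime]$Now = (Get-Date))
    $d = $Domain.ToLowerInvariant().TrimEnd('.')
    if (Test-Whitelisted $d) {
        return [pscustomobject]@{ Domain = $d; Allowed = $true; Reason = 'whitelisted' }
    }
    if (-not $script:FirstSeen.ContainsKey($d)) {
        # First time anyone asked for this name: refuse and start the clock.
        $script:FirstSeen[$d] = $Now
        return [pscustomobject]@{ Domain = $d; Allowed = $false
                                  Reason = "first seen; greylisted until $($Now + $script:GreyWindow)" }
    }
    $age = $Now - $script:FirstSeen[$d]
    if ($age -ge $script:GreyWindow) {
        return [pscustomobject]@{ Domain = $d; Allowed = $true
                                  Reason = "first seen $([int]$age.TotalHours)h ago" }
    }
    $remaining = $script:GreyWindow - $age
    [pscustomobject]@{ Domain = $d; Allowed = $false
                       Reason = "greylisted, $([int]$remaining.TotalHours)h remaining" }
}

# Constructed replay: one whitelisted site and one lookalike domain queried three times.
Add-GreylistWhitelist 'example.com'
$t0 = Get-Date '2016-09-01 09:00'
$queries = @(
    @{ Domain = 'www.example.com';       Now = $t0 }                  # whitelisted parent
    @{ Domain = 'login-example.invalid'; Now = $t0 }                  # first click: refused
    @{ Domain = 'login-example.invalid'; Now = $t0.AddHours(3) }      # still inside the window
    @{ Domain = 'login-example.invalid'; Now = $t0.AddHours(25) }     # window elapsed: allowed
)
foreach ($q in $queries) {
    $r = Resolve-GreylistPolicy @q
    '{0,-20} {1,-24} {2,-6} {3}' -f $q.Now.ToString('s'), $r.Domain, $r.Allowed, $r.Reason
}
```

The replay refuses the lookalike domain on the first and second query and allows it only once 24 hours have passed, while the whitelisted site is never delayed. A real resolver would persist the ‘first seen’ table and log every refusal, since a burst of refused first-seen domains from one machine is itself a useful phishing indicator.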

Scope of 2012 breaches of and Dropbox finally revealed

Popular Internet radio service suffered a breach way back in 2012, but the details were not revealed until very recently. According to a report from LeakedSource, as many as 43 million user passwords were leaked, and the passwords were stored using very weak security. If you had a account in 2012, you were probably instructed to change your password. If you didn’t do it then, you should do it now.

Massively popular file sharing service Dropbox was also breached in 2012, but again, the complete details of the breach are only coming to light now: passwords for as many as 60 million Dropbox user accounts were stolen. The validity of this information has been verified by SANS and Troy Hunt.

The usual advice applies:

  • If you have accounts for these services, change your passwords now, if you haven’t already.
  • Avoid using the same password for more than one service or site.
  • Use complex passwords.
  • Use password management software so you don’t have to remember all those unique passwords.

New: browse securely

You may have noticed that web sites everywhere are moving toward secure browsing. There are a couple of reasons for this. First, Ed Snowden confirmed our fears, revealing that the NSA and partner organizations are snooping on everything we do. Second, Google is pushing for encryption everywhere by penalizing sites that don’t offer secure browsing.

Boot13 may now be browsed securely, by pointing your web browser to

A big shout out and thank-you to Let’s Encrypt, an organization that provides free security certificates and related tools to anyone who operates a site or service that can use them. The certificate we’re using on Boot13 was provided by Let’s Encrypt.

Secunia’s Online Security Inspector is no more

The formerly excellent free OSI service provided by Secunia has been discontinued. I used the OSI service because it was an easy way to check for vulnerable software on any Windows computer.

Recently, OSI stopped working, and Secunia chose to retire the service rather than fix it. There’s probably more to their decision, but they’re not saying, at least not publicly. The OSI web site says only “We have discontinued the Secunia Online Software Inspector (OSI).” and recommends alternatives.

The primary alternative to OSI offered by Secunia is the “Personal Software Inspector”. As with OSI, PSI was developed in Java and requires Java to run. Unlike OSI, however, PSI runs as an application outside the context of your web browser. This has at least one advantage, in that there’s now one less reason to leave Java enabled in your web browser.

Unlike OSI, which was a strictly on-demand service, PSI by default sets itself up to start with Windows, checking for vulnerable software and updating it automatically. I’m not a fan of automatic updates: I want to be in control of what gets updated and when. Fortunately, PSI can be configured to only notify you of software that can be updated. You can also configure it NOT to start with Windows, but there are some additional steps you’ll need to take if you want to use PSI strictly on-demand.

PSI installs two services: Secunia PSI Agent and Secunia Update Agent. These services are configured to start automatically with Windows. If you want to run PSI on-demand only, you’ll need to change the Startup Type for both of these services from Automatic to Manual. When you run PSI, it will start both of these services. When you close PSI, it will stop the Secunia PSI Agent service, but leave the Secunia Update Agent running (it appears as sua.exe in the Windows process list). You’ll have to stop it manually.

Once PSI is running, it presents a list of installed software, along with status and options for each. We recommend changing the display to ‘Detailed View’ – click ‘Settings’ at the bottom of the PSI screen and enable that setting. While you’re there, you can also disable ‘Start on boot’ and select ‘Update handling: Notify’. For each application listed, the Status column shows the most obvious options, including ‘Download’ and ‘Update’. Right-clicking the entry for an application will show a context menu that allows you to see additional details about available updates, or choose to ignore updates for that application.

Warning: PSI seems to start scanning your computer before it presents any part of its user interface. That means you have to act quickly the first time you run it, if you want to configure it for on-demand scans only. Hopefully now that OSI users are migrating to PSI, Secunia will listen to their requests and make PSI more friendly to people who prefer the on-demand approach.
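The service changes described above can be scripted rather than clicked through in the Services console. The following is an added PowerShell example written for this post, not part of Secunia’s software: it assumes an elevated prompt and only the two display names the post gives (‘Secunia PSI Agent’, ‘Secunia Update Agent’) plus the `sua.exe` process name; the internal service names are looked up rather than assumed.

```powershell
# Added example, not part of Secunia's software: put PSI's two background services
# on a manual leash from an elevated PowerShell prompt.
$PsiDisplayNames = 'Secunia PSI Agent', 'Secunia Update Agent'   # display names from the post

function Get-PsiService {
    # Resolve the display names to live service objects, warning about any that are missing.
    foreach ($display in $PsiDisplayNames) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if ($svc) { $svc } else { Write-Warning "Service '$display' not found; is PSI installed?" }
    }
}

function Set-PsiOnDemand {
    # Switch both services from Automatic to Manual so they no longer start with Windows.
    # PSI still starts them itself when launched, so on-demand scans keep working.
    foreach ($svc in Get-PsiService) {
        Set-Service -Name $svc.Name -StartupType Manual
        Write-Host ("{0} ({1}) startup type is now Manual" -f $svc.DisplayName, $svc.Name)
    }
}

function Stop-PsiLeftovers {
    # Run after closing PSI: it stops the PSI Agent itself but leaves the Update Agent
    # (sua.exe) behind, so stop any Secunia service still running and the process if present.
    foreach ($svc in Get-PsiService) {
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $svc.Name -Force
            Write-Host ("Stopped {0}" -f $svc.DisplayName)
        }
    }
    Get-Process -Name sua -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Get-PsiStatus {
    # Verify the result: start mode and state of every Secunia service, plus sua.exe if running.
    Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Secunia%'" |
        Select-Object DisplayName, Name, StartMode, State
    Get-Process -Name sua -ErrorAction SilentlyContinue | Select-Object Name, Id, StartTime
}

# One-time setup, then a check; call Stop-PsiLeftovers each time you close PSI.
Set-PsiOnDemand
Get-PsiStatus
```

`Get-PsiStatus` is the useful part afterwards: if `StartMode` still reads `Auto` for either service, or `sua.exe` shows up long after PSI was closed, the on-demand configuration did not stick.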

Additional information on setting up and using Secunia’s PSI can be found on this site’s ‘Scan for vulnerable software’ page.

What the heck is boot13?

Why boot13?  It’s the first program I ever ran on a microcomputer.  The computer was an Apple II+, and the full command was BRUNBOOT13:


I was trying to run a game for the first time: The Dragon’s Eye.  It wouldn’t boot from the 5 ¼” floppy disk I had.  So I called Wally, the guy who provided the computer.

Wally realized that the game disk used a slightly older format, with 13 sectors per track, instead of the newer 16 sector format.  The solution was to boot from the Apple II+ System Disk, then enter the command above from the command line.

On the Apple II+, parsing of command lines was a bit strange, in that commands built into the operating system were reliably parsed even when not separated from their arguments.  In this case, the built-in command was BRUN, which loads a binary program from disk and runs it.  The program was BOOT13, which, when run, allowed booting from 13 sector disks.

It worked.  The Dragon’s Eye turned out to be one of my favourite games, and I ended up figuring out how to modify it, first removing the copy protection, converting it to a 16 sector disk format, then changing the game’s Applesoft BASIC code.  I added a few features, most notably a system for recording and displaying high scores.

I still have a heavily-customized, home-built Apple II+ and that hacked version of the game, but these days when I want to play it, I use an Apple II+ emulator like AppleWin.

So: first program run, first command entered, so that I could run the first game on my first microcomputer. BOOT13.