Category Archives: Internet

Microsoft news: all bad today

The hits just keep on coming for Microsoft. I suppose it’s inevitable that a company as large as Microsoft will make mistakes, but when their products reach into our lives as thoroughly as Microsoft’s, those mistakes can lead to major disasters.

Global Windows 10 search failures

A huge proportion of Windows 10 users worldwide lost the ability to search their own computers recently. According to Microsoft, the problem stemmed from a glitch on a Microsoft server. Exactly why local search should be affected by some mysterious remote Microsoft server is yet to be explained.

In reality, search in Windows has been variously broken since Vista. I discovered a particularly horrible search bug in that garbage dump of an O/S soon after it was released, and was eventually able to convince Microsoft that it was a real problem; a fix soon followed. But even that didn’t fix all of Windows search’s problems; getting it to find all your files in all their locations was — and continues to be — a never-ending, and ultimately ineffective, exercise.

That’s why most people who need a search function that’s actually useful have long since switched to third party software, such as the excellent, fast, accurate, and free Fileseek. There’s also the blazingly fast (and also free) Everything. Both of these work perfectly out of the box, requiring no special setup to be useful, unlike Windows’ built-in search.

Still, many people assume that the Windows search feature is adequate, and never switch to anything else. Those people discovered the recent problem the hard way, when the already basically worthless search stopped working completely. Those people are understandably angry.

Implicit trust of driver software is a gaping security hole in Windows

Malicious folks have discovered yet another way to fool Windows into executing code that it shouldn’t. The new technique takes advantage of the fact that Windows implicitly trusts drivers. A driver is a small piece of software that connects Windows with hardware, allowing that hardware to be used by the O/S.

In this case, a specific driver that contains a serious security vulnerability — but is neverthless trusted by Windows — was used by hackers to deploy ransomware to affected systems.

There’s no word from Microsoft on how they intend to deal with this glaring hole in Windows security.

A treasure trove of illicit data awaits the buyer of corp.com, thanks to Microsoft

Decisions made by Microsoft years ago are poised to create massive problems for many business and educational customers worldwide. When the person who owns the generic corp.com domain sells it, the new owner will be able to gather credentials and other supposedly private data from Windows computers that assume they are communicating with internal systems.

The problem stems from an ill-considered decision to use corp.com as a default setting and in documentation provided by Microsoft. Server administrators who didn’t change that default are now faced with a huge task that involves bringing down entire networks and possibly creating new problems.

Microsoft has known about this problem for years, and their advice to customers is basically “you shouldn’t have used the defaults”. Thanks for nothing, Microsoft.

A strong case for encrypting all web sites – even simple ones

Troy Hunt has put together a video that demonstrates various ways that traffic coming from an unencrypted web site can be dicked around with, for various nefarious purposes, using a technique called a Man In The Middle (MITM) attack.

You can usually tell if a web site is encrypted by looking at your web browser’s address bar. For example, URLs for this web site (boot13.com) should appear in the address bar with a lock, followed by https:// rather than the unencrypted http://. If you try to access any part of this site using http://, you’ll be redirected to the equivalent https:// address.

Although the video does get a bit technical, it’s worth watching all 24+ minutes. You should understand enough of it to see the danger.

Perhaps the most interesting of Troy’s observations is that encrypting a web site doesn’t really provide any direct benefit to the site’s owner. This is not about protecting your web site; it’s about protecting its visitors. In other words, encrypting your web site is an act of altruism.

After watching Troy’s video, I immediately started an evaluation of all my own web sites, as well as those of clients, to make sure that all traffic coming from them is encrypted. Most are already using HTTPS, but some don’t force the use of HTTPS.

Troy Hunt’s video

If you run a web site, you should realize by now that there’s no good reason to avoid turning on encryption. It’s also easier than ever, and — thanks to Let’s Encrypt — no longer has to cost anything. The HTTPS Is Easy video series is a good starting point if you’re not sure how to proceed.

Update 2018Aug08: Sadly, people in remote and underserved locations are having a lot of trouble accessing sites via HTTPS. While that certainly sucks for them, I’m confident that solutions to the specific technical issues involved will be found.

Nasty Cloudflare bug leaked sensitive information for months

Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.

For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.

The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.

My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.

The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.

What should you do?

If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.) You should probably recommend to your members/subscribers that they change their passwords.

If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.

The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.

References

Continue reading this post

Anonymity isn’t the problem

There are good reasons to be anonymous online. And yet most people assume that anonymity is just a license to be a jerk. The fact is that some people will be jerks online whether they’re anonymous or not.

Sadly, some less-well-informed people have decided that anonymity is somehow the root of all evil on the net, and think that forcing people to use their real names online will magically make everyone nice. This kind of thinking has even pervaded some very high profile companies, including Google and Facebook, both of which have pushed hard to make people use their real names.

Anonymity is a frequent topic of discussion over at Techdirt, where the comments section is open to the public and allows anonymity. Because the Techdirt staff actually engage with commenters (jerks and otherwise), the debate rarely gets out of hand, and some of the most interesting comments are posted by anonymous users.

Google gets tougher on scammy web sites

If you use Google search (and really, who doesn’t?), you’ve probably noticed the big warnings that appear when you try to click on some search results. That’s Google Safe Browsing (GSB), protecting you from a malicious web site.

GSB flags sites that fail to comply with Google’s Malware, Unwanted Software, Phishing, and Social Engineering Policies.

To get rid of the warning, the owner of a site flagged by GSB must remove objectionable content and resubmit the site for verification in Google Search Console. Until recently, this process could be repeated indefinitely.

To counter repeat offenders, Google has changed the way GSB works. If a web site repeatedly fails to comply with Google’s Safe Browsing policies, it will be flagged as such, and the warning users see will appear for at least 30 days.

In the announcement for this change, Google points out that the new repeat offender policy will not apply to sites that have been hacked (i.e. changed without the owner’s permission).

Stay away from Certificate Authority WoSign/StartCom

A litany of abuse and incompetence has prompted Mozilla to completely distrust security certificates from Certificate Authority (CA) WoSign in Firefox.

Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.

WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.

Mozilla has been tracking WoSign’s failures since the beginning of 2015, recording their observations on their corporate wiki site.

The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.

On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.

Update 2016Nov01: Google is following Mozilla’s lead and removing trust for WoSign and StartCom certificates in Chrome, starting with Chrome 56.

Let’s Encrypt’s finances

I’m a big fan of Let’s Encrypt, an organization committed to encrypting all web traffic by proving free security certificates.

I’m also a big fan of transparency, so when LE published a summary of their financial information recently, my regard for their efforts clicked up another notch.

Highlights from LE’s financial information post:

  • Let’s Encrypt will require about $2.9M USD to operate in 2017.
  • The majority of LE’s funding comes from corporate sponsorships.
  • You can donate to Let’s Encrypt using PayPal.

For the record, this web site (boot13.com) and all my other secure sites now use Let’s Encrypt certificates.

Someone out there is testing the Internet’s breaking point

Security analyst Bruce Schneier reports on the recent increase in Distributed Denial of Service (DDoS) attacks against critical Internet infrastructure. He’s unable to go into details about exactly which companies and resources are involved, but the attacks are real. Someone is engaged in a series of DDoS probes that are clearly meant to test the Internet’s ability to cope with extreme stress.

Most DDoS attacks are perpetrated by angry hackers against web sites they don’t like, or simply to demonstrate their skills. Underground DDoS attack services are available for those not possessing the requisite skills. But the attacks Schneier is talking about stand out: they’re much more calculated and methodical than usual.

Assuming that Schneier is correct, and someone is gathering information about the Internet’s potential breaking point, one can only wonder what they have in mind. If the perpetrators are – as Schneier suggests – a state actor like China, the possibilities are the stuff of nightmares.

Cory Doctorow on the future of the privacy wars

Noted writer and technology analyst Cory Doctorow just posted a new article on the Locus Online web site: “The Privacy Wars Are About to Get A Whole Lot Worse.”

After providing some background on the current privacy situation, and how we got here, Doctorow speculates on what will happen when even the absurd notice-and-consent terms of use agreements that we see (and blindly agree to) every day are gone, leaving us surrounded with devices that invade our privacy without any pretense at consent, all in the name of commerce.

In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent, they’ll just compromise your privacy by default.

Meanwhile, Doctorow wonders whether and when this will come to a head with some kind of legal challenge. There have been attempts to challenge the validity of terms of use agreements that nobody ever reads, but so far the results are not promising.

I’d like to see Microsoft singled out for its current Windows strategy, which includes gathering and transmitting user information, ostensibly for the purpose of providing better support, but which can also be used to better target advertising, another feature of newer versions of Windows. To be sure, these features are currently protected behind terms of use agreements, but even those could disappear in a world dominated by smart devices.

Doctorow is worried about this, and so am I.

Connecting everything to the Internet is dangerous

By now, you’ve probably encountered the term “Internet of Things”, usually abbreviated as IoT. It refers to the rapidly increasing number of devices that are capable of connecting to the Internet. Cars, fridges, thermostats, lights… basically, anything that can be built to include a few microchips can be made to talk to the Internet. Usually wirelessly. Often silently, by default.

Which of course is a perfect scenario for a whole new category of security breaches, privacy concerns, and other, related issues.

Recommendations:

  • Where possible (and unless you have a good reason not to) avoid purchasing any non-computer device that’s Internet-capable.
  • If you must use such a device (and unless you have a good reason not to) disable any Internet-related features.
  • If you’re unable or unwilling to disable a device’s Internet features, at least configure it to maximize security.

Bruce Schneier’s recent analysis of the dangers of IoT is excellent, and definitely worth reading.