Category Archives: Security

aka infosec

Chrome 74.0.3729.108

According to the release announcement, Chrome 74.0.3729.108 fixes thirty-nine security vulnerabilities. The full change log lists almost fourteen thousand changes in all. Good luck absorbing all that information.

Chrome generally keeps itself up to date whether you want it to or not, which is arguably a good thing, given that a lot of malware makes its way onto computers via unpatched security holes in web browsers. You can check which version you’re currently running, and — if an update is available — trigger the update process by navigating Chrome’s ‘three dot’ menu to Help > About Google Chrome.

Java 8 Update 211

Oracle’s quarterly Critical Patch Update for Q2 2019 documents vulnerabilities and updates for its entire product line. As usual, it’s the updates to Java that are important to most users.

The Patch Update details five distinct security vulnerablities in Java 8 Update 202 and earlier versions. A new release, Java 8 Update 211, addresses these vulnerabilities. The new version includes numerous other changes, most of which are of little interest to anyone aside from developers.

Keeping Java up to date is less urgent than in the past, since most of the major web browsers stopped supporting it in recent years.

If you do use a web browser with Java enabled, which is still possible with Internet Explorer and older, unsupported versions of many other browsers, you should make sure to install the new version as soon as possible.

The simplest way to update Java is to head to the Windows Control Panel, look for the Java icon, and — if you see one — open it, then go to the Update tab and click the Update Now button. Follow the prompts to complete the process.

Patch Tuesday for March 2019

You know, it’s theoretically possible that we could get a Patch Tuesday with no updates to install. We’ve had months like that for Adobe products. Not for Microsoft, though, at least not in my memory.

Anyway… this month from Microsoft we have thirty-four updates, addressing seventy-five security vulnerabilities in Internet Explorer, Edge, Flash in Microsoft browsers, Office, and Windows. At least that’s what my analysis shows. The source of this information, Microsoft’s Security Update Guide, is a complex beast.

Reminder: these updates are only for versions that are still supported. Windows XP is no longer supported, and Windows 7 won’t be for much longer. Versions of Office older than 2010 are no longer supported, and Office 2010 support will end later in 2019.

It was a busy month for Adobe, with updates to Flash, Reader, and Shockwave.

Flash 32.0.0.171 includes fixes for two vulnerabilities in earlier versions.

Acrobat Reader DC, the variant of Adobe’s Acrobat/Reader product line you probably use, is up to version 2019.010.20099. The new version addresses twenty-one vulnerabilities in earlier versions.

Shockwave Player 12.3.5.205 addresses seven security bugs in earlier versions. You’re slightly less likely to have this software installed on your computer, but it’s worth checking if you’re not sure.

There are links to download the new versions on all the release announcement pages linked to above.

About those troubling emails you’ve been getting…

If you have an email address, and you’ve ever used it to register for online services and sites, there’s a good chance you’ve received email that threatens you in some way, and some of it is downright creepy.

This email may refer to your name. It may include a password you’ve used in the past, or even currently. The email may appear to have been sent from your own email address, and may claim to have taken over that email account.

A sextortion email I received recently.

The good news is that very little of what these emails claim is actually true. The bad news is that you still have a problem.

But why does this happen?

It all starts when someone gets careless, or someone else decides that the IT budget is too high.

Imagine that you’re the person responsible for information security at any company that… uses computers (so basically, any company on the planet). Now imagine that you’re bad at your job. Or disgruntled. Or your manager keeps cutting your budget. Inevitably, things start to slide. Security updates don’t get installed. Software that isn’t properly checked for security implications gets installed on company computers. Users don’t get security training. Bad decisions are made, such as not properly encrypting user passwords. And so, the company’s computers, and the data they contain, become vulnerable. Eventually, malicious people figure this out, and through various means — many of which are trivially simple to carry out — gain access to your data. And that data includes information about your customers. That information is then sold online, to other, even less scrupulous people. Brian Krebs documents many of these breaches; here’s one example.

You can find these lists online if you know where to look. Some are only accessible from the dark web. Some are published more brazenly, on easily-accessed public web sites, including Facebook.

Sometimes these lists contain passwords. In really awful cases, the passwords aren’t even encrypted. But usually they are encrypted, which makes them slightly less useful. Only slightly, because many people still use terrible passwords: common passwords, like 1234; passwords that are used by the same person in multiple places; and passwords that are easy to crack.

Any password can be cracked, by which I mean converted from its encrypted form to its original, unencrypted form. Short and simple passwords can be cracked in nanoseconds. Longer, more complex passwords take longer. At any given point in time, passwords that are long and complex enough simply can’t be cracked quickly enough to be worth the attempt. This is a moving target. As computers get faster, the point at which a password becomes worth cracking gets nearer.

You can find out just how terrible your password is using howsecureismypassword.net. Note: the site is safe to use: it uses a small Javascript program that runs only on your computer. Your password is never transmitted anywhere. And it’s not actually being cracked; the Javascript code just assesses the complexity of your password based on various formulae. It’s an estimate, but reasonably accurate. Go ahead, I’ll wait.

Useful lists

These shady lists of users, passwords, and email addresses can be used for lots of things, ranging from merely irritating to criminal. But there’s money to be made, as long as you don’t care about being a world-class asshole.

If you’re an asshole, and you’re looking for an easy way to make money and irritate people, just shell out a few bucks for one of these lists, and download a few scripts that turn that list into spam. Because computers are really good at things like this, you hardly have to do any actual work. Just feed a list into some crappy script, sit back, and watch the money pour in. If you had to do this with paper and snail mail, it clearly would not be worthwile.

A user’s story

Let’s look at this another way: from the perspective of Iam Notreal, an ordinary Internet user. Iam registered for an account at LinkedIn in 2011 using his real name and his NopeMail account, iam.notreal@nopemail.com. He also used the same password he uses everywhere else: banana1234.

In 2012, intruders gained access to LinkedIn servers and were able to download its user database. The database included usernames, email addresses, and poorly-encrypted passwords. Now Iam’s real name, real email address, and an encrypted form of his one and only password are on a list, and, beginning in 2016, that list is being sold on the dark web to anyone who has a few bucks to spare.

In 2016, Iam starts getting spam to his NopeMail account. Most of it is ordinary spam: poorly-worded appeals to click a link. Occasionally he receives spam that mentions his real name, which is alarming, but not particularly harmful. At some point, Bill tries to ‘unsubscribe’ from what he believes is a mailing list, by replying to one of these spam emails. Congratulations, Iam, you’ve just graduated to a new list, of confirmed, valid, active email addresses. This list will also be sold on the dark web, at a higher price than the original list.

Meanwhile, other dark forces are at work behind the scenes. Someone runs the original list through a widely-available password cracker. This software looks at each encrypted password and attempts to decrypt it based on a set of parameters, including lists of commonly-used passwords. Sadly, Iam’s password is rather short, and contains a common word, and it takes the software about a nanosecond to crack it. Now Iam is on an even more valuable list, which includes cracked passwords.

Fast forward to 2018, and now Iam is getting email that claims to have taken over his email account, or to have video from Iam’s own webcam showing him doing unmentionable things, and it also includes Iam’s one and only password, right there in plain text. Iam is panicked: if the sender knows his password, are the rest of the claims true? He doesn’t know it, but the sender’s claims are bullshit.

As scary as this sounds, it’s only the most common use of lists like these circa late 2018, early 2019. The same information could be used to take over Iam’s LinkedIn account (if he ignored warnings from LinkedIn to change his password, or if he changed it back to the same password), take over his NopeMail account (if he failed to change its password after the LinkedIn breach), or take over any other account that can be found on any other service he uses, once it’s discovered.

Questions

Why is that spam coming from my own email address or my own mail server?

Unfortunately, it remains trvially easy to spoof almost all information contained in an email message. Current anti-spam efforts like SPF, DKIM, and DMARC are focused on validation, and there’s nothing stopping anyone from spewing out email with mostly-forged headers. That includes the FROM header, which means scammers can make email look like it came from just about any address they want. Only close inspection of all the headers reveals the actual source.

Why does that spam contain my password?

If a scammer has access to a purloined user list that includes plaintext or cracked passwords, it’s a simple matter of customizing the content of their malicious spam so that the username and/or password vary, depending on the unlucky recipient.

What you should do

Stop using crappy passwords. If you’re not sure how crappy your password is, check it at howsecureismypassword.net. You can also install this extension in your Chrome browser; it will warn you if your password is too weak.

Stop re-using passwords. If site A is hacked, and your password for site A is the same as for site B, you’ll have to change your password on both sites.

Use a password manager. Yes, it’s annoying to have an extra step whenever you want to log in somewhere, but using a password manager means that you only ever have to remember one password. They can also generate passwords for you, saving you the trouble.

Check Have I been pwned to see how many breaches have included your email addresses and passwords.

Sign up at Spycloud to continuously monitor your email address for inclusion in breaches.

Making noise

Although there are ways to use purloined user lists besides spam, most of the damage we see is related to email.

Despite being really old technology, email has continually improved in terms of security. Newer technologies like SPF, DKIM, and DMARC make it much easier for email providers to determine which email is legitimate and which is not.

You can help by making sure any email domains you manage use SPF, DKIM, and DMARC. If your mail provider doesn’t use these technologies, lean on them to start. If they resist, find another provider. I have several clients who use the business mail service provided by telecom giant Telus here in Canada. Telus farms this work out to a provider in the USA called Megamailservers. The Megamailservers service does not currently support DKIM or DMARC, and there’s nothing on their web site (or that of Telus) about any plans to change that.

Password Management Software

So, everyone should use a password manager. But wait, didn’t I just read that all the most popular password managers can be bypassed very easily? Yup. Opinions vary as to whether the risk of such exploits is significant. From my perspective, the risk is this: yes, a malicious actor needs physical, remote, or programmatic access to your computer to use these exploits. But once they have access, they no longer have to waste time looking for interesting information. All they need to do is look for password manager data and sent it to themselves. That makes their job MUCH easier.

But using a password manager is still much safer than not using one.

References

Thunderbird 60.6.1

Mozilla released a new version of their email client Thunderbird recently: 60.6.1. The new version includes fixes for two security vulnerabilities.

The fixed vulnerabilities are unlikely to pose a threat to Thunderbird users. According to the related security advisory:

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

In other words, since Thunderbird does not allow scripts embedded in email to execute, users are generally much safer than if the same email is displayed in a web browser.

Firefox 66.0 and 66.0.1

The latest major release of Firefox is version 66, which was announced on March 19th. The new version includes some welcome improvements and twenty-one security fixes.

What’s new in Firefox 66?

  • Audio is now prevented from playing by default. You can override this behaviour with a global setting, or add specific web sites to an exclusion list.
  • When you have a lot of tabs open, Firefox now shows a down-arrow button at the end of the tab bar. Clicking this button shows a list of all open tabs, and provides a special search function, allowing you to search your open tabs.
  • Scroll Anchoring tries to keep your content in place even as advertising and other images try to push what you’re reading off the page.
  • Extensions get a slight speed boost.
  • It’s now a bit easier to configure keyboard shortcuts for extensions.
  • HTTPS certificate error pages are easier to understand.
  • Additional performance and stability improvements, especially during page loading.
  • AV1 video support was added to the 32-bit version of Firefox.

Firefox 66.0.1 addresses two security issues in earlier versions, and was released on March 22nd.

You can check which version you’re running by clicking Firefox’s ‘hamburger’ menu, and navigating to Help > About Firefox. If you’re not yet up to date, you should see an Update button that allows you to install the latest version.

Chrome 73.0.3683.75

The release announcement for Chrome 73.0.3683.75 links to a list of sixty security issues which are fixed in the new version.

Many of the vulnerabilities addressed in Chrome 73.0.3683.75 were discovered by external security researchers, once again demonstrating the value of Google’s open attitude towards bug submissions.

Although Chrome usually updates itself within a few days of a new release, you can expedite this process by checking for available updates. Do that by navigating Chrome’s three-dot menu (by default at the top right), to Help > About Google Chrome. This will trigger an update, if one is available.

Opera 58.0.3135.90

A security update in the Chrome engine prompted last week’s release of Opera 58.0.3135.90. Opera is built on Google’s Chrome engine (also known as Blink), so when there’s a security update in Chrome, it usually finds its way into Opera within days.

Aside: The Blink engine forms the core of many popular browsers. I use Chrome, Vivaldi, Opera, Firefox, Internet Explorer and Edge for different tasks, based on my experience with those browsers. Opera, Vivaldi, and of course Chrome are built on the Blink engine. Internet Explorer is being phased out. Edge will soon be built using Blink instead of Microsoft’s own engine. The Blink engine seems poised to take over completely, which has some people concerned.

To check Opera’s version, click its ‘O’ menu (usually at the top left), then select Update & Recovery, then click Check for Update.

Patch Tuesday for March, 2019

According to Microsoft’s Security Update Guide, March’s updates, twenty-eight in all, include fixes for at least sixty-five security vulnerabilities in .NET, Flash Player (in IE and Edge), Internet Explorer, Edge, Office, Visual Studio, and Windows.

Even if you have automatic updates enabled on Windows 7 and 8 computers, it’s a good idea to check for and install the new updates. If you’re running Windows 10, auto-updates can’t be disabled, but you can still check for updates, and get them sooner that way.

There are no updates for Flash or Reader from Adobe so far in March.

Chrome 72.0.3626.121

The latest Chrome browser release is version 72.0.3626.121, and it fixes a security vulnerability for which exploits have been observed ‘in the wild’. So this is an important update.

When I try to look at the full change log using the link provided by Google, I get a blank page. Not sure what’s going on there.

If you use Chrome, it’s almost certainly updating itself on Google’s somewhat mysterious schedule. But you can check your version and initiate an update by navigating its ‘three dot’ menu to Help > About Google Chrome.