Everyday is Cybersecurity Awareness Day


JayceSlayn
* * *
Posts: 681
Joined: Wed Mar 05, 2008 3:07 pm
Location: North Carolina

Re: Everyday is Cybersecurity Awareness Day

Post by JayceSlayn » Wed Sep 18, 2019 8:08 am

I'd like to make a few comments on browser extensions, and maybe a plug for one or a few relating to cybersecurity.

Most modern browsers already include a baseline of decent security against common kinds of attacks or security risks by default. You obviously still have to do your part to not visit unknown links/sites, double-check the URL and site every time you are asked to enter credentials, etc.

There are many browser extensions that claim to help with privacy, ads, or security, but I try to be very cautious about the ones which I install. Reducing your attack surface by having fewer extensions, and only ones from sources you can reasonably trust, are good steps. Also, monitor the news or vendor websites for updates to your browser and any extensions you have - if you learn of any vulnerabilities disclosed, stop using them immediately until they are patched, and double-check your versions are current.

Some extensions that I use and therefore advocate:
  • LastPass: Yes, it recently had a vulnerability disclosed where it could leak (ironically) the "last password" it filled in, but that has been patched in the latest version already. Compare this to the advantage of having unique passwords for every site, which allows you to compartmentalize any potential leaks from either your own browser or third-parties, and that is still a benefit in my mind. Turn on two-factor authentication for your LastPass account (and every other account that allows you that option)!
  • HTTPS Everywhere: This extension with its "Encrypt All Sites Eligible" mode helps to ensure that you are only ever requesting to use a secured connection wherever you go, and blocks you from using unencrypted connections. Some sites (or short links) still don't have HTTPS versions for whatever reason (no good reasons I can think of, it's easy to implement), and even if they are just a blog or news or something, I just don't visit them anymore.
  • NoScript: This extension blocks the execution of JavaScript from any domains which you don't explicitly set to Trusted, or Temporarily Trusted. It is very useful, but it will also initially break most sites you visit. You may need at least a broad idea of how JavaScript is used on websites to effectively decide how to use this extension.
  • Privacy Badger: Published by the EFF, which is the leading non-profit advocate for online privacy, this extension attempts to block trackers which do not conform to their ideals of user consent, while also trying to avoid breaking trackers which are less invasive.
Rahul Telang wrote:If you don’t have a plan in place, you will find different ways to screw it up
Colin Wilson wrote:There’s no point in kicking a dead horse. If the horse is up and ready and you give it a slap on the bum, it will take off. But if it’s dead, even if you slap it, it’s not going anywhere.

MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Wed Sep 18, 2019 4:18 pm

JayceSlayn wrote:
Wed Sep 18, 2019 8:08 am
I'd like to make a few comments on browser extensions, and maybe a plug for one or a few relating to cybersecurity.

Most modern browsers already include a baseline of decent security against common kinds of attacks or security risks by default. You obviously still have to do your part to not visit unknown links/sites, double-check the URL and site every time you are asked to enter credentials, etc.

There are many browser extensions that claim to help with privacy, ads, or security, but I try to be very cautious about the ones which I install. Reducing your attack surface by having fewer extensions, and only ones from sources you can reasonably trust, are good steps. Also, monitor the news or vendor websites for updates to your browser and any extensions you have - if you learn of any vulnerabilities disclosed, stop using them immediately until they are patched, and double-check your versions are current.

Some extensions that I use and therefore advocate:
  • LastPass: Yes, it recently had a vulnerability disclosed where it could leak (ironically) the "last password" it filled in, but that has been patched in the latest version already. Compare this to the advantage of having unique passwords for every site, which allows you to compartmentalize any potential leaks from either your own browser or third-parties, and that is still a benefit in my mind. Turn on two-factor authentication for your LastPass account (and every other account that allows you that option)!
  • HTTPS Everywhere: This extension with its "Encrypt All Sites Eligible" mode helps to ensure that you are only ever requesting to use a secured connection wherever you go, and blocks you from using unencrypted connections. Some sites (or short links) still don't have HTTPS versions for whatever reason (no good reasons I can think of, it's easy to implement), and even if they are just a blog or news or something, I just don't visit them anymore.
  • NoScript: This extension blocks the execution of JavaScript from any domains which you don't explicitly set to Trusted, or Temporarily Trusted. It is very useful, but it will also initially break most sites you visit. You may need at least a broad idea of how JavaScript is used on websites to effectively decide how to use this extension.
  • Privacy Badger: Published by the EFF, which is the leading non-profit advocate for online privacy, this extension attempts to block trackers which do not conform to their ideals of user consent, while also trying to avoid breaking trackers which are less invasive.
I don't have any experience w/LastPass, although I did hear about the vulnerability. Nothing & no one is immune.

I use HTTPS Everywhere & I have used Privacy Badger. They're easy to use. You will need to do your homework w/NoScript. I've had better luck w/uBlock Origin.

And yes, keep extensions to a minimum. If you do the Mozilla, learn your about:config. :)

JayceSlayn
* * *
Posts: 681
Joined: Wed Mar 05, 2008 3:07 pm
Location: North Carolina

Re: Everyday is Cybersecurity Awareness Day

Post by JayceSlayn » Wed Dec 18, 2019 8:45 am

Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
Rahul Telang wrote:If you don’t have a plan in place, you will find different ways to screw it up
Colin Wilson wrote:There’s no point in kicking a dead horse. If the horse is up and ready and you give it a slap on the bum, it will take off. But if it’s dead, even if you slap it, it’s not going anywhere.
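
An added example (not part of the original post, and not Ring's code) of the account-protection controls the list in the post above says are missing: lockout and owner notification after repeated failed logins, notification on a login from a previously unseen IP, and a breached-password check. The thresholds, the `LoginGuard` class, the function names and the sample events are all constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed: failures tolerated inside the window
WINDOW_SECONDS = 300   # assumed: sliding window for counting failures
LOCKOUT_SECONDS = 900  # assumed: how long a locked account stays locked

# Constructed stand-in for a breach corpus (SHA-1 digests of leaked passwords).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "letmein")}


def is_breached(password):
    """True if the password's SHA-1 digest is in the breach set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


class LoginGuard:
    """Per-account failure tracking, lockout and new-IP notification."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> unlock timestamp
        self.known_ips = defaultdict(set)   # account -> IPs of past successes

    def record(self, ts, account, ip, success):
        """Process one attempt and return the actions it triggers."""
        if self.locked_until.get(account, 0) > ts:
            return ["rejected_locked"]      # even a correct password is refused
        if not success:
            recent = self.failures[account]
            recent.append(ts)
            while recent[0] <= ts - WINDOW_SECONDS:
                recent.popleft()            # drop failures outside the window
            if len(recent) >= MAX_FAILURES:
                self.locked_until[account] = ts + LOCKOUT_SECONDS
                recent.clear()
                return ["lock_account", "notify_owner"]
            return ["failed"]
        self.failures[account].clear()
        seen = self.known_ips[account]
        actions = ["notify_new_ip"] if seen and ip not in seen else ["ok"]
        seen.add(ip)
        return actions


# Constructed events: (seconds, account, source IP, password was correct).
SAMPLE_EVENTS = (
    [(0, "alice", "192.0.2.10", True)]
    + [(60 + i, "alice", "203.0.113.7", False) for i in range(5)]
    + [(100, "alice", "203.0.113.7", True),
       (1000, "alice", "198.51.100.4", True),
       (1100, "alice", "192.0.2.10", True)]
)


def replay(events):
    """Run events through a fresh guard and collect the actions per event."""
    guard = LoginGuard()
    return [guard.record(*event) for event in events]
```

In the sample replay, the correct password presented at t=100 from the guessing IP is still refused because the account is locked, and the later login from a new address triggers a notification instead of passing silently.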

MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Wed Dec 18, 2019 10:01 am

JayceSlayn wrote:
Wed Dec 18, 2019 8:45 am
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
:shock: but not :o

boskone
* * * * *
Posts: 1288
Joined: Wed Oct 17, 2012 4:07 pm
Location: Aggieland-ish

Re: Everyday is Cybersecurity Awareness Day

Post by boskone » Wed Dec 18, 2019 2:00 pm

JayceSlayn wrote:
Wed Dec 18, 2019 8:45 am
Listening to the news, you may have heard about the recent rash of Ring home cameras being hacked. I don't own a Ring camera (I generally despise "Home Automation"/IoT devices that I see as superfluous), but when I read a Motherboard article (We Tested Ring’s Security. It’s Awful) describing their (lack of) security features, I was astounded how poor it was. I have little wonder how so many have been getting hacked lately.

Some highlights of the current era of Ring devices and web portal security:
  • Two-factor authentication option, but not required.
  • Users/hackers attempting to access the account/device are NOT validated against number of users logged in, previously-known IP addresses or geographical locations, or additional tests to distinguish humans from automated tools (CAPTCHA, headers).
  • System does not lock down (or even notify) accounts for too many failed logins, and login history is not readily provided to end-users.
  • Username/password combination for the account is not checked against known security breaches (this is not a widespread practice, but some services are beginning to do this - good idea).
Let's hope these get fixed in a hurry, especially now that efficient tools for accessing Ring cameras are being deployed by hacker groups. And we are reminded that this device is marketed as a "home security" device, which instead has the potential to allow anyone (or everyone) in the world to see not only a live stream of video from your house, but archived video as well, and talk to you through the included speaker. So great.

What have we learned here? That security of your devices (especially those which are designed for the mass consumer market) is still largely up to you. You should assume that they are NOT secure by default, unless you have taken some additional steps to research how to secure it yourself.
Don't forget that Amazon/Ring actively but silently disclose footage to official organizations on request. Not when presented with a warrant, just when asked. There's even a portal for the police to use that automatically discloses the Ring cameras in an area. Oh, and they're partnering with police to recommend Ring cameras and supplying sales materials.

My parents were looking at Ring, and fortunately it won't work with their shitty rural internet. I bought a standalone camera system with recording for them instead; it doesn't have the doorbell speaker thing, but if they decide they want that I suspect I can manage something. :p

Cloud services are convenient, but they're also a security nightmare.

NT2C
ZS Forum Administrator
Posts: 8670
Joined: Wed Oct 19, 2011 2:37 pm
Location: Outside of your jurisdiction officer

Re: Everyday is Cybersecurity Awareness Day

Post by NT2C » Sat Apr 04, 2020 3:08 am

Image
Nonsolis Radios Sediouis Fulmina Mitto. - USN Gunner's Mate motto

Sic quemadmodum gladius neminem occidit; occidentis telum est - Seneca the Younger, Epistles

Cake? Pie? Nay! Cherpumple FTW! Where is your God now, bitches?

zombiegirl23
Posts: 3
Joined: Thu Apr 09, 2020 2:12 pm

Re: Everyday is Cybersecurity Awareness Day

Post by zombiegirl23 » Thu Apr 09, 2020 2:19 pm

Remember most privacy flaws come down to the user. I've seen people with the dumbest passwords. Please use strong passwords people. Don't make it easy on cybercriminals.


MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Fri Jul 10, 2020 1:37 pm

I *HATE* these things :evil:

woodsghost
* * * * *
Posts: 3574
Joined: Thu May 16, 2013 3:45 pm

Re: Everyday is Cybersecurity Awareness Day

Post by woodsghost » Fri Jul 10, 2020 1:39 pm

MPMalloy wrote:
Fri Jul 10, 2020 1:37 pm
I *HATE* these things :evil:
Right with you. I hate hackers. I'm not overly fond of street thugs either, but I really hate hackers.
*Remember: I'm just a guy on the internet :)
*Don't go to stupid places with stupid people & do stupid things.
*Be courteous. Look normal. Be in bed by 10 o'clock.

“It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” -Bilbo Baggins.

Stercutus
* * * * *
Posts: 14286
Joined: Wed Feb 10, 2010 8:16 pm
Location: Safe On Base

Re: Everyday is Cybersecurity Awareness Day

Post by Stercutus » Fri Jul 10, 2020 3:41 pm

Lately they have been going after our city phone lines. Since for them it is a full time job I guess they may eventually get in.

We are now talking about actually murdering people through hacking. If you interfere with fire, EMS or police assistance during an emergency that results in their death that is essentially murder. I am sure some psychotic loser is sitting in a closet somewhere all excited over the thought of possibly killing people on line.

Since it crosses state lines it will be interesting to see the involvement of the Federal Government. I still don't understand why we don't have a large agency dedicated to counter-hacking.
You go 'round and around it
You go over and under
I go through

MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Fri Jul 10, 2020 10:53 pm

I'm not sure what happened, but I got all worked up before I remembered that I have a good BU program and all I need to do is click on yesterday's incremental. :crazy:

MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Mon Jul 13, 2020 6:00 am


MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Sat Jul 25, 2020 12:05 am

Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?

boskone
* * * * *
Posts: 1288
Joined: Wed Oct 17, 2012 4:07 pm
Location: Aggieland-ish

Re: Everyday is Cybersecurity Awareness Day

Post by boskone » Sat Jul 25, 2020 12:46 pm

MPMalloy wrote:
Sat Jul 25, 2020 12:05 am
Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?
I couldn't find anything either, so consider this a semi-educated WAG: It won't affect navigation for maps already stored on the device, but you won't be able to acquire new maps or data.

MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Sat Jul 25, 2020 6:56 pm

boskone wrote:
Sat Jul 25, 2020 12:46 pm
MPMalloy wrote:
Sat Jul 25, 2020 12:05 am
Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?
I couldn't find anything either, so consider this a semi-educated WAG: It won't affect navigation for maps already stored on the device, but you won't be able to acquire new maps or data.
Thanks bos. I'll keep looking. If I find something reasonable, I'll post.

How's life?

boskone
* * * * *
Posts: 1288
Joined: Wed Oct 17, 2012 4:07 pm
Location: Aggieland-ish

Re: Everyday is Cybersecurity Awareness Day

Post by boskone » Sat Jul 25, 2020 7:05 pm

MPMalloy wrote:
Sat Jul 25, 2020 6:56 pm
boskone wrote:
Sat Jul 25, 2020 12:46 pm
MPMalloy wrote:
Sat Jul 25, 2020 12:05 am
Did the Garmin hack affect the receivers' ability to nav? I'm not finding a clear Y/N so far :?
I couldn't find anything either, so consider this a semi-educated WAG: It won't affect navigation for maps already stored on the device, but you won't be able to acquire new maps or data.
Thanks bos. I'll keep looking. If I find something reasonable, I'll post.

How's life?
I'm full and still breathing, so not bad.

tony d tiger
* *
Posts: 167
Joined: Sun Nov 13, 2011 12:49 pm

Re: Everyday is Cybersecurity Awareness Day

Post by tony d tiger » Sat Jul 25, 2020 11:34 pm

The Garmin hack did have an impact on civilian flight plans. Apparently there's an APP for that, too. Google Garmin Server Maintenance and check out the story on ZDNet
Tony D

tony d tiger
* *
Posts: 167
Joined: Sun Nov 13, 2011 12:49 pm

Re: Everyday is Cybersecurity Awareness Day

Post by tony d tiger » Tue Jul 28, 2020 10:48 pm

Garmin servers are back up and running... :oh:
Tony D

MPMalloy
ZS Member
Posts: 5881
Joined: Mon Aug 22, 2005 2:48 am

Re: Everyday is Cybersecurity Awareness Day

Post by MPMalloy » Wed Jul 29, 2020 6:40 am

tony d tiger wrote:
Tue Jul 28, 2020 10:48 pm
Garmin servers are back up and running... :oh:
Did they pay the ransom?

boskone
* * * * *
Posts: 1288
Joined: Wed Oct 17, 2012 4:07 pm
Location: Aggieland-ish

Re: Everyday is Cybersecurity Awareness Day

Post by boskone » Wed Jul 29, 2020 6:40 pm

MPMalloy wrote:
Wed Jul 29, 2020 6:40 am
tony d tiger wrote:
Tue Jul 28, 2020 10:48 pm
Garmin servers are back up and running... :oh:
Did they pay the ransom?
I have not yet seen a confirmation either way.

Lots of speculation with phrases like "may have paid", but without anything vaguely resembling a support other than the services coming back on-line.

If they had a robust backup regime, they might have been restoring systems. If so, I gotta offer props to Garmin's IT department.

tony d tiger
* *
Posts: 167
Joined: Sun Nov 13, 2011 12:49 pm

Re: Everyday is Cybersecurity Awareness Day

Post by tony d tiger » Sat Aug 01, 2020 8:52 am

MPMalloy wrote:
Wed Jul 29, 2020 6:40 am
tony d tiger wrote:
Tue Jul 28, 2020 10:48 pm
Garmin servers are back up and running... :oh:
Did they pay the ransom?
Who knows? My Garmin connect app still shows server maintenance being performed but at least the functionality is back online.
Tony D
