Steve's and my trip to New York City and how we connected with several NosillaCastaways. On our trip we used the free Hopstop app to navigate the subways. I explain how Slau created music in front of our very eyes in his recording studio, and refer back to how he created Podsafe for Peace so many years ago. Steve reviews Tile which he hopes will help him find his stuff when he loses it. Learn more at www.thetileapp.com. In Chit Chat Across the Pond, Bart helps me answer a “Dumb Question” about using hotel computers (I got it wrong originally), Bart explains a huge boo boo he made last time we spoke, and he explains why Masque is a non-event. In Taming the Terminal part 24 of n, we cover more about how Ethernet works, why we care about ARP, and the difference between a hub, a switch and a router. We FORGOT to announce that the long-awaited version of xkpasswd.net is finally live. Send feedback to https://www.bartbusschots.ie/s/about/.
This week I started having a bit of trouble with TextExpander since I upgraded to the latest version of Yosemite. Not a huge deal but for some reason the “Edit last expanded snippet” window doesn’t stay on screen for me. I created a short video demonstrating what was going on and as always I got a very quick response from the folks over at Smile. Jonathan and I haven’t found the root cause yet (it doesn’t appear to be a widespread problem). He suggested that there might be a problem with the TextExpander Helper app and how it’s interacting with the Privacy/Accessibility pane.
Imagine my delight when he sent me a link to instructions on how to add the TextExpander helper to the Accessibility pane, and the instructions were over at clarify-it.com! Of course I was delighted because this gave me fodder for an ad for Clarify, but it also meant that I’d have easy-to-follow instructions with screenshots, sequenced steps, and arrows on the graphics to help me follow along. I KNEW I’d have no problem following their instructions.
If you answer people’s tech questions all day long and get tired of answering the same questions over and over, you owe it to yourself to buy a copy of Clarify from clarify-it.com and make yourself (and your customers) happy.
Chit Chat Across the Pond – Time 25:58
Dumb Question Corner from Kathy
“I don’t understand how either one will work if you are not on a device that you own. If I am traveling and use a hotel computer, how do I log into my sites if I don’t remember the password generated by these programs?”
It’s simply not possible to do anything securely on an untrusted computer. The last thing you want to do is open your encrypted password vault on an un-trusted computer. The moment you decrypt it, any malware on that machine can slurp up all your usernames and passwords. The problem is that the OS is king, and nothing you put on top of the OS can protect you from the OS, so NOTHING can make it safe to open your password vault on an un-trusted computer. My advice is do as little as possible on an un-trusted computer. If you do have to log in to something, don’t open your password vault on the computer, open it on a portable device of your own, like your smartphone, and then type it in manually. This is why I wrote XKPasswd – I needed passwords that were long, truly random, and yet typable.
One of the reasons I love 1P is that their security people ‘get it’ – the blog post Allison found on their blog explaining that they don’t do 2FA because it would be “security theatre” is very reassuring to me: https://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/
Allison and I chatted about this question during the week, and the bigger point it led me to was that it’s important to understand the scope of every security protection. 2FA, VPNs, SSL/TLS, all these things are great security tools, but all of them have a limited scope, and none of them protect you from everything.
Think of it like this – a seatbelt is a great tool for protecting yourself from injury in a car crash, but it is useless at protecting you from drowning. A home security alarm is a useful tool for protecting your home, but it won’t save your bicycle from being stolen from outside your place of work. In the real world we understand these limitations, but in the digital world we very often don’t, so we end up doing the digital equivalent of expecting a seatbelt to protect us from heart disease.
VPNs and SSL/TLS protect data in transit from being read or altered by a ‘man in the middle’ (MITM) – they provide ZERO protection on the client computer, OR on the server. Malware on your computer can read everything you type into a web form sent over SSL/TLS or through a VPN because the data is not protected until it leaves the computer, they simply read it BEFORE the encryption happens. Similarly, malware on the server at the other end of the encrypted conversation can also read the data because they can read it AFTER it has been decrypted. So – VPNs and SSL/TLS provide very good protection from network sniffing, but that is ALL they do. Don’t rely on them to protect you from anything else, because they can’t!
2FA only provides protection from sniffed credentials being re-used. An attacker trying to break into your LastPass or 1Password vault is not actually interested in your master password, their interest is in the data it protects. 2FA protects the master password, but NOT the vault. If you can read your passwords, any malware on your computer can read your passwords. So, if you use 2FA to unlock a vault so you can read it, it will protect the master password from future re-use, but will do NOTHING to protect the contents of the vault. This is why it’s GOOD that 1P don’t offer 2FA – offering it would be worse than meaningless, it would be harmful, because it would give users a false sense of security, and lead them into danger!
RELATED – Naked Security published a great blog post explaining 2FA – https://nakedsecurity.sophos.com/2014/11/14/understanding-the-options-2fa/
Correction from Last Time and Updated on Supercookie use:
Rather embarrassingly – the HTTP header tester I linked to last time was useless, because my web server was too secure! I explained that super cookies can’t be injected into HTTPS traffic, and then put my script on my own web server, WHICH ALWAYS USES HTTPS! D’oh!
I’ve moved the script to another web server that doesn’t use HTTPS so it will now give you an accurate reading on whether or not your ISP is injecting super cookies. The direct link is: http://so-4pt.net/cgi-bin/util/httpheaders.cgi, and I’ve updated the short-cut link from last week to now redirect here, so you can get to the correct tester via http://bartb.ie/headers. Also – if you’re curious about how to write a simple script like this – I published the code on my GitHub page: https://github.com/bbusschots/httpheaders.cgi/blob/master/httpheaders.cgi
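For anyone curious about the mechanics, here is an added example (not Bart's httpheaders.cgi, nor any code from the show) of the logic such a tester needs, written in Python as a CGI-style script: it echoes every request header the server received, flags known tracking-ID headers, and warns when it has been loaded over HTTPS, where the reading is meaningless. The header names it flags (X-UIDH, X-ACR) are an assumption based on the reporting at the time, and the sample request is constructed.

```python
import os
# Header names reported in late 2014 as ISP-injected tracking IDs ("super cookies").
# Assumed for this example: X-UIDH was Verizon's, X-ACR was AT&T's.
KNOWN_SUPERCOOKIE_HEADERS = {"x-uidh", "x-acr"}
# Headers a browser sends on its own; anything outside this set deserves a look.
USUAL_BROWSER_HEADERS = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
                         "connection", "referer", "cookie", "cache-control", "dnt"}


def cgi_headers(environ):
    """Recover the request headers a CGI script sees as HTTP_* variables."""
    return {key[5:].replace("_", "-").title(): value
            for key, value in environ.items() if key.startswith("HTTP_")}


def inspect_headers(environ):
    """Echo all headers, flag known tracking headers, and note if the test is void."""
    headers = cgi_headers(environ)
    flagged = [n for n in headers if n.lower() in KNOWN_SUPERCOOKIE_HEADERS]
    unusual = [n for n in headers
               if n.lower() not in USUAL_BROWSER_HEADERS and n not in flagged]
    # An ISP cannot inject into TLS-protected traffic, so a tester served over
    # HTTPS always looks clean: exactly the mistake described above.
    over_https = environ.get("HTTPS", "").lower() in ("on", "1")
    return {"headers": headers, "flagged": flagged,
            "unusual": unusual, "over_https": over_https}


def render_report(result):
    """Plain-text body for the CGI response."""
    lines = []
    if result["over_https"]:
        lines.append("WARNING: served over HTTPS, so nothing could have been injected; "
                     "load this tester over plain HTTP instead.")
    lines.append("Request headers as received by the server:")
    lines.extend(f"  {name}: {value}" for name, value in result["headers"].items())
    lines.append("Known tracking headers: " + (", ".join(result["flagged"]) or "none"))
    lines.append("Other non-browser headers: " + (", ".join(result["unusual"]) or "none"))
    return "\n".join(lines)


# Constructed sample request: a plain-HTTP visit carrying an injected X-UIDH header.
SAMPLE_ENV = {
    "HTTP_HOST": "example.test", "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "HTTP_ACCEPT": "*/*", "HTTP_ACCEPT_ENCODING": "gzip",
    "HTTP_X_UIDH": "constructed-opaque-tracking-id", "HTTP_X_FORWARDED_FOR": "198.51.100.7",
}
if __name__ == "__main__":  # as a real CGI script the headers come from the environment
    print("Content-Type: text/plain\n")
    print(render_report(inspect_headers(dict(os.environ))))
```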
- AT&T stop using tracking cookies – at least for now, and promise that if they do use them again, they’ll let users opt out, and not insert the tracking ID into traffic from opted out users – http://www.propublica.org/article/att-stops-using-undeletable-phone-tracking-ids
- Disconnect have released a new version of their privacy protection service that protects from super cookies – http://arstechnica.com/security/2014/11/disconnects-new-app-pulls-the-plug-on-supercookies-other-tracking/
Why Masque Is a Non-Event:
It seems like only last time that we were talking about how a supposed iOS security problem (WireLurker) was nothing of the sort, and that in order to be infected users had to accept a provisioning profile from an un-known developer. Well, it’s happened again, this time with a new name, and yet again the media has managed to describe a security system working properly as “a vulnerability”.
Unlike Windows or Linux, iOS will not run code that is not digitally signed. Even if you get code onto a device, it can’t run unless its signature is valid, either because it came from the App Store, or because you, the user, accepted a developer’s provisioning profile. The same is true with Masque. This is nothing more than a social engineering attack where users are tricked into installing a malicious app, but, unlike trojans on Windows, just installing the app is not enough to get you infected, you have to agree to accept the digital signature too! This means iOS is MORE secure than your average OS, and yet, somehow, this extra protection is being reported as a vulnerability. The mind boggles!
Apple were quick to point this out – http://www.macobserver.com/tmo/article/apple-says-masque-attack-security-flaw-is-a-non-issue
What the media SHOULD be telling people is not to accept un-expected provisioning profiles. They should not be lying to users that there is something broken and that Apple have to fix it.
Intego explain the situation well on their Mac Security Blog – http://www.intego.com/mac-security-blog/masque-attack-ios-vulnerability-or-feature-by-design/
This is literally like saying that because users accept out of date SSL Certs, SSL is broken. No – SSL is working as designed when it tells you a site is not secure, the problem is with users dismissing the warnings!
Important Security Updates:
- Patch Tuesday has been and gone since the last Security Lite, and saw updates from Microsoft (Windows, Office, IE & .NET) and Adobe (Flash) – http://krebsonsecurity.com/2014/11/adobe-microsoft-issue-critical-security-fixes-3/
- RELATED – Apple have started blocking un-patched versions of Flash to protect Safari users from attack – http://www.macobserver.com/tmo/article/apple-blocks-flash-player-220.127.116.11-over-security-issues
- Apple release OS X 10.10.1 which includes a number of security fixes – https://support.apple.com/en-us/HT6591
- Apple releases iOS 8.1.1 which includes a number of security fixes – https://support.apple.com/en-us/HT6590
- Apple releases Apple TV 7.0.2 which includes a number of security fixes – https://support.apple.com/en-us/HT6592
- Microsoft have released an out-of-band patch to address a serious privilege elevation vulnerability in all versions of Windows – https://technet.microsoft.com/library/security/MS14-068
Important Security News:
- Snapchat to start warning users about using 3rd party apps, and asking those who do use them to change their passwords (this is a response to ‘the snappening’) – https://nakedsecurity.sophos.com/2014/11/13/snapchat-to-warn-users-about-third-party-apps-ask-them-to-change-their-passwords/
- Security researchers warn that Android apps with minimal permissions can sniff passwords accessed via password managers on Android – a proof of concept has been developed showing passwords being sniffed as they are accessed via LastPass and KeePassDroid – http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
- RELATED – security researchers warn that cyber criminals in general are focusing their attention on password vaults – http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/
- Security researchers warn of a malware campaign that is successfully attacking Android users in the US – http://bits.blogs.nytimes.com/2014/11/20/malicious-software-said-to-spread-on-android-phones/
- Another crack in the TOR armour as researchers find that a malicious TOR exit node was infecting Windows executables with malware as they were downloaded through the TOR network – http://arstechnica.com/security/2014/11/for-a-year-one-rogue-tor-node-added-malware-to-windows-executables/
- A new Russian website highlights the problem of unsecured IP cameras, providing a listing of thousands of these cameras, and allowing people to watch what those cameras are recording in real time – If you have a networked camera SECURE IT – http://www.bbc.com/news/technology-30121159
- WhatsApp implements TextSecure to add strong end-to-end encryption – http://arstechnica.com/security/2014/11/whatsapp-brings-strong-end-to-end-crypto-to-the-masses/
- Firefox 33.1 adds a handy new ‘forget’ button – this is a nice new usability feature to make privacy easier – http://www.macobserver.com/tmo/article/firefox-continues-its-privacy-crusade-adds-forget-button
- The EFF, Mozilla, Cisco, Akamai and others have teamed up to create a new initiative called Let’s Encrypt – the aim is to provide SSL/TLS certs for free, and, to make management of HTTPS-protected sites easier – the CA is scheduled to launch in 2015 – http://arstechnica.com/security/2014/11/nonprofit-effort-aims-to-encrypt-the-web/
- USPS breached and employee and customer data stolen – https://nakedsecurity.sophos.com/2014/11/11/us-postal-service-breached-employee-and-customer-data-stolen/
- A great article from Wired about the problems with computer algorithms – http://www.wired.com/2014/11/algorithms-great-can-also-ruin-lives/?+loopinsight%2FKqJb+(The+Loop)&utm_content=FeedBurner
- Net Neutrality is in the news again, so people might be interested in this great FAQ for those who’d like a better understanding of what it’s all about – http://www.vox.com/2014/11/10/7187281/9-questions-about-network-neutrality-you-were-too-embarrassed-to-ask
- RELATED – The Oatmeal attacks Senator Cruz’s nonsense inflammatory tweet on the topic head-on – http://theoatmeal.com/blog/net_neutrality
- The US government continue their PR attack on security with a pitiful “will someone think of the children” – http://www.macobserver.com/tmo/article/doj-warns-apple-that-ios-encryption-could-kill-children
- AT&T subsidiary Cricket come under fire from the EFF and others for apparently sabotaging email encryption used by their customers – http://arstechnica.com/tech-policy/2014/11/condemnation-mounts-against-isp-that-sabotaged-users-e-mail-encryption/
- ‘DarkHotel’ attack uses bogus crypto certs to target powerful people as they stay in hotels – http://arstechnica.com/security/2014/11/darkhotel-uses-bogus-crypto-certificates-to-snare-wi-fi-connected-execs/
- Pwn2Own goes well for Windows Phone, but iPhone 5S, Samsung Galaxy S5 and others fall – http://arstechnica.com/security/2014/11/windows-phone-security-sandbox-survives-pwn2own-unscathed/ & http://arstechnica.com/security/2014/11/iphone-galaxy-s5-nexus-5-and-fire-phone-fall-like-dominoes-at-pwn2own/
Main Topic – Taming the Terminal part 24 of n (Ethernet & ARP)
Finally – the long-promised re-vamp of https://www.xkpasswd.net is live! I’d love to hear any constructive feedback (contact form at https://www.bartbusschots.ie/s/about/). This new interface is just the start of my plans for the site – next will be a big re-vamp of the dictionaries on offer, and I hope to get that done over the Christmas holidays.
That’s going to wind this up for this week, many thanks to our sponsor for helping to pay the bills, the makers of Clarify over at clarify-it.com. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter and app.net @podfeet. Check out the NosillaCast Google Plus Community too – lots of fun over there! If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.