Proactive Computing | Optimizing IT for usability, performance and reliability since 1997

Category: #Cybersecurity (Page 1 of 9)

Why SMS Text Messages Aren’t Private or Secure

You might think that switching from Facebook Messenger to old-fashioned text messages would help protect your privacy. But standard SMS text messages aren’t very private or secure. SMS is like fax—an old, outdated standard that refuses to go away.

Read This Article on How-To Geek ›

Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Chris Hoffman

Stolen computers are the least of the government’s security worries


Reports that a laptop from House Speaker Nancy Pelosi’s office was stolen during the pro-Trump rioters’ sack of the Capitol building have some worried that the mob may have access to important, even classified information. Fortunately that’s not the case — even if this computer and others had any truly sensitive information, which is unlikely, like any corporate asset it can almost certainly be disabled remotely.

The cybersecurity threat in general from the riot is not as high as one might think, as we explained yesterday. Specific to stolen or otherwise compromised hardware, there are several facts to keep in mind.

In the first place, the offices of elected officials are in many ways already public spaces. These are historic buildings through which tours often go, in which meetings with foreign dignitaries and other politicians are held, and in which thousands of ordinary civil servants without any security clearance would normally be working shoulder-to-shoulder. The important work they do is largely legislative and administrative — largely public work, where the most sensitive information being exchanged is probably unannounced speeches and draft bills.

But recently, you may remember, most of these people were working from home. Of course during the major event of the joint session confirming the electors, there would be more people than normal. But this wasn’t an ordinary day at the office by a long shot — even before hundreds of radicalized partisans forcibly occupied the building. Chances are there wasn’t a lot of critical business being conducted on the desktops in these offices. Classified data lives in the access-controlled SCIF, not on random devices sitting in unsecured areas.

In fact, the laptop is reported by Reuters as having been part of a conference room’s dedicated hardware — this is the dusty old Inspiron that lives on the A/V table so you can put your PowerPoint on it, not Pelosi’s personal computer, let alone a hard line to top secret info.

Even if there was a question of unintended access, it should be noted that the federal government, as any large company might, has a normal IT department with a relatively modern provisioning structure. The Pelosi office laptop, like any other piece of hardware being used for official House and Senate business, is monitored by IT and should be able to be remotely disabled or wiped. The challenge for the department is figuring out which hardware does actually need to be handled that way — as was reported earlier, there was (understandably) no official plan for a violent takeover of the Capitol building.

In other words, it’s highly likely that the most that will result from the theft of government computers on Jan. 6 will be inconvenience or at most some embarrassment should some informal communications become public. Staffers do gossip and grouse, of course, on both back and official channels.

That said, the people who invaded these offices and stole that equipment — some on camera — are already being arrested and charged. Just because the theft doesn’t present a serious security threat doesn’t mean it wasn’t highly illegal in several different ways.

Any cybersecurity official will tell you that the greater threat by far is the extensive infiltration of government contractors and accounts through the SolarWinds breach. Those systems are packed with information that was never meant to be public and will likely provide fuel for credential-related attacks for years to come.

The Article Was Written/Published By: Devin Coldewey

How to Use OpenPGP Encryption for Emails in Thunderbird

Mozilla Thunderbird recently integrated OpenPGP right into the main application. No add-ons are needed for email privacy. OpenPGP’s world-class encryption is easy to set up and use without additional software.

Read This Article on How-To Geek ›

The Article Was Written/Published By: Dave McKay

Your Password Manager Can Do More Than Just Store Passwords

It’s common sense that everyone should be using a good password manager (we hope, at least). It’s also worth noting that password managers have tons of other amazing features that you might not be using. These features are both convenient and security-centric, and they can help you stay safe online and get the most out of your password manager.

Everyone knows the primary feature of a password manager—to store your login credentials—but they can also do tons of other cool things, like alert you to security breaches or store important files. Of course, the features a particular password manager has vary, depending on which one you’re looking at, but we rounded up all of the most common features you can expect to see in any of the most popular ones.

So without further ado, here are some other features password managers have to offer. They can:

Enter Your Login Info for You

What’s not to like about something that will fill in your stored credentials for you whenever you log in to a website? Some managers can also fill in additional fields, like contact information and credit card information. This feature is available on both mobile and desktop use so you can expect assistance no matter what device you’re using.

Generate Secure New Passwords on the Spot

This is one of the best features of password managers. Any password manager worth its salt should be able to create a random and secure password for you on demand. It’s a simple, yet nice feature, as it means you won’t ever have to come up with a less-than-unique password ever again. A good manager should also automatically update your login info with the new password it creates (or at least prompt you to).

Store Other Information, Besides Passwords

Did you know that your password manager can store other types of information besides passwords? Yep. They can also store things like contact information or credit card numbers. Typically, this information can also be autofilled when you need it (say, when you’re shopping or putting in your lunch delivery order online).

Certain managers can also store things like bank account numbers, social security numbers, Wi-Fi router or server information, membership information, driver’s license and other ID information, software licenses, and documents. Really, the sky’s the limit here.

Store Important Documents and Photos

As kind of an extension to storing non-password information, many password managers also offer a decent amount of secure file storage. This isn’t necessarily meant to replace or be used the same way you’d use regular cloud storage, like Dropbox or Google Drive; it’s more meant to be a way to store digitized copies of important documents (like a will, title, letter, or passport) in a secure encrypted format.

Provide a Place to Take Secure Notes

Many password managers offer a space where you can make notes (and it’s a great way to keep important thoughts and information away from prying eyes). Sure, you can use them just like a standard note-taking app, but this function is designed more for any type of text you’d want to keep password protected. This might include instructions for logging in to a specific site, or the directions to your buried treasure.

Typically, you’ll have the ability to share any notes you create with others (even if they don’t use the same password manager), and assign a label or tag to them for easy searching. You should also be able to import or export files, and toggle password protection as needed.

Audit Your Passwords to Make Sure They’re Strong and Safe

In addition to storing your passwords, good managers can also scan and assess them to see how strong or old they are, if you’re using duplicates (that’s a no-no!), or even if one has been compromised. Security scans usually don’t take long, and can provide helpful suggestions for how to strengthen your overall password security. Good managers can even suggest new passwords right on the spot, so all you’ll have to do is log in to the corresponding website and update your password.

Let You Share Files with Others

You might want or need to share some or all of your login info or secure notes with another user at some point (your spouse, for example). A good password manager should make it easy to do so, and have built-in options for sharing something with another user on your plan or potentially even someone who doesn’t use a manager.

Good password managers also offer emergency access in the event of, well, an emergency. Typically, this grants a one-time easement into an account during a short period of time. This would most likely be used in the event of someone passing away, so a loved one could access their accounts to stop bills, for example.

Offer Secure Web Browsing

Some managers offer their own options for safely browsing the web, typically via their own secure built-in browser or virtual private network (VPN). Either option is nice to have any time you are using a public Wi-Fi connection, like at a restaurant or café, or need anonymous and secure browsing.

Protect Your Account with Two-Factor Authentication

Password managers also double as two-factor authentication (2FA). If you’re unfamiliar with the term, 2FA is an additional way to keep your online accounts secure, like having to scan your face or fingerprint to unlock your phone or enter one of those six-digit SMS or email codes to access your Twitter account. That’s in addition to typing in your account password.

Good password managers offer two-factor authentication for keeping that account safe from a hacker. Similar to 2FA options for other sites (like Twitter), your manager might send you a notification with a code to scan or enter in addition to typing in your password, before letting you access your account. These notifications will also double as an alert if someone else is trying to log in to it.

Monitor Your Passwords for Breaches

Because password managers already know your login info, it makes sense that they should also be able to scan the web (including the dark web) to see if it comes up in a known security breach. Certain managers offer this feature, and will alert you in the event one of your passwords is thought to be compromised. This keeps you ahead of the curve and gives you the opportunity to change a breached password before the hacker has a chance to use the one they uncovered.

The best password managers will also actively protect you against phishing. They’ll remember the original site you created an account on, and prevent you from entering your information if you somehow end up on a different site posing as the original. While your manager won’t pop up with a huge red flag, you’ll be able to know it’s a phishing site as it won’t autofill your credentials.

Hopefully now you have a better understanding of how robust and awesome password managers are. They’re worthwhile even if you do just use them to store your passwords, but their arsenal of convenient security features really makes a password manager worth the cost.

The Article Was Written/Published By: Suzanne Humphries

Google, Cisco and VMware join Microsoft to oppose NSO Group in WhatsApp spyware case


A coalition of companies has filed an amicus brief in support of a legal case brought by WhatsApp against Israeli intelligence firm NSO Group, accusing the company of using an undisclosed vulnerability in the messaging app to hack into at least 1,400 devices, some of which were owned by journalists and human rights activists.

NSO develops and sells governments access to its Pegasus spyware, allowing its nation-state customers to target and stealthily hack into the devices of its targets. Spyware like Pegasus can track a victim’s location, read their messages and listen to their calls, steal their photos and files and siphon off private information from their device. The spyware is often installed by tricking a target into opening a malicious link, or sometimes by exploiting never-before-seen vulnerabilities in apps or phones to silently infect the victims with the spyware. The company has drawn ire for selling to authoritarian regimes, like Saudi Arabia, Ethiopia and the United Arab Emirates.

Last year, WhatsApp found and patched a vulnerability that it said was being abused to deliver the government-grade spyware, in some cases without the victim knowing. Months later, WhatsApp sued NSO to understand more about the incident, including which of its government customers was behind the attack.

NSO has repeatedly disputed the allegations, but was unable to convince a U.S. court to drop the case earlier this year. NSO’s main legal defense is that it is afforded legal immunities because it acts on behalf of governments.

But a coalition of tech companies has sided with WhatsApp, and is now asking the court to not allow NSO to claim or be subject to immunity.

Microsoft (including its subsidiaries LinkedIn and GitHub), Google, Cisco, VMware and the Internet Association, which represents dozens of tech giants, including Amazon, Facebook and Twitter, warned that the development of spyware and espionage tools — including hoarding the vulnerabilities used to deliver them — makes ordinary people less safe and secure, and also runs the risk of these tools falling into the wrong hands.

In a blog post, Microsoft’s customer security and trust chief Tom Burt said NSO should be accountable for the tools it builds and the vulnerabilities it exploits.

“Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve,” said Burt. “We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks.”

A spokesperson for NSO did not immediately comment.

The Article Was Written/Published By: Zack Whittaker

Trump administration proposes splitting Cyber Command from the NSA

The Trump administration elevated the role of Cyber Command in 2018, and now it’s apparently ready to give the division its own berth. Defense One reports that officials have proposed splitting Cyber Command leadership from the NSA. It’s not certain…


How U.S. agencies’ trust in untested software opened the door to hackers


The massive monthslong hack of agencies across the U.S. government succeeded, in part, because no one was looking in the right place.

The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications. That created the blind spot that suspected Russian hackers exploited to breach the Treasury Department, the Department of Homeland Security, the National Institutes of Health and other agencies. After embedding code in widely used network management software made by a Texas company called SolarWinds, all they had to do was wait for the agencies to download routine software updates from the trusted supplier.

As investigators race to assess the damage from the hacks, experts and lawmakers are calling for increased scrutiny of the third-party code that government agencies allow on their networks and demanding a fix for a long-known weakness.

“The government desperately needs to set minimum security requirements for software and services, and refuse to buy anything that doesn’t meet those standards,” said Sen. Ron Wyden (D-Ore.). “It is incredibly self-defeating for federal agencies to spend billions on security and then give government contracts to companies with insecure products.”

Over the past week, agencies rushed to scrub the malicious code from their networks while senior officials huddled in emergency meetings — all amid reports of more victims in the federal government, state governments and private industry. As the extent of the attack became clearer, cyber experts warned that cleaning up the mess could take months or years.

SolarWinds, whose 330,000 customers include key federal agencies, major telecommunications firms, every branch of the military and four-fifths of the Fortune 500, is one of the most extreme examples of the dysfunction that made this hack possible, but it is far from the only poorly guarded vendor with hooks into the most important computer networks in the world.

The U.S. government relies on private vendors of all sizes to supply its agencies with software. Some have expert security teams, such as Amazon, which provides cloud hosting services, and SAP, whose software helps agencies process large quantities of data. But others, both large and small, have less rigorous security testing procedures and are more vulnerable to this kind of compromise, cyber analysts say.

On Thursday, federal investigators said SolarWinds’ Orion software was not the only way the hackers had invaded their targets, warning of “additional initial access vectors and tactics, techniques, and procedures … that have not yet been discovered.”

And now that the hackers have had months to establish a foothold in the federal networks, the Cybersecurity and Infrastructure Security Agency warned, removing them “will be highly complex and challenging.”

Building better software

The SolarWinds hack — which officials have linked to Russia’s foreign intelligence service, the SVR, and which Secretary of State Mike Pompeo late Friday publicly pinned on Russia — reflects a level of sophistication that may be impossible to completely block, but technical professionals and policymakers say new approaches to software development and procurement could at least give defenders a fighting chance.

Attacks on vendors in the software supply chain represent a known issue that needs to be prioritized, said Rep. Jim Langevin (D-R.I.), the co-founder of the Congressional Cybersecurity Caucus.

“The SolarWinds incident … underscores that supply chain security is a topic that needs to be front and center,” Langevin said.

He said Congress needs to “incentivize” the companies to make their software more secure, which could require expensive changes.

Some others are calling for regulation.

“Absolutely there needs to be more oversight of these kinds of companies,” said Emile Monette, the former chief of CISA’s supply chain risk management program. He said the government should require contractors to certify their software is free of even “moderate-impact bugs.” Typically, vendors assure only that their software is free of particularly dangerous vulnerabilities, labeled as “critical” or “high impact.”

Private companies regularly deploy software with undiscovered bugs because developers lack the time, skill or incentive to fully inspect them.

Monette said agencies must “be prepared to pay for increased security” in their purchases and encouraged the government to “double down on investments” in areas such as software security.

Buyer beware

It can be hard, however, for federal agencies and Fortune 500 companies to identify weaknesses when they don’t understand the complexity of what they’re buying or the ways in which it could be defective.

“Security is not a significant consideration or even well understood,” said Bryan Ware, CISA’s former assistant director for cybersecurity. “Plenty of sophisticated [chief information officers] bought and deployed [SolarWinds’ software], so it’s not just the vendor I’m questioning.”

There is no central inventory of which government agencies use which software in which offices, which is part of why it has taken agencies so long to determine if they have been hacked.

“The first-order problem is still trying to get our arms around all of the applications and software that reside on the 101 civilian executive branch networks,” said former CISA Deputy Director Matthew Travis.

Travis bemoaned the decentralized approach and encouraged Congress to authorize CISA and OMB “to re-architect the archaic federal enterprise” and push more applications to the cloud.

The automated gatekeepers that do exist — two CISA-run network security programs — also weren’t equipped to identify the SolarWinds intrusion, much less stop it.

One program, dubbed “Einstein,” is supposed to stop threats from crossing the threshold into federal civilian agencies’ networks, but can only spot malicious activity that it has seen before, a shortcoming that the hackers carefully exploited by using servers not previously flagged as malicious.

The other, Continuous Diagnostics and Mitigation, brings together scanning and monitoring services that are supposed to spot and block suspicious behavior on those networks. But CDM’s understanding of what should generate a red flag is limited to clearly suspicious activity, such as offsite transfers of massive encrypted files — which didn’t occur with the infected SolarWinds updates.

Calls for action on the Hill

Some in Congress are ready to act. In a statement, Rep. Ted Lieu (D-Calif.) said he was “working on legislation to ensure that vendors doing business with the United States government maintain a vulnerability disclosure policy.”

But new regulations might not solve the problem, technical specialists said.

“Government-mandated security requirements are probably more likely to HARM security than to HELP it,” Andy Keiser, a former top House Intelligence Committee aide and Trump transition national security adviser, wrote in an email. “The standards would be slow, outdated, cumbersome [and] pick incorrect winners and losers.”

Congress should “carefully explore penalties for negligence” in software design, Ware said, but only in a limited way, “because it could lead to negative unintended consequences.”

The government already runs security certification programs for cloud platforms and defense industrial base contractors. Congress could examine and modify them, Ware said, to confront this new challenge.

Regardless of who controls the Senate in the 117th Congress, the Democratic-led House will likely be more open to new federal mandates. A House Homeland Security Committee aide, who requested anonymity to discuss internal planning, said that it was too early to discuss regulation but added, “I’m sure we will have hearings on [SolarWinds] in the new year.”

Getting under the hood

Rather than imposing new security requirements on vendors, some experts say agencies should pay more attention to the software they buy and routinely test it for flaws.

James Lewis, a cyber expert at the Center for Strategic and International Studies, floated the idea of an executive order instructing agencies “to monitor and better manage their use of these kinds of platforms,” and requiring sector-specific regulators to demand the same of companies in critical industries, such as electricity and health care.

“Require something similar to what Apple does on the App Store,” Lewis said, noting that the tech giant reviews every submitted app and only approves those it certifies to be secure.

Some private companies do monitor third-party software in this way, but routine software auditing would likely be a massive burden on federal agencies, few of which have enough security personnel to handle this work on top of their existing tasks.

One approach would be to centralize software testing at one agency. The most natural fit might be CISA, which in April became the operator of a central marketplace for government cybersecurity services.

Ware said this could prevent a situation where one agency discovered a problem in software used across the government but failed to report it to those other customers.

Not everyone is convinced that this centralization would work.

“Talent is in short supply everywhere, no one [is] going to volunteer people for transfer, and DHS doesn’t have the clout to steal from the agencies with talent — the [intelligence community], DoD and FBI,” Lewis said. He suggested instead that the software security oversight start at OMB, whose authority to issue edicts to other agencies is more established.

Nascent efforts

Some parts of the government are already working to encourage better coding practices, though it’s slow going.

For more than two years, one federal agency has been convening meetings of outside experts to discuss the creation of a kind of ingredient label for software, a “bill of materials” that would provide transparency about the code used in each program. While this software bill of materials wouldn’t completely solve the problem that led to the SolarWinds crisis, Ware and other cyber experts say it would encourage more careful coding by making an application’s digital contents more transparent.

The agency behind this effort is the Commerce Department’s National Telecommunications and Information Administration, one of the first agencies to discover that it had been hacked as part of the SolarWinds campaign.

Martin Matishak contributed to this report.

The Article Was Written/Published By: Eric Geller

Why America just gave DJI the Huawei treatment

This week the United States government added the drone company DJI to its Entity List. The United States Bureau of Industry and Security for Commerce added DJI to this list alongside 76 other entities on Friday, December 18, 2020. DJI and the rest of the entities added to the Entity List were determined to be “acting contrary to the national …

The Article Was Written/Published By: Chris Burns

Securing a New Windows Server

When working with a new Windows Server, securing it against attackers is one of the first things you will want to do. A default Windows Server configuration is not inherently locked down and leaves important protection open and accessible to hackers. Let’s take a look at how we can secure our web server!

Read This Article on CloudSavvy IT ›

The Article Was Written/Published By: Mike Sherman
