Category Archives: Security

No it isn’t: Missouri governor says viewing HTML source code containing private data the state published on every page is a crime

Republican Gov. Mike Parson on Thursday condemned one of Missouri’s largest newspapers for exposing a flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers, even though the paper held off from reporting about the flaw until after the state could fix it.

Source: Missouri governor slams newspaper for uncovering state data security flaw | NewsNation Now

The state education department’s public database interface embedded the private information directly in the HTML of the page itself, where anyone could see it in most browsers by right-clicking the page and selecting View Page Source.

The Governor considers it a crime to right-click in your browser and view the HTML source that the state’s own web site delivered to every visitor, and has asked the state and a prosecutor to investigate.
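The check that would have caught this before publication, as an added example that is not code from the original post or from the state’s system: a scanner over the HTML a server actually delivers, flagging Social Security number patterns wherever they sit (visible text, CSS-hidden elements, hidden form fields, HTML comments, inline script), next to a hardened rendering that never sends the raw value to the browser at all. The sample page, the name and the SSN value are constructed for illustration.

```python
"""Added example: find sensitive values in the HTML a server actually sends.

Everything a browser receives is visible with View Page Source, so anything
"hidden" by CSS, a hidden form field, an HTML comment or an inline script is
still published.  The sample page and all of its values are constructed here.
"""
import html
import re
from html.parser import HTMLParser

# US Social Security number shape: 3-2-4 digits.  A real pre-publication scan
# would add patterns for other identifiers (dates of birth, account numbers).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Elements with no closing tag; they must not be pushed on the location stack.
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


class LeakScanner(HTMLParser):
    """Visit every place the parser sees text: attributes, text nodes, comments, script bodies."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (location, matched value)
        self._stack = []     # currently open element names, for reporting where a hit was

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            for m in SSN_RE.finditer(value or ""):
                self.findings.append((f"attribute {name} of <{tag}>", m.group()))
        if tag not in VOID_TAGS:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1] == tag:
            self._stack.pop()

    def handle_data(self, data):
        # Inline <script> and <style> bodies are delivered here as well.
        where = self._stack[-1] if self._stack else "document"
        for m in SSN_RE.finditer(data):
            self.findings.append((f"text inside <{where}>", m.group()))

    def handle_comment(self, data):
        for m in SSN_RE.finditer(data):
            self.findings.append(("HTML comment", m.group()))


def scan_html(page):
    """Return [(location, value), ...] for every SSN-shaped value in the delivered HTML."""
    scanner = LeakScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


# Constructed 'before' page in the style of the flaw described above: the rendered
# page shows only a name, but the full SSN rides along in four separate places.
VULNERABLE_PAGE = """<!DOCTYPE html>
<html><body>
<!-- record 4417 ssn 123-45-6789 -->
<h1>Educator Credential Lookup</h1>
<div class="name">Jane Doe</div>
<div class="ssn" style="display:none">123-45-6789</div>
<form><input type="hidden" name="ssn" value="123-45-6789"></form>
<script>var record = {ssn: "123-45-6789"};</script>
</body></html>"""


def mask_ssn(ssn):
    """Keep only the last four digits; the rest never leaves the server."""
    return "***-**-" + ssn[-4:]


def render_teacher_page(name, ssn):
    """Hardened rendering: the template only ever receives the masked value, and
    no hidden field, comment or script variable carries the raw one."""
    return (
        "<!DOCTYPE html>\n<html><body>\n"
        "<h1>Educator Credential Lookup</h1>\n"
        f'<div class="name">{html.escape(name)}</div>\n'
        f'<div class="ssn">{html.escape(mask_ssn(ssn))}</div>\n'
        "</body></html>"
    )


if __name__ == "__main__":
    for where, value in scan_html(VULNERABLE_PAGE):
        print(f"LEAK: {value} in {where}")
    print("hardened page findings:", scan_html(render_teacher_page("Jane Doe", "123-45-6789")))
```

The point of the hardened version is that masking happens before the template ever sees the value; hiding the field with CSS or `type="hidden"` changes nothing about what the browser receives, which is exactly what View Page Source shows.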

The Missouri Governor, when it comes to information security laws, is an idiot. Lots more here.

Oops: All your Twitch belongs to us

An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

Source: The entirety of Twitch has reportedly been leaked | VGC

Should you get rid of Windows 10 passwords?

Microsoft’s new approach is to rely (mostly) upon an Authenticator app on your phone.

Whether this matters depends on what type of passwords you use now. The Authenticator app model helps people who have secure access to their phone, currently use simple (not complex) passwords, and have cell phone or Internet service on that phone whenever they need to sign in to their Windows 10 computer.

…it’s still a win-win for most people, most of the time. That’s because most people don’t have unique, long, complex, random passwords for every account and use a password manager to, well, manage them. That said, if you do, then there’s no real rush to dump your password access route to be honest.

The problem, though, is ensuring those users who would benefit both know the option is available and encouraging them to take it.

Source: Delete Your Windows 10 Password Now: Microsoft Suddenly Issues Security Update For Millions

You do not want to rely on the Authenticator app to log in to your Windows 10 notebook computer when traveling in areas without cell or Internet access.

You can set up a PIN, facial recognition (if your device has a camera) or fingerprint recognition (if your device has a fingerprint reader) as alternatives. A Windows Hello PIN can be numeric, or as long and complex as an alphanumeric password if you allow letters and symbols. The real difference from a password is that the PIN is bound to that one device (and, where the hardware has one, its TPM) rather than to your Microsoft account, so it works offline and is useless for signing in anywhere else.

For example, I use a notebook computer to read Kindle books when in campgrounds having no cell phone service. The new Microsoft Windows 10 “passwordless” model would require that I set up a PIN as an alternate, putting me right back into the password model. I use complex passwords anyway, so the Authenticator app mostly adds complexity to basic Windows desktop login without adding much additional security.

An easy way to create and remember a complex password is to remember a sentence or phrase from a movie – or some other phrase that is important to you.

To illustrate, consider the famous line “May the Force be with you” from Star Wars (I do not recommend you use this). Make your password the first letter of each word:

MtFbwy

Now make an obvious substitution, such as changing “Force” to the number 4.

Mt4bwy

Then add some punctuation or symbols, such as

Mt4bwy#?

Again, do not use an obvious phrase like this one; pick a sentence that is meaningful to you. Then change some values, such as converting the word “to” to 2, the letter I to 1, and so on.

A phrase or sentence that is meaningful to you makes it easy to remember a complex password that otherwise looks like a sequence of random letters.

Also consider choosing a longer phrase than the example above. For example, “My mama always said life was like a box of chocolates.”

Mmaslwlaboc

Then look for simple substitutions to add numbers and symbols. Bear in mind that password-cracking tools apply exactly these substitutions and common suffixes automatically, so the strength comes from the length and obscurity of the phrase, not from the substitutions.

As long as you do not reuse your password on multiple accounts and services, you do not actually need to change your password periodically. If you use the same or similar passwords elsewhere, then you should change them periodically, because a breach at any one of those services exposes the others.

For critical accounts, including anything with access to your email, to financial accounts (banks, brokerages), or to retailers where you have saved a credit card, set up two-factor authentication that relies ideally on an authenticator app, or otherwise on SMS confirmation (less secure). Additionally, if your telephone service provider lets you set a separate PIN for account changes, do that: attackers have used SIM-swap and number port-out fraud to take over a victim’s phone number and receive their SMS codes, and a carrier account PIN makes that considerably harder.

Orwell rolling in his grave: Australian penal colony gets even stricter

Intrastate travel within Australia is also severely restricted. And the government of South Australia, one of the country’s six states, developed and is now testing an app as Orwellian as any in the free world to enforce its quarantine rules. People in South Australia will be forced to download an app that combines facial recognition and geolocation. The state will text them at random times, and thereafter they will have 15 minutes to take a picture of their face in the location where they are supposed to be. Should they fail, the local police department will be sent to follow up in person. “We don’t tell them how often or when, on a random basis they have to reply within 15 minutes,” Premier Steven Marshall explained. “I think every South Australian should feel pretty proud that we are the national pilot for the home-based quarantine app.”

Source: Is Pandemic Australia Still a Liberal Democracy? – The Atlantic

Meanwhile, Australia’s NSW has proven beyond any doubt that lockdowns served no useful purpose. Even NSW’s premier is giving up on containing Covid without vaccines. Given time, everywhere ends up at the same destination.

Vaccines work. Masks work when proper masks are used, in proper fashion, in limited circumstances, but do not work to contain the spread at a societal level. Most mitigations do not work and eventually succumb to the virus.

Awkward: Hacker’s ransomware attack code avoided computers set to use Cyrillic languages

Trustwave said the ransomware “avoids systems that have default languages from what was the USSR region. This includes Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Russian Moldova, Syriac, and Syriac Arabic.”

Source: Code in huge ransomware attack written to avoid computers that use Russian, says new report

My blogs are under attacks every day, all the time. I have had to set up multiple layers of security to defend against the attacks and to evolve those security levels often.

Criminals encrypted 1 million devices in $70 million ransomware attack

When these attacks become this large, at some point they will be seen as a declaration of war, no different from bombing a country’s infrastructure:

The hacker gang behind an international crime spree that played out over the Fourth of July weekend say they’ve locked more than a million individual devices and are demanding $70 million in bitcoin to set them all free in one swoop.

The gang, the Russia-connected REvil, is best known for previously hacking JBS, one of the world’s largest meat suppliers, and briefly halting its operations across much of North America. But this attack’s potential scope is unprecedented, according to some cybersecurity experts.

Source: Hackers behind holiday crime spree demand $70 million, say they locked 1 million devices

Thousands of companies worldwide may have been impacted by this ransomware attack

Sweden’s Coop grocery chain had to shut all 800 of its retail stores after the attack, and the full scope is still unknown:

The number of victims affected by the attack is unclear due to a ripple effect of managed service providers, who have their own clients, that may have been affected as well.

Source: Software supplier hit with “sophisticated cyberattack,” potentially affecting thousands of businesses – CBS News