
Security Concept: Attack Vector

24 Sep

Our last discussion looked at the security concepts of lock down and layered security. Attack vector is another important security concept. Different agencies and organizations have different words for this but it all comes down to the same concept.

Your adversary wants to attack you and they will attack you through some perceived weakness, a vector. Vector means a pointy little arrow. You can think of the arrow as tracing the path they take to attack you. If a burglar kicks in your front door, the attack vector is the front door. If a burglar crawls in through a window, the attack vector is the window.

In our last post, ThoughtfullyPrepping correctly said the best “lock down” against your PC being hacked over the Internet is pulling the connection to the Internet. The Internet is the primary attack vector hackers use to get into your system. We can subdivide this into smaller attack vectors. Some of the most common computer hacker attack vectors:

1) Your web browser
2) Your e-mail client
3) Java installed on your system
4) Flash Player
5) Acrobat Reader

Some attacks go through one thing and then use another: a web browser attack taking advantage of Flash Player. These last three items have had tens of thousands of vulnerabilities over the years. How can you nullify attacks through these popular attack vectors?

If you don’t need it, uninstall Java. You could go without Flash Player, but how then would you play sheep dash or online flappy bird? Too great a sacrifice. Inside your browser you can install an add-on (Flashblock) that blocks Flash content from automatically playing. This gives you control over which Flash content is allowed. Keep Flash Player updated. Visit the Flash Player Settings Manager website to check your settings and choose stronger settings than the defaults.

You can replace Acrobat Reader with a less targeted and less bloated PDF reader like Sumatra PDF.

For an e-mail client, choose one that doesn’t support scripting or one which can turn it off. Avoid Outlook and anything that supports ActiveX on the Windows platform. Don’t open attachments in e-mails from strangers. Just delete them.

You could run your web browser sandboxed, using the free program Sandboxie. You can also install browser add-ons like NoScript, which keep JavaScript and other scripts from running. It will break many sites, so turn the extension off when you need scripting. For privacy, add Ghostery to your browser.

By looking at known attack vectors you can reduce your vulnerability to attacks. By listing possible attack vectors you can get a good idea of how you can be attacked. It gets you thinking about how you can secure each line of attack.

The greatest weakness is entirely missing an attack vector. You’ve secured your home. The doors are bullet proof. The windows, impenetrable. A tiny burglar crawls through your dog door. A missed attack vector.

In the book, I devoted a page to securing window air conditioners. Why? It’s an overlooked burglar attack vector. Most ACs just sit in the window frame, held in place by a few tiny screws at the top. Burglars can easily push the AC into the home and crawl through the window. If you have a window AC, spend some time to secure it.

Securing your garage door from having the traveller disconnected is another overlooked home security attack vector.

When you secure anything, be it your home, computer, survival retreat, vehicle, anything, make a list of possible attack vectors. Don’t be overwhelmed. If you’re on the ball, you’ll see a huge amount of attack area. You can’t bulletproof everything. You don’t need to. The vast majority of attacks look for easy vulnerabilities. Something as simple as a locked door discourages break ins. A reinforced door makes a kick in difficult. Most burglars will move on to the house down the road when confronted with a few hardened attack vectors.

The same is true with computer hackers. Unless you’ve pissed off the NSA, when a hacker finds their favorite attack vectors closed, they’ll move on to hacking somebody else.


Two Important Security Concepts: Lock Down & Layered Security

23 Sep

Two important security concepts are Lock Down and Layered Security. These concepts apply to personal home security and online computer security.

Lock Down means different things to different people. A prison lockdown is different from a school lockdown during the threat of a crazed shooter. Lock down implies containment of things as they are. It denies harmful forces the chances to make progress and advance. It keeps things as they are, allowing the white hats to ride in and save the day.

A computer user can “lockdown” his computer. This means the computer is hardened against malicious attempts to change it. There are commercial programs (AppGuard) which prevent malicious code from changing your software. There are free programs like Microsoft’s EMET which help you “lock down” weaknesses.

The simplest things can be the most powerful. Any computer user without adding any special software to his PC can tighten security with the simple “lock down” procedure of creating non-administrative user accounts for daily use. Limited user accounts have limited ability to change your operating system and install software. You can still browse the web, check your e-mail, and spend way too much time on youtube with a limited user account. What you can’t do is make fundamental changes to the operating system. You need to log in as administrator to do that.

If a hacker gets control of your limited user account, his rights are limited. His ability to compromise your system is limited. Researchers have shown 92% of the malware out there can’t overcome being contained in a limited user account.

Limited user accounts are an example of the concept of allowing the minimum access and rights and privileges needed to a person. Don’t let strangers walk through your house.

An intruder entered the White House. The news said the White House is the most secure house in the country. Au contraire. MY house is the most secure house. I keep my door locked and I don’t have tourists. “Ah, that’s my stack of dirty underwear. I’ve been meaning to wash it. Moving over here, we see…”

Layered Security is just what it sounds like. It’s layers of defense to stop an intruder. A pit bull behind a locked door is layered security. If the intruder gets past the door, he must still deal with the dog.

A good example of layered computer security is using a DNS name server like Norton DNS Connect Safe to complement your firewall and virus protection.

DNS is like the phonebook for the Internet. DNS works as follows: When you want to visit a website, your computer needs to find the IP address of the site you want to visit. It gets this information from your DNS, which is a computer usually run by your Internet Service Provider (ISP).

A secure DNS will look at the IP address you want to visit and check if the site hosts malware or viruses. If the site is malicious, the secure DNS will let you know and won’t connect you to the site.

If a virus/malware got past your antivirus protection and past your firewall, one thing it would try to do is “phone home” to connect to a malicious web server to download more viruses or to send your private information to hackers. When it tried to make this connection, if your DNS were secure, the secure DNS would likely deny this connection.
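The filtering decision described above, as an added Python example (not code from this post or from any DNS provider). The blocklist, the upstream table, the host names and all addresses are constructed placeholders; the lookup is keyed on the domain name, and blocked lookups are logged because they point at the machine that tried to phone home.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: names under the reserved .example TLD and
# addresses from the documentation ranges. Nothing here is a real indicator.
BLOCKLIST = {"malware-host.example", "c2.badsite.example"}
UPSTREAM = {  # stands in for the normal DNS answers
    "news.example": "192.0.2.10",
    "cdn.malware-host.example": "198.51.100.67",
    "c2.badsite.example": "203.0.113.5",
    "badsite.example": "203.0.113.6",
}

@dataclass(frozen=True)
class Answer:
    name: str
    address: Optional[str]  # None means "no such name" was returned
    blocked: bool

def normalize(name: str) -> str:
    """Lower-case and drop the trailing root dot so equal names compare equal."""
    return name.strip().lower().rstrip(".")

def matched_rule(name: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry covering name or any of its parent domains."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        # Match on whole labels, so "notmalware-host.example" is not caught.
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def resolve(client: str, name: str, log: list) -> Answer:
    """Answer one lookup; refuse blocked names and record who asked."""
    qname = normalize(name)
    rule = matched_rule(qname)
    if rule is not None:
        # A blocked lookup is also a detection signal: this client tried
        # to reach a known-bad name, so it deserves a closer look.
        log.append((client, qname, rule))
        return Answer(qname, None, True)
    return Answer(qname, UPSTREAM.get(qname), False)

if __name__ == "__main__":
    blocked_log = []
    for host, query in [("laptop", "news.example"),
                        ("old-xp-pc", "CDN.Malware-Host.example."),
                        ("old-xp-pc", "badsite.example")]:
        print(host, resolve(host, query, blocked_log))
    print("blocked lookups:", blocked_log)
```

The resolver only sees lookups made by name, so it complements the firewall and antivirus rather than replacing them.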

I don’t recommend Google’s DNS because of privacy issues. Google likes keeping personal information way too much. You can layer your anti-virus with Google’s VirusTotal website which checks downloads for viruses.

Give some thought to these two security concepts as they relate to your personal security. What layered defenses have you? What is your daily “lock down” and what is your emergency “lock down”?

***

For airgun shooters, there’s some great information over at ThoughtfullyPrepping.

A great essay about where to start prepping. Not about fighting zombies, but about reality.

Protecting Your Computer, Blackshades commentary

22 May

Many people were arrested for “Blackshades” infiltration of computers.

http://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/

http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0519/International-bust-targets-BlackShades-malware.-Is-your-computer-safe-now-video

Be aware that if you visit the wrong website, your computer could be infected by malware. Everybody should have a firewall, antivirus, and anti-malware software. Keep your OS updated.

If you’re keeping an older computer like XP, look into running your browser in Sandboxie or a virtual system browser. Any changes made by a malicious site are only made to your “virtual” machine and can’t harm your system.

Another point: If you run Windows and surf the net, make a second account without administrator privileges. If somebody hacks your system, they can only do what a limited user could do to your system.

An alternative is DropMyRights. It does the same thing.

Preppers must learn to protect themselves and their families from all threats. Online threats are a concern today.

Armageddon XP Rant (& A Tale of Two Hardware Stores)

15 Feb

Let me start by saying I’m not an old fuddy duddy who can’t stand change. I like good change. I like positive change. I like real innovation. The Internet rocks. What I don’t like is arbitrary, pointless, counterproductive, time-wasting change. When those things are at play, I’ll take the conservative option every day.

I don’t want my refrigerator connected to the Internet. I don’t want to worry it’s sending out spam to your cell phone. Do I need to monitor its online usage to be sure it’s not paying undue attention to the new Maytag models?

I don’t want start-stop vehicle technology. I had that back in the 1970s; it’s called stalling. I don’t want electronic throttle control. Drive-by-wire, die in a fire. I don’t want a computer controlling my dryer.

I like simplicity. I like tossing underwear in the dryer, turning a dial for time, pushing a button, and voilà. I’ve never wanted a dryer that could twitter the world about the status of my underwear.

In the day, we were more civilized. This article would be called an editorial or an opinion piece. In the day, we were less truthful. Today, we call it a rant. It’s a rant.

I’m already in a bad mood because of the closing of 7 Corners Hardware. They were Saint Paul’s premier hardware store for 80 years. If you needed special bolts for a project, you could find them. They were the Midwest’s largest tool distributor. If you needed a Milwaukee right angle drill with a 36″ snout, they had one. It’s in their catalog. I have a Milwaukee right angle drill, but can’t imagine why I’d need 3 feet of reach with it. Somewhere out there is a guy who needs it for something. Where will he go? I’d be surprised if any big-box retailers carry it.

Hardware stores that carry odd hardware are disappearing. Hardware stores that carry quality bolts are disappearing. The guys who understood tools are disappearing. I went into a Harbor Freight looking for a brush. It was on their website. The kids there were clueless. They thought they might have seen it, somewhere, sometime, in the past. Sorry, no help today. They were nice enough kids. But they weren’t “tool” guys.

This is reflective of today. As Americans, we just don’t fix stuff anymore. We toss it out and buy new. If we must fix it, we call in a professional.

Another prepper-blogger posted a similar observation asking “We’ve all got skills, redundant skills, but what do you do with all that ‘unusual’ knowledge in a throw away world that doesn’t care about the old ways?”

The answer is obvious. We annoy our wives by bringing home a lot of stuff we can fix, which she calls useless crap. Because it makes more financial sense to buy a new dryer than replace the computer module in the old one, an otherwise serviceable machine is tossed.

As citizens and consumers, we’re told spending more money to buy new stuff is good. Tossing the old is good. It’s beneficial. Planned obsolescence makes sense.

An example of this was the “Cash for Clunkers” program. In 30 days, over $3 billion of taxpayer money was spent overpaying for used vehicles to “take them off the road.” Car murder, more like it. They literally poisoned the poor cars till they died, just to be sure nobody would salvage the engines.

This is bad news if you’re in the market for a used car today. Far less supply and prices are at record highs. The program benefited some, but like all government programs, it came at a cost to others.

The hope is that the “maker culture” with their interest in electronics and 3D plastic printing will revive the interest in tinkering, repairing, and rebuilding things.

The best example showing how helpless citizens are becoming is our reliance on software. If it goes buggy, the best we can usually do is restart our PC, and soon, our toaster. We have no practical capability to ferret out the problem ourselves. We’re at the mercy of Microsoft.

In two months, we’ll face XP Armageddon. That’s when Microsoft will stop supporting Windows XP. They’ll no longer offer patches for bugs or security vulnerabilities. This is a hacker’s dream come true.

Nearly 1/3 of all PCs still run Windows XP. It’s used by hospitals, law firms, small businesses, governments, ATMs, and individuals. These people will all be put at risk.

The Target hacking debacle occurred because an HVAC vendor was compromised.

How many small business vendors will be targeted and what will the consequences be? Agree with his motives or disagree, Edward Snowden was a contractor who had access to the NSA’s computers. How many mission-critical systems will be compromised because of outsourcing to vendors still using XP?

I understand Microsoft’s position. They want to sell us Windows 8. Without being compelled to purchase it, nobody would. If you must upgrade, look into Windows 7.

Microsoft isn’t offering Windows 7 anymore. But there are a ton of copies at the retailers, so it should be available for a while. My understanding is that it will be supported until 2020. Be sure your older system can run it and that you purchase the correct 32-bit or 64-bit version. Those with more computer skills are migrating to Linux.

If you want to continue using XP, back up your full system. Run a firewall program. Maybe do your web browsing in Linux and install a dual-boot system. You’ll have XP if needed for older programs.

Just because Microsoft won’t be supporting me and you, doesn’t mean everybody’s in the same boat. The dirty secret is that Microsoft will continue to support some big clients. England’s National Health Service, for example. Microsoft will patch their systems and keep their patient data safe. Sharing the patches with us, not so much.

How many remember the fear over Y2K which drew many new converts to prepping? We were prepared for Y2K. Because of that, the transition was seamless. Are we prepared for the end of XP? In two months, we’ll find out.

End Of Privacy In America II (Opinion)

10 Jun

A few days after the news the NSA is tracking phone caller “meta data” throughout America, new reports prove the government is busy at work tracking our online associations too.

Sites included for eavesdropping include Microsoft, Yahoo, Google, Facebook, PalTalk, AOL (are they still around?), Skype, YouTube, and Apple. To summarize: Pretty much everything you do online is being monitored by the American government. The records will remain, indefinitely.

A whole parade of politicians and bureaucrats are endorsing the practice as no big whoop:

“It’s called protecting America,” said Senator Dianne Feinstein.

“The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”

“Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats.” Director of National Intelligence

We are assured this information won’t be misused: Trust us, we’re told. The whistleblower who released this information has come forward. He didn’t feel Americans knew the extent to which they were monitored.

Whistleblowers play a key role in exposing government wrongdoing. They expose corruption and misdeeds. Without honest people in government and business, more stuff sneaks under the radar.

What if a special interest inside a country wants to start a war that isn’t in the best interests of its citizens but only serves the agenda of some special interest? How do you do this?

The ploy is well known: You fabricate intelligence and leak it to friendly newspapers. The fabricated intelligence, provocatively reported, proves the country to be attacked is an immediate threat to your own country. The people become outraged, fearful, and they follow the script. Yes, we must attack!

What if somebody inside the intelligence agency knows the truth? What should they do? Should they let thousands of Americans die needlessly by keeping quiet or destroy their own career and life by exposing the truth? It takes a tremendous amount of courage to step outside of the machine and become a whistleblower.

Whistleblowers are a cog in the machine. If an intelligence agency can ferret out all whistleblowers and those who object to their agenda, they can operate in secrecy and with impunity behind the scenes manipulating a population.

Destroying this level of protection is a key goal for certain groups. In my humble opinion, total information awareness, PRISM, the “Big Brother” database, or whatever you want to call the newest program is all about snuffing out whistleblowers.

Here’s how it works: Something the government shouldn’t be doing suddenly appears on page one of the Washington Post. How could the “Big Brother” database be used? The reporter’s phone numbers are searched. All calls the reporter ever made are examined. All incoming calls to him are looked at.

If the whistleblower made the error of using his home or cell phone, he’s instantly exposed. If he made the error of using his credit card to purchase a prepaid cell phone, he’s exposed too. The government plans to track our credit card purchases, if they don’t already do so.

In the future, when databases get larger, even the cell phone you carry and don’t use could be used to track you. Even if you used a pay phone, you’d be exposed, if you carried your cell phone. The ping data from your carried phone could be used to find out who made the call. Lacking that, surveillance video around the pay phone, whose number was recorded, would trap the prey. Hey, whatever happened to all the pay phones?

Such a database could be used to pressure reporters by pressuring associates. The phone for the reporter’s boss is searched and the associated number of a hooker appears. It’s suggested the boss tells the reporter to kill further reporting of this topic or his wife will be angry. Toss in a possible IRS audit for extra emphasis. The reporter is fired. He never knows why.

Of course, most people haven’t worked for the CIA and don’t have inside information. Most of us aren’t reporters, exposing corruption and wrongdoing. Most of us have nothing to fear by the politician-approved databases. That’s what we’re told.

To show how harmless this information is, the politicians supporting this data collection scheme should make their personal phone records public. Every outgoing call and incoming call made, with the time of the call, and location data, should be released.

If a lobbyist calls Senator Dianne Feinstein on her private cell phone and they talk for half an hour, shouldn’t Americans know this? The senators would never vote for that! Public officials should have a much higher level of disclosure than the average American. If they have all our data, it’s only fair we have theirs.

***
My Post: The End of Privacy In America