We need a broader education in "Practical Paranoia"

A few organisations already send out fake phishing emails, offering the employees caught up in these pseudo-scams additional training (and, presumably, unbeknownst to them, additional monitoring). While a good beginning, we need a broader education in "Practical Paranoia": how to tell the difference

between commercial interest and national interest;
between marketing hype and political propaganda;
between authentic relationship and clever manipulation.

Without that training – and the techniques flowing from it – technology will remain the plaything of those who have mastered the arts of control.

https://www.theregister.co.uk/2018/11/13/security/

Common password attack methods

81 percent of hacking-related breaches occurred due to either stolen or weak passwords. -/-

The easiest way to gain access to information is by guessing an end user’s password. Many hackers extensively analyze both the keywords used in an organization as well as the keywords used in competitor organizations.
Hackers typically string together a set of potential keywords that may be commonly used by employees to get into a company’s network.

Instead of trying multiple passwords for one user, hackers try the same set of passwords for many users until they eventually get one password right. To their luck, if they happen to land an administrator-level password, the organization is doomed.

https://www.inuit.se/ebook-active-directory-password-policy-enforcer
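The pattern the excerpt describes (the same few passwords tried against many accounts) is what defenders call password spraying, and it looks different in logs from a brute-force attack on one account. The following is an added example, not code from the page or from the linked ebook, showing how to spot it: group failed logins by source, count distinct usernames inside a sliding time window, and then list any successful login from a flagged source, since that is the "got one password right" case that needs immediate attention. The log lines, field names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real system).
SAMPLE_LOG = """\
2018-11-13T09:00:01Z auth result=FAIL user=alice src=203.0.113.5
2018-11-13T09:00:04Z auth result=FAIL user=bob src=203.0.113.5
2018-11-13T09:00:07Z auth result=FAIL user=carol src=203.0.113.5
2018-11-13T09:00:10Z auth result=FAIL user=dave src=203.0.113.5
2018-11-13T09:00:13Z auth result=FAIL user=erin src=203.0.113.5
2018-11-13T09:00:16Z auth result=OK user=frank src=203.0.113.5
2018-11-13T09:01:00Z auth result=FAIL user=alice src=198.51.100.7
2018-11-13T09:01:30Z auth result=FAIL user=alice src=198.51.100.7
2018-11-13T09:02:00Z auth result=FAIL user=alice src=198.51.100.7
2018-11-13T09:02:30Z auth result=OK user=alice src=198.51.100.7
"""

# Assumed log shape for this example; adapt the regex to your own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, result, user, src) tuples, skipping odd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def find_spraying_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted distinct users} for every source that produced failed
    logins against at least `min_users` different accounts within one `window`.
    Many failures against a single account are deliberately not flagged here:
    that is classic brute force, normally handled by lockout policy."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start until the span fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def successful_logins_from(events, flagged):
    """(user, src) pairs that logged in successfully from a flagged source:
    the accounts whose password the sprayer most likely guessed."""
    return sorted(
        (user, src) for _, result, user, src in events
        if result == "OK" and src in flagged
    )


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = find_spraying_sources(ev)
    print("spraying sources:", hits)
    print("successes from those sources:", successful_logins_from(ev, hits))
```

On the constructed sample, 203.0.113.5 is flagged (five accounts in fifteen seconds) and frank's successful login from it is surfaced, while 198.51.100.7 (three failures against alice only) is left to the lockout policy. In production the same query runs against your directory or SSO audit log, with the window and threshold tuned to the normal failure rate of the environment.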

Most enterprise vulnerabilities remain unpatched a month after discovery

More bugs are being squashed by the enterprise, but the time it takes to do so leaves organizations at risk.

According to CA Veracode's latest State of Software Security (SOSS) report, up to 70 percent of bugs remain unpatched four weeks after disclosure, and close to 55 percent are not resolved three months after discovery.

Vulnerabilities impacting organization networks, apps, and infrastructure are not all equal, and part of responsible security practice requires that IT staff triage issues to resolve and patch the bugs which are considered the most dangerous to that company.

However, according to the cybersecurity firm, 25 percent of vulnerabilities which are attributed high-severity ratings are not addressed within 290 days, and a quarter of disclosed bugs which may not be so critical remain unpatched well after a year.

https://www.zdnet.com/article/the-majority-of-vulnerabilities-remain-unpatched-a-month-after-discovery

How to protect your phone or computer when crossing borders

Border agents have broad powers to search people crossing borders, including their phones and laptops. But there are ways to protect your data when crossing international borders if you understand the technology and the law.

-/-

US Customs and Border Protection (CBP) agents are responsible for enforcing immigration laws and preventing the entry of criminals. Courts have so far ruled that they are allowed to search your devices for any reason or no reason at all. You might get flagged for a device search because there is something wrong with your travel documents, your name is in a law enforcement database, or you were simply chosen for random search.

There are two levels of search, according to the CBP policy on device searches. A basic search is a simple inspection of your data, including your apps, photos, chats, and other files. An advanced search involves using external equipment to access files (including deleted data), copy data, and analyze it. CBP agents need to have reasonable suspicion of a crime or violation, or a national security concern and supervisor approval.

Agents can also “detain” your device for a “reasonable period of time” while they extract your data, copy it, or attempt to break your passwords or encryption.

https://protonmail.com/blog/border-crossing-protect-electronics/

Column: A dirty end for the internet's biggest ghost town

Despite billions invested, the forced enrolment of every Gmail user and seven years of trying, Google never got its social network Google+ off the ground. Now that the network is being shut down, it is after users' privacy was put at risk by a security hole.

-/-

But the reason Google is finally giving Google+ the silken cord is serious. In March this year a security hole was discovered that made half a million users' private data available to friends and third-party apps. Disclosing a serious security hole six months after its discovery, and only after the Wall Street Journal had exposed it, would have been a serious breach of the GDPR, which came into force two months after the leak. They will probably be sued in the US as well.

https://www.jajja.com/jajja-magazine/ett-smutsigt-slut-for-internets-storsta-spokstad/

Protect your computer against phishing attempts and other forms of online fraud

https://support.office.com/sv-se/article/skydda-datorn-mot-n%C3%A4tfiskef%C3%B6rs%C3%B6k-och-andra-former-av-onlinebedr%C3%A4gerier-be0de46a-29cd-4c59-aaaf-136cf177d593

https is not the same as a secure domain

https can be misread as Secure

It really only means that the traffic is encrypted, and that in itself is good! But it does not mean that you have an encrypted connection to the party you intended.

Domain name = what surrounds the last dot before the slash

Thousands of certificates are registered that encrypt communication with sites that look exactly like the one you intended to visit, but whose address is not exact, only similar.
You end up at the domain formed by what stands before and after the last dot, and before any slash.

Examples of fake domains:

  1. servicesonline-americanexpress.com
    There is no dot before americanexpress.com.
    The whole address is the domain, but you might think it is servicesonline at American Express
  2. dropbox.com.login.verify.danaharperandfriends.com
    There is no slash after dropbox.com.
    The domain is danaharperandfriends.com
  3. login-appleid.com-direct-apple.com
    There is no dot before appleid.com, and there is no slash after appleid.com either.
    The domain is com-direct-apple.com

Some internet programs show the actual domain name in black. All programs also let you see whom the certificate was issued to, usually by clicking the padlock.

More on fake certificates at Netcraft, https://toolbar.netcraft.com/stats/certificate_authorities.

Google Chrome no longer says that a site is secure just because it has https. https://blogg.loopia.se/tag/google-chrome/.
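The "last dot before the slash" rule above can be written down as a small check, which makes the three fake domains in the list easy to reason about. The code below is an added example, not from the original page: it extracts the host from a URL, applies the page's rule to name the domain you would actually be talking to, and tests whether that host genuinely is the expected brand domain or a subdomain of it (a dot must separate them; a hyphen does not count). The URLs marked genuine-shaped are constructed for the example. One caveat the page does not mention: the two-label rule is too naive for multi-label public suffixes such as co.uk, where real tooling consults the Public Suffix List.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Host part of a URL: what follows the scheme up to the first slash,
    lower-cased, with any port and trailing dot stripped."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to locate the host
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def registrable_domain(url):
    """The page's rule: the label before the last dot plus the label after it.
    Assumption (not from the page): a single-label public suffix. For co.uk-style
    suffixes this returns the wrong answer; use the Public Suffix List there."""
    host = host_of(url)
    labels = host.split(".")
    if len(labels) < 2:
        return host
    return ".".join(labels[-2:])


def belongs_to(url, expected_domain):
    """True only if the host is expected_domain itself or a true subdomain of it.
    'login-appleid.com-direct-apple.com' ends in '-apple.com', not '.apple.com',
    so it is rejected even though the brand name appears in it."""
    host = host_of(url)
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


# The page's three fake addresses, plus two constructed genuine-shaped ones.
CASES = [
    ("https://servicesonline-americanexpress.com/login", "americanexpress.com"),
    ("https://dropbox.com.login.verify.danaharperandfriends.com/", "dropbox.com"),
    ("https://login-appleid.com-direct-apple.com/account", "apple.com"),
    ("https://www.dropbox.com/login", "dropbox.com"),
    ("https://appleid.apple.com/", "apple.com"),
]


def classify(cases=CASES):
    """(domain you would really reach, whether it belongs to the expected brand)."""
    return [(registrable_domain(u), belongs_to(u, expected)) for u, expected in cases]


if __name__ == "__main__":
    for (url, expected), (dom, ok) in zip(CASES, classify()):
        print(f"{'OK ' if ok else 'NO '} {url} -> {dom} (expected {expected})")
```

Running it prints NO for all three addresses from the list, naming servicesonline-americanexpress.com, danaharperandfriends.com and com-direct-apple.com as the domains actually reached, and OK for the two genuine-shaped hosts. The same check is what a mail filter or a browser's domain highlighting does before deciding whether the padlock means anything to you.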

Put your trust in green certificates. They are Extended Validated!

Extended Validation server certificates may be shown as a green address bar. They are expected when the transactions you do with the site are extra valuable, e.g. banking and health businesses.

An EV Certificate is a fairly new type of certificate that is designed to prevent phishing attacks better than normal SSL certificates. An SSL certificate provider has to do some extensive validation before issuing one, including:

  • Verifying that your organization is legally registered and active
  • Verifying the address and phone number of your organization
  • Verifying that your organization has exclusive right to use the domain specified in the EV Certificate
  • Verifying that the person ordering the certificate has been authorized by the organization
  • Verifying that your organization is not on any government blacklists

EV Certificate image at sslshopper.com

https://www.sslshopper.com/cheapest-ev-ssl-certificates.html

It is even better if the Certificate Provider is one that can be trusted.