iOS Hotspot password insecurity

When you enable the Personal Hotspot feature on your iPhone, iOS will generate a password on your behalf.

It’s convenient, but it’s not very secure, because the generated password is a short English word with a couple of digits added on (would you believe it?).

Change your hotspot password from the default one that is generated by iOS to a strong password of your own. It’s easy enough to do: just tap Settings > Personal Hotspot or Settings > General > Cellular > Personal Hotspot, depending on your device and software. Then tap the WiFi password field and type in a new phrase. The new password must be at least eight characters long and use ASCII/Unicode characters.

You can read more about the Personal Hotspot feature on Apple’s iOS support page.


Cleaning Off Malware

Once a machine has been infected with some form of malware, one of the most urgent steps is to disinfect that machine so it can be put back to use. Safely.

Unfortunately this is not as easy as it may well seem. There are many products out there that claim to be able to clean infections off a machine, and it turns out that they can all clean most infections off a machine, but not necessarily all. The safe option is to wipe the machine and re-install from safe media.

Of course some tools are fine for some infections, and those who are experienced in the use of such tools can safely remove some infections. But not all; the safe option is to wipe the machine and re-install from safe media.

This does assume that the malware is not being written to the firmware of the computer, its graphics card, network card, or other device; in which case the safe option above is not safe. However, infections that write themselves to firmware seem to be more in the nature of lab experiments rather than real threats today.

Further reading :-


It keeps happening…

A laptop containing the personal information and bank account details of thousands of people and businesses has been stolen from Glasgow City Council. It was one of two laptops stolen during a break-in at the council offices in Cochrane Street on Tuesday 29 May.

The information on the laptop relates to 17,692 companies and 20,143 individuals, including names and addresses and, in the case of 16,451 customers, bank account details.

The local authority is now contacting 37,835 affected customers, including suppliers and people receiving winter fuel payments and care grants.

The laptop was password-protected but not encrypted.

Editorial:

Why was so much important data stored on a laptop? My guess is it was kept by someone as an unofficial backup “just in case” …

Why was the laptop not encrypted? Who knows? But even laptops that never leave the workplace are not exempt from encryption.

http://www.bbc.co.uk/news/uk-scotland-glasgow-west-18399576



The “White House Explosion” – Associated Press Blushes

The full story:-

http://www.theregister.co.uk/2013/04/23/hacked_ap_tweet_dow_decline/

But basically what happened here is that the Associated Press Twitter account(s) had weak passwords, and the “hackers” found out what the passwords were and used that knowledge to post a fake announcement.

We can blame the hackers for probing for weak passwords, finding one, and then posting something to an account that didn’t belong to them.

But should we also not blame the Associated Press for using weak passwords in the first place? This isn’t just some individual’s Twitter account blathering on about what they ate for breakfast, but an organisation’s account that is used for publishing news.

And that news was pounced upon by HFT traders causing a big share price drop (itself a matter of concern). So some people may well have suffered a genuine financial loss here, and whilst the blame needs to be shared out appropriately, Associated Press is at least partially to blame.


It’s Not Really From Them!

One of the things we get asked about the most is spam (not SPAM!), where somebody has been sent some sort of junk email. Spammers are learning a trick from phishing attacks (not surprisingly, as spammers send out email-based phishing attacks), which is to forge a sender from the same domain as the recipient: if you were fred@example.com, the spam would come from harry@example.com.

The use of the same domain like this is technically no more than what spammers have been doing for years, which is to forge the mail address headers so that the sender appears to be an innocent victim. But the key change is to use the address of someone at your organisation to add extra credibility.

When getting a strange email, there are several things to do :-

  1. Don’t click on any links until you are sure that the email is genuine and isn’t likely to cause any damage.
  2. If it came from an email address you recognise, you can always check with that person to see if they really sent it.
  3. If the spam contains a link, use the right-click menu to Copy the link into the clipboard and check it with http://www.mywot.com/ (there’s a search form at the top right). If the links go to somewhere that isn’t trusted by the “Web of Trust”, it is likely there is something wrong with the spammed site.
  4. There’s also the standard advice: If it looks too good to be true, it probably is. Although sophisticated spam may try to avoid this, a great deal of spam makes exaggerated claims, promises the world, etc.
  5. Put it aside and think about it later.
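As an added example (not code from the original post), the following Python check shows how the same-domain forgery described above shows up in the headers: the From: line claims a colleague at the recipient's own domain, but the envelope sender and the first relay hop belong to somebody else. It assumes the organisation's domain is example.com and uses two constructed messages.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). Both carry a From: address in
# our own domain; only the second actually entered via one of our own hosts.
RAW_SPOOFED = """\
Return-Path: <bounce@bulk-sender.invalid>
Received: from mx.bulk-sender.invalid (mx.bulk-sender.invalid [203.0.113.7])
    by mail.example.com with ESMTP; Mon, 22 Apr 2013 10:00:00 +0000
From: Harry <harry@example.com>
To: fred@example.com
Subject: Your account needs attention
"""

RAW_INTERNAL = """\
Return-Path: <harry@example.com>
Received: from desk42.example.com (desk42.example.com [192.0.2.10])
    by mail.example.com with ESMTP; Mon, 22 Apr 2013 10:05:00 +0000
From: Harry <harry@example.com>
To: fred@example.com
Subject: Lunch?
"""

def domain_of(addr):
    """Bare domain part of an address header value ('' if none)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def same_domain_spoof_indicators(raw, our_domain):
    """Reasons a message whose From: claims our_domain looks forged.
    Empty list: nothing suspicious. Non-empty: a prompt to check with the
    apparent sender (step 2 above), not proof of spam by itself."""
    msg = email.message_from_string(raw, policy=policy.default)
    if domain_of(msg.get("From", "")) != our_domain:
        return []  # only messages claiming to be from our own domain are checked
    reasons = []
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != our_domain:
        reasons.append(f"envelope sender domain {rp_domain} is not {our_domain}")
    # Each relay prepends a Received: header, so the last one in the list is
    # the first hop: the host that handed the message to our mail server.
    received = msg.get_all("Received", [])
    if received:
        hop = re.search(r"\bfrom\s+(\S+)", str(received[-1]))
        if hop and not hop.group(1).lower().endswith("." + our_domain):
            reasons.append(f"first hop {hop.group(1)} is outside {our_domain}")
    return reasons
```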

Thanks to those wonderful people at Sophos for the Threatsaurus…

https://docs.google.com/file/d/0B1141u7A3O44NDRuSm5Ud3p6R2M/edit?usp=sharing


Please Ask Us!

As the subject suggests … if you want to ask us questions, please do so! Specifically for suggesting new topics for this blog, but any questions would be appreciated and answered, either here or as an individual reply.

There is also now a new Google group for anyone interested in IT Security – see here. Anyone can join!


DNS Firewall Protection

The following video is a vendor trying to sell something :-

https://www.youtube.com/watch?v=jooV0HG01wg

The mechanism itself can be provided by standard DNS infrastructure using the RPZ (Response Policy Zone) feature; the difficult part is the “Malware Data Feed”, as this needs a high-quality source of data about which DNS names should be blocked.
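To make the split between mechanism and data feed concrete, here is an added Python model (not code from the original post or from any DNS vendor) of how a feed of bad names is expressed as RPZ policy records and how a resolver decides what a query name triggers. The feed contents, the zone name rpz.local and the sinkhole address are constructed placeholders; the record conventions (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. to allow) are the standard RPZ ones.

```python
# Constructed "malware data feed": name -> policy action (placeholders only).
FEED = {
    "malware-c2.example": "nxdomain",    # pretend the name does not exist
    "phish.example": "nodata",           # name exists but has no answer
    "ads.example": "sinkhole",           # redirect to a walled-garden address
    "safe.partner.example": "passthru",  # explicit allow, overrides nothing else
}

# How each action is encoded as the RDATA of an RPZ record.
ACTIONS = {
    "nxdomain": "CNAME .",
    "nodata": "CNAME *.",
    "passthru": "CNAME rpz-passthru.",
    "sinkhole": "A 192.0.2.1",  # TEST-NET address standing in for a sinkhole
}

def rpz_zone_records(feed, zone="rpz.local"):
    """Render the feed as QNAME-trigger records for a policy zone: one record
    for the name itself and one wildcard record covering every subdomain."""
    records = []
    for name, action in sorted(feed.items()):
        rdata = ACTIONS[action]
        records.append(f"{name}.{zone}. IN {rdata}")
        records.append(f"*.{name}.{zone}. IN {rdata}")
    return records

def rpz_policy_for(qname, feed):
    """Decide which feed entry (if any) a query name triggers. The exact
    name wins over an enclosing wildcard, and the closest wildcard wins
    over a wider one; None means 'answer normally'."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return None
```

The point the post makes is visible here: the mechanism is a few dozen lines of zone data, while everything of value lives in FEED, which is why the quality of the feed is the hard part.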


Be Careful With Your File Shares

Windows (and OS X) make it quite easy to share directories and files with other people on the same network. Which is all very well, but if you move to a different network those shares may no longer be appropriate.

As an example, imagine you share a directory containing family photos and videos so that your family can grab copies of them. And then you take your laptop into work; all those photos and videos are visible to anyone using the same wireless access point you are using. There is of course the reverse – you could be intentionally sharing some work documents with your colleagues and unintentionally also sharing them with your family when you take your laptop home.

In the first case, it is your decision on whether you want random strangers to see your family photos and videos. However in the second, you should really not be using shares on your laptop to share documents at work. There are plenty of other options for sharing documents – the K drive, the EDM system, Google Docs, etc., so there is no real need for turning on file sharing.

If you want to disable sharing :-

You can set up sharing so that it is only enabled on a “Home” network, but that looks to be quite complex so you may have to spend some time working out what gets enabled and where.


Looking For Security Holes Is Dangerous

One of the very first things that is mentioned on any course on penetration testing (or related fields) is that any use of “hacking” tools is dangerous. Even if it is your job to look for security holes, you really need a “get out of gaol” card to explicitly grant you permission to use such tools. The consequences of unauthorised use of such tools can be drastic, and take many years to fade away. There are a number of stories of the consequences of not paying attention to this, but the most recent is :-

http://nakedsecurity.sophos.com/2013/01/21/computer-science-student-first-praised-then-expelled-for-poking-around/

I would really hope that we would not react in such a way.

Of course this student was doing something wrong, and he deserved some sort of action after scanning the vulnerable web site a second time. But not being kicked out!

In fact, in addition to being an example of what can happen when using security tools without authorisation, it is also an example of how dealing with security incidents can be tricky. Security incidents need a proportionate response; in this case the response was more damaging to the institution than the incident itself.
