Tag Archives: security

Turning off Web Proxy Auto-Discovery Protocol (WPAD)

Along with blocking some trackers, running my own DNS with Pi-hole gives me the “super power” of being able to see what DNS queries my computers are doing. This morning, I happened to notice that my desktop PC had made a bunch of lookups for “wpad.lan”.

Pi-hole appends “.lan” to the name of any machine on the local network, but that’s not a name I recognized. So what’s going on here?

Googling for “wpad.lan” lead me to discover that it’s a protocol for automatically discovering and configuring proxy servers. Most operating systems have it off by default, but Windows defaults it to on. More concerning, having proxy auto-discovery turned on is a security concern. Not so much on a home or corporate network (indeed, it’s likely helpful for corporate networks, which is perhaps why it’s on by default), but if you have it on and connect to a public network (e.g. a coffee shop, library, etc.) an attacker may be able to see all the details of your http requests (not breaking https, but working around it).

The desktop PC isn’t super-portable, so I’m not too concerned about unfamiliar WiFi, but apparently this is even a risk if you’re using VPN, so I definitely want to lockdown the laptops.

A bit more digging led me to a How-To Geek article summarizing the problem and including detailed instructions on how to turn off the auto-discovery.

In a nutshell:

  1. Launch the settings app
  2. Go to “Network & Internet”
  3. In the left navigation, choose “Proxy”
  4. Turn off the slider for “Automatically detect settings.”

Resetting Your Password

You can change your password on any enterprise system by following these simple steps:

  1. Login to the password reset page by answering security questions anyone with Google can look up.
  2. Generate a strong password, such as
    yK5*BDbYv91xAaU!BukN
  3. Discover you can’t paste the secure password into the form.
  4. Click your password manager’s “Generate password” icon which generates a password into the field.
  5. Click Save.
  6. Discover that your password manager was blocked from saving the new password and that you no longer know your password.
  7. Discover that you can’t reset your password twice in one day.
  8. Email the system administrator, requesting that your account be unlocked.
  9. Login to the password page again, using those same easily Googable security questions.
  10. Set your password to
    P@$$word123

(Pro-tip: Substituting a dollar sign for each ‘s’ makes it extra secure.)

Password rules

Some very basic rules for managing your passwords:

  1. Don’t even think about using “password” as your password. That’s the number one most used password in the world.
  2. Consider using a password manager. No one will ever guess that your password is qwb5Qauz36H9Kleqyotx and with a password manager, you won’t have to remember it.
  3. If you must use a password you can remember, at least use a passphrase. “SixSillySwansSangSonnets” is much more secure than “Tr0ubad0r” (and a darn sight easier to remember the correct spelling).
  4. Never, ever, ever use the same password on two different sites. In short: if one site has a breach and the bad guys get hold of your username and password, they’re going to try using them on other sites as well.
  5. Faithfully following those rules doesn’t guarantee that none of your accounts will ever get hacked, too much of that’s out of your hands. But they’re a solid start and they’ll definitely help limit the damage.

    A non-technical relative admits to not understanding why people would use a password manager. Couldn’t someone just hack your password manager?

    Yes. That could potentially happen. The aforementioned password rules also apply when setting the password for your password manager.

    And you have to ask yourself, which system is more secure? A well-vetted, “battle tested” password manager (and I’m referring to the likes of LastPass, 1Password, or KeePass), storing passwords which are composed of 20 random letters and numbers? Or just using the site’s name with a couple letters and maybe a number?

    And which is easier? Keeping track of a single strong password for the password manager? Or trying to remember what password you used for 30, 40, or more different web sites? (Hint: you’re gonna remember the Six Silly Swans example for a long time.) The main reason people re-use passwords is that they need to keep track of so doggone many of them!

    The idea behind a password manager is that you only have to remember one really good password, and then the password manager remembers the rest of them.

    And the good password managers (I personally use LastPass and KeePass) use heavy-duty encryption. If you use a good password, it’s extraordinarily unlikely that anyone’s going to break into your password manager by brute-force guessing.

    (Image via Life of Pix on Pexels.com under Creative Commons 1.0 Universal)

Protecting Your Online Data

Advertisement for Norton VPN Dad forwarded an email he got from Symantec today. The subject line was “Breaking: New legislation affects your online privacy” and went on to suggest he could subscribe to their “Norton WiFi Privacy” product to stop his Internet Service Provider from selling his browsing data.

My take is that he should save his money. This is just Symantec doing some very opportunistic, and cynical, marketing. The place where a VPN is most valuable is when you’re using a network you don’t know whether to trust (e.g. the free WiFi at your neighborhood sub shop).

For now at least, Comcast, Verizon, AT&T and probably others are making a big deal about how they’re not collecting/selling your web browsing behavior (though they’re certainly leaving room to change that once the furor dies down — they did after all spend a huge amount of money lobbying against those rules).

Even without VPN, when you visit a web site that uses HTTPS (and more than half of the web does now), your internet provider can’t tell what you did there. They can certainly tell that you visited https://www.mybank.com, but because it’s https:// instead of http://, they can’t tell what specific pages you visited.

USA Today had a good article about some ways to protect your online privacy. Subscribing to a VPN service wasn’t one of them.

Dropbox

So, I woke up this morning to an email from Troy Hunt, or rather, a message from his Have I Been Pwned? service. It seems that my account was one of the 68,648,009 compromised in the Dropbox breach.

From the sound of things, there’s some mixed news. The bad news is, at the time of the breach, four years ago, many passwords were still being stored as SHA-1 (MD5) hashes. The good news is that they appear to have been salted hashes and the hash values weren’t included in the breach.

Dropbox did send out an alert a few days ago saying that they had reset passwords for anyone who hadn’t updated their password in the past four years (guilty!). The email said it was done as a precaution, but didn’t go into detail about what it was a precaution again. To find that out, you had to click through and read a blog post.

I’m probably OK. My password probably wasn’t as secure as it might have been, but thankfully, the lack of salt values for the SHA1 passwords should make them quite difficult to break. And perhaps most importantly, I’ve never used that same password anywhere else.

(But yes, I changed my password to something a bit more secure. It’s now 40 random characters generated by KeePass.)

Some important takeaways:

  1. Change your Dropbox password.
  2. Don’t use the same password in more than one place.
    • Consider a password manager. I’m mostly happy with KeePass, but also hear good things about LastPass.
  3. Consider turning on two-factor authentication.
  4. Consider also signing up with Have I Been Pwned?
  5. Why are you still reading this? Go change your Dropbox password!

(Photo from Pexels, free for non-commercial use.)

Three Minutes of Fame

Today I was internet-famous for slightly more than three minutes; just long enough for Richard Cambell and Carl Franklin to read and reply to a comment on an episode of the .Net Rocks Podcast.

Back in January, I left a comment on their website, regarding StartSSL and Let’s Encrypt, two providers of SSL certificates they’d mentioned during the show. Today, show 1287 came out, covering the topic of “InfoSec for Developers” and they used my comment (right about the 5:40 mark) as the segue to the conversation with their guest, security professional Kim Carter. (Interestingly, he turns out to be using security certificates from one of the sources I’d commented on.)

So if you don’t know that’s all about, an “SSL certificate” is one of the things you need in order to setup a secure website using HTTPS. This is part of what triggers the lock icon to appear when you’re viewing a secure web site. (You do look for that when buying things online, right?)

Richard made a valid point that a paid-for certificate really doesn’t get a whole lot more validation than what the free ones get, so if you’re able to take advantage of the free ones, there’s not really a lot of incentive not to. (it does leave the question of what extra value you get with a paid SSL certificate.)

The self-signed certificates mentioned in my question don’t have anyone vouching for their authenticity, though it’s not clear that the free or even the paid for certificates have anyone vouching for them either. There is another kind of certificate though, the “Extended Validation” certificate (which is what your bank should be using) which does involve some in-depth checking of identity.

One thing that does distinguish third-party (i.e. “real”) certificates from the self-signed ones is that if something goes wrong (e.g. the private key is stolen), a third-party certificate can be revoked. Since the webmaster is the only one vouching for a self-signed certificate, there’s no way to tell whether the person saying the certificate is valid is who they say they are. The third party certificates come from a source which has been validated, and there’s a secure chain of connections for verifying that the certificate can be trusted.

Is Your Computer at Risk?

If you have 10 minutes to spare, read about The Virus That Really Will Kill Your PC.

If you only have 5 minutes, the super-condensed version is that there’s a virus which may have altered your computer’s settings and if you’re infected, your web browser and email will stop working on July 9. To find out if you’re infected, visit http://www.dns-ok.us/. If the page shows up with a green background, then you’re in the clear (or at least, you don’t have this particular problem). A red background however means your internet connection will stop working in July.

The linked article is worth a read. In short, the FBI busted some bad guys who were hijacking people’s internet traffic by way of a virus that changes DNS settings. (DNS is the system that turns human-friendly address – such as www.thatblairguy.com – into computer friendly IP addresses.) For the time being, the FBI is running the DNS server the bad guys had been using, but that won’t go on forever.

The interesting question to me then is how does that web page work? Viewing the page source, there’s nothing but static HTML.

It turns out The Good Guys are taking advantage of the compromised DNS to set up an “eye chart”. If your computer is using a safe DNS system, then www.dns-ok.us resolves to an IP address where the “green light” page is displayed. But if your computer is using an unsafe DNS system (the one the bad guys put in place), then www.dns-ok.us resolves to the IP address of the “red light” page.

Thoughts on Blocking Malware

A friend just got her computer back from “the computer doctor.” Evidently it had been compromised with a root kit (the really nasty sort of software that runs at such a low-level your anti-virus software can’t see it). She uses three different anti-malware tools and was quite surprised that none of them caught it.

The problem with anti-virus software is it can only protect you against problems that are already known. The bad guys are constantly looking for new ways to attack your computer and the anti-virus programs are playing catch up. I’m not saying don’t use anti-virus software (the free version of Avast has saved me several times), just don’t count on it as your only defense.

So, is there any 100% guaranteed way to stop malware? Well, you could always unplug your computer from the Internet and never use it to access any USB drives or CDs, but that’s not exactly practical. And if you do stay online, even visiting only “known safe” sites doesn’t help much, since even legit sites get compromised on occasion.

But there are a few things you can do to help your odds. None of these approaches is 100% guaranteed to keep you safe, but they should help.

The Basics

This is “the usual stuff” you hear any time someone talks about how to stay safe online. It seems obvious, and yet it bears repeating because it’s easy to get careless:

  • Don’t open attachments you weren’t expecting, not even from people you know and trust. Maybe that attachment from your friend Bob really is the really important document the email says, but if you weren’t expecting it, you have no way of knowing.
  • Be skeptical of clicking links in unexpected emails. Your bank isn’t going to tell you to click a link to verify your account information. (If something like this ever does turn out to be legit, you need to change banks.)
  • Don’t download pirated software. Aside from the legal issues, pirated software frequently contains malware.

Slightly more Difficult

Beyond the basics, there are a few other things that are easy enough to do, but don’t always make it into the “How to stay safe” discussions. Most attacks against your computer are targeting the applications you run, not the operating system. (Running Windows isn’t as risky as reading a PDF file with Acrobat reader.)

  • Use a browser other than Internet Explorer. Microsoft’s made a lot of progress with the safety of Internet Explorer over the past few years. But even though IE recently dropped below 50% of the total browser market, it’s still the single most popular browser out there and therefore the one most likely to be targeted in online attacks.
  • Keep your system up to date. Not just the Windows/Mac/Whatever Operating System patches, but also the software you use. Use Microsoft Update instead of Windows Update to get patches for Office. Install Secunia’s Personal Software Inspector tool to find out what other software on your computer is out of date.
  • Uninstall software you don’t use. The more programs you have, the more likely you are to have something which has security problems. Bonus: You also save disk space!
  • Run “alternate” software. The more widely-used a given program is, the more tempting a target it becomes for the bad guys. Instead of Acrobat Reader, use Foxit Reader. Instead of Microsoft Office, use Libre Office (fully compatible documents, but also available for free.)
  • Uninstall Java. Most home users don’t need it, and older versions were not only laden with security problems, but the updates didn’t remove the older versions.
  • Don’t run as the Administrator. When you set up your computer, reserve the main account for software installations and the like. Create a second, less-privileged login ID for day to day tasks.

Security journalist Brian Krebs talks a bit more about keeping software up to date and what to install or delete in his: 3 Basic Rules for Online Safety

Going for the Gusto

Wanna go really hard-core?

  • Uninstall Flash (or install a flash blocker so that you have to approve any Flash scripts that run).
  • Install NoScript (same idea).
  • Don’t do any online banking with a Windows machine, use a Linux live CD instead. (For a business, I’d consider this one an absolute must.)
  • Use a third-party DNS provider. Both Open DNS and Google Public DNS provide a facility where you change a couple system settings and if you then attempt to access a site which serves up malware, they’ll block the connection.

The Takeaway

There are no magic bullets. None of these suggestions will provide absolute protection for all users. What might be overkill for one person’s situation might not be nearly enough protection for another. But by choosing the practices which make the most sense for you personally, you can tilt the odds a bit more in your favor.

Bonus Reading: Get a Mac/Switch to Linux

In most discussions of online security, someone inevitably replies “Get a Mac!” or “Switch to Linux.” It’s a bit like going to a concert and someone yelling, “Play Freebird.” It’s a wonderful song, and a few groups have done great covers in response, but it’s not always the best fit.

But if the suggestion is inevitable, I may as well be the one to make it and bring up some of the tradeoffs.

Switching to a Mac may actually make sense for some folks, but don’t make the switch thinking you’ll be invincible. At the annual CanSecWest security conference, there’s a “Pwn2Own” contest where security professionals attempt to break into computers running the latest versions of the Mac OS, Windows and Linux. The first one to succeed, wins the computer. Every year, the Mac is the first system compromised.

Now that’s what happens at a security conference. Macs are less common than Windows computers; so the bad guys have to work harder to find them. It’s much easier to attack the more common computers.

But malware targeting Macs has been cropping up too.

Other concerns with switching to a Mac:

  • You’ll have to buy all your software again. Assuming a Mac version even exists. Otherwise, you might have to look for an equivalent program.
  • Despite the marketing pitch, a Mac doesn’t always “just work.” Just two weeks ago a co-worker returned a Mac Notebook that was downloading over his WiFi at just 1/10 the speed of Windows computer. (Apple’s support wasn’t able to resolve the problem.)
  • You may encounter problems with incompatible file formats when sharing files with people who use Windows. Particularly if the programs you were using on Windows aren’t available for Mac and you had to switch to something else.

Linux tends to be the most secure OS of all (as noted earlier, most of the problems these days are the software you run on top of it). The main downfalls of Linux are:

  • Availability. Yes, it’s free to get a copy, but you still have to find where to download it, burn a CD, and install it. Although this is getting easier, it’s still not a set of tasks the average home user will be comfortable with.
  • Commercial software. Few software vendors on Windows or Mac have Linux versions of their software. Some do, but most do not. You’ll generally have to find an open source equivalent, and then work out how to share files with others who are on Windows or Mac.