Its the most wonderful time of the year – Patching

does that say patching plaster or patch faster? ūüėČ

Remember back when Summer and Christmas break was a high time of concern.¬† The kids were out of college and ready to try out their skills.¬† Christmas was worse because so many people were out of the office, no one would notice.¬† Or if they did the response would be limited.¬† ¬†Now that’s what we call Tuesday afternoon.¬† Now days, the sysadmins have to deal not just with college code projects, but insider threat, money motivated attackers, and nation states.

This week, Microsoft’s “out-of-band” security update reminded me of the old times.¬† ¬† An out-of-band update is simply a unscheduled one.¬† Its released out of the regular schedule because it is currently being exploited.¬† This lends a sense of urgency.¬† ¬† Some companies may have already bypassed December updates because of staffing, or scheduling.¬† Anyone in retail certainly has a change freeze in effect.¬† Now on top of that there is a special update for Internet Explorer.

Information about the update for Internet Explorer is available here : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653 

Kanye’s Password

Everyone and his brother, inside of infosec and outside has been chortling at Kanye’s iPhone password.   Its 00000.

Not everyone is in on the joke.
Some express OUTRAGE.¬† ‚Äúhow dare you share that man‚Äôs password” (it was on CNN, its out there now).
Some (and these remind me of the 4D Chess MAGA people) theorize that Kanye is thinking 12 steps ahead.  He knew his password input would be on camera while at the White House so he temporarily set it to 00000.
And the last were the virtue signalers I mentioned.¬† ‚Äúhow dare you password shame Kanye, at least he has a password.‚ÄĚ

And it is true.  By HAVING a password, encryption is enabled on the iPhone.
it is also true that few of us would be able to exploit knowledge of Kanye’s password as we don’t have hands on his phone.

But lets be honest.  A password of 00000 is pretty hilarious.

Self disclosure ‚Äď one of my older accounts has failed the LastPass password audit because the password was compromised previously, and its used in more than one place.¬†¬† But given the difficulty in updating this particular password, and the low risk level, I let it be until a forced password change recently.¬†¬† Sometimes you just use dumb passwords.¬† And if it filmed I‚Äôd be razzed for it too.

Airplay Annoyance

I’ve never used Apple Airplay before.¬† ¬†I have an AppleTV that was free for paying¬† for a 3 month subscription with DirecTV Now.¬† But I hadn’t intentionally fired it up since cancelling that subscription.

This week I bought a new TV.   While watching The Dark Knight on Netflix, suddenly the TV changes inputs to the AppleTV and Katherines Ipad is requesting to perform remote control, and a PIN is displayed to be typed into the iPad.

Generally, I like to think I have a tight reign on my computer devices, but Apple has snuck this one up on me.

Apparently by default, via Bluetooth, my neighbors can connect to my AppleTV.¬† ¬†I’m guessing that with my old TV this would occur, and I just wouldn’t notice the AppleTV turn on, but the new TV is smart enough to switch to the new input.¬† ¬† So essentially Apple and Samsung have conspired to have my neighbor denial of service my movie watching.

First steps

  1. ¬†Make sure the apple TV is on my wifi.¬† ¬†Pretty sure the neighbor hasn’t guessed my 100+ character pre-shared key.
  2. Disable Bluetooth.  Of course my generation of AppleTV cant do that.
  3. change the name of the AppleTV.¬† If everyone in the neighborhood is named the default “AppleTV”, no wonder people are accidentally clicking on the wrong device.¬† ¬†On my AppleTV, this was under Settings -> General -> About.¬† On newer models it is found under Settings -> Airplay.
  4. Under Settings -> Airplay -> Airplay, set Allow Access to “Anyone on the same network”.¬† The default is “everyone”.¬† I guess “it just works” trumps security.¬† ¬†Unfortunately I cant find good documentation if bluetooth users are considered on the same network.
    Set “Also Allow Nearby to Airplay” to off.¬† Again, having trouble finding description of this setting.¬† But it seems safe.
    Enable requiring a password for airplay.

    I then turned off wifi on my phone, and verified that no airplay devices were visible over Bluetooth

    And now that I”m looking further it seems my new Samsung is in perpetual discovery mode.¬† ¬†So any rando nearby can request to pair, and on the TV, I’ll be prompted to allow, deny or close.¬† Haven’t found a way to disable that yet.¬† ¬†Lovely.

Link – What happens when you reply to spam email (Veitch)

There are people who enjoy messing with scammers by replying to scam, or implementing the Jolly Roger Telephone company.

While its a few years old, I just watched a couple of James Veitch Ted Talks on what happens when you reply to spam email. Its hilarious.

This is what happens when you reply to spam email | James Veitch

Watch this video on YouTube.

Tuning up my WordPress Install

Dreamhost was sending me cryptic emails about my site using too many resources then dieing as a result.

Then Jetpack site monitoring was finding the site down, presumably due to running out of resources.

And the homepage loaded too slowly.

So a technical problem was at hand.

There aren’t a lot of resources out there for troubleshooting this sort of issue. GoDaddy has a long abandoned plugin that would tell you which WordPress plugins were using the most RAM. It no longer worked. The current state of site troubleshooting is to disable your plug-ins one at a time, and use another plugin to monitor site RAM usage. I found it better to start with a list of plugins known to cause excessive resource usage, and then run a speedtest at gtmetrix.com.

So I said goodbye to some plugins. The one I’ll miss the most is one that posted related posts on if you viewed a post from the single post page. Plugins like that are designed to keep eyeballs on that page. I also disabled the Better Tag cloud plugin. I liked it there in the sidebar. Tags are better than categories in my opinion. But Tag Clouds are really a think of the past. So is blogging for that matter. Yet here I am.

Jetpack is frequently a target for people trying to save resources. After reviewing the features I used, I decided to disable it.

The main thing slowing down my page, was the embedded Youtube videos. I installed WP Youtube Lyte, a plugin that now displays a screenshot of the video rather than embedding the actual video. When you click on the screen, then the video loads. If you’re on mobile, you’ll need to click twice. If you’re in a RSS reader, you’ll need to click the view on Youtube link.

Lastly, I made some changes to caching at Cloudflare following the cloudflare site settings listed in an article on W3 Total Cache and Cloudflare. I did not install W3 Total Cache. I’ll have to keep an eye on it to see if I’ve successfully enabled caching without delaying when people see my content.

When I started the front page of InfosecBlog.org was loading in 3 to 4 seconds according to gtmetrix. Its now loading in 0.6 to 1 second.

SMBv1 isn’t safe

Long before WannaCry used a recently patched Microsoft vulnerability to exploit machines, the recommendation was to disable SMBv1.

Disabling old protocols isn’t sexy. ¬† You’re breaking things, and not introducing new features. ¬†You’re fixing theoretical future attacks. ¬† Perhaps the willingness to take on this challenge is a good measure of the maturity level of a security program. ¬†Are you sitting around waiting for an attack so you have the justification of making a change. ¬†Are you sitting around waiting for a vendor to do it for you. ¬†(“I didn’t want to disable SSL3, your default browser did that. ¬†Guess you need to update the server application.”) ¬†Disabling it before an attack or before a vendor disables it for you is a better idea. ¬†You can proceed at your own pace. You can do testing.

This doesn’t mean it’s an easy road. ¬† One of my security product vendors sent out an alert today warning customers that disabling SMBv1 will lead to an unspecified loss of functionality. ¬† This is the other problem. ¬† Security vendors are all too lax about security.

Leaving old protocols enabled exposes you to vulnerabilities.  Frequently even when newer versions of protocols are available, downgrade attacks force you to use the vulnerable protocol.  Stay up to date on best practices.  Be proactive about your company security rather than just being a sit filler waiting for the next emergency.

Battery Backup PSA

One of the better things you can do to protect your money spent on electronics devices is have a good surge protector and battery backup. ¬† If you’re like me, you only buy the kind where you can disable the audible alarms. ¬†The problem with this is now you might not get any warning if the battery goes bad.

In some cases you’ll have the battery backup connected to a computer via USB and receive notices that way. ¬†But in other cases where the battery backup is protecting home entertainment equipment, your cable modem or your router, you might not know you have a problem until you happen to be home during a power hit. ¬† Imagine how many times your equipment may have taken a hit that you didn’t know about.

The battery backup I just purchased says the battery is good for about three years.   So put it on your calendar.   If your battery backup has a visual indicator that its broken check that.   And you may want to use the software that comes with the battery backup to connect to each and manually run a self test.  (consult your own UPS manual about the best way to do that.)

Wanna Get Away – Generals Password

I see this was posted 3 months ago to Youtube, but its new to me.

 

Southwest Airlines Commercial – General saying he hates his job.

Watch this video on YouTube.

This being blogging, lets over-analyze.

The General’s password is ihatemyjob1.

Not a bad password.  Using a passphrase is easy to remember.  Easy to type.
No doubt he should have capitalized the “I”. ¬†Most systems can handle spaces, which would add some length. ¬†Putting in a “@” in for a and a “0” in for o would add some complexity. ¬†If the password file is compromised, this wouldn’t be enough to prevent breaking the hash. ¬†But its good for a day-to-day logon. ¬†For accounts where a password safe can be used to ease login, random would be better. ¬†But that doesn’t work for every account.

The General’s password is echoed to the screen. ¬† Typical security controls require that your password not be displayed on the screen. ¬†It should be replaced by asterisks. ¬†The General would also have been better entering it himself and not telling a subordinate the password. ¬†He could have turned off the output of the computer to the big screen temporarily to prevent the room from seeing the password.

In pressure situations, its easy to take actions that compromise our security.  This is the type of feeling that phishers, and fraudsters often try to create so you just act and not thinking about if what you are doing makes sense.

Yes, it’s just a funny commercial. ¬†But it can also be used as a teachable moment. ¬†Hopefully without sucking all the fun out of the commercial