Airplay Annoyance

I’ve never used Apple Airplay before.   I have an AppleTV that was free for paying  for a 3 month subscription with DirecTV Now.  But I hadn’t intentionally fired it up since cancelling that subscription.

This week I bought a new TV.   While watching The Dark Knight on Netflix, suddenly the TV changes inputs to the AppleTV and Katherines Ipad is requesting to perform remote control, and a PIN is displayed to be typed into the iPad.

Generally, I like to think I have a tight reign on my computer devices, but Apple has snuck this one up on me.

Apparently by default, via Bluetooth, my neighbors can connect to my AppleTV.   I’m guessing that with my old TV this would occur, and I just wouldn’t notice the AppleTV turn on, but the new TV is smart enough to switch to the new input.    So essentially Apple and Samsung have conspired to have my neighbor denial of service my movie watching.

First steps

  1.  Make sure the apple TV is on my wifi.   Pretty sure the neighbor hasn’t guessed my 100+ character pre-shared key.
  2. Disable Bluetooth.  Of course my generation of AppleTV cant do that.
  3. change the name of the AppleTV.  If everyone in the neighborhood is named the default “AppleTV”, no wonder people are accidentally clicking on the wrong device.   On my AppleTV, this was under Settings -> General -> About.  On newer models it is found under Settings -> Airplay.
  4. Under Settings -> Airplay -> Airplay, set Allow Access to “Anyone on the same network”.  The default is “everyone”.  I guess “it just works” trumps security.   Unfortunately I cant find good documentation if bluetooth users are considered on the same network.
    Set “Also Allow Nearby to Airplay” to off.  Again, having trouble finding description of this setting.  But it seems safe.
    Enable requiring a password for airplay.

    I then turned off wifi on my phone, and verified that no airplay devices were visible over Bluetooth

    And now that I”m looking further it seems my new Samsung is in perpetual discovery mode.   So any rando nearby can request to pair, and on the TV, I’ll be prompted to allow, deny or close.  Haven’t found a way to disable that yet.   Lovely.

Tuning up my WordPress Install

Dreamhost was sending me cryptic emails about my site using too many resources then dieing as a result.

Then Jetpack site monitoring was finding the site down, presumably due to running out of resources.

And the homepage loaded too slowly.

So a technical problem was at hand.

There aren’t a lot of resources out there for troubleshooting this sort of issue. GoDaddy has a long abandoned plugin that would tell you which WordPress plugins were using the most RAM. It no longer worked. The current state of site troubleshooting is to disable your plug-ins one at a time, and use another plugin to monitor site RAM usage. I found it better to start with a list of plugins known to cause excessive resource usage, and then run a speedtest at gtmetrix.com.

So I said goodbye to some plugins. The one I’ll miss the most is one that posted related posts on if you viewed a post from the single post page. Plugins like that are designed to keep eyeballs on that page. I also disabled the Better Tag cloud plugin. I liked it there in the sidebar. Tags are better than categories in my opinion. But Tag Clouds are really a think of the past. So is blogging for that matter. Yet here I am.

Jetpack is frequently a target for people trying to save resources. After reviewing the features I used, I decided to disable it.

The main thing slowing down my page, was the embedded Youtube videos. I installed WP Youtube Lyte, a plugin that now displays a screenshot of the video rather than embedding the actual video. When you click on the screen, then the video loads. If you’re on mobile, you’ll need to click twice. If you’re in a RSS reader, you’ll need to click the view on Youtube link.

Lastly, I made some changes to caching at Cloudflare following the cloudflare site settings listed in an article on W3 Total Cache and Cloudflare. I did not install W3 Total Cache. I’ll have to keep an eye on it to see if I’ve successfully enabled caching without delaying when people see my content.

When I started the front page of InfosecBlog.org was loading in 3 to 4 seconds according to gtmetrix. Its now loading in 0.6 to 1 second.

SMBv1 isn’t safe

Long before WannaCry used a recently patched Microsoft vulnerability to exploit machines, the recommendation was to disable SMBv1.

Disabling old protocols isn’t sexy.   You’re breaking things, and not introducing new features.  You’re fixing theoretical future attacks.   Perhaps the willingness to take on this challenge is a good measure of the maturity level of a security program.  Are you sitting around waiting for an attack so you have the justification of making a change.  Are you sitting around waiting for a vendor to do it for you.  (“I didn’t want to disable SSL3, your default browser did that.  Guess you need to update the server application.”)  Disabling it before an attack or before a vendor disables it for you is a better idea.  You can proceed at your own pace. You can do testing.

This doesn’t mean it’s an easy road.   One of my security product vendors sent out an alert today warning customers that disabling SMBv1 will lead to an unspecified loss of functionality.   This is the other problem.   Security vendors are all too lax about security.

Leaving old protocols enabled exposes you to vulnerabilities.  Frequently even when newer versions of protocols are available, downgrade attacks force you to use the vulnerable protocol.  Stay up to date on best practices.  Be proactive about your company security rather than just being a sit filler waiting for the next emergency.

Battery Backup PSA

One of the better things you can do to protect your money spent on electronics devices is have a good surge protector and battery backup.   If you’re like me, you only buy the kind where you can disable the audible alarms.  The problem with this is now you might not get any warning if the battery goes bad.

In some cases you’ll have the battery backup connected to a computer via USB and receive notices that way.  But in other cases where the battery backup is protecting home entertainment equipment, your cable modem or your router, you might not know you have a problem until you happen to be home during a power hit.   Imagine how many times your equipment may have taken a hit that you didn’t know about.

The battery backup I just purchased says the battery is good for about three years.   So put it on your calendar.   If your battery backup has a visual indicator that its broken check that.   And you may want to use the software that comes with the battery backup to connect to each and manually run a self test.  (consult your own UPS manual about the best way to do that.)

Wanna Get Away – Generals Password

I see this was posted 3 months ago to Youtube, but its new to me.

 

Southwest Airlines Commercial – General saying he hates his job.

Watch this video on YouTube.

This being blogging, lets over-analyze.

The General’s password is ihatemyjob1.

Not a bad password.  Using a passphrase is easy to remember.  Easy to type.
No doubt he should have capitalized the “I”.  Most systems can handle spaces, which would add some length.  Putting in a “@” in for a and a “0” in for o would add some complexity.  If the password file is compromised, this wouldn’t be enough to prevent breaking the hash.  But its good for a day-to-day logon.  For accounts where a password safe can be used to ease login, random would be better.  But that doesn’t work for every account.

The General’s password is echoed to the screen.   Typical security controls require that your password not be displayed on the screen.  It should be replaced by asterisks.  The General would also have been better entering it himself and not telling a subordinate the password.  He could have turned off the output of the computer to the big screen temporarily to prevent the room from seeing the password.

In pressure situations, its easy to take actions that compromise our security.  This is the type of feeling that phishers, and fraudsters often try to create so you just act and not thinking about if what you are doing makes sense.

Yes, it’s just a funny commercial.  But it can also be used as a teachable moment.  Hopefully without sucking all the fun out of the commercial

Configuring GMail to check ISP Mail

My primary email address assigned by my ISP can’t be changed.   It gets a lot of spam  In the past that wasn’t really a problem because I rarely used it for anything, but a few years ago I foolishly began using it on resumes.   Its format is first initial + lastname @ ISP so its relatively professional.   Unfortunately there are other people in the world who think that is their email address.   That doesn’t help the spam problem.

I could just not check it.  But I might miss important emails from my ISP.

I decided that rather than continuing to see spam on my iPhone, then subsequently opening webmail in order to report the spam that I would use GMail to pull my ISP mailbox.   GMails spam filters are much more robust, and thus far I haven’t had a single false negative or false positive.

Configuring GMail to check external accounts using POP3 is easy.   You can google that up if you really want to know how.  During the config, you select whether to leave a copy of the message on the server.   While setting this up, you can set up all mail from this account to be stored with a specific label so it doesn’t get lost in all your other Google Mail.

When I was searching for how to do this, I did see some people who caution that Google pays attention.  And if don’t get that much mail, it will check less and less frequently.  That isn’t an issue for me since nothing of importance occurs on that account.  But it is something to be aware of.

Happy with my decision to leverage Google Mail’s spam filter against my ISP mailbox I then configured my iPhone to no longer check that account separately.

Siri Lock Screen Bypass in news your non security friends read

This morning I read an article on Good HouseKeeping (don’t make fun, it was a link on one of the news links that get pushed in your face on my start page.  I think it was Bing. I hate the news links but like the pictures).  It’s interesting to see what security items make it into websites for ‘normal’ people.

The scare headline read “A New iPhone Hack Lets Anyone Use Your Phone”.  It reports that Siri by default allows some actions even when the phone is locked.    Pranksters can use Siri to send texts to contacts, make calls, and update Facebook.

In the past full access to the device has been achieved though this type of Siri access.  This is one argument for disabling Siri at the lock screen (Settings -> Siri -> Allow Access on Lock Screen (off)).   While you lose some functionality, you are no longer susceptible to practical jokers or people with more nefarious intent.

I’m not aware of a Mobile Device Management platform that can disable this setting.  If you’re managing an enterprise environment where the MDM platform cannot enforce this setting all you can do is educate, instruct, and require.  (Where I work, I had to sign a form confirming I’d disabled this setting).