Link – What happens when you reply to spam email (Veitch)

There are people who enjoy messing with scammers by replying to scam, or implementing the Jolly Roger Telephone company.

While its a few years old, I just watched a couple of James Veitch Ted Talks on what happens when you reply to spam email. Its hilarious.

This is what happens when you reply to spam email | James Veitch

Watch this video on YouTube.

Tuning up my WordPress Install

Dreamhost was sending me cryptic emails about my site using too many resources then dieing as a result.

Then Jetpack site monitoring was finding the site down, presumably due to running out of resources.

And the homepage loaded too slowly.

So a technical problem was at hand.

There aren’t a lot of resources out there for troubleshooting this sort of issue. GoDaddy has a long abandoned plugin that would tell you which WordPress plugins were using the most RAM. It no longer worked. The current state of site troubleshooting is to disable your plug-ins one at a time, and use another plugin to monitor site RAM usage. I found it better to start with a list of plugins known to cause excessive resource usage, and then run a speedtest at gtmetrix.com.

So I said goodbye to some plugins. The one I’ll miss the most is one that posted related posts on if you viewed a post from the single post page. Plugins like that are designed to keep eyeballs on that page. I also disabled the Better Tag cloud plugin. I liked it there in the sidebar. Tags are better than categories in my opinion. But Tag Clouds are really a think of the past. So is blogging for that matter. Yet here I am.

Jetpack is frequently a target for people trying to save resources. After reviewing the features I used, I decided to disable it.

The main thing slowing down my page, was the embedded Youtube videos. I installed WP Youtube Lyte, a plugin that now displays a screenshot of the video rather than embedding the actual video. When you click on the screen, then the video loads. If you’re on mobile, you’ll need to click twice. If you’re in a RSS reader, you’ll need to click the view on Youtube link.

Lastly, I made some changes to caching at Cloudflare following the cloudflare site settings listed in an article on W3 Total Cache and Cloudflare. I did not install W3 Total Cache. I’ll have to keep an eye on it to see if I’ve successfully enabled caching without delaying when people see my content.

When I started the front page of InfosecBlog.org was loading in 3 to 4 seconds according to gtmetrix. Its now loading in 0.6 to 1 second.

SMBv1 isn’t safe

Long before WannaCry used a recently patched Microsoft vulnerability to exploit machines, the recommendation was to disable SMBv1.

Disabling old protocols isn’t sexy.   You’re breaking things, and not introducing new features.  You’re fixing theoretical future attacks.   Perhaps the willingness to take on this challenge is a good measure of the maturity level of a security program.  Are you sitting around waiting for an attack so you have the justification of making a change.  Are you sitting around waiting for a vendor to do it for you.  (“I didn’t want to disable SSL3, your default browser did that.  Guess you need to update the server application.”)  Disabling it before an attack or before a vendor disables it for you is a better idea.  You can proceed at your own pace. You can do testing.

This doesn’t mean it’s an easy road.   One of my security product vendors sent out an alert today warning customers that disabling SMBv1 will lead to an unspecified loss of functionality.   This is the other problem.   Security vendors are all too lax about security.

Leaving old protocols enabled exposes you to vulnerabilities.  Frequently even when newer versions of protocols are available, downgrade attacks force you to use the vulnerable protocol.  Stay up to date on best practices.  Be proactive about your company security rather than just being a sit filler waiting for the next emergency.

Battery Backup PSA

One of the better things you can do to protect your money spent on electronics devices is have a good surge protector and battery backup.   If you’re like me, you only buy the kind where you can disable the audible alarms.  The problem with this is now you might not get any warning if the battery goes bad.

In some cases you’ll have the battery backup connected to a computer via USB and receive notices that way.  But in other cases where the battery backup is protecting home entertainment equipment, your cable modem or your router, you might not know you have a problem until you happen to be home during a power hit.   Imagine how many times your equipment may have taken a hit that you didn’t know about.

The battery backup I just purchased says the battery is good for about three years.   So put it on your calendar.   If your battery backup has a visual indicator that its broken check that.   And you may want to use the software that comes with the battery backup to connect to each and manually run a self test.  (consult your own UPS manual about the best way to do that.)

Wanna Get Away – Generals Password

I see this was posted 3 months ago to Youtube, but its new to me.

 

Southwest Airlines Commercial – General saying he hates his job.

Watch this video on YouTube.

This being blogging, lets over-analyze.

The General’s password is ihatemyjob1.

Not a bad password.  Using a passphrase is easy to remember.  Easy to type.
No doubt he should have capitalized the “I”.  Most systems can handle spaces, which would add some length.  Putting in a “@” in for a and a “0” in for o would add some complexity.  If the password file is compromised, this wouldn’t be enough to prevent breaking the hash.  But its good for a day-to-day logon.  For accounts where a password safe can be used to ease login, random would be better.  But that doesn’t work for every account.

The General’s password is echoed to the screen.   Typical security controls require that your password not be displayed on the screen.  It should be replaced by asterisks.  The General would also have been better entering it himself and not telling a subordinate the password.  He could have turned off the output of the computer to the big screen temporarily to prevent the room from seeing the password.

In pressure situations, its easy to take actions that compromise our security.  This is the type of feeling that phishers, and fraudsters often try to create so you just act and not thinking about if what you are doing makes sense.

Yes, it’s just a funny commercial.  But it can also be used as a teachable moment.  Hopefully without sucking all the fun out of the commercial

Configuring GMail to check ISP Mail

My primary email address assigned by my ISP can’t be changed.   It gets a lot of spam  In the past that wasn’t really a problem because I rarely used it for anything, but a few years ago I foolishly began using it on resumes.   Its format is first initial + lastname @ ISP so its relatively professional.   Unfortunately there are other people in the world who think that is their email address.   That doesn’t help the spam problem.

I could just not check it.  But I might miss important emails from my ISP.

I decided that rather than continuing to see spam on my iPhone, then subsequently opening webmail in order to report the spam that I would use GMail to pull my ISP mailbox.   GMails spam filters are much more robust, and thus far I haven’t had a single false negative or false positive.

Configuring GMail to check external accounts using POP3 is easy.   You can google that up if you really want to know how.  During the config, you select whether to leave a copy of the message on the server.   While setting this up, you can set up all mail from this account to be stored with a specific label so it doesn’t get lost in all your other Google Mail.

When I was searching for how to do this, I did see some people who caution that Google pays attention.  And if don’t get that much mail, it will check less and less frequently.  That isn’t an issue for me since nothing of importance occurs on that account.  But it is something to be aware of.

Happy with my decision to leverage Google Mail’s spam filter against my ISP mailbox I then configured my iPhone to no longer check that account separately.

Siri Lock Screen Bypass in news your non security friends read

This morning I read an article on Good HouseKeeping (don’t make fun, it was a link on one of the news links that get pushed in your face on my start page.  I think it was Bing. I hate the news links but like the pictures).  It’s interesting to see what security items make it into websites for ‘normal’ people.

The scare headline read “A New iPhone Hack Lets Anyone Use Your Phone”.  It reports that Siri by default allows some actions even when the phone is locked.    Pranksters can use Siri to send texts to contacts, make calls, and update Facebook.

In the past full access to the device has been achieved though this type of Siri access.  This is one argument for disabling Siri at the lock screen (Settings -> Siri -> Allow Access on Lock Screen (off)).   While you lose some functionality, you are no longer susceptible to practical jokers or people with more nefarious intent.

I’m not aware of a Mobile Device Management platform that can disable this setting.  If you’re managing an enterprise environment where the MDM platform cannot enforce this setting all you can do is educate, instruct, and require.  (Where I work, I had to sign a form confirming I’d disabled this setting).

 

Password Expiration

FTC Chief Technologist Lorrie Cranor wrote in March it is time to reconsider mandatory password changes.

Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)

The prime reason given is users pick bad passwords.   That doesn’t seem like a justification to me to not change passwords.  It is a problem that could be avoided by using a password similarity rule in your password rules.  You could force longer passwords to encourage passphrases.   I do agree government password policies get a bit ridiculous (8 digit pin that must be changed used in conjunction with SecurID.  That just seems like overkill).

I like to use a password manager.  This allows most of my passwords to be something long and unknown.   They are protected by a strong password, and a second factor of authentication.   Educating people about using these tools seems like a great way to go.  At any rate, I didn’t want to make this rare post a rehash of old password arguments.   The Cranor post is worth reading.

This week Troy Hunt of haveibeenpwned.com received a copy of 68 million accounts from Dropbox.  A hack occurred in 2012 and at the time Dropbox forced a reset to some accounts.  If a user didn’t change their password since that hack they would be effected.   If they changed that password, but used the same credentials elsewhere they would be effected.

The idea of changing the password only in case of known compromise is defeated when you realize that you don’t always know about compromise.  Companies don’t disclose.  Or they don’t force a password change and you miss the announcement.  Or you change the password for that account but use the same password somewhere else.

While changing a password every 90 days is overkill for most accounts, there is a happy medium between that and never changing them.   Using a password manager (or at least the correct password manager) will let you know the age of your password (age starting from the point you add it to the database . Obviously it doesn’t know the actual password set date.  Some password managers are able to attempt change the password for you, so you only have to click a button (works on specific sites only).

In either case proactive monitoring for compromise is important.  You can enroll your username or email at haveibeenpwned.com to be notified about new breaches that affect your accounts.  Some password managers have this functionality built-in.