Maybe you're old enough to remember Hill Street Blues in which Michael Conrad's character, the Hill Street Station's watch sergeant (Phil Esterhaus) always ended roll call with "be careful out there." The program ran from 1981 through 1987. When you're anywhere on the internet, it's a good idea to keep that warning in mind.
Remaining safe on the internet involves avoiding the doxer. "Doxing" refers to the internet-based practice of researching and broadcasting personally identifiable information about an individual based on the documents (dox) that can be found.
Publicly available databases and social media websites are used, but so are social engineering and breaking into private systems. Sometimes law enforcement agencies use the practice, but it's more commonly used by internet vigilantes.
If you're concerned with your privacy, there are steps you can take to mitigate the threat, but it's impossible to eliminate it.
A new report from WhiteHat Security suggests that most web applications have multiple serious vulnerabilities that make them vulnerable to data loss. The information is included in the 11th annual Web Applications Security Statistics Report. The report was compiled using data collected from tens of thousands of websites.
Findings are based on the aggregated vulnerability scanning and remediation data from web applications that use the WhiteHat Sentinel service for application security testing and covers 12 business sectors, from retail and healthcare to banking and financial services.
The best performers, as you might expect, were banking and financial services, but more than 40% of the sites tested had vulnerabilities. IT and retail industries were among the worst, each with more than 50% of the sites tested having vulnerabilities. Even worse, vulnerabilities found on these sites typically persisted for more than 200 days.
The number of days it takes for a flaw to be identified and eliminated is another key metric that organizations need to pay attention to and for obvious reasons: The longer a security flaw exists, the more vulnerable the system is.
The report says that across all industries, a substantial number of web applications remain always vulnerable:
WhiteHat's Tamir Hardof says that some organizations have hundreds of consumer-facing web applications and each of these can have several vulnerabilities. This could mean that thousands of vulnerabilities exist across an organization's web applications. The key is determining which of the issues are the most critical and need to be addressed first.
Generally, more critical vulnerabilities are more complex to understand and fix. For 9 of the 12 industries analyzed, remediation rates are below 50%, and for IT organizations the rate is less than 25%. The average age of a vulnerability in the information technology industry is 875 days. Yes, that's almost 3 years. The average time-to-fix for vulnerabilities varies by industry from approximately 15 weeks in the energy industry to 35 weeks in IT.
Key trends from 2013 through 2015 show that the security situation is not improving, but there are some bright spots.
This week Adobe released new versions of Lightroom CC (2015.6), Lightroom (6.6), and Camera Raw (9.6). According to Adobe, this release provides additional camera raw support and lens profile support as well as addressing bugs that were introduced in previous releases of Lightroom. The primary new feature this time around is called Guided Upright for Creative Cloud members.
Lightroom and Camera Raw, which is used in conjunction with Adobe Bridge, are always released in tandem because they are based on the same technology. Support has been added for 64 more lenses and you can see the list here.
Several additional camera models are now supported (Canon PowerShot G7 X Mark II, Leica M-D Typ 262, Nikon COOLPIX B700, and 3 models of the Panasonic DMC). Tethered support has been added for the Canon EOS-1D X Mark II, Canon EOS 80D, Canon EOS 1300D, and Canon Rebel T6.
A previous release included an Upright tool designed to allow users to straighten images, fix horizons, and reduce or eliminate the keystone effect caused by tilting a camera up or down. Upright works well when the image includes prominent vertical and horizontal lines, but wasn't very effective for images that didn't have features that the process could identify.
Guided Upright allows users to provide their own hints to guide Upright. Draw vertical and horizontal lines directly on the image and Upright will perform the transformation.
Here's an example that shows how subtle the differences can be.
I had this picture of a rhinoceros at the Wilds and the way the road seems to tilt up near the top left of the image bothered me, so I decided to see what a Guided Upright modification might be able to accomplish.
These kinds of changes used to be in the Lens Corrections panel, but now there's a new Transform panel.
I drew 2 lines on the image to tell Lightroom what should be level. The line at the top of the image was slanted. The one at the bottom of the image was straight. The lines help Lightroom to understand which part of the image to show within the rectangular canvas.
After thinking about it for less than a second, Lightroom made slight changes to the image's geometry and provided a corrected copy.
In this case, I drew 2 lines. Guided Upright needs at least 2 guides, but can also use 3 or 4 lines.
Additional updates include the ability to merge images to panorama and HDR with Smart Previews. Previously, Lightroom required the use of original images for these features. The Lightroom Mobile section of the Preferences dialog includes a Pending Sync Activity item that can help users identify potential problems related to image sync across the desktop, mobile, and web versions of Lightroom.
Camera Raw 9.6 is available only in Photoshop CC or later. Customers using older versions of Photoshop can use the DNG Converter for continued camera support. Mac users need at least version 10.9 of OS X.
New York Times technology writer Nicole Perlroth wrote this week about the technological equivalent of germ warfare. It's the disturbing story of how governments are stockpiling software bugs so that they can be used in internet warfare.
Perlroth describes the early visionaries who created the network of networks and says that "even the early internet pioneers at the Pentagon could not have foreseen that half a century later, the billions of mistakes made along the way to creating the internet of today and all the things attached to it would be strung together to form the stage for modern warfare."
Today everything is connected and that's convenient. But it's also convenient for those who are planning to use our massively interconnected system as a weapon. Your computer, tablet, smart phone, and maybe even your watch are connected to the network and so are millions of systems that could be considered to be targets.
You and your gear could be "collateral damage" in the eyes of the warriors. "Nothing personal. Sorry about that."
What they're doing, the article says, is cataloging software vulnerabilities and there are lots of them. The article quotes Steve McConnell, the author of Code Complete: "On average, there are 15 to 50 defects per 1,000 lines of code in delivered software." Each individual application on your computer (Microsoft Word, Firefox, Adobe Reader) probably contains millions of lines of code, so the problem is obvious.
Perlroth's article says most governments are "stockpiling vulnerabilities and exploits in hardware, software, applications, algorithms and even security defenses like firewalls and anti-virus software." These governments pay anyone who can find the defects, as is clear from the FBI's public willingness to pay more than $1 million for a hack that gave them access to data on an Apple smart phone.
If you're looking for something to keep you awake at night, read the rest of Perlroth's article on the New York Times website.
You've probably heard that Mark Zuckerberg's Pinterest, LinkedIn, Twitter, and Instagram were hacked. Now Zuckerberg is a pretty smart guy. He created Facebook, after all. And yet apparently he used the same credentials for multiple sites.
That's just dumb, whether you're Mark Zuckerberg or Bill Blinn. Don't do it!
Yes, keeping track of a few dozen passwords is a pain if you allow it to be, but you don't have to. I have to manage more than 200 passwords and find it not at all difficult. That's because I use LastPass, a password manager. Other password managers exist. Pick one. Sign up for it. Use it.
A group called "OurMine" says that it has broken into LinkedIn, Twitter, Pinterest, and other sites. Engadget has screenshots of messages sent to Zuckerberg to tell him that they had accessed his account. In part, the message says "We are just testing your security."
LinkedIn has removed a fake Zuckerberg account.
A story like this makes it easy for malicious creeps to convince people to hand over their credentials. Here's how it works:
You've just read a story here (or elsewhere) about the continuous and ongoing dangers of having your credentials stolen.
You receive a message that claims to be from YouTube or LinkedIn or Facebook or Twitter or any of dozens of other sites. The message says that you must change your password immediately. "Click here" the message says.
You click, enter your user name, your old password, and a new password. Now you think you're done. Wrong. That link might have taken you to a fake site that accepts your credentials and then pretends to make the change. Instead, you have just given a creep your user name and password.
When you receive a message such as this, don't click the link. Instead, just go to the site the way you normally do, log in, and use the site's normal procedure to modify your account.
And when you change your password, make sure that the one you change it to isn't being used for some other account.
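The fake password-reset message described above can be screened mechanically before anyone clicks. This is an added example, not code from the original post: a small Python checker that decides whether a link in a message claiming to come from one of the named sites actually points at that site's domain, and flags the usual disguises (the real name buried in a subdomain, a hyphenated lookalike, a raw IP address, or user@host trickery). The trusted-domain table, the sample message, and the `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed assumption: the sites a reset message might claim to come from,
# mapped to the registrable domain each one really uses.
TRUSTED_DOMAINS = {
    "youtube": {"youtube.com"},
    "linkedin": {"linkedin.com"},
    "facebook": {"facebook.com"},
    "twitter": {"twitter.com"},
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for .com-style domains;
    it does not understand multi-part suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(claimed_site, href):
    """Return (ok, reason) for a link in a message that claims to be from claimed_site."""
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parsed.scheme
    host = parsed.hostname or ""
    if parsed.username is not None:          # https://facebook.com@evil.example/
        return False, "userinfo before the host hides the real destination"
    if IPV4_RE.fullmatch(host):
        return False, "link points at a raw IP address"
    expected = TRUSTED_DOMAINS.get(claimed_site.lower())
    if expected is None:
        return False, "unknown claimed site %r" % claimed_site
    if registrable_domain(host) in expected:
        return True, "host belongs to the claimed site"
    for domain in expected:                  # real name present only as bait
        if domain.split(".")[0] in host:
            return False, "lookalike host %r is not %s" % (host, domain)
    return False, "host %r does not belong to %s" % (host, claimed_site)


def suspicious_links(claimed_site, html):
    """Every (href, reason) in html whose link fails check_link."""
    flagged = []
    for href in HREF_RE.findall(html):
        ok, reason = check_link(claimed_site, href)
        if not ok:
            flagged.append((href, reason))
    return flagged


# Constructed sample message of the kind described above, not a real one.
SAMPLE_MESSAGE = (
    "<p>Your LinkedIn password must be changed immediately. "
    '<a href="https://linkedin.com.account-check.example/reset">Click here</a></p>'
)
```

Running `suspicious_links("linkedin", SAMPLE_MESSAGE)` flags the single link because its registrable domain is account-check.example, not linkedin.com; the same function returns an empty list for a link to www.linkedin.com.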