TechByter Worldwide

Speak softly and carry a large microphone

 

June 12, 2016

Be Careful Out There!

Maybe you're old enough to remember Hill Street Blues in which Michael Conrad's character, the Hill Street Station's watch sergeant (Phil Esterhaus) always ended roll call with "be careful out there." The program ran from 1981 through 1987. When you're anywhere on the internet, it's a good idea to keep that warning in mind.

Remaining safe on the internet involves avoiding the doxer. "Doxing" refers to the internet-based practice of researching and broadcasting personally identifiable information about an individual based on the documents (dox) that can be found.

Publicly available databases and social media websites are used, but so are social engineering and breaking into private systems. Sometimes law enforcement agencies use the practice, but it's more commonly used by internet vigilantes.

If you're concerned with your privacy, there are steps you can take to mitigate the threat, but it's impossible to eliminate it.

Outsmarting the Doxer

  • The first level of defense continues to be the use of strong passwords and making sure that you don't use the same user name and password combination on multiple sites -- particularly sites that maintain personal information about you or financial data.
  • Consider what you're posting on social media before you post. Unless you restrict access, anyone can see your information. And keep in mind that people who are friends of your friends may not turn out to be your friends.
  • Everything you post is another clue for a doxer. Or a burglar. "Looking forward to being in Spain for a week" is not a wise message to post unless you want to invite burglars to come play at your house while you're away.
  • I started using multiple email addresses several years ago. There's an address I use for things like email subscriptions and other semi-public activities, one that I use exclusively for bank transactions, and one that's restricted primarily to people I know. If I get a message purporting to be from my bank and it's sent to the wrong address, I know immediately that it's a fraud.
  • Follow the money. If you see an on-line offer that seems just too good to be true (40% off everything at Kohl's, for example), think about it. Airlines don't randomly hand out $1000 vouchers for travel, so don't take the bait. Even for legitimate operations such as Google, realize that if they're giving you something for nothing (G-Mail) they have to do something to make money. That means you're the product and you're being sold to businesses. That's OK if you're willing to make the trade. Just be aware of what you're signing up for.
  • There's only one good reason why you would ever list your phone number on the internet: if you need to do that in order to receive calls from prospective clients. If that's the case, maybe it's time to pay a few dollars per month to get a Skype number or a number from some other source so that you don't have to put your personal number on the website.
  • If you own a domain name, your registrar may offer a privacy option. This carries a small annual cost, but it's a good way to keep doxers from learning your address and other information that you've given the registrar.
  • Maybe you even want to consider an alias, a fake name with a separate email address for on-line activities. I know people who have done this and I consider the action to be just a bit more paranoid than I'm comfortable with. Still, if you've ever been harassed or stalked, it's worth a thought.

Website Security Looks Like an Impossible Dream

A new report from WhiteHat Security suggests that most web applications have multiple serious vulnerabilities that make them vulnerable to data loss. The information is included in the 11th annual Web Applications Security Statistics Report. The report was compiled using data collected from tens of thousands of websites.

Findings are based on the aggregated vulnerability scanning and remediation data from web applications that use the WhiteHat Sentinel service for application security testing and covers 12 business sectors, from retail and healthcare to banking and financial services.

The best performers, as you might expect, were banking and financial services, but more than 40% of the sites tested had vulnerabilities. IT and retail industries were among the worst, each with more than 50% of the sites tested having vulnerabilities. Even worse, vulnerabilities found on these sites typically persisted for more than 200 days.

The number of days it takes for a flaw to be identified and eliminated is another key metric that organizations need to pay attention to and for obvious reasons: The longer a security flaw exists, the more vulnerable the system is.

The report says that across all industries, a substantial number of web applications remain always vulnerable:

  • Information Technology (IT): 60% of web applications are always vulnerable.
  • Retail: 50% of web applications are always vulnerable.
  • Banking and Financial Services: 40% and 41% of web applications are always vulnerable, respectively.
  • Healthcare: 47% of web applications are always vulnerable.

WhiteHat's Tamir Hardof says that some organizations have hundreds of consumer-facing web applications and each of these can have several vulnerabilities. This could mean that thousands of vulnerabilities exist across an organization's web applications. The key is determining which of the issues are the most critical and need to be addressed first.

Generally more critical vulnerabilities are more complex to understand and fix. For 9 of the 12 industries analyzed, remediation rates are below 50% and for IT organizations, it's less than 25%. The average age of a vulnerability in the information technology industry is 875 days. Yes, that's almost 3 years. The average time-to-fix for vulnerabilities varies by industry from approximately 15 weeks in the energy industry to 35 weeks in IT.

Key trends from 2013 through 2015 show that the security situation is not improving, but there are some bright spots.

  • Remediation rates declined significantly in IT, which saw a drop from 46% to 24%, and in banking, which dropped from 52% to 42%.
  • Financial services and retail saw modest increases in their remediation rates, from 41% to 48% for financial services, and from 42% to 48% for retail.
  • The greatest improvement was in the food & beverage industry, where remediation rates quadrupled, from 17% to 62%.
  • In manufacturing, rates almost doubled from 34% to 66%, while healthcare and insurance increased from 26% to 42%, and 26% to 44%, respectively.

Short Circuits

New Lightroom and Camera Raw Versions

This week Adobe released new versions of Lightroom CC (2015.6), Lightroom (6.6), and Camera Raw (9.6). According to Adobe, this release provides additional camera raw support and lens profile support as well as addressing bugs that were introduced in previous releases of Lightroom. The primary new feature this time around is called Guided Upright for Creative Cloud members.

Lightroom and Camera Raw, which is used in conjunction with Adobe Bridge, are always released in tandem because they are based on the same technology. Support has been added for 64 more lenses and you can see the list here.

Several additional camera models are now supported (Canon PowerShot G7 X Mark II, Leica M-D Typ 262, Nikon COOLPIX B700, and 3 models of the Panasonic DMC). Tethered support has been added for the Canon EOS-1D X Mark II, Canon EOS 80D, Canon EOS 1300D, and Canon Rebel T6.

A previous release included an Upright tool designed to allow users to straighten images, fix horizons, and reduce or eliminate the keystone effect caused by tilting a camera up or down. Upright works well when the image includes prominent vertical and horizontal lines, but wasn't very effective for images that didn't have features that the process could identify.

Guided Upright allows users to provide their own hints to guide Upright. Draw vertical and horizontal lines directly on the image and Upright will perform the transformation.

Here's an example that shows how subtle the differences can be.

I had this picture of a rhinoceros at the Wilds and the way the road seems to tilt up near the top left of the image bothered me, so I decided to see what a Guided Upright modification might be able to accomplish.

These kinds of changes used to be in the Lens Corrections panel, but now there's a new Transform panel.


I drew 2 lines on the image to tell Lightroom what should be level. The line at the top of the image was slanted. The one at the bottom of the image was straight. The lines help Lightroom to understand which part of the image to show within the rectangular canvas.

After thinking about it for less than a second, Lightroom made slight changes to the image's geometry and provided a corrected copy.

In this case, I drew 2 lines. Guided Upright needs at least 2 guides, but can also use 3 or 4 lines.

Additional updates include the ability to merge images to panorama and HDR with Smart Previews. Previously, Lightroom required the use of original images for these features. The Lightroom Mobile section of the Preferences dialog includes a Pending Sync Activity item that can help users identify potential problems related to image sync across the desktop, mobile, and web versions of Lightroom.

Camera Raw 9.6 is available only in Photoshop CC or later. Customers using older versions of Photoshop can use the DNG Converter for continued camera support. Mac users need at least version 10.9 of OS X.

Recommended Reading: Software as Weaponry in a Connected World

New York Times technology writer Nicole Perlroth wrote this week about the technological equivalent of germ warfare. It's the disturbing story of how governments are stockpiling software bugs so that they can be used in internet warfare.

Perlroth describes the early visionaries who created the network of networks and says that "even the early internet pioneers at the Pentagon could not have foreseen that half a century later, the billions of mistakes made along the way to creating the internet of today and all the things attached to it would be strung together to form the stage for modern warfare."

Today everything is connected and that's convenient. But it's also convenient for those who are planning to use our massively interconnected system as a weapon. Your computer, tablet, smart phone, and maybe even your watch are connected to the network and so are millions of systems that could be considered to be targets.

You and your gear could be "collateral damage" in the eyes of the warriors. "Nothing personal. Sorry about that."

What they're doing, the article says, is cataloging software vulnerabilities and there are lots of them. The article quotes Steve McConnell, the author of Code Complete: "On average, there are 15 to 50 defects per 1,000 lines of code in delivered software." Each individual application on your computer (Microsoft Word, Firefox, Adobe Reader) probably contains millions of lines of code, so the problem is obvious.

Perlroth's article says most governments are "stockpiling vulnerabilities and exploits in hardware, software, applications, algorithms and even security defenses like firewalls and anti-virus software." These governments pay anyone who can find the defects, as is clear from the FBI's public willingness to pay more than $1 million for a hack that gave them access to data on an Apple smart phone.

If you're looking for something to keep you awake at night, read the rest of Perlroth's article on the New York Times website.

Are You Smarter than Mark Zuckerberg?

You've probably heard that Mark Zuckerberg's Pinterest, LinkedIn, Twitter, and Instagram accounts were hacked. Now Zuckerberg is a pretty smart guy. He created Facebook, after all. And yet apparently he used the same credentials for multiple sites.

That's just dumb, whether you're Mark Zuckerberg or Bill Blinn. Don't do it!

Yes, keeping track of a few dozen passwords is a pain if you allow it to be, but you don't. I have to manage more than 200 passwords and find it not at all difficult. That's because I use LastPass, a password manager. Other password managers exist. Pick one. Sign up for it. Use it.

A group called "OurMine" says that it has broken into LinkedIn, Twitter, Pinterest, and other sites. Engadget has screenshots of messages sent to Zuckerberg to tell him that they had accessed his account. In part, the message says "We are just testing your security."

LinkedIn has removed a fake Zuckerberg account.

A Hidden Threat

A story like this makes it easy for malicious creeps to convince people to hand over their credentials. Here's how it works:

You've just read a story here (or elsewhere) about the continuous and ongoing dangers of having your credentials stolen.

You receive a message that claims to be from YouTube or LinkedIn or Facebook or Twitter or any of dozens of other sites. The message says that you must change your password immediately. "Click here" the message says.

You click, enter your user name, your old password, and a new password. Now you think you're done. Wrong. That link might have taken you to a fake site that accepts your credentials and then pretends to make the change. Instead, you have just given a creep your user name and password.

When you receive a message such as this, don't click the link. Instead, just go to the site the way you normally do, log in, and use the site's normal procedure to modify your account.

And when you change your password, make sure that the one you change it to isn't being used for some other account.
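The "click here" trick above comes down to one question: does the link really go to the site the message claims to be from? Here is an added example (not from the column) that checks a link's actual host against the legitimate domain for the claimed site; the sites listed, the domains assumed for them, and the sample links are all constructed for illustration.

```python
"""Check whether a "change your password" link really points at the site it
claims to be from. Added example, not part of the original column; the
claimed-site table and the sample links below are constructed for illustration."""
from urllib.parse import urlsplit

# Sites a password-reset message might claim to come from (the column's own
# examples), mapped to the registrable domain a genuine link should use.
# Assumption for this example: these are the only domains treated as legitimate.
LEGIT_DOMAINS = {
    "YouTube": "youtube.com",
    "LinkedIn": "linkedin.com",
    "Facebook": "facebook.com",
    "Twitter": "twitter.com",
}


def link_matches_site(url: str, claimed_site: str) -> bool:
    """Return True only if the link uses HTTPS and its host is the legitimate
    domain for claimed_site or a subdomain of it."""
    expected = LEGIT_DOMAINS[claimed_site]
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False  # a password page should never be served over plain http
    # .hostname discards any "user:pass@" prefix, so a link whose netloc starts
    # with the real site name before an "@" is judged by the host that follows it.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or host.startswith("xn--") or ".xn--" in host:
        return False  # punycode labels can look like the real name on screen
    return host == expected or host.endswith("." + expected)


# Constructed sample links of the kind such a message might carry.
SAMPLE_LINKS = [
    ("LinkedIn", "https://www.linkedin.com/psettings/change-password"),  # genuine host
    ("LinkedIn", "https://linkedin.com.account-verify.example/login"),  # lookalike subdomain
    ("Twitter", "https://twitter.com@reset.example/"),  # real host hidden after "@"
    ("Facebook", "http://facebook.com/recover"),  # no TLS
    ("YouTube", "https://xn--yutube-1ua.com/signin"),  # punycode lookalike
]


def triage(samples=SAMPLE_LINKS):
    """Return [(claimed_site, url, ok), ...] for a list of links."""
    return [(site, url, link_matches_site(url, site)) for site, url in samples]


if __name__ == "__main__":
    for site, url, ok in triage():
        print("OK     " if ok else "SUSPECT", site, url)
```

Only the first sample passes; the column's advice still applies to links that pass, since a check like this cannot tell you the message itself is genuine, only that the link is not obviously pointing somewhere else.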