Those moments between Wi-Fi connect and VPN launch can give away a lot.
By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don’t encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn’t widely appreciated.
But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a “captive portal,” which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.
In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like an instant messaging client, may try to log on.
Configuring firewall software on your PC to block non-VPN traffic isn’t all that easy. It varies across operating systems and products, and it may not even be possible in Windows 8.1. On Windows, here’s a summary of what you’d need to do:
- Connect to the VPN of your choice using the normal procedure for that product.
- In the Network and Sharing Center in Control Panel, make sure the VPN connection is set as a Public network, and the home or public Wi-Fi network is set as Home or Office (Home is better). (In Windows 8 and later this can be problematic unless the network connection is brand new, because Windows 8.x provides no user interface with which to change the location type—so the whole exercise may be impossible—unless you first delete and recreate all your network connections.)
- Finally, in the Windows Firewall in Control Panel go to the Advanced Settings. Create a rule to block all programs from connecting on Public networks. Then create a rule allowing both the VPN program and the browser you want to use for the captive portal to connect on Public networks. You will need to set these rules both for inbound and outbound connections.
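The firewall-rule step above, as an added PowerShell example that is not from the Ars Technica article. It uses the NetSecurity cmdlets shipped with Windows 8 and later, assumes the network-location assignment from the previous step is already done, and uses placeholder paths for the VPN client and the browser.

```powershell
# Added example, not from the Ars Technica article. Implements the last step:
# default-deny on the Public profile, then allow only the VPN client and the
# captive-portal browser, inbound and outbound. Run from an elevated PowerShell.
# The executable paths are placeholders; substitute the ones installed locally.
$Apps = [ordered]@{
    'VPN client'             = 'C:\Program Files\ExampleVPN\vpnclient.exe'    # placeholder
    'Captive-portal browser' = 'C:\Program Files\Mozilla Firefox\firefox.exe' # placeholder
}

# Block everything by default on networks classified as Public, in both directions.
# Private and Domain profiles are untouched, so the connection set as Home keeps working.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Block

# One allow rule per program and direction, scoped to the Public profile only.
foreach ($app in $Apps.GetEnumerator()) {
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "Allow $($app.Key) on Public ($dir)" `
                            -Direction $dir -Profile Public `
                            -Program $app.Value -Action Allow -Enabled True
    }
}

# Caveat: name resolution for the browser is done by the DNS Client service (svchost.exe),
# not by the browser process, so the built-in "Core Networking" outbound rules for DNS and
# DHCP must stay enabled or the captive-portal page will never load.

# Check what will actually apply on a Public network before relying on it at a hotspot.
Get-NetFirewallRule -DisplayName 'Allow * on Public*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
Get-NetFirewallProfile -Profile Public |
    Format-Table Name, DefaultInboundAction, DefaultOutboundAction -AutoSize
```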
Source: Even with a VPN, open Wi-Fi exposes users | Ars Technica
“Encrypting your Windows hard drives is trivially easy; choosing which program to use is annoyingly difficult… Based on what I know about BitLocker, I think it’s perfectly fine for average Windows users to rely on, which is especially convenient considering it comes with many PCs. If it ever turns out that Microsoft is willing to include a backdoor in a major feature of Windows, then we have much bigger problems than the choice of disk encryption software anyway.”
Source: Encrypting Windows Hard Drives – Schneier on Security
Clearing your browsing history is a crime in the United States according to the Sarbanes-Oxley Act of 2002
A recent article published in The Nation revealed the improper use, by federal prosecutors, of a law meant for completely different purposes. The Sarbanes-Oxley Act of 2002 was meant to provide authorities with tools to prevent criminal behavior by corporations. It was put into practice after the Enron meltdown, when it was found out that executives, or their servants following orders, tore into shreds every document they could think of which might prove them guilty. The legislation’s goal was to stop companies from committing large fraud and then damaging the evidence of their conspiratorial criminality while investigations were under way.
As Hanni Fakhoury of the Electronic Frontier Foundation put it, the government is saying:
“Don’t even think about deleting anything that may be harmful to you, because we may come after you at some point in the future for some unforeseen reason and we want to be able to have access to that data. And if we don’t have access to that data, we’re going to slap an obstruction charge that has a 20-year maximum on you.”
Source: Deleting your browser history could land you up in prison for 20 years in United States – DigitalMunition
OpenSesame is a device that can wirelessly open virtually any fixed-code garage door in seconds.
If you are using a gate or garage which uses “fixed codes”, to prevent this type of attack, ensure you upgrade to a system which clearly states that it’s using rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof from attack, but do prevent the OpenSesame attack along with traditional brute forcing attacks. Suggested vendors: current products from LiftMaster and Genie.
Source: OpenSesame – hacking garages in seconds
Chinese hackers are suspected of carrying out a “massive breach” affecting the personal data of millions of US government workers, officials said.
The Office of Personnel Management (OPM) confirmed on Thursday that almost four million current and past employees have been affected.
The breach could potentially affect every federal agency, officials said.
Using a new cyber security system known as Einstein, the OPM detected a “cyber-intrusion” in April 2015. The FBI said it was investigating the breach.
Ken Ammon, chief strategy officer of Xceedium – a cyber security firm – warned that the hacked data could be used to impersonate or blackmail federal employees with access to sensitive information.
Source: Millions of US government workers hit by data breach – BBC News
As you may have heard, criminals used the Internal Revenue Service’s own website to steal taxpayer information for about 100,000 U.S. households, the agency said Tuesday, showing how vulnerable it remains as fraud proliferates.
The IRS will send you a letter if your records were at risk.
The criminals attempted to crack 200,000 accounts and made it into about half of them. The IRS will send you a letter if your account was among those 200,000, regardless of whether or not it was hacked. The agency will not call, email or send letters that ask for your personal information in response, but scammers might. Cyber thieves often take advantage of incidents like this by calling people and posing as taxmen, or emailing taxpayers malicious links.
Nasty links could infect your computer with malware in an attempt to steal your personal information, or lock up the machine until you pay a ransom — a tactic hackers began using this year while sending fake refund receipts to taxpayers, according to KnowBe4, a Clearwater, Fla.-based security company.
Source: IRS data theft: 5 things you need to know – MarketWatch
An apparent security vulnerability has left iPhone users susceptible to having their phones shut off with a simple text message.
The vulnerability appeared to have been first discovered on Reddit.
The security loophole gained widespread attention on social media Tuesday night, with individuals sending the string of code to friends as part of pranks or to simply see if it worked.
Source: iPhone Users Beware: If You Get This Text Message, Your Phone Will Likely Turn Off Immediately | Video | TheBlaze.com
Well-known security researcher Kafeine has spotted an active campaign aimed at compromising SOHO routers and changing their DNS settings so that the attackers can seamlessly redirect users to phishing sites, hijack their search queries, intercept their traffic, and more.
This particular campaign apparently targets only users of Google’s Chrome browser and ignores others. Chrome users who visit a compromised website are redirected to a site that serves cross-site request forgery (CSRF) code that determines which router model the victims use.
Source: Massive campaign uses router exploit kit to change routers’ DNS servers
What is a social engineering attack?
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as
- natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- epidemics and health scares (e.g., H1N1)
- economic concerns (e.g., IRS scams)
- major political elections
How do you avoid being a victim?
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don’t send sensitive information over the Internet before checking a website’s security (see Protecting Your Privacy for more information).
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
- Take advantage of any anti-phishing features offered by your email client and web browser.
What do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for other signs of identity theft (see Preventing and Responding to Identity Theft for more information).
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).
Source: Avoiding Social Engineering and Phishing Attacks | US-CERT
An estimated 630 million phones fail to purge contacts, e-mails, images, and more.
In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption.
Source: Flawed Android factory reset leaves crypto and login keys ripe for picking | Ars Technica