Sep 24, 2017

The Equifax Breach: It's too late to protect yourself (but not too late to form good habits)

What can I do about the Equifax Breach?

Nothing.

The fact is, when Equifax announced the breach on September 7th, it was far too late.
  • The breach happened in May...
  • ...Equifax executives discovered the breach at the end of July...
  • ...dumped their company stock a few days later...
  • ...but waited to inform the public until another month had passed
By the time you learned about this breach, your data had already been compromised for months.

But it's all over the news!

Much of what you see in the news and on social networks is exaggerated, outdated, or just plain wrong. Facebook is a reliable source of cat videos and friend requests, but it's useless for security recommendations.

To learn the facts, you must do some research, track down the original sources of information, and develop your own picture of the incident. But doing all that takes time, requires reading some fairly dull professional articles, and when all is said and done, the final conclusion will be the same: follow best practices, limit your exposure, and be alert for anything out of the ordinary. You cannot prevent or fix a breach. You can only weather the storm.

So I should just do nothing at all?

No, not at all. You should keep doing the same things you have already been doing to protect yourself from fraud and scams. You have been doing these things all along, haven't you? If not, you should start.

If this breach made you think it's time to get serious about security, that's good. But ask yourself: why didn't I get serious about security after the huge Yahoo breach of over a billion accounts that was revealed just last year? Or the Anthem Insurance breach of 2015? Or the JP Morgan Chase breach of 2014? Or the Home Depot breach of 2014? Or the Target breach of 2013? Or the Adobe breach of 2013? Or the...

See my point? All of these data breaches were extensively covered in the media, but you probably don't even remember most of them. It's useless to worry about a single specific breach, because similar big breaches are happening every year, and smaller ones are happening every day. You are ALWAYS at risk of having your personal information stolen, and you will NEVER know about it until after it has already happened.

Humans can't constantly live in a state of hyper-vigilance; their brains simply don't work that way. So instead, you need to form habits and routines that minimize your risk. If you have doubts or suspicions about something, you're almost certainly right, so assume you are and act accordingly.

If news of this breach makes you more cautious than you were before, that's good, but it would be better if you just made a habit of always assuming the worst, and planning for it.

So what are these things I should have been doing all along?

  • Don't Panic: Think before acting
    • Don't trust warnings from random strangers
    • Never open an emailed link or attachment unless you know exactly what it is and why you got it.  
    • If you think it's suspicious, it is suspicious
    • Never believe anything in an email that has been forwarded to multiple people
    • Never believe any email that prompts you to act quickly to avoid serious consequences
    • Never believe anyone who tells you they're going to prevent your personal information from being compromised in a data breach, or fix your credit after identity theft - they are lying to you
  • Practice good password security
    • Use strong passwords that have nothing to do with your work, your family, or your personal interests
    • Use different passwords for different accounts
    • Use a secure password database such as KeePass to store passwords and other confidential information
    • When possible, use multi-factor authentication for important accounts
  • Regularly review all online accounts for unusual activity 
    • Not just bank accounts, but phone, internet, cable, utilities, insurance, investments, and gaming accounts
    • Never use any service that automatically deducts money from your bank account to pay a bill
    • Pay your bills online, but do it every month, using your own bank's service, and review each bill carefully before making the payment
    • Challenge any discrepancies BEFORE you pay the bill
    • Ask your bank and your vendors about their data security plans, and challenge them if they balk
    • Don't trust a third-party to do this for you; they can't do as good a job as you, and they don't really care about you personally
  • Take advantage of account features that help you protect your information
    • Sign up with your bank to get email or text notifications for transactions. If your bank doesn't provide this service, switch to one that does
    • Consider using fraud alerts and credit freezes. A fraud alert ensures you will be notified of any attempts to open new credit lines. A credit freeze prevents anyone, including you, from checking your credit unless you unfreeze it first
    • Review your credit reports regularly, and dispute anything you don't recognize
    • Cancel unused cards and close unused accounts
    • Some banks offer free credit monitoring
  • Limit your exposure of personal information
    • Shred or burn any offers for credit you receive in the mail
    • Keep all social media profiles private
    • Read terms of service and rules for all services you sign up with, and always choose the options that expose the least amount of your personal information
    • Use throwaway generic email accounts or anonymous email services when a site requires you to register
    • Use an ad blocker or internet security program to protect your browser
  • Recognize that security is inconvenient, and you can't control everything
    • To be secure, you must sacrifice some convenience
    • There is no silver bullet, no magic solution that will keep you safe automatically
    • You can't do anything about other people and companies
    • Your own family could accidentally cause your data to be stolen

Well this is pretty depressing...

It can be if you let it, but really it's no different than how you are constantly thinking about your safety when driving a car.

You obey the law, keep your eyes on the road, never text or make calls while driving. You maintain safe following distance, always use your signals, look before changing lanes, and never ever drive after drinking. But you don't assume the other driver is going to follow the rules, because you know they often don't. So instead, you assume that everyone else on the road is a drunken, texting, idiotic, suicidal maniac, and plan for the worst.

Umm, I don't do all that.

Then you're a bad driver, and you're putting yourself and others at risk every time you get behind the wheel, but that's a rant for another day.

The point is, it's easy to become complacent about everyday situations (like driving) and forget how much danger you're in. You see a horrible accident, and for a little while, you are more careful. But you forget soon enough and are back to trusting random strangers on the road not to kill you.

The same complacency applies to your personal information security.

The Equifax data breach is just the latest in a series of major data breaches where millions of people's personal information has been compromised. Unfortunately, we cannot consider this a unique or unusual event anymore. Going forward, you should assume that your personal data will be breached - not once, but many times.

These are not lonely hackers working in basements. These are organized, coordinated, well-funded teams of professional criminals, and they will find ways to steal your information. You can't prevent it, can't stop it, and may not even find out about it until years after it has happened.

Law enforcement agencies cannot help - they may arrest a few individuals, but these kinds of breaches are funded by powerful organized crime syndicates located overseas, many with ties to foreign governments. Those behind the scenes running these operations will probably never be identified, let alone prosecuted.

Credit Protection Services cannot help - These companies charge fees to monitor your credit for activity, but they can't prevent someone from emptying your bank account, or using your name to get a job, or using your personal information in many other ways.

Credit Bureaus cannot help - and have no incentive to. These agencies have no financial interest in protecting your personal information. You are not their customer, you are the product they sell. Equifax took a beating in the stock market after the announcement, but the people who made the decisions that led to this breach sold their stock before the announcement, and now that the price has started to recover, they can buy it back at a discount. So they're actually profiting from the breach.

The desire to do something to fix the problem is a powerful motivator, and fraudsters and unethical companies are quick to cash in on this. You will see advertising and get emails claiming that you can protect yourself by buying a product, or signing up for a service, or forwarding a message to all your friends. You should be very skeptical of such claims, even if they come from companies you think you know and trust.

Are there any good guys out there?

Yes, there are. Some people are genuinely interested in helping you protect yourself, because they themselves have been victimized, and want to help others, or because they feel it's the morally right thing to do.

Information about malware and viruses, including advice and support for fixing problems:
https://www.bleepingcomputer.com

Further reading on the breach, fraud alerts, and credit freezes:
https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
https://www.us-cert.gov/ncas/alerts
http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection-2/
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#difference
http://clark.com/personal-finance-credit/equifax-breach-how-to-protect-yourself-from-whats-coming-next/
http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/


Sep 14, 2017

Don't use spaces in names of files, objects, etc.

Don't give objects names with spaces in them. Spaces are used to separate words. Names of objects should be single words. Object names are metadata about the object, and that metadata may need to be used by another person or system in ways you did not anticipate. Save the detailed grammatically correct wording for descriptions and comments.

Different systems handle spaces in different ways, and some don't even allow them. Avoiding them completely eliminates an entire class of possible errors when working across platforms or environments.

Spaces in object names lead to inconsistency. Inconsistency leads to errors. 
  • Spaces are interpreted as word separators by many editing shortcuts. Using them reduces efficiency and contributes to errors when editing source code
  • Spaces may be ignored or treated differently than you expect when searching, sorting, etc.
  • Some systems will automatically change spaces into other symbols, such as underscores; other systems may simply remove the spaces. Still others will allow the spaces. Inconsistency leads to errors
  • Spaces are interpreted as argument delimiters by command lines
    • Even if you yourself never use a command line, someone else may need to do so
    • Some GUI software may use command line interpretation behind the scenes that you are unaware of
  • Spaces in names must be escaped when used in URLs, but there are multiple ways to escape them. Inconsistency leads to errors.
  • Using spaces in a file name may require that the name be surrounded by quotation marks in order for it to work with parsers or command line tools. The fact that you have to use quotes then itself leads to more problems
    • One system requires single quotes, another uses double quotes, a third accepts either, but with different meanings
    • Quotes get nested within other quotes, have to be escaped
    • Different databases have different rules for escaping strings
    • Different platforms have different support for Unicode and ANSI character sets
    • Some programs (MS Office for example) will automatically change quotation marks into special symbols (Smart Quotes)
    • Symbols in URLs must be escaped differently than those used in other contexts (command lines, database keys, etc)
It all gets very complex very quickly. You can completely avoid an entire class of confusing errors and problems by simply avoiding spaces in names.
 
  1. Best option: Use only letters and numbers, no spaces or special characters. Use camel case for improved readability
  2. Mediocre option: prohibit spaces, but allow other symbols (typically underscores) to take their place
  3. Terrible option: Make long names with lots of spaces, laugh like a supervillain at the pain you are causing others
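As an added illustration (my own code, not part of the original post), the Python script below shows three of the failure modes above on a constructed file name: the shell splitting an unquoted name into several arguments (and failing outright on an embedded apostrophe), the two incompatible URL escapings of a space that decode differently, and the "best option" rename to letters, digits and camel case. The sample names and the helper function names are my own.

```python
import re
import shlex
from urllib.parse import quote, quote_plus, unquote, unquote_plus

# Constructed sample names, not taken from the post.
SPACED = "Quarterly Report 2017.xlsx"
APOSTROPHE = "Bob's Report.txt"


def shell_args(name):
    """Arguments a POSIX shell sees when the bare name is pasted on a command line.

    Returns None when the shell cannot even parse it (an unbalanced quote, such as
    the apostrophe in "Bob's Report.txt").
    """
    try:
        return shlex.split(name)
    except ValueError:
        return None


def safe_shell_word(name):
    """The quoted form needed to pass the name as ONE argument. For a name with an
    embedded single quote this is the nested '"'"' escaping the post complains about."""
    return shlex.quote(name)


def url_encodings(name):
    """Two equally common URL escapings of the same name: %20 and '+'."""
    return {"percent": quote(name), "plus": quote_plus(name)}


def decoders_disagree(encoded):
    """True when the two standard decoders turn one encoded component into different strings."""
    return unquote(encoded) != unquote_plus(encoded)


# The post's "best option": letters and digits only, with at most one extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9]+(\.[A-Za-z0-9]+)?")


def is_safe_name(name):
    return SAFE_NAME.fullmatch(name) is not None


def to_camel_case(name):
    """Rewrite any name into the safe form, keeping a final extension if there is one."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:                 # no extension, or a leading-dot name
        base, dot, ext = name, "", ""
    words = re.findall(r"[A-Za-z0-9]+", base)
    if not words:
        raise ValueError(f"nothing usable in name: {name!r}")
    camel = words[0].lower() + "".join(w[:1].upper() + w[1:].lower() for w in words[1:])
    ext = re.sub(r"[^A-Za-z0-9]", "", ext)  # the extension gets the same treatment
    return camel + (dot + ext if ext else "")


if __name__ == "__main__":
    for n in (SPACED, APOSTROPHE):
        print(f"{n!r}: shell sees {shell_args(n)}, must be written as {safe_shell_word(n)}")
        print(f"  URL forms: {url_encodings(n)}")
        renamed = to_camel_case(n)
        print(f"  renamed:   {renamed} (safe: {is_safe_name(renamed)})")
```

Running it prints that the first name becomes three shell arguments and the second cannot be parsed at all, while the renamed forms pass as a single word everywhere without any quoting.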

"Thread Necromancy considered harmful" considered harmful

Many online message boards have rules against "thread necromancy," the posting of a new message to an older discussion, because it is considered harmful to the community to have an old discussion from the past brought back up again.
 
In some cases this is true:
  • If the previous discussion was controversial and topical, reviving the discussion may only lead to renewed hostilities and drama
  • Many discussions are topical, and have little value once the events are past (nobody wants to debate who will win the Super Bowl/Election/Oscars after it's over)
  • If the new post is a response to the original poster or one of the original participants, there's a good chance the people are not even around anymore, so the feedback is likely to be unseen
  • A new post to an old discussion may generate a large number of notifications to users who are no longer interested in the subject, or even no longer members, possibly causing lots of email notices to bounce among other things
  • Having old discussions reappear as new content may annoy readers of the forum
These reasons are legitimate, but are primarily focused on the forum from the somewhat selfish perspective of existing participants.

A public forum with no restrictions on membership will always be fighting the problems of new users who don't follow the rules. There's nothing anyone can do to stop this, people simply won't bother to read the rules, no matter how insistent you are. So rather than drive yourself crazy trying to enforce unenforceable rules on a random population, limit that population. Make the forum private. A private forum will have a more selective and limited membership, making rules enforcement practical.

Private forums have advantages, but unless the membership is huge they will not generate much advertising revenue, nor will they achieve search engine ranking.

This is why revisiting an old discussion can be helpful not only to the readers of the forum, but to the forum itself. Generally speaking, if you have any of these goals for your forum
  • Attract new members
  • Generate revenue from advertising
  • Generate awareness of a product, service, or system
  • Provide technical support or product help to end users
then it's counterproductive to prevent all responses to old threads. Very few people will find an answer to a question because they first found your public forum and then used its built-in search functionality. Almost always, people will visit your forum because they found a specific reference to a problem or question in a search engine (Google, Yahoo, Bing, etc) that brought them to your forum. In some cases, your forum's discussion may be one of the top search results for the subject. When that happens, you are getting traffic specifically because of that old discussion. Hundreds, maybe thousands of people are coming to your site hoping to find a solution based on your search engine ranking.

If you prevent any future updates to the discussion, you are actually hurting the user experience for search engine visitors. They see your site highly ranked, they visit, and they find that your site's information is out-of-date, or has no good answers. They leave, frustrated, and move on to another site that does allow new information to be added to old posts.

A commonly reported bug with a sound driver has a solution on your forum which has helped many people over the years, but after the release of Windows 10, suddenly a slightly different solution is required for the same problem. Your policies prohibit a user from adding a new response to the discussion pointing out the new solution.

Which is the more appropriate place to post the new solution to the same problem? In a new discussion that nobody currently knows exists, or in the existing, highly ranked discussion where many people will go?

Would you rather have visitors to your site consider it a helpful resource, or a waste of their time?

Make your site more valuable by allowing additional information to be added to old discussions. Enforce thread necromancy rules selectively per discussion, not with a blanket rule.

Mar 23, 2017

Finger Macros

Macros are a great way to automate repetitive tasks when correcting errors in text or documents.

If you frequently do the same repetitive task, making a macro or hotkey that repeats the same sequence of keystrokes can save time and improve accuracy. There are only two problems: you need to have some sort of software or hardware to implement the macros with, and you need to actually set up and configure the specific macro you need.

If you frequently do the same task day after day, this is worthwhile, but if you don't do it often enough, it may not be worth the trouble, so sometimes it just makes more sense to manually type in your changes. But manually correcting specific bits of text in a document is tedious, and error prone.

Judicious use of search and replace functionality can be a big help, but sometimes the change you need to make is positional rather than content-based. Built-in keystrokes which position the cursor, select, copy, or paste text, and taking advantage of mouse multi-click selection can make repetitive edits faster, more accurate, and even somewhat fun.

The concept is that you use keystrokes which move the cursor to known reference points, and then type or edit as appropriate. By reducing the edit to a short sequence of the same keys, it's possible to rapidly type that sequence over and over, causing the desired edit to occur in multiple places without having to hunt for the desired locations.

Since I do not in fact have fingers, this technique was merely theoretical until I found a test subject willing to perform the procedure. He confirmed that it was very helpful in specific cases where you are performing repetitive edits in a text-editing environment.

Very Simple Example:
You are editing some source code in Notepad, and you want to indent a bunch of lines by typing in spaces. You have a series of lines all aligned to the far left, and you want to insert several spaces in front of each line.
  1. On the first line, type a space
  2. Your cursor is now on the first line. You want to get it to the very beginning of the next line. Two keystrokes accomplish this: [HOME]-[DOWN]. Regardless of where you are on the line, pressing those two keys in sequence will always put you at the beginning of the next line. 
  3. Press [SPACE] to insert one space. That's it. 
  4. Now just repeatedly press [HOME]-[DOWN]-[SPACE] until you reach the last line. Keep hitting those same three keystrokes repeatedly, and you will find you build up a rhythm that allows you to go very fast.
  5. Go back to the top, and do the same thing again, inserting more spaces
  6. Repeat until you have the desired number of spaces
The reason this is helpful is that you don't need to think about what you're doing; your existing fine motor skills for typing ("muscle memory") take over and allow you to execute the sequence much more quickly than you could if you had to think about each step.

The only cognitive effort is to pay attention to the output and recognize when to stop. And even if you go too far and have to undo one or two, you've still saved some time, and had more fun than if you used reading and mouse movements to achieve the same goal.


Feb 27, 2017

SSRS error - The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version. There is an error in XML document (1,xxxxx).

The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version. There is an error in XML document (1, NNNNN).

'#', hexadecimal value 0x1A is an invalid character. Line 1, position NNNNN.

This weird error appeared when trying to populate an SSRS parameter drop-down list with a list of names of organizations from a query.

In order to populate the drop-down list, SSRS runs the query to retrieve the list of values, then stores it temporarily as XML. The problem is, if there are any characters in the returned values which are invalid in the XML, then the report chokes, and throws this error.

To fix the problem, you need to figure out which record(s) appearing in the drop-down contain the unusual character and correct it.

The error includes the hex representation of the invalid character, so you can search for it in the database with some variation on this query...
SELECT TheID, TheString
FROM SomeTable
WHERE CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), CONVERT(NVARCHAR(MAX), TheString)), 2) LIKE '%1A%'

I would have hoped that Microsoft would fix this issue by doing something to address the underlying cause, such as escaping the invalid characters when generating the XML, but they don't seem to have any interest. Even their own devs had to manually retype text to address the issue when it affected SCCM.
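The following Python script is an added example, not from the original post or from Microsoft, that works through both halves of the problem on constructed sample rows: it finds every character XML 1.0 refuses (not only 0x1A) together with the 1-based position the error message reports, it shows the escaping SSRS could have done itself, and it shows why the hex search above can return extra rows: LIKE '%1A%' is a substring match anywhere in the UTF-16LE hex string, not a match on a whole two-byte code unit, so a clean name can hit when one character's high byte ends in 1 and the next character's low byte starts with A. The table, column and function names are assumptions.

```python
import re

# XML 1.0 forbids these code points outright; TAB, LF and CR are the only C0 controls it allows.
XML_INVALID = re.compile(r"[\x00-\x08\x0B\x0C\x0E-\x1F\uFFFE\uFFFF]")

# Constructed sample rows standing in for "SELECT TheID, TheString FROM SomeTable".
SAMPLE_ROWS = [
    (1, "Acme Corporation"),
    (2, "Globex\x1aInc"),        # 0x1A (SUB), the character from the error in the post
    (3, "Initech\tTabbed"),      # TAB is legal in XML, so this row is fine
    (4, "Umbrella\x0bCorp"),     # 0x0B (vertical tab) is not legal and breaks the report too
    (5, "Ł¡ Trading"),           # clean text whose UTF-16LE hex (4101A100...) contains "1A" across a boundary
]


def find_invalid_xml_chars(rows):
    """(id, 1-based position, hex code) for every XML-invalid character, mirroring the error text."""
    hits = []
    for row_id, text in rows:
        for m in XML_INVALID.finditer(text):
            hits.append((row_id, m.start() + 1, f"0x{ord(m.group()):02X}"))
    return hits


def sanitize_for_xml(text, replacement=""):
    """What the post wishes SSRS did itself: drop (or replace) characters XML cannot carry."""
    return XML_INVALID.sub(replacement, text)


def utf16le_hex(text):
    """The hex string CONVERT(VARBINARY(MAX), <nvarchar>) yields: UTF-16LE, two bytes per code unit."""
    return text.encode("utf-16-le").hex().upper()


def naive_hex_like_hits(rows, pattern="1A"):
    """Rows the post's LIKE '%1A%' returns: a plain substring test over the hex, not aligned to code units."""
    return [row_id for row_id, text in rows if pattern in utf16le_hex(text)]


def aligned_hex_hits(rows, code_unit_hex="1A00"):
    """Same search, but matching only whole UTF-16LE code units (U+001A is the bytes 1A 00)."""
    hits = []
    for row_id, text in rows:
        h = utf16le_hex(text)
        if any(h[i:i + 4] == code_unit_hex for i in range(0, len(h), 4)):
            hits.append(row_id)
    return hits


if __name__ == "__main__":
    for row_id, pos, code in find_invalid_xml_chars(SAMPLE_ROWS):
        print(f"row {row_id}: {code} is an invalid character at position {pos}")
    print("LIKE '%1A%' would return rows:", naive_hex_like_hits(SAMPLE_ROWS))
    print("aligned code-unit search returns rows:", aligned_hex_hits(SAMPLE_ROWS))
    print("cleaned row 2:", repr(sanitize_for_xml(SAMPLE_ROWS[1][1])))
```

The practical takeaway is to treat the LIKE '%1A%' result as a shortlist rather than proof, and to check the candidate rows for the whole range of control characters, since the next report failure may name a different hex value.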

Dec 4, 2016

Today I flossed my keyboard

I used an old nylon knee-high stocking. Stretch it thin enough to insert between keys, then release one end and drag it through by the other.

May 13, 2015

Applying a wildcard SSL certificate to Unifi controller software

Running the Unifi controller software on a Ubuntu machine, and wanted to replace the self-signed certificate with my own wildcard cert. This was surprisingly easy, here are the steps I took...
  1. Download and install Keystore Explorer from SourceForge on my Windows workstation.
  2. Keystore Explorer insists on installing the unlimited strength jurisdiction policy, but provides a straightforward wizard to do this. Run Keystore Explorer as administrator, then follow the prompts to complete the update
  3. Once updated, launch Keystore Explorer and create a new empty keystore. Go to File - New and choose JKS for the type of keystore
  4. From Tools menu choose Import Key Pair - PKCS #12
  5. Click Browse, locate the PFX file for the wildcard certificate
  6. Provide decryption password and click Import
  7. When prompted for a password, enter aircontrolenterprise
  8. Go to File, Save As, and save the keystore file with the name keystore
  9. When prompted, enter the same password for the keystore, aircontrolenterprise
  10. Using Putty PSFTP, upload the keystore file to a known location on the Unifi controller machine
  11. Oops, I forgot that I didn't have SSH running on the controller, so needed to install that on the Ubuntu machine... sudo apt-get install openssh-server
  12. Now on the Unifi controller machine, I need to copy the new keystore file to the correct location.
  13. Make a backup of the original keystore file just in case...
    sudo cp /var/lib/unifi/keystore /var/lib/unifi/keystore.bak 
  14. Copy the new keystore file I just uploaded to /var/lib/unifi...
    sudo cp ~/keystore /var/lib/unifi
  15. Restart the Unifi controller service, or just reboot the machine, and the new certificate is now in place.
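As an added helper for steps 12 through 15 (my own code, not Ubiquiti's and not part of the original post), the Python script below does the server-side part with the checks a cautious admin wants before swapping a live keystore: it refuses the new file unless keytool opens it with the password from step 7 and finds a private key, keeps a timestamped backup of /var/lib/unifi/keystore, tightens the file mode so the private key is not world-readable, and restarts the service. The service name unifi, the file owner unifi, and keytool being on PATH (it ships with the Java runtime the controller already requires) are assumptions on my part.

```python
import os
import pwd
import shutil
import subprocess
import sys
import time

KEYSTORE_PASS = "aircontrolenterprise"      # the keystore password from step 7 of the post
DEST = "/var/lib/unifi/keystore"             # the keystore location from step 13 of the post


def keystore_is_usable(path, keytool="keytool", password=KEYSTORE_PASS):
    """Open the keystore with keytool and require a private-key entry.

    keytool=None skips that check (for hosts without a JRE, or tests); a keystore that
    does not open with the expected password is reported as unusable.
    """
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return False
    if keytool is None:
        return True
    try:
        out = subprocess.run([keytool, "-list", "-keystore", path, "-storepass", password],
                             capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return out.returncode == 0 and "PrivateKeyEntry" in out.stdout


def install_keystore(new_path, dest=DEST, keytool="keytool", owner="unifi"):
    """Back up the current keystore, copy the new one into place, fix mode and owner.

    Returns the backup path (None when there was nothing to back up). Raises ValueError
    rather than replacing the live keystore with a file keytool cannot open.
    """
    if not keystore_is_usable(new_path, keytool):
        raise ValueError(f"{new_path} is not a keystore that opens with the expected password")
    backup = None
    if os.path.exists(dest):
        backup = f"{dest}.bak.{time.strftime('%Y%m%d%H%M%S')}"
        shutil.copy2(dest, backup)
    shutil.copy2(new_path, dest)
    os.chmod(dest, 0o640)                    # the private key lives in here; no world read
    if owner is not None:                    # owner "unifi" is an assumption about the package
        pw = pwd.getpwnam(owner)
        os.chown(dest, pw.pw_uid, pw.pw_gid)
    return backup


def restart_controller():
    """Restart the controller so it loads the new keystore (service name is an assumption)."""
    subprocess.run(["service", "unifi", "restart"], check=True)


if __name__ == "__main__":
    # usage on the controller host: sudo python3 install_keystore.py ~/keystore
    saved = install_keystore(sys.argv[1])
    print("previous keystore saved as:", saved)
    restart_controller()
```

If keytool rejects the file, the usual cause is that the keystore password typed in step 9 was not aircontrolenterprise, and the script leaves the live keystore untouched so the controller keeps serving its current certificate.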