Cyber Defense Skill: URL Reading

Want to quickly sort out real emails from spam? Spot a bad links on web pages? Identify sham web sites? I have a suggestion: learn to read URLs.

Learning to read URLs is like taking a class in street self-defense or carrying a can of mace. Actually, much better because reading URLs can’t be turned against you. You might end up in the hospital or worse if you resist a street thug with your self-defense skills, but you will never be injured spotting a bad URL.

Uniform Resource Locators (URLs), more properly called Uniform Resource Identifiers (URIs), direct all the traffic on the World Wide Web. Almost every cyber-attack directs traffic to or from an illegitimate URL at some point in the assault. If you can distinguish a good address from a bad address and develop the habit of examining internet addresses, you will be orders of magnitude more difficult to hack.

Addresses are constructed according to simple rules. You can master the rules you need to know in order to distinguish legitimate addresses from scams in a few minutes. And be much safer.

If you want to dig deep into URLs, take a look at RFC 3986. There is much more to URLs than I cover here.

Here is a typical simple URL:

http://www.marvinwaschke.com

HTTP

The first part, called the scheme, “http:” tells you that it is a HyperText Transfer Protocol (HTTP) address. You need to know two things about the HTTP scheme. First, almost all data on the web travels to and from your desktop, laptop, tablet, or phone over HTTP. In fact, if an address does not begin with “http”, it’s not a web address. There other schemes, the most important of these is “mailto:”, which designates an email address. More on this below.

Secure HTTP

There is an important variant of HTTP called HTTPS. The “S” stands for “secure.” Data shipped via HTTPS is encrypted and the source and destination are verified with a security organization. HTTPS used to be reserved for financial transactions, but now, with all the dangers of the network, HTTPS is encouraged for all traffic. When you see “https” in a web address, hackers have a hard time snooping on your data or faking a web site. HTTPS is especially important if you are on open public WiFi at a coffee shop or other public place.

Not too long ago, security experts said HTTPS guaranteed that a site was legitimate. That is no longer good advice. HTTPS is not a guarantee that a site is legit. Smart scamming hackers can set up fake sites with HTTPS security. You have to check the rest of the address for signs of bogosity. However, setting up a fake site with a legitimate address is still hard, so a good address with HTTPS is still a strong bet.

HTTP address “authority”

The part of the address following the “//” is the “authority.” Most of the time, the authority is a registered domain name. The authority section of a URL ends with a “/”. Notice that the slash leans forward, not backward. A backward slash is completely different. The “query” follows the forward slash. The query usually contains search criteria that narrow down the data you want retrieved and is often hard to interpret without specific information about the domain. You can ignore it, although sometimes hackers can learn things about a web site from information inadvertently placed in the query.

Domain extensions

In the above address, “marvinwaschke.com” is a domain name that I have registered with the with the Internet Assigned Number Authority (IANA). “.com” is the extension. In the old days, there were only a few extensions allowed: “.gov”, “.edu”, “.net”, “.com”, and “.mil”. They are still the most common, although many others— such as “.tv”, “.partners”, “.rocks” and country abbreviations— have been added.

You can use extensions as a clue. For instance, most established firms and organizations still use the old standbys. A web site with a “amex.rocks” domain is likely not the American Express you think it is. We all know that some countries harbor more hackers than others. If an address has an extension that is an abbreviation for a cyber rogue state, be careful.

Remember, these are clues, not rules. A street lined with wrecked cars and broken windows may be crime free, but more often than not, it is a dangerous neighborhood. The same applies to incongruous domain names. They could be safe, but there is a good chance they are not.

Authority subsections

The authority section is divided by periods (“.”s) and reads in reverse. The extension that immediately precedes the first forward slash is the most important. “.com” in “marvinwascke.com” indicates that the marvinwaschke.com domain is in the vast segment of the internet made up of commercial ventures. “marvinwaschke” determines which commercial venture the address refers to. “www” indicates that the address points to the “www” part of the “marvinwaschke” venture. I could set up my website to have a “public.marvinwaschke.com” section or a “public.security.marvinwascke.com” section if I cared to. The “www” is historically so common, most browsers will strip it off or add it on as needed to make a connection.

“Microsoft.marvinwaschke.com” only indicates that my web site has a section devoted to Microsoft. “Microsoft.marvinwaschke.com” has nothing to do with Microsoft Corporation. Hackers make use of this to try to fool you that “Microsoft.pirates-r-us.ru” is a Microsoft site. It’s not! Hackers are creative. Make sure that the right end of the domain name makes sense.

Email URIs

Email addresses are URIs that follow a different scheme but use the same domain name rules. Usually, email addresses drop the “mailto” scheme but they can always be fully written out like mailto://boss@example.com. If you see an address like captain@microsoft.pirates-r-us.ru you can be fairly certain that the mail did not come from Bill Gates.

When in doubt, Google it

When you see a link or address with a suspicious domain name, Google the domain name before you use the address. Most of the time, Google will pick up information on dangerous domains.

Look at every link with caution

The internet is all about grabbing your attention. Absurd promises abound that that few people would take seriously after they took a moment to think. Losing weight is hard, wealth management is useless if aren’t already accumulating wealth the hard way, and no miracle food will prevent cancer or make you a genius. Not all ads are scams, but  don’t tempt fate by clicking on links that prey on impossible hopes.

Finally

Make a habit of looking at internet addresses. If you place the cursor over a link or address, most browsers and email tools will display the working address. Look at the address. Does something look wrong? If so, use care. The habit of looking at addresses will make you much harder to hack than unsavvy computer users.

Ransomware Protection Strategies for Small Business

I was chatting with a lawyer yesterday about cybersecurity and he mentioned that he has heard that law offices in our county have been hit with ransomware in the last few months. Law offices are a ripe target for ransomware because the confidentiality and integrity of their records are vital. Lose their records, lose their business. The same applies to many other small businesses.

What is ransomware? Ransomware is malicious software used by a criminal to deny the rightful owner of a computer system access to vital system resources and demand payment to restore the resources. Usually, ransomware encrypts data and demands Bitcoin or other untraceable cybercurrency payment for decrypting the data.

What should these offices and other small business do to protect themselves from ransomware? I suggest a two-pronged approach: prevention and damage control.

Prevention

Take steps to avoid a ransomware assault in the first place. The practices below are basic cyber hygiene for everyone that will lessen the chances of all forms of cybercrime.

  • Use a good anti-virus scanning utility. Keep it up-to-date and scan regularly.

    Wondering which utility? Windows Defender, the default Windows 10 anti-virus is a good choice. It’s already installed, doesn’t get in the way, and does a competent job. Are 3rd party tools better? The anti-virus business is highly competitive. Which utility is best changes rapidly. I use Windows Defender myself because it is convenient, and Microsoft has invested in keeping Defender among the best, which is good enough for me. Whatever you do, use an anti-virus utility and keep it up to date.

  • Use only supported operating systems and applications and subscribe to automatic updates. New vulnerabilities show up every day. Accept the manufacturer’s help in patching up the holes as the appear.

    If you don’t trust your vendor’s updates, get rid of their software. If you don’t, you put your business at risk. The only exception to this rule is when you have special software that is frequently broken by security patches. At that point, you are strapped and dependent on the maintainer of your special software. Avoid this situation if you can.

  • Be cautious of links in web pages, emails, and messages. If a link looks dodgy, skip it. Be doubly cautious about attachments to emails and messages. If you are not sure where something came from, don’t open it. If there is a question, call the sender and confirm that it is legit. Links and attachments are the most common entry points for ransomware.

Damage control

If you are diligent in following these three practices, a criminal will have a hard time entering your computer system and might pass it by for easier prey, but you have no guarantee. Let your guard down an instant and you are vulnerable. A smart criminal who is intent on assaulting your system is likely to eventually succeed no matter what you do. However, if you plan ahead, the game is not over when you get a ransom note. Your backups are critical in recovering from a ransomware assault and a lot of other computer system mishaps.

  • Backup your system regularly. I favor reputable cloud backup services because they tend to be automated and trouble free. The most likely time for ransomware to hit is the day someone forgot to run backups, or the janitor switched off the external backup drive by mistake.
  • Test your backup system regularly. All backup systems are complex mechanisms that sometimes fail. Your only assurance that they are working is a recent successful test. I always assume that a backup system that has not been tested recently does not work. I have seen disasters in the aftermath of backup systems that were assumed to be working but were not.
  • Protect your backups. Smart ransomware attempts to mash your backups. Put up barriers to protect them. Check the documentation on your system or talk to your IT technician on how to do it effectively.
  • Have a plan. A rock-solid backup system is the foundation for recovery but consider what you will do the instant a ransom note pops up. I suggest immediately ceasing all activity, detaching from all external networks, and running a virus scan. Then contact an experienced technician for help. Do not shut the system down or restart if you can avoid it. Some recovery methods depend on recovering data from memory that disappears on shutdown or reboot.

Call law enforcement

Local law enforcement may not be able to help because the criminal is likely to be in a different state or country. Keep them informed anyway. Unreported crimes encourage law breakers. Some states have cyber crime task forces with real muscles that work with the FBI and the Department of Homeland Security to shut these operations down. If local law enforcement can’t help, report the crime to the FBI’s Internet Crime Complaint Center. (IC3) If cyber crimes are not reported, funds will not be allocated to fight cyber crime and laws will not be written or changed to reflect the injuries done by these criminals.

Consider cyber insurance

Cybercrime is not that different from conventional theft and damage. I understand that cyber business insurance is becoming more common. I am not familiar with the costs involved or the efficacy of the policies, but your business insurance agent is likely to be able to help. Nonetheless, remember that avoiding or controlling damage is less disruptive to business than insurance compensation and insurance seldom makes up the whole cost of an assault.

A final note

Ransomware and other forms of cyber crime are real threats. In 2016, over 1.3 billion dollars in losses were reported to the FBI. Those who take steps to protect their business will suffer less and may completely avoid becoming victims.

 

KRACK!

The foundation of secure home wireless networks cracked this week. (I apologize for the pun. Well, No, I don’t!) KRACK is a Key Reinstallation AttaCK on WPA and WPA2 (Wireless Protected Access and Wireless Protected Access II). If you read my book, Personal Cybersecurity, you know that WPA2 is the best choice for protecting your home wireless system from intrusion. It still is, but without some timely updates, WPA2 is vulnerable to hacking.

Don’t panic

No intrusions have been reported yet, although there almost certainly will be some in coming weeks and months. The vulnerability is in the WPA and WPA2 standard. Consequently, everything that follows the standard is vulnerable. The problem is not with particular implementations. Anything that uses WPA or WPA2 correctly is vulnerable. The security of a component that uses WPA or WPA2 incorrectly is anyone’s guess, but there is a good chance it was insecure even before KRACK was discovered.

What must be patched

The Windows operating system (all versions), Linux, and Apple all are affected.  Internet of Things (IoT) gear such as wireless security cameras, smartphone controlled wireless door locks, thermostats, and light switches are also vulnerable. Practically anything wireless must be patched. Fortunately, the necessary patches have already been written for many components that need them.

Your wireless router must be patched. I read a comment in a Comcast forum that the common Xfinity Technicolor TC8305C combined cable modem and wireless router does not need patching, but I haven’t found any acceptable confirmation of that, and therefore I assume it is wishful thinking. I would appreciate a comment here from anyone who knows more.

Microsoft’s automatically delivered October security update fixed the issue for supported versions of Windows, so you are most likely already safe there. Linux distributions have patches written and it is possible your Linux installation is already safe too. I’m not as well tapped in to the Apple world, so I am not sure what the status is there, but I’m sure lights are burning late in Cupertino if they haven’t spiked it already.

The good news is that the patches are backwards compatible— that means patched components can work side by side with unpatched components without interrupting service.

The bad news

The bad news, and very bad news it is, is that a hacker can use the vulnerability to get into your wireless network from any unpatched component. The IoT is scary: Windows is easily patched automatically and is likely to be safe already, but many IoT devices have no automated patch mechanism and the device manufacturer has no means to even inform you that you are vulnerable. White label gear is especially dangerous because you have few ways to contact the manufacturer. In other words, you are on your own in the IoT.

Some reports say that Android phones are the most vulnerable. For them, you are dependent on your cellular carrier for patches to your phone. Some are more prompt than others. If you are worried, to protect yourself, turn off wireless support on your phone and only use the cellular network for network connections. When your carrier gets around to patching your device, turn wireless back on to save on data charges, if that is an issue.

Switch to wire where you can

If you have a means to switch IoT gear to a wired ethernet connection, that will render the device no longer vulnerable. Same applies to any computer or printer that you are unsure of that uses a wireless connection; turn off wireless and jack the device into your wired network if you can. If you can’t connect by wire, turn the device’s wireless service off or turn the device off entirely. You may have to turn wireless back on to download patches when they are available.

Other reasons for optimism

If you live in a low density population area, you may be less vulnerable. In order to exploit the vulnerability, a hacker must have access to your wireless signals in the air. Ordinarily, that is only within 300 feet from your wireless access point (usually your wireless router). Special antennas can extend that limit, but if strangers can’t get closer than 300 feet, you are pretty safe. The exception to that is if a hacker happens to have taken control of a computer within the 300 foot sphere that can connect to your wireless network. Still, many people in low density areas are fairly safe from intrusion.

Final advice

If you know you are in area where wireless hackers are active, turn off all unpatched wireless devices or use a wired connection. Take inventory of your IoT devices and make sure they are all secure. One way to do this is to log on to your wireless router and review the list of attached devices. Some may be turned off and only appear on the inactive list. If there is any chance that the device might connect in the future, put it on your list of devices to be secured. I estimate that you have some weeks to react, but that margin will disappear quickly. You can expect that criminals are working weekends to write cheap exploit kits for sale to script kiddies on the dark web. The kids will then drive around with laptops looking for vulnerable wireless. It has a name: “war driving.” Stay in front of them. If you have to trash some unsafe unpatchable IoT gear, do it now, swallow the loss, and take a lesson.

Even if your network is vulnerable, you are much safer using secure HTTPS connections. If you haven’t installed HTTPS Everywhere from the Electronic Frontier Foundation on your browsers, now would be a good time. Get it here.

For further technical information on KRACK, check out Brian Krebs and this post from the discoverers of the vulnerability.

Late update

A friend pointed me to this article in Ars Technica. The gist is that most Android phones are not yet patched against KRACK as of December 1, 2017, but the Android layers of security are strong enough to render the threat negligible. I will not rest easy until my Android phone is patched, but my fears are likely excessive.

Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a new set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you have a good idea of what BlueBorne is like: hackers can get to your devices through Bluetooth. They can get to you without your knowledge. Windows, Android, Apple, and Linux Bluetooth installations are all vulnerable. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently from other compromised devices. Using BlueBorne vulnerabilities, hackers do not have to connect directly to your system. Someone walks within Bluetooth range with a hacked smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of 30 feet. More with special equipment, but whenever you don’t know who might be snooping within a 30-foot radius sphere, you are vulnerable. That’s half way to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis has documented in BlueBorne have been patched. Don’t give the bad guys a free ticket by leaving known soft spots unprotected. Make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or you enter a danger zone. When Bluetooth is turned off, you are safe from Bluetooth attacks, although you may still be affected by malware placed on your device while Bluetooth was turned on.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.