All posts by Marc Kranat

Some Simple Security Advice for Bloggers in advance of #OpUSA

With #OpUSA a little more than a week away, I have seen that the vast majority of the hacks and defacements from last month's #OpIsrael hit individual bloggers and small “mom ‘n’ pop” businesses using simple WordPress style sites that were unlucky enough to have “.il” at the end of their domain names, or had FaceBook accounts and pages that showed their location as being in Israel. I have seen some estimates putting the number of small businesses and private bloggers affected at 100,000.


Looking at the sophistication and targeting used in previous attacks, we can only guess that anyone with a “.com” domain name will be seen as a legitimate target. I haven’t looked at Anonymous’s political reasoning for these attacks; I am sure they have one, but I doubt attacking such easy targets could ever be justified.

I wanted to offer two suggestions to protect you from this and attacks like it. With any online security, the first line of defense is always the password, and it needs to be strong. Sophos provide a great video here which helps you build memorable but complex passwords.

And although this has been around for probably more than 10 years, GRC provides the best password strength meter, as well as some great understanding of what makes them strong.

Something not always thought of, which adds a lot more strength than a password alone, is using a different username for each account. If you have your own domain name with a “catchall” anything@domainname.com set up, then although you use info@ or firstname@ for your general email, there is no reason you shouldn’t use wp@ for your WordPress account and fb@ for your FaceBook account. The hacker can try any combination of passwords, but if they don’t know what email address you used, they haven’t got a chance.

A little beyond the scope of this article, but people often ask “how am I meant to remember all these usernames, email addresses and passwords?” Well, there are plenty of applications and browser plugins that will help you with this, sometimes called password lockers or keychains, with options to safely store backups on their hosting service, leaving you needing only one set of credentials to access them all. Personally, for a few years I have been using an encrypted USB key with a simple text file, which allows me to copy and paste the passwords in when requested. I’m not paranoid, although I get the added protection of being immune to snooping by some keylogger; I just have so many to remember, and many were not chosen by me.

The second line of defence on WordPress has got to be making sure your script and plugins are up to date, so don’t ignore that nagging little button. There are a number of free plugins available that lock down security; a search for the word “security” when you go to add plugins brings up a list of over a thousand. Install one and enable it. A backup is always a good idea too, and again there are plenty of free plugins available, but once you’ve installed one it’s essential to actually press the backup button occasionally.

The other target in previous attacks was simply taking over FaceBook accounts. This is fairly simple to combat and should be done anyway. Start by going to “security”, which is an option on the “account settings” page. Enable as many of the options as you can; the “login approvals” option gives you very strong protection, but can cause login issues if you use multiple devices in different locations. The login notifications will fire off an email to you each time you connect with a new device, with a link that will notify FaceBook if you believe that login was fraudulent, allowing you to undo any changes they may have made. Attackers don’t only use password guessing; they also try to reset the password using information that’s readily available on your profile.

It’s possible that Anonymous will stick to just targeting major corporations, government and military sites this time which really doesn’t bother me, as they are quite capable of both protecting themselves and following the hackers with a legal process. But the reality is, no legal authority wants to know when a corner store or an individual gets hacked, no one will help, there will be no criminal charges laid or compensation paid, so it’s better you take responsibility yourself.

German state teaching Hackers that crime pays

Last week, it was reported that 200 homes of Germans were raided by police across the state of Rhineland-Palatinate. Also reported is that the Government had paid €4m for the data that led to these arrests. It’s unknown whether the person that leaked this information is an insider employee or an external hacker; both equate to the same thing really, as either way the data was retrieved illegally.

There would have been no illegal action if this person had advised the police where this data existed and assisted authorities in gathering it, but that’s not what happened; they simply paid for stolen property.

An interesting and simple question here is whether the government commissioned this crime, or whether the thief went to the government with an offer. Which leads to another question: if the hacker had been caught, would he have been able to plead mitigation as he was stealing with the intention of selling to the Government?

Does that mean that any hacker in Germany can penetrate any system looking for information to sell to the government? €4m is a big incentive and totally the wrong message to be sending out. This should reinforce the message to everyone that, even though you are breaking no laws, strong controls to protect data are essential, and encryption should be the second line of defence, with the first being controlling access.

That’s funny; I don’t remember ticking that box

Yesterday, the UK’s Daily Telegraph reported that the DVLA, that’s the UK’s Driver and Vehicle Licensing Agency, have been selling drivers’ personal details, given for the purposes of licensing, taxation, police and court enforcement, to private parking and car clamping firms that have long been known to be abusive. Here is a list of some of the worst abuses the AA came across last year:
  • Clampers threaten to take three-year-old girl hostage unless mother pays the clamp ransom;
  • A hearse clamped with a body in the back on the way to a funeral;
  • Clampers demand gold tooth from lady in lieu of payment;
  • Clampers demand sexual favours in lieu of cash;
  • Good Samaritan clamped after stopping to help hit-and-run victim;
  • Female teenager left stranded overnight in Birmingham after clamper demands £300 for overstaying ticket by 10 minutes after concert;
  • Pensioners charged £390 when paying 15p fine on library book;
  • Marked police car clamped, with the clamper ending up with an Anti-Social Behaviour Order;
  • Queen’s official protection guard clamped while on duty;
  • AA patrol charged extortionate and record £1,180 while fixing lady’s car.

This still concerns me, as although I live in Canada, I do still have a UK driving licence.

This has been going on for at least ten years; last year alone the DVLA were paid £10m ($15m) for selling confidential details to these companies. There is actually legislation in place which says you do not even have to pay their fines, but of course when they hold you hostage you don’t really have a choice. While I am not even resident in the UK, the DVLA will still have my information, as I still have my European driving licence which was registered through them.

This selling of information is in itself a breach of the DPA, the exact wording being:

“Regulations allow for the release of information from DVLA’s vehicle register to the police, to local authorities for the investigation of an offence or on-road parking contravention, and to anybody who demonstrates reasonable cause to have the information. Regulations also allow for a fee to be charged to cover the cost of processing requests, but not for a profit to be made.

As a general rule, reasonable cause for the release of data from the DVLA vehicle register relates to motoring incidents with driver or keeper liability. These can include matters of road safety, events occurring as a consequence of vehicle use, the enforcement of road traffic or other legislation and the collection of taxes.”

It looks like they are stretching the understanding of “and to anybody who demonstrates reasonable cause to have the information” after seemingly excluding off-road parking by implicitly stating “on-road parking”.

The correct action, if the DVLA considered this a breach, would be to inform the victims that their information had been disclosed; this of course has not been discussed. In fact, the DVLA is continuing to sell this private data regardless.

One of the biggest problems we have with data security is making relevant data available to authorised users; there are plenty of valid reasons for the DVLA to hold and to share our information. This action will not endear regular people to the same industries that are trying to improve all of our lives for the better.

Could this happen in Canada, the selling of our private information by government agencies to disreputable companies? Well, it shouldn’t. While local clamping companies have proved to be just as aggressive, the relevant Provincial privacy law is a little different from the UK’s in that it doesn’t allow the passing of personal data from public to private bodies.

This is not clear though. I would suggest that a change is made to New Brunswick’s Driver’s Licence application webpage, which doesn’t specifically mention privacy except through the site’s generic Privacy link, which in turn links to the entire Right to Information and Protection of Privacy Act, which really is beyond the comprehension of the majority of drivers. Disclosure of the protection your privacy is given not only increases the comfort level but will make everyone’s lives a little easier, especially given that some provinces are rolling out combined Healthcare/Driver’s Licences. This should be welcomed.