Jason Brown

IT. SECURITY. OPEN SOURCE.


The California Consumer Privacy Act And The .US Domain

As I start this off, I would be remiss not to state that yes, I have a .us domain; however, so do many Americans. You see, the .us top level domain (TLD) is only available to those who reside within the United States. There are other requirements too, such as keeping your WHOIS records up to date, ensuring that the WHOIS records show that those who register a .us domain reside within the US. The major downfall is that you cannot purchase privacy protection for your domain. All of you who have purchased .com, .net, .org and so on have those privacy protections available, but not for .us domains. In fact, the .at, .be, .ca, .cn, .cx, .de, .eu, .pl, .pro, and .tw TLDs do not have those protections either, but that is a different story for a different day. What makes the .us TLD so important?

The California Consumer Privacy Act of 2018, soon to go into effect on January 1, 2020, provides protections for personal information. You see, in order to maintain a .us domain one must accurately state their personal, or business, information in the WHOIS directory. Under the CCPA, personal information is defined as a real name, signature, address, telephone number, insurance policy number, education, employment, employment history, bank account information, credit card number, debit card number, alias, postal address, unique personal identifier, online identifier such as an IP address, email address, account name, social security number, driver's license number, passport number, or similar identifiers. Whew!

If you have never seen a WHOIS lookup on a domain before, it tends to look like:

Domain Name: JASONBROWN.US
Registry Domain ID: D20196051-US
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T13:04:07Z
Creation Date: 2009-05-31T22:47:12Z
Registrar Registration Expiration Date: 2019-05-30T23:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: CR17632448
Registrant Name: Jason Brown
Registrant Organization:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jason@jasonbrown.us
Registry Admin ID: CR17632450
Admin Name: Jason Brown
Admin Organization:
Admin Street:
Admin City:
Admin State/Province:
Admin Postal Code:
Admin Country:
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID: CR17632449
Tech Name:
Tech Organization:
Tech Street:
Tech City:
Tech State/Province:
Tech Postal Code:
Tech Country: US
Tech Phone:
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: jason@jasonbrown.us
Name Server: ATHENA.NS.CLOUDFLARE.COM
Name Server: LOGAN.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

I obviously deleted a bunch of stuff, but a simple Google search would show you the real results.

Do not get me wrong, California's Consumer Privacy Act has provided guidelines that the rest of the country should follow. However, lawmakers continuously make decisions and place deadlines on mandates without fully understanding the impact. How long will it take for lawmakers to understand the nuances of how the internet works? I myself think it's bullshit that one cannot purchase privacy protection for a particular TLD, but I see the reasons for it.

The amount of data mining, and the cost of providing that information to marketers, is astronomical. CSO Online ran an article in 2018 which stated that the records on an individual would cost around $141. It would take someone 2 minutes to enumerate the entire .us TLD, compile that information and provide it to a marketing company; the amount of data retrieved is priceless.

As you can see, the CCPA has brought to light privacy implications that no one has thought of before: the collection of personal information, the sale of personal information to other companies, and even the disclosure of the sale of that information. However, no one is looking at the information that we have to give up freely in order to do business. It is my hope that we shed a little California sunshine on this situation.

Password Rotation And The Problem Of Not Doing It

Since the release of NIST SP 800-63-3 I have been asked, "Why does our company still perform password rotation?" Answering this question is easier said than done. Moving away from rotation requires user awareness training, implementation of auditing and alerting software, and most importantly, multifactor authentication. All of these are necessary, though they can take months to years to implement depending on a company's resources and regulatory requirements.

User Awareness

We still seem to be failing at user awareness training. Our parents, grandparents, kids, co-workers, and yes, even us, still use easily guessable passwords. Studies have shown that for the past 5+ years the top passwords used on the internet are "123456", "password", "qwerty", and "111111". Talk show host Jimmy Kimmel and his television crew have shown how easy it is to social engineer someone into giving up their password. These episodes also show the simplicity of the passwords, with some saying their password is a pet's name and a birth date.

Companies such as Microsoft have developed ways to prevent their users from picking simplistic passwords. With its new "Password Protection for Azure AD" service, Microsoft prevents users from creating easily guessable passwords. This is done by checking new passwords against Microsoft's massive database of commonly used passwords. If a user picks a password that is found in the database, the service presents an error message and the user must pick another one.

Auditing and Alerting Software

People often make mistakes; that is a given. Companies make similar mistakes as well. Facebook recently announced that the company had been storing user passwords in clear text. What can be worse than that, you ask? That database had been queried over 9 million times by Facebook staff. Facebook has been on the defensive, stating that this was not a breach. While technically it was not a breach, it shows how lacking they are in security and privacy.

There are similar cases where companies are lax in their security policies. It certainly raises the question of how we can protect ourselves online. With users picking easily guessable passwords, and reusing those passwords, auditing and alerting tools are a necessity. Organizations need tools in place that send alerts when an account is being brute forced. They also need to alert when someone is logging in from a country where the organization has no presence. These are key indicators of account takeover. Without this in place, a security operations team will never know that an account has been compromised.
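As an added example (not part of the original post), here is the kind of detection logic the paragraph above calls for, run over a few constructed log lines: a brute-force burst of failed logins against one account, and a successful login from a country where the organization has no presence. The log format, the allowed-country list and the thresholds are assumptions; a real pipeline would take the country from a GeoIP lookup of the source address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <user> <source ip> <country> <result>".
# The country column is assumed to come from a GeoIP lookup done at collection time.
SAMPLE_LOG = """\
2019-04-01T08:00:01 alice 203.0.113.5 US success
2019-04-01T08:00:05 bob 198.51.100.7 US failure
2019-04-01T08:00:06 bob 198.51.100.7 US failure
2019-04-01T08:00:07 bob 198.51.100.7 US failure
2019-04-01T08:00:08 bob 198.51.100.7 US failure
2019-04-01T08:00:09 bob 198.51.100.7 US failure
2019-04-01T08:00:10 bob 198.51.100.7 US failure
2019-04-01T08:00:12 bob 198.51.100.7 US success
2019-04-01T09:15:00 carol 192.0.2.44 RU success
2019-04-01T10:30:00 dave 198.51.100.9 US failure
"""

# Assumed policy: countries where the organization actually has a presence,
# and how many failures inside the sliding window count as a brute-force attempt.
ALLOWED_COUNTRIES = {"US", "CA"}
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "result": result}


def detect(log_text):
    """Return alerts as (alert_type, user, detail) tuples, in log order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    recent_failures = defaultdict(list)   # user -> failure timestamps inside the window
    brute_forced = set()                  # users already alerted on
    for ev in events:
        user = ev["user"]
        if ev["result"] == "failure":
            # keep only failures that are still inside the sliding window, then add this one
            window = [t for t in recent_failures[user] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            window.append(ev["ts"])
            recent_failures[user] = window
            if len(window) >= BRUTE_FORCE_THRESHOLD and user not in brute_forced:
                brute_forced.add(user)
                alerts.append(("brute_force", user,
                               f"{len(window)} failures within {BRUTE_FORCE_WINDOW} from {ev['ip']}"))
        else:
            # a login from outside the organization's footprint is a takeover indicator on its own
            if ev["country"] not in ALLOWED_COUNTRIES:
                alerts.append(("foreign_login", user, f"{ev['ip']} ({ev['country']})"))
            # a success right after a brute-force burst is the strongest signal of all
            if user in brute_forced:
                alerts.append(("success_after_brute_force", user, ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```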

What Is Multifactor Authentication

Multifactor authentication (also known as 2-factor authentication) is defined in terms of three categories of factors:

  • Something you have
  • Something you know
  • Something you are

To satisfy this definition, one must use two of the three listed. Something you have and something you are is the most common. How does this protect against account takeovers? If one were to use a semi-guessable password and configured multifactor authentication, account takeover would be extremely difficult to pull off. The reason is that even if someone had your password, that person still could not log into the account, as the second factor has not been met. The second factor in most instances is something that you have. Examples of this are a smart app on your mobile device, a hardware device such as a YubiKey, or a text message, though using text messages as a second factor is now highly discouraged. Without physical access to one of these devices, it can be nearly impossible to log into an account. There is a website dedicated to helping you configure multifactor authentication: Two Factor Auth List. This website will show you which popular online services allow for multifactor authentication, and if they do not, you are able to send a message to the service asking them to enable it.

Final Thoughts

Password rotation is a necessary evil for organizations that have not properly thought things through. Yes, it does not prevent an account takeover; however, rotation will eventually keep an attacker from logging in. The use of multifactor authentication and auditing and alerting, coupled with user awareness training, is essential to good password hygiene. Without these in place, the organization will be stuck on rotation, like a broken record.

Facebook Exposes Millions of Passwords in Clear Text

Facebook has been under the spotlight for quite some time now for its poor security and privacy practices. With this latest privacy blunder, it's obvious that the company has not learned from its past. Last week it was uncovered that the company is storing passwords in clear text. This not only affects Facebook users, but Instagram users too. It was not revealed why these passwords were stored in clear text; however, what is known is that it affects millions of the company's users.

In a Facebook blog post, Pedro Canahuati, VP Engineering, Security and Privacy, mentioned that the company uncovered the error in January during a routine security review. Canahuati also stated that these clear text passwords were only viewed by those who worked for the company.

At least LinkedIn has your back… Oh nevermind.

Let's not forget the many security breaches which affected passwords in the past. In 2012, LinkedIn had millions of passwords stolen from the company by hackers. In the breach, the passwords had been hashed, but with a low grade hashing algorithm. At least in LinkedIn's case we can say the passwords were somewhat protected. In Facebook's instance, they did not even bother to hash the passwords. If the passwords were ever stolen we would see another Yahoo! breach in the making.

Protecting Yourself Online

Canahuati did not mention in his post how to remedy the issue, other than to say that passwords are hashed and salted when an account is created. I would still suggest that everyone change their password anyway, along with activating multifactor authentication for their account. This way, even if someone had the password, they would not have the secret token generated by a smart app or a hardware token like a YubiKey. This also includes those who have Instagram accounts, since they were also affected.

One cannot trust the privacy and security that a service provider offers. We must take it upon ourselves to better protect our online identities from the mishaps of the services we use. Using password managers to ensure we do not reuse the same password between services, and ensuring multifactor authentication is used on every service that offers it, is the only way to protect ourselves.

State Sponsored Probing Internet of Things Devices

In order to beef up the security of consumer Internet of Things devices, Japan will now scan IoT devices within its borders. Beginning mid-February, the National Institute of Information and Communications Technology will attempt to break into an estimated 200 million devices. The institute has compiled a list of generic usernames and passwords commonly used by manufacturers as default login credentials. Is this a good thing?

In 2018, the FBI warned citizens of a potential threat to their home routers and told them to reset them (Why the FBI wants you to reboot your router — and why that won't be enough next time). In 2016 Deutsche Telekom in Germany was down due to an infection of consumer routers which affected 900,000 customers (900,000 Routers Knocked Offline in Germany amid Rumors of Cyber-Attack). It took the telecom provider two days to get the word out, as most, if not all, of its customers used it for data and voice. Why did it take so long, and how did 900,000 routers get infected? One simple answer: the management interface was exposed to the public internet. This allowed the botnet to quickly infect consumer routers. Once a router became infected, it then scanned the internet looking for other routers to infect.

Japan's attempt to detect unsecured IoT devices is a good thing, to a point. The Institute has not said what it will do when an unsecured device is detected. Will it send notices to citizens? How will manufacturers be held accountable? What types of fines will be given for poorly secured consumer IoT devices? This is definitely a step in the right direction; however, it does not appear at this time that they have fully thought through the repercussions.

2019 State of Password and Security Behaviors

This year Yubico teamed up with the Ponemon Institute to deliver the 2019 State of Password and Authentication Security Behaviors report. The report sampled around 15,000 participants from around the globe and touched on topics including privacy and security. The report depicts the grim reality we still live in today with regards to passwords and their use. For instance, 69% of respondents share passwords with their co-workers. That number equates to 10,350 of the 15,000 people who responded to the survey. Other statistics show:

  • 51% reuse passwords across business and personal accounts
  • 67% do not use multifactor authentication (or 2 factor authentication)
  • 57% have experienced a phishing attack and never changed their password

Though the report depicts what security professionals have said for years about what not to do, respondents were asked what their top 3 concerns for data security and privacy were:

  • Social Security Numbers or Citizen ID’s
  • Payment Account Details
  • Health Information

Their top reasons for the concerns were:

  • Government Surveillance
  • Connected Devices
  • Growing Use of Mobile Devices

The report also went on to state that the annual loss due to employee misuse of passwords and poor authentication averages around $5.2M. Again, we need to do a better job of evangelizing security best practices to our family, friends, and co-workers on what to do to better protect themselves. You can read the full report at the following link: Yubico Authentication Report.

The Need for Better Transparency In Data Breaches

We hear of new data breaches almost every day, so many that we have reached the pinnacle of "breach fatigue", a feeling where consumers are tired of hearing about theft of personal information due to carelessness on the part of a company. From Equifax and Yahoo! to Cambridge Analytica, our personal, sensitive information is out on the public internet. Poor cyber security practices are just one of the main issues behind data theft among organizations. The second is how companies respond after a breach has occurred.

Google is now part of a long-standing problem we see today, and that is hiding information from consumers with regards to a data breach. This latest breach, affecting the Google+ platform, exposed half a million user records through a flaw in their API, a flaw which the company had known about since 2015. To make matters worse, Google knew of the breach in March of 2018 and yet did not disclose this information until October 8. This is not the first time a company has failed to disclose a data breach. Yahoo! was fined $35 million for not disclosing its breach, which occurred in 2014. Why was there such a delay in the announcement, and why do lawmakers allow this to continue?

The U.S. does not have a federal law which protects consumer privacy. This need for protection has been left up to the states to enact privacy laws, which most states have done. However, more oversight is needed to ensure better transparency between companies and consumers. Without additional oversight, this unfortunate practice of withholding breach information will only continue.

So what is next for Google? The typical "…the implementation of better privacy and security protections." We have heard this story before. The surprising action is that Google is now shutting down Google+ for good. Google+ could have been a great platform, though the market is saturated with social networking sites. Hopefully Google will make good on their word and Congress will have a wake-up call.

For more information on Google’s breach head over to the Wall Street Journal – Google Exposed User Data, Feared Repercussions of Disclosing to Public.

CloudFlare’s DNS Over HTTPS Service

How does DNS work?

Protecting your privacy online is a hot topic for many. Though many websites have transitioned from HTTP to HTTPS, allowing web traffic to be secured, this does not protect your overall privacy. The internet still relies on older protocols to ensure you are accessing the right website or other online resources.

DNS, or the Domain Name System, is one of those protocols we rely on heavily every day. Every internet connected device has at least one IP address. DNS allows you to type in google.com and resolves the IP address associated with it. One of the biggest issues with DNS is that it is a legacy protocol we rely on every day. It has no built-in security and runs completely in clear text. This allows your Internet Service Provider, or anyone capable of capturing internet traffic, to see what websites you access. This means that even if you are accessing an HTTPS website, others can still see your internet history.

Why is this bad?

As we continue on in the digital age, our internet history is being used against us. Website cookies, internet searches, and DNS queries are being sold to marketing companies. Everything you do is being bought and sold to a number of companies and marketing firms. These companies then take this information and use targeted ads in order to get you, the consumer, to purchase online goods and services. There have been steps made to discourage and even eliminate this type of intrusion into our privacy; however, they have not been totally adopted due to complexity.

Protecting your online privacy

Using HTTPS over HTTP is a great first step in protecting the security and privacy of your internet traffic. The next step is to look at protecting the privacy and security of your DNS queries too. Many online DNS services provide this level of anonymity and security. CloudFlare's 1.1.1.1 DNS over HTTPS is one such service that provides this level of protection. Their privacy policy states that under no circumstances will they ever sell your internet searches to outside third-party companies. Quad9 by IBM states the same in its privacy policy too. However, just setting your DNS settings to either of these services is not enough. Your router or computer will still send clear text DNS queries without additional configuration.

CloudFlare offers a number of different ways to protect your online searches. If you are looking to just configure the service on your local machine, instructions and downloads can be found on their Downloads page. Quad9 offers the same level of integration.

If you are looking to provide DNS over HTTPS for your entire household or business, you're in luck as well. There are simple ways to get this configured so that everyone can take advantage of it. Different types of routers, including pfSense, can be configured to run DNS over HTTPS. To do so, you can utilize Untangle and configure it to run DNS over port 853. The configuration will be placed into the custom options area and will look like this:

server:
    # server-level options (for example tls-cert-bundle, so upstream certificates are validated) go here

forward-zone:
    name: "."
    # older spelling of forward-tls-upstream: send queries to the forwarders over TLS on port 853
    forward-ssl-upstream: yes
    # Cloudflare 1.1.1.1 (IPv4 and IPv6)
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853
    # Quad9
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853

Once that is in place and you have saved your configuration, you will have an additional sense of privacy and security while online.
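To make concrete what the "How does DNS work?" section above means by clear text, here is an added example (not from the original post) that builds a DNS query in wire format (RFC 1035), parses the name back out of the raw bytes the way anyone on the path could, and shows the 2-byte length framing that DNS over TLS (RFC 7858, the port 853 transport the forward-addr lines above use) puts in front of the same message before it goes inside a TLS session. Nothing here touches the network; the packet is constructed locally.

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00': length-prefixed labels, no encoding."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """12-byte header (ID, flags=RD only, QDCOUNT=1) followed by one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(packet, offset):
    """Read a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original position)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            pointer = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_query(packet):
    """What a passive observer learns from one clear-text query: the id and the name asked for."""
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack(">HH", packet[offset:offset + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def dot_frame(packet):
    """DNS over TLS (port 853) sends the identical message with a 2-byte length prefix,
    inside a TLS session; the DNS message itself does not change, only the transport."""
    return struct.pack(">H", len(packet)) + packet


if __name__ == "__main__":
    pkt = build_query("www.example.com")
    print(pkt.hex())
    print(parse_query(pkt))
```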

Russian Hackers Targeting US and UK Critical Infrastructure

Over the last few weeks, Russian hackers have coordinated attacks against personal, government, corporate, and Internet Service Provider networks. These attacks are currently being directed toward IoT devices, home modems, and corporate routers, switches and firewalls, in an attempt to create an organized attack against the US and UK and potentially bring down critical infrastructure.

There are a couple of reasons why these attacks are occurring against these two countries. First, the expulsion of diplomats from Russian embassies after a Russian spy was poisoned in the UK. Second, in early April, hackers went after Russian network equipment using a known Cisco configuration tool that was exposed to the public Internet. Once the hackers had access to the network equipment, they not only deleted the configurations but also left behind a message saying, "Don't mess with our elections" and a picture of the American flag.

There are simple changes that you can make to your company infrastructure, even your home equipment, to safeguard assets that you own.

  • Change default passwords – The default username and password on most Cisco equipment is cisco/cisco. This credential provides administrative access to the router or switch and must be changed prior to placing the device into production. Changing the default password on all equipment should be the very first thing you do.
  • Maintain system level updates – Ensure that you are patching your network equipment at least quarterly, if not sooner depending on the types of known vulnerabilities. The Cisco configuration tool that was used to hack into the Russian routers had a known vulnerability.
  • Place access lists on management interfaces – There is no reason to have a way to log into a piece of equipment from anywhere in the world. There are ways of placing firewall rules on network equipment to only allow authentication attempts from known trusted networks.
  • Replace end of life/end of support equipment – High end network equipment can cost hundreds of thousands of dollars. Ensure that your organization is budgeting for replacement of aging devices so that you can continue to apply patches to your network and security equipment. A breach of information, or a complete network outage, could have significantly higher costs to fix the issues due to downtime than it would have if you purchased newer equipment with support and maintenance.
  • Stop using clear text protocols – Most legacy equipment only supports Telnet or clear text web traffic. This equipment should either be pulled out of production and placed into a lab, or discarded altogether. It is a requirement nowadays to use encryption for all remote administration and even for network monitoring protocols such as SNMP. If you cannot remove the equipment from production, it is recommended that a project plan be in place to replace older legacy equipment. If replacement cannot be performed in a timely manner, the use of compensating controls, such as authenticating only from known trusted networks or creating an out-of-band management network, is advisable.
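As an added example (not from the original post), here is a small checker that reads a Cisco IOS-style running config and reports the weaknesses the list above calls out: default credentials, vty lines without an access-class, Telnet or plain HTTP management, and SNMP v1/v2c community strings. The sample configuration, hostname and addresses are constructed, and the default-credential list is a deliberately short assumed sample.

```python
import re

# Constructed sample running config; not a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username cisco password 0 cisco
ip http server
no ip http secure-server
snmp-server community public RO
ip access-list standard MGMT
 permit 10.0.100.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT in
 transport input ssh
 login local
"""

# Assumed sample of factory credentials to flag; a real check would use a fuller list.
DEFAULT_CREDS = {("cisco", "cisco"), ("admin", "admin")}


def parse_lines(config_text):
    """Split the config into top-level commands and 'line ...' stanzas with their subcommands."""
    top, stanzas, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, stanzas


def audit(config_text):
    """Return a sorted list of (check_id, detail) findings for the tips in the post."""
    findings = []
    top, stanzas = parse_lines(config_text)
    for line in top:
        m = re.match(r"username (\S+) (?:privilege \d+ )?(?:password|secret) (?:\d )?(\S+)", line)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDS:
            findings.append(("default-credentials", f"user {m.group(1)}"))
        elif m and " password " in line:
            # 'password' stores a reversible type 0/7 string; 'secret' stores a hash
            findings.append(("reversible-password", f"user {m.group(1)}"))
        if line == "ip http server":
            findings.append(("cleartext-http-mgmt", line))
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            findings.append(("snmp-v1v2c-community", f"community {m.group(1)}"))
    for name, cmds in stanzas.items():
        if not name.startswith("line vty"):
            continue
        # management reachable from anywhere: no access-class restricting source networks
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append(("vty-no-access-class", name))
        for c in cmds:
            if c.startswith("transport input") and ("telnet" in c or c.endswith(" all")):
                findings.append(("cleartext-telnet", f"{name}: {c}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```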

There are definitely some quick wins that you can put in place to better protect your network equipment from being attacked, whereas others may take a while to implement due to budget constraints. In either case, these tips will help create a heightened layer of security for your overall network equipment.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act

On March 23, 2018, President Trump signed a $1.3 trillion spending bill to keep the US government from shutting down. In that spending bill, Congress snuck in the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The premise of the CLOUD Act is widely overreaching in that it allows the US Government to access data which resides in foreign countries. According to the Electronic Frontier Foundation, the act will allow:

“…the CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:

* Enable foreign police to collect and wiretap people’s communications from U.S. companies, without obtaining a U.S. warrant.

* Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.

* Allow the U.S. president to enter “executive agreements” that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.

* Allow foreign police to collect someone’s data without notifying them about it.

* Empower U.S. police to grab any data, regardless if it’s a U.S. person’s or not, no matter where it is stored.”

As you can see, this not only allows the US government to obtain information stored in foreign countries, it also allows foreign countries to request information on US citizens. The fact that this can be done without a warrant obviously violates an American citizen's Fourth Amendment protection against unreasonable searches.

Though many privacy advocates have been outspoken against the bill, Microsoft, which has been battling the US Justice Department for years, is in favor of it. They have been fighting the DOJ over releasing information from their Office 365 OneDrive service which is stored in a data center in Ireland. Due to the privacy regulations in the European Union, Microsoft was unable to release such information.

The United States is already very weak in privacy law; there is no federal law or constitutional amendment which protects the privacy of American citizens, and this further weakens privacy. It will be interesting to see how the CLOUD Act plays out in the courts in the years to come. It will also be interesting to see how this will play into the EU's new General Data Protection Regulation (GDPR), which is meant to strengthen the privacy rights of EU citizens against countries which have weak privacy laws like those in the US.

Read more on the EFF's website: Responsibility Deflected, the CLOUD Act Passes

