The Risks of Public WiFi

I have a love-hate relationship with WiFi. On one hand, it’s magically awesome. On the other hand, it’s invisible. The latter is where things can get murky.

In a nutshell, when you turn on your WiFi device it looks for a previously connected network: your home, your office, the local coffee shop, the airport, and any other location you’ve EVER connected to wirelessly. Your computer is essentially asking, “Hey, Starbucks, you here? No? Hey, PHX Airport, you here? No?” (these are called probe requests), and it keeps going down the list of saved networks until one responds or you attach to a new network. In familiar locations we turn on the computer and, if it works, we don’t even think about it.

Now let’s say I had a device that could pretend to be any network. When your computer asks for the coffee shop, the airport, your home, or your work, my device answers “yes” as that network. Such a device can be purchased for about $100. It’s very popular and its intended purpose is wireless auditing, but it can just as easily be used with malicious intent.

If you’ve heard the term Man in the Middle (MitM), this is it. The auditing device has its own upstream Internet connection; your laptop connects to it, you can still reach the Internet, so you’re none the wiser. From that position a bad actor can attack your computer directly, read and manipulate any unencrypted traffic, and tamper with what you see. This is not new. I bring it up because there was a recent report listing the 10 most vulnerable airports:

PHX ranking in at #7 for the Most Vulnerable.

So does this mean we should stop using the WiFi at PHX? No. You should, however, take some steps, and not just in PHX; we should do this everywhere:

1. Clean up previously connected networks. If you’ve traveled to another city, connected to the hotel WiFi, and you’re not heading back to that location in the near future, remove the network. Open (password-less) networks are the ones to prune first: your device will rejoin any access point that merely broadcasts the saved name, whereas a password-protected network at least requires the other side to prove it knows the key before you connect.

2. When you connect to a WiFi network, whether it’s new or previously connected, double check the name of the network to verify you’re on the network you think you’re on. This catches lookalike names (an attacker’s “Airport Free WiFi” sitting next to the real one); it does not catch a device answering to the exact name your laptop asked for, which is why step 1 matters.

3. Use a Virtual Private Network (VPN) in full-tunnel mode. A bit of nerd speak here, but we’re basically taking all of our network traffic and sending it through an encrypted tunnel to a network we trust, so whoever runs (or impersonates) the WiFi sees only encrypted traffic to the VPN endpoint. “Full tunnel” matters: a split-tunnel VPN protects only the traffic headed to the office and leaves everything else on the hostile network.
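To make the probe-request problem concrete, here is an added example (not code from the original post) that models the exchange in plain Python: a laptop walks its saved-network list in order while an imposter access point says “yes” to every name it hears. The SSIDs, passphrase and BSSID are constructed, and the protocol is reduced to the one decision that matters: an open saved network is joined on name alone, while a WPA2 one is refused when the imposter offers it as open and fails the key handshake when the imposter claims to be protected.

```python
"""Added example (not from the original post): a toy model of a laptop walking
its saved-network list while an imposter access point answers every probe.

Constructed data: the SSIDs, the pre-shared key and the BSSID are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Profile:
    """One entry in the device's saved ("previously connected") network list."""
    ssid: str
    security: str          # "open" or "wpa2-psk"
    psk: str = ""          # only meaningful for wpa2-psk


@dataclass
class RogueAP:
    """The $100 auditing device: it says "yes" to whatever name it is asked for."""
    bssid: str = "02:00:00:00:00:01"      # constructed, locally administered MAC
    claims: str = "open"                  # what the imposter advertises
    harvested: list = field(default_factory=list)

    def probe_response(self, ssid):
        # Every probe leaks another entry of the victim's saved list.
        self.harvested.append(ssid)
        return {"ssid": ssid, "bssid": self.bssid, "security": self.claims}

    def handshake(self, ssid, psk):
        # An imposter does not know the real network's key, so it cannot finish a
        # WPA2 four-way handshake (it can still record the exchange for offline
        # cracking, which is a separate risk for weak passphrases).
        return False


@dataclass
class Client:
    profiles: list

    def join_first_available(self, ap):
        """Walk the saved list in order, as the post describes, and join the first
        network that answers and can be verified. Returns the SSID joined or None."""
        for p in self.profiles:
            resp = ap.probe_response(p.ssid)
            if resp is None or resp["ssid"] != p.ssid:
                continue
            if p.security == "open" and resp["security"] == "open":
                return p.ssid          # nothing to verify: the imposter wins
            if p.security == "wpa2-psk":
                if resp["security"] != "wpa2-psk":
                    continue           # saved as protected, offered as open: refuse
                if ap.handshake(p.ssid, p.psk):
                    return p.ssid
        return None


def demo():
    """Constructed saved list: a protected home network and an open coffee-shop one."""
    saved = [Profile("HomeNet", "wpa2-psk", psk="constructed-passphrase"),
             Profile("Coffee Shop WiFi", "open")]
    karma = RogueAP()
    joined = Client(saved).join_first_available(karma)            # open one is joined
    pruned = Client([p for p in saved if p.security != "open"]) \
        .join_first_available(RogueAP())                          # nothing to join
    fake_protected = Client(saved[:1]).join_first_available(RogueAP(claims="wpa2-psk"))
    return joined, karma.harvested, pruned, fake_protected
```

Two things to notice when running `demo()`: the imposter ends up with the victim’s whole saved list (`harvested`) whether or not a connection succeeds, and removing the open profile is what turns the result from “joined” to “nothing to join”.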

Will this guarantee your safety? No. But it makes you a much harder target and an attacker will probably move on to an easier victim.

If you need assistance with cleaning up your WiFi connections, VPN solutions, or any of our other services, please feel free to reach out to us through the Contact page.

Online Account Compromise

“My account has been compromised, what do I do?”

First, let’s start off with how you can determine whether or not your account has been compromised. A fellow by the name of Troy Hunt runs a website, “have i been pwned?”, which performs a simple function: you enter your email address and it searches its database of known breaches to see whether your address appears in any of them. You can also register your email addresses to receive automatic notifications if one of them shows up in a future breach.
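The same site also lets you check whether a specific password has shown up in a breach, and it does so without ever receiving the password: you send the first five characters of the password’s SHA-1 hash and match the rest locally. The following is an added example (not code from the original post) of that check. The range URL is the real one; `SAMPLE_RANGE` is a constructed stand-in for a response, so the offline check runs without network access.

```python
"""Added example (not from the original post): checking whether a password
appears in Have I Been Pwned's Pwned Passwords corpus without ever sending the
password. The range API is real (https://api.pwnedpasswords.com/range/<prefix>);
SAMPLE_RANGE below is a constructed stand-in for its response."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed excerpt of a range response: "<35 hex suffix>:<count>" per line.
# The second suffix is the real SHA-1 tail of "password"; the counts are made up.
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "2B59F7D13DEF1B8A0D1FF6C4D31D4DE7F2A:2\r\n"
)


def split_sha1(password):
    """k-anonymity split: only the first 5 hex chars of SHA-1 leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body, suffix):
    """Match the remaining 35 hex chars locally against the returned range."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (needs network); HIBP asks for a descriptive User-Agent, and
    Add-Padding makes every response the same rough size to hide which prefix
    you asked about from anyone measuring traffic."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "password-audit-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Times this password has been seen in breaches (0 means not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)
```

`pwned_count("password")` does the live lookup; passing `fetch=lambda p: SAMPLE_RANGE` exercises the same matching logic against the constructed response. A non-zero count means the password is already in attackers’ wordlists and should be retired everywhere it was used.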

Back to the original question — what do you do if you find out your account has been compromised?

1. If the password for this account was not unique, determine every place the password has been used. Change the password on this account and on every other account with the same password, and choose a unique password for every account you change.

2. Does the account have challenge questions and/or answers for password recovery? If so, change the questions and the answers. If the challenge questions and/or answers associated with this account were used on other accounts, change those accounts as well.

I know this seems like a lot of work, and if the account wasn’t all that important to you it will seem like even more work. But let’s say I get the address and password for your email account. I can log in, I can read all of your email, and I can determine what other accounts are linked to this address. Now I can try to reuse that email address and password on another account. Or I can attempt a password reset and, since I have your email account, I can retrieve the password reset email. Perhaps I am confronted with challenge questions (mother’s maiden name, city of birth, or whatever); I might have those answers, or perhaps I can find them. The more accounts I can compromise, the more information I can gather, and the further I can move into other accounts.

More often than not, the end goal is money. Your email account by itself has little value beyond sending spam, but compromised accounts are sold in bulk and some buyers are looking to turn these accounts into profit. One account leads to another, then another, and maybe they get a PayPal account, an Amazon account, a bank account, or something else that can get them goods or money.

I’m not going into the full extent of how they do what they do without getting caught. I just know they are doing it and we need to protect ourselves for when it’s our account in the next breach.

[ I talk and write frequently on this topic and I can’t remember if I’m repeating myself. Repetition on this topic is not a bad thing. ]

We can’t stop the breaches from occurring. What we can do though is harden our accounts:

1. Each account should have a unique password — use a password manager and this becomes a simple task.

2. Challenge questions should not have real answers. Again, use the password manager to generate and store unique strings for the answers. For the sake of this discussion, my city of birth is: jYue4pf.AJ,%T6+nBVZ-*uXR (some sites reject punctuation in these fields; a long string of random words works just as well there).

3. Enable Two-Factor or Multi-Factor Authentication. If the only option for a second factor is SMS, that’s better than nothing, but it’s not as good as an authenticator app such as Duo, Authy, or Google Authenticator, and those in turn are not as good as a hardware key such as a YubiKey, which can’t be tricked into handing a code to a phishing page.

4. Shut down old accounts. I’m guilty of this as well. I have an old email account which used to be the catchall address for unimportant accounts. “Would you like to sign up for our rewards account? You’ll get ONE MILLION DOLLARS off this purchase!” You sign up, you give them your info, and then you never use it again. You’re still getting their emails and they still have your info. Log in and kill the account.

If you’ve hardened your accounts and the next breach contains your login info, two-factor authentication stops an attacker from logging in with the password alone. Since you’re now using unique passwords and challenge answers for every account, the would-be attacker can’t move into any of your other accounts. And since you’ve enabled notifications from haveibeenpwned, you receive an email about the breach, log in to the breached account, reset everything, and all is well.

The Death of IT

Over the past few years we’ve seen a trend where companies reduce their Information Technology (IT) staff because IT is becoming easy enough for anyone to do. Or at least it appears that way. I would argue that just because it looks easy doesn’t mean you can’t make a colossal mistake.

I’ll give you three examples:

#1 —

A client wants to set up a data room, which is essentially a secure place where data of a privileged nature is stored and viewed. In the early days it was a physical room in a building; in modern times it’s virtual. I have no affiliation with Box.com, but in the world of our clients Box.com is frequently used for housing the data. This client didn’t want to use Box.com because of the cost. Someone decided the data could be stored on the web server, and when the person who manages the website put the data on the server, they didn’t understand permissions, they didn’t understand site indexing, and they didn’t realize that anything placed on a public web server gets indexed by Google unless you deliberately restrict it (authentication on the directory at minimum; a robots.txt or noindex tag keeps well-behaved crawlers out but does nothing to stop a person who knows the URL). It wasn’t long before someone in the company found their information, including SSN, in a Google search.

Google had indexed literally thousands of pages with a lot of sensitive data. To remove data from Google, Google has a “Remove outdated content” page, but it only removes one URL at a time, and it only works once the page is actually gone or blocked; removal from the index also does nothing about copies already downloaded, so taking the data offline is the first step, not the last. I wasn’t involved in this disaster or the recovery, but I can imagine it took quite a bit of time to remove each page from Google.

#2 —

In startups, everyone has a de facto IT guy/gal. Sometimes that person is an actual IT person and sometimes it’s someone who can spell computer. A client had someone handling their IT who was somewhere in between the two. IT wasn’t his primary role, but he knew a bit about computers. He lacked the fundamentals, which is where this situation got messy. They were using a VoIP phone system and when it was set up they couldn’t get audio going both ways. The vendor suggested opening all ports inbound on the firewall, which “solved” the problem. Opening all inbound ports on a firewall is the equivalent of unlocking all of the locks, opening all of the doors, and opening all of the windows in your home. The right fix for one-way audio is narrow: open only the ports the phone system actually needs (SIP signaling and the RTP media range the vendor documents), and only from the provider’s addresses. They were breached, and determining the extent was not in the scope of my project.

#3 —

Not a personal experience, but I think this is a good one too because of how easily it can happen. On a corporate network we might have a file server that houses data for various departments, but we don’t necessarily want the marketing folks to access HR data, or the sales folks to access finance data. We create groups for accounting, finance, marketing, sales, etc., we place users in groups, and then we assign groups to resources. Every so often something doesn’t work and, in a panic, I’ve seen unseasoned people set incorrect permissions on resources (“Everyone: Full Control” just to make the error go away). Not unlike the firewall situation I described above. And if those mistaken permissions work, they tend to get left in place, which leaves the door open for trouble.

Cloud is a buzzword, but it essentially means someone else’s computer, and we can store data in the cloud rather than on our own network. Amazon.com has a business more profitable than its retail operation, if you can imagine that, called Amazon Web Services (AWS). Last November, a Department of Defense contractor inadvertently set the permissions on cloud storage hosted on AWS (an S3 bucket) to “public”. I think the contractor thought “public” meant Department of Defense users, but in fact public means PUBLIC: the entire world, or at least anyone who can find it. (S3 makes this mistake easy: besides “Everyone” it offers a grant for “Any Authenticated AWS User”, which sounds like your own users but means anyone with any AWS account.) Someone will find it, and when they did they discovered what was described as a “massive trove of Top Secret intelligence”.
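Here is an added example (not code from the original post) of the check an experienced set of eyes would run before signing off on a bucket: it reads an S3 bucket ACL and bucket policy and reports every grant that reaches outside your own account. The two group URIs are AWS’s real identifiers for “everyone” and “any AWS account”; `SAMPLE_ACL` and `SAMPLE_POLICY` are constructed in the shape that boto3’s `get_bucket_acl()` and `get_bucket_policy()["Policy"]` return, so the logic runs offline.

```python
"""Added example (not from the original post): finding "public" grants in an S3
bucket ACL and bucket policy. The two group URIs are AWS's real identifiers;
SAMPLE_ACL and SAMPLE_POLICY are constructed in the shape boto3's
get_bucket_acl() / get_bucket_policy() return."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # the entire Internet
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # anyone with any AWS account

SAMPLE_ACL = {                                   # constructed, same keys as boto3
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
    ],
}

SAMPLE_POLICY = json.dumps({                     # constructed bucket policy document
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
        {"Sid": "TeamOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/constructed-role"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::constructed-bucket/*"},
    ],
})


def risky_acl_grants(acl):
    """Return (who, permission) for every ACL grant that reaches outside your account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            findings.append(("anyone on the Internet", grant["Permission"]))
        elif uri == AUTH_USERS:
            findings.append(("any AWS account, not just yours", grant["Permission"]))
    return findings


def _is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements open to everyone. A statement with a Condition is
    skipped here as a simplification; a weak condition can still be public."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
            and "Condition" not in s]
```

With real credentials the inputs come from `boto3.client("s3").get_bucket_acl(Bucket=name)` and `get_bucket_policy(Bucket=name)["Policy"]`; run both checks against every bucket in the account, not just the one somebody remembers creating.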

These are all easy mistakes to make but when you expand your environment, mistakes become magnified.

Reducing overhead is something we all want to do. At the same time, having an experienced set of eyes sign off on the configuration, or audit the environment afterward, is crucial as cloud widgets keep getting easier to deploy.

Guest WiFi

We recommend you set up guest WiFi for guests. We also recommend guest WiFi for employees who want to use your business network with their own devices for personal use. The only devices on your business network should be company equipment. But let’s say this is already your practice. The guest network is not the wild west, and you should monitor it like you monitor your business network.

We treat both networks the same and we receive alerts when suspicious activity takes place on either network. I received such an alert recently which stated the user attempted to access a site categorized as a “malware distribution point”. The traffic was blocked by the mechanisms we have in place but we want the user to be aware of the incident for education purposes and also to let them know — hey, we’re watching what’s going on over here.

I’ve been asked why we care, and the answer is simple: even though it’s isolated from the business side of your network, it’s still your network. If a user is infected, attacks can now come from inside your network (which is also why guest clients should be isolated from each other, not just from the business LAN). If a user is downloading illegal software, it can be traced back to your network, bringing a headache to your doorstep.

You want to set up a guest network, but you want to scrutinize the traffic as much as you do on the business side. The corporate Internet usage policy should cover both the guest and business networks, and if possible your guest network should have a captive portal stating your policy before guest devices can freely browse the Internet. No different from accepting the terms of use at the local Starbucks before accessing their network.
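The alert described above comes down to a simple rule: flag any client, on either network, that touches a host in a dangerous category, and record which side of the network it sat on and whether the filter actually blocked it. Below is an added example (not code from the original post) of that logic run over constructed web-filter log lines. The subnets, host names and category labels are assumptions; the parser expects `time client-ip host category action` per line, so adapt it to your filter’s export format.

```python
"""Added example (not from the original post): the kind of check behind the
alert described above, run over constructed web-filter log lines. The subnets,
hostnames and category labels are assumptions."""
import ipaddress
from collections import Counter

NETWORKS = {                                   # assumed addressing plan
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "guest": ipaddress.ip_network("10.20.0.0/16"),
}
ALERT_CATEGORIES = {"malware distribution point", "command and control", "phishing"}

# Constructed log lines: time  client IP  host  category  action
SAMPLE_LOG = """\
2018-03-02T09:14:07 10.20.3.41 update-check.example.net malware distribution point block
2018-03-02T09:14:09 10.20.3.41 news.example.com news allow
2018-03-02T09:20:55 10.10.7.12 login.example-bank.com finance allow
2018-03-02T09:22:13 10.10.7.12 cdn-helper.example.org malware distribution point block
2018-03-02T09:30:00 192.168.99.5 files.example.com file sharing allow
"""


def which_network(ip):
    """Label a client address by the network it belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"            # worth its own alert: an address you didn't hand out


def parse_line(line):
    ts, ip, host, rest = line.split(maxsplit=3)
    category, _, action = rest.rpartition(" ")   # category may contain spaces
    return {"time": ts, "ip": ip, "host": host, "category": category, "action": action}


def alerts(log_text):
    """One alert per line in a dangerous category, regardless of which side of
    the network the client sits on, noting whether the filter blocked it."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["category"] in ALERT_CATEGORIES:
            rec["network"] = which_network(rec["ip"])
            rec["blocked"] = rec["action"] == "block"
            out.append(rec)
    return out


def per_network_counts(log_text):
    """How many alerts each network produced; the guest side is not exempt."""
    return Counter(a["network"] for a in alerts(log_text))
```

An alert with `blocked` false is the one to chase first: the user reached the site and the machine needs a look, not just an educational email.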

Green Locks

Let me preface this by saying I’m going to be using some terms interchangeably. For example, HTTP and unencrypted; HTTPS, encrypted, SSL, and certificate. (Strictly, the protocol doing the encrypting today is TLS, the successor of SSL, but “SSL certificate” is what everyone still says.)

A website using encryption is served over HTTPS because the owner of the site acquired an SSL certificate and configured the web server to use it.

Moving on….

When you go to a website there are two basic options: HTTP and HTTPS. The latter, with the trailing “S”, means secure. Essentially, the HTTPS site is using encryption between the website and the browser, and for all intents and purposes the back and forth is invisible to prying eyes (the name of the site you’re visiting and how much you transfer are still visible to the network; the contents are not). With HTTP it is all visible, can be intercepted and redirected, and in general is not secure. Does that mean that every time you go to a site using HTTP someone is prying into your business? No. But it’s possible.

There’s a push to move the entire web to HTTPS and, as I mentioned in a previous post, Google is pushing for this to happen. The Electronic Frontier Foundation, through Let’s Encrypt and its Certbot tool, is making it easier to encrypt websites and is doing it for free, which is great and bad simultaneously.

The good — everyone can encrypt their sites, it doesn’t cost you a dime, and it reduces the amount of prying eyes on your web surfing.

The bad: anyone can get their site encrypted, including bad actors, which means someone with malicious intent could register a domain name that is a variation of a legitimate website and get a certificate for free, which makes it look legitimate. A certificate only proves you’re talking to whoever controls that domain name; it says nothing about whether that domain is the one you meant.

Typosquatting is the term used for registering domain names that are typo variations of real websites.  For example, I typed bankofamerica a few times and a couple of the misspellings were:

bankfoamerica
bankofamercia

If someone were to register those two domain names and acquire certificates, you might not recognize the difference because the little green lock would appear in the URL.
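The two misspellings above are both single-keystroke slips, and that is exactly how squatters choose what to register. Here is an added example (not code from the original post) that generates the one-keystroke variants of a name and flags a URL whose domain is within a couple of edits of a brand you watch. The brand list and URLs are constructed, and the domain-label extraction assumes a two-part suffix such as `.com`; a real deployment would use the public suffix list.

```python
"""Added example (not from the original post): generating the typo variants a
squatter would register and flagging a host name that is "almost" a brand.
Brand list and URLs are constructed."""
import string
from urllib.parse import urlsplit

KNOWN_BRANDS = {"bankofamerica", "paypal", "amazon"}   # constructed watch list


def typo_variants(name):
    """Single-keystroke mistakes: swapped neighbours, dropped, doubled, substituted."""
    out = set()
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])   # transposition
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                           # omission
        out.add(name[:i] + name[i] + name[i:])                     # doubled letter
        for c in string.ascii_lowercase:
            out.add(name[:i] + c + name[i + 1:])                   # substitution
    out.discard(name)
    return out


def edit_distance(a, b):
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(url):
    """'https://www.bankofamercia.com/login' -> 'bankofamercia'. Naive: assumes a
    one-label public suffix such as .com; use a public-suffix list in production."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host


def lookalike(url, brands=KNOWN_BRANDS, max_distance=2):
    """Return (brand, distance) when the label is close to, but not equal to, a brand."""
    label = registrable_label(url)
    best = None
    for brand in brands:
        d = edit_distance(label, brand)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best
```

`typo_variants("bankofamerica")` is the list you would feed to a registrar’s availability check to see which lookalikes already exist; `lookalike()` is the same idea in reverse, applied to a link someone is about to click.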

So let’s take a look at a few examples.  The following sites are using HTTP (Why?  I do not know!?!?):



These are unencrypted sites, and if you were browsing one of them your traffic could be read by anyone in a position to watch it.

Notice in the address bar of this site, the word “Secure” appears with a little green lock. This site is using encryption. If we registered a domain with a typo and encrypted it, it would look just like what you see above and you might think it’s the real thing.

Not all green locks are the same though.

Take a look at Bank of America’s site. It has a little green lock, but it also has the company’s name in the address bar. This is an Extended Validation (EV) certificate, which means the certificate authority verified the legal identity of the organization, not just control of the domain name, so there’s more to the registration process than a simple request for site encryption.

Not everyone uses an EV certificate. When I looked at a few other banks it was a mix of standard and EV certificates, which means you want to pay close attention to the spelling in the address bar when you use a site without an EV certificate.

In general, it’s always wise to pause for a moment, look up in the address bar, check the spelling, and look for the green lock when you’re surfing — especially sites where there’s money or important data involved.

Before I let you go — while wrapping up this post, I had a couple of bonus thoughts —

1. When using a browser in incognito mode, the site will still appear with “Secure”, but the lock is white, not green.
2. Sites might reference content from other sites that are not using HTTPS (“mixed content”), which also produces variations in the address bar. In this instance, if I were on my banking site and I didn’t see the site was 100% secure, I would not use the site until this issue was resolved. It might be harmless or it could be malicious, and it wouldn’t be worth my risk.

Shady Practices

We have a general rule with our clients — if you’re questioning the validity of ANYTHING that comes through email, phone, text, smoke signals, or whatever, please feel free to ask us.  We want you to ask us!

We frequently receive questionable emails, attachments, and today we received a forwarded fax from one of our clients.

I won’t go so far as to call this particular fax “shady” because it’s not threatening like some we’ve seen, but it is questionable: it is worded so that it is easily mistaken for a domain renewal notice, which is exactly what happened to the client.

It was forwarded to us with a question — “Should we pay?”  The answer — “No.”

This is not a domain renewal — this is someone selling a service.

When I tried to search for information regarding this SEO company, I came up with 129 results that almost exclusively point to the same website which makes me very suspicious.

We’ve seen variations that look more like domain renewals with threatening text about the expiration of your domain.

The last thing you want is for your domain to expire, but you also don’t want to accidentally pay the wrong vendor. The best advice I can give is to figure out the registrar for your domain (a WHOIS lookup on the domain shows it) and remember that only the registrar bills you for renewal. For example, Network Solutions is a domain registrar, among other things. In the event you receive a questionable message, you can contact your registrar. Or you can contact your IT provider. Or both.

Your Vendor is Wrong

We recently picked up a new contract and while going through the devices on the network, we came across an unpatched Windows 2012 server.  When asked, the client stated their vendor, a phone provider, recommended against patching as it would likely break the software on the server.

If I hire a vendor and that vendor tells me to do something, I’m likely to follow their instructions because I hired them for their expertise.  In this case, the vendor has created a situation where my client has a problem.  A quick scan shows this server is vulnerable to MS17-010.  Let me break that down —

MS = Microsoft Security Bulletin
17 = 2017
010 = the bulletin’s sequence number within that year.

This particular vulnerability (in Microsoft’s SMBv1 file-sharing service) was patched in March of 2017, is rated critical, and is the one exploited by the WannaCry and NotPetya ransomware outbreaks later that year.

A quick scan of my client’s server reveals the server is vulnerable to MS17-010:

I knew in advance of the scan but I wanted to document the entire penetration of this server in order to show the client the issue.  It’s one thing to think it ‘could’ be bad but it’s another to see it in front of you.

Using a publicly known exploit, I was able to create a user account, add that new user to the local administrators group, and take full control of that server.
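The scan in the screenshot is the kind of thing you hand to a client as a list, not a picture. Here is an added example (not code from the original post) that turns nmap’s XML output for its `smb-vuln-ms17-010` script into a per-host verdict. The scan command itself is `nmap -p445 --script smb-vuln-ms17-010 -oX ms17.xml <targets>`; the script name is real, while the address range and `SAMPLE_XML` are constructed to approximate nmap’s output format.

```python
"""Added example (not from the original post): reading nmap's XML output for the
smb-vuln-ms17-010 script into a list of hosts that need the patch.
SAMPLE_XML is constructed to approximate nmap's format."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.15" addrtype="ipv4"/>
    <hostnames><hostname name="phones-srv" type="PTR"/></hostnames>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="Could not connect to ipc$ share"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.30" addrtype="ipv4"/></host>
</nmaprun>
"""


def ms17_010_status(xml_text):
    """Map each scanned host to 'VULNERABLE', 'NOT VULNERABLE' or 'UNKNOWN'."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        script = next((s for s in host.iter("script")
                       if s.get("id") == "smb-vuln-ms17-010"), None)
        if script is None:
            results[addr] = "UNKNOWN"        # port 445 closed/filtered or script skipped
            continue
        # Look at both the human-readable output and the structured state element.
        text = script.get("output", "") + " " + " ".join(
            (e.text or "") for e in script.iter("elem") if e.get("key") == "state")
        if "NOT VULNERABLE" in text:         # check this first: it contains "VULNERABLE"
            results[addr] = "NOT VULNERABLE"
        elif "VULNERABLE" in text:
            results[addr] = "VULNERABLE"
        else:
            results[addr] = "UNKNOWN"
    return results


def vulnerable_hosts(xml_text):
    """Sorted list of addresses that still need MS17-010."""
    return sorted(ip for ip, state in ms17_010_status(xml_text).items()
                  if state == "VULNERABLE")
```

“UNKNOWN” is not “safe”: a host the script could not talk to (the second entry above) needs a second look with credentials or from a different network position before it comes off the list.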

If you have an unpatched computer, running any operating system, odds are pretty good that it is vulnerable to something. And that list of vulnerabilities grows over time.

If your vendor advises against patching, push back, because it’s bad advice. If a patch really does break their software, the answer is a test window and a backup beforehand, or isolating the server so nothing untrusted can reach port 445, not leaving it unpatched on the network.

1.1.1.1

The Domain Name System (DNS) provides IP addresses for fully qualified domain names. What does that mean? It means that when you type www.google.com in the address bar, DNS converts that name into an IP address such as 216.58.216.36 (the exact answer varies by location and over time). We remember names, not numbers, which is why we need this service; computers route using numbers, not names. In a nutshell, that’s DNS.

DNS servers are everywhere. If you have a home router, your devices typically use the router as their DNS server and the router forwards the lookups to your provider’s resolvers. In the office, if you have your own server, that server is providing at least one source of your DNS (in most situations).

We’ve run our own public facing and private DNS servers for years.  We’ve also allowed our clients to point to our servers because sometimes those provided by their service providers were not always reliable.  But then Google came along with its own public facing DNS servers for anyone to use.  Not only that, they provided an easy to remember address:  8.8.8.8

Google’s servers were reliable, easy to remember, and free. I say free as if Google won’t get anything in return for you using their service, but that’s not quite true. If you recall, DNS translates names into numbers, so when you browse a site directly, even though you didn’t search for it on Google, and even though the site is using a secure connection, the resolver sees that you looked up the site, and that’s another data point. Google’s stated policy is that its Public DNS logs aren’t joined with the rest of what it knows about you, but you are still trusting it with the list of every site you visit. Maybe you care, maybe you don’t.

Personally, I like to think of myself as privacy aware.  I can then choose to use something but I understand at what cost.  The longstanding joke is Free WiFi.  Same concept but perhaps a bit more intrusive.  At the very least, you’re being fed DNS servers on that free WiFi and your data is being mined.

Cloudflare recently announced “the fastest, privacy-first consumer DNS service”.  Free.

Cloudflare is a provider of, among other services,  a web application firewall — which is basically a firewall for your website.  Feel free to make your own decision but despite all of my doom and gloom, this sounds legit.  They genuinely want to give us DNS, for free, and without any strings attached.  I believe them.

I’ve personally been using the service since the announcement and I’ve had zero issues.

I try not to put too much tech speak into my posts, but that being said, most devices let you configure at least two DNS servers. Cloudflare’s pair is 1.1.1.1 and 1.0.0.1. You could set 1.1.1.1 as the primary and 8.8.8.8 as the secondary, but be aware that “secondary” doesn’t mean “backup only” on every operating system: some will spread queries across both, so Google may still see more than the occasional lookup. Also, plain DNS travels unencrypted, so on that free WiFi the operator can still read (or rewrite) your queries regardless of which resolver you chose; Cloudflare offers DNS over HTTPS and DNS over TLS for exactly that case. Or maybe you don’t even care, at which point I’ll go back to folding my tinfoil hats.
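To show what the resolver actually sees, and how to keep the WiFi operator from seeing it, here is an added example (not code from the original post) that builds a DNS query in wire format, parses the answer, and sends the query to Cloudflare over HTTPS (DNS over HTTPS) instead of plain port 53. The endpoint URL is Cloudflare’s real one; `sample_response()` is a constructed reply so the builder and parser can be exercised offline. This goes a step beyond the resolver settings discussed above, since DoH is what removes the query from the network operator’s view.

```python
"""Added example (not from the original post): a DNS query in wire format sent to
Cloudflare over HTTPS (DNS over HTTPS), so the WiFi operator sees an HTTPS
connection to Cloudflare rather than a readable DNS query. The endpoint URL is
Cloudflare's real one; sample_response() is a constructed reply for offline use."""
import random
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # also served at https://1.1.1.1/dns-query


def encode_name(name):
    """www.google.com -> b'\\x03www\\x06google\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Standard query, recursion desired, one question (qtype 1 = A record)."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            jumps += 1
            if jumps > 8:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return [(name, ipv4, ttl)] from the answer section of a DNS reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                          # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def doh_lookup(name):
    """Live lookup (needs network): POST the wire-format query over HTTPS."""
    req = urllib.request.Request(
        DOH_URL, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())


def sample_response(txid=0x1234):
    """Constructed reply to build_query("www.google.com", txid=0x1234): one A record
    pointing at the address used in the post, with a 300-second TTL."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.google.com") + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([216, 58, 216, 36])
    return header + question + answer
```

`doh_lookup("www.google.com")` performs the real exchange. One caveat: DoH hides the lookup, but the TLS connection you open afterwards still carries the site’s host name in the clear (the SNI field), so the network operator loses the query log, not every hint of where you went.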

Google Hates HTTP

In an effort to create a more secure web, Google will mark HTTP (unencrypted) websites as “not secure” in the July release of Chrome 68. Google currently down-ranks HTTP sites in search results and has been doing so since 2014. In 2016, HTTP sites started appearing with an “i” inside a circle in the Chrome address bar; clicking on the “i” reveals: “Your connection to this site is not secure.” This latest change is just the next step in an evolutionary process.

For all intents and purposes, this is a good thing. Forcing everyone to encrypt their sites will create a more secure web, but not without some growing pains. For some sites it will be as simple as getting an SSL certificate and life will move on. For others there are hard-coded references to HTTP (scripts, stylesheets, images pulled from http:// URLs) which can break the site or at the very least create a “mixed content” warning when you browse it. Chrome already blocks active mixed content such as scripts and frames outright and drops the green lock for passive mixed content such as images; whether Chrome 68 will go further and mark the whole page “not secure” in that case, I’m not sure.
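Finding those hard-coded references before the switch is mechanical. Here is an added example (not code from the original post) that walks a page’s HTML, separates the http:// sub-resources browsers block outright (scripts, frames, stylesheets) from the ones that merely cost you the lock (images, media), and rewrites references for hosts you have confirmed serve HTTPS. `SAMPLE_HTML` and the host names are constructed.

```python
"""Added example (not from the original post): finding the hard-coded http://
references that turn an HTTPS page into a "mixed content" page. SAMPLE_HTML and
the host names are constructed."""
from html.parser import HTMLParser

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/safe.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="//www.example.com/protocol-relative.png">
<a href="http://partner.example.org/">a plain link is navigation, not mixed content</a>
<iframe src="http://widgets.example.net/embed"></iframe>
</body></html>"""

# Which attribute carries the fetched URL for each element we care about.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


def _is_plain_http(url):
    return bool(url) and url.strip().lower().startswith("http://")


class MixedContentFinder(HTMLParser):
    """Collects http:// sub-resources: 'active' ones browsers block outright,
    'passive' ones merely cost you the lock icon."""

    def __init__(self):
        super().__init__()
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            # Only a stylesheet <link> is fetched as a resource (simplification:
            # icons and preloads are ignored here).
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                return
            url = attrs.get(ACTIVE[tag])
            if _is_plain_http(url):
                self.active.append((tag, url))
        elif tag in PASSIVE:
            url = attrs.get(PASSIVE[tag])
            if _is_plain_http(url):
                self.passive.append((tag, url))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return {"active": parser.active, "passive": parser.passive}


def upgrade_references(html, hosts):
    """Rewrite http://<host> to https://<host> for hosts you have confirmed serve HTTPS."""
    for host in hosts:
        html = html.replace("http://" + host, "https://" + host)
    return html
```

Run `find_mixed_content()` against every template and page on the site, fix the hosts you control, and for third-party hosts confirm they answer on HTTPS before rewriting; a host that does not is a resource you need to replace, not just re-prefix.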

Google Chrome makes up 56% of the market share so even if you’re personally not using Chrome, odds are pretty good that someone visiting your website is a Chrome user.  Regardless of your browser of choice, one way or another, this will impact you if you’re not already using HTTPS.

Situations vary and it’s hard to simply point to one thing and suggest you do it.  At the very least, find out if you’re already using HTTPS.  If not, determine the steps to get your site switched prior to July and put that plan in motion.

In previous times, SSL certificates were costly, and they still are, but Let’s Encrypt is a free alternative that might be a good solution for your site.

Cisco ASA WebVPN Vulnerability

CVE-2018-0101, published on January 29, 2018, describes a vulnerability in the WebVPN (SSL VPN) feature of a line of Cisco products, which can be exploited for Denial of Service (the device reloads) or Remote Code Execution. If you understand these terms you know this is bad, and if you don’t understand these terms you should know this is bad.

The Cisco Adaptive Security Appliance is a fancy firewall and in the world of small businesses, we install firewalls and we forget about them unless something draws our attention to them.  Even worse, because firewalls mostly just work, we may even let their support contracts expire.

Maybe you have one of these installed on your network, maybe you forgot about it, and maybe your support contract has expired.  You might be thinking:

Who will find my firewall?

Shodan.  Shodan is like Google except it finds devices connected to the Internet.  As of this morning, Shodan reports 127,263 Cisco ASA devices around the world, 64,142 Cisco ASA devices in the United States, and 135 Cisco ASA devices in Scottsdale.  The level of detail is dangerously specific.  Coincidentally, the very first Cisco ASA device listed in Scottsdale is managed by an IT company.  I can see the name of the IT provider who registered the GoDaddy SSL certificate, the IP address of the appliance, and the DNS name of the appliance which is registered to a local accounting company.

Why does this matter?

If you don’t know what you’re running, you’re not patching your devices, and you don’t have a support contract, bad actors will find your devices and attempt to exploit them. Without a current Cisco support contract you can’t simply download the fixed software; Cisco’s advisories do say customers without a contract can obtain the fix by contacting the TAC, but that is a slow path and many small businesses never take it.

If you’re running a Cisco ASA, patch it or pull it off the Internet.