Many of us involved in education are using the video-centric service Zoom to connect with students and colleagues. This easy to use and powerful service has become very popularity. However, with this popularity have come legitimate concerns for security issues that have been documented and shared (Google concern, request for FTC probe, NY City schools).
Zoom is attempting to address the problems that have been identified and does indicate that it was not prepared for the heavy use of its service before all issues had been identified. Here is the link to my previous attempt to explain what I know about security measures you can take as a Zoom user.
I fell for a scam this morning. In my defense it was 6 AM, I had not had my coffee yet, and I was in bed working from my iPad. The iPad version of Outlook does not reveal all of the sender’s info unless clicked.
I should have known better and I even thought it strange as I entered the requested information. Why would a university tech person send out a request for important information in the middle of the night? The email was not a work of literary genius. The form looked a little primitive like something I would do to collect information and store it in a database. I filled it out anyway. Afterwards, I clicked on the sender to reveal the address and then decided it was likely a scam. I called tech support (the local folks were not at work yet, but the state system had someone on duty) and verified I was correct.
I changed my password and hope that this will be the end of the problem.
The kid working the overnight shift told me I should not respond to requests for my password. If only human nature included the requirement of careful analysis and lack of trust.
Several posts have indicated that WordPress blogs are being hacked. The approach involves a process of guessing (via a program) at passwords.
Since this approach likely takes many attempts, a practical and easy to implement defense is to install the plugin “Limit login attempts.” Just search for this plugin. The plugin provides some useful info. It works by refusing to accept request from an IP after a specified (by you) number of unsuccessful attempts. It will store this IP and send an email if you like.
This is a follow up to my last post – I hope this scares you. At the time I made the previous past available, I was unwilling to reveal the name of the software I was describing for fear of encouraging the very behavior I was warning users about. However, the number of downloads of this software is approaching 750,000 at this moment and attempting to limit awareness seems pointless.
So, the software that concerns me is a Firefox extension named Firesheep. When used in a setting that provides open wifi, this software captures the cookies associated with certain types of social software and allows the individual capturing these cookies to login to the accounts of sites associated with these cookies. A couple of additional comments. First, this access does not apply when cookies involve https – your banking data appear to be safe. However, some services (e.g., Facebook) use https login, but then send cookies in the clear. So, you cannot be assured that because you see https you are safe. It is not possible to capture cookies sent by every online service, but this may change as the software is upgraded. Finally, firesheep is pretty much a common man’s tool providing the capabilities that hackers already have. That is the point of the developer and I guess each of us will decide what we think of the decision to make public a tool providing this capability to pretty much anyone. The motive is really to force change. Open wifi providers can do certain things (go to WPA protection and offer login info to users). The big online services can also go to https throughout.
What can you do? Here are a few ideas I have picked up. I offer no guarantee. Clearly you could simply avoid public wifi.
I would suggest when using public wifi you consider using Firefox with the following extensions:
Blacksheep – this is an extension that supposedly reveals if someone in your vacinity is using firesheep
HTTPS Everywhere – this extension from the Electronic Frontier Foundation will attempt to force https – provider must have https as a possibility
When I and pretty much anyone else writes about copyright the post usually begins with the statement – I am not a lawyer (even lawyers seem to say this). I am adapting this CYA for this situation to indicate that I am not a hardcore hacker. I can use the tool I describe here to steal cookies, but so can you. I make no pretense of knowing how much I would rely on the suggestions I make. I have tried them using two computers in an open wifi setting and know that they do offer some protection.
I have been trying to decide how to present this without encouraging the behavior I describe here. I have decided not to name the product I describe. Many who follow this blog already know the name of the free download I am describing, but I think I can spread the alarm without adding to the problem.
Be aware that in any location with open wifi, others sitting in the same location can steal cookies sent by your computer to the Internet. Among the different functions a cookie serves, a cookie allows your computer to stay connected to a site that requires a name and password login. You do not have to login for each page you view. However, cookies are basically sent through “the air” and can be captured. I picked up the cookies in the image below in 5 minutes in the coffee shop across the street from my office.
I could click on one of these icons and I login as that person.
What to do?
1) I showed the manager.
2) Be aware of any wifi that does not require you to login. As I understand the situation (via Leo Laporte and This Week in Google), everyone can be given the login name and password for a protected wifi system and no one could do what I have just done. Use WPA encryption. In other words, the name and password can be given to everyone. Hence, Starbucks could use Starbuck and Starbuck and post this information prominently. It is not the password that provides the protection but the way the encryption works to isolate users. I hope this is correct because it would certainly be a practical solution – I listened to the Security Now podcast to verify, but I have also found a little different story online.
3) https is protected, but I would think the danger would be present for those who use the same name and password on other http and https accounts. I am guessing here, but this would seem to be possible.
I have viewed stories regarding measures that may thwart this security problem or at least alert you that someone is running the software within the vicinity. I cannot vouch for these measures. I may post again to reveal more later, but this is obviously a real danger for those of us who frequent coffee shops and other locations with open wifi.
I have been experimenting with an online service called OpenDNS. I must give credit to a Leo Laporte’s podcast for bringing this service to my attention.
Most tech folks are probably familiar with the role played by a DNS server. As I understand the purpose of the DNS server, it functions to translate the web address we enter into the IP of the server. The IP number directs the query to the needed machine.
My understanding of how OpenDNS works is that the DNS server could perform functions between this translation. It could check the request against self selected filter options and tell you that you really don’t want to go to the site you have requested. It could also record information about your Internet use. It might seem that these are sinister functions, but you may want to impose well defined types of filtering on your own activity (e.g., don’t let me go to known phishing sites) and you may be interested in your patterns of Internet use. I am guessing my service provider (the University of North Dakota) at this moment has a record of the activity originating from the IP of the computer I am using anyway. Perhaps the issue is – who do you trust?
The filtering options in OpenDNS are quite specific (phishing is the only one I apply) and may be of interest to institutions/businesses who feel the need to apply filtering. The thing I found most interesting about examining the log of my “activity” was the number of connections I was making to services without my awareness. All of the services my browsers activate without recent purposeful action were there on the list. As far as I know, these were all connections I asked my browser to make by adding plugins and using a wide variety of online interactive services, but it is informative to see just how many different servers you connect to.
The process of making use of OpenDNS is fairly simple. You add the OpenDNS IP as your preferred DNS. You create an account on OpenDNS and set preferences regarding what type of filtering you prefer and whether or not you want to log your activity.
The one thing I worry about is what happens if OpenDNS goes away. It might create one of those weird problems I have so much difficulty trouble shooting. What are the odds that two months from now I will remember that I am using this unique service as my designated DNS. Maybe the operating system just defaults to something else, but probably not unless I maintain multiple DNS listings (it was my impression that my system was skipping OpenDNS when I did this, but I may be wrong). This is one problem with experimenting with so many different tools and services. I simply cannot keep track of what I have done over time. I guess if the feel the need to experiment, the message is? – Back up often and be prepared to reinstall??
I have discussed computer security and open ports in previous posts. I worry about open ports (and so do the university folks of monitor my activities) because I operate servers and must allow for interaction (port 8o for HTML, 22,23 for FTP and 25 for Email). You may have other ports open on your equipment if you do things like share iTunes. I happen to be listening to one of Leo Laport’s podcasts and he was interviewing Steve Gibson. Steve participates from time to time on this program and is a security expert. Steve has a business related to security and storage systems and offers some free resources. Try ShieldsUP! to evaluate the port security of your computers. The link I provide is from the home page and will have to navigate from this page to the ShieldsUp! page (expect some ads and product pitches). What you are looking for is a site that will evaluate the port security on your machine. This is good information.
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
You must be logged in to post a comment.