Ohio Section Journal – The Technical Coordinator – October 2020 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has set up. You do not need to be a member of the ARRL, Ohio Section, or even a ham to join the mailing list. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and log on.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

October is associated with a number of things: apple cider, fall weather, foliage displays, pumpkins, and Halloween costumes. One thing that might be gruesome, like some Halloween costumes, is most people’s cyber hygiene. Cyber hygiene relates to practices and precautions users take to keep their data safe and secure from outside attacks. October, in addition to the above, is Cybersecurity Awareness Month. It is a way to raise awareness about the importance of cybersecurity and give everyone resources to be more secure online.

uBlock Origin on mlb.com

First up, web browser. This is the portal and gateway to modern computing. A browser should be current, supported, and regularly updated. Current web browsers are ones like Chrome, Firefox, Microsoft Edge, and Opera. These are constantly being updated to support newer technologies, protect users, and eliminate known vulnerabilities. Don’t use a camera, microphone, or other accessories during browsing interactions? Disable access to them in the browser’s options. I’m not sure the last time I used a MIDI interface. Disabling it hasn’t affected my browsing in Chrome.

Browser extensions (or plugins): Limit the number of installed extensions and make sure they are also current and being updated. The one extension I have on every browser I use, including at work, is uBlock Origin. It is an excellent ad-blocker and does it very effectively. Additional features include the ability to block other sources of vulnerabilities, such as scripts, large media items like videos, and known bad domains. A lot of people love NoScript. It’s even better, security-wise, than uBlock Origin. However, like everything in security, there are tradeoffs. NoScript does what it says: it blocks scripts like JavaScript because they are a major source of security problems. This is great in principle but it basically breaks every site on the Internet. Whitelisting necessary scripts to make a trusted site work, I think, is more effort than it’s worth. Choose the better option for you. For me, it’s uBlock.

Another good browser extension is HTTPS Everywhere. When a site is loaded over an unsecure connection, this extension upgrades it to a secure connection if one is available. Most servers configured by capable admins are now serving up HTTPS by default and redirecting HTTP connections to HTTPS. Finally, PrivacyBadger is good at blocking third-party tracking and browser fingerprinting. Browser fingerprinting is the ability for a site to interrogate the browser about the system it is running on. For example, which browser, is it accepting cookies, plugins installed, time zone, screen size and color depth, system fonts, language, OS and platform, touch device, and device memory. PrivacyBadger blocks sites from accessing many of these properties.

Bad sites: In August, I talked about the Pi-Hole security device. This device provides similar blocking to uBlock Origin but at the network level. Any browser plugins only add protection to sessions in that browser. They don’t block tracking, malware, or ads in other applications running on the PC. They don’t offer protection for any other device on the network such as phones, tablets, streaming, surveillance, and “smart” devices. That is where Pi-Hole comes in by blocking known bad domains at the network level. It will keep ads off smart TVs and Rokus, and keep digital footprints to a minimum. A caveat: devices using hardcoded DNS servers (usually IoT, DNS over HTTPS) will bypass any Pi-Hole filtering. Routers that can perform NAT Redirection can re-route requests to Pi-Hole and block DoH.

If you don’t want to add a device like Pi-Hole, changing DNS servers in a home router will offer more protection. I recommend OpenDNS as a security focused DNS service. OpenDNS is free to use and enabled by simply setting Primary DNS and Secondary DNS to these IPs: 208.67.222.222 & 208.67.220.220 – does not matter which goes into primary/secondary. They do offer paid services which can categorically block sites and do require a little more setup. Another good DNS filtering service is “Quad 9” or 9.9.9.9 as the DNS server. These services block access to known infected sites made through DNS requests.

Password managers: sites do a relatively poor job of securing their user and password databases. On the other hand, users do a poor job of choosing strong passwords. We know this because of sites like Have I Been Pwned (pronounced “owned”) which search stolen password databases for associated Email addresses. Showing as ‘pwned’ on that site indicates the Email address was found in a database breach. Searching an old Email address of mine found two services I did not recognize. I suspect the data changed hands through company acquisition but, more likely, my information was sold to the highest bidder.

KeePass main window (keepass.info)

Lists are published of the most commonly used passwords from these breaches. Many are even easy to guess like 123456, password, qwerty, dragon, baseball, monkey, and letmein. A password manager will generate strong passwords and remember them so you don’t have to. In general, if you can remember passwords for services, you’re doing it wrong. It’s good to know the password for logging on to the computer and the password for your password manager. That’s about it anymore. Being able to remember passwords means they’re probably easy to guess. 55@[hg@owtWF(6eDOXR0 – is not an easy to guess password, has lots of entropy, and would take around 1.15 thousand trillion trillion centuries to guess using one thousand guesses per second.

LastPass & KeePass will do the job of creating strong passwords and remembering (saving) them. Both of these password managers are considered best-of-breed because of their features, history of responding to issues quickly, and constantly squashing bugs. Other password managers do not have this reputation and most don’t offer adequate protection from attacks. LastPass is an online service. They have a free option but useful features will be found in the $3/month for single user and $4/mo. for families. If you don’t trust “the cloud” or want to manage your own password database(s) offline, KeePass is what you want.

Both have the ability to generate, store passwords, and save notes associated with an account. Largely they’re both available on multiple platforms in multiple browsers. LastPass apps tightly integrate many device types with their service. KeePass relies largely on the community to implement addons and create apps for platforms like Android. LastPass has nice features allowing sharing among family members or sharing banking credentials with a spouse. Another feature I like in LastPass is the ‘dark web’ monitoring and alerting for breached credentials. These alerts let you know it’s time to change that password. To retrieve stored usernames and passwords from a password manager, they’re copied and pasted from the app or automatically filled into a webpage using a browser extension.

LastPass interface (lastpass.com)

Both services require some sort of master password which MUST be remembered. LastPass gets its name from the password used to access their service as the ‘last password’ you’ll ever need. An easy way to generate such a password would be to find a famous speech, song, or lines from a movie. Take the first letter of each word, throw in some numbers, and voila! Strong master password. This method will create a password that is hard to crack but easy for you to remember. As an example, take the first line of the Gettysburg Address:

Four score and seven years ago our fathers brought forth upon this continent, a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal.

Taking the first character of each word: Fsasyaofbfutc – even to the first comma is 14 characters and already on its way to being very strong. Get creative, maybe take the second or third letter of every word. Throw in some random capitalization. Then add maybe parts of an old phone number, an old address, old work address, old dorm room number, kids’ ages, etc. Then it becomes: FsasyaOfbfuTC219419216 – all of a sudden you have a password that takes 8.75 hundred trillion trillion centuries to guess. Sure, you’ll want to write down this password until it’s memorized. Destroy the written copy after it’s definitely committed to memory.
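The guess-time figures quoted for the random password and for the Gettysburg-derived master password can be reproduced with a short calculation. This is an added example, not code from the article: it assumes an exhaustive search over every string up to the password's length, drawn from the character classes the password uses (95 printable ASCII characters in total), 365-day years, and the article's rate of one thousand guesses per second. The function names are chosen for this example.

```python
import string

# Common breached passwords named in the article; a guesser tries these first.
COMMON = {"123456", "password", "qwerty", "dragon", "baseball", "monkey", "letmein"}

GUESSES_PER_SECOND = 1_000                    # the article's guessing rate
SECONDS_PER_CENTURY = 100 * 365 * 24 * 3600   # assumption: 365-day years

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def alphabet_size(password):
    """Size of the character set an exhaustive search has to cover."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if any(ch not in string.ascii_letters + string.digits for ch in password):
        size += 33  # assumption: 32 ASCII punctuation marks plus space
    return size


def search_space(password):
    """Number of strings of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def centuries_to_exhaust(password):
    """Worst-case centuries to try every candidate; 0 if on the common list."""
    if password.lower() in COMMON:
        return 0.0  # dictionary hit: length and character mix do not matter
    return search_space(password) / GUESSES_PER_SECOND / SECONDS_PER_CENTURY


if __name__ == "__main__":
    for pw in ("letmein", "FsasyaOfbfuTC219419216", "55@[hg@owtWF(6eDOXR0"):
        print(f"{pw:24} alphabet={alphabet_size(pw):2} "
              f"centuries={centuries_to_exhaust(pw):.3g}")
```

The result is a ceiling that only holds for passwords a guesser has to brute-force; anything on a breach list falls in the first few guesses regardless of length.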

All this assumes there is no monitoring of the computer or device, no key logging, no intercepting communications, no monitoring the clipboard, etc. The strongest password does no good if it’s used on a compromised machine or used over an unsecure communication channel such as HTTP, FTP, or Telnet – which all use plain-text passwords.

Google Authenticator (play.google.com)

Should there be a situation where you can’t create a completely random password in a password manager or want to use a password that can be more easily remembered in certain situations (not your master password, that would be bad practice), use the xkpasswd generator. Inspired by an XKCD comic, it uses a method of random numbers and common words to create memorable passwords. The example they give: correcthorsebatterystaple – correct, horse, battery, staple.

The last practice I’ll mention this time around is to use multifactor authentication. This is also commonly referred to as 2-factor authentication (2FA) or MFA. MFA uses more than one authentication method to validate identity, usually consisting of something you know, a password, and something you have – a phone app or hardware token. This approach is an additional layer of authentication with the hope that miscreants don’t have access to one or more of those authentication methods. Good multifactor auth changes or rotates every time it’s used or changes after a set amount of time. Modern multifactor technology has been around for more than 15 years. Many companies are rapidly adopting it for all employees because they see value and it has proven to be a good way of keeping miscreants out of their systems. More and more services are adding two factor authentication.

Multi-factor works like this: go to site-I-login-to[dot]com and enter your username and password. Usually after clicking log on, you are presented with a multi-factor prompt. It consists of a pin that rotates frequently, clicking ‘approve’ in a mobile app, hitting a button on a hardware token, or being sent a unique code via SMS text or Email to enter into the site. A lot of services use SMS text messages and Emails. Those two should not be the primary multi-factor validation. SMS messages can be intercepted by miscreants who could have hijacked or cloned the SIM card from the carrier. If they have your password and hijacked SIM card, they might as well be you. Email is readily accessible to organizations hosting the mail server and often transmitted on the wire in the clear – though progress is being made to encrypt email messages in transit.

I like TOTP (time-based one-time password) solutions such as Google Authenticator on a phone or tablet. The password manager database is on the computer or in the cloud. The app lives on the phone, separate from the database. TOTP is an open standard, supported in nearly all services that offer multi-factor auth, doesn’t need a data connection, and isn’t stored anywhere except in a protected database on the phone. These passwords change every 30 seconds and are 6 digits long. In the case where a phone might get lost, there are “recovery” tokens that are generated at the time TOTP is configured. Where should the recovery tokens be stored? They can be printed and stored in a safe, or use your new password manager to secure them!
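How the 6-digit, 30-second codes are derived, as an added example that is not from the original article: a small RFC 6238 TOTP (HMAC-SHA1) generator with the check a service performs at login. The secret is the test key published in RFC 6238, and the function names and the one-step drift window are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as in the article
DIGITS = 6   # code length, as in the article


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, max(0, int(now) // STEP))


def verify(secret: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP)
        # compare_digest avoids leaking how many digits matched through timing
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


# Constructed sample: the RFC 6238 test key ("12345678901234567890"),
# Base32-encoded the way an enrollment QR code carries the shared secret.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    import time
    print("code for the current 30-second step:", totp(SECRET, time.time()))
    print("RFC 6238 vector at t=59:", totp(SECRET, 59))
```

The phone and the service each compute the code from the shared secret and their own clock, which is why the app needs no data connection.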

Scrap Value of a Hacked PC (krebsonsecurity.com)

It’s a couple years old, but Krebs on Security’s Scrap Value of a Hacked PC takes a look at all the things miscreants could do with information learned from a compromised machine. Things like hostage attacks through ransomware (encrypt files and demand payment to decrypt) and reputation hijacking of the social medias or credit scores. Brian’s site is also entertaining reading for taking a peek into the ‘dark web’ on things criminals do with stolen data and credit cards. Other useful security tools are Security Planner which walks you through creating a customized security plan based on interests and goals. PrivacyTools provides tools and knowledge for protection against mass surveillance. These steps and suggestions from known good resources will greatly improve your cyber hygiene for Cybersecurity Awareness Month.

Thanks for reading and 73… de Jeff – K8JTK