
Ohio Section Journal – The Technical Coordinator – February 2020 edition

One of the responsibilities of the Technical Coordinator in the Ohio Section is to submit something for the Section Journal. The Section Journal covers Amateur Radio related things happening in and around the ARRL Ohio Section. It is published by the Section Manager Scott – N8SY and articles are submitted by cabinet members.

Once my article is published in the Journal, I will also make it available on my site with a link to the published edition.

You can receive the Journal and other Ohio Section news by joining the mailing list Scott has set up. You do not need to be a member of the ARRL, the Ohio Section, or even a ham to join. Please sign up!

If you are an ARRL member and reside in the Ohio Section, update your mailing preferences to receive Ohio Section news in your inbox. Those residing outside the section will need to use the mailing list link above.
Updating your ARRL profile will deliver news from the section where you reside (if the leadership chooses to use this method).
Go to www.arrl.org and logon.
Click Edit your Profile.
You will be taken to the Edit Your Profile page. On the first tab Edit Info, verify your Email address is correct.
Click the Edit Email Subscriptions tab.
Check the News and information from your Division Director and Section Manager box.
Click Save.

Now without further ado…


Read the full edition at:

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

Well. Windows 7 reached end-of-life on January 14, 2020. Systems didn’t melt down. The Internet is still running. The world didn’t end. Reaching “end of life” in IT terms means the vendor no longer supports the software (or hardware, in other cases): no security updates, no bug fixes. End-of-life (often abbreviated “EOL”) also implies there is a newer version that is still supported for those things, as opposed to the developer throwing in the towel or the company going out of business, where updates stop for other reasons. Windows 7 was my favorite version of Windows: the look and feel were nice, it functionally made sense, and it was fast. The reality is that computers running Windows 7 will continue to work as they always have, but start considering alternatives.

No: Windows 7 will not stop working, you don’t need to run out and buy a Windows 10 computer, your files won’t be removed, past Windows 7 updates won’t be pulled from Windows Update, ISPs won’t disconnect you from the Internet for using Windows 7, caches of Windows 7 exploits will not be unleashed.

As with all past Microsoft operating systems, the patches and updates released during Windows 7’s lifetime will remain available on Microsoft’s website and through the Windows Update service; an install of Windows 2000, for example, can still receive every update that was released before it went EOL. What will not arrive are updates for newer encryption standards, newer hardware, or newly discovered exploits in the OS. One thing to note about Windows 7 is that the update process itself changed during its lifetime: since 2019 Microsoft has signed Windows 7 updates only with SHA-2, so a fresh Windows 7 SP1 install must first get the SHA-2 code-signing support update (KB4474419) and a current servicing stack update before Windows Update will offer it anything else. Expect problems updating a fresh install through the regular Windows Update process until those are in place.

Your ISP won’t disconnect you for using older versions of Windows. The company you work for will most likely update your machine if it hasn’t been done already. This depends on license and support agreements with Microsoft or reseller. Most companies actively replace equipment to comply with those agreements, replace depreciated assets, and keep equipment current as a way to mitigate exploits that propagate through older operating system configurations.

Yes: you need to stop using Internet Explorer, you can still get the free upgrade from Windows 7 to Windows 10 (for now), you can dismiss the full page Windows 10 update nag screen, you need to patch Windows 7, extended patches from Microsoft are available for a fee, there are third-party alternative patching systems; software, devices, and browsers will continue to work, most programs will still support Windows 7 – at least in the short term.

For the love of all that is holy, stop. using. Internet Explorer. Not only is it riddled with bugs and security flaws, Microsoft keeps flailing around with web standards, even in Microsoft Edge, which is never a good sign. Chrome is the market leader by a wide margin, and it checks the sites you visit against Google’s Safe Browsing lists to warn about or block known malicious pages. However, if you’re not a fan of “the Goog” knowing everything you view on the Internet, or of heavy-handed implementations in the name of security, the alternatives are Firefox, the favorite of Linux users; the privacy-focused Brave browser; or Opera if you want to be a one-percenter.

Microsoft offers extended security updates for Windows 7 (for a fee), aimed at corporate customers. Consumers can get in on the action, but Microsoft makes it very complicated. Third-party patching is available from companies such as 0patch, which delivers small “micropatches” applied in memory to running programs rather than replacing Microsoft’s files. The service is free for personal use and non-profit educational use, and it has good reviews and many recommendations. Using such a service requires a certain level of trust: you are handing responsibility for fixing complex programs to a third party. Then again, we all know Microsoft has NEVER had problems getting its own updates right.

Early Windows 10 free-upgrade notification, designed to trick the user into installing software they didn’t want; spyware authors use similar tactics.

The nag screen that recently started (re)appearing for Windows 7 users, reminding them to upgrade, can be dismissed. Click the text that says “Don’t remind me again,” and it actually seems to work, as opposed to the weird mind games played during the initial push after Windows 10 launched. Displaying the message raised awareness and reminded users of the impending DOOM of end-of-life. Continuing to offer the free upgrade is an incentive to move users to a supported OS. Netmarketshare shows Windows 7 usage still around 25-30%, so roughly one in four to one in three computers still runs it.

I was contacted by Jeff – KA8SBI who felt there was a lot of F.U.D. about Windows 7 EOL in the media and he is content using his Windows XP machine. He pointed out “A lot of security flaws have been in the browser.” A small number of browsers still support XP. Anti-malware and anti-virus programs still offer older operating system support as well.

Here’s the argument against running old and outdated crap on the Internet. I am of the school of thought that if you’re connecting any device to a larger network (i.e. the Internet), that device (computer, Raspberry Pi, router, switch, server, security camera, TV, printer, DVR, repeater, hotspot, phone, car) must run a currently supported operating system and software. It is each user’s responsibility to be a good citizen of the network, follow best practices, and not act as a conduit for spreading malware and exploits. The most effective way to do this is by keeping devices updated and current.

The argument can be made that ‘manufacturers force consumers to buy new devices by not providing any updates.’ Everyone wants their stuff cheap, and buying cheap crap leads to these problems. Manufacturers barely break even on most devices, let alone have anything left over for updates beyond the initial release. Consumers also want to use the device well beyond its serviceable life. A report released by the Commerce Department outlined things manufacturers should do to reduce the number of attacks. It made some good points but was mostly vague [updated link for the report].

Jeff’s point that third-party anti-virus and anti-malware programs still support XP is valid, and they will help. I stopped using third-party anti-virus, and don’t recommend it, because several were found to intercept encrypted (TLS) sessions in order to inspect them and, in doing so, downgraded the security of those sessions: the ones established for financial transactions, for dealing with health care providers, and really for almost all Internet communication today.

Remember, though, nothing is ever 100% secure. “Secure” just means there are no known vulnerabilities, until a researcher or attacker finds one. To Jeff’s point about flaws being in the browser: the ones in the underlying operating system and supporting technology, including the OS kernel, the .NET Framework, Office, database engines, media players, and image and graphics libraries, matter just as much. Every version since Windows XP is built on the same Windows NT code base, which is why a vulnerability often applies across all versions of Windows: it is the same underlying code. Search for stories about important Windows patches and you will often find wording like ‘affects all versions of Windows.’ Some flaws were deemed so bad that Microsoft went back and patched EOL versions, XP included. That does not mean the other, unpatched flaws are gone just because there is no patch for them. Microsoft is not spending resources on a nearly 19-year-old piece of technology. Unpatched issues still make a system vulnerable and less secure overall.

Ransomware is malware that encrypts the files of importance on a system: downloads, programs, documents, PDFs, spreadsheets, pictures, movies, intellectual property, databases, or public records, on local and network-attached storage alike. Encryption renders these files unreadable and unusable. The malware then demands a ransom payment for the decryption key that restores the files to a usable state. Ransomware is lucrative for the bad guys because few victims have effective backups, kept offline or otherwise out of reach of the same malware. Companies, schools, health care, manufacturing, oil and gas, infrastructure, and municipalities have all been infected and often pay the ransom. It is an economic trade-off between how much the bad guys are demanding and the time and effort it would take to restore their systems. Do a search for “ransomware attack” in your favorite search engine and browse the stories to get an idea of the scope and effectiveness of ransomware.

One thing that gave me pause about the ransomware attack on the Georgia Department of Public Safety was a comment that communication systems were affected. Believe it or not, their old radio system was still functional. This got me thinking about the radio system that covers the state of Ohio, or regional systems, and how easily they could be taken offline by this type of attack. I have no knowledge of any instance where these systems were involved in such an attack; this is purely theoretical. As the news story shows, it’s realistic to believe these attacks can take down a state-of-the-art radio communications system. It could come from a targeted attack, a single computer where someone clicked a malicious link, someone opening an infected attachment in a dispatch center, or even an infected authorized vendor or reseller of radio equipment for the system. Target, anyone? It was a compromised HVAC vendor’s access that led to Target’s massive credit card breach. How many public service agencies still have their old analog communication systems functional to fall back on if something like this took place?

Ransomware has spread through the EternalBlue exploit (WannaCry and NotPetya in 2017 are the best-known cases), and the wormable BlueKeep flaw in Remote Desktop, patched in May 2019 (again back to XP), is the kind of hole the next one could use. EternalBlue attacks a bug in Microsoft’s implementation of SMBv1 (Server Message Block, the protocol used for sharing files, printers, and devices between hosts on a network), and the flawed code is shared by every version of Windows from XP through Windows 10 and Server 2016 (see?). Microsoft issued the fix (MS17-010) for supported versions in March 2017 and for XP and Server 2003 after WannaCry hit, even though they are EOL. Windows 95, 98, NT, and 2000 were never patched and won’t be, so the only safe assumption is that their SMB code remains exploitable no matter how fully patched they otherwise are. On any version, two cheap mitigations apply: disable SMBv1 unless you must talk to very old devices (Windows 7 uses SMBv2 for its own file sharing), and never expose TCP port 445 or 3389 to the Internet.

Impending DOOM

I will keep using Windows 7 in the shack and as my virtual machine OS when I need a Windows VM. It will get replaced eventually, probably because of a loss of functionality, or loss of application or hardware support for a program or device I want to use. Firefox was noted for supporting older operating systems; however, after 3 years of extended XP support, Firefox dropped it due to low usage and the significant development time being spent working around issues in the operating system instead of providing enhancements on supported platforms. Sooner rather than later, Windows 7 support will be dropped in favor of more recent, supported platforms.

You don’t have to jump ship on Windows 7 now unless there is a specific reason. Maybe a new computer purchase is imminent, and it will come with Windows 10. Or, if you’d like to keep using the old machine, consider a move to a supported version of Linux!

Windows 7 is dead, long live Windows 7!

2020 ARRL Great Lakes Convention

The Great Lakes Division Convention and Hamfest 2020 sponsored by the Toledo Mobile Radio Association will be here soon. It is a two-day event with ARRL Great Lakes Convention Forums on Saturday, March 14, 2020 followed by the Toledo Hamfest on the 15th. I’ve been asked to give two presentations back-to-back on Saturday. Tentatively, the first on the Raspberry Pi and how it became a popular device with makers followed by NBEMS philosophy. I’m very proud of both presentations. The NBEMS philosophy has been presented as training in the Ohio Section and adopted by other ARES groups in other Sections. Details, locations, times, and tickets are all available on the convention’s website. Hope to see you there!

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – July 2018 edition

Read the full edition at: http://arrl-ohio.org/news/2018/OSJ-Jul-18.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

Around the time of Dayton, the FBI asked everyone to reboot their routers. Why would they do that? Over the last two years more than 500,000 consumer and small business routers in 54 countries have become infected with a piece of malware called “VPNFilter.” This sophisticated malware is thought to be the work of a government and somewhat targeted with many of the infected routers located in Ukraine.

Src: Cisco’s Talos Intelligence Group Blog

Security researchers are still trying to determine what exactly VPNFilter was built to do. So far, it is known to eavesdrop on Internet traffic passing through the router, grabbing logon credentials and looking for specific kinds of traffic such as Modbus, a protocol used by SCADA systems that control power plants, chemical plants, and industrial equipment. On command, it can “brick” the infected device. Bricking means rendering the device completely unusable, about as useful as a brick.

In addition to these threats, the malware survives a reboot. Wait, didn’t the FBI ask all of us to reboot our routers? Won’t that clear the infection? Only partly. VPNFilter is built in stages. The first stage is small, persists through reboots, and exists only to find the address of its command-and-control server. The second and third stages, which do the actual eavesdropping, credential theft, and bricking, live only in memory: a reboot wipes them, after which the first stage tries to download them again. A command-and-control server issues commands to all infected devices, thus being “controlled.” C&C, as they are often abbreviated, gives the bad guys in control a lot of flexibility. Infected devices can remain dormant for months or years. Then the owner can issue commands to ‘wake up’ the infected devices (collectively called a botnet) and perform the intended tasks. Tasks can range from attacking a site, such as the attack on the DNS provider Dyn that I wrote about in November of 2016, to stealing logon credentials from users connected to the infected router. Back to the question: the FBI seized the domain (toknowall.com) that the first stage used to locate its C&C server. When an infected router is rebooted, the surviving first stage reaches out for its orders and instead contacts a server controlled by the FBI. That lets the FBI count and locate infected devices and, for the moment, denies the later stages their download. It does not remove the first stage. Rebooting alone will not neutralize the infection.

Affected devices include various routers from Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE, as well as QNAP network-attached storage (NAS) devices. There is no easy way to tell whether your router is infected; if yours is on that list, assume it is. As if that weren’t bad enough, many manufacturers have no firmware update for the problem. Those that did fix the underlying flaws did so years ago, and since almost no one patches their router, half a million devices were still exposed.
First, gather the make, model, and current firmware version of your router (usually shown on a status page in its web interface). Then check the manufacturer’s announcements for affected firmware versions or preventative steps. The only known way to clear the infection is to disconnect the router from the Internet, factory-reset it, upgrade the firmware (if one is available), set a new administrator password rather than keeping the default, and reconfigure it for your network. Or simply throw it away.

If those last couple words strike fear into your heart, there are a couple options:

  • See if your ISP has a device they will send or install for you. It can be reasonably assumed that devices provided or leased by the ISP will be updated by the ISP.
  • Find someone in your club who knows at least the basics of networking to help reconfigure things.
  • Many newly purchased devices come with some sort of support to get you up and running

If you’re a little more advanced and want to learn more about networking:

  • Use 3rd-party firmware. These projects are often maintained by enthusiasts, are updated LONG past when the manufacturer stops supporting the product, and fixes often land quickly. At the time of writing, routers running them were not showing signs of being vulnerable to VPNFilter or other infections. Examples: OpenWrt/LEDE, DD-WRT, or FreshTomato.
  • A Linux box could be set up with the packages needed to act as a router, or run a dedicated firewall distribution such as pfSense or OPNsense (both FreeBSD-based).
  • Another great device is the Ubiquiti EdgeRouter-X, about $49.
  • Check the “Comparison of Firewalls” list for other ideas.

That $5 hamfest deal isn’t sounding so great anymore. It’s the law of economics for these companies too. $10, $30, or $100 for a device isn’t going to sustain programmers’ time to find, fix, troubleshoot, test, and release firmware updates for a 7-year-old device. It’s a struggle. I think it will come down to spending more on better devices that are supported longer, or spending $50-$100 every 3-5 years to replace an OK one.

The Department of Commerce released a report on the threat of botnets and steps manufacturers could take to reduce the number of automated attacks. It hits a number of good points but lacks many details. “Awareness and education are needed.” Whose responsibility is it to educate? I can write articles in the OSJ, but I’m not going to be able to visit everyone’s house and determine whether your devices are infected. “Products should be secured during all stages of the lifecycle.” Automated updates could take care of this, but that doesn’t address the what-ifs. What if the update fails or, worse yet, bricks your “Smart” TV? Who is going to fix or replace it? Will it be fixed if it’s out of warranty? Not to mention that operating system “updates” come bundled with more privacy violations and ways to monetize users.

There’s a lot of work to be done. I wish I had the answers. Regardless, we all need to be good stewards of the Internet making sure ALL attached devices are updated and current.

More technical details on VPNFilter and citation for this article: https://www.schneier.com/blog/archives/2018/06/router_vulnerab.html
https://blog.talosintelligence.com/2018/05/VPNFilter.html

Finally this month, thank you to all the clubs and groups that sent messages to this station via WinLink or NTS over Field Day weekend. It was the most I’ve ever received, about 12 – 15 messages altogether.

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – January 2018 edition

Read the full edition at: http://arrl-ohio.org/news/2018/OSJ-Jan-18.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

So nothing really tech news related happened this month. Eh, not so much. The New Year brought two major flaws in nearly every modern microprocessor: Meltdown and Spectre.

In the past, major security issues could usually be corrected through software or firmware updates, because almost everything today is driven by some amount of software that can be replaced. Design flaws in hardware are harder to fix because the problem is fundamental to the design of the device itself.

Description from Meltdownattack.com:

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

Meltdown affects nearly all Intel microprocessors manufactured since 1995. In modern computing, an operating system “kernel” handles all interactions between applications (web browser, word processing, spreadsheets) and hardware (CPU, memory, network, USB devices). By its nature, the kernel must know everything about system interactions.

CPUs have different operating modes. Two apply to Meltdown: privileged (called kernel mode) and unprivileged (user mode). Kernel mode has access to everything, while instructions executed in user mode must not be able to read the kernel’s memory.

Meltdown is the demonstration of an unauthorized user-mode process reading kernel-mode memory, which on most systems includes a mapping of all physical memory. This means a user process can read information it has no permission to see. Think of systems that share hardware among many users, like an online cloud service. Isolation is one of the major selling points of the cloud: multiple customers use the same physical hardware without impacting or knowing anything about each other. A malicious process could use Meltdown to read the data of other people’s applications running on the same machine.

Spectre affects nearly all microprocessors that implement speculative execution and branch prediction. In an effort to make systems run faster, a huge amount of speculation is engineered into processors. Speculation is the processor’s answer to the question: what is most likely to happen next with this set of instructions? “Guessing” the right answer provides a massive performance boost, and we all want fast systems. To explain one part of this vulnerability, consider two math equations given to a microprocessor:

a + b = c
d + e = f

The processor will recognize calculation of the second equation does not depend on anything from the first equation. This means the processor will execute these equations simultaneously until it reaches a common dependency. That dependency would be something like:

a + b = c
(d + e) * c = g

The answer c is used as an input into the computation of the second equation. Running this set through the processor would be slower because they couldn’t be calculated simultaneously. An input into the second equation is dependent on the answer to the first.

Using the same equations, let’s assume for everyone in the Ohio section, the answer to c = 5. A programmer could write an instruction set following that calculation to say: if c = 5 then take fork #1, otherwise take fork #2. How do humans know which fork to take? Calculate the value of c. However, processors try to use “speculative execution” to perform the work of both forks before it knows the answer to c.

Let’s add super-secret data to fork #1: “the Ohio Section IS the best section.” We don’t want fork #2 to know anything about that data, because it might be someone from another section trying to break in. The processor executes instructions from the likely fork before the outcome is known; if it guessed wrong, it throws the results away. The catch is that the discarded work leaves traces behind: the data it touched has been pulled into the processor’s cache, and by timing how long later memory accesses take, code on the other fork can work out what the secret fork read. The secret is never handed over directly; it leaks through the side effects of work the processor officially never did. Consider a malicious smartphone application taking advantage of this to read text messages, instant messages, mobile banking data, or critical documents.
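The fork #1 / fork #2 story above is Spectre variant 1, the “bounds check bypass.” Below is an added example, not code from this article or from the Meltdown/Spectre researchers, written to show what the vulnerable pattern looks like in C and the defence the Linux kernel adopted for it (array_index_mask_nospec, reproduced here under the same name). The memory layout, the memory and probe buffers, and the victim_* and spec_read_* functions are constructed for the demonstration. The timing side channel a real attacker needs to read the cache afterwards is not included; the spec_read_* functions instead model which byte each gadget would touch if the branch predictor guessed wrong.

```c
/* Added example, not code from the OSJ article: the shape of a Spectre
 * variant-1 ("bounds check bypass") gadget beside the index-masking
 * defence the Linux kernel adopted (array_index_mask_nospec). The data
 * below is constructed so that an out-of-range index into the public
 * bytes lands in the secret that follows them. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CACHE_LINE 64
#define PUBLIC_LEN 16

/* Constructed memory: 16 public bytes followed immediately by a secret. */
static const uint8_t memory[] = "ABCDEFGHIJKLMNOP" "Ohio Section IS the best";

/* Probe buffer: one cache line per possible byte value. A real attacker
 * would time accesses to it afterwards (FLUSH+RELOAD) to see which line
 * the speculative load pulled in. That timing side is not shown here. */
static uint8_t probe[256 * CACHE_LINE];

/* All-ones when index < size, all-zeros otherwise, computed by arithmetic
 * rather than a branch, so it holds even while the CPU is speculating
 * past a mispredicted bounds check. The signed right shift relies on the
 * arithmetic-shift behaviour of GCC/Clang/MSVC, as the kernel version does. */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
    __asm__ volatile("" : "+r"(index)); /* keep the compiler from folding the mask away */
#endif
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1));
}

/* Vulnerable gadget. Architecturally it never reads past PUBLIC_LEN, but
 * once the branch predictor has been trained on in-range x, an
 * out-of-range x runs the body speculatively: memory[x] is then a secret
 * byte, and it selects which line of probe[] gets loaded into cache. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < PUBLIC_LEN) {
        uint8_t v = memory[x];
        return probe[v * CACHE_LINE] | v; /* probe[] is all zero, so this yields v */
    }
    return 0;
}

/* Hardened gadget: the index is forced to zero when out of range by data
 * flow, not control flow, so the speculative path reads memory[0] at worst. */
uint8_t victim_hardened(size_t x)
{
    if (x < PUBLIC_LEN) {
        x &= array_index_mask_nospec(x, PUBLIC_LEN);
        uint8_t v = memory[x];
        return probe[v * CACHE_LINE] | v;
    }
    return 0;
}

/* What each gadget's body would read if the branch were mispredicted,
 * i.e. with the check skipped. This models the speculative data flow so
 * it can be checked without a timing side channel. */
uint8_t spec_read_vulnerable(size_t x) { return memory[x]; }
uint8_t spec_read_hardened(size_t x)   { return memory[x & array_index_mask_nospec(x, PUBLIC_LEN)]; }

int main(void)
{
    size_t secret_idx = PUBLIC_LEN; /* first byte past the public data */
    printf("architectural result, both gadgets: %u %u\n",
           victim_vulnerable(secret_idx), victim_hardened(secret_idx));
    printf("byte touched under misprediction: vulnerable='%c' hardened='%c'\n",
           spec_read_vulnerable(secret_idx), spec_read_hardened(secret_idx));
    return 0;
}
```

Compile with any C compiler and run. The architectural results are identical for both gadgets, which is exactly why this class of bug is invisible to ordinary testing; only the byte touched under misprediction differs. The point of the mask is that it is data rather than a branch, so the processor cannot speculate its way past it.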

The lengthy process of dealing with these issues has begun. The only way to truly “fix” these problems is to design new CPUs architectures and replace existing ones. Yeah, sure. Remember, these issues are fundamental to processor design. If these flaws are ever corrected, it will be over a period of time – not tomorrow, next week, or even next year. In the meantime, operating systems are implementing methods to prevent attacks.

In the rush to get these fixes out, as one might expect, more problems are being caused. Microsoft has reported issues with anti-virus applications not playing nice, and claimed AMD’s documentation was incomplete. Ubuntu 16.04 users had issues that forced them to roll back the kernel. On top of all this, processor performance is impacted: testing of the operating system patches shows slowdowns of 2% to 30%. A forum post on Epic Games included a graph showing CPU usage of three cloud servers. After their cloud provider patched one server at about 23:00, CPU utilization of that server increased nearly 2.5x over the other two. Though the CPU wasn’t maxed out, it was enough to cause service disruption. Gamers really don’t like it when their services don’t work.

For most users: stay current with system patches and updates. In particular, Microsoft is requiring anti-virus programs to set a registry value (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat) before Windows will apply system updates. As of this writing, if you do not run an anti-virus application, or run one that is out of date or non-compliant, your system will NOT receive any future Windows updates, including the patches for Meltdown and Spectre. If you run no third-party product, the free Microsoft Security Essentials is available for Windows 7, and Windows Defender is included in Windows 8, 8.1, and 10.

Bruce Schneier, a well-known cryptographer and security researcher states: “… more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.” Link to his blog post.

More information:

https://meltdownattack.com/ – research papers, technical information, FAQ, videos in action, and info from companies affected.

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

Thanks for reading and 73… de Jeff – K8JTK

Ohio Section Journal – The Technical Coordinator – October 2017 edition

Read the full edition at: http://arrl-ohio.org/news/OSJ-October-17.pdf

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

October is National Cyber Security Awareness Month. I either made your eyes roll because security can be complicated or piqued your interest because of the TWO Equifax breaches. I can certainly get into the weeds with data and cybersecurity because it’s an interest of mine – as a user and programmer. Realizing that most readers won’t have a background in programming or system administration, I’ll set aside the technical details. I’ll briefly cover some cybersecurity issues and give tips anyone reading this article can use.

The whole concept of computing is built on trust. The list of things we trust is infinitely long: trust programmers of the operating system and program developers are following good practices. Trust the company stands behind their product, fixing problems and issues. Trust “Information Security Officers” of a company actually have a background in information security. Trust audits are taking place to uncover problems. Trust customer data is being stored in accordance with good security practices. Trust the website you’re browsing to is really CompanyWebsite.com. Trust “[insert name of company here] Free Wi-Fi” is really that company’s free Wi-Fi. Trust that devices in your home aren’t spying on you. You start to get the idea.

Security is a tradeoff between safety and convenience. Computing could be made very secure but those systems would be completely unusable due to the layers of security. There is no such thing as a “completely secure” system or device – it just means the mistakes, problems, and bugs haven’t been found yet. “Shellshock” is considered to be a very severe security bug. Disclosure came in September of 2014. This bug affected millions of servers connected to the internet. It was determined the bug, in some form, had existed in the UNIX (and Linux) command-line interface since 1989.
Humans program computers. Humans use computers. Humans make mistakes.

Hackers leverage these mistakes and use them to their advantage, often to gain unauthorized access. The word “hacker” has two meanings. “White-hat hackers” are the ones who experiment with and modify devices and software to make it work better. Hams are examples of these because we take commercial gear and make repeaters or use off-the-shelf routers for things like Mesh networking. “Black-hat hackers” are the bad guys and the ones we hear about on the news stealing credit card data from Target and personal data from Equifax. These are the ones I will be referring to.

Hollywood gives us the perception that hackers are in some 3rd-world country or in a dark basement, no lights, and only the glow of their computer screens. Hackers come from all parts of the world and sometimes are acting on a government’s behalf. In fact, legitimate companies exist solely to sell their black-hat hacking tools. They have buildings, employees, call centers, and help desks – as does any legitimate company.

What’s the motivation behind hacking?

Money. It’s hard not to tie everything back to money. The first reference to malicious hacking was “phreaking” (pronounced “freaking,” a.k.a. phone hacking), where one of the goals was to manipulate the public phone system and use it to make long-distance calls at a time when calling around the world was very expensive. More recent financial examples include everything from disrupting nation-states (economically) to blackmail and ransom payments for access to data. Ransomware encrypts all of your documents and pictures. It demands payment before it will (hopefully) decrypt your files, allowing you to use them again. Ransomware uses the same technology, strong encryption, that you use to transact securely with your bank online.

My social media, computer, or online account has no value [to me] / I only check email / I don’t store anything on my computer / why would anyone want access to my email or computer?

I hear these a lot. Many of us don’t realize all the things a bad guy can do with computer access or an email account. Brian Krebs is a blogger who covers computing security and cybercrime on his website, Krebs on Security. He is known for infiltrating underground cybercrime rings and writes about his experiences. His site is highly recommended reading for anyone with an interest in cybersecurity.

Brian posted two articles titled “The Value of a Hacked Email Account” and “The Scrap Value of a Hacked PC…” When signing up for any online service, an email address is almost always required. In 2013, according to Brian’s article, hackers who have access to email accounts can subsequently gain access to other services such as iTunes and sell that access for $8 each. FedEx, Continental, United accounts go for $6. Groupon, $5. Hosting and service accounts like GoDaddy, AT&T, Sprint, Verizon Wireless, and T-Mobile, $4 apiece. Facebook and Twitter accounts were $2.50/ea.

Aside from the monetary value, bad guys have access to family pictures, work documents, chat history, can change billing and deposit addresses on banking accounts, drain financials like 401K, bank or stock accounts, and target other individuals like family members. In 2012, a hacker went after Wired journalist Mat Honan locking him out of his digital life. The attacker used flaws in Amazon and Apple’s services, which helped them gain access to Mat’s Gmail and ultimately his Twitter account.

Access to a personal computer can be gained through a number of schemes, including: a fake ‘you have an out-of-date plugin/Flash version’ warning on a webpage, an email about a past-due invoice, a notification of a problem with some shipment, or innocently installing a program thought to be legitimate. A recent example of a compromised program was the widely popular PC maintenance program CCleaner. Untold millions of people unknowingly downloaded a malicious version of the program from the vendor’s own site.

A hacked PC can be used for: generating email spam, harvesting other accounts (see above), gaining access to a work network, stealing online game keys and characters, taking part in a Denial of Service attack, infecting other devices on the network (like DVRs), creating fake eBay auctions, hosting child porn, and capturing images from web-cams or network cameras to use for extortion.

What can I do to protect myself?

Unfortunately, in situations of compromise like Target and Equifax, there was nothing you could do – other than not use a credit card at Target or not apply for any kind of credit reported to Equifax. Unlikely for many. You can only react after the fact by closing accounts with fraudulent charges and placing warnings or freezes on your credit.

The SANS Institute, which specializes in information security and cybersecurity training, offers a “monthly security awareness newsletter for everyone” called “Ouch!” Their October 2017 newsletter outlines five steps to help anyone overcome fears and securely use today’s technology. Check the newsletter for more information on these points.

  1. Social Engineering: an old technique which creates a sense of urgency to trick people into giving up information they shouldn’t: someone needs money quickly, the boss needs a password, the IRS is filing suit against you, “Microsoft Tech Support” calls you about a “virus” on your computer, etc. Never give a password, any personal information, or remote access to any solicitor.
  2. Passwords: Create unique, strong passwords for all online devices and online accounts. Use a password manager, which will assist in creating strong passwords. LastPass uses a web interface and cloud storage; KeePass is an application and stores the database locally on your computer. Both are excellent password manager solutions.
    If you’re uncomfortable with a password manager, use pass-phrases which are passwords made up of multiple words. Passphrases can be written down, but store these in a secure location. Use two-step verification, often called two-factor authentication. Two-factor authentication (2FA) is a combination of something you know (your password) and something you have (a smartphone). A list of services offering 2FA with instructions can be found at: twofactorauth.org. Note: text messages are NOT a secure two-factor method because the cellphone network is not secure and attackers have been able to re-route text messages.
  3. Patches: Put all devices connected to the Internet behind a firewall (router) and keep all systems connected to the internet up-to-date. This includes home routers, computers, smartphones, tablets, streaming media devices, thermometers, Raspberry PIs, lights, automation systems, speakers, and video cameras. If devices are not being updated by the vendor, potentially dangerous mistakes are not being fixed. It’s time to consider better devices.
  4. Anti-virus: can protect you when you accidentally click on the thing you shouldn’t have and infect your system. It won’t protect against every form of infection. Windows Defender, available for all current Windows operating systems, is sufficient.
  5. Backups: I cannot stress this enough: backup, backup, backup! Many times I’m asked something similar to: ‘how can I recover my daughter’s wedding pictures from my computer’s crashed drive?’ Maybe you can, but often not. ‘I lost my phone, didn’t have cloud backup enabled, and had vacation pictures on there.’ Yeah, they’re really gone. Backups serve as a way to recover from your own mistakes, like accidentally deleted files, and from ransomware cyberattacks. A “3-2-1 backup strategy” means 3 copies of your data, 2 on different media, 1 off-site. For most of us, this means: the original data is the 1st copy; an external hard drive (disconnected when not copying data) or a network storage drive houses the 2nd copy; and a copy on a USB flash drive stored at work, or backed up using a cloud backup solution, is the off-site 3rd copy.

A layered approach to security is considered best practice. As an example, creating strong passwords AND using two-factor authentication. The more layers the better, but more layers means less convenience. Brian Krebs also offers his “Tools for a Safer PC,” which includes switching to OpenDNS in your home router. DNS is the service that turns human-readable names into IP addresses. OpenDNS blocks communication with known malware sites.

Hopefully this information has grabbed your attention and guided you to take steps to become safer online. Thanks for reading and 73… de Jeff – K8JTK

Imgs: Krebs on Security, Ars Technica.

Ohio Section Journal – The Technical Coordinator – February 2016 edition



Read the full edition at: http://n8sy2.blogspot.com/2016/02/february-issue-of-ohio-section-journal.html

THE TECHNICAL COORDINATOR
Jeff Kopcak – TC
k8jtk@arrl.net

Hey gang,

I was contacted this month by someone concerned that Fldigi would install a “trojan” on their computer and wanted to know where to get a clean download of the program. Before panic sets in, there is no reason to smash your hard drives. Why did I receive this question? I’ll explain the tech behind the issue.

Fldigi, Flmsg, Flrig, and the other applications in the suite are now hosted at a place called SourceForge (also abbreviated “SF”). SourceForge is a web service launched in 1999 that offers tools for developers to manage their projects for free. They host source code (for those who want to read, audit, modify, or learn from raw code), web pages for the project, mirrors (hosting in multiple locations in case any one server is down), bug tracking, and many other features. It was the place for hosting free and open-source software. A ton of very well-known projects were (some still are) hosted on SourceForge: Apache Server, GIMP, OpenOffice, Firefox, Thunderbird, Audacity, FileZilla, Drupal, WordPress, JT65-HF… the list goes on.

Some users were discouraged by the number of advertisements on the site. Though it is an ad-supported free service, there weren’t any viable alternatives.

In July 2013, SourceForge created an optional service available to developers called “DevShare.” Any developer who participated in the service would knowingly push additional unwanted programs to anyone downloading their project. This is commonly referred to as ‘crapware’ encompassing adware, download managers, antivirus programs, browser toolbars, homepage modifications, search engine replacements, and the like.

In May 2015, it was reported that SourceForge seized control of what they considered ‘deprecated or abandoned’ Windows projects. In taking control, they locked out the developer and “updated” project downloads to push similar ad-supported content.

This is a problem because the open-source community is just that, a community. It is made up of enthusiasts who like developing programs. Much like ham radio, they donate their time and do it for free. When a company takes the good name of a well-known project and tarnishes it by installing adware on users’ computers, this doesn’t go over well with the community. Their business practices effectively destroyed what was left of SourceForge’s reputation.

The DevShare program started a movement within the community to find replacements for SourceForge, primarily GitHub. SF has since stated they are not taking control of unmaintained projects. It was too little, too late. Many developers deleted their projects from SF and moved their content elsewhere. It is up to each developer to make a decision about their project. I’ve provided links at the end of the article that go more in-depth for those into tech stories. SourceForge is not the only site that bundles crapware in downloads. Download sites like CNet’s Download (dot) com and many other free file hosting services also push ads and unwanted programs.

Back to Fldigi. The developer of Fldigi maintained the installer and source files on his own server. Somewhere near the end of last year, his site was hacked. The decision was made to move the files from his server over to SourceForge, likely in an attempt to be more secure.

This created a problem for many who are aware of the issues with SourceForge. Unfortunately, it is the only place where the Fldigi Suite updates and downloads reside. I have installed many Fldigi updates since the move to SourceForge and have not seen anything to suggest any unwanted programs are included. The issue is something to be aware of.

Good security practice dictates not downloading anything you yourself didn’t go looking for. If you do download Fldigi and it prompts you to install an antivirus program, this is a huge red flag. Another example: never click anything that says ‘your plugins, Java, Flash, antivirus, or system… is out of date,’ because you weren’t looking for those updates.

In other news, I would like to welcome Technical Specialist Eldon – W5UHQ. If that sounds familiar, it’s because he is the Net Manager for the OHDEN HF digital net. The Ohio Digital Emergency Net meets Tuesday evenings at 8pm on 3585 using OLIVIA 8/500 at 1 kHz. Its purpose is to provide statewide communications to EMAs and EOCs in Ohio using sound card digital modes. If that wasn’t enough, he brings an extensive background in communications and electronics to the group. OHDEN net: http://ohden.org/

I will be at the Mansfield Hamfest on February 21. I’ve been invited to present during the Digital Forum at noon. This is assuming the weather is better than it has been the last few days, hi hi. The Digital Forum will contain a presentation on digital voice by Duane – K8MDA and I will present passing messages using Fldigi. Hope to meet you at Mansfield! More: http://hamfest.w8we.org/

Thanks for reading and 73… de Jeff – K8JTK

Articles on SourceForge:

http://www.infoworld.com/article/2929732/open-source-software/sourceforge-commits-reputational-suicide.html

http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/