Sunday, November 23, 2014
Ottawa police, Supreme Court websites also shut down after possible hack
A hacker group claimed responsibility after the websites of the Ottawa police department and the Supreme Court of Canada flashed offline Saturday evening, one day after the same group allegedly shut down the City of Ottawa’s website.
The Ottawa Police Service’s website stopped responding around 6:30 p.m., with visitors attempting to reach the site greeted by a blank page with an error message. The Supreme Court of Canada's website shut down the same way shortly after.
A Twitter account under the name Aerith claimed responsibility for the website malfunctions. "We'll start by taking OttawaPolice.ca offline, just to annoy them," it tweeted just after 6 p.m.
Ottawa police could not immediately confirm whether its website was hacked but told CBC News they are currently investigating.
"This is just the start," Aerith said in a message posted to an online forum. "We will not rest, we have already hacked Ottawa police's mail server, stolen all email logs incoming and outgoing."
CBC News could not immediately confirm who authored the message or its authenticity.
Aerith said Friday it hacked the City of Ottawa website. For about an hour, the site displayed the name of an Ottawa police officer involved in the investigation of an area teen who allegedly called in fake emergencies across North America, prompting police departments to deploy SWAT teams. The practice is often called “swatting.”
Const. Joel Demore’s name was shown alongside a dancing banana and the message: “Joel Demore: You laugh at us, you are scared of us, does this help your laughing?" the hacked website read. "We can destroy everything, this is a flex of our power. Please, test us. You know what we want."
Tuesday, November 18, 2014
NEW YORK (CNNMoney)
The nation's energy grid is constantly under attack by hackers. In fiscal year 2014, there were 79 hacking incidents at energy companies that were investigated by the Computer Emergency Readiness Team, a division of the Department of Homeland Security. There were 145 incidents the previous year.
Cybersecurity firm FireEye identified nearly 50 types of malware that specifically target energy companies in 2013 alone, according to its annual report. Energy firms get hit with more spy malware than other industries, according to a 2014 study by Verizon.
Wednesday, November 12, 2014
NEW YORK (CNNMoney)
Hackers attacked the U.S. weather system in October, causing a disruption in satellite feeds and several pivotal websites. The National Oceanic and Atmospheric Administration, NOAA, said that four of its websites were hacked in recent weeks. To block the attackers, government officials were forced to shut down some of its services.
This explains why satellite data was mysteriously cut off in October, as well as why the National Ice Center website and others were down for more than a week. During that time, federal officials merely stated a need for "unscheduled maintenance."
Still, NOAA spokesman Scott Smullen insisted that the aftermath of the attack "did not prevent us from delivering forecasts to the public."
Sunday, November 2, 2014
In celebration of the 100th post on Security Generation, I’ve decided that a list of 100 security and privacy tips would be appropriate. The tips start off basic then get a bit more complex, and cover a range of areas from general computer and information security, to safe web browsing, email security and privacy. Thanks to everyone who’s been visiting (and to those who are following on Twitter), I hope to keep bringing you useful and interesting content into 2011. Feel free to share this with others, and suggest any other tips that you think I may have missed out! Let’s kick off the 100 Security Tips, enjoy:
- Keep informed of current events in security by reading (or listening to) relevant security news
- Always be aware and alert for threats, and adjust your security to fit your current environment
- Be skeptical (not paranoid), and use common sense
- Ask for help or information if you’re ever suspicious or unsure about something
- Help educate others about good security practices, and point them to useful resources
- Regularly patch your system, browsers, and other software and mobile devices when updates are available
- If you use antivirus, and you probably should, update the signatures hourly at a minimum
- Don’t use an Administrator (root) account for day-to-day use. Set yourself up a standard user account
- Use good, strong passwords with a minimum of 8 characters
- Do not use “password”, abc123, 12345, qwerty, your username, any dictionary word, or any derivatives of these as your password!
- Use a good password generator if it helps
- Don’t re-use passwords, especially for important sites or services, and avoid copying and pasting passwords, as these can remain on the clipboard
- Change your important passwords regularly (add yourself a calendar reminder every 6 months or so)
- Don’t share your passwords with others
- Don’t write down your password, and if you must, don’t write down what it’s for or its associated username (destroy it when you no longer need it). Do NOT stick the login password to your computer onto your monitor, underneath your keyboard or anywhere near your computer!
- If you need to store your passwords somewhere, use a secure encrypted password storage tool (such as KeePassX) together with a strong decryption password
- Set strong (hard to guess) secret questions and answers. If you can’t set your own secret questions and have to use something like “What is your hometown”, then enter your home town, but add a unique piece of information that only you will remember (eg. New York 1984). Weak secret questions are usually the easiest way to break into accounts!
- Consider using two-factor authentication such as biometrics, USB dongles, or smart cards to strengthen your authentication process
- Disable auto-login on your computer
- Don’t plug in unknown or suspicious USB devices into your computer
- Ensure any auto-run functionality is disabled
- Don’t leave your computer unattended in public places
- If you use and travel with a laptop, consider installing software (such as Hidden or Prey) that would help you with recovering it, if it gets lost or stolen. For iPhones, check out Apple’s free Find My iPhone service
- Beware of shoulder-surfers when typing in your password, or when sensitive information is displayed on screen
- Consider buying a privacy filter for your screen if frequently working on sensitive materials in public
- Set a screensaver password and lock your screen when leaving your computer
- Use a physical computer lock and secure it to the desk or other immovable object when leaving your computer in public or even workplace environment
- Pay attention to SSL errors when browsing, and reject invalid certificates if you feel something’s wrong
- As a general rule, try to avoid using public or untrusted computers to log in to sensitive services (eg. email, banking), as these often lack patches and may have keyloggers.
- If you do use a public computer, use ‘Private Browsing’ functionality in browsers to prevent them from saving history and cache files to the disk
- Only browse to and from sites you trust
- Only install software from sources you trust (beware that a lot of bootleg software can contain malware)
- When browsing to sensitive sites such as online banking, email (or even non-sensitive sites like Facebook), force SSL by using ‘https://’ ahead of the URL. Make sure your bookmarks are set to use this too
- Use a browser plugin (such as HTTPS Everywhere) that will enforce persistent SSL on specific sites
- Regularly clear cookies to purge any unneeded or unwanted tracking cookies
- Sign up for two-factor authentication services if your bank offers them. These include pin pads, SMS codes, etc
- Only perform financial transactions (eg. transfer money or purchase goods) from sites with a known good reputation. If unsure do a bit of Google research, many scam sites are already known and talked about online
- For online services between individuals (eg. eBay), beware of scammers when selling anything of value. They will often over-bid, send you a fake PayPal (or other) payment notification email, and ask for the item to be shipped quickly. Always verify yourself that the payment has been received before releasing any goods
- Learn to recognise current phishing, vishing and other scams
- Don’t store credit card details in a file on your computer. Malware can easily scan your computer in search for credit card numbers. Many secure password tools (such as KeePassX) allow you to also enter other sensitive pieces of information such as CC numbers
- Only click on links from sites or people you trust, but don’t click if you feel the link is suspicious
- Beware of URL shorteners, as these can be used to mask malicious URLs. Most services will allow you to preview the full URL (eg. adding a + at the end of a bit.ly URL)
- Use browser plugins like NoScript to block potentially unwanted or malicious scripts
- Don’t allow your browser to remember your credentials for websites. Browsers do not adequately protect this information!
- When configuring email clients, set it to use SSL when connecting to the POP, IMAP or SMTP server
- Don’t click on unknown links or attachments in emails
- Encrypt sensitive information and/or attachments in emails, and send the decryption key via another method (eg, by phone, SMS, smoke signal). PGP/GPG (GPGMail) is a good solution for encrypting and digitally signing email
- Never send credit card details by email, including scanned images of your credit card (yes, people do this for some reason)
- Your bank should never be emailing you with requests for bank details, credit card numbers, personal details, etc. They are usually phishing attacks, so don’t reply. If unsure, call up your bank using the phone number on their website (type the URL in yourself, don’t rely on links or phone numbers in emails)
- Don’t reply to emails offering you money in return for accepting funds on the behalf of the King of Umbalawi (Nigerian people want your money)
- Unless you remember subscribing to receive emails, never reply to spam or click on links to unsubscribe, you’ll simply be signed up to receive more spam and may receive malware
- Don’t trust companies or online services to keep your data safe
- Consider using disk encryption features (eg. FileVault/BitLocker) or software (eg. PGP/PointSec) to protect files on your computer
- Use encrypted disk images, volumes or files when transferring data using USB sticks
- Back-up your important files
- Make another backup
- Re-read steps 55 and 56, just for good measure. Unfortunately most people, myself included, only learn the priceless value of backups after they’ve lost something
- Consider encrypting your backups, particularly if you’re going to make backups to an online service. Note, however, that a corrupted encrypted file or volume may leave you without access to your files!
- If you encrypt your backups, make sure you remember the decryption key or store a copy securely somewhere. Your encrypted backups are useless if the key is in your KeePass file on your lost/destroyed computer
- Store unencrypted sensitive data and backups in a secure location, such as a safe
- Test your backup recovery process to make sure you can get access to your files should you need them!
- Use secure delete functionality or tools when erasing sensitive files
- Remember that deleted sensitive files may still reside in backups, or in multiple backups if you’re using incremental backups. Delete them there too if need-be
- Use secure wiping functionality (Disk Utility) or tools (DBAN) to erase drives/devices before giving or selling them on
- Disable UPnP on your router to prevent the creation of unwanted inbound firewall rules
- Change the default username and password on your router
- Set trusted DNS services (such as OpenDNS or Google DNS) in your router and computer network configurations
- Avoid connecting to untrusted wireless networks
- Avoid connecting to unencrypted wireless networks
- If you connect to untrusted or unencrypted wireless networks, enforcing SSL is even more important
- If you don’t need a wireless network, then avoid having one. Ethernet is better anyway ;)
- If you use wireless, consider having a separate network for guests that is segregated from your primary network. Some wireless routers (eg. Airport Extreme) natively support this, otherwise two routers and some firewall rules will achieve the same effect
- Use WPA2 and a strong password/key to secure your wireless networks
- Set a custom SSID on your wireless network; this will make rainbow-table attacks significantly harder
- Turn off your wifi card, either in the OS or using a physical switch (if you have one), when not in use. This is to prevent fake-ap attacks. Also disable Bluetooth when not in use
- Turn off unnecessary network services (eg. file sharing, screen sharing, remote login) if unneeded or when not in use
- Use personal firewall features/software on your computer and learn how to configure it properly
- Use outbound firewalls such as Little Snitch or Zone Alarm to alert you of outbound connections from your computer
- When setting up or using network file transfers, try to use encrypted methods such as SFTP/FTPS and SCP
- Use certificates for authentication where possible (SSH, FTPS, VPN, etc)
- Use encryption such as OTR to protect your instant messaging conversations and authenticate your contacts
- Use Tor to anonymize web browsing, but beware that the destination/content of your browsing may be visible to a third party (use SSL!).
- Use SSH Tunnels or IPSec VPNs to secure and/or anonymize browsing, email and other traffic on untrusted networks (and unencrypted wireless networks)
- Remote desktop services such as VNC are usually unencrypted. You should definitely tunnel this traffic through SSH or VPN.
- Use mechanisms such as Single Packet Authorization to protect high-risk services like SSH or VPN.
- Set up a host or network-based intrusion detection system (eg. Snort) to alert you to suspicious activity on the network.
- Read up on easy things you can do to secure your system (eg. Securing Leopard), or go as far as following NSA hardening guides.
- Be mindful of the type and quantity of information you divulge online (aka. oversharing), as it may be used against you. Even information in ‘private’ services can come out for a number of reasons
- Think before posting your location on location-aware services (Foursquare, Facebook, etc), and consider what the effects could be of doing so, particularly if this is something you do on a regular basis.
- Many types of documents are embedded with some form of personally-identifying information which may include your name, contact details or location. If you are distributing documents online, text or images, be sure to remove undesirable meta-information.
- Be aware of the relevant privacy laws and security practices of other countries before traveling. In the UK you can be forced to reveal your decryption passwords, and in the U.S. the Department of Homeland Security can confiscate your computer or portable media and make copies of any information.
- Consider traveling with an empty ‘skeleton laptop’ and access your information at home remotely over SSH/SFTP/HTTPS/etc.
- Know your rights to privacy in your country, both in private and at work
- In an office environment, challenge unknown individuals attempting to enter behind you (tailgaters) to produce a valid badge/pass
- Report those unwilling or unable to produce a valid badge/pass to security
- Be suspicious of calls or emails from unknown individuals asking for information. This could be as benign as someone’s contact details.
- If someone claiming to be from tech support says they need your credentials because your account was hacked and they need the credentials to reset it, or they’re upgrading systems and need your credentials to do so, they’re probably lying. Tech support should not need to ask you for your credentials. Call tech support back yourself to verify it is indeed them. If they still need your password see Tip #5.
- Be aware that almost any device can be used to record audio and/or video, including smartphones, music players, pens, etc.
- No matter what you do, adapt your security to be usable, reliable, and not hinder your use of your systems and devices.
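
Why the custom-SSID tip above works, as an added example that is not part of the original post: WPA2-Personal derives its master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table precomputed for one network name is useless against another. The SSIDs, passphrases and word list below are constructed sample values.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal pairwise master key.

    The standard derivation is PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations and a 256-bit (32-byte) output.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32
    )


def build_table(ssid: str, wordlist: list) -> dict:
    """Precompute key -> passphrase for ONE SSID (the salt is baked in)."""
    return {wpa2_pmk(word, ssid): word for word in wordlist}


# Constructed sample data, for illustration only.
COMMON_SSID = "linksys"           # a factory-default style network name
CUSTOM_SSID = "maple-house-7f3a"  # a unique name chosen by the owner
WORDLIST = ["password", "letmein123", "qwerty2014"]


def demo():
    """Same weak passphrase on two networks; only the SSID differs."""
    table = build_table(COMMON_SSID, WORDLIST)
    weak = "letmein123"
    # The precomputed table matches the network using the common SSID...
    hit_common = table.get(wpa2_pmk(weak, COMMON_SSID))
    # ...but not the one with a custom SSID, because the salt changed.
    hit_custom = table.get(wpa2_pmk(weak, CUSTOM_SSID))
    return hit_common, hit_custom


if __name__ == "__main__":
    print(demo())
```

A custom SSID only removes the precomputation shortcut; a passphrase taken from a word list can still be guessed directly, which is why the strong WPA2 password tip matters as well.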