Brand Hijacking: doppelgänger domains, typo squatting, and counterfeit apps

Does your cyber security program address doppelgänger domains, typo squatting, and counterfeit apps? Organizational impersonation (brand hijacking) uses your reputation to dupe a victim. These attacks never hit your firewalls.

Let that sink in. A brand impersonation/hijacking attack is unlikely to touch any of your apps, websites, networks, firewalls, or logs. It occurs completely outside of, and independent of, any resources under your organizational control.

Fortunately, basic defenses against these kinds of risks can be implemented with rather simple tools; yet the topic is overlooked by many organizations and security teams. It also yields a two-for-one benefit… the same practices that reduce the risk of brand hijacking can be used to verify that the apps and services your organization consumes from others are legitimate and secure.
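One of those "rather simple tools" is a lookalike-domain screen for a brand you own: generate the common typo and confusable variants of your registrable label, then check domains you observe (mail-gateway sender domains, proxy logs, newly-registered-domain feeds) against them. The Python below is an added example written for this post, not code from the original article; the brand label `example`, the TLD set `{"com"}` and the `OBSERVED` list are constructed sample values, and `classify` assumes a single-label public suffix (see its docstring for the co.uk caveat).

```python
"""Lookalike-domain screening for a brand you own.

Constructed example: the brand label "example" and the observed domains below
are made up; in practice the observed list would come from mail-gateway sender
domains, proxy logs, or newly-registered-domain feeds.
"""

# Partial QWERTY adjacency map used for the adjacent-key ("fat finger") variant class.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "weadzx",
    "d": "erfsxc", "f": "rtgdcv", "g": "tyhfvb", "h": "yujgbn", "j": "uikhnm",
    "k": "iolj", "l": "opk", "z": "asx", "x": "sdzc", "c": "dfxv", "v": "fgcb",
    "b": "ghvn", "n": "hjbm", "m": "jkn",
}

# ASCII confusables folded back to the letter they imitate before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("4", "a"), ("5", "s"), ("7", "t")]

BRAND = "example"        # constructed: the second-level label your organization owns
BRAND_TLDS = {"com"}     # constructed: the TLDs under which you actually hold it


def typo_variants(label):
    """All single-edit typo variants of a DNS label: omission, doubled key,
    transposition and adjacent-key substitution. The label itself is excluded."""
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                    # omission
        variants.add(label[:i] + ch + label[i:])                   # doubled key
        if i + 1 < len(label):                                     # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for near in QWERTY_NEIGHBOURS.get(ch, ""):                 # adjacent key
            variants.add(label[:i] + near + label[i + 1:])
    variants.discard(label)
    return variants


def fold_confusables(label):
    """Map visually similar ASCII sequences to the letters they imitate."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def classify(fqdn, brand=BRAND, brand_tlds=BRAND_TLDS):
    """Label one observed domain relative to the brand.

    Assumes a single-label public suffix (.com, .net, ...). Registrations under
    multi-label suffixes such as co.uk need the Public Suffix List to locate the
    registrable label; that lookup is left out of this example.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "ignore"
    registrable, tld = labels[-2], labels[-1]
    if registrable == brand:
        return "legitimate" if tld in brand_tlds else "tld-swap"
    if brand in labels[:-2]:       # "example.com.something-else.net" style prefix
        return "brand-embedded"
    if fold_confusables(registrable) == brand:
        return "homoglyph"
    if registrable in typo_variants(brand):
        return "typo"
    return "unrelated"


def screen(observed):
    """Return {domain: reason} for every observed domain that resembles the brand
    but is not one of the brand's own registrations."""
    report = {}
    for domain in observed:
        verdict = classify(domain)
        if verdict not in ("legitimate", "unrelated", "ignore"):
            report[domain] = verdict
    return report


# Constructed sample of sender/proxy domains, not taken from any real log.
OBSERVED = [
    "example.com", "mail.example.com", "exmaple.com", "examp1e.com",
    "example.co", "example.com.secure-login.net", "unrelated.org",
]

if __name__ == "__main__":
    for domain, reason in sorted(screen(OBSERVED).items()):
        print(f"{domain:40} {reason}")
```

Run against a daily export of sender or proxy domains, the `screen` report is the list to feed into a takedown or blocklist workflow; the same `classify` call also answers the "two-for-one" question above, since a vendor portal or app download host that lands in `tld-swap`, `homoglyph` or `brand-embedded` is exactly the kind of service you should not be trusting.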


Who assesses your security configuration management practices?

In follow-up to “Security Misconfiguration is the #5 risk in 2017.”

Are assessments an internal process? Do you rely on auditors (often an adversarial experience for staff)? Do you rely on pentests and vulnerability scans (often limited in scope)? Or do you wait for the post-mortem after an incident occurs?

If these options seem lacking, perhaps it’s time to consider adding a third-party assessment to your security program. A few of the benefits include:

  • reduced burden on the Security Operations team.
  • fresh perspectives and insights.
  • assistance preparing for audits.
  • determination of whether the scope of pentests and vulnerability scans is appropriate and adequate.
  • evaluation of security configuration management practices. If needed, coaching (or assistance) in establishing configuration management.
  • an SOW that’s right for you and the current needs of your organization, not driven by the agenda of an auditor or a product vendor.

Even if your organization is not bound by regulations requiring specific security measures or audits, you may want to be proactive about your organization’s security health for more fundamental reasons.

Good security practices have numerous benefits:

  • fewer work errors and better quality control.
  • fewer occasions of unplanned down time.
  • better confidence in ability to handle exceptions quickly and efficiently.
  • better understanding of business relationships, dependencies, and trust decisions.
  • better understanding of roles and responsibilities.
  • better cost controls of the products and services purchased by your organization.

As you can see, good security practices can achieve much more than audit compliance.

Is your security program achieving its potential?

Security Misconfiguration is the #5 risk in 2017.

The latest “OWASP Top 10” lists “Security Misconfiguration” as the #5 security risk in 2017. Does your organization review its security configurations? Do you validate and test them? Does your organization practice configuration management?


Being agile, it’s not that complicated.

Some of the conversations I’ve been drawn into about Agile have been nothing short of mind-numbingly overcomplicated.  The Manifesto for Agile Software Development and the Twelve Principles of Agile Software are actually quite straightforward.
The manifesto only contains 62 words (354 characters).  The principles are described with 180 words (1,081 characters).
Yet, Amazon.com currently offers 4,521 books on “agile”.
If you really feel the need to read (or promote) a book about being agile… read “Corps Business: The 30 Management Principles of the U.S. Marines”.


According to the “Scrum Alliance: Certified Agile Leadership Program”, an Agile Leader:

  – Operates effectively amid uncertainty, complexity, and rapid change
  – Is knowledgeable about Agile values, approaches, and practices
  – Surfaces more creative solutions through increased self-awareness, a growth mindset, and engaging others
  – Aligns and empowers teams toward delivering more customer value
  – Personally integrates feedback and experiments, and adapts their ways
  – Takes a collaborative continuous-improvement approach to organizational effectiveness
  – Catalyzes change in others and facilitates organizational change

Um… yeah… just give me a couple of Marine Privates and stand back. I’ll take someone who’s earned their Eagle, Globe, and Anchor over a certificate of attendance, any day.

Still seeking a robust Bento replacement.

Still seeking a robust Bento replacement.  It’s been five years since the last update (Mar 16, 2011) and about two and a half years since it was discontinued (Sept 30, 2013).  And yet, two things still surprise me.  (1) There still isn’t a feature complete replacement product, and (2) I’m still using Bento.  It still works.

The short list of leading Bento replacements: 1Password, HanDBase, or TapForms.

* as of 2016-01-25, FileMaker would still be a >$350 buy in, require dev work, incur heavy “ease of use” penalties, and still leave me exposed to the poor Apple-FileMaker long term risks.

2016-01-25: tried/purchased 1Password and was left frustrated by missing features.

The 2nd worst of all is: any “schema” changes are only “per record”… i.e., adding a field only adds it to the record currently being edited… it doesn’t change the underlying table structure… because… they don’t have an underlying table structure… they don’t have a record/table/db schema… each record is just a bag of bits.

The #1 worst problem is: after customizing the fields for a record, and trying to export the record, the result is nearly gibberish.  It would be very labor intensive to create my preferred “schema” in 1Password and then subsequently export/migrate to even a basic spreadsheet.

2016-01-25: evaluated TapForms and elected not to purchase those apps.

The Mac app is $34.99, 13.4MB.

The iPad app is $8.99, 29.9MB.

The iPhone app is $8.99, 32MB.

From the support forum, the developer has been responding to “wifi-sync” requests, with “it’s four or five months away”… but he’s been saying that for a year.  Until he gets that option figured out, TF is a non-starter.

2015-03-01, really need to find a replacement before the Bento apps quit working altogether.

Must have features: wifi sync, ipad forms.

1Password is iOS universal, HB and TF are not.

The HanDBase folks are leaving basic features, like form design, out of the Mac app.

** 2015-10-10, HDB pulled out of the Mac App Store over some little bitchy thing earlier this year.

1Password has too many integration points with too many things; it’s a high risk product in the long term.

** 2015-10-10, 1P began requiring iOS 9 less than a week after Apple released the new OS. No backwards compatibility at all!

TapForms may become the de facto choice at some point… but I’ll wait a bit longer (Bento is still working today).

** 2015-10-10, TF is only syncing thru iCloud or DropBox (not an option for secure content).

2015-10-10, still looks like a DIY custom app is my best option…

Delete individual items from OS X 10.11 El Capitan “Messages 9.0” app.

To delete individual items from the OS X 10.11 El Capitan “Messages 9.0” app. *This is for deleting specific messages within a conversation thread. If the same Messages/iMessage account is active on multiple MacBooks, this will likely only delete the items on the specific MacBook where you do this (i.e., it doesn’t auto-delete the items from all connected devices).

  1. press and hold the command key
  2. click each of the individual messages to delete from a conversation.
  3. use the delete key.

It’s easy once you know the option is there, but it’s not obvious.


To delete individual items from a Messages conversation in iOS 9

  1. press and hold a finger on one of the items to be deleted.
  2. look for the “Copy | More…” popup to appear.
  3. tap “More…”, now the selected message will get a checkmark and an option to delete.
    • if there are multiple items in the conversation, each will now have a circle which can be checked (tapped) to select for deletion.
  4. tap the circles to select any additional messages to be deleted.
  5. tap “Delete All” at the top left of the screen.

*This doesn’t delete message items from other devices.  Nor does it remove/retract sent items from recipients.

quirky things you can learn from having a blog

Yes, this is self-indulgent, but I’m doing it anyway. Why? Because this is kind of interesting to me… and maybe I’ll take a similar look in another few years and see if any of it changes.


Well, not sure these really count as things I’ve learned from having a blog.  More like some things I can wonder about, some things I can guess at, and some things that are obvious.

  1. it appears a lot of people are still using OS X Mountain Lion. And that a lot of people are still having problems with its DNS cache.
    • suggestion: try a system update, folks. At least get the security updates; there are recent ones available from 2015.
  2. folks from the Bahamas, Jamaica, and the Cayman Islands don’t spend a lot of time reading obscure blogs.
    • I’m going to assume they’ve found better things to do.
    • If I were there, I would have joined them rather than write this.  🙂
  3. folks from Russia are not real big on Apple products.
    • not really a surprise, given Moscow’s approach to most foreign corporations.
  4. my blog consistently gets two to three times the traffic from Germany (population 80 million) than from India (population 1.2 billion).  In fact…
    • German traffic has been one of my top five country sources since starting this blog.
    • and, German traffic has been higher than almost all other “non-English-speaking” country sources combined. I know Germany has very high English literacy, but the stats are still interesting.
  5. some posts about managing Apple IDs have actually seen traffic double over the same time the rest of my traffic has dropped off.
    • although aging, those posts are accounting for a very significant portion of my traffic, and the stats keep increasing.
    • in addition to views/visits, I’m getting a lot of search hits and click throughs on those posts.
    • feels like a lot of people are getting frustrated with Apple’s haphazard way of managing IDs across Apple services, stores, devices, and applications.
    • wonder how much traction I’d get if I did an updated series including descriptions/guides to how all of the wacky two-factor-authentication variations currently work.  Actually, I don’t think I could… unless I enlist some additional people.  Some (er, many) of the Apple ID Authentication scenarios vary based on hardware and iOS version, and cannot be recreated in the Xcode simulator.
  6. Big surprise ( /sarcasm ), Google really dominates search.
  7. Web Crawlers generate so much comment spam that I thought they would account for a lot of views/visits… but not so much… actually a minuscule amount of traffic.
  8. Apparently VMware and Excel spreadsheets are both quite popular.  Fortunately, VMware related traffic edged out the Excel related traffic.  LOL.
    • Unfortunately, Excel edged out serious security topics.
  9. Wow, if I’d enabled Apple App Store bounty links (kinda like Amazon referral links), I could have reaped, hmm… carry the three… I could have reaped about $0.03 in referral bounties this summer.  LOL.
  10. Cross posting (WordPress Sharing) to Twitter yields dramatically more blog views than Facebook, LinkedIn, or Google+.
    • Twitter yielded more than the other three combined.
    • That one surprised me a bit; but then I’ve never really gotten into the twitter client usage.  I usually bail out and go back to information sources which use sentences and paragraphs. ( /snark )
  11. Overall, most of my posts are literally just notes on how I performed some specific technical task.  Occasionally I take notes (which don’t contain any customer proprietary information) and post them in case I might need to refer back to that sequence again six or eighteen months later.
    • those HowTo / InstallConfig notes account for more than 95% of my views and visits.
    • I’ll pretend everyone found those notes really helpful.
  12. A couple of my posts with the best traffic were closer to being long form articles.  Despite being very heavy in dry technical topics, the traffic and comments were quite positive.
  13. Fortunately, on my blog at least, a mention of laser beams beat out a mention of YouTube.  There is hope for humanity after all.  LOL.

Well, that was an interesting review. I’ve accumulated hundreds of notes on various design, development, testing, installation, configuration, and maintenance issues. It appears that it would be worthwhile to sort thru and find a few dozen relevant items for posting. Queue it with the things to do on the eleventh snow day.

T-Mobile Binge On free video streaming? How about free system, security, and app updates?

Free video?  I’ll be impressed when a carrier enables free system, security, and application updates for all devices connecting to their network.


Ok.  I get why people are going to think the T-Mobile “free” Binge On video streaming is great.

But, do you know what would be really good for users?

Free OS and App updates over mobile data plans.  Yes.  Really.

Show me a carrier with a data plan that doesn’t burn your quota against downloads and updates from the app stores out there.  A good beginning would include the mobile app stores from Google, Apple, Motorola, Samsung, Microsoft, Blackberry.  When fully deployed, this should extend to any and all devices connected to a mobile hotspot.

The top carriers already have the kind of infrastructure needed to build this.  It would be easy compared to T-Mobile’s streaming video solution.  By combining “CDN” infrastructure with “QoS/MPLS” traffic management features, carriers could allow app stores to deliver device updates in the background at a lower priority than other data streams. Carriers and app store operators would both be able to shift most of the update traffic to non-peak network times, thereby avoiding the need for additional network capacity (at least in most areas outside of LA and NY).

The carriers stand to gain enormously from the increasing number of connected devices entering the market. And if the “Internet of Things” (IoT) is to really get off the ground with even a mediocre chance of remaining secure and reliable, then carrier provisions for free OS and security updates should be considered a core requirement.

As for our typical cell phone and tablet usages… here’s a common situation, and an alternative.

scenario one (the status quo):

CUSTOMER:  my phone doesn’t work right, it’s acting weird.

CARRIER REP:  have you updated it?

CUSTOMER:  uhm, how?

CARRIER REP:  uhm, ?  (mutters a lot of gibberish)

scenario two (carrier’s mobile data allows free updates): 

CUSTOMER:  my phone doesn’t work right, it’s acting weird.

CARRIER REP:  have you updated it?

CUSTOMER:  uhm, how?

CARRIER REP:  Uhm, turn it on, and let it connect to the network, and click ok when it offers to update your software.


Given that many people and organizations have strong concerns about the security and reliability of the networks they allow their devices to connect with… the carrier who implements a strong solution for system updates, security updates, and app updates is going to have a substantial advantage over those who continue to pretend they have no customer-facing responsibilities for this issue.

Apple App Store problems – expired app certificates are causing installed purchases to break.

As described by AppleInsider today (2015 November 12), the Apple App Store is creating problems for users due to expired app certificates.

I unknowingly encountered this yesterday (2015 November 11).  While opening Bento, I was prompted to authenticate with the App Store with a message that “this app was purchased on a different computer.”

Today, I’ve received the “this app is broken or damaged” message when trying to open BBEdit, Coda, and Sketchbook Pro.

Although the error messages were different, each of these apps has one thing in common. They are older apps which are no longer available for purchase in the App Store. Yes, I can “re-download” them from my purchase history… but this does increase my concern about how Apple treats past purchases of apps which are no longer sold or updated by their developers.

An additional annoyance… I’m currently traveling, so re-downloading these apps requires tethering the macbook to a wireless hotspot or phone and consuming a data service which is currently costing $10/GB.

This is not the first time Apple users have experienced problems due to app certificate expirations.  Until Apple solves this problem, this issue should raise concerns for anyone needing long term reliability from their software purchases.  What happens to users and businesses when the next batch of affected apps include password keepers, electronic healthcare apps, or the app which unlocks your home security system?

Hydrologic Sensor Engineering

Many improvements in remote sensing are available, but they’re not quite ready for the Internet of Things (IoT). Data availability and data privacy aren’t big obstacles. But for data integrity, we still need solutions for issuing and managing digital signing keys for remote sensors.