“In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian…
Nixon said because of Russia’s unique legal culture, criminal hackers in that country employ these checks to ensure they are only attacking victims outside of the country.
“This is for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware.”
—Brian Krebs, “Try This One Weird Trick Russian Hackers Hate.” krebsonsecurity.com. May 17, 2021.
The Cyber Policy Center’s report, “Securing American Elections: Prescriptions for Enhancing the Integrity and Independence of the 2020 U.S. Presidential Elections and Beyond,” makes for some discouraging reading. In short, our elections are as secure as most everything else these days, i.e., not very secure.
“The reality is that your sensitive data has likely already been stolen, multiple times. Cybercriminals have your credit card information. They have your social security number and your mother’s maiden name. They have your address and phone number. They obtained the data by hacking any one of the hundreds of companies you entrust with the data — and you have no visibility into those companies’ security practices, and no recourse when they lose your data.
Given this, your best option is to turn your efforts toward trying to make sure that your data isn’t used against you. Enable two-factor authentication for all important accounts whenever possible. Don’t reuse passwords for anything important — and get a password manager to remember them all.
Do your best to disable the “secret questions” and other backup authentication mechanisms companies use when you forget your password — those are invariably insecure. Watch your credit reports and your bank accounts for suspicious activity. Set up credit freezes with the major credit bureaus. Be wary of email and phone calls you get from people purporting to be from companies you do business with.
Of course, it’s unlikely you will do a lot of this.”
—Bruce Schneier, “Protecting Yourself from Identity Theft.” Schneier on Security. May 6, 2019.
“GPS and other Global Navigation Satellite Systems (GNSS) are used in everything from cellular communication networks, to basic consumer goods, high-end military systems, and stock trading inputs. But these systems are vulnerable: by attacking positioning, navigational, and timing (PNT) data through electronic warfare (EW) capabilities, state and non-state actors can cause significant damage to modern militaries, major economies, and everyday consumers alike. With recent technological advances, the tools and methodologies for conducting this interference are now at a high risk for proliferation. GNSS attacks are emerging as a viable, disruptive strategic threat.
In this report, we present findings from a year-long investigation ending in November 2018 on an emerging subset of EW activity: the ability to mimic, or “spoof,” legitimate GNSS signals in order to manipulate PNT data. Using publicly available data and commercial technologies, we detect and analyze patterns of GNSS spoofing in the Russian Federation, Crimea, and Syria that demonstrate the Russian Federation is growing a comparative advantage in the targeted use and development of GNSS spoofing capabilities to achieve tactical and strategic objectives at home and abroad. We profile different use cases of current Russian state activity to trace the activity back to basing locations and systems in use.”
“Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria.” C4ADS.org. April 2019.
“Data privacy matters, and we all deserve respect and consideration from those we visit on the internet. As shown by the numerous data breaches that have affected companies and individual users around the world, individuals and governments, however, we must also look out for our own personal data and privacy. Using a VPN to obfuscate your location and encrypt data is a powerful way to prevent the tracking, stalking and theft of personal and private data.”
—Eric Jeffrey, “How to Boost Your Data Privacy With a Virtual Private Network.” Security Intelligence. November 2, 2018.
“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There’s no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.
This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It’s actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals’ safe houses would be more secure, but it’s pretty clear that this downside would be worth the tradeoff of protecting everyone’s house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.
Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won’t make it impossible for law enforcement to solve crimes; I’ll get to that later in this chapter.) Regardless, it’s worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We’ve got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.”
—Bruce Schneier, “Five-Eyes Intelligence Services Choose Surveillance Over Security.” Schneier.com. September 8, 2018.
“The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.”
Beyond security, the first game, “Bandit,” is a useful introduction to the command line, common tools (e.g., ssh, man, grep), and basic operating system concepts, such as permissions.
Secure Accounts is comprised of five different modules, each designed to function as a standalone resource on a specific aspect of account security, or as a series, with each module building on one another.
The five modules include:
- Secure Your Accounts: A comic that explains why people should take their account security seriously
- Account Phishing and Civil Society: A brief explanation of what phishing is and two examples of phishing attacks against civil society groups based on recent Citizen Lab research
- 2-step verification in 2-minutes: A comic that explains what 2-step verification is and why it’s important
- Set up 2-step verification now: A collection of links to instructions on how to set up 2-step verification on popular online platforms
- Who could get access?: An app that uses humour to highlight how adopting better security habits will mean hackers need more time and skill to break into your accounts
Troy Hunt provides a detailed explanation of why you should be using a password manager.