Insights For Success

Strategy, Innovation, Leadership and Security

Microsoft

Google's new Pixelbook ad is a hard jab at Windows

GeneralEdward KiledjianComment
Capture.PNG

Windows is the most popular operating system in the world and Google will naturally target it, in an attempt to win new customers for its upmarket Pixelbook offering.

Statistic: Global market share held by operating systems for desktop PCs, from January 2013 to January 2019 | Statista
Find more statistics at Statista

January 2019, according to Statistica:

  • Windows market share 75.47%

  • MacOS market share 12.33%

  • Linux market share 1.61%

  • ChromeOS market share 1.17%

Google released a one-minute promo video entitles “If you want a laptop you can count on. You Chromebook. “ .

Truth be told the latest version of Windows 10 has been incredibly stable but this ad will be fun to watch for any Windows user annoyed with constant forced patches, badly designed progress bars and the infamous Blue Screen of Death.

This is an exaggeration of issues users experience but does highlight the main reason why many security professionals have moved to Chromebooks. Patching is almost seamless, the device is normally very stable (except v 72.x has introduced some bugs Google does need to fix) and security is on by default.

Current belief is that on a Chromebook, you have no regular maintenance, no need for an antivirus, no big bang updates that take 30-45 minutes to complete, etc.

Let’s just say Google got even with Microsoft for running the Scrooggled campaign years ago.

Best URL shorteners

GeneralEdward Kiledjian4 Comments
UTL_short.jpg

URL shorteners are something you either use a lot or never. Google launched it's own URL shortening service in 2009 with unique (at the time) features like third-party API access, QR code generation, ability to use easily on mobile. 

But Google is retiring this public facing service and replacing it with Firebase Dynamic Links (FDL) accessible by developers only. 

This is not surprising since Twitter retired Deck.ly when it acquired TweetDeck.

If you have links, Google is giving you until March 30, 2019, to figure out what you are going to do (even though you will lose the ability to create new short links on April 13). 

google_short1.PNG

What are the best Goo.gl alternatives?

bitly.PNG

1 - Bit.ly

The first alternative has to be Bit.ly which is one of the most popular URL shortening services on the internet and one of the oldest. You create an account and then generate short links as required (you can also choose a tag to group your URL). 

Bitly allows you to create custom branded short URLs, which is excellent for marketing. 

Owly.PNG

2 - Ow.ly

Hootsuite runs a service called Ow.ly. Ow.ly offers all of the features of Bit.ly but integrates with HootSuite. So if you use Hootsuite to manage your social media presence, this could be the best option for you.

The big difference is that Bit.ly allows you to quickly shorten a link from their main webpage without having to sign-up whereas Ow.ly does not.

rebrandly.PNG

3 - rebrandly.com

Many lists include Firebase from Google but I am omitting it since it is only designed for use by developers in apps (not useful for the average Joe). My last recommendation is Rebrandly.com which offers custom URL shorteners. Many large cloud companies are Rebrandly customers (such as Microsoft, Dropbox, etc).

rebrandly1.PNG

Before you get scared and look away, they offer a free tier that will meet the needs of most users.

Conclusion

A URL shortener is a service that you will rely on for years, and I have presented the companies (services) that look to be the most stable. Remeber that when the service disappears's your links break which could wreak havoc on your social strategy.

OPSEC : Backup Strategy for the Security Conscious

GeneralEdward KiledjianComment
backup_hero.png

RELATED: The best way to protect your data - images, music, documents

Even with all of the technological advancements we have made, backups are usually overlooked by the "average Joe" until something significant occurs (causing a massive shift in paradigm). 

Why backup

Traditionally we backed up our information in case the physical media we used (hard drive, DVD, ZIP Drive cartridge, Bernoulli Box, etc.) had a catastrophic incident. 

Modern headaches that we add to the justification list now include malware and cryptoware data modification, seizure at a border crossing or shutdown of a cloud service. 

When thinking about backups (as a security conscious individual), you are concerned about:

  • Recovering your files in their original format (not some compressed low-quality version of your precious originals)
  • Ensuring that only YOU can access your backed up information 

Know thyself

Before we can discuss how to protect your information, we need to know what and where that information is

Inventorying your information is not as simple as it first appears... Think of everywhere you have stored digital data. 

  • You have one or more email accounts possibly with various providers (Hotmail, Outlook, GMAIL, Yahoo Mail, your ISP, etc)
  • You could have contact information on Google, iCloud, Samsung Contacts, etc
  • You may have documents in Dropbox, Google Drive, Microsoft OneDrive, various 3rd party apps (diaries, note taking apps, etc)
  • You may have information (sometimes even forgotten) on USB keys, SD cards, CD/DVD disks, etc
  • This blog has information (articles) going back 7+ years

You get the picture. What first seems like a basic easy to answer question could quickly turn into a monstrous inventory activity. 

Once you know what you have, you then need to figure out which of these sources is the "master" copy. It is not uncommon for people to knowingly or unknowingly load duplicate information across multiple different storage mediums. This of the master as the version that you are likely to keep the most up to date. 

As an example, I recently did a photo duplicate cleanup and realized 15% of my total 1.5TB photo storage was duplicate files I had accumulated over the years. 

RELATED: OPSEC - How to securely delete files

It's time to strategize

In a previous article, I talked about the 3-2-1 backup strategy. The exact entry from my previous article was:

This is a simple way to remember the right way to backup and protect your data. 

  • You should always have 3 copies of your important data. This means one primary (aka the one you use on a daily basis) and 2 copies as backups.
  • You should always have your backups on 2 different types of media (one of your backups can be to an external hard disk while the other one should be to another type of media like DVD disk or to an online service).
  • You should always store 1 copy of your data to "somewhere else". This is to ensure recoverability in case your house or business experience a natural disaster. Now in most cases, this can be one of the popular online backup services or it can simply be you manually storing the media in another location like your office, a bank vault or leaving it in a friends house. To be extra careful, it is recommended to built-in some distance between you and the offsite backup in case a natural disaster eats a good part of your city. 

The reason we create the information inventory in the previous step is so that you can also backup your application datasets. As an example, if you use Google contacts, maybe export the file monthly in CSV format and make sure it is backed up (don't rely on the goodwill of the provider since they always cap their liability in the event of a catastrophic incident). If you use a journaling application, maybe export your entries in PDF and back that up. If you have pictures sitting on your smartphone, make sure a copy is taken and added to your backup strategy (Google Photos is good but it stored an "optimized" version which is not original). 

People often forget to back up basic information like their emails. To do this, you may need to install a "fat" email client on your computer and pull all the emails (or copies of them) from your mail provider then backup the local program database. Google isn't going away but there have been countless tales of users "losing" access to their accounts for months because Google made an arbitrary decision. Unless you are running your own infrastructure, assume the provider can stop your service and hijack your data at any time. 

A couple of years ago, I spent weeks scanning all my paper documents so that I could have digital easy to move, easy to backup versions. You will likely have to do the same.

Where to store your backups

Back to my 3-2-1 backup model, you should have 2 copies of the data you physically control and one up in the heavens we call "the cloud".

The size of your backup will dictate what kind of physical media you store it on. When backups were small, many users could get away with storing them on CD/DVD/Tape drives but these aren't practical for most modern users.

Most of you will likely store your local copies on some type of large local storage medium such as a USB key and/or hard-drive. If possible, store your local copies on 2 different mediums (USB key AND hard drive) or Spinning hard drive and SSD drives. 

You need one copy in the cloud. Local copies are great because you can restore access almost instantly, but if a major incident occurs, you may lose both of your physical copies. That is when your backup of last resort comes in (aka cloud backup). Remember to protect your cloud backups. You can do this by pre-encrypting the information before uploading it (which works if your backup is small and you are uploading to a service like Google Drive, Microsoft OneDrive or Dropbox). The other option is to use a backup service that lets you hold on to the encryption/decryption keys like Carbonite and Backblaze.

Make sure your backup provider has version control enabled. This means they store multiple versions of files. This is useful if you are infected with cryptolocker like malware that encrypts your files, you can go back to a version pre-encryption. This is also useful if you delete a file by mistake and want to go back in time and bring it back.

It's a process

Once you figure out what your backup strategy will be, you need to ensure it is "run" regularly. Nothing is worse than having a plan and then losing six months of data because you forgot to backup. Most cloud services offer near-line backups which is a nice set it and forget it model. 

You will have to ensure your local copies are regularly updated also. On my mac, I use the built-in and free RSYNC command in the terminal to synchronize via a scheduled task. There are also a tone of reasonably priced on device backup apps (if you don't want to fiddle with the terminal). These are examples but not endorsements:

OPSEC - Security when making calls

GeneralEdward KiledjianComment
radar-2799606_1920.jpg

RELATED: OPSEC - Introduction to Malware

RELATED: OPSEC - How to securely delete files

If you are making calls using a cellphone or landline phone then you should assume that your conversation can easily be intercepted by the carrier (providing the service or a government agency that has control over that carrier). Security researchers have even proven that with $1,500 in parts, they can build a cell phone call interception device by pretending they are a cell tower.

Regular phone calls on your cell phone (including SMS and MMS messages) are easily intercepted and should be considered insecure.

What about VOIP?

VOIP stands for Voice Over IP and any app that allows you to make voice calls is typically using VOIP (Whatsapp, Skype, DUO, etc). Many carriers have started offering Voice Over WIFI and Voice Over LTE. VOWIFI and VoLTE have the same security (or insecurity) as making a regular call using your carrier's normal cell network.

Some VOIP software offers decent or good end-to-end encryption. These require both parties to have the same software and typically callout that they use encryption in their literature. But be careful, not all encryption is created equal. Telegram Messenger advertises that it is secure but a deep dive into its model shows it uses "bad" (my opinion) encryption and shouldn't be trusted. 

RELATED: Telegram Messenger isn't as secure as you think

So some VOIP services offer good reliable encryption and others don't. Here are the ones you can rely on.

Signal

I have written about the free open-source Signal messaging app for years. Signal is the defacto reference on how to build solid end-to-end encryption. Their model was so good, they helped Whatsapp when it wanted to improve its security. 

RELATED: Whatsapp to become more secure than Apple Messages

Signal is cross-platform (Windows, Mac, ChromeOS, Chrome Browser). Signal offers a simple encrypted text messaging service and secure encrypted calling service. 

Signal uses your existing number and address book to simplify your authentication and connection with other users. Therefore there is no separate username or password to remember.

I have to highlight the fact that a motivated attacker can still collect metadata from signal calls because the central management servers are still owned by Whisper Systems. Whisper Systems does not have a way to listen in on calls or read messages but they do know who you spoke to, when and for how long. Having said this though, they still offer the most secure and best build encrypted messaging app around, and it is all offered for free.

Jitsi for encrypted video chats

If you want a free open-source tool for encrypted video chats (does audio too) then take a look at Jitsi. It also supports group chats. There is no requirement to sign-up for anything and therefore your personal information isn't sitting on some third-party server, 

You visit the site, enter a meeting name (without spaces and difficult to guess) and share that link with the other participants. It's really all there is to it. Safe, Easy and Secure.

What about Skype or Google Hangouts?

Most VOIP solutions offer transport encryption (which means a third-party like your carrier can't eavesdrop) but the data is managed unencrypted once it reaches the provider's network. In most cases, I discourage the use of these services for situations where security is the utmost priority. One caveat is that Skype has announced that it will work with the Signal team to implement end-to-end encryption (like Whatsapp did) but that is still many months away.  

There are dozens of products that use security to differentiate themselves and most have not been independently reviewed. I recommend you stick to the 2 products mentioned above.

Conclusion

Good security requires some planning but is well worth the effort. Hopefully, this article helps

Was Google, Apple, Facebook & Microsoft traffic redirected to Russia?

GeneralEdward KiledjianComment
network-2402637_1280.jpg

TL;DR: Internet traffic to and from major tech companies (Apple, Facebook, Google, Microsoft, Twitch, NTT Communications and Riot Games) were redirected through a Russian provider Wednesday. This appears to have been a deliberate hijack and not an error. 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

BGP is a routing and reachability protocol used on internet backbones around the world. It is what allows carriers to find routing information between each other (in simple terms).

2 BGP monitoring services have reported short changes to the routing of key internet giants, and they do not believe this was a mistake. 

BGPMon recorded two three-minute hijacks affecting roughly 80 address blocks.

One of the interesting things about this incident is the prefixes that were affected are all network prefixes for well known and high traffic internet organizations. The other odd thing is that the Origin AS 39523 (DV-LINK-AS) hasn’t been seen announcing any prefixes for many years (with one exception below), so why does it all of sudden appear and announce prefixes for networks such as Google?
— BGPMon

Qrator Labs recorded a two-hour hijack affecting 40 to 80 address blocks.

Qrator dashboard for the offending AS

Qrator dashboard for the offending AS

As mentioned in the BGPMon release, AS39523 is a Russian organization that has been inactive for years. The last time we saw them, they were involved in another BGP "incident" that involved Google.

Luckily most of the traffic that passes through these providers is encrypted at a level that is believed to be currently unbreakable. The concern is that a state-sponsored attacker could have new decryption algorithms that are not yet publicly known and it does means the traffic "could" have been decrypted (however unlikely it remains a possibility).