Friday, September 26, 2014

Justification for Your Paranoia

It is that time of the month where I sit down and tell my employer everything that is wrong in the world of information security. My boss is off at DerbyCon and I am writing reports. So here is your latest report on things that suck in cyber-land...only a few of which are actually security related this week...

1. Shellshock
If you use any *nix (Linux, Unix, Mac) flavored system, you have probably heard of the bug in Bash which has been dubbed "shellshock". Patch it. Now. Seriously. Right, freaking, NOW. 
Shellshock is a very serious vulnerability because it allows remote code execution and gives the attacker full access to the system. Being able to get shell and execute any kind of program on the target system is a major coup for attackers. Many versions of Bash, from 1.13 to 4.3 are vulnerable. There have already been reports of targeted attacks hitting this vulnerability.
The Free Software Foundation put out this statement about it, but you should check with the creators of your individual distro to see if a fix has been released yet for you.
 2. Why if you are not in CS you are in the wrong line of work...
Here is fifteen minutes of doom and gloom regarding the job market for you...
My last job was almost entirely automation driven, with the clearly stated goal of replacing my own job. It worked. My team built a mixture of physical robots, code-based automation, and web-deployment automation tools that made our previous functions completely redundant. Of the eight of us, only two are still employed at that company, doing other kinds of automation, the rest of us were let go...we literally coded ourselves out of a job. Of course, when it came time to look for new work, that was actually a good thing to have on a resume.
The problem will come for those of you who don't code for a living. There really isn't anything that a human can do that a robot can't...
 3. SHOCK! Netflix doesn't have the movies you want to watch.
If you, like me, have a Netflix account none of this will come as a surprise, but it still might make you angry at the motion picture distributors. Netflix is responsible for a third of all internet traffic during peak hours in the US, dwarfing both online piracy and all other legal video platforms. Why, then, does the most popular and convenient subscription platform not carry most major titles? 
This new study, funded by the NBC Universal and the MPAA no less, shows that only 16% of the 808 major films titles researched were available through streaming subscription services (SVOD). The executive summary of the report tries to paint that that major films are available online, claiming that 94% are available through one rental service or another...but fails to mention that 84% of the films are missing from THE MOST USED MOVIE SERVICE in the US.


Dear MPAA, we use the internet because we like convenience. If you want a share of our money, maybe you should put the movies where we can get them.
Now I need to go torrent something just on principle...then watch some crummy movies on Netflix.
4. For those of you who have purchased or are thinking of purchasing the new iPhone...
Or for any of you who updated your iDevice to iOS 8, there are some new privacy settings you should care about. ZDnet looks at this in depth (with screen shots), but here is the quick rundown:
  1. Some apps will be able to track your location even while the app isn’t currently running. If this sounds highly unpleasant and overly invasive to you, the good news is that these apps should have a pop-up window that requires you to pick between allowing or not allowing this background location tracking.
  2. iOS 8 now allows you to decide whether personal info from your device can be accessed by specific apps. If you go to Settings > Privacy you can toggle on-and-off which info certain apps have access to. But turning these permissions off now does not remove any data that has already been accessed by the app previously.
  3. Apple’s iMessage now gives you the ability to determine how long you want to have these stored on your device, effectively setting an expiration date. Go to Settings > Messages and tweak the settings for Keep Messages, Audio Messages, and Video Messages to your liking. 
  4. In addition to those apps that can track your location in the background, there are some native iOS 8 services that keep track of where you are for everything from advertising to finding lost devices. Go to Settings > Privacy > Location Services > System Services to select which services can track your location and which can’t. (You probably want to keep Find My iPhone on). That service also needs to be turned on under Settings > iCloud > Find My iPhone.
  5. Safari now lets you minimize the amount of info advertisers can track your Web-browsing habits and location, but oddly it’s not in the setting for Safari. Instead, go to Settings > Privacy > Advertising and enable “Limit Ad Tracking.” Then be sure to choose the Reset Advertising Identifier option, and follow the prompts to clear existing tracking cookies.
 For all that I bash Apple for pretty much everything they make a do, Apple released the following notice last week, indicating that your data is now encrypted by default so that even they can't get to it. Which is a huge improvement over the back doors that were revealed in previous versions of iOS.
And hey, FBI director James Comey whining about it is definitely a good sign.
5. Regarding that last bit about iOS encryption...
Google is following suit with the next Android release.
Good for them for doing it. Bad for Apple having to do it first...