Tech Friday with Dave Hatter - April 3rd 2020 - SPONSORED BY INTRUST IT


  • Website security tips for businesses:
    • More businesses now operate online, so website security is increasingly important
    • Unfortunately, many developers don't make security a priority, which can lead to the breaches we regularly read about
      • There are a number of things that can be done to "harden" a website so that it is more difficult for attackers to penetrate
      • Use strong, unique passwords (and multi-factor authentication on administrative accounts)
      • Disable all unnecessary accounts
      • Disable all unnecessary ports
      • Disable all unnecessary services
      • Harden systems; the CIS Benchmarks give admins concrete configuration baselines for hardening and securing servers
      • Install all operating system, web server, application server and firmware patches promptly
      • Sanitize and validate all input against a whitelist (allow-list) of known-good values; do not rely on blocking known-bad ones
      • Use TLS (HTTPS) with valid certificates on every page, not just the login page
      • Set a low time-out threshold for session inactivity
      • Limit the types of files that can be uploaded to your website, and check the file contents, not just the name the client supplies
      • Protect server configuration information (credentials, API keys, connection strings): encrypt it at rest and keep it out of the web root
      • Use a Web Application Firewall (WAF)
      • Use a SIEM to review logs for malicious activity
      • Ensure all state-changing requests on secured pages require a unique anti-CSRF token, and check authorization on every request (complete mediation). Never display session identifiers in a URL
      • Install anti-malware software
      • Conduct regular vulnerability scanning
      • Conduct penetration testing
      • Make security a priority and build it in from the beginning
    • "The biggest mistake we see in cyber security is the mindset that it is all or nothing. You don’t need to budget a million dollars a year to have a full time cyber-security consulting firm watching your every move. For most businesses, especially small businesses, all they really need is some very minor protection from firewall software, an SSL certificate, and 2-factor authentication of their passwords. You can absolutely find free and cheap tools to protect your website from 90% of attacks without bankrupting your company. Once you can afford a more robust security apparatus, then you can buy one. Don’t be afraid to take a few minor steps, because those may be enough to save your business from the majority of attacks."- Alexander M. Kehoe, Co-founder and Operations Director at Caveni
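Several of the checklist items above (whitelist input validation, restricting upload types, a short inactivity time-out, and anti-CSRF tokens) come down to a few lines of server-side code. The following is an added example written for these notes, not code from the show or from any product; the helper names (validate_username, check_upload, session_is_active, issue_csrf_token, verify_csrf_token), the 15-minute limit and the allowed-type table are assumptions chosen for the illustration.

```python
"""Hardening helpers illustrating four items from the website checklist.

Added example for these show notes; not code from any product.
All function names and thresholds here are hypothetical choices.
"""
import hmac
import re
import secrets
import time
from typing import Optional

# 1. Validate input against a whitelist (allow-list): accept only a known-good
#    pattern and reject everything else, instead of trying to strip "bad" characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


# 2. Limit the types of files that can be uploaded: check the last extension AND
#    the file's magic bytes, because the client-supplied name and Content-Type
#    are attacker-controlled. (Assumed table of allowed types.)
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def check_upload(filename: str, data: bytes) -> bool:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED_TYPES.get(ext)
    # "shell.png.php" is rejected because its last extension is php;
    # "photo.png" containing PHP source is rejected because the bytes are wrong.
    return magic is not None and data.startswith(magic)


# 3. Low inactivity time-out: a session whose last activity is older than the
#    threshold is treated as expired, so an abandoned browser tab is useless to
#    a passer-by. 15 minutes is an assumed value.
INACTIVITY_LIMIT_SECONDS = 15 * 60


def session_is_active(last_seen: float, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return (now - last_seen) <= INACTIVITY_LIMIT_SECONDS


# 4. Anti-CSRF token: a random per-session secret that must be echoed back in
#    every state-changing request (hidden form field or header, never a URL) and
#    compared in constant time.
def issue_csrf_token() -> str:
    return secrets.token_urlsafe(32)


def verify_csrf_token(session_token: str, submitted: str) -> bool:
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    # Constructed sample inputs, not real traffic.
    print(validate_username("alice_01"), validate_username("alice; DROP TABLE users"))
    print(check_upload("photo.png", b"\x89PNG\r\n\x1a\n..."), check_upload("shell.png.php", b"\x89PNG\r\n\x1a\n"))
    print(session_is_active(1000.0, now=1000.0 + 600), session_is_active(1000.0, now=1000.0 + 901))
    tok = issue_csrf_token()
    print(verify_csrf_token(tok, tok), verify_csrf_token(tok, issue_csrf_token()))
```

These checks belong in the request-handling layer of whatever framework the site uses; the WAF and SIEM items on the list are the outer layers that catch what slips past them.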
  • UK Government working on an app to alert people who have been near COVID-19 carriers:
    • Using smartphones to track people is increasingly common
    • The UK government is preparing to release an app that will alert people if they have come into close contact with an individual who has tested positive for COVID-19
    • The existence of the app was first revealed by the Health Service Journal. Key technical details have only recently been agreed to by NHSX, the unit of the National Health Service (NHS) responsible for it
    • The app is opt-in, and NHS officials hope to convince more than 50% of the population to use it. As the number of users grows, the app becomes more effective
    • The app detects other smartphones in close vicinity using Bluetooth
    • Information about nearby phones is logged on the device; if a user tests positive for COVID-19, they can upload that log so the people they were near can be notified
    • Alerts are sent on a delay to make it difficult to identify a specific individual through the app
    • Because the data is not sent to a centralized system until there is a need to notify individuals of exposure, NHSX officials hope this approach will reduce privacy concerns
    • Recently a group of "responsible technologists" wrote an open letter to NHSX warning that "location and contact tracking technology could be used as a means of social control"
    • This app apparently follows the example of a Bluetooth-powered app used in Singapore called TraceTogether
    • TraceTogether was downloaded more than 800,000 times and is credited with helping to substantially suppress the COVID-19 outbreak there
    • A source who witnessed work on the app called it a "hot mess" and said it was run by "a hodge-podge of suppliers and contractors" with "no clear voices in the room speaking to the privacy implications of the technology they were using."
    • Other countries have taken a variety of approaches to using technology. South Korea broadcast details about infected people to anyone within 100 meters via text message
    • In the US, companies such as Unacast collect and analyze phone GPS data
    • Unacast launched the "Social Distancing Scoreboard" (SDS) to rate how well Americans are practicing social distancing
    • Unacast's location data is collected from many apps installed on millions of Americans' phones
    • While there may be significant public benefit to this approach, it once again illustrates how much information your smartphone is collecting and how telling it can be
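To make the Bluetooth proximity flow described above concrete (a local log of nearby phones, an upload only after a positive test, and delayed alerts), here is an added simulation written for these notes. It is not code from the NHSX app, TraceTogether or any other product, and it assumes a design the notes do not spell out: each phone broadcasts an identifier that rotates every 15 minutes (derived with HMAC from a per-device key the server holds from enrolment), observers keep a log on the device only, and the server resolves uploaded identifiers back to enrolled devices and holds the alerts for a delay. The class and function names are hypothetical.

```python
"""Simulation of Bluetooth proximity logging with upload-on-positive-test.

Added example for these show notes; not the NHSX or TraceTogether code.
Assumed design: rotating HMAC-derived identifiers, device-local logs,
server-side matching after a positive report, delayed alert release.
"""
import hashlib
import hmac
import random
import secrets

INTERVAL_SECONDS = 15 * 60        # assumed identifier rotation period
ALERT_DELAY_SECONDS = 24 * 3600   # assumed hold so alert timing cannot reveal who reported


def ephemeral_id(device_key: bytes, timestamp: int) -> bytes:
    """Rotating identifier: HMAC-SHA256(key, interval number), truncated to 16 bytes.
    Broadcasts from the same phone in different intervals are unlinkable to a
    bystander who does not hold the key."""
    interval = timestamp // INTERVAL_SECONDS
    mac = hmac.new(device_key, interval.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)
        self.log = []  # (identifier seen, timestamp); never leaves the phone unless the user tests positive

    def broadcast(self, timestamp: int) -> bytes:
        return ephemeral_id(self.key, timestamp)

    def observe(self, nearby_id: bytes, timestamp: int) -> None:
        self.log.append((nearby_id, timestamp))


class TracingServer:
    def __init__(self):
        self.keys = {}     # device name -> key, registered at enrolment
        self.pending = []  # (release time, device name)

    def enroll(self, phone: Phone) -> None:
        self.keys[phone.name] = phone.key

    def report_positive(self, phone: Phone, upload_time: int) -> list:
        """The positive user uploads their log; the server re-derives each enrolled
        device's identifier for the logged interval and schedules a delayed alert."""
        to_alert = set()
        for seen_id, ts in phone.log:
            for name, key in self.keys.items():
                if name != phone.name and hmac.compare_digest(ephemeral_id(key, ts), seen_id):
                    to_alert.add(name)
        for name in to_alert:
            jitter = random.randint(0, 3600)  # extra random delay, also assumed
            self.pending.append((upload_time + ALERT_DELAY_SECONDS + jitter, name))
        return sorted(to_alert)

    def deliver_alerts(self, now: int) -> list:
        due = sorted(name for t, name in self.pending if t <= now)
        self.pending = [(t, name) for t, name in self.pending if t > now]
        return due


def simulate():
    """Constructed scenario: alice and bob share a room, carol is elsewhere,
    alice later tests positive. Returns (alerted, alerts due immediately, alerts due later)."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    server = TracingServer()
    for p in (alice, bob, carol):
        server.enroll(p)
    t0 = 1_585_900_800  # 2020-04-03 08:00:00 UTC, a constructed time
    alice.observe(bob.broadcast(t0), t0)
    bob.observe(alice.broadcast(t0), t0)
    upload = t0 + 2 * 86400
    alerted = server.report_positive(alice, upload_time=upload)
    immediate = server.deliver_alerts(upload)          # nothing: alerts are held
    later = server.deliver_alerts(upload + 2 * 86400)  # now released
    return alerted, immediate, later


if __name__ == "__main__":
    print(simulate())
```

Two properties worth noticing when running it: carol is never contacted because nothing in alice's log matches her identifiers, and the same phone's identifier differs from one 15-minute interval to the next, so a shop that logs passing Bluetooth beacons cannot build a movement profile from them. The price of this design is that the server holds every device key, which is exactly the centralisation the "responsible technologists" letter above worries about.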
  • Experts continue to warn about Zoom thanks to a long list of privacy and security issues:
    • Zoom is a very popular "free" video conferencing tool
    • Thanks to the COVID-19 pandemic and the need for people to communicate and collaborate while working from home, Zoom's popularity has skyrocketed
    • Daily downloads of Zoom in the USA rose more than 1,000% in March 2020 according to Apptopia
    • The Zoom iPhone app has been the most downloaded app in the US for several weeks
    • Analysts at Bernstein said the service had added 2.22 million monthly active users so far in 2020, more than the 1.99 million it added in the whole of 2019
    • Sadly, a large number of security and privacy issues have surfaced, as have some dubious practices
    • Some researchers have called Zoom "a privacy disaster" and "fundamentally corrupt". One said "Zoom is malware"
    • Here's a quick run down of the most recent issues:
      • Zoom falsely claimed to be using end-to-end encryption. After being called out, Zoom confirmed on its blog that true end-to-end encryption is not currently possible on the platform
      • Zoom has an "attention tracking" feature that allows a host to see if a user clicks away from the Zoom window for 30 seconds or more
      • Attackers can use the Zoom Windows client's group chat feature to share a UNC path (such as \\attacker-host\share) that the client turns into a clickable link; clicking it makes Windows attempt an SMB connection and expose the user's Windows username and password hash to the attacker's server
      • The Zoom Mac client has flaws that could be used to hijack a Zoom user's Mac computer to access the camera and microphone
      • Motherboard outed the fact that Zoom was sending data from its iOS app to Facebook, even if the user does not have a Facebook account. Zoom has since stopped this
      • Motherboard has also reported that Zoom was exposing the email addresses and photos of at least thousands of users to other users who signed up with an email address sharing the same domain
      • The FBI recently warned about "Zoom-bombing", an attack in which uninvited attackers join video meetings and disrupt them
      • Consumer Reports found Zoom’s privacy policy allowed the company to use video and other user content for advertising and other business purposes. Zoom has since revised its privacy policy to block that
    • This issue once again illustrates that you must be very careful when using "free" software
    • If you're not paying with money, you're paying with data. You're the product, not the customer
    • Here are some Zoom alternatives: https://www.theverge.com/2020/4/1/21202945/zoom-alternative-conference-video-free-app-skype-slack-hangouts-jitsi
    • I use and recommend Microsoft Teams and/or WebEx.
    • This past Thursday, Zoom announced it would freeze new feature development and shift all resources to security and safety issues.
    • If you MUST use Zoom, there are some good tips in this article to secure it: https://www.usatoday.com/story/tech/2020/04/01/zoom-demand-zooms-but-problems-coronavirus-drives-stay-home-video-chats-zoom-has-issues-beyond-deman/5102150002
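The Windows-credential item in the Zoom list above is a general lesson for anyone who builds a chat feature that turns text into clickable links. The following is an added example written for these notes, not Zoom's code: it contrasts a naive linkifier that makes any path-looking string clickable with a version that only links http/https URLs and leaves UNC paths (\\host\share) as inert text, so a click can never trigger an SMB connection that hands the user's NTLM credentials to an attacker's server. The function names and the sample messages are constructed.

```python
"""Chat-message linkifier: naive (vulnerable) versus UNC-safe version.

Added example for these show notes; not code from Zoom or any other client.
Function names and sample messages are constructed for the illustration.
"""
import html
import re

# http(s) URLs that are safe to turn into links.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# UNC paths: two backslashes, a host, a backslash, then the share and path.
UNC_RE = re.compile(r"(?<!\w)\\\\[^\\\s]+\\[^\s]*")
# What the naive client matched: anything URL-like OR any UNC path.
NAIVE_LINK_RE = re.compile(r"(https?://[^\s<>\"']+|\\\\[^\\\s]+\\[^\s]*)", re.IGNORECASE)


def _anchor(target: str) -> str:
    safe = html.escape(target, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def naive_linkify(text: str) -> str:
    """Vulnerable behaviour: a pasted \\attacker-host\share becomes a clickable link.
    On Windows, clicking it opens the path over SMB and leaks the NTLM hash."""
    return NAIVE_LINK_RE.sub(lambda m: _anchor(m.group(0)), html.escape(text))


def safe_linkify(text: str) -> str:
    """Hardened behaviour: only http(s) URLs become links; UNC paths remain plain text."""
    return URL_RE.sub(lambda m: _anchor(m.group(0)), html.escape(text))


def contains_unc_path(text: str) -> bool:
    """Useful as a detection rule on chat logs: flag messages carrying UNC paths."""
    return UNC_RE.search(text) is not None


if __name__ == "__main__":
    # Constructed chat lines, not captured traffic.
    attacker_msg = r"slides here: \\evil.example\share\deck.pptx"
    normal_msg = "agenda: https://example.com/meeting/notes"
    print(naive_linkify(attacker_msg))
    print(safe_linkify(attacker_msg))
    print(safe_linkify(normal_msg))
    print(contains_unc_path(attacker_msg), contains_unc_path(normal_msg))
```

The safe version is also the one to prefer for file:// links, which Windows resolves through the same mechanism; the detection helper is the kind of rule a SIEM could run over exported chat logs to spot the attack being attempted.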