Meltdown and Spectre – hardware gone wild!

We’ve had some big doozies over the last 2 years from a security point of view, but the latest CPU hardware-related bugs called Spectre and Meltdown, that started making headlines early last week, surely take the cake. One has to be careful though in classifying these as bugs, because those affected would say these were conscious design choices in their CPUs, although they must have seen the potential side-effects of their choices.

So what are we actually talking about here?

First, Google’s Project Zero was started in 2014 and is a group of security analysts dedicated to finding vulnerabilities in IT systems. Some of the biggest vulnerabilities in IT systems over the last few years, have been found by GPZ so when they talk, people tend to listen.

GPZ found some interesting cache timing attacks in CPUs in the 1st half of 2017 and advised the affected  vendors on June 1st 2017. The attacks (can) effectively lead to leaked information from kernel memory, a very bad situation to say the least. Public inclusion was limited to give all vendors time to come up with resolutions however in December, another security group caught wind of the issues, released their findings and as of the beginning of this year, the rest is history.

The issues exist in most CPUs (especially Intel) going back to 1995 and are classed into 2 groups:

  • Meltdown
  • Spectre type 1 and 2

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Meltdown has a fairly straightforward fix (which has been released by most OS vendors already) however there can be a performance penalty (sometimes significant) depending on the configuration and circumstances of systems. Intel specifically has tried to downplay the extent of performance degradation, but it is so severe in some cases, that affected vendors are advising not to implement the fixes.

Amazon Web Services (AWS) applied their meltdown patches this weekend past and many of their large customers have been showing light to medium performance impacts.

Note that these issues affect everything from desktop PCs, embedded and mobiles to servers and cloud systems.

Microsoft have advised that older processors with older versions of Windows are likely to suffer more. In addition, Microsoft has pulled their patch for PC systems based on AMD processors due to a compatibility issue.

Another aspect of the Meltdown issue on Windows OS’s is that certain AntiVirus packages have very deep hooks into the kernel to detect rootkit and other kernel-related malicious activity. And these are not playing nice with the patches leading Microsoft to implement a registry key system requiring AV vendors to set a key that confirms their compatibility with the patch. Messy mutch?

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. Most vendors do NOT have fixes for Spectre yet at this moment or at best, existing fixes are incomplete. The reason for this is that the fixes require co-ordination between firmware, CPU microcode and operating system – a delicate and difficult balancing act requiring all vendors to work very closely together.

So where does that leave the general public? On the one hand, Meltdown is mostly sorted but with performance penalties probable and Spectre fixes are an ongoing project leaving unprotected systems at the mercy of potential 0-day attacks.

Most users or organisations running endpoint and perimeter security systems should be ok as these have been retrofitted with protections against potential attacks.

But the situation remains pretty fluid at the moment and we’re likely to see a lot more activity on this over the next few weeks. As usual, patch everything that can be patched.

Multichoice and some news

DSTV has always been a contentious subject amongst South Africans.  Multichoice paved the way for pay-tv with the introduction of Mnet in the mid-80’s; following this, they introduced the digital satellite service DSTV in 1995 effectively becoming a monopoly in South Africa. High costs, many repeats and channel binding seem to show Multichoice as the face of corporate greed,  and a product set that leaves much to be desired. It’s no wonder that in recent times, millennials and others, have been leaving the channel in droves, and looking at alternatives like Netflix and Multichoice’s own streaming solution, Showmax.

However there is now another reason to leave DSTV/Multichoice – it seemingly appears they have been complicit in funding the Guptas, albeit indirectly through (very) large payments to ANN7, the formerly-owned Guptas propaganda mouthpiece. Most of us know ANN7 as a channel that spews non-factual nonsense concerning everyday events in SA.

Multichoice have allegedly paid ANN7 around R250 million over the last 5 years to ‘host’ the ANN7 channel on DSTV. Multichoice had been lobbying former comms minister Muthambi to push through a decision in favour of encrypted set-top boxes for another controversial project, SABC’s Digital TV migration. That project is now mired in legal squabbles over tender and project irregularities due to the question: should the set-top boxed be encrypted or not?

In actual fact, the question comes down to: should the boxes be allowed to host paid-for content/channels (read Multichoice) as opposed to only free-to-air channels. There are opposing views on whether allowing encryption would benefit poorer households. One view is that if decryption had been included in STBs, some poorer households may eventually have been able to purchase pay TV channels without having to buy completely new devices. An opposing view is that since the STBs are going to the country’s poorest people, it would be predatory to use these households as the foundation for a new business venture.

So the question comes back to why have Multichoice (and indirectly its parent Naspers) been paying ANN7 what appears to be a lot of money, for a channel that is by all accounts, a Gupta mouthpiece? Some may argue that this was done to curry favour with the Guptas who seemingly have extended their influence into every sphere of government. Some might argue further that the Guptas had enough pull in government circles to get the vote regarding STBs, to swing in Multichoice’s favour.

Whatever the reason is, Multichoice paying to host ANN7, has irked many in South Africa. A number of other companies, including global-based like KPMG, SAP and McKinsey, have been implicated in irregular dealings with Gupta-affiliated companies and Multichoice’s actions in this matter paint them in a similar light.

The fact is that the South African public may have unwittingly been party to, and funding, corruption through their monthly DSTV premiums. That does not sit well with many.

While Multichoice continues to tout impressive statistics for their pay-tv membership, I think the truth is slightly different and with alternatives becoming available, things are likely to change further.

I left DSTV over 3 years ago and have never looked back. I know many others in my peer group who have done the same. It’s only diehard sports fans who remain loyal to DSTV’s admittedly good sports channel lineup, although the fact that you need their premium package for this, grates.

Will you stay with DSTV?

South African Security (Fails)

It’s been a while since my last post but recent events in SA around security have prompted me to write this post.

It starts with an open website containing what is now believed to be upwards of 70 million entries for names, ID numbers, income, addresses and other information on South African citizens/residents including possibly around 12 million children. This data leak was originally exposed by Troy Hunt from HAVEIBEENPWNED fame, and came in the form of a website from (now believed to be) Jigsaw Holdings, an apparent IT partner of ERA, the property group. It took service provider almost 3 days to plug the leak.

The data was also available in the form of a database file seeded through torrents which means there was widespread access to this data. The fallout from this leak is likely to be big and long lasting, and identity theft is a primary result from leak data such as this. Everyone needs to be extra vigilant on their personal data in the coming years.

Ster Kinekor is also on HAVEIBEENPWNED’s list and unfortunately SK have not come forward with details or advised their customers of this breach. I’ve contacted them on 3 occasions in an attempt to get details on the breach but so far they have  remained mum. #sterkinekor #securityfail …

#computicket also remains stubbornly out of touch with web security  and the safety of their customers – their public website has offered non-SSL access to their site/booking system forever and after contacting them 3 times over the last 2 months to advise them as such, nothing has been done. This is a simple matter of putting in a web-redirect from HTTP to HTTPS which should take a seasoned admin all of 30 seconds to do.

Their front-end staff responses to my calls show their utter ignorance on the matter:

Apparently the main login to their site that is used by all customers is not a transactional page …

So let’s take a look at the site as of last week:


Yip no padlock, no security …

There are many examples of this kind of incompetence all around the web/world and also here in SA. There are a lot of people without the necessary skills, putting up websites and publicly accessible systems and not securing them properly.

The best advice I can offer on these types of shenanigans is to use a password database (like KeePass) and a unique password for each site. If one of the sites you use is compromised, at least that data can’t be used to access your other sites.

Stay safe!

Email anti-spam, authentication and signing solutions

There are many solutions providing encryption, anti-spam, authentication and others  available on top of the venerable SMTP protocol. Some of these require management overhead, others require end-user input. But the holy grail is to provide all these features with no user input and low management overhead.


The most important information needed before starting with any anti-spam or advanced email solution is an understanding of the message triplet. The triplet is made up of:

  • sender email address
  • sender server ( IP/host-name )
  • recipient

You will see later on in this document how important the triplet is but in essence, these 3 values constitute the limits of what can be used for address-based services ( eg. rDNS, blacklist, etc. ).

TLS SMTP encryption

TLS is an extension of SSL designed for, among others, SMTP traffic.

It’s important to understand that TLS does not provide any form of anti-spam or authentication. It’s primarily there to encrypt communications between clients and servers, as well as between  servers. It doesn’t care who is sending to whom, it simply takes the MIME envelope ( a binary composition of the email ) and encrypts it with an agreed upon cipher, if the recipient system supports it.

Anti-spam options

Let ‘s take a look at some of the AS options that are available to us.

address-based AS options

There are quite a few address-based options available for AS purposes and these should be implemented as the very first step in a full AS solution.

  1. black-/white-list – this is a simple list which can block specific sender or recipient addresses based on either the full email address or the domain.
  2. reverse DNS (rDNS) – when the sender server connects, it’s DNS host-name and IP address are provided as part of the SMTP transaction; the recipient server can do a rDNS/PTR lookup for the host-name ( ie. for a particular host-name, give me the IP address ), and then compare that to the IP address of the connecting server; if the 2 do not match then either the recipient server is misconfigured or is being spoofed.
  3. Real-time Blackhole Lists (RBLs) – these are internet-based lookup lists which maintain known spam sources ( in IP address form ); when the sender server connects to you, your server checks to see if the recipient server’s IP address is in the configured RBLs; if it is then the connection is blocked before the setup is complete.
  4. SASL authentication – usually used for client to server connections to send email; if you are not authenticated, then you can’t send email.
  5. invalid host-name/non-fqdn host-name – if the sender server does not provide a fully formed and valid DNS host-name, then the connection is terminated before setup completion.
  6. unknown sender domain – the recipient server checks that the sender domain is in fact valid; if not, then terminate the connection.
  7. unknown recipient domain – same as above but for the recipient.
  8. HELO/EHLO checks – determine if the sender server is who they say they are according to DNS

The above options can provide a powerful solution for address-based AS. However spammers have become very clever over the years and a large percentage operate valid mail servers which can successfully bypass some of the protections above.

content AS

Most MTAs have the ability to block email based on content – eg. phrase or words

heuristic AS options

Heuristics play an important and powerful role in AS as these systems can intelligently ( based on email address and content behaviours ) identify spam.

Heuristic-based solutions use a scoring system and advanced statistical analysis, breaking the email down into component pieces and then assigning sub-values to these pieces. These are then totaled and if greater than a predefined score, the email will be marked as spam. Some of the component checks are:

  1. local and network tests to identify spam signatures – the AS can determine the difference between users sending email from inside or outside your network
  2. DCC, Razor, Pyzor – online email hash sharing databases – email hashes are checked against online databases; if a hash matches, then the email is dropped or tagged.
  3. Bayesian learning ( the big one )  – the AS can automatically learn ( without external input ) what is and isn’t spam
  4. integration with AV
  5. integration with SMTP authentication solutions like SPF, DKIM
  6. URI (RHSBL) blacklists – a blacklist served via DNS to identify UCE/UBE specifically
  7. RBLs – a blacklist served via DNS to identify spam servers
  8. training of the BAYES statistical analysis engines can improve the accuracy of the AS

Remember that heuristic AS uses a combination of the above to compute a total score, not the individual items.


Grey-listing makes use of the message triplet to identify a unique sender/recipient combination. If the grey-listing system receives an email where the triplet has not been seen previously, then the recipient server will reject the email with a temporary defer code. If the greylisting system has seen the triplet previously, then it accepts the email.

This system works on the premise that spammers do not operate receiving SMTP servers and as a result will never receive the defer message. As such, they will never resend the email to be accepted by the recipient’s grey-listing system the 2nd time around.

Grey-listing on average will effectively block 90% of spam.

Greylisting systems also support spam traps, where if designated email addresses receive emails, then the sender servers are blacklisted.

client-based AS

Some email clients ( eg. Thunderbird ) have their own built-in AS solutions which can be very useful in conjunction with the server-side solutions. Once again, training will significantly increase the accuracy of the solution.

Message signing/encryption

This is not specifically an AS solution so is listed here in a separate section. This function is performed at the client side ( and in some solutions, a combination of the client and sending server ).

The  first requirement for this solution is that people who want to communicate with each other using signed emails, need to:

  1. each generate a private/public key set
  2. send their respective public keys to each other

If you don’t know the sender, then you can’t authenticate that the sender is in fact who they say they are. Anyone can generate a private/public key set using any information. This is a major disadvantage to message signing – it’s only useful for people who know/trust each other.

There is also significant management overhead associated with the PKI ( Public Key Infrastructure ) required for message signing. Provision needs to be made for secure storage and retrieval of keys. Lost private keys will mean that you can’t sign or read signed messages.

Public stores/directories are available for storage of public keys.

S/MIME ( Secure MIME ) is the most widely accepted method of digital message signing. Microsoft has the following to say about message signing:

A digital signature attached to an email message offers another layer of security by providing assurance to the recipient that you—not an imposter—signed the contents of the email message. Your digital signature, which includes your certificate and public key, originates from your digital ID. And that digital ID serves as your unique digital mark and signals the recipient that the content hasn’t been altered in transit. For additional privacy, you also can encrypt email messages.

The authentication provided by digital signatures is predicated on the fact that the person who originally generated the keys, is who they say they are so take the above with a pinch of salt.

For use of message signing in Windows AD environments:

As an administrator, you can enable S/MIME-based security for your organization if you have mailboxes in either Exchange 2013 SP1 or Exchange Online, a part of Office 365. To use S/MIME in supported versions of Outlook or ActiveSync, with either Exchange 2013 SP1 or Exchange Online, the users in your organization must have certificates issued for signing and encryption purposes and data published to your on-premises Active Directory Domain Service (AD DS). Your AD DS must be located on computers at a physical location that you control and not at a remote facility or cloud-based service somewhere on the internet. For more information about AD DS, see Active Directory Domain Services.

Outside of Windows AD environments, you can use Enigmail with Thunderbird.


As we’ve seen above with the AS and digital signature options, there is no clear way of confirming the authenticity of the sender.

From Wikipedia:

The need for this type of validated identification arose because spam often has forged addresses and content. For example, a spam message may claim to be from, although it is not actually from that address or domain or entity, and the spammer’s goal is to convince the recipient to accept and to read the email. It is difficult for recipients to establish whether to trust or distrust any particular message or even domain, and system administrators may have to deal with complaints about spam that appears to have originated from their systems but did not.

SMTP authentication solutions are specifically designed with this in mind.

SPF -Sender Policy Framework

SPF is a simple and elegant solution to authentication and does not require any configuration or adjustment of clients.

To implement SPF, one needs 2 items:

  1. a TXT DNS record with SPF arguments
  2. an SPF plugin or ability on your email server ( when receiving email )

The primary purpose of SPF is to generate the TXT DNS record with a list of the IP addresses of all servers which can send email for your domain.

When an email is initiated, the recipient server will do a DNS lookup on the sender domain’s SPF record to determine which servers are responsible for sending email for that domain. If that lookup matches the actual IP address of the sending server, then the transaction is authenticated.

In this case, the IP address of the sending server is the 1 item in an email exchange that can not be spoofed.

SPF provides options for different levels of authentication ( PASS, NEUTRAL, SOFTFAIL, FAIL ). These can be used in conjunction with testing or for sender domains which do not publish SPF information.

DKIM – Domain Keys Identified Mail

DKIM provides a similar solution as SPF except it uses digital certificates instead of IP addresses to confirm authenticity.

Digital certs are arguably more secure ( ie. the cert is authenticated by a CA ) than using IP addresses but in practice, the 2 solutions are very similar.

There are 2 parts to DKIM

  1. signing – the sender server, with the help of a DKIM plugin or feature, signs the outbound email with its private certificate
  2. verifying – the recipient server compares the provided certificate against the certificate published in DNS – if a match, then the email is authentic

DMARC – Domain Message authentication, reporting and conformance

DMARC is essentially a combination of SPF and DKIM. The admin for a domain will create a policy defining SPF, DKIM or both, and how failures are managed. It also provides a reporting mechanism ( aggregate and forensic ) on the actions performed in the policy, allowing the recipient to detail messages that pass and/or fail.

These reports are an advantage of DMARC, as neither SPF or DKIM will provide feedback on passes or failures ( except for the SMTP logs ).

The purpose of these authentication systems is to make sure that the sender is who they say they are. In practice, these work quite especially considering that up to 50% of all email servers support 1 or the other solution.

3rd party

There are some 3rd party email client plugins that perform a form of grey-listing.

What can you do to protect yourself?

If you are running your own email server(s), then you need to at the very least, implement address-based AS options including grey-listing and RBLs. The next step is to implement heuristics-based AS – if you’re running MS Exchange then you can use a Linux-based front-end with SpamAsssasin to do this. Alternately there are some commercial solutions that run on Exchange servers.

The next step is domain authentication with SPF, DKIM or DMARC. Note that MS Exchange itself does not have the ability to check SPF/DKIM for incoming emails from other domains. If you run Exchange then you can only create an SPF/DKIM record for your own domains so that others can check it when receiving email from you.

Exchange Online/Office 365 and many other online services like GMail, Yahoo mail, MimeCast, Messagelabs, etc. support SPF and DKIM.

If you need to authenticate incoming email from other domains, then you need to run a FOSS SMTP server that supports SPF/DKIM/DMARC plugins ( eg. postfix ).

There are also other solutions like PGP/SMIME gateways, certified email ( eg. OpenPec )and other libraries but they are beyond the scope of this article.

What else can you do?

  1. increase the intensity of the AS heuristics solution
  2. learn to read message headers – user training (SAT) is crucial for end-users to identify spam email
  3. don’t click on attachments or links
  4. use additional AS solutions like Fortinet’s FortiMail or Cisco IronPort
  5. push your email through a 3rd party message scrubbing solution like Mimecast


There are many solutions available to solve a number of issues with email including spam, authenticity and delivery. Email as a system, was never designed with reliability in mind, and the spectre of spammers and malware actors, means that the industry needed to respond in kind.

A little bit of ransomware with that Sauerkraut?

This past weekend’s shenanigans with WannaCry have been painful for many people. But the simple fact is that solutions for this specific issue ( and many others ) have been available for a long time.

The initial patch for the MS17-101 issue was released by Microsoft in March 2017. Didn’t update?

Many AV vendors have had virus definitions for WannaCry for some time already and at latest, on Friday evening. Don’t have ( updated ) AV?

Have an office  internet connection without a decent firewall?

Still running XP or Vista without extended support?

No 3-tier backups?

The only one to blame is yourself …

IT seems to be treated as an afterthought at many companies. Yet it is IT that helps facilitates your business and income.

Thom from OsNews says:

“Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions – they’re all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different – they’re not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low – an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.”

It’s time to put some effort into your IT – especially if you value your data and your business. It may be a difficult pill to swallow, but it’s a necessary one.

The NSA and Ransomware. Oh and a bit of HPE on the side.

If ever there was a perfect example of stupidity, the new highly virulent strain of WanaCrypt ransomware that is currently spreading like wildfire, is it. And that stupidity is care of the NSA; who in their infinite wisdom, wrote exploits based on 0-day vulnerabilities that should have been reported to the relevant vendors, but was instead appropriated.

Well the Shadow Brokers have now in turn appropriated this code from the NSA and and someone else has gotten hold of it to create a self-replicating variant of WannaCrypt or Wcry malware, that is currently causing havoc in hospitals, banks, telecom services, utilities and others, by encrypting drives and blocking access to systems.

Another cause for concern: wcry copies a weapons-grade exploit codenamed Eternalblue that the NSA used for years to remotely commandeer computers running Microsoft Windows. Eternalblue, which works reliably against computers running Microsoft Windows XP through Windows Server 2012, was one of several potent exploits published in the most recent Shadow Brokers release in mid-April. The Wcry developers have combined the Eternalblue exploit with a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to vulnerable machine, without requiring operators to open e-mails, click on links, or take any other sort of action.

The exploit spreads via vulnerabilities in network -accessible Windows subsystems although the exact details are still vague. Microsoft has released a patch in March for the issue however many companies have yet to install the update.

Numerous companies have been affected during the course of today including Telefonica, Vodafone, 16 NHS hospitals across the UK, and many others. The ransomware has been detected in over 74 countries already and the demands include Bitcoin payment of up to $600 per infection. The speed and violence of infection show a highly capable piece of malware with advanced network replication techniques bypassing standard methods of protection.

What can you do to protect yourself?

  • shutdown any non-critical network file access/shares
  • seeing as the malware is probably initiated via email, be especially vigilant for spam emails
  • update all Windows systems with the patch listed above
  • segment sections of your network where possible

And in other news, HP has been including a dodgy Windows audio driver from Conexant for the last 2 years on many HP Laptops which, wait for it … logs all your keystrokes! Yay!

Symantec, Google and the SSL Monkey

Some education first

PKI or Public Key Infrastructure is a technology that allows website visitors to trust SSL certificates presented by SSL encrypted websites. An example is when you visit your Internet Banking website – you can verify the authenticity of the site by checking the SSL Certificate of the site ( ie. clicking on the padlock ) – but that certificate is underpinned/backed by a CA or Certificate Authority and you are trusting that the CA has correctly issued the website’s SSL Certificate.

CAs ( issuers of SSL certificates ) have possibly the most important role to play in an ecosystem based purely on trust. If a CA does something to break that trust, then the entire secure website solution that we rely on daily for critical functions, is put in jeopardy.

Our browsers are the conduit through which CAs are “allowed” to exist – browsers contain the CAs’  root certificates through which all SSL certificates are issued and validated. If a CA does not have a root certificate present in a particular browser, then that browser will not implicitly trust sites issued with certificates backed by the CA, and the user visiting that site will be presented with errors. The user could ignore the errors and continue, but they would have no way of validating the authenticity of the site.

Considering that typosquatting ( website addresses with  purposefully incorrect names ) is a serious security issue, it makes no sense to ignore certificate errors. Here is an example:

I want to go to my internet banking so I type ( by mistake instead of ). I don’t realise the problem and end up at a site that looks exactly like I expect; however this is not the correct site and I could potentially be entering my internet banking login details in an unrelated and malicious site. Once the credentials are captured, the false website redirects me back to the real site so that I don’t suspect a problem. The “attackers” now have my login credentials and can act as they want.

SSL certificates will solve the above issue ( as long as we trust the CAs ) by showing an invalid or unrelated certificate for the false site.

History of abuse

With this ( somewhat simplified ) background, we can now understand the issues surrounding CAs that act badly with respect to the issuing of certificates. And there have been more than a few instances of bad behaviour on the part of CAs.

  1. DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc. On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar’s systems. That same month, the company was declared bankrupt.  An investigation into the hacking by Dutch-government appointed Fox-IT consultancy identified 300,000 Iranian Gmail users as the main target of the hack (targeted subsequently using man-in-the-middle attacks), and suspected that the Iranian government was behind the hack.
  2. According to documents released by Mozilla Corporation, Qihoo appears to have acquired a controlling interest in the previously Israeli-run Certificate Authority “StartCom”, through a chain of acquisitions, including the chinese-owned company WoSign. WoSign also has a CA business; WoSign has been accused of poor control and mis-issuing certificates. Furthermore, Mozilla alleges that WoSign and StartCom are in violation of their obligations as Certificate Authorities in respect of their failure to disclose the change in ownership of StartCom; Mozilla is threatening to take action, to protect their users.
  3. In 2015, Symantec’s Thawte CA mis-issued an EV ( Extended Validation –  the highest trusted certificate type ) for the domains and These were just test certificates but if let out into the wild, anyone could have posed as Google.
  4. In June 2011, StartCom suffered a network breach which resulted in StartCom suspending issuance of digital certificates and related services for several weeks. The attacker was unable to use this to issue certificates (and StartCom was the only breached provider, of six, where the attacker was blocked from doing so). StartCom was acquired in secrecy by WoSign Limited (Shenzen, China), through multiple companies, which was revealed by the Mozilla investigation related to the root certificate removal of WoSign and StartCom in 2016.

And now for some current news

As recently as last year, Google ( and now Mozilla – the 2 browsers with biggest market share ) has found wrongdoing on the part of Symantec and many of its subsidiary CAs. Symantec owns 2 of the most popular brands in SSL certificates – Verisign and Thawte – so this is a considerable issue. As of March this year, Google has laid out a plan to gradually distrust SSL Certificates issued by Symantec and any of its subsidiary CAs, and push for their replacement.

“As captured in Chrome’s Root Certificate Policy, root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs.”

“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.”

As you can imagine, if CAs mis-issue certificates, this breaks the fundamental trust required for using secure encrypted websites.

I very seldom mention my affiliated businesses in my blog however, in this case it’s important to mention that the primary upstream provider for SSL Certificates for my internet service business, eMailStor, has as of February this year, stopped distributing certificates from Symantec, Verisign, Thawte, GeoTrust and RapidSSL. This gives you an idea of how serious the problem of certificate mis-issuance is.

For end-users, it’s a matter of checking the certificate presented by a site to ensure that it’s valid. If there is a matter of mis-issuance, then most CAs have an insurance facility which may cover losses.

Website operators have a little more work to do – as follows:

  • make sure all critical internet services use SSL Certificates
  • have a complete SSL Certificate generation policy in place, along with all required documentation and procedures
  • do not pin certificates to one CA
  • do not assume that popular CAs are by nature and reputation secure
  • continually review the performance of your CAs
  • follow the instructions of CAs to the letter for installation

SSL Certificates, and their issuers, play a critical part in making sure that websites can be authenticated, and that users can transfer information with websites in a secure manner. Browser makers also play a part in making sure that CAs toe the line and work together to build an infrastructure that can be trusted.


Password Managers

The current mainstream method of authenticating to applications and systems remains a difficult prospect for most people. Password re-use is not a good idea but remembering a separate password for each system is not feasible. Biometrics and 2-factor-authentication are great solutions but not available in all circumstances, and typically the 1st factor is still a password.

My suggestion is to use a password manager. But which one?

PMs are split into 2 primary types: online/cloud and offline/local.

The online type is basically a web service/app that provides a password database along with various features like browser-assisted ( eg. via plugin ) form filling, 2FA, random password generator and more.  Examples include LastPass, Dashlane and Encryptr.

The offline type is a discrete application that you run on your device to provide these services. Examples include KeePass ( and the X variant ), 1Password, Gnome Keyring and KDE Wallet ).

My personal preference is the offline type because even if online apps indicate special protection of your data, no one has to date displayed perfect security. At least with an offline app ( and one that is audited for security issues ), your data is stored locally and protected by you.

Most recently, security flaws have been found in the LastPass browser extensions – although these flaws were patched quickly, the risk remains.

On the whole though, password managers significantly increase overall security, by allowing users to use strong passwords for internet and other services, without having to remember those strong passwords. And that is a win for everyone.


So my words were barely penned when another LastPass issue came to light:

“on Saturday, Ormandy came up with a new way to perform code execution in LastPass for Chrome 4.1.43 (the current latest version of the extension). He sent the working exploit and bug report immediately to LastPass, and the company acknowledged it.”

“This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”

So it’s quite clear that online password managers are subject to the same vulnerabilities as other software and it’s probably a good idea to stay with discrete apps.

Your TV is being creepy

Of all the points of electronic insecurity one deals with every day, your TV is probably the last you’d expect. Not so, because Vizio has been caught spying on its customers – through approximately 11 million smart TVs in the US and since 2014.

These TVs have automatically tracked consumers’ viewing habits and sent that data back to its servers. Vizio was collecting a selection of pixels on screen that could match a database with movies, series and advertising content. It could also match data from set-top boxes, ISPs, streaming devices, dvd players and  OTT broadcasts resulting in as many as 100 bllion data points per day.

It gets worse – Vizio then sold that data to advertisers and others! Because IP addresses were part of this bundle of data, the data aggregators could match the data with individual consumers or households, and track their viewing and online habits. Privacy much?

Equality and security

Trending on Twitter right now: There are no US ambassadors because Donald Trump just fired them all

True or False?

I recently wrote a piece on “fake news and false information” in the context of online security. The feedback was interesting because most commenters did not ( immediately ) equate fake news/false information with their own security in the online space. To put it bluntly, false information significantly increases the risk of decisions leading to compromise. Plain and simple. The terms phishing, vishing and whaling all come to mind as the results of false information.

As an extension of this, online social behaviour also impacts on our ability to interact online safely. The expressions of netizens who deal in, and react to, false information in a fashion that is above what we would call “the norm”, seems to now be “the norm”. This in particular effects all forms of equality. In the context of gender equality specifically, Ashley Judd recently gave stunning TED talk relating her own experiences ( and those of many others ) online.

( note: the following features graphic language )

This abuse online is now the norm.

But past gender equality alone, there are numerous issues that plague online socialisation. Is the hate, vitriol and abuse continuously hurled in online platforms simply a manifestation of online personas or is this the reality that simmers just below our daily lives? Is this who we are now? We’re not face to face with someone so it’s easy to say …

The spectre of Trump is a paradox being forced onto a world which has in recent decades ( mostly ) been fighting for all manner of equality and diversity: gender, politics, race, work, sex, location, creed, religion, caste, etc. Does the election of Trump ( and similarly the election result of Brexit ), and all its retrograde rhetoric, mean that a large portion of the US ( and other parts of the world ) really believe that equality is no longer important?

This may seem like a tangent but the fact is that we’ve seen a reduction in expectations of online privacy and an escalation of online abuse in recent years.  Governments all of the world are reducing electronic privacy in the name of increasing citizen security, a fallacy perpetuated ad nauseam with little effective proof.  And as online and real-life socialisation blur, so does our security, or threat thereon.

It’s not just direct electronic threats ( malware, phishing, botnets, etc. ) that we have to concern ourselves with, it’s our lives online.

Fake news and false information

We live in the information age and information is arguably the most important form of currency now and we’re bombarded with it 24×365. A never ending stream of information, news and data fed through channels like Facebook, YouTube, Twitter and Instagram. And it’s this overload of information that can lead to bad decisions and behaviour. Wikipedia has an excellent quote in their article on information overload:

“Information overload occurs when the amount of input to a system exceeds its processing capacity. Decision makers have fairly limited cognitive processing capacity. Consequently, when information overload occurs, it is likely that a reduction in decision quality will occur.”

This “reduction in decision quality” and ease of information dissemination through social media outlets is leading many to simply forward and repeat information without thought for bias or quality. While on the face of it, the results of this may seem fairly harmless, looking closer shows obvious instances where incorrect information can lead to serious consequences including loss of life.

Cause and Effect. The information we put out can have indirect and direct effects on people. To the point this becomes violent and peoples’ lives and families become targets for hate, violence, criminality.

Cause: we posted false information

Effect: someone believed this and acted

Fake news websites deliberately publish hoaxes, propaganda, and disinformation to drive web traffic inflamed by social media. These sites are distinguished from news satire as fake news articles are usually fabricated to deliberately mislead readers, and profit through clickbait. So the aim here is profit beyond the safety of ordinary people.

There have been numerous instances recently where fake news has had serious ramifications:

  • website purporting to be a news source but with a disclaimer (which it curiously spells “desclaimer”) had Facebook buzzing recently with numerous shares in South Africa and worldwide. It claimed that the United Nations had declared South Africa the most corrupt country in the world, one ahead of North Korea. A quick ( 30 seconds ) trip to Transparency International shows that South Africa is not even in the top 2/3rd’s of corrupt countries.
  • Pizzagate is a debunked conspiracy theory that emerged during the 2016 United States presidential election cycle alleging that John Podesta‘s emails, which were leaked by WikiLeaks, contain coded messages referring to human trafficking and connecting a number of restaurants in the United States and members of the Democratic Party with a child-sex ring. It has been discredited by a wide array of sources across the political spectrum. The result of this fake news was a gunman firing 3 shots in a New York restaurant based on this false information. This case described in detail in this Wikipedia article makes for a fascinating case study on Internet social psychology.
  • The Gamergate controversy concerns issues of sexism and progressivism in video game culture, stemming from a harassment campaign conducted primarily through the use of the Twitter hashtag #GamerGate. Gamergate targeted several women in the video game industry, including game developers Zoë Quinn and Brianna Wu, as well as feminist media critic Anita Sarkeesian. After a former boyfriend of Quinn wrote a lengthy disparaging blog post about her, other people falsely accused her of entering a relationship with a journalist in exchange for positive coverage and threatened her with assault and murder.
  • Marco Chacon created the fake news site RealTrueNews to show his alt-right friends their alleged gullibility. Chacon wrote a fake transcript for Clinton’s leaked speeches in which Clinton explains bronies to Goldman Sachs bankers. Chacon was shocked when his fiction was reported as factual by Fox News and he heard his writings on Megyn Kelly’s The Kelly File. Trace Gallagher repeated Chacon’s fiction and falsely reported Clinton had called Bernie Sanders supporters a “bucket of losers” — a phrase made-up by Chacon. After denials from Clinton staff, Megyn Kelly apologized with a public retraction. Chacon later told Brent Bambury of CBC Radio One program Day 6 that he was so shocked at readers’ ignorance he felt it was like an episode from The Twilight Zone. 
  • Forbes reported that the Russian state-operated newswire Sputnik International reported fake news and fabricated statements by White House Press Secretary Josh Earnest. Sputnik falsely reported on 7 December 2016 that Earnest stated sanctions for Russia were on the table related to Syria, falsely quoting Earnest as saying: “There are a number of things that are to be considered, including some of the financial sanctions that the United States can administer in coordination with our allies. I would definitely not rule that out.”

The list goes on ….

Rumours and false information are not specific to the Internet phenomenon and have been around since the dawn of man. But the Internet has made it very easy to disseminate information, be it true or false. The Spiral of Silence theory comes to mind:

The spiral of silence theory is a political science and mass communication theory proposed by the German political scientist Elisabeth Noelle-Neumann, which stipulates that individuals have a fear of isolation, which results from the idea that a social group or the society in general might isolate, neglect, or exclude members due to the members’ opinions. This fear of isolation consequently leads to remaining silent instead of voicing opinions. Media is an important factor that relates to both the dominant idea and people’s perception of the dominant idea. The assessment of one’s social environment may not always correlate with reality.

And that last statement says it all – social environment vs reality. The Social Internet has turbo-charged our ability to both disseminate false information and repeat it, as opposed to reality. And based on a sample of shared stories on Facebook, we’re pretty good at it.

So what’s with all this philosophy in a tech blog? Because false information can have a direct bearing on our online and real security. It’s in our interests to assume information is false before acting on it. We need to be scrutinising news and information published through social media in the same way we need to be suspicious of a phishing email. There are numerous online resources for determining the quality and validity of information so there is no excuse for forwarding on false information. In fact, Social Media can be used as an exercise in learning about false information as a prelude to identifying other online security issues such as phishing, malware, spyware and spam.

If you’re keen to share something on Social Media, make sure you validate that information first. And don’t take offense when someone points out that something you’ve posted may be incorrect – rather accept the correction with grace and move on from there. We all make mistakes from time to time – we’re “only human”.

Windows 10 updates and privacy settings

Windows 10 has put a heavy burden on network administrators due to its overhauled update system and numerous privacy settings. The results are a significant increase in network traffic, a slow down in machine operation and information leakage. Here follows a number of suggested settings to help minimise the impact of these changes and safeguard your privacy.


Start -> Settings -> Privacy

  • Switch everything off in the General section except for SmartScreen filter
  • Switch off Location services in Location section
  • Switch off syncing in Other Devices section
  • Switch off feedback in Feedback and Diagnostics section
  • There are additional settings in the left menu where you can adjust further privacy settings

Spybot anti-beacon is an app specifically designed to block all of this stuff.


Start -> Settings -> Update & Security -> Windows Update -> Advanced Options

  • Give me updates for other microsoft products – disable
  • Choose how updates are delivered – enabled
  • Choose updates from local sources only

Start -> Settings -> Update & Security -> Windows Defender

  • real-time protection – enabled
  • cloud-based protection – disabled
  • sample submission –  disabled

Wifi Sense

Settings -> Network & Internet -> Wi-Fi -> Manage Wi-fi Settings

  • connect to suggested open hotspot – disable
  • connect to networks  shared by my contacts – disable

Metered connections

If you are using a Wi-fi dongle or 3g connection

Settings -> Network & Internet -> Wi-Fi

  • click on the Wi-Fi connection you are currently connected to
  • set as metered connection – enable

These settings should improve your privacy as well as reduce your data consumption.

Computing, Security, Biking and other news

%d bloggers like this:
x Logo: Shield
This Site Is Protected By