How *not* to patch a security vulnerability

If you’re a vendor… don’t do what Fiat Chrysler did:

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.

It’s hard to believe a company as Fiat Chrysler could be this boneheaded about security. But somehow, this ridiculous plan to send USB sticks out to Jeep Cherokee owners got greenlit. Some 1.4 million Jeeps are said to be affected by the aforementioned vulnerability, which is a lot of vehicles.

Fiat is making a bad problem much worse, as Pete Bassill explains:

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

He said that using a device like this had wider implications.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.

Fiat did issue a voluntary recall, allowing owners to bring affected vehicles into dealerships to get their firmware upgraded. They should have left it at that — if pushing out updates over the air wasn’t possible. Perhaps Fiat went with USB sticks thinking it would be an inexpensive way to help their customers update their vehicles’ firmware. But in the long term, I imagine it’s going to be more expensive, because of the can of worms they’ve opened for themselves.

Ad-blocking is good from both a security and privacy standpoint

Every now and I then, I come across a story which reaffirms my long-held belief that ad-blocking is good from both a security and privacy standpoint. That happened again recently when I saw this article in The Register:

Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet’s money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.

Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world’s most capable exploit kits, then pay to have it served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.

As the article goes on to explain, malvertising has simply exploded in recent years, and is now an extremely serious problem. But unfortunately, big players in the web advertising business aren’t doing enough to combat it:

The industry’s top malvertising experts are unanimous: For all intents and purposes, advertising companies have no idea who is buying their ads, and they make what amounts to no attempt to understand their customers. In an industry that moves fast and operates on tight margins, whitelisting and security checks seem costly and unwanted speed bumps.

The two biggest online advertising organisations, Google and Yahoo!, did not respond to a request by Vulture South for comment after initially flagging interest in interviews.

What can users do to protect themselves from malvertising? The answer is simple: Block ads and block JavaScript from executing by default.

There are ad-blockers available for all major browsers, notably AdBlock Plus, which has extensions for Internet Explorer, Firefox, Safari, and Chrome/Chromium. All the major browsers also contain controls that are capable of turning off JavaScript execution, but since most of us want sites to trust to be able to run scripts (for example, I want to allow JavaScript to execute my own domain and my credit union’s domain), it’s better to install a tool like NoScript, which allows JavaScript to be selectively turned on for trusted sites. (NoScript has 2 million users and maintains an average review of five stars. It’s well-deserved).

Using these and other tools (like HTTPS Everywhere, RequestPolicy, Better Privacy, and Cookie Controller) can greatly improve our security and privacy as users. The tools I’ve mentioned essentially act as browser armor, and can safeguard against all sorts of threats on the Web, not just malvertising. We all stumble into bad neighborhoods on the Internet from time to time, often by accident. Having browser armor in place greatly minimizes the risk of harm to our computers. Prevention, as they say, is the best cure of all.

I’ve heard some people make the argument that ad-blocking is unethical. I disagree. I believe that as users, we all have the right to decide what content we want to come into our homes and workplaces through our personal computers, tablets, and smartphones. That means having the freedom to block JavaScript, cookies, cross-site requests, ads, images, or anything else. We all ought to be able to control our own computing and decide how the Internet connectivity we pay for gets used.

This is especially important in the context of mobile Internet access, because most of us are on plans with fixed data allotments.

I understand the economics of publishing and content creation, and I agree we need to support artists and writers. The best way to do that, though, is to purchase a subscription to a favorite publication, or put money in a site’s tip jar.

Tips for crafting a strong password for your Wi-Fi network

Recently I had an opportunity to evaluate the latest incarnation of Actiontec’s MI424WR (GigE) router, a workhorse designed for use with FiOS service offered by Verizon and Frontier Communications. While navigating through the administration console of the router, I noticed that the security settings page now incorporates a long list of useful tips on crafting a strong Wi-Fi password. (WPA2 is also now the default security protocol, which is great, because WPA and WEP are flawed and easier to compromise). Here are the tips I found, which concur with the guidance I offer to clients:

User Guidance on Password Selection

Your wireless network security depends on having a good password. A good password contains Sixteen (16) or more letters or numbers, with each letter or digit chosen at random. This initial password shipped with your router is an example of a good password. The initial password is printed on the serial number sticker under the router. The Letters in the password are case sensitive and the initial password provided on your router is in Upper Case
If you wish to change your wireless password, try to pick a password similar to your router’s initial password. You must include at least one letter and at least one number in your password. It is recommended that the password should be at least sixteen letters and numbers, with no spaces or special symbols. However, you can shorten the password at your own risk. At a minimum there has to be 8 characters and a maximum of 63 can be used.

Here are some suggestions to help you choose the safe password:

  • The password should be 8 to 63 ASCII characters long, and it is highly recommended to use 16 or more.
  • Characters that are upper case. ASCII is categorized as Alpha and Numeric characters.
  • DO choose each letter or digit at random. Try one-finger typing with your eyes closed.
  • DO use a longer password, and write it down somewhere safe. A short password is easier to remember, but also much easier for attackers to guess. It is OK to let your PC save your wireless password so you don’t have to remember it.
  • DO NOT use anything directly related to you, such as your street address, phone number or car license plate.
  • DO NOT use the name of any person or place in your password. The attackers know all the common names.
  • DO NOT use any word from the dictionary. The attackers have dictionaries, too.
  • DO NOT use a phrase or sentence. Once an attacker learns any portion of the phrase or sentence, the rest is easily guessed.

This is great advice. I often find when asking for the Wi-Fi password at a particular location that it is just a couple of words, the telephone number of the establishment, or the address (spelled out).

A secure password should not include any personally identifiable information. Birthdates, license plates, phone numbers, addresses, Social Security numbers, and other sensitive data should never be used in any password, ever. Length is good. Random characters are good. Mixed-case letters are good. Punctuation, if allowed, is great. Here is an example of a weak, bad Wi-Fi password:


The following, courtesy of the Strong Password Generator, would be a strong Wi-Fi password:

Ay#{$.}n7 s$Q~sM*;.}73*CS

It’s easier to remember as ALPHA yankee # { $ . } november 7 [space] sierra $ QUEBEC ~ sierra MIKE * ; . } 7 3 * CHARLIE SIERRA

Do yourself, your family, and your business (if you have one) a favor and set a strong Wi-Fi password, using the WPA2 protocol. You’ll be glad you did.

Open for business!

Today marks the launch of, my new business website. I’ve decided to become a security consultant, specializing in WordPress security, because it’s plain to me that there are a lot of individuals, businesses, nonprofits, and groups out there who need someone to be able to advise and assist them with locking up their websites and implementing best practices.

I’ve always been a believer in the mantra, do what you love… and I love helping people stay safe. More and more societal interaction and commerce is taking place in the digital realm, and while that presents opportunities for collaboration and networking that weren’t possible before, it also comes with downsides.

We are not doing enough to protect and safeguard our digital domains, perhaps because the Internet is still a new medium and changing rapidly. However, there are parallels between cyberspace and the physcial space we inhabit. For example, a website is analogous to a house, usernames and passwords are like keys, and emails are analogous to sensitive documents carried around in a briefcase.

Most of us would never leave our home unlocked and unprotected… we take reasonable precautions to guard against theft of our personal property and real estate. A website is no different than a house. It needs to be cared for, looked after, maintained, adequately secured.

Out of the box, WordPress is simply not secure. It’s like a brand new house that is structurally complete, with plumbing and electrical systems installed, but without improvements that would make it more secure, like a reinforced door, a guard dog, dowels in the sliding doors, or an alarm system. WordPress can be made, secure, though, and a top objective of my practice will be helping clients lock up their WordPress sites so they can greatly reduce the likelihood of being compromised.

I’m looking forward to beginning this journey and seeing where it takes me. If you’re interested in hiring me, please don’t hesitate to get in touch.

Force Kubuntu to let you install new login themes

Problem: You’re tired of the default Kubuntu login theme and want to install a new one. But when you try to add new themes by going to System Settings > Login Screen (under the category System Administration) > Theme, nothing happens.

Cause: A flaw in KDE

Solution: Open Konsole and type:

kdesudo kcmshell4 kdm

This will open the Login Screen module, but as root. Now try installing a login theme. You should be able to see the newly installed theme in the list once you install, and be able to specify it as the default.

Help Thunderbird display emoticons in messages sent from Microsoft Outlook

Problem: Mozilla Thunderbird (running on a GNU/Linux machine) doesn’t display emoticons in messages that were sent using Microsoft Outlook. Instead, emoticons appear as the letter “J”.

Cause: Microsoft’s lack of concern for web and email standards

Solution: Install the “Wingdings” font so that Thunderbird can actually render the emoticons. On the latest versions of Ubuntu, this is as simple as clicking on the wingding.ttf file and then clicking Install. You can get Wingdings from your Windows computer. Just go to C:WindowsFonts and look for wingding.ttf. It should be near the end. Copy this file to your GNU/Linux machine and install it. Next time you start Thunderbird, you should be able to see emoticons in any message sent by a friend using Microsoft Outlook.

What to do when GParted crashes on your Live CD

Problem: GParted crashes while starting up when launched from the Ubuntu 10.10 Maverick Meerkat Live CD, or from a Maverick USB installation. Restarting the computer and beginning another live session fails to help matters.

Solution: There’s actually a pretty simple solution for this very annoying problem: Upgrade GParted. A user dealing with this problem could, of course, fall back on an older Live CD with an older version of GParted. But older versions may run into “unknown errors” if a newer version of GParted has been used to configure a drive. Furthermore, it makes sense to just grab the latest and greatest version.

If you’re running Maverick on a USB stick, just open a terminal and type:

sudo apt-get install gparted

Ubuntu will upgrade GParted. Next time you try to start it, it should come up okay and not crash.

If you’re running a live session from a CD or DVD, use the disc to make a USB stick that can save data. Then upgrade GParted using the command above.

What to do when Flash audio stops working on Ubuntu/Kubuntu

The situation: You’re trying to watch a Flash movie in Firefox and you can see video just fine, but the audio is stuttering like a broken record, making it impossible to hear the sound. Audio does not stutter in non-Flash applications. You have the latest version of Flash from the Ubuntu repositories.

What’s going on? This appears to be a bug that many Ubuntu/Kubuntu users are experiencing. It looks like it’s a glitch with Flash. Messing around with your sound architecture is unlikely to help matters, so don’t do that.

Solution: There is a fairly simple workaround. Go to Tools > Add-ons. Select “Plugins”. Disable your Flash plugin. Restart Firefox. Then, go back to Add-ons and enable the plugin. Try playing a Flash video again and see if the audio works. Repeat this workaround if the problem occurs again.

In some (but not all) other browsers, this problem can be alleviated by simply restarting the browser.

Comment: If you’ve found this post, I hope the above troubleshooting advice helps. I can’t wait for the day when proprietary software is no longer required to view video on the Web. Flash sucks. The advent of HTML5 will hopefully make Flash problems irrelevant and a thing of the past.

Recovering a lost blog post: What to do when you’ve tried everything

The situation: You’ve just spent the last few hours writing a post for your blog or newsletter, using the editor built into your blogging or mailing platform, which you access inside of a web browser. You go to hit Publish, and you get prompted to login (because it auto-logged you out for some reason). Or you see an error message, maybe something like, We’re sorry, we couldn’t process or request. Or you see a blank web page.

You login again (or go back) and discover that all that’s left of your blog post or newsletter is an incomplete fragment…. or worse, nothing! You curse your blogging tool and wonder if there is anything you can do to retrieve your lost draft.

As it so happens, there is.

The solution: Assuming your data is not saved in a cookie or in a cache file, and can’t be retrieved using a tool like Lazarus Form Recovery (which you MUST install if you are a Firefox or Chromium user, after you are done following the steps outlined below), your only recourse is to dump the browser’s memory and search for the draft.

I have successfully recovered a draft using this method (which was pioneered by Thomas Strömberg) more than once, either when Lazarus failed me, or I was running a browser that did not have Lazarus installed. So can you… but only if you are capable of reading carefully and following directions!

This tutorial assumes you are running Windows, because that’s the operating system most people have on their desktop or laptop.

Prerequisite: For this method to work, the browser you were/are working in needs to be kept open and undisturbed. Do NOT close your browser and do NOT close the browser tab your data was lost in! Leave it open. Don’t touch it. Open a different browser and proceed with these instructions in that browser.

Ready? Let’s go!

  1. Determine whether the browser you were working in is multi-process or single-process. If it was Internet Explorer 8 or Chromium (i.e. the spyware-infested Google Chrome – yuck, or ChromePlus – free of Google’s spyware), then the browser is multi-process. If it was Firefox or a previous version of Internet Explorer, the browser is single-process. If you use some other browser, search for the answer on Bing.
  2. If you use a single-process browser, proceed to the next step. If you were using a multi-process browser like IE8, maximize that browser now and begin counting how many tabs are currently open, beginning at left. Stop counting when you get to the tab you were working in, where your draft was eaten. Write this number down.
  3. Next you need to download two tools: pmdump and strings. These tools will permit you to dump the browser’s memory into a text file for examination so you can look for the contents of that lost draft. Go here to download pmdump. Then, go here to download the Sysinternals strings utility. Download these files to your Desktop.
  4. Click the Start button. Choose “Run” and type “cmd”, then hit Enter. (Vista/Win7 users: Just type “cmd” into your search box and hit Enter).
  5. A black screen will appear and will display a copyright message, then it will show a command prompt, like this: C:Documents and SettingsYour Username>
  6. Navigate to the folder where you downloaded pmdump and strings (should be Desktop), by typing the following and hitting Enter:
    • cd Desktop
  7. Now it should say C:Documents and SettingsYour UsernameDesktop> Type the following and hit Enter:
    • pmdump -list
  8. You should see a list of currently running processes ending in .exe with numbers to the left of them.
  9. Now it’s time to dump the memory. First, however, we have to narrow down which process contains that lost draft. (If you were using a single-process browser, skip to the next step). To do this, we’ll isolate all processes related to the browser. So, for instance:
    • pmdump -list | find "chrome" OR
    • pmdump -list | find "ieexplore"

    Once you have executed this command (again, by hitting Enter), you’ll see a smaller list of processes. They will all have the same name, but different numbers preceding them. Start counting the number of processes, beginning at the top of the list. When you reach the number you wrote down earlier (of the tab you were working in), stop.

  10. Now write down the four-digit number of the line you’re on.
  11. To dump, type the following and hit enter, where “XXXX” is replaced by the number of the browser process. This command may take some time to run. Let it finish.
    • pmdump XXXX recoverdraft.dmp
  12. Now you’ll get rid of all the non-text data from the memory dump you just made using the strings utility. Type the following, hit Enter, and then be patient while it finishes:
      strings recoverdraft.dmp > recoverdraft.txt
  13. Leave the command prompt window open.
  14. In the folder where you downloaded pmdump and strings, you should now see recoverdraft.dmp and recoverdraft.txt. Right click on recoverdraft.txt and choose Open With > WordPad. The file may take a while to open, so be patient. If you were using Firefox and had many tabs open, the file will be huge.
  15. When the file finishes loading (assuming WordPad doesn’t crash) hit Ctrl+F to open the search box. Type a unique phrase from your draft and hit enter. If all goes well, you’ll stumble across decently-sized fragments of your draft, or maybe even the draft in its near entirety. If you find nothing, try another phrase, and then another.
  16. If you don’t find any fragments at all after several tries, it could be that you dumped the wrong process. Go back to the command prompt window and verify which process you dumped.
  17. If you miscounted, dump the correct process.
  18. For multi-process browser users: If you didn’t miscount and suspect the list of processes top-to-bottom does not correlate with the tabs open in your browser left-to-right, try dumping and running strings on each one of them. Obviously, this could be time consuming, but trial and error usually is!

Ideally, after following the steps above, you’ll succeed in recovering most or all of your lost draft. If your draft has been separated into a great many fragments, piecing it all back together will be tough. You are more likely to encounter fragments if you were switching back and forth between writing and doing something else (like researching) while you were composing the draft. If all you were doing was typing your post or newsletter for an uninterrupted bloc of time, you are likely to find your draft mostly intact.

You can close your browser and the command prompt after you are all done, and have successfully recovered your draft… or given up 🙁

In the future, save yourself a lot of time by installing Lazarus Form Recovery. This add-on is available for Firefox and Chromium (if you want to use Chromium, I recommend ChromePlus, not the spyware-infested Google Chrome).

Lazarus securely saves all the data you type into forms, so in the event of a crash, disconnection, or other mishap, you can get your input back with just a couple clicks. Lazarus works more reliably in Firefox. It may not save your bacon if you’re a Chromium user, because it is still in early development.

Remove Google Analytics from OpenVBX

If you’ve installed OpenVBX on your server to provide an administrative backend for your virtual phone system, then you may have noticed that Twilio, Inc. – the company that released OpenVBX – has slipped a Google Analytics tracking script into the package’s source code. I consider this unethical, because they don’t state upfront that they’ve done this. They can embed Google Analytics in their own website if they want, but it’s wrong of them to put it in the software that they’re distributing.

Essentially what Twilio is doing is spying on their customers without their consent. That Google Analytics tracking script is sending information to their Google Analytics account, by default!

I make a point of avoiding doing business with Google because Google is obsessed with destroying the whole idea of user privacy, which is sacred to me. I pay good money for full-fledged webhosting partly so I don’t have to rely on any of Google’s products.

So naturally, when I discovered that there was a Google Analytics tracking script hidden inside of OpenVBX, I wasn’t happy. I set about removing the tracking code as soon as I had a spare moment. If you’d like to do the same, here’s what you do:

  1. In the shell (or your FTP client) navigate to where you have OpenVBX installed, i.e. /home/user/
  2. In your OpenVBX installation, there will be a folder called OpenVBX. You want to navigate into this folder, then “views”, then “layout”. (Example path: /home/user/
  3. Navigate into the content subfolder. You’ll see a file called analytics.php. Open this file. Replace the entire contents with <!-- --> or, alternatively, tracking code provided by your Piwik installation. (Piwik is the open source alternative to Google Analytics, which you can run on your own server).
  4. Save the file. Now navigate back up to the “layout” folder and into the “flow-editor” folder. Again, you’ll see a file called analytics.php. Repeat the last step with this file.
  5. Save and you’re all done.

You have just removed Google Analytics from your OpenVBX installation. Privacy assured!