People Hacking: What does the future hold?

So, generally, the easiest way for hackers to get into an organization is by convincing users do to something: click on an email attachment or a link, make a phone call, share information, etc. For all the technological advances that have sprung forth in the past decade, this is still among greatest challenges faced by security professionals: figuring out how to keep people from following hackers’ instructions.

Our biggest vulnerability is also our greatest asset. We can make thoughtful decisions quickly. And sometimes our decisions aren’t so thoughtful because we’re in the midst of doing other things, or generally too distracted to slow down and think through what is being asked of us. This little glitch in our code is all an attacker needs.

Exploiting this human vulnerability is all an attacker needs to get us to act in a way that is not in our best interest. This is the nature of a hacker-victim relationship. But are there other ways that people are getting hacked that maybe aren’t as overt as this? Think of the decisions we make daily. How many of them are in our best interest or the best interest of our friends and family.

We make snap decisions all the time that aren’t really based on sound logic. I bet any one of us can look back over the course of the case and think about an action we took that wasn’t ideal. It’s a given. If we didn’t make decisions relatively quickly, our brains would grind to a halt and we’d become mostly ineffective at making our way through this world. But as technology gets better and better at humans hacking other humans (think targeted advertising through machine learning algorithms), we should pause to ask ourselves whether we’re on the right track. Will this lead us to a better humanity? Just throwing that question out there. It can go a myriad of different ways. Thanks for reading.

Jeshua

MFA for Flip Phone Dinosaurs Like Me

I’m one of the last remaining people in this world who don’t have a smart phone. I’ll often be in a group if fellow IT professionals and pull out my flip phone to check the time. “Is that a flip phone?” someone will ask as they lean forward in their chair and peer down at my hands, attempting to figure out what would cause someone who is steeped in technology every day to carry this sort of relic. As I lift it up, all heads turn my way, mouths open and nostalgic signs fill the air. Onlookers talk of a simpler time when we were free from 24/7 social media and and subservient to on-the-fly navigation from real maps and sheets of MapQuest printed haphazardly on white glossy paper, barely legible.

Because I don’t have a smart phone, I’m often looking for alternative ways of doing things that people normally do with smart phones. One of these things is MFA or multi-factor authentication. If you use AWS, it is generally a good idea to have MFA for your root account. They don’t allow SMS for their second factor any more, so I spent a few hours looking around for an option. I did look at some hardware keys like the Yubikey, which I may check out eventually, but I needed something cheap and now. Enter the “Authenticator Extension” (https://github.com/Authenticator-Extension), which you can get through your Chrome browser extensions.

It is TOTP compatible, which covers quite a few sites. I can use it for AWS, Facebook, etc. I probably won’t use it for LastPass because I’d like to have a paper backup of such a critical second factor. The “Authenticator Extension”, as it is so generically called, works great for me using my Chromebook, which often acts as more cumbersome, less convenient, and less connected Smart Phone for me. I recommend it.

Jeshua

Chromebook Chrazy

I’ve been a Linux user at home for quite some time. We were a Windows family very early on but ran into issues with viruses. I resurrected a super old laptop and put Lubuntu on it and gave it to my wife.  It worked well for years. After a while, one thing or another wouldn’t work, so on a whim I got her a Chromebook. Nearly everything she does is online, and she’d already started using Google docs when on the Lubuntu PC. As a result, the transition was peachy! After watching her tote that thing around the house for a year or so, and noticing how carelessly she worried about charging the battery or booting it up, I decided I needed one too!

It’s done quite well for me. Occasionally, I have to jump over to my Ubuntu desktop for more high-powered activity, but 80% of my computing at home is on the Chromebook. This experience and the evolution of computing as it moves into the cloud is leading me to believe that the days of everyone running around with what is essentially their own personal server, are numbered. I’m guessing in about five to eight years, computing will be cloud focused even more than it is now and people won’t really own traditional laptops any more.

Jeshua

AWS, Lightsail, Bitnami, WordPress, and SSL

I’ve got just about everything marked off my list on the AWS learning front for the weekend. This domain is now transferred over from my old host: jeshuaerickson.com. I started up a WordPress instance using AWS Lightsail. Then I assigned a static IP to that instance. I also got my DNS zone set up.  Finally, I got my SSL cert completed and integrated with Apache. (There are pretty straightforward Bitnami guides for this. It’s not done through the regular “Services” interface. Just remember when you’re in Lightsail, you’re in the Bitnami world now!)

The other piece that I worked out was taking a snapshot and doing a restore, which is basically getting rid of the old instance and assigning the new instance to the static IP I created. I was expecting to see a “restore” button in Lightsail, but that’s not how it works. Makes sense now that I’ve gone through the process once. (I had to do this because I hosted the SSL cert integration the first time around.)

Throughout all of this I am attempting to keep track of AWS billing. I had some Directory Service charge pop up and didn’t find it until I started poking around in another region. I did some quick back and forth with AWS and got a credit for those charges. Ultimately, I was very happy with how responsive they were. The variety of services that they offer inside AWS is INSANE and billing can get a little tricky to navigate if you’re not familiar with the AWS administrative console.

Jeshua