Passing of Allstar Network’s Jim Dixon

Jim Dixon of Alhambra, CA was one of the developers who worked on hardware drivers for the Asterisk Voice over IP software. He took his knowledge and created app_rpt which then allowed Asterisk to function as a radio repeater controller usable by radio amateurs and commercial users. On the amateur radio side, this grew into a VOIP linking system for repeaters that is known as Allstar.

Steve Rodgers announced on the app-rpt-users mailing list that Jim passed away on December 16, 2016.

Jim’s contributions to IP telephony and to the amateur radio hobby were significant and he shall be well remembered.

Grizzly Steppe

It should come as no surprise to anyone even slightly knowledgeable about information security that the human factor is the biggest risk to unwanted exposure of information. The most dangerous way that a human can put himself or his organization at risk is to read an email. It is way to easy to embed malicious content in an email that can get past the rudimentary security filters that are in place in many organizations and especially on personal devices.

Malicious content in an email can masquerade as a harmless web link. It may seem to be from your your bank or from an email provider. It can direct you to a forged page and ask you to update some personal information or to enter a password. Are you sure that email is legitimate?

Malicious content can be easily embedded in a graphic or a pdf. Take a look at your spam folder. See any files with attachments? Subject lines like “Invoice” or “Purchase Order” from people you were not expecting or don’t even know signal trouble. Do not open those files! You may have been spearphished, targeted because of who you are or where you work.

So with all the talk about “Russian hacking”, this Department of Homeland Security Release detailing what they believe to be an organized campaign against employees of critical infrastructure, academia, and business puts the talk in perspective.

It is probable that no vote tally was changed as a result of any “Russian hacking”, but to discount the real threat to American society of organized hacking campaigns by foreign governments is foolhardy.

I Love Ransomware

I had a few minutes to timesink yesterday and was reading stories on Google News. One link leads to another, and before I knew it, I was sucked into a story on 40 little known facts about TV’s most popular situation comedy ever, “I Love Lucy”. What could be more wholesome web viewing?

I rather quickly noticed that the text accompanying the pictures was very poorly written. Words were misspelled and misused with alarming frequency. I was convinced that the writing had been outsourced to an offshore bot that had stolen the content elsewhere on the interwebs.

And then, this happened.

fake-virus

My computer was crazily beeping and there was a fake virus alert displayed on the screen. Of course I took the time to close the browser (despite the false warning that I would not be able to) and make sure that my workstation was not actually infected. Such fun!

A brief Google survey revealed that the call center number displayed, (877) 337-7936, is often connected with malware scam artists. Most of the displayed pages seem to be further attempts to get you to install real malware on your system. Don’t fall for them.

Then I made the call. I was the end user from hell that these cyberpirates deserve. Imagine if Ransomware Inc. got hundreds of calls like this every day? They’d have no time to hold up their other poor victims and their profit margins would take a dive. The obvious annoyance of the Ransomware Agent at about 7 minutes into the call, when he lets out an exasperated “Yeeeeessss”, is priceless.

Remember, October is National Cyber Security Awareness Month. Stay safe online.

Windows 10 Anniversary Update DHCPV6 (Still) Broken

According to threads on Microsoft’s Developer Network, DHCPV6 has been broken since the first deployments of the Anniversary Update last August. I first noticed an issue on October 4 where several Windows clients would no longer register their IPV6 DNS address post update.

While this has been broken for a couple of months, I was advised today by Adam Rudell, a Microsoft Support Escalation Engineer, that the “PG is actively investigating. I just updated the TechNet thread and will follow up as soon as PG has provided me some more information.”

The full thread can be read here.

Windows 10 Update – Unhappy Anniversary

The Windows 10 anniversary update came recently to my radio room computer. The folks in Redmond have some quality assurance problems to resolve. Here’s what I’ve noticed so far.

All my firewall rules were deleted. This means that as I run applications which require external access, I have to reauthorize them. While it is not a bad practice to occasionally review these settings, I would have preferred to do so at a time of my own choosing.

The WINUSB driver used by my Perseus SDR was deleted. I had to reinstall the driver and to do so, I had to go through the multiple reboots to allow installation of the unsigned 64 bit driver. Not fun.

My sound device settings were changed. The friendly name for the SignaLink USB sound card device that is connected to my Kenwood TS-2000 reverted to “USB Audio CODEC” and Windows decided to make that device my default sound and communications devices.

This update was hardly the best anniversary present that Microsoft could have given me.

September RF Bits in CQ – Erratum

cq-contents-sept-2016As luck would have it, a key URL for the software mentioned in my September CQ Magazine RF Bits column no longer works. That is because the author, Mike Guenther, DL2MF, decided to withdraw support for the DV4MF2 console for the DV4mini. Whatever his reasons, we have luckily archived a copy for your convenience. So if you arrive at a German language page with a “no more available” caption in English at the top, fret not and get your copy of DV4MF2.exe right here.

While the author has withdrawn support, the software nonetheless functions as it did when my article was prepared for your enjoyment. Other software for the DV4mini is also available and supported by Wireless Holdings, although lacking the nice Brandmaster XTG support that DV4MF2 offered.

It would be great if more radio amateurs released their software under some open source license so that work by and for the community could be continued as needed. We have far too much orphaned software in regular use in the amateur community. A perfect example of this is UI-View32. The author’s last wishes upon his death included the destruction of the source code. Yet, the program is still used by many amateur stations around the world. Imagine how much more useful the orphaned software could be if the source code were available for further development?

Android Security Just Got a Whole Lot Better

While Marshmallows are soft and gooey, Android 6.0.1 (Marshmallow) is one tough cookie. Marshmallow provides granular security controls that allow you to decide whether an application gets access to particular information. Tired of LinkedIn or Facebook trying to grab all your contacts?

Android Marshmallow allows for more granular control of application permissions.
Android Marshmallow allows for more granular control of application permissions.
Now you can control this behavior.

To take a look at these settings, go to Settings->Apps->Application manager. Pick an app and you’ll see a bunch of sliders that let you turn access on or off for that control. Newer app versions directly support the Marshmallow security model. Older apps don’t and may malfunction, but don’t let that stop you from trying out settings that meet your security requirements.

Blackberry has had this level of application security control for many years. It is good to see that Android is now taking application and data security very seriously.

Chrome OS – The Right OS for Many

I am convinced that Google’s Chrome OS is highly underrated and under appreciated. I have been testing an ARM based Chromebook as well as an ARM based Chomestick with great results. If your primary email address is @gmail.com, and if most of your computer activity is email, messaging, and light document prep, you don’t need the complexity of Windows or Linux. And, if you think that Mac OS is simple to use, you have not tried Chrome.

The Asus CS10 boasts a quad-core RockChip 3288-C CPU, 2 GB RAM, and 16 GB eMMC.
The Asus CS10 boasts a quad-core RockChip 3288-C CPU, 2 GB RAM, and 16 GB eMMC.

I especially like the Asus Chromebit that arrived yesterday and which is now stuck on the back of a several year old Sony Bravia in the den. I plan to use it where I need a web browser to access content that is not already integrated into TiVo. Paired with a small Logitech wireless keyboard, it is all I need in the den and will free up the i5 Windows 10 machine that was previously used for web streaming.

WordPress Security 101

When I installed WordPress on this site, one thing that concerned me is that login and administrative functions were not using SSL by default. OK, I didn’t have an SSL certificate installed at that point, fair enough. But once the SSL certificate from Let’s Encrypt was installed, I set about learning how to secure these functions.

It is very simple.

In the same directory where WordPress is installed you’ll find a file named “wp-config.php”. Add the following line toward the bottom, right above the “That’s all” comment:

define(‘FORCE_SSL_ADMIN’, true);

Save the file and you’re good to go. Assuming that an SSL certificate is properly installed on your web server, login and administration will now go over SSL.

I then set out to further validate my WordPress security. I found this free web based tool.

I ran it against this site and found that my user accounts could be enumerated. This is clearly information leakage that should be avoided. The solution is to enable a WordPress plugin that stops this behavior. The plugin can be found here.

Download the plugin and copy it to the plugins directory as described in the Installation section of the above page. Using the plugins menu of the WordPress administration console, activate the plugin.

Run the scan again against your WordPress site and you’ll see that this issue has been resolved.

Let’s Encrypt – Free SSL Certificates for Everyone

One of the best things I learned at Hope XI is that we no longer have to pay for SSL certificates. In an effort to make web encryption universal, the Internet Security Research Group (ISRG) has started Let’s Encrypt. Lest you think that this is an evil hacker plot to steal your encryption keys and data, you may feel better to know that the Technical Advisory Board is comprised of representatives from Akamai, Cisco, Electronic Frontier Foundation, Mozilla, and the Internet Society. This project is on the level and taking off.

My first certificate will be used to encrypt connections to this site. I’m sure that it will be the first of many. One downside is a short validity window (90 days) but Let’s Encrypt is offering automated tools to make the entire installation process simple and transparent. Unfortunately, this site is my free Optimum 60 website and I have limited control over the server, so I must wait for Optonline tech support to install my certificate.