Tech Faceplant: Dropbox Infinite
Posted on by Beau AdkinsCategories Computer Security, Opinion, SecurityLeave a comment on Tech Faceplant: Dropbox Infinite

Dropbox Project InfiniteLast month, Dropbox pulled back the curtains on their next new major feature, titled “Dropbox Infinite”. However, the details about how they were going to implement this feature left the majority of the audience dumbfounded. This is another one of those occasions where tech companies make a decision against the outcries of their customers, and even in the face of that backlash, just chug happily along.

Dropbox Infinite sounds like a pretty cool idea. It would make your Dropbox storage area appear as its own drive in your OS. It’s an idea that few people would complain about. However, when Dropbox revealed that they would implement this with kernel mode extensions, people’s heads started exploding.

By implementing this in the kernel, it puts the user’s system security at much higher risk than if it were implemented in user-mode. When code runs in the kernel, it has complete system access. It can read, write, or delete any file. If malware gets a foothold in your computer’s kernel, then it’s no longer your computer. Any programming mistake in the kernel means the whole system crashes (the infamous Blue Screen of Death). For these reasons, users should be wary of every piece of code they allow to run there. A product like Dropbox, used to manage remote shared file backups, seems like a poor candidate for kernel level code. It would be like Microsoft announcing the next version of Internet Explorer will run primarily in the kernel. It would be the worst idea in the history of computing.

The Dropbox article mentioned an open-source project called FUSE, which could have been used to implement this in user-mode. But they scrapped that idea because it incurred an extra kernel-mode context switch which has performance implications. Like a commenter observed, the performance of a context switch is practically nonexistent compared to the cost of performing network operations with the Dropbox servers.

The article received numerous comments, which were mostly negative. A common theme in those comments was the hope that this feature was optional. Dropbox never clarified if this was mandatory or not. If they make it mandatory, it will be an enormous faceplant. It’s quite obvious that the users are not ready for it. Maybe one day they will be, but not today. Forcing it on users now will only hurt Dropbox.

Sadly, this sort of thing happens all the time. Tech companies come up with an idea that they believe their users will go gaga over. But when they announce it, it is met with vitriol. Instead of just admitting a mistake and scrapping the idea, they double down, and shove it down their users’ throats anyway. Think Windows Metro or Chrome removing support for plugins. Listen to your customers. If you announce a new product change that causes your customers to threaten to leave, its not too late to go back to the drawing board.

Light Point Security CEO Discusses Cybersecurity and Terrorism Prevention
Posted on by Beau AdkinsCategories Computer Security, Opinion, SecurityLeave a comment on Light Point Security CEO Discusses Cybersecurity and Terrorism Prevention

Zuly Gonzalez discusses cybersecurity and terrorismLight Point Security CEO, Zuly Gonzalez, was interviewed on the Emmy Award winning Live TV show Fresh Outlook, which aired on Saturday April 2, 2016 at 2pm ET. Fresh Outlook is a weekly talk show that airs every Saturday Live, and examines a variety of topics and current events.

Zuly discussed Apple vs the FBI, encryption, terrorism, and how to protect yourself from cyber threats, among other topics. For example, she was asked why if less skilled adversaries are able to hack into devices, does the FBI with all of the resources at their disposal have such a hard time getting into the encrypted iPhone of one of the San Bernardino terrorists. Zuly talked about how not all things are equal and that a combination of skill level and protection mechanisms must be taken into account when comparing successful and unsuccessful attacks. She also discussed the importance of the data being protected and how consumers should also value their data. Zuly also touched on the irony of Apple asking the FBI for help in strengthening their protections.

It was an informative segment with several other security experts on the panel. The segment is below for your viewing pleasure.

Two Ways Google Chrome Sacrifices Security in the Name of Speed
Posted on by Beau AdkinsCategories Computer Security, Security, Web SecurityLeave a comment on Two Ways Google Chrome Sacrifices Security in the Name of Speed

Google ChromeGoogle Chrome is now the most popular web browser in the world, with an estimated 45% of all website views. Google claims that security is a top priority, which is why they push frequent, automatic updates and use a sandbox. But an even higher priority for Google is speed.

Sometimes they need to make the choice between speed and security, and this article lists two cases where they chose a minimal speed improvement at the expense of introducing a much larger security risk.

Prerendering

Prerendering is a technology used in Chrome that can make pages appear to load faster. For example, if you browse to http://example1.com and that page includes a link tag like “<link rel=”prerender” href=”http://example2.com”>”, Chrome will automatically and silently load example2.com in the background while you are viewing example1.com. The hope is that the next link you click will be to example2.com, so the browser can display it instantly, making things seem faster.

The most likely place you see this feature in use is on google.com. Based on a user’s search terms, they may decide there is a very high likelihood that they can anticipate which link the user will click next. In that case, they can mark that link to be prerendered, so the page appears to load faster.

Google Chrome itself can also decide to prerender pages. If you start typing “reddit” into the URL bar, there is a decent chance that Chrome will begin prerendering reddit.com in the hopes that is what you were in the process of typing.

What’s so Bad About Prerendering?

  1. Exposure to malware: When a page is prerendered, it has limitations. It can’t initiate downloads, or play audio. But it can execute scripts, and that is all that is needed for a malicious site to infect your computer. Because of prerendering, you can be infected by a site just because a link to it appears in a Google search results page, or you typed something similar to it in the Chrome address bar. You don’t even need to visit the page anymore.
  2. Loss of privacy: When Chrome prerenders a page, it exposes your IP address and browser information to the website. For users performing sensitive online research, this can be a big deal. Some users need to learn about a company or organization without tipping their target off about it. Because of prerendering, just Googling the name of the target will likely expose them.

How to Turn Off Chrome Prerendering

  1. Open the Chrome Settings by clicking the 3 horizontal lines icon in the top-right of Chrome and choose “Settings”.
  2. Scroll to the bottom and click “Show advanced settings”.
  3. Under “Privacy”, uncheck the box labeled “Prefetch resources to load pages more quickly”.

Disable Chrome Prerendering

Automatic Downloads

By default, Google Chrome is configured to automatically download any file that a website decides to push to you. In the interest of speed, instead of asking you if you want to accept a download, it will happily download it immediately, into the “Downloads” folder of your user profile.

The obvious threat here is that malware can get downloaded without your permission. But just downloading a malicious file isn’t actually enough to infect you. You have to execute it somehow.

After the download completes, it will show up in a box in the bottom left corner of Chrome, until the user dismisses it. If the user clicks the box for a download, Chrome will open that file. If this file is malicious, there is a good chance you will be infected.

However, this attack method is weak because it requires the user to decide to click that box. A more sinister approach involves the use of DLL hijacking. When a Windows executable loads, it often also loads a set of DLL files that it requires. These DLLs can be specified with an absolute path (like C:\Windows\System32\user32.dll) or with just a name (like user32.dll). When the DLL is specified with just a name, Windows will search for a DLL with the right name across a few different places. The first place it looks is the same directory as the executable.

An attacker can then create a malicious DLL with the same name as a common Windows DLL, like user32.dll, kernel32.dll, or UxTheme.dll. Chrome will happily automatically download this DLL into the user’s Downloads directory. After that, it’s just a matter of time before the user downloads a legitimate executable (into their Downloads directory) that doesn’t specify an absolute path to the DLL, and when the user executes it, the malicious DLL gets loaded and the user is infected.

How to Turn Off Automatic Downloads

  1. Open the Chrome Settings by clicking the 3 horizontal lines icon in the top-right of Chrome and choose “Settings”.
  2. Scroll to the bottom and click “Show advanced settings”.
  3. Under “Downloads”, check the box labeled “Ask where to save each file before downloading”.

Disable Chrome Automatic Downloads

Light Point Web Protects Against Both of These Threats

Light Point Web protects against these, and other security issues commonly seen in web browsers. Learn how our secure remote browser can protect your home or business.

Light Point Security CEO, Zuly Gonzalez, to Speak at CyberMaryland 2015
Posted on by Beau AdkinsCategories Events, SecurityLeave a comment on Light Point Security CEO, Zuly Gonzalez, to Speak at CyberMaryland 2015

Our CEO, Zuly Gonzalez, will be speaking at the CyberMaryland 2015 Conference later this week. She will join other cybersecurity founders on a panel discussion about their experiences with the Northrop Grumman and bwtech@UMBC CYNC Program as part of the conference’s Cyber Innovation Track. If you will be attending the CyberMaryland Conference, stop by Room 303 on Thursday, October 29 from 9:45am – 10:30am to hear about industry partnerships and the benefits they provide to growing cybersecurity companies.

If you plan to attend the conference, but haven’t registered yet, use our discount code SpeakerGuest to receive a 25% discount off of your registration.

Presentation Information

Model of a Successful Industry Partnership – Northrop Grumman at bwtech@UMBC Cyber Incubator: CYNC Program

The Northrop Grumman Cync Program is a unique partnership between Northrop Grumman and the bwtech@UMBC Cyber Incubator, with an eye towards commercializing technology to protect the nation from a growing range of cyber threats. The Northrop Grumman Cync Program builds on bwtech@UMBC’s successful business-incubation framework by offering a scholarship program for companies with the most promising cybersecurity solutions. Selected participants are able to draw on UMBC’s extensive research resources, bwtech’s programming and entrepreneurial services, and Northrop Grumman’s technical and business advisory support to further the development and market readiness of CYNC company technologies. Hear from four innovative product companies currently in CYNC and members of the CYNC Executive Committee.

Moderator
Ellen Hemmerly, Executive Director and President, UMBC Research Park Corporation and Special Assistant to the Vice President for Institutional Advancement at UMBC

Speakers
Mike Gormley, Vice President for Government Services, Ayasdi
Christopher Valentino, Director, Contract Research and Development Cyber Solutions Division, Northrop Grumman Information Systems
Tim Gooch, CEO and Executive Director, iWebGate
Gregg Smith, CEO, OptioLabs
Zuly Gonzalez, Co-founder and CEO, Light Point Security
Dr. Jennifer Reynolds, Director of Venture Creation, bwtech@UMBC

Zuly Gonzalez at the CyberMaryland 2015 Conference

Light Point Web Integrates With Metascan Online to Protect Against Malicious Downloads
Posted on by Beau AdkinsCategories Computer Security, Light Point Security Update, Light Point Web, Security, Web SecurityLeave a comment on Light Point Web Integrates With Metascan Online to Protect Against Malicious Downloads

OPSWAT LogoWe recently added a new feature to Light Point Web that warrants some extra recognition. We have added a server-side integration with OPSWAT’s Metascan Online service to provide yet another best-in-class layer of security for our users.

Metascan Online is a cloud service that can scan files with over 40 anti-virus engines, and do so in a matter of seconds. The fact that Metascan Online uses so many anti-virus engines is important. Just because one anti-virus engine claims that a file is safe, it doesn’t mean it is. It could be safe… or it could just be that this is a newer virus that has not been identified by that anti-virus vendor yet. It is actually common for new malware to only be identified by a small number of the anti-virus engines. With Metascan Online using so many anti-virus engines, we can get a much greater level of confidence that a safe file is indeed safe.

With our integration with Metascan Online, our users will get an extra level of assurance that every file they download is safe without having to wait around for the results. We offer this service for no extra charge for our cloud users.

How Does It Work?

When a user wants to download a file, Light Point Web will ask for their permission. If they say yes, that file will be downloaded to the Light Point Web server. Light Point Web will then ask Metascan Online to scan that file. If it is safe, the file is streamed to the user’s computer and the user is informed of the scan results.

LPS download no threats detected

If, on the other hand, the file is found to be malicious, the download is blocked and a message informs the user why.

LPS download threat detected

This all happens seamlessly to the user, so no extra work is required by the user to get this additional layer of protection.

Coming soon: If a file is found to be malicious, the dialog will also include a link to the scan results so that you can see further details on the threat detected and which engines detected it.

Enterprise Options

For our enterprise customers, we offer a couple of options: Metascan Online or Metascan on-premises. OPSWAT offers both a cloud version and an on-premise version of Metascan. This gives our enterprise customers the flexibility of choosing the option that works best for them.

If you are interested in learning more about how Light Point Web protects you while browsing the web, contact us, or sign up for a free trial to experience worry free web browsing for yourself.

Light Point Security Named Finalist for 2014 Maryland Incubator Company of the Year
Posted on by Beau AdkinsCategories Light Point Security UpdateLeave a comment on Light Point Security Named Finalist for 2014 Maryland Incubator Company of the Year

Maryland ICOY 2014We are pleased to announce that Light Point Security has been chosen as a finalist for this year’s Maryland Incubator Company of the Year (ICOY) Awards for the Best Cyber Security Company category. The Maryland ICOY awards support current clients and graduates of Maryland incubators by helping increase awareness and visibility for promising young companies.

The finalists were chosen by a team of more than 3 dozen industry experts and investors. The winners will be announced at the ICOY awards ceremony, which will be held at the American Visionary Art Museum in Baltimore on Tuesday, June 10.

We are thrilled that Light Point Security continues to receive industry recognition for the amazing work we are doing to stop web-based threats.

Light Point Security Selected As a Finalist in the 2014 InvestMaryland Challenge
Posted on by Beau AdkinsCategories Light Point Security UpdateLeave a comment on Light Point Security Selected As a Finalist in the 2014 InvestMaryland Challenge

Light Point Security advances in the InvestMaryland ChallengeWe are excited to announce that Light Point Security has advanced to the final 6 companies of the InvestMaryland Challenge in the Cybersecurity category. The InvestMaryland Challenge is a national business competition aiming to help fund promising startups. This year there are 4 categories, and one winner will be chosen from each. Each winner will receive a $100,000 grant.

A total of 260 companies applied this year across four catagories: Information Technology, Cybersecurity, Life Sciences and General. A total of 41 finalists are still in the running for the 4 top prizes.

The next phase of the competition will be a face-to-face pitch to the judges. Each company will give a 15 minute presentation, followed by a 10 minute Q&A session. The final winners will be announced at an awards ceremony in April.

We are honored to have been selected as a finalist in the competition, and there are still a lot of great companies in the running. Please wish us luck!

Say Hello to Our New CEO – Zuly Gonzalez
Posted on by Beau AdkinsCategories Light Point Security UpdateLeave a comment on Say Hello to Our New CEO – Zuly Gonzalez
Zuly Gonzalez - CEO of Light Point Security
Zuly Gonzalez – CEO

When I first had the idea for what is now Light Point Web years ago, I knew that I needed a partner to help me turn it into a business. Zuly Gonzalez joined me as that partner, and her initial role was as our CFO. After things got rolling with our company, it quickly became obvious that she could do much more than that. So we refocused our roles: I would be the CEO and CTO, and she would be the COO and CFO.

But if you have ever met or talked to Zuly, you will know she never fails to impress. She has been doing a lot of public speaking for our company, she talks to customers, she coordinates sales, pilots, and partnerships, and she keeps us in the news.

In short, she has become the face of the company. Light Point Security is a high tech company on the bleeding edge of the next wave of computer security. As such, my role as CTO leaves me with no time to perform the CEO role. All these things combined left me with a decision to make with an obvious answer.

I have decided to step down as the official CEO of Light Point Security, and name Zuly Gonzalez as the new CEO.

These roles are better suited to each of our skillsets. Zuly has been performing above and beyond as our COO, so if she keeps doing what she has been, she will be a terrific CEO. I can now stay focused on what I do best; making technical innovations and keeping our customers safe online.

Please send your congratulations and wishes of good luck to Zuly on Twitter at @ZulyGonz.

Light Point Security Advances to Final 10 in Wall Street Journal’s Startup of the Year
Posted on by Beau AdkinsCategories Light Point Security Update1 Comment on Light Point Security Advances to Final 10 in Wall Street Journal’s Startup of the Year

Light Point Security selected as a WSJ Startup of the YearAs we mentioned before, the Wall Street Journal selected Light Point Security as a contender for their inaugural Startup of the Year competition. When the WSJ Startup of the Year series launched in June Light Point Security was one of only 24 startups, chosen from more than 500 companies across the country. We are excited to announce that Light Point Security has advanced to the final 10 remaining companies!

The first round of eliminations went from 24 companies down to 20. In the second round of eliminations, the WSJ editors narrowed the field down from 20 companies to 10. Here is a short video from the Wall Street Journal announcing the final 10 companies.

We are honored and very excited to have made it this far in the competition. Take a look at our profile page on the WSJ site to see our behind the scenes videos. And be sure to take a second to vote for us!

Securing Your WordPress Site: Top Plugins
Posted on by Beau AdkinsCategories How To, Security, Web Security4 Comments on Securing Your WordPress Site: Top Plugins

WordPress LogoWordPress is huge. It is currently the most popular blogging system in use, and it manages 22% of all new websites. We use it for our site, and I would personally recommend it to anyone thinking of creating a new website.

However, because it is so popular, it becomes a target for hackers. Right now, automated bots are crawling the web looking for WordPress sites to attack. If you take some time to protect yourself, you can greatly reduce your chances of having a problem.

With that, I decided it would be useful to share some of the tips and tricks I have learned to protect our site. There is too much for one blog post, so I will release others over time, but I will start with the most important ones.

So, here are my recommendations for the 4 best WordPress security plugins. All WordPress plugins are easy to install, but some may take some time to configure correctly.

  1. WordPress File Monitor Plus. This plugin is used to alert you anytime a file on your site changes. When a WordPress site gets hacked, what actually happens is the attacker adds one or more files to your site, or they alter one that is already there. A WordPress installation consists of hundreds of files, so it’s very easy to blend in and not be noticed. But with just one file, attackers have the ability to change your site however they want, including attacking your site’s visitors with malware, and eventually getting you banned from Google.

    WordPress File Monitor Plus will regularly check your WordPress installation for new files, deleted files, and changed files. If it finds anything, it will send you an email with details. It is your responsibility to read these emails to see if any changes are unexpected. For example, uploading a new image, or upgrading a plugin will cause an alert. If you see something you can’t explain, investigate it immediately. This plugin will not stop you from being hacked, it will only let you know when you are attacked, and help you clean it up.

    Out of the box, this one is pretty easy to set up. You just tell it how often to scan your files. But most likely, you will want to tell it which files to not scan. For example, if you have a caching plugin, it will cause the File Monitor to tell you things over and over. The best plan is to set it up with no excludes, and when the alerts start coming in, you can identify which directories to not pay attention to anymore. Eventually, it will only tell you about important changes.

  2. Limit Login Attempts. This plugin protects you from automated password guessers. If you install this plugin, it will let you configure how many tries someone gets at logging into your WordPress site before they are locked out for some amount of time. The guess count and lockout time are configurable. If someone guesses incorrectly too many times, you will be sent an email about it, and they will be stopped from trying again for some amount of time.

    So how useful is this? You would be surprised. Once you install this plugin, you will find out that there are automated bots that will find WordPress sites, and try to brute force the password. Without this plugin, they will eventually guess it. Depending on the speed of your server, they could guess hundreds of passwords a second. With this plugin installed, they may get 6 guesses every 2 days.

    This plugin is simple to install and configure. So you have no excuse.

  3. Secure WordPress. This plugin is more of a hardener. It does a lot of little things to make an attackers life harder. While none of these things make it impossible to be hacked, they will make hacking your site harder than hacking someone else’s, and that is usually enough.

  4. TimThumb Vulnerability Scanner. There is a library called TimThumb that people use to dynamically create thumbnail images for websites. It is used by millions of sites. In 2011, a vulnerability was discovered in it that allowed attackers to easily take over any site using it. The vulnerability has been corrected, but sadly old versions are still out there years later. This vulnerability is probably still the most common way WordPress sites get hacked. This plugin will automatically determine if you are using an out of date version of TimThumb, and if so, it will upgrade it for you.

Please let me know if these recommendations helped you, or if you know a WordPress plugin that belongs on this list.

Categories
Archives