Reason For Secure Boot

Microsoft Secure Boot is a component of Microsoft’s Windows 8, 10, and 11 operating systems that relies on the UEFI (Unified Extensible Firmware Interface) specification’s secure boot functionality to help prevent malicious software applications and “unauthorized” operating systems from loading during the system start-up process. Mac computers that have the Apple T2 chip support secure boot options. Mac computers, unlike Windows, support three settings to make sure that your Mac always starts up from a legitimate, trusted Mac operating system.

Why is this important? In an office environment, someone can plug in or boot off unsecured media, like a password manager or an operating system that’s on a jump drive or Live CD, and gain access to the computer. This is probably not an issue in your home, but in an office environment it can be a major security hole for a network administrator to protect against.

A Windows password reset disk is a specially created disk or USB flash drive that can be used to gain access to Windows if you’ve forgotten your password. It’s a useful step to take if you tend to forget your password, and it’s easy to create; all you need is a USB flash drive or disk. It is great for the home user who forgets their password, but not so good for a large company network, where someone could boot off of it and reset a local administrator password.

A live CD is a complete bootable computer installation including an operating system that runs directly from a CD-ROM or USB stick. Linux has been adapted to the needs of modern computer users by offering a live CD. This type of operating system can be booted from a CD, DVD, or USB drive without actually being installed on the computer’s hard drive. Again, it is great for troubleshooting a computer issue and not so good for a secured network.

Microsoft Windows 11 even has a version that you can use to boot off a jump drive with preloaded tools to help you hack a secure network. This is why secure boot is so important and is coming on by default on a lot of new computers.

Google Ecosystem And Privacy

I am not trying to scare anyone, but I think that everyone needs to know how Google’s ecosystem works. Let’s first talk about Google’s Nest. We have all seen the Google Nest in Home Depot. If you don’t know what a Google Nest is, it’s an internet-connected thermostat connected to your Google account. So now Google has data on when and how you like the temperature of your home and what heating and cooling system you have.

Since Google Nest now offers door locks, Google knows when you lock and unlock your doors if you have those locks installed. Since Google Nest offers key lending, Google knows who you lent keys to and who you trust to enter your home.

Google also offers Google Chromecast and Android TV devices. You guessed it: these devices need to be connected to your Google account. So now Google knows what shows you watch and what services you use, like Netflix, Hulu, Pandora, and any others you cast to the TV.

One of Google’s most popular services is Gmail. Gmail is by far one of the most popular email services in the world but like anything free, it comes with a cost of privacy. Google has always made it known that they read your email to target ads at you.

In case you didn’t know, YouTube is owned by Google. Since most people log in with Gmail and the accounts are connected to YouTube, Google knows what kind of videos you are watching on YouTube, and unless you have YouTube Premium, they are going to target video ads on YouTube to you to get you to buy products. Google even ties music in now with YouTube Premium, so they can make money on their subscription music service and see what kind of music you are listening to and when you are listening to that music.

YouTube has broken into the television market as of late with YouTube TV. This is another way for Google to collect data, knowing what TV and movies you watch and finding out your TV viewing habits. While YouTube TV is a service you pay for, they are still collecting your data, since you again need to use your Gmail account to log in to use the service.

We all love Google Maps and Google Places, but every time you use your GPS to find a location in Google Maps, don’t think that information is not stored somewhere for later ad targeting by Google. Google has even admitted to using the speaker on your phone to listen to help improve their Google Assistant and AI programming but has never said they delete that information.

Google Drive or Google Photos is another issue to think about. Remember, everything you save in your Google Drive is subject to Google’s review, so if you store all your photos and files on Google Drive, it’s a good possibility you are building Google a repository of information to scan through at some time.

The Google picture data is rather concerning, considering Google uses metadata from the picture and the cell phone used to take the picture to determine where it was taken, then uses facial recognition to find which Gmail users are in the picture.

Google Chrome is another great invention by Google, and I really mean that: they have made the most secure browser with the best extension store. Google has even expanded its Chrome browser in recent years into a full-fledged operating system that can compete with Microsoft and Apple. Again, this very secure browser and operating system come at a cost, as Google is collecting all the internet traffic you generate and using it to target ads at you, since you must sign in to Chrome using, you guessed it, your Gmail account.

Part of what’s concerning about all this information is that Google uses it to target Google Searches, News, Videos, and Ads. While the ads are for Google to make revenue on, and Google Searches are used to bring you the correct information to entice you to continue to use the service, the issue becomes Google giving you the News, Searches, and Videos they think you would most likely enjoy, keeping you on the platform longer.

While I do not see an issue with this, Google has been known to cooperate with law enforcement on issues. While I have nothing to hide, when Google turns over these records of who has done what in a certain area, it does technically violate some of our privacy rights. Even though law enforcement is not looking for me, just because I was in that area at a certain time, they now have my files and access to certain data.

Source Code: Open-Source Vs Proprietary

I get asked by people all the time: what is source code? Source code contains everything a program needs to run, including coding functions like variable declarations, instructions, functions, loops, and other statements that tell the program how to function.

Beyond providing the foundation for software creation, the source code has other important purposes as well. Developers can use the source code to create similar programs for other operating platforms, for example if a program that was designed for Windows now needs to run on a Mac. Access to source code also allows programmers to contribute to their community, either through sharing the code for learning purposes or by recycling portions of it for other applications. As the old saying goes, why reinvent the wheel?

Typically, proprietary software vendors like Microsoft don’t share source code with customers for two reasons: to protect intellectual property and to prevent the customer from making changes to source code in a way that might break the program. Proprietary software licenses often prohibit any attempt to discover or modify the source code.

Open-source software, on the other hand, is purposely designed with the idea that source code should be made available because the collaborative effort of many developers working to enhance the software can, presumably, help make it more robust and secure. Users can freely take open-source code under public licenses, such as the GNU General Public License.  The security issues come into play when hackers use source code to find vulnerabilities in the software to attack, steal trade secrets, or reverse engineer code to avoid paying for software.

Another security issue with source code is that programmers may add comments to their source code that explain sections of the code. These comments help other programmers gain at least some idea of what the source code does without requiring hours to decipher it. Comments can be helpful to the original programmer as well if many months or years have gone by since the code was written. You can see how these comments can be an issue, because they explain how the software works and make the hacker’s life much easier.

Source code is a valuable thing, since you can compile it and use for free software that you would normally get charged for using. For hackers, it tells them how the software works behind the scenes, making it much easier to find and create vulnerabilities. Back in 2012, VMware got source code stolen. In 2017, Microsoft fell victim to having source code stolen as well.

Open-sourcing code makes it less of a target since it’s free and anyone can read it and find bugs. Offering bug bounties is a great way to get hackers to report bugs to you. A bug bounty is a sum of money offered by the software manufacturer to hackers to report bugs to them instead of selling them on the black market. Businesses like HackerOne have perfected the bug bounty business by offering a platform for manufacturers and bug bounty hunters to interact.

The issue is proprietary code, as you would not want to open that up to hackers even in a bug bounty program, because some hackers would join the bug bounty program just to look at the code. I think this is an issue we can do our best to combat, but since we can’t release all software openly, we will always have issues like this going forward.

Access Control

Access Control is defined as “any mechanism by which a system grants or revokes the right to access some data, or perform some action.”  Physical access by a person may be allowed depending on payment, authorization, etc.

Physical security access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons.  Restriction to physical access control can be achieved by a human (a guard, bouncer, or receptionist) or through mechanical means.  Historically this was partially accomplished through keys and locks.

When a door is locked only someone with a key can enter through the door depending on how the lock is configured.  Mechanical locks and keys do not allow restriction of the key holder to specific times or dates. Mechanical locks and keys do not provide records of the key used on any specific door and the keys can be easily copied or transferred to an unauthorized person.  Physical key management is a nightmare to control due to the ease of copying keys at local hardware stores and if keys are lost the lock must be rekeyed.

Physical access control is a matter of who, where, and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit.

Electronic access control uses computers to solve the limitations of mechanical locks and keys. A wide range of credentials can be used to replace mechanical keys. The electronic access control system grants access based on the credential presented. When access is granted, the door is unlocked for a predetermined time and the transaction is recorded. When access is refused, the door remains locked and the attempted access is recorded. The system will also monitor the door and alarm if the door is forced open or held open too long after being unlocked.

Electronic access allows for temporary keys for one-day access or room access. There are time limitations, so if you would like a person to only be able to access a room from 1 pm – 3 pm on Monday and Tuesday, that is possible. This is a great idea where a physical key would allow for 24/7 access.
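The grant, deny, record, and alarm behavior described above, including the 1 pm – 3 pm Monday and Tuesday window, as an added Python example (not code from this page or from any access control product). The class names, badge and door identifiers, and the 5-second unlock and 30-second held-open limits are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

UNLOCK_SECONDS = 5        # assumed: how long a granted door stays unlocked
HELD_OPEN_SECONDS = 30    # assumed: how long a door may stay open before alarming


@dataclass(frozen=True)
class Window:
    """When one credential may open one door (weekday 0 = Monday)."""
    door: str
    weekdays: frozenset
    start: time
    end: time
    expires: Optional[datetime] = None   # set for temporary (e.g. one-day) keys


class Controller:
    def __init__(self):
        self.windows = {}         # credential id -> list of Window
        self.audit = []           # (timestamp, door, credential, event)
        self.unlocked_until = {}  # door -> time the unlock period ends
        self.opened_at = {}       # door -> time the door contact opened

    def _log(self, now, door, credential, event):
        self.audit.append((now, door, credential, event))
        return event

    def grant(self, credential, window):
        self.windows.setdefault(credential, []).append(window)

    def present(self, credential, door, now):
        """Credential shown at a reader: unlock on a match, record either way."""
        for w in self.windows.get(credential, []):
            if (w.door == door and now.weekday() in w.weekdays
                    and w.start <= now.time() < w.end
                    and (w.expires is None or now < w.expires)):
                self.unlocked_until[door] = now + timedelta(seconds=UNLOCK_SECONDS)
                self._log(now, door, credential, "GRANTED")
                return True
        self._log(now, door, credential, "DENIED")  # unknown badge or outside window
        return False

    def door_opened(self, door, now):
        """Door contact opened: forced-open alarm unless inside an unlock period."""
        self.opened_at[door] = now
        if now > self.unlocked_until.get(door, datetime.min):
            return self._log(now, door, None, "ALARM_FORCED")
        return None

    def door_closed(self, door, now):
        self.opened_at.pop(door, None)

    def poll(self, door, now):
        """Periodic check: alarm if the door has been open too long."""
        opened = self.opened_at.get(door)
        if opened is not None and (now - opened).total_seconds() > HELD_OPEN_SECONDS:
            return self._log(now, door, None, "ALARM_HELD_OPEN")
        return None


def demo():
    """Constructed scenario: badge valid 1 pm - 3 pm on Monday and Tuesday."""
    c = Controller()
    c.grant("badge-1001", Window("server-room", frozenset({0, 1}), time(13), time(15)))
    mon = datetime(2024, 1, 1)   # 2024-01-01 is a Monday
    c.present("badge-1001", "server-room", mon.replace(hour=13, minute=30))
    c.door_opened("server-room", mon.replace(hour=13, minute=30, second=3))
    c.poll("server-room", mon.replace(hour=13, minute=31))       # still open
    c.door_closed("server-room", mon.replace(hour=13, minute=31, second=5))
    c.present("badge-1001", "server-room", mon.replace(hour=15))         # too late
    c.present("badge-1001", "server-room", datetime(2024, 1, 3, 14, 0))  # Wednesday
    c.door_opened("server-room", datetime(2024, 1, 3, 14, 0, 10))        # no grant
    return [event for _, _, _, event in c.audit]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The audit list is the part a mechanical key cannot give you: every refusal and alarm is recorded with its time, door, and credential.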

There are MANY types of access control devices for your home and business.

  • Access badge
  • Biometrics
  • Card reader
  • Electronic lock
  • ID Cards
  • Key cards
  • Magnetic stripe card
  • Optical turnstile
  • Photo identification
  • Proximity card
  • Smart card
  • Swipe card
  • Fingerprint

Access control is a very important part of business and personal life; protecting your information and assets is one of the most important things you can do. There are relatively low-cost solutions for homes and businesses, and there are high-cost solutions. It all depends on how seriously you would like to take your access control.

PyCharm CE Vs PyCharm Professional

I recently have been working on a Python programming project and I wanted to point out the differences between the PyCharm Community Edition and the paid edition. I want to start out by saying that I think PyCharm is the best Python editor on the market. While I like VSCode, PyCharm makes the virtual environment for you and loads the plugins for you rather than having to do all that manually in VSCode. But VSCode has one advantage over PyCharm: it’s entirely free, and while the PyCharm Community Edition is free, it’s not totally functional.

PyCharm Community Edition lets you code apps using PyQt, PyGTK, and Tkinter, so basically any kind of desktop app, for free, but if you want to code anything using web frameworks like Django or Flask you need to have PyCharm Professional. PyCharm Community Edition does not include any web framework platform editing.

As far as web development goes, PyCharm Community Edition only supports HTML, XML, YAML, JSON, and RelaxNG, while PyCharm Professional supports many others, including remote development tools like Docker, SSH, and FTP. Both versions, free and paid, support GitHub.

One of the things that really personally annoyed me was the support for SQL. You can use SQLite, which is supported by Python, but to use other free database tools like PostgreSQL or MySQL you need PyCharm Professional. I could understand that for Microsoft SQL Server or Oracle SQL, but not PostgreSQL or MySQL, which are free and open-source for everyone. Even Microsoft and Oracle offer express versions that are free, so why do you need the pro version to access and modify free databases?

If you are just learning Python, I think PyCharm Community Edition is great: it’s fast, and it creates a virtual environment for you every time, which makes it easy. While I do think that the Community Edition is great, if you are going to be doing any real project work I strongly recommend buying PyCharm Professional. At 8 dollars a month, it’s worth the cost for anyone who is serious about development. It’s a great tool and I recommend it to anyone working with Python.

Background Checks Are A Must For All

Background checks are one of the most important things you can do when hiring someone, especially when hiring anyone who works with kids.

It drives me nuts when I see ads on Craigslist for people needing a nanny or sitter ASAP. I just hope those parents do their best and get background checks from one of the companies like Enanny. I always recommend that you go and get a background check yourself. I tell everyone never to let someone bring you background check paperwork, because this can be doctored up so easily.

Anyone who works with kids should have an FBI Federal Criminal History Check, Child Abuse Clearance check, and a drug test. I know that might be a little overkill and at times might make it hard to get volunteers for events, but to me, it’s better to be safe than sorry when it comes to kids. Most schools have required these three clearances since 2016.

These clearances are important not just for schools but for anyone working with kids: Scout leaders, coaches, or anyone else working with kids. Never assume that just because someone has kids of their own they are OK; they should still have clearances. Remember, most issues with kids come from people that you would not expect. Close friends and family members are most of the time the ones arrested for inappropriate behavior with children.

Anyone working with the elderly should get an FBI Federal Criminal History Check and an Abuse Clearance. While the elderly are adults, some cannot report issues of neglect or abuse. If you are taking a loved one to a private nursing home, be sure to ask to see the staff clearance policy. Make sure people like janitors, maintenance, and kitchen staff have clearances. Just because they do not work with the elderly directly does not mean they cannot be an issue.

I would like to say not everyone with a record is an issue, and sometimes people with a record can be trusted, but in certain situations it is better to be safe than sorry in the long run when dealing with children and the elderly.

Credit Checks For Security

In 2008, when the economy took a nosedive into the great recession, as I call it, many investigations were done into bank employees who were using their loan officer positions at banks to help bail out friends and families by loaning them money under false pretenses and committing fraud. Part of the entire financial crisis of 2008 was due to people getting mortgages on homes they could not afford or taking out loans on homes that were not worth the value they got in cash.

There is an old saying that money is the root of all evil and it can be in some cases. We live in a world where credit and money are needed to live and the way people handle money can be important to know.

I personally think anyone who works with money, from a bank teller to the bank president, should have a mandated credit check. This does not just go for banks; it applies to anyone in any company who has access to company funds.

Employers are increasingly running credit checks on job applicants and using that information to make hiring decisions. If someone is being hired for a job that deals with money, or especially if they are in any position to be able to disburse funds, they should need to agree to a credit check.

Companies like NerdWallet, for example, give potential employers or businesses modified credit reports showing debt and payment history. This is great because getting your credit pulled can actually lower your credit score, so a modified report does not show the credit score because it’s not running your credit, just showing your payment history and debt-to-income situation.

I would like to say people with bad credit or no credit are not bad people, but seeing someone’s financial information can tell you something about them.

Lots of late payments could indicate you’re not very organized and responsible, or don’t live up to agreements.

Using lots of available credit or having excessive debt are markers of financial distress, which may be viewed as increasing the likelihood of theft or fraud.

Any evidence of mishandling your own finances could indicate a poor fit for a job that involves being responsible for company money or consumer information.

Like I said, not everyone with bad credit is an issue, but it can give a company a better understanding of you as a person. Sometimes people might have bad credit due to a divorce or bankruptcy; in that case the people took care of their issue and are recovering their credit and may be a good fit. Everyone’s situation is different.

Remember, credit checks are important, as handling company funds is a sensitive thing and needs to be done by people you can trust. A credit check is important; I have seen too many times where a simple credit check could have really saved a company from issues.

Benefits of a VPN

If you need to use public wireless at any time and need to send sensitive information like banking or credit card information, I suggest using a VPN network.

VPN stands for Virtual Private Network and is a network that is constructed using the Internet to connect to a private network, using encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. This type of network is designed to provide a secure, encrypted tunnel in which to transmit the data between the remote user and the company network.

There are tons of different VPN services on the market. Companies like AVG Internet Security and ProVPN are all reputable services that you can pay for and use to keep your data safe while using services. I strongly recommend using a VPN if you are going to be using any insecure wireless connections on either your phone or computer. I strongly recommend that you get a paid, reputable service; many of the free services you find online may not be secure or may be watching and logging your traffic, which is not what you want in a VPN service. VPN services are usually not expensive, and you can pay for them monthly or yearly.

Most VPN services have software for your computer, plugins for your web browser, or an app for your iPhone or Android. VPN software is now very easy and simple to use and may even be included with your Anti-Virus software.

Everything I mentioned may be a lot to take in but all of it is important for you to remember if you are going to be browsing the web or doing financial transactions online. Remember one thing when using the internet, it’s always better to be safe than sorry when it comes to security and privacy.

Any questions please contact us.

Messaging With End-To-End Encryption

Just like computers, there are security vulnerabilities in smartphones and even messengers. We all remember using AOL Instant Messenger and MSN Messenger back in the day, but messengers have evolved over the years. We now have Skype, Facebook, iMessage, WhatsApp, and many others, too many to list at this point. Just like a hacker can spy on you using free Wi-Fi, they can also grab your messages.

Not all messages are at risk of being spied on by hackers. Messengers like iMessage and Signal use end-to-end encryption, meaning only you and the person receiving the message can read it; no one else can, since it’s encrypted from beginning to end. Facebook has started using secure messaging on Facebook Messenger as well as WhatsApp. But Facebook has admitted to being able to read not the message but the metadata, the geolocation, and other small pieces of data; to me, that’s not end-to-end encryption.

Services like Skype and Google Hangouts do not support end-to-end encryption, meaning Microsoft and Google can read your messages or pictures. Any message that goes over Wi-Fi or the cellular network can be spied on if not using end-to-end encryption. That goes for SMS text messages as well, which are never encrypted.

Snapchat, like Facebook, has enabled end-to-end encryption with a catch. End-to-end encryption is used for photographs exchanged between Snapchat users, but text messages and other messages transmitted using Snapchat are not encrypted, meaning Snapchat can see the data.

Telegram offers encryption. It secures everything, including chats, groups, media, and so on. But it’s not on by default. To use Telegram’s end-to-end encryption, you must start a secret chat by tapping the person’s name, the more or menu button, and Start Secret Chat. Secret chats appear separately from non-secret chats.

If you want to keep your data private from someone, I suggest using iMessage or Signal for everything.

Dangers of Free Wi-Fi

Free Wi-Fi is something almost everyone uses currently and has become used even more due to the data caps on cell phone plans. Places like restaurants, hotels, and many other establishments offer free Wi-Fi while you enjoy your stay at their place of business, but these free Wi-Fi networks are usually very insecure. Before I go into the danger of free Wi-Fi let me explain to you the difference between secure and insecure wireless connections.

A secure wireless network means that to join your device (tablet, smartphone, or laptop) to the wireless network, you need its password. For example, your workplace has secure wireless where only machines allowed by the network administrator can connect, or your home, where you only allow family and friends on your network.

These places are secure and, for the most part, places where using your device is safe and free of information scanners that might get data off your device. Some home routers even have both a guest and a secure wireless connection; this is called a segmented network. What that means is that if a friend comes over for drinks, say, you could give them the guest password to your Wi-Fi while your work laptop is upstairs on the secure Wi-Fi. This means that whatever happens on your work laptop cannot be affected by your friend’s device if it should have a virus or something that could cause harm to your laptop.

Unsecured wireless is basically the hotel wireless, café wireless, or bar wireless system. These are places that have no password on their wireless and let anyone who wants to connect do so. Here is how these networks are dangerous.

Say you decide to go out to the bar, the reception on your phone is not the best, and you decide to connect to the wireless so you can surf the web while you are waiting for your food. While surfing the web you check in on Facebook, then go to Instagram to check on photos, then check on the Amazon orders you have coming.

A skilled hacker could sit two seats or more away hooked up to the same network running a network scanner. A network scanner reveals vulnerabilities on devices on a network that pose a serious risk to security regardless of Firewall or AV. A vulnerability is a system weakness that can be exploited by a hacker, to get unauthorized access to an electronic device.

Let’s say you’re running an outdated or old version of Android which has a security vulnerability that lets the attacker see your network data; you can now become a target. This kind of thing does happen on both Android and iOS. Remember, a smartphone is a computer. Security vulnerabilities get found all the time and hackers know about them quickly; some of the best places to use them are places with free Wi-Fi. Sometimes hackers hang out in the parking lots of places with free Wi-Fi, so no one notices them.

I have even seen where hackers themselves set up free Wi-Fi just so you connect to them so they can try and hack your phone or computer. It’s so important to stay off free Wi-Fi as it can cause you some serious headaches.

Any questions contact us.