Cybersecurity, Digital Forensics, Incident Response, Expert Witness (feed updated Thu, 09 Jul 2020 02:17:52 +0000)

How DNS Prefetching and Preloading Can Lead to Incorrect Conclusions
Mon, 06 Jul 2020 23:28:15 +0000

Coding used by web developers to improve the user experience (UX) of web browsing can cause data to be stored on a user’s device without the knowledge or interaction of the user. An untrained digital forensic analyst, or a person reviewing the results of a forensic analysis that lacks proper context, may make incorrect assumptions about a user’s activities.


  • Domain Name System (DNS) serves as the phonebook for the Internet, translating between the domain names and Internet Protocol (IP) addresses of Internet resources.
  • DNS prefetch is a tool used by web developers to improve the UX while browsing a website.
  • DNS preloading is another tool used by web developers to anticipate resources a user will need and download those to the user’s system before actually being requested in order to speed the browsing experience.
  • DNS prefetching and DNS preloading can create Internet artifacts on a user’s system that were not searched for, requested, or knowingly placed on that system by the user.
  • An untrained person may misinterpret DNS prefetching and preloading as user-initiated activity and make incorrect assumptions.


Digital forensic analysts and those reviewing digital forensic reports should:

  • Scrutinize Internet artifacts before reaching any charging, disciplinary, or finding of fault decisions.
  • Understand the difference between cache, cookies, searches, typed uniform resource locators (URLs), and other forms of Internet evidence.
  • If reporting on Internet history for non-technical audiences, contextualize the forensic findings instead of simply providing a data dump of information and leaving the analysis to untrained individuals.
  • Be cautious of relying strictly on Internet artifacts such as the presence of cache, DNS entries, or cookies for decision making without other corroborating evidence.


DNS prefetching causes browsers to resolve IP addresses before a user requests the information, and DNS preloading causes a browser to connect to Internet resources and download information without any knowledge or interaction of the user. The prefetching and preloading create entries on a system that can be mistaken for user-initiated web activity and lead to incorrect conclusions during a digital forensic examination. This post describes how this can happen and the technology behind DNS prefetching and preloading.

I was asked to consult on a criminal defense case by another digital forensic analyst who had completed an independent forensic analysis of a defendant’s computer and had questions about Internet history. The law enforcement forensic analysis revealed multiple Internet browsing artifacts to websites that appeared to be related to illegal activity and these artifacts were used in part to support a criminal indictment. The defendant adamantly denied visiting any websites with names the same or even similar to what were highlighted in the law enforcement report.

Law enforcement had essentially created a “data dump” of browsing artifacts and provided that to prosecutors with no contextualization of the data, leading an untrained prosecutor to the conclusion that the defendant was involved in criminal activity.


The original forensic analyst asked me to help determine why those artifacts existed on the defendant’s computer. The defense analyst also did not see other artifacts that would normally be found such as search terms, downloads, visited pages, typed URLs, and others to support the prosecutor’s theory.

This case highlights a challenge with forensic analysts performing what is often called “triage forensics”, which essentially means that a cursory exam is done on the digital device with the intent to locate enough evidence to support the allegation(s). Sometimes a full forensic analysis (sometimes referred to as “trial forensics”) isn’t completed until a defendant disputes the allegations and by then, the wheels of the justice system are already well in motion against a defendant and often times at immense reputational and financial expense.

There are undoubtedly issues with what has been described so far, but for this post I’m going to focus on the digital evidence. I should also say that while I’ve highlighted some shortcomings of a law enforcement process, my intent is not to insinuate that this represents all law enforcement analysts, because I know many who are exceptional.

Upon my examination, I did find entries on the computer for the websites identified by law enforcement. There was no question that the forensic artifacts existed, but the problem was the lack of context or true analysis to explain why the artifacts existed. After some testing and further evaluation, I was able to determine that the cause of these artifacts was DNS prefetching and preloading.

To demonstrate how this technology works, I’ve created some videos and screenshots. I used Google Chrome as the browser for this example, however all browsers I have tested work the same for this particular artifact.

I began with a browser session that had no Internet history associated with it and validated that no artifacts existed. The below screenshot shows that no cookies were present in Chrome. I did the same to ensure there were no downloads, browser history, or other artifacts from any previous sessions.

screenshot showing no cookies

Next I opened Chrome and navigated to the website Using Google Chrome’s developer tools, I captured all of the content that is loaded in order to present the website to the user. This includes images, JavaScript, CSS, and other resources. This is all done without user interaction except for the navigation to the single URL of

In the video below, you will see the resources being loaded as the page loads. This process is transparent to the user (unless using a tool like Developer Tools). Just to load there were over 400 requests for resources.

Side note – websites often use content delivery networks (CDNs) to increase loading speed. In a very basic explanation, CDNs distribute commonly requested assets for websites across geographically dispersed servers. For example, a website may have static content like JavaScript, images, and CSS files hosted in Amazon Web Services (AWS) or use a CDN provider like CloudFlare to offload the work of a web server and achieve faster load times for the content.

In the next video, I drill down into some of the content that was downloaded to my computer when pulling up You will see the JavaScript, CSS, and image files as I click through them. All of the images that are clicked on and shown in preview mode would also be downloaded to my computer’s hard drive (private browsing can affect this, but for purposes of this blog, private browsing was not used). On the left side of the page, you will see sources of content such as,, and others.

The below screenshot shows the DNS prefetch that occurs with this site. Similar to the concept of Windows Prefetch in the Microsoft Operating System (OS), DNS prefetch tells the browser to resolve names and make connections to other web resources early in the page loading process to speed things up. A practical example of this is when a web developer places a simple contact form at the bottom of a webpage. Part of the contact form might be Google Captcha, used to reduce the likelihood of spam submissions to the form. Instead of waiting until a user scrolls to the bottom of the page to load the Google Captcha JavaScript, the web developer does a prefetch at the top of the page, already loading that content so that when the user gets to the bottom, there is no delay. Imperva has a nice writeup on DNS prefetching here.

Prefetching can be done for anything and it is simply a line of code entered into the site. A screenshot below shows the DNS prefetching done on A developer could hard code any prefetch they wanted into a website and cause a browser that is navigating the site to reach out and resolve the domain names listed in the code.

prefetch code screenshot
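To show what those lines of code look like from the analyst’s side, here is an added example (not code from the original post) that parses an HTML page for resource hints such as `<link rel="dns-prefetch">`, `<link rel="preconnect">`, `<link rel="preload">` and ordinary script, stylesheet and image references, and reports which third-party hosts the browser will resolve, connect to, or download from without any user click. The sample page and the `.test` hostnames are constructed for the example; they are not the site examined in the post.

```python
"""Enumerate the hosts a page instructs the browser to contact on its own.

Three tiers of artifact are distinguished, because they explain different
evidence: a dns-prefetch only produces a name lookup (DNS logs, resolver
cache), a preconnect opens a TCP/TLS connection but stores nothing, and a
preload/prefetch/script/stylesheet/image actually downloads content and can
leave cache entries and cookies on disk.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

DNS_ONLY_HINTS = {"dns-prefetch"}
CONNECT_ONLY_HINTS = {"preconnect"}
FETCHING_HINTS = {"preload", "prefetch", "prerender", "modulepreload", "stylesheet"}

# Constructed sample page; the hostnames are illustrative, not real sites.
SAMPLE_HTML = """
<html><head>
<link rel="dns-prefetch" href="//ads.example-tracker.test">
<link rel="preconnect" href="https://fonts.example-cdn.test">
<link rel="preload" href="https://static.example-cdn.test/app.js" as="script">
<link rel="stylesheet" href="https://static.example-cdn.test/site.css">
<script src="https://www.google.com/recaptcha/api.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="https://social.example-widgets.test/like.png">
</body></html>
"""


class ResourceHintParser(HTMLParser):
    """Collect third-party hostnames from resource hints and embedded resources."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.dns = set()      # resolved only
        self.connect = set()  # connection opened, nothing downloaded
        self.fetched = set()  # content downloaded

    def _host(self, url):
        # Scheme-relative "//host" hints are common in prefetch code.
        if url.startswith("//"):
            url = "https:" + url
        return urlparse(url).hostname  # None for relative paths (first-party)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            host = self._host(a.get("href") or "")
            if not host or host == self.page_host:
                return
            if rels & DNS_ONLY_HINTS:
                self.dns.add(host)
            if rels & CONNECT_ONLY_HINTS:
                self.connect.add(host)
            if rels & FETCHING_HINTS:
                self.fetched.add(host)
        elif tag in ("script", "img", "iframe"):
            host = self._host(a.get("src") or "")
            if host and host != self.page_host:
                self.fetched.add(host)


def third_party_contacts(html, page_host):
    """Return sorted host lists keyed by the strongest artifact each host leaves."""
    p = ResourceHintParser(page_host)
    p.feed(html)
    # A host that is both hinted and fetched is reported once, under "fetched",
    # because the download is the stronger artifact (cache/cookies, not just DNS).
    connect_only = p.connect - p.fetched
    dns_only = p.dns - p.connect - p.fetched
    return {
        "dns_only": sorted(dns_only),
        "connect_only": sorted(connect_only),
        "fetched": sorted(p.fetched),
    }


if __name__ == "__main__":
    report = third_party_contacts(SAMPLE_HTML, "www.example-site.test")
    for kind, hosts in report.items():
        print(f"{kind}: {', '.join(hosts) or '(none)'}")
```

Run against a saved copy of a page, the output lists exactly the hosts whose DNS, connection or cache artifacts a single visit can produce without the user ever typing their names.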

Now just imagine if a website you visited was coded to prefetch malicious or criminal domain names. These prefetches would be done without your knowledge and would leave artifacts behind on your computer from which an untrained forensic analyst (or one that didn’t take the time to do a true forensic examination) could draw incorrect conclusions.

Going back to the Google Chrome history and artifacts on my system, below is a screenshot of the same view shown earlier of the cookies but after I navigated only to

Chrome cookies view

After just going to the single website on my system, you can see there are 169 cookies present on my hard drive. From the screenshot above, you see multiple domains that I never intentionally or knowingly visited – but my computer did automatically because of how the website was coded.

The date/time stamps shown above are in WebKit format, so a simple conversion will show them in UTC or local time.
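As an added example (not from the original post), the conversion for those WebKit timestamps: Chrome stores cookie and history times as microseconds since 1601-01-01 00:00:00 UTC, so they look nothing like Unix seconds. The sample value is constructed.

```python
"""Convert Chrome/WebKit timestamps to UTC and local time.

Chrome's Cookies and History databases store times as microseconds since
1601-01-01 00:00:00 UTC. A value of 0 means "never" (for example the
last_access_utc of a cookie that was set but never sent), so it must not
be reported as a real 1601 date.
"""
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between the WebKit epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_OFFSET_SECONDS = 11_644_473_600


def webkit_to_datetime(value):
    """Return an aware UTC datetime for a WebKit microsecond value, or None for 0."""
    value = int(value)
    if value <= 0:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def webkit_to_unix(value):
    """Return Unix epoch seconds (float) for a WebKit microsecond value."""
    return int(value) / 1_000_000 - EPOCH_OFFSET_SECONDS


def looks_like_webkit(value):
    """Heuristic for raw database columns: any WebKit value for a date after
    1970 exceeds 1.16e16, far above Unix seconds (~1e9) or milliseconds (~1e12)."""
    return int(value) > EPOCH_OFFSET_SECONDS * 1_000_000


if __name__ == "__main__":
    # Constructed sample, as a creation_utc value would appear in the Cookies table
    sample = 13238551695000000
    dt = webkit_to_datetime(sample)
    print(sample, "->", dt.isoformat(), "| unix", webkit_to_unix(sample))
    print("local time:", dt.astimezone().isoformat())
```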

time conversion screenshot

Also now present on my computer are additional files from some of these websites, such as Facebook, Twitter, Google, etc. Remember, these sites were never intentionally navigated to.

directories created on system after visiting

Although all of these files are now present on the computer, by looking at Google Chrome’s history from the application itself, it still only shows was visited:

Google Chrome history

Using the forensic tool Hindsight, over 620 entries are made in the software for a single visit to The entries include cookies, cache, preferences, and URLs.

Screenshot from Hindsight forensic tool

By looking at the artifacts in another forensic tool, similar results are found. The screenshot below shows Autopsy’s analysis of the Chrome history. According to Autopsy, there were 155 items of Internet cache, 197 cookies downloaded just from visiting, and then the single item of web history.

Screenshot from Autopsy forensic tool

The same test was done with Wireshark running to capture the network traffic from my workstation. As expected, Wireshark showed the same as Chrome developer tools, with all of the DNS queries and responses being shown. Below is a screenshot from Wireshark showing some of the queries:

Screenshot of Wireshark

An untrained incident responder or forensic analyst looking at network logs may also come to an incorrect conclusion that a user searched for or navigated to these websites because of the DNS queries present on the network.


Based on the testing and analysis, we were able to show that the websites in question were not visited by the defendant, nor did the defendant search for those websites.

Performing a digital forensic analysis is much more than simply pressing the find evidence button and then handing over a few hundred pages of results to someone. Forensics should include a thorough analysis of the digital evidence by a trained analyst along with proper contextualized results and explanations to stakeholders.


Digital forensic analysts should look at the totality of the circumstances with a device including Internet cache and cookies, but also typed URLs, viewed pages, timelines of activity, downloads, and the user’s normal pattern of behavior among other things when performing their analysis. They should also act as subject matter expert consultants to those consuming their forensic reports and provide the necessary explanations, context, and opinions when necessary.

Chain of Custody Form
Mon, 29 Jun 2020 02:24:09 +0000

Work From Home Cybersecurity During COVID-19
Thu, 02 Apr 2020 06:15:48 +0000

The Coronavirus 2019 (COVID-19) pandemic has forced businesses, organizations, and government agencies to immediately change their operating model, resulting in furloughs and sending workers home to telework. Employers are struggling to ensure their employees are safe, healthy, productive, and equipped during this time. Many organizations that were never designed to support WFH are finding they lack the proper IT infrastructure and digital capabilities to support this model. The lack of a properly architected remote work capability is resulting in all new cybersecurity vulnerabilities that are exposing people and organizations to new risks.


We are already seeing a dramatic increase in cyberattacks exploiting the fears and concerns of people. For example:


Social engineering attacks, primarily conducted through phishing emails, have historically been the most common way attackers compromise systems and networks. An already successful attack vector is even more powerful in a situation such as a pandemic because clever attackers exploit the fears of people to get them to click a link or open an attachment.

Here are some examples that we are seeing in phishing attacks related to COVID-19:

  • Phishing emails offering free COVID-19 tests or vaccines
  • Malware embedded in COVID-19 tracking maps and mobile apps
  • Emails asking for donations or assistance to help fight the Coronavirus outbreak
  • Legitimate-looking emails that purport to come from a government organization with important COVID-19 information, carrying a malicious attachment or a link that goes to a malicious URL


Organizations that did not have policies, procedures, and technology solutions addressing remote work before the pandemic are finding themselves at increased risk in a number of areas. Some of these risks include:

  • There are no remote access capabilities, such as a Virtual Private Network (VPN), to allow workers to securely access company or agency assets. Or, if there are VPN capabilities, the infrastructure and/or licensing limits are preventing the entire workforce from functioning
  • Organizations lack a collaboration tool such as WebEx, Zoom, Teams, Skype, Slack, etc. so employees are either using anything they can find online, or organizations are quickly procuring something without taking into account the privacy and security concerns. Zoom, for instance, has been highly criticized over its privacy policy (which was recently changed) and lack of complete encryption
  • System alerts that may normally go into a Security Operations Center (SOC), Managed Security Services Provider (MSSP) or some other monitoring dashboard may not be seen
  • Security monitoring staff may be unable to keep up with the increased remote traffic and tools such as Network Intrusion Detection and Prevention (IDPS), full packet capture, and Network Traffic Analysis (NTA) tools may not be able to keep up with the throughput, leaving the organization blind to malicious activity
  • Security staff may not be able to work from home, outsourced security staff may be getting sick, and other distractions may reduce the effectiveness of either organic or outsourced security incident responders


Organizations should consider these additional security risks:
  • Commercial Cloud Service Providers (CSPs) are under unprecedented demand for services, which has resulted in a diminished experience in some cases. This includes the timeliness of notifications such as security events. For security tools in the cloud such as a vulnerability management tool or Security Information and Event Management (SIEM) tool, they may have degraded performance.
  • Organizations must consider temporarily turning off or significantly throttling vulnerability scans against systems that are now dispersed at private residences. Network bandwidth to the vulnerability management scanner and on home networks may not be able to handle the traffic. Scanners may need to look for only the most severe vulnerabilities to limit traffic
  • A reduction in vulnerability information and the inability to scan systems for compliance changes (such as with DISA STIGs or other hardening benchmarks) with a SCAP tool will occur.
  • Systems and peripheral devices that were not intended to leave an office are being taken home. Because of this, systems may not be secured properly, such as lacking full disk encryption (FDE), and data on those devices is susceptible to unauthorized disclosure in the event of a theft or home burglary
  • Users may take it upon themselves to “get the job done” and bypass security controls such as using personal email or cloud storage that may expose the organization to risk or regulatory compliance violations


Since many organizations lack policies for telework and most employees were not setup with a home office before the pandemic, it opens the door to an increased risk to privacy. As employees begin using technologies they are not familiar with (such as video conferencing), are not working out of a secured home office, and have home technologies that introduce new challenges, employers must provide guidance to employees to protect the privacy of clients, patients, customers, and other employees.

Here are some privacy considerations that organizational leadership should consider:

  • If a policy doesn’t already exist about WFH, make sure to draft one and communicate it out to the workforce
  • Ensure employees understand how to keep computers and mobile devices secure and that family members and others at the home should not use work-related devices
  • Consider a policy that requires the removal of smart home devices like Amazon Alexa or Google Home from any room where work-related discussions are taking place. It’s widely known that these devices record and store conversations that they overhear
  • Make sure employees are only using organizationally-approved devices and applications to conduct work. Don’t rush to procure something without vetting it first from both a cybersecurity risk and a privacy risk.


Enact these administration recommendations within your organization:

  • Begin an immediate education campaign with employees, highlighting the increased risk that organizations now face and reinforcing that security policies are still in place. Consider using the SANS deployment kit available here
  • Ensure everyone knows how to reach the IT security team. Consider adding real-time access to the incident response (IR) team / SOC with tools like Yammer, Teams, Skype, or Slack
  • Educate users on how to secure their home networks
  • Determine a solution for dealing with derived credential expirations and other Identity and Access Management (IAM) challenges with an entirely remote workforce
  • Ask your employees to watch this quick video from SANS on securing their home


Enact these technical recommendations within your organization:

  • Block endpoints from navigating to unknown / not seen before domains
  • Consider having endpoints check for endpoint security definitions directly from the vendor instead of coming through the corporate network, if it is possible
  • Consider pushing GPO changes to have systems reach directly out to Microsoft or Apple for system patches and updates instead of coming through the VPN for centrally managed (e.g., SCCM) patches to reduce bandwidth needs and delays in patching
  • Consider minimizing monitor and control activities to focus only on those of the highest risk to reduce alert fatigue of SOC analysts and to ensure capacity for alerts you truly need to care about
  • Test your incident response capabilities by using things like the EICAR file on remote systems to ensure alerts are being sent and how long of a delay IR teams should expect


  • SANS: For Individuals – Securely Working From Home Factsheet (PDF, DOC)
  • SANS: For Organizations – Securely Working From Home Deployment Kit
  • World Economic Forum
  • C-M Alliance: Remote Working Cybersecurity Checklist for all organizations
  • C-M Alliance: Preventing Eavesdropping and Protecting Privacy on Virtual Meetings (blog)
  • NIST SP 800-46r2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

CorelDRAW and OneDrive Failing to Install on Mac OS
Fri, 27 Dec 2019 22:04:02 +0000

If you have tried to install OneDrive or CorelDRAW 2019 on a Mac and have received failure messages, read on.

TL;DR – The issue may be with the way your drive is formatted. Mac gives several options to format drives, including case sensitivity (for more information on what that means, see this). Reformatting the operating system (OS) drive to a file system without case sensitivity solved the problem.

Crash Log

Below is the crash log data from the failed CorelDRAW installation:

System Integrity Protection: enabled
Crashed Thread:        0
Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY
Termination Reason:    DYLD, [0x1] Library missing
Application Specific Information:
dyld: launch, loading dependent libraries
Dyld Error Message:
  Library not loaded: /Library/Preferences/*/libPASMUtility.dylib
  Referenced from: /Library/Corel/*/Common.bundle/Contents/MacOS/CrlConfig.dylib
  Reason: image not found
Binary Images:
       0x10f035000 –        0x10f038ffb +com.corel.coreldrawsuite.2019.coreldraw ( – <32411D16-6E77-3D85-BCAC-87D2742DAE63> /Applications/CorelDRAW Graphics Suite 2019/CorelDRAW
       0x10f041000 –        0x10f07dff7 +CrlConfig.dylib (0) <C1B5BBCC-BE7D-3995-80CC-DB239E29C2BA> /Library/Corel/*/Common.bundle/Contents/MacOS/CrlConfig.dylib
       0x10f0e6000 –        0x10f2dbff7 +CrlUtils.dylib (0) <E8ACFE58-EFB9-384E-A075-85B81F539EC3> /Library/Corel/*/Common.bundle/Contents/MacOS/CrlUtils.dylib
       0x10f413000 –        0x10f500fff +CrlUtl.dylib (0) <4431A68A-98A9-3DD1-91B0-27739541AC0D> /Library/Corel/*/Common.bundle/Contents/MacOS/CrlUtl.dylib
       0x10f67f000 –        0x10f67fffb +CrlBoxInfo.dylib (0) <B4B51B54-595F-3D46-BB0E-64697FC55F29> /Library/Corel/*/Common.bundle/Contents/MacOS/CrlBoxInfo.dylib
       0x10f688000 –        0x10f691ff7 +CrlUtf.dylib (0) <A703F48E-BC29-3B02-826E-A13797B6AAB9> /Library/Corel/*/Common.bundle/Contents/MacOS/CrlUtf.dylib
       0x111d15000 –        0x111da5b5f  dyld (733.6) <DAFEA246-2F9A-3DCB-A37C-4246D4F92770> /usr/lib/dyld
    0x7fff63805000 –     0x7fff63806ff3  libSystem.B.dylib (1281) <1DD1BCD2-2C85-3B81-8CAF-224FB042F441> /usr/lib/libSystem.B.dylib
    0x7fff63ae3000 –     0x7fff63b36fff  libc++.1.dylib (800.7) <1D42387D-206A-3F06-9B5F-705B83EAC295> /usr/lib/libc++.1.dylib
    0x7fff65645000 –     0x7fff65676ff6  libobjc.A.dylib (781) <D866A31E-5CB1-3327-8D22-C4F83C9225D0> /usr/lib/libobjc.A.dylib




Thinking there were some library files missing based on the above log, I tried to correct that, which did not solve the problem. There were several people with the same problem on discussion forums, but I did not see any resolution to the questions. Coincidentally, I was also trying to install Microsoft OneDrive on my Mac and it also failed, but Microsoft’s crash logs provided a bit more context. According to those logs, it was because of the case-sensitive formatting of my Mac’s hard drive (I was using APFS – Case-sensitive, encrypted). This was the first time I’ve ever had anything fail like this.
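Before going through a reformat, it helps to confirm the volume really is case-sensitive and to see why a loader would report a library as missing on it. The following is an added example (not code from the original post): `probe_case_sensitive()` tests the live file system with a scratch file, and `lookup()` models how a name resolves on a case-sensitive versus case-insensitive volume. The mismatched file names are constructed for illustration; the post does not state what the actual mismatch was.

```python
"""Check volume case sensitivity and model a case-mismatched library lookup."""
import os
import tempfile


def probe_case_sensitive(directory):
    """Return True if `directory` is on a case-sensitive file system.

    Creates a lowercase scratch file and checks whether its uppercase
    spelling also resolves; the scratch file is always removed afterwards.
    """
    fd, path = tempfile.mkstemp(prefix="csprobe_", suffix=".tmp", dir=directory)
    os.close(fd)
    try:
        upper = os.path.join(directory, os.path.basename(path).upper())
        # On a case-insensitive volume the uppercase name is the same file.
        return not os.path.exists(upper)
    finally:
        os.remove(path)


def probe_in_temp_dir():
    """Probe a fresh temporary directory; return (is_case_sensitive, leftover_files)."""
    directory = tempfile.mkdtemp(prefix="csprobe_dir_")
    try:
        result = probe_case_sensitive(directory)
        leftover = len(os.listdir(directory))
    finally:
        for name in os.listdir(directory):
            os.remove(os.path.join(directory, name))
        os.rmdir(directory)
    return result, leftover


def lookup(requested, existing_names, case_sensitive):
    """Return the stored name that `requested` resolves to, or None.

    Models the loader's lookup: an exact match is required on a case-sensitive
    volume, while a case-insensitive volume folds case before comparing.
    """
    if case_sensitive:
        return requested if requested in existing_names else None
    for name in existing_names:
        if name.lower() == requested.lower():
            return name
    return None


# Constructed illustration: the referencing binary asks for one spelling while
# the installer wrote the file with another (hypothetical names, not from the log).
REQUESTED = "libPASMUtility.dylib"
ON_DISK = ["libpasmutility.dylib", "CrlConfig.dylib"]

if __name__ == "__main__":
    print("this volume is case-sensitive:", probe_in_temp_dir()[0])
    for mode in (False, True):
        print(f"case_sensitive={mode}: {REQUESTED} -> {lookup(REQUESTED, ON_DISK, mode)}")
```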




Step 1 – Make a complete Time Machine backup of your Mac on a different disk for disaster recovery purposes. The Time Machine backup will not help with the rest of this because restoring a Time Machine backup also restores the drive’s original formatting. 


Step 2 – Get an external hard drive that is the same size or larger than your OS drive. Format this drive in a format that is NOT case-sensitive. I used Mac OS Extended (Journaled). After plugging in the drive to your Mac, navigate to Disk Utility, select the disk and then format it (screenshot below). 



Click the disk in the left column (in this example, Seagate FreeAgent), then the “Erase” button at the top of the Disk Utility screen. At this point, you can give the disk a name and select the formatting options. Select either APFS or Mac OS Extended (Journaled). Don’t worry about encryption now; we will do that later.

Note – There is some information out there about performance with different file systems on different drives. The recommendation is that spinning disks should use Mac OS Extended and solid state drives (SSD) should use APFS.


Step 3 – Create a bootable clone of your Mac OS drive. There are several ways to do this, but I used Carbon Copy Cloner. It worked perfectly and they have a free trial if you want to try it out (note – I have no relationship with this company and get nothing for suggesting this).

Carbon Copy Cloner has a clean interface and is easy to use. Simply select your source drive (your Mac OS drive) and your destination drive (the external drive you just formatted) and begin the clone. At the completion, your cloned drive should be bootable.


Step 4 – Tell your Mac to boot from your external hard drive that contains the cloned image of your Mac. To do this, navigate to system preferences > Startup Disk and then select the external drive. Reboot your computer.


Step 5 – Once rebooted to the cloned external drive, open up Disk Utility and, using the same steps from step 2 above, format your internal Mac OS drive to a format not using case sensitivity. I chose APFS and did not select encrypted, yet. We’ll do that at the end.


Step 6 – After the internal drive has been formatted, launch Carbon Copy Cloner and reverse the previous process. You’ll now restore your cloned copy from the external drive to the freshly formatted internal drive. Note – I experienced some delays in the restoration and found two problems: 1) spotlight was trying to index the external drive, and 2) my endpoint protection software was scanning all files as they were being copied. I disabled both spotlight indexing and endpoint protection temporarily, stopped the copying process and then restarted it. It made a huge difference. Carbon Copy Cloner has a blog post about this here.


Step 7 – Once the transfer has completed, go back to System Preferences > Startup Disk and select your internal OS drive as the startup disk. Reboot your Mac to the internal drive. You may see your Mac validating different software packages and you might need to re-authenticate with some cloud-based services, but everything should be functional. 


Step 8 (Optional, but highly recommended) – If everything is functioning as expected, apply FileVault encryption to your Mac OS drive. Navigate to System Preferences > Security & Privacy > FileVault and turn on FileVault. This will begin encrypting your OS drive immediately. Make sure to either copy down the recovery key or store it in iCloud. Side note – storing your recovery key in the cloud is handy, but it also means that if your cloud storage is accessed (either via a cyberattack or by law enforcement with a search warrant) the recovery code can be obtained and used to access your Mac. If you are worried about your privacy, it is not recommended to store this recovery key in the cloud.


Step 9 – Erase your external hard drives (you should have two, one with the Carbon Copy Cloner clone and the other with a Time Machine backup). Remember, you have two full backups of your Mac drive on the external drives and they are not encrypted. It is recommended that you use Mac’s built-in tool to securely erase the drive. To do this, navigate to Disk Utility, select the disk from the left column, and click “Erase” on the top of the screen. Next, give your disk a name (if you want), select your formatting and scheme, and then click “Security Options”.



Security Options provides you with several choices. Essentially, you are selecting how many passes of data your Mac will write to the drive to ensure that no remnant of data will be available for someone with forensic expertise. Selecting the first choice of one pass of random data and a second pass of all zeros is perfectly acceptable and the fastest option. 



Step 10 – As your OS disk is being encrypted and you are wiping your external backup disk(s), try to reinstall OneDrive, CorelDRAW or whatever app you were having difficulties with. Immediately after I went through these steps, I successfully installed both programs.



Step 11 – Now that your Mac is properly formatted and you have tested everything, it is time to make a full Time Machine backup or clone.


Did this work for you? Please leave comments below if you have questions or if this solved a similar challenge you had with these applications or something else.

Cyberattacks and How To Protect Your Computer and Data – Part 3 of 3
Mon, 21 May 2018 04:21:30 +0000

If you have been following this blog series, you know that the first blog discussed the cyberattack kill chain and how hackers target individuals and systems, and the second blog covered common cyberattacks and how they are perpetrated and identified. In this final post, I am going to discuss what users can do to harden their systems against attack.

Typically, criminals are lazy and take the path of least resistance. Just like locking your doors and having an alarm system will deter the majority of home burglars, there are preventative steps a computer user can take to cause a criminal to move on to someone else who is easier to compromise. The major caveat to this is if you happen to be specifically targeted by the attacker, who may not be easily deterred by basic preventative measures.

Cybersecurity is a fine balance between convenience and security; users and businesses must make an informed, risk-based decision when determining the level of security that should be applied to systems and applications. Too much convenience and your systems are wide open to attacks. Too much security and work is inhibited.

In no particular order, here are my suggestions and opinions on how to keep yourself cybersafe:

Multifactor Authentication

I have an entire blog post dedicated to Multifactor Authentication (MFA). If you want the details, please read it – but to summarize here, use MFA for everything that you possibly can. Can it be a hassle to always have your phone with you? Yes. Does it make it nearly impossible for someone to access your online information without your phone? Yes. Use MFA like Google Authenticator or text messaging for banks, Dropbox, iCloud, Google, etc. If you are wondering what sites and services offer MFA, look at this website.

Physical Security

Equally as important as having good cybersecurity, you must protect your devices. Once an attacker has physical access to your phone, tablet, computer, etc. it is game over. Use strong passwords, use screen savers that require a password once they come on, don’t share your password with others, and don’t leave your devices unattended.

Never, ever, connect your phone or device to charging stations in public places or to a rental vehicle via USB cables. Studies have shown that in some cases, data is collected within rental car computers and in charging stations and malware can be implanted on the connected device. If you must charge, use power plugs or cigarette lighter chargers and never directly connect a USB cable to a hub. The only exception is if you buy a USB cable that has had the data wire removed or use a data blocking device in line like this one.

Password Manager

I have already mentioned in my second blog post what the dangers are of reusing the same password for everything, but it is impossible to remember multiple passwords. I have a few recommendations when it comes to passwords and it involves another risk-based decision. For instance, if you have enabled MFA on your accounts, then you have greatly reduced the risk of unauthorized access, so the complexity of your passwords is not as important as it would be if you didn’t have MFA (the convenience – security balance). Even reusing passwords on accounts with MFA is more tolerable because the one time password (OTP) used with your app or text message provides the extra security.

For me, I use a password manager to maintain all of my passwords. I don’t like having my browser save my passwords because if my system or browser is compromised, those passwords will most likely get stolen. I also don’t trust cloud password managers because if the cloud provider is compromised, my passwords may also be compromised (this has happened).

I recommend standalone databases that are installed on your system and encrypted themselves. I like KeePass and a lot of security research has been done on this program. It uses excellent encryption and you can place the database in a shared location if you want (such as a home network attached storage (NAS) device) and it is usable on mobile devices. It’s not stored in the cloud and allows you to maintain usernames, URLs, passwords, and other secure notes. It also has a password generator, which allows you to create very complex passwords immediately.

I actually do not know most of my passwords to websites. I use KeePass to generate hugely complex passwords for sites that don’t utilize MFA and simply store them within KeePass. If I need to access a site, I copy and paste the complex password into the browser and never see it.

Make sure you are using PINs, fingerprints, or complex passwords to access your mobile devices. There are pros and cons to using different methods, but make sure you are at least using something and preferably more than just a four-digit PIN.

Patch, Patch, Patch

Make sure that your Operating System (OS) (i.e., Windows, Mac OS X, iOS, Android, Linux) is set up to automatically download and install updates. Frequent patching is one of the best ways to prevent cyberattacks that leverage known vulnerabilities. In addition to patching the OS, make sure to patch all other third-party software installed on your devices. This is relatively simple with iPhones, for example, because the device will automatically update the OS as well as the apps installed on it.

This becomes more complex with computers because although the OS may update itself, other software like Java, Adobe, Office, Chrome, Firefox, etc. usually doesn’t. Mac is generally better at third-party app management than Windows, but Windows is getting there with Windows 10. There are apps available to help keep your Windows third-party software updated; look at for example.

Install and Maintain Security Software

Just as malware has come a long way, so has security software. Today’s (good) security software really does a lot more than the old antivirus software (hence calling it security software instead of just antivirus). Because of the sharing of common threat information and malware samples, the market for specialized security software is much different than it used to be, and in fact many great products are completely free. Windows Defender, for example, is actually a decent security software tool and is built into Windows. The nice thing about Defender is that it updates as Windows updates, so you don’t have to worry about an incompatibility with your security software every time you upgrade your OS (this used to be a common issue).

Although there are many myths around Macs being more secure than Windows computers, they face many of the same vulnerabilities as PCs. The real difference is that because Windows systems have the greatest market share and are more common in businesses, most malware is written for and directed at PCs. There is plenty of Mac malware though, and running a Mac without security software is no longer an option.

There is a mix of commercial and open source security software tools available, and they range in price from free to an annual subscription of around to . Ideally, look for software that provides anti-malware, firewall, intrusion prevention, web protection, and crypto-attack detection. Here are a few examples of security software tools I would consider (these are my own personal opinions and I’m not endorsing any particular vendor, but I have personal knowledge of the tools below):

If you really want to compare different security software vendors, check out this site.


Note – this three-part blog series was written for Author Leslie Ann Sartor and originally posted on her blog as well as author Lee Lofland’s blog.


Cyberattacks and How To Protect Your Computer and Data – Part 2 of 3
Mon, 21 May 2018 04:11:42 +0000

In my first blog, I discussed the cyber kill chain and how hackers move through predictable steps to launch an attack against a target. In that blog, I used the example of an author who was targeted because of their controversial writings and whose system was compromised with ransomware. In this second post, I am going to discuss the most common cyberattacks and how computer users can become savvy enough to detect potential malicious activity. While there are many kinds of attacks, I’m going to highlight some of the most common attacks that I see. Additionally, while the technical execution of many of these attacks is different, the methods for detection and prevention are similar if not identical.

Phishing Attacks

The most common way that computers and networks are compromised is through phishing attacks. In my scenario in the first post, the author was tricked into clicking a link within an email that caused the author’s system to reach out to a server and download malicious code. Phishing is a very easy attack to create and is more of a social engineering attack than anything technical.

Sometimes these messages are clearly phishing attacks; the message contains grammatical and spelling errors, it is sent by an organization you never do business with, or it is sent by a prince in Nigeria or the U.K. lottery asking you to claim your winnings. Clever hackers though take time in crafting their message and even if it is blasted to millions of email accounts, all they need is to steal the credit card information of just a few people to make a huge return on their investment.

Below is an actual phishing email that came to me. As you can see, the message looks legitimate and there are no obvious signs of it being malicious. Remember, the rule is to never click any links until and unless you are positive the message is legitimate.

When I hovered over the links within the email, none of them went to the domain. Instead the links all pointed to hxxp[://] This URL has since been taken down as malicious, but had I actually clicked the link when the URL was still active, my system very well may have become infected.
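The hover check described above can be automated. This is an added example (not the author's tooling, and the email below is constructed, not the real phishing message): it parses the HTML of a message and flags every link whose real destination is not the expected domain, or whose visible text shows a URL on a different host than the one the link actually goes to.

```python
"""Flag links in an HTML email whose visible text and real destination disagree."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email (hypothetical hosts, not from the original post):
# the visible text looks like the bank, but the hrefs go somewhere else.
SAMPLE_EMAIL = """
<html><body>
<p>Your statement is ready.
<a href="http://secure-login.example.net/acct">https://www.examplebank.com/statements</a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p><a href="http://secure-login.example.net/unsub">Unsubscribe</a></p>
</body></html>
"""


def registrable_domain(host):
    """Crude 'brand' domain: last two labels (www.examplebank.com -> examplebank.com).
    Good enough for a demo; production code would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


_URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


def audit_links(html, expected_domain):
    """One finding per link: does the real host belong to the expected domain, and does
    the visible text advertise a URL on a different host than the href (the classic lure)?"""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = registrable_domain(urlparse(href).hostname or "")
        shown = _URL_IN_TEXT.search(text)
        shown_domain = (registrable_domain(urlparse(shown.group(0)).hostname or "")
                        if shown else None)
        findings.append({
            "href": href,
            "text": text,
            "destination": dest,
            "off_domain": dest != expected_domain.lower(),
            "text_url_mismatch": shown_domain is not None and shown_domain != dest,
            "plain_http": urlparse(href).scheme == "http",
        })
    return findings


def suspicious_count(findings):
    """Number of links a reader should refuse to click."""
    return sum(1 for f in findings if f["off_domain"] or f["text_url_mismatch"])


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL, "examplebank.com"):
        flag = "SUSPICIOUS" if f["off_domain"] or f["text_url_mismatch"] else "ok"
        print(f"{flag:10} {f['text'][:40]!r:44} -> {f['destination']}")
```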

In some cases of phishing, instead of getting a link to click, the attacker will send a specially crafted attachment. PDFs and Office documents (e.g., Word, PowerPoint, Excel, etc.) can be embedded with malicious code and once a user opens the document the code may be able to execute. This is why in the latest version of Microsoft Office, documents are opened in safe mode and in order to edit or print, users must click a button. This safe mode prevents the document from running any macros or other code that may compromise the computer.

If you are ever unsure of a URL or a file, there are several free online resources to help. For instance, allows you to enter a URL and scan it for malware, complaints, or other warnings. It also tells you the country it is hosted in and gives a screenshot of the website you looked up. Another site,, is owned by Google and allows both URLs and files to be scanned for malware. If you receive a file from someone and you want it scanned before you double click it, upload it to VirusTotal to see if it’s malicious first.

Drive-By or Watering Hole Attacks

As organizations and individuals have become more adept at identifying phishing emails, attackers have had to change their modus operandi. One example of this evolution is a phishing email (or Facebook post, Tweet, etc.) that, instead of carrying a compromised attachment or a link that begins the download of a piece of malware, simply sends the user to a website. The website is most likely legitimate, and the user’s system would not detect anything suspicious at this point because nothing is attempting to download.

In the background, however, the attacker has compromised the website and is hosting malware on the site itself. Once the victim’s browser begins to read the contents of the website, the site delivers a malware payload to the system. This may come in the form of a download where the user is prompted to run something, or it may be a piece of JavaScript that the browser runs automatically, without user interaction, as soon as it sees the code.

These attacks are called “drive by” attacks because they can indiscriminately target anyone who browses the site, or watering hole attacks because the malicious activity is just sitting in the site, waiting for people to stop by. There have been some very popular websites compromised and embedded with malware such as CNN and Forbes so this kind of attack can be extremely widespread.

How do you spot this attack? Well, this one is tricky, and there is a possibility that nothing on your system will notify you that an attack is taking place. Some more advanced anti-malware software may catch it. Otherwise, strange things happening on your computer (a website crashing, the computer running slow with high CPU or memory utilization) or being prompted to download and run something may all be indications of a problem.

Wireless Attacks / Man in the Middle (MiTM) Attacks

While it has long been known that Wi-Fi, Bluetooth, and other wireless technologies are vulnerable to attacks, this is still a common and successful attack because people continue to connect to open access points out of convenience or to save their data consumption. Many people do not configure their home wireless access points correctly either, leaving them vulnerable to attacks by people in the area. When I was in law enforcement, I remember a case where an Internet Protocol (IP) address was identified as downloading hundreds of images of child sexual abuse. My team wrote a search warrant and executed it, only to find that the home we went to had nothing to do with the crime. Our investigation later revealed that a neighbor about three homes down was a registered sex offender and had been using this neighbor’s Wi-Fi to commit their crimes. Not securing their Wi-Fi network cost that family a huge inconvenience (not to mention a traumatic event), and it all could have been easily prevented by taking some basic security steps.

Beyond securing your personal network, you must be extremely careful with the networks you allow your devices to connect to. If you are connected to an unsecured wireless network (e.g., Starbucks), anything that your device transmits or receives that isn’t otherwise encrypted is fair game for someone also connected to that same wireless network. A wireless network acts as a hub, meaning that anyone else connected to that network can see all the traffic, not just the traffic between their own device and the wireless router. Because of this, I can set up my device on the Starbucks network to promiscuously listen to all traffic and capture it, allowing me to compile it and view anything you typed, downloaded, uploaded, etc., as long as you were doing it unencrypted (http instead of https, for example). If you navigate to a website that is not using encryption like http[://] and enter a username and password, I can sniff that out of the air and later use it. While it is true that more and more sites, especially sites that involve finance or healthcare, use encryption because it’s mandated, there are still many sites that do not. The other danger is that most people reuse passwords, so even if your bank uses encryption (i.e., https[://]) but your favorite news site does not, and you use the same password on both, once I get the unencrypted username and password and see in your traffic that you navigated to US Bank’s website, I can try your username and password on that site to see if it works. This is another huge reason to always use multifactor authentication on everything (more on this in the next post).

Another wireless attack is called the Man-in-the-Middle or MiTM attack. This kind of attack, which can also be carried out against cellular devices using devices like the Stingray, can be very dangerous. In this kind of attack, the criminal creates a rogue access point (AP) and advertises it for users to connect to. On one side of the rogue AP are the victim devices and on the other side is a path to the Internet. This allows the attacker to capture, decrypt, and record all of the traffic between the victim device and the Internet. It also allows the attacker to inject malicious traffic or redirect websites using the Domain Name Service (DNS).

To illustrate an MiTM attack, imagine you are seated at the airport and see a variety of wireless APs available to connect to. One has the name of “Free WiFi” and the other says “Free High Speed WiFi.” The “Free WiFi” is the legitimate Internet connection offered by the airport, but the “Free High Speed WiFi” is a malicious AP. An attacker sitting in your general proximity has created an AP using free software on his laptop. As your device scans for open APs it locates the High Speed AP and since anyone would want high speed over standard speed, you click to connect to the high speed AP. Once you click to connect, your device associates itself with the attacker’s laptop.

Now that you are connected to the attacker’s laptop, he essentially owns your device and the communications between your device and the Internet. Since the attacker is routing your traffic through to the Internet, as a user nothing seems out of the ordinary. In fact, the attacker is probably leveraging the airport’s free Wi-Fi to get your device out to the Internet. However, the attacker is now capturing all of the traffic coming into and out of your device and as we have already learned, anything typed in the clear (unencrypted) is recorded by the attacker in plaintext.

The attacker could make things even more interesting by using his laptop as a proxy between your device and the Internet and decrypting your encrypted traffic between your device and wherever you are browsing. Essentially what happens is your device connects to the attacker’s laptop, where he breaks your connection to your bank or Facebook account, or whatever it is you are navigating to, decrypts your traffic, and then re-encrypts it between his laptop and the destination (we’ll use your bank in this situation). Now the attacker can record even encrypted traffic such as usernames and passwords in plaintext. This attack, however, causes the user’s device to display an error message that the encryption certificate presented for the bank’s site does not match the domain name of the bank, and it requires the user’s interaction to continue. If you’re interested in the technical details of encryption, certificates, etc., send me a note and I’ll be glad to discuss it. Suffice it to say that if you get an error message about mismatched certificates (as shown below) on any device, there is a high likelihood that the certificate has been compromised or you are the victim of a MiTM attack. No matter the reason, if you get this error, stop browsing, try connecting later from a different access point or from your cellular data to see if you get the same error, or contact the institution you are trying to access.

An error message generated by Safari showing there is a problem with the website encryption certificate


The same website visited in Firefox; notice the alert over the padlock


An example of Firefox showing a correctly implemented website encryption certificate

As mentioned above, the attacker can also inject malicious traffic into your session or redirect your computer. For example, if you type google[.]com into your browser, the attacker can create DNS entries that say if a user types google[.]com, actually send them to duckduckgo[.]com. In an even more sinister scenario, the attacker could create a rule that if you type wellsfargo[.]com, send the computer to wellsfargoamerica[.]com which might be a fake website that looks exactly like the real Wells Fargo (see Pharming attacks below).

How do you spot this attack? First, don’t connect to free Wi-Fi hotspots. If you absolutely must, then make sure you are using a Virtual Private Network (VPN) connection (either through your employer or use some of the VPN services available) which creates an encrypted tunnel between you and the VPN service before you navigate the Internet. Spotting a simple MiTM rogue AP may be nearly impossible. Spotting a rogue AP acting as a proxy will give you the browser certificate error messages shown above.
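The certificate warning described above comes down to one rule: the name in the certificate must match the host you typed. As an added illustration (not the author's code and not the browser's or Python ssl module's implementation), here is a simplified re-implementation of that RFC 6125 hostname match, run against two constructed certificates: a legitimate one for a bank and the kind of mismatched certificate an interception proxy would present.

```python
"""Why a MiTM proxy trips the browser's certificate warning: hostname matching."""
import ipaddress


def _match_dns_pattern(pattern, hostname):
    """Match one dNSName pattern (possibly '*.example.com') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and needs at least two
    # labels after it, so '*', '*.com' and 'www*.example.com' match nothing.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # A wildcard covers exactly one label: '*.example.com' does not cover
    # 'example.com' or 'a.b.example.com'.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert, hostname):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output:
    {'subject': ((('commonName', ...),),), 'subjectAltName': (('DNS', ...), ('IP Address', ...))}.
    Browsers ignore commonName whenever a subjectAltName extension is present."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if kind == "DNS" and ip is None and _match_dns_pattern(value, hostname):
                return True
            if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
                return True
        return False
    # Legacy fallback: commonName counts only when no SAN extension exists.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and ip is None and _match_dns_pattern(value, hostname):
                return True
    return False


def explain(cert, hostname):
    """The verdict a browser would show the user, in words."""
    if hostname_matches(cert, hostname):
        return f"OK: certificate is valid for {hostname}"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return (f"WARNING: you asked for {hostname} but the certificate is only valid for "
            f"{', '.join(names) or 'no DNS names'}. Stop browsing and try another network.")


# Constructed certificates with hypothetical names (no real issuer data).
BANK_CERT = {
    "subject": ((("commonName", "www.examplebank.com"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "examplebank.com")),
}
# What an interception proxy typically presents: a certificate minted for some
# other name, so it cannot match the bank's domain and the browser complains.
PROXY_CERT = {
    "subject": ((("commonName", "free-highspeed-wifi.example"),),),
    "subjectAltName": (("DNS", "*.free-highspeed-wifi.example"),),
}

if __name__ == "__main__":
    print(explain(BANK_CERT, "www.examplebank.com"))
    print(explain(PROXY_CERT, "www.examplebank.com"))
```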

Pharming and Illegitimate Websites

Pharming, like its sister phishing, is an attack that socially engineers a user. Instead of sending a message out, pharming is more like the watering hole attack in that it waits for victims to stop by. Pharming is usually done by an attacker who creates a fake website, makes it look legitimate, and tricks users into visiting the site and entering their sensitive information (like credentials). Take this scenario: an attacker knows that because of a recent disaster, many users will be donating money to the American Red Cross on the legitimate website redcross[.]org. So, the attacker uses a free tool to “scrape” the actual Red Cross website, purchases the domain name redcross[.]info, and then uploads the copy of the real Red Cross website to a server hosted with Amazon Web Services (AWS). The attacker then begins a massive spam campaign asking people to donate and provides the link redcross[.]info; as people go to that site, it looks completely legitimate, just like the real site. Users begin to donate millions of dollars to a PayPal account, all of which goes to the attacker’s bank account.

This kind of attack can also be used by taking advantage of common misspellings or known letter combinations that people may not notice in the URL bar of their browser.

How do you spot this type of attack? This one may be difficult or impossible. Since nothing malicious is actually running on your computer (unless the attacker is combining Pharming with another attack) and you are just entering information into a website, there may be no signs or alerts at all. The best way to prevent this type of attack is by being very careful what you type into the URL address bar of your device, using known good bookmarks instead of relying on searches each time, and if you are given a link to click, make sure it matches the known website. Sometimes if I get a link from someone to follow, instead of clicking the link I will Google the organization and go to it that way, or at least confirm that what was in the link matches what is in Google.
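The advice above (keep known-good bookmarks and check that a link matches them) can be turned into a check. This is an added example, not the author's tooling: it compares a link's host against a constructed bookmark list and reports the lookalike patterns the post describes: a brand name on the wrong TLD (redcross.info), a brand name padded with extra words (wellsfargoamerica.com), confusable characters, near-miss typos, and a brand name buried in a subdomain.

```python
"""Check a link's host against known-good bookmarks for pharming lookalikes."""
from urllib.parse import urlparse

# Constructed bookmark list (hypothetical, not the author's): the sites you know.
KNOWN_GOOD = {"redcross.org", "wellsfargo.com", "examplebank.com"}

# A few characters often swapped for look-alikes; a real tool would use the
# full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def registrable_domain(host):
    """Last two labels of the host (demo-grade; production code uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Classic edit distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url, known=KNOWN_GOOD):
    """Return (verdict, matched_bookmark, reason) for the link's host."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    dom = registrable_domain(host)
    if dom in known:
        return ("known-good", dom, "exact match to a bookmark")
    name, _, tld = dom.rpartition(".")
    folded = name.translate(CONFUSABLES)
    for good in sorted(known):
        g_name, _, g_tld = good.rpartition(".")
        # Brand used as a subdomain of some other registrable domain.
        if not host.endswith("." + good) and ("." + good + ".") in ("." + host + "."):
            return ("lookalike", good, "bookmark name appears as a subdomain of " + dom)
        if folded == g_name:
            if tld != g_tld:
                return ("lookalike", good, "same name on a different TLD (." + tld + ")")
            return ("lookalike", good, "confusable characters substituted in the name")
        if len(g_name) >= 5 and g_name in folded:
            return ("lookalike", good, "bookmark name padded with extra words")
        if len(g_name) >= 6 and levenshtein(folded, g_name) <= 2:
            return ("lookalike", good, "within two edits of the bookmark name")
    return ("unknown", None, "no bookmark resembles this host; verify it independently")


if __name__ == "__main__":
    for link in ("https://www.redcross.org/donate", "https://redcross.info/donate",
                 "https://www.wellsfargoamerica.com/login", "https://wellsfarg0.com/",
                 "https://wellsfargo.com.login.example.net/", "https://duckduckgo.com/"):
        print(link, "->", assess(link))
```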

In all of these attacks the bottom line is to pay attention, don’t click links that you don’t absolutely trust, actually read error messages that pop up on your screen before just clicking “OK”, don’t connect to public Wi-Fi APs, and make sure the certificate of an encrypted website you are visiting matches the domain name. In the last post of this series I will discuss the preventative strategies you can take to help harden your systems from attack and some proactive steps you can take to reduce the likelihood of being compromised.

Note – this three-part blog series was written for Author Leslie Ann Sartor and originally posted on her blog as well as author Lee Lofland’s blog.



Cyberattacks and How To Protect Your Computer and Data – Part 1 of 3
Mon, 21 May 2018 03:53:11 +0000

Cyberattacks and data breaches are unfortunately commonplace in the daily news cycle. Many of us have had our personal, healthcare, and financial data breached so many times that we are used to receiving letters notifying us of unauthorized disclosures or getting signed up for yet another credit monitoring service. Cybercrime is out of control, and the most infuriating part is that most of the attacks are neither sophisticated nor require an expert hacker. Indeed, most of the successful attacks use the same modus operandi that they have for a decade.

The fact that the majority of attacks are not sophisticated is as troublesome as it is helpful. Since we know what most attackers do, it makes the identification and prevention of these attacks easier. Individuals and small to medium businesses often assume (incorrectly) that if the United States Federal Government or massive corporations such as Home Depot, Anthem, Yahoo!, Target, and Equifax, who spend millions of dollars each year on cybersecurity, can’t keep hackers out, then there is no possible way they can defend themselves.

It is true that many cyberattacks are easily preventable and only effective because mistakes have been made which create vulnerabilities. However, it is also true that this world has nation state military units and sophisticated hackers which target government agencies, universities, corporations, and high-value individuals. When a skilled attacker has set their sights on a victim and has the means, opportunity, and intent to launch a cyberattack against that victim, these attacks may use techniques, tactics, and procedures that are highly complex and extremely difficult to detect. For the purposes of this article, I am not discussing these advanced attacks.

In this first blog post of a three-part series, I am going to focus on the cyberattack kill chain and lay the foundation for how cyberattacks happen. The focus audience of this post is individuals who are trying to protect their personal devices and data from cyberattacks. The next blog post will discuss the most common attacks and how to spot them, and finally I will discuss preventative strategies that people can take including security software, configurations, and backup strategies.

Cyberattack Kill Chain

Each cyberattack goes through a series of steps to accomplish its mission. Depending on the target, mission objectives, and abilities of the attacker this kill chain may happen very quickly or may take months to years to accomplish. Sometimes an attack is to simply disrupt a business competitor or political adversary. Attacks like this are generally carried out through Distributed Denial of Service (DDoS) attacks or website defacement. Other attacks are performed with the intent of gaining intelligence about a competitor or government agency, and yet others are to steal intellectual property, harass someone, or to support a political ideology (hacktivism).

The attack kill chain is comprised of the following steps:

  1. The target is defined: This may simply be a target of opportunity (e.g., a person in close proximity to a hacker that has a vulnerable mobile device) or could be targeted due to the person’s position, the value of their data, etc.
  2. Reconnaissance: The attacker begins to research the target. What information is available via public open source intelligence (OSINT) such as Facebook, LinkedIn, Google, public databases, etc. What IP addresses are assigned to the target, what operating systems do they use, and are there any known vulnerabilities for the target’s Internet connected systems?
  3. Weaponization: The attacker develops their weaponized attack, which is generally malware (malicious software) such as a Trojan horse, virus, ransomware, worm, etc. or may utilize a previously unpublished exploit known as a zero-day (0-day). The weapon must be able to exploit a vulnerability, which is what the attacker discovers during the recon stage.
  4. Delivery: The attacker delivers the payload to the victim. This may be done in a variety of ways such as via an email attachment or embedded link (phishing), through a chat session, uploading a file to a server on the Internet, compromising a website and then sending the victim to the compromised website (also called drive-by attacks), or several other methods.
  5. Exploitation: Once the payload has been delivered, the malicious code must execute to exploit the system. Malicious code can be executed by the attacker, by the system itself, or frequently by a user who clicks something and executes the malware.
  6. Installation: After the vulnerability is exploited the malware is installed on the system. Most attackers want one thing: persistence. They want to get on a system and stay on a system, having the ability to do internal recon now that they are inside the network and to move laterally to other systems to stay within the network and spread their attack. Some advanced malware only lives in RAM and never actually “installs” on a hard drive, making post-mortem examinations of systems difficult.
  7. Command & Control: Once the malware is installed it generally opens up the system to receive commands from the attacker (known as Command & Control, or C2). Malware may “phone home” occasionally asking for any new commands from the C2 which may tell the malware to perform functions such as copy and send data from the computer to the attacker’s system, activate the system’s webcam, or any number of other things.
  8. Exfiltration: Generally the main goal, this is the step where the attacker gets access to data and begins sending (exfiltrating) the data from the system to the attacker.

Cyber Kill Chain
Source: EventTracker

There are several ways to make yourself less susceptible to a cyberattack, such as reducing the attack surface, target hardening, and learning how to identify potentially dangerous situations online or in emails.

A Practical Scenario

An author is putting their finishing touches on their latest work in preparation of sending it off for review. This author is somewhat controversial and critics are anticipating the release of the new book, posting negative comments all across the Internet. A hacker decides to make a statement by attempting to hack this author’s computer and disrupt the author’s ability to publish the book as well as steal a copy of the book before it is released. Step 1, target acquisition is complete.

The hacker begins by finding out as much as possible about the author through social media, Internet posts, interviews, and any other source of OSINT. The hacker is able to determine through social media that the author has a daughter in the fourth grade and because of geotagged photos posted of the author’s daughter, the hacker determines what school the daughter attends. The hacker now downloads the logo of the elementary school as well as an offline copy of the school’s website. Step 2, reconnaissance is complete.

The hacker obtains a variant of ransomware from a hacker website and places the malicious code on a server controlled by the hacker and sitting inside of Amazon Web Services (AWS). The malicious code is just waiting to be downloaded and executed by anyone who visits the server. Step 3, weaponization is complete.

Next, the hacker drafts an email using the same logo, colors, and “look and feel” as the elementary school’s website. The hacker addresses the email to the author’s email address (which was obtained via Google) and sends it to the author during school hours, claiming that there has been an active shooter incident at the school. Included in the email is a link that tells the author to click for further details. As any parent would, the author clicks the link in the email. When the author clicks the link, they are directed to a webpage that looks exactly like the school’s site. They receive some bothersome pop-up that they don’t read because they are terrified about their child’s safety, and they just click “ok” to close the window and see what is going on at the school. In reality, when the author clicked the link they navigated to a fake site hosted by the attacker, and their computer downloaded the ransomware code. When the code attempted to execute, a pop-up appeared asking for administrative privileges to execute the code. When the author clicked “ok” they executed the ransomware on their computer. Steps 4, 5, and 6 (delivery, exploitation, and installation) are complete.

The ransomware on the author’s computer immediately begins encrypting data on the hard drive, searches the drive for any .doc or .docx files, compresses them, and exfiltrates them to the attacker’s C2 server located in AWS. The author has now lost their latest manuscript and cannot access any files on their computer due to the ransomware encryption. Steps 7 and 8 (C2 and exfiltration) are complete.

This scenario is exactly the kind of targeted social engineering attack that occurs on a daily basis and is extremely easy to perpetrate. In future blog posts I will discuss how to recognize attacks and how to harden your systems to try and prevent malicious activity.

Note – this three-part blog series was written for Author Leslie Ann Sartor and originally posted on her blog as well as author Lee Lofland’s blog.


