Thursday, August 25, 2016

Apple releases iOS 9.3.5 to block a sophisticated iPhone spy technique

Updated 26 August: Brief update - here is a link to the original (and in-depth) report by Citizen Lab, the firm that identified the vulnerabilities and ferreted out the origin of the attack.

When a mobile phone provider sends you an update for your phone, it's usually a good idea to install it. Sometimes it's a better idea than others.

This is one of those times: Apple just released an update for iPhones, fixing three very serious bugs that together have been exploited in secret to spy on apparent Middle Eastern targets. Through the flaws, merely clicking on a link can "jailbreak" an iPhone - defeating the security measures Apple has built in and giving the attacker complete control of the device (and any private information on the device).

Your iPhone will prompt you to update to iOS 9.3.5 very shortly. Do it.

Motherboard has an article describing how the flaw was discovered and how it was being used to spy on individuals.


The SANS Internet Storm Center has a concise description of the three flaws and how they work together to compromise a device.

And here is Apple's release bulletin.



What do you need to do?


Open the Settings app on your iPhone or iPad and go to General -> Software Update, or connect the device to iTunes on your Mac or PC. If you are running iOS 9.3.5 (the latest update as of this writing), your device will show that it is up-to-date. If you are running an older version, your device will show an update is available. Install it!

Tuesday, August 9, 2016

Beginner's Guide to Information Security

This summer, ten other security professionals and I wrote a book called the Beginner's Guide to Information Security. It is available now on Amazon for the Kindle and Kindle Reader apps! Our eventual goal is to give it away, but the publisher doesn't make that easy. For now, any proceeds from book sales will be donated to Without My Consent, an organization that combats online harassment.

I am in awe of the giants of the field I was privileged to write with!

Chapters include:



Friday, July 29, 2016

Do your data retention policies match reality?

In a 2009-2010 drug trafficking case, Yahoo was able to produce email that their retention policy stated should not be available. The culprits were convicted in part through email they had written and subsequently deleted. Naturally they would like to know how they surfaced. A US court has now ordered that Yahoo explain how they recovered the email.


Why does that matter to me?


From an information security perspective, data in our possession is both an asset and a liability. An asset in that it can support business operations and enable servicing our customers; a liability in that data that has value to us may also have value to a third party (whether a public official or someone with criminal intent).

Retention policies serve to manage risk by defining how long an organization believes the value (or regulatory obligations) of data outweighs the risk of that data being compromised. If data remains recoverable beyond the retention policy, it represents an unmanaged and perhaps unrecognized risk.

As an extreme example I once came across a database of customer names, addresses, and credit cards, left exposed on a web server. Incredibly, the database belonged to a company that had stopped using that web hosting business years earlier. There was simply no reason for that database to still exist on those servers. Had the company deleted the no-longer-needed information, there would never have been a breach.

Define retention policies - and then ensure those policies are carried out.
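One way to "ensure those policies are carried out" is a periodic audit that flags records still recoverable past their retention window. The script below is an added example, not code from the original post; the policy table, record format and audit date are constructed for illustration and the deleted-but-still-present check mirrors the Yahoo scenario above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed policy table (not any real organisation's):
# category -> (max age in days for live data,
#              days a deleted item may remain recoverable before it must be purged)
RETENTION_POLICY: Dict[str, Tuple[int, int]] = {
    "email": (365, 30),
    "card_receipt": (60, 0),       # dispose once the monthly statement arrives
    "tax_record": (7 * 365, 30),   # kept several years, then purged
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    deleted: Optional[date] = None  # date the owner deleted it, if ever


def violation(rec: Record, policy: Dict[str, Tuple[int, int]], today: date) -> Optional[str]:
    """Return why this record is an unmanaged risk, or None if it is within policy."""
    if rec.category not in policy:
        return "no retention policy defined"          # unmanaged by definition
    max_age, purge_lag = policy[rec.category]
    if rec.deleted is not None and (today - rec.deleted).days > purge_lag:
        return "deleted by owner but still recoverable"  # the Yahoo situation
    if (today - rec.created).days > max_age:
        return "retained past policy window"           # the forgotten database
    return None


def audit(records: List[Record], policy: Dict[str, Tuple[int, int]], today: date) -> Dict[str, str]:
    """Map each out-of-policy record id to the reason it should have been purged."""
    findings = {}
    for rec in records:
        reason = violation(rec, policy, today)
        if reason is not None:
            findings[rec.record_id] = reason
    return findings


# Constructed sample data for a run on 29 July 2016.
TODAY = date(2016, 7, 29)
SAMPLE_RECORDS = [
    Record("mail-1", "email", date(2016, 5, 1)),                     # 89 days old: fine
    Record("mail-2", "email", date(2010, 3, 12), date(2010, 4, 2)),  # deleted in 2010, still here
    Record("card-1", "card_receipt", date(2016, 3, 1)),              # 150 days old, limit 60
    Record("tax-1", "tax_record", date(2012, 4, 15)),                # well inside 7 years
    Record("legacy-db", "customer_cards", date(2009, 1, 1)),         # nobody wrote a policy
]

if __name__ == "__main__":
    for record_id, reason in audit(SAMPLE_RECORDS, RETENTION_POLICY, TODAY).items():
        print(f"{record_id}: {reason}")
```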


So what? I'm not an information security person


The same principle holds true for personal life. Clean up your data every once in a while.

Pictures may have a lifetime of value. Tax records should be kept for several years (for US readers, the IRS has some guidelines). Credit card records generally can be disposed of once you get your monthly statement (though I personally keep receipts for high-value items until the warranty expires). To grossly paraphrase a quote by Albert Einstein, keep information for as long as it is useful, but no longer.

Thursday, July 21, 2016

iOS 9.3.3 for iPhone and iPad: update sooner rather than later

Update 24-July: to date I am not aware of any public exploits for these vulnerabilities. The only exploits I am aware of reside with the discoverer at Talos, and will not be publicly released. Still, the damage that could be done if a criminal hacker worked out an exploit is significant enough that this is a must-install update. 

Apple released software updates for many of its products this week - iOS for iPhones, iPads and iPods; OS X for Mac laptops; watchOS for Apple Watch; tvOS for Apple TV; iTunes for Windows; and the Safari web browser. This is a case where you might want to update sooner rather than later, at least if you use an iPhone or iPad.

About a year ago, an Austin researcher found a flaw in a core component of Android, which became known as the StageFright vulnerability. This component was responsible for processing images and videos, and could be exploited by merely sending a maliciously-designed MMS message. The recipient did not have to view the message - the phone would process the image automatically once it was received.

This spring, a researcher with Cisco's Talos team found a very similar flaw in ImageIO, a component of the operating system that is used for all image handling. Just like StageFright, ImageIO has what the security profession calls a Remote Code Execution, or RCE, flaw. A hacker can design a malicious image file that exploits this flaw to run any program or instructions they want. All they have to do is get you to open the image - which is as easy as sending the image via MMS message so that your phone automatically loads the image and has it ready for you to see.

Wednesday, June 22, 2016

Taking a break

I am taking a bit of family time before starting a new job in mid-July. Barring any major security events, I will not be publishing any posts for the next few weeks. See you in late summer!

Wednesday, June 8, 2016

IRS levels up consumer security: the good, the bad, and the ugly

On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.

The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.

But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. And guess what information is required to prove your identity? The same information that may have already been stolen in the past.

The result is what is known in the security world as a "race condition": access is granted to whomever can "prove" your identity first.

Thursday, June 2, 2016

TeamViewer Hacked? Maybe, maybe not - but take precautions

TeamViewer may or may not have been hacked. Regardless, here are some sane precautions for remote control software.

I've seen a lot of noise over the past 24 hours suggesting that TeamViewer - a popular remote control product for computers - is being used by crooks to break into PCs, then use logged-in sessions on those computers to make purchases, transfer money, etc.

TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that I can control over the Internet, though, could potentially also be controlled over the Internet by a malicious hacker who knew the right access information.

It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.

The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If my LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.

Regardless, a few precautions can limit the potential for harm.

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.