Tuesday, July 28, 2015

Your password isn't as strong as you think

Your password may not be as strong as you think it is


How strong is your password?


You've heard the recommendations: mix uppercase and lowercase letters, add in a number or two, and if you're really on the ball, add a "special character." Something like 16F^umQcb makes use of all four categories and is suitably random; as 9-character passwords go, it's pretty strong.


Guess what?


Austin15! uses all four categories too. So do Fall2015$ and IL0veTX<3. If a website shows a "password strength meter" when you create or change a password, more than likely it will deem these passwords pretty good despite the obvious patterns.


Unlike my random example earlier, though, these examples follow a predictable pattern: a dictionary word, possibly with a letter or two changed, with a couple of digits and punctuation marks thrown in for good measure. We humans are pretty predictable: we tend to use the same patterns.
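To make the point concrete, here is an added example (my own illustration, not code from this blog or from any real strength meter) that puts a naive class-counting meter beside a pattern-aware check. The meter scores 16F^umQcb, Austin15!, Fall2015$ and IL0veTX<3 identically; the pattern check strips the digits and punctuation, undoes common letter substitutions, and looks the remaining core up in a word list. The word list, the substitution table and the scoring thresholds are all assumptions constructed for the demo; a real checker would use a full dictionary or a cracked-password corpus.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary (assumption: a
# production checker would load a full word list or cracked-password corpus).
WORDLIST = {"austin", "fall", "spring", "summer", "winter", "love", "password",
            "texas", "welcome", "monkey", "dragon"}

# Common letter-for-symbol substitutions; cracking rule sets undo these before
# comparing against a dictionary, so a checker should too.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def class_count(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, special."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def naive_meter(pw: str) -> str:
    """A typical class-counting meter: classes plus a length bonus, no pattern awareness."""
    score = class_count(pw) + (1 if len(pw) >= 8 else 0)
    if score >= 4:
        return "strong"
    if score == 3:
        return "good"
    return "weak"


def pattern_findings(pw: str) -> list:
    """Return the human patterns found in pw (empty list means none detected)."""
    # Split into leading non-letters, the letter-bearing core, trailing non-letters.
    prefix, core, suffix = re.match(r"^([^A-Za-z]*)(.*?)([^A-Za-z]*)$", pw).groups()
    normalized = core.lower().translate(LEET_MAP)
    findings = []
    # Longest dictionary word (4+ letters) hiding in the normalized core.
    words = sorted((w for w in WORDLIST if len(w) >= 4 and w in normalized),
                   key=len, reverse=True)
    if words:
        findings.append(f"dictionary word '{words[0]}'")
        if normalized != core.lower():
            findings.append("leet substitution")
        if prefix or suffix:
            findings.append("digits/punctuation appended to a word")
    if re.search(r"(?:19|20)\d\d", pw):
        findings.append("four-digit year")
    return findings


def assess(pw: str) -> dict:
    """Compare the naive meter's rating with a pattern-aware verdict."""
    findings = pattern_findings(pw)
    return {
        "classes": class_count(pw),
        "naive": naive_meter(pw),
        "patterns": findings,
        # Any recognizable human pattern overrides the class-count rating.
        "verdict": "weak" if findings else naive_meter(pw),
    }


if __name__ == "__main__":
    for candidate in ["16F^umQcb", "Austin15!", "Fall2015$", "IL0veTX<3"]:
        print(candidate, assess(candidate))
```

All four passwords earn four classes and a "strong" from the naive meter, but only the random one survives the pattern check. Dropbox's open-source zxcvbn library applies this same idea at scale (dictionary, leet, date and keyboard-walk matching) and is a better choice than a home-grown class counter for a real sign-up form.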

Monday, July 20, 2015

Commentary on the BIS proposal regarding the Wassenaar Arrangement

The Bureau of Industry and Security (BIS) has proposed rules related to the Wassenaar Arrangement, a set of agreements intended to limit the exchange of weapons and related research. As cyber security gains attention, the WA has been expanded to cover cyber research. Specifically, the BIS proposes to require export licenses for products and documentation related to network and software vulnerabilities. These rules have the potential to severely restrict the sort of work I and my peers in the industry do. The BIS is taking public comment through today. Below are my comments to the BIS, taken in large part from a previous post on Security Shades of Grey.

On morality and data breaches: thoughts on AshleyMadison


Online cheating site AshleyMadison was hacked and its patrons' personal information made public. Before pointing fingers, here are some thoughts as both a Christian and a hacker.

Late Sunday night Brian Krebs published news that online "cheating" site AshleyMadison had been the latest victim of a data breach. Given the site's business model (their slogan is "Life is short. Have an affair." I think you can infer the business model), it is tempting to sit back on our moral high horses laughing at the company and its patrons.

That is entirely the wrong response.

Thursday, July 16, 2015

What can a natural disaster teach us about incident response?

During the overnight hours of Saturday night and Sunday morning May 23-24, heavy rain in the Texas Hill Country triggered a flash flood of near-Biblical proportions in Wimberley and San Marcos. This is the story of a disaster response program executed exceptionally well.

Flooding rains are not uncommon in Central Texas. The region has long been known as "Flash Flood Alley" due to its hilly terrain, shallow soils, and proximity to the moisture-laden Gulf of Mexico. When rain falls, it essentially has two options: soak into the soil, or flow downhill; the shallow and rocky soils of the Hill Country limit the former, so even a moderate rain causes runoff.

The weekend of Memorial Day 2015, however, was something else entirely. Over a period of a few hours, between nine and 12.5 inches of rain fell over a wide range of the Hill Country - much of which fell within the watersheds of the Blanco and San Marcos rivers. A foot of rainfall - a third of a typical year's total - inundated the region in just a few hours, and had to go somewhere.

Wednesday, July 8, 2015

Time to patch Adobe Flash Player. Now.


An exploit for Adobe Flash Player is being actively used to infect computers with ransomware. Here is action you need to take NOW.
This article was written about a specific incident the first week of July 2015, but the instructions are what I have recommended for at least a year - and will continue to be appropriate into the future. Also of note, the recommendation to make browser plug-ins "Click to Play" is effective against exploits in all sorts of plug-ins, including Flash, Silverlight, Adobe Reader, Windows Media Player, and more.

Last updated July 15, 2015

Early this week, the security firm Hacking Team was the victim of a massive network breach in which a large amount of company data was stolen and made public. This data included among other things a previously-unknown exploit against Adobe Flash Player. 

This exploit was quickly added to popular crimeware exploit kits (products that make it easy for an amateur criminal to create and deploy malware). It is actively being used to deliver "Cryptolocker," a form of malware known as ransomware - malicious software that encrypts all your files and then demands a ransom payment to return the files to you.

In short, a fully-patched PC could be completely owned simply by browsing to a web site carrying a malicious Flash object. Since Flash videos are a common type of advertisement, you do not even need to browse anywhere unusual - a malicious ad slipped into the rotation at your favorite news site would be enough.

Adobe released an update this morning to fix the vulnerability. Here is what you need to do.

Tuesday, July 7, 2015

Hacking Team: Words of caution regarding dirty laundry

Hacking Team, a notorious hacking firm with a rather dubious reputation, finds themselves the victim of a thorough hack.

When a notorious hacking firm with a rather dubious reputation is themselves the victim of a thorough hack, what happens with their dirty laundry? More to the point, what is appropriate with their dirty laundry?

Hacking Team is an Italian security company that develops and sells surveillance and malware tools, in many cases to governments and law enforcement organizations. While the company claims to sell only to "ethical" governments, there has long been evidence of their tools being used by questionable, if not outright oppressive, regimes.

Sunday evening my Twitter timeline lit up with reports that Hacking Team had themselves been the subject of a severe hack, with 400 gigabytes of company data stolen and shared publicly on the Internet. This data included company email, contracts, customer lists, passwords, malware exploits, and source code for their surveillance products.

The released data may have included much more.

Over the next 24 hours, "amateur investigators" around the globe downloaded and dug through the breach data and began to share things they found. The earliest revelations included lists of internal company passwords - passwords to database and server administration accounts, passwords of a nature that one would expect an "elite security firm" to know better. Passwords such as "Passw0rd!", "wolverine", and "HT2015". While every password can eventually be broken or stolen, every security consultant worth her salt knows the basic rules: long, unique, random passwords are far less likely to be cracked.

As the day progressed though, the revelations became more disturbing.

It should come as no surprise that government organizations such as the US Federal Bureau of Investigations and Drug Enforcement Agency would buy commercial cyber espionage tools. More interesting though are reports that Hacking Team - while stating on the record that they did not do so - did business with nations embargoed by the European Union (of which Italy is a member).

The divulged source code included what appears to be yet another Flash Player exploit, apparently useful against even the most current version of Flash Player. If you have not done so already, make your browser plugins "click to play." It truly is negligible inconvenience and provides a good layer of safety.

Worse, though, was a snapshot of source code, possibly taken out of context (either by a novice programmer or by one who knew better but intended to mislead), though possibly portrayed accurately.

An image circulating yesterday showed programming code that suggested a Hacking Team malware product actually planted child pornography. I can think of no legitimate reasons to do this, but can think of a few quite nefarious reasons. The most obvious would be setting up extortion/blackmail schemes. 

An individual that reviewed the rest of the code says it is actually looking for, not planting, these files, and that the piece of code in question is likely a test routine used to demonstrate it to a potential customer. For reasons I will explain momentarily, I have not downloaded or reviewed the code myself.


This leads directly into my purpose in writing today. Downloading and commenting on data from major breaches has become something of a sport for amateur investigators (a term I use intentionally). I am not qualified to speak of the legality of accessing formerly-private data that has been made public. Personally I see it as similar to rummaging through a found purse or wallet: possibly acceptable to identify the owner, but ethically questionable otherwise.


I am however qualified to speak a word of caution to would-be armchair investigators.

Hackers with malicious intent managed to break into Hacking Team's network and exfiltrate an enormous amount of information. How they got in is not yet clear, but if they could compromise a professional security company, are you certain they could not also compromise you or your company?

I hope everyone has been very careful combing through these documents. I feel like this is a very clever setup to own all the journalists...

Malicious hackers are also known to use newsworthy events as bait to trap new victims. They are experts at search engine optimization, in which they use various tricks to make their links appear at the top of Google or Bing search results. Can you be sure the "400GB Hacker Team Torrent" you are about to download is the real thing and not a fake bundle of malware?

Finally, and most importantly, you cannot know in full what the breach data contains before downloading it. Certain types of information (in particular, child pornography images or videos) are illegal to even possess if one is not an authorized law enforcement officer investigating a crime - and even in those cases, the investigators prefer to deal with file hashes (uniquely identifying markers) rather than the actual files. Given the suggestion that this firm plants contraband material, it raises suspicion that the breach data could contain the same. Sure, that suggestion may be completely misleading, but do you want to risk it? I don't.

Professional investigators have a legitimate reason to peruse this data. There will be some involved in investigating the crime that took place (breaking into and stealing data from Hacking Team). There may well be national or international investigations into the business practices Hacking Team engaged in. Malware and security businesses worldwide have a distinct interest in reverse-engineering the exploits and malware code Hacking Team developed, so they can in turn add protection to their respective security software.

Aside from those purposes (by individuals trained in safe handling of suspected-malicious content), I urge caution.


Update 7 July: The Flash Player exploit from the breach has been added to at least one crimeware kit, and is actively being used to deliver cryptolocker ransomware to FULLY PATCHED Windows PCs. A patch is expected on Wednesday; in the meantime, the only effective protection is to either remove Flash from your PC, or set the plugin to "click-to-play". If you require the Flash Player, I strongly suggest setting your browsers to ask before running Flash content.

Tuesday, June 30, 2015

Incident response lessons from the Texas flash flood

What can a natural disaster teach about incident response planning? This is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.
During the overnight hours of Saturday night and Sunday morning May 23-24, heavy rain in the Texas Hill Country triggered a flash flood of near-Biblical proportions in Wimberley and San Marcos. This article (published at CSOonline) is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.

Whois David?


I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 15, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.