Wednesday, September 2, 2015

Comments on proposed FCC rules regarding wireless devices

The FCC proposes new regulations on wireless devices that could severely restrict innovation and security improvements.
The Federal Communications Commission, or FCC, is the government agency that regulates radio, television, satellite, and other forms of communication in the United States. Within its scope is regulating radio frequency (RF)-emitting devices to ensure one person's devices do not interfere with another's.

It is in this capacity that the FCC proposed new rules in August, rules that could have significant unintended consequences for end users and security researchers. In particular, the rules could put an end to highly popular aftermarket firmware such as OpenWRT and Tomato for wireless routers, and CyanogenMod for Android phones.

The comment period during which the FCC will accept public comment ends on September 8. Please take a moment to submit your comments to the FCC here.

According to the proposal, the FCC last reviewed its equipment review and authorization process over 15 years ago, during which time the RF environment has grown dramatically (to wit, the explosion of the Internet of Things). It is sensible to review regulations periodically and to ensure the rules still make sense. For the most part, the proposed rules do make sense - but with a few significant caveats. 

Tuesday, September 1, 2015

What if connected devices were secure right out of the box?

For over 120 years, Underwriters Laboratories has given manufacturers and developers a trusted way to assure consumers that products are physically safe. Noted hacker "Mudge" is on a mission to do the same for connected products.

In late June, hacker and researcher Peiter Zatko, better known to many by the moniker "Mudge," left a position at Google to launch a so-called "Cyber Underwriters' Laboratory." The concept has been variously celebrated and panned by respected researchers and security experts.

Rob Graham (aka @Errata_Rob) calls it a dumb idea in so many words. Rob goes so far as to call it a "Vogon approach," an allusion to the alien species from Douglas Adams' Hitchhiker's Guide to the Galaxy. In Rob's view, the problem isn't hacking or physical quality defects - and in this Rob is exactly right. Elite hackers exist, and they do elite things - but most consumers are not their prey. Their prey by and large is higher-value targets - businesses, governments, and perhaps individuals in positions of significant wealth, power, or influence.

Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Wednesday, August 26, 2015

The Ashley Madison breach is a gold mine for scammers

The Ashley Madison breach is a gold mine for scammers and extortionists, and some "search the data" sites are scams in their own right. The only breach search site I trust: Have I Been Pwned.

I've not said anything about the Ashley Madison breach since my initial thoughts on glass houses and collateral damage last month (which essentially boil down to not throwing stones in glass houses, and considering the collateral damage to the betrayed spouses and children before going on a witch hunt). There's one more aspect that I think appropriate to mention though.

Any newsworthy event is going to result in clever advertising, spam and phishing emails hoping to capitalize on the fact that something is in the news. The Ashley Madison breach is no different.

Tuesday, August 25, 2015

Cracking a CTF [Part 1]

Capture the Flag, hacker style: walking through the first four puzzles in the 2015 Hou.Sec.Con pre-conference CTF.

I grew up playing Capture the Flag in my backyard. Now with kids of my own and a couple of acres of mostly undisturbed woods to call my own, my family enjoys the occasional evening of Capture the Flag.

In hacker culture, a different sort of Capture the Flag (or CTF) is a common way to hone our skills and compete against peers. In hacking CTFs, the flags are digital rather than physical, and the field is bits and bytes rather than grass and trees, but there are still similarities. In both cases, winning requires a combination of skills: sheer speed is rarely enough, but at the same time my carefully-planned strategy has many times been derailed by a quicker opponent.

Most hacker and security conferences include some sort of a CTF challenge. I wrote a couple years ago of winning a trophy by "cheating" at a social engineering CTF (in fairness, I was upfront about my approach, and the rules of engagement did not prohibit reverse engineering the scoring portal to steal the flags!).

This time, I am participating in an online CTF ahead of Hou.Sec.Con, the Houston Security Conference. And since the event is online, it is a chance for me to not only compete, but let my 11-year-old daughter shoulder surf and give her own ideas while learning.

Monday, August 17, 2015

Introducing a new forensics tool: RegLister

TL;DR: Hop over to GitHub to download RegLister, a new command line digital forensics tool for scanning the Windows registry to identify unusually large data entries that could be indications of malware hiding.

Fellow Austin security pro Michael Gough first introduced me to the idea of malware hiding in the Windows registry a couple of years ago. It's sneaky but it makes sense: most antivirus products depend on a malicious file existing on the hard drive. They scan the disk periodically for malicious programs, and will scan files written to or read from the disk when that read or write occurs. 

If malware files never touch the disk, then when will antivirus scan them?
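The heuristic RegLister applies is simple: registry values normally hold a few bytes of configuration, so a value holding tens of kilobytes of binary data is worth a second look. The following is an added example of that heuristic, not RegLister's own code. It assumes a 20 KB threshold (a choice made here, not one the tool documents), sizes values the way winreg hands them back, and scans a small constructed set of values when run anywhere other than Windows.

```python
"""
Find unusually large registry values, the idea behind RegLister.

Added example, not RegLister's code. Fileless malware that stages its
payload in the registry still has to store it somewhere, so the tell is a
REG_BINARY or REG_SZ value far larger than the configuration data around
it. The sizing and scoring below run anywhere; the walker at the bottom
needs the Windows-only winreg module.
"""
import sys
from dataclasses import dataclass

# Windows registry value type codes (same numbers as winreg.REG_*),
# defined locally so the sizing logic can run off Windows.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11

# Assumed threshold: ordinary values are a few bytes to a few KB, so
# anything over 20 KB is rare enough to deserve a look.
DEFAULT_THRESHOLD = 20 * 1024


@dataclass(frozen=True)
class RegValue:
    key: str        # full key path, e.g. r"HKLM\SOFTWARE\Classes\CLSID\{...}"
    name: str       # value name ("" is the key's default value)
    type_code: int  # REG_* code
    size: int       # data size in bytes


def data_size(data, type_code):
    """Approximate the stored size of a value as returned by winreg.EnumValue."""
    if type_code in (REG_SZ, REG_EXPAND_SZ):
        return len(data.encode("utf-16-le")) + 2                   # UTF-16 plus NUL
    if type_code == REG_MULTI_SZ:
        return sum(len(s.encode("utf-16-le")) + 2 for s in data) + 2
    if type_code == REG_DWORD:
        return 4
    if type_code == REG_QWORD:
        return 8
    if isinstance(data, (bytes, bytearray)):                        # REG_BINARY and friends
        return len(data)
    return 0


def find_large_values(values, threshold=DEFAULT_THRESHOLD):
    """Return the values whose data exceeds threshold, largest first."""
    hits = [v for v in values if v.size > threshold]
    return sorted(hits, key=lambda v: v.size, reverse=True)


def walk_registry(root, path, prefix):
    """Yield a RegValue for every value under root\\path (Windows only).

    Keys the current user cannot open are skipped rather than aborting the
    scan, so run elevated to see all of HKLM.
    """
    import winreg  # importable only on Windows
    try:
        key = winreg.OpenKey(root, path, 0, winreg.KEY_READ)
    except OSError:
        return
    with key:
        n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
        full = prefix + "\\" + path if path else prefix
        for i in range(n_values):
            name, data, type_code = winreg.EnumValue(key, i)
            yield RegValue(full, name, type_code, data_size(data, type_code))
        for i in range(n_subkeys):
            try:
                sub = winreg.EnumKey(key, i)
            except OSError:
                break
            yield from walk_registry(root, path + "\\" + sub if path else sub, prefix)


# Constructed sample of (key, name, data, type): four ordinary values plus a
# 60 KB blob and a 30 KB string parked under a made-up CLSID. Not real data.
FAKE_CLSID = r"HKLM\SOFTWARE\Classes\CLSID\{0A1B2C3D-0000-4000-8000-000000000000}"
SAMPLE_RAW = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background", REG_SZ),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 1, REG_DWORD),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp", "DependOnService", ["Afd", "Tcpip"], REG_MULTI_SZ),
    (FAKE_CLSID + r"\InprocServer32", "", r"C:\Windows\System32\shell32.dll", REG_SZ),
    (FAKE_CLSID, "Stage", b"MZ" + b"\x00" * (60 * 1024 - 2), REG_BINARY),
    (FAKE_CLSID, "Payload", "A" * (15 * 1024), REG_SZ),
]


def scan_sample(threshold=DEFAULT_THRESHOLD):
    """Size the constructed sample and return its outliers."""
    values = [RegValue(k, n, t, data_size(d, t)) for k, n, d, t in SAMPLE_RAW]
    return find_large_values(values, threshold)


def main():
    if sys.platform == "win32":
        import winreg
        hits = find_large_values(walk_registry(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE", "HKLM"))
    else:
        hits = scan_sample()
    for v in hits:
        print(f"{v.size:>8} bytes  {v.key}\\{v.name or '(Default)'}")


if __name__ == "__main__":
    main()
```

Size alone produces false positives (installer caches, icon data, saved layouts), so treat a hit as a lead to be examined, not a verdict: look at whether the data starts with an executable header, is base64 or otherwise encoded, and whether anything in a Run key or a scheduled task reads it back.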

Thursday, August 13, 2015

Android StageFright patches are out - here's how to update

The "StageFright" vulnerabilities could allow someone to take control of your Android device merely by sending a multimedia message. Here is how to check for and apply updates.

A couple of weeks ago, an Austin researcher spoke at the security conference Black Hat on flaws he had found in Android software. Commonly called "StageFright," the flaws could allow a malicious hacker to take control of a phone or tablet by simply sending a specially crafted multimedia message. The device would automatically download the message and have it ready for you to view, thus compromising the device without you having to even view the message.

At the time, there was no fix available, so I wrote a description of how to minimize the risk by disabling auto-retrieve for multimedia messages. Various phone makers and cellular carriers are beginning to roll out an update to fix* the flaw. Following are step-by-step instructions for checking to see if an update is available for your phone. I demonstrated the update using a Samsung Galaxy S5 running Android 5.1 (aka "Lollipop"); the screens and menus for other phones and versions will differ somewhat but the menu selections should be essentially the same.

Tuesday, August 11, 2015

Maybe a Cyber UL is just what we need

In late June, hacker and researcher Peiter Zatko, better known to many by the moniker "Mudge," left a position at Google to launch a so-called "Cyber Underwriters' Laboratory." The concept has been variously celebrated and panned by respected researchers and security experts.

In this article (posted at CSOonline) I look at some of the security areas that are the biggest headache to end users (passwords, software updates, features that affect privacy) and suggest to Mudge the ways he could address them by making security "built-in."

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.