Tuesday, May 3, 2016

A devilishly simple phish

A diabolically simple phish: the message claims an error prevented the message from loading, and you must click the link to see the real message.

I've had this post half-written for a couple of months, and in the interim received two more phishing emails following the same pattern. Over the weekend, a peer in the security industry mentioned he had received a phishing scam that followed this pattern but in a more carefully-crafted package tailored to look like an important message from the president of his actual homeowners' association. @GRC_Ninja has a great write-up of that particular event, with some sage advice from an employer's perspective. What follows is my advice from a consumer perspective, and then a dive into the weeds.

Some phishing approaches are carefully crafted, highly targeted, and nigh impossible to recognize as evil. Some phishing approaches are ridiculously lame and downright silly. And then there is this, from the email account of someone I do know and correspond with. Devilishly simple, and yet entirely believable: who wouldn't click on the link to see what the actual message is?

The email appears to be something that Yahoo! Mail could not display in the normal reader window, and which you must open into its own window in order to read. The "error message" at the bottom lends credibility to the scam. Those with digital rights management on their business email might even be used to messages that cannot render in the standard email reader.

Despite appearances though, this is a fake, a fake for which the three best defenses are 

  1. A password manager such as LastPass or 1Password that recognizes website domains and will not enter your password into a fake login screen; 
  2. Two-factor authentication such that if a scammer does get your password, they still cannot log in without also having your device; and
  3. A DNS resolver such as OpenDNS, which recognizes scam domains and prevents your browser from going there.

Monday, April 25, 2016

Perseverance

Years of perseverance led to the Senior Champion Rabbit Showman award.

Allow me to digress from computer security, and talk about something else for my 200th blog post.

The last week of January, my daughter was named the senior division Rabbit Showmanship Champion at the county Youth Livestock Show, and won a fancy belt buckle (pictured above). This award means far more to me than a grand champion animal would (though I'd love for our family to produce the latter too), because of what it represents.

Showmanship involves a student's knowledge of their animal and breed, the responsibility they display, how well they present themselves and their animal, and how well they control their animal. While a champion animal involves the student taking good care of it, there is also a lot of genetics and a good bit of luck involved in raising a winning animal. Showmanship on the other hand is entirely up to the student.

What makes me the most proud though is not that she won the buckle. It's how she got to this point.

Thursday, April 14, 2016

Got QuickTime? Take a moment to "unget" it


Correction: the original post referred to ZDI as a division of HP; Trend Micro bought ZDI from HP in October 2015. At this point, the discontinuation of Apple's QuickTime for Windows product is a statement from Trend Micro and not publicly confirmed by Apple. Regardless, QuickTime has publicly-disclosed flaws that can be exploited to take control of your PC, and has no fixes available.

Apple just discontinued and published removal instructions for QuickTime for Windows, a once-popular video player and web browser plugin. Software that lingers on past a vendor dropping support for it can quickly become a gateway for malicious hackers to enter your computer - Windows XP has been an infamous example since Microsoft dropped support for it in April 2014.

QuickTime is no exception: Trend Micro's Zero Day Initiative found a few new vulnerabilities that can be exploited to take control of your PC, and so recommends that you remove QuickTime right away. To be fair, the risk here is a bit less than it is with, say, Adobe's Flash Player or Microsoft's Silverlight. While those products can run in your browser automatically upon loading a webpage, the QuickTime plugin is an older format that most browsers no longer support. One would have to open a QuickTime movie outside a browser (perhaps from an email attachment) to be at risk.


But here's the kicker: Apple's own Software Update utility still offers to install it for you. Don't. I still recommend keeping Apple Software Update - let it keep any Apple software you do use up to date - but don't let it install QuickTime!
References:

  • ZDI-16-241: Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability
  • ZDI-16-242: Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability
  • Apple HT205771: Uninstall QuickTime 7 for Windows
  • US-CERT TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
  • CSOonline: CERT advisory urges QuickTime removal due to vulnerabilities, Apple does too

Tuesday, April 12, 2016

Four Commandments From a Cyberparent

These four "commandments" form a solid foundation for teaching kids to be safe online.
"Children at School" by Lucélia Ribeiro, used under license CC BY-SA 2.0 / modified from original
One recent evening I spoke to a home school parents group about keeping their kids safe online. Having worked in the cyber security industry professionally for over 15 years, I've seen far too many ways that computers and their users can be abused. But panic isn't a healthy or productive response. Disconnecting from modern technology would mean giving up the amazing things technology has made possible, such as:

  • Amazon created the Dash Button - stick one near a place where you use consumables. Running low on laundry detergent? Just press the button, and more will be delivered tomorrow. (Keep out of reach of children!)
  • A recent Twitter conversation discussed how Skype is being used by hearing-impaired people to communicate in sign language, from their mobile devices, anywhere in the world. Wow.
  • Two-factor authentication using Apple Watch means you can log into an account on your phone or laptop, then click a button on your watch to say "yes, it's really me."
  • A paralyzed soldier is able to walk thanks to an exoskeleton (okay, okay, this one's not strictly Internet-related, but it's an amazingly cool piece of the future!)

Instead of letting paranoia take hold, I prefer to take a few precautions and enjoy the benefits of living in the future. I teach my children the same.

Tuesday, April 5, 2016

A great debate: is a smartphone really a second factor?



Here's a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro @johnnysunshine tweeted the above last week, and sparked a lively debate.

Before answering the question, let's back up a bit and explain two-factor authentication (or 2fa). To borrow an analogy I first used two years ago: 10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.


Passwords can be stolen though, whether through a server database breach, or via a phishing scam, or by keylogging malware that captures the password as you enter it into a webpage. If a password is the only thing protecting your account, then a stolen password lets an attacker pretend to be you. If the attacker knows the right password, the server or website has no way of knowing it's an impostor.

By adding a second factor - something you physically possess (an identification card, or a token generator, or - the crux of today's question - a phone), the bar for an attacker is raised. Individually, each factor might be relatively easy to defeat. Gaining access to both a password and a device at the same time though takes more effort, and is far less likely. Not impossible, but less likely.

Friday, April 1, 2016

ARRIS (Motorola) SURFboard modem unauthenticated reboot flaw

The world's most popular cable modem can be rebooted with no authentication required.
"Wipeout" by Dan Davison, used under license CC BY 2.0

Update April 8: Tom's Guide and The Wire Cutter both report having received a statement from ARRIS that they have updated the SB6141 firmware and are in the process of making it available to service providers. As cable modems are not consumer-updateable, it is up to Internet Service Providers to deliver the update to modems. 

Update April 10: The original post was based on first-hand testing with the SURFboard 6141 modem. It turns out the same flaw existed in the older SURFboard 5100 model at least as early as 2008. Multiple individuals have also contacted me both publicly and privately to confirm the same flaw exists in the popular but dated 6121 model. In addition, Michael Horowitz wrote for Computerworld about this very issue in February 2015, and described blocking LAN access to the cable modem using router settings. If you do not use a router model that Michael demonstrates, the iptables rules at the end of the original post below will work on any Linux-based router that allows command line access.

Update April 11: ARRIS published a note stating that contrary to their box markings and SURFboard 6141 product page claims, 135 million referred to the total number of all SURFboard modems in production, not the number of SB6141 units. A subset of this number are affected by this flaw.

Original post:

Want to annoy some friends? Ask them to visit this website:
RebootMyModem.net
Actually, don't ask them to do that until explaining that it is a proof of concept example that may in fact interrupt their Internet connection.

ARRIS (formerly Motorola) SURFboard modems are highly popular broadband cable modems with a reputation for reliability. The SB6141 model in particular can be found for around $70 US, is capable of supporting well over 150 megabit speeds, and works with all the major US Internet providers. According to ARRIS' documentation, the SB6141 is the world's most popular cable modem with over 135 million in production. [See April 11 update above for a disclaimer about the number of units affected.]

Rebooting one remotely is so easy, it doesn't even require a password.

Certain SURFboard modems have an unauthenticated cross-site request forgery (CSRF) flaw. The modems have a static IP address that is not consumer-changeable, and the web UI does not require authentication - no username or password is required to access the administration web interface.
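The April 10 update above points to iptables rules at the end of the original post, which this excerpt does not reproduce. What follows is an added example of that same mitigation, not the post's own rules: it shields the modem's management web UI from LAN clients at the router, so a web page loaded in a LAN browser has no path to send the unauthenticated reboot request. It assumes a Linux router on which the modem is reached through the WAN side at MODEM_IP (192.168.100.1 is assumed as the SURFboard default), LAN clients arrive on LAN_IF (assumed br0), and an optional single ADMIN_IP host keeps its access.

```shell
#!/bin/sh
# Added example, not the original post's rules: keep LAN clients from reaching the
# cable modem's management web UI through a Linux router. Run on the router as root.
# Assumptions (all adjustable): the modem answers on MODEM_IP via the router's WAN
# side, LAN clients enter on LAN_IF, and ADMIN_IP (optional) is the one host that may
# still open the modem's pages.
MODEM_IP="${MODEM_IP:-192.168.100.1}"   # assumed SURFboard default; check your modem
LAN_IF="${LAN_IF:-br0}"                 # assumed LAN interface name on the router
ADMIN_IP="${ADMIN_IP:-}"                # empty = no LAN host may reach the modem
IPTABLES="${IPTABLES:-iptables}"        # set to 'echo' for a dry run

# Each rule is a plain argument string so add, check and delete use identical text.
drop_rule()  { printf 'FORWARD -i %s -d %s -j DROP' "$LAN_IF" "$MODEM_IP"; }
allow_rule() { printf 'FORWARD -i %s -s %s -d %s -j ACCEPT' "$LAN_IF" "$ADMIN_IP" "$MODEM_IP"; }

# Rules in the order they must be inserted with -I: the last one inserted lands on
# top of the chain, so the admin ACCEPT goes in after the DROP and is matched first.
planned_rules() {
  drop_rule; echo
  [ -n "$ADMIN_IP" ] && { allow_rule; echo; }
  return 0
}

# Insert a rule only if it is not already present (-C exits 0 when it matches), which
# makes the script safe to re-run from a boot hook.
ensure_rule() {
  # shellcheck disable=SC2086
  $IPTABLES -C $1 2>/dev/null || $IPTABLES -I $1
}

apply_modem_block() {
  planned_rules | while read -r spec; do ensure_rule "$spec"; done
}

# Exit status 0 means every planned rule is in the live ruleset.
verify_modem_block() {
  planned_rules | while read -r spec; do
    # shellcheck disable=SC2086
    $IPTABLES -C $spec 2>/dev/null || exit 1
  done
}

case "${1:-}" in
  apply)  apply_modem_block && verify_modem_block && echo "modem $MODEM_IP shielded from $LAN_IF" ;;
  verify) verify_modem_block && echo "modem block present" ;;
esac
```

Run it as `sh block_modem.sh apply` on the router, or `IPTABLES=echo sh block_modem.sh apply` first to see the exact commands without changing anything.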

Monday, March 28, 2016

Malware-laden "speeding ticket" emails crafted using GPS data from users' own phones

Over the weekend, I came across an ingenious phishing scam seen in a small Pennsylvania town. Residents of Tredyffrin, PA have been receiving email claiming to be a speeding citation from the local police department, but containing accurate data including locations, posted speed limits, and actual driving speeds. The data is believed to come from a mobile app with permissions to access GPS data, though the actual app has not been named (nor is it certain whether it is a compromised legitimate app, or a malicious app built for the scam).

Targeted victims receive an email similar to the following:



As the email contains actual and accurate location and driving speed data, the Tredyffrin Police suspect a "free mobility or traffic APP" is involved. The attached "infraction statement" does not actually contain a license image nor any means of paying a fine; instead, it contains malware.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.