Tuesday, August 9, 2016

Beginner's Guide to Information Security

This summer, I and ten other security professionals wrote a book called the Beginner's Guide to Information Security. It is available now on Amazon for the Kindle and Kindle Reader apps! Our eventual goal is to give it away, but the publisher doesn't make that easy. For now, any proceeds from book sales will be donated to Without My Consent, an organization that combats online harassment.

I am in awe by the giants of the field I was privileged to write with!

Chapters include:



Friday, July 29, 2016

Do your data retention policies match reality?

In a 2009-2010 drug trafficking case, Yahoo was able to produce email that its retention policy stated should no longer be available. The culprits were convicted in part through email they had written and subsequently deleted. Naturally, the defendants would like to know how those messages surfaced. A US court has now ordered Yahoo to explain how it recovered the email.


Why does that matter to me?


From an information security perspective, data in our possession is both an asset and a liability. An asset in that it can support business operations and enable servicing our customers; a liability in that data that has value to us may also have value to a third party (whether a public official or someone with criminal intent).

Retention policies serve to manage risk by defining how long an organization believes the value (or regulatory obligations) of data outweighs the risk of that data being compromised. If data remains recoverable beyond the retention policy, it represents an unmanaged and perhaps unrecognized risk.

As an extreme example I once came across a database of customer names, addresses, and credit cards, left exposed on a web server. Incredibly, the database belonged to a company that had stopped using that web hosting business years earlier. There was simply no reason for that database to still exist on those servers. Had the company deleted the no-longer-needed information, there would never have been a breach.

Define retention policies - and then ensure those policies are carried out.
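The post's closing point is that a retention policy only manages risk if someone checks that reality matches it. As an added illustration (not code from the original post), the audit below compares a constructed retention policy against a constructed inventory of where data is still recoverable, including backups and a leftover database on a decommissioned host, and reports anything held beyond policy or with no policy at all. All dataset names, locations and dates are assumptions made up for the example.

```python
from datetime import datetime

# Constructed retention policy: dataset -> maximum age in days (None = keep indefinitely).
RETENTION_POLICY_DAYS = {
    "mail": 90,
    "card_receipts": 45,
    "tax_records": 7 * 365,
    "photos": None,
}

# Constructed inventory of what is actually still recoverable. "oldest" is the
# oldest record present at that location (ISO dates, constructed for the example).
INVENTORY = [
    {"dataset": "mail", "location": "mailstore-prod", "oldest": "2016-05-15"},
    {"dataset": "mail", "location": "backup-tape-2015", "oldest": "2015-01-01"},
    {"dataset": "card_receipts", "location": "old-hosting-provider/db", "oldest": "2011-01-01"},
    {"dataset": "tax_records", "location": "home-nas", "oldest": "2010-04-15"},
    {"dataset": "photos", "location": "home-nas", "oldest": "2001-01-01"},
    {"dataset": "chat_logs", "location": "laptop", "oldest": "2014-01-01"},  # no policy defined
]

AUDIT_DATE = datetime(2016, 7, 29)  # constructed "today" for a repeatable run


def audit_retention(policy, inventory, today):
    """Return findings as (dataset, location, reason, days_over_policy).

    A finding is raised when the oldest record at a location is older than the
    policy allows, or when the dataset has no policy at all (unmanaged risk).
    """
    findings = []
    for item in inventory:
        ds = item["dataset"]
        if ds not in policy:
            findings.append((ds, item["location"], "no retention policy defined", None))
            continue
        max_days = policy[ds]
        if max_days is None:
            continue  # explicitly kept indefinitely, e.g. photos
        age_days = (today - datetime.strptime(item["oldest"], "%Y-%m-%d")).days
        if age_days > max_days:
            findings.append((ds, item["location"], "data older than policy", age_days - max_days))
    return findings


def run_audit():
    """Convenience wrapper: audit the constructed inventory as of AUDIT_DATE."""
    return audit_retention(RETENTION_POLICY_DAYS, INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for dataset, location, reason, over in run_audit():
        print(f"{dataset:14s} {location:28s} {reason}" + (f" ({over} days over)" if over else ""))
```

Run against real systems, the inventory would have to include backups, replicas and old hosting accounts, since those are exactly where data outlives the policy unnoticed.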


So what? I'm not an information security person


The same principle holds true for personal life. Clean up your data every once in a while.

Pictures may have a lifetime of value. Tax records should be kept for several years (for US readers, the IRS has some guidelines). Credit card records generally can be disposed of once you get your monthly statement (though I personally keep receipts for high-value items until the warranty expires). To grossly paraphrase a quote by Albert Einstein, keep information for as long as it is useful, but no longer.

Thursday, July 21, 2016

iOS 9.3.3 for iPhone and iPad: update sooner rather than later

Update 24-July: to date I am not aware of any public exploits for these vulnerabilities. The only exploits I am aware of reside with the discoverer at Talos, and will not be publicly released. Still, the damage that could be done if a criminal hacker worked out an exploit is significant enough that this is a must-install update.

Apple released software updates for many of its products this week - iOS for iPhones, iPads and iPods; OS X for Mac laptops; watchOS for Apple Watch; tvOS for Apple TV; iTunes for Windows; and the Safari web browser. This is a case where you might want to update sooner rather than later, at least if you use an iPhone or iPad.

About a year ago, an Austin researcher found a flaw in a core component of Android, which became known as the StageFright vulnerability. This component was responsible for processing images and videos, and could be exploited by merely sending a maliciously-designed MMS message. The recipient did not have to view the message - the phone would process the image automatically once it was received.

This spring, a researcher with Cisco's Talos team found a very similar flaw in ImageIO, a component of the operating system that is used for all image handling. Just like StageFright, ImageIO has what the security profession calls a Remote Code Execution, or RCE, flaw. A hacker can design a malicious image file that exploits this flaw to run any program or instructions they want. All they have to do is get you to open the image - which is as easy as sending the image via MMS message so that your phone automatically loads the image and has it ready for you to see.

Wednesday, June 22, 2016

Taking a break

I am taking a bit of family time before starting a new job in mid-July. Barring any major security events, I will not be publishing any posts for the next few weeks. See you in late summer!

Wednesday, June 8, 2016

IRS levels up consumer security: the good, the bad, and the ugly

On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.

The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.

But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again, and guess what information is required to prove your identity? The same information that may have already been stolen in the past.

The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.

Thursday, June 2, 2016

TeamViewer Hacked? Maybe, maybe not - but take precautions

TeamViewer may or may not have been hacked. Regardless, here are some sane precautions for remote control software.

I've seen a lot of noise over the past 24 hours suggesting that TeamViewer - a popular remote control product for computers - is being used by crooks to break into PCs, then use logged-in sessions on those computers to make purchases, transfer money, etc.

TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that can be controlled over the Internet by me though, could potentially also be controlled over the Internet by a malicious hacker that knew the right access information.

It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.

The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If my LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.

Regardless, a few precautions can limit the potential for harm.

Thursday, May 26, 2016

How to fail at mobile user experience

Some posts I write because I am curious, and some to share a project I have worked on, or a security risk to be aware of. And then there are posts like this, written out of sheer annoyance.

It began with a simple link to a news article, shared by a fellow Central Texas security pro:


At first glance, I thought the article pertained to a story I have been following (and have written about) - a series of coordinated ATM heists over the past few years, involving large numbers of stolen payment cards and large numbers of hired hands, stealing millions of dollars from thousands of ATMs at once.

Alas, I could not read the story.

Clicking the link in Twitter's client for my Android phone did not open the story on the ABC web site. Instead, the link opened Google Play Store, asking me to install the ABC News mobile app.

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.