Thursday, July 21, 2016

iOS 9.3.3 for iPhone and iPad: update sooner rather than later

Update 24-July: to date I am not aware of any public exploits for these vulnerabilities. The only exploits I am aware of reside with the discoverer at Talos, and will not be publicly released. Still, the damage that could be done if a criminal hacker worked out an exploit is significant enough that this is a must-install update. 

Apple released software updates for many of its products this week - iOS for iPhones, iPads and iPods; OS X for Mac laptops; watchOS for Apple Watch; tvOS for Apple TV; iTunes for Windows; and the Safari web browser. This is a case where you might want to update sooner rather than later, at least if you use an iPhone or iPad.

About a year ago, an Austin researcher found a flaw in a core component of Android, which became known as the StageFright vulnerability. This component was responsible for processing images and videos, and could be exploited by merely sending a maliciously-designed MMS message. The recipient did not have to view the message - the phone would process the image automatically once it was received.

This spring, a researcher with Cisco's Talos team found a very similar flaw in ImageIO, a component of the operating system that is used for all image handling. Just like StageFright, ImageIO has what the security profession calls a Remote Code Execution, or RCE, flaw. A hacker can design a malicious image file that exploits this flaw to run any program or instructions they want. All they have to do is get you to open the image - which is as easy as sending the image via MMS message so that your phone automatically loads the image and has it ready for you to see.

Wednesday, June 22, 2016

Taking a break

I am taking a bit of family time before starting a new job in mid-July. Barring any major security events, I will not be publishing any posts for the next few weeks. See you in late summer!

Wednesday, June 8, 2016

IRS levels up consumer security: the good, the bad, and the ugly

On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.

The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.

But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again - and guess what information is required to prove your identity? The same information that may have already been stolen in the past.

The result is what is known in the security world as a "race condition": access is granted to whomever can "prove" your identity first.

Thursday, June 2, 2016

TeamViewer Hacked? Maybe, maybe not - but take precautions

TeamViewer may or may not have been hacked. Regardless, here are some sane precautions for remote control software.

I've seen a lot of noise over the past 24 hours suggesting that TeamViewer - a popular remote control product for computers - is being used by crooks to break into PCs, then use logged-in sessions on those computers to make purchases, transfer money, etc.

TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that can be controlled over the Internet by me, though, could potentially also be controlled over the Internet by a malicious hacker that knew the right access information.

It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.

The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If my LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.

Regardless, a few precautions can limit the potential for harm.

Thursday, May 26, 2016

How to fail at mobile user experience

Some posts I write because I am curious, and some to share a project I have worked on, or a security risk to be aware of. And then there are posts like this, written out of sheer annoyance.

It began with a simple link to a news article, shared by a fellow Central Texas security pro:

At first glance, I thought the article pertained to a story I have been following (and have written about) - a series of coordinated ATM heists over the past few years, involving large numbers of stolen payment cards and large numbers of hired hands, stealing millions of dollars from thousands of ATMs at once.

Alas, I could not read the story.

Clicking the link in Twitter's client for my Android phone did not open the story on the ABC web site. Instead, the link opened Google Play Store, asking me to install the ABC News mobile app.

Monday, May 23, 2016

Coordinated heist steals $12.7 million from 1,400 ATMs in Japan

"Automatic teller machine trailer" by Thilo Parg, used under license CC BY-SA 3.0

This is a bit more sophisticated than the run-of-the-mill heist. On May 15, an as-yet unidentified crime ring pulled off the theft of the equivalent of $12.7 million USD, using 1600 stolen payment cards at 1400 Japanese ATMs, all in the span of 2 hours.

This is not the first coordinated attack against ATMs. A similar heist in 2011 used prepaid cards from a Florida bank to withdraw some $13 million USD from ATMs across Europe. Then, in February 2013, yet another crime organization pulled off the theft of over $40 million USD from ATMs around the world in a coordinated attack lasting 10 hours.

The details of the most recent attack are a little bit unclear to me - I suspect something may be lost in translation. The original story says the attack used cloned credit cards stolen from South Africa, but ATM withdrawals require PIN transactions, which typically means debit or ATM cards. Regardless, there are a few things you can do to protect yourself.

  • Avoid the use of debit / ATM cards as much as possible. A debit or ATM card is directly connected to your bank account, while a credit card is using the bank's money until you pay the bill at the end of the month.
  • When withdrawing cash from an ATM, if you have a choice, favor an ATM indoors at a brick-and-mortar bank. Brian Krebs has done some enlightening research into ATM skimmers, including a fascinating series on a particular ATM fraud method in Mexico. ATMs in public places (shopping centers, hotels, convenience stores, event venues) are prime targets for crooks to steal card data.

    It takes only a few seconds to insert a skimmer - a physical device that copies the card information when you insert a card into the machine. More sophisticated attacks will place the skimmer inside the machine, or install malware on the machine so the machine itself will copy the card data and send it to the attacker. ATMs inside legitimate banks are less likely to be compromised, simply because there is greater risk to the criminal.
  • Set up transaction alerts with your bank. Your bank will send you an email or SMS/text message, generally for transactions over a set dollar amount. While this does not prevent the fraud from happening, the sooner you know about it and report it to your bank, the sooner the fraudulent transactions can be reversed.

Wednesday, May 18, 2016

Rumor mill: LinkedIn password breach

Update May 18 10:00 CDT: LinkedIn has confirmed that the password dump is real, but that it originated from the 2012 data breach. The social media site is notifying affected users and requiring a password change for anyone who had an account in 2012 and has not changed their password since.

The rumor mill has it that some 170 million LinkedIn usernames and passwords are available on the black market, offered for sale to anyone willing to pay the equivalent of a few thousand US dollars.

Several investigators that I trust have suggested it is likely true - but also likely old news. LinkedIn confirmed a data breach in 2012 involving usernames and passwords, though on a much smaller scale. The most reliable sources I have suggest that these 170 million passwords are in fact from the 2012 breach.

If you haven't changed your LinkedIn password since 2012, do so now. We know there was a confirmed breach at that time. 

Even if you have changed your password since then, it can't hurt to change it again. It takes about 30 seconds, and it renders the rumored password dump useless against you, whether or not it contains your actual password. LinkedIn provides simple instructions for changing your password.

As an additional step, consider enabling multifactor authentication for your LinkedIn account. With multifactor authentication enabled, you add your phone number to your LinkedIn account. LinkedIn will send a one-time-use code to you via SMS (text message) anytime a login request comes from a device you have not logged in from before. As I have written before, phone-based multifactor is possible to defeat - but it is far stronger than just a password.

Your LinkedIn profile is an extension of your professional identity; a stolen password could allow someone to embarrass you. Possibly worse, with access to your LinkedIn account, an attacker could reach out to your connections to abuse their trust in you. Your connections would assume the attacker was in fact you. For that reason, social media accounts should be well protected.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.