Tuesday, January 27, 2015

Secure your device (the uncomplicated way)

There are lots of things you might do to protect your computers and Internet-connected devices, but basic, sane security doesn't have to be a brain twister. Below are a handful of simple steps anyone can take, whether you use a PC or a Mac, an Android or an iPhone, or any other form of computing device.

Tuesday, January 20, 2015

(CVE-2015-1314) USAA mobile app gives away your account numbers and balances

If you use the USAA Mobile Banking app for Android, take a moment to ensure it automatically updated to version 7.10.1, released January 19.

USAA typically shines when it comes to security. A considerable proportion of their membership are active duty military and their families - a clientele that certain malicious actors might find great value in distracting from their sworn duties. Financial fraud can be a very effective distraction, and USAA is well aware of this. Generally they do a great job in both providing members with advanced security features as well as education.


Even the best make mistakes though. In using the app recently, I noticed something unusual: at times I would launch the app and briefly see private information before I was prompted to log in.

Small Word Security: Security knowledge without all the big words

Do stories about Raspberry Pis with Kali Linux and Snort used as an IDS to detect command-and-control (C&C) traffic and phishing make your head spin? Then I have good news. A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, so I would hope I have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. I'm just about the last person you would want to perform a root canal on you, or to rebuild your carburetor (well ... I might be able to figure out the latter, but you certainly don't want me working on your teeth!).

Over the next couple of months, tune in here for a new series entitled "Small Word Security." There are many big words and acronyms that would seem arcane to those not in the field. This series will address some of the security challenges that face consumers and businesses alike, and explain real steps you can take to protect yourself, both digitally and in the physical world.

Some of the topics you will read about are simple ways to keep your computer up to date and secure; ways to make passwords less of a nuisance; and how to avoid - and recover from - credit card fraud. I'll still write more in-depth articles as I learn new tools, and break and fix devices on my network, but anything tagged "Small Word Security" will be specifically written for those that don't live and breathe hacking.

The "Small Word Security Dictionary" I published a few weeks ago was the first step in this new journey; more "Small Word Security" topics will be posted over the coming months, at the following URL:
Or on Facebook, at 

Thursday, January 15, 2015

Peerio: end-to-end encryption made easy (a quick look)

On Wednesday security startup Technologies Peerio, Inc. pulled the covers off a new website and service, named simply enough, Peerio. The concept is greatly needed: easy-to-use, end-to-end encrypted communication that doesn't require a computer science degree. Sign up for an account, and from within that account you can securely send email and instant messages, as well as share files. Messages and files are encrypted on your own device before they are sent to the Peerio servers, so the servers only ever handle ciphertext, and nobody except the intended recipient can read them. Here's a brief first look at the service.

Monday, January 12, 2015

A new year, a new job...

Today I start a new chapter, one that I am very excited about.

Thursday, January 8, 2015

ASUS bug lets those on your local network own your wireless router

A few months ago, researcher Joshua Drake (better known as jduck) found a flaw in his ASUS RT-N66U. The flaw is tracked as CVE-2014-9583. This week, proof-of-concept code (i.e. working example code) to exploit this flaw was published.

By sending a specially crafted packet to UDP port 9999, he was able to execute any command (well, almost any: the exploit is limited to 237 characters, or it will overrun a buffer, likely crashing the router). This does not require being logged into the router. An attacker has no need to learn the administrator password; being able to reach the router from the local network is enough.

Joshua found this on the RT-N66U, with firmware 3.0.0.376.2524-g0013f52 (current as of October); I've confirmed it also on the newest model RT-AC87U, running the latest 3.0.0.4.378_3754 firmware (released December 31).

Friday, January 2, 2015

Detecting malware through DNS queries: a Kali Pi / Snort project

With Kali and Snort running on a Raspberry Pi, and using OpenDNS for name resolution, we can set up simple malware detection alerts.
Earlier this year I wrote about building a minuscule hacking computer by installing Kali and Snort onto a Raspberry Pi. I also wrote about building a homemade passive network tap out of $10 in spare parts. Having a piece of equipment to capture network traffic is nice, but what good does it do? Today I am going to take you on a winding path through a variety of topics, putting these projects to good practical use. My ultimate goal is to detect possibly-infected computers on a network.

tl;dr: download local.rules from https://github.com/dnlongen/Snort-DNS and add it to your Snort installation; it will trigger an alert on DNS responses from OpenDNS that indicate the requested domain is categorized as likely malware, phishing, or adult content.
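For readers who want to see the detection logic itself rather than only the Snort rule file, here is an added example, written for this page and not taken from the dnlongen/Snort-DNS repository or from Snort. It parses a DNS response by hand (including RFC 1035 compression pointers, which real resolvers use) and flags any A record that resolves to an OpenDNS block page, on the assumption that a block-page address in the answer is the signal the rules key on. The block-page addresses in `BLOCK_PAGE_IPS` and the `hit-malware.example.test` name are placeholders made up for the example; take the real addresses from OpenDNS's current documentation. The sample packet is constructed in code because no live capture is available offline.

```javascript
// Added example, not the dnlongen/Snort-DNS rules: parse a DNS response and
// flag answers that point at an OpenDNS block page.
// ASSUMPTION: these addresses are placeholders for this illustration only;
// take the real block-page addresses from OpenDNS's current documentation.
const BLOCK_PAGE_IPS = {
  '146.112.61.106': 'malware',
  '146.112.61.107': 'phishing',
  '146.112.61.108': 'adult',
};

// Read a domain name at `offset`, following RFC 1035 compression pointers.
// Returns the name and the offset just past it in the uncompressed stream.
function readName(buf, offset) {
  const labels = [];
  let next = -1;                       // set when the first pointer is followed
  let hops = 0;
  for (;;) {
    const len = buf[offset];
    if (len === 0) { offset += 1; break; }
    if ((len & 0xc0) === 0xc0) {       // two-byte pointer: 11xxxxxx xxxxxxxx
      if (++hops > 16) throw new Error('compression pointer loop');
      const target = ((len & 0x3f) << 8) | buf[offset + 1];
      if (next < 0) next = offset + 2;
      if (target >= offset) throw new Error('forward compression pointer');
      offset = target;
      continue;
    }
    labels.push(buf.toString('ascii', offset + 1, offset + 1 + len));
    offset += 1 + len;
  }
  return { name: labels.join('.'), next: next < 0 ? offset : next };
}

// One resource record: owner name, 10-byte fixed header, then RDATA.
function readRR(buf, offset) {
  const owner = readName(buf, offset);
  let off = owner.next;
  const type = buf.readUInt16BE(off);
  const ttl = buf.readUInt32BE(off + 4);
  const rdlen = buf.readUInt16BE(off + 8);
  off += 10;
  let data;
  if (type === 1 && rdlen === 4) data = Array.from(buf.subarray(off, off + 4)).join('.'); // A
  else if (type === 5) data = readName(buf, off).name;                                   // CNAME
  else data = buf.subarray(off, off + rdlen).toString('hex');
  return { rr: { name: owner.name, type, ttl, data }, next: off + rdlen };
}

function parseResponse(buf) {
  const flags = buf.readUInt16BE(2);
  if (!(flags & 0x8000)) throw new Error('not a response (QR bit clear)');
  const qdcount = buf.readUInt16BE(4);
  const ancount = buf.readUInt16BE(6);
  let off = 12;
  const questions = [];
  for (let i = 0; i < qdcount; i++) {
    const q = readName(buf, off);
    questions.push({ name: q.name, type: buf.readUInt16BE(q.next) });
    off = q.next + 4;                  // QTYPE + QCLASS
  }
  const answers = [];
  for (let i = 0; i < ancount; i++) {
    const r = readRR(buf, off);
    answers.push(r.rr);
    off = r.next;
  }
  return { id: buf.readUInt16BE(0), rcode: flags & 0x0f, questions, answers };
}

// The detection: any A record in the answer section that lands on a block page.
function classify(buf) {
  const msg = parseResponse(buf);
  const query = msg.questions.length ? msg.questions[0].name : null;
  return msg.answers
    .filter((a) => a.type === 1 && BLOCK_PAGE_IPS[a.data])
    .map((a) => ({ query, answer: a.data, category: BLOCK_PAGE_IPS[a.data] }));
}

// Constructed sample traffic: answer qname with an optional CNAME and then an
// A record, using pointers the way real resolvers do.
function encodeName(name) {
  const parts = name.split('.').map((l) => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  return Buffer.concat([...parts, Buffer.from([0])]);
}

function rrHeader(type, rdlen) {
  const h = Buffer.alloc(10);
  h.writeUInt16BE(type, 0); h.writeUInt16BE(1, 2);   // class IN
  h.writeUInt32BE(60, 4);   h.writeUInt16BE(rdlen, 8);
  return h;
}

function buildResponse(id, qname, cname, ip) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x8180, 2);            // QR=1 RD=1 RA=1, NOERROR
  header.writeUInt16BE(1, 4);                 // QDCOUNT
  header.writeUInt16BE(cname ? 2 : 1, 6);     // ANCOUNT
  const question = Buffer.concat([encodeName(qname), Buffer.from([0, 1, 0, 1])]);
  const parts = [header, question];
  let aOwner = Buffer.from([0xc0, 0x0c]);     // pointer to qname at offset 12
  if (cname) {
    const rdata = encodeName(cname);
    parts.push(Buffer.from([0xc0, 0x0c]), rrHeader(5, rdata.length), rdata);
    const rdataOffset = 12 + question.length + 2 + 10;   // where the CNAME RDATA sits
    aOwner = Buffer.from([0xc0 | (rdataOffset >> 8), rdataOffset & 0xff]);
  }
  parts.push(aOwner, rrHeader(1, 4), Buffer.from(ip.split('.').map(Number)));
  return Buffer.concat(parts);
}
```

Feeding `classify` the constructed response for `bad.example.test` (a CNAME to `hit-malware.example.test`, then an A record on the placeholder malware address) yields one hit tagged `malware`, while a response that resolves to an ordinary address yields none. The same approach works on UDP payloads sniffed off the passive tap, because a Snort rule for this is just a byte-pattern version of the `BLOCK_PAGE_IPS` lookup; the hand parser is here so the layout those rules match against is visible.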