Wednesday, August 26, 2015

The Ashley Madison breach is a gold mine for scammers

The Ashley Madison breach is a gold mine for scammers and extortionists, and some "search the data" sites are scams in their own right. The only breach search site I trust: Have I Been Pwned.

I've not said anything about the Ashley Madison breach since my initial thoughts on glass houses and collateral damage last month (which essentially boil down to not throwing stones in glass houses, and considering the collateral damage to the betrayed spouses and children before going on a witch hunt). There's one more aspect that I think appropriate to mention though.

Any newsworthy event is going to result in clever advertising, spam and phishing emails hoping to capitalize on the fact that something is in the news. The Ashley Madison breach is no different.

Tuesday, August 25, 2015

Cracking a CTF [Part 1]

Capture the Flag, hacker style: walking through the first four puzzles in the 2015 Hou.Sec.Con pre-conference CTF.


I grew up playing Capture the Flag in my backyard. Now with kids of my own and a couple acres of mostly undisturbed woods to call my own, my family enjoys the occasional evening of Capture the Flag.

In hacker culture, a different sort of Capture the Flag (or CTF) is a common way to hone our skills and compete against peers. In hacking CTFs, the flags are digital rather than physical, and the field is bits and bytes rather than grass and trees, but there are still similarities. In both cases, winning requires a combination of skills: sheer speed is rarely enough, but at the same time my carefully-planned strategy has many times been derailed by a quicker opponent.

Most hacker and security conferences include some sort of a CTF challenge. I wrote a couple of years ago of winning a trophy by "cheating" at a social engineering CTF (in fairness, I was upfront about my approach, and the rules of engagement did not prohibit reverse engineering the scoring portal to steal the flags!).

This time, I am participating in an online CTF ahead of Hou.Sec.Con, the Houston Security Conference. And since the event is online, it is a chance for me to not only compete, but let my 11 year old daughter shoulder surf and give her own ideas while learning.

Monday, August 17, 2015

Introducing a new forensics tool: RegLister

TL;DR: Hop over to GitHub to download RegLister, a new command line digital forensics tool for scanning the Windows registry to identify unusually large data entries that could be indications of malware hiding.

Fellow Austin security pro Michael Gough first introduced me to the idea of malware hiding in the Windows registry a couple of years ago. It's sneaky but it makes sense: most antivirus products depend on a malicious file existing on the hard drive. They scan the disk periodically for malicious programs, and they scan individual files at the moment those files are written to or read from the disk.

If malware files never touch the disk, then when will antivirus scan them?
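The heuristic RegLister applies is simple: registry data is normally small (paths, flags, short blobs), so a value carrying tens of kilobytes stands out. The following is an added example written for this page, not RegLister's own code. It parses a text export of the kind `regedit /e` produces and reports every value whose data exceeds a threshold; the sample export, the key and value names in it, and the 20 KiB cut-off are all constructed for illustration. A real version 5.00 export is UTF-16LE encoded, so decode it with that encoding before handing the text to `find_large_values`.

```python
"""Flag unusually large values in a Windows .reg export.

Added example in the spirit of RegLister, not the tool's own code: it
parses the text that "regedit /e" writes and reports every value whose
data exceeds a threshold.  Legitimate registry data is mostly small
(paths, flags, short blobs), so a value carrying tens of kilobytes is
worth a look.
"""
import re
from typing import Iterator, List, NamedTuple


class RegValue(NamedTuple):
    key: str
    name: str
    kind: str
    size: int  # bytes of data as stored in the registry


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")
_HEX_KINDS = {2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def _unescape(s: str) -> str:
    # regedit escapes backslashes and quotes inside names and REG_SZ data
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(text: str) -> Iterator[str]:
    """Re-join hex data that regedit wraps with a trailing backslash."""
    buf = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        buf = line if buf is None else buf + line.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def parse_reg_export(text: str) -> Iterator[RegValue]:
    """Yield every value in the export with its type and data size."""
    key = None
    for line in _logical_lines(text):
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue  # header, blank line, or a value outside any key
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # REG_SZ is stored as UTF-16LE plus a terminating NUL
            yield RegValue(key, name, "REG_SZ", (len(_unescape(data[1:-1])) + 1) * 2)
        elif data.startswith("dword:"):
            yield RegValue(key, name, "REG_DWORD", 4)
        else:
            hm = _HEX_RE.match(data)
            if hm:
                code = int(hm.group(1), 16) if hm.group(1) else 3
                octets = [o for o in hm.group(2).split(",") if o.strip()]
                yield RegValue(key, name, _HEX_KINDS.get(code, f"type {code}"), len(octets))


def find_large_values(text: str, threshold: int = 20 * 1024) -> List[RegValue]:
    """Values bigger than `threshold` bytes; 20 KiB is an assumed cut-off."""
    return [v for v in parse_reg_export(text) if v.size > threshold]


def _wrap_hex(name: str, payload: bytes) -> str:
    """Render a REG_BINARY value the way regedit does, 25 bytes per line."""
    octets = [f"{b:02x}" for b in payload]
    rows = [",".join(octets[i:i + 25]) for i in range(0, len(octets), 25)]
    return f'"{name}"=hex:' + ",\\\n  ".join(rows)


# Constructed sample export: an ordinary key plus one value holding a
# 25,600-byte blob standing in for a payload stored only in the registry.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Updater]",
    r'"InstallPath"="C:\\Program Files\\Contoso"',
    '"Enabled"=dword:00000001',
    _wrap_hex("Settings", bytes(range(40))),
    "",
    r"[HKEY_CURRENT_USER\Software\Example\Hidden]",
    '@="Default"',
    _wrap_hex("Payload", bytes(range(256)) * 100),
])


if __name__ == "__main__":
    for v in find_large_values(SAMPLE_EXPORT):
        print(f"{v.size:>8} bytes  {v.kind:<14} {v.key}\\{v.name}")
```

Run against the constructed sample, only the 25,600-byte `Payload` value trips the default threshold; the string, DWORD and 40-byte binary values around it do not. Lower the threshold to see how much ordinary data a too-aggressive cut-off would drag in, and remember that size alone is a triage signal, not proof: large legitimate values (cached icons, driver settings) exist and still have to be examined by hand.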

Thursday, August 13, 2015

Android StageFright patches are out - here's how to update

The "StageFright" vulnerabilities could allow someone to take control of your Android device merely by sending a multimedia message. Here is how to check for and apply updates.

A couple of weeks ago, an Austin researcher spoke at the security conference Black Hat on flaws he had found in Android software. Commonly called "StageFright," the flaws could allow a malicious hacker to take control of a phone or tablet by simply sending a specially crafted multimedia message. The device would automatically download the message and have it ready for you to view, thus compromising the device without you ever opening the message.

At the time, there was no fix available, so I wrote a description of how to minimize the risk by disabling auto-retrieve for multimedia messages. Various phone makers and cellular carriers are beginning to roll out an update to fix* the flaw. Following are step-by-step instructions for checking to see if an update is available for your phone. I demonstrated the update using a Samsung Galaxy S5 running Android 5.1 (aka "Lollipop"); the screens and menus for other phones and versions will differ somewhat but the menu selections should be essentially the same.

Tuesday, August 11, 2015

Maybe a Cyber UL is just what we need

In late June, hacker and researcher Peiter Zatko, better known to many by the moniker "Mudge," left a position at Google to launch a so-called "Cyber Underwriters' Laboratory." The concept has been variously celebrated and panned by respected researchers and security experts.

In this article (posted at CSOonline) I look at some of the security areas that are the biggest headache to end users (passwords, software updates, features that affect privacy) and suggest to Mudge the ways he could address them by making security "built-in."

Wednesday, August 5, 2015

Avoid StageFright by turning off auto retrieve for multimedia messages

An Austin hacker discovered a major flaw in Android's StageFright library. While waiting for your device maker to provide a fix, turn off automatic downloads for MMS.

Update August 13: Phone makers and cellular carriers are beginning to roll out updates to fix this vulnerability; see step-by-step instructions for checking for and installing updates.


Last week, Austin hacker / researcher Joshua Drake disclosed a fairly significant flaw in all versions of Android, whereby a malicious multimedia message (aka a video text) could take control of the phone. This is a hacker's dream in that it does not require the victim to do anything. Simply receiving a message can trigger the flaw, because most messaging apps will automatically download the message and have it ready to display. This is very similar to the "text of death" that affected iPhone users a couple of months ago, but with the potential to actually take control of devices rather than merely crash them.

Tonight he is presenting his findings at Black Hat, a major security conference in Las Vegas. He will release details of his findings, including proof of concept code demonstrating the flaw, at the end of his talk. With the demonstration code, any software developer could reproduce his research.

Tuesday, August 4, 2015

How to schedule cron jobs on an ASUS wireless router

Want to run a task on a regular schedule on your ASUS wireless router? Well, you're out of luck.

Or are you?

Cron is the well-known method of scheduling tasks on Unix, roughly the equivalent of Task Scheduler (or the older "at" command) on Windows. My purpose is not to document the use of cron - it is well documented elsewhere. Alas, ASUS does not include the crontab utility for creating and editing jobs in its firmware, but the cron daemon (crond) is installed and running. If a jobs file can be loaded into the daemon, crond will happily run the jobs.