Saturday, February 11, 2017

Quick and dirty malicious PDF analysis

Analyzing weird things forwarded by friends and family is a great way to keep my DFIR skills sharp.

Friends and family regularly send me things they find suspicious or weird. Sometimes it turns out to be malicious, and other times perfectly fine, but I'm always glad to know I've instilled a proper degree of skepticism in my friends.

My willingness to help has an ulterior motive: aside from the "herd immunity" that comes from helping those around me stay safe, analyzing weird things they see helps me keep my own skills sharp. It also can alert me to new or resurging threats, such as the Disney theme park scams so common around customary family travel periods.

Today's story is about a phish. A simple phish, but one with lots of red flags to call out, and one that brought to my attention some new features Google introduced in Chrome last month. As with many phish, this one begins with an email. Nothing fancy, just a brief memo that a voice message has arrived.

Wednesday, January 25, 2017

It's tax fraud season!

Tax season means tax fraud season. Here are a few common schemes to watch out for, along with tips to protect yourself from fraud.

1040 Individual Tax Return, by 401kcalculator. Used under license CC BY-SA 2.0

It's tax season. That means it is also tax fraud season.

Early in the year is prime time for tax-related scams targeting both consumers and businesses. I see these start to appear around late December, but tax-related scams tend to peak in March. It makes sense that consumer scams would peak as the April 15 filing deadline approaches - but it's rather illogical that this is also true for business compromise. Employers, charities, and financial institutions are generally required to provide tax documents to consumers by January 31, so a successful business-oriented scam in March is a bit of a head-scratcher. Nonetheless, that's what the data show.

What follows are explanations of some common tax-related threats this time of year, along with tips to protect yourself.

Tuesday, January 17, 2017

How to be your daughter's hero, DFIR edition

Not only is digital forensics useful in cybersecurity, it can make you a hero in your daughter's eyes!

Every now and then, my day job pays dividends at home. Shortly before Christmas was one such occasion.

My daughter (a foreign exchange student my family is hosting, but she quickly became a daughter to us) had just spent a weekend with a friend. The friend too was a foreign exchange student from the same country as my daughter, but was near the end of her exchange, and was soon to return to their home country. My daughter had taken many pictures of their weekend together, and had uploaded them to the friend's computer.

As is commonly the default, uploading the photos to the computer also deleted them from her camera.

By the time she discovered that, the friend had already begun her trek home. Several gigabytes of photos are not hard to transfer over WiFi or with a flash drive ... it's a different story when all you have is a cellphone hotspot with a limited data plan, or a costly and rate-limited airport wireless service.

Much to my wife's chagrin, I am a sucker for my daughters' pleas for help. That holds true whether from the daughters born to my family or the daughter we are hosting. Just about any dad would say the same. Fortunately, one doesn't spend twenty years in technology and digital forensics without learning a few tricks.

Thursday, December 29, 2016

Silver linings: 2016 in pictures

2016 in photos

2016 has been a bugger of a year for many. Rather than stew over the loss of family members, friends, and icons of our adolescence, my cousin asked a simple question: "what's the best/coolest thing you did in 2016?" I thought to reply with a picture - but as I scrolled through my camera roll I found it has been an amazing year of memories, too many great experiences to pick just one picture. So here are some smile-worthy pictures from my family's 2016!

If you like these, my Instagram account is entirely things that make me smile or laugh. Cyber security exposes me and my peers to a constant flood of bad news and never-ending threats. This is one way I stay mentally healthy.

Tuesday, December 13, 2016

"Ho! Ho! Ho!" or "Oh No No!"

Here are a few holiday tips to make sure "Ho! Ho! Ho!" doesn't turn into "Oh No No!"

It's December! A time for family gatherings, vacation travels, Christmas shopping - and holiday scams. Here are a few tips to make sure "Ho! Ho! Ho!" doesn't turn into "Oh No No!"

Wednesday, December 7, 2016

Six steps to block credit card fraud

Credit Card Fraud spelled out using Scrabble tiles

Just over a year ago, I put together a simple guide to dodging financial fraud; it quickly became one of the most popular posts on this site. Given some recent cyber events, now seems like a good time for an updated version.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than it was two years ago, but it remains a hot topic. Between Target, The Home Depot, Sears, Dairy Queen, Wendy's, Cici's Pizza, Goodwill, Trump Hotels, Hyatt, Hilton - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story this week, researchers at the UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit code on the back. Visa's payment network will block repeated attempts to guess the expiration and security code coming from a single merchant - but it does not detect guessing attempts spread out across many merchants.

The result: by automatically and systematically generating different versions of the security data for a card number, and trying the different combinations across thousands of merchant websites, a malicious hacker can guess the correct combination of account number, expiration date, and security code in just a few seconds.

So what can you do to take credit card fraud off the top of your list of worries?

Saturday, November 26, 2016

RIP Tom Hanks? No, it's a fake malware scam

Tom Hanks is not dead. That doesn't stop crooks from using news of his demise to attract victims.

Updated 29 November with additional context after I analyzed the malicious link. TL;DR: Tom Hanks is not dead, and the fake news link on Facebook leads to a malicious website. As an aside, Tom Hanks is not the first celebrity to be used in fake news scams, and I am sure he won't be the last. Other recent malvertisements have claimed the demise of Harrison Ford, Sylvester Stallone, Beyonce, and even Facebook's own CEO Mark Zuckerberg.

No, Tom Hanks is not dead. However, a malicious advertisement circulating on Facebook over Thanksgiving weekend uses that headline as bait; readers who click the "news story" to find out more instead get more than they bargained for.

Instead of a news article, the advertisement leads to a web page that blares an incessant alarm sound and displays the following warning message. As a clever twist, the malicious content itself imitates Google's own malicious website warning.

Victims that call the phone number on the screen will no doubt be instructed to pay a "Microsoft Technical Support" fee to have the malware removed - a twist on the classic technical support scam.

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.