Wednesday, September 28, 2016

Someone's watching the baby, and it isn't you

"A greyscale image of a webcam," by Asim Saleen, used under license CC BY-SA 3.0


It seems like a scene out of a Transformers movie, but it happened right here in Austin. Local news station KVUE reports that an Austin family noticed their Wi-Fi baby monitor moving on its own one evening last week. It was being controlled by an unknown person, for an unknown purpose.

I hesitated to write this story, since I do not have a Wi-Fi camera to test myself and provide recommendations on. The intent of Security for Real People is not to spread fear, but to give practical advice you can use to keep yourself and your family safe online.

I decided to share the story anyway, for this reason: Internet-connected devices are becoming more and more common, and entering more and more intimate areas of our lives. But in many cases online safety is an afterthought. With a refrigerator or TV, maybe that's not a big deal, but a camera inside the home lends itself to voyeuristic abuse or worse.

Friday, September 23, 2016

Monster DDoS, Yahoo woes, malware by mail - the week in review


Here is a recap of some more notable cyber security stories this week, along with short and simple things you can do.

Friday, September 9, 2016

New Twitter stalker-assist feature is enabled by default


I noticed a new feature on my Twitter mobile app this morning - one that I'm not exactly keen on. I'm even less keen on it being added and enabled by default. By default, Twitter now has a "Send/Receive read receipts" feature that lets the sender know when you have read a DM. I'm not exactly sure when it was added, but I know it was not there a couple of days ago.
Useful? Maybe, depending on your preferences. As fellow traveler Trey Ford pointed out to me, many if not most chat apps already have this feature. iMessage, Facebook Messenger, WhatsApp - they all let you know when your message has been seen by the recipient.
Twitter has a different use model though - and more to the point, has another feature that in conjunction with this can make things a bit awkward. With "Receive Direct Messages from anyone" enabled, any person on Twitter can send private messages to you. Combined with this new "Send/Receive read receipts" feature, strangers can send you messages - and know when you read them.
It's sort of a stalker's dream.
I won't scream and shout to disable the setting - that's truly a personal preferences choice. But at the very least you should be aware that Twitter has added this feature, and that by default it is turned on.

If you wish to disable it, here are instructions. I presume the Android settings are similar, but I don't have a screen capture handy. Also, hat tip to Bryan Brake for pointing out that you must do this for EVERY Twitter account you manage.

iOS app: Select the "Me" icon, then the Settings gear, then Settings. Under Privacy and safety, look for the Send/Receive read receipts selector.

Twitter.com website: Select the profile and settings icon, then Settings. Select the Security and Privacy menu, then look for the Send/Receive read receipts check box.



Thursday, September 8, 2016

An Aggie Story

"Tree stump at Armadale Castle" by Mike Peel, used under license CC BY-SA 4.0

While this may sound like the setup to a joke, I assure you my story is true and accurate :-)

A number of years ago, my brother attended Texas A&M University. He had a bicycle he used to commute around campus, a bicycle that he was rather attached to. At times he did not want to carry it up the stairs to his apartment, so in order to protect it from theft, he chained it up. He located the biggest, gnarliest tree he could find near his apartment, and frequently chained the bike to that tree.

One morning he walked outside to go for a ride. He walked to where his bike had been safely chained, and found a stump. While he napped, the University had cut down and removed the tree, leaving only a stump!

Fortunately they had left his bike - chain, lock and all - leaning against a sign post, where he found it moments later.

I could make a point about myopic security viewpoints, focusing on one risk and overlooking equally great risks.

I could make a point about supply chain risk, in which the products we choose introduce risks outside our control.

I could make a point about recognizing which risks our controls mitigate - and which risks they don't.

Instead, though, I'll leave the reader to ponder this humorous story and come up with your own moral!

Tuesday, August 30, 2016

The tangled road toward securing Social Security accounts


Everywhere you look this week, you see talk about the creepy sentience of Facebook's "people you may know" algorithm, which suggested that patients of a certain psychiatrist friend one another, and about an investment firm that took out a short sale position (basically a bet that the stock would fall in value) in a medical devices firm, then profited when it published news that the firm's devices had serious and easy-to-exploit flaws.

I'm not going to talk about either of those events in this post.

In late July, the US Social Security Administration made a significant change to "my Social Security," the online portal for accessing and managing benefits. In order to improve the security of the site, the government agency began to require two-factor authentication via a code sent by text message. In order to log in, you had to have both your password, as well as a phone to receive the text message on.


Thursday, August 25, 2016

Apple releases iOS 9.3.5 to block a sophisticated iPhone spy technique

Updated 2 September: It turns out that the same vulnerabilities exist in OS X for MacBooks and iMacs, and can be used to run malicious programs with kernel (i.e. the highest level) privileges. Apple released updates for OS X Yosemite and OS X El Capitan on September 1.

For El Capitan, the fix is Security Update 2016-001.
For Yosemite, the fix is Security Update 2016-005.

To check for Mac software updates, open the App Store app on your Mac, then click Updates in the toolbar. If updates are available, click the Update button to download and install them. If you don't have the App Store on your Mac, get OS X updates by choosing Software Update from the Apple menu.

Updated 26 August: Brief update - here is a link to the original (and in-depth) report by Citizen Lab, the firm that identified the vulnerabilities and ferreted out the origin of the attack.

When a mobile phone provider sends you an update for your phone, it's usually a good idea to install it. Sometimes it's a better idea than others.

This is one of those times: Apple just released an update for iPhones, fixing three very serious bugs that together have been exploited in secret to spy on apparent Middle Eastern targets. Through the flaws, merely clicking on a link can "jailbreak" an iPhone - defeating the security measures Apple has built in and giving the attacker complete control of the device (and any private information on the device).

Your iPhone will prompt you to update to iOS 9.3.5 very shortly. Do it.

Motherboard has an article describing how the flaw was discovered and how it was being used to spy on individuals.


The SANS Internet Storm Center has a concise description of the three flaws and how they work together to compromise a device.

Here is Apple's release bulletin for iOS, and Apple's release bulletin for OS X.



What do you need to do?

Open the Settings app on your iPhone or iPad and go to General -> Software Update, or connect the device to iTunes on your Mac or PC. If you are running iOS 9.3.5 (the latest update as of this writing), your device will show that it is up-to-date. If you are running an older version, your device will show that an update is available. Install it!

Tuesday, August 9, 2016

Beginner's Guide to Information Security

This summer, I and ten other security professionals wrote a book called the Beginner's Guide to Information Security. It is available now on Amazon for the Kindle and Kindle Reader apps! Our eventual goal is to give it away, but the publisher doesn't make that easy. For now, any proceeds from book sales will be donated to Without My Consent, an organization that combats online harassment.

I am in awe of the giants of the field I was privileged to write with!

Chapters include:



Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.