Thursday, October 27, 2016

A $17 Social Engineering Lesson From a Blind Man

Today I fell for a scam.

I often walk around the Texas Capitol complex during lunch, or when I need to mull over something. Today as I was walking, a blind man stopped me and asked if I could direct him to Lamar Street. I stopped to talk with him for a moment, and he explained he was trying to get to the Texas School for the Blind. 

Texas School for the Blind is a solid 4 miles from downtown, so I offered to get my car and give him a lift. He appeared grateful - and then said he wanted to call ahead and make sure it wouldn't be a wasted trip. See, he was living in a halfway house and his rent was due; if he couldn't come up with seventeen dollars to make rent, he would be out on the street tonight. He thought Texas School for the Blind offered emergency assistance.

I let him borrow my phone to make a call. From his side of the supposed conversation, it was obvious he did not get the answer he was hoping for. I gladly gave him what I had in my wallet, shook his hand, and wished him well.

Being the skeptical soul that my profession makes me, though, when I got back to my office I redialed the number he had called. Surprise, surprise - the number was not in service.

Working downtown I frequently encounter people asking for a handout. I have my own ideas that influence my decisions to give or not to give, but it is not my intent to turn this into a philosophical or political discussion. What makes this event stand out in my mind though is how his pitch was so polished, rehearsed - and phish-like.

It was a veritable lesson in social engineering.

Tuesday, October 11, 2016

Amazon joins the password merry-go-round

Like many companies, Amazon regularly looks for evidence that its customers' usernames and passwords have been exposed. The company apparently discovered a trove of usernames and passwords recently, and is resetting some passwords as a precaution.

The company has not said how many accounts are affected, nor where they found the user details; the only thing they have said is that the list was not Amazon-related. This could mean it was a list of usernames and passwords from a completely unrelated site, but for individuals that reused the same passwords at Amazon.

The details are almost identical to reports about 6 months ago of a similar incident: Amazon reset some users' passwords after a list of names and passwords was found online. The list was not for Amazon accounts, but the account owners used the same passwords for their Amazon accounts. Go back a year, and the same scenario played out yet again.

What should you do?

First, don't panic. There is no indication that Amazon has been hacked. Rather, Amazon does an excellent job of searching for breaches elsewhere, and identifying customers that used the same password at Amazon.

  1. There is no harm whatsoever in changing your password just to be safe, even if you have not received a notice from the company.
  2. More important, make sure your Amazon (and every other account) password is long, and is not reused anywhere else. If the same password is used everywhere, a stolen password can give an attacker access to all of your accounts. A stolen password is far less damaging if it only unlocks that single account.
  3. If you do receive an email that appears to be from Amazon, don't click the password reset link in the email! While I haven't seen any examples specific to Amazon, fraudsters love to imitate a well-known service and claim your account is in jeopardy. In this example from last year, scammers sent a phishing email pretending that your Apple ID was amiss. When you click the link and "verify your information" though, you instead are giving the hacker your information so they can log in as you.

    What to do instead?

    Go directly to Amazon's website (type the address yourself, or use a bookmark), and change your password there.

If you received a phishing email imitating Amazon, I'd love to have an example to add to this story. I'll gladly credit you, or keep you anonymous, as you wish!
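The "don't click the link" advice above comes down to one question: does the link actually go where the email says it does? The following is an added example (not code from the original post) that pulls every link out of an HTML email body and flags the ones a password-reset notice from Amazon should never contain. The trusted-domain set and the sample email are assumptions constructed for this illustration; the hostnames in the sample are made up.

```python
"""Flag links in an e-mail that claim to be a known brand but point elsewhere.

Added example, not code from the original post. The sample message and the
hostnames in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a genuine Amazon account notice only links to
# amazon.com or one of its subdomains. Extend the set per brand.
TRUSTED_DOMAINS = {"amazon.com"}


def host_in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for every link that should not be clicked."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""   # hostname drops any user@ prefix
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("not an http(s) link")
        else:
            # Catches both lookalikes ("amazon.com.verify.example") and the
            # "amazon.com@evil.example" trick, since hostname is the real host.
            if not host_in_domains(host, trusted):
                reasons.append("host %r is not under a trusted domain" % host)
            elif parsed.scheme != "https":
                reasons.append("plain http; the real site uses https")
            # Visible text that looks like a URL but names a different host.
            if text.startswith(("http://", "https://", "www.")):
                shown = urlparse(text if "://" in text else "http://" + text)
                if (shown.hostname or "").lower() != host.lower():
                    reasons.append("text shows %r but link goes to %r"
                                   % (shown.hostname, host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one good link and three typical phishing patterns.
SAMPLE_EMAIL = """
<p>We detected unusual sign-in activity on your account.</p>
<p><a href="https://www.amazon.com/gp/css/homepage.html">Your Account</a></p>
<p><a href="https://amazon.com.account-verify.example/reset">Reset your password</a></p>
<p><a href="https://amazon.com@login.example/verify">https://www.amazon.com/verify</a></p>
<p><a href="http://www.amazon.com/help">Help</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the first link passes and the other three are reported: a lookalike domain, a host hidden behind an `@`, and a plain-http link to the real domain. The same check is what a mail gateway or a cautious reader's "hover before you click" amounts to in code.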

Thursday, October 6, 2016

Basic cyber advice

What better time than National Cyber Security Awareness Month for a refresher on cyber safety? Start the new school year off with some healthy habits.

For the second year in a row, Security For Real People is proud to be a National Cyber Security Awareness Month Champion. NCSAM is a month of cooperative efforts involving government, private businesses, and individuals working together to promote online safety and digital privacy. It began as a joint government and industry program between the National Cyber Security Alliance and the Department of Homeland Security. It now includes over 700 corporations, small and medium businesses, educational institutions, and individuals, all with the shared goal of making the digital world just a bit safer for us all.

The news is full of stories about extraordinary threats: Baby monitors hacked to spy on you. A billion Yahoo email accounts exposed. Sophisticated spies taking over iPhones. Movie plot-worthy heists draining millions of dollars from thousands of ATMs at once.

Elite hackers exist, and they do elite things - but they are generally not the greatest threat to most people. Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Wednesday, September 28, 2016

Someone's watching the baby, and it isn't you

"A greyscale image of a webcam," by Asim Saleen, used under license CC BY-SA 3.0

It seems like a scene out of a Transformers movie, but it happened right here in Austin. Local news station KVUE reports that an Austin family noticed their Wi-Fi baby monitor moving on its own one evening last week. It was being controlled by an unknown person, for an unknown purpose.

I hesitated to write this story, since I do not have a Wi-Fi camera to test myself and provide recommendations on. The intent of Security for Real People is not to spread fear, but to give practical advice you can use to keep yourself and your family safe online.

I decided to share the story anyway, for this reason: Internet-connected devices are becoming more and more common, and entering more and more intimate areas of our lives. But in many cases online safety is an afterthought. With a refrigerator or TV, maybe that's not a big deal, but a camera inside the home lends itself to voyeuristic abuse or worse.

Friday, September 23, 2016

Monster DDoS, Yahoo woes, malware by mail - the week in review

Here is a recap of some more notable cyber security stories this week, along with short and simple things you can do.

Friday, September 9, 2016

New Twitter stalker-assist feature is enabled by default

I noticed a new feature on my Twitter mobile app this morning - one that I'm not exactly keen on. I'm even less keen on it being added and enabled by default. By default, Twitter now has a "Send/Receive read receipts" feature that lets the sender know when you have read a DM. I'm not exactly sure when it was added, but I know it was not there a couple of days ago.

Useful? Maybe, depending on your preferences. As fellow traveler Trey Ford pointed out to me, many if not most chat apps already have this feature. iMessage, Facebook Messenger, WhatsApp - they all let you know when your message has been seen by the recipient.

Twitter has a different use model though - and more to the point, has another feature that in conjunction with this can make things a bit awkward. With "Receive Direct Messages from anyone" enabled, any person on Twitter can send private messages to you. Combined with this new "Send/Receive read receipts" feature, strangers can send you messages - and know when you read them.

It's sort of a stalker's dream.

I won't scream and shout to disable the setting - that's truly a personal preferences choice. But at the very least you should be aware that Twitter has added this feature, and that by default it is turned on.

If you wish to disable it, here are instructions. I presume the Android settings are similar, but I don't have a screen capture handy. Also, hat tip to Bryan Brake for pointing out that you must do this for EVERY Twitter account you manage.

iOS app: Select the "Me" icon, then the Settings gear, then Settings. Under Privacy and safety, look for the Send/Receive read receipts selector.

Twitter website: Select the profile and settings icon, then Settings. Select the Security and Privacy menu, then look for the Send/Receive read receipts check box.

Thursday, September 8, 2016

An Aggie Story

"Tree stump at Armadale Castle" by Mike Peel, used under license CC BY-SA 4.0

While this may sound like the setup to a joke, I assure you my story is true and accurate :-)

A number of years ago, my brother attended Texas A&M University. He had a bicycle he used to commute around campus, a bicycle that he was rather attached to. At times he did not want to carry it up the stairs to his apartment, so in order to protect it from theft, he chained it up. He located the biggest, gnarliest tree he could find near his apartment, and frequently chained the bike to that tree.

One morning he walked outside to go for a ride. He walked to where his bike had been safely chained, and found a stump. While he napped, the University had cut down and removed the tree, leaving only a stump!

Fortunately they had left his bike - chain, lock and all - leaning against a sign post, where he found it moments later.

I could make a point about myopic security viewpoints, focusing on one risk and overlooking equally great risks.

I could make a point about supply chain risk, in which the products we choose introduce risks outside our control.

I could make a point about recognizing which risks our controls mitigate - and which risks they don't.

Instead, though, I'll leave the reader to ponder this humorous story and come up with your own moral!

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.