Thursday, November 29, 2012

The Email That Hacks You: Securing the Home Network

I’ve written about this before, but a report this week on yet another way to exploit unsuspecting home Internet users seemed like a good excuse to update my blog.

A security researcher at Acunetix wrote this week about a simple way he found to hack some common home WiFi routers. He based his research on the fact that many email programs will automatically download and display images embedded in email. Most programs can be configured to not do this, and I can’t knock the convenience of not having to expressly download images to see what someone I know and trust sent. But this behavior can be abused: in his research, instead of embedding the location of an image file in his email, he embedded a link to his home router, crafted to log in with the default password and issue some commands. As far as the email client knew, it was an image, so it tried to load the link. As far as the router knew, the mail client was a legitimate user, supplying the legitimate password, and so it let the command go through.
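For readers who run their own mail filtering, here is an added example (not part of the original post or the Acunetix research): a small Python check that flags embedded images whose address points at a device on a private network or carries a username and password in the URL. The sample message and its `placeholder-path` URL are constructed for illustration.

```python
import ipaddress
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImgSrc(HTMLParser):
    """Collect the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def url_reasons(url):
    """Return why an image URL looks like a request to a local device."""
    parts = urlsplit(url)
    reasons = []
    if parts.username or parts.password:
        reasons.append("credentials in URL")
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            reasons.append("non-public address")
    except ValueError:
        pass  # hostname is a DNS name, not an IP literal
    return reasons

def suspicious_images(raw_email):
    """Return (url, reasons) for each flagged <img> in the HTML parts."""
    msg = message_from_string(raw_email)
    flagged = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            html = payload.decode(part.get_content_charset() or "utf-8", "replace")
            parser = ImgSrc()
            parser.feed(html)
            flagged += [(u, r) for u in parser.sources if (r := url_reasons(u))]
    return flagged

# Constructed sample message (not from the original report).
SAMPLE = """\
From: sender@example.com
Content-Type: text/html; charset=utf-8

<img src="https://images.example.com/cat.jpg">
<img src="http://user:pass@192.168.1.1/placeholder-path">
"""
```

A check like this only catches IP-literal addresses; a hostname that resolves to a private address would need a DNS lookup on top.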

What I wrote 2 years ago is still a pretty good foundation. I look at home security as having 4 legs: installing the latest software patches; a firewall to keep bad stuff from coming in; a web filter to keep from getting to bad stuff; and an antivirus program to deal with the bad stuff that will (not might) get through. To that I would add one more: lock the door (in other words, be intelligent in the use of passwords, and never leave the default password on anything of value).

Friday, November 2, 2012

Sometimes God Provides Just Enough

7 years ago today I wrote a letter about God’s hand in protecting my family from what could have been a tragic event.  A teenage driver ran a red light, hitting my wife and two oldest broadside at about 70mph, rolling the van and leaving one of my boys unconscious for the better part of 12 hours. To see the wreckage afterward though, no one should have survived it. God preserved their lives when there is no natural way they should have survived.  October 27 is forever a day of thanksgiving for me now.

This month, God again showed His sovereignty in some amazingly clear ways. I have seen God provide an abundance of blessings in the past, but this time He chose to work a little differently. This time He chose to provide exactly what we needed, at exactly the right time, and to lead us in faith through the entire process.

On October 16 2012, my wife was involved in another auto accident. A man at a red light misjudged the lanes, and turned directly into her lane as she crossed an intersection, hitting her quite hard directly on the passenger-side rear wheel. The scenario was disturbingly similar to the awful wreck 7 years ago that nearly took the lives of my oldest sons. Thankfully her injuries were not severe and she has mostly recovered. The van, however, was another story.

The initial evaluation from the other party’s insurance company was that the van could be repaired, but that it would take about 3 weeks to do so. I am not comfortable keeping a vehicle that has been in a wreck though, even if it is repaired. A collision stresses parts of the vehicle that were not designed to be stressed (or more specifically, that were designed to protect the occupants by taking the brunt of that stress). Even fully repaired, there’s just no telling what sort of “gremlins” will be left behind, showing up months or years later as unexplained problems and breakdowns. I know a body shop can do a very good job on a repair, but the likelihood of future problems is just not something I want to deal with. So Jennifer and I decided that regardless of the outcome with the old van, we were going to replace it.

In researching possible replacement vehicles, we ultimately decided there was one specific model and year we would be most comfortable with (and comfortable in). We didn’t want to replace the van with something of the same vintage, but rather wanted something that would get us the rest of the way through our child-hauling years so we’re not back in the same situation in a few years. But here comes the rub: we had not planned on replacing the old van for another 4 years or so, so were not financially prepared to do so just yet. It seemed we faced the choice to either take on an uncomfortable amount of debt (I am a big Dave Ramsey fan – I don’t like debt for depreciating assets!), or settle for a vehicle we wouldn’t be happy with.

Here is where God started to intervene. In searching for the right van at the right price, we stumbled across exactly what we were looking for, at a price that bordered on manageable. It was a 2-year-old Honda Odyssey with only 20,000 miles on it, and it was a Certified Pre-Owned so it had been thoroughly checked out and cleaned up by the dealer, and came with an extended warranty. But it was in Shreveport, Louisiana, about 350 miles away. This was Friday afternoon … I called the dealer and talked with the sales manager to ask a few questions about it, and we agreed in principle on a price. An hour later we were en route to Louisiana, staying at our lakehouse to avoid the cost of a hotel (it just so happened that our lakehouse is right on the route from Austin to Shreveport – imagine that!).

Saturday morning we arrived at the dealership, test drove the van, looked it over for anything that would turn us away, got the dealer to agree to fix a minor issue we did see, and then headed back to Texas in a van we are confident will last until the kids are out of school. We had made a number of assumptions as to where the money would come from, and came to the conclusion that we could handle the cost but would have to make some hard sacrifices for a year or so.

At this point we still expected to get the old van back and have to sell it. We weren’t sure whether to pray that Progressive call it a total loss, or that they fix it and return it to us. On the one hand, if we got the van back we would have the hassle of finding a buyer for a van that had been repaired from a significant wreck. On the other hand, my experience with insurance companies in the past was that they tended to value a total loss as low as they could get away with. Either way we were faced with a less than desirable situation. Then God revealed His hand again.

The day after we got home in the new van, Progressive called back to say they were now considering the old van a total loss. We were not going to get the old van back, and they would have given us about 3 more days of a rental vehicle before we would have been left without transportation. Finding and buying the new van when we did kept us from having to make a quick purchase on something we might have regretted later. More than that, their valuation was a bit more than I expected them to offer. That plus the savings we had available were almost to the dollar enough to pay for the new van without taking on debt.

God didn’t give us a brand new car. He provided a near-new car in great condition.

God didn’t give us a car at no cost to us. We still spent a substantial amount out of pocket – but He provided exactly what we could afford and no more.

God didn’t show us the entire picture up front. He led us through one decision at a time, forcing us to take each step on faith.

And in a twist of irony, we bought the new van 7 years to the day after the wreck that totaled our first van.

I have to agree with the writer that said, "only the fool says in his heart 'there is no God.' "

Thursday, August 16, 2012

Random musings from a discussion with MAD Security's Mike Murray

I had a fascinating discussion with Mike Murray, principal at MAD Security, yesterday at a local ISSA chapter meeting.  In his presentation, and in a one-on-one discussion afterward, he covered a lot of ground, but the two central points that kept coming up are 1: there is a somewhat predictable cycle to the ebb and flow of vulnerability and exploit; and 2: awareness training as most companies approach it is only marginally ineffective.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.