Wednesday, October 9, 2013
Nothing could have prepared me for last week however. About 2 hours before church I learned that one of my leaders had been arrested for a series of armed bank robberies spanning 6 months. Wow. Talk about getting blindsided.
The first night was a flurry of activity such that I didn't really have time to digest what had happened. His role had to be filled on short notice – and naturally most of our standby “in a pinch” volunteers were out of town or otherwise occupied. I talked with a couple of key individuals that needed to know, but otherwise kept an eye on the news to determine when to address it publicly (I did not feel it was my place to “break the news,” so to speak). Church staff reviewed his background check to make sure we had not overlooked anything (if you run a children’s ministry, you do screen your volunteers for a criminal history, right?). I was too stunned and too numb to do more than simply get through the night.
A week has now passed. The initial shock has worn off. Many of the kids know what happened, and some of them are asking difficult questions. Questions such as, how can a Christian do such a thing? How can someone we trusted do this crime? How can I trust other leaders?
Throughout the Bible I read of God-fearing men and women that failed miserably at one point or another. Abraham twice said his wife was his sister, fearing a king would harm him to take her. Samson allowed his wife to compromise his Nazarite vow. David couldn't keep his hands off his soldier’s wife, and then had the man killed to cover it up. Peter denied knowing Christ mere hours after saying he would never deny Him. Romans 3:23 is pretty clear – all have sinned. Not most, not some, not just the “bad people” – all. Isaiah 53:6 says that we all have strayed from the Lord. Romans 6:23 leaves no room for doubt – the penalty for that sin is spiritual death (in other words, Hell). Not the penalty for murder, not the penalty for robbery, not the penalty for adultery, the penalty for sin. For all sin. Whether I take a piece of candy without permission, or I commit the most heinous crime imaginable, by God’s accounting the final consequence is the same. There may be significantly different consequences today (prison for one, a scolding for the other), but in both cases I will give an accounting before God in the end and if left to my own merit will face eternal judgment.
Thankfully I am not left to my own merit. When Christ died on the cross, He covered the sins of every believer. His sacrifice was enough to cover every sin – if I trust in Him for that salvation. Because of Christ, I don’t have to trust in my own self. I don’t put my trust in my pastor, or my friends, or my parents, or my teachers. I rely on them for guidance and teaching, and most of the time they will be honorable, but they are fallen sinners just like me. If my hope is in anyone besides Christ, I am bound to be disappointed eventually. That is the point I hope to teach the clubbers under my care: put your hope in Christ and in Christ alone. Only in Him will their trust never be broken.
As 2 Corinthians 9:15 says, “Thanks be to God for His indescribable gift.”
Wednesday, October 2, 2013
At the elementary level, the goal is to get kids thinking about the Internet as more than just a vague concept - to think of it as a street or city with many doors (web sites, apps). Some of the doors are generally safe - libraries, the mall, a restaurant. Other doors might be appropriate in certain settings but not in others (a college anatomy class might be suitable for an adult but not for a child; as one child brought up, a wanted fugitive's house might be an appropriate place for a sheriff but not for a child). Still other doors are distinctly dangerous (a drug dealer, a stranger's front door). Each of these has parallels in the online world.
Thursday, September 5, 2013
Friday, August 9, 2013
Friday, July 26, 2013
Nearly 10,000 examples of code on GitHub with the MySQL database password written in cleartext in the code. Many of the code samples show a username of root ... might that also be the root account and password for the system itself?
Sure, many applications need to access a database on behalf of end users who have no database account of their own. But the answer is not to code the root password into the application. Create a dedicated, least-privilege account (for a reporting page, one that can only read the handful of tables it needs) and keep its credentials outside the source tree, in a configuration file, environment variable or secret store that is never committed. Better yet, let the server handle authentication: if the application runs in the context of a user the database already trusts (operating-system or certificate-based authentication, for example), it never has to log in with a password, and there is nothing to store in the source code at all. And a root password that has ever been pushed to a public repository should be treated as compromised and changed, whether or not the commit is later deleted.
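As an added illustration (not code from the post, nor from any of the GitHub samples it describes), here is a small scanner that flags the three common shapes a literal MySQL password takes in source, run over a constructed PHP-style snippet, alongside the alternative: connection settings assembled at runtime from a least-privilege account, refusing root and refusing to fall back to a literal. The patterns, the sample source and the `DB_*` variable names are assumptions for the example.

```python
"""Added example: flag literal MySQL credentials in source text, and show the
least-privilege, credentials-outside-the-code alternative."""
import re
from typing import Dict, List

Q = r"""['"]"""      # a single or double quote
NOTQ = r"""[^'"]"""  # anything but a quote

# Three common shapes a database password takes when written into code.
# Constructed for this example; extend for your own code base.
CRED_PATTERNS = [
    # mysql_connect("host", "root", "s3cret") / mysqli_connect(...)
    re.compile(r"mysqli?_connect\s*\(\s*" + Q + NOTQ + "*" + Q + r"\s*,\s*"
               + Q + "(?P<user>" + NOTQ + "*)" + Q + r"\s*,\s*"
               + Q + "(?P<password>" + NOTQ + "+)" + Q),
    # password="..." / 'passwd' => '...' / pwd: "..."
    re.compile(r"\b(?:password|passwd|pwd)" + Q + r"?\s*(?:=>|[:=])\s*"
               + Q + "(?P<password>" + NOTQ + "+)" + Q, re.IGNORECASE),
    # mysql://user:password@host/db connection URIs
    re.compile(r"mysql://(?P<user>[^:/@\s]+):(?P<password>[^@\s]+)@"),
]
USER_PATTERN = re.compile(r"\b(?:user|username|uid)" + Q + r"?\s*(?:=>|[:=])\s*"
                          + Q + "(?P<user>" + NOTQ + "+)" + Q, re.IGNORECASE)


def find_hardcoded_credentials(source: str) -> List[Dict[str, object]]:
    """One finding per line that carries a literal database password."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith(("#", "//")):
            continue  # commented-out code; handle separately if you want it
        for pattern in CRED_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            user = match.groupdict().get("user")
            if user is None:  # password-only pattern: look for a user on the same line
                user_match = USER_PATTERN.search(line)
                user = user_match.group("user") if user_match else None
            findings.append({"line": lineno, "user": user, "is_root": user == "root",
                             "password": match.group("password")})
            break
    return findings


# The alternative: a dedicated account holding only the grants it needs, e.g.
#   GRANT SELECT ON app.* TO 'app_reader'@'localhost';
# with the password supplied at runtime (environment, config outside the repo,
# or a secret store), never as a literal in the source.
def connection_settings(env: Dict[str, str]) -> Dict[str, str]:
    """Assemble connection parameters from the runtime environment; refuse root
    and refuse to start without a password rather than fall back to a literal."""
    user = env.get("DB_USER", "")
    password = env.get("DB_PASSWORD", "")
    if not user or user == "root":
        raise ValueError("DB_USER must name a least-privilege account, not root")
    if not password:
        raise ValueError("DB_PASSWORD must be supplied at runtime")
    return {"host": env.get("DB_HOST", "127.0.0.1"), "user": user,
            "password": password, "database": env.get("DB_NAME", "app")}


# Constructed sample resembling the snippets the post describes (not real code).
SAMPLE_SOURCE = '''<?php
// Constructed sample resembling the snippets the post describes.
$link = mysql_connect("localhost", "root", "hunter2");
$cfg = array("user" => "app", "password" => "letmein");
$dsn = "mysql://admin:Sup3rSecret@db.internal/app";
$safe = getenv("DB_PASSWORD");   // read at runtime: nothing to find here
'''

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print("line %d: user=%s root=%s" % (f["line"], f["user"], f["is_root"]))
    print(connection_settings({"DB_USER": "app_reader", "DB_PASSWORD": "from-secret-store"}))
```

The scanner is deliberately line-oriented so it can be dropped into a pre-commit hook; a `root` hit is reported separately because, as the post notes, it may well be the system's root password too.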
Tuesday, July 23, 2013
One comment from a reader was, can you tell if a link is safe by examining the URL? To some degree, yes. When you hover over a link, most browsers show its actual destination in the status bar at the bottom of the window (the visible link text proves nothing; it can say anything). The part that matters is the host name, the domain between the "//" and the next "/" or "?": if that is myrealbank.com, the link may be safe; if it is myevilproxy.com?site=myrealbank.com, the bank's name is only a decoy in the query string, and that's a dead giveaway. The same trick works with subdomains (myrealbank.com.evil.net) and with look-alike names (myrealbank-secure.com), so judge the domain you will actually land on, not whether a familiar name appears somewhere in the string. Shortened URLs (t.co, bit.ly, etc.) make this more challenging, because the short URL masks a much longer one and it's inconvenient to check each long-form URL before following the link (though there are browser plug-ins and preview services that will expand the URL and show you the full link). And even a genuine domain only tells you the page is real, not that an unexpected message asking you to visit it is.
Friday, July 12, 2013
One facet of penetration testing is to focus on the person rather than the system - if I can get a person to give up their keys to the front door (their username and password, for example), then there is no need to search for a weak back door or unlocked window. A common way to approach this is through phishing - often an email (or Facebook post) masquerading as communication from a trustworthy entity (say, a bank or a boss) asking for information, or directing the target to a web link.
Tuesday, June 11, 2013
Wednesday, June 5, 2013
Update December 4, 2015: Graham Cluley wrote about a related topic: many common devices in hospitals and other public facilities have USB ports, which might be tempting sources of power for a mobile device. These devices though serve important purposes, in many cases keeping patients alive. Plugging a phone or tablet in for a quick charge could unintentionally damage the equipment, leaving it inoperable the next time it is needed for a medical emergency.
A charge-only USB cord (one with the data lines left unconnected, so the device can draw power but nothing can talk to it) is great for charging from an untrusted charging kiosk, but an AC wall adapter of your own is the better bet if you need to charge and no dedicated charging port is available.
Tuesday, May 28, 2013
Recently a colleague asked if I had any recommendations for maintaining some semblance of privacy when online. His specific concerns were web browsing, search, and email. In each of these cases, one or two well-known names have a reputation of knowing their users a little too well. How often do you see advertisements that seem to read your mind? Have you ever researched or purchased a product, only to see lots of advertisements for a related product or accessory?
Tuesday, May 14, 2013
In July of 2010, I discovered a bug in Windows XP that allowed me to reliably crash a command shell. I reported the details to Microsoft's Security Response Center (any time you can force unexpected behavior in an application, there is at least a possibility that you can force your own arbitrary behavior). Microsoft's response was that while I was able to force cmd.exe to exit ungracefully, it did not indicate a security concern. That may well be true, but my curiosity brought it back to mind this week, and I was quite surprised to find that the bug still exists in Windows 7 with all current patches.
Tuesday, May 7, 2013
Wednesday, May 1, 2013
Most kids (adults too) have a variety of electronic devices. Cell phones, iPods, tablets, game systems, calculators, watches – all rely on battery power. Forget to charge the battery, and the device will not work. With many of these devices you may get a day or two out of them, but that’s about the limit. Once the battery dies, until it is recharged, the device is useful only as a paperweight!
Tuesday, April 30, 2013
Tuesday, April 23, 2013
And then we in the industry go and do boneheaded things that go against the very things we teach.
Recently I received a message claiming to be from Yahoo!, promoting a new "advanced account recovery" feature in their email service. It invited me to add a mobile phone number to my email account as a secondary way of authenticating my account and regaining access should I ever forget my password or get locked out. OK - a useful feature, and one that other webmail services have also introduced.
It's the way this email was presented that I have a problem with.
1. The sender was [email protected] Now maybe yahoo-email.com is a legitimate domain owned by Yahoo! Inc. for the purposes of official corporate email, since @yahoo.com is the freely available email domain - other webmail services do something similar. But if I were a bad guy, I would do the same thing - use a domain that looks close enough to the real thing. I pulled up the Whois record to find out the actual owner, and it is registered to Yahoo! Inc, so it very well may be legitimate, but how many people do a whois query before trusting a sender?
2. The links in the email - both the "click here to add your mobile number" and the links in the disclaimers at the bottom, go to yahoo-email.com/something. This is a much more serious problem: I know yahoo.com is the original domain for Yahoo!, just as I know microsoft.com is the original domain for Microsoft. I would expect a legitimate email, even if it used a different email source to differentiate it from consumer mail, to link to the well-known domain yahoo.com.
3. Nowhere in the email does it describe a way for me to add my mobile number through the email settings portal I already know - and I cannot find such a setting anywhere in the email settings. This is a huge red flag. If this is a legitimate email, then there should be a way to access the feature through the email settings tool.
Ultimately I spoke with the director for security at Yahoo! (his actual title is "Director, paranoids" - is that not a great title for a security manager?). He confirms that this is a legitimate new feature, and that the email text was not crafted as well as it could be.
The takeaways are twofold:
For the consumer, be suspicious of email that seems out of place, especially if it asks you to click a link or log in somewhere.
For the industry professional, be conscious when communicating with customers, and take care not to undermine the safe computing practices we work hard to teach.
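The link checks described in the July 23 post above, and the yahoo-email.com problem in this one, as an added example (not code from either post): given a short list of domains you trust for a brand, the inspector reports why a link should not be trusted, covering the decoy-in-the-query case, the decoy-as-subdomain and decoy-before-"@" cases, look-alike registered domains, and shortened links that need expanding first. The trusted-domain lists, the shortener list and all the sample URLs are constructed for the example.

```python
"""Added example: inspect a link's real destination against domains you trust."""
from typing import Dict, List
from urllib.parse import urlsplit

# Well-known shorteners; constructed list for the example, extend as needed.
SHORTENERS = {"t.co", "bit.ly", "goo.gl", "tinyurl.com", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'login.myrealbank.com' -> 'myrealbank.com'.
    Adequate for .com/.net/.org; use the Public Suffix List for co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str, trusted: List[str]) -> Dict[str, object]:
    """Return the real host, its registrable domain, and every reason not to trust it."""
    trusted = [t.lower() for t in trusted]
    parts = urlsplit(url if "://" in url else "http://" + url)  # bare "host?x=y" parses as a path otherwise
    host = (parts.hostname or "").lower()
    effective = registrable_domain(host)
    reasons: List[str] = []

    if effective in SHORTENERS:
        reasons.append("shortened link: expand it and inspect the real target")
    if parts.username is not None:
        reasons.append("text before '@' is a username, not the host; real host is " + host)
    if effective not in trusted and effective not in SHORTENERS:
        reasons.append("effective domain '%s' is not a trusted domain" % effective)
        userinfo = (parts.username or "").lower()
        rest = (parts.path + "?" + parts.query).lower()
        for t in trusted:
            if t in host or t in userinfo:
                reasons.append("trusted name '%s' used as a decoy in the host part" % t)
            elif t in rest:
                reasons.append("trusted name '%s' appears only in the path or query" % t)
            elif t.split(".")[0] in effective.split(".")[0]:
                reasons.append("lookalike domain: '%s' resembles '%s'" % (effective, t))
    if parts.scheme != "https" and effective in trusted:
        reasons.append("plain http: the page can be altered or observed in transit")
    return {"host": host, "effective_domain": effective, "safe": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the post's examples plus the subdomain, '@' and look-alike variants.
    for url, trusted in [
        ("https://www.myrealbank.com/login", ["myrealbank.com"]),
        ("myevilproxy.com?site=myrealbank.com", ["myrealbank.com"]),
        ("https://myrealbank.com.evil.net/login", ["myrealbank.com"]),
        ("https://myrealbank.com@evil.net/", ["myrealbank.com"]),
        ("https://yahoo-email.com/addphone", ["yahoo.com"]),
        ("http://bit.ly/abc", ["myrealbank.com"]),
    ]:
        verdict = inspect_link(url, trusted)
        print(url, "->", "safe" if verdict["safe"] else "; ".join(verdict["reasons"]))
```

The "lookalike" test is intentionally crude (the brand's first label appearing inside the registered domain); it catches yahoo-email.com and myrealbank-secure.com, which is exactly the class of name a whois lookup was needed to resolve in this post, and it errs on the side of flagging.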
Monday, April 22, 2013
At least 14 people lost their lives in West, including 12 paramedics and firefighters that were on the scene before the fertilizer plant exploded. An entire apartment complex, many homes, and a part of the middle school are gone. Just because it doesn't have the shock factor of a bomb at a major public event doesn't lessen the tragedy this community is dealing with.
As I started to write this, I couldn’t help but think of the “security theater” Bruce Schneier often writes of. Security theater is when measures are taken to “look” secure while not actually providing any significant reduction in risk, or that are an overreaction to a real threat. The flaw in this sort of response is that it tends to focus on the sensational threat – the sort of threat you might see carried out in a movie – while overlooking more common events that just don’t have the same shock factor. Consider this: which do you fear more, a terrorist bomb, a deranged gunman, or a mosquito bite? According to the CDC, there were 243 deaths last year from West Nile Virus, transmitted by mosquito bites, while according to the National Counter-Terrorism Center 17 US civilians died at the hand of terrorist attacks in the same period.
Bruce has written frequently of the silliness in focusing on the sensational. It’s not because the sensational never happens (alas, it does), but rather because you could never predict every possible plot and prevent it (and to even try would completely upend life as we know it – as evidenced by the fiasco that is modern air travel). This week highlights a different, and less obvious, problem with security theater. As a nation we have become fixated upon terrorism and elaborate plots, to the point that a terroristic act largely overshadowed a greater catastrophe that was (by all current accounts) an accident.
I am praying for the victims of both events. Whether by the hand of two men intent on causing harm, or through an accidental explosion of an industrial facility, lives were lost, and many dozens more lives were damaged both physically and emotionally.
Thursday, April 18, 2013
As Google, Yahoo, Facebook, and others “federate” their login services (i.e. I can log in to unrelated third-party sites using my Facebook or Google credentials), the line between various service providers has first blurred, and now vanished altogether. It used to be that if my Facebook account were compromised, the only thing at risk was, well, my Facebook identity. But with “Facebook Connect,” now if my Facebook password is stolen, an attacker could conceivably sign in to my accounts with CBS, Disney/ABC, Hulu, Twitter, Vimeo, WordPress, and more (assuming I use those services and linked them to Facebook). The identity provider has become a master key, so it deserves the strongest password and second-factor protection you are willing to use, and the list of connected apps in its settings deserves a periodic pruning.
Tuesday, April 16, 2013
Monday, April 8, 2013
As I alluded in a previous post, I brought home a trophy in the social engineering CTF contest. In the hacking community, Capture The Flag (or CTF) refers to a contest to test various computer security skills. There are many variations, but the basic premise is a set of goals, or "flags," that each participant has to achieve. The contest will generally have a set of "rules of engagement" that provide boundaries, but within those RoE, anything goes.
This year I participated in the social engineering CTF at B-Sides. Social Engineering is commonly referred to as hacking the human - using social and psychological skills to get someone to give you what you want, as opposed to "breaking in." This was my first time competing in any such contest, so I had limited expectations beyond simply learning something new.
Monday, April 1, 2013
Last week I blogged about my walmart.com account getting pwned and used fraudulently to make purchases using my credit card. Since I caught it within minutes, and Walmart acted very quickly to void the transactions and suspend my account, I avoided any real damage.
It could have been much worse. Password management is one of the great nuisances of the Internet world. I have email accounts, social media accounts, bank accounts, online shopping accounts, blogging accounts, music service accounts, streaming video accounts, even accounts with news media sites. Most if not all of these are accessed by using a username and password (some of the more risk-averse sites ask for additional information to verify my identity the first time I log in from a given location, but by and large username and password are the Internet’s way of authenticating my identity). For that matter, the PIN on my debit card is essentially another form of password. Not only do I have dozens if not hundreds of password-protected accounts, but in some cases I am required to change these passwords periodically.
Friday, March 29, 2013
That in itself is nothing new. For years gas pumps and ATMs have been targeted by skimmers: small magnetic-stripe readers hidden over or inside the card slot that copy the data from your credit or debit card as you insert it. As technology has progressed, those once easily recognized additions have gotten smaller and smaller, to the point that they may be very difficult to spot, or may sit inside the machine where you cannot see them at all.
Today's report highlights a different approach, one that is far more difficult to detect. Russian-based security company Group-IB recently discovered malware called “Dump Memory Grabber,” which it believes has already been used to steal debit and credit card information from customers of major US banks. Unlike most malware (what most people call computer viruses), this is not something on your own computer: it is installed on the ATM or the point-of-sale register or kiosk itself. As the name suggests, it grabs card data out of the device's memory while a transaction is being processed, including everything encoded on the magnetic stripe and potentially the PIN. A careful customer can sometimes spot a skimmer; malware inside the terminal leaves nothing to see, which leaves statement review and your issuer's fraud alerts as the practical defense on the customer side.
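As an added illustration (not code from the post or from Group-IB's analysis), here is the scan that a memory grabber performs on a terminal's memory, and that a defender's memory or YARA check performs in reverse: find magnetic-stripe Track 2 records in a raw buffer and confirm each candidate PAN with the Luhn check digit so random digit runs are ignored. The buffer is a constructed memory image using the well-known Luhn-valid test number 4111111111111111 and a decoy with a bad check digit; the Track 2 layout it assumes (start sentinel ";", PAN, "=", YYMM expiry, 3-digit service code, discretionary data, end sentinel "?") is the standard one.

```python
"""Added example: find and Luhn-validate Track 2 card data in a memory buffer."""
import re
from typing import Dict, List

# Track 2: ';' PAN(13-19 digits) '=' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel. Held as ASCII in most terminal memory.
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[0-9]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 if > 9, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> List[Dict[str, object]]:
    """Return every Track 2 record in buf whose PAN passes Luhn, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue  # digit runs that merely look like a PAN are dropped here
        hits.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group("exp").decode(),
            "service_code": m.group("svc").decode(),
        })
    return hits


# Constructed memory image (not a real dump): one valid record built on the
# test PAN 4111111111111111, filler bytes, and a decoy that fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL v1\x00\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00filler\x00"
    b";4111111111111112=2512101?"  # bad check digit, must be ignored
    b"\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print("offset %(offset)d: PAN %(pan_masked)s exp %(expiry)s svc %(service_code)s" % hit)
```

Two things the example makes concrete: the data is in the clear in memory between the card reader and the encryption step, which is the window this malware lives in, and the Luhn check is what keeps such a scan (malicious or defensive) from drowning in false positives on an arbitrary dump.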
Friday, March 22, 2013
This week I attended the BSides Austin event, a 2-day hacker "unconference" in Austin, Texas. BSides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers. It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.
As I sat down to watch a presentation, I received an email alert confirming a walmart.com order. I thought it odd because I had not made any such purchase. I thought it even more odd because it included an order for pre-paid cell phone minutes on a carrier I do not use, to be delivered via email. Within 6 minutes I received 3 more order confirmations for similar purchases, followed by a confirmation that my account information (such as name, mailing address, and email) had been changed. Uh oh.
Monday, February 25, 2013
When I started out in the systems administration / hacking world a couple of decades ago - and even when I first moved into information security as a profession nearly 15 years ago - the dominant incentive was the ego trip: what can I get away with? Truth be told, that's the original (and to many, myself included, the "real") meaning of hacking: take something and make it do what I want, rather than necessarily what the creator intended. That culture has nothing to do with malicious use of computers - see automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers for two examples. A hacker could be known less controversially as a Maker, or a tinkerer, or a modder - or an engineer.
Hacking in its purest form is perfectly legitimate. Where it becomes illegal is when I stop tinkering with things I own, and begin tinkering with something you own, without your permission (or, according to the US Copyright Office, if I tinker with certain digital devices even though I own them, a gross misinterpretation of the US constitution, but I digress...).
Wednesday, February 6, 2013
I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.
Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.
When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.
For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.