Tuesday, April 30, 2013

Whose Kids Are They Anyway?

I came across a very disturbing video recently, one that echoes what I have seen personally in over a decade of various children’s and youth ministries. In this video, a well-known educator makes the point that we need to abandon the notion that we as parents are ultimately responsible for raising our kids. She makes the statement that “we have to break through our kind of private idea that kids belong to their parents or kids belong to their families and recognize that kids belong to whole communities.”

The video generated quite a bit of backlash, in response to which she wrote a blog post that does a paradoxical job of backpedaling while simultaneously defending her position. I get her point – our children are not merely members of our households, but also members of the community, and are deserving of care, respect, and attention from the community. When we choose to live in communities, we can pool our resources to provide emergency responders, medical care, recreation opportunities, education, roadways, utilities, and more, in ways that would not be economically feasible individually.

Tuesday, April 23, 2013

I thought I taught you not to click...

For years, the computer security industry has worked to educate computer users to avoid phishing scams and malware spread via email. One of the most basic rules of thumb is not to click links or attachments in email unless you are certain of the sender. We teach to look at the sender's address for out-of-place characters such as G00GLE instead of GOOGLE (zeros in place of "oh's"). We say to look out for added characters (googlecom.com instead of google.com). We say not to trust what the text in a link says, but to hover over a link and see what URL shows up in the status bar (for instance, the text www.google.com in fact is a link to yahoo.com - hover over it and see for yourself). And we teach that a legitimate service will never ask for your password over email (instead we will direct you to login to our web site).

And then we in the industry go and do boneheaded things that go against the very things we teach.

Recently I received a message claiming to be from Yahoo!, promoting a new "advanced account recovery" feature in their email service. It invited me to add a mobile phone number to my email account as a secondary way of authenticating my account and regaining access should I ever forget my password or get locked out. OK - a useful feature, and one that other webmail services have also introduced.

It's the way this email was presented that I have a problem with.

1. The sender was [email protected]. Now maybe yahoo-email.com is a legitimate domain owned by Yahoo! Inc. for the purposes of official corporate email, since @yahoo.com is the freely available email domain - other webmail services do something similar. But if I were a bad guy, I would do the same thing - use a domain that looks close enough to the real thing. I pulled up the Whois record to find out the actual owner, and it is registered to Yahoo! Inc., so it very well may be legitimate, but how many people do a whois query before trusting a sender?

2. The links in the email - both the "click here to add your mobile number" link and the links in the disclaimers at the bottom - go to yahoo-email.com/something. This is a much more serious problem: I know yahoo.com is the original domain for Yahoo!, just as I know microsoft.com is the original domain for Microsoft. I would expect a legitimate email, even if it used a different email source to differentiate it from consumer mail, to link to the well-known domain yahoo.com.

3. Nowhere in the email does it describe a way for me to add my mobile number through the email settings portal I already know - and I cannot find such a setting anywhere in the email settings. This is a huge red flag. If this is a legitimate email, then there should be a way to access the feature through the email settings tool.

Ultimately I spoke with the director for security at Yahoo! (his actual title is "Director, paranoids" - is that not a great title for a security manager?). He confirms that this is a legitimate new feature, and that the email text was not crafted as well as it could be.

The takeaways are twofold:

For the consumer, be suspicious of email that seems out of place, especially if it asks you to click a link or log in somewhere.

For the industry professional, be conscious when communicating with customers, and take care not to undermine the safe computing practices we work hard to teach.
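The rules of thumb from this post (check the sender's domain, check where each link actually goes, and compare the link text against the link target) can be applied mechanically. The script below is an added example, not code from the original post; it runs over a constructed message modelled on the one described above (all addresses and URLs in it are made up), and it assumes a simplified "last two labels" notion of the registrable domain, which is enough for the .com cases here but not for suffixes like .co.uk.

```python
import email
import email.policy
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, modelled on the account-recovery mail described in the post.
# The sender address and every URL below are made up for this example.
RAW_MESSAGE = """\
From: Yahoo! Mail <account-recovery@yahoo-email.com>
To: someone@example.com
Subject: Add a mobile number to your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Protect your account with advanced account recovery.</p>
<p><a href="http://yahoo-email.com/recovery">Click here to add your mobile number</a></p>
<p>Help is at <a href="http://www.yah00.com/help">www.yahoo.com</a>.</p>
<p><a href="https://mail.yahoo.com/settings">Account settings</a></p>
</body></html>
"""

# Digits commonly swapped for letters in lookalike domains (G00GLE for GOOGLE).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Link text that itself looks like a web address (with or without a scheme).
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (assumption: ignores multi-label public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_domain(host, expected):
    """Return None if host belongs to the expected domain, else a short reason it is suspect."""
    reg = registrable(host)
    if reg == expected:
        return None
    if reg.translate(HOMOGLYPHS) == expected:
        return "lookalike characters"
    if expected.split(".")[0] in reg:
        return "brand name inside an unrelated domain"
    return "unrelated domain"


def analyze(raw, expected):
    """Apply the post's rules of thumb to one message; returns a list of (where, value, reason)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    _, sender = email.utils.parseaddr(str(msg["From"]))
    sender_domain = sender.rpartition("@")[2]
    reason = classify_domain(sender_domain, expected)
    if reason:
        findings.append(("sender", sender_domain, reason))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())

    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reason = classify_domain(host, expected)
        if reason:
            findings.append(("link", host, reason))
        # The visible text looks like an address but names a different host than the href.
        m = DOMAIN_LIKE.match(text)
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(("link text", text, "displayed address differs from link target"))
    return findings


if __name__ == "__main__":
    for where, value, reason in analyze(RAW_MESSAGE, "yahoo.com"):
        print(f"{where:10} {value:25} {reason}")
```

Run against the sample, the checker flags the sender domain and the first link (brand name inside an unrelated domain), the second link's host (digit-for-letter lookalike) and its displayed text (which names a different host than the target), while the link to mail.yahoo.com passes. The whois step from the post is deliberately left out, since it needs network access and, as noted above, is not something most recipients will do.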

Monday, April 22, 2013

Why is one tragedy headline news, while another is largely overlooked?

I've been bothered by something this past week. Why is it that a terroristic act at the Boston Marathon, and the subsequent lockdown and manhunt, have been headline news all week, while the catastrophe in West, Texas, with much greater loss of life as well as the loss of many families’ homes, has for the most part been only a side note outside of Central Texas? I do not in any way mean to diminish the pain felt by those injured, or those who lost loved ones in Boston. It was an atrocious act. But it seems the country is fixated on it simply because it was terrorism.

At least 14 people lost their lives in West, including 12 paramedics and firefighters who were on the scene before the fertilizer plant exploded. An entire apartment complex, many homes, and a part of the middle school are gone. Just because it doesn't have the shock factor of a bomb at a major public event doesn't lessen the tragedy this community is dealing with.

As I started to write this, I couldn’t help but think of the “security theater” Bruce Schneier often writes of. Security theater is when measures are taken to “look” secure while not actually providing any significant reduction in risk, or that are an overreaction to a real threat. The flaw in this sort of response is that it tends to focus on the sensational threat – the sort of threat you might see carried out in a movie – while overlooking more common events that just don’t have the same shock factor. Consider this: which do you fear more, a terrorist bomb, a deranged gunman, or a mosquito bite? According to the CDC, there were 243 deaths last year from West Nile Virus, transmitted by mosquito bites, while according to the National Counter-Terrorism Center 17 US civilians died at the hand of terrorist attacks in the same period.

Bruce has written frequently of the silliness in focusing on the sensational. It’s not because the sensational never happens (alas, it does), but rather because you could never predict every possible plot and prevent it (and to even try would completely upend life as we know it – as evidenced by the fiasco that is modern air travel). This week highlights a different, and less obvious, problem with security theater. As a nation we have become fixated upon terrorism and elaborate plots, to the point that a terroristic act largely overshadowed a greater catastrophe that was (by all current accounts) an accident.

I am praying for the victims of both events. Whether by the hand of two men intent on causing harm, or through an accidental explosion of an industrial facility, lives were lost, and many dozens more lives were damaged both physically and emotionally.

Thursday, April 18, 2013

Blurring the line between login credentials

Yesterday’s XKCD comic got me thinking about something. The point of the comic is that we jealously guard the admin account on computers, with the mindset that if the admin account is protected, we are doing a good job at security.

As Google, Yahoo, Facebook, and others begin “federating” their login services (i.e. I can log into unrelated third party sites using my Facebook or Google credentials), the line between various service providers has first blurred, and now vanished altogether. It used to be that if my Facebook account were compromised, the only thing at risk was, well, my Facebook identity. But with “Facebook Connect,” now if my Facebook password is stolen, an attacker could conceivably have access to my accounts with CBS, Disney/ABC, Hulu, Twitter, Vimeo, WordPress, and more (assuming I use those services).

Tuesday, April 16, 2013

Thursday Mornings Are Hard ... Because Wednesday Nights Are Amazing

I love working with Awana (as I have written about before). I love getting to know the kids and their families (which admittedly has gotten exponentially harder as our club has grown). I love seeing kids learn Scripture that will guide them their entire lives. Most of all, I love knowing that with at least this one part of my life, I am doing exactly what God has called me to do.

A recent Wednesday reinforced my passion. It was a truly awesome example of how God orchestrates things far beyond my understanding to accomplish His Will. My Awana leadership team and I had planned this date as a "snow day" during our planning session last August. We had some ideas in mind from previous years, but hadn't yet figured out logistics - we knew what worked with 25-30 kids would not work with the much larger group God has blessed us with this year.

Monday, April 8, 2013

Capture The Flag, Social Engineering-style

Recently, I attended the Austin B-Sides security event. B-Sides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers. It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.

As I alluded to in a previous post, I brought home a trophy in the social engineering CTF contest. In the hacking community, Capture The Flag (or CTF) refers to a contest to test various computer security skills. There are many variations, but the basic premise is a set of goals, or "flags," that each participant has to achieve. The contest will generally have a set of "rules of engagement" that provide boundaries, but within those RoE, anything goes.

This year I participated in the social engineering CTF at B-Sides. Social Engineering is commonly referred to as hacking the human - using social and psychological skills to get someone to give you what you want, as opposed to "breaking in." This was my first time competing in any such contest, so I had limited expectations beyond simply learning something new.

Monday, April 1, 2013

One password to rule them all

Last week I blogged about my walmart.com account getting pwned and used fraudulently to make purchases using my credit card. Since I caught it within minutes, and Walmart acted very quickly to void the transactions and suspend my account, I avoided any real damage.

It could have been much worse. Password management is one of the great nuisances of the Internet world. I have email accounts, social media accounts, bank accounts, online shopping accounts, blogging accounts, music service accounts, streaming video accounts, even accounts with news media sites. Most if not all of these are accessed by using a username and password (some of the more risk-averse sites ask for additional information to verify my identity the first time I log in from a given location, but by and large username and password are the Internet’s way of authenticating my identity). For that matter, the PIN on my debit card is essentially another form of password. Not only do I have dozens if not hundreds of password-protected accounts, but in some cases I am required to change these passwords periodically.