Tuesday, June 11, 2013

Security Savvy Kids

My generation came of age as the Internet sprang onto the scene ... we had neither the benefits nor the threats of social media when we were teenagers. Our children are now growing up in a world where connectedness is ubiquitous. My 13-year-old son just got his first personal laptop this week (as opposed to using a shared family computer), so much of what I have written over the last few years suddenly has a newfound relevance. How do I protect him from malicious actors and his own youthful naivety, while at the same time teaching him to become a tech-savvy young adult? I don't have all the answers yet (truthfully, I'll never have all the answers), but here's a sort of "stream-of-consciousness" stab at a starting point.

Wednesday, June 5, 2013

Practice Safe Charging

This is not exactly a new topic, but it is one that has gained a new round of publicity this week following some recent research.

How are most portable electronic devices charged? Through a USB cable. What else is USB used for? Data storage (flash drives and external hard drives), peripheral devices (mice and keyboards), and more. What makes USB devices so convenient? They are generally plug-and-play: the moment you connect one, it announces what kind of device it is and the computer on the other end automatically loads the matching driver and starts talking to it, with no action from you. Do you see a potential problem?

Two years ago, three researchers built a demonstration “charging kiosk” at DefCon, a massive hacker / computer security conference in Las Vegas. The charging kiosk did in fact provide electricity, but it also took advantage of the properties of USB to demonstrate access to data on the device (generally a smartphone, which could be a gold mine for an attacker). In the demonstration, the kiosk merely showed that it could access data, and then displayed a warning message to the user. A truly malicious charging station would not be nearly so kind.

This week, three researchers published a brief for a presentation they will deliver at Black Hat this summer. Their presentation will demonstrate installing malicious software onto a current-generation Apple device through a charger (an off-the-shelf, non-jailbroken device, and without user interaction).

In the past couple of years, public USB charging stations have become increasingly common – at airports, in taxis, at bus stops. Certainly not every charging station is malicious - it is likely very few if any are - but this research shows how such conveniences can be abused. As in all aspects of life, it pays to understand risk so we can take appropriate action (or consciously accept the risk).

There is a ridiculously simple way to minimize this particular risk. A standard USB cable (sometimes referred to as "Sync and Charge") both provides electricity and transfers data. Inside the cable insulation are several tiny wires; a USB 2.0 cable has four, two for power (VBUS and ground) and two for data (D+ and D-), and newer versions add more. A visually-identical charge-only cable is missing the data wires and/or pins, so it is physically capable only of providing electricity: with nothing connected on the data lines, the other end never even notices that a device has been plugged in. One caveat: some phones use the data lines to negotiate a faster charge, so a charge-only cable may charge more slowly. That is a fair trade when the port is unknown. $5 or $10 for a charge-only cable is cheap insurance against this type of attack.
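The simplest way to confirm that a cable sold as "charge-only" really has no data lines is to plug your phone into your own, trusted laptop with it and see whether the laptop notices anything. The script below is an added example, not code from the original post; it assumes a Linux laptop with the `lsusb` tool (usbutils package) and compares two snapshots of the USB device list, one taken before the phone is connected and one after. The sample snapshots embedded in it are constructed for the offline demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a "charge-only"
# cable really carries no data. Plug the phone into a TRUSTED Linux laptop
# with the cable under test; if the host enumerates a new USB device, the
# cable is carrying data.
#
# Real-world use (lsusb is in the usbutils package):
#   before=$(lsusb)            # cable not yet connected
#   ... connect the phone with the cable under test, wait a few seconds ...
#   after=$(lsusb)
#   new_usb_devices "$before" "$after"   # prints nothing for a charge-only cable
set -u
export LC_ALL=C   # sort and comm must agree on collation order

# Reduce each lsusb line to "ID vvvv:pppp description". The leading
# "Bus 001 Device 004:" prefix changes every time something is re-plugged,
# so it must not count as a difference.
normalize_lsusb() {
    sed -E 's/^Bus [0-9]+ Device [0-9]+: //' | sort -u
}

# Print devices present in the "after" snapshot ($2) but not in "before" ($1).
new_usb_devices() {
    before_f=$(mktemp) || return 1
    after_f=$(mktemp) || { rm -f "$before_f"; return 1; }
    printf '%s\n' "$1" | normalize_lsusb > "$before_f"
    printf '%s\n' "$2" | normalize_lsusb > "$after_f"
    comm -13 "$before_f" "$after_f"
    rm -f "$before_f" "$after_f"
}

# Succeeds (exit 0) only when nothing new appeared, i.e. the cable passed.
cable_is_charge_only() {
    [ -z "$(new_usb_devices "$1" "$2")" ]
}

# Constructed sample snapshots for an offline demonstration; the lines are
# modelled on lsusb output, not captured from a real machine.
SAMPLE_BEFORE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0a2b Intel Corp. Bluetooth wireless interface'
# Sync-and-charge cable: the phone enumerates as a new device.
SAMPLE_AFTER_SYNC="$SAMPLE_BEFORE
Bus 001 Device 005: ID 05ac:12a8 Apple, Inc. iPhone"
# Charge-only cable: nothing new, even though the Bluetooth adapter was
# re-plugged and received a different device number.
SAMPLE_AFTER_CHARGE_ONLY='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 8087:0a2b Intel Corp. Bluetooth wireless interface'

if cable_is_charge_only "$SAMPLE_BEFORE" "$SAMPLE_AFTER_CHARGE_ONLY"; then
    echo "charge-only sample: PASS (no new USB device enumerated)"
fi
if ! cable_is_charge_only "$SAMPLE_BEFORE" "$SAMPLE_AFTER_SYNC"; then
    echo "sync-and-charge sample: FAIL, new device(s) enumerated:"
    new_usb_devices "$SAMPLE_BEFORE" "$SAMPLE_AFTER_SYNC"
fi
```

Do this test on a computer you trust, never on the kiosk itself. A no-tools variant works for recent iPhones: if the "Trust This Computer?" prompt appears when you connect, the data lines are live and the cable is not charge-only.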

I look forward to the presentation to see other suggestions the team has.

Update December 4, 2015: Graham Cluley wrote about a related topic: many common devices in hospitals and other public facilities have USB ports, which might be tempting sources of power for a mobile device. These devices though serve important purposes, in many cases keeping patients alive. Plugging a phone or tablet in for a quick charge could unintentionally damage the equipment, leaving it inoperable the next time it is needed for a medical emergency.

A charge-only USB cord is great insurance at an untrusted charging kiosk, but an AC wall adapter plugged into an ordinary outlet is the better bet whenever you need to charge and no dedicated charging port is available: it exposes no data lines at all, and it does not borrow power from equipment that may have a far more important job.

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.