Thursday, December 18, 2014

A look back: 4 years, 100 posts

Over the last 4 years, this blog has covered a lot of ground. We've looked at safe surfing practices when using the Internet in a public location. We've looked at how to set up a home network to be reasonably secure. We've talked about password practices, and the value of two-factor authentication to secure more valuable accounts. We've discussed a rash of credit card thefts at major retailers. We've seen several severe flaws in services used widely on the Internet. This blog has even published several vulnerabilities and website flaws discovered by yours truly.

My goal in writing is two-fold: I write technical content in the hopes that other professionals will find value, but I also endeavor to educate those that have not made a career out of information security. To that end, if there is a topic you would like to know more about, or a topic I have not explained as clearly as you would like, I invite you to comment on this or any post, or send me a message at david (at) securityforrealpeople (dot) com.

Without further ado, a highly biased review of top topics:

Passwords, Passwords, and More Passwords

Passwords are the bane of most Internet users - and the few that are not annoyed by passwords are not using them properly! That's one reason why I've written more on passwords than just about any other topic. Thankfully, managing passwords does not have to be a torturous endeavor. You know the recommendations: use a different password for every login account; use long, complex passwords that are not made up of words you can find in the dictionary; don't use things that are easy to guess (like names or birthdates of children or pets); in short, don't use passwords you can remember. Password managers take the arduous task of remembering passwords out of your hands - they remember a hundred passwords so you don't have to. Several have even taken the next step and offer to change your passwords with one click. It's a logical step: I trust a program to remember all my passwords, perhaps I can trust it to change all my passwords too ... so long as it doesn't become sentient and decide I no longer require access to an account!

Alas, even the best password is no match for malware that watches the keyboard to capture the password as it is entered. That is why I and every other security professional recommend using "multifactor authentication" on more valuable accounts. With multifactor (often called two-factor, or 2FA), you use both a password and an additional factor to prove your identity. Note that this additional factor should not be another piece of information you know - if a hacker can steal a password, they can also steal the answer to "What street did you grow up on?" The extra factor should be something you physically possess - frequently your cell phone or a keycard.

Wireless Routers

Early in 2014, after reading about a serious flaw in certain Asus wireless routers in which an intruder could access hard drives connected to the router, I proceeded to update the firmware (aka the programs built into the device) on my router. To my surprise, my router reported it had the latest update, when I knew for a fact it was outdated. I'm not one to just call customer support and say "it doesn't work," so instead I dug through the update scripts and found the problem: the manufacturer had released a new version, but forgot to update the "lookup table" that tells routers what the latest version is. Asus fixed this quickly. That would have been the end of the story, but while troubleshooting I came across two vulnerabilities in the router firmware.

The first was that the administration pages (the website on the router, for configuring router settings) showed the administrator username and password in a hidden field on the page - they were not visible in a common browser, but were easily found by right-clicking the web page and choosing to View Source. The second was more complicated to exploit, but potentially more damaging. Routers running ASUSWRT firmware did not verify the source of an update, and thus it was possible to trick the router into installing fraudulent code, or as I demonstrated, to "upgrade" to an older version with known vulnerabilities that could then be exploited. Asus has fixed each of these issues. My research led to a chance to beta test the new top-of-the-line RT-AC87U router - a highly capable wireless router that makes a fantastic foundation for a secure home network.
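The two checks the router was missing, authenticating an update image before installing it and refusing to step back to an older version, are easy to model. The following is an added example written for this post, not Asus firmware or anything from ASUSWRT; the image format, the `FWUP` magic, the vendor key and the version numbers are all constructed for the demonstration, and an HMAC stands in for the asymmetric signature a real vendor would use so the script runs with nothing but the standard library.

```python
"""Firmware update verification with anti-rollback (constructed example).

Models the two checks described above: (1) authenticate the image before
trusting any field in it, and (2) refuse a version older than the one
currently running, so a signed-but-old image cannot be used to reintroduce
known bugs. Everything here (format, key, versions) is made up for the demo.
"""
import hashlib
import hmac
import struct

# Hypothetical vendor key pre-provisioned in the device. A real device would
# hold a public key and verify a signature; an HMAC keeps this dependency-free
# and exercises the same accept/reject logic.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"

HEADER = struct.Struct(">4sI")   # magic (4 bytes), version (uint32, big-endian)
MAGIC = b"FWUP"                  # constructed image marker
TAG_LEN = hashlib.sha256().digest_size


def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce an image laid out as header || payload || HMAC(header || payload)."""
    body = HEADER.pack(MAGIC, version) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def naive_version(image: bytes) -> int:
    """What the unverified path effectively did: read the version and trust it."""
    return HEADER.unpack_from(image)[1]


def verify_image(image: bytes, installed_version: int, key: bytes = VENDOR_KEY):
    """Return (ok, reason, version).

    Rejects truncated, unauthenticated, mislabelled and downgraded images.
    The authenticity check runs first so no untrusted field is parsed.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image", None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad signature", None
    magic, version = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic", None
    if version < installed_version:
        return False, f"rollback refused: {version} < {installed_version}", version
    return True, "ok", version


if __name__ == "__main__":
    current = 4
    for label, img in [
        ("genuine newer image", build_image(5, b"new firmware blob")),
        ("genuine older image", build_image(3, b"old firmware blob")),
        ("image signed with wrong key", build_image(9, b"x", key=b"not-the-vendor")),
    ]:
        print(f"{label:32} naive={naive_version(img)} verified={verify_image(img, current)}")
```

The order of checks matters: the version field is only compared against the installed version after the signature has passed, because before that point an attacker controls every byte of the image, including the version. The rollback rule is strict "older than", so reinstalling the running version (a common recovery step) is still allowed.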


What hacker blog would be complete without talking about malware, the viruses, worms, and trojans that sneak onto your computer to wreak havoc? We've looked at how criminals disguise malicious links and make them look legitimate. We've looked at a worm delivered through Facebook (would you click a Facebook instant message from a friend that read "LOL Image"?). We've looked at the silly: spam offering to sell high-quality luxury knock-offs ... from a Russian website ... hosted on a Korean server. We took a deep dive into a phishing spam - an email claiming to be from USAA bank with an important message for me. The "message" was in fact an absolutely perfect recreation of the USAA website, designed to trick the unsuspecting visitor into logging in with valid USAA credentials, thereby giving the username and password to the attacker. Most recently, we did another deep dive, this time into a botnet - malware that would remote control my computer and enlist it into a robot network to do the attacker's bidding. In this case, the attacker's bidding was to turn around and attack thousands of mail servers, looking for ones using simple passwords that could be taken over and used to send yet more spam.
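From the mail server's side, the botnet activity described above shows up as a burst of failed logins from one address cycling through many usernames. As an added example (not code from this blog or from any mail server project), the script below runs simple brute-force detection over a handful of constructed Dovecot-style log lines; the hostnames, usernames and the addresses 203.0.113.7 and 198.51.100.22 (documentation ranges) are all made up for the demonstration.

```python
"""Spot password-guessing against a mail server from its auth log (constructed).

Counts failed logins per source address and flags sources that exceed a
threshold, noting whether the same source later logged in successfully, which
is the case an operator most wants to see first.
"""
import re
from collections import defaultdict

# Constructed sample log: one source hammering six accounts and finally getting
# in as "sales"; one ordinary user mistyping a password once and then succeeding.
LOG_LINES = """
Dec 18 10:01:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 18 10:01:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 18 10:01:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10
Dec 18 10:01:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 18 10:01:14 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10, mpid=4411, TLS
Dec 18 10:01:16 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 18 10:01:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 18 10:01:24 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user1>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 18 10:01:30 mail dovecot: imap-login: Login: user=<sales>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4412, TLS
""".strip().splitlines()

FAIL_RE = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")
OK_RE = re.compile(r"Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")


def summarize(lines):
    """Return (failures, successes): rip -> list of users tried, rip -> set of users logged in."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m["rip"]].append(m["user"])
            continue
        m = OK_RE.search(line)
        if m:
            successes[m["rip"]].add(m["user"])
    return failures, successes


def flag_sources(lines, threshold=5):
    """Flag sources with at least `threshold` failures; escalate if they also succeeded."""
    failures, successes = summarize(lines)
    alerts = {}
    for rip, users in failures.items():
        if len(users) < threshold:
            continue
        succeeded_as = sorted(successes.get(rip, ()))
        alerts[rip] = {
            "failures": len(users),
            "distinct_users": len(set(users)),
            "succeeded_as": succeeded_as,
            "verdict": "brute force followed by success" if succeeded_as else "brute force",
        }
    return alerts


if __name__ == "__main__":
    for rip, info in flag_sources(LOG_LINES).items():
        print(rip, info)
```

The threshold is deliberately crude; in practice you would bucket by time window and feed the result into a rate limiter or fail2ban-style blocker. The "distinct_users" count is the tell that separates a botnet working through a username list from one person who has forgotten their own password.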

Financial Crime

Malware doesn't (usually) exist just for fun. While that may have been true 15 years ago (early viruses were more about "hey, look what I can do"), most modern malware has a more sinister goal. Generally speaking, malware is written for either financial gain or activism / retaliation ... and sometimes both. A malicious actor may write or buy botnet software, infect thousands of computers to form a botnet army, and then rent this botnet army to whomever is willing to pay for its use. Lately, heavy focus has been on point of sale devices - sales registers and kiosks. Target, Home Depot, Goodwill Industries, Jimmy Johns, JP Morgan Chase, Sears/KMart, Dairy Queen, ... malware was used to infect the point of sale devices, which then sent credit card numbers to the criminals to be sold on the black market. I've even written a first-hand account of a retail shopping account being hacked to purchase pre-paid cell phone minutes (and gave kudos to Walmart for an outstanding fraud response). You can't always prevent your financial information from falling into criminal hands, but there are steps you can take to protect yourself from identity theft even when your information is stolen.

Awana, Children's Ministry, and Parenting

Network security is only one of my passions. I am the father of 5 teenage and preteen children, all of whom have their own interests (Chess! Archery and shooting sports! Breeding rabbits! Raising and showing turkeys!) One thing we have in common though is faith in Jesus Christ - He who lived, was executed on a Roman cross, and yet returned to life according to Biblical and historical records. Our family has served in and led Awana clubs for many years. One goal in Awana is to teach children Biblical truth so they can recognize lies for what they are.

It is far more effective to teach a child to think for themselves and recognize a lie on their own, than to try to shield our children from every opinion that is contrary to our own. Sadly, there are some that not only would absolve themselves of the responsibility to raise and train the little ones they brought into the world, but would go so far as to argue that parents do not have the right to lead their children. Contrary to popular opinion, if my child reaches adulthood and cannot tell right from wrong, or does not have the life skills to leave the nest and carry forth the heritage of serving Christ, the community did not fail him. I failed him.

As a modern hacker, I would be remiss if raising my children did not include teaching them technical skills such as how to solve a crypto puzzle in Python, as well as protecting them from the darker side of the Internet. This came to the forefront when the kids began acquiring Internet-connected devices that went beyond watching movies on Netflix (tablets, smartphones, and in the case of my eldest, a laptop computer). I feel my responsibility goes beyond my own kids though, and so I volunteer to talk about online safety to students in my local schools.

The Next 100...

Thanks for reading over the past 4 years. I hope you have enjoyed reading, but more importantly, learned something useful. I can't say what the future will hold - that's one of the reasons I love this field - but I'll continue to write about newsworthy security events as well as practical things you can do to stay safe online.

What would you like to learn about? Drop me a line in the comments, or at david (at) securityforrealpeople (dot) com.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen