Thursday, December 24, 2015

Should you turn off multifactor authentication before traveling overseas?

It's Christmastime, that time of the year when many folks take advantage of time away from work and school to travel. As a travel tip, the Australian government's online services website, myGov, put out a recommendation this week that made security professionals worldwide cringe.

Why do we cringe? My peers and I have spent the last couple of years promoting the use of two-factor authentication - a way of securing your accounts so that a stolen password is not enough for a criminal to break in.

Tuesday, December 22, 2015

An introduction to network packet analysis

I love that even more than most CTFs, the 2015 SANS Holiday Hack is designed to appeal to kids. My 12-year-old daughter has shown an interest in cybersecurity, so this turned into a great way to teach her a few things. Even better, most of the lessons were in response to her own questions.

I will publish a write-up of the entire challenge (or at least as far as I am able to complete it) in January once the contest concludes; in the meantime, the early challenge goals involve some network packet analysis. My tool of choice for packet analysis is Wireshark. To understand packet analysis though, it is useful to understand a little bit about how networks work.

Traditionally, network concepts are defined in terms of "layers." At each layer, one device talks to another, and each layer does not care what is happening at the other layers. Keep in mind that what follows is the simplified explanation I gave to my 12 year old; Microsoft describes things in more detail in a knowledge base article, and for even more education, Cisco has mountains of training and certifications available.
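To make the "layers" concrete, here is an added example (not code from the original post) that decodes one frame layer by layer, the way Wireshark's packet-details pane does. Each layer reads only its own header and hands the remaining bytes to the next; the frame itself is constructed by hand (Ethernet II, IPv4, UDP, a DNS query for example.com) rather than taken from a real capture, and checksums are left at zero because the parser does not verify them.

```python
"""
Added example, not from the original post: decode one frame layer by
layer, the way Wireshark's packet-details pane does. Each layer reads
only its own header and hands the remaining bytes to the next layer.
The frame is constructed by hand (Ethernet II, IPv4, UDP, a DNS query
for example.com), not taken from a real capture.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> DNS, returning one dict per layer."""
    layers = {}

    # Layer 2, Ethernet II: 6-byte destination MAC, 6-byte source MAC,
    # 2-byte EtherType saying what the payload is.
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers
    ip = frame[14:]

    # Layer 3, IPv4: the first byte packs version (high nibble) and header
    # length in 32-bit words (low nibble); "proto" names the next layer.
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
                    "src": ".".join(map(str, src_ip)),
                    "dst": ".".join(map(str, dst_ip))}
    if proto != IPPROTO_UDP:
        return layers
    udp = ip[ihl:total_len]

    # Layer 4, UDP: source port, destination port, length, checksum.
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    layers["udp"] = {"sport": sport, "dport": dport, "len": ulen}
    payload = udp[8:ulen]

    # Layer 7: port 53 means DNS. Pull the transaction ID and the queried
    # name (length-prefixed labels) out of the question section.
    if dport == 53 and len(payload) >= 12:
        txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
        labels, pos = [], 12
        while payload[pos] != 0:
            n = payload[pos]
            labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        layers["dns"] = {"id": txid, "is_query": not (flags & 0x8000),
                         "questions": qdcount, "qname": ".".join(labels)}
    return layers


def build_sample_frame() -> bytes:
    """Constructed sample frame. Checksums are zero; the parser above
    does not verify them."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
    udp = struct.pack("!HHHH", 54321, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64,
                     IPPROTO_UDP, 0, bytes([192, 168, 1, 10]),
                     bytes([8, 8, 8, 8])) + udp
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"),
                      bytes.fromhex("112233445566"), ETHERTYPE_IPV4)
    return eth + ip


if __name__ == "__main__":
    for layer, fields in parse_frame(build_sample_frame()).items():
        print(f"{layer:>4}: {fields}")
```

Notice that the Ethernet code never looks at IP addresses and the UDP code never looks at MAC addresses: that independence is what "each layer does not care what is happening at the other layers" means in practice, and it is also why a packet capture taken at one point on the network can be decoded without knowing anything about the machines at either end.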

Photo credit: Luca Ghio (Wikimedia Commons)

Thursday, December 17, 2015

Your child's privacy is eroding

Internet-connected gadgets, aka mobile apps and the "Internet of Things," are all the rage right now. Home thermostats let me turn up the heat from my smartphone, or monitor my household electricity consumption in near-real-time. Networked door locks make it possible to give a friend or a service provider access to the home without giving them a key. Smart TVs with built-in streaming media apps reduce the complexity of a home theater.

There's a dark side though: Internet-connected means ... well ... Internet-connected. A device talking to a server on the Internet means a device talking to something I don't control, and thus means a degree of trust. The more sensitive the nature of that device, the more trust I must have in the provider.

When that device or service interacts with my kids, the required degree of trust is very high indeed.

Friday, December 11, 2015

Why did the Doubleclick ad network need client certificates?

Why did ad network Doubleclick ask for digital client authentication certificates?

For several hours December 8, Google's Doubleclick ad network requested client authentication certificates when browsing to web properties that contained Doubleclick advertising.

In the physical world, you often conduct business with others face-to-face. If you do not personally know someone, you might rely on a trusted third party to vouch for the person's identity. That trusted third party might be a mutual friend, or it might be a government office that issues identification documents (passports, driver's licenses, state identification cards, school IDs, and the like).

Digital authentication certificates are the online equivalent of an identification card. A certificate binds a name to a public key and is signed by a trusted issuer; the matching private key stays with the owner, so only the proper owner of a certificate can prove possession of it.

Generally, digital certificates are associated with a web server: you want to know that you are buying from and not from You don't have to provide your own certificate, because the web server (much like a brick-and-mortar store) is open to all visitors. In this case however, Doubleclick asked your browser for a digital certificate anyway.

Monday, December 7, 2015

Malware freeloading on security pros' good name?

The following are notes about something I am investigating, and for which I don't yet have a conclusion. I am sharing in the hopes that perhaps some of my readers have seen this as well and might have some insight into the purpose or delivery mechanism. Of note, each example hosts the malicious download link on *

I have a variety of Google Alerts queries set up to alert me to mentions of my blog or my name on the Internet. I frequently get notices for news articles about a David Longenecker who happens to be the fire chief in Lancaster, Pennsylvania, but that's not my point today.

December 7, Alerts informed me of three documents on Google Docs. These documents contain a long list of excerpts and headlines from various security writers, including some from my own blog. They also contain links to a likely-malicious website.

The first two documents contain headlines and excerpts about security flaws in Adobe Flash Player, along with a link to download an "update" for Flash; the third document is similar, but refers to Asus wireless router firmware instead of Adobe Flash. Below is a screenshot of one document:

Friday, December 4, 2015

Practice Safe Charging, redux

Many portable devices can be charged via a USB cable - incredibly convenient due to the ubiquity of USB slots in computers, cars, airport charging kiosks, and electronic equipment. The USB cables used to charge mobile devices are also capable of transferring data and programs, both legitimately and maliciously.

Miscreants can compromise a USB port in a public place, in an attack known as "juice jacking." The attacker either replaces the USB port, or installs malicious software on the device that contains the port; when you plug your phone or tablet in to charge, you get an unwelcome bonus: your device taken over by the attacker.

Juice jacking is easy to prevent though. I carry a special power-only cable (readily available for $5 or $10 from Amazon, or most stores with a well-stocked electronics department). This cable is missing the two data lines (D+ and D-) and carries only power and ground, so it can only be used to deliver power. An easy alternative is a universal charge-only adapter. This is a simple USB adapter that connects to the end of any USB cable, again without the data lines, thus turning any cable into a charge-only cable.

Bob Covello writes of a different concern, especially in hospitals and medical facilities. A growing number of medical devices have USB ports, used by technicians to maintain the equipment, and used by medical professionals to transfer data and update medical instructions. These ports are a tempting source of power to a patient or visitor.

Plugging your device into medical equipment for a quick charge though could have unintended consequences. These devices are often keeping patients alive, or used in medical emergencies. Plugging a phone or tablet in could damage the devices, or infect the equipment with malware - meaning the device may not work as expected the next time a medical professional uses it.

The best tip? Keep a charging adapter handy and plug into the A/C outlet in the wall.

Wednesday, December 2, 2015

Your child's privacy is eroding

Social media, cloud-based educational tools, and Internet-connected toys are eating away at your child's privacy. My latest post at CSOonline

Monday, November 23, 2015

Cunning payment card fraud, or just a random glitch?

I have a strange tale to tell. I am sharing it here because I honestly don't know if it represents a simple computer glitch on the part of a bank or payment processor, or if it represents a breakthrough in payment card fraud. I have intentionally kept the dates and amounts approximate rather than exact, and am not doxxing the other party in this event, but otherwise what follows is a reasonably detailed sequence of events.

In early September, a charge I did not recognize appeared on my Chase credit card. I figured my card number had been taken in the latest Point of Sale card breach, so called Chase to report the fraudulent use. I expected they would identify it as fraud, close my account, and issue me a new card, as has happened 3 or 4 times in the past few years.

As I have written before, this type of fraud doesn't really bother me much - it's a bit annoying, but I've taken a few steps to limit any real consequences to me. This guide to financial fraud prevention explains what I do, and what I recommend my readers do too. By purchasing with credit cards and never debit cards, setting up transaction alerts by email or text message, and keeping a fraud alert on my credit report, I ensure that any card fraud is the bank's problem and not my problem.

Today's tale begins with an aforementioned transaction alert.

Tuesday, November 17, 2015

Schlotzsky's: Funny name, serious sandwich, poor privacy

I had a hankering 4 @Schlotzskys. Then I remembered the loyalty app demands too many perms. Guess I'll have to settle 4 a lesser sandwich...

When I began writing this post, I did not know how it would end. My hope was it would become a story of a privacy issue acknowledged and a restaurant modifying its customer loyalty app to respect its customers' privacy. Thus far, 5 months after initially reporting this, the Schlotzsky's "Lotz4Me" mobile loyalty app remains an egregious invasion of privacy beyond any loyalty app I have seen in the past.

Those not from Texas may not recognize the name Schlotzsky's. For that matter, you might not even know how to pronounce the name. That's OK. The chain that originated in downtown Austin makes a fantastic hot sandwich on fresh sourdough buns. Since the first restaurant opened in 1971, the chain has grown to some 350 locations - mostly in the southern and southwestern US (well over half are in Texas).

They are great at making food.

They are not so good at choosing digital products.

Wednesday, November 11, 2015

Free Disney World Tickets? Nah, it's another Facebook scam (Part 2)

Some of this article appeared on this blog a few weeks ago; it has been updated with more examples, as well as some investigation into the possible motivations for such scams.

Disney is giving away hundreds of tickets to Disneyland and Walt Disney World! All you have to do is like a page on Facebook and share it with your friends!

Or not.

My friends and family know I am in the cyber security field, so often ask me questions or send suspicious things my way for my opinion. And occasionally, they send things my way not realizing they've been hooked by a scam. The week before Halloween a friend shared what appeared to be a drawing for Disney theme park tickets. At the time I grabbed a few screen captures and pointed out a few things that led me to believe it was a scam, but left it at that.

In the time since then, I've seen about a half dozen similar scams and figured perhaps it's time for a more thorough discussion of what is going on, as well as possible motivations for the scammers.

Tuesday, October 27, 2015

Ten years after the accident

There are points in time, where the rest of life can be defined as "before" and "after." October 27, 2005 was such a date in the life of my family. It is the date on which I was reminded we have no guarantee of tomorrow. I share this story each October to remind readers how precious each day is.

Saturday, October 24, 2015

Free Disney World Tickets? Nah, it's another Facebook scam

For more examples, as well as a walk-through of a particular scam, and some investigation into possible motivations for the scammers, see this follow-up story.

Looking for information about the April 2016 "Disneyland 61st Birthday" offer? Sadly, it too is a scam. Scroll to the bottom for details.

Yesterday, someone created a fake "Walt Disney World Epcot." Facebook community. Yes, complete with the period at the end of the name. In 24 hours, it has gained some 900 likes and innumerable shares. That might have something to do with a fraudulent offer and a deadline of tomorrow:

Sharing this post --won't-- win you tickets to Disney World.

Thursday, October 8, 2015

DNS: a simple way to stop malicious web traffic

DNS-based web filtering is an easy and highly-effective component of network security. Since most web browsing - including the malicious sort - relies on DNS to translate human-readable domain names into Internet addresses, DNS is a natural choke point.

This post was first published in September, 2014. It has been updated for October, 2015's Cyber Security Awareness Month.

If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic!

Putting aside for a moment the possibility that you are reading a printout, you are more than likely reading this on a digital device. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. You might have clicked a post in Facebook, Twitter, Pinterest or Instagram (I'm not sure any of my pictures are worthy of the latter two, but I suppose it's possible). Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL into your web browser directly or used a bookmark.

Regardless of the source, your browser did not just yell out on the Internet, "show me the Security for Real People blog." Instead, it referred to a DNS, a network phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.
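Here is the decision a DNS-based filter makes at that choke point, as an added example that is not part of the original post. Names are normalised and checked against a blocklist so that every subdomain of a listed domain is caught, and a blocked name is answered with a sinkhole address instead of the real one. The blocklist, the upstream answers (RFC 5737 documentation addresses) and the queries are all constructed for illustration.

```python
"""
Added example, not from the original post: the decision a DNS-based
filter makes at the choke point. Names are normalised and checked
against a blocklist so that every subdomain of a listed domain is
caught; a blocked name gets a sinkhole address instead of the real one.
The blocklist, upstream answers and queries are all constructed.
"""
from typing import Callable, List, Optional, Set

SINKHOLE = "0.0.0.0"      # what the client gets instead of the real address


def normalise(name: str) -> str:
    """DNS names are case-insensitive and a trailing dot marks a fully
    qualified name. Remove both so comparisons are exact."""
    return name.rstrip(".").lower()


def blocked_by(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname, or None.
    Matching is label-wise: 'ads.evil.example' is covered by an entry
    'evil.example', but 'notevil.example' is not."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname: str, blocklist: Set[str],
            upstream: Callable[[str], Optional[str]], log: List[str]) -> Optional[str]:
    """Filtering resolver: answer listed names with the sinkhole, forward
    everything else. Every decision is logged, which is the other benefit
    of a choke point: one place to see what every device is looking up."""
    name = normalise(qname)
    hit = blocked_by(name, blocklist)
    if hit is not None:
        log.append(f"BLOCK {name} (matched {hit})")
        return SINKHOLE
    answer = upstream(name)
    log.append(f"ALLOW {name} -> {answer}")
    return answer


# Constructed blocklist and upstream answers (RFC 5737 documentation addresses).
BLOCKLIST = {"evil.example", "tracker.example.net"}
UPSTREAM_ANSWERS = {"www.example.com": "198.51.100.7",
                    "evil.example": "203.0.113.9",
                    "ads.evil.example": "203.0.113.10"}


def fake_upstream(name: str) -> Optional[str]:
    """Stands in for forwarding the query to a real resolver."""
    return UPSTREAM_ANSWERS.get(name)


if __name__ == "__main__":
    log: List[str] = []
    for q in ("www.example.com", "Ads.Evil.Example.", "notevil.example",
              "a.b.tracker.example.net"):
        resolve(q, BLOCKLIST, fake_upstream, log)
    print("\n".join(log))
```

The caveat a practitioner should keep in mind: the filter sees only the queries sent to it. A device configured to use a different resolver, a browser using DNS over HTTPS, or malware that connects straight to an IP address all go around it, so pair the filter with a firewall rule that blocks outbound port 53 to anything other than the filtering resolver.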

Tuesday, October 6, 2015

Grog and Narg teach two-factor authentication

Multifactor authentication is combining a password with something else - often a smartphone or a keycard. If an attacker steals the password, it does them no good unless they also have the cellphone, or keycard, or whatever the second factor is.

This post was first published in March, 2014. It has been updated for October, 2015's "Two Factor Authentication Tuesday." While passwords are often the first line of defense for online accounts, they can also often be discovered. Pairing the password with a second factor makes it considerably harder for someone with malicious intent to access your account.

10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.

Thursday, October 1, 2015

Cyber tips for digital citizens

What better time than National Cyber Security Awareness Month for a refresher on cyber safety? Start the new school year off with some healthy habits.

Every October, the National Cyber Security Alliance and the Department of Homeland Security lead National Cyber Security Awareness Month, a month of cooperative efforts involving government, private businesses, and individuals working together to promote online safety and digital privacy. This year's campaign kicks off with the theme "best practices for all digital citizens."

The news is full of stories about extraordinary threats: the NSA spying on everyone. Car, airplane, and medical device hacks. Baby monitors used by kidnappers to plan their entry. Elite hackers exist, and they do elite things - but they are generally not the greatest threat to most people. Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Autumn brings a return to the school-year routine for millions of students young and old, as well as their respective families. What better time for a refresher on cyber safety? Start Cyber Security Awareness Month with some healthy habits.

Monday, September 28, 2015

Who is stealing your tweets?

TL;DR: skip the reading and download TweetThief from GitHub to search for uncredited copies of your tweets.

Over the last year, I've participated in a number of Twitter chats. The National Cyber Security Alliance hosts Twitter conversations every couple of months, under the hashtags #ChatSTC (Stop. Think. Connect., their cyber awareness campaign slogan) and #ChatDPD (Digital Privacy Day). It's a great way to share information with people interested in security advice, as well as to learn from like-minded professionals.

During several of these chats, I've noticed an oddity: most of the participants contribute original thoughts to the conversation, or retweet pertinent comments to their own audiences. A couple of participants though appear to copy and paste the comments of others verbatim, with no credit given. They aren't retweeting someone else's thoughts, but are instead claiming them for their own.

Tuesday, September 22, 2015

Exploiting iOS backups for fun and profit

Recently I looked at an iPhone / iPad app designed to hide documents and pictures from snooping friends (or parents). By day the app was a calculator, but upon entering a secret code, it unlocked the hidden files. In exploring the app (and in particular, answering the question of whether I could access the hidden files without knowing the passcode), I came across an interesting oversight in the iOS security model.

Tuesday, September 15, 2015

Financial fraud - a prevention guide

Five steps to dramatically limit the risk and consequences of financial fraud.
Credit card fraud is a perpetual worry in the modern age. Who among us has never had to replace a card because the number had been stolen? Target, The Home Depot, Sears, Dairy Queen - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

Ah, but just because a crime is common doesn't mean it must be a reason to worry. 

I'd like to start with a story - a real-life case of fraud that I experienced very recently. I'll explain how I noticed it and how I resolved it. In fact, it took me longer to write this post than it did to resolve the case of fraud. The rest of this post will explain a few basic things I do to ensure financial fraud is not something I worry about - things that you can do too.

Thursday, September 10, 2015

What's hiding in your child's Calculator%?

An iOS "Calculator%" app designed to hide photos: here's how to retrieve hidden images without the passcode.
This is one of those rare times when I get to write about two of my favorite subjects at the same time: parenting in a digital age, and digital forensics. In the past week, two people have brought an unusual iOS calculator app to my attention, each coming from a different perspective. One is a high school teacher I have known for years, mentioning it from the perspective of a teacher or parent that might want to know of its hidden features. The other is a Twitter persona that I know only by his (?) alias @munin, asking a question from the perspective of digital forensics.

Between the two, my curiosity was piqued.

Tuesday, September 8, 2015

Back to School Cyber Tips

The end of summer vacation brings a return to the school-year routine for millions of students young and old, as well as their respective families. What better time for a refresher on cyber safety? Start the new school year off with some healthy habits: my latest post on CSOonline.

Wednesday, September 2, 2015

Comments on proposed FCC rules regarding wireless devices

The FCC proposes new regulations on wireless devices that could severely restrict innovation and security improvements.
The Federal Communications Commission, or FCC, is the government agency that regulates radio, television, satellite, and other forms of communication in the United States. Its scope includes regulating radio frequency (RF)-emitting devices to ensure one person's devices do not interfere with another's.

It is in this capacity that the FCC proposed new rules in August, rules that could have significant unintended consequences for end users and security researchers. In particular, the rules could put an end to highly popular aftermarket firmware such as OpenWRT and Tomato for wireless routers, and CyanogenMod for Android phones.

The comment period, originally scheduled to end September 8, has been extended to October 9. Please take a moment to submit your comments to the FCC here.

According to the proposal, the FCC last reviewed its equipment review and authorization process over 15 years ago, during which time the RF environment has grown dramatically (to wit, the explosion of the Internet of Things). It is sensible to review regulations periodically and to ensure the rules still make sense. For the most part, the proposed rules do make sense - but with a few significant caveats. 

Tuesday, September 1, 2015

What if connected devices were secure right out of the box?

For over 120 years, Underwriters Laboratories has given manufacturers and developers a trusted way to assure consumers that products are physically safe. Noted hacker "Mudge" is on a mission to do the same for connected products.

This post was written in September 2015. A year later, a botnet suspected to be made up of IoT devices carried out some of the largest distributed denial of service (DDoS) attacks ever recorded, knocking acclaimed cyber crime investigator Brian Krebs offline for the better part of a week. Insecure devices connected to the Internet no longer affect only the intended users of those devices. When your improperly secured webcam, or my poorly-configured TV, can be conscripted into a weapon powerful enough to cause actual harm, developers need to step up and build connected devices that are secure by default.

In late June, hacker and researcher Peiter Zatko, better known to many by the moniker "Mudge," left a position at Google to launch a so-called "Cyber Underwriters' Laboratory." The concept has been variously celebrated and panned by respected researchers and security experts.

Rob Graham (aka @Errata_Rob) calls it a dumb idea in so many words. Rob goes so far as to call it a "Vogon approach," an allusion to the alien species from Douglas Adams' Hitchhiker's Guide to the Galaxy. In Rob's view, the problem isn't hacking or physical quality defects - and in this Rob is exactly right. Elite hackers exist, and they do elite things - but most consumers are not their prey. Their prey by and large is higher value targets - businesses, governments, and perhaps individuals in positions of significant wealth, power, or influence.

Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Wednesday, August 26, 2015

The Ashley Madison breach is a gold mine for scammers

The Ashley Madison breach is a gold mine for scammers and extortionists, and some "search the data" sites are scams in their own right. The only breach search site I trust: Have I Been Pwned.

I've not said anything about the Ashley Madison breach since my initial thoughts on glass houses and collateral damage last month (which essentially boil down to not throwing stones in glass houses, and considering the collateral damage to the betrayed spouses and children before going on a witch hunt). There's one more aspect that I think appropriate to mention though.

Any newsworthy event is going to result in clever advertising, spam and phishing emails hoping to capitalize on the fact that something is in the news. The Ashley Madison breach is no different.

Tuesday, August 25, 2015

Cracking a CTF [Part 1]

Capture the Flag, hacker style: walking through the first four puzzles in the 2015 Hou.Sec.Con pre-conference CTF.

I grew up playing Capture the Flag in my backyard. Now with kids of my own and a couple acres of mostly undisturbed woods to call my own, my family enjoys the occasional evening of Capture the Flag.

In hacker culture, a different sort of Capture the Flag (or CTF) is a common way to hone our skills and compete against peers. In hacking CTFs, the flags are digital rather than physical, and the field is bits and bytes rather than grass and trees, but there are still similarities. In both cases, winning requires a combination of skills: sheer speed is rarely enough, but at the same time my carefully-planned strategy has many times been derailed by a quicker opponent.

Most hacker and security conferences include some sort of a CTF challenge. I wrote a couple years ago of winning a trophy by "cheating" at a social engineering CTF (in fairness, I was upfront about my approach, and the rules of engagement did not prohibit reverse engineering the scoring portal to steal the flags!).

This time, I am participating in an online CTF ahead of Hou.Sec.Con, the Houston Security Conference. And since the event is online, it is a chance for me to not only compete, but let my 11 year old daughter shoulder surf and give her own ideas while learning.

Monday, August 17, 2015

Introducing a new forensics tool: RegLister

TL;DR: Hop over to GitHub to download RegLister, a new command line digital forensics tool for scanning the Windows registry to identify unusually large data entries that could be indications of malware hiding.

Fellow Austin security pro Michael Gough first introduced me to the idea of malware hiding in the Windows registry a couple of years ago. It's sneaky but it makes sense: most antivirus products depend on a malicious file existing on the hard drive. They scan the disk periodically for malicious programs, and will scan files written to or read from the disk when that read or write occurs.

If malware files never touch the disk, then when will antivirus scan them?
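The check RegLister performs, as an added example rather than RegLister's own code: walk every value under a registry key and flag any whose data is far larger than configuration data has reason to be. Registry access uses the standard-library winreg module and therefore only works on Windows; the size check is kept separate so it can be exercised anywhere against a constructed list of values. The 20 KB threshold is an illustrative assumption, not RegLister's default.

```python
"""
Added example, not the RegLister code itself: walk registry values and
flag any whose data is unusually large. winreg is Windows-only, so the
scoring is separated from the walk and exercised against constructed
sample values on other platforms.
"""
import sys
from typing import Iterable, Iterator, List, Tuple

# Registry value type codes, as defined by the Windows SDK.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11

Value = Tuple[str, str, int]      # (key path, value name, data size in bytes)


def data_size(data, vtype: int) -> int:
    """Approximate stored size of a value's data, by type (strings are UTF-16)."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return len(data.encode("utf-16-le"))
    if vtype == REG_MULTI_SZ:
        return sum(len(s.encode("utf-16-le")) for s in data)
    if vtype == REG_DWORD:
        return 4
    if vtype == REG_QWORD:
        return 8
    return len(data) if data is not None else 0   # REG_BINARY, REG_NONE, ...


def large_values(values: Iterable[Value], threshold: int = 20 * 1024) -> List[Value]:
    """Return values whose data exceeds `threshold` bytes, largest first.
    20 KB is an assumed, illustrative threshold: ordinary strings and
    DWORDs are a few bytes, while a stashed script or executable is
    rarely that small."""
    return sorted((v for v in values if v[2] > threshold), key=lambda v: -v[2])


def walk_registry(hive: int, subkey: str = "") -> Iterator[Value]:
    """Recursively yield (path, name, size) for every value under a key.
    Windows only; keys that cannot be opened (access denied) are skipped."""
    import winreg   # present only on Windows
    try:
        key = winreg.OpenKey(hive, subkey, 0, winreg.KEY_READ)
    except OSError:
        return
    with key:
        n_subkeys, n_values, _modified = winreg.QueryInfoKey(key)
        for i in range(n_values):
            name, data, vtype = winreg.EnumValue(key, i)
            yield (subkey, name, data_size(data, vtype))
        for i in range(n_subkeys):
            child = winreg.EnumKey(key, i)
            yield from walk_registry(hive, f"{subkey}\\{child}" if subkey else child)


# Constructed sample, standing in for a walk of HKCU\Software on a machine
# where something has been tucked into a value named "Blob".
SAMPLE_VALUES: List[Value] = [
    ("Software\\Vendor\\App", "InstallPath", data_size(r"C:\Program Files\App", REG_SZ)),
    ("Software\\Vendor\\App", "Enabled", data_size(1, REG_DWORD)),
    ("Software\\Classes\\Example", "Blob", data_size(b"MZ" + b"\x00" * 180_000, REG_BINARY)),
    ("Software\\Vendor\\App", "Cache", data_size(b"\x00" * 4096, REG_BINARY)),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        values = walk_registry(winreg.HKEY_CURRENT_USER, "Software")
    else:
        values = SAMPLE_VALUES
    for path, name, size in large_values(values):
        print(f"{size:>9} bytes  {path}\\{name}")
```

Two caveats when reading the output. Legitimate software does store large blobs in the registry (cached icons, serialized settings), so a hit is a lead to examine, not a verdict. And a payload parked in a value still needs something to launch it, typically a Run key or scheduled task that invokes a script host to read the value back; the scan finds the blob, and the launcher is the next thing to look for.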

Thursday, August 13, 2015

Android StageFright patches are out - here's how to update

The "StageFright" vulnerabilities could allow someone to take control of your Android device merely by sending a multimedia message. Here is how to check for and apply updates.

A couple of weeks ago, an Austin researcher spoke at the security conference Blackhat on flaws he had found in Android software. Commonly called "StageFright," the flaws could allow a malicious hacker to take control of a phone or tablet by simply sending a specially crafted multimedia message. The device would automatically download the message and have it ready for you to view, thus compromising the device without you having to even view the message.

At the time, there was no fix available, so I wrote a description of how to minimize the risk by disabling auto-retrieve for multimedia messages. Various phone makers and cellular carriers are beginning to roll out an update to fix* the flaw. Following are step-by-step instructions for checking to see if an update is available for your phone. I demonstrated the update using a Samsung Galaxy S5 running Android 5.1 (aka "Lollipop"); the screens and menus for other phones and versions will differ somewhat but the menu selections should be essentially the same.

Tuesday, August 11, 2015

Maybe a Cyber UL is just what we need

In late June, hacker and researcher Peiter Zatko, better known to many by the moniker "Mudge," left a position at Google to launch a so-called "Cyber Underwriters' Laboratory." The concept has been variously celebrated and panned by respected researchers and security experts.

In this article (posted at CSOonline) I look at some of the security areas that are the biggest headache to end users (passwords, software updates, features that affect privacy) and suggest to Mudge the ways he could address them by making security "built-in."

Wednesday, August 5, 2015

Avoid StageFright by turning off auto retrieve for multimedia messages

An Austin hacker discovered a major flaw in Android's StageFright library. While waiting for your device maker to provide a fix, turn off automatic downloads for MMS.

Update August 13: Phone makers and cellular carriers are beginning to roll out updates to fix this vulnerability; see step-by-step instructions for checking for and installing updates.

Last week, Austin hacker / researcher Joshua Drake disclosed a fairly significant flaw in all versions of Android, whereby a malicious multimedia message (aka a video text) could take control of the phone. This is a hacker's dream in that it does not require the victim to do anything. Simply receiving a message can trigger the flaw, because most messaging apps will automatically download the message and have it ready to display. This is very similar to the "text of death" that affected iPhone users a couple of months ago, but with the potential to actually take control of devices rather than merely crash them.

Tonight he is presenting his findings at BlackHat, a major security conference in Las Vegas. He will release details of his findings, including proof of concept code demonstrating the flaw, at the end of his talk. With the demonstration code, any software developer could reproduce his research.

Tuesday, August 4, 2015

How to schedule cron jobs on an ASUS wireless router

Want to run a task on a regular schedule on your ASUS wireless router? Well, you're out of luck.

Or are you?

Cron is the well-known method of scheduling tasks on Unix, roughly the equivalent of Task Scheduler (schtasks) on Windows. My purpose is not to document the use of cron - it is well documented elsewhere. Alas, ASUS does not include the crontab utility for creating and editing jobs in its firmware, but the cron daemon (crond) is installed and running. If a jobs file can be loaded into the daemon, crond will happily run the jobs.

Tuesday, July 28, 2015

Your password isn't as strong as you think

Your password may not be as strong as you think it is

How strong is your password?

You've heard the recommendations: mix uppercase and lowercase letters, add in a number or two, and if you're really on the ball, add a "special character." Something like 16F^umQcb makes use of all four categories and is suitably random; as 9-character passwords go, it's pretty strong.

Guess what?

Austin15! uses all four categories too. So do Fall2015$ and IL0veTX<3. If a website shows a "password strength meter" when you create or change a password, more than likely it will deem these passwords pretty good despite the obvious patterns.

Unlike my random example earlier though, these examples follow a predictable pattern: a word from the dictionary, possibly changing a letter or two, with a couple of digits and punctuation marks thrown in for good measure. We humans are pretty predictable: we tend to use the same patterns.
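To show the gap between what a strength meter measures and what a cracker does, here is an added example that is not part of the original post. The meter counts character classes; the cracker peels off the trailing digits and punctuation, undoes common letter substitutions, and looks the rest up in a dictionary. A tiny word list stands in for that dictionary, and the dictionary size used in the bit estimate is an assumption for illustration.

```python
"""
Added example, not from the original post: why a strength meter that
counts character classes is fooled by Austin15! but a cracker is not.
A tiny word list stands in for a cracking dictionary; the dictionary
size used in the bit estimate is an assumption for illustration.
"""
import math
import re

# Constructed stand-in for a cracking dictionary (real ones hold millions).
WORDLIST = {"austin", "fall", "texas", "ilovetx", "password", "summer", "winter"}
ASSUMED_DICTIONARY_SIZE = 100_000      # assumption used for the estimate below

# Common "leet" substitutions a cracker undoes before the dictionary lookup.
LEET = str.maketrans("0134$@", "oleasa")
TRAILERS = "0123456789!@#$%^&*()_-+=<>?"
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))


def category_count(pw: str) -> int:
    """What a typical strength meter measures: how many of the four
    character classes appear."""
    return sum(bool(re.search(pattern, pw)) for pattern, _ in CLASSES)


def dictionary_core(pw: str):
    """Peel trailing digits/punctuation, undo leet, and look the remainder
    up. Returns (base word, number of substituted letters) or None."""
    prefix = pw.rstrip(TRAILERS)
    core = prefix.translate(LEET).lower()
    if core in WORDLIST:
        subs = sum(a != b for a, b in zip(prefix.lower(), core))
        return core, subs
    return None


def estimated_bits(pw: str) -> float:
    """Rough guessing cost. A pattern password is one dictionary choice,
    a capitalisation bit, a bit per leet substitution, and one of 43
    digits/symbols per trailing character. Anything else is scored as
    random over the classes it uses."""
    if not pw:
        return 0.0
    found = dictionary_core(pw)
    if found is None:
        alphabet = sum(n for pattern, n in CLASSES if re.search(pattern, pw))
        return len(pw) * math.log2(alphabet)
    core, subs = found
    trailing = len(pw) - len(core)
    return math.log2(ASSUMED_DICTIONARY_SIZE) + 1 + subs + trailing * math.log2(43)


if __name__ == "__main__":
    for pw in ("16F^umQcb", "Austin15!", "Fall2015$", "IL0veTX<3"):
        print(f"{pw:<10} classes={category_count(pw)}  "
              f"pattern={dictionary_core(pw)}  ~{estimated_bits(pw):.0f} bits")
```

All four passwords score a full four classes on the meter, yet the three pattern passwords come out around 30 bits of guessing work against roughly 59 for the random one. The exact numbers depend on the assumed dictionary size; the ordering does not.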

Monday, July 20, 2015

Commentary on the BIS proposal regarding the Wassenaar Arrangement

The Bureau of Industry and Security (BIS) has proposed rules related to the Wassenaar Arrangement, a set of agreements intended to limit the exchange of weapons and related research. As cyber security gains attention, the WA has been expanded to cover cyber research. Specifically, the BIS proposes to require export licenses for products and documentation related to network and software vulnerabilities. These rules have the potential to severely restrict the sort of work I and my peers in the industry do. The BIS is taking public comment through today. Below are my comments to the BIS, taken in large part from a previous post on Security Shades of Grey.

On morality and data breaches: thoughts on AshleyMadison

Online cheating site AshleyMadison was hacked and its patrons' personal information made public. Before pointing fingers, here are some thoughts as both a Christian and a hacker.

Late Sunday night Brian Krebs published news that online "cheating" site Ashley Madison had been the latest victim of a data breach. Given the site's business model (their slogan is "Life is short. Have an affair." I think you can infer the business model), it is tempting to sit back on our moral high horses laughing at the company and its patrons.

That is entirely the wrong response.

Thursday, July 16, 2015

What can a natural disaster teach us about incident response?

During the overnight hours of Saturday night and Sunday morning May 23-24, heavy rain in the Texas Hill Country triggered a flash flood of near-Biblical proportions in Wimberley and San Marcos. This is the story of a disaster response program executed exceptionally well.

Flooding rains are not uncommon in Central Texas. The region has long been known as "Flash Flood Alley" due to its hilly terrain, shallow soils, and proximity to the moisture-laden Gulf of Mexico. When rain falls, it essentially has two options: soak into the soil, or flow downhill; the shallow and rocky soils of the Hill Country limit the former, so even a moderate rain causes runoff.

The weekend of Memorial Day 2015, however, was something else entirely. Over a period of a few hours, between nine and 12.5 inches of rain fell over a wide range of the Hill Country - much of which fell within the watersheds of the Blanco and San Marcos rivers. A foot of rainfall - a third of a typical year's total - inundated the region in just a few hours, and had to go somewhere.

Wednesday, July 8, 2015

Time to patch Adobe Flash Player. Now.

An exploit for Adobe Flash Player is being actively used to infect computers with ransomware. Here is action you need to take NOW.
This article was written about a specific incident the first week of July 2015, but the instructions are what I have recommended for at least a year - and will continue to be appropriate into the future. Also of note, the recommendation to make browser plug-ins "Click to Play" is effective against exploits in all sorts of plug-ins, including Flash, Java, Silverlight, Adobe Reader, Windows Media Player, and more.

Last updated December 8, 2016. Current latest version is

Early this week, the security firm Hacking Team was the victim of a massive network breach in which a large amount of company data was stolen and made public. This data included among other things a previously-unknown exploit against Adobe Flash Player. 

This exploit was quickly added to popular crimeware exploit kits (products that make it easy for an amateur criminal to create and deploy malware). It is actively being used to deliver "Cryptolocker," a form of malware known as ransomware - malicious software that encrypts all your files and then demands a ransom payment to return the files to you.

In short, a fully-patched PC could be completely owned simply by browsing to a web site carrying a malicious Flash object. Since Flash videos are a common type of advertisement, you do not even need to browse anywhere unusual - a malicious ad slipped into the rotation at your favorite news site would be enough.

Adobe released an update this morning to fix the vulnerability. Here is what you need to do.

Tuesday, July 7, 2015

Hacking Team: Words of caution regarding dirty laundry

Hacking Team, a notorious hacking firm with a rather dubious reputation, finds themselves the victim of a thorough hack.

When a notorious hacking firm with a rather dubious reputation is themselves the victim of a thorough hack, what happens with their dirty laundry? More to the point, what is appropriate with their dirty laundry?

Hacking Team is an Italian security company that develops and sells surveillance and malware tools, in many cases to governments and law enforcement organizations. While the company claims to sell only to "ethical" governments, there has long been evidence of their tools being used by questionable, if not outright oppressive, regimes.

Sunday evening my Twitter timeline lit up with reports that Hacking Team had themselves been the subject of a severe hack, with 400 gigabytes of company data stolen and shared publicly on the Internet. This data included company email, contracts, customer lists, passwords, malware exploits, and source code for their surveillance products.

The released data may have included much more.

Tuesday, June 30, 2015

Incident response lessons from the Texas flash flood

What can a natural disaster teach about incident response planning? This is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.
During the overnight hours of Saturday night and Sunday morning May 23-24, heavy rain in the Texas Hill Country triggered a flash flood of near-Biblical proportions in Wimberley and San Marcos. This article (published at CSOonline) is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.

Thursday, June 25, 2015

How secure is your email?

Encrypted email has long been a complicated problem to solve, but a combination of Internet titans and innovative startups are working to make it practical for real people.

We send and receive a lot of email. Much of it is fairly benign: newsletter subscriptions, “hi, how are you” messages from friends, perhaps emergency services alerts (living in Central Texas, my mailbox in May had an oversize number of these), or online billing notifications. While most email is not of a nature that our world would end if someone were able to read it, we still prefer some privacy. After all, the old adage “you’ve been reading my mail” is rooted in a desire to keep some things to oneself.

Common email providers tend to allow (or require) a secure HTTPS connection between the browser or email client and their servers. Ignoring for a moment the variety of flaws that have surfaced in different SSL implementations over the past year, you can be reasonably sure no one can read messages between the server and your web browser. Google made HTTPS the default for Gmail in 2010, and made it the only option last March. Yahoo made SSL the default in early 2014. Microsoft’s now uses HTTPS only as well.

What happens after the email leaves your browser or email client though? It's great that the message is safely transported from your browser to the mail server, but unless the message is intended for someone else using the same server, it must travel across the public Internet.

Monday, June 22, 2015

Please, oh please, won't you phish me?

Sign in to iTunes Connect
Update: I have received a couple of variations on this; scroll to the bottom to see a running list of subjects and phishing URLs.

Time for another phishing lesson. Today's lesson involves a fake email pretending to be from Apple, which tries to steal not only your Apple ID login information, but everything else necessary to fully impersonate your identity: a credit card number with expiration and security code; mailing address; date of birth; social security number; and oh yes, your favorite security question. 

Unlike many phishing attempts, this scam is quite professionally done. Other than the obscene amount of personal information it collects to "verify" your account, there is not much to indicate it is fraudulent once you have clicked the link.

Thursday, June 18, 2015

Stranger than fiction: the week's security news

I love science fiction. I enjoy sarcastic fictional news such as "The Onion." I even enjoy watching CSI:Cyber despite its far-fetched depiction of security. But when reality exceeds even the wildest imaginable fictional scenarios, wow. The US government outsourcing administration of sensitive databases to China; professional sports teams hacking one another; security tools themselves turning into risks; and a ruling that websites may be held liable for things that anonymous readers have to say? I can't make this stuff up. Some highlights from this week's news:

Monday, June 15, 2015

LastPass password vault hacked: what you need to know

Password vault maker LastPass informed customers today that their servers had been compromised. Don't panic. Do change your master password.

LastPass informed its customers Monday that on Friday, the company detected and blocked suspicious activity on its network. In investigating the incident, they discovered that email addresses, password reminders, user salts, and authentication hashes were compromised. As of this writing they do not believe actual encrypted password vaults were accessed.

What does this mean for you?

Ten security lessons from the NBA finals

The NBA Finals between the Cleveland Cavaliers and the Golden State Warriors provided an entertaining example of some lessons that apply equally to basketball and to security preparation and incident response. Would you believe that? Without further ado, a tweet storm from last night:

Tuesday, June 9, 2015

Patch Week: time to update Windows, Flash, and VMWare

It's that time of the month again: the time when several software makers unload their latest software updates to address vulnerabilities discovered in their software. This time, Microsoft blesses us with 8 updates covering the Windows operating system, Internet Explorer, Windows Media Player, and Exchange Server. Adobe delivers the latest update for Flash Player; and VMWare issues updates for their popular virtualization software.

At least two of the vulnerabilities are exploited through a browser plug-in (Flash Player, and Windows Media Player). Google and Mozilla make it simple to set plug-ins to "click-to-play" in Chrome and Firefox, which prevents a malicious media file from compromising your computer simply by browsing to a website. Internet Explorer, alas, has no such option. Keep in mind that click-to-play simply prevents malicious content from playing immediately upon browsing to a site - if you choose to let the content play, it can still exploit the vulnerability.

Monday, June 8, 2015

How secure is your email?

This week I wrote a blog post at CSOonline.

Encrypted email has long been a complicated problem to solve, but a combination of Internet titans and innovative startups are working to make it practical for real people. Google has an "End-To-End" project developing a plugin for Chrome that will encrypt email before it ever leaves the browser; Keybase is a creative way to provide a trusted library of public keys using social media accounts you already own; and Facebook recently launched a feature to use your public key to encrypt all email that company sends.

See How secure is your email for the full story.

Tuesday, June 2, 2015

The end of a chapter: Farewell to Awana

In my first year as Commander, I spoke to the preschool Cubbies as

It is the end of a chapter in my life.

For nearly a decade, Awana has been a significant part of my life. Awana is a non-denominational children's ministry that focuses on discipleship and evangelism, and reaches over two million students around the world every week. I have been the Commander for the Awana Club in Dripping Springs for six years, and prior to that I volunteered in the Sparks and Truth & Training clubs for Kindergarten to second grade, and third to sixth grade children, respectively.

Why did I pour so much of myself into this ministry? 

My faith in Christ is secure – but it is my faith. Just as I will have to give an account for my decision regarding Jesus, my children, and the kids I teach in Awana, will have to give their own account. My faith will not save them. The kids I taught are the future of the Church (“Big C” church, not necessarily my local congregation). Philippians 2:10 says that one day, every knee will bow, and every tongue will confess that Jesus is Lord. Our option is to either do so now, when it is our choice, or to do it later, when we have no choice. My passion through all of this has been to get as much of God’s word as I could, as deep as I could, into the hearts of as many children as I could - so they could have the knowledge to make it their faith.

Friday, May 29, 2015

The heart-warming response to the Wimberley Flood

Amid the tragedy of the Wimberley and San Marcos Flood are heart-warming stories of neighbors helping neighbors.
A week ago tonight, the heavens unleashed their fury over Central Texas, dropping an incredible amount of rain in one night and causing an almost unimaginable flash flood.

Central Texas has long been known as "Flash Flood Alley." The terrain and atmospheric conditions can allow enormous amounts of rain to fall in one place; the soil is generally shallow and rocky so cannot absorb much water; and the hilly terrain means as water runs off it can gain tremendous momentum.

Flash floods are nothing new for Central Texas. In 2007, Marble Falls received some 19 inches of rain in 6 hours. That's more than half the rainfall in a typical year. The rain was enough to fill Lake Travis beyond its capacity, leading to two months of flood-control operations on the lake dam. In 2010, heavy rains caused the Comal River in New Braunfels to flood nearby Schlitterbahn water park, filling rides with mud.

The Memorial weekend storm of 2015 was different though in that heavy rain fell over a relatively large area. Between 9 and 12.5 inches of rain was recorded at numerous Central Texas gauges, much of which fell in the watersheds for the Blanco and San Marcos rivers. With so much rainwater funneled into two normally peaceful rivers, the result was a monstrous flood. The Blanco River rose 17 feet in a half hour, and 33 feet in a 3-hour span, ultimately resulting in a 40-foot tall wall of water that scoured away everything in its path.

Thursday, May 28, 2015

A text message to reboot your iPhone

Got an iPhone? Have friends (or kids) with a prankster streak? You might want to disable notification previews for SMS messages.

An individual noticed on Tuesday that his iPhone rebooted after receiving an unusual text message. He posted a question about it on Reddit, and word quickly spread. The British technology publication The Register has a nice write-up on what is actually happening; the simple description is this:

When your iPhone attempts to display certain Unicode text (i.e. text using some international character sets), it triggers a flaw in the text processing library, causing the active app to crash. If that app is a core part of the operating system, that crashes the phone, causing a reboot.

Receiving an SMS message, or possibly a Twitter DM, causes the message to be shown in a "notification," a message preview on the lock screen or the top of the screen. Notifications are part of the operating system core, thus crashing the phone.

It doesn't damage the phone permanently, and it doesn't give an attacker control over your phone, so in the long run it's a pretty mild problem. In the short term though, lots of middle school kids (and middle schoolers at heart!) are pranking one another or their parents by sending an SMS message.

Apple has not released an update to fix this, though they have acknowledged the problem. A temporary solution is to disable notification previews. From the iOS "Settings" menu, select "Notifications", then "Messages," and set "Show Previews" to "Off."

This will prevent iMessages from displaying SMS message previews in the notifications panel or lock screen and crashing the phone. It won't keep the iMessages app itself from crashing if you open a pranked message though. For that, you'll need the offending sender to send you another message, pushing the exploit string off the top of the list; or send yourself a message from another device or app (e.g., send yourself an image using the photo app instead of the iMessage app).

Tuesday, May 19, 2015

Planes, Trains, and Ethical Dilemmas

Ethical lessons in research and disclosure, from the Internet of Flying Things.

When I started out in the systems administration and hacking worlds a couple of decades ago - and even when I first moved into information security as a profession nearly 15 years ago - the dominant incentive was the ego trip: what can I get away with? Truth be told, that's the original (and to many, myself included, the "real") meaning of hacking: to take something and make it do what I want, rather than necessarily what the creator intended. A hacker is someone who is highly interested in a subject (often technology), and pushes the boundaries of their chosen field.

That culture has nothing to do with malicious use of computers - nay, nothing to do with malice at all. It is all about solving puzzles: "here's an interesting <insert favorite item>; now what can I do with it?" The hacking ethos brought about automotive performance shops and the motorcycle customization industry glamorized by West Coast Choppers, to name two examples. A hacker could be known less controversially as a Maker, or a tinkerer, or a modder - or an engineer.

Hacking in its purest form is perfectly legitimate. If I own a computer, or a phone, or a network router, or a TV, or a printer, or a programmable thermostat, or an Internet-connected toy, or a vehicle, or (the list could go on forever), I have every right to explore its capabilities and flaws. Within reasonable limits (various transportation authorities may have something to say if I add flashing red and blue lights to my car and start driving down the highway), it is mine to do with as I please. Where it becomes ethically and legally questionable is when I stop tinkering with things I own, and begin tinkering with something you own, without your permission.