Tuesday, June 30, 2015

Incident response lessons from the Texas flash flood

What can a natural disaster teach about incident response planning? This is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.
During the overnight hours of Saturday night and Sunday morning May 23-24, heavy rain in the Texas Hill Country triggered a flash flood of near-Biblical proportions in Wimberley and San Marcos. This article (published at CSOonline) is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.

Thursday, June 25, 2015

How secure is your email?

Encrypted email has long been a complicated problem to solve, but a combination of Internet titans and innovative startups are working to make it practical for real people.

We send and receive a lot of email. Much of it is fairly benign: newsletter subscriptions, “hi, how are you” messages from friends, perhaps emergency services alerts (living in Central Texas, my mailbox in May had an oversize number of these), or online billing notifications. While most email is not of a nature that our world would end if someone were able to read it, we still prefer some privacy. After all, the old adage “you’ve been reading my mail” is rooted in a desire to keep some things to oneself.

Common email providers tend to allow (or require) a secure HTTPS connection between the browser or email client and their servers. Ignoring for a moment the variety of flaws that have surfaced in different SSL implementations over the past year, you can be reasonably sure no one can read messages between the server and your web browser. Google made HTTPS the default for Gmail in 2010, and made it the only option last March. Yahoo made SSL the default in early 2014. Microsoft’s Outlook.com now uses HTTPS only as well.

What happens after the email leaves your browser or email client though? It's great that the message is safely transported from your browser to the mail server, but unless the message is intended for someone else using the same server, it must travel across the public Internet.

Monday, June 22, 2015

Please, oh please, won't you phish me?

Sign in to iTunes Connect
Update: I have received a couple of variations on this; scroll to the bottom to see a running list of subjects and phishing URLs.

Time for another phishing lesson. Today's lesson involves a fake email pretending to be from Apple, which tries to steal not only your Apple ID login information, but everything else necessary to fully impersonate your identity: a credit card number with expiration and security code; mailing address; date of birth; social security number; and oh yes, your favorite security question. 

Unlike many phishing attempts, this scam is quite professionally done. Other than the obscene amount of personal information it collects to "verify" your account, there is not much to indicate it is fraudulent once you have clicked the link.

Thursday, June 18, 2015

Stranger than fiction: the week's security news

I love science fiction. I enjoy sarcastic fictional news such as "The Onion." I even enjoy watching CSI:Cyber despite its far-fetched depiction of security. But when reality exceeds even the wildest imaginable fictional scenarios, wow. The US government outsourcing administration of sensitive databases to China; professional sports teams hacking one another; security tools themselves turning into risks; and a ruling that websites may be held liable for things that anonymous readers have to say? I can't make this stuff up. Some highlights from this week's news:

Monday, June 15, 2015

LastPass password vault hacked: what you need to know

Password vault maker LastPass informed customers today that their servers had been compromised. Don't panic. Do change your master password.

LastPass informed its customers Monday that on Friday, the company detected and blocked suspicious activity on its network. In investigating the incident, they discovered that email addresses, password reminders, user salts, and authentication hashes were compromised. As of this writing they do not believe actual encrypted password vaults were accessed.

What does this mean for you?

Ten security lessons from the NBA finals

The NBA Finals between the Cleveland Cavaliers and the Golden State Warriors provided an entertaining example of some lessons that apply equally to basketball and to security preparation and incident response. Would you believe that? Without further ado, a tweet storm from last night:

Tuesday, June 9, 2015

Patch Week: time to update Windows, Flash, and VMWare

It's that time of the month again: the time when several software makers unload their latest software updates to address vulnerabilities discovered in their software. This time, Microsoft blesses us with 8 updates covering the Windows operating system, Internet Explorer, Windows Media Player, and Exchange Server. Adobe delivers the latest update for Flash Player; and VMWare issues updates for their popular virtualization software.

At least two of the vulnerabilities are exploited through a browser plug-in (Flash Player, and Windows Media Player). Google and Mozilla make it simple to make plug-ins be "click-to-play" in Chrome and Firefox, which prevents a malicious media file from compromising your computer simply by browsing to a website. Internet Explorer, alas, has no such option. Keep in mind that click-to-play simply prevents malicious content from playing immediately upon browsing to a site - if you choose to let the content play, it can still exploit the vulnerability.

Monday, June 8, 2015

How secure is your email?

This week I wrote a blog post at CSOonline.

Encrypted email has long been a complicated problem to solve, but a combination of Internet titans and innovative startups are working to make it practical for real people. Google has an "End-To-End" project developing a plugin for Chrome that will encrypt email before it ever leaves the browser; Keybase is a creative way to provide a trusted library of public keys using social media accounts you already own; and Facebook recently launched a feature to use your public key to encrypt all email that company sends.

See How secure is your email for the full story.

Tuesday, June 2, 2015

The end of a chapter: Farewell to Awana

In my first year as Commander, I poke to the preschool Cubbies as

It is the end of a chapter in my life.

For nearly a decade, Awana has been a significant part of my life. Awana is a non-denominational children's ministry that focuses on discipleship and evangelism, and reaches over two million students around the world every week. I have been the Commander for the Awana Club in Dripping Springs for six years, and prior to that I volunteered in the Sparks and Truth & Training clubs for Kindergarten to second grade, and third to sixth grade children, respectively.

Why did I pour so much of myself into this ministry? 

My faith in Christ is secure – but it is my faith. Just as I will have to give an account for my decision regarding Jesus, my children, and the kids I teach in Awana, will have to give their own account. My faith will not save them. The kids I taught are the future of the Church (“Big C” church, not necessarily my local congregation). Philippians 2:10 says that one day, every knee will bow, and every tongue will confess that Jesus is Lord. Our option is to either do so now, when it is our choice, or to do it later, when we have no choice. My passion through all of this has been to get as much of God’s word as I could, as deep as I could, into the hearts of as many children as I could - so they could have the knowledge to make it their faith.