Monday, September 28, 2015

Who is stealing your tweets?

TL;DR: skip the reading and download TweetThief from GitHub to search for uncredited copies of your tweets.

Over the last year, I've participated in a number of Twitter chats. The National Cyber Security Alliance hosts Twitter conversations every couple of months, under the hashtags #ChatSTC (Stop. Think. Connect., their cyber awareness campaign slogan) and #ChatDPD (Digital Privacy Day). It's a great way to share information with people interested in security advice, as well as to learn from like-minded professionals.

During several of these chats, I've noticed an oddity: most of the participants contribute original thoughts to the conversation, or retweet pertinent comments to their own audiences. A couple of participants, though, appear to copy and paste the comments of others verbatim, with no credit given. They aren't retweeting someone else's thoughts, but are instead claiming them as their own.

Tuesday, September 22, 2015

Exploiting iOS backups for fun and profit

Recently I looked at an iPhone / iPad app designed to hide documents and pictures from snooping friends (or parents). By day the app was a calculator, but upon entering a secret code, it unlocked the hidden files. In exploring the app (and in particular, answering the question of whether I could access the hidden files without knowing the passcode), I came across an interesting oversight in the iOS security model.

Tuesday, September 15, 2015

Financial fraud - a prevention guide

Five steps to dramatically limit the risk and consequences of financial fraud.
Credit card fraud is a perpetual worry in the modern age. Who among us has never had to replace a card because the number had been stolen? Target, The Home Depot, Sears, Dairy Queen - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

Ah, but just because a crime is common doesn't mean it must be a reason to worry. 

I'd like to start with a story - a real-life case of fraud that I experienced very recently. I'll explain how I noticed it and how I resolved it. In fact, it took me longer to write this post than it did to resolve the case of fraud. The rest of this post will explain a few basic things I do to ensure financial fraud is not something I worry about - things that you can do too.

Thursday, September 10, 2015

What's hiding in your child's Calculator%?

An iOS "Calculator%" app designed to hide photos: here's how to retrieve hidden images without the passcode.
This is one of those rare times when I get to write about two of my favorite subjects at the same time: parenting in a digital age, and digital forensics. In the past week, two people have brought an unusual iOS calculator app to my attention, each coming from a different perspective. One is a high school teacher I have known for years, mentioning it from the perspective of a teacher or parent that might want to know of its hidden features. The other is a Twitter persona that I know only by his (?) alias @munin, asking a question from the perspective of digital forensics.

Between the two, my curiosity was piqued.

Tuesday, September 8, 2015

Back to School Cyber Tips

The end of summer vacation brings a return to the school-year routine for millions of students young and old, as well as their respective families. What better time for a refresher on cyber safety? Start the new school year off with some healthy habits: my latest post on CSOonline.

Wednesday, September 2, 2015

Comments on proposed FCC rules regarding wireless devices

The FCC proposes new regulations on wireless devices that could severely restrict innovation and security improvements.
The Federal Communications Commission, or FCC, is the government agency that regulates radio, television, satellite, and other forms of communication in the United States. Within its scope is the regulation of radio frequency (RF)-emitting devices to ensure one person's devices do not interfere with another's.

It is in this capacity that the FCC proposed new rules in August, rules that could have significant unintended consequences for end users and security researchers. In particular, the rules could put an end to highly popular aftermarket firmware such as OpenWRT and Tomato for wireless routers, and CyanogenMod for Android phones.

The comment period during which the FCC will accept public comment, originally set to end on September 8, has been extended to October 9. Please take a moment to submit your comments to the FCC here.

According to the proposal, the FCC last reviewed its equipment review and authorization process over 15 years ago; since then, the RF environment has grown dramatically (to wit, the explosion of the Internet of Things). It is sensible to review regulations periodically and to ensure the rules still make sense. For the most part, the proposed rules do make sense - but with a few significant caveats.

Tuesday, September 1, 2015

What if connected devices were secure right out of the box?

For over 120 years, Underwriters Laboratories has given manufacturers and developers a trusted way to assure consumers that products are physically safe. Noted hacker "Mudge" is on a mission to do the same for connected products.

This post was written in September 2015. A year later, a botnet suspected to be made up of IoT devices carried out some of the largest distributed denial of service (DDoS) attacks ever recorded, knocking acclaimed cyber crime investigator Brian Krebs offline for the better part of a week. Insecure devices connected to the Internet no longer affect only the intended users of those devices. When your improperly secured webcam, or my poorly configured TV, can be conscripted into a weapon powerful enough to cause actual harm, developers need to step up and build connected devices that are secure by default.

In late June, hacker and researcher Peiter Zatko, better known to many by the moniker "Mudge," left a position at Google to launch a so-called "Cyber Underwriters' Laboratory." The concept has been variously celebrated and panned by respected researchers and security experts.

Rob Graham (aka @Errata_Rob) calls it a dumb idea in so many words. Rob goes so far as to call it a "Vogon approach," an allusion to the alien species from Dan Adams' Hitchhiker's Guide to the Galaxy. In Rob's view, the problem isn't hacking or physical quality defects - and in this Rob is exactly right. Elite hackers exist, and they do elite things - but most consumers are not their prey. Their prey by and large is higher value targets - businesses, governments, and perhaps individuals in positions of significant wealth, power, or influence.

Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.