Thursday, December 24, 2015

Should you turn off multifactor authentication before traveling overseas?

It's Christmastime, that time of the year when many folks take advantage of time away from work and school to travel. As a travel tip, the Australian government's online services website, myGov, put out a recommendation this week that made security professionals worldwide cringe.

Why do we cringe? My peers and I have spent the last couple of years promoting the use of two-factor authentication - a way of securing your accounts so that a stolen password is not enough for a criminal to break in.

Tuesday, December 22, 2015

An introduction to network packet analysis

I love that even more than most CTFs, the 2015 SANS Holiday Hack is designed to appeal to kids. My 12-year-old daughter has shown an interest in cybersecurity, so this turned into a great way to teach her a few things. Even better, most of the lessons were in response to her own questions.

I will publish a write-up of the entire challenge (or at least as far as I am able to complete it) in January once the contest concludes; in the meantime, the early challenge goals involve some network packet analysis. My tool of choice for packet analysis is Wireshark. To understand packet analysis though, it is useful to understand a little bit about how networks work.

Traditionally, network concepts are defined in terms of "layers." At each layer, one device talks to another, and each layer does not care what is happening at the other layers. Keep in mind that what follows is the simplified explanation I gave to my 12-year-old; Microsoft describes things in more detail in a knowledge base article, and for even more education, Cisco has mountains of training and certifications available.

Photo credit: Luca Ghio (Wikimedia Commons)

Thursday, December 17, 2015

Your child's privacy is eroding

Internet-connected gadgets, aka mobile apps and the "Internet of Things," are all the rage right now. Home thermostats let me turn up the heat from my smartphone, or monitor my household electricity consumption in near-real-time. Networked door locks make it possible to give a friend or a service provider access to the home without giving them a key. Smart TVs with built-in streaming media apps reduce the complexity of a home theater.

There's a dark side though: Internet-connected means ... well ... Internet-connected. A device talking to a server on the Internet means a device talking to something I don't control, and thus means a degree of trust. The more sensitive the nature of that device, the more trust I must have in the provider.

When that device or service interacts with my kids, the required degree of trust is very high indeed.

Friday, December 11, 2015

Why did the Doubleclick ad network need client certificates?

Why did ad network Doubleclick ask for digital client authentication certificates?

For several hours December 8, Google's Doubleclick ad network requested client authentication certificates when browsing to web properties that contained Doubleclick advertising.

In the physical world, you often conduct business with others face-to-face. If you do not personally know someone, you might rely on a trusted third party to vouch for the person's identity. That trusted third party might be a mutual friend, or it might be a government office that issues identification documents (passports, driver's licenses, state identification cards, school IDs, and the like).

Digital authentication certificates are the online equivalent of an identification card, using cryptographic algorithms to ensure that only the proper owner of a certificate is able to use it.

Generally, digital certificates are associated with a web server: you want to know that you are buying from and not from You don't have to provide your own certificate, because the web server (much like a brick-and-mortar store) is open to all visitors. In this case however, Doubleclick asked your browser for a digital certificate anyway.

Monday, December 7, 2015

Malware freeloading on security pros' good name?

The following are notes about something I am investigating, and for which I don't yet have a conclusion. I am sharing in the hopes that perhaps some of my readers have seen this as well and might have some insight into the purpose or delivery mechanism. Of note, each example hosts the malicious download link on *

I have a variety of Google Alerts queries set up to alert me to mentions of my blog or my name on the Internet. I frequently get notices for news articles about a David Longenecker who happens to be the fire chief in Lancaster, Pennsylvania, but that's not my point today.

December 7, Alerts informed me of three documents on Google Docs. These documents contain a long list of excerpts and headlines from various security writers, including some from my own blog. They also contain links to a likely-malicious website.

The first two documents contain headlines and excerpts about security flaws in Adobe Flash Player, along with a link to download an "update" for Flash; the third document is similar, but refers to Asus wireless router firmware instead of Adobe Flash. Below is a screenshot of one document:

Friday, December 4, 2015

Practice Safe Charging, redux

Many portable devices can be charged via a USB cable - incredibly convenient due to the ubiquity of USB slots in computers, cars, airport charging kiosks, and electronic equipment. The USB cables used to charge mobile devices are also capable of transferring data and programs, both legitimately and maliciously.

Miscreants can compromise a USB port in a public place, in an attack known as "juice jacking." The attacker either replaces the USB port, or installs malicious software on the device that contains the port; when you plug your phone or tablet in to charge, you get an unwelcome bonus of having your device taken over by the attacker.

Juice jacking is easy to prevent though. I carry a special power-only cable (readily available for $5 or $10 from Amazon, or most stores with a well-stocked electronics department). This cable is missing the physical wires used for transferring data, so it can only be used to deliver power. An easy alternative is a universal charge-only adapter. This is a simple USB adapter that connects to the end of any USB cable, again missing the physical wires to carry data, thus turning any cable into a charge-only cable.

Bob Covello writes of a different concern, especially in hospitals and medical facilities. A growing number of medical devices have USB ports, used by technicians to maintain the equipment, and used by medical professionals to transfer data and update medical instructions. These ports are a tempting source of power to a patient or visitor.

Plugging your device into medical equipment for a quick charge, though, could have unintended consequences. These devices are often keeping patients alive, or used in medical emergencies. Plugging a phone or tablet in could damage the devices, or infect the equipment with malware - meaning the device may not work as expected the next time a medical professional uses it.

The best tip? Keep a charging adapter handy and plug into the AC outlet in the wall.

Wednesday, December 2, 2015

Your child's privacy is eroding

Social media, cloud-based educational tools, and Internet-connected toys are eating away at your child's privacy. My latest post at CSOonline