Friday, May 29, 2015

The heart-warming response to the Wimberley Flood

Amid the tragedy of the Wimberley and San Marcos Flood are heart-warming stories of neighbors helping neighbors.
A week ago tonight, the heavens unleashed their fury over Central Texas, dropping an incredible amount of rain in one night and causing an almost unimaginable flash flood.

Central Texas has long been known as "Flash Flood Alley." The terrain and atmospheric conditions can allow enormous amounts of rain to fall in one place; the soil is generally shallow and rocky so cannot absorb much water; and the hilly terrain means as water runs off it can gain tremendous momentum.

Flash floods are nothing new for Central Texas. In 2007, Marble Falls received some 19 inches of rain in 6 hours. That's more than half the rainfall in a typical year. The rain was enough to fill Lake Travis beyond its capacity, leading to two months of flood-control operations on the lake dam. In 2010, heavy rains caused the Comal River in New Braunfels to flood nearby Schlitterbahn water park, filling rides with mud.

The Memorial weekend storm of 2015 was different though in that heavy rain fell over a relatively large area. Between 9 and 12.5 inches of rain was recorded at numerous Central Texas gauges, much of which fell in the watersheds for the Blanco and San Marcos rivers. With so much rainwater funneled into two normally peaceful rivers, the result was a monstrous flood. The Blanco River rose 17 feet in a half hour, and 33 feet in a 3-hour span, ultimately resulting in a 40-foot tall wall of water that scoured away everything in its path.

Thursday, May 28, 2015

A text message to reboot your iPhone

Got an iPhone? Have friends (or kids) with a prankster streak? You might want to disable notification previews for SMS messages.
Got an iPhone? Have friends (or kids) with a prankster streak? You might want to disable notification previews for SMS messages.

An individual noticed on Tuesday that his iPhone rebooted after receiving an unusual text message. He posted a question about it on Reddit, and word quickly spread. The British technology publication The Register has a nice write-up on what it actually happening; the simple description is this:

When your iPhone attempts to display certain Unicode text (i.e. text using some international character sets), it triggers a flaw in the text processing library, causing the active app to crash. If that app is a core part of the operating system, that crashes the phone, causing a reboot.

Receiving an SMS message, or possibly a Twitter DM, causes the message to be shown in a "notification," a message preview on the lock screen or the top of the screen. Notifications are part of the operating system core, thus crashing the phone.

It doesn't damage the phone permanently, and it doesn't give an attacker control over your phone, so in the long run it's a pretty mild problem. In the short term though, lots of middle school kids (and middle schoolers at heart!) are pranking one another or their parents by sending an SMS message.

Apple has not released an update to fix this, though they have acknowledged the problem. A temporary solution is to disable notification previews. From the iOS "Settings" menu, select "Notifications", then "Messages," and set "Show Previews" to "Off."

This will prevent iMessages from displaying SMS messages previews in the notifications panel or lock screen and crashing the phone. It won't keep the iMessages app itself from crashing if you open a pranked message though. For that, you'll need the offending sender to send you another message, pushing the exploit string off the top of the list; or send yourself a message from another device or app (i.e. send yourself an image using the photo app instead of the iMessage app).

Tuesday, May 19, 2015

Planes, Trains, and Ethical Dilemmas

Ethical lessons in research and disclosure, from the Internet of Flying Things.

When I started out in the systems administration and hacking worlds a couple of decades ago - and even when I first moved into information security as a profession nearly 15 years ago - the dominant incentive was the ego trip: what can I get away with? Truth be told, that's the original (and to many, myself included, the "real") meaning of hacking: to take something and make it do what I want, rather than necessarily what the creator intended. A hacker is someone who is highly interested in a subject (often technology), and pushes the boundaries of their chosen field.

That culture has nothing to do with malicious use of computers - nay nothing to do with malice at all. It is all about solving puzzles: "here's an interesting <insert favorite item>; now what can I do with it?" The hacking ethos brought about automotive performance shops and the motorcycle customization industry glamorized by West Coast Choppers for two examples. A hacker could be known less controversially as a Maker, or a tinkerer, or a modder - or an engineer.

Hacking in its purest form is perfectly legitimate. If I own a computer, or a phone, or a network router, or a TV, or a printer, or a programmable thermostat, or an Internet-connected toy, or a vehicle, or (the list could go on forever), I have every right to explore its capabilities and flaws. Within reasonable limits (various transportation authorities may have something to say if I add flashing red and blue lights to my car and start driving down the highway), it is mine to do with as I please. Where it becomes ethically and legally questionable is when I stop tinkering with things I own, and begin tinkering with something you own, without your permission.

Thursday, May 14, 2015

VENOM: What you need to know (CVE-2015-3456)

Researchers at CrowdStrike discovered a flaw in the Floppy Disk Controller emulation component of QEMU virtualization software. If an adversary has administrative access to a virtual server, they can potentially exploit this to gain access to every other virtual server on the same physical host. Here is a moderately non-technical explanation.
Venom is a fictional comic character and occasional nemesis of Spider-Man... wait, that's not the Venom you meant.

Researchers at CrowdStrike discovered a flaw in the Floppy Disk Controller emulation component of QEMU virtualization software, which they dubbed "Virtualized Environment Neglected Operations Manipulation" or “VENOM” for short. If an adversary has administrative access to a virtual server, they can potentially exploit this to gain root access on the virtualization host (the physical box), and from there read memory and do anything else with other virtual servers on the same box. This vulnerability was given the identifier CVE-2015-3456

Wednesday, May 13, 2015

Is your home router spying on you?

Home wireless routers leased from Comcast broadcast a public wireless signal in addition to the private home network. Be sure your device is on the right network before doing online banking.
In mid-2013, Internet provider Comcast announced plans to build a massive network of public WiFi hotspots across the United States, so its subscribers could connect to the Internet from just about anywhere. This network would be built on the wireless routers Comcast leases to its home subscribers: most home users don't use the full capacity of their broadband connection 24/7, so the Internet provider would make unused bandwidth available for a public hotspot. The company says that the public wireless signal is completely separate from the private wireless signal used by your private home network, keeping your home network secure (though I am not aware of a definitive study that proves this).

For Comcast, this is great: it lets them boast of having the largest network of public wireless hotspots in the United Stated. For its customers traveling around the country it is likewise great: they pay for service at home, and get free access to the Internet on the road without having to eat up their cellular data plans. There is an unintended side effect though.

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.