Thursday, December 29, 2016

Silver linings: 2016 in pictures

2016 in photos

2016 has been a bugger of a year for many. Rather than stew over the loss of family members, friends, and icons of our adolescence, my cousin asked a simple question: "what's the best/coolest thing you did in 2016?" I thought to reply with a picture - but as I scrolled through my camera roll I found it has been an amazing year of memories, too many great experiences to pick just one picture. So here are some smile-worthy pictures from my family's 2016!

If you like these, my Instagram account is entirely things that make me smile or laugh. Cyber security exposes me and my peers to a constant flood of bad news and never-ending threats. This is one way I stay mentally healthy.

Tuesday, December 13, 2016

"Ho! Ho! Ho!" or "Oh No No!"

Here are a few holiday tips to make sure "Ho! Ho! Ho!" doesn't turn into "Oh No No!"

It's December! A time for family gatherings, vacation travels, Christmas shopping - and holiday scams. Here are a few tips to make sure "Ho! Ho! Ho!" doesn't turn into "Oh No No!"

Wednesday, December 7, 2016

Six steps to block credit card fraud

Credit Card Fraud spelled out using Scrabble tiles

Just over a year ago, I put together a simple guide to dodging financial fraud; it quickly became one of the most popular posts on this site. Given some recent cyber events, now seems like a good time for an updated version.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than it was two years ago, but it still remains a hot topic. Between Target, The Home Depot, Sears, Dairy Queen, Wendy's, Cici's Pizza, Goodwill, Trump Hotels, Hyatt, Hilton - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story this week, researchers at the UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit code on the back. Visa's payment network will block repeated attempts to guess the expiration and security code coming from a single merchant - but does not detect guessing attempts spread out across many merchants.

The result is, by automatically and systematically generating different versions of security data for a card number, and trying the different combinations across thousands of merchant websites, a malicious hacker can successfully guess the correct combination of account number, expiration date, and security code in just a few seconds.
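As an added illustration (not from the original post, and not Visa's actual logic), here is a small network-side detector in Python that shows why a per-merchant velocity rule misses this attack while a per-card rule that counts distinct guesses across all merchants catches it within the first ten attempts. The merchant names, the thresholds (5 declines per merchant, 10 distinct guesses per card, 300-second window) and the traffic are all constructed assumptions chosen for illustration.

```python
"""Added example: per-merchant vs. cross-merchant detection of distributed
expiry/CVV guessing. Thresholds, merchants and traffic are constructed."""
import hashlib
from collections import defaultdict, deque


def pan_id(pan: str) -> str:
    """Key detection state on a hash rather than the raw card number
    (in production this would be a token from the card vault)."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


class GuessingDetector:
    def __init__(self, per_merchant_limit=5, network_limit=10, window=300):
        self.per_merchant_limit = per_merchant_limit  # declines one merchant may see for a card (assumption)
        self.network_limit = network_limit            # distinct (expiry, cvv) guesses per card, any merchant (assumption)
        self.window = window                          # seconds
        self.merchant_declines = defaultdict(deque)   # (merchant, pan_id) -> decline timestamps
        self.card_guesses = defaultdict(dict)         # pan_id -> {(expiry, cvv): last seen}

    def _prune(self, pid, merchant, now):
        q = self.merchant_declines[(merchant, pid)]
        while q and now - q[0] > self.window:
            q.popleft()
        guesses = self.card_guesses[pid]
        for key in [k for k, ts in guesses.items() if now - ts > self.window]:
            del guesses[key]

    def observe(self, merchant, pan, expiry, cvv, ts, approved):
        """Record one authorization attempt; return which rules now fire."""
        pid = pan_id(pan)
        self._prune(pid, merchant, ts)
        if not approved:
            self.merchant_declines[(merchant, pid)].append(ts)
            self.card_guesses[pid][(expiry, cvv)] = ts
        return {
            "merchant_rule": len(self.merchant_declines[(merchant, pid)]) >= self.per_merchant_limit,
            "network_rule": len(self.card_guesses[pid]) >= self.network_limit,
        }


def distributed_attack(pan, merchant_count=200, per_merchant=3, start=0):
    """Constructed attacker traffic: each merchant sees only a few declines,
    but together they walk through many (expiry, cvv) combinations."""
    attempts, i = [], 0
    for m in range(merchant_count):
        for _ in range(per_merchant):
            expiry = f"{i % 12 + 1:02d}/{17 + (i // 12) % 5}"  # cycles through 60 expiry dates
            cvv = f"{(i * 7919) % 1000:03d}"                    # 919 is coprime to 1000: no repeat in 1000 tries
            attempts.append((f"merchant-{m}", pan, expiry, cvv, start + i, False))
            i += 1
    return attempts


def first_alerts(attempts, detector=None):
    """Index of the attempt at which each rule first fired, or None if never."""
    det = detector or GuessingDetector()
    first = {"merchant_rule": None, "network_rule": None}
    for idx, attempt in enumerate(attempts):
        for rule, fired in det.observe(*attempt).items():
            if fired and first[rule] is None:
                first[rule] = idx
    return first


if __name__ == "__main__":
    # Test PAN only; the merchant rule never fires, the network rule fires on the 10th guess.
    print(first_alerts(distributed_attack("4111111111111111")))
```

The point of the two rules is the state they key on: the merchant rule counts declines per (merchant, card) pair and so resets with every new merchant the attacker rotates to, while the network rule counts distinct guesses per card regardless of where they came from.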

So what can you do to take credit card fraud off the top of your list of worries?

Saturday, November 26, 2016

RIP Tom Hanks? No, it's a fake malware scam

Tom Hanks is not dead. That doesn't stop crooks from using news of his demise to attract victims.

Updated 29 November with additional context after I analyzed the malicious link. TL;DR: Tom Hanks is not dead, and the fake news link on Facebook leads to a malicious website. As an aside, Tom Hanks is not the first celebrity to be used in fake news scams, and I am sure he won't be the last. Other recent malvertisements have claimed the demise of Harrison Ford, Sylvester Stallone, Beyonce, and even Facebook's own CEO Mark Zuckerberg.

No, Tom Hanks is not dead. However, a malicious advertisement circulating on Facebook over Thanksgiving weekend uses that headline as bait; readers that click the "news story" to find out more instead get more than they bargained for. 

Instead of a news article, the advertisement leads to a web page that blares an incessant alarm sound and displays the following warning message. As a clever twist, the malicious content itself imitates Google's own malicious website warning. 

Victims that call the phone number on the screen will no doubt be instructed to pay a "Microsoft Technical Support" fee to have the malware removed - a twist on the classic technical support scam.

Sunday, November 6, 2016

November 8 is about more than just the Oval Office

Decisions made in November reach from the White House to your and my houses.

The bulk of this was written a year and a half ago. This election cycle has brought about caustic attitudes, and a very large number of people stating they simply would not vote this year. I have for the most part stayed out of any political discourse this season, but the following tweets from Leslie "Hacks4Pancakes" Carhart spurred me to update my post.

Even if you're fed up with presidential candidates, please vote local and for the next 10+ years of SCOTUS.

The current presidential election cycle has truly brought out the worst in this country. I've seen caustic arguments between friends and family members. Individuals in each camp call supporters of the other everything from foolish to evil (frequently in less kind terms). Over and over again I hear comments of "I can't vote for anyone but I surely have to vote against so-and-so" or "there's no one worth voting for so there's no use voting." Lost in the noise is that November 8 is about far more than just who will occupy the Oval Office for the next four years.

The soon-to-be President of the United States will appoint at least one Supreme Court justice (replacing Justice Antonin Scalia, who passed away this year). Given the ages of other currently-serving justices, he or she may well appoint as many as four. The current court is an evenly-balanced mix of justices who tend toward liberal and conservative; for the incoming President to replace four justices would put decided slant on the court, one way or the other.

Thursday, October 27, 2016

A $17 Social Engineering Lesson From a Blind Man

Today I fell for a scam.

I often walk around the Texas Capitol complex during lunch, or when I need to mull over something. Today as I was walking, a blind man stopped me and asked if I could direct him to Lamar Street. I stopped to talk with him for a moment, and he explained he was trying to get to the Texas School for the Blind. 

Texas School for the Blind is a solid 4 miles from downtown, so I offered to get my car and give him a lift. He appeared grateful - and then said he wanted to call ahead and make sure it wouldn't be a wasted trip. See, he was living in a halfway house and his rent was due; if he couldn't come up with seventeen dollars to make rent, he would be out on the street tonight. He thought Texas School for the Blind offered emergency assistance.

I let him borrow my phone to make a call. From his side of the supposed conversation, it was obvious he did not get the answer he was hoping for. I gladly gave him what I had in my wallet, shook his hand, and wished him well.

Being the skeptical soul that my profession makes me though, when I got back to my office I redialed the number he had called. Surprise, surprise - the number was not in service.

Working downtown I frequently encounter people asking for a handout. I have my own ideas that influence my decisions to give or not to give, but it is not my intent to turn this into a philosophical or political discussion. What makes this event stand out in my mind though is how his pitch was so polished, rehearsed - and phish-like.

It was a veritable lesson in social engineering.

Tuesday, October 11, 2016

Amazon joins the password merry-go-round

Like many companies, Amazon regularly looks for evidence that its customers' usernames and passwords have been exposed. The company apparently discovered a trove of usernames and passwords recently, and is resetting some passwords as a precaution.

The company has not said how many accounts are affected, nor where they found the user details; the only thing they have said is that the list was not Amazon-related. This could mean it was a list of usernames and passwords from a completely unrelated site, but for individuals that reused the same passwords at Amazon.

The details are almost identical to reports about 6 months ago of a similar incident: Amazon reset some users' passwords after a list of names and passwords was found online. The list was not for Amazon accounts, but the account owners used the same passwords for their Amazon accounts. Go back a year, and the same scenario played out yet again.

What should you do?

First, don't panic. There is no indication that Amazon has been hacked. Rather, Amazon does an excellent job of searching for breaches elsewhere, and identifying customers that used the same password at Amazon.

  1. There is no harm whatsoever in changing your password just to be safe, even if you have not received a notice from the company.
  2. More important, make sure your Amazon (and every other account) password is long, and is not reused anywhere else. If the same password is used everywhere, a stolen password can give an attacker access to all of your accounts. A stolen password is far less damaging if it only unlocks that single account.
  3. If you do receive an email that appears to be from Amazon, don't click the password reset link in the email! While I haven't seen any examples specific to Amazon, fraudsters love to imitate a well-known service and claim your account is in jeopardy. In this example from last year, scammers sent a phishing email pretending that your Apple ID was amiss. When you click the link and "verify your information" though, you instead are giving the hacker your information so they can login as you.

    What to do instead?

    Go directly to Amazon's website (type the address yourself or use a bookmark), and change your password there.

If you received a phishing email imitating Amazon, I'd love to have an example to add to this story. I'll gladly credit you, or keep you anonymous, as you wish!

Thursday, October 6, 2016

Basic cyber advice

What better time than National Cyber Security Awareness Month for a refresher on cyber safety? Start the new school year off with some healthy habits.

For the second year in a row, Security For Real People is proud to be a National Cyber Security Awareness Month Champion. NCSAM is a month of cooperative efforts involving government, private businesses, and individuals working together to promote online safety and digital privacy. It began as a joint government and industry program between the National Cyber Security Alliance and the Department of Homeland Security. It now includes over 700 corporations, small and medium businesses, educational institutions, and individuals, all with the shared goal of making the digital world just a bit safer for us all.

The news is full of stories about extraordinary threats: Baby monitors hacked to spy on you. A billion Yahoo email accounts exposed. Sophisticated spies taking over iPhones. Movie plot-worthy heists draining millions of dollars from thousands of ATMs at once.

Elite hackers exist, and they do elite things - but they are generally not the greatest threat to most people. Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Wednesday, September 28, 2016

Someone's watching the baby, and it isn't you

"A greyscale image of a webcam," by Asim Saleen, used under license CC BY-SA 3.0

It seems like a scene out of a Transformers movie, but it happened right here in Austin. Local news station KVUE reports that an Austin family noticed their Wi-Fi baby monitor moving on its own one evening last week. It was being controlled by an unknown person, for an unknown purpose.

I hesitated to write this story, since I do not have a Wi-Fi camera to test myself and provide recommendations on. The intent of Security for Real People is not to spread fear, but to give practical advice you can use to keep yourself and your family safe online.

I decided to share the story anyway, for this reason: Internet-connected devices are becoming more and more common, and entering more and more intimate areas of our lives. But in many cases online safety is an afterthought. With a refrigerator or TV, maybe that's not a big deal, but a camera inside the home lends itself to voyeuristic abuse or worse.

Friday, September 23, 2016

Monster DDoS, Yahoo woes, malware by mail - the week in review

Here is a recap of some more notable cyber security stories this week, along with short and simple things you can do.

Friday, September 9, 2016

New Twitter stalker-assist feature is enabled by default

I noticed a new feature on my Twitter mobile app this morning - one that I'm not exactly keen on. I'm even less keen on it being added and enabled by default. Twitter now has a "Send/Receive read receipts" feature, on by default, that lets the sender know when you have read a DM. I'm not exactly sure when it was added, but I know it was not there a couple of days ago.

Useful? Maybe, depending on your preferences. As fellow traveler Trey Ford pointed out to me, many if not most chat apps already have this feature. iMessage, Facebook Messenger, WhatsApp - they all let you know when your message has been seen by the recipient.

Twitter has a different use model though - and more to the point, has another feature that in conjunction with this can make things a bit awkward. With "Receive Direct Messages from anyone" enabled, any person on Twitter can send private messages to you. Combined with this new "Send/Receive read receipts" feature, strangers can send you messages - and know when you read them.

It's sort of a stalker's dream.

I won't scream and shout to disable the setting - that's truly a personal preference. But at the very least you should be aware that Twitter has added this feature, and that by default it is turned on.

If you wish to disable it, here are instructions. I presume the Android settings are similar, but I don't have a screen capture handy. Also, hat tip to Bryan Brake for pointing out that you must do this for EVERY Twitter account you manage.

iOS app: Select the "Me" icon, then the Settings gear, then Settings. Under Privacy and safety, look for the Send/Receive read receipts selector. Twitter website: Select the profile and settings icon, then Settings. Select the Security and Privacy menu, then look for the Send/Receive read receipts check box.

Thursday, September 8, 2016

An Aggie Story

"Tree stump at Armadale Castle" by Mike Peel, used under license CC BY-SA 4.0

While this may sound like the setup to a joke, I assure you my story is true and accurate :-)

A number of years ago, my brother attended Texas A&M University. He had a bicycle he used to commute around campus, a bicycle that he was rather attached to. At times he did not want to carry it up the stairs to his apartment, so in order to protect it from theft, he chained it up. He located the biggest, gnarliest tree he could find near his apartment, and frequently chained the bike to that tree.

One morning he walked outside to go for a ride. He walked to where his bike had been safely chained, and found a stump. While he napped, the University had cut down and removed the tree, leaving only a stump!

Fortunately they had left his bike - chain, lock and all - leaning against a sign post, where he found it moments later.

I could make a point about myopic security viewpoints, focusing on one risk and overlooking equally great risks.

I could make a point about supply chain risk, in which the products we choose introduce risks outside our control.

I could make a point about recognizing which risks our controls mitigate - and which risks they don't.

Instead, though, I'll leave the reader to ponder this humorous story and come up with your own moral!

Tuesday, August 30, 2016

The tangled road toward securing Social Security accounts

Everywhere you look this week, you see talk about Facebook's "people you may know" algorithm's creepy sentience suggesting that patients of a certain psychiatrist friend one another, and of an investment firm that took out a short position (basically a bet that the stock would fall in value) in a medical device firm, then profited when it published news that the firm's devices had serious and easy-to-exploit flaws.

I'm not going to talk about either of those events in this post.

In late July, the US Social Security Administration made a significant change to "my Social Security," the online portal for accessing and managing benefits. In order to improve the security of the site, the government agency began to require two-factor authentication via a code sent by text message. In order to log in, you had to have both your password, as well as a phone to receive the text message on.

Thursday, August 25, 2016

Apple releases iOS 9.3.5 to block a sophisticated iPhone spy technique

Updated 2 September: It turns out that the same vulnerabilities exist in OS X for MacBooks and iMacs, and can be used to run malicious programs with kernel (i.e. the highest level) privileges. Apple released updates for OS X Yosemite and OS X El Capitan on September 1. 

For El Capitan, the fix is Security Update 2016-001.
For Yosemite, the fix is Security Update 2016-005.

To check for Mac software updates, open the App Store app on your Mac, then click Updates in the toolbar. If updates are available, click the Update button to download and install them. If you don't have the App Store on your Mac, get OS X updates by choosing Software Update from the Apple menu.

Updated 26 August: Brief update - here is a link to the original (and in-depth) report by Citizen Lab, the firm that identified the vulnerabilities and ferreted out the origin of the attack.

When a mobile phone provider sends you an update for your phone, it's usually a good idea to install it. Sometimes it's a better idea than others.

This is one of those times: Apple just released an update for iPhones, fixing three very serious bugs that together have been exploited in secret to spy on apparent Middle Eastern targets. Through the flaws, merely clicking on a link can "jailbreak" an iPhone - defeating the security measures Apple has built in and giving the attacker complete control of the device (and any private information on the device).

Your iPhone will prompt you to update to iOS 9.3.5 very shortly. Do it.

Motherboard has an article describing how the flaw was discovered and how it was being used to spy on individuals.

The SANS Internet Storm Center has a concise description of the three flaws and how they work together to compromise a device.

Here is Apple's release bulletin for iOS, and Apple's release bulletin for OS X.

What do you need to do?

Open the Settings app on your iPhone or iPad and go to General -> Software Update, or connect to iTunes on your Mac or PC. If you are running iOS 9.3.5 (the latest update as of this writing), your device will show that it is up-to-date. If you are running an older version, your device will show an update is available. Install it!

Tuesday, August 9, 2016

Beginner's Guide to Information Security

This summer, I and ten other security professionals wrote a book called the Beginner's Guide to Information Security. It is available now on Amazon for the Kindle and Kindle Reader apps! Our eventual goal is to give it away, but the publisher doesn't make that easy. For now, any proceeds from book sales will be donated to Without My Consent, an organization that combats online harassment.

I am in awe by the giants of the field I was privileged to write with!

Chapters include:

Friday, July 29, 2016

Do your data retention policies match reality?

In a 2009-2010 drug trafficking case, Yahoo was able to produce email that their retention policy stated should not be available. The culprits were convicted in part through email they had written and subsequently deleted. Naturally they would like to know how they surfaced. A US court has now ordered that Yahoo explain how they recovered the email.

Why does that matter to me?

From an information security perspective, data in our possession is both an asset and a liability. An asset in that it can support business operations and enable servicing our customers; a liability in that data that has value to us may also have value to a third party (whether a public official or someone with criminal intent).

Retention policies serve to manage risk by defining how long an organization believes the value (or regulatory obligations) of data outweighs the risk of that data being compromised. If data remains recoverable beyond the retention policy, it represents an unmanaged and perhaps unrecognized risk.

As an extreme example I once came across a database of customer names, addresses, and credit cards, left exposed on a web server. Incredibly, the database belonged to a company that had stopped using that web hosting business years earlier. There was simply no reason for that database to still exist on those servers. Had the company deleted the no-longer-needed information, there would never have been a breach.

Define retention policies - and then ensure those policies are carried out.

So what? I'm not an information security person

The same principle holds true for personal life. Clean up your data every once in a while.

Pictures may have a lifetime of value. Tax records should be kept for several years (for US readers, the IRS has some guidelines). Credit card records generally can be disposed of once you get your monthly statement (though I personally keep receipts for high-value items until the warranty expires). To grossly paraphrase a quote by Albert Einstein, keep information for as long as it is useful, but no longer.

Thursday, July 21, 2016

iOS 9.3.3 for iPhone and iPad: update sooner rather than later

Update 24-July: to date I am not aware of any public exploits for these vulnerabilities. The only exploits I am aware of reside with the discoverer at Talos, and will not be publicly released. Still, the damage that could be done if a criminal hacker worked out an exploit is significant enough that this is a must-install update. 

Apple released software updates for many of its products this week - iOS iPhones, iPads and iPods; OS X for Mac laptops, watchOS for Apple Watch; tvOS for Apple TV; iTunes for Windows; and Safari web browser. This is a case where you might want to update sooner rather than later, at least if you use an iPhone or iPad.

About a year ago, an Austin researcher found a flaw in a core component of Android, which became known as the StageFright vulnerability. This component was responsible for processing images and videos, and could be exploited by merely sending a maliciously-designed MMS message. The recipient did not have to view the message - the phone would process the image automatically once it was received.

This Spring, a researcher with Cisco's Talos team found a very similar flaw in ImageIO, a component of the operating system that is used for all image handling. Just like StageFright, ImageIO has what the security profession calls a Remote Code Execution, or RCE flaw. A hacker can design a malicious image file that exploits this flaw to run any program or instructions they want. All they have to do is get you to open the image - which is as easy as sending the image via MMS message so that your phone automatically loads the image and has it ready for you to see.

Wednesday, June 22, 2016

Taking a break

I am taking a bit of family time before starting a new job in mid-July. Barring any major security events, I will not be publishing any posts for the next few weeks. See you in late summer!

Wednesday, June 8, 2016

IRS level-ups consumer security: the good, the bad, and the ugly

On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.

The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.

But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. And guess what information is required to prove your identity? The same information that may have already been stolen in the past.

The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.

Thursday, June 2, 2016

TeamViewer Hacked? Maybe, maybe not - but take precautions

TeamViewer may or may not have been hacked. Regardless, here are some sane precautions for remote control software.

I've seen a lot of noise over the past 24 hours suggesting that TeamViewer - a popular remote control product for computers - is being used by crooks to break into PCs, then use logged-in sessions on those computers to make purchases, transfer money, etc.

TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that can be controlled over the Internet by me though, could potentially also be controlled over the Internet by a malicious hacker that knew the right access information.

It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.

The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If my LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.

Regardless, a few precautions can limit the potential for harm.
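Both the Amazon password resets described earlier on this page and the TeamViewer account takeovers here come down to one check a service can run for its users: take a third-party breach dump and find which of its own accounts still use the leaked password, without ever storing plaintext. The following Python is an added example, not Amazon's or TeamViewer's code. The user records and the "dump" are constructed, and the PBKDF2-HMAC-SHA256 scheme and iteration count are assumptions standing in for whatever password hashing the service actually uses.

```python
"""Added example (not Amazon's or TeamViewer's code): detect password reuse
from a third-party breach dump against a salted, stretched credential store.
All accounts and the dump below are constructed."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store salt + iteration count + PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def accounts_to_reset(user_db: dict, breach_dump) -> set:
    """user_db maps email -> stored record. breach_dump yields (email, plaintext)
    pairs recovered from some other site's leak. Only accounts whose email
    appears in the dump are checked, so the slow hash runs once per candidate,
    not once per user. Returns the emails whose current password equals the
    leaked one: those are the users to force through a reset."""
    reused = set()
    for email, leaked_password in breach_dump:
        key = email.strip().lower()
        record = user_db.get(key)
        if record is not None and verify_password(record, leaked_password):
            reused.add(key)
    return reused


def build_sample_db() -> dict:
    """Constructed user store for the demo."""
    return {
        "alice@example.com": hash_password("correct horse battery staple"),
        "bob@example.com": hash_password("hunter2"),
        "carol@example.com": hash_password("Tr0ub4dor&3"),
    }


# Constructed "dump" from an unrelated site: alice reused her password there,
# bob used a different one, and dave has no account with us at all.
SAMPLE_DUMP = [
    ("alice@example.com", "correct horse battery staple"),
    ("Bob@Example.com", "hunter3"),
    ("dave@example.com", "hunter2"),
]

if __name__ == "__main__":
    print(sorted(accounts_to_reset(build_sample_db(), SAMPLE_DUMP)))
```

Two things worth noticing: the comparison only works when the dump contains plaintext (or already-cracked) passwords, since a hash produced under another site's scheme cannot be compared against your own salted hashes; and because each user has a unique random salt, two users with the same password still get different digests, so the check has to go through the per-user salt rather than a single lookup table.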

Thursday, May 26, 2016

How to fail at mobile user experience

Some posts I write because I am curious, and some to share a project I have worked on, or a security risk to be aware of. And then there are posts like this, written out of sheer annoyance.

It began with a simple link to a news article, shared by a fellow Central Texas security pro:

At first glance, I thought the article pertained to a story I have been following (and have written about) - a series of coordinated ATM heists over the past few years, involving large numbers of stolen payment cards and large numbers of hired hands, stealing millions of dollars from thousands of ATMs at once.

Alas, I could not read the story.

Clicking the link in Twitter's client for my Android phone did not open the story on the ABC web site. Instead, the link opened Google Play Store, asking me to install the ABC News mobile app.

Monday, May 23, 2016

Coordinated heist steals $12.7 million from 1,400 ATMs in Japan

"Automatic teller machine trailer" by Thilo Parg, used under license CC BY-SA 3.0

This is a bit more sophisticated than the run-of-the-mill heist. On May 15, an as-yet unidentified crime ring pulled off the theft of the equivalent of $12.7 million USD, using 1,600 stolen payment cards at 1,400 Japanese ATMs, all in the span of 2 hours.

This is not the first coordinated attack against ATMs. A similar heist in 2011 used prepaid cards from a Florida bank to withdraw some $13 million USD from ATMs across Europe. Then, in February 2013, yet another crime organization pulled off the theft of over $40 million USD from ATMs around the world in a coordinated attack lasting 10 hours.

The details of the most recent attack are a little bit unclear to me - I suspect something may be lost in translation. The original story says the attack used cloned credit cards stolen from South Africa, but ATM withdrawals require PIN transactions, which typically means debit or ATM cards. Regardless, there are a few things you can do to protect yourself.

  • Avoid the use of debit / ATM cards as much as possible. A debit or ATM card is directly connected to your bank account, while a credit card is using the bank's money until you pay the bill at the end of the month.
  • When withdrawing cash from an ATM, if you have a choice, favor an ATM indoors at a brick-and-mortar bank. Brian Krebs has done some enlightening research into ATM skimmers, including a fascinating series on a particular ATM fraud method in Mexico. ATMs in public places (shopping centers, hotels, convenience stores, event venues) are prime targets for crooks to steal card data.

    It takes only a few seconds to insert a skimmer - a physical device that copies the card information when you insert a card into the machine.  More sophisticated attacks will place the skimmer inside the machine, or install malware on the machine so the machine itself will copy the card data and send it to the attacker. ATMs inside legitimate banks are less likely to be compromised, simply because there is greater risk to the criminal.
  • Set up transaction alerts with your bank. Your bank will send you an email or SMS/text message, generally for transactions over a set dollar amount. While this does not prevent the fraud from happening, the sooner you know about it and report it to your bank, the sooner the fraudulent transactions can be reversed.

Wednesday, May 18, 2016

Rumor mill: LinkedIn password breach

Update May 18 10:00 CDT: LinkedIn has confirmed that the password dump is real, but that it originated from the 2012 data breach. The social media site is notifying affected users and requiring a password change for anyone who had an account in 2012, and has not changed their password since.

The rumor mill has it that some 170 million LinkedIn usernames and passwords are available on the black market, offered for sale to anyone willing to pay the equivalent of a few thousand dollars US.

Several investigators that I trust have suggested it is likely true - but also likely old news. LinkedIn confirmed a data breach in 2012 involving usernames and passwords, though on a much smaller scale. The most reliable sources I have suggest that these 170 million passwords are in fact from the 2012 breach.

If you haven't changed your LinkedIn password since 2012, do so now. We know there was a confirmed breach at that time. 

Even if you have changed your password since then, it can't hurt to change it again. It takes about 30 seconds, and it renders the rumored password dump useless against you, whether or not it contains your actual password. LinkedIn provides simple instructions for changing your password.

As an additional step, consider enabling multifactor authentication for your LinkedIn account. With multifactor authentication enabled, you add your phone number to your LinkedIn account. LinkedIn will send a one-time-use code to you via SMS (text message) anytime a login request comes from a device you have not logged in from before. As I have written before, phone-based multifactor is possible to defeat - but it is far stronger than just a password.

Your LinkedIn profile is an extension of your professional identity; a stolen password could allow someone to embarrass you. Possibly worse, with access to your LinkedIn account, an attacker could reach out to your connections to abuse their trust in you. Your connections would assume the attacker was in fact you. For that reason, social media accounts should be well protected.

Wednesday, May 11, 2016

SIM swap fraud targets SMS-based two-factor authentication

Security is a constant cat-and-mouse game between developers/defenders and criminals. I and others have long recommended "two-factor authentication" for any sensitive accounts (email, banks) - you must enter both a password and a code generated either by a mobile app or sent to you via SMS/text message. It is a significant hurdle for crooks.

This method of security is becoming common enough for criminals to come up with ways to defeat it. One such method seen lately in the UK is a so-called "SIM swap" - the crook gains enough information to impersonate you, then calls your mobile carrier to claim your phone has been stolen. Your phone number is re-activated, but on the crook's phone - so the crook now receives the SMS or text codes meant for you.

Multi-factor authentication that uses a mobile app (or a separate token generator) is stronger security, but if SMS is what your bank offers, I still recommend enabling it. It's still far better than just a password.

What you should do

  • Enable any two-factor or multi-factor feature provided by your bank. A hardware token (a physical device generally about the size of a USB flash drive) is the strongest solution, though it's probably not practical to carry token generators for every important account. A mobile app (Google Authenticator and Duo Mobile are popular options) is the next best thing, and even an SMS or text message code still raises the bar that a criminal must overcome. is a great website with links to "how-to" documentation at many, many banks and service providers.
  • Be mindful of the personal information you share publicly. The more a criminal can learn about you (address, current location, date of birth, email addresses, children's names, payment card numbers, bank account numbers, etc.), the easier he or she can impersonate you to a service provider. If the identity thief can convince tech support that they are you, then for all intents and purposes, to that service provider they are you.

Friday, May 6, 2016

Email hacks, cute pet scams, and payroll fraud - the week in review

Here is a recap of some more notable cyber security stories this week, along with short and simple things you can do.

270 million email accounts hacked!

The story: many news outlets are reporting that a Russian hacker stole passwords to over 270 million GMail, Yahoo! Mail, Hotmail, and email accounts. The origin of the story is a company with a dubious track record, known for making a big deal out of questionable information. Most likely, the hacker does have 270 million passwords - but not necessarily accurate, current, or associated with email accounts. This seems to be a repackaging of a story from the same source 2 years ago - at that time claiming a billion passwords. In reality, these passwords came from many smaller breaches, over a period of many years, and many were not even to email accounts. Instead, perhaps a news website was compromised and the attacker stole the email address and password used to log in; the attacker makes an assumption that you used the same password for your email account as you used for the news website.

What you should do: Don't panic. Do change your email account passwords just to be safe. Do use unique and long passwords for every account (or at least for any important accounts). Do set up two-factor authentication (which requires a code sent to you via SMS/text message, or an authentication app on your phone, to log in from any new location) for your email accounts.

Read this post for more password advice.

Fraudsters steal tax, salary data from ADP!

The story: ADP provides payroll and benefits services for over a half million businesses. Cyber crime investigator Brian Krebs wrote of an incident affecting some ADP clients. Client companies have the option of either pre-creating accounts for every employee, or of having employees create accounts themselves. In the latter case, the employee provides some information that presumably only the actual employee would know (social security number, date of birth, and a code provided by the employer). In some cases, employers evidently posted the company-specific code on a public website to make it easy for employees to sign up; if an attacker were able to obtain someone's social security number and date of birth, they could then create an account pretending to be that employee, and access all of the tax and salary information ADP holds for that employee - useful for tax return fraud among other schemes.

What you should do: This only affects ADP client companies that require their employees to sign up for online payroll and benefits services. The simplest defense is to create your online account with your payroll service immediately upon starting a new job - if you do it first, a hacker cannot pretend to be you.

10 year old kid gets $10,000 for hacking Instagram!

The story: this is actually a great positive story. Facebook awarded a 10-year-old Finnish student the equivalent of $10,000 USD for finding and reporting a flaw in Instagram (which Facebook owns). Under the flaw, a hacker could delete any other user's comments. Thanks to this young researcher, Facebook fixed the flaw so it cannot be exploited by those with nefarious intentions. I've seen other companies disqualify bug bounty reports from underage submitters. Kudos to Facebook for giving young ones incentive to not go to the Dark Side!

What you should do: Nothing! The flaw has already been fixed by Facebook.

Wi-Fi network named "mobile detonation device" freaks out passengers!

The story: Passengers on an Australian airline turned on their wireless devices to connect to the in-flight movie system, and freaked when they saw a hotspot named "mobile detonation device." The airline quickly ushered passengers off the plane while they investigated. As far as has been stated publicly, the device advertising that name was never identified, and eventually the flight did go on.

What you should do: How about not naming your mobile phone wi-fi hotspot something that will cause panic and possibly get you arrested?

Cute puppies and kittens lead to online scams!

The story: UK fraud and cyber crime reporting center ActionFraud writes of an increase in pets offered for sale through online auction websites. Often, the animal comes with a sad story about how it is in a faraway location and needs a new home, along with transportation to that new home. The unsuspecting buyer wins the auction, pays for the animal, and then is asked to pay more vet, boarding, or transportation fees. The buyer, though, never actually gets the animal - the pet for sale is usually merely a picture of a happily homed pet, taken off a public social media post.

What you should do: Don't buy a pet through an online auction. Your local animal rescue or SPCA no doubt has plenty of sweet animals looking for new homes.

Thousands of WordPress blogs redirect readers to malware!

The story: Security research firm Sucuri found a clever malware campaign that exploits WordPress blog sites whose operators haven't paid attention to security updates. The attackers compromise the blog sites, and add a piece of code that randomly redirects some but not all users to a website controlled by the attacker. If you are one of the unlucky few, the attacker's website attempts to trick you into downloading a fake software update that is actually malware.

What you should do: Two things. First, if a website asks you to install a software update, be very skeptical. Most modern software will automatically update in the background, and may display a notice in your system tray; a website popup with a software update is usually fake. Second, I am a huge fan of OpenDNS, a service that simply doesn't let your browser go to known bad sites. Read this post for a simple, step-by-step guide to setting up OpenDNS. It's not as hard as you think.

Tuesday, May 3, 2016

A devilishly simple phish

A diabolically simple phish: the message claims an error prevented the message from loading, and that you must click the link to see the real message.

I've had this post half-written for a couple of months, and in the interim received two more phishing emails following the same pattern. Over the weekend, a peer in the security industry mentioned he had received a phishing scam that followed this pattern but in a more carefully-crafted package tailored to look like an important message from the president of his actual homeowners' association. @GRC_Ninja has a great write-up of that particular event, with some sage advice from an employer's perspective. What follows is my advice from a consumer perspective, and then a dive into the weeds.

Some phishing approaches are carefully crafted, highly targeted, and nigh impossible to recognize as evil. Some phishing approaches are ridiculously lame and downright silly. And then there is this, from the email account of someone I do know and correspond with. Devilishly simple, and yet entirely believable: who wouldn't click on the link to see what the actual message is?

The email appears to be something that Yahoo! Mail could not display in the normal reader window, and which you must open into its own window in order to read. The "error message" at the bottom lends credibility to the scam. Those with digital rights management on their business email might even be used to messages that cannot render in the standard email reader.

Despite appearances, though, this is a fake, and the three best defenses against it are:

  1. A password manager such as LastPass or 1Password that recognizes website domains and will not enter your password into a fake login screen; 
  2. Two-factor authentication such that if a scammer does get your password, they still cannot log in without also having your device; and
  3. A DNS resolver such as OpenDNS, that recognizes scam domains and prevents your browser from going there.
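The first defense works because a password manager fills a saved credential only on the site it was saved for, so a lookalike login page gets nothing no matter how convincing it looks. The following is an added example of that check, written for this post and not taken from LastPass, 1Password or any other product; the public-suffix table is deliberately tiny (a real manager uses the full Public Suffix List), and the phishing-style hostnames under `.example` are constructed samples.

```python
from urllib.parse import urlsplit

# Simplified public-suffix table: an assumption for this demo only. A real
# password manager consults the full Public Suffix List. ".example" is the
# reserved placeholder TLD used for the constructed sample hosts below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au", "example"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its 'site': one label plus the public suffix.
    login.yahoo.com -> yahoo.com; mail.example.co.uk -> example.co.uk"""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                       # try the longer suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def site_of(url: str) -> tuple:
    """(scheme, registrable domain) for a URL; empty domain if none."""
    parts = urlsplit(url)
    return parts.scheme.lower(), registrable_domain(parts.hostname or "")


def should_autofill(saved_login_url: str, current_page_url: str) -> bool:
    """The decision a password manager makes before filling a credential:
    the page must be served over HTTPS and belong to the same site the
    credential was saved for. A lookalike host that merely *contains*
    the real name (yahoo.com.something.example) does not qualify."""
    scheme, site = site_of(current_page_url)
    _, saved_site = site_of(saved_login_url)
    return scheme == "https" and site != "" and site == saved_site


if __name__ == "__main__":
    saved = "https://login.yahoo.com/"
    for page in ("https://mail.yahoo.com/inbox",
                 "https://login.yahoo.com.message-error.example/view",
                 "http://login.yahoo.com/"):
        print(page, "->", "fill" if should_autofill(saved, page) else "refuse")
```

The refusal on the lookalike host is the whole point: the user may be fooled by a page that looks like Yahoo! Mail, but the manager compares the registrable domain, not the appearance, and the constructed `login.yahoo.com.message-error.example` reduces to `message-error.example`, not `yahoo.com`.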

Monday, April 25, 2016


Years of perseverance led to the Senior Champion Rabbit Showman award.

Allow me to digress from computer security, and talk about something else for my 200th blog post.

The last week of January, my daughter was named the senior division Rabbit Showmanship Champion at the county Youth Livestock Show, and won a fancy belt buckle (pictured above). This award means far more to me than a grand champion animal would (though I'd love for our family to produce the latter too), because of what it represents.

Showmanship involves a student's knowledge of their animal and breed, the responsibility they display, how well they present themselves and their animal, and how well they control their animal. While a champion animal involves the student taking good care of it, there is also a lot of genetics and a good bit of luck involved in raising a winning animal. Showmanship on the other hand is entirely up to the student.

What makes me the most proud though is not that she won the buckle. It's how she got to this point.

Thursday, April 14, 2016

Got QuickTime? Take a moment to "unget" it

Correction: the original post referred to ZDI as a division of HP; Trend Micro bought ZDI from HP in October 2015. At this point, the discontinuation of Apple's QuickTime for Windows product is a statement from Trend Micro and has not been publicly confirmed by Apple. Regardless, QuickTime has publicly-disclosed flaws that can be exploited to take control of your PC, and has no fixes available.

Apple just discontinued and published removal instructions for QuickTime for Windows, a once-popular video player and web browser plugin. Software that lingers on past a vendor dropping support for it can quickly become a gateway for malicious hackers to enter your computer - Windows XP has been an infamous example since Microsoft dropped support for it in April 2014.

QuickTime is no exception: Trend Micro's Zero Day Initiative found a few new vulnerabilities that can be exploited to take control of your PC, and so recommends that you remove QuickTime right away. To be fair, the risk here is a bit less than it is with, say, Adobe's Flash Player or Microsoft's Silverlight. While those products can run in your browser automatically upon loading a webpage, the QuickTime plugin is an older format that most browsers no longer support. One would have to open a QuickTime movie outside a browser (perhaps from an email attachment) to be at risk.

But here's the kicker: Apple's own Software Update utility still offers to install it for you. Don't. I still recommend keeping Apple Software Update - let it keep any Apple software you do use up to date - but don't let it install QuickTime!


  • ZDI-16-241: Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability
  • ZDI-16-242: Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability
  • Apple HT205771: Uninstall QuickTime 7 for Windows
  • US-CERT TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
  • CSOonline: CERT advisory urges QuickTime removal due to vulnerabilities, Apple does too