Wednesday, June 22, 2016

Taking a break

I am taking a bit of family time before starting a new job in mid-July. Barring any major security events, I will not be publishing any posts for the next few weeks. See you in late summer!

Wednesday, June 8, 2016

IRS level-ups consumer security: the good, the bad, and the ugly

On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.

The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.

But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. and guess what information is required to prove your identity? The same information that may have already been stolen in the past.

The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.

Thursday, June 2, 2016

TeamViewer Hacked? Maybe, maybe not - but take precautions

TeamViewer may or may not have been hacked. Regardless, here are some sane precautions for remote control software.

I've seen a lot of noise over the past 24 hours suggesting that TeamViewer - a popular remote control product for computers - is being used by crooks to break into PCs, then use logged-in sessions on those computers to make purchases, transfer money, etc.

TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that can be controlled over the Internet by me though, could potentially also be controlled over the Internet by a malicious hacker that knew the right access information.

It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.

The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If My LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.

Regardless, a few precautions can limit the potential for harm.

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.