Friday, March 29, 2013
Card skimming goes viral
It should come as no surprise that if most computer criminals are interested in money, they would go where the money is. As a report this morning indicates, often that means either banks or points of sale.
That in itself is nothing new. For years gas pumps and ATMs have been targeted, often by hiding tiny magnetic readers that read the data on your credit or debit card when you insert it into the machine. As technology progresses, those once easily-recognized additions have gotten smaller and smaller, to the point that they may be very difficult to recognize, or even be inside the machine where you cannot see them.
Today's report highlights a different approach, one that is far more difficult to detect. Russian-based security company Group-IB recently discovered malware called “Dump Memory Grabber,” which it believes has already been used to steal debit and credit card information from customers using major US banks. Unlike most malware (commonly called computer viruses) you may be familiar with, this malware is actually installed on the ATM or the point of sale registers/kiosks. It harvests everything the device obtains from the user - including everything from the mag stripe as well as potentially the PIN.
Friday, March 22, 2013
Identity theft while at a hacker conference ... an ironic coincidence
It is disturbingly ironic to have had to deal with credit card fraud in the middle of a hacker conference. Thankfully this story has a happy ending. I have to give kudos to Walmart for their quick and professional handling of this incident.
This week I attended the BSides Austin event, a 2-day hacker "unconference" in Austin, Texas. BSides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers. It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.
As I sat down to watch a presentation, I received an email alert confirming a walmart.com order. I thought it odd because I had not made any such purchase. I thought it even more odd because it included an order for pre-paid cell phone minutes on a carrier I do not use, to be delivered via email. Within 6 minutes I received 3 more order confirmations for similar purchases, followed by a confirmation that my account information (such as name, mailing address, and email) had been changed. Uh oh.
Monday, February 25, 2013
What's the big deal about hacking?
I've written before on how to protect your digital life from malware and identity theft, but never on why shady types might target you in the first place. There are a variety of reasons, but with a few less common exceptions they generally boil down to money.
When I started out in the systems administration / hacking world a couple of decades ago - and even when I first moved into information security as a profession nearly 15 years ago - the dominant incentive was the ego trip: what can I get away with? Truth be told, that's the original (and to many, myself included, the "real") meaning of hacking: take something and make it do what I want, rather than necessarily what the creator intended. That culture has nothing to do with malicious use of computers - see automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers for two examples. A hacker could be known less controversially as a Maker, or a tinkerer, or a modder - or an engineer.
Hacking in its purest form is perfectly legitimate. Where it becomes illegal is when I stop tinkering with things I own, and begin tinkering with something you own, without your permission (or, according to the US Copyright Office, if I tinker with certain digital devices even though I own them, a gross misinterpretation of the US constitution, but I digress...).
Tags:
Practical Security
Wednesday, February 6, 2013
No Better Feeling on Earth...
...Than to have your 12-year-old son's last words before
going to sleep be "That was awesome, Dad!"
note: I wrote this nearly a year ago, but unintentionally left it unpublished until now.
Saturday night, I took my three boys and a couple of friends
to San Antonio, to go to the Winter Jam concert tour. I have been a lifelong music junkie - in fact
I ran one of the first online magazines for Christian music from the mid-90s
until shortly after my oldest sons were born in 2000. But after my kids were born, my priorities
changed, and I have not been to many concerts in the last 12 years. What a thrill to introduce my kids to the
world of live Christian music!
Winter Jam has been going on for 17 years, and is a bit like
a travelling music festival. 10 bands
played over 5+ hours, with worship, prayer, and even a little magic mixed in,
all for $10. This was by far the best
$10 I have ever spent on entertainment and is certain to become an annual
tradition for my family.
During the time after the doors opened and before the
"proper" concert began, two bands new to the US market
entertained. We As People kicked off the
night, but alas I missed much of their set getting my kids situated. Aussie duo for KING & COUNTRY followed
with a very enjoyable set. They are
perhaps best known for the recent radio hit “Busted Heart” but there’s a lot
more to them than that one song. Youth
leaders got an extra bonus – a goodie bag that included among other things a
free download of their newest album “Crave.”
I have to say they've been growing on me the last few days.
Group 1 Crew ushered in the main show, bringing down the
lights to a rendition of “Party Rock Anthem” (aka "Everyday I’m Shuffling"),
complete with neon-lined outfits that would have been cool if they had worked
more than half the time. Fortunately the
singing was more reliable than the wardrobe.
Building 429 rocked to crowd-pleasers “Where I Belong” and “Listen to
the Sound.” Newcomer Dara Maclean did a lively rendition of the radio hits
“Free” and “Suitcases.” During Kari
Jobe’s performance of “We Are (the Light of the World)” my son pointed out the
absolutely amazing scene of the entire arena sparkling like a starry night,
from 9,000 cell phone flash lights. Cool
doesn't even begin to describe it!
Newsong’s Russ Lee emceed the entire event, but was not
silent during the singing. His amazing
tenor filled the arena during Newsong’s performance of the power ballad “Arise
My Love,” sung while an artist’s portrait of Christ’s face was etched on a
30-foot-square screen through light effects.
That song has always given me the chills, and hearing it performed live
was worth the price of admission by itself.
They then sang a new release, “The Same God.” That song really hit me. “The same God with you then is with you
now. The same God who led you in will
lead you out. So take all the fear and
doubt, go on and lay them down. The same
God, the same God is with you now.” I
needed that reminder!
After a brief intermission, Sanctus Real raised the audio
level (as if that were necessary!) another few notches, getting the crowd
singing along to “Forgiven,” “I’m Not Alright,” “Lead Me,” and “The
Redeemer.” As much fun as they were,
that was nowhere near the highlight of the night.
I've been a fan of Skillet for many years. As a matter of fact, I wrote about their
self-titled debut album way back in 1997 (reprinted in my blog). This was my first chance to see them live
though, and frankly was the reason I went to the Winter Jam (I’ll be returning
though, regardless of who headlines next year – the entire night was
incredible). To say they rocked the
crowd would be the understatement of the night.
From the introductory rock duet between headbanging violinist Jonathan
Chu and cellist Tate Olsen, to the closing strains of “The Last Night,” from
onstage pyrotechnics to 20-foot hydraulic lifts and Jen Ledger’s rotating drum
platform, the show was everything I expected and more.
While Winter Jam 2012 may not have been the best concert I’ve ever
attended (I doubt anything can top a small acoustic show with Petra lead John
Schlitt back in the early ‘90s), it certainly falls in the top 2 or 3. If you’re in the Eastern US and have a chance
to see the remainder of this tour, take it. You won’t
regret it!
Tags:
Faith Family & Fun
Review of Skillet's self-titled debut
Reprinted from CMRH,
first published 06-24-1997
In the mood for something loud, fast, and totally cool? Then check out Skillet, one of ForeFront's new
artists. Granted I'm about 6 months late on this one, but nonetheless it's a
good listen. From the first slams of
"I Can" to the final fade-out of "Splinter," Skillet's
self-titled debut rocks. “I Can” plays a musical see saw between the airy
guitar and piano during the verses, and the hard core guitar-driven choruses.
The screaming and rocking seems a bit out of place with the message - the title
is the answer to the simple question, "can I come to you?" - but hey,
Christ said to go into all the world preaching His name; He didn't say we had
to do it calmly!
"Gasoline" is a pretty innovative idea - the
chorus sings (or screams - take your pick) "You want to soak my heart in
gasoline, light a match and consume me. You want to soak my pride in gasoline -
all of You and none of me." The song is that of a man who is scared of
being hurt, scared of letting go of his heart. He is holding it out for God,
but would rather have it locked up in a box where it can't be hurt or crushed
or broken. But that's not what God wants of him. The song ends with the man's
heart sitting on a table next to a bloody mess that used to be Jesus' heart.
It's a gory picture, one that some may say doesn't belong in a Christian song.
But Christ's crucifixion was hardly pleasant. It was messy, bloody, painful,
and gruesome. That's what it took to redeem a lost world. And sometimes we need to be reminded of just
how much Jesus actually did for us so that we don't take it for granted. In
light of that, does God really ask too much of us?
I've many times said that an artist painted a picture of
this or a portrait of that. By that analogy, Skillet would be the abstract
painters who throw paint in front of a high-speed fan, which blows it randomly
onto a canvas. They have a perspective on life that's quite colorful, and quite
enlightening when you really look at it. "Saturn" is a perfect
example of this. It's also proof that there's more to Skillet than just
let-it-all-out rock. This song is much more down to Earth, musically, driven
mostly by an unplugged-style acoustic rhythm. In their unique style, they
allude to the fact that we don't have to see Heaven to know that it's there; we
don't have to see Jesus face to face to know that what He did was real.
Other highlights include "My Beautiful Robe,"
which speaks to the deceptiveness of our own righteousness (or lack thereof);
"Paint," a ripping cut with an almost sinister sounding lead vocal
through the verses; "Safe With You," a toned down tune about the
refuge we find in Christ; "Boundaries," which has some really cool
guitar work and a lot of lyrical contradictions; and the totally cool
"Splinter," with its truly high quality musicianship.
Skillet successfully blends raucous hard rock, deep and
sometimes subtle, sometimes provocative lyrics, and the gospel into a great
addition to ForeFront's arsenal. If you can handle a CD meant to be cranked up
loud, then pick this one up!
Tags:
Faith Family & Fun
Thursday, November 29, 2012
The Email That Hacks You: Securing the Home Network
I’ve written about this before, but a report this week on yet another way to
exploit unsuspecting home Internet users seemed like a good excuse to update my
blog.
A security researcher at Acunetix wrote this week about a simple way he found to hack some common home WiFi routers. He based his research on the fact that many email programs will automatically download and display embedded images. Most programs can be configured to not do this, and I can’t knock the convenience of not having to expressly download images to see what someone I know and trust sent. But this behavior can be abused: in his research, instead of embedding the location of an image file in his email, he embedded a link to his home router, crafted to log in with the default password and issue some commands. As far as the email client knew, it was an image, so it tried to load the link. As far as the router knew, the mail client was a legitimate user, supplying the legitimate password, and so it let the command go through.
What I wrote 2 years ago is still a pretty good foundation. I look at home security as having 4 legs: installing the latest software patches; a firewall to keep bad stuff from coming in; a web filter to keep from getting to bad stuff; and an antivirus program to deal with the bad stuff that will (not might) get through. To that I would add one more: lock the door (in other words, be intelligent in the use of passwords, and never leave the default password on anything of value).
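As a defensive illustration of the email trick described above, this added example (not code from the Acunetix research or from the original post) scans a message's HTML for resources a mail client would fetch automatically and flags any that point at the local network or carry embedded credentials. The sample message, router address, credentials, path and the list of local hostnames are all constructed assumptions.

```python
import ipaddress
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a mail client may fetch without any click.
AUTOLOAD_ATTRS = {("img", "src"), ("iframe", "src"), ("link", "href"),
                  ("script", "src"), ("body", "background")}
# Assumed names for router admin pages; extend for your own network.
LOCAL_NAMES = {"localhost", "router", "gateway"}
LOCAL_SUFFIXES = (".local", ".lan", ".home")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample: one ordinary image, two "images" aimed at a home router.
SAMPLE_EMAIL = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello</p>
<img src="https://images.example.com/logo.png">
<img src="http://admin:admin@192.168.1.1/hypothetical-page?setting=value" width="1" height="1">
<img src="http://3232235777/hypothetical-page">
</body></html>
"""


class AutoloadCollector(HTMLParser):
    """Collects URLs from attributes that load without user interaction."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTOLOAD_ATTRS:
                self.urls.append(value.strip())


def is_internal_host(host):
    """True if host is a private/loopback/link-local address or a local name."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    if host in LOCAL_NAMES or host.endswith(LOCAL_SUFFIXES):
        return True
    try:
        # Browsers also accept an IPv4 address written as one integer.
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def assess_url(url):
    """Return the list of reasons a URL is suspicious (empty if none)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return ["unparseable-url"]
    if parts.scheme not in ("http", "https"):
        return []
    reasons = []
    if is_internal_host(host):
        reasons.append("internal-host")
    if parts.username or parts.password:
        reasons.append("embedded-credentials")
    if reasons and parts.query:
        reasons.append("carries-parameters")
    return reasons


def scan_message(raw):
    """Return (url, reasons) for every suspicious auto-loaded URL in an email."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = AutoloadCollector()
        collector.feed(payload.decode(charset, errors="replace"))
        findings += [(u, r) for u in collector.urls if (r := assess_url(u))]
    return findings
```

A mail filter could quarantine or strip any message for which `scan_message` returns findings; changing the router's default password remains the fix that makes such a request fail.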
Friday, November 2, 2012
Sometimes God Provides Just Enough
7 years ago today I wrote a letter about God’s hand in protecting my family from what could have been a tragic event. A teenage driver ran a red light, hitting my wife and two oldest broadside at about 70mph, rolling the van and leaving one of my boys unconscious for the better part of 12 hours. To see the wreckage afterward though, no one should have survived it. God preserved their lives when there is no natural way they should have survived. October 27 is forever a day of thanksgiving for me now.
This month, God again showed His sovereignty in some amazingly clear ways. I have seen God provide an abundance of blessings in the past, but this time He chose to work a little differently. This time He chose to provide exactly what we needed, at exactly the right time, and to lead us in faith through the entire process.
On October 16 2012, my wife was involved in another auto accident. A man at a red light misjudged the lanes, and turned directly into her lane as she crossed an intersection, hitting her quite hard directly on the passenger-side rear wheel. The scenario was disturbingly similar to the awful wreck 7 years ago that nearly took the lives of my oldest sons. Thankfully her injuries were not severe and she has mostly recovered. The van, however, was another story.
The initial evaluation from the other party’s insurance company was that the van could be repaired, but that it would take about 3 weeks to do so. I am not comfortable keeping a vehicle that has been in a wreck though, even if it is repaired. A collision stresses parts of the vehicle that were not designed to be stressed (or more specifically, that were designed to protect the occupants by taking the brunt of that stress). Even fully repaired, there’s just no telling what sort of “gremlins” will be left behind, showing up months or years later as unexplained problems and breakdowns. I know a body shop can do a very good job on a repair, but the likelihood of future problems is just not something I want to deal with. So Jennifer and I decided that regardless of the outcome with the old van, we were going to replace it.
In researching possible replacement vehicles, we ultimately decided there was one specific model and year we would be most comfortable with (and comfortable in). We didn’t want to replace the van with something of the same vintage, but rather wanted something that would get us the rest of the way through our child-hauling years so we’re not back in the same situation in a few years. But here comes the rub: we had not planned on replacing the old van for another 4 years or so, so were not financially prepared to do so just yet. It seemed we faced the choice to either take on an uncomfortable amount of debt (I am a big Dave Ramsey fan – I don’t like debt for depreciating assets!), or settle for a vehicle we wouldn’t be happy with.
Here is where God started to intervene. In searching for the right van at the right price, we stumbled across exactly what we were looking for, at a price that bordered on manageable. It was a 2-year-old Honda Odyssey with only 20,000 miles on it, and it was a Certified Pre-Owned so it had been thoroughly checked out and cleaned up by the dealer, and came with an extended warranty. But it was in Shreveport, Louisiana, about 350 miles away. This was Friday afternoon … I called the dealer and talked with the sales manager to ask a few questions about it, and we agreed in principle on a price. An hour later we were en route to Louisiana, staying at our lakehouse to avoid the cost of a hotel (it just so happened that our lakehouse is right on the route from Austin to Shreveport – imagine that!).
Saturday morning we arrived at the dealership, test drove the van, looked it over for anything that would turn us away, got the dealer to agree to fix a minor issue we did see, and then headed back to Texas in a van we are confident will last until the kids are out of school. We had made a number of assumptions as to where the money would come from, and came to the conclusion that we could handle the cost but would have to make some hard sacrifices for a year or so.
At this point we still expected to get the old van back and have to sell it. We weren’t sure whether to pray that Progressive call it a total loss, or that they fix it and return it to us. On the one hand, if we got the van back we would have the hassle of finding a buyer for a van that had been repaired from a significant wreck. On the other hand, my experience with insurance companies in the past was that they tended to value a total loss as low as they could get away with. Either way we were faced with a less than desirable situation. Then God revealed His hand again.
The day after we got home in the new van, Progressive called back to say they were now considering the old van a total loss. We were not going to get the old van back, and they would have given us about 3 more days of a rental vehicle before we would have been left without transportation. Finding and buying the new van when we did kept us from having to make a quick purchase on something we might have regretted later. More than that, their valuation was a bit more than I expected them to offer. That plus the savings we had available were almost to the dollar enough to pay for the new van without taking on debt.
God didn’t give us a brand new car. He provided a near-new car in great condition.
God didn’t give us a car at no cost to us. We still spent a substantial amount out of pocket – but He provided exactly what we could afford and no more.
God didn’t show us the entire picture up front. He led us through one decision at a time, forcing us to take each step on faith.
And in a twist of irony, we bought the new van 7 years to the day after the wreck that totaled our first van.
I have to agree with the writer that said, "only the fool says in his heart 'there is no God.' "
Tags:
Faith Family & Fun