Tuesday, June 11, 2013

Security Savvy Kids

My generation came of age as the Internet sprang onto the scene ... we had neither the benefits nor the threats of social media when we were teenagers. Our children are now growing up in a world where connectedness is ubiquitous. My 13-year-old son just got his first personal laptop this week (as opposed to using a shared family computer), so much of what I have written over the last few years suddenly has a newfound relevance. How do I protect him from malicious actors and his own youthful naivety, while at the same time teaching him to become a tech-savvy young adult? I don’t have all the answers yet (truthfully, I’ll never have all the answers), but here’s a sort of "stream-of-consciousness" stab at a starting point.

Wednesday, June 5, 2013

Practice Safe Charging

This is not exactly a new topic, but it is one that has gained a new round of publicity this week following some recent research.

How are most portable electronic devices charged? Through a USB cable. What else can USB be used for? Data storage (flash drives and external hard drives), peripheral devices (mice and keyboards), and more. What makes USB devices so convenient? They are generally plug-and-play, with software drivers built into the device and automatically loaded when you connect to a PC. Do you see a potential problem?

Two years ago, three researchers built a demonstration “charging kiosk” at DefCon, a massive hacker / computer security conference in Las Vegas. The charging kiosk did in fact provide electricity, but it also took advantage of the properties of USB to demonstrate access to data on the device (generally a smartphone, which could be a gold mine for an attacker). In the demonstration, the kiosk merely showed that it could access data, and then displayed a warning message to the user. A truly malicious charging station would not be nearly so kind.

This week, three researchers published a brief for a presentation they will deliver at Blackhat this summer. Their presentation will demonstrate installing malicious software onto a current-generation Apple device (off-the-shelf, not jailbroken, and without user interaction).

In the past couple of years, public USB charging stations have become increasingly common – at airports, in taxis, at bus stops. Certainly not every charging station is malicious - it is likely very few if any are - but this research shows how such conveniences can be abused for ill gain. As in all aspects of life, it pays to understand risk so we can take appropriate action (or consciously accept the risk).

There is a ridiculously simple way to minimize this particular risk. A standard USB cable (sometimes referred to as “Sync and Charge”) will both provide electricity and transfer data.  Inside the cable insulation are several tiny wires (the number varies according to the USB version). A visually-identical charge-only cable is missing the wires and/or pins that transfer data, so it is physically only capable of providing electricity. $5 or $10 for a charge-only cable is cheap insurance against this type of attack.

I look forward to the presentation to see other suggestions the team has.

Update December 4, 2015: Graham Cluley wrote about a related topic: many common devices in hospitals and other public facilities have USB ports, which might be tempting sources of power for a mobile device. These devices, though, serve important purposes, in many cases keeping patients alive. Plugging a phone or tablet in for a quick charge could unintentionally damage the equipment, leaving it inoperable the next time it is needed for a medical emergency.

A charge-only USB cord is great for charging from an untrusted charging kiosk, but an A/C wall adapter is the better bet if you need to charge and no dedicated charging port is available.

Tuesday, May 28, 2013

Privacy and Browsing: Does Google Know You Too Well?


Recently a colleague asked if I had any recommendations for maintaining some semblance of privacy when online. His specific concerns were web browsing, search, and email. In each of these cases, one or two well-known names have a reputation of knowing their users a little too well. How often do you see advertisements that seem to read your mind? Have you ever researched or purchased a product, only to see lots of advertisements for a related product or accessory?

Tuesday, May 14, 2013

How to crash a Windows shell

I typically write about things I have experienced, or topics of interest I have researched, but always something on which I have come to a conclusion. This week I am taking a different approach: document something I discovered, but for which getting to an answer goes beyond my skillset.

In July of 2010, I discovered a bug in Windows XP that allowed me to reliably crash a command shell. I reported the details to Microsoft's Security Response Center (any time you can force unexpected behavior in an application, there is at least a possibility that you can force your own arbitrary behavior). Microsoft's response was that while I was able to force cmd.exe to exit ungracefully, it did not indicate a security concern. That may well be true, but my curiosity brought it back to mind this week, and I was quite surprised to find that the bug still exists in Windows 7 with all current patches.

Tuesday, May 7, 2013

Being a “Paranoid” in a Social World

As the one responsible for LAN security in a major technology company, I am paid to be paranoid. As one who has been involved in security threat research for over a decade, I know there is good reason to be paranoid. In fact, I dealt first-hand with a case of credit card fraud a couple of months ago. Computer threats have evolved from pranks for attention a decade or two ago, to a major business that by one account is more lucrative than illegal drugs. At the same time, our lives are more Internet-connected (and accessible to bad guys) now than ever before – smartphones, tablets, game consoles, DVRs, home security systems, even household appliances and cars have network connections. A smartphone and a free app can become a credit card skimmer. Bots can troll Twitter to harvest phone numbers, bank card numbers, and phone PINs. One "vendor" even advertises a fraud service right in the open on Facebook. It’s enough to make a paranoid want to duck and cover, isn’t it?

Wednesday, May 1, 2013

Of Lemons and Prayer

One of my passions is leading an Awana club each Wednesday night. Awana is a Bible-based kids club that in our case is geared toward preschool through 6th grade students. We want to instill godly character in our kids through the gospel of Christ, Scripture memory, and Biblical lessons, all in a fun and exciting environment. Our core mission is to get as much of God’s Word as we can, as deep as we can, into the hearts of as many children as we can. One of the ways I make it fun is by injecting science experiments into the lessons I teach. Occasionally I document some of those lessons on my blog.

Most kids (adults too) have a variety of electronic devices. Cell phones, iPods, tablets, game systems, calculators, watches – all rely on battery power. Forget to charge the battery, and the device will not work. With many of these devices you may get a day or two out of them, but that’s about the limit. Once the battery dies, until it is recharged, the device is useful only as a paperweight!

Tuesday, April 30, 2013

Whose Kids Are They Anyway?

I came across a very disturbing video recently, one that echoes what I have seen personally in over a decade of various children’s and youth ministries. In this video, a well-known educator makes the point that we need to abandon the notion that we as parents are ultimately responsible for raising our kids. She makes the statement that “we have to break through our kind of private idea that kids belong to their parents or kids belong to their families and recognize that kids belong to whole communities.”

The video generated quite a bit of backlash, to which she wrote a blog post that does a paradoxical job of backpedaling while simultaneously defending her position. I get her point – our children are not merely members of our households, but also members of the community, and are deserving of care, respect, and attention from the community.  When we choose to live in communities, we can pool our resources to provide emergency responders, medical care, recreation opportunities, education,  roadways, utilities, and more, in ways that would not be economically feasible individually.