Sometime yesterday afternoon, truecrypt.org, the web site of the "semi-open-source" TrueCrypt portable encrypted virtual hard drive software, changed its tune in a very unexpected way. The web site now redirects all traffic to truecrypt.sourceforge.net, which contains the following warning:
Thursday, May 29, 2014
Wednesday, May 21, 2014
Anatomy of a phish
As an aside, USAA is aware of several phishing campaigns and has warned members against this type of attack for several months. It's not new, and USAA has taken steps to inform members. My intent is to go deeper into what the attacker is trying to do, show how they do it, and to show that it can be difficult or impossible to know you are being scammed if you ignore the early warning signs.
Today I received an email purporting to be from USAA, stating that I had a new message waiting for me in the secure message center. I and others in my family do in fact have business with USAA, so it is not unexpected to receive correspondence from them - and so this particular phishing attempt was of interest to me. The format of the email even closely resembled the way USAA formatted such messages several years ago (though they have since changed the format to be harder to replicate without knowing some additional things about the member).
Tuesday, May 20, 2014
A twist on identity theft
Do you pay attention to email confirmations for purchases, account registrations, shipments and such that you did not expect?
A professional peer on a forum I frequent encountered an unusual scam this week. The person noticed purchase confirmations in email, for purchases made through Sony Entertainment Network. Here's the rub though: the person did not have an account with Sony.
Fake order confirmations or shipping memos are a common phishing approach. You receive an email for an order you don't recognize, inviting you to log in to (for example) target.com; when you click the cleverly-disguised link, you instead go to igothacked.com, which looks oddly similar to the Target login page. Provide your username and password, and voila: you've given an attacker carte blanche to your account (unless you have two-factor authentication enabled. You do have 2FA enabled on important accounts, right?).
Tuesday, May 13, 2014
Was your voice heard?
Last weekend my community voted on a few items that will have long-lasting effects for us as homeowners and residents, and for our children as they attend the local schools. On the ballot were two items, one with a three-year effect, and one that will be with us for decades. The shame is in how few took the time to make their voice heard.
The first ballot item was electing individuals to fill two open spots on the school board. These individuals will serve a three-year term; according to the DSISD web site, the Board of Trustees “has final control over all major decisions regarding school policy, curriculum, expenditures, and building programs. It is the Board’s responsibility to provide tax monies for maintenance and operation of the schools, to submit bond issues to the District’s voters for construction of school facilities, and to hire the Chief Executive Officer for the District. Board authority is defined by federal and state law and by regulations set by the State Board of Education. Trustees act officially only as a group in duly called and posted Board meetings.”
As important as this is, the second item has much more far-reaching implications. Dripping Springs ISD Proposition 1 asked voters to approve a $92 million bond initiative. The proceeds from this bond would pay for a new elementary school, a new middle school, a multi-purpose competition stadium, a baseball and softball complex, maintenance improvements and repairs to several existing schools, and technology upgrades across the district. Based on home values in the district, the net effect would be on average about a $130 annual tax increase for up to forty years.
Of approximately 28,000 individuals (including nearly 5,500 students) living within the boundaries of the school district, a mere 2,860 voters made a decision affecting the rest for many years to come. According to unofficial results posted by the county election authorities, the bond passed by a vote of 1666 in favor, 1194 opposed.
I was in favor of the bond, and voted for it. Our elementary schools reached 100% capacity this year – with another 400 students expected in September. Our lone middle school will exceed capacity within 2 years. Our fantastic girls’ softball team (which just played in the area tournament last weekend) plays on a field leased from the city. Ditto for the boys’ baseball team. The football team plays on an aging field located at the middle school. Technology ages and requires replacement every few years to stay current.
With the exception of the elementary and middle schools to be constructed, none of this is absolutely required – but to not invest would be to relinquish the very thing that makes Dripping Springs such a desirable place to live. Many of us that live here came first for the exceptional school district, and only after we arrived did we discover the exceptional quality of life and the wonderful people. Dripping Springs consistently is ranked among the very best school districts in the state – consistently faring well in statewide academic competitions, among the highest in proportion of graduating seniors that continue on to advanced education, among the highest in statewide standardized testing. This year the district was honored in a national ranking of top schools. It is a fantastic place to raise a family, in large part because of the emphasis we place on investing in our children’s future.
All in all I was pleased with the election results. I know two of the individuals that were running for school board positions personally; one won a spot, while the other fell short by a mere nine votes. I am glad that we are investing in continued excellent education for my children, and for the children that will join the community in the years to come.
But that is beside the point. My point is that the decision to invest here and now was made by 1,666 voters. One school board position was decided by nine votes. You think your vote does not matter? I could fit enough people in my van to have changed the outcome of this election! When 1,666 voters can make a decision affecting 28,000, and that will affect our grandchildren, it’s not the system that is broken. It’s a sign that we as a community have become complacent, satisfied to just watch.
The next time a local election takes place in your town, be it the big city or a small country town, take the time to make your voice heard. It's your privilege as a member of the community. If you don't speak up, someone else will choose for you, and you'll have no right to complain about it.
Update: I have a number of friends in the community that were not in favor of the bond. I in no way mean to disparage them. We do have a relatively high property tax burden, and not everyone agrees with spending a quarter of the bond on athletic programs. Our differing views (shared civilly!) are what make us strong. The beauty of the democratic system is that we each get to voice our opinion.
Tags:
Faith Family & Fun
Tuesday, April 29, 2014
Got Internet Explorer? Get Pwned!
For Windows XP users, the grace period lasted about 3 weeks longer than expected, but it's over now. The first of what will likely be many never-to-be-fixed bugs has turned up, and it's a doozy.
Security firm FireEye this weekend reported a serious flaw in versions of Internet Explorer from IE6 through the latest and greatest IE11. Thus far active exploitation in the wild has focused on IE 9 through 11 (which will not run on Windows XP), but this will surely change now that it is public. For a mind-bendingly thorough discussion of how the vulnerability is exploited, see FireEye's write-up. The Cliff Notes version is this: the attacker makes use of an Adobe Flash Player technique that bypasses some IE security measures, drops its own code into a certain point in memory, and then through the newly-discovered bug executes that code.
The even simpler version is this: if you use Internet Explorer and open up an affected web page (whether a bad site, or a legitimate site that has been compromised, or a malicious email message), the attacker now owns your PC. The truly nasty thing about this sort of bug is that you don't have to do anything unseemly to be hit. Similar vulnerabilities in the past have been exploited through clever advertisements submitted to popular and legitimate web sites.
Thursday, April 24, 2014
Password Lessons from Heartbleed
It's been a little over two weeks since the web security bug known as "Heartbleed" was publicly reported (see my earlier post for a description of the bug). For businesses it has meant a lot of scrambling to update servers and to update network intrusion sensors to detect attempts to exploit the bug. Thus far though there have not been widespread reports of data breaches affecting consumers. There was the case of a teenager who was arrested for nabbing 900 social insurance numbers from the Canada Tax Agency (the equivalent of social security numbers and the US IRS) ... note to self: hacking a government agency and then presenting said agency with proof of your hack is not the best way to go about reporting a vulnerability. But I digress...
Monday, April 14, 2014
(CVE-2014-2719) More fun with wireless routers: ASUS wireless routers reveal admin password
If you use an ASUS RT-XXXX wireless router, you should update to firmware 3.0.0.4.374.5517 3.0.0.374.5656, released April 24, 2014 (or any newer firmware).
In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. The server tables that identify the correct latest firmware revision for each model of router had not been updated in about 4 months, though there had been two releases in the interim. This was a significant problem because it came right on the heels of an exploit for a bug in which hard drives connected to the router could be accessed from the public Internet, with no login credentials required.