Happy Thanksgiving!

Happy Thanksgiving from our family to yours!

Cheap Rolex Knockoffs from the Russians in Korea

Just in case it is not clear, the below is an explanation of a scam selling unauthorized replicas of high-end goods, not an offer to sell the same.

Just in time for Black Friday and Cyber Monday, I received a spam offering "Limited time ROLEX replicas and Louis Vuitton handbags" at unbeatable prices. These aren't run of the mill knock-offs, no. These are "High Quality Luxury Replicas That Are An EXACT Replica. Even a Jewler [sic] Can't Tell Our Replicas apart from the real thing." Wow, right? Who wouldn't want high class fake luxury to go along with the annual post-Thanksgiving ritual of waiting in line for hours to save a few bucks on a TV? And surely an email from Sbgrmogq@wgyxfez (dot) com suggests a legitimate retailer, right?

Password reuse: don't let lax security at one site give away all your accounts

Passwords are a hassle. In many cases though, they are the first line of defense against someone accessing your accounts without your permission. But passwords are a hassle, so why would you want to remember dozens or hundreds of individual passwords? Why not use the same username and password everywhere?

Unfortunately even with solid security practices a business or web site may be compromised. Mistakes happen. Previously unknown software flaws are discovered. Sophisticated new attack methods are invented. Sadly though, sophisticated hacks are not usually needed: not every website follows the best security practices. Some sites fail even the most basic of precautions. It would be a real shame to log into your favorite entertainment website only to have your password stolen and used to break into your bank account.

Layers of security - a look at Fidelity 401k.com

This started out as a story of lax security at one of the biggest providers of corporate retirement services. As I researched though, it has become a lesson about layers of security. All in all, the company described does a pretty good job, and is making even more improvements.

If you have an account with Fidelity Investments (including their 401k.com and NetBenefits properties), take a minute to update your password, then read on. This time the reason is beneficial, and not breach-related: Fidelity recently updated the password rules to allow a significantly stronger password. tl;dr: jump to the end for a few quick tips.

Tech Tip: search for formatting, instead of for specific text

Ever discover a fantastic feature you didn’t know you needed, and now don’t know how you got along without? That’s a bit how I feel about the bucket loader on my tractor, but I digress. Quite by accident I came across a feature in Microsoft Office that could come in handy.

Have you ever needed to search through a document, looking for formatted text rather than a specific string? For instance, you want to find every underlined word, or every italicized word, rather than a particular word. Why would you want to do this? I can think of a few reasons. Perhaps you are a teacher writing up a study guide for students … if every answer is underlined, you might want an easy way to jump from answer to answer instead of scrolling through the guide with the mouse wheel. Perhaps you are a network technician working with implementation templates - a template may describe the commands to properly implement a change, and italicize the values that vary such as vlans and ports. Searching for italicized text would ensure you didn’t miss filling in a value.

Facebook now has a Tor site: oxymoron or not?

Facebook is well-known for using information about its users in sometimes-awkward ways. Privacy and Facebook (or for that matter, privacy and any social media network) are not usually associated with one another. So why was Facebook in the news recently for providing a Tor-enabled means to connect to the social media giant? Why would users go to the trouble of hiding their tracks through onion routing, only to connect with a service whose express purpose is to share personal information with others?

Before answering that question, let’s talk a little bit about Tor.

(CVE-2014-2718) ASUS wireless router updates vulnerable to a Man in the Middle attack

Over the past few months I have come across a couple of significant issues with ASUS wireless routers (which to their credit the company has been quick to resolve).

In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. The timing could not have been worse, coming right on the heels of an exploit for a bug in which USB hard drives connected to the router could be accessed from the public Internet, with no login required.

In April I wrote that the same line of routers exposed the administrator username and password in clear text. Anyone that could access a PC that had logged into the router could retrieve the admin credentials. Since the admin session would never time out, this could be exploited even without the administrator having a window open on the router.

Today I am disclosing one additional vulnerability, submitted as CVE-2014-2718. The ASUS RT- series of routers rely on an easily manipulated process to determine if an update is needed, and to retrieve the necessary update file. In short, the router downloads via clear-text a file from http://dlcdnet.asus.com, parses it to determine the latest firmware version, then downloads (again in the clear) a binary file matching that version number from the same web site.