Ten years after the accident

There are points in time, where the rest of life can be defined as "before" and "after." October 27, 2005 was such a date in the life of my family. It is the date on which I was reminded we have no guarantee of tomorrow. I share this story each October to remind readers how precious each day is.

Free Disney World Tickets? Nah, it's another Facebook scam

For more examples, as well as a walk-through of a particular scam, and some investigation into possible motivations for the scammers, see this follow-up story.

Looking for information about the April 2016 "Disneyland 61st Birthday" offer? Sadly, it too is a scam. Scroll to the bottom for details.

Yesterday, someone created a fake "Walt Disney World Epcot." Facebook community. Yes, complete with the period at the end of the name. In 24 hours, it has gained some 900 likes and innumerable shares. That might have something to do with a fraudulent offer and a deadline of tomorrow:

DNS: a simple way to stop malicious web traffic

This post was first published in September, 2014. It has been updated for October, 2015's Cyber Security Awareness Month. DNS-based web filtering is an easy and highly-effective component of network security. Since most web browsing - including the malicious sort - relies on DNS to translate human-readable domain names into Internet addresses, DNS is a natural choke point.

If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic!

Putting aside for a moment the possibility that you are reading a printout, you are more than likely reading this on a digital device. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. You might have clicked a post in Facebook, Twitter, Pinterest or Instagram (I'm not sure any of my pictures are worthy of the latter two, but I suppose it's possible). Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL into your web browser directly or used a bookmark.

Regardless of the source, your browser did not just yell out on the Internet, "show me the Security for Real People blog." Instead, it referred to a DNS, a network phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.

Grog and Narg teach two-factor authentication

This post was first published in March, 2014. It has been updated for October, 2015's "Two Factor Authentication Tuesday." While passwords are often the first line of defense for online accounts, they can also often be discovered. Multifactor authentication is combining a password with something else - often a smartphone or a keycard. If an attacker steals the password, it does them no good unless they also have the cellphone, or keycard, or whatever the second factor is. This makes it exponentially harder for someone with malicious intent to access your account.

10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.

Cyber tips for digital citizens

Every October, the National Cyber Security Alliance and the Department of Homeland Safety lead a National Cyber Security Awareness Month, a month of cooperative efforts involving government, private businesses, and individuals working together to promote online safety and digital privacy. This year's campaign kicks off with the theme "best practices for all digital citizens."

The news is full of stories about extraordinary threats: the NSA spying on everyone. Car, airplane, and medical device hacks. Baby monitors used by kidnappers to plan their entry. Elite hackers exist, and they do elite things - but they are generally not the greatest threat to most people. Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.

Autumn brings a return to the school-year routine for millions of students young and old, as well as their respective families. What better time for a refresher on cyber safety? Start Cyber Security Awareness Month with some healthy habits.

Who is stealing your tweets?

TL;DR: skip the reading and download TweetThief from GitHub to search for uncredited copies of your tweets.

Over the last year, I've participated in a number of Twitter chats. The National Cyber Security Alliance hosts Twitter conversations every couple of months, under the hashtags #ChatSTC (Stop. Think. Connect., their cyber awareness campaign slogan) and #ChatDPD (Digital Privacy Day). It's a great way to share information with people interested in security advice, as well as to learn from like-minded professionals.

During several of these chats, I've noticed an oddity: most of the participants contribute original thoughts to the conversation, or retweet pertinent comments to their own audiences. A couple of participants though appear to copy and paste the comments of others verbatim, with no credit given. They aren't retweeting someone else's thoughts, but are instead claiming them for their own.

Exploiting iOS backups for fun and profit

Recently I looked at an iPhone / iPad app designed to hide documents and pictures from snooping friends (or parents). By day the app was a calculator, but upon entering a secret code, it unlocked the hidden files. In exploring the app (and in particular, answering the question of whether I could access the hidden files without knowing the passcode), I came across an interesting oversight in the iOS security model.