I have been an Awana Commander for 4 years, and involved in Awana much longer. In that time I have learned to expect the unexpected. Cars that break down right before club. Flooding rains. Leaders facing depression / illness / lost jobs / family strife. The constant tension between sports and church activities. Our adversary does not like seeing God at work amongst youth, and so he tirelessly attacks those leading vibrant ministry.
Nothing could have prepared me for last week however. About 2 hours before church I learned that one of my leaders had been arrested for a series of armed bank robberies spanning 6 months. Wow. Talk about getting blindsided.
The first night was a flurry of activity such that I didn't really have time to digest what had happened. His role had to be filled on short notice – and naturally most of our standby “in a pinch” volunteers were out of town or otherwise occupied. I talked with a couple of key individuals that needed to know, but otherwise kept an eye on the news to determine when to address it publicly (I did not feel it was my place to “break the news,” so to speak). Church staff reviewed his background check to make sure we had not overlooked anything (if you run a children’s ministry, you do screen your volunteers for a criminal history, right?). I was too stunned and too numb to do more than simply get through the night.
A week has now passed. The initial shock has worn off. Many of the kids know what happened, and some of them are asking difficult questions. Questions such as, how can a Christian do such a thing? How can someone we trusted do this crime? How can I trust other leaders?
Throughout the Bible I read of God-fearing men and women that failed miserably at one point or another. Abraham twice said his wife was his sister, fearing a king would harm him to take her. Samson allowed his wife to compromise his Nazarite vow. David couldn't keep his hands off his soldier’s wife, and then had the man killed to cover it up. Peter denied knowing Christ mere hours after saying he would never deny Him. Romans 3:23 is pretty clear – all have sinned. Not most, not some, not just the “bad people” – all. Isaiah 53:6 says that we all have strayed from the Lord. Romans 6:23 leaves no room for doubt – the penalty for that sin is spiritual death (in other words, Hell). Not the penalty for murder, not the penalty for robbery, not the penalty for adultery, the penalty for sin. For all sin. Whether I take a piece of candy without permission, or I commit the most heinous crime imaginable, by God’s accounting the final consequence is the same. There may be significantly different consequences today (prison for one, a scolding for the other), but in both cases I will give an accounting before God in the end and if left to my own merit will face eternal judgment.
Thankfully I am not left to my own merit. When Christ died on the cross, He covered the sins of every believer. His sacrifice was enough to cover every sin – if I trust in Him for that salvation. Because of Christ, I don’t have to trust in my own self. I don’t put my trust in my pastor, or my friends, or my parents, or my teachers. I rely on them for guidance and teaching, and most of the time they will be honorable, but they are fallen sinners just like me. If my hope is in anyone besides Christ, I am bound to be disappointed eventually. That is the point I hope to teach the clubbers under my care: put your hope in Christ and in Christ alone. Only in Him will their trust never be broken.
As 2 Corinthians 9:15 says, “Thanks be to God for His indescribable gift.”
Wednesday, October 9, 2013
Wednesday, October 2, 2013
Online Safety For Kids - Courtesy of McAfee
Today I had the privilege of teaching about 150 4th grade students about online safety and security. McAfee has put together a good series of presentations [ed. note: link removed as the presentations are no longer available from Intel Security], tailored individually to elementary, middle school, and high school students. Those presentations combined with my own stories gave me lots of material to offer.
At the elementary level, the goal is to get kids thinking about the Internet as more than just a vague concept - to think of it as a street or city with many doors (web sites, apps). Some of the doors are generally safe - libraries, the mall, a restaurant. Other doors might be appropriate in certain settings but not in others (a college anatomy class might be suitable for an adult but not for a child; as one child brought up, a wanted fugitive's house might be an appropriate place for a sheriff but not for a child). Still other doors are distinctly dangerous (a drug dealer, a stranger's front door). Each of these has parallels in the online world.
Thursday, September 5, 2013
How Big a Risk are Geotagged Photos?
A friend showed me a video from a Missouri news station (from a newscast almost 3 years ago, mind you). In the video, the reporters discuss a "new threat" with "new technology." While the video engages in the usual FUD (fear, uncertainty, and doubt) to oversell the risk, there is a nugget of truth that bears repeating.
Smartphones, tablets, and many standalone digital cameras have a GPS built-in, and can "geo-tag" photos with the location at which they were taken. This can make it easy to group photos by location (as in, group all my photos from the Grand Canyon, or from Disney World, or from Jamaica ... assuming I had vacationed at any of these places). But it makes it equally easy for someone else to do the same.
Friday, August 9, 2013
Turning a NAS into a Halfway Decent Media Server
A while back, I bought a Seagate “FreeAgent GoFlex Home” network-attached storage (NAS) device - essentially a hard drive with a network port that does not need to be connected to a computer. I had two goals in mind: my digital music collection had outgrown the old PC I use for that purpose, and backups of my various home PCs were a haphazard mess. I could have spent several hundred dollars on a new computer to serve this purpose, but I thought I'd try something new and try my luck with a ~$150 NAS device.
Friday, July 26, 2013
A Note for Code Developers
Today's post is very simple: if you are going to write code, don't embed privileged usernames and passwords in the code. And if you must hard-code a password, for crying out loud, don't store the code with passwords on a public code repository!
https://github.com/search?p=1&q=mysqldump+-p&ref=searchresults&type=Code
Nearly 10,000 examples of code on GitHub with the mysql database password written in cleartext in the code. Many of the code samples show a username of root ... might that also be the root account and password for the system itself?
Sure, many times an application needs to access a database and the end user doesn't need to have an account. But instead of coding the root password into the application, either use a limited account that only has read access, or better yet, handle account management on the server side. If the application runs in the context of a user with appropriate credentials, then there is never a need for the application to login, and thus no need to store usernames and passwords in the source code.
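As an added example (not code from the post, and not one of the GitHub search results), here is a small Python scanner that flags the patterns that search turns up: a password glued to the `-p` switch of mysqldump, a literal password passed to `mysql_connect()`, or a generic `password = "..."` assignment, and rates the finding higher when the account is root. The regexes are heuristics written for this example, and the source it scans is a constructed sample that mixes the bad pattern with the alternatives the post recommends.

```python
import re

# Heuristics for credentials written into source. Constructed for this example.
PATTERNS = {
    # mysql / mysqldump / mysqladmin with the password glued to -p, or --password=value
    "mysql-cli-password": re.compile(r"\bmysql(?:dump|admin)?\b.*?\s(?:-p(?!\s)|--password=)(\S+)"),
    # PHP-style mysql_connect(host, user, password) with a literal password argument
    "mysql_connect-literal": re.compile(
        r"mysql_connect\s*\(\s*['\"][^'\"]*['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*,\s*['\"]([^'\"]+)['\"]"
    ),
    # generic password = "literal" assignments in any language
    "password-literal": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{4,})['\"]"),
}
ROOT_USER = re.compile(r"(?:-u\s*root\b|['\"]root['\"]|\broot@)")
PLACEHOLDER_PREFIXES = ("$", "<", "{", "%")   # ${VAR}, <your-password>, {{ templated }}, %s


def scan_for_hardcoded_credentials(source):
    """Return [(line_number, pattern_name, severity)] for lines that appear to embed a password."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex)
            if secret.startswith(PLACEHOLDER_PREFIXES):
                continue                      # templated value, filled in at deploy time
            severity = "high" if ROOT_USER.search(line) else "medium"
            findings.append((lineno, kind, severity))
            break                             # one finding per line is enough
    return findings


# Constructed sample: the bad pattern the post describes next to its fixes.
SAMPLE_SOURCE = """\
#!/bin/bash
# nightly backup job (constructed sample, not code taken from GitHub)
mysqldump -u root -pSup3rS3cret! shop > /backups/shop.sql
mysqldump --defaults-extra-file=/etc/backup/my.cnf shop > /backups/shop.sql
$db = mysql_connect("localhost", "root", "hunter2");
$db = mysql_connect("localhost", "app_ro", getenv("DB_PASSWORD"));
DB_PASSWORD = os.environ["DB_PASSWORD"]
password = "changeme"
"""

if __name__ == "__main__":
    for lineno, kind, severity in scan_for_hardcoded_credentials(SAMPLE_SOURCE):
        print("line %d: %s (%s)" % (lineno, kind, severity))
```

The clean lines in the sample are the point: `--defaults-extra-file` lets mysqldump read its credentials from a file that only the backup user can read, and the second `mysql_connect` uses a read-only application account whose password arrives from the environment at run time, so nothing secret ever lands in the repository.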
Tuesday, July 23, 2013
Disguised links
Previously I wrote about two new pen-test / social engineering tools (Pwnxy and Phishable). These tools simplify the "art" of deceiving an end user by presenting a legitimate-looking page (the page is in fact legitimate, but passed through a proxy that can change the content and intercept anything submitted - such as login credentials).
One comment from a reader was, can you tell if a link is safe by examining the URL? To some degree, yes you can tell by the actual URL whether the link is safe or not. When you hover over a link, typically the actual URL is displayed on the browser's status bar at the bottom of the screen. If the URL is myrealbank.com, it may be safe; if the URL is myevilproxy.com?site=myrealbank.com, that's a dead giveaway. Shortened URLs (t.co, bit.ly, etc) make this a bit more challenging, because the short URL masks a much longer string, and it's a bit inconvenient to check each long-form URL before following the link (though there are browser plug-ins that will expand the URL and show you the full link).
Friday, July 12, 2013
Pwnxy and Phishable - awesome tools with scary abusability
Penetration testing answers the question "can someone penetrate your defenses" before a hacker does the same. In other words, when you put up a door on the Internet, someone somewhere is going to see if they can crawl in through an unlocked window instead of using the door as you intend. Pen testing searches for that window, or back door, or subterranean tunnel, with the intention of finding and closing vulnerable surfaces before an attacker does it for you.
One facet of penetration testing is to focus on the person rather than the system - if I can get a person to give up their keys to the front door (their username and password, for example), then there is no need to search for a weak back door or unlocked window. A common way to approach this is through phishing - often an email (or Facebook post) masquerading as communication from a trustworthy entity (say, a bank or a boss) asking for information, or directing the target to a web link.
Tuesday, June 11, 2013
Security Savvy Kids
My generation came of age as the Internet sprung on the scene ... we did not have the benefits nor threats of social media when we were teenagers. Our children are now growing up in a world where connectedness is ubiquitous. My 13-year-old son just got his first personal laptop this week (as opposed to using a shared family computer), so much of what I have written over the last few years suddenly has a newfound relevance. How do I protect him from malicious actors and his own youthful naivety, while at the same time teaching him to become a tech-savvy young adult? I don’t have all the answers yet (truthfully, I’ll never have all the answers), but here’s a sort of "stream-of-consciousness" stab at a starting point.
Wednesday, June 5, 2013
Practice Safe Charging
This is not exactly a new topic, but it is one that has gained a new round of publicity this week following some recent research. I look forward to the presentation to see other suggestions the team has.
How are most portable electronic devices charged? Through a USB cable. What else can USB be used for? Data storage (flash drives and external hard drives), peripheral devices (mice and keyboards), and more. What makes USB devices so convenient? They are generally plug-and-play, with software drivers built-in to the device and automatically loaded when you connect to a PC. Do you see a potential problem?
Two years ago, three researchers built a demonstration “charging kiosk” at DefCon, a massive hacker / computer security conference in Las Vegas. The charging kiosk did in fact provide electricity, but it also took advantage of the properties of USB to demonstrate access to data on the device (generally a smartphone, which could be a gold mine for an attacker). In the demonstration, the kiosk merely showed that it could access data, and then displayed a warning message to the user. A truly malicious charging station would not be nearly so kind.
This week, three researchers published a brief for a presentation they will deliver at Blackhat this summer. Their presentation will demonstrate installing malicious software onto a current-generation Apple device (off-the-shelf, not jailbroken, and without user interaction).
In the past couple of years, public USB charging stations have become increasingly common – at airports, in taxis, at bus stops. Certainly not every charging station is malicious - it is likely very few if any are - but this research shows how such conveniences can be abused for ill gain. As in all aspects of life, it pays to understand risk so we can take appropriate action (or consciously accept the risk).
There is a ridiculously simple way to minimize this particular risk. A standard USB cable (sometimes referred to as “Sync and Charge”) will both provide electricity and transfer data. Inside the cable insulation are several tiny wires (the number varies according to the USB version). A visually-identical charge-only cable is missing the wires and/or pins that transfer data, so it is physically only capable of providing electricity. One caveat: a good charge-only cable ties the two data pins together at the device end so the phone recognizes a dedicated charger and draws full current; a cable that simply leaves them open still charges safely, but may charge slowly. $5 or $10 for a charge-only cable is cheap insurance against this type of attack.
Update December 4, 2015: Graham Cluley wrote about a related topic: many common devices in hospitals and other public facilities have USB ports, which might be tempting sources of power for a mobile device. These devices though serve important purposes, in many cases keeping patients alive. Plugging a phone or tablet in for a quick charge could unintentionally damage the equipment, leaving it inoperable the next time it is needed for a medical emergency.
A charge-only USB cord is great for charging from an untrusted charging kiosk, but an A/C wall adapter is the better bet if you need to charge and no dedicated charging port is available.
Tuesday, May 28, 2013
Privacy and Browsing: Does Google Know You Too Well?
Recently a colleague asked if I had any recommendations for maintaining some semblance of privacy when online. His specific concerns were web browsing, search, and email. In each of these cases, one or two well-known names have a reputation of knowing their users a little too well. How often do you see advertisements that seem to read your mind? Have you ever researched or purchased a product, only to see lots of advertisements for a related product or accessory?
Tags:
Hacking,
Practical Security,
Privacy,
Social Networks
Tuesday, May 14, 2013
How to crash a Windows shell
I typically write about things I have experienced, or topics of interest I have researched, but always something on which I have come to a conclusion. This week I am taking a different approach: document something I discovered, but for which getting to an answer goes beyond my skillset.
In July of 2010, I discovered a bug in Windows XP that allowed me to reliably crash a command shell. I reported the details to Microsoft's Security Response Center (any time you can force unexpected behavior in an application, there is at least a possibility that you can force your own arbitrary behavior). Microsoft's response was that while I was able to force cmd.exe to exit ungracefully, it did not indicate a security concern. That may well be true, but my curiosity brought it back to mind this week, and I was quite surprised to find that the bug still exists in Windows 7 with all current patches.
Tuesday, May 7, 2013
Being a “Paranoid” in a Social World
As the one responsible for LAN security in a major technology company, I am paid to be paranoid. As one that has been involved in security threat research for over a decade, I know there is good reason to be paranoid. In fact, I dealt first-hand with a case of credit card fraud a couple of months ago. Computer threats have evolved from pranks for attention a decade or two ago, to a major business that by one account is more lucrative than illegal drugs. At the same time, our lives are more Internet-connected (and accessible to bad guys) now than ever before – smartphones, tablets, game consoles, DVRs, home security systems, even household appliances and cars have network connections. A smartphone and a free app can become a credit card skimmer. Bots can troll Twitter to harvest phone numbers, bank card numbers, and phone PINs. One "vendor" even advertises a fraud service right in the open on Facebook. It’s enough to make a paranoid want to duck and cover, isn’t it?
Wednesday, May 1, 2013
Of Lemons and Prayer
One of my passions is leading an Awana club each Wednesday night. Awana is a Bible-based kids club that in our case is geared toward preschool through 6th grade students. We want to instill godly character in our kids through the gospel of Christ, Scripture memory, and Biblical lessons, all in a fun and exciting environment. Our core mission is to get as much of God’s Word as we can, as deep as we can, into the hearts of as many children as we can. One of the ways I make it fun is by injecting science experiments into the lessons I teach. Occasionally I document some of those lessons on my blog.
Most kids (adults too) have a variety of electronic devices. Cell phones, iPods, tablets, game systems, calculators, watches – all rely on battery power. Forget to charge the battery, and the device will not work. With many of these devices you may get a day or two out of them, but that’s about the limit. Once the battery dies, until it is recharged, the device is useful only as a paperweight!
Tuesday, April 30, 2013
Whose Kids Are They Anyway?
I came across a very disturbing video recently, one that echoes what I have seen personally in over a decade of various children’s and youth ministries. In this video, a well-known educator makes the point that we need to abandon the notion that we as parents are ultimately responsible for raising our kids. She makes the statement that “we have to break through our kind of private idea that kids belong to their parents or kids belong to their families and recognize that kids belong to whole communities.”
The video generated quite a bit of backlash, to which she wrote a blog post that does a paradoxical job of backpedaling while simultaneously defending her position.
I get her point – our children are not merely members of our households, but also members of the community, and are deserving of care, respect, and attention from the community. When we choose to live in communities, we can pool our resources to provide emergency responders, medical care, recreation opportunities, education, roadways, utilities, and more, in ways that would not be economically feasible individually.
Tuesday, April 23, 2013
I thought I taught you not to click...
For years, the computer security industry has worked to educate computer users to avoid phishing scams and malware spread via email. One of the most basic rules of thumb is not to click links or attachments in email unless you are certain of the sender. We teach to look at the sender's address for out-of-place characters such as G00GLE instead of GOOGLE (zeros in place of "oh's"). We say to look out for added characters (googlecom.com instead of google.com). We say not to trust what the text in a link says, but to hover over a link and see what URL shows up in the status bar (for instance, the text www.google.com in fact is a link to yahoo.com - hover over it and see for yourself). And we teach that a legitimate service will never ask for your password over email (instead we will direct you to login to our web site).
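The hover check from the Disguised links post above and the rules of thumb in this paragraph can be mechanised. The following Python is an added example (not from either post, and not one of the tools mentioned): given a link, the domain you believe it belongs to, and optionally the visible link text, it reports a shortener, a digit-for-letter lookalike (G00GLE), an embedded-name lookalike (googlecom.com), the expected site's name buried in another host's URL (the myevilproxy.com?site=myrealbank.com giveaway), or link text that names a different host than the href. The shortener list and the digit-swap table are assumptions; the hostnames are the illustrations used in the text.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed list of link shorteners; a real deployment would use a maintained one.
SHORTENERS = {"t.co", "bit.ly", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Undo the digit-for-letter swaps phishers use: 0->o, 1->l, 3->e, 5->s, 7->t
_DIGIT_SWAPS = str.maketrans("01357", "olest")


def registrable_domain(host):
    """Crude 'name.tld' from a hostname (no public-suffix list, so co.uk-style names are wrong)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, expected_domain, link_text=None):
    """Return [(code, detail), ...] describing why href may not be the site we expect."""
    findings = []
    url = urlparse(href if "://" in href else "http://" + href)
    host = (url.hostname or "").lower()
    expected = expected_domain.lower()
    exp_name = expected.split(".")[0]

    if host != expected and not host.endswith("." + expected):
        reg = registrable_domain(host)
        reg_name = reg.split(".")[0]
        if reg in SHORTENERS:
            findings.append(("shortener", "%s hides the real destination; expand it first" % reg))
        elif reg_name.translate(_DIGIT_SWAPS) == exp_name:
            findings.append(("lookalike-digits", "%s imitates %s with digits for letters" % (reg, expected)))
        elif exp_name in reg_name:
            findings.append(("lookalike-embedded", "%s contains '%s' but is a different domain" % (reg, exp_name)))
        else:
            findings.append(("wrong-host", "link goes to %s, not %s" % (host, expected)))

    # The expected site's name inside the path or query of another host is the proxy giveaway
    # (myevilproxy.com?site=myrealbank.com).
    for name in HOST_RE.findall(unquote(url.path + "?" + url.query)):
        if registrable_domain(name) == expected and registrable_domain(host) != expected:
            findings.append(("expected-name-in-path", "%s appears inside a URL served by %s" % (name, host)))
            break

    # Display text that names one host while the href goes to another.
    if link_text:
        m = HOST_RE.search(link_text)
        if m and registrable_domain(m.group(0)) != registrable_domain(host):
            findings.append(("text-href-mismatch", "text says %s but link goes to %s" % (m.group(0), host)))
    return findings


if __name__ == "__main__":
    for href, site, text in [
        ("https://www.myrealbank.com/login", "myrealbank.com", None),
        ("http://myevilproxy.com?site=myrealbank.com", "myrealbank.com", None),
        ("http://g00gle.com/", "google.com", None),
        ("http://googlecom.com/", "google.com", None),
        ("http://bit.ly/abc123", "google.com", None),
        ("http://yahoo.com/", "google.com", "www.google.com"),
    ]:
        print(href, "->", check_link(href, site, text) or "looks consistent")
```

Like the hover check it automates, this only inspects the URL: a proxy on a plausible hostname that does not echo the target site in its query string sails through, which is exactly why the post's other advice (type the address yourself rather than following the link) still stands.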
And then we in the industry go and do boneheaded things that go against the very things we teach.
Recently I received a message claiming to be from Yahoo!, promoting a new "advanced account recovery" feature in their email service. It invited me to add a mobile phone number to my email account as a secondary way of authenticating my account and regaining access should I ever forget my password or get locked out. OK - a useful feature, and one that other webmail services have also introduced.
It's the way this email was presented that I have a problem with.
1. The sender was [email protected]. Now maybe yahoo-email.com is a legitimate domain owned by Yahoo! Inc. for the purposes of official corporate email, since @yahoo.com is the freely available email domain - other webmail services do something similar. But if I were a bad guy, I would do the same thing - use a domain that looks close enough to the real thing. I pulled up the Whois record to find out the actual owner, and it is registered to Yahoo! Inc, so it very well may be legitimate, but how many people do a whois query before trusting a sender?
2. The links in the email - both the "click here to add your mobile number" and the links in the disclaimers at the bottom, go to yahoo-email.com/something. This is a much more serious problem: I know yahoo.com is the original domain for Yahoo!, just as I know microsoft.com is the original domain for Microsoft. I would expect a legitimate email, even if it used a different email source to differentiate it from consumer mail, to link to the well-known domain yahoo.com.
3. Nowhere in the email does it describe a way for me to add my mobile number through the email settings portal I already know - and I cannot find such a setting anywhere in the email settings. This is a huge red flag. If this is a legitimate email, then there should be a way to access the feature through the email settings tool.
Ultimately I spoke with the director for security at Yahoo! (his actual title is "Director, paranoids" - is that not a great title for a security manager?). He confirms that this is a legitimate new feature, and that the email text was not crafted as well as it could be.
The takeaways are twofold:
For the consumer, be suspicious of email that seems out of place, especially if it asks you to click a link or log in somewhere.
For the industry professional, be conscious when communicating with customers, and take care not to undermine the safe computing practices we work hard to teach.
Tags:
Hacking,
Practical Security
Monday, April 22, 2013
Why is one tragedy headline news, while another is largely overlooked?
I've been bothered by something this past week. Why is it that a terroristic act at the Boston Marathon, and the subsequent lockdown and manhunt, have been headline news all week, while the catastrophe in West, Texas, with much greater loss of life as well as the loss of many families’ homes, has for the most part been only a side note outside of Central Texas? I do not in any way mean to diminish the pain felt by those injured, or that lost loved ones in Boston. It was an atrocious act. But it seems the country is fixated on it simply because it was terrorism.
At least 14 people lost their lives in West, including 12 paramedics and firefighters that were on the scene before the fertilizer plant exploded. An entire apartment complex, many homes, and a part of the middle school are gone. Just because it doesn't have the shock factor of a bomb at a major public event doesn't lessen the tragedy this community is dealing with.
As I started to write this, I couldn’t help but think of the “security theater” Bruce Schneier often writes of. Security theater is when measures are taken to “look” secure while not actually providing any significant reduction in risk, or that are an overreaction to a real threat. The flaw in this sort of response is that it tends to focus on the sensational threat – the sort of threat you might see carried out in a movie – while overlooking more common events that just don’t have the same shock factor. Consider this: which do you fear more, a terrorist bomb, a deranged gunman, or a mosquito bite? According to the CDC, there were 243 deaths last year from West Nile Virus, transmitted by mosquito bites, while according to the National Counter-Terrorism Center 17 US civilians died at the hand of terrorist attacks in the same period.
Bruce has written frequently of the silliness in focusing on the sensational. It’s not because the sensational never happens (alas, it does), but rather because you could never predict every possible plot and prevent it (and to even try would completely upend life as we know it – as evident by the fiasco that is modern air travel). This week highlights a different, and less obvious, problem with security theater. As a nation we have become fixated upon terrorism and elaborate plots, to the point that a terroristic act largely overshadowed a greater catastrophe that was (by all current accounts) an accident.
I am praying for the victims of both events. Whether by the hand of two men intent on causing harm, or through an accidental explosion of an industrial facility, lives were lost, and many dozens more lives were damaged both physically and emotionally.
Thursday, April 18, 2013
Blurring the line between login credentials
Yesterday’s XKCD comic got me thinking about something. The point of the comic is that we jealously guard the admin account on computers, with the mindset that if the admin account is protected, we are doing a good job at security.
As Google, Yahoo, Facebook, and others begin “federating” their login services (i.e. I can log into unrelated third party sites using my Facebook or Google credentials), the line between various service providers has first blurred, and now vanished altogether. It used to be that if my Facebook account were compromised, the only thing at risk was, well, my Facebook identity. But with “Facebook Connect,” now if my Facebook password is stolen, an attacker could conceivably have access to my accounts with CBS, Disney/ABC, Hulu, Twitter, Vimeo, WordPress, and more (assuming I use those services).
Tuesday, April 16, 2013
Thursday Mornings Are Hard ... Because Wednesday Nights Are Amazing
I love working with Awana (as I have written about before). I love getting to know the kids and their families (which admittedly has gotten exponentially harder as our club has grown). I love seeing kids learn Scripture that will guide them their entire lives. Most of all, I love knowing that with at least this one part of my life, I am doing exactly what God has called me to do.
A recent Wednesday reinforced my passion. It was a truly awesome example of how God orchestrates things far beyond my understanding to accomplish His Will. I and my Awana leadership team had planned this date as "snow day" during our planning session last August. We had some ideas in mind from previous years, but hadn't yet figured out logistics - we knew what worked with 25-30 kids would not work with the much larger group God has blessed us with this year.
Monday, April 8, 2013
Capture The Flag, Social Engineering-style
Recently, I attended the Austin B-Sides security event. B-Sides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers. It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.
As I alluded in a previous post, I brought home a trophy in the social engineering CTF contest. In the hacking community, Capture The Flag (or CTF) refers to a contest to test various computer security skills. There are many variations, but the basic premise is a set of goals, or "flags," that each participant has to achieve. The contest will generally have a set of "rules of engagement" that provide boundaries, but within those RoE, anything goes.
This year I participated in the social engineering CTF at B-Sides. Social Engineering is commonly referred to as hacking the human - using social and psychological skills to get someone to give you what you want, as opposed to "breaking in." This was my first time competing in any such contest, so I had limited expectations beyond simply learning something new.
Monday, April 1, 2013
One password to rule them all
Last week I blogged about my walmart.com account getting pwned and used fraudulently to make purchases using my credit card. Since I caught it within minutes, and Walmart acted very quickly to void the transactions and suspend my account, I avoided any real damage.
It could have been much worse. Password management is one of the great nuisances of the Internet world. I have email accounts, social media accounts, bank accounts, online shopping accounts, blogging accounts, music service accounts, streaming video accounts, even accounts with news media sites. Most if not all of these are accessed by using a username and password (some of the more risk-averse sites ask for additional information to verify my identity the first time I log in from a given location, but by and large username and password are the Internet’s way of authenticating my identity). For that matter, the PIN on my debit card is essentially another form of password. Not only do I have dozens if not hundreds of password-protected accounts, but in some cases I am required to change these passwords periodically.
Friday, March 29, 2013
Card skimming goes viral
It should come as no surprise that if most computer criminals are interested in money, they would go where the money is. As a report this morning indicates, often that means either banks or points of sale.
That in itself is nothing new. For years gas pumps and ATMs have been targeted, often by hiding tiny magnetic readers that read the data on your credit or debit card when you insert it into the machine. As technology progresses, those once easily-recognized additions have gotten smaller and smaller, to the point that they may be very difficult to recognize, or even be inside the machine where you cannot see them.
Today's report highlights a different approach, one that is far more difficult to detect. Russian-based security company Group-IB recently discovered malware called “Dump Memory Grabber,” which it believes has already been used to steal debit and credit card information from customers using major US banks. Unlike most malware (commonly called computer viruses) you may be familiar with, this malware is actually installed on the ATM or the point of sale registers/kiosks. It harvests everything the device obtains from the user - including everything from the mag stripe as well as potentially the PIN.
Friday, March 22, 2013
Identity theft while at a hacker conference ... an ironic coincidence
It is disturbingly ironic to have had to deal with credit card fraud in the middle of a hacker conference. Thankfully this story has a happy ending. I have to give kudos to Walmart for their quick and professional handling of this incident.
This week I attended the BSides Austin event, a 2-day hacker "unconference" in Austin, Texas. BSides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers. It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.
As I sat down to watch a presentation, I received an email alert confirming a walmart.com order. I thought it odd because I had not made any such purchase. I thought it even more odd because it included an order for pre-paid cell phone minutes on a carrier I do not use, to be delivered via email. Within 6 minutes I received 3 more order confirmations for similar purchases, followed by a confirmation that my account information (such as name, mailing address, and email) had been changed. Uh oh.
Monday, February 25, 2013
What's the big deal about hacking?
I've written before on how to protect your digital life from malware and identity theft, but never on why shady types might target you in the first place. There are a variety of reasons, but with a few less common exceptions they generally boil down to money.
When I started out in the systems administration / hacking world a couple of decades ago - and even when I first moved into information security as a profession nearly 15 years ago - the dominant incentive was the ego trip: what can I get away with? Truth be told, that's the original (and to many, myself included, the "real") meaning of hacking: take something and make it do what I want, rather than necessarily what the creator intended. That culture has nothing to do with malicious use of computers - see automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers for two examples. A hacker could be known less controversially as a Maker, or a tinkerer, or a modder - or an engineer.
Hacking in its purest form is perfectly legitimate. Where it becomes illegal is when I stop tinkering with things I own, and begin tinkering with something you own, without your permission (or, according to the US Copyright Office, if I tinker with certain digital devices even though I own them, a gross misinterpretation of the US constitution, but I digress...).
Tags:
Practical Security
Wednesday, February 6, 2013
No Better Feeling on Earth...
...Than to have your 12-year-old son's last words before going to sleep be "That was awesome, Dad!"
note: I wrote this nearly a year ago, but unintentionally left it unpublished until now.
Saturday night, I took my three boys and a couple of friends to San Antonio, to go to the Winter Jam concert tour. I have been a lifelong music junkie - in fact I ran one of the first online magazines for Christian music from the mid-90s until shortly after my oldest sons were born in 2000. But after my kids were born, my priorities changed, and I have not been to many concerts in the last 12 years. What a thrill to introduce my kids to the world of live Christian music!
Winter Jam has been going on for 17 years, and is a bit like a travelling music festival. 10 bands played over 5+ hours, with worship, prayer, and even a little magic mixed in, all for $10. This was by far the best $10 I have ever spent on entertainment and is certain to become an annual tradition for my family.
During the time after the doors opened and before the "proper" concert began, two bands new to the US market entertained. We As People kicked off the night, but alas I missed much of their set getting my kids situated. Aussie duo for KING & COUNTRY followed with a very enjoyable set. They are perhaps best known for the recent radio hit “Busted Heart” but there’s a lot more to them than that one song. Youth leaders got an extra bonus – a goodie bag that included among other things a free download of their newest album “Crave.” I have to say they've been growing on me the last few days.
Group 1 Crew ushered in the main show, bringing down the lights to a rendition of “Party Rock Anthem” (aka "Everyday I’m Shuffling"), complete with neon-lined outfits that would have been cool if they had worked more than half the time. Fortunately the singing was more reliable than the wardrobe.
Building 429 rocked to crowd-pleasers “Where I Belong” and “Listen to the Sound.” Newcomer Dara Maclean did a lively rendition of the radio hits “Free” and “Suitcases.” During Kari Jobe’s performance of “We Are (the Light of the World)” my son pointed out the absolutely amazing scene of the entire arena sparkling like a starry night, from 9,000 cell phone flashlights. Cool doesn't even begin to describe it!
Newsong’s Russ Lee emceed the entire event, but was not silent during the singing. His amazing tenor filled the arena during Newsong’s performance of the power ballad “Arise My Love,” sung while an artist’s portrait of Christ’s face was etched on a 30-foot-square screen through light effects. That song has always given me the chills, and hearing it performed live was worth the price of admission by itself.
They then sang a new release, “The Same God.” That song really hit me. “The same God with you then is with you now. The same God who led you in will lead you out. So take all the fear and doubt, go on and lay them down. The same God, the same God is with you now.” I needed that reminder!
After a brief intermission, Sanctus Real raised the audio level (as if that were necessary!) another few notches, getting the crowd singing along to “Forgiven,” “I’m Not Alright,” “Lead Me,” and “The Redeemer.” As much fun as they were, that was nowhere near the highlight of the night.
I've been a fan of Skillet for many years. As a matter of fact, I wrote about their self-titled debut album way back in 1997 (reprinted in my blog). This was my first chance to see them live though, and frankly was the reason I went to the Winter Jam (I’ll be returning though, regardless of who headlines next year – the entire night was incredible). To say they rocked the crowd would be the understatement of the night. From the introductory rock duet between headbanging violinist Jonathan Chu and cellist Tate Olsen, to the closing strains of “The Last Night,” from onstage pyrotechnics to 20-foot hydraulic lifts and Jen Ledger’s rotating drum platform, the show was everything I expected and more.
Winter Jam 2012 may not have been the best concert I’ve ever attended (I doubt anything can top a small acoustic show with Petra lead John Schlitt back in the early ‘90s), but it certainly falls in the top 2 or 3. If you’re in the Eastern US and have a chance to see the remainder of this tour, take it. You won’t regret it!
Tags:
Faith Family & Fun
Review of Skillet's self-titled debut
Reprinted from CMRH, first published 06-24-1997
In the mood for something loud, fast, and totally cool? Then check out Skillet, one of ForeFront's new artists. Granted I'm about 6 months late on this one, but nonetheless it's a good listen. From the first slams of "I Can" to the final fade-out of "Splinter," Skillet's self-titled debut rocks. “I Can” plays a musical seesaw between the airy guitar and piano during the verses, and the hard core guitar-driven choruses. The screaming and rocking seems a bit out of place with the message - the title is the answer to the simple question, "can I come to you?" - but hey, Christ said to go into all the world preaching His name; He didn't say we had to do it calmly!
"Gasoline" is a pretty innovative idea - the chorus sings (or screams - take your pick) "You want to soak my heart in gasoline, light a match and consume me. You want to soak my pride in gasoline - all of You and none of me." The song is that of a man who is scared of being hurt, scared of letting go of his heart. He is holding it out for God, but would rather have it locked up in a box where it can't be hurt or crushed or broken. But that's not what God wants of him. The song ends with the man's heart sitting on a table next to a bloody mess that used to be Jesus' heart. It's a gory picture, one that some may say doesn't belong in a Christian song. But Christ's crucifixion was hardly pleasant. It was messy, bloody, painful, and gruesome. That's what it took to redeem a lost world. And sometimes we need to be reminded of just how much Jesus actually did for us so that we don't take it for granted. In light of that, does God really ask too much of us?
I've many times said that an artist painted a picture of this or a portrait of that. By that analogy, Skillet would be the abstract painters who throw paint in front of a high-speed fan, which blows it randomly onto a canvas. They have a perspective on life that's quite colorful, and quite enlightening when you really look at it. "Saturn" is a perfect example of this. It's also proof that there's more to Skillet than just let-it-all-out rock. This song is much more down to Earth, musically, driven mostly by an unplugged-style acoustic rhythm. In their unique style, they allude to the fact that we don't have to see Heaven to know that it's there; we don't have to see Jesus face to face to know that what He did was real.
Other highlights include "My Beautiful Robe," which speaks to the deceptiveness of our own righteousness (or lack thereof); "Paint," a ripping cut with an almost sinister sounding lead vocal through the verses; "Safe With You," a toned down tune about the refuge we find in Christ; "Boundaries," which has some really cool guitar work and a lot of lyrical contradictions; and the totally cool "Splinter," with its truly high quality musicianship.
Skillet successfully blends raucous hard rock, deep and sometimes subtle, sometimes provocative lyrics, and the gospel into a great addition to ForeFront's arsenal. If you can handle a CD meant to be cranked up loud, then pick this one up!
Tags:
Faith Family & Fun