Out of the box, the Asus RT-AC87 router has some handy, but limited, file and media sharing capabilities. Connect a USB hard drive to one of its USB ports, and the router can share data from that drive with anyone on your network - or optionally, with the outside world. The firmware implements Samba (a Linux-based program for sharing files similar to Windows file shares), but through the web interface you have only two options: allow everyone complete and anonymous access, or require a username and password for every connection. Samba can be configured far more granularly, but you cannot get there from the RT-AC87 web interface.
Tuesday, December 23, 2014
Friday, December 19, 2014
Time to patch again. This time it's ntpd
It's late on a Friday, coming up on a holiday week. In other words, the perfect time to drop a major bug announcement, right? Someone seemed to think so. Alas this will mean much churn over the next few days for a great many IT shops.
The theme this year has been big vulnerabilities in common services or shared libraries - places where one bug might affect lots and lots of programs and devices. First it was a flaw in OpenSSL, the library that enables secure communication with websites around the world. Next came a flaw in Bash shell, a widely used Unix shell much like the Windows command line. Now it's ntpd, the Network Time Protocol service.
Thursday, December 18, 2014
A look back: 4 years, 100 posts
Over the last 4 years, this blog has covered a lot of ground. We've looked at safe surfing practices when using the Internet in a public location. We've looked at how to set up a home network to be reasonably secure. We've talked about password practices, and the value of two-factor authentication to secure more valuable accounts. We've discussed a rash of credit card thefts at major retailers. We've seen several severe flaws in services used widely on the Internet. This blog has even published several vulnerabilities and website flaws discovered by yours truly.
My goal in writing is two-fold: I write technical content in the hopes that other professionals will find value, but I also endeavor to educate those that have not made a career out of information security. To that end, if there is a topic you would like to know more about, or a topic I have not explained as clearly as you would like, I invite you to comment on this or any post, or send me a message at david (at) securityforrealpeople (dot) com.
Without further ado, a highly biased revue of top topics:
Monday, December 8, 2014
Solving a crypto puzzle with Python
This December, computer security firm Sophos has been running a "12 Days of Christmas" contest, with cyber-related quizzes each day. So far the quizzes have ranged from hoaxes to malware authors to abandoned operating systems. Each of the questions has touched on topics relevant to hackers (using the traditional, inquisitive sense of the word ... hacking is not in and of itself evil!), and each has required skills useful to a cyber security pro - often, simply paying attention to detail and noticing clues.
Monday, December 1, 2014
Thanksgiving fun: reviving a busted power adapter
What do you do when a laptop A/C adapter breaks? When you are a family of geeks, you don't throw it out. There's a longstanding tongue-in-cheek tradition that Thanksgiving is the time when IT pros visit family and fix our parents' technology problems ... in this case, it was my teenage son's computer though, so it was a perfect opportunity to have a little tech fun with my kid.
Thursday, November 27, 2014
Wednesday, November 26, 2014
Cheap Rolex Knockoffs from the Russians in Korea
Just in case it is not clear, the below is an explanation of a scam selling unauthorized replicas of high-end goods, not an offer to sell the same.
Just in time for Black Friday and Cyber Monday, I received a spam offering "Limited time ROLEX replicas and Louis Vuitton handbags" at unbeatable prices. These aren't run of the mill knock-offs, no. These are "High Quality Luxury Replicas That Are An EXACT Replica. Even a Jewler [sic] Can't Tell Our Replicas apart from the real thing." Wow, right? Who wouldn't want high class fake luxury to go along with the annual post-Thanksgiving ritual of waiting in line for hours to save a few bucks on a TV? And surely an email from Sbgrmogq@wgyxfez (dot) com suggests a legitimate retailer, right?
Friday, November 21, 2014
Password reuse: don't let lax security at one site give away all your accounts
Passwords are a hassle. In many cases though, they are the first line of defense against someone accessing your accounts without your permission. But passwords are a hassle, so why would you want to remember dozens or hundreds of individual passwords? Why not use the same username and password everywhere?
Unfortunately even with solid security practices a business or web site may be compromised. Mistakes happen. Previously unknown software flaws are discovered. Sophisticated new attack methods are invented. Sadly though, sophisticated hacks are not usually needed: not every website follows the best security practices. Some sites fail even the most basic of precautions. It would be a real shame to log into your favorite entertainment website only to have your password stolen and used to break into your bank account.
Wednesday, November 12, 2014
Layers of security - a look at Fidelity 401k.com
This started out as a story of lax security at one of the biggest providers of corporate retirement services. As I researched though, it has become a lesson about layers of security. All in all, the company described does a pretty good job, and is making even more improvements.
If you have an account with Fidelity Investments (including their 401k.com and NetBenefits properties), take a minute to update your password, then read on. This time the reason is beneficial, and not breach-related: Fidelity recently updated the password rules to allow a significantly stronger password. tl;dr: jump to the end for a few quick tips.
Friday, November 7, 2014
Tech Tip: search for formatting, instead of for specific text
Ever discover a fantastic feature you didn’t know you needed, and now don’t know how you got along without? That’s a bit how I feel about the bucket loader on my tractor, but I digress. Quite by accident I came across a feature in Microsoft Office that could come in handy.
Have you ever needed to search through a document, looking for formatted text rather than a specific string? For instance, you want to find every underlined word, or every italicized word, rather than a particular word. Why would you want to do this? I can think of a few reasons. Perhaps you are a teacher writing up a study guide for students ... if every answer is underlined, you might want an easy way to jump from answer to answer instead of scrolling through the guide with the mouse wheel. Perhaps you are a network technician working with implementation templates - a template may describe the commands to properly implement a change, and italicize the values that vary, such as VLANs and ports. Searching for italicized text would ensure you didn't miss filling in a value.
Tuesday, November 4, 2014
Facebook now has a Tor site: oxymoron or not?
Facebook is well-known for using information about its users in sometimes-awkward ways. Privacy and Facebook (or for that matter, privacy and any social media network) are not usually associated with one another. So why was Facebook in the news recently for providing a Tor-enabled means to connect to the social media giant? Why would users go to the trouble of hiding their tracks through onion routing, only to connect with a service whose express purpose is to share personal information with others?
Before answering that question, let’s talk a little bit about Tor.
Tuesday, October 28, 2014
(CVE-2014-2718) ASUS wireless router updates vulnerable to a Man in the Middle attack
Over the past few months I have come across a couple of significant issues with ASUS wireless routers (which to their credit the company has been quick to resolve).
In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. The timing could not have been worse, coming right on the heels of an exploit for a bug in which USB hard drives connected to the router could be accessed from the public Internet, with no login required.
In April I wrote that the same line of routers exposed the administrator username and password in clear text. Anyone that could access a PC that had logged into the router could retrieve the admin credentials. Since the admin session would never time out, this could be exploited even without the administrator having a window open on the router.
Today I am disclosing one additional vulnerability, submitted as CVE-2014-2718. The ASUS RT- series of routers rely on an easily manipulated process to determine whether an update is needed, and to retrieve the necessary update file. In short, the router downloads a file in clear text from http://dlcdnet.asus.com, parses it to determine the latest firmware version, then downloads (again in the clear) a binary file matching that version number from the same web site.
Monday, October 27, 2014
Tell someone you love them today
October 27. For many it's just another day on the calendar, a time when the weather has turned cooler, the nights longer, and perhaps Halloween plans are on the mind. For me it holds a special meaning: on this date nine years ago I learned just how precious life is.
Friday, October 24, 2014
Would you know if your email server were attacked?
This is a continuation of a series investigating a piece of malware.
- Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
- Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
- Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
I had thought part 3 was the end of the story, but there is now more to tell. Last week I received a relatively typical spam message containing a link to view an "invoice" for something I had supposedly purchased. The link instead downloaded a botnet agent - software that would turn my PC into a bot that an attacker could remotely control to do his bidding. Nothing unusual about that approach. The attacker then gave my bot instructions to probe 5,000 domains, looking for mail servers that could be used to relay yet more spam.
Discovering and writing about criminal mischief is great, but if that's where I stopped, I'm just one more source of noise on the Internet. I research with two purposes: to teach, and to fix. Writing this blog series was the teaching part; as for the fixing part, that is where today's story picks up.
Thursday, October 23, 2014
Where does all the spam come from?
This is part 3 in a series investigating a particular piece of malware.
- Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
- Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
- Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
From click to pwned
This is part 1 in a series investigating a particular piece of malware.
Malware writers and scammers have a number of tricks up their sleeves, all with the goal of making your computer become their computer. Some tactics involve technology, some involve sleight-of-hand (sleight-of-mouse?), some involve social engineering, and some involve a combination of factors. I received an email scam that slipped past my spam filters and that exhibited a combination of old and new tactics, so I took some time to break it apart.
If you don't want to read through the technical details, here's the short version: don't click links or open attachments in unexpected email, don't trust email from an unknown or uncertain source, and be aware that there are lots of ways to make a malicious link look legitimate. In short, don't click the link.
- Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
- Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
- Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
Wednesday, October 22, 2014
An introduction to malware forensics
This is part 2 in a series investigating a particular piece of malware.
In my last post, we looked at a fairly typical spam message used to deliver malware to unsuspecting users. This message played on psychology (aka social engineering) to trick the reader - a confirmation message for an expensive purchase (in this case, about $1,600), with a link to retrieve the "invoice" (actually the malware). It used Google redirectors to avoid a suspicious-looking link to DropBox or some random web site.
Once the reader clicks the link and allows it to download and run, their computer becomes infected with a botnet agent. In this post, I downloaded the malware into a virtual environment to do some analysis.
- Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
- Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
- Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
Tuesday, October 14, 2014
Snapchat: What every parent needs to know (and teach)
Some topics are less pleasant to write about than others, though at times far more important. It is with this in mind that I write today on a topic every parent needs to know about. In early October rumors started to surface regarding a database breach that revealed thousands of supposedly private messages and photographs sent via the social sharing app Snapchat. Over the weekend that has proved true.
Snapchat is heavily used by younger people - in fact, roughly half of all Snapchat accounts belong to children under 17 years old. The selling point behind Snapchat is that messages and photos can be seen by the intended recipient only, for a brief time only, and then disappear forever - much like old Mission: Impossible assignments ("this message will self-destruct in 10 seconds..."). As such, it has been used by many teenagers for "sexting" - sharing indecent photos of themselves, never suspecting that the photos might not actually disappear.
Friday, October 10, 2014
Another day, another breach
It seems like almost every week another business is in the news for having their payment network compromised and leaking customer information, often in the form of payment card data. Target, Home Depot, Jimmy Johns, Goodwill Industries, JP Morgan Chase, KMart/Sears, the list goes on. Today, Dairy Queen was (formally) added to the list.
I say formally, because Dairy Queen was strongly suspected to be on that list as of late August, but only now made a public statement confirming the fact. This incident hits a little closer to home because my hometown Dairy Queen is on the list of those compromised.
Tuesday, October 7, 2014
One simple move can dramatically reduce the risk of identity theft
Identity theft is a common fear, one that is reinforced with each new headline. 40 million credit cards stolen from Target! Home Depot leaks 56 million payment cards! Hackers steal info on 145 million eBay customers! Giant data breach affects 152 million Adobe accounts! It seems each new breach is more "epic" than the last. A data visualizer known as "Information is Beautiful" has a frightening but fantastic visualization.
Most of these incidents involve theft of credit and debit card information - a form of identity theft that is damaging but generally not terribly difficult to unravel. Consumer protection laws generally limit one's liability, and many banks promise zero liability for fraudulent charges. Using credit cards instead of debit cards further separates the fraudulent activity from your actual cash.
Wednesday, October 1, 2014
The high price of free wifi: your eldest child?
In keeping with National Cyber Security Awareness Month, I'll be updating a number of articles written over the last 4 years. In January of 2011 I entered the blogosphere with a story about Firesheep, a Firefox plugin that made wireless eavesdropping scarily simple.
Most of us know by now to look for the little "padlock" icon in the browser status bar before logging in to a web site, or the "https://" at the beginning of the URL - we want to be sure our password is protected, right? And most sites now use an SSL (secured) connection for the login page - your password is in fact protected (massive Internet-wide vulnerabilities notwithstanding). But once you log in, many sites used to switch back to non-secured. The problem with that approach was, how does the web site know who you are after you have logged in? It is often done with cookies - little bits of data stored on your computer, and automatically sent to the site that created them every time you load or reload a page from that site. The cookies (usually) do not contain your password, but they do identify you to the site. So, if you log into Facebook, then click a link to reload the page, your computer sends your cookie to Facebook, and the site says "hey, I remember who you are, I saw you just a minute ago; you are already logged in, so here you go!" (OK, not literally, but you get the point).
Sunday, September 28, 2014
A Shell of a Bash: Shellshock in Lay Terms
A few days ago, researchers revealed a software vulnerability that quickly became known as "shellshock." It's a bug - an error in the software code - in a core piece of many Unix operating system flavors, and it can be used by an attacker to gain control of Unix computers. You don't use Unix, you say? I'll bet you do: a great many Internet-connected devices run on Unix because it can run on a minimal computer.
For those of us that make a living in the security field, it has been a pretty exciting week. Bash (the vulnerable shell program) is everywhere. Not everywhere everywhere, but it turns up in many unexpected places. Think robotic toys, DVRs, wireless routers, smart televisions, enterprise web servers, cloud storage servers, printers, network equipment, the list goes on.
Thursday, September 25, 2014
Shellshocked: what is the bug in Bash?
The Internet has been awash with information and misinformation about a bug in GNU bash, a common system shell in many Unix variants. Here are some initial thoughts about what it is, and what it is not.
A shell is a way of giving a computer commands that it in turn executes. The Windows CMD shell (aka "DOS Prompt") is one example of a shell. Unix has many different shells, but a common one is bash, or "Bourne Again SHell." It is common in Unix and Linux variants ... which happen to be the operating system of choice for a great many non-PC Internet devices. Think wireless routers, Blu-Ray players, network hard drives, printers, Internet TVs, etc. Not all run bash - as I said there are a number of different shells - but many do.
Tuesday, September 23, 2014
Installing Kali Linux and Snort on a Raspberry Pi
Last week I wrote about building a passive network tap with about $10 in off-the-shelf parts. Building a tap is a nice little project, but what do you do with it? A simple first step is to install Wireshark on a laptop and capture some packets. I wanted something a little more elegant though. Earlier this year I posted an April Fools gag on various uses for a Raspberry Pi ... this time I am putting it to legitimate use.
The Raspberry Pi is a minimalist computer: a processor; a bit of memory; ports for network, video, and sound; an SD card slot for data and operating system storage; a few USB ports to attach additional components; and a micro-USB port to supply power. Altogether a bare-bones Pi costs about $35. You can buy a Pi with a protective case, an SD card, and a power supply for around $50 to $60. I picked up a bundle with the Raspberry Pi model B, clear case, and wireless adapter for $49.95, plus a 16 GB SD card for another $10. In truth, I could have gotten by with a smaller SD card, but the software tools I had in mind to use take up some space, and network captures can quickly fill up a drive.
Tuesday, September 16, 2014
The naked truth about celebrity photos
Update September 30, 2015: Two significant flaws were just discovered in TrueCrypt, one of which could lead to complete compromise of a Windows PC. I am leaving this post active, but with the caveat that it may now be time to migrate off TrueCrypt. I have not yet used it myself, but VeraCrypt is an open-source project that took the last-known-good version of TrueCrypt and updated it, including fixing these newly-discovered bugs.
We all have secrets. They may be intimate photos. They may be financial documents. Perhaps they are records indicating a medical condition. For some they are invention prototypes, or business plans. For others they might be battle plans or defense strategies. Some secrets are scandalous, but most are simply things we would like to keep private. In my line of work, occasionally I discover security flaws that could be damaging if details leaked before the affected party has a chance to fix things. The nature of secrets varies as widely as the nature of those that hold these secrets. My point though is that we all (with the possible exception of Jim Carrey's Fletcher Reede character) have things we would prefer not be seen by others.
Tuesday, September 9, 2014
How to build a $10 passive network tap
When one's profession involves network security, sometimes it helps to capture network communication to analyze. Often the simplest way to do this is to install packet capture software such as tcpdump or Wireshark on the system in question. This has the advantage of being easy (tcpdump may even already be installed - it is common on Linux systems), and by running on the target system there can be less unrelated traffic to wade through.
The downside, of course, is sometimes I don't have access to the target system ... or do have access but do not wish for the user of the system to know it is being investigated. If it is malware I am investigating, the malware might tamper with software running on the same system. In any of these cases, it is to my benefit to capture the network traffic from somewhere other than the target system.
Tuesday, September 2, 2014
Change the phone book: what is this "DNS" thing?
If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic! After a brief lesson on a fundamental piece of modern networks, I will explain a very simple step you can take that dramatically reduces the risk of encountering malicious software or scam / phishing traps.
Putting aside for a moment the possibility that you are reading a printout, you are more than likely using a web browser. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL in directly or used a bookmark. Regardless of the source, your browser did not just yell out on the Internet, "show me David Longenecker's blog." Instead, it referred to a DNS, a phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.
Wednesday, August 27, 2014
Phishing for Men (and Women)
Those that know me well know there are three things I put most of my energy into: my faith, my family, and security. When something comes along that involves two of those interests, so much the better.
For the last year and a half, I have been involved in an organization known as HackFormers. HackFormers was founded by several Austinites who shared two passions: a passion for hacking (in the sense of finding, fixing, and defending against security flaws), and a passion for Jesus Christ. Its vision is to teach security principles, and then to show faith principles that go hand-in-hand with security. I gave a presentation at the August chapter meeting. It is in that context that I write today.
Tuesday, August 26, 2014
11 cyber security tips for back to school
The end of summer is here. That means the end of swimming, watermelon, ice cream ... wait a minute, this is Texas. We still have 8 more weeks of warm weather! What it does mean, though, is the end of summer vacation and a return to the school-year routine for millions of students. Some students that 3 months ago were graduating seniors are now adjusting to life on their own, either as newly-inducted members of the adult workforce or as beginning college or vocational school students. For others this may be their first taste of primary education. They share one thing in common though: they are growing up (or have grown up) in a world where connectedness is a given.
Saturday, July 26, 2014
Securing a home network with the RT-AC87 wireless router
Let's say you want a wireless network in your home or small office. Maybe it's a new home, or maybe you're upgrading to something faster / more reliable / with better range. So you run down to the nearest big box retailer or online electronics shop, purchase something that looks good, unbox it, plug it in, and you are good to go, right?
Not quite. As nice as it would be if setting up a secure wireless network were just a matter of unboxing and plugging in a new router, it takes a few more steps to properly set things up. The good news is basic home network security is not terribly complicated - and the better news is newer wireless routers make it easier than ever to set things up safely. In this post I use the new ASUS RT-AC87U (aka RT-AC87R) to demonstrate basic secure installation.
TL;DR: see the brief checklist at the end for simple steps to secure a home wireless network.
Sunday, July 20, 2014
ASUS RT-AC87U / RT-AC87R first look
I've spent some time digging around the software on a few ASUS wireless router models this year, after finding a flaw that prevented the routers from recognizing new firmware was available in February. Along the way I found a modest bug in which the routers revealed the administrator password in clear text anytime the administrator was logged in (which was essentially always, since the routers did not automatically log you out). This week I had the privilege of exploring a pre-release unit of the brand new RT-AC87U, which uses multiple bands and multiple antennae to achieve what ASUS dubs “AC2400.” I'll write more in a few days, but here are my first impressions.
Monday, July 14, 2014
Digital certificates could allow spoofing ... could you give it to me in English?
On July 10, Microsoft published a bulletin stating that improperly issued digital certificates could allow spoofing. What exactly does that mean though? And for that matter, what is a digital certificate anyway?
In the physical world, you often conduct business with others face-to-face. If you do not personally know someone, you might rely on a trusted third party to vouch for the person's identity. That trusted third party might be a mutual friend, or it might be a government office that issues identification documents (passports, driver's licenses, state identification cards, school IDs, and the like). Digital certificates are the online equivalent of an identification card. See my article on the Heartbleed OpenSSL vulnerability for a thorough (but easily readable) explanation of digital certificates.
Friday, July 11, 2014
Gameover Zeus is back
I have received multiple email spam this afternoon, all with the following pattern:
Payment to <email>
Random order number and purchase amount
Link to Dropbox
The download link goes to variations on https://www.dropbox.com/s/xxx/Invoice_294.PDF.scr?dl=1. The retrieved file for this sample has filename GBWNkgcdZ5GFTcBjE6gXTflu3VPLZDCX3zDEXM4ku35IhUrh5haqM9jidSC4nVkF@dl=1, sha256 b4b0d32c8aba6b319587f0828e607327fcdc763a39af4a0479efd2ec49fba949. VirusTotal shows only 1 of 54 tested AV engines detecting it (as Spyware.Zbot.VXGen).
This is a different subject, hash, and detection from what Malcovery reported yesterday, but is still consistent with the Gameover Zeus botnet.
If you receive this spam, don't click the link.
Wednesday, July 9, 2014
TxDOT fixes security issues with txtag.org
In April, I reported several security concerns to the Texas Department of Transportation, which is responsible for among other things toll roads throughout the state. The concerns had to do with the billing and management website for TXTAG, one of several tolling systems in the state. Specifically, the login design made it easy for someone with ill intent to gain unauthorized access to a substantial portion of driver accounts, and having gained access, to acquire complete credit card numbers along with the collateral necessary to use them (expiration date, mailing address, cardholder name).
Tuesday, July 8, 2014
Dear TSA, my phone is not a bomb. See? It powers on!
Security Theater: the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.
On Sunday the Transportation Security Administration announced new "enhanced security measures" at some overseas airports. (The TSA does not perform security screening overseas, but it does specify requirements for flights entering the US.) The new rule? Travelers must power on electronic devices such as cell phones. If the device does not power on, it will not be allowed on board the aircraft - and the passenger will be subject to additional screening. The theory is that if a device does not power on, a traveler may have replaced the batteries with explosives.
Tuesday, July 1, 2014
A Facebook "social experiment" to manipulate your feelings
For one week in early 2012, Facebook ran a somewhat creepy social psychology experiment on about 690,000 users of the web site. In conjunction with Cornell University and the University of California, the social media site attempted to control the emotional state of users by controlling the type of posts that showed up on a person’s news feed. Specifically, the organization reduced the amount of “emotional content” in the news feed, in some cases reducing only negative content, and in other cases reducing only positive content. As reported in the study, “These results indicate that emotions expressed by others on Facebook influence our own emotions.” At the risk of sounding unprofessional, "well, duh."
Tuesday, June 24, 2014
The Samsung Galaxy S5 has been rooted. Now what?
Samsung released the latest edition of their flagship Galaxy smartphone to great fanfare in April. Tinkerers immediately set about looking for ways to gain root privileges (in other words, full control over their device, rather than the limited control that Samsung and the various cellular providers wish you to have). A seasoned developer known as Chainfire quickly found ways to gain root on international versions, and shortly afterward on US versions running on T-Mobile and Sprint networks. Alas Verizon and AT&T models proved more difficult to exploit. So difficult in fact that a crowd-funded bounty reached over $18,000, to be claimed by the first person that published a reliable way to root these models.
Monday, June 16, 2014
Godzilla, zombies, and more thanks to highway sign security flaws
One Friday in May, drivers in several North Carolina cities saw something unexpected on their morning commute. Electronic signs above several highways – which normally displayed traffic alerts or safety reminders – instead read “HACK BY SUN HACKER.” In one case the sign also included an invitation to connect with the hacker on Twitter.
This isn’t the first case of “unofficial alerts” showing up on street signs. Earlier in May, a sign in San Francisco warned of a Godzilla Attack. In this case, the sign was owned by an equipment rental business that had rented the sign to the city for the annual Bay to Breakers race, and was apparently not Internet-connected. Rather, it was a matter of obtaining the combination to or physically breaking the lock, and reprogramming the message in person. Five years ago, signs in Austin warned of an impending zombie attack, while signs in Indiana alerted motorists to dinosaurs. Again, the signs were reprogrammed in person – a trivial activity as long as one can get past the (often flimsy) lock and follow.
Tuesday, June 10, 2014
Reflections on Awana
In my professional life I research security threats and network vulnerabilities. I have an additional passion though, a passion for children's ministry. I have served in Awana for 8 years, the last 5 of which I have been the club Commander. In that time, this year has been the most challenging personally.
The challenge was not the kids. I love the children we serve. Some I have known since preschool or before, others are new friends, but my heart is for each one. I have often said that I can begin a club night exhausted and end the night on a high - that is a true sign one is serving where their passion is!
Tuesday, June 3, 2014
Gameover ZeuS, Cryptolocker, Operation Tovar, Oh My...
The big news this week is the U.S. Department of Justice disclosing "Operation Tovar," an international sting operation that this weekend seized control of command and control servers directing the "Gameover ZeuS" criminal botnet. This botnet involved somewhere between a half million and a million computers, and was largely used to distribute a piece of malware known as CryptoLocker. The operation and its implications have been heavily covered in the news (at least among technology news sources). My intent is not to rehash the news, but rather to describe some steps to minimize the damage such malware can cause.
Thursday, May 29, 2014
Hack, Hoax, or Hanging It Up: What's Real With TrueCrypt?
Sometime yesterday afternoon, truecrypt.org, the web site of the "semi-open-source" TrueCrypt portable encrypted virtual hard drive software, changed its tune in a very unexpected way. The web site now redirects all traffic to truecrypt.sourceforge.net, which contains the following warning:
Wednesday, May 21, 2014
Anatomy of a phish
As an aside, USAA is aware of several phishing campaigns and has warned members against this type of attack for several months. It's not new, and USAA has taken steps to inform members. My intent is to go deeper into what the attacker is trying to do, show how they do it, and show that it can be difficult or impossible to know you are being scammed if you ignore the early warning signs.
Today I received an email purporting to be from USAA, stating that I had a new message waiting for me in the secure message center. I and others in my family do in fact have business with USAA, so it is not unexpected to receive correspondence from them - and so this particular phishing attempt was of interest to me. The format of the email even closely resembled the way USAA formatted such messages several years ago (though they have since changed the format to be harder to replicate without knowing some additional things about the member).
Tuesday, May 20, 2014
A twist on identity theft
Do you pay attention to email confirmations for purchases, account registrations, shipments and such that you did not expect?
A professional peer on a forum I frequent encountered an unusual scam this week. The person noticed purchase confirmations in email, for purchases made through Sony Entertainment Network. Here's the rub though: the person did not have an account with Sony.
Fake order confirmations or shipping memos are a common phishing approach. You receive an email for an order you don't recognize, inviting you to login to (for example) target.com; when you click the cleverly-disguised link, you instead go to igothacked.com, which looks oddly similar to the Target login page. Provide your username and password, and voila: you've given an attacker carte blanche to your account (unless you have two-factor authentication enabled. You do have 2FA enabled on important accounts, right?).
Tuesday, May 13, 2014
Was your voice heard?
Last weekend my community voted on a few items that will have long-lasting effects for us as homeowners and residents, and for our children as they attend the local schools. On the ballot were two items, one with a three-year effect, and one that will be with us for decades. The shame is in how few took the time to make their voice heard.
The first ballot item was electing individuals to fill two open spots on the school board. These individuals will serve a three-year term; according to the DSISD web site, the Board of Trustees “has final control over all major decisions regarding school policy, curriculum, expenditures, and building programs. It is the Board’s responsibility to provide tax monies for maintenance and operation of the schools, to submit bond issues to the District’s voters for construction of school facilities, and to hire the Chief Executive Officer for the District. Board authority is defined by federal and state law and by regulations set by the State Board of Education. Trustees act officially only as a group in duly called and posted Board meetings.”
As important as this is, the second item has much more far-reaching implications. Dripping Springs ISD Proposition 1 asked voters to approve a $92 million dollar bond initiative. The proceeds from this bond would pay for a new elementary school, a new middle school, a multi-purpose competition stadium, a baseball and softball complex, maintenance improvements and repairs to several existing schools, and technology upgrades across the district. Based on home values in the district, the net effect would be on average about a $130 annual tax increase for up to forty years.
Of approximately 28,000 individuals (including nearly 5,500 students) living within the boundaries of the school district, a mere 2,860 voters made a decision affecting the rest for many years to come. According to unofficial results posted by the county election authorities, the bond passed by a vote of 1666 in favor, 1194 opposed.
I was in favor of the bond, and voted for it. Our elementary schools reached 100% capacity this year – with another 400 students expected in September. Our lone middle school will exceed capacity within 2 years. Our fantastic girls’ softball team (which just played in the area tournament last weekend) plays on a field leased from the city. Ditto for the boys’ baseball team. The football team plays on an aging field located at the middle school. Technology ages and requires replacement every few years to stay current.
With the exception of the elementary and middle schools to be constructed, none of this is absolutely required – but to not invest would be to relinquish the very thing that makes Dripping Springs such a desirable place to live. Many of us that live here came first for the exceptional school district, and only after we arrived did we discover the exceptional quality of life and the wonderful people. Dripping Springs consistently is ranked among the very best school districts in the state – consistently faring well in statewide academic competitions, among the highest in proportion of graduating seniors that continue on to advanced education, among the highest in statewide standardized testing. This year the district was honored in a national ranking of top schools. It is a fantastic place to raise a family, in large part because of the emphasis we place on investing in our children’s future.
All in all I was pleased with the election results. I know two of the individuals that were running for school board positions personally; one won a spot, while the other fell short by a mere nine votes. I am glad that we are investing in continued excellent education for my children, and for the children that will join the community in the years to come.
But that is beside the point. My point is that the decision to invest here and now was made by 1,666 voters. One school board position was decided by nine votes. You think your vote does not matter? I could fit enough people in my van to have changed the outcome of this election! When 1,666 voters can make a decision affecting 28,000, and that will affect our grandchildren, it’s not the system that is broken. It’s a sign that we as a community have become complacent, satisfied to just watch.
The next time a local election takes place in your town, be it the big city or a small country town, take the time to make your voice heard. It's your privilege as a member of the community. If you don't speak up, someone else will choose for you, and you'll have no right to complain about it.
Update: I have a number of friends in the community that were not in favor of the bond. I in no way mean to disparage them. We do have a relatively high property tax burden, and not everyone agrees with spending a quarter of the bond on athletic programs. Our differing views (shared civilly!) are what make us strong. The beauty of the democratic system is that we each get to voice our opinion.
Tuesday, April 29, 2014
Got Internet Explorer? Get Pwned!
For Windows XP users, the grace period lasted about 3 weeks longer than expected, but it's over now. The first of what will likely be many never-to-be-fixed bugs has turned up, and it's a doozy.
Security firm FireEye this weekend reported a serious flaw in versions of Internet Explorer from IE6 through the latest and greatest IE11. Thus far active exploitation in the wild has focused on IE 9 through 11 (which will not run on Windows XP), but this will surely change now that it is public. For a mind-bendingly thorough discussion of how the vulnerability is exploited, see FireEye's write-up. The CliffsNotes version is this: the attacker makes use of an Adobe Flash Player technique that bypasses some IE security measures, drops its own code into a certain point in memory, and then through the newly-discovered bug executes that code.
The even simpler version is this: if you use Internet Explorer and open up an affected web page (whether a bad site, or a legitimate site that has been compromised, or a malicious email message), the attacker now owns your PC. The truly nasty thing about this sort of bug is that you don't have to do anything unseemly to be hit. Similar vulnerabilities in the past have been exploited through clever advertisements submitted to popular and legitimate web sites.
Thursday, April 24, 2014
Password Lessons from Heartbleed
It's been a little over two weeks since the web security bug known as "Heartbleed" was publicly reported (see my earlier post for a description of the bug). For businesses it has meant a lot of scrambling to update servers and to update network intrusion sensors to detect attempts to exploit the bug. Thus far though there have not been widespread reports of data breaches affecting consumers. There was the case of a teenager who was arrested for nabbing 900 social insurance numbers from the Canada Tax Agency (the equivalent of social security numbers and the US IRS) ... note to self: hacking a government agency and then presenting said agency with proof of your hack is not the best way to go about reporting a vulnerability. But I digress...