Tuesday, April 14, 2015

What if Jesus was a hacker?

It's interesting the ways faith and security intersect. This weekend I attended an information security conference in which one speaker talked about the often-strained relationship between hackers / researchers and reporters. Author / blogger / journalist Violet Blue (warning: in many cases very much NSFW) gave a talk entitled "Everything They Don't Tell You: When Hackers Talk to the Press" that was quite eye-opening. A key point was that so many (not all, but a significant majority of) reporters think career first, and are more interested in being *first* with a story than in being *right* with a story. Interviewees may be manipulated into giving statements that fit the story the reporter is trying to tell, by reporters that don't really understand the technologies and security threats they are writing about. The end result is that hackers need to be very careful in whom they talk with.

Tuesday, April 7, 2015

Don't get pwned by a former service provider

When establishing a business-to-business relationship, don't forget to specify what happens to information when the business relationship ends.
The growth of the Internet from a novel idea into a business necessity created a new market for online service providers. Large corporations have the resources to run their own web servers and to hire professional staff to keep them running well and (hopefully) secure. When you run a small business though - and in particular, a business that is not in a computer technology field - more often than not you are dependent on third parties to provide such services. If your company is in the business of collecting and disposing of garbage, you might expect to invest heavily in trucks and landfill property. A company web site through which to offer online bill payment may not be at the top of your in-house priority list.

There's absolutely nothing wrong with that. Why try to be something you are not? Doing what you do, well, and paying someone else to do the rest can be an effective business model. Alas, outsourcing isn't (or at least shouldn't be) a "choose someone and forget about it" decision.

Tuesday, March 31, 2015

Needle in a haystack: searching from the Windows command line

A key part of security involves basic command line skills. Read on for some tips for command-line searches on Windows.
Part of network security involves fancy technology, specialized devices, and ever-advancing techniques. The crooks are constantly improving their craft, and so must the defenders. But an equally important part of security involves mundane and boring tasks, tasks such as looking through log files for indications that something undesirable happened or that someone has gained unauthorized access - i.e. Forensics 101.

There are myriad tools available for searching, whether on Windows, Linux, or Mac. I am of the opinion that a security expert (or system administrator) needs to understand the command line and built-in tools first. There are times when you don't have the luxury of installing or using custom tools and have to make do with what comes on the operating system. If that system is Windows, you get Find and Findstr.

Tuesday, March 24, 2015

Social media risks and rewards

Social media are great for keeping in touch with friends, but be mindful of what you share and with whom. Simply planning a strategy for how each social network will be used can make all the difference.
Do you know with whom you share, and what you share, on social networks? I've had around a dozen conversations about social media in the last few months. Conversations with friends and family, with colleagues, and with professional peers. Conversations about differences in uses and privacy implications, as well as conversations about examples of ill-advised sharing. Over the weekend I had a brief Twitter conversation with Rafal Los (aka Wh1t3rabbit) bemoaning recent LinkedIn changes that make it difficult to introduce ourselves when requesting a connection.

On top of that, there have been a couple of widely-publicized news stories recently about direct consequences of social sharing: a Dallas teenager accepted a job with a pizzeria, and proceeded to badmouth the job to friends on Twitter. Word got back to the shop owner, who fired her before she started. Then the New York Times ran a story of a senior director of communications whose poorly-conceived tweet cost her a high-ranking job.

Tuesday, March 17, 2015

Security B-Sides Austin: Recapping a hacker conference

A recap of the 2015 Austin B-Sides security conference, with links to speakers and slides where available.
On March 12 and 13, about 250 hackers and security practitioners from around Texas (and as far away as Canada) descended upon Round Rock, a suburb of Austin, for two days of training and research presentations. Security B-Sides sprang up in 2009, as an alternative to the major (and highly-attended) conferences such as Blackhat and RSA: there's not much opportunity to talk one-on-one with a researcher at a conference attended by 10,000. In 2009, the inaugural B-Sides was held in Las Vegas; a year later, B-Sides Austin launched, timed to coincide with the annual Spring Break phenomenon known as SXSW (South by Southwest). For 2015, over 30 events in North and South America and Europe are scheduled, with more in the planning stages.

I refer to B-Sides as a hacker conference. Some readers may take offense. I use hacker in its original (and to many, "real") sense: one that knows a topic well and can modify something to do his or her will, rather than what the creator intended. That culture has nothing to do with malicious use of computers - it is the culture that led to automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers, to name two examples. A hacker could be known less controversially as a maker, or a tinkerer, or a modder - or an engineer. In that sense, I am proud to wear the label of hacker.

Tuesday, March 10, 2015

The week in tech news

Monday seemed to be "the day" for big technology and security news. Several big stories broke yesterday, so rather than dive deep into a topic this week, I am going to summarize what you need to know: Rowhammer, FREAK, iOS 8.2, Apple Watch, and [added Tuesday] Microsoft's massive Patch Tuesday.

Wednesday, March 4, 2015

The closed account that wasn't

This morning I received an unexpected message to my mailbox. Wells Fargo was informing me that my account had been locked due to three attempts to log in with an incorrect password. This is pretty good security: an attacker cannot keep trying passwords forever since the account is locked after the third try, and the bank alerted me via the email they had on record for the rightful owner of the account. Locking the account is a common way to prevent an attacker from discovering a password randomly (though it does nothing to protect against an actual password that is stolen). Alerting the account owner means I can change my password and look for any unexpected transactions or other changes to the account.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 15, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.