Friday, November 21, 2014

Password reuse: don't let lax security at one site give away all your accounts

Passwords are a hassle. In many cases though, they are the first line of defense against someone accessing your accounts without your permission. But passwords are a hassle, so why would you want to remember dozens or hundreds of individual passwords? Why not use the same username and password everywhere? 

Unfortunately even with solid security practices a business or web site may be compromised. Mistakes happen. Previously unknown software flaws are discovered. Sophisticated new attack methods are invented. Sadly though, sophisticated hacks are not usually needed: not every website follows the best security practices. Some sites fail even the most basic of precautions. It would be a real shame to log into your favorite entertainment website only to have your password stolen and used to break into your bank account.

Wednesday, November 12, 2014

Layers of security - a look at Fidelity

This started out as a story of lax security at one of the biggest providers of corporate retirement services. As I researched though, it has become a lesson about layers of security. All in all, the company described does a pretty good job, and is making even more improvements.

If you have an account with Fidelity Investments (including their and NetBenefits properties), take a minute to update your password, then read on. This time the reason is beneficial, and not breach-related: Fidelity recently updated the password rules to allow a significantly stronger password. tl;dr: jump to the end for a few quick tips.

Friday, November 7, 2014

Tech Tip: search for formatting, instead of for specific text

Everybody needs a tractor with a bucket loader. Some just don't know it yet :-)
Ever discover a fantastic feature you didn’t know you needed, and now don’t know how you got along without? That’s a bit how I feel about the bucket loader on my tractor, but I digress. Quite by accident I came across a feature in Microsoft Office that could come in handy.

Have you ever needed to search through a document, looking for formatted text rather than a specific string? For instance, you want to find every underlined word, or every italicized word, rather than a particular word. Why would you want to do this? I can think of a few reasons. Perhaps you are a teacher writing up a study guide for students … if every answer is underlined, you might want an easy way to jump from answer to answer instead of scrolling through the guide with the mouse wheel. Perhaps you are a network technician working with implementation templates - a template may describe the commands to properly implement a change, and italicize the values that vary such as vlans and ports. Searching for italicized text would ensure you didn’t miss filling in a value.

Tuesday, November 4, 2014

Facebook now has a Tor site: oxymoron or not?

Facebook is well-known for using information about its users in sometimes-awkward ways. Privacy and Facebook (or for that matter, privacy and any social media network) are not usually associated with one another. So why was Facebook in the news recently for providing a Tor-enabled means to connect to the social media giant? Why would users go to the trouble of hiding their tracks through onion routing, only to connect with a service whose express purpose is to share personal information with others?

Before answering that question, let’s talk a little bit about Tor.

Tuesday, October 28, 2014

(CVE-2014-2718) ASUS wireless router updates vulnerable to a Man in the Middle attack

Over the past few months I have come across a couple of significant issues with ASUS wireless routers (which to their credit the company has been quick to resolve).  

In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. The timing could not have been worse, coming right on the heels of an exploit for a bug in which USB hard drives connected to the router could be accessed from the public Internet, with no login required.

In April I wrote that the same line of routers exposed the administrator username and password in clear text. Anyone who could access a PC that had logged into the router could retrieve the admin credentials. Since the admin session would never time out, this could be exploited even without the administrator having a window open on the router.

Today I am disclosing one additional vulnerability, submitted as CVE-2014-2718. The ASUS RT- series of routers rely on an easily manipulated process to determine if an update is needed, and to retrieve the necessary update file. In short, the router downloads a file in clear text from, parses it to determine the latest firmware version, then downloads (again in the clear) a binary file matching that version number from the same web site.
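An added example, not code from the original post or from ASUS, contrasting the unverified update flow described above with a client that authenticates the version manifest and the firmware image before trusting either. HMAC-SHA256 with a shared key stands in for a vendor's asymmetric signature, and the manifest layout, key, version strings and firmware bytes are all constructed for the demo.

```python
# Added example: HMAC-SHA256 stands in for a vendor signature; every key,
# version string, manifest layout and firmware blob below is constructed.
# The point: authenticate the manifest, then bind the image to it by digest.
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-demo-signing-key"

def sign_manifest(version: str, firmware: bytes, key: bytes) -> bytes:
    """Vendor side: manifest JSON, newline, hex tag computed over the JSON."""
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(firmware).hexdigest()},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag

def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def unverified_latest_version(manifest: bytes) -> str:
    """The flawed pattern: believe whatever version the downloaded file says."""
    return json.loads(manifest.split(b"\n", 1)[0])["version"]

def verified_update(manifest: bytes, firmware: bytes, installed: str,
                    key: bytes = VENDOR_KEY) -> tuple:
    """Return (True, version) only if manifest and image both check out."""
    body, sep, tag = manifest.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return (False, "manifest authentication failed")
    meta = json.loads(body)
    if version_tuple(meta["version"]) <= version_tuple(installed):
        return (False, "already up to date")
    if not hmac.compare_digest(hashlib.sha256(firmware).hexdigest(), meta["sha256"]):
        return (False, "firmware digest mismatch")
    return (True, meta["version"])

# Constructed sample data: a genuine release and a tampered copy of each artifact.
GENUINE_FW = b"\x7fELF-constructed-firmware-image"
GENUINE_MANIFEST = sign_manifest("3.0.0.4.376", GENUINE_FW, VENDOR_KEY)
TAMPERED_FW = GENUINE_FW + b"-altered"
TAMPERED_MANIFEST = sign_manifest("9.9.9.9.999", TAMPERED_FW, b"not-the-vendor-key")

if __name__ == "__main__":
    print(unverified_latest_version(TAMPERED_MANIFEST))  # flawed client trusts it
    print(verified_update(TAMPERED_MANIFEST, TAMPERED_FW, "3.0.0.4.374"))
    print(verified_update(GENUINE_MANIFEST, TAMPERED_FW, "3.0.0.4.374"))
    print(verified_update(GENUINE_MANIFEST, GENUINE_FW, "3.0.0.4.374"))
```

The unverified parser happily reports the tampered version, while the verifying client rejects the tampered manifest, rejects a genuine manifest paired with an altered image, and accepts only the matching pair.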

Monday, October 27, 2014

Tell someone you love them today

October 27. For many it's just another day on the calendar, a time when the weather has turned cooler, the nights longer, and perhaps Halloween plans are on the mind. For me it holds a special meaning: on this date nine years ago I learned just how precious life is.

Friday, October 24, 2014

Would you know if your email server were attacked?

This is a continuation of a series investigating a piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
I had thought part 3 was the end of the story, but there is now more to tell. Last week I received a relatively typical spam message containing a link to view an "invoice" for something I had supposedly purchased. The link instead downloaded a botnet agent - software that would turn my PC into a bot that an attacker could remotely control to do his bidding. Nothing unusual about that approach. The attacker then gave my bot instructions to probe 5,000 domains, looking for mail servers that could be used to relay yet more spam.

Discovering and writing about criminal mischief is great, but if that's where I stopped, I'm just one more source of noise on the Internet. I research with two purposes: to teach, and to fix. Writing this blog series was the teaching part; as for the fixing part, that is where today's story picks up.

Whois David?


I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 14, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.