Tuesday, October 14, 2014

Snapchat: What every parent needs to know (and teach)

Some topics are less pleasant to write about than others, though at times far more important. It is with this in mind that I write today on a topic every parent needs to know about. Late last week, rumors started to surface regarding a database breach that revealed thousands of supposedly private messages and photographs sent via the social sharing app Snapchat. Over the weekend that has proved true.

Snapchat is heavily used by younger people - in fact, roughly half of all Snapchat accounts belong to children under 17 years old. The selling point behind Snapchat is that messages and photos can be seen by the intended recipient only, for a brief time only, and then disappear forever - much like old Mission: Impossible assignments ("this message will self-destruct in 10 seconds..."). As such, it has been used by many teenagers for "sexting" - sharing indecent photos of themselves, never suspecting that the photos might not actually disappear.

Friday, October 10, 2014

Another day, another breach

It seems like almost every week another business is in the news for having their payment network compromised and leaking customer information, often in the form of payment card data. Target, Home Depot, Jimmy Johns, Goodwill Industries, JP Morgan Chase, KMart/Sears, the list goes on. Today, Dairy Queen was (formally) added to the list.

I say formally, because Dairy Queen was strongly suspected to be on that list as of late August, but only now made a public statement confirming the fact. This incident hits a little closer to home because my hometown Dairy Queen is on the list of those compromised.

Tuesday, October 7, 2014

One simple move that can dramatically reduce the risk of identity theft

Identity theft is a common fear, one that is reinforced with each new headline. 40 million credit cards stolen from Target! Home Depot leaks 56 million payment cards! Hackers steal info on 145 million eBay customers! Giant data breach affects 152 million Adobe accounts! It seems each new breach is more "epic" than the last. A data visualizer known as "Information is Beautiful" has a frightening but fantastic visualization.

Most of these incidents involve theft of credit and debit card information - a form of identity theft that is damaging but generally not terribly difficult to unravel. Consumer protection laws generally limit one's liability, and many banks promise zero liability for fraudulent charges. Using credit cards instead of debit cards further separates the fraudulent activity from your actual cash.

Wednesday, October 1, 2014

The high price of free wifi: your eldest child?

In keeping with National Cyber Security Awareness Month, I'll be updating a number of articles written over the last 4 years. In January of 2011 I entered the blogosphere with a story about Firesheep, a Firefox plugin that made wireless eavesdropping scarily simple.

Most of us know by now to look for the little "padlock" icon in the browser status bar before logging in to a web site, or the "https://" at the beginning of the URL - we want to be sure our password is protected, right? And most sites now use an SSL (secured) connection for the login page - your password is in fact protected (massive Internet-wide vulnerabilities notwithstanding). But once you log in, many sites used to switch back to non-secured. The problem with that approach was, how does the web site know who you are after you have logged in? It is often done with cookies - little bits of data stored on your computer, and automatically sent to the site that created them every time you load or reload a page from that site. The cookies (usually) do not contain your password, but they do identify you to the site. So, if you log into Facebook, then click a link to reload the page, your computer sends your cookie to Facebook, and the site says "hey, I remember who you are, I saw you just a minute ago; you are already logged in, so here you go!" (OK, not literally, but you get the point).

Sunday, September 28, 2014

A Shell of a Bash: Shellshock in Lay Terms

A few days ago, researchers revealed a software vulnerability that quickly became known as "shellshock." It's a bug - an error in the software code - in a core piece of many Unix operating system flavors, and it can be used by an attacker to gain control of Unix computers. You don't use Unix, you say? I'll bet you do: a great many Internet-connected devices run on Unix because it can run on a minimal computer.

For those of us that make a living in the security field, it has been a pretty exciting week. Bash (the vulnerable shell program) is everywhere. Not everywhere everywhere, but it turns up in many unexpected places. Think robotic toys, DVRs, wireless routers, smart televisions, enterprise web servers, cloud storage servers, printers, network equipment, the list goes on.

Thursday, September 25, 2014

Shellshocked: what is the bug in Bash?

The Internet has been awash with information and misinformation about a bug in GNU bash, a common system shell in many Unix variants. Here are some initial thoughts about what it is, and what it is not.

A shell is a way of giving a computer commands, that it in turn executes. The Windows CMD shell (aka "DOS Prompt") is one example of a shell. Unix has many different shells, but a common one is bash, or "Bourne Again SHell." It is common in Unix and Linux variants ... which happen to be the operating system of choice for a great many non-PC Internet devices. Think wireless routers, Blu-Ray players, network hard drives, printers, Internet TVs, etc. Not all run bash - as I said there are a number of different shells - but many do.

Tuesday, September 23, 2014

Installing Kali Linux and Snort on a Raspberry Pi

Last week I wrote about building a passive network tap with about $10 in off-the-shelf parts. Building a tap is a nice little project, but what do you do with it? A simple first step is to install Wireshark on a laptop and capture some packets. I wanted something a little more elegant though. Earlier this year I posted an April Fools gag on various uses for a Raspberry Pi ... this time I am putting it to legitimate use.

The Raspberry Pi is a minimalist computer: a processor; a bit of memory; ports for network, video, and sound; an SD card slot for data and operating system storage; a few USB ports to attach additional components; and a micro-USB port to supply power. Altogether a bare-bones Pi costs about $35. You can buy a Pi with a protective case, an SD card, and a power supply for around $50 to $60. I picked up bundle with the Raspberry Pi model B, clear case, and wireless adapter for $49.95, plus a 16 GB SD card for another $10. In truth, I could have gotten by with a smaller SD card, but the software tools I had in mind to use take up some space, and network captures can quickly fill up a drive.

Whois David?

My Photo

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 14, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.