Tuesday, May 19, 2015

Planes, Trains, and Ethical Dilemmas

Ethical lessons in research and disclosure, from the Internet of Flying Things.

When I started out in the systems administration and hacking worlds a couple of decades ago - and even when I first moved into information security as a profession nearly 15 years ago - the dominant incentive was the ego trip: what can I get away with? Truth be told, that's the original (and to many, myself included, the "real") meaning of hacking: to take something and make it do what I want, rather than necessarily what the creator intended. A hacker is someone who is highly interested in a subject (often technology), and pushes the boundaries of their chosen field.

That culture has nothing to do with malicious use of computers - nay, nothing to do with malice at all. It is all about solving puzzles: "here's an interesting <insert favorite item>; now what can I do with it?" The hacking ethos brought about automotive performance shops and the motorcycle customization industry glamorized by West Coast Choppers, to give two examples. A hacker could be known less controversially as a Maker, or a tinkerer, or a modder - or an engineer.

Hacking in its purest form is perfectly legitimate. If I own a computer, or a phone, or a network router, or a TV, or a printer, or a programmable thermostat, or an Internet-connected toy, or a vehicle, or (the list could go on forever), I have every right to explore its capabilities and flaws. Within reasonable limits (various transportation authorities may have something to say if I add flashing red and blue lights to my car and start driving down the highway), it is mine to do with as I please. Where it becomes ethically and legally questionable is when I stop tinkering with things I own, and begin tinkering with something you own, without your permission.

Thursday, May 14, 2015

VENOM: What you need to know (CVE-2015-3456)

Researchers at CrowdStrike discovered a flaw in the Floppy Disk Controller emulation component of QEMU virtualization software. If an adversary has administrative access to a virtual server, they can potentially exploit this to gain access to every other virtual server on the same physical host. Here is a moderately non-technical explanation.
Venom is a fictional comic character and occasional nemesis of Spider-Man... wait, that's not the Venom you meant.

Researchers at CrowdStrike discovered a flaw in the Floppy Disk Controller emulation component of QEMU virtualization software, which they dubbed "Virtualized Environment Neglected Operations Manipulation" or "VENOM" for short. If an adversary has administrative access to a virtual server, they can potentially exploit this to gain root access on the virtualization host (the physical box), and from there read memory and do anything else with other virtual servers on the same box. This vulnerability was given the identifier CVE-2015-3456.

Wednesday, May 13, 2015

Is your home router spying on you?

Home wireless routers leased from Comcast broadcast a public wireless signal in addition to the private home network. Be sure your device is on the right network before doing online banking.
In mid-2013, Internet provider Comcast announced plans to build a massive network of public WiFi hotspots across the United States, so its subscribers could connect to the Internet from just about anywhere. This network would be built on the wireless routers Comcast leases to its home subscribers: most home users don't use the full capacity of their broadband connection 24/7, so the Internet provider would make unused bandwidth available for a public hotspot. The company says that the public wireless signal is completely separate from the private wireless signal used by your private home network, keeping your home network secure (though I am not aware of a definitive study that proves this).

For Comcast, this is great: it lets them boast of having the largest network of public wireless hotspots in the United States. For its customers traveling around the country it is likewise great: they pay for service at home, and get free access to the Internet on the road without having to eat up their cellular data plans. There is an unintended side effect though.

Thursday, April 30, 2015

Lessons from CSI:Cyber

Unrealistic scenarios aside, CSI: Cyber is doing some good by bringing attention to real issues (albeit in far-fetched ways), and perhaps inspiring future digital forensic analysts.
The CSI: franchise has been a very successful television endeavor, combining entertainment with a view into how forensic science is used to identify and prosecute criminals. Needless to say, creative liberty is taken to fit a story into a 42-minute episode, but it never pretended to be instructional. It's TV, not a college class. I have no training in pathology or chemical analysis, and only a basic background in the physics of force and motion, but I've been involved in cyber technologies since before "cyber" was a household term.

There has been considerable complaint from my industry over the way CSI: Cyber sensationalizes real events, and invents wholly unrealistic threats, for the sake of entertainment. I get it - I really do. The daily grind of a real cyber expert is not nearly as exciting as an action-packed TV episode. Hours of digging through logs or interpreting a pcap (a record of network traffic) wouldn't make for very exciting television. As researcher/hacker Charlie Miller recently said on Twitter, real hacking doesn't happen in the span of a 42-minute made-for-TV episode. It is the result of days, weeks, or even years of research, learning, and poking at a topic.

Tuesday, April 28, 2015

How you handle a conflict speaks loudly

How you handle a problem (as a person, and as a company) speaks far more loudly than the problem itself. No one is perfect. There will be conflicts whether in business or in social life. At times those conflicts are the result of an intentional slight or a boneheaded decision, but just as often they are the result of simple miscommunication.

Tuesday, April 14, 2015

What if Jesus was a hacker?

It's interesting the ways faith and security intersect. This weekend I attended an information security conference in which one speaker talked about the often-strained relationship between hackers / researchers and reporters. Author / blogger / journalist Violet Blue (warning: in many cases very much NSFW) gave a talk entitled "Everything They Don't Tell You: When Hackers Talk to the Press" that was quite eye-opening. A key point was that so many (not all, but a significant majority of) reporters think career first, and are more interested in being *first* with a story than in being *right* with a story. Interviewees may be manipulated into giving statements that fit the story the reporter is trying to tell, by reporters that don't really understand the technologies and security threats they are writing about. The end result is that hackers need to be very careful in whom they talk with.

Tuesday, April 7, 2015

Don't get pwned by a former service provider

When establishing a business - to - business relationship, don't forget to specify what happens to information when the business relationship ends.
The growth of the Internet from a novel idea into a business necessity created a new market for online service providers. Large corporations have the resources to run their own web servers and to hire professional staff to keep them running well and (hopefully) secure. When you run a small business though - and in particular, a business that is not in a computer technology field - more often than not you are dependent on third parties to provide such services. If your company is in the business of collecting and disposing of garbage, you might expect to invest heavily in trucks and landfill property. A company web site through which to offer online bill payment may not be at the top of your in-house priority list.

There's absolutely nothing wrong with that. Why try to be something you are not? Doing what you do well, and paying someone else to do the rest, can be an effective business model. Alas, outsourcing isn't (or at least shouldn't be) a "choose someone and forget about it" decision.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 15, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.