Tuesday, March 24, 2015

Social media risks and rewards

Social media are great for keeping in touch with friends, but be mindful of what you share and with whom. Simply planning a strategy for how each social network will be used can make all the difference.
Do you know with whom you share, and what you share, on social networks? I've had around a dozen conversations about social media in the last few months. Conversations with friends and family, with colleagues, and with professional peers. Conversations about differences in uses and privacy implications, as well as conversations about examples of ill-advised sharing. Over the weekend I had a brief Twitter conversation with Rafal Los (aka Wh1t3rabbit) bemoaning recent LinkedIn changes that make it difficult to introduce ourselves when requesting a connection.

On top of that, there have been a couple of widely publicized news stories recently about direct consequences of social sharing: a Dallas teenager accepted a job with a pizzeria, and proceeded to badmouth the job to friends on Twitter. Word got back to the shop owner, who fired her before she started. Then the New York Times ran a story of a senior director of communications whose poorly conceived tweet cost her a high-ranking job.

Tuesday, March 17, 2015

Security B-Sides Austin: Recapping a hacker conference

A recap of the 2015 Austin B-Sides security conference, with links to speakers and slides where available
March 12 and 13, about 250 hackers and security practitioners from around Texas (and as far away as Canada) descended upon Round Rock, a suburb of Austin, for two days of training and research presentations. Security B-Sides sprang up in 2009 as an alternative to the major (and highly attended) conferences such as Blackhat and RSA: there's not much opportunity to talk one-on-one with a researcher at a conference attended by 10,000. In 2009, the inaugural B-Sides was held in Las Vegas; a year later, B-Sides Austin launched, timed to coincide with the annual Spring Break phenomenon known as SXSW (South by Southwest). For 2015, over 30 events in North and South America and Europe are scheduled, with more in the planning stages.

I refer to B-Sides as a hacker conference. Some readers may take offense. I use hacker in its original (and to many, "real") sense: one that knows a topic well and can modify something to do his or her will, rather than what the creator intended. That culture has nothing to do with malicious use of computers - it is the culture that led to automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers, to name two examples. A hacker could be known less controversially as a maker, or a tinkerer, or a modder - or an engineer. In that sense, I am proud to wear the label of hacker.

Tuesday, March 10, 2015

The week in tech news

Monday seemed to be "the day" for big technology and security news. Several big stories broke yesterday, so rather than dive deep into a topic this week, I am going to summarize what you need to know: Rowhammer, FREAK, iOS 8.2, Apple Watch, and [added Tuesday] Microsoft's massive Patch Tuesday.

Wednesday, March 4, 2015

The closed account that wasn't

This morning I received an unexpected message to my mailbox. Wells Fargo was informing me that my account had been locked due to three attempts to log in with an incorrect password. This is pretty good security: an attacker cannot keep trying passwords forever since the account is locked after the third try, and the bank alerted me via the email they had on record for the rightful owner of the account. Locking the account is a common way to prevent an attacker from discovering a password randomly (though it does nothing to protect against an actual password that is stolen). Alerting the account owner means I can change my password and look for any unexpected transactions or other changes to the account.
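The lockout-and-alert behaviour described above, as an added illustration (not code from the post or from any bank): after the third wrong password the account is locked and an alert is queued for the e-mail address on record, and the final case shows the limitation the post notes, that a correct password obtained by theft is accepted like any other. The account name, e-mail address and passwords are constructed sample values.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # lock on the third wrong password, as the post describes


@dataclass
class Account:
    email_on_record: str
    password: str  # plain text only in this toy example; a real system stores a hash
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuthService:
    accounts: dict
    alerts: list = field(default_factory=list)  # stands in for outbound e-mail

    def login(self, user: str, password: str) -> str:
        acct = self.accounts[user]
        if acct.locked:
            # A locked account refuses every attempt, right password included,
            # so an attacker cannot keep guessing until the owner intervenes.
            return "locked"
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failed_attempts = 0
            return "ok"  # a stolen-but-correct password passes: lockout does not cover theft
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self.alerts.append(
                (acct.email_on_record, f"{user}: locked after {MAX_FAILED_ATTEMPTS} failed logins")
            )
            return "locked"
        return "bad_password"


def demo() -> tuple:
    """Three wrong guesses lock the account; then a fresh service shows a stolen password succeeding."""
    svc = AuthService({"david": Account("owner@example.com", "correct-horse")})
    guesses = [svc.login("david", g) for g in ("hunter2", "password", "letmein")]
    after_lock = svc.login("david", "correct-horse")  # refused even though it is correct
    fresh = AuthService({"david": Account("owner@example.com", "correct-horse")})
    stolen = fresh.login("david", "correct-horse")  # accepted: nothing here detects theft
    return guesses, after_lock, svc.alerts, stolen
```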

Tuesday, February 24, 2015

These are a few of my favorite blogs

In no particular order, a list of security bloggers and information sources I find useful:

  • [web] [rss] Krebs on Security (Brian Krebs)
  • [web] [rss] Graham Cluley
  • [web] [rss] Hot for Security
  • [web] [rss] lcamtuf (Michal Zalewski)
  • [web] [rss] Troy Hunt
  • [web] [rss] Full Disclosure (mostly vulnerability disclosures)
  • [web] [rss] F-Secure Labs
  • [web] [rss] SANS Internet Storm Center
  • [web] [rss] SANS Curated News
  • [web] [rss] SANS Industrial Control Systems Blog
  • [web] [rss] SANS Digital Forensics and Incident Response Blog
  • [web] [rss] Exploit DB
  • [web] [rss] Microsoft Security Response Center
  • [web] [rss] Dave Shackleford
  • [web] [rss] Google Project Zero issue tracker
  • [web] [rss] Google Project Zero blog
  • [web] [rss] Google Online Security Blog
  • [web] [rss] Carnal0wnage (Chris Gates)
  • [web] [rss] OpenDNS Labs
  • [web] [rss] Dark Reading
  • [web] [rss] Help Net Security
  • [web] [rss] Verizon Security Blog
  • [web] [rss] Errata Rob (Robert Graham)
  • [web] [rss] Wh1t3 Rabbit (Rafal Los)
  • [web] [rss] Schneier on Security (Bruce Schneier)
  • [web] [rss] Social-Engineer
  • [web] [rss] Common Exploits (Daniel Compton)
  • [web] [rss] McAfee Labs
  • [web] [rss] CSO Online Dashboard / Security News
  • [web] [rss] Uncommon Sense Security (Jack Daniel)
Along with some useful finds:
  • CapTipper: Malicious HTTP traffic explorer tool. Point it at a PCAP or live traffic and easily pull out hosts, conversations, downloaded files, etc.
  • Bit.ly to track malware outbreaks: A short piece using bit.ly's click analysis to view geographic distribution and infection rates.
  • Pemcrack: ErrataRob's tool to crack SSL PEM files that hold encrypted private keys (first authored to crack the Superfish cert)
  • Recommended forensic reading: a list of books
  • APTNotes: Github repository of whitepapers, docs and articles related to APT campaigns
  • Telerik Fiddler: web debugging proxy

Please reply in the comments below if you have a favorite that I overlooked!

Thursday, February 19, 2015

Lenovo PCs preloaded with "Superfish" malware that breaks security

Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing Superfish adware that breaks otherwise secure HTTPS website connections.

Recent Lenovo laptops include what can only be described as malware, malware that intercepts all web traffic whether secured or not. The "VisualDiscovery" adware from a company called Superfish reads all web traffic and injects advertisements into web pages. In doing so it completely breaks HTTPS security.

Thursday, February 12, 2015

Shades of Grey

It may seem as though there is an easy distinction between the legitimate and the malicious. The reality is, the world of online security is not always black and white. More often, it is filled with shades of grey.
I frequently write about malware, spam, credit card fraud, and various computer crimes.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 15, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.