Tuesday, June 30, 2015

Incident response lessons from the Texas flash flood

What can a natural disaster teach about incident response planning? This is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.
During the overnight hours of Saturday night and Sunday morning May 23-24, heavy rain in the Texas Hill Country triggered a flash flood of near-Biblical proportions in Wimberley and San Marcos. This article (published at CSOonline) is the story of a disaster response program executed exceptionally well, and the lessons it provides for incident response of all types.

Thursday, June 25, 2015

How secure is your email?

Encrypted email has long been a complicated problem to solve, but a combination of Internet titans and innovative startups are working to make it practical for real people.

We send and receive a lot of email. Much of it is fairly benign: newsletter subscriptions, “hi, how are you” messages from friends, perhaps emergency services alerts (living in Central Texas, my mailbox in May had an oversize number of these), or online billing notifications. While most email is not of a nature that our world would end if someone were able to read it, we still prefer some privacy. After all, the old adage “you’ve been reading my mail” is rooted in a desire to keep some things to oneself.

Common email providers tend to allow (or require) a secure HTTPS connection between the browser or email client and their servers. Ignoring for a moment the variety of flaws that have surfaced in different SSL implementations over the past year, you can be reasonably sure no one can read messages between the server and your web browser. Google made HTTPS the default for Gmail in 2010, and made it the only option last March. Yahoo made SSL the default in early 2014.  Microsoft’s Outlook.com now uses HTTPS only as well.

What happens after the email leaves your browser or email client though? It's great that the message is safely transported from your browser to the mail server, but unless the message is intended for someone else using the same server, it must travel across the public Internet.

Monday, June 22, 2015

Please, oh please, won't you phish me?

Sign in to iTunes Connect
Update: I have received a couple of variations on this; scroll to the bottom to see a running list of subjects and phishing URLs.

Time for another phishing lesson. Today's lesson involves a fake email pretending to be from Apple, which tries to steal not only your Apple ID login information, but everything else necessary to fully impersonate your identity: a credit card number with expiration and security code; mailing address; date of birth; social security number; and oh yes, your favorite security question. 

Unlike many phishing attempts, this scam is quite professionally done. Other than the obscene amount of personal information it collects to "verify" your account, there is not much to indicate it is fraudulent once you have clicked the link.

Thursday, June 18, 2015

Stranger than fiction: the week's security news

I love science fiction. I enjoy sarcastic fictional news such as "The Onion." I even enjoy watching CSI:Cyber despite its far-fetched depiction of security. But when reality exceeds even the wildest imaginable fictional scenarios, wow. The US government outsourcing administration of sensitive databases to China; professional sports teams hacking one another; security tools themselves turning into risks; and a ruling that websites may be held liable for things that anonymous readers have to say? I can't make this stuff up. Some highlights from this week's news:

Monday, June 15, 2015

LastPass password vault hacked: what you need to know

Password vault maker LastPass informed customers today that their servers had been compromised. Don't panic. Do change your master password.

LastPass informed its customers Monday that on Friday, the company detected and blocked suspicious activity on its network. In investigating the incident, they discovered that email addresses, password reminders, user salts, and authentication hashes were compromised. As of this writing they do not believe actual encrypted password vaults were accessed.

What does this mean for you?

Ten security lessons from the NBA finals

The NBA Finals between the Cleveland Cavaliers and the Golden State Warriors provided an entertaining example of some lessons that apply equally to basketball and to security preparation and incident response. Would you believe that? Without further ado, a tweet storm from last night:

Tuesday, June 9, 2015

Patch Week: time to update Windows, Flash, and VMWare

It's that time of the month again: the time when several software makers unload their latest software updates to address vulnerabilities discovered in their software. This time, Microsoft blesses us with 8 updates covering the Windows operating system, Internet Explorer, Windows Media Player, and Exchange Server. Adobe delivers the latest update for Flash Player; and VMWare issues updates for their popular virtualization software.

At least two of the vulnerabilities are exploited through a browser plug-in (Flash Player, and Windows Media Player). Google and Mozilla make it simple to make plug-ins be "click-to-play" in Chrome and Firefox, which prevents a malicious media file from compromising your computer simply by browsing to a website. Internet Explorer, alas, has no such option. Keep in mind that click-to-play simply prevents malicious content from playing immediately upon browsing to a site - if you choose to let the content play, it can still exploit the vulnerability.

Whois David?

My Photo

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 15, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.