Sunday, September 28, 2014

A Shell of a Bash: Shellshock in Lay Terms

A few days ago, researchers revealed a software vulnerability that quickly became known as "shellshock." It's a bug - an error in the software code - in a core piece of many Unix operating system flavors, and it can be used by an attacker to gain control of Unix computers. You don't use Unix, you say? I'll bet you do: a great many Internet-connected devices run on Unix because it can run on a minimal computer.

For those of us that make a living in the security field, it has been a pretty exciting week. Bash (the vulnerable shell program) is everywhere. Not everywhere everywhere, but it turns up in many unexpected places. Think robotic toys, DVRs, wireless routers, smart televisions, enterprise web servers, cloud storage servers, printers, network equipment, the list goes on.

Thursday, September 25, 2014

Shellshocked: what is the bug in Bash?

The Internet has been awash with information and misinformation about a bug in GNU bash, a common system shell in many Unix variants. Here are some initial thoughts about what it is, and what it is not.

A shell is a way of giving a computer commands, that it in turn executes. The Windows CMD shell (aka "DOS Prompt") is one example of a shell. Unix has many different shells, but a common one is bash, or "Bourne Again SHell." It is common in Unix and Linux variants ... which happen to be the operating system of choice for a great many non-PC Internet devices. Think wireless routers, Blu-Ray players, network hard drives, printers, Internet TVs, etc. Not all run bash - as I said there are a number of different shells - but many do.

Tuesday, September 23, 2014

Installing Kali Linux and Snort on a Raspberry Pi

Last week I wrote about building a passive network tap with about $10 in off-the-shelf parts. Building a tap is a nice little project, but what do you do with it? A simple first step is to install Wireshark on a laptop and capture some packets. I wanted something a little more elegant though. Earlier this year I posted an April Fools gag on various uses for a Raspberry Pi ... this time I am putting it to legitimate use.

The Raspberry Pi is a minimalist computer: a processor; a bit of memory; ports for network, video, and sound; an SD card slot for data and operating system storage; a few USB ports to attach additional components; and a micro-USB port to supply power. Altogether a bare-bones Pi costs about $35. You can buy a Pi with a protective case, an SD card, and a power supply for around $50 to $60. I picked up bundle with the Raspberry Pi model B, clear case, and wireless adapter for $49.95, plus a 16 GB SD card for another $10. In truth, I could have gotten by with a smaller SD card, but the software tools I had in mind to use take up some space, and network captures can quickly fill up a drive.

Tuesday, September 16, 2014

The naked truth about celebrity photos

We all have secrets. They may be intimate photos. They may be financial documents. Perhaps they are records indicating a medical condition. For some they are invention prototypes, or business plans. For others they might be battle plans or defense strategies. Some secrets are scandalous, but most are simply things we would like to keep private. In my line of work, occasionally I discover security flaws that could be damaging if details leaked before the affected party has a chance to fix things. The nature of secrets varies as widely as the nature of those that hold these secrets. My point though is that we all (with the possible exception of Jim Carrey’s Fletcher Reede character) have things we would prefer not be seen by others.

Tuesday, September 9, 2014

How to build a $10 passive network tap

When one's profession involves network security, sometimes it helps to capture network communication to analyze. Often the simplest way to do this is to install packet capture software such as tcpdump or Wireshark on the system in question. This has the advantage of being easy (tcpdump may even already be installed - it is common on Linux systems), and by running on the target system there can be less unrelated traffic to wade through.

The downside, of course, is sometimes I don't have access to the target system ... or do have access but do not wish for the user of the system to know it is being investigated. If it is malware I am investigating, the malware might tamper with software running on the same system. In any of these cases, it is to my benefit to capture the network traffic from somewhere other than the target system.

Tuesday, September 2, 2014

Change the phone book: what is this "DNS" thing?

If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic! After a brief lesson on a fundamental piece of modern networks, I will explain a very simple step you can take that dramatically reduces the risk of encountering malicious software or scam / phishing traps.

Putting aside for a moment the possibility that you are reading a printout, you are more than likely using a web browser. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL in directly or used a bookmark. Regardless of the source, your browser did not just yell out on the Internet, "show me David Longenecker's blog." Instead, it referred to a DNS, a phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.

Wednesday, August 27, 2014

Phishing for Men (and Women)

Those that know me well know there are three things I put most of my energy into: my faith, my family, and security. When something comes along that involves two of those interests, so much the better.

For the last year and a half, I have been involved in an organization known as HackFormers. HackFormers was founded by several Austinites who shared two passions: a passion for hacking (in the sense of finding, fixing, and defending against security flaws), and a passion for Jesus Christ. Its vision is to teach security principles, and then to show faith principles that go hand-in-hand with security. I gave a presentation at the August chapter meeting. It is in that context that I write today.

Whois David?

My Photo

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 14, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.