I have a Samsung S3 that decided it wouldn’t boot on Wednesday. After talking to the very helpful people at Samsung they decided that they can replace my phone for me but I need to send them my broken phone.
All my data is on my phone. All my email. All my passwords. All my texts. All my pictures. I have backups and I have a password on my phone but I still have to send my phone back to a company who could access it if they wanted to.
So what is a security professional to do? Normally I would just wipe my phone and send it in but since that isn’t an option I am stuck with either keeping a $400 brick or possibly exposing my data to Samsung.
Earlier today I was asked to come up with the best way to keep your social media accounts secure. Here are 5 easy ways to protect your social media accounts:
Update accounts with unique, complex passwords. Complex passwords will contain a combination of upper and lower case letters, symbols and numbers, and have at least ten characters.
Change your password often. No matter how complex your password is it is necessary to change it regularly. Normally I suggest changing your social media passwords two times a year.
Enable Two Factor Authentication. Google, Facebook and Twitter all offer two factor authentication. Enabling it allows these services to know that it is you logging into your account and not someone else.
Review apps and add-ons regularly. Review all apps and add-ons associated with your social media accounts at regular intervals. Remove apps and add-ons that you no longer use or that post to your social media accounts without your permission.
Log out. Remember to log out when you are finished using it. It is an easy and highly effective step to protect your account.
In two weeks I am on a career panel for a group of high school kids interested in technology careers. They sent a list of discussion questions they were going to use to get the conversation started and one of them was:
What does it take to be successful in information technology?
The answer to this question I always give is:
If you want to be successful in information technology and life in general you need to implement the no no rule.
The no no rule is extremely simple: When asked a question your first response should never be no.
The two non-yes responses I use are:
1) Ask for more information or clarification. 2) Ask for time to research a solution.
In a lot of cases (especially in security) after you ask for clarification or time to research the answer may still be no but you will have given the question some real thought and understanding and the person making the request won’t feel like you are ignoring them. A lot of information technology professionals get a bad reputation because they say no too often.
My son asked me on Saturday as we were going into the store why an old guy was selling flowers. It gave me an opportunity to tell him about the “true meaning” of Memorial Day and explain to him that some of our bravest heroes don’t get to come home.
So today I will be spending some time thinking about the people who gave everything.
In Flanders fields the poppies blow Between the crosses, row on row, That mark our place; and in the sky The larks, still bravely singing, fly Scarce heard amid the guns below.
We are the Dead. Short days ago We lived, felt dawn, saw sunset glow, Loved and were loved, and now we lie In Flanders fields.
Take up our quarrel with the foe: To you from failing hands we throw The torch; be yours to hold it high. If ye break faith with us who die We shall not sleep, though poppies grow In Flanders fields.
I got a call from a friend who was sure his PC was hacked because his CD-ROM drive kept randomly opening and closing. After looking at the machine I found a .vbs file in his appdata folder named RandomlyOpenCD.VBS (surprisingly it randomly opens and closes the CD drive) and nothing else that looked like an APT.
After making a copy of the code, deleting the file and rebooting his PC it was fine and his CD drive was back to a non-hacked state.
The practical joker in me makes it nearly impossible to not share the code:
Last night I sent an email to a good friend and his boss passing on an amazing career opportunity that paid an ungodly amount of money.
It was basically Scrooge McDuck build a money bin money.
So why didn’t I take it? After a lot of thinking and discussion with my wife it boiled down to timing and location.
We weren’t crazy about the location. We would have had to relocate to Atlanta. We don’t have more than a handful of friends in Atlanta and our nearest relatives would be about 300 miles away. I don’t like grits.
The timing wasn’t great either. My son is getting ready to start Kindergarten next month. My wife has a job that she loves. Our family is a half hour drive away. We have amazing friends. We love our church. I don’t like grits.
Even after that list of cons it was still amazingly hard to say no to a great career opportunity and the possibility of my own money bin.
So why did I?
I remember seeing this quote a few months ago:
“Half of the troubles of this life can be traced to saying yes too quickly and not saying no enough.” - Josh Billings
So I took my time and thought about it. On Monday I was ready to call a Realtor and put my house on the market. On Tuesday I was trying to figure out if I was going to sound cool with a southern accent. On Wednesday I woke up and realized it wasn’t the right time to move our family halfway across the country.
So yesterday I wrote an email apologizing and declining the position, put in a 16 hour day at my current job and went home and slept like a baby.
It will be hard not owning a Tesla and having a bin full of money to swim around in but I know I made the right choice for my family and hopefully there will be other opportunities like this in the future.
This afternoon a “hacker” decided to text bomb my phone with about 1000 text messages asking me to paypal him $100 to stop.
A couple of things:
I don’t negotiate with terrorists. (I always wanted to say that.)
Part of the text bomb gave me information on how it was happening.
After getting a couple of messages I noticed they were all coming from onlinetextmessage.com. After looking at their web page I noticed that you could block messages from their site to your phone.
Once I blocked the attack I was interested in how they did it and started to do a little bit of research.
I am about to give you a link to a script that can do bad things. Please don’t do bad things.
With a few well placed Google searches (onlinetextmessage.com sms bomb) I found this pastebin with a two year old Perl script in it. I am “researching” here so I had to test out the script myself (against my own phone) and surprisingly it works really well.
After looking at a couple of other online SMS sending websites it appears the reason that onlinetextmessage.com is vulnerable to this abuse is because they don’t ask for a CAPTCHA before sending the message. This would seem to be a pretty easy addition to their code to stop this from happening. I have sent them a nice email asking them to make these changes. I doubt I will ever hear from them.
This “DST” button is .25” away from the snooze button, .2” away from the source and sleep timer button.
Why is this a big deal? Because when you accidentally touch the button it magically makes it an hour earlier in my bedroom than in the rest of the world. For a feature that will save me 30 seconds two times a year they have basically put a self destruct button right on top of their product.
How in the world do products like this make it to the market?
I was having a conversation about security today with a good friend and the subject came up of what is the most difficult question in security to answer?
After a few minutes of back and forth we settled on the following question:
Who would want to hack us?
This question is nearly always asked with the person asking it implying they aren’t important enough to be hacked.
As security professionals we mostly do a terrible job at answering this question. Normally we end up answering with something vague like “hackers”.
(This is what a hacker looks like.)
When we answer back with a vague answer like “hackers” we don’t make the threat real to the person asking the question. They will care and think about hackers as much as they do the nebulous bad guy who might break into their car and steal their 3 Doors Down CD.
The best way I have found to answer this question is by asking a question back.
Here are a few questions I always try to ask back when someone asks me who would want to hack us?
Have you ever had an employee leave on bad terms? Have you ever made a competitor mad? Is there anyone that would enjoy you having negative publicity?
Everyone can think of an answer to one of these questions and it plants a mental image of someone who would actually want to do their company harm and not a guy with a ski mask.
How do you answer the question: Who would want to hack us?
That was my four-year-old’s response when I reminded him that his first T-Ball game was later that day as I woke him up. I love my son but he spent 80% of his first and only T-Ball practice trying to make the other kids on his team laugh. He is no Jose Abreu.
My first instinct was to tell him:
Logically the chances of you hitting the ball over the fence are not very realistic, why don’t we concentrate on a single and hustling to first base?
As I sit on his bed getting ready to tell him why he isn’t going to hit a home run he tells me:
I can’t wait for my game tonight, it is going to be a so much fun!
At that moment my 4 year old reminded me that baseball isn’t as much fun if you aren’t swinging for the fences. The same can be said about life. I can hit singles and hustle to first all day but wouldn’t it be a lot more fun to swing for the fences?
Even if you don’t hit a home run you might even end up on 3rd base talking to your friend.
This morning I was out running some errands and NPR had an interview with David Sklansky, a poker player who wrote a book called “The Theory Of Poker”, and he said the most important thing to remember about poker is that:
Poker Is Fundamentally A Battle Of Mistakes
That quote stuck with me all day and when I got some time to sit down and Google it tonight I found this amazing excerpt from his book:
Every time you play a hand differently from the way you would have played it if you could see all your opponents’ cards, they gain; and every time you play your hand the same way you would have played it if you could see all their cards, they lose.
Let’s make this about security:
Every time you secure your network differently from the way you would have if you could see all your opponents’ attacks, they gain; and every time you secure your network the same way you would have if you could see all their attacks, they lose.
Poker players spend just as much time while at the table thinking about who they are playing as what they are playing. Security professionals on the other hand spend a lot of time and a lot of money trying to prevent attacks that people attacking their networks won’t or can’t use. I know small companies who are more worried about APTs than they are of phishing attacks because they watched a 60 Minutes story about it.
Can you answer these five questions about the people who would likely attack your network:
Who would want to attack my network? Why are they attacking my network? What do they want to steal or change? Is it possible for them to access the information they want to steal? If I were them how would I try to steal the information?
I think if you can answer those five questions you would be off to a good start on understanding the correct way to secure your network because:
I have a mentor who sends me a motivational quote a couple of times a week and today he dropped this on me:
If you’re the smartest person in the room, then you need to find another room.
I have heard that quote before and actually used it in an opening slide of a talk to make a self deprecating joke. I get the underlying meaning of the quote but I think few people would actually admit to thinking that they are the smartest person in the room.
So either the person who wrote this quote was an egomaniac or wasn’t clear in his writing. Here is what I think he is talking about:
I have an amazing four year old at home who challenges me all the time by asking me questions I don’t know the answer to (Why are bananas yellow?) and asking me questions that make me think about life (Why do we have a house and my friend lives in an apartment?).
To be honest a lot of time I turn into this guy:
One thing my son does every day is challenge me to think and learn. So after thinking about that quote for a little bit I responded with this:
If you’re in a room with people who don’t challenge you, then you need to find another room.
Are you being challenged in your personal and professional life or is it time to find another room?
Earlier today I was reading this article on Rollingstone.com about how FXX plans to show all 552 episodes of The Simpsons this August and noticed when I copied anything from the website it appends a link and copyright notice. That got me thinking about what else could be appended to copied text and how bad guys could use it.
When you copy and paste the echo $PATH command in Firefox and Chrome you get this:
If you copy and paste directly into a terminal window you get this:
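An added example, not part of the original post: a small JavaScript check that compares the text a user selected with what actually landed on the clipboard, and flags appended text, embedded newlines and hidden characters before the text is pasted into a terminal. The function name, finding codes and sample strings are assumptions constructed for illustration.

```javascript
// Added example (not from the original post). All names and samples here are
// hypothetical and constructed for illustration.

// Control characters other than tab, LF and CR (includes ESC, 0x1b).
const CONTROL_CHARS = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/;
// Zero-width and bidirectional formatting characters a reader cannot see.
const INVISIBLE_CHARS = /[\u200b-\u200f\u202a-\u202e\u2060-\u2064\ufeff]/;

// Compare what the user selected on the page with what the site's copy
// handler actually placed on the clipboard.
function auditClipboard(selectedText, clipboardText) {
  const findings = [];
  const selected = selectedText.trim();
  const clip = clipboardText.trim();

  if (clip !== selected) {
    const at = clip.indexOf(selected);
    if (at === -1) {
      findings.push({ code: "replaced", detail: "selection not found in clipboard text" });
    } else {
      const before = clip.slice(0, at).trim();
      const after = clip.slice(at + selected.length).trim();
      if (before) findings.push({ code: "prepended", detail: before });
      if (after) findings.push({ code: "appended", detail: after });
    }
  }

  // These run on the untrimmed clipboard text: a trailing newline matters.
  // Without bracketed paste, a shell runs each newline-terminated line as
  // soon as it is pasted, before the user can review it.
  if (/[\r\n]/.test(clipboardText)) {
    findings.push({ code: "newline", detail: "line break present in clipboard text" });
  }
  if (CONTROL_CHARS.test(clipboardText)) {
    findings.push({ code: "control", detail: "control character present" });
  }
  if (INVISIBLE_CHARS.test(clipboardText)) {
    findings.push({ code: "invisible", detail: "zero-width or bidi character present" });
  }
  return { safe: findings.length === 0, findings };
}

// Constructed samples: the command from the post and three clipboard results.
const SELECTED = "echo $PATH";
const SAMPLE_CLEAN = "echo $PATH";
const SAMPLE_WITH_ATTRIBUTION =
  "echo $PATH\n\nRead more: https://example.com/article (constructed)";
const SAMPLE_TRAILING_NEWLINE = "echo $PATH\n";

function codes(result) {
  return result.findings.map((f) => f.code);
}

for (const sample of [SAMPLE_CLEAN, SAMPLE_WITH_ATTRIBUTION, SAMPLE_TRAILING_NEWLINE]) {
  const result = auditClipboard(SELECTED, sample);
  console.log(JSON.stringify(sample), "->", result.safe ? "ok" : codes(result).join(","));
}
```

Pasting into a plain text editor first shows the same differences by eye; the check above makes them explicit.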
So you want to be a Twitter security expert? I have come up with an easy to follow list to make sure you are:
All Cons, All The Time! If you are not tweeting about flying to, attending, partying at, or flying home from a con at least once a month you can’t be a security expert. Also try not to mention what you actually do for a living. It removes some of the expert shine.
Be an expert on EVERYTHING. Heartbleed? Drones? Malaysia Airlines Flight 370? Top Secret NSA Domestic Spying Programs? Windows Patching? Programming? All in your wheelhouse. If you are going to be a Twitter security expert you need to know this stuff. Skimming half a Wikipedia page qualifies you to speak on any subject authoritatively.
Everything is your business. A company you own no stock in appoints someone you don’t like to their board of directors or CEO? Good thing you are an expert on EVERYTHING! Time to be really outraged and let everyone know it!
It is all about you! This is the main rule of being a security expert on Twitter! Every time somebody expresses an opinion with which you disagree, they are doing it to anger you personally. It would be wrong not to take it as a deeply personal insult.
How many followers do you have? Make sure you have at minimum one bot a week tweet about how many followers, re-tweets and mentions you have. You need people to know how important and influential you are!
So this is how it feels to feel abandoned? That is the question you have to be asking yourself this morning. For the last 4549 days you have been a constant workhorse for PCs around the world and this morning Microsoft has decided that you are no longer worthy of support.
I remember the first time I met you. I was a 20 something systems admin who was in love with Redhat 7.1 and I thought you were going to be the end of the enterprise operating system. A few service packs later you were a solid work horse who did her job without any real complaints.
You have been great to me and my career. I owe you a lot and until Windows 7 came out you had been what I have used and supported nearly every day of my life for 10 years (I am still sorry about that fling I had with Vista in 2007. She was shiny, pretty and had so much promise. I am wrong and glad we can move on.).
I know you will live on in unprepared and underfunded schools, banks and grandparents’ systems for the next 10 years but I am going to miss you. Thanks for all the good memories you gave me and thanks for taking me this far in my career!
Twitter added a photo tagging feature today and like Facebook decided to have the default setting to allow anyone to tag you.
For your own safety you should change it to this:
The steps to do this are easy:
1) Log in to Twitter.com.
2) Go to the Settings tab.
3) Go to the Security tab.
4) Under Photo Tagging click “Do not allow anyone to tag me in photos”.
5) Scroll to the bottom of the page and click “Save changes”.
6) Enter your password to save your changes.
My opening question was simple: What do social media and hammers have in common?
The two main points of my talk were the following:
My first point was: You wouldn’t give your 13 year old a box of nails and hammer and tell them to go build something without first showing them how to properly use a hammer. This means as parents you are going to need to know the difference between a snapchat and an instagram. The days of being able to say “I don’t do that internet thing” are over.
My second point was: According to the FBI, in 2011 496 people were killed by hammers. It was terrible and tragic misuse of the tool. The way to fix that isn’t to ban hammers. This applies to social media also. There are tons of tragic cases about when people misuse social media but that shouldn’t stop you from letting your child use this very important communication tool.
This was one of the favorite groups I have talked to all year. These people all have amazingly loving hearts for kids and want to do what is best for them. It was great to talk to a group of such involved parents.
Can you name 5 people who are better at your job than you are?
I was asked this question earlier today and after trying to convince myself that “no one is better than I am” I took 5 minutes and wrote out a list of people who are better at my job than I am.
If you could ask them 5 questions what would they be?
This wasn’t as hard and I came up with these 5 pretty quick:
What drives you? What is the first thing you do when you get to the office? How do you manage work and life balance? What books have influenced your career the most? What was your biggest failure and what did you learn from it?
Now it is your turn: Can you name 5 people who are better at your job than you are? If you could ask them 5 questions what would they be?
Would you believe someone if they told you that they had four simple words that if asked honestly can make you successful?
I have those four words.
My grandpa gave them to me when I started my first job at 13 and came home complaining of being bored. He asked me if I had asked my boss “What can I do?”. I hadn’t… why would I… who asks for more work? Not me… I just wanted to work long enough to make enough money to buy a Super Nintendo.
He told me something I won’t forget. He told me that asking “What can I do?” and then doing it had made him successful in anything he had ever tried.
Why am I telling you my secret of success? Mostly because I didn’t know it was a secret and because there was this question on twitter last night:
If you had 15 minutes with your company’s Chief Executive, what would you say… RIGHT NOW. Curious on answers…
I see where he is coming from. I will admit sometimes I ask my wife “What can I do?” while I am sitting on the couch watching Teenage Mutant Ninja Turtle reruns and surfing the web while she cooks dinner. Hoping she says “Nothing… I am just doing the dishes, negotiating world peace and cooking dinner… just finish watching TV” when I know in honesty I am not doing all I can.
Asking “What Can I Do?” is a dangerous question. It can lead to all kinds of unintended consequences like having to take out the trash or having your boss give you more responsibilities.
So please be careful with those four words and don’t tell anyone I told you.
First off I must admit one of my all time favorite movies is Bloodsport.
I was watching it recently and it struck me that I have seen this Dim Mak scene play out at countless infosec cons:
No, I haven’t seen anyone break a brick with a secret move at an underground martial arts tournament (that I am telling you about) but I have seen people prove they can do amazing things only to be greeted with a room full of “not impressed” faces.
KOMU is the local NBC affiliate out of Columbia. To be honest I really love their news broadcasts and their website and rely on them for the majority of my news. Sorry KRCG and KMIZ.
Yesterday I got a couple of calls from people who were getting this when they visited the website:
After looking at the diagnostic page here it was clear that their ad network was distributing malicious software. It happens when you outsource your ads. It has happened to the NY Times, Yahoo and Wall Street Journal. You clean it up, apologize and move on.
What is inexcusable to me is their social media team telling people to ignore what is a very valid warning:
http://t.co/B6A1jCvvs6 is safe to use. If you get a malware or “attack” warning, direct your browser to continue. We are working to correct.
This is putting their viewers’ PCs at a very unnecessary risk. As someone who deals with this stuff for a living it is mind boggling that a company would do this. The software that is being distributed by those servers can lead to broken PCs, lost files and identity theft.
I like KOMU and I want them to get their website fixed but I don’t like it when they lie to their customers.
Last night I wrote a post about 5 things I am bad at and promised I would follow up with 5 things (appropriate to share on the internet) I am good at.
So here they are:
Technical Intuition My job is not hard because I have a natural understanding of how technology and security should function and most of the time they do. This makes my job fun.
Dropping Dope Rhymes I know you may not believe me but I am the most talented rapper you have never heard. If you want proof just hop in the car with me for a road trip and I will make you throw your hands in the air and say uhh!?!
Liking People I like people. I have people I consider friends all over the world. It doesn’t take me a long time to get warmed up to someone and start caring for them. It is probably because of my childhood but I truly understand that all people want to be liked.
Leading Discussions I wanted to put that I was good at teaching on this list but in honesty I suck at teaching. I am really good at leading discussions though. So good in fact that I fly all over the world doing it. I love leading discussions and watching amazing things happen because of it.
Being Thankful My childhood was beyond rough and to be where I am today has given me a heart that is truly thankful for all the opportunities that I have been given.
I am reading a book and one of the questions in it was “What are 5 things you do poorly?”. I thought it was a very interesting and thought provoking question. If the question was “What are 5 things you are super awesome at?” I could whip up a list without hesitation in about 5 minutes. It took me an hour to come up with my list but here are the 5 things I am bad at:
Writing I never liked the grammar part of English class. When I was in high school I never thought that writing would be something I would do so I goofed off and didn’t pay attention enough and because of that my writing skills are really poor.
Listening instead of thinking about what to say next. Were you talking? Sorry I was thinking of what I wanted to say next and not really paying attention to what you said.
Doing Dishes I am really, really bad at doing dishes. So bad in fact my wife never makes me do the dishes because she ends up just having to redo most of them.
Silence I hate the quiet and have to have some kind of music, TV or conversation all the time.
Completing repetitive tasks for a long period of time. I would be the worst factory or fast food worker in the history of history. If I have to do something at work that is repetitive I try to figure out a way to automate it.
Today I got a bunch of questions from people who were woken up at 2330 last night because of an Amber Alert on their iPhone wondering what they could do about it. Sadly there’s no way to customize the alerts, they are either off or on.
If you want to turn them off you need to do this:
Launch the Settings App
Tap on Notifications and scroll all the way to the bottom of the page.
Under the Government Alerts section, you’ll see an option to enable and disable both Amber Alert notifications as well as general emergency alerts.