Security for Real People

A band-aid for Twitter's horribly broken security

2018-12-27T10:41:00.000-06:00

If you manage a high-value Twitter account, consider creating a second, "burner" account. After enabling multifactor authentication on the high-value account, add the same phone number to the burner account. This will turn off SMS access features for the high-value account, without breaking MFA on the same.

Updated December 31: Added a description of the variations between mobile app, mobile web UI, and desktop web UI, along with a bug Kevin Beaumont pointed out (described at the end of this post).

On Christmas Eve, Richard De Vere of The AntiSocial Engineer published a doozie of an article describing a serious flaw in Twitter’s security. In a nutshell, if a Twitter account has a phone number connected to it, Twitter accepts instructions via SMS from that phone number, with no additional authentication required.

It gets worse – far worse. Twitter requires a phone number be connected to an account in order to enable multifactor authentication. Twitter does support using a mobile security app or a physical key for MFA, and allows you to turn off SMS-based 2FA, but requires a phone number to be connected to the account nonetheless. Removing the phone number also turns off "logon verification" (Twitter's term for multifactor authentication).

Meaning, a user security-aware enough to set up two-factor authentication to protect their Twitter account, is also opening a back door into their account, a back door that allows functions including follow, unfollow, tweet, retweet, like, DM, turn on or off push notifications, or remove the phone number from the account.

And since Twitter 2FA requires a phone number, sending a “stop” message to Twitter from (or spoofing) the number associated with an account, will disable 2FA on that account, with no notice to the rightful account owner.

That's right: enabling 2FA on Twitter, explicitly enables an SMS back door to Twitter, which can be used to disable 2FA on Twitter, without you knowing that 2FA has been disabled.
Read more »

The most challenging aspect of security

2018-12-04T21:51:00.002-06:00

Ever wondered what is the most challenging aspect to security? It's not understanding the evolving threats and actors. Certainly those are important, but people smarter than me do a fine job of tracking and reporting on emerging threats.

It's not the constant evolution of tools and blinky boxes. Sure, tools are part of the mix, and knowing what tools will benefit in what situations is a must, but a tool is a tool. Given the right tool with a suitable understanding of the problem, the right people can figure out the right way to use it.

It's not understanding the technologies and solutions I'm tasked with defending. Of course that is crucial, but 20 years in the field have taught me a great bit about operating systems, applications, networking, business, and the way systems work, break, and can be fixed.

The biggest challenge? It's not threats, blinky boxes, or foundational knowledge. It's the context switching. It's being eyeball deep into a topic when something else demands attention. It's the interrupt-driven pace of work, always at the mercy of the next unscheduled threat.

What techniques do you use to carve out dedicated time for strategic work? How do you avoid the pitfall of perpetual firefighting? Comment below or join the discussion on Twitter.

On teaching kids to make good security and privacy choices themselves

2018-08-07T19:45:00.001-05:00

February 10, 2019: Since writing the below post, I've learned of a technique that is used to get around Instagram's obscuring unsolicited direct messages.

Instagram in general will blur DM'ed images from strangers, with a message asking if the recipient wants to accept the message. It's a simple and sometimes-effective way to reduce unwanted sexual images (more often than not sent to female accounts). To get around that, some lowlifes will begin a DM conversation benignly, engaging their mark in innocent conversation. After the target has accepted the (so-far above-board) DM, the abuser sends obscene images that are not obscured because the sender is now "known." The abuser keeps a clean "public" profile and only engages in abusive behavior through DM; since the abusive content is sent by DM, Instagram staff either cannot or will not (it's unclear which) view the content to act on abuse reports.

Educate your children that even if the conversation seems innocuous, you never really know who is on the other end of an Internet conversation.

If you or your child have received such unsolicited obscene material, you can report it to the FBI's Internet Crime Complaint Center (IC3) at https://www.ic3.gov/complaint/default.aspx/

If the recipient is under the age of 16, you can also report it to the National Center for Missing and Exploited Children (NCMEC) at https://report.cybertip.org/

In both cases, a screen capture of the obscene DM that includes the sender's name and/or profile alias will help preserve evidence if the abuser later deletes the DM.

Over the years I've written several posts on raising security-conscious kids.

A trend in my writing, as well as in my parenting, has been that as they grow up, my approach has evolved from technical controls to educating them to make good choices themselves. A recent conversation with my high school daughter highlights why that is.

My middle daughter maintains an active Instagram account. A household rule is, if your social media account is public, don't post anything personally identifiable; if you want to post personal stuff, keep your account private. This is a rule that gradually loosens as they grow older and can make informed decisions. As my daughter has gradually shifted from private to somewhat public, she recently was asked if she would be a "brand ambassador" for a company.

We discussed some of the dangers and abuses a teenage girl would face as her exposure grew (abuses I have little first-hand experience with, but that I am well aware of through conversations with many of you). Her response was both shocking and encouraging:

"Dad, I already deal with all of that. I just block and report them. Besides, Instagram obscures DM'ed photos unless I accept the request."

While not the response I expected, and not a topic I would have ever thought relevant in the not-too-distant past, I have to admit that's a pretty mature response.

The moral? Technical controls can only go so far; as kids grow into teenagers and fledgling adults, they need the tools and skills to look after themselves.

Using malware's own behavior against it

2018-02-12T22:19:00.000-06:00

A quick read for a Monday night.

Last week while investigating some noisy events in my security monitoring system, I noticed two competing Windows features filling up event logs: link-local multicast name resolution (LLMNR) put lots of name resolution requests onto the local network segment, which Windows firewall promptly blocked.

LLMNR is the successor to NetBIOS Name Service. Both serve the same purpose: if a computer cannot resolve a name through DNS, it essentially yells out on the local network "hey, anyone know an address for xyzzy?"

This sounds like a reasonable solution, but it invites abuse. If an adversary has a foothold on my network, they can either listen for and reply to common typos, or can actively interrupt the legitimate DNS and instead give their own answers. In either case, the adversary can provide fake addresses for servers and websites, directing users to malicious places (and possibly stealing usernames and passwords along the way).

Generally speaking, I recommend turning off LLMNR and NBNS, as well as using a trusted DNS provider that prevents access to known-malicious websites.

Today I came across a slick way to use such malware's own behavior against it. LLMNR "responder" malware replies to requests with a bogus address, so they generally respond to *any* request. So Respounder spits out bogus name requests and looks for responses.

Seeing isn't believing: the rise of fake porn

2018-01-24T22:12:00.002-06:00

The following may be disturbing to readers, but I feel it is important to write for several reasons. The first is, to stay a step ahead of cyberbullies that could use this technology to humiliate others. The second is to give readers - especially parents and teens - information to consider when deciding what to share publicly, privately, or at all.

In late 2016, software maker Adobe showcased an audio-editing tool that could, given a speech sample, create a natural-sounding recording of that person. This capability could come in very handy for editing podcasts or narrations, allowing a producer or sound engineer to edit the spoken text instead of re-recording.

Last summer, a University of Washington research project demonstrated the next logical step. They were able to take a video recording of a public speech, replace the audio portion with a recording saying something else entirely, and manipulate the video so the speaker's face and mouth movements matches the new audio.

Faking someone's spoken words is one thing. But technology publication Motherboard wrote today of a new and disturbing practice gaining steam in the last six weeks or so: so-called "face-swap" porn, an artificial intelligence-aided merging of celebrity faces onto the bodies of porn actors, to create convincing videos that appear to be of that celebrity.

In the article (warning: NSFW, and unsettling content) Motherboard writes of individuals taking benign video from celebrities' public Instagram stories, and transferring the faces onto nude Snapchats posted by others. Using freely available software and step-by-step instructions, the technique can be accomplished by even a novice computer user.

My fear is that it won't stop with celebrities. The thought of someone taking video from my daughter's Instagram, and creating a believable fake video with which to humiliate her, shakes me to the core, as it should any parent.

So why write this?

The first reason is to counter would-be cyberbullies. My hope is that a fake video - even an extremely convincing fake - might be less traumatic if it is widely known that such fakes are no longer fantasy.

The second reason is to give you food for thought when it comes to privacy decisions. What you (or your child) post publicly, may be seen by - or downloaded and abused by - anyone.

There is no one-size-fits-all solution when it comes to privacy and safety, but I'll share how I have approached this with my kids. When my children first began using social media, our household rule was that a social media account could be either public, or personal, but never both.

If the child wanted to share publicly, it had to be under a pseudonym and never include pictures of them, their family members, pets, or home. If the child wanted to identify themselves, the account had to be private and only shared with friends they (and we) knew in real life.

As they and their situational awareness have grown, we have given them more discretion, but you can bet this development is the subject of discussion in our home.

It's W2 scam season

2018-01-12T16:21:00.000-06:00

Time for a short Friday afternoon social engineering‍ discussion. If you work in HR / finance / benefits, you'll want to stick with me.

It's January, the beginning of tax season in the US (and I presume, other countries as well). Employers in the US are required to provide W2 statements documenting pay and tax to their employees by the end of his month.

Scammers know this, and love to exploit this annual ritual. The common schemes I see are an email or phone call pretending to be from either a company executive (often the CEO or CFO), or from the taxing authority, with an urgent request for employee records.

Urgent because, a sense of urgency can short-circuit skepticism and get an employee to respond before thinking.

Oddly, even though employers must provide this data by January 31, W2 scams have tended to peak around March for the last few years. Perhaps there's a psychological element since individual tax returns are due by April 15 so it remains top of mind for the HR/finance/benefits/payroll employee.

If you work in HR / finance / payroll / benefits, or otherwise have access to employee personal data, stay vigilant over the next 90 days or so. Be suspicious of any request for employee records, especially if it comes in an unusual manner.

Take the time to verify the request through a trusted channel. Depending on your organization size, that might mean in person, over the phone, or via an established business process.

DON'T ship a CSV or XLS of employee data simply because someone - even the CEO - sends an email requesting such.

If you own or manage a business, or manage those that have access to employee records, be sure they know how employee records are handled, and know the appropriate process for requesting and approving transfer of that data.

If there is no established process for handling employee records - make one, and stick to it.

A handy trick for proxying HSTS sites in Chrome

2017-12-20T20:23:00.004-06:00

TL;DR: Chrome has a nifty undocumented trick that makes proxying so much more useful when testing sites using HSTS or pinned certs: where the security warning screen doesn't give you an option to ignore, type "badidea" to continue anyway.

Browser makers have been raising the bar when it comes to website security, gradually moving toward a state where insecure websites stand out like a sore thumb. The result has been a steady increase in the proportion of websites that safeguard your private information while in transit between you and the web server. Google's Chrome in particular makes it especially challenging to use badly secured websites, with a variety of warning messages such as the image above.

In the example above, the website in question has enabled HTTP Strict Transport Security, or HSTS, which tells browsers that it should only be accessed over a secure channel, and so to always use HTTPS. Essentially, the website tells browsers "don't ever come here again except over HTTPS."

In this case, the warning is slightly misleading: I am browsing to the site over HTTPS, but using a proxy to inspect what I am sending to the website. The proxy feature of Burp Suite allows me to send information to a secure website, but to catch and decrypt it before it leaves my computer, to see exactly what my browser is sending.

As a penetration tester or vulnerability researcher, it is very handy for making sure an application is not sending more data than I intend. It is also very handy for probing an application for data leaks and weaknesses. In this scenario, Chrome's helpful protection is less, well, helpful.

Thankfully, Google developers included an undocumented Easter Egg: typing the phrase "badidea" while that warning is on the screen, will clear the warning and proceed to the website.

A note to readers: this is a handy trick for researchers and penetration testers. Generally though, that warning is there for a reason. If you unexpectedly see a warning that your connection is not private - your connection is not private. If you are not intentionally man-in-the-middling your connection, the warning likely means either the website or your network is compromised. The technique I use for testing web applications is the same technique used by malicious hackers to eavesdrop when you connect to an "evil twin" hotspot mimicking the legitimate connection provided by your coffee shop or airport.

The moral? Unless you know what you are doing, bypassing Chrome's privacy warning is, well, a bad idea.

Private data in public places

2017-11-30T21:03:00.000-06:00

Professional social engineer and open source intelligence expert Stephanie "@_sn0ww" Carruthers makes a living out of (mis)using what people and companies share publicly, so when she talks I listen. Her talk at the Lonestar Application Security conference in October was captivating in showing how such information can be used to infiltrate a business (in her case, for the purposes of showing the business their weaknesses and how to defend themselves against someone with actual malicious intent). She made an observation this week that sparked some lively discussion:

Be sure to deregister Amazon devices purchased as gifts

2017-11-27T20:18:00.001-06:00

Now that post-Thanksgiving shopping is in full swing, here's a brief tip for those purchasing Amazon gadgets as Christmas gifts: if you are giving an Amazon Device to someone outside your household, take a moment to deregister the device from your Amazon account. Otherwise you may inadvertently give more gift than you bargained for.

Amazon devices ship pre-connected to the purchaser's account -- and thus to the purchaser's payment settings. This is the the case for Fire TV devices; it may also be true for Fire tablets and Echo voice control devices. Straight out of the box, an Amazon Fire TV device can purchase digital media and games, billed to the original purchaser of the device.

I actually like this user experience decision: it is quite consumer-friendly, making it simple to unbox it, plug it in, and immediately start using it. Sure there's a potential abuse case here: a device stolen out of the mailbox could be abused to make digital purchases billed to the rightful owner - but those purchases are still tied to your account, not to the device, so there's no transferable value to the thief*. On top of that the purchaser gets a notification as soon as the device is first activated, limiting the window to make fraudulent purchases. And of course fraudulent purchases can be disputed and reversed.

This leads to another tip: where possible use a low-limit credit card, or a prepaid debit card, for any online accounts. That way any fraud is with the bank's money and not yours. A debit card is tied directly to your bank account, meaning fraud immediately hits your cash balance. Sure, you'll get fraudulent transactions reversed and the money back. Eventually. But eventually doesn't help if the rent is due today.

*Digital media is not transferable. However, some apps feature in-app shopping, suggesting it may be possible for a mail thief to plug in a Fire TV and purchase physical items for delivery. Alexa voice commands theoretically would allow for purchasing hard goods independent of any app features.

IR Toolkit

2017-11-09T21:14:00.000-06:00

In 20 years of systems administration and incident response, there are a handful of tools I find myself coming back to over and over again. Naturally, the SysInternals suite is on the list, along with Wireshark and Didier Stevens PDF tools. I've also included portable installations of Python Some are useful for examining a system, others are useful for examining a suspicious file or attachment. So... I started a GitHub project to document my favorite free and/or open-source tools.

I'll bet my readers have some of their own favorites: by all means, please comment below, or submit a pull request on GitHub, and I'll update the list!

https://github.com/dnlongen/IR-Toolkit

Exploiting Office native functionality: Word DDE edition

2017-10-10T16:21:00.000-05:00

Updated 20 October: Added a note regarding enabling full command line logging for process creation events; added a note clarifying that "Creator Process Name" is only recorded in Windows 10 and Windows Server 2016. Older versions of Windows record the creator process ID but not the process name; added references to a variety of exploitation techniques found by other researchers or seen in the wild.

Updated 11 October: I originally wrote that this exploit technique bypassed both disabled macros, and Protected View. That is incorrect: this technique will work if macros are disabled, but the code does not trigger while in Protected View. Thanks to Matt Nelson (@enigma0x3) for pointing out my mistake.

I love reading exploit techniques that rely on native features of the operating system or common applications. As an attacker, I find it diabolically clever to abuse features the target fully expects to be used and cannot turn off without disrupting business. As a defender, I am intrigued by the challenge of detecting malicious use of perfectly legitimate features.

Researchers Etienne Stalmans and Saif El-Shereisuch of Sensepost wrote of a slick way to execute code on a target computer using Microsoft Word - but without the macros or buffer overflows usually exploited to this end. Instead, they use dynamic data exchange, or DDE - an older technology once used for coding and automation within MS Office applications. This is particularly clever because it works even with macros disabled - because it's not using the macro subsystem.
Read more »

Enable two-factor on your Yahoo account... if you can

2017-10-05T08:57:00.002-05:00

Yahoo! accounts have very different security options depending on their origin.

Unless you've been living under a rock, you know by now that Yahoo! suffered a massive data breach in 2013. The number of accounts reportedly affected changed a number of times, until this week it announced that every single account had been compromised. All 3 billion of them.

Zack Whittaker, security editor for ZDNet, had this to say:

That's good advice - if you can. Many cannot.
Read more »

Seven steps to minimize your risk of financial identity fraud

2017-10-02T21:22:00.002-05:00

This is one of a few Security for Real People blog posts routinely updated once or twice a year, to offer up-to-date advice to consumers and small businesses as threats evolve over time. The recent Equifax breach has put most Americans at a higher risk of identity fraud and is a good reason for an update.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than it was a few years ago, but it still remains a hot topic. Between Sonic, Sabre, Target, The Home Depot, Sears/Kmart, Dairy Queen, Wendy's, Cici's Pizza, Goodwill - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story in late 2016, researchers at UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit code on the back. Visa's payment network will block repeated attempts to guess the expiration and security code coming from a merchant - but does not detect guessing attempts spread out across many merchants.

The result is, by automatically and systematically generating different versions of security data for a card number, and trying the different combinations across thousands of merchant websites, a malicious hacker can successfully guess the correct combination of account number, expiration date, and security code in just a few seconds.

So what can you do to take credit card fraud off the top of your list of worries?
Read more »

Incremental wins: iOS11 strengthens the idea of Trust

2017-09-19T13:45:00.000-05:00

Two years ago, a friend piqued my curiosity with a question about a iPhone / iPad app teenagers were using to hide content from nosy peers (and parents). This person wondered whether the app was more than "security by obscurity" - did the app actually protect and encrypt the hidden data, or did it merely hide it out of obvious sight?

The answer turned out to be the latter, but along the way I noticed a curious oversight in the iOS security model.
Read more »

Avast download site compromised to host a malicious CCleaner

2017-09-18T12:32:00.000-05:00

If you downloaded "CCleaner" software from antivirus company Avast between August 15 and September 12, you have a problem. Cisco's Talos threat research group discovered that company's software download page was compromised to host a malicious version of CCleaner that contains malware.

Computers that downloaded and ran that software became part of a botnet, a network of computers under the control of whomever is behind that malware.

Those that follow my advice to use the free OpenDNS service for their home networks are partially protected - your computer would still download and install the malware, but would be prevented from accessing the command and control servers the criminals use to deliver instructions to your computer.

If you use CCleaner, check your antivirus software to be sure it is completely up-to-date, and run a full system scan. Now that the malware is known, most commercial antivirus programs will begin to detect it (with varying degrees of success).

I have long recommended automatically updating software with the latest available patches and updates, as a core tenet of basic security for individuals and small businesses. After a Ukranian software company was hacked to deliver malware to taxpayers in that country, I wrote up an analysis of why I still held that recommendation.

I said then:

In over twenty years as a systems administrator and security professional - much of that time overseeing patching for a Fortune 100 company with a quarter million systems to update - I can count on one hand the number of catastrophic failures caused by patching, and still have fingers left over. Conversely, hardly a month goes by that I don't see malware and criminals exploit vulnerabilities in Windows, browsers, office productivity software, mobile apps, building automation systems, industrial control systems, and other computing software.

It is becoming increasingly difficult to maintain that position... I suspect I am up to two hands now, but for the time being, I still find quickly updating is less risky than not patching.