Jul 26, 2016

How to install Android 4.4 r5 in VMware Workstation

I saw a lot of other videos out there, and they seem to be missing the latest steps so I decided to put this video together.

You will need VMware Workstation, VMware Player, or VirtualBox. You will also need the ISO file “android-x86-4.4-r5.iso”, which may be found here: http://www.android-x86.org/download

Posted in New Technologies, Security Tutorials
Mar 25, 2016

Why Bashing Formalized Education is BS and Needs to Stop

Just a note… on this EC-Council cryptolocker breach, and inspired by @da_667 on twitter because he doesn’t have his head up his butt.

First of all, EC-Council supports a wonderful program called Certified Ethical Hacker (CEH), which as a cert is:

1. Affordable, and
2. Obtainable by people just starting out in a cybersecurity program

I saw someone post on Twitter yesterday about why they are against certification, and their opinion is invalid (and sucks).

Most people starting out can’t afford SANS certification or courses yet, and CEH still has a place in Cybersecurity.

I’m sick of hearing prima donnas talk crap at conferences, as certification and formalized education allow people starting out or interested in certain topics to:

1. Push themselves to learn something they haven’t learned before.
2. Expand on their knowledge in a way that helps to fill in gaps and areas they may not even know they are missing.
3. Show potential employers that the person is actually interested enough in the field of cybersecurity to obtain something related to it.
4. Build confidence to move on to bigger and better things.

With that being said, yes it’s ultimately up to the candidate for a job to prove themselves during the interview process and that goes well beyond a cert.

However, that cert will get them recognized and shouldn’t be looked down on, as there are many in the field that have it. Some of those individuals are the friends you present with at conferences and support.

I’m currently not one with a CEH – just pointing out facts – but hell… I’m probably going to get CEH anyway.

I will admit that while the irony of a cert website getting breached sounds funny at first, this is truly sad.

EC-Council helps to bridge the gap and hopefully provides a stepping stone to help elevate people to a job they may actually be passionate about.

To bash EC-Council or the certification is complete BS… instead, use your talents to help them. You’re that good at pentesting and helping out… contact EC-Council – I’m sure they can use your assistance, as this isn’t the first time their website has been breached. Put up or shut up.

Stop bashing security certification, as this only helps to:

1. Make students disinterested in pushing themselves through a formalized or common-body-of-knowledge program that may expand their knowledge.
2. Make our cybersecurity community as a whole weaker in the process, as it may create gaps in knowledge of various systems.
3. Keep people insecure in their knowledge.

So are certs a means to an end? No… but they are a great pathway to the freedom we enjoy in Cybersecurity and perhaps a builder of greater speakers and professionals to come.

Speaking from experience, I wouldn’t be where I’m at if I didn’t have a formalized education in Information Assurance/Cybersecurity that made me realize I’ve been pentesting systems since I was 11 years old.

Just never put it together or thought I was good enough… until I went through a program that gave me the confidence.

Posted in Information Assurance
Mar 23, 2016

Surreal Paradigms… Automotive and Cybersecurity Cultures

Well – I had a great time today at the 3rd Annual Cybersecurity Summit. Basically there are a lot of conferences out there on this subject lately, but I love the mixture I see of Cybersecurity experts and Engineers.

I did a 15-minute talk about how the Engineering and Cybersecurity cultures differ, and how we both need to focus more on the common good. I highlighted Charlie Miller and Chris Valasek and compared them to Roger Boisjoly, because both found vulnerabilities in vehicles (Charlie and Chris in cars; Roger in a rocket of the Space Shuttle Challenger).

It’s important because it’s been 30 years this year since the Challenger malfunction, and there are a lot of parallels to be drawn (especially with heroes of the industry being shunned for presenting findings that have scientific testing behind them).

We need to strike down the differences (both automotive and cybersecurity) and listen without prejudice when security researchers come forward with findings, as this helps to create an opportunity to fix issues. I’m sure business people are thinking about the money this costs; however, it may cost in the way of litigation as well.

Craig Smith, Charlie, Chris and Roger have been criticized from time to time and even shunned by companies for coming forward. In short, I see the same type of environment (denial of the possibility of a hack) coming from various companies – just like there was a denial to fix the space shuttle issue and delay the launch in 1986.

I highlighted the following video:

Basically, following up on the video, I pointed out that the people in the conference have the ability to take action, followed up by: “Conferences are OK, but Action wins the day!”

Automotive manufacturers have to take action to become more agile in response to various issues, and cyber warriors need to understand not everyone can talk about what’s going on in the automotive industry due to legal obligations (and the fact they want to keep their job to feed their children).

Overall, we need to foster (together) a wonderful environment/community and that’s the atmosphere we are creating at Walsh College in regard to our Cybersecurity vehicle certification.  However, it doesn’t need to stop there… as everyone can do it (the bigger the better)!

We are partnering with people and making connections across industry because we all have to be part of the solution.  Silos and keeping things closed source won’t work.

We have developed a two-part course for understanding automotive systems and testing controls… along with providing findings to those people that actually want to partner with us (and yes, there will be nondisclosure statements).

Think of the world of possibility and what we are all capable of if we take action and most importantly work together to combine our knowledge.  How fascinating!

Chris Valasek, Charlie Miller, and Craig Smith to name a few are great talented people and gifts to our cybersecurity community and most importantly the automotive industry.

Embracing their ideas, dropping the negative perception of a hacker in a hoodie, and recreating that impression as a partner at the table is important for all of our success.  Media tries to play and spin perceptions, don’t buy into it – it holds us back as a true team by limiting all of our potential.

We owe it to ourselves, as it is our generation’s responsibility to work together for a common goal. We owe it to ourselves and to our children, who will have to carry the weight after we are ready to move on to that beach and fun in the sun.

Link to the presentation is here: Walsh Connected Vehicles

Posted in Information Assurance, New Technologies
Aug 30, 2015

Windows 10 – Why the human race is screwed when it comes to Security…

Please allow me to introduce myself: I’m David Schaefer, an Information Technology professional who has supported security via teaching and other unique findings for over 25 years. I’m not crazy, and I don’t believe in things like the Illuminati, the 13 families, etc.

I love my country and what it is supposed to represent, although I believe something has gone terribly wrong along the way to utopia, and it’s due to human greed.

I’m a father first who loves his family, and I work full time in an Information Technology department while developing and teaching offensive and defensive computer security classes, on top of balancing a number of other things in my life.

I’m not paranoid, but I am a fan of history as it does repeat itself, and I do observe data and trends – especially concerned with Information Security (InfoSec).

That is why I’m taking a break from my normal hectic life, as this is extremely important to get out: this is not just another Cybersecurity rant… it’s a concern for the human race.

It started with this article this morning: “Despite privacy concerns 75 million devices are already running Windows 10” (http://bit.ly/1hpgezi, August 2015). I tweeted about this, but I can’t possibly encompass everything going through my head in a tweet. Please take the time to read the article I referenced and watch the video in the link I shared above to see what I’m talking about. Truly, it’s not just me, as I’ve been reading these things for weeks, but I’m astonished by how many are already on Windows 10. So I’m writing this as a supplement.

With that said… Microsoft has finally crossed that line where I can’t tell if they are an individual company or a subsidiary of the United States government, when they started pushing out the worst Windows 10 features to their Windows 7 and 8 OSs this month via the KB2068708 and KB3022345 updates (http://onforb.es/1Q1CLhO, August 2015). This is being said by someone who remembers the Microsoft antitrust lawsuit brought by the government; my, how times have changed.

Image Source: https://www.secureworldexpo.com/sites/secureworld/files/Cyber%20Offense-Defense%20Image%20-%20Labeled%20for%20Reuse_0.jpg

Please share this post with everyone you know and love, or at least those that care. We are fighting a human battle here that we can’t win in the War of Cybersecurity. Security advocates like myself consistently try to protect others, but few care. Often our battle cries fall on deaf ears, as the majority of people choose not to understand why we teach how to break into systems, or why we even try to break into systems to start with. However, by the same token, people in general accept and can understand when we teach how to defend computers.

Image Source: https://www.staysafeonline.org/download/document/598/FTC+online+safety+guest+blog+2014_9_16.jpg

General society for the most part chooses not to understand that defensive and offensive security go hand in hand. They also choose not to understand, or seem not to care about, security to the point that they will risk their own data and the data of their loved ones in making technology choices that put loved ones at risk. For example, the simple choice to put an internet-connected camera in your daughter’s room that is on and connected 24×7 is strange to me. Putting a camera in your own daughter’s room may not be typical, but this is taken from my personal real-life experience working with a senior system programmer who thought this was a good thing to do. Did they ever get compromised? I’d like to think not, but why risk a compromise like that with someone you love so much?

However, even now we don’t think much about providing technologies like computers with cameras in them, and phones that can have spyware installed on them to record sound and video. I’m talking from yet another experience where a student of mine provided a cell phone to a 6-month-old baby… it’s all conditioning the human race, and that child, like many nowadays, will not know a day without technology.

The Windows 10 article is just as concerning to me as the daughter camera incident, in the way that there are privacy concerns in Windows 10 – especially with passwords being stored on Microsoft servers, along with biometric behaviors, location data, etc. by default.

It’s not just about us as system administrators.  It’s about everyone… it’s about our mothers, grandmothers, daughters and sons, friends, and people we haven’t even met yet. We have the knowledge to protect them but unless they want to learn… and do something about it – it’s worthless.  Besides, who is going to take care of them after we are gone?

I really do fear for our children and their children in regard to technology and the current state of the government, much less society in general – their lives have already changed so much in regard to what I had to worry about as a child.  I also fear that it will only get worse as time carries on as it did for us.  There are more attack vectors now in 2015 than I could have ever imagined as a teenager when I first started to break into things.

However, the general public doesn’t seem to care about security as it relates to privacy when it comes to “free” and “technology” in the same sentence.

Image Source: http://storegridcloud.vembu.com/img/out_of_box.png

How are we as InfoSec professionals supposed to stand up for people when they swarm en masse to an OS that has so many privacy/security concerns right out of the box??? Yet another vector we need to be concerned with is how Microsoft can now push updates down automatically and update terms (and they will) as time goes on after the initial install.

Sure, you may disable the auto-updates feature in Windows 10 but it’s a pain to work with – so most of these people we truly care about won’t bother (and those that do will probably become even more insecure). This auto-update feature could potentially open a bigger hole for Microsoft to suck even more data down that violates our privacy.  See the catch 22 here?  I guess we just need to figure out if it’s better for the NSA to have our data, or if it’s better for malicious attackers to have it – if there is a difference.
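For the checks this post hints at (whether the two updates it names are present, whether the telemetry service is running, and whether automatic updates are policy-controlled), here is an added read-only audit script in Windows PowerShell; it is not the post’s own code, and the DiagTrack service name and the AllowTelemetry/NoAutoUpdate policy values are standard Windows locations assumed here rather than taken from the post.

```powershell
# Added example, not from the original post: a read-only audit of the telemetry
# state the post complains about. It changes nothing; it reports so that the
# owner can decide what to disable. Run from an elevated Windows PowerShell prompt
# (Windows 7, 8 or 10); it avoids PowerShell 3+ features so Windows 7's 2.0 works.
# Assumptions: the KB numbers are the ones the post names; DiagTrack (the
# "Diagnostics Tracking Service") and the AllowTelemetry / NoAutoUpdate policy
# values are standard Windows locations, not something the post documents.

$TelemetryKbs = @('KB2068708', 'KB3022345')   # updates the post says push Windows 10 telemetry to 7/8

function New-Finding($check, $value, $note) {
    New-Object PSObject -Property @{ Check = $check; Value = $value; Note = $note }
}

function Get-TelemetryAudit {
    $findings = @()

    # 1. Named updates: Get-HotFix -Id throws when an Id is absent, so list all and compare.
    $installedIds = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $TelemetryKbs) {
        $present = $installedIds -contains $kb
        $findings += New-Finding "Update $kb" $present 'True = the update the post names is installed'
    }

    # 2. The DiagTrack service uploads the collected data. WMI is used because
    #    Get-Service on PowerShell 2.0 exposes no start type.
    $svc = Get-WmiObject Win32_Service -Filter "Name='DiagTrack'"
    if ($svc) {
        $state = '{0} / start mode {1}' -f $svc.State, $svc.StartMode
        $findings += New-Finding 'DiagTrack service' $state 'Running + Auto means telemetry upload is active'
    } else {
        $findings += New-Finding 'DiagTrack service' 'not installed' 'Service absent: telemetry components not present'
    }

    # 3. Policy telemetry level: 0 = Security (Enterprise only), 1 = Basic, 2 = Enhanced, 3 = Full.
    #    No value means the OS default applies, which is not the most restrictive level.
    $dcPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $level = (Get-ItemProperty -Path $dcPath -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -eq $level) { $levelText = 'not set (OS default applies)' } else { $levelText = $level }
    $findings += New-Finding 'AllowTelemetry policy' $levelText '0 or 1 is the most restrictive an admin can set'

    # 4. Automatic updates policy: NoAutoUpdate = 1 disables automatic installation.
    $auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $auPath -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    if ($null -eq $noAuto) { $auText = 'not set (automatic updates on)' } else { $auText = $noAuto }
    $findings += New-Finding 'NoAutoUpdate policy' $auText '1 means updates (and new terms) are not pushed silently'

    $findings
}

Get-TelemetryAudit | Format-Table Check, Value, Note -AutoSize
```

The script only reads; turning DiagTrack off or setting the policy values is a separate, deliberate step, and on Home editions the lowest AllowTelemetry value that takes effect is 1 (Basic).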

Microsoft and their supporters call our security concerns overblown; however, they are not overblown. This is a typical tactic used to make individuals less sensitive and thus dismiss a legitimate concern.

Microsoft and US Government officials are chipping away at our privacy little by little (or in this case in one fell swoop) so they can catalog us, for what most may think is limited to ads (however, it is potentially much more). Don’t believe me? Ask representatives like Jeb Bush, who thinks encryption is bad for us but, by the same token, uses encryption on his own website.

Good ole Jeb just highlights the technological bloody mess we are faced with in regard to government and our own privacy concerns, as it relates to those in charge of our lovely government. Obviously, Good ole Jeb Bush doesn’t care to protect our own data like credit cards, social security numbers, etc. However, Jeb Bush by the same token uses HTTPS, which is an encrypted protocol, on his own site. Don’t believe me? Look: https://jeb2016.com/. These are the people we elected to the government!!!! Good ole Jeb Bush – “Do as I say, not as I do” – and who cares? Jeb doesn’t… but elect him because he’s related to two individuals that were presidents. By the way (BTW), Jeb has supporters… so if that doesn’t say we’re hosed, I don’t know what does.

Political and commercial entities are just trying to condition us like a frog in the beaker.

I’m sad that 75 million users don’t get it (because I think we’re all in this together… the entire planet, not just the US)… and Microsoft isn’t the only one doing this… Apple is guilty as well…. it’s just that more people use Microsoft than Apple. We are selling ourselves short, and selling ourselves out… when we blindly install this junk.

This is not just about us it’s about our loved ones (as we transmit data with them and on them as well).

One only needs to study history to see that this data can be used against us, and the data Microsoft stores on us doesn’t even need to be compromised according to the End User License Agreement (EULA). Yet some ignorant individuals claim that the EULA is sloppy language and vagueness, but not ill intent (http://slate.me/1KMW6nJ, August 2015). Sorry, I don’t buy it, and you’re too naive if you believe it – Microsoft has enough money and lawyers working that this wasn’t a mistake – besides, I don’t see them backing down, especially since 75 million users installed Windows 10.

Is it a coincidence that all this overbearing control in a Windows OS comes from Microsoft just a few years after the Snowden incident exposing corporations like Microsoft for sharing data with the government?

I think not… and the fact of the matter is they are cataloging us… much like the US did via Eugenics push back in the 1910s, 1920s, and 1930s.

Image Source: https://upload.wikimedia.org/wikipedia/en/e/e3/United_States_eugenics_advocacy_poster.jpg

Eugenics is a lesson that supports the theory that not much science or data needs to be studied by the masses in order to support an idea; all they need are notable leaders and public figures to support it. This is an extreme example, of many, where castration of those deemed less worthy was supported all the way through the 1980s (http://bit.ly/1NQ92cg, August 2015). I was alive during this period… so it wasn’t that long ago!

So cleansing didn’t start in Germany; it started here in the USA and continued through to the 1980s (as the US government castrated individuals, among other things). Even our own president Teddy Roosevelt, along with other known people like Helen Keller, H.G. Wells, Winston Churchill, Alexander Graham Bell, and even a Detroit favorite, Henry Ford (http://bit.ly/1EtNHDL, August 2015), all supported Eugenics (http://bit.ly/1F9xOwU, August 2015).

What does this have to do with Windows 10 and other technologies like it?  Let me connect the dots.

Windows now sends data on your biometric behaviors (keystrokes, voice recognition, etc.) back to Microsoft servers out of the box (OOTB), meaning it’s there by default unless you change it, and most people probably won’t. Microsoft Windows is the most popular operating system in the known universe, with Windows owning 75.9% of the market in July 2015 (http://bit.ly/1iECzUJ, August 2015).

The biometric and location data collected on us can be analyzed to see what kind of person you are. This can give more insight into our individual human minds and the way we individually operate. In other words… my theory is that it’s a ploy to hack our minds. Eugenics was based primarily on who you are and how you behave, and Operating Systems (OS) like Windows 10 can now be used to provide more data than the government ever had on us collectively as individuals.

This is paired with the simple fact that we are surrounded by the Internet of Things (IoT), which is basically all these other devices that can track our vitals, tell others if we are home, and where we are located (location is yet another thing collected by Microsoft in Windows 10 as well – by default).

Image Source: http://schoolgetsbetter.org/wp-content/uploads/2014/12/technology-storm.jpg

I’m not saying we may have another Eugenics phase coming up, but what I’m saying is we are opening ourselves up to something like that, or even something more potentially dangerous. The IoT and the general willingness of individuals to blindly participate in it are putting us into a perfect-storm situation in which racism and governments can pick people off based on biometric data like raw emotions, behaviors, and the myriad of data we have been recording ourselves via blogs, Facebook, Twitter, etc.

However, it’s not just limited to that, and I can’t stop thinking of some evil villain who is laughing his butt off somewhere because his plan is coming together as we naively continue to connect ourselves to sensors everywhere, even when we are strolling about (in regard to mobile devices).

It’s sad, but in order to change this we have to consider that there still are other options out there. I myself will support Windows only if I’m getting paid to support it as a professional, and will continue to support my students by providing host-based hardening lessons on Windows 10. This will in turn make me stronger in supporting Windows. However, I’m sad to say Windows and Microsoft have lost me personally with this push.

We only have to look as far as our friends/heroes like Bruce Schneier to see what is right and what is wrong in regard to security as it relates to the government. People like Chris Roberts give us the ability to open our eyes to problems around us we can fix, while others like Johnny Long remind us that we are the solution.

There are other great operating systems out there that don’t track you at the rate Windows does, and we can still use Microsoft Office on them via Windows in a virtual machine. Linux is what I’m thinking of primarily… mainly for my home life.

However, large organizations are harder to convert off of Windows, which is why I will continue to support Windows in the future, as I can make money off of it. I just can’t see myself saying I want anyone I know or love using Windows 10 – but again, that’s their choice, just like smoking.

The general public really doesn’t care to take action on these security issues. However, for those that do… the simplest law of economics states that we vote with our buying power (free or not), and that, paired with the fact that Windows 10 is already installed on 75 million devices, shows very little concern or thought about how the data could be used against them.

The Microsoft Windows 10 free offer reminds me of another history lesson where Troy accepted a Trojan Horse from the Greeks – it didn’t end too well for Troy either nor will this end well for us.  Maybe as a race we deserve what’s coming to us as we ignore security issues and security concerns.

Posted in Information Assurance, New Technologies, Public Speaking, Windows, Windows 10, Windows 7, Windows 8
Aug 28, 2015

Another Dimension

Image Source: http://www.photoshop-info.ru/uroki/surreal_song_lady_of_the_desert/final_result_large.jpg

Time keeps slipping away into an eternity – like a silent waterfall trickling away all our moments and memories into space.

The fourth dimension is beyond my comprehension as we continually transcend into the end…

I try to grasp at time but it simply slips through my fingers… I try to enjoy it but it invisibly moves until it’s not there anymore and I can’t see it again.

Time is truly a playful child, joking, and laughing at us as we simply try to hold onto it for love and for life.

Our time is spent, our time has gone, our time is what we make of it…

Don’t worry about time, it doesn’t worry about us as it jokingly and gently dances away with a smile and a wink into the western sunset.

Posted in Poetry
Aug 08, 2015

Hacking Tesla

Image of Tesla’s Model S digital panels

One only needs to have a brief look at Tesla’s Model S dash panel to realize that it’s not a typical car. In a normal automobile you would find gadgets with physical gauges to tell you things like speed, fuel and other things. In a Tesla Model S you find a series of computer-generated graphics that represent the physical gauges found in other vehicles. In addition, underneath the sophisticated look of the exterior are controls and WiFi technologies that have had experts in Cybersecurity talking for over a year, making Tesla the biggest target for talk amongst the offensive community. However, it’s not just Tesla that is getting involved and embracing the software enhancement of cars; it’s just that Tesla is so advanced and has taken it to the next level first.

Just recently, Kevin Mahaffey (co-founder and CEO of mobile security firm Lookout) and Marc Rogers (CloudFlare) discovered vulnerabilities and presented on them at Def Con (the biggest offensive security conference in the U.S.) on Friday 8/7/2015 in Las Vegas. The attack on the car requires physical access to the inside of the car and involves plugging a laptop into a CAN bus port located behind the Model S driver’s side dashboard.

Image of Tesla’s Model S CAN bus

The CAN bus port is specific to automobiles, and according to a conversation I had with someone who works directly with Ford Motor Company, it is unfamiliar to most people on most cars. However, in Tesla’s case they actually use an Ethernet network that is more familiar to people who use computers. In fact, Tesla uses an internal 100 Mbps, full-duplex Ethernet network with 3 devices on it that use statically defined IP addresses on a 192.168.90.0 subnet…. this may seem like geek speak to most… but trust me, that’s pretty familiar stuff to those of us who are educated in the arena of computer networks.

Tesla systems actually speak the offensive security community’s language.

Ubuntu logo

The most interesting thing to me as a security researcher is that under all the pretty graphics, the Tesla itself runs a customized Ubuntu operating system, something I’ve favored and taught in my classes for years. This means that modern cars all use an Operating System (OS) and applications just like any other computer we interface with. It also means that unless the manufacturers keep the OS and applications in their hardware products current (like Tesla, Nest, and others), there will be known vulnerabilities that can be exploited to take control of those systems. In fact, if there’s one system Offensive Security people know, it’s Ubuntu, as mainstream offensive testing distributions are based on it.

Kevin Mahaffey and Marc Rogers’ talk at Def Con, after investigating the Tesla systems for over two years, is promised to be one of the top talks. They already released some of their six vulnerability findings to the public to promote the talk, such as the Tesla Model S:

• Using an outdated browser containing a four-year-old Apple WebKit that is well documented, having a history of being used to attack other systems.
  • This Apple WebKit vulnerability allows the attacker to conduct a fully remote hack to start the car’s motor by developing a website targeting the car owners to download malicious code.
    • That code (known as an exploit), when executed, would provide privilege escalation allowing the attacker to deliver various payloads of the attacker’s choosing to the Tesla Model S system.

Tesla Model S

It’s almost like a perfect storm in the way that the owner has to be tricked into clicking on a link to the code to allow this remote control. However, using social engineering and manipulating Google or a search engine to produce a result specifically targeting an individual that owns the car (like telling them it’s a software update or something), one could feasibly do this. The attacker could then have a back door implanted on the Model S system and simply issue commands to the car. The back door would then create a life-threatening issue, as researchers did with a Jeep Cherokee recently under test conditions.

The nice thing is that Mahaffey and Rogers worked with Tesla’s software and security team to develop patches to the Tesla system. Tesla fixed some of the vulnerabilities, delivering the updates to their cars remotely on Wednesday 8/5/2015. What is amazing to me is how responsive Tesla has been in patching these known vulnerabilities so quickly, and how easy it was for them to deploy their updates directly to their cars.

Meanwhile, back here in Detroit, we use systems that are designed specifically so you need to have specific knowledge and physical access to the cars to deliver the updates. One would think that would cut down on issues.

Jeep Cherokee Uconnect system

However, as recently as July 2015 there were findings on the Chrysler Uconnect system that reared an ugly attackable vulnerability. It was discovered that attackers could take control of the transmission, brakes, and steering on certain cars. Chrysler had to issue USB sticks with the patch and ask 1.4 million vehicles to report back to the dealership for the fix. This undoubtedly cost Chrysler more money because of the way they decided to control access to their Uconnect update systems vs. how Tesla does. However, it is important to note that Chrysler does care about the security and safety of their customers; otherwise the money wouldn’t be spent on the updates for their Uconnect systems at all.

Even with all the talk about Tesla and their Internet of Things (IoT) automobile, they will continue to prove themselves only if they can continue to quickly resolve issues, as they have with the deployment of the latest patches delivered this week to their automobiles. Many times in our world of security, weeks, months or even years after a Def Con talk detailing an attack comes out… many software manufacturers don’t even bother fixing the known vulnerabilities.

If Tesla keeps delivering real-time updates quickly to resolve known vulnerabilities, they will continue to win the hearts and minds of the Ethical Offensive community, and even increase their market share as a manufacturer that is concerned with the security and safety of their customers.

Resources:

The Tesla Model S Is Basically A Good Looking IT Department On Wheels: http://jalopnik.com/the-tesla-model-s-is-basically-a-good-looking-it-depart-1558372928

Making the Real Diagnostic Connector Part 1: http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/step2/Making-the-Real-Diagnostic-Connector-Part-1/

The scariest thing about the Chrysler hack is how hard it was to patch: https://www.theverge.com/2015/7/24/9036153/chrysler-hack-vulnerability-automobile-car-software-security

Hackers Remotely Kill a Jeep on the Highway—With Me in It: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Posted in Information Assurance, New Technologies
Jun 29, 2015

Stingrays that attack our civil liberties!

What if I told you there is technology out there that could intercept cell phone data by acting as a cell phone tower? What if this technology had no way to isolate the calls, so that anyone who uses this device in a given area is forced to obtain sensitive information from your phone as well as the target’s device?

These “cell site simulators”, aka “International Mobile Subscriber Identity (IMSI) catchers”, are used in many areas of the government, including the FBI. The bad part is that the Harris Corporation StingRays are indiscriminate in the way they collect data, meaning they intercept everyone’s cell phone data (using the 25 watt StingRay device) within several kilometers of the device when it is turned on.

How it works: Your cell phone device seeks out a connection to the nearest cell phone tower, even when it’s not being used. The StingRay device, when turned on, simulates a cell phone tower. The StingRay gathers information from cell phones by sending out a signal that tricks the cell phones into connecting to the StingRay device. It is a box-shaped portable device that collects hundreds of unique phone-identifying codes, such as the IMSI and Electronic Serial Number (ESN). The authorities can then home in on specific phones of interest to monitor the location of the user in real time, or use a spy tool to log a record of all phones in a targeted area at a certain time (arstechnica.com, 2015).

When the suspect’s cell phone is found, the StingRay measures the signal strength of the suspect’s cell phone to get a general location on a map. Using the signal information from various locations helps the device triangulate the location of the suspect’s phone more efficiently.

StingRays can be used with other software such as “Fishhawk”, used to eavesdrop on conversations. StingRay family devices can be used in vehicles such as airplanes, helicopters, vans, cars, and unmanned helicopters. They are also not limited to eavesdropping; they can be used for encryption key extraction and for conducting denial-of-service attacks, for example.

The thing is, there isn't just one device; “StingRay” has become shorthand for a whole family of products used to track cell phones. In fact, Harris sells several related models, such as the KingFish, TriggerFish, and HailStorm.

HailStorm is the model that Michigan's Oakland County law enforcement purchased in 2014.  The difference is that HailStorm can track phones on 4G networks, whereas older StingRay models were limited to 2G.

To me this is nothing new; having grown up in the age of computers, it doesn't surprise me, as I already see cameras in every public space possible.  I made a point of reading George Orwell's 1984 as a kid, and I could see his fears quickly becoming real even then.  That doesn't mean we should lie down and accept it, which is why I'm writing this: to raise awareness.

The problem I have with StingRay devices is that they sidestep the Fourth Amendment's warrant requirement, whether the data is obtained from the service provider or by tracking the phone directly. A StingRay instantly gathers information from every device around an investigation: not only the people who are part of it, but everyone else who happens to be in the area.  The majority of what is collected comes from people who have nothing to do with the investigation.

The government could use these tracking mechanisms much as Hydra did in Captain America, when Hydra tracked individuals by their actions and reactions in the real world and killed them. Granted, this is an extreme example, but art imitates reality here: an agency using this technology can profile an individual based on where their phone has been and whom it has interacted with. Hydra's methods also have historical parallels in the way Hitler eliminated opposing politicians in order to take over the German government.

Who has a StingRay in the USA? The American Civil Liberties Union (ACLU) maintains a map listing 53 law enforcement agencies across 21 states known to use the technology.

To quote the ACLU: “In order to protect both privacy and First Amendment rights, the law needs to keep up with technology. The government must be open about the use of these powerful tools and put rules on their usage in place to protect people’s Fourth Amendment rights and prevent abuse” (www.ACLU.org, 2015).

What can we do about it?  According to the Detroit News article, we need to be engaged enough to raise public awareness before our commissioners vote to approve technology like this.  The article reported that none of the Oakland County commissioners asked a single question about the HailStorm purchase before approving it in March 2014, exposing the county's voters to the privacy issues described above.

These 21 elected commissioners should be held responsible: they are elected to ask questions and make decisions, not to glaze over and approve everything that comes across the table.

Everyone, not just the commissioners, needs to understand issues like this and be willing to research, or table, a technology purchase they don't understand before approving it.

The government often speaks of transparency but seldom delivers it; the HailStorm purchase is just another case in point.

To learn more about the issues surrounding StingRays, visit the Electronic Frontier Foundation's page on cell-site simulators.  In particular, read about the Rigmaiden case.  It seems the government and police agencies routinely mislead those in power by not giving them enough information, and it is not limited to Michigan.

Indeed, the biggest problem with the StingRay may not be the device itself, but the way its use and capabilities are kept secret from the courts, politicians, and the public by the United States law enforcement community.

Posted in Information Assurance
Mar 27
2015

Dave’s Home Security Software Picks for 2015

OK, I get asked a lot about what security software I personally use or recommend for home use, so I figured I would write up a list of solutions that may work for you at home, ordered by how often I get asked about each category.  I do a fair amount of research on this, including checking Consumer Reports and AV-Test results, reading Lifehacker, running the applications myself to verify they are good products, running background checks on the companies, and so on.

With that said, the views here are those of this blog alone, not of any organization I work for or teach at.  Also, what ran fine on my computer may have issues on yours: if your computer is already infected or corrupted, installing any application, especially a security application, can make it act up.

So here is my countdown for 2015:

1. Antivirus for Windows

Personally, I like a couple of different ones, but one of the better free antivirus products out there right now is Avira.  Despite Consumer Reports picking Avast, I can't stand behind Avast given the findings in this article from “The Safe Mac”.

Avira is free and from Germany.  It offers average threat blocking (which is what antivirus should be about: stopping malware before it gets in, not cleaning up afterwards), is easy to use, and is not a drain on your computer's resources.  In addition, Avira has historically been quick to respond to new threats compared with other antivirus vendors.

You can download Avira Free here.

If you don't mind paying for antivirus, you can one-up Avira and the other free products with ESET Smart Security.  In addition to what Avira does, Smart Security has good threat blocking, a firewall, and is easy to upgrade, though historically it can be a little slow in responding to new threats.  It also includes parental controls, spam blocking, and anti-theft tools. Smart Security costs $59.99 MSRP for one device.

If you have a lot of computers, on platforms other than Windows as well, ESET also offers a “Multi-Device Security” bundle that covers Windows, Mac, and Android.  A two-year subscription is $149 for 5 computers plus 5 Android devices (that's up to 10 devices!), not bad considering it may cover most of the devices in your house.

Here’s a link to the ESET Antivirus comparison web page.

2. Antivirus for Mac

OK, I know antivirus is dated; even the term “virus” belongs back in the 90s with MC Hammer pants and LL Cool J's “Mama Said Knock You Out.”  Still, it remains one of our best defenses, and yes, I understand Macs are not subject to anywhere near the volume of attacks that Windows machines are.

With that said, I believe we can a) protect our Windows friends, and b) protect ourselves, especially when we run Flash, Java, Shockwave, and the like on our Macs.

So my choice is Sophos: it's free, it stops both Mac and Windows threats (so you don't pass infected files along), it helps block web-based malware, and it is easy on system resources.  Don't believe me?  Check out Lifehacker; great minds think alike!  It was still going strong in 2015 according to independent tests.

Here is the link to free Sophos.

Of course you can always go with ESET if you have the money and enough Windows PCs lying around.  ESET Cyber Security Pro, starting at $59.99, adds features like the ESET firewall and parental controls, and the Multi-Device bundle for Mac adds anti-spam and anti-theft to the mix.

Here’s a link to the ESET main web page for Mac.

3. Malware Protection for Windows

By far my favorite for the last couple of years has been Malwarebytes.  Not only is it a great product for cleaning up an infected computer (free version), the paid version also stops bad things from infecting you in the first place.  Well worth the money!

You can get Malwarebytes from here.

4. Web Browser

I've lived through IE and Chrome, but I keep coming back to Firefox.  This time, giving due regard to my own privacy, I'm probably not going back to Chrome any time soon either.  I do still use Google search, since I find DuckDuckGo doesn't give me the results I'm looking for compared with Google.

Firefox is a longtime friend of mine, and the best thing is it's available for Linux, Mac, Android, and Windows.  Hopefully some time in the future it will be available for Apple's iOS as well (iPhones, iPads, and iPods), but it's not there yet owing to some disagreements.

You can download Firefox from here.

Honorable mention for another desktop browser you may not have heard of that builds on Firefox (I haven't really tested the Android version, so it may differ):

Pale Moon – An open-source Firefox-based browser available for Microsoft Windows, Linux, and Android.  It focuses on speed, stability, and user experience.

You can read about and download Pale Moon here.

However, the best part of Firefox is the add-ons, and I use the following add-ons to harden (that is, secure) my Firefox further:

A) AdBlock – The original AdBlock, by Michael Gundlach, is the one to get; don't confuse it with Adblock Plus or the various “pro” knock-offs.  Adblock Plus ships with an “Acceptable Ads” whitelist, on by default, that lets through ads from advertisers who pay to be included, and the knock-offs mostly trade on the name.  The original AdBlock attempts to block everything, and then, if you want to allow certain ads, you can make that exception yourself.

The advantage is faster browsing, since you no longer wait for ads to load, and it also limits the chance of a drive-by download from a malicious advertisement on an otherwise legitimate page.  By far my favorite add-on, and it can be found here.

B) HTTPS Everywhere – A nice little add-on that switches your browser to the HTTPS version of a site whenever you visit a page that supports it.  Remember, the S is for secure: the traffic between the website and your computer is encrypted and the site's identity is verified.  That does not make you safe on a hostile Wi-Fi network, though: anything that still travels over plain HTTP, your DNS lookups, and the traffic of other apps on the machine can still be observed or tampered with.

You can download HTTPS Everywhere from here.

C) NoScript – A great add-on that applies a default deny to JavaScript (and plugins) on every site.  That means when you visit a website you'll need to work out what to allow afterwards, but it's worth it, because a great many drive-by downloads (pages that install a pile of malware within seconds of one wrong click) are stopped this way.  Malware is served through ads even on legitimate sites, so it's worth the time to learn this one.

I recommend watching a video on how to use this powerful Firefox add-on before installing it, because it will break sites until you figure out what to allow and what to block.  If nothing else, just use another browser for that site, or select “Temporarily allow all this page” until you figure it out.

You can download NoScript here.

5. Android and iOS Security

A) Android – I really like Sophos Mobile Security; it works well and has high ratings for a free antivirus.  Pick it up in the Google Play store.


B) iOS – Lookout Mobile Security runs great and is also available for Android.  It's an American company, and the app includes a “signal flare” feature that records your device's last location when the battery runs low, so you can find it more easily.

It will also notify you if the processes running on your phone look strange.

You can view and download Lookout Mobile Security here.

6. Firewalls

Windows – No need to install one; one of the most capable firewalls available is built into Windows Vista and up.

Mac & popular Linux distro users – Please enable your firewall at the very least!  It is disabled by default.  Yes, I've heard the argument that it doesn't need to be on by default, but it's better to be safe than sorry.  Besides, users don't stick with the default applications that ship with an OS, so the firewall helps the overall security of the system as people pile on software.

I would stay with the built-in application firewall for now unless you have a paid solution like ESET NOD32, but I admit I do like Little Snitch for Mac OS X as an added layer of defense.  Just as with NoScript, I recommend watching a tutorial on how to use Little Snitch first, since a careless user can block legitimate traffic (rendering the computer useless).

Posted in Information Assurance, Public Speaking
Mar 20
2015

FCC approves strong Net Neutrality Rules

So there's a lot of talk out there about the FCC approving “Net Neutrality Rules” by a 3 to 2 vote.  There are also a lot of quotes in these articles from commission chairman Tom Wheeler, saying things like the Internet is “too important to let broadband providers be the ones making the rules.”

However, a lot of the articles fail to explain what Net Neutrality actually is, although they are happy to say what it could mean...

The two additional rules are below:

Under the draft proposed rules, subject to reasonable network management, a provider of broadband Internet access service:

  • would be required to treat lawful content, applications, and services in a nondiscriminatory manner; and
  • would be required to disclose such information concerning network management and other practices as is reasonably required for users and content, application, and service providers to enjoy the protections specified in this rule making.

Net Neutrality is a term that was coined by Columbia University Media Law Professor Tim Wu in 2003, however the concept existed long before that.  It means that “Internet Service Providers (ISPs) and Governments should treat all data on the Internet equally, not discriminating or charging differently by user, content, site, platform, application, type of attached equipment, or mode of communication. (taken from Wikipedia 2/26/2015)”

The FCC has received complaints in the past about ISPs using devices known as “packet shapers” to throttle certain types of traffic at the ISP's discretion. That traffic would be given lower priority than the speed the ISP had promised its customers, resulting in slower service. Worse, before the Net Neutrality rules were approved, a customer could be limited in, or discouraged from, visiting legitimate websites or using certain technologies.

One example of a service that was commonly throttled is peer-to-peer (P2P) file sharing, which people use to download movies, programs, songs, or anything else you can put in a file. While this technology can be used to break the law, it also has legitimate uses, such as downloading the latest version of a Linux distribution via a torrent.  The other example is video streaming: it takes up a lot of bandwidth, and slowing it down for their customers means the ISP doesn't have to invest as much in its infrastructure.

The other side of the argument is that ISPs throttle this traffic because it consumes bandwidth that other people need.   However, in the past some ISPs did not tell their customers about the limitation, so it was never disclosed to them.

The problem, before the rules were approved, is that ISPs had the discretion to punish customers with slower download speeds for certain content, and to limit the content their customers could view, without disclosing any of it to their customer base.

Overall, this should be a good thing and a big step for all of us who use Internet services, as it promotes truth in advertising.  I just hope ISPs don't use the new rules as an excuse to raise prices and blame the increase on the regulations.  If that does happen, hopefully fair competition will drive costs back down.  At least we now know what we are paying for!

Posted in Information Assurance
Feb 25
2015

Obama’s Cyber Security Plan… the good, the bad and the ugly

Normally I don't write much about political affairs because I don't care to get too involved in them.  However, Obama's message in January concerns me in regard to the state of security.  Let us look at what it means for us as professionals and as citizens of the United States of America.

Part of Obama's cyber security plan is an opt-in program for sharing digital threat information, and the benefit to a company in participating is that the government will grant a certain degree of “due care” to those that do.  This means participating companies may be partially shielded from lawsuits related to security breaches or privacy complaints from consumers.

“Cyber threat indicators” will be defined for the companies to specify what type of information is to be shared.  The plan defines these to include many things, among them “malicious reconnaissance” and “technical vulnerability.”  This would include metadata about the company's networks, such as Internet Protocol (IP) addresses, timestamps, and routing information, which together would map out the company's entire network for the government.

The bad part is that a term like “malicious reconnaissance” is defined as “communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat.” If this passes, how would we protect our companies without raising the government's eyebrows?

This means people performing “due diligence” (aka security research) for their employer may themselves show up as a cyber threat indicator for trying to protect their company.  Hopefully this makes clear the double-edged sword Obama is wielding in this policy: he will complicate things for ethical researchers too, making our defenses weaker by slowing us down and driving up costs.

If you want to see security done poorly, simply make all offensive work by ethical attackers legally risky and have security professionals focus entirely on defense.  That way the good guys will never know whether they did security properly, because they won't be able to find the holes in their defenses before the unethical attacker does.

The good thing here is the opt-in approach; some say the other bad thing is that the government doesn't spell out what kind of protection a company is afforded.  That doesn't surprise me, because given the wide array of ways a company may be breached, and how well “due care” was exercised, the protection will certainly vary.  Still, a clearly defined maximum and minimum level of protection would help companies understand what this means for them.   In addition, the policy places no restrictions on how the government may actually use this information in the name of protecting Internet users.

In the end, it will be up to each company to decide whether to opt in.  There is a certain level of risk and reward here, but it is a marginal improvement over past plans that would have made it mandatory for businesses to provide this data.

The policy also proposes a 30-day national standard for companies in the United States (US) to disclose any loss of Personally Identifiable Information (PII).  Many companies support this because it standardizes expectations.  Currently, expectations range from the 30 days Florida gives for disclosure (plus a 15-day extension) to the other end of the spectrum in Alaska, whose law states that “disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of [Alaska], the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach.” Alaska Stat. §45.48.010.

This means that, depending on where you live in our blessed union, notification may be mandatory or may never happen at all.   Standardization is a good thing for the companies that support it, as it leaves less room for misinterpreting the various laws from state to state.  Click here for a complete list of state security breach notification laws.

Obama has also proposed to update the Computer Fraud and Abuse Act (CFAA), and this is where the proposal takes a strange twist into yet another of the surreal paradigms Washington lives in with regard to computer security.  What really gets my goat is that most of these plans have a lot of good in them, kind of like a cupcake: it looks good and promises a nice taste, but if you don't examine it closely you'll find blarney in the center instead of the creamy filling you expected.

The full PDF of the law enforcement proposals can be found here; read it, as it concerns you.  Here is the fear, uncertainty and doubt (FUD) Obama spread back in January, and I quote:

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.”

Really?  Our children?  OK, my friends in the United States or anywhere else: when you see a politician invoke “children” in a statement, know that they are playing on your emotions to push your logical self out the window and into the street 15 stories below.  It is a ploy to lead the flock from thinking logically into doing something illogical.  Let us examine why...

The changes baked into the CFAA double the maximum penalty for computer crimes from 10 to 20 years.  Remember the threat indicators above, and “malicious reconnaissance”?  For security to be done properly you have to perform due diligence and research the ever-changing threat landscape, and that is more critical now than ever in the age of the “Internet of Things” (IoT).

The IoT includes things that aren't the normal computer you sit in front of: Internet-enabled thermostats, fridges, smart phones, car stereos, sensors, and more.  These devices usually run old, outdated operating systems and pose a threat to our networks both at home and at work.  Without getting too far into it, how would we ever test these devices to find out how bad their security is, or better yet how to fix them, if we are painted as felons and threatened with ever-increasing penalties?  The government is punishing the good guys and cutting us off at the knees, making it harder for us to do our jobs and protect our companies under the proposed CFAA.

More bothersome is the “modernized” password-trafficking clause of the CFAA:

(6) knowingly and willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;

This means that if you have a subscription to a streaming service for movies, music, or whatever, and you share that username and password with someone you know, you could get up to 10 years for sharing it.  So if I give my kid my Netflix password to watch a video and it somehow leaks to someone else, I could be looking at up to 10 years in jail, because I am legally responsible for my child's actions.  This may not be as far-fetched as it sounds; crazier things have happened.

In September 2014, about 5 million Google account credentials were posted to a Russian cyber security forum.  Under the new CFAA, anyone accessing that file would be a criminal, potentially facing up to 20 years for simply clicking on or opening it.  But who does that keep honest?  The law would not stop unethical attackers from accessing it; it would only stop ethical people and potential victims from finding out whether their information was in the leak.  That knowledge is valuable to the good guys: with a copy of a file that is already public, you can search it for your own email address to see whether you were part of the breach.

Having that information is a huge part of defending ourselves, our families, and our friends.  The damage was done by the initial leak, and the unethical already had the data before it was public.  So why should this be considered bad?  One word: ignorance (not knowing how this actually helps).  That ignorance is what is driving this policy, and it will certainly rob security professionals of the freedoms we need to defend ourselves.

Then there is the “racketeering” section:

“racketeering activity” means … (B) any act which is indictable under any of the following provisions of title 18, United States Code: … section 1028 (relating to fraud and related activity in connection with identification documents), section 1029 (relating to fraud and related activity in connection with access devices), section 1030 (relating to fraud and related activity in connection with computers) if the act indictable under section 1030 is felonious, section 1084 (relating to the transmission of gambling information), section 1341 (relating to mail fraud), section 1343 (relating to wire fraud), …

Let's look at this.  Simply being present during a chat-room conversation about fraud could make you guilty.  If this passes, make sure you don't leave your chat rooms open when you walk away from your computer, because you never know what people may start talking about while you're away from the keyboard (AFK).

I'm not opposed to legislation, but legislation needs to be fair and balanced in “we the people's” best interest.  The fact that the administration is pushing this policy with FUD concerns me, and as a security professional who believes wholeheartedly in offensive security as the way to improve our defensive strategies, I see this proposal as a step in the wrong direction for us all, even our children.

The freedoms we lose will put us at a greater disadvantage defensively if this passes.

Posted in Information Assurance