Friday, November 1, 2013

badBIOS Hacker Commentary

More info on badBIOS' plausible existence. Looks like people are willing to give Dragos the benefit of the doubt even with the lack of independent verification of his claims:

Malware Science Fiction Reality

I honestly didn't think I'd ever hear about a real-life malware that can jump across Windows, Mac OS X, BSD, and Linux computers. There are a few movies and television shows that present the digital version of a skeleton key that can unlock any encryption and security measure currently available and I'd always get a chuckle out of watching this presented. Never let reality come in the way of a story I guess.

I hadn't heard about badBIOS until Ars Technica wrote this piece on it. Although, it currently seems to be the front-end component of a payload to a perhaps more devious malware. Only time will tell what that is and if we can get a fix in time. The fact that it's infected security professional Dragos Ruiu's lab leads me to think that he can't be the only one infected. What's the current reach of badBIOS?

Time will tell again. Right now the only indicator seems to be that if you can't boot from CD, you're likely infected.

I imagine that it'll start to be a trending search term now that Ars has published this article. Below is an embedded twitter search that I'll be watching closely over the next few days to see what else pops up.

Friday, September 13, 2013

Brush up on your cryptography

My favourite MOOC has a good course on cryptography. We're still in week 1 so there's still time to join and follow along.

Thursday, August 8, 2013

Chrome's Insecure Passwords

Chrome offers the ability to remember your passwords for you.  As Elliot pointed out in his post "Chrome’s insane password security strategy" anyone who has access to your PC can view your passwords simply by entering the URL: chrome://settings/passwords

A list of your saved usernames and passwords appears.  Granted, the passwords are not visible until you click on them and press the "show" button.  Anyone who borrows your PC to quickly look something up can also grab some of your passwords when you're not looking.  Something to keep in mind...

There are a few third party password managers available that will do a better job of hiding your passwords, such as:

Sunday, July 21, 2013

Tracking You Through WiFi

Here's an article that caught my attention "Attention, Shoppers: Store Is Tracking Your Cell" which claims that brick-and-mortar retailers are using our cell phones' WiFi to track our movements.  I had always assumed that a client device that is not connected to a wireless access point ("WAP") does not broadcast any packets because it silently monitors the nearby SSIDs for an access point that it recognizes.  This passive wouldn't provide any information for someone to collect.  However, when our cell phones are connected to a WiFi hotspot, there is an ongoing exchange of packets between the client device and the WAP.  In this scenario, it's easy to understand how a store could track one's movements.

Well, we've all heard what happens when you assume and I've fallen victim to it... one more time.  Turns out, when a WiFi device is not connected to a WAP it continually broadcasts probe requests to search for a WAP that it recognizes.  If our cell phone recognizes a WAP, it then begins the authentication process.  This is how our devices are able to register themselves with any network that does not broadcast its SSID.

Stores with multiple monitoring devices that are tuned to capturing probe requests can monitor and triangulate the location of a specific device's location within its premises.  Each probe request contains the device's unique MAC address allowing stores to differentiate between all the probe requests.  Below is an image of a wireshark capture of a probe request from aircrack-ng:

The source address field would contain the device's MAC address.

Thus, stores can monitor your cell phones' probe requests and watch your movements through the store.  This provides a more granular peek at the behaviour of their customers and can be used to not only show how people move throughout their store but show which areas are more popular.  It can provide more metrics on the success of particular campaigns.  I can see large department stores or malls being particularly interested in this type of technology.

For the more privacy minded folks who want to avoid being tracked, the simple solution is to shut off your WiFi on your phone when you leave your home.

Wednesday, July 17, 2013

Do You Trust Your Computer?

I don't.  Just a sec while I don my tinfoil hat.

Data breaches, zero-day exploits, and the NSA's PRISM program have placed a nice big spotlight on IT security these days.  Hackers that steal your identity can plunge your life into a world of problems.  One step that I've taken to provide some protection against identity theft is I re-purposed an old netbook for only my most sensitive surfing (banking, investments, CRA, etc...).

I use the usual anti-virus and anti-spyware tools to protect my main pc.  However, zero-day exploits and keyloggers are particularly worrisome.  I don't want to turn into one of those numbers that help increase the identity theft statistics.  Not necessarily to keep the number low but more for the headaches that identity theft cause.  Initially, I installed Chromium O/S as my first operating system.  I particularly liked the continuous update feature and how each boot presents me with a fresh operating system.  Chrome O/S' resilience really shined this year at the annual hacking event pwnium 3.  Unfortunately, Chromium wasn't quite optimized for my poor old netbook and it was painfully slow to use.

I have since settled on Fedora.  It appears to have a focus on security and also isn't the most popular Linux flavour available.  Given the choice, hackers will likely focus their efforts on finding flaws within operating systems that have a wider audience.  The NY Times has a worrisome article "Nations Buying as Hackers Sell Flaws in Computer Code" that describes how hackers that sell vulnerabilities can earn as much as $150,000 from Microsoft.  Government agencies looking to exploit these vulnerabilities would pay more.  There's big money in being first-to-market with an undiscovered zero-day exploit.

To reduce the exposure to my little Fedora netbook, I only access a limited set of sites and I keep it in its own VLAN.  Thus, if my main computer were to be infected with a worm and wanted to infect other computers on my LAN, it would have to be robust enough to cross over to the less popular Fedora.  A feat not many worms can do.  If it were capable of this, it wouldn't be able to find my netbook since it's been placed on an entirely different network segment with no access to the VLAN where my main surfing machine resides.

This strategy won't solve data breaches or prevent the NSA from accessing my data on servers that reside in the U.S.  It helps make me less of a noticeable target for hackers and hopefully keeps my sensitive sites safe.

Sunday, November 4, 2012


Another year, another blog reset.

This time, it wasn't because of Russian hackers who added a ton of PHP code to redirect my pages and get me blacklisted from Google (temporarily).  My dreamhost account was expiring and I had to make a decision about whether or not to renew.  There are some excellent alternatives to self-hosting and that reduces my security worries so I can strictly focus on content.

It was a toss-up between blogger and  In the end, blogger won because it allowed me to freely use my own domain name.  I reset this site over 10 days ago and dragged my feet on writing my first post.  That was enough time for Google to discover the new empty site and wipe it from its search results.  Google continually tweaks its search engine algorithm which can have unintended consequences as this NYTimes article suggests.  I remember having a mostly empty static web page in the mid-2000s that still managed to stay on Google's search results.

I'll be taking a new direction with this blog.  I'll be blogging about more IT related topics and use my Google+ account to post my photos and sketches.