I’m more in #ShellShock about the speed of the attackers !

If you haven’t caught up with it yet, there is a vulnerability out there which is quite a serious one.

What’s gone wrong now ?

If you have Linux, Unix or Mac OS X then you need to keep an eye out for updates … and then learn how to test them for vulnerabilities !

 

So this is the issue … Bash. It’s in all the operating systems above and this is the problem with it :

I’ve given you a couple of links so you can get some breadth on the issue …

  1. Troy Hunt (LINK)
  2. Threatpost (LINK)
  3. CVE-2014-6271 (LINK)
  4. Akamai (LINK)

Well, am I affected ?

So yeah – that’s a biggie hey ?

Plenty of vendors have jumped on the scanner side of things to see if you are vulnerable :

  1. Errata Security (LINK)
  2. WebSecurify (LINK)
  3. Nessus (LINK)

Please note – you should use any tools you find on the internet with caution … only choose those you know or have been recommended by a competent security professional.

 

OK, you’ve probably run that and found you are vulnerable. Yep, bad times ahead, I’m afraid. For those with multiple systems, it’s going to be a long night in the office.

Woah, so how do I fix it ?

Well it looks as simple as running update manager

  1. Update Manager (LINK)
  2. Ubuntu (LINK)
  3. Command line : apt-get update; apt-get upgrade; (Thanks to Matthew Pettitt for that ! LINK)

But … you said !

Disclaimer – this may fix this bug but could break everything that you were running, there may be a reboot and you may never see your system again … backups please ladies and gents …. backups and test restores please.

OK, I’m still alive – now what ?

Test again … yes that’s right, check it’s been applied properly. (see section above !)

Phew, no problems here then !

Well not quite …

There is this bypass to look at :

bypass #shellshock patch: X='() { (a)=>\' bash -c "echo date" creates ./echo with contents of `date` output
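A local check for the "test again" step, added here as an example and not taken from the original post or from any of the linked scanners: it probes the installed bash with a harmless marker command and with the bypass string quoted above, inside a scratch directory. The marker value, the function names and the status words are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm on this machine that the bash update took effect.
# MARKER, the function names and the status words are made up for this example.

MARKER="shellshock-check-marker"

# CVE-2014-6271: an unpatched bash runs whatever trails a function definition
# held in an environment variable. The trailing command here only echoes MARKER.
runs_trailing_command() {
    out=$(env x="() { :;}; echo $MARKER" "$1" -c ':' 2>/dev/null) || :
    [ "$out" = "$MARKER" ]
}

# The bypass quoted above: an incompletely patched bash leaves a file named
# "echo" (holding the output of date) in the current directory, so the probe
# runs inside a throwaway directory that is removed afterwards.
creates_echo_file() {
    scratch=$(mktemp -d) || return 2
    (
        cd "$scratch" || exit 2
        env X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 || :
        [ -e echo ]
    ) && rc=0 || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Prints one word: missing, vulnerable, bypassable, patched or unknown.
check_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return
    fi
    if runs_trailing_command "$bash_bin"; then
        echo vulnerable
        return
    fi
    creates_echo_file "$bash_bin" && rc=0 || rc=$?
    case $rc in
        0) echo bypassable ;;   # first fix applied, bypass still works
        1) echo patched ;;      # neither probe had any effect
        *) echo unknown ;;      # scratch directory could not be used
    esac
}

echo "bash status: $(check_bash bash)"
```

Run it before and after the update; anything other than `patched` means the fix has not fully landed on that machine.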

 

Oh and also – keep an eye out for the bots that have been trying to gain access for the last 24 hours !

  • What ?!! there’s already an active bot for this ?!! (LINK)
  • Yeah – there’s also this reverse shell too (LINK)
  • Oh and this daemon that reboots machines (LINK)

And is that it ?

Well essentially yes for now but keep a lookout on Twitter as there are sure to be some big problems ahead which may be coming as a result of this. If you aren’t sure then go get some help … it’ll be on the news shortly so your boss will be OK by then to talk to you about it and will understand it. If you need a quick analogy … tell him we’re screwed and you’re going to resign. It’s easier than trying to fight the management team to try to get it fixed !!

 

The take away :

As technology becomes more pervasive and integrated into our lives and as some systems come to the fore, so the patching of those technologies has to be thought about. In this situation there are going to be some systems which simply cannot be patched. There will be some embedded systems, legacy Unix boxes etc which simply will not be able to be updated. The criminals were able to create an exploitive bot within hours while we were still warming up the PR departments to draft a catchy logo and first blog. The attackers yet again beat us. Add in to the mix the TVs, routers, medical equipment, SCADA systems and other devices yet to be discovered, we’re in for a bumpy ride – make sure you do your bit to keep the internet safe.

The movie list

This list is for my kids.

 

Let’s face it, I hate most of the stuff you watch – Barbie and the Dreamhouse was the low point. So this is a list of films I want you to watch.

Not in any particular order (although I’ll guide you on the proper order for Star Wars!) – just make sure they’re age appropriate. When you’ve watched them all, then I’ll allow Barbie again !!! (maybe not also !!)

 

  • THX1138
  • Blazing Saddles
  • Rollerball
  • Driver
  • Convoy
  • Time Bandits
  • Escape from New York
  • Mad Max (all of them so we can then debate which was the best)
  • Blade Runner
  • Dark Crystal
  • War Games (I want to watch this again too, book it in!!)
  • Top Gun
  • Labyrinth (ask for my Ludo impression)
  • Flight of the Navigator
  • Short Circuit (don’t watch number 2 – it sucked)
  • Ferris Bueller
  • Lost Boys
  • Dirty Dancing
  • La Bamba
  • BeetleJuice
  • Akira
  • Bill + Ted (all of them in one sitting)
  • Pretty Woman (with your mum)
  • Flatliners (they all die .. get over it)
  • Drop Dead Fred
  • Jurassic Park (Start at 9am and watch them all in one day)
  • Mrs Doubtfire
  • Wayne’s World (Schwing! …. inappropriate but very funny !)
  • Dumb and Dumber
  • Mask
  • Shawshank Redemption
  • Forrest Gump
  • Ace Ventura (One of my heroes is Ace … you may get my humour … CHICAGO !!)
  • Pulp Fiction (great soundtrack)
  • Leon
  • Judge Dredd (all versions then debate which is the best and why)
  • The Net (I’ll show you all the technical nonsense in it .. Sandra Bullock didn’t invent the internet)
  • Crimson Tide
  • Hackers (all of them – but you need to read a couple of books first)
  • Tank Girl
  • Braveheart
  • Romeo and Juliet (with your mum)
  • Trainspotting (cracking soundtrack)
  • Mission Impossible (wait till you see 3 … you’ll die laughing)
  • The Rock
  • DragonHeart
  • Eraser
  • Swingers
  • Contact
  • Face Off
  • Gattaca
  • Grosse Pointe Blank
  • Full Monty
  • Titanic
  • Good Will Hunting
  • Austin Powers (and please get dressed up)
  • Men in Black (all of them in one sitting)
  • Rocky Horror Picture Show
  • Little Shop of Horrors

 

  • Weird Science
  • CannonBall Run
  • Devil’s Advocate
  • Fifth Element
  • Godzilla (the older one)
  • Truman Show
  • Enemy of the state
  • Armageddon
  • Lock Stock
  • Snatch
  • Meet Joe Black
  • Shakespeare in Love (watch with your mum!)
  • Avengers
  • Matrix (promise you’ll only watch the first one!)
  • American Pie
  • 6th Sense
  • Notting Hill
  • Office Space
  • Payback
  • Three Kings
  • Emperor’s New Groove
  • Chicken Run
  • Road Trip
  • Gladiator (See MovieMistakes.com first)
  • Gone in 60 Seconds
  • Pitch Black
  • O Brother Where Art Thou
  • Boiler Room
  • Hollow Man
  • Perfect Storm
  • Monsters Inc
  • Dune
  • Convoy
  • Smokey and the Bandit
  • Fast and Furious (all of them)
  • Lord of the Rings
  • Oceans 11
  • AI (please read Isaac Asimov I Robot first)
  • Moulin Rouge
  • Swordfish
  • A Knight’s Tale
  • Catch Me If You Can
  • Bourne Identity
  • Men In Black (all of them)
  • Transporter (all of them)
  • Minority Report
  • Austin Powers (all of them)
  • Finding Nemo
  • Italian Job (the original)
  • School of Rock
  • League of Extraordinary Gentlemen
  • Love Actually
  • 50 First Dates
  • Day After Tomorrow
  • National Treasure (after watching – speak to Grandy)
  • Anchorman
  • Van Helsing
  • Yes Man
  • HitchHikers Guide (Original, read the books then watch the latest one)
  • xXx
  • Cars
  • Flushed Away
  • 300
  • V for Vendetta
  • Talladega Nights
  • Ice Age
  • Night at the Museum
  • Employee of the Month
  • Little Miss Sunshine
  • I am Legend (and then write the ending properly)
  • Meet the Robinsons
  • Madagascar (all of them)
  • Below

 

That’ll do for now … I’ll add to it as I remember more.

 

If you have any suggestions please recommend them here :

 

Digital Freedom – the manifesto is launched

Mikko Hypponen and David Hasselhoff have appeared on stage at re:publica 14 and launched the new Digital Freedom manifesto.

The manifesto is based on 4 points :

  1. Freedom from mass surveillance (target / blanket)
  2. Freedom from digital persecution (privacy in the future)
  3. Freedom from digital colonisation
  4. Freedom of digital access, movement and speech

 

I watched the keynote with interest and have the following thoughts :

Freedom from mass surveillance (target / blanket)

I appreciate that there is a time and place for surveillance. CCTV watches our every move and our internet traffic is scanned for key words. To remove this would, I believe, be a mistake – instead, they should be more transparent. Go ahead, watch me and scan me … but only if you do something useful with this data to keep me safer. Sure I have secrets and sure, I am aware of what I post … but can you imagine a world where facial recognition does not pick up the criminals ? I think that there is a specific use case for mass surveillance, but it is currently not being handled well and certainly not following the same standard of disclosure globally.

Freedom from digital persecution (privacy in the future)

This I understand and totally support. Right now, May 2014, it is OK to have certain views, prejudices etc, but in 2020, will those standards still hold ? Will my old opinion still be the same ? I once thought I was going to be an electrical engineer – that didn’t work out, so why should the opinions I have still hold ANY weight in the future ? We need to isolate a case, sure, look back in history to see if it is a long-held opinion, but certainly not to use it to persecute in the future.

Freedom from digital colonisation

The lines between technology and our existence are more blurred than ever. With the Internet of Things, mobile tech etc … we see more intrusion of technology into our lives. And it is just that .. an intrusion. We need to learn to adopt the divide between tech and life. Just because technology exists doesn’t mean we have to shoe-horn it into everyday lives – especially if it is to the detriment of our privacy. We all need to learn to have down-days. Non-tech days … and if you don’t know the answer to a problem, instead of Googling it … use this method:

  • Brain – think about it, work out the options and the theory.
  • Book – read it in a book, they are more than paperweights !
  • Buddy – ask a friend, a colleague … the meat space !
  • Boss – ask a person in authority, your boss, a department head, a lecturer, they generally got there by knowing something !

Freedom of digital access, movement and speech

Should I be allowed to write what I want ? What about offending someone or prejudice ? Should I be restricted in what I can/can’t say ? I think this comes down to an old skill that we seem to have forgotten with the advent of technology – the art of common sense. So I would like to introduce you to Gran’s law. Think about an elderly relative (a Grand-parent for example). Now go ahead and type your real feelings about something you feel passionate about. If your Gran were to read it, would she be offended, clip you round the ear, would she be horrified about it … if the answer is yes, then it is probably best to keep it off the internet ! Common sense can save you a lot of conversations later. You should not be thinking about your intended audience but that the internet sees all.

 

What are your thoughts ? Have you posted on the Digital Freedom site ?

 

Security Mantras

I have to explain security concepts quite a bit in my job and so I thought I’d share my thoughts with you all for some discussion.

 

I’m going to keep it brief and then update this blog with the feedback and comments shortly.

 

Mantra 1

There are two kinds of people – those who have been hacked and those that don’t know it yet.

I’m all for a bit of FUD, Fear, Uncertainty and Doubt. It is a good sales technique to be fair – but please, if you are going to use FUD, be accurate. Infosec is getting a bad rap for wild accusations so let’s keep it real. If you feel the need to use a FUD mantra – how about:

Do you want to be one of those companies that you get to read about who didn’t do anything and then got hacked ?

 

Mantra 2

Monitor, Manage and Maintain

Bit of a personal favourite of mine – so for transparency reasons … yes, I am biased!

  • Monitor – you have to be looking out to see what is coming your way. Ensure you have adequate monitoring that is telling you of an impending attack. Of course the critical part of all this is to know your base line – what is normal ? Once you know this, then you can work out what could be going wrong.
  • Manage – if you don’t have someone looking after these things, it goes the way of the paperless office … it was a good idea once. There should be a sponsor … a person at the top of the tree who ensures that the top line buys in, then there should be a busy bee worker who is making sure ‘stuff’ happens.
  • Maintain – patch, upgrade – do what you need to to ensure you are always at the edge and not falling into the hands of criminals who love to capitalise on out of date systems.

 

Mantra 3

We have [VENDOR PRODUCT] so we’ll be OK

or

Buy our [VENDOR PRODUCT] and you will be secure

No, no, no, no. No piece of tin will keep you safe. I love this quote which explains this perfectly “It doesn’t matter how thick your suit of armour is, you can still get flu.” With humans, there is always a will and a way !

 

 

So there you go …. my starter for 10 …. what security mantras do you use to protect yourself or what mantras do you train others in ?

 

 

Top Insecurity Tips

This is meant to be a humorous blog about internet tips and why some advice is just bad. Just a bit of fun for April Fool’s.

 

1) Go to a public internet access point to surf the internet for a long time. Free wi-fi !

Bad idea – Public internet cafes are common places for various types of theft.

  • Physical theft of devices
  • Spoofing the access point to listen in on your traffic
  • Malicious payloads can be added via sponsored adverts
  • Shoulder surfing risk is greater

2) Do not put a password on your home wi-fi so that your friends can connect to the internet easily

Bad idea – so can your neighbours and malicious people. They can use your access point to surf nefarious websites and hammer it for downloads which all affect your speed and bandwidth limits.

3) One password to remember – use something easy like your name

Bad idea – Too easy to guess, and generally very easy to break as well because all words from the dictionary are already cracked. Using the same password everywhere means that should you have a leak of your details, a criminal can gain access to everything you have ever logged in to.

4) Store your passwords in a notebook called passwords so you never forget another login

Bad idea – If someone opens your notebook, they can then log in on your computer with your credentials.

5) Antivirus, anti-malware tools and firewalls all slow down your computer, besides, you’ve never had a problem

Bad idea – just because you think you’ve never had a problem, does not mean that you have never been hit.

6) Patching computers and installing updates gets in the way, takes too long and fills up your computer. Your computer works fine without them.

Bad idea – the hackers and malware writers can easily gain access to older versions of home systems, they have specific tools written to exploit these older out of date systems.

7) Leave your home computer on at home connected to the internet, that way you can just turn on the screen and have immediate access to the internet

Bad idea – if you are hacked, you won’t know about it till you get home and by then someone could have taken everything!

8) Downloading illegal content is fine, who cares about little old me !

Bad idea – it’s illegal.

9) Never clear your history – that way you can always find your old websites you have browsed

Bad idea – using tools, a criminal can see everything you have done on your computer.

10) Auto-save passwords – that way your computer can auto-log in to all websites. How convenient is that, no more remembering passwords

Bad idea – anyone using your computer will also auto-login to sites with your details, and a criminal who may have been able to obtain remote access to your computer will also have all your passwords.

11) If they want to send you £20million from a relative you didn’t know from a foreign country you’ve never been to, what is £3000 in the grand scheme of things compared!!

Bad Idea – it’s a scam, congratulations, you’ve just lost £3000

Have some fun people and feel free to contact me on Twitter at @SPCoulson to add your own !

Things that each of us should do

This is for all of us … yes … I know you’re a leet hacker ‘n all, but c’mon, we all have to do this stuff.

So let’s start… right now

 

  1. Password re-use. Yep, don’t be that idiot ! Make each password different.
  2. Change your passwords every 90 days. That’s 4 times a year … Oh and while you’re at it … change your Pin numbers too. When did you last change your debit card pin number ?
  3. Someone else’s Wi-Fi. If you didn’t set it up then don’t connect. There is nothing so critical in the world that means you have to connect insecurely.
  4. Get a shredder. A good one. Spend your money and get something that you know will keep you safe.
  5. Use the shredder. You bought it so use it ! then spread the paper about. If you have a pet you now have bedding / litter !
  6. Sharing is bad. Don’t share. If they take your USB pen drive away, did they recover anything ? Your WiFi is yours .. don’t share.
  7. Challenge if you’re not sure. If your CEO isn’t wearing an iD badge … be nice but challenge people who might be using social engineering techniques.
  8. Windows Key L or Linux variant. Just remember the old days of meatspin. LOCK IT.
  9. Work is work. Don’t mix your work email / social media with your home life. Keep your digital identities separate.
  10. Have iD at all times. Appropriate, current and relevant. Be ready to challenge people who aren’t ready.
  11. Help your friends. They can be just an easy route back to you so help them be secure.
  12. Offer a free training course for colleagues on securing themselves. Start the wheels in motion.
  13. There is never a 13.
  14. Hack yourself. Yes, that’s right. I recommend looking yourself up to see how much data you are leaking. Then pen test yourself. Is your home secure ?
  15. Alarm and alert. Not just house alarm, house locks, car alarm, immobiliser, alerts for you online –  use Google alerts for encrypted versions of your passwords, usernames, addresses.
  16. Have a business continuity plan for yourself. What would you do if …. ?

 

Well there you go … let me know in the comments below if you have any others you think should go on the list and we can develop it over time.

 

Keep Safe !

Cybersecurity for Kids

How on earth do I explain to my kids about staying safe online ? Do I tell them about the nasty man who wants to see pictures ? Do I tell them about the naughty people hiding in the shadows that want my kids to open things for them so they can look at mummy and daddy’s computer ?

 

Where do you start ?

 

Well the first thing I have done is to create their own logins (with parental controls applied) so they are now masters of their own destiny. It is also easier for me to log their movements. They know this and understand that if they have any problems, they can trust me to be able to look into their situation.

So tip 1) Make them accountable

 

Next logging in – My eldest child is VERY possessive of their writing and so they deliberately made their password harder for their younger sibling to guess. Aged 7 using an 8 character password with upper and lower case, numbers and otherwise. Even my youngest child is using upper and lower case characters.

Tip 2) Complex passwords / pass-phrases

 

Once logged in, the parental controls help limit what they can/can’t browse. There are a multitude of these in the marketplace as well as those built-in to Microsoft Windows 7 / Live. Although it is only a basic step, it reduces the likelihood of them viewing content they shouldn’t be seeing. It is not infallible, but we are looking at reducing risk. Allow them some control though – again, it will help them to still have usability of the internet and therefore won’t try to circumvent any security.

Therefore tip 3) Use parental controls to reduce the risks of what your child will be viewing

 

If you want to know what your children are doing on the internet … sit with them ! Show an interest in their computer use, suggest other sites. Think of safe sites (BBC, National Geographic, NASA), research them first. Show them how to use Google and other search engines to find safe sites (SafeSearch on etc). A bit of time and effort at the start and you will be starting them off on the right foot.

Tip 4) Invest some of your own time to help protect your children

 

OK, so your kids are now logging on, able to use the computer. But how do you get them to keep this good practice ? At some point you need to talk about the bad guys. For this, there are plenty of online resources to demonstrate the dangers without them actually falling foul. Also, consider discussing situations – what if you post X on a social media page – how will that look to teachers / potential employers etc. This will be an invaluable lesson and you need to think about how to do this. Think about talking to your child’s school for advice and perhaps. This will then give a common view and reduce confusion about right and wrong habits.

So tip 5) Educate them about the bad guys

 

What do you do if you suspect your child has done something on the internet that they shouldn’t ? The big question … well the first thing is to talk to them about it and explain what the outcomes may be. The primary discussion is about them removing content; you should not do it alone, as they could rebel and upload more content. So if they understand why they should remove the content, it should help them in the future. Let’s face it, we all get it wrong at some point, don’t chastise them, help them realise how they should behave.

Tip 6) Help them when they go wrong.

 

By no means is this list infallible, but at least it’s a start. I encourage you to comment and offer your own suggestions as to how you tell your children about being safe online.

 

Summary :

Tip 1) Make them accountable

Tip 2) Complex passwords / pass-phrases

Tip 3) Use parental controls to reduce the risks of what your child will be viewing

Tip 4) Invest some of your own time to help protect your children

Tip 5) Educate them about the bad guys

Tip 6) Help them when they go wrong.