O.P.B.?

In the immortal words of Naughty by Nature: are you down with O.P.B.?  O.P.B., how can I explain it… It is Other Peoples’ Blogs!

I know that you are transfixed by the Jurishacker.com blog, wearing out your F5 key, reloading over and over, waiting for that next nugget of wisdom… Who am I kidding, according to the site analytics both of you who have read this blog are from China and never came back.

Anyway, if you do stumble upon this site and would like to read more intelligent discussions than you will find here I’ve put together a list of the pages that I enjoy visiting.

I’ll start with http://www.vogelitlawblog.com/.  Peter Vogel, a Partner at Gardere in Dallas, has been involved with IT and Software Law issues for almost 40 years.  In fact, his sole practice area for the past 39 years has been IT, Software, and Internet law.  He has taught e-discovery and Internet law courses at SMU for the past 30 years.  (Bias note: Peter and I are good friends and work together.)

Next up is http://www.gigalaw.com/blog/.  Doug Isenberg provides a good deal of insight into the law of the Internet.

The Center for Internet and Society at Stanford University always has good information on Internet law and policy.

For a couple of non-legal sites (that nonetheless provide a good amount of information on policy), I really like Brian Krebs’ Krebs on Security and Bruce Schneier’s Schneier on Security.  Krebs’ site is less blog and more news, but I’m including it anyway.

If you open each of these every morning, you get a pretty good idea of any large news stories, new vulnerabilities, or threats.  Either that or check https://istheinternetonfire.com/.

edit:  I’ve just been informed that the Naughty by Nature song was O.P.P., which has a completely different meaning. And here I thought Treach was a social media pioneer.  Who knew?

Backdoors, and clear text, and default credentials, oh my!

For years I’ve been warning people about insecure devices being added to their home networks.  It’s clear that the vendors haven’t really been listening, because there are still consumer-grade (and some enterprise-grade) network devices that use clear text passwords, default credentials, and backdoor accounts.  Remember the movie War Games from 1983?  Joshua was a backdoor account.  Even IMDb knows that Falken left a backdoor!

So we cleared up the backdoors and default accounts waaaaayyyyy back in 1984 right?  Nope.

The FTC filed charges yesterday (5 Jan 2017) against D-Link for inadequate security in its products.  Guess what the insecurity was (I’ll wait, guess)…

Yep, D-Link used “‘hard-coded’ login credentials integrated into D-Link camera software — such as the username ‘guest’ and the password ‘guest’ — that could allow unauthorized access to the cameras’ live feed . . . [and] . . . leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.”

Read that again.  D-Link hard-coded login credentials into the devices (that means that the consumer couldn’t change the password if they tried!).

It’s 2017, people; we have to do better than hard-coded credentials and clear text passwords.  We are putting these devices in our homes.  Having random strangers watching you probably isn’t a settling thought to most.

But hey, no one will find my IP enabled camera right?  Wrong:  Shodan has a large database of webcams that are open to the Internet.  Webcams are always on Shodan’s top searched list, so a lot of people are very interested in watching strangers.
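The two defects the complaint describes, a baked-in account the owner cannot remove and credentials kept in cleartext, beside the pattern a vendor should ship instead. This is an added illustration in Python, not D-Link's firmware or any code from the complaint; the account names, the default-password blocklist and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example: the weak pattern the FTC describes (a compiled-in
# guest/guest account plus cleartext comparison) and a hardened replacement.

# --- Weak pattern: hard-coded account the owner cannot remove --------------
BUILTIN_ACCOUNTS = {"guest": "guest"}  # baked into the firmware image

def weak_login(users: dict, username: str, password: str) -> bool:
    """Accepts the built-in account even after the owner sets their own."""
    if BUILTIN_ACCOUNTS.get(username) == password:
        return True
    return users.get(username) == password  # cleartext comparison

# --- Hardened pattern: owner-created accounts, salted PBKDF2 hashes --------
ITERATIONS = 200_000  # assumed work factor

def make_record(password: str) -> dict:
    """Store only a random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def hardened_login(users: dict, username: str, password: str) -> bool:
    """Only accounts the owner created exist; there is no fallback account."""
    rec = users.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), rec["hash"])

DEFAULT_PASSWORDS = ("", "guest", "admin", "password")  # assumed blocklist

def first_boot_setup(initial_password: str) -> dict:
    """Refuse to finish setup with an empty or vendor-style default password."""
    if initial_password in DEFAULT_PASSWORDS:
        raise ValueError("choose a non-default password before the camera goes online")
    return {"owner": make_record(initial_password)}

def setup_rejects(password: str) -> bool:
    """True when first-boot setup refuses the given password."""
    try:
        first_boot_setup(password)
    except ValueError:
        return True
    return False
```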


85th Legislative Session

The 85th regular Texas legislative session begins next week (January 10th). For those outside of The Great State of Texas, the Texas legislature meets for 140 days every two years. In those few days things move pretty quickly: a budget must be drafted and passed, any new bills must be submitted, reviewed and adopted, and state agencies face scrutiny. All in all it can be a whirlwind.

In the interim between sessions, legislative committees will dive deep into issues, researching topics and delivering reports to the Speaker of the House and Lt. Governor (who oversees the Senate).

So what is in store for information security or cybersecurity in the 85th?  If the interim tells us anything it is that “cyber” is on the mind of many in both houses.  Over the interim there were six House committees charged with identifying and making recommendations regarding cybersecurity policies.

  • House Committee on Business & Industry
  • House Committee on County Affairs
  • House Committee on Government Transparency & Operation
  • House Committee on House Administration
  • House Committee on Investments & Financial Services
  • House Committee on Urban Affairs

Several of these committees had hearings on the issue, at which I either testified or was used as a resource.

On the Senate side only the Business and Commerce committee was explicitly charged with reviewing cybersecurity.  The Inter-Governmental Relations committee had a charge regarding disaster preparedness planning and coordination, which has technology implications.

So, that is a long way of saying that there seems to be a concern with protection of information assets within the state.  There are already a handful of bills submitted, with more expected in the coming weeks.  The Texas Legislature Online site provides the capability to search for bills, but doing that each day can be a monotonous process.  On the Texas Legislation page, I’m tracking bills that are related to information security, cybersecurity, and privacy.

I also wrote a really bad script to search the TLO website for keywords.  It works, but it is U, L, G, Y, Ugly.  Feel free to grab it off GitHub.  I’ll try to make it prettier as the session goes.


Ah, the end of the year. The time when everyone posts their ‘Top 10’ lists

Every year the last week of December is filled with ‘Top 10’ lists or ‘Year in Review’ lists.  The information security community is no different.  Whether it is Threatpost’s 2016 Year in Review, DarkReading’s 21 Biggest Cybercriminal Busts of 2016, or even the University of San Diego’s Top Cyber Security Blogs and Websites of 2016 (sadly not including JurisHacker.com), everyone seems to look back at the year to see what has happened or changed.

Unfortunately, not enough has changed.  If we look back at esecurityplanet.com’s Top Five Security Threats for 2006 (no, that’s not a typo.  The list is from 10 years ago) we see:

  • Targeted Phishing Scams
  • Self-Contained Electronic Devices
  • Spam
  • Voice over IP
  • Microsoft vulnerabilities

With the exception of Microsoft vulnerabilities (36 critical vulns over the past year), we are still fighting many of the same battles.  Now we call it spear-phishing, BYOD, and IoT.  We still face insecure vendor defaults (now in IoT devices), vendor backdoors, and increasingly clever spear-phishing attacks.  At least two of these issues can be fixed by the vendor community.

I hope that in 2017 the vendor community will finally understand that poor default security hurts the consumer and that backdoors are only useful to attackers.  My fear is that I’ll still be talking about these in 2026, though.

Personally, I think I’ll drown my sorrows watching the worst movies of 2016.