Internet Theft and the Holidays

As many of you know, when I am not protecting people and their businesses, I’m often out taking pictures. My camera of choice has been the Nikon d300, which is over five years old now. As with all technology, when cameras age, they become increasingly unreliable and it became apparent over a year ago that my camera was experiencing legacy issues. The weather protection was weakening, the sensor was staring to fail and the batteries were draining faster and faster. If I am going to practice what I preach, it was time to ruthlessly eradicate legacy.

“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means killing all that no longer get updates (Windows 2000, for example). With cameras, it means time to say goodbye to my old friend and look at other options.

This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.

In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.

Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.

The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.

Or did I?

See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.

Continue Reading

May Updates and Patch Report: Part 2

It’s interesting how you can go through an entire week of work and think that nothing significant happened in the security world. Now that I am trying to write these updates on a weekly basis, I’m paying a bit closer attention. While we won’t have huge patch-focused updates unless it’s the same week as a patch release, it doesn’t mean nothing has been going on. So, without further ado here are this week’s updates and patch report. If you missed last week’s, read it here.



EMET 3.0 has been released. What is EMET you ask?

EMET stands for “Enhanced Mitigation Experience Toolkit” and is basically a tool that allows you to protect Windows applications from attack. We’re used to applying patches for things like this, but sometimes a problem is more complex than people think and patches are a long time coming. EMET allows you to shift from a reactive to a proactive stance. This is a different way of protecting your systems and will take some work to get started. However, if your operational guidelines have matured to the point you have identified allowed applications and are either using application control or imaging, this can provide a nice additional layer of protection. With this new version, you can also identify attempts to exploit vulnerabilities, which can give you preliminary warnings of attack.



Google has released a new version of Chrome. This new version adds a few features and patches several security bugs. If you are running Chrome, it should have automatically updated. If you want to verify the update has gone through, go to Tools->About and make sure you’re running version 19 or higher.



Apple has released a new version of QuickTime. This version patches seventeen problems and affects the application on both Windows and OSX. If you use it, patch it.  Details are here.



Trail of Bits published an interesting article on the relative security merits of Android versus iOS. The heart of their argument is Android phones aren’t updated as often as the iPhone and the Android marketplace is more flexible and this brings additional malware risk.

While this is true, it is also true the reduction of controls allows for faster development. Additionally, the deployment of Android updates is the job of the carrier, not of Google. Blaming Google for the carriers’ unwillingness to deploy updates to older phones is, I think, unfair. The real problem is carriers make more money when people buy new phones, so the longer they support the old phones, the less money they make. Apple has embraced this economic reality by convincing people to throw away their devices and buy new ones every year or so.

So here’s the truth.  If you are concerned about malware you have three options:

1) Use iOS and trust Apple to protect you. Do not jailbreak anything and live with what you get.

2) Use Android and run an anti-malware agent. I like Sophos Mobile Security (beta) and Lookout. On my phone, at least, they even seem to play well together. Don’t install apps willy-nilly.

3) Use Android, run an anti-malware agent (as above), root it and install firewall and adblockers. This makes you more vulnerable to malware, but gives you additional protection to (somewhat) make up for it. Optionally install your own ROM.

You do have to be more vigilant, but if that’s not a problem for you, you can actually get a more secure device than you can with IOS, as you are in charge of your updates and you don’t have to wait for it to fit within a company’s lifecycle.



A very interesting bug in sudo was discovered. There’s no point in my describing it here, as they did such a good job on Sophos Naked Security. Definitely go there and read about it.



RealPlayer has a brand new update. It patches three vulnerabilities in different levels of the product. However, the fourth vulnerability “why are people still using RealPlayer?” remains unpatched. :)

Apply the fix or remove the software.  The latter is generally a better choice.



A new denial of service tool is out. Known as the HTTP Unbearable Load King or “HULK,” it is different in that it takes greater care to make sure requests are unique. With a traditional DDoS tool, you can often find a traffic pattern to filter out and mitigate the attack. However, the more different each request is from one another, the harder this is to do. This tool raises the bar for DDoS protection.

If you are running a DDoS protection tool, take a look at the tool and check it against your protection system.  If it bypasses it, complain to your vendor so they fix the problem.

If you are not running a DDoS protection tool and are comfortable accepting the DDoS risk, just sit back and chuckle over the fact the most stealthy DDoS tool is known as The HULK.


That’s it for this week.  If you have any questions, please drop us a note.

Is this the end of carrier bloat as we know it?

Carrier bloat … if you have a Smartphone, you probably know exactly what I’m talking about. Carrier bloat usually takes the form of targeted mobile marketing applications that encompass everything from sports and shopping, to games and movies. The apps are baked into the phone’s software,  often run by default, can’t be removed and worst of all, gobble up precious storage space, CPU cycles and battery life. Simply put, carrier bloat holds your phone hostage.

I’m a big fan of rooting Smartphones by loading a custom ROM that strips away all the non-essential garbage the carriers preload onto each device. It’s amazing how much longer your battery will run, as well as how much more talk and text time you will have, when the added overhead of carrier bloat is removed. Why does it suck up so many resources? The bloatware is constantly dialing home to check on updates and frequently reports back to the carrier regarding what you’re up to (*cough* CIQ  *cough*). I guess I’m just one of those old school guys that believes when you purchase a device, you own the hardware and have total control over what is running on the device. What a novel concept!

If I don’t like the underwater basket weaving app included with the phone, I shouldn’t have to put up with Sprint, T-Mobile, or AT&T’s version of that app for the life of the product. I paid several hundred dollars for the hardware and I have a say in what the phone is or isn’t running. I didn’t pay the carrier to spy on my activities or offer me products and services that I don’t care for or use. I’m paying these clowns to provide me with voice and data service … that’s it. And when I root a device and strip it bare, I’m getting exactly what I want and technically what everyone thinks they’re paying for.

Not surprisingly, I’m not alone in this line of reasoning. XDA Developers has at this time a little over 4.4 million members. The site specifically caters to custom ROM development for pretty much every Smartphone you can buy today. Developers on this site figure out how to root the devices and then customize the software loaded onto each device. The real kicker here is the carriers and mobile device manufacturers watch this site very closely as it is often XDA who manages to load new versions of Android on older phones and extend the usefulness and security of said phone before the carrier gives up on it entirely.

Take the HTC Evo 4G for example. HTC had stated they weren’t sure if the device was capable of running Gingerbread. It wasn’t until someone on XDA had successfully ported it over from a ROM on a newer HTC phone that HTC announced a few months later that it was releasing an official update that would upgrade the Evo 4G to Gingerbread.

Luckily, the times be changing!

Google started a little pilot project last month involving Google Wallet and a completely unlocked carrier-independent Samsung Galaxy Nexus smartphone. The phone has no carrier bloat and no carrier contract. It’s simply a pay as you go GSM device that works on any GSM network (AT&T and T-Mobile here in the US). You pay for your minutes through Google wallet and Google reimburses the carrier for your used bandwidth. It’s being described as “Android in pure unadulterated goodness.”

For light phone users this is a perfect phone. You essentially pay for only the time you spend on data and voice usage with no carrier bloat eating away at your data minutes … it only uses what you tell it to use.  For guys like me that are heavy data users and who rely on unlimited data access plans (I spend a lot of time on customer sites using my phone for network access), this will be a very expensive device. It’s not quite there yet for us, but it’s a good step in the right direction for many other users.

The goal of this project is to take control of the device out of the hands of the carrier who ideally should only be involved in providing voice and data services and not dictating to the customer what they can or cannot run on said device. And it’s not like this is the first time a communications provider has taken advantage of its power.

This was a particularly sore point I had with Comcast cable service. They would outright block Netflix at times or downgrade the network traffic to the popular streaming website to the point their product was unusable. Comcast isn’t happy that Netflix is giving Comcast customers options. They want to maintain a closed market environment and don’t like competition for their OnDemand product offering. Like many other consumers, as soon as DSL was available in my area I kicked Comcast to the curb. I voted with my wallet and went with a more open carrier.

Sadly there are those out there that live in locations where Comcast is the only option and they are therefore stuck with a monopolizing provider. Up until Google started their exciting new project, a large percentage of smartphone owners were at the mercy of their carriers for what exactly is installed and running on their phones until Google started their exciting new Smartphone project.

If you’re a Smartphone user who is tired of a carrier who manipulates your phone, it’s time for you to vote with your wallet as well and switch to a phone that doesn’t hold you hostage.