Stop the ADA Education and Reform Act

An image of handicap parking by Shawn Campbell

The Americans with Disabilities Act (ADA) of 1990 (amended in 2008) is a bipartisan law that sets accessibility standards that businesses open to the public must follow, so that those with disabilities can work, shop, dine, and play just like any other citizens. Title III of the ADA requires basic necessities like ramps, handicap parking spaces, and doorways wide enough for a wheelchair. Even under current law, the accommodations must not place an “undue burden” on the business, and be “readily achievable“. In other words, the accommodations must be practical and affordable. As a result of 27 years of building access equality, these features have become so ubiquitous that it’s easy for anyone to take them for granted. However, the enforcement mechanism that has been in place for nearly three decades is now in jeopardy because of H.R.620 – The ADA Education and Reform Act of 2017, sponsored by Rep. Poe, Ted [R-TX-2].

Read moreStop the ADA Education and Reform Act

Lessons Learned from the US Federal Government’s Ongoing Deployment of SPF and DMARC

Two soldiers process mail in a US Army Forward Operating Base Mailroom

SPF and DMARC are standards that describe how the origins of email messages should be verified, to prevent email spoofing. I spent some free time over the past few weeks creating checkdmarc , a Python 3 module and command-line interface that can validate and troubleshoot SPF and DMARC records across multiple domains, with the intent of building it into a web application that will process DMARC reports. The Department of Homeland Security recently launched an initiative to deploy SPF, DMARC, and other best practices on most federal agency domains by issuing BOD 18-01. This created the perfect case study of common challenges and mistakes when deploying SPF and DMARC across very large organizations, and even a few small ones.

2018-01-30 update: I have made many improvements to my script, corrected a few of my own misconceptions about DMARC I had in this post, and switched to updated results from 2018-01-28.

Read moreLessons Learned from the US Federal Government’s Ongoing Deployment of SPF and DMARC

How to install YARA and write basic YARA rules to identify malware

A screenshot of a YARA rule with syntax highlighting

YARA is described as “The pattern matching Swiss knife for malware researchers (and everyone else)”. Think of it as like grep, but instead of matching based on one pattern, YARA matches based on a set of rules, with each rule capable of  containing multiple patterns, and complex condition logic for further refining matches. It’s a very useful tool. Let’s go over some practical examples of how to use it.

Read moreHow to install YARA and write basic YARA rules to identify malware

How to run graphical Linux applications on Bash on Ubuntu on Windows 10

A screenshot of xeyes running on Bash on Ubuntu on Windows 10

Bash on Ubuntu on Windows was introduced by Microsoft in the Windows 10 Anniversary Update. It allows users to run a full Ubuntu user space in Windows. It is a much nicer approach for most applications than Cygwin, or using a Linux VM. It is not an emulator either. Think of it as GNU/Linux/Windows (apologies to Richard Stallman). This guide starts off with Microsoft’s instructions for installing Bash on Ubuntu on Windows, and then goes a few steps further by describing how to run graphical Linux applications.

Read moreHow to run graphical Linux applications on Bash on Ubuntu on Windows 10

WannaCry ransomware analysis: Samples date back to at least early February 2017

VirusTotal results showing the earliest observed sample of Wannacry ransomware

The WannaCry ransomware worm has spread panic and destruction as it infects hundreds of thousands of systems around the world; a rate not seen since the Blaster and Sasser worms of 2003. WannaCry — also known as WannaCrypt, WannaCryptor, WanaCrypt0r, WCry, or WCrypt — leverages vulnerabilities that Microsoft patched in the March MS17-010 Security Bulletin, after taking the unprecedented step of canceling the February Patch Tuesday.

While collecting samples of WannaCry, I found a sample that predates the worm version. The sample was compiled on February 9th, and uploaded to VirusTotal on February 10th. While compile timestamps can be faked, the closeness to the upload date suggests that the compilation timestamp is legitimate.

Read moreWannaCry ransomware analysis: Samples date back to at least early February 2017

Google Pixel phones can be unlocked with a recording of a trusted voice by default

user manually enables "Ok Google" Trusted Voice

The headline feature of the new Google Pixel phones is deep integration between the operating system and the Google Assistant AI. By default, the Google Assistant can be activated even when the phone is locked and the display is off, if the device hears the trusted voice say the hot word, “Ok Google”. This also has the effect of unlocking the device, meaning that anyone with a recording of the trusted voice saying “Ok Google” — or even someone with a similar voice — can easily unlock the device.

Read moreGoogle Pixel phones can be unlocked with a recording of a trusted voice by default

Android 7.1 adds native android visual voicemail support for Verizon

When I first switched my Nexus 6P to from T-Mobile to Verizon, I noticed that support for native visual voicemail in the Android dialer was missing. Worse, I was getting cryptic text messages instead of the usual basic voicemail notification.

A blog post from Matt Cutts describes this situation in detail. It turns out the text messages are somehow used in the background by Verizon’s proprietary visual voicemail application. That application is not available to Nexus devices on the Google Play store like the My Verizon app is. So the only solution to get regular voicemail notifications working on Nexus devices was to have a Verizon rep switch your line to basic voicemail. This option is different that basic visual voicemail, which is on your line by default.

In an age of texting and messaging apps, loosing visual voicemail might not seem like a big deal to most consumers, but I’ve found that the voicemail to text feature is extremely useful when I need to discreetly check voicemails from businesses and doctor’s offices while on the go or at work. It’s also indispensable for those who are hearing impaired.  I wondered how Verizon and Google were going to do Visual Voicemail on the Pixel phones, since Verizon’s Visual Voicemail app is not on the list of installed Verizon apps. Now we know.

After upgrading my Nexus 6P on Verizon to the Android 7.1.1 beta, I discovered that Visual Voicemail in the native Android dialer works! You just need to make sure that that basic (free) or premium visual voicemail is active on your line. Voicemail-to-text works too, if you add Premium Visual Voicemail to your line. Unfortunately, there is no sign of Wi-Fi calling support (yet?). HD voice has always worked on the Nexus 6P.

A screenshot of the Verizon Wireless Premium Visual Voicemail welcome message in the Android 7.1 Dialer on a Nexus 6P

Also, the Support tab in Settings is there, as seen on the Pixel phones.

A screenshot of the settings app in Android 7.1 on a Nexus 6P, showing the support tab first seen on the Google Pixel phones

This was one of the features that I thought was Pixel exclusive. It’s nice to see it included.  Hopefully more features from the Pixel phones like the Google Assistant will make their way to Nexus devices over the next few months. That would go a long way towards soothing the outrage of many Nexus owners who feel left behind. It would certainly be in Google’s long-term interest to put the assistant in the hands of as many Android users as possible once it has full integration with third party services.

Update: Unfortunately, the day after this post was published, Google updated Google Support Services that remove the phones and chat support buttons for Nexus devices 🙁

A screenshot of the support tab in settings as seen on a Nexus 5X after the Google Support Services update

You can get Android 7.1.1 on a Nexus device right now by signing up for the Android Beta. It’s actually very stable, and I think it’s snappier than 7.0.

My Google Pixel XL is due to arrive today. I’ll have a full review here next week.

Featured image by Andrew Taylor. Used under a CC BY 2.0 license.

PSA: The latest Google Chrome release trips EMET’s EAF+ mitigation

A screenshot of the EAF+ error generateted W=by the latest Google Chrome release when used with the defualt EMET config

When Google Chrome updated to 53.0.2785.101 on my Windows systems, I encountered an onslaught of alerts from EMET, which was killing chrome.exe processes for EAF+ violations as fast as Chrome kept trying to spawn them (each tab in Chrome is a separate process). Luckily, this problem is easily fixable.

Read morePSA: The latest Google Chrome release trips EMET’s EAF+ mitigation

HHS: Ransomware encryption of ePHI is a HIPAA breach

Colorful shelves of paperrecords at a dental clinic Credit: Tom Magliery License: CC BY-NC-SA 2.0

As a growing number of medical facilities are struck by ransomware, the US Department of Health and Human Services (HHS) has published a fact sheet describing how businesses that process electronic Protected Health Information (ePHI) should defend against and respond to ransomware.

Read moreHHS: Ransomware encryption of ePHI is a HIPAA breach

Prevent ransomware from succeeding with strategic defense-in-depth

Thoughtfully placed countermeasures can prevent ransomware like Petya, shown in this screenshot

Ransomware has become the weapon of choice for financially motivated cybercriminals. Individuals, hospitals, businesses, schools, police departments, and government agencies have all been victims of highly disruptive ransomware, resulting in ransom payments totaling at least $24 million in 2015, according to the DoJ and DHS. It doesn’t take much to start a ransomware campaign, and the returns can be extremely high. Fortunately, the steps to prevent ransomware from succeeding are equally simple and low cost.

Read morePrevent ransomware from succeeding with strategic defense-in-depth