If true, this just leaves me speechless....

VMware Security

The VMware hardening guide for vSphere 5.5 has been released and is available here: https://www.vmware.com/support/support-resources/hardening-guides.html

I've only had a chance to have a cursory look at it so far, but it looks pretty good. 

Women prefer length and men diversity.

You know I'm referring to passwords right?

Also from the article:

"studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst."
Did that study include *nix admins?

Also from the BBC, an an analysis on the Adobe passwords that were leaked. No real news here, except to say people still choose terrible passwords....

Top 20 passwords

  • 123456
  • 123456789
  • password
  • adobe123
  • 12345678
  • qwerty
  • 1234567
  • 111111
  • photoshop
  • 123123
  • 1234567890
  • 000000
  • abc123
  • 1234
  • adobe1
  • macromedia
  • azerty
  • iloveyou
  • aaaaaa
  • 654321

Trouble in transit

We've probably all done it. I have. You know you have too. Go on, admit it!
Done what you ask? Scrounged around for some free WiFi when travelling. With data roaming costs being so high, free wifi can be a blessing - except when it's a curse!

Here's a fun article from tripwire highlighting how easy it can be to capture credentials from unwitting travellers at an airport and how poor the information security practices in some hotels can be.

What Nabil describes in his article about default passwords and poorly segmented networks pretty much matches some of the stuff I've seen when travelling. What makes it worse is when the place is charging a small fortune for daily internet access - where is that money going? Not on security apparently!

Long story short - don't let down your guard even when connected to 'safe' networks and VPN is your friend!

Oh and Nabil's http://www.toolswatch.org/ page is pretty cool too. Go check it out!

EMET Uncovered

This is a nice rundown on Microsoft EMET's functionality and its strengths and weaknesses.  I've been running EMET for about 6 months, its very unobtrusive and I'm yet to see it cause an issue with the applications that I run. I believe the more recent versions are also able to be managed with MS System Center for larger environments.

Microsoft Expands Mitigation Bypass Bounty

Microsoft have expanded their mitigation bypass bounty to include not just bypass techniques researched and developed specifically for the program, but also bypass techniques observed in the wild, thereby vastly increasing the number of researchers looking and the chance of finding something novel.

Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.
Increasing the chance of finding a novel technique is only the first benefit that Microsoft hope to gain from this expansion, as they point out in the quote below they are also hoping to have an influence on the underground vulnerability markets, increasing the costs to those looking to buy exploits.  This is a nice use of market forces to drive security benefit, artificially increasing the cost to the bad guys, I wonder who has more money... (and no, I'm not going down the rabbit hole of nation state actors)
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.
The use of market forces to drive up the cost of exploits ties in quite nicely with some discussions I've been having recently about raising the entry criteria for attackers, be it at a micro level such as what you might be doing in your organisation or a macro level such as what Microsoft are doing here. Attempting to 'raise the bar' for adversaries, either by technical or financial means is nothing new, this is the point of every security control or bug bounty program.  What is different from other bounty programs with this effort and its predecessor is that Microsoft is incentivising researchers to find new defensive strategies rather than individual vulnerabilities with point solutions, effectively eliminating whole classes of vulnerabilities.

NBN and Huawei

Interesting article on Huawei's exclusion from the NBN here in Australia

Dark Mail Alliance

Interesting concept, and one that's probably well over due, but I get the feeling it may be a little like implementing DNSSEC or IPv6... Who knows, maybe the Snowden leaks will provide the push necessary to overcome the inertia.



Don't be...?

So I saw this today:

Google will allow its advertisers to use your image and comments in ads for their products, via a new feature called Shared Endorsements. This change raises privacy concerns for some people, and if you use Google Plus, the company's competitor to Facebook, you need to understand these changes.From November 11, the names, images and comments of Google Plus users will be available to Google advertisers for incorporation into the advertisements that appear when users run searches on the site. The changes are reflected in new Terms of Service that are understood to be accepted whenever you use Google services.

While this may not qualify as 'evil' (as in the famous Google "don't be evil" motto that they used to use), it seems like adding a 'feature' like this that sin't opt-in is kinda a douche move and a particularly poorly timed one in the post-Snowden era where privacy is currently such a touchy subject. Although Google may claim they didn't give the NSA access to private user data, giving it to advertisers is apparently OK.

(and yes I know this blog is on blogger - owned by Google).

Investigation, now and then...

Here's an interesting article from a journalist who paid a private investigator to investigate him to see what he could discover back in 1999 and compared it to seeing what an ethical hacker could find today. Interesting results, although the 1999 techniques (largely social engineering) would probably still bear fruit today... 

TED Talk - Why Privacy Matters

Interesting TED Talk on privacy and one which highlighted in my mind an interesting crossover that exists in the Information Security industry.  Information Security professionals are often in an excellent position to breach privacy, and are often called upon to do tasks that do just that (though only in an ethical and responsible manner). On the flip side and possibly as a result of the above, they are often the strongest proponents of improved privacy controls and the most outspoken critics of those that breach them.

More on Storing Passwords

Following on from my Storing Passwords post, here is an excellent and far more comprehensive discussion of password storage (albeit in a .NET context) from Troy Hunt.

Storing Passwords

A while back, one of the guys here at work set up an open source collaboration web app to exchange some files with a customer, being an inquisitive chap I thought I'd take a wander through the source code to see how it fared from a security stand point. My first port of call for these sort of things is usually to have a look at how they're doing authentication and in this case they're doing (arguably) the right thing or, at least better than a number of other web apps out there and storing an individually salted sha1 hash of the password, they also offer the option of LDAP integration, so far so good.

The code for validating password complexity when setting passwords turned out to be a bit more interesting, the user’s password is stored with the other user details in the user table in MySQL, but there is also a password table, and the passwords in it don't look like sha1 hashes... A little more digging through the code reveals this table to be a password history table, but this doesn't explain why the passwords aren't just stored as hashes, there are also a couple of functions with ominous names called within the password reset code (cp_encrypt and cp_decrypt) that take the password as a parameter... eeek! Also, testing confirms that not just the history, but also the current password is stored in this table.

1:  function cp_encrypt($password, $time){  
2:      //appending padding characters  
3:      $newPass = rand(0,9) . rand(0,9);  
4:      $c = 1;  
5:      while ($c < 15 && (int)substr($newPass,$c-1,1) + 1 != (int)substr($newPass,$c,1)){  
6:          $newPass .= rand(0,9);  
7:          $c++;  
8:      }  
9:      $newPass .= $password;  
11:      //applying XOR  
12:      $newSeed = md5(SEED . $time);  
13:      $passLength = strlen($newPass);  
14:      while (strlen($newSeed) < $passLength) $newSeed.= $newSeed;  
15:      $result = (substr($newPass,0,$passLength) ^ substr($newSeed,0,$passLength));  
17:      return base64_encode($result);  
18:  }  

1:  function cp_decrypt($password, $time){  
2:      $b64decoded = base64_decode($password);  
4:      //applying XOR  
5:      $newSeed = md5(SEED . $time);  
6:      $passLength = strlen($b64decoded);  
7:      while (strlen($newSeed) < $passLength) $newSeed.= $newSeed;  
8:      $original_password = (substr($b64decoded,0,$passLength) ^ substr($newSeed,0,$passLength));  
10:      //removing padding  
11:      $c = 1;  
12:      while($c < 15 && (int)substr($original_password,$c-1,1) + 1 != (int)substr($original_password,$c,1)){  
13:          $c++;  
14:      }  
15:      return substr($original_password,$c+1);  
16:  }  

Looking into the encrypt and decrypt functions, there are a couple of things of note; firstly their very existence tells us that the passwords are being stored in a reversible form in the database, essentially defeating the purpose of storing the password as a salted hash.  This means that an administrator on the system can decrypt and use any user's password; it also means that should the server be compromised an attacker could also trivially decrypt the passwords and use these accounts.  While salted SHA1 hashes are also crackable in short order with the right hardware they do raise the bar somewhat.  To mitigate the SHA1 attack it would be relatively straight forward in this case to swap out the SHA1 function being used and substitute it with a slow password hashing algorithm such as scrypt or bcrypt.

A review of the encryption algorithm being used is also pretty interesting; the developer has chosen to use XOR encryption, the password is padded to 16 characters and XOR’d with an MD5 of a pseudo-random string generated at install and the current date.  In the case of short strings like passwords, this is actually a reasonably effective encryption algorithm as the password is unlikely to be any longer than 16 characters (in the event it is the key material is repeated which introduces a weakness).  However in this context the encryption being used is really academic, the passwords shouldn’t be stored in a reversible format, though when you look at the apparent reasoning behind it there is an interesting security trade-off. 

The impetus behind storing the passwords encrypted appears to be so that the application can do a comparison of the new password with previous passwords to ensure that not only is it different from previous passwords but also that it isn’t too similar to any previous passwords.  The motivation here is noble but, in my opinion, somewhat misguided, a better approach would probably be to prompt the user based on the entropy of the new password while also checking that it doesn’t match any of the previous X passwords.  While this doesn’t solve the problem of having users choose passwords and incrementing a suffix it means that passwords aren’t being stored reversibly, even removing the current password from the history table doesn’t mitigate the problem as users still have a tendency to choose passwords based on a pattern, regardless of the checks that you enforce.  Password selection guidance is still maybe best done as part of a security education program.

How to Phish Friends and Influence People

As I mentioned in a previous blog post I'm doing a bit of lecturing for an undergraduate degree in Network Security, this semester I'm teaching Enterprise Security.  This week we covered Security Engineering and were discussing, among other things, the psychology/ behavioural economics of Phishing.  Rather than try and explain the incentives and mentality at play when someone clicks on a phishing link I thought I'd take a more practical approach and carry out a small simulated phishing campaign.

Using the Simple Phishing Toolkit, an excellent but sadly abandoned open source tool for running educational Phishing campaigns, I set out to phish the students under the guise that their Moodle platform had been upgraded with a number of bug and security fixes and a link to click to see a full list of the changes.  The tool provides the capability to have a dummy login form, even providing an inbuilt scraper to automate the building of the form, I stopped short of this however, mainly due to time constraints. For the purposes of this exercise just clicking on the phishing link was enough to get you marked as a victim.  After all, these are students who are studying security and should know better than to click on a links in an email without validating the destination and visiting a malicious site is often enough.

Having set up the campaign and pushed out the emails I went off to do some other jobs that needed doing, I didn't really expect to get too many hits on the link, it pointed at a dynamic IP and I didn't really think they would find a list of updates to Moodle worth clicking through for ( a theory that was subsequently confirmed when I spoke to them in the lecture). As it turns out either I'm a better phisherman than I give myself credit for or this group of students is a gullible bunch, 12 out of a total 32 students clicked on the link (see chart below).  Given that a couple of those 32 students seem to have given up checking course related emails, the percentage may be even higher. Those that clicked on the link were redirected to a phishing education page (also supplied in SPT) with a video on phishing from Symantec.

Phishing the students was certainly an interesting exercise and one that I'd like to repeat with other groups and extend into other organisations, more and more, having recognised the human element as the weak link in their security posture, organisations are running social engineering pen-tests and including simulated phishing campaigns.  Done right, this could be an excellent education tool, and one worth pursuing, it serves as a nice demonstration of the types of methods used by real attackers against organisations, giving your users real experience that they can relate to net time they encounter a real phishing (or spear-phishing) email, with the right instruction and correct incentives, users can be taught to identify phishing emails and report them to your security team.  The confidence to report a phishing email is even more important if the user did click on the link or fill in the form, it is important not to castigate users for making security mistakes, the knowledge that they have done so at least allows you to respond to the potential outcomes rather than having to detect it through other means.  It also serves as another source of insight into the security posture of your organisation and potentially an intelligence source for identifying high risk users to be correlated against mail gateway logs.

Back in the security saddle

It's been quiet around here lately as I've been travelling and extremely busy with work. However it's time to get back to blogging on a semi-regular basis (I don't know what Richard's excuse is!)

While checking out the new IOS7 features recently (although I've yet to upgrade) I came across this gem:

Apps can now be configured to automatically connect to VPN when they are launched. Per app VPN gives IT granular control over corporate network access. It ensures that data transmitted by managed apps travels through VPN — and that other data, like an employee's personal web browsing activity, does not.
Now that's a nice feature (and about time), especially in the BYOD era. Speaking of BYOD, I recently had a chance to meet a number of Security managers from around the world and BYOD was a hot topic. However here in Japan it is not even on the radar for many organizations. A Logicalis research paper [pdf] from last year showed Japan as significantly trailing other markets in regards to corporate IT actively promoting BYOD and, perhaps unsurprisingly, leading the pack in the measure of 'IT don't know about it but we're doing it anyway'.

Why is Japan slow to embrace this trend? My personal view is it is a combination of inherently conservative companies and IT departments (who are unwilling to give up control) combined with the strict labour laws regarding overtime work. As we've seen in the west, mobility and BYOD blur the lines of work/life significantly and risk putting companies here on the wrong side of the law if employees are found to be working excessive overtime.

Sh!tty Security

As we move into the age of the Internet of Things, expect to see more and more stories like this one, where a luxury toilet firm here in Japan have developed a Android-app controlled 'smart toilet'. The problem? All the toilets are hardcoded to a PIN of 0000 -- allowing anyone with the app (in bluetooth range) to control the toilet.

While the actual benefits of a Android-app controlled toilet escape me at present (and the impact of an attack is admittedly pretty minor), the poor security in the execution is unfortunately all too common. Today it's a toilet, tomorrow implanted medical devices (actually that is also today...).

The toilet pales in comparison to the Smart TV Hacking [pdf] research from Korea. Which is extra creepy if you're watching your smart TVon your smart toilet...

Remember when...

Remember when getting hacked was a bad thing? Now apparently it is a marketing opportunity!

US Food chain Chipolte faking it's twitter account being hacked to generate 'buzz' as a marketing exercise.

Of course while others have claimed twitter accounts were hacked to cover up embarrassing behavior, this is the first time I've seen someone making a claim of being hacked as marketing.....

Cyber Defence Unit in Japan

After a few recent high-profile data breaches, and all the global cyberwar press, here in Japan a Cyber Defence Unit (CDU) is being created, but not without what appears to be warranted criticism.

No word on whether it will also include animal handlers for their incident investigation team.

I think I speak for us all when I say we expected any Japanese military (or SDF) related unit with the word "cyber" in it's name to include more of this kind of thing...!

Onion Hack

It's a few months old, but there's an interesting article at that home of Internet satire, The Onion on how they were hacked.

It's always good to see when companies are able to disclose some of these details so the rest of us can learn from their misfortune.


Irony: Emails about Governments snooping on private data used to distribute malware that allows criminals snoop on your private data...

SANS Pen Test Poster

SANS have put out this nice poster of useful pen-testing resources.

iOS mobile hotspots

Threat Post has an article about some researchers who have found that iOS 6 default mobile hotspot random passwords are not so random after all (there are 1,842 different words) and therefore not too hard to brute force. Additonally...

“It should be noted that all generated keys are only valid for the lifetime of a single session and that generation of those keys only relies on the PSK,” the paper said. “This implies that the security level of the whole mobile hotspot depends on the quality of the passphrase.”
The original paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" is here [pdf]. The title says it all - this is a true example of Usability vs. Security, and as too often seems to be the case, security loses.

Best option - use a long, custom non-dictionary password....

Frank Abagnale Jnr.

Following on from my previous post on 'gaming the system', a friend sent me this link to Frank Abagnale Junior - the man played by Leonardo DiCaprio in "Catch me if you can" - giving the closing keynote at the RSA APAC conference (youtube).

It's an interesting talk to hear how someone with a hacker mindset in the 60s was able to social engineer and defeat some of the security systems of the day...just by not following 'the rules'.

Whacky McAfee

John McAfee has posted an "instructional" video on "How to uninstall McAfee Antivirus" (youtube).

I'm sure the McAfee marketing department are appreciating his efforts...

Gaming the system

I do enjoy stories of people gaming systems. This one came up today of a man who took advantage of a National Australia Bank promotion to earn 380,000 frequent flyer points for $70. The bank offered 100 frequent flyer points per purchase - but failed to state a minimum purchase value. A whole lot of 1c purchases later and the guy had 380,000 points -- before the bank noticed and closed the loophole!

It kinda reminds me of the (in)famous Pepsi promotion in the US in the 90s where they offered a Harrier Jump Jet as the prize for collecting 7,000,000 pepsi points. When a guy bought the points for $700,000 and went to claim his multi-million dollar jet the result was -- a lawsuit!

At least in the NAB case, the guy got to keep the points!

The lesson? Imaginative people will always find a way to game the system if the reward is worth the effort!

OWASP Top 10

The 2013 OWASP top 10 has been released, and sad to say the number one spot has not changed since the last top 10 in 2010.....Injection!

OWASP Top 10 – 2013
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards

Back in 2011 I referenced Troy Hunt's excellent ebook reference for the 2010 OWASP top 10. If you didn't go get it then, download it now. 

Hack me, hack you!

The NY Times has an interesting article on the hacking culture in China. It is especially interesting in the context of the Business Week article from the following day titled How the US Government hacks the world.

And just so the non-governmental types don't feel left out, a friend passed me the LA Times article on 'hacking back', a topic which seems to have become more and more of a discussion point recently.

Perhaps we'll end up taking a leaf out of the history books and start issuing Letters of Marque to Cyber-privateers!

Zero-Day Attacks

Not so new, but here [pdf] is an interesting bit of research I only saw recently on Zero-Day attacks by some Symantec staff.

Zero-day attacks last on average 312 days, and up to 30 months, and they typically a ffect few hosts.... After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude.

Breach Blanket Bingo

So it looks like Australia may finally have a data breach notification law. It was back in 2011 when the Government started really discussing this again and at that time I wrote a little about it and posted to links to an interesting point/counterpoint as to whether these laws work. While I think the jury may still be out, I hope some law is better than no law and at the very least we get something reasonable that makes sense.
(am I setting the bar too high here?)

At the same time "China" is reported to have hacked the Australian Government, including stealing plans for the new ASIO Headquarters - but it seems we forgive them, so all is OK.

I wonder if/what the Government would have to report if the new laws were in place already?

National Cyber Security Awareness Week

National Cyber Security Awareness week is this week (20-24 May). Full details here.

Oh the irony

Think this might be kind of like letting my 2 year old guard the bikkie tin...


Big Brother in a good(?) way

I sense this is not going to be without it's challenges or challengers...


OAIC Guide

Privacy is getting more and more attention in Australia, with the Privacy Commissioner recently stating:

"Information security is clearly a significant privacy issue and has emerged as a major challenge for us all. These incidents tell us that 'privacy by design' is essential. Organisations need to build privacy into business as usual practices and new projects"
As part of this most recent push, the OAIC recently released their Guide to Information Security [pdf].

While there's nothing groundbreaking in the document for a security professional, it's encouraging to see the Government pushing for businesses to improve their information security and providing this kind of document as a starting point.

Will it make much difference in the long run? Time will tell. Perhaps, combined with the proposed data breach laws, although the effectiveness of such laws is subject to debate...


Here's an interesting article on the motivation of Chinese hackers.

To quote a famous Chinese historical figure:

If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle” --Sun Tzu.
This also aligns with a timely point in the just-released Verizon Data Breach Report for 2013 - "we’re convinced of the critical importance of understanding your enemy"

How well do you understand who wants into your network, why they want in and how motivated or determined they are?

A great quote.

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Microsoft updates in excel format

Someone asked me about this today, so I thought I'd add a link. for a while now Microsoft have regularly published an excel spreadsheet with all the details on their patches. It is quite useful as a quick reference!

It's available here under "Download Detailed Bulletin Information". Or direct link is here.

Making fun of Adobe


Creator responsibility

I recently came across this rather interesting story (wired.com) about a guy who added secret compartments to vehicles. End of the story is, despite the fact what he did may not technically be illegal, he got 24 years in prison as some of his clients were (without his knowledge - although he may have suspected) major drug smugglers. At the same time, the two guys in charge of the drug smuggling operation got much shorter sentences - go figure!

The article ends with the comment:

 The (hacker) culture’s libertarian ethos holds that creators shouldn't be faulted if someone uses their gadget or hunk of code to cause harm; the people who build things are under no obligation to meddle in the affairs of the adults who consume their wares.
But Alfred Anaya’s case makes clear that the government rejects that permissive worldview. The technically savvy are on notice that they must be very careful about whom they deal with, since calculated ignorance of illegal activity is not an acceptable excuse. 
Interesting food for thought. To what extent is the creator responsible for the use of his/her creation?
Unlike the "guns don't kill people, people kill people" argument, the primary function of a secret compartments - or perhaps a technology like encryption - is not to cause harm, but to protect privacy. Should/could the makers of truecrypt be held responsible for criminals or terrorists using it to hide evidence of a crime?

I'm not an American, but sometimes these American precedents can have an influence overseas. It would seem to me a slippery slope if, as this article suggests, the person responsible for creating/implementing a technology that may be used for committing a crime more effectively can be sentenced far more harshly than the perpetrators of the crime.

World Backup Day

Apparently March 31st was World Backup Day! (http://www.worldbackupday.com/)

Although the date has passed, backing up your data = good! Losing your data because you had no backup = bad!

So go and take a few minutes to ensure your data is backed up.

The future is...hackable

Seeing the recent Telstra video about how amazingly internet-connected the world will be reminded me of a recent blog post by Pure Hacking CTO Ty Miller called "Hacking in the year 2030".

While the Telstra video is all 'minority report-esque', it doesn't seem too far fetched - although I can imagine the fun to be had messing up with a friend's shopping list by hacking their garbage can.

Ty's vision of the future may come off as a little grim, but I can't say I disagree with it. In the last decade we haven't managed to eliminate SQL Injection as a vulnerability, but it could be argued that we've made the impact of SQLi exploitation worse by making so much more information available through the ever-increasing plethora of vulnerable websites. As we rely more and more on the internet and our connected devices multiply exponentially (with the associated exponential growth in the number of connections those devices make with each other; and everything around them) the number of ways to subvert and compromise those systems will similarly grow, as will the impact of malicious actions.

Deleting the 1995 version of Sandra Bullock in "The Net" may have seemed ridiculously far-fetched at the time, but the social networking revolution has more and more people interacting with people they've never met than ever before - going as far as 'dating' and 'mourning the death' of a girlfriend who never existed.

Deleting Sandra in 2013 or 2030 may be easier than ever! (Expect a Hollywood remake!)

As a side note this article is a fun look at how you can blame Minority Report for far more than just being a bad film.

Biggest DDoS ever?

This was sent to me by a friend is an interesting read about a recent massive DDoS (distributed denial-of-service) attack that was aimed at Spamhaus.
The attack was a type of DNS-recursion amplification attack [pdf] that uses bogus queries to DNS servers to massively amplify the amount of bandwidth consumed by the attackers to over 300Gbps at times.
Cloudflare have another great explanation of this type of attack here.

The website at http://openresolverproject.org/ can be used to help you identify if you have DNS servers configured to allow recursion, and provides some configuration suggestions (such as rate limiting)

Oh Cisco... You make me sad



This was from a little while back, but I hadn't got around to posting it yet. Dan Kaminsky offering a different view of passwords:

"You know what's amazing about passwords? They totally work," Kaminsky said. "The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."
An easier way to make passwords more secure, Kaminsky said, is to mandate 12-character passwords, but make them all lowercase letters so users can create passphrases that are long but easy to remember. Increasing the length of passwords and thereby making them harder to crack is critical, he added, but it has to be done in a way that doesn't overly tax the human memory. 
He certainly brings up a good point. The problem may not be passwords, but bad passwords. And why do we get bad passwords? The same reason we get single passwords used across multiple systems or people using their birthdays as PIN numbers - "Password1" or "P@ssw0rd" is easier to remember that "w4dHu92#".

But will passphrases change that? It will involve a seismic shift in mindsets and many users having to 'unlearn' what they've been told previously. The 'passphrase' movement has been around for a while and the first reaction from users when you say "Now your passwords have a 12 character minimum" is generally not positive - even if you do away with the complexity requirements. People already forget their passwords with alarming regularity, I'm not sure if passphrases will be must easier to remember.

Passphrases have their limitations too - they don't help with password reuse, and won't stop a user changing "fourscoreandsevenyearsago" to  "fourscoreandsevenyearsago1" on their next passphrase change.

But I do agree with Dan that passwords work better than we probably give them credit for, and maybe passphrases will work a even better.

OWASP Top 10 2013 Release Candidate

Release candidate for the 2013 OWASP Top 10:


Rearranging Deckchairs on the Titanic

I heard this term for the first time the other day, and while I think there are several analogies from the Titanic that can be drawn upon for describing concepts in information security, perhaps few are as apt as this. It implies, of course, the futility of rushing around making minor adjustments in the face of impending disaster. Counteracting this requires you to have a broad picture of the security issues in your area of responsibility so you can focus on avoiding the iceberg toward which you are currrently heading at full steam. It means focussing on the highest risk issues first and letting the minutiae go for another day.  If you are a network operations guy this means doing away with unencrypted protocols for administration before changing the enable secret on the router, if you are a developer it means fixing the SQL Injection vulnerability on the login form of your app before fixing the difficult to exploit XSS bug on a page only accessible post authentication.

The US State Department has a very effective model for this which they use for vulnerability management in their unclassified network, it is described in some detail here. There are three main components to this system, continuous monitoring, a weighted scoring system and continuous feedback to both those responsible for making changes and those reponsible for overseeing the security of the organisation.  Interestingly it lists as one of it's objectives 'inspiring competition' which I think could be a very useful way of incentivising security initiatives, but that's a topic for another post. The key component as it relates to this post is the continuous nature of the feedback, administrators are sent one task (the highest priority for the systems which they are responsible for) to remediate on a daily basis. The scoring system operates at a operates at a host, site and enterprise level, allowing the feedback to occur at all levels safely guiding the ship around the icebergs.

While the scheme described above does its best to objectify the security changes to be made, situations will vary and what is critical in one context will be less so in another, the important thing is that you do the assessment and make the changes in a sensible order. Sometimes business pressures or regulatory compliance will mean that these priorities will be changed but at least the trade off is understood. If you are placed in a position where you need to meet a compliance requirement perhaps use it as an opportunity to make material gains in your security posture i.e. comply with spirit of the law and the letter.

Shaping the Security Minds of Tomorrow

So it seems I will be lecturing 'Mobile Computing and Security' for Northern Sydney Institute of TAFE's Bachelor of Network Security this semester.  It should be an interesting challenge and I'm quite looking forward to it.  It seems like a pretty good program they run, with a mix of industry certifications and a good broad range of more traditional university type subjects.

IE Cursor-tracking Data Leakage.

Now this is really interesting, especially if you're using onscreen virtual keyboards to prevent MITM capture of keystrokes.

And according to Spider.io: "The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month".

Mega Security?

Interesting look at some of the security architecture in the new Mega site


I think the key message here is that if you are going to implement cryptographic systems, even standards based ones, you need to understand the limitations of that particular implementation and it's correct uses.

A New Take on Insider Threat?

This is just plain funny

Stand back...

Nice description of why regex based blacklists are bad


Complexity the worst enemy of security

First post for 2013. The plan is to hopefully be a bit more active after a slow 2012!

I came across this interesting article that has the details of an interview with Bruce Schneier.

While I pretty much agree with Bruce and especially like Bruce's last comment: "Is my data more secure with you than it is with me?", I think the problems begin with the follow-up to that question - which is "prove it".

Now 'proving security' is fraught with danger (and is most likely an impossible task), but while you may have a good understanding of what you do - or don't do - from a security perspective, it's the lack of details that cloud providers will supply on their security practices (other than to say "we use military-grade encryption" or "we follow industry best practices") that always concerns me.

"Trust us" seems to be the mantra from a number of cloud or SaaS providers and trust them we have, sometimes with less than stellar results.

Before signing over the keys to the kingdom to cloud providers, I think it's important to get a good understanding of exactly how they protect your data, what will happen if they do suffer a breach (at what point do they notify you? When they suspect something happened or 2 weeks later when they've confirmed the breach?) and what you can can do to protect your data (such as encrypt everything and keep the keys to yourself).

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme