Saturday, August 25, 2007

Your password is too short.

Forget complex passwords, you can't remember them- so you write them down (and lose the note). Besides, they are not that hard to break anyway. I won't bore you with all of the math* , but a really long passphrase will be more secure and easier to remember than a short, complex password. (Unless you use something lame like "p@ssw0rd", which is easy to remember and will be cracked by any viable dictionary attack).

This isn't just a harebrained idea of mine, check out Mark Burnett's comments in this "Contrary Wisdom from Syngress Authors" video:
The whole clip is good, but did they have to leave Bruce looking like that?

Another thing, it is OK to write down your passwords. Just not on yellow stickies on your monitor- treat them like money, keep them in a safe place and destroy the old note when you change passwords.


* Alright, here's the basic math-
(number of possible characters)^(length of password).

Assuming 62 possible characters for a simple set (a-z, A-Z, 0-9), and 94 for a full set with punctuation and other special characters- your eight digit "complex" password has 94^8 or 6.09568939 × 10^15 possible passwords. A "simple" alphanumeric twelve digit password is significantly stronger with 62^12 or 3.22626676 × 10^21 possible combinations. Simply using a long nonsense phrase (no quoting Shakespeare or Darth Vader here, please) with all lower case letters and a space (to make it readable) results in a 27 character set; at sixteen digits we get 27^16 or 7.97664431 × 10^22 possible passwords, stronger than either of the above.
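The footnote's arithmetic, worked through in code as an added example (this is not from the post or from Mark Burnett): the three cases use the character-set sizes and lengths given above, and the script also goes one step past the post by showing why the phrase has to be nonsense. If an attacker knows the passphrase is a few common words, the right keyspace is (dictionary size)^(number of words), not 27^(characters), and that can be far smaller than the "complex" eight character password. The 2000-word dictionary and the one-billion-guesses-per-second rate are assumed figures for illustration.

```python
"""Keyspace arithmetic behind the post's footnote (added example, not the post's own code).

The three cases are constructed from the figures in the post; the 2000-word
dictionary used for the phrase caveat and the guess rate are assumed values.
"""
import math


def keyspace(charset_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn from a `charset_size` alphabet:
    (number of possible characters) ^ (length of password)."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same figure on a log scale: bits an attacker has to brute-force."""
    return length * math.log2(charset_size)


def exhaust_time_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds needed to try every string in the space at a given guess rate
    (an attacker expects to succeed after roughly half of this)."""
    return keyspace(charset_size, length) / guesses_per_second


def word_keyspace(dictionary_size: int, word_count: int) -> int:
    """Keyspace when the attacker knows the phrase is `word_count` words taken
    from a `dictionary_size`-word list: the phrase is then guessed word by word,
    not character by character, which is why the post insists on nonsense."""
    return dictionary_size ** word_count


# Constructed cases using the character-set sizes and lengths from the post.
CASES = {
    "8 chars, full 94-symbol set": (94, 8),
    "12 chars, alphanumeric (62)": (62, 12),
    "16 chars, lower case + space (27)": (27, 16),
}


def compare_cases(guesses_per_second: float = 1e9) -> list:
    """Rank the cases weakest to strongest as (label, keyspace, bits, years to exhaust)."""
    rows = []
    for label, (n, k) in CASES.items():
        years = exhaust_time_seconds(n, k, guesses_per_second) / (365.25 * 24 * 3600)
        rows.append((label, keyspace(n, k), entropy_bits(n, k), years))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for label, space, bits, years in compare_cases():
        print(f"{label:36s} {space:.3e}  {bits:6.1f} bits  {years:.3g} years")
    # The caveat: a 16-character phrase that is really three common words
    # (assumed 2000-word dictionary) is weaker than the 8-character password.
    print(f"3 words from a 2000-word list: {word_keyspace(2000, 3):.3e}")
```

Run it as a script and the three rows come out in the post's order (94^8, then 62^12, then 27^16 strongest), with the dictionary-phrase line showing how quickly a guessable phrase gives that advantage back.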

Tuesday, August 21, 2007

"Real" security people just don't get it.

Black Hat, DefCon, CCC and yet another pile of news about the largely theoretical from really smart people, bah! Virtual this, hyper that, advanced counter-rotating BS.

Out here in the real world of small business, things are different. We struggle with security battles that most "experts" think were won years ago- and the problem is not that we are behind as much as the "experts" and vendors (and a big chunk of the IT press) are out of touch. They might as well be academics. (My view of smart people is summarized in my first post).

Look kids, remote code execution in user space, followed by privilege escalation and eventual total compromise with an "undetectable" rootkit isn't that impressive in a world where you can guess half of the passwords (if they even have passwords). Sure, I can sniff your car's keyless locking and ignition system's RFID and steal your car- but if the keys are in the ignition of every other car in the parking lot, I'm just showing off. And wasting time.

Don't think this is a big deal? According to the US Small Business Administration [PDF], a little over half of all private sector jobs are in small business and small businesses have generated between 60 and 80 percent of all net new jobs created annually in the past decade. That is a bunch of people (58.6 million in '04) in a bunch (26.7 million plus) of little companies- which means a really big (and growing) bunch of computers. Unfortunately, the pressures on small business are great- about a third are gone in the first two years and over half don't make four years. That means IT budgets are very tight, and security is considered a luxury by many. These systems are often no better protected or maintained than home systems, yet have valuable business data on them. And yet, we still need simple, reliable and secure systems- and we still won't have them. But we do have theoretical arguments about theoretical vulnerabilities and exploits.

At least I'm not bitter about it.


Monday, August 20, 2007

Partners and Security, Part 3B

In the words of Homer Simpson, "DOH!"

I overlooked one of the best and easiest sanity checks for web apps-
if there are forms on the site, especially ones with menu selections, see if your inputs are passed to the address bar when you advance through the site. If they are, you may be able to check for simple input validation problems.

NOTE- Passing info to the URL is not necessarily a bad thing, it just depends on what is passed and if it needs to be validated. For example, it is great that Google Maps lets you throw addresses into a URL to get the maps you want, but a bank that lets you see more information than you should is a problem.

I once found a website where I could select the number of records to display when retrieving a report- I had the choice of five, ten, or twenty records per page in a drop-down menu. When I chose the number and submitted the form, the choice appeared in a string in the resulting URL. Unfortunately, I could simply go to the address bar and change the number to anything I wanted and get the appropriate results- in other words, they didn't validate input. Without going any deeper, I knew that this app was questionable. I reported it to my employer and the company with the problem site. My employer understood immediately, the other company took some effort.

We are severely limited in what we can do to check others' web sites and applications; this is a simple test that can expose fundamental problems without "hacking" the application.
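The records-per-page story above, seen from the server's side, as an added example (not code from the post or from the site described): the unvalidated function is the pattern the post found, the validated one treats the drop-down as a hint for the browser and the allowlist as the rule, and `is_tampered` is the detection hook a defender would log from. The URL layout and the parameter name `count` are assumptions; the page sizes 5, 10 and 20 are the drop-down choices the post describes.

```python
"""Server-side handling of a records-per-page URL parameter (added example).

The URL layout and the parameter name `count` are assumed; the sizes 5, 10 and
20 are the drop-down choices described in the post.
"""
from urllib.parse import parse_qs, urlsplit

ALLOWED_PAGE_SIZES = (5, 10, 20)   # exactly what the form offers
DEFAULT_PAGE_SIZE = 10


class InvalidParameter(ValueError):
    """Raised for a value the form could never have produced; the caller
    should answer with an HTTP 400 and log the event."""


def _count_param(url: str):
    """Return the raw `count` query value, or None when it is absent."""
    return parse_qs(urlsplit(url).query).get("count", [None])[0]


def page_size_unvalidated(url: str) -> int:
    """The pattern the post describes: the server trusts whatever came back in
    the address bar, so editing count=20 to count=1000000 is honoured."""
    return int(_count_param(url))


def page_size_validated(url: str) -> int:
    """Hardened version: only values the form actually offers are accepted,
    and a missing parameter falls back to a server-chosen default."""
    raw = _count_param(url)
    if raw is None:
        return DEFAULT_PAGE_SIZE
    try:
        size = int(raw)
    except ValueError:
        raise InvalidParameter(f"count is not an integer: {raw!r}")
    if size not in ALLOWED_PAGE_SIZES:
        raise InvalidParameter(f"count not offered by the form: {size}")
    return size


def is_tampered(url: str) -> bool:
    """Detection helper: True when the request carries a value the form cannot
    produce, i.e. someone edited the URL by hand or with a tool."""
    try:
        page_size_validated(url)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: one normal, one hand-edited, one garbage.
    for u in ("https://example.test/report?count=20",
              "https://example.test/report?count=1000000",
              "https://example.test/report?count=abc"):
        print(u, "->", "tampered" if is_tampered(u) else "ok")
```

Rejecting with an error rather than silently clamping is deliberate: a value the form cannot produce is a signal worth surfacing in logs. The same principle covers the post's bank example, where the parameter is a record identifier rather than a page size: the server has to check both that the value is well-formed and that this user is allowed to see that record, regardless of what the browser was offered.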


Thursday, August 16, 2007

Yet another reason to take security seriously

One of the more compelling, yet less obvious, reasons for taking security seriously is to prevent it being forced down our throats, complete with flawed requirements. GLBA, HIPAA and Sarbanes-Oxley are examples of what happens when our lawmakers feel there is a problem and they try to legislate an answer. Don't get me wrong, these laws were designed to address real problems- but their execution is far from perfect.

Let's pick on Enron for an example: If there had been some accountability in the boardroom and at the accounting firm, maybe Enron would not have become, well, Enron. And, maybe Arthur Andersen would still exist, and maybe corporations throughout the US would not have to spend buckets of cash complying with this law. But, Enron was Enron, and Andersen did what they did (and didn't do), and SarbOx is the law- for better AND worse.

If we don't accept our responsibility to secure our systems we could end up with more legislation mandating how we run our businesses. Well-intentioned, but poorly crafted, regulations or personal responsibility- that should be an easy choice.


Friday, August 10, 2007

Security Excuse Bingo

Friday evening humor-

Security Excuse Bingo


SCO loses, Novell (and almost everyone else) wins!

An article at Groklaw has the good news:

"Hot off the presses: Judge Dale Kimball has issued a 102-page ruling [PDF] on the numerous summary judgment motions in SCO v. Novell. Here is what matters most:
[T]he court concludes that Novell is the owner of the UNIX and UnixWare Copyrights."

I'm sure there will be appeals, but this should be the beginning of the end of this chapter in the FUD wars.

Yes, there is a security angle here. One less bogus legal threat hanging over our heads for using Open Source software. Don't forget, just about everyone uses some Linux somewhere- on cell phones, media devices, network appliances and of course computers.


Thursday, August 9, 2007

Captain Privacy Strikes Again!

Captain Privacy, aka Martin McKeay, has blogged about the latest changes to the law on NSA surveillance. He has summed it up better than I could, so just go over to and read his post on the topic.


Wednesday, August 8, 2007

Verisign laptop theft

This one is over the line. A former Verisign employee had a laptop stolen from their car and the laptop may have contained employee data. An article at has the details, including tidbits like "The laptop may have contained such personal information as names, Social Security numbers, dates of birth, salary information, telephone numbers and home addresses".

But don't worry, "The laptop was fully shut down and requires a username and password to log on to the Windows application. To our knowledge, the thieves do not have the password". Besides, "there's no indication of fraudulent activity thus far".

This is a respected security company, not some naive retailer. There are too many questions to fathom here.
  • Whose laptop was this?
    • If it was Verisign's, why did the ex-employee still have it?
    • If it was the ex-employee's, why was company data on it?
  • Why does a former employee still have this info?
  • Why does anyone need this kind of info on a laptop?
  • Why wasn't the data encrypted if there was a reason to have it on a laptop?
  • Why was the laptop left in the car overnight?
  • Who believes that a Windows username and password will protect anything when an attacker has unlimited physical access?
  • When will people learn?
Verisign has quite a few job openings listed on their careers site; I wonder how much this will hurt their recruiting efforts? I'm glad I'm not in HR or PR at Verisign this week.


Friday, August 3, 2007

Exploring the IT Community

How's your training budget? How about the budget for consultants and analysts? Yeah, I don't get to spend much either.

It is ok, though, there are plenty of great resources available for little or no money through user groups and similar organizations. I have the luxury of being in the Greater Boston area where we have an abundance of great user groups, but they are everywhere.

A couple of ways to find them-
On the (mostly) Windows front, Culminis Alliance has a good User Group Locator.
Linux user groups are everywhere, take a look at for a good starting point.
Also, there are a growing number of Ubuntu LoCo (Local Community) teams.
If you happen to be in the Greater Boston area, check out Boston User Groups for a list of regional groups (full disclosure, I am the Vice President of Boston User Groups).
Don't be put off if your particular interest doesn't have a group of its own in your area, check it out and see if there might be some overlap.
Also, on the security front, there are groups like ISSA and the FBI's InfraGard.

Next time, some of my favorite local groups. Even if you aren't in the area, check out their online offerings and maybe join the maillists.


Thursday, August 2, 2007

Educational Commuting (Podcasts)

I spend a couple of hours a day in my car commuting and traveling between locations. Podcasts are a great way to turn "car time" into productive time. I listen to many; here are a few that I can't do without. Give them a listen and I think you'll agree.

Pauldotcom Security Weekly.
Informative and Entertaining (always both, not always in that order). Sometimes not "work-safe" listening, but always worth listening to. A group of security pros offer up technical tips, how-to segments, discussions of current security news, the occasional interview and even "storytime" hacker stories.

"Two Former Federal Agents Talk About Computer Forensics, Network Security and Computer Crime." Another informative and entertaining podcast, mostly focused on computer forensics but covering a mix of topical and technical security news. Brett and Ovie also frequently feature interviews, again usually forensics focused, but not always. Always worth the listen, even if you don't handle incident response and forensics.

The Network Security Podcast.
The blogs and podcasts from Martin McKeay- Martin is a prolific blogger, podcaster and video podcaster. Although he has an information security focus, with PCI a frequent topic, Martin also ventures into other areas- I especially enjoy his coverage of electronic voting systems and his exploits in the guise of his alter-ego, Captain Privacy. Martin's "creative output" has recently been re-invigorated, and I'm glad about that.

Security Now.
"Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte."
Security Now has some great information, especially some of the earlier shows on encryption and the foundations of TCP/IP. This show targets the "power user", not the security pro- keep that in mind as you listen, otherwise you may find yourself screaming at your MP3 player occasionally.

Happy Listening-