Friday, October 14, 2011

Part 2: On Passwords, Password Policies, and Teaching

I noted in yesterday's post that I used the answers to drive a conversation with a student employee, but didn't provide details. I was asked what the assignment was, and thought that it might be of interest.

I provided the initial question, and my response about what drives institutional policy - essentially what I summarized here. The assignment was:

Explain how you would answer this question for a user, and for IT management, and how your policy might differ for each of these environments:

  • A large multinational corporation
  • A commercial website like Amazon, or a cloud service like Dropbox or Picasa
  • A small company or non-profit
This sort of thought exercise is one that I feel is crucial for those who are learning information security, and is similar to questions I ask my employees when we discuss why our policies are what they are.

Thursday, October 13, 2011

On Passwords and Password Expiration

One of the things that I believe is an important part of my job is to answer user questions in a way that educates them about the topic they ask about in addition to providing the answer. At times, this can be frustrating, but it also challenges me to think about why I'm providing the answer that I do. It also means that I have to review the choices I, and my organization make about policy, process, and the reasons for both.

I recently exchanged email with one of our users who questioned our password policy which requires periodic changes of passwords. The user contended that periodic password changes encourages poor password choice, that users who are forced to choose new passwords (even on a relatively infrequent basis) will choose poor passwords, and that in the end, that password changes serve no purpose.

In my institution's case, there are a number of reasons why password changes make sense, and I believe that these are a reasonable match for most companies, colleges, and other organizations - but not necessarily for your Amazon account, or your banking password. It is critical to understand the difference between a daily use password for institutional access that provides access to things like VPN access, email, licensed software, and the rest of the keys to the kingdom, and a single use password that accesses a service or site. Thinking about your password policy in the context of institutional risk while remaining aware of how your users will react is critical.

The reasons that help drive password change for my institution, in no particular order are:

  • Password changes help to prevent attackers who have breached accounts, but who have not used them, or who are quietly using them, from having continued access.
  • Similarly, they can help prevent shared passwords from being useful for long term access.
  • They can help prevent users from using the same password in multiple locations by driving changes that don't match the previously set passwords elsewhere.
  • They can help prevent brute forcing, although this is less common in environments where there are back-off algorithms in place. In many institutions, that central monitoring may not exist, or may not be easy to implement.
  • Password changes continue to be recommended by most best practice documents (including PCI-DSS and others). Including password expiration in your password policy can be an element in proving due diligence as an organization.
When you read the list from a user perspective, it is difficult to see a compelling reason for them to change their passwords. There isn't a big, disaster level threat that is immediately obvious, and the "what's in it for me" is hard to communicate. When you read it from an organizational perspective, you will likely see a set of reasons that when taken as a whole mean that a reasonable password expiration timeframe is useful at an organizational level. Here's why:

The environment in which most of us work now has two major external threats to passwords: malware and phishing. With malware targeting browsers and browser plugins, and institutional policies that accept that users will visit at least common sites like CNN, ESPN, and other staples of our online lives, we have to acknowledge that malware compromises that gather our user's passwords are likely.

Similarly, despite attempts we make at user education, phishing continues to seduce a portion of our user population into clicking that tempting link, or responding to the IT department that needs to know their password to ensure that their email isn't turned off. Again, we know that passwords will be exposed.

Bulk compromises of passwords are likely to involve captured hashes, which most organizations have spent years designing infrastructure to avoid as tools like Rainbow Tables and faster cracking hardware became available. Thus, we worry more about what access to our networks, and what individual accounts, or small groups of compromised accounts can do. In the event of a large-scale breach of central authentication, the organization will require a password change from every user, typically with immediate expiration of all passwords.

In this environment, we will require our users to change their passwords when their account is compromised, but will we know to require that? We know that advanced persistent threats exist, and that some attackers are patient and will wait, gathering information and not abusing the accounts they collect. We can continue to fight those threats with periodic password changes for the accounts that provide access to our institutions.

It would, of course, be preferable to use biometrics, or tokens, or some other two factor authentication system. It is also expensive, and difficult to adapt into a diverse environment where credentials are used across a variety of systems that are glued (or duct taped, bubble gummed, and bailing wired) together in a variety of ways. For now, passwords - or preferably passphrases - remain the way to make these heterogeneous systems authenticate and interoperate.

In the end, I learned a lot from my exchange with the user. Over the next few months, I'll be adding additional information to our awareness program reminding users that password changes that change from "Password1" to "Password2" aren't serving a real use, we'll add additional information about tools like Password Safe to our posters and awareness materials, and I'll be working with our identity and access management staff to see if we can leverage their tools to prevent similar poor password practices. In addition, I've been using it as a learning opportunity for my staff, and as a challenge for my student employee.

I'm aware that I won't win with every user - I'll still have the gentleman who resets his password once a day for as many days as our password history and minimum password age will allow so he can get back to his favorite password. I'll still have the user who changes their password to "Password1!" and claims that yes, they have used a capital and a number and a symbol, and that thus they have met the requirements for a strong password. But I also know that our population continues to grow more security aware, and that many of our users do get the point.

If you're interested in this topic, you may enjoy this Microsoft research about users, security advice, and why they choose to ignore it, and NIST's password guidance provides a well reasoned explanation of everything from password choice to mnemonics and password guessing.

Monday, October 10, 2011

How to handle "I want to be a security guy" with an easy assignment

As the manager of a security team I'm often approached by technologists who are interested in information security. Their reasons range from a long term interest in the subject to those who simply want a change of pace, or think that the grass may just be greener in infosec.

Over the years I've developed a simple list of things that I tell people who express an interest:

  1. Get a copy of Hacking Exposed. Anything recent will do, and a good alternative is Counterhack Reloaded.
  2. Skim the book, and read anything that catches your eye. Don't try to read it cover to cover, unless you really find that you want to.
  3. Come back and talk to me once you've done that, and we'll talk about what you found interesting.
It's a very simple process - but I've found it immensely valuable. Those who are really interested, and who will put the time into the effort will buy the book, and will come back with questions and comments. A certain percentage will get the book and will realize that information security isn't really what they want to do, or they will realize that they need or want to know more before they tackle a career in security. A final group are interested, but not enough to take the step to follow up.

Once you have an interested candidate, the conversation or conversations that you can have next are far more interesting. Hopefully, you've read the book yourself, as you'll be answering questions, and often providing references to deeper resources on the topics that interest them. Favorite resources for follow-up activities include:

  • OWASP - particularly WebGoat and Multilldae
  • Investigation of vulnerability scanners like Nikto and Nessus and
  • Exploration of tools like Metasploit and the BeEF browser exploitation framework using DVL or a similar vulnerable OS
  • SANS courses like SANS 401 and 501
A whole range of options exists once you start to have the conversation - but you're certain you're having the conversation with someone who is interested enough to follow up, and who has helped you identify what they'll have some passion for.

Monday, August 1, 2011

What do hackers look like?

Boingboing's Rob Beschizza surveyed stock photos of hackers from Shutterstock and Reuters - the writeup should make security professionals and hackers laugh...and wince.

Thursday, May 19, 2011

What does the LastPass security breach mean?

Most people in the security world - and many Internet users - have read over the past two weeks about the possible exposure of LastPass's password database. Since LastPass (which I've written about before) is a cloud password management tool, this was a major cause for concern, despite the fact that the passwords were salted - which would make them harder to figure out - many users still use poor passwords which could be easily retrieved.

The good news is that LastPass did a lot of things right, starting with their first blog post: "We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password." They went on to explain why they were worried "we saw a network traffic anomaly for a few minutes from one of our non-critical machines" and "we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)".

They explained what this might mean: "We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."

Best of all, they then explained who might be in danger: "If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing."

They even note that they're not sure that the whole thing is an actual issue - but that they want to do the right thing: "We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

Since then, LastPass has done a lot more things right and they've described it on their blog. They've done everything from providing frequent updates to trying to make sure that any future issues are handled properly. They've analyzed the mistakes they've made, and have acted to correct them, and have implemented a number of improvements to their infrastructure, design, and their overall processes.

Some of the things that I'm happiest to see are:

  • They have engaged 3rd party code reviewers and have committed to doing several reviews per year and sharing the results of the reviews.
  • They are soliciting community feedback at https://lastpass.com/support_security.php
  • They've split their infrastructure to keep back end systems away from their production service systems.
  • They've created a bastion host log server
To enterprise security folks, these will all look like normal best practices, and they are - but the fact that the folks at LastPass learned, and learned quickly is a great sign.

So, if you're a LastPass user, should you be worried? The answer is...probably not. While storing passwords in the cloud has some innate security risk, their reaction to the event had all the things I would want to see, and their basic technology not only appears well founded, but it also continues to get better. For now, my recommendation remains the same: if you're interested in cloud based password storage, LastPass is a good choice - and it appears that it will continue to improve. Regardless of what you use for password storage, a good master password is critical.

If you're not comfortable with a solution like LastPass, Password Safe and similar solutions can still be kept in the cloud - you just need to keep a client handy to access them once you retrieve the encrypted file.

Friday, April 1, 2011

BP Loses Personal Data

The AP and other news sources are reporting that BP lost a laptop containing the personal information of 13,000 people who applied for compensation for damages. The laptop was unencrypted, but was password protected. BP has sent notification letters to those effected.

This is just another reminder that laptop encryption makes life easier...and may even cost less than notification letters!

Wednesday, March 30, 2011

Messages from the (purported) Comodo Hacker

The purported Comodo hacker has posted a number of documents on pastebin. The hacker claims to have used API access to generate the certificates mentioned in

Comodo has also recently announced that two additional resellers were also breached.

The documents are well worth a read to understand how web based infrastructure services might be breached, and where we might expect to see attacks in the future. API accessibility and vulnerable servers make for a nasty combination when a trust based infrastructure is in play.

Monday, March 28, 2011

How to Spot a Liar

Forensic Psychology's "How To Spot A Liar" infographic is a great overview of what research shows liars do - and don't when asked questions.

Sunday, March 27, 2011

Anatomy of a Scam - Secret Shoppers

Here's a recent example of a secret shopper scam. Like many scams, this one attempts to lure people who think that accidentally receiving a secret shopper invitation is a way to free money. In the end, it is merely an attempt at identity theft - though it may also involve a fee scam as well!

If the recipient bothers to check who it is from, it purports to come from Dow Chemical, with an email address that is recruit@hsbrv.net, with a cc to david212@blumail.org. The hsbrv.net domain points back to a Betty Prevo, with an email address listing mark212@blumail.org. That sounds suspiciously like our david212 address as well. The whois results are below:

Administrative Contact:
Prevo, Betty mark212@blumail.org
1368 X W. Estes Ave
Chicago, Illinois 60626
United States
For those who are interested, that address points to an apartment building in Chicago. Interestingly, Betty Prevo apparently exists and does live in that area in Chicago, but she'd probably be interested to find out that she's running various domains.

Blumail? Well, it's a free email service that, "provides global e-mail accounts, educational content, employment needs, entrepreneurship, networking, story / experience sharing, mentoring and volunteering opportunities to youth and others who are coming online in developing countries." In this case? It's a great place for a scammer to get free email hosting. It's also a well known 419 scam domain. Blumail is a legitimate service, unlike the hsbrv.net domain we first looked at.

Now, the actual scam letter:

Hello there,

My Name is David Anderson and I am your group regional Instructor from within the USA.Henceforth you will be working with me on the completion of your Mystery Shopper's Position application. Like you already know, your weekly per assignment is $300:00 Flat for working with us and will come in payments of $300 each per assignment you complete for the company.
Note that the name actually somewhat matches the email address - that's often a missed detail for our scammers.
PAYMENT TERMS:
Your payment would be sent ($300) per assignment , Also the company is in charge of providing you with all expense money for the shopping and other expenses incurred during the course of your assignment.All the tools you will needing would be provided to you with details every week you have an assignment.

JOB Description :
1} When an assignment is given to you,You would be provided with details to execute the assignment and in a timely fashion.
2} You would be asked to visit a company or store in your area and they are mostly our competitors as a secret shopper and shop with them to know more about their sales and stock , cost sales and more details as provided by the company then report back to us with details of whatever transpired a the store. But anything you buy at the shop belongs to you,all we want is an effective/quick job and reports.
Free money, and what sounds like a somewhat reasonable reason why the company would want you to do this. The grammar is even better than most letters of this type.
ASSIGNMENT PACKET :
Before any assignment we would provide you with the resources needed {cash}Mostly our company would send you a check which you can cash and use for the assignment. Included to the check would be your assignment packet .Then we would be providing you details on here. But you follow every single information given to you as a secret shopper .
It starts to fall apart here with lines like "Then we would be providing you details on here".

And now for the meat of the scam:
KINDLY RECONFIRM YOUR INFORMATION BELOW TO PROCEED ON FIRST ASSIGNMENT:
Full Legal Name :
Full Physical Address :
City :
State :
Zip code :
Age:
Nationality :
Home and Cell # :
Present Occupation:
Email:

Thank you for reading.
Yours sincerely.
Contact Person: David Anderson
Time: 24 Hours daily by e-mail
And that's the anatomy of a secret shopper scam. A simple way to hook the gullible into providing details for identity theft.

Friday, March 18, 2011

RSA Hacked - SecurID Information Exposed

EMC's RSA division announced that they had been hacked and it appears that they're doing the right thing for their customers by telling them. From their announcement:

"Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
If you're a current SecurID customer, you'll likely want to keep track of this as further detail is released. RSA notes that they expect to release details to the community -
"As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat."
I'll post further detail as it becomes available.

Caribou and Cardkey Door Control Systems

Caribou is a proof of concept exploit application that targets cardkey systems like the prox cards that you're likely familiar with from parking lots, apartment complexes, and possibly your entry access system at your employer.

Per the site and demo:

"By providing Caribou only with the IP address of the target cardkey device, a single-button "Unlock" will access the cardkey system, unlock all available doors in sequence, allow 30 seconds for entry, and then re-lock all those same doors. Caribou has the capability of performing a brute-force of any customized security PIN used with the system."
While the proof of concept code isn't provided, the speed with which is unlocks the door indicates that the keyspace for the pin is likely relatively small, and the author provides a series of tips on securing HOA and other common spaces that use devices of this type. The most important item is the common sense (but often ignored) need to place the entry access system on a private network so that it can't be brute forced via open wireless or wired networks.

Wednesday, March 2, 2011

Android Malware in the Android Marketplace - the dangers of free

Android Police today reports that 21 applications (which have since been pulled) in the Android market, with between 50,000 and 200,000 downloads included malware, with capabilities including the rageagainstthecage or exploid root exploits, and that they upload data including "product ID, model, partner (provider?), language, country, and userI". Worse, their analysis shows the ability to self update.

Most of these apps appear to have been copies of existing apps, made available for free. This points out both the danger of the relatively open Android Market, and of uncontrolled app downloads for your users.

The original article is worth a read, and includes a list of the malware laden apps.

Tuesday, March 1, 2011

Free Mac Antivirus from Sophos

I often recommend AVG to Windows users looking for a free antivirus product, but I haven't had a good recommendation for Mac users - until now.

Sophos makes their Mac Home Edition antivirus software available for free at http://www.sophos.com/products/free-tools/free-mac-anti-virus/

Sophos has impressed me in the past, and this looks like a very nice solution for Mac users.

Thursday, February 24, 2011

Mac OSX 10.7 to include full disk encryption

Apple's recent developer preview announcement for 10.7 notes that it will include:

"the all new FileVault, that provides high performance full disk encryption for local and external drives, and the ability to wipe data from your Mac instantaneously"

This means that both Windows (BitLocker) and MacOS (FileVault) will have free, OS integrated full disk encryption.

Friday, February 11, 2011

How the President's Security Motorcade Works

Jalopnik links to The Atlantic's Marc Ambinder's great article on how the Secret Service handles a significant event, including details of how the motorcade is organized and run. For those who think about physical security, this is an interesting read including a diagram of each vehicle and its role.

Monday, January 17, 2011

Google Cache Prowling and Useful Firefox Security Plugins

I find that I often check Google's cache of sites that have been taken down, either as part of an incident investigation or to verify that data has been removed. One of the nicer ways to do this is using a tool like Jeffrey To's Google Cache Continue script.

This joins my toolbox of existing Firefox plugins such as:

  • NoScript - script blocking
  • URLParams - website get/post parameters
  • Firebug - editing of pages, including Javascript variables
  • FoxyProxy - a Firefox based proxy switcher that works very well with web app testing tools.
  • IETab - to pop an IE tab into a Firefox testing session
  • Leet Key - for Base64, Hex, BIN, and other transforms
  • ShowIP - shows the current site's actual IP address, as well as enabling a number of other useful host lookup tools.
You can find a whole relation mapped list of Firefox plugins in the FireCAT listing - enjoy!

Tuesday, January 4, 2011

Security Humor: DMC-Eh?


A recent take-down notice (which was of course sent to the wrong address) contained what has to be one of the best typos I've ever seen in such a missive:

"Hereby we inform you that the material listed hereunder are of Phonographic nature and are deemed harmful to minors by many governments and non-governmental organizations."
We all knew the Internet was full of phonographic material, right?

Flickr Creative Commons attribution licensed image courtesy cristinabe