Devil's Advocate Security

Part 2: On Passwords, Password Policies, and Teaching

2011-10-14T20:00:00.003-04:00

I noted in yesterday's post that I used the answers to drive a conversation with a student employee, but didn't provide details. I was asked what the assignment was, and thought that it might be of interest.

I provided the initial question, and my response about what drives institutional policy - essentially what I summarized here. The assignment was:

Explain how you would answer this question for a user, and for IT management, and how your policy might differ for each of these environments:

A large multinational corporation
A commercial website like Amazon, or a cloud service like Dropbox or Picasa
A small company or non-profit

This sort of thought exercise is one that I feel is crucial for those who are learning information security, and is similar to questions I ask my employees when we discuss why our policies are what they are.

On Passwords and Password Expiration

2011-10-13T22:00:00.001-04:00

One of the things that I believe is an important part of my job is to answer user questions in a way that educates them about the topic they ask about in addition to providing the answer. At times, this can be frustrating, but it also challenges me to think about why I'm providing the answer that I do. It also means that I have to review the choices I, and my organization make about policy, process, and the reasons for both.

I recently exchanged email with one of our users who questioned our password policy which requires periodic changes of passwords. The user contended that periodic password changes encourages poor password choice, that users who are forced to choose new passwords (even on a relatively infrequent basis) will choose poor passwords, and that in the end, that password changes serve no purpose.

In my institution's case, there are a number of reasons why password changes make sense, and I believe that these are a reasonable match for most companies, colleges, and other organizations - but not necessarily for your Amazon account, or your banking password. It is critical to understand the difference between a daily use password for institutional access that provides access to things like VPN access, email, licensed software, and the rest of the keys to the kingdom, and a single use password that accesses a service or site. Thinking about your password policy in the context of institutional risk while remaining aware of how your users will react is critical.

The reasons that help drive password change for my institution, in no particular order are:

Password changes help to prevent attackers who have breached accounts, but who have not used them, or who are quietly using them, from having continued access.
Similarly, they can help prevent shared passwords from being useful for long term access.
They can help prevent users from using the same password in multiple locations by driving changes that don't match the previously set passwords elsewhere.
They can help prevent brute forcing, although this is less common in environments where there are back-off algorithms in place. In many institutions, that central monitoring may not exist, or may not be easy to implement.
Password changes continue to be recommended by most best practice documents (including PCI-DSS and others). Including password expiration in your password policy can be an element in proving due diligence as an organization.

When you read the list from a user perspective, it is difficult to see a compelling reason for them to change their passwords. There isn't a big, disaster level threat that is immediately obvious, and the "what's in it for me" is hard to communicate. When you read it from an organizational perspective, you will likely see a set of reasons that when taken as a whole mean that a reasonable password expiration timeframe is useful at an organizational level. Here's why:

The environment in which most of us work now has two major external threats to passwords: malware and phishing. With malware targeting browsers and browser plugins, and institutional policies that accept that users will visit at least common sites like CNN, ESPN, and other staples of our online lives, we have to acknowledge that malware compromises that gather our user's passwords are likely.

Similarly, despite attempts we make at user education, phishing continues to seduce a portion of our user population into clicking that tempting link, or responding to the IT department that needs to know their password to ensure that their email isn't turned off. Again, we know that passwords will be exposed.

Bulk compromises of passwords are likely to involve captured hashes, which most organizations have spent years designing infrastructure to avoid as tools like Rainbow Tables and faster cracking hardware became available. Thus, we worry more about what access to our networks, and what individual accounts, or small groups of compromised accounts can do. In the event of a large-scale breach of central authentication, the organization will require a password change from every user, typically with immediate expiration of all passwords.

In this environment, we will require our users to change their passwords when their account is compromised, but will we know to require that? We know that advanced persistent threats exist, and that some attackers are patient and will wait, gathering information and not abusing the accounts they collect. We can continue to fight those threats with periodic password changes for the accounts that provide access to our institutions.

It would, of course, be preferable to use biometrics, or tokens, or some other two factor authentication system. It is also expensive, and difficult to adapt into a diverse environment where credentials are used across a variety of systems that are glued (or duct taped, bubble gummed, and bailing wired) together in a variety of ways. For now, passwords - or preferably passphrases - remain the way to make these heterogeneous systems authenticate and interoperate.

In the end, I learned a lot from my exchange with the user. Over the next few months, I'll be adding additional information to our awareness program reminding users that password changes that change from "Password1" to "Password2" aren't serving a real use, we'll add additional information about tools like Password Safe to our posters and awareness materials, and I'll be working with our identity and access management staff to see if we can leverage their tools to prevent similar poor password practices. In addition, I've been using it as a learning opportunity for my staff, and as a challenge for my student employee.

I'm aware that I won't win with every user - I'll still have the gentleman who resets his password once a day for as many days as our password history and minimum password age will allow so he can get back to his favorite password. I'll still have the user who changes their password to "Password1!" and claims that yes, they have used a capital and a number and a symbol, and that thus they have met the requirements for a strong password. But I also know that our population continues to grow more security aware, and that many of our users do get the point.

If you're interested in this topic, you may enjoy this Microsoft research about users, security advice, and why they choose to ignore it, and NIST's password guidance provides a well reasoned explanation of everything from password choice to mnemonics and password guessing.

How to handle "I want to be a security guy" with an easy assignment

2011-10-10T20:00:00.000-04:00

As the manager of a security team I'm often approached by technologists who are interested in information security. Their reasons range from a long term interest in the subject to those who simply want a change of pace, or think that the grass may just be greener in infosec.

Over the years I've developed a simple list of things that I tell people who express an interest:

Get a copy of Hacking Exposed. Anything recent will do, and a good alternative is Counterhack Reloaded.
Skim the book, and read anything that catches your eye. Don't try to read it cover to cover, unless you really find that you want to.
Come back and talk to me once you've done that, and we'll talk about what you found interesting.

It's a very simple process - but I've found it immensely valuable. Those who are really interested, and who will put the time into the effort will buy the book, and will come back with questions and comments. A certain percentage will get the book and will realize that information security isn't really what they want to do, or they will realize that they need or want to know more before they tackle a career in security. A final group are interested, but not enough to take the step to follow up.

Once you have an interested candidate, the conversation or conversations that you can have next are far more interesting. Hopefully, you've read the book yourself, as you'll be answering questions, and often providing references to deeper resources on the topics that interest them. Favorite resources for follow-up activities include:

OWASP - particularly WebGoat and Multilldae
Investigation of vulnerability scanners like Nikto and Nessus and
Exploration of tools like Metasploit and the BeEF browser exploitation framework using DVL or a similar vulnerable OS
SANS courses like SANS 401 and 501

A whole range of options exists once you start to have the conversation - but you're certain you're having the conversation with someone who is interested enough to follow up, and who has helped you identify what they'll have some passion for.

What do hackers look like?

2011-08-01T21:17:00.003-04:00

Boingboing's Rob Beschizza surveyed stock photos of hackers from Shutterstock and Reuters - the writeup should make security professionals and hackers laugh...and wince.

What does the LastPass security breach mean?

2011-05-19T20:29:00.003-04:00

Most people in the security world - and many Internet users - have read over the past two weeks about the possible exposure of LastPass's password database. Since LastPass (which I've written about before) is a cloud password management tool, this was a major cause for concern, despite the fact that the passwords were salted - which would make them harder to figure out - many users still use poor passwords which could be easily retrieved.

The good news is that LastPass did a lot of things right, starting with their first blog post: "We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password." They went on to explain why they were worried "we saw a network traffic anomaly for a few minutes from one of our non-critical machines" and "we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)".

They explained what this might mean: "We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."

Best of all, they then explained who might be in danger: "If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing."

They even note that they're not sure that the whole thing is an actual issue - but that they want to do the right thing: "We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

Since then, LastPass has done a lot more things right and they've described it on their blog. They've done everything from providing frequent updates to trying to make sure that any future issues are handled properly. They've analyzed the mistakes they've made, and have acted to correct them, and have implemented a number of improvements to their infrastructure, design, and their overall processes.

Some of the things that I'm happiest to see are:

They have engaged 3rd party code reviewers and have committed to doing several reviews per year and sharing the results of the reviews.
They are soliciting community feedback at https://lastpass.com/support_security.php
They've split their infrastructure to keep back end systems away from their production service systems.
They've created a bastion host log server

To enterprise security folks, these will all look like normal best practices, and they are - but the fact that the folks at LastPass learned, and learned quickly is a great sign.

So, if you're a LastPass user, should you be worried? The answer is...probably not. While storing passwords in the cloud has some innate security risk, their reaction to the event had all the things I would want to see, and their basic technology not only appears well founded, but it also continues to get better. For now, my recommendation remains the same: if you're interested in cloud based password storage, LastPass is a good choice - and it appears that it will continue to improve. Regardless of what you use for password storage, a good master password is critical.

If you're not comfortable with a solution like LastPass, Password Safe and similar solutions can still be kept in the cloud - you just need to keep a client handy to access them once you retrieve the encrypted file.

BP Loses Personal Data

2011-04-01T17:15:00.001-04:00

The AP and other news sources are reporting that BP lost a laptop containing the personal information of 13,000 people who applied for compensation for damages. The laptop was unencrypted, but was password protected. BP has sent notification letters to those effected.

This is just another reminder that laptop encryption makes life easier...and may even cost less than notification letters!

Messages from the (purported) Comodo Hacker

2011-03-30T21:11:00.000-04:00

The purported Comodo hacker has posted a number of documents on pastebin. The hacker claims to have used API access to generate the certificates mentioned in

Comodo has also recently announced that two additional resellers were also breached.

The documents are well worth a read to understand how web based infrastructure services might be breached, and where we might expect to see attacks in the future. API accessibility and vulnerable servers make for a nasty combination when a trust based infrastructure is in play.

How to Spot a Liar

2011-03-28T17:15:00.000-04:00

Forensic Psychology's "How To Spot A Liar" infographic is a great overview of what research shows liars do - and don't when asked questions.

How To Spot A Liar by Forensic Psychology

Anatomy of a Scam - Secret Shoppers

2011-03-27T11:49:00.003-04:00

Here's a recent example of a secret shopper scam. Like many scams, this one attempts to lure people who think that accidentally receiving a secret shopper invitation is a way to free money. In the end, it is merely an attempt at identity theft - though it may also involve a fee scam as well!

If the recipient bothers to check who it is from, it purports to come from Dow Chemical, with an email address that is recruit@hsbrv.net, with a cc to david212@blumail.org. The hsbrv.net domain points back to a Betty Prevo, with an email address listing mark212@blumail.org. That sounds suspiciously like our david212 address as well. The whois results are below:

Administrative Contact:
Prevo, Betty mark212@blumail.org
1368 X W. Estes Ave
Chicago, Illinois 60626
United States

For those who are interested, that address points to an apartment building in Chicago. Interestingly, Betty Prevo apparently exists and does live in that area in Chicago, but she'd probably be interested to find out that she's running various domains.

Blumail? Well, it's a free email service that, "provides global e-mail accounts, educational content, employment needs, entrepreneurship, networking, story / experience sharing, mentoring and volunteering opportunities to youth and others who are coming online in developing countries." In this case? It's a great place for a scammer to get free email hosting. It's also a well known 419 scam domain. Blumail is a legitimate service, unlike the hsbrv.net domain we first looked at.

Now, the actual scam letter:

Hello there,

My Name is David Anderson and I am your group regional Instructor from within the USA.Henceforth you will be working with me on the completion of your Mystery Shopper's Position application. Like you already know, your weekly per assignment is $300:00 Flat for working with us and will come in payments of $300 each per assignment you complete for the company.

Note that the name actually somewhat matches the email address - that's often a missed detail for our scammers.

PAYMENT TERMS:
Your payment would be sent ($300) per assignment , Also the company is in charge of providing you with all expense money for the shopping and other expenses incurred during the course of your assignment.All the tools you will needing would be provided to you with details every week you have an assignment.

JOB Description :
1} When an assignment is given to you,You would be provided with details to execute the assignment and in a timely fashion.
2} You would be asked to visit a company or store in your area and they are mostly our competitors as a secret shopper and shop with them to know more about their sales and stock , cost sales and more details as provided by the company then report back to us with details of whatever transpired a the store. But anything you buy at the shop belongs to you,all we want is an effective/quick job and reports.

Free money, and what sounds like a somewhat reasonable reason why the company would want you to do this. The grammar is even better than most letters of this type.

ASSIGNMENT PACKET :
Before any assignment we would provide you with the resources needed {cash}Mostly our company would send you a check which you can cash and use for the assignment. Included to the check would be your assignment packet .Then we would be providing you details on here. But you follow every single information given to you as a secret shopper .

It starts to fall apart here with lines like "Then we would be providing you details on here".

And now for the meat of the scam:

KINDLY RECONFIRM YOUR INFORMATION BELOW TO PROCEED ON FIRST ASSIGNMENT:
Full Legal Name :
Full Physical Address :
City :
State :
Zip code :
Age:
Nationality :
Home and Cell # :
Present Occupation:
Email:

Thank you for reading.
Yours sincerely.
Contact Person: David Anderson
Time: 24 Hours daily by e-mail

And that's the anatomy of a secret shopper scam. A simple way to hook the gullible into providing details for identity theft.

RSA Hacked - SecurID Information Exposed

2011-03-18T12:30:00.001-04:00

EMC's RSA division announced that they had been hacked and it appears that they're doing the right thing for their customers by telling them. From their announcement:

"Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

If you're a current SecurID customer, you'll likely want to keep track of this as further detail is released. RSA notes that they expect to release details to the community -

"As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat."

I'll post further detail as it becomes available.

Caribou and Cardkey Door Control Systems

2011-03-18T07:30:00.000-04:00

Caribou is a proof of concept exploit application that targets cardkey systems like the prox cards that you're likely familiar with from parking lots, apartment complexes, and possibly your entry access system at your employer.

Per the site and demo:

"By providing Caribou only with the IP address of the target cardkey device, a single-button "Unlock" will access the cardkey system, unlock all available doors in sequence, allow 30 seconds for entry, and then re-lock all those same doors. Caribou has the capability of performing a brute-force of any customized security PIN used with the system."

While the proof of concept code isn't provided, the speed with which is unlocks the door indicates that the keyspace for the pin is likely relatively small, and the author provides a series of tips on securing HOA and other common spaces that use devices of this type. The most important item is the common sense (but often ignored) need to place the entry access system on a private network so that it can't be brute forced via open wireless or wired networks.

Android Malware in the Android Marketplace - the dangers of free

2011-03-02T12:30:00.000-05:00

Android Police today reports that 21 applications (which have since been pulled) in the Android market, with between 50,000 and 200,000 downloads included malware, with capabilities including the rageagainstthecage or exploid root exploits, and that they upload data including "product ID, model, partner (provider?), language, country, and userI". Worse, their analysis shows the ability to self update.

Most of these apps appear to have been copies of existing apps, made available for free. This points out both the danger of the relatively open Android Market, and of uncontrolled app downloads for your users.

The original article is worth a read, and includes a list of the malware laden apps.

Free Mac Antivirus from Sophos

2011-03-01T17:15:00.000-05:00

I often recommend AVG to Windows users looking for a free antivirus product, but I haven't had a good recommendation for Mac users - until now.

Sophos makes their Mac Home Edition antivirus software available for free at http://www.sophos.com/products/free-tools/free-mac-anti-virus/

Sophos has impressed me in the past, and this looks like a very nice solution for Mac users.

Mac OSX 10.7 to include full disk encryption

2011-02-24T17:30:00.000-05:00

Apple's recent developer preview announcement for 10.7 notes that it will include:

"the all new FileVault, that provides high performance full disk encryption for local and external drives, and the ability to wipe data from your Mac instantaneously"

This means that both Windows (BitLocker) and MacOS (FileVault) will have free, OS integrated full disk encryption.

How the President's Security Motorcade Works

2011-02-11T17:15:00.001-05:00

Jalopnik links to The Atlantic's Marc Ambinder's great article on how the Secret Service handles a significant event, including details of how the motorcade is organized and run. For those who think about physical security, this is an interesting read including a diagram of each vehicle and its role.

Google Cache Prowling and Useful Firefox Security Plugins

2011-01-17T20:40:00.000-05:00

I find that I often check Google's cache of sites that have been taken down, either as part of an incident investigation or to verify that data has been removed. One of the nicer ways to do this is using a tool like Jeffrey To's Google Cache Continue script.

This joins my toolbox of existing Firefox plugins such as:

NoScript - script blocking
URLParams - website get/post parameters
Firebug - editing of pages, including Javascript variables
FoxyProxy - a Firefox based proxy switcher that works very well with web app testing tools.
IETab - to pop an IE tab into a Firefox testing session
Leet Key - for Base64, Hex, BIN, and other transforms
ShowIP - shows the current site's actual IP address, as well as enabling a number of other useful host lookup tools.

You can find a whole relation mapped list of Firefox plugins in the FireCAT listing - enjoy!

Security Humor: DMC-Eh?

2011-01-04T20:00:00.002-05:00

A recent take-down notice (which was of course sent to the wrong address) contained what has to be one of the best typos I've ever seen in such a missive:

"Hereby we inform you that the material listed hereunder are of Phonographic nature and are deemed harmful to minors by many governments and non-governmental organizations."

We all knew the Internet was full of phonographic material, right?

Flickr Creative Commons attribution licensed image courtesy cristinabe

Facebook Status and Burglaries

2010-09-17T11:30:00.000-04:00

WMUR in New Hampshire reports what is one of the first large-scale burglary cases based on Facebook status messages that I'm aware of. For those of us who need to communicate about Facebook and social network security concerns to varied populations, this is a great example to cite. According to the article, "Investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time."

The article mentions $100,000-200,000 of stolen property that was recovered, and that the case was solved due to an officer who noticed that fireworks of the same brand reported stolen in a burglary were being shot off and investigated on orders to check out any fireworks they heard being fired.

A Different Angle on Identity Theft: When Identity Thieves Use Your Identity

2010-09-16T20:43:00.002-04:00

The story of Dr. Gemma Meadows, as reported by MSNBC is an intriguing one. Like many victims of identity theft, she was contacted by her bank and informed of fraudulent activity. What happened next though, is a bit off the normal path for identity theft victims.

Various packages with a wide range of values started to show up, and have continued to show up. Now, Dr. Meadows spends time tracking and returning packages, as well as fielding calls from various vendors from whom the items are ordered.

Why? According to the article, and what she has been able to determine, the identity thieves are using her information to test validation scripts on e-commerce websites. Her valid address, phone, and other details are being used to make transactions appear valid.

Interestingly, the scripts seem to work in some cases, flagging the transactions as possible fraudlent. The article mentions that some sites note that the item is to be shipped thousands of kilometers away from the order location, and that others call to verify that she is the one placing the order. Many others, however, don't do as well, and the stream of packages continues.

The article is well worth a read. We're used to seeing lives disrupted by identity theft and the credit and financial issues that can go with it. Receiving packages when criminals use your identity to support their crimes in a different way is an entirely different event, and appears to be one that law enforcement and our database driven society isn't geared to handle.

Blackhat, ATMs, and Money Fountains, Oh My!

2010-07-29T21:01:00.004-04:00

Security blogs and websites are all buzzing with the news of Barnaby Jack's Blackhat demonstration of ATM insecurity. Wired has coverage, our favorite security monkey has a video, and others including Tony Bradley from PC World covers the important lessons from the talk.

So does the hack tell us something truly new? I don't really think so. For years, many ATMs have been poorly embedded systems, often running commodity operating systems that rely more on physical security provided by locked boxes than on heavily secured operating systems with appropriate security controls. I've written about the insecurity of some ATM uplinks before, and accessing their network connection is often very simple in public locations.

What the exploit does do is serve to point out vulnerabilities in the specific ATMs, both of which were running Windows CE. It also serves as a reminder that any operating system that can be remotely accessed, or that allows its filesystem to be written, or to mount USB devices is vulnerable. Since many ATMs run Windows XP, or even Windows NT, they make attractive targets to those who have pre-written malware that works on Windows systems.

It should also remind us to review what devices we rely on that have embedded PC platforms in them. Windows CE, NT, XP, and various flavors of Linux appear throughout our IT infrastructure, and while we're used to locking down network access, often embedded devices don't provide strong local security. I've run into everything from AV controllers and music players to embedded systems running animal feeding systems for research. Most of the time, my only ability to secure them is to lock them away, limit access to the room they live in, and to ensure that they're on a secured network.

How do you secure your embedded systems? Have you gone so far as to modify appliances that manufacturers don't want changed?

O'Reilly Book Deal - Get Security and Other Ebooks Cheap Today

2010-05-21T19:35:00.004-04:00

O'Reilly has a coupon available for today only that makes any one ebook in their store $10. If you're like me and like to have an electronic edition handy, this is a great deal for books that are updated and searchable. Their security books can be found here. You'll want to use coupon code "FAVFA".

Check Facebook Privacy Settings with ReclaimPrivacyRights.org's Scanner Bookmarklet

2010-05-18T23:21:00.002-04:00

ReclaimPrivacyRights.org provides a simple bookmarklet that works simply by loading it when you visit your Privacy settings page on Facebook. Simple, neat, and it appears to be a neat way to get a basic checkup. Better, the source code is available for review.

Facebook Friend Suggestions - Not a Virus!

2010-05-13T21:33:00.003-04:00

Facebook status updates are quickly being populated with warnings that the suggest a friend notes that are appearing in users inboxes are virus driven. They're not - in fact, Facebook has released a notice that AllFacebook.com posted stating

"This is neither a bug nor a virus, and the “Virus Alert” status update is incorrect. Friend suggestions are now mutual and will appear for both users involved. That is, if I suggest that one person become friends with another, both the person I suggested and the person to whom I sent the suggestion will receive the notification."

The fact that the Facebook populace quickly communicates about a potential issue is good - the fact that false information is spreading quickly is not as good - but I'd rather my users avoid a fake virus than not avoid a real one.

Experiments in Security: Magstripe Reading Using Rust Particles

2010-05-09T11:37:00.002-04:00

Tetherdcow via BoingBoing has a great science experiment to try with magstripes on credit cards and other ID cards: using rust particles to read the magstripe. This looks like a great hands on and visible way to talk about how data is encoded when teaching students.

Opting out of Facebook's Instant Personalization

2010-05-04T17:30:00.000-04:00

The EFF as a quick look at how to opt out of Facebook's new Instant Personalization capabilities. Of note, you must block ALL of the Instant Personalization websites if you use them, rather than just setting one master setting. They provide both written steps and a video, as well as a suggestion on how to make your voice heard about this new "feature".