… many Australian internet users underestimated the threat from cyber criminals that steal passwords from one site and use attempt to use them across other sites. This conclusion was borne from the fact that 63 per cent of all respondents used the same password across more than one site.

Full article over here at: http://www.zdnet.com.au/aussies-overestimate-password-toughness-339322780.htm

I wonder what we thought made a tough password?

Hey, if you liked this (or didn’t) please leave a comment.

A post from: Identity Management

Using “dscl” (Directory Service Command Line utility) you can access the hashed passwords of other user accounts and change a password. Now if you could do this remotely, THAT would an awesome sensationalist headline.

Some choice extracts:

It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

…

Due to Lions relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes (SHA512 + 4-byte salt). To simplify the cracking of these hashes I have created a simple python script which can be downloaded here.

Now, if the password is not found by the dictionary file you’re out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:

$ dscl localhost -passwd /Search/Users/bob

Here’s the full article:

http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html

And I’ve saved you a google for “dscl”:

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/dscl.1.html

A post from: Identity Management

Not sure if this takes into account dictionary style attacks.

xkcd Password Strength

A post from: Identity Management

Siva Sivasubramanian, Optus’ head of information security, presented an SSPR success story this week at CA World using CA Identity manager. From deployment on the first 10,000 workstations, its reduced password reset calls by 60%.

Some of the benefits I’d called out ‘back in the day’ were:

• Less calls to the service desk for password resets, saving money
• Increased productivity – Why spend productive time calling the service desk?
• User empowerment – Users can take immediate action and solve their own problem
• A far better user experience than navigating all those average phone menus

The article calls out another benefit that was right under my nose – if a password can be easily reset, you’re less likely to borrow someone else’s

Check the full article at http://www.zdnet.com.au/self-serve-passwords-more-secure-optus-339319174.htm

A post from: Identity Management

5 minutes is pretty damn quick for change request approval and update. I can’t see it happening in any large organisation I’ve worked for so I’ve got plenty of praise for a rapid response. On the flip side, weak change control is probably why the bug got through in the first place.

All users logged in at that time have been sent logs to review any anomalies for themselves. Hmmm…. crowd sourced security investigations? To the potentially compromised users themselves? Probably not the greatest idea. But still, if you don’t have any better technology to do it (maybe an adaptive risk engine could help?) it’s better than some alternatives – doing nothing or adding more eyeballs who don’t really know what to look for.

• Here’s the Slashdot mention | http://bit.ly/mtaGS7
• The coverage on the DropBox blog | http://blog.dropbox.com/?p=821

In related news, ATC-NY has released a forensic tool that allows private files on the Dropbox online hosting service to be read.

• Itnews coverage | http://bit.ly/lGc99w

Might need to rethink my personal cloud storage approach. Is anyone else any better?

A post from: Identity Management

http://www.zdnet.com.au/sms-bank-tokens-vulnerable-rsa-339308633.htm

welcome all to 2011.

A post from: Identity Management

Thanks for visiting and engaging during 2010 and I wish you all a very Merry Christmas and a Happy New Year!

Cheers,

Adrian

A post from: Identity Management

The ATO announced that the AUSkey registration, download and installation process had been successfully tested with Ubuntu 10.04 and Firefox 3.6, and may also work with other versions of the software.

Full coverage at http://www.itnews.com.au/News/242111,tax-office-authentication-goes-linux-compatible.aspx

A post from: Identity Management

Oracle has up until now OEM’d the Passlogix v-Go suite to complement their existing identity management platforms. This arrangement is not unique – Passlogix has OEM’d to a number of big vendors in the past including

• RSA Sign-On Manager (which transitioned back to Passlogix in 2007);
• Citrix for Citrix Password Manager (this agreement is reaching back a while)

And most notably IBM for TAM-ESSO 6 … well right up until IBM’s acquisition of Singapore based Encentuate in 2008.

Passlogix, like other eSSO solutions,  remembers credentials post-authentication, saving them into the user’s “wallet”. The “wallet” is an encrypted collection of credentials stored either locally or in an external repository such as an LDAP directory. Passlogix replays these credentials, authenticating on behalf of the user and creating the magic effect of single signon.

The Passlogix suite also integrates into provisioning engines such as Oracle Identity Manager for the pre-provisioning of credentials into the user’s “wallet”, further simplifying the process for the user.

Bringing it back to Australia, local security integrator 443 became a reseller of the Passlogix technology suite in September 2009 and Passlogix v-Go is EAL3 certified by the Australian Defence Signals Directorate (DSD). I can’t share, but I know of a number of organisations in Melbourne who have either deployed Passlogix or are in the process of evaluating it.

Congratulations to all the guys at Passlogix – I hope you had equity! 

Want more info?

• www.passlogix.com
• Passlogix Facebook Page
• https://twitter.com/passlogix
• Full oracle coverage of the arrangement here and here’s a link to the FAQ.
• Oracle press release here.
• Computer world coverage
• Network World coverage

A post from: Identity Management

“Rather than rely on an alternate e-mail address and a single secret question-answer pair for resetting an account password, Hotmail now lets a user set one or more “trusted PCs” or a mobile phone as proof that she is the real owner of the account, said Dan Lewis, a senior product manager with the Hotmail team.”

Here’s the full coverage from Computerworld

http://www.computerworld.com/s/article/9188462/Microsoft_boosts_Hotmail_password_reset_security

And here’s the original release from John Scarrow , General Manager – Safety Services, Microsoft.

http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/09/27/hotmail-security-updates-protect-you-from-account-hijackers.aspx

It’s great to see security enhancements, especially in the consumer space where User’s are notoriously difficult to educate. Furthermore, Users’ expectations for how to use technology within the workplace are shaped by their experiences as consumers, so hopefully features like this and the rationale will in the long term influence their security awareness.

A post from: Identity Management