General: August 2008 Archives

Earlier this week I was discussing password resets with one of my co-workers. The answers to common password reset questions are discoverable, guessable or disclosed on your social networking site.

Mother's Maiden Name - public record
Street you grew up on - findable
Place of Birth - discoverable
Name of Pet - guessable (top list of pet names on the Internet, or just check their Facebook)

Users "improve" on security by putting something else there. They've effectively created a second password when they couldn't remember the first. Now it's likely they'll forget both.

In a discussion of users at a non-security forum where I'm a member, one user reports "I just have stock answers for all of those things. My favorite movie? movie. My favorite actor? actor."

Here's another person's response:

It drives me nuts. Stupid questions like the "favorite" stuff - what am I, five years old? I don't have a f&*(&*ng favorite color you stupid POS website!!! And then there's the "What street did you grow up on?" "What was your Math teacher's name?" "What is your childhood pet's name?" ********. I'd moved six times by the time I got to high school. I didn't grow up on ONE street, nor did I have a SINGLE math teacher and I didn't have a pet growing up!!! All these questions are so retarded. And frequently they make you choose a whole bunch of them...

Then there is the problem that most of these systems are looking for exact answers. So "New York, NY" is not "New York, New York". The system that was supposed to prevent password reset calls is generating more calls.
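An added example (not from the post or any product it mentions) of what the reset system could do instead of a byte-for-byte comparison: canonicalize the answer before hashing and comparing it, and store it the way a password is stored rather than in clear text. The alias table is a constructed stand-in for a real abbreviation list; everything else uses only the Python standard library.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Constructed alias table for this example only. It expands common
# abbreviations so that "New York, NY" and "New York, New York" canonicalize
# to the same string. A real deployment would use a fuller, locale-aware table.
ALIASES = {
    "ny": "new york",
    "nyc": "new york",
    "st": "saint",
    "mt": "mount",
}

PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text security answer.

    Unicode NFKC + casefold handles case and compatibility forms, punctuation
    is replaced by spaces, whitespace is collapsed, and known abbreviations
    are expanded token by token.
    """
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", " ", s)  # "new york, ny" -> "new york  ny"
    tokens = [ALIASES.get(t, t) for t in s.split()]
    return " ".join(tokens)


def exact_match(stored: str, candidate: str) -> bool:
    """The brittle comparison the post complains about (and a plaintext store)."""
    return stored == candidate


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the normalized answer like a password: random salt, slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Normalize the candidate the same way, hash it, compare in constant time."""
    cand = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    print(exact_match("New York, NY", "New York, New York"))  # the user gets a helpdesk call
    salt, digest = enroll_answer("New York, NY")
    print(verify_answer("new york, new york", salt, digest))  # normalized: accepted
    print(verify_answer("Boston", salt, digest))  # rejected
```

Normalization widens the set of accepted strings, so keep the alias table small and deliberate; it fixes the "New York, NY" support call without turning the answer into a guessable category. It does nothing about the larger problem the post raises, that the underlying facts are public or guessable in the first place.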

While reading on ITWorld.com I ran across a different approach to password reset.
I-forgot-my-password.com is a password reset system based on likes and dislikes. Given a list of items, you choose 16 things you like or dislike. It doesn't need to be an emphatic like or dislike. They feel that studies show that you won't have to remember anything. When it comes time to reset your password, you will naturally select the same items.

I watched a video of the researcher's presentation at Google.

I think the key questions are does it scale and does it protect against the right sort of attacks. It takes longer to register. I can't imagine doing that every time I have to sign up for an account at a new site.

I think it fails a couple of tests:
1. If I register for this form of password reset on my bank site and then on a phishing or otherwise bad-actor site, then the bad guy has the same answers as for the valid site.
2. It fails the psycho ex-girlfriend test. She may know you well enough to pass the test.

Interesting work on a real problem. Check out the video link.

Caught up with this one via Digg.

Earlier this week Jesus Diaz posted on Gizmodo how to bypass the iPhone login pin/password protection.

It's kind of funny that the typical comment response to that article is "who uses a password on their phone anyway." My opinion is more with the commenter who pointed out that "whether the typical user used a password or not, if this was a Microsoft vuln the reaction would be different."

It is serious. Apple is trying to position themselves as the new Blackberry, not just from the functionality and the coolness, but also the security. They need business customers, otherwise they wouldn't be licensing ActiveSync. No business that values its data is going to put the data on a phone that doesn't have encryption (iPhone doesn't) and doesn't even have an effective login password.

The article says that rumor is this will be fixed in the next iPhone firmware update. With the Blackberry I'm pretty sure you could push out required updates wirelessly (not positive, I'm not a Blackberry admin). With the iPhone you have to ask your users to sync with iTunes (not an iPhone admin either, but that's my understanding).

Last night, I went to a Fishnet Security event. Fishnet is a nationally focused information security solutions provider.

The featured speaker was Suzanne Hall, CIO of the Washington Nationals and Lerner Enterprises. She has had some interesting experiences: opening Nationals Park, and having the Pope at Nationals Park (talk about security!).

The topic of her talk was moving CSO to CIO, but it was really relevant to anyone that has to sell their projects to C-level people.

The regulatory approach (FISMA, PCI, HIPAA, SOX, GLB says we have to) only goes so far. Meeting regulations is really the bare minimum. It's not about Return on Investment. Security protects your ability to generate revenue. It does not generate revenue itself. FUD ("The sky is falling", also known as Fear, Uncertainty and Doubt) doesn't work any more. The sky already fell and we're still here. Risk-based approaches are great. Suzanne, working for a private company, doesn't have regulations to blame for needing this security stuff. Instead she appeals to "Core Values". To me that puts a much more positive spin on it. Imagine that, doing the right thing. Appealing to that wouldn't have worked at Enron, but at companies where the motto is more than just something on the corporate letterhead it has some promise.

After the featured presentation we heard from some sponsoring vendors.
Bradford Networks spoke about NAC.

Crossbeam is a virtualization/consolidation solution that uses blade systems and works with security companies so that you have one platform that could house your firewall, URL filtering, gateway antivirus, IDS, etc. Currently many datacenters have an overabundance of appliances, and if the network grows the solution is to add another appliance. If you're running out of space or running out of power then that might be an interesting solution.

Secure Computing presented and I spoke with one of their people for a bit. Since I first heard of them in the HTTP area that is how I think of them. They feel they have a great application layer firewall.

I also spoke with a rep from Varonis. They make a really interesting product to report on access to file shares. Many years ago I had looked for this exact feature set, couldn't find it and cobbled something together using an Access database and DumpSec exports of permissions. It would be good to replace that homebrew with something a little more solid. Additionally Varonis will be adding support for SharePoint next year.

A couple weeks ago a patch came out for WebEx Meeting Manager for Internet Explorer. Symantec's Security Response Blog is reporting sightings of exploits for this vulnerability in the wild.

Users running the vulnerable version of the WebEx control who happened upon a Web site distributing the exploit would become infected. The first exploits that we have seen so far have been served via gaming sites that have had the exploit package injected on to them.

Computers will be patched automatically if they connect to a patched WebEx server. Otherwise you can install WebEx Meeting Manager from the WebEx website or just uninstall via Add/Remove Programs in the Control Panel.

Greg Playle's article "The Seven Week Get Healthy Plan for Small Business" in this month's ISSA Journal (ISSA membership required) outlines seven security steps for small businesses to consider.

One of my friends recently received a telephone call from his doctor asking if he had an appointment. An upgrade of the appointment system had gone south and they were reconstructing the appointment book by calling all patients and asking them if they had an appointment. Whoever is handling the IT duties at these small businesses apparently doesn't know to take a backup before starting an upgrade.

I've wondered many times just what the mortgage guy or my dentist is doing to protect my personal information. I feel like I don't know them well enough to give them this article; at the same time, as a customer don't I have the right to be proactive in making sure my data is protected?

There are a couple of errors in the article. The first I hope was an editor's mistake. While describing how to gather the physical (MAC) address to use to whitelist which devices are allowed on the wireless network, the example given is an IP address.
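As an added illustration of the distinction the article muddled (this is example code, not from the ISSA article or any access point vendor): a MAC address is the layer 2 hardware identifier an access point allow-list keys on, while an IP address is a layer 3 address the DHCP server hands out. The helpers below tell the two apart, accept the common MAC spellings (colon, hyphen, Cisco dotted and bare hex), and normalize them to one form before they go into an allow-list. The sample entries are constructed. Note that this only buys what the post says it buys: a MAC is trivially spoofed, so the allow-list is a tidiness measure, not a security boundary.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Accepted MAC spellings: 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E,
# 001a.2b3c.4d5e (Cisco style) and 001a2b3c4d5e (bare hex).
# Mixed separators are rejected on purpose.
_MAC_RE = re.compile(
    r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.IGNORECASE,
)


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as lowercase colon-separated, or None if it is not a MAC."""
    v = value.strip()
    if not _MAC_RE.match(v):
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", v).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_address(value: str) -> str:
    """Label a string as 'mac', 'ipv4', 'ipv6' or 'unknown'."""
    if normalize_mac(value) is not None:
        return "mac"
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return "unknown"
    return "ipv4" if addr.version == 4 else "ipv6"


def build_allow_list(entries: List[str]) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Normalize candidate allow-list entries.

    Returns the set of canonical MACs and a list of (rejected entry, what it
    looked like) so a reviewer can see, for example, that an IP slipped in.
    """
    accepted: Set[str] = set()
    rejected: List[Tuple[str, str]] = []
    for entry in entries:
        mac = normalize_mac(entry)
        if mac is None:
            rejected.append((entry, classify_address(entry)))
        else:
            accepted.add(mac)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: two spellings of the same NIC plus the article's mistake.
    sample = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "192.168.1.10"]
    allowed, bad = build_allow_list(sample)
    print("allow-list:", sorted(allowed))
    print("rejected:", bad)
```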

The bigger problem is that the author has apparently not read George Ou's Wireless Security Myths that Will Not Die. If the author had read that he would not be making some of the wireless security recommendations that he makes.

Do not broadcast the Service Set IDentifier (SSID). Kismet will reveal hidden SSIDs. Not broadcasting it doesn't gain you much except against the casual browser, and the casual browser is already stopped by your use of WPA2.

Worse yet, your client computers will now have to probe for that network everywhere you go.
See also Josh Wright's article Issues with SSID Cloaking.

PCI 1.2 no longer requires the disabling of SSID broadcast. The message is starting to get out.

Turn on Wireless Security to at least 128 bit WEP
You're only buying time by using 128-bit WEP over 64-bit. As the retailers have learned, NEVER USE WEP if you have something to protect. Since this article assumes you need to protect the small business, I think the recommendation needs to be a bit stronger. I think even WPA-PSK is suspect for a work environment.

It seems like some of the things suggested are belt-and-suspenders solutions. Others are more like belt and Hawaiian shirt: the belt is doing the work, the shirt is just there for looks. If you have WPA2 do you really need DHCP reservations and MAC address filtering? If they break your encryption are those things really going to help? Probably not.

The article over all is good. The experience of finding wide open wireless at a small business is far too common. This article will help.

Robert Graham writes in Errata Security that "Google recently made a change that allowed you to configure your Gmail account to force SSL."

In Gmail click on Settings. On the General tab under Browser Connection select Always Use HTTPS. Without this I believe the behavior is SSL during login only, which has been shown to not protect an authentication cookie.

Google Help warns that you'll need a patch for Google Notifier and it may break mobile applications that check Gmail.

The Washington Post's weekly traffic column has an article on a couple who received a ticket from photo radar for driving 100 MPH in their Toyota Echo. Photo radar tickets are supposed to be reviewed before being issued. Given the street, car and time of day, it's hard to imagine this one passing the laugh test.

Upon review prompted by the Washington Post, it was reported that the traffic camera issues "exceptional" speed tickets of zero or 100 to indicate to the ticket reviewer that there is a problem with the camera.

There has to be a better diagnostic alert.

In the year that has passed since the I-35W bridge collapse in Minneapolis, inspectors have struggled to double-check every bridge that had the same steel deck truss design.

The Federal government had a national bridge database, using data compiled from the states, which showed 756 bridges of that structure. MSNBC reports that as inspectors began their process they found that 280 of those bridges weren't of that design at all.

Some of the bridges had been torn down years ago. Others were misclassified and were actually privately owned (not subject to inspection). A pedestrian bridge made the list, as did 13 bridges using wood timbers.

With the data so faulty, how many bridges of this design were miscategorized and thus not given the emergency re-inspection?

Obviously the same holds true in the world of computers. The old adage "you can't patch what you don't know you have" is still true. You can't even watch out for vulnerabilities in things you don't know you have.

Last October, much ink was spilled regarding GPU password cracking. With GPU password cracking, the work is offloaded to the video card's Graphics Processing Unit. Due to the nature of the GPU, password cracking can occur at speeds previously only seen by people with a lot of computers working together.

Recently InsidePro, makers of SamInside, released the Extreme GPU Bruteforcer. I love SamInside, so I had work buy a GeForce 8800 GT video card and a copy of Extreme GPU Bruteforcer.

There were a couple of false starts. Not being much of a hardware guy, I made the mistake of not considering the power needs of a high end card. I upgraded my power supply, installed the new video card and began cracking.

Previously, bruteforcing on my computer chugged along at 6.6 million passwords per second. With the new setup, I'm checking NTLM passwords at approximately 324.75 million passwords per second. If my math is correct, that means for an 8-character password that could have uppers, lowers or numbers, it would now take almost 8 days instead of taking 382 days. Not bad for less than $300 including the new power supply.