Posted: April 10th, 2010 | Author: Matt | Filed under: Brain Dump, InfoSec | Tags: back to basics, InfoSec, passwords, query | 1 Comment »
Recently there has been a spate of Gmail accounts being compromised by what sounds like poor passwords. This begs the question: what are we doing wrong? I’ve come to the following conclusions:
– We’re choosing poor passwords to begin with.
– We’re using shady third party providers for some reason.
– We’re using insecure methods to check mail.
– Someone somewhere knows something we don’t.
I know I’m stating the obvious here, but for the sake of my sanity I’m going to go through my process for choosing a password. As much as I really like this post, I don’t believe it’s really enough. When choosing a password I’ll take a favourite phrase, generally something obscure that only I will know. And yes, some of the time it’s related to the site I am saving a password for. Instead of rambling on about some obscure phrase only I know, let’s take an example.
I have just created a Twitter account for @leethaX0r69 which I am going to use as a C&C page for my …wait…er..plans for world domination should not be published. Regardless. I’ll take that account and come up with something like “Leet HaX0r is now on Twitter”. From that phrase I’ll take the first letter of each word and get “LHinoT” which is pretty good (not really). Now let’s add a little spice into the mix and get “LH1n0T” which is marginally better. Finally, some padding to get this: “&LH1n0T%”. That’s not too bad now, is it? Eight characters, upper and lower case with some special characters for good measure. And it’s not based on anything in a dictionary.
There are a number of trains of thought on the topic of a good password. Some think that having a standard pass{word,phrase} with a slight change depending on what site you are using is fine. I’d disagree with that simply because I don’t like the idea of sharing a common password among sites, even if there are slight changes in it.
This brings me to password managers. I’ve been using 1Password for a while now and it’s awesome. No, they don’t sponsor this blog, nor do I receive any kickbacks from them. The basic idea is that I have one password to get into my 1Password database and I am then free to use extremely complex passwords for all my online stuff. Very neat. Yes, I am up a certain creek without a certain paddle if I’m stuck without my laptop, but that’s what 1Password for the iPhone is for. Alas my iPhone died a horrible death and is now about to be taken apart with a screwdriver just because I can….
What do you do for passwords?
Am I crazy doing what I’m doing?
Let me know what you think…
And no…my password for Twitter is NOT &LH1n0T%
Or is it…
Posted: April 10th, 2010 | Author: Matt | Filed under: Brain Dump, InfoSec | Tags: community, help a brother out, rant, war | 1 Comment »
I guess there would have to be communication between parties to begin with…
I’m not talking about writing on your best friend’s Facebook wall or flirting with that gorgeous 18-year-old on Mixit (mostly because she’s probably a creepy 37-year-old man living at home with mom). I’m talking about getting a decent conversation going with your peers. Perhaps it’s because I am still very naive and not yet jaded about the industry I work in, but I firmly believe that we need to talk more. A whole bunch more. We are all in this together, we just choose to be on different fronts. Like it or not, if you’re in the Information Security game you’re fighting a battle. And the other team has more money, bigger guns and they don’t clock in or out. Ever. And if the stats are to be believed, they’re winning. Yes, we may win the odd battle every now and again and I am certainly not trying to take anything away from anyone on my side, but yeah, it’s a little rough out there at the moment.
My biggest issue really is that we suck at getting new guys in. It’s something that Dave Shackleford got across very well in a couple of blog posts and something that locally was dealt with very well by ZaCon/zacon/ZACON/zAcOn/etc.etc.etc. But essentially, at the end of the day, there still seems to be that feeling of “oh you’re new here, just sit in the corner and shut up”. Or perhaps that’s just me and I’m hanging around in the wrong circles. I have been faced with this problem a couple of times. I am not afraid to pick up a book or read the fine print on the best of occasions, but it would be great every now and again to not have to worry about “oh god, I’ll look like an idiot if I ask this so I’m not gonna”. A couple of times while in Durban I was approached by guys wanting to get into the game and get their security careers started, but at the same time they complained about how difficult it was to find help. To me this paints a fairly bleak picture for our future. Or perhaps I’ve grown too cynical during the course of this article?
So what’s the solution? I always get told that if you’re going to point out a fault or issue with something, you best come with a solution or a bottle of very good whiskey. I prefer whiskey most of the time, but here’s my solution. And unfortunately for me, my solution is going to be “state the obvious”. Not because it’s the easy way out, because at the end of the day it’s not. The solution is to give the “leet” thing a rest and help someone out. If you can see someone battling with an idea, concept, piece of code or some such hurdle, give the guy a hand. If you can’t help him out, point him in the direction of someone/something that can. I had a case recently where I was tasked to do something which I didn’t even have the foggiest clue about where to begin. No, I don’t want to be spoon fed, but if you expect me to build the aeroplane we’re going to use to fly over that smoking volcano, at least point me in the direction of the toolbox. Because if push comes to shove and I’ve missed a bolt somewhere for some silly reason, we’re all screwed.
To be honest, I’m not entirely sure where I wanted to go with this. Mostly it was probably a small rant I needed to get off my chest for whatever reason. Anyway, I suck at crypto so I’m going to play with OpenSSL until I understand it a little better. Probably because someone said it was a good place to start.
Posted: October 12th, 2009 | Author: Matt | Filed under: Brain Dump, InfoSec, malware | Tags: InfoSec, malware, rant, spit balling, stating the obvious | No Comments »
The days of signature based malware / trojan detection are over. We are now living in some of the most dangerous times to be using the Internet, to the point where I consider whether it’s even worth sticking around. Farming cats in the Karoo sounds like a far safer and less stressful job anyway. Long gone are the days when a cute character of the author’s choosing would run across your screen and moon you. These days, with humanity’s greed, it’s all about how quickly and easily a 0-day can be transformed into a working exploit which can either be sent out in a (spear)phishing attack or hosted on some web server with JavaScript doing the rest of the work. And the worst part of it all is that we are constantly playing catch-up.
When new malware is introduced into the ecosystem that is the Internet at large, we rely on someone catching a specimen of this malware and either analyzing it themselves or sending it through to one of the big AV vendors who will analyze it and produce a signature which will then disseminate out to paying customers. This whole process leaves gaps which are filled by zombies and eventually botnets which plague not only home users, but big corporates. No one is safe.
Conficker, while a great example of what can be done by the community at large, is still very badly understood. No one seems to know why it’s out there and what it’s truly capable of. The media didn’t help us at all around April 1st either with all the hype that went around. I think the awful catch phrase of “Cyber Katrina” was thrown around with gay abandon. Please don’t get me wrong, I am not bashing the groups who worked on the Conficker Working Group, they did tremendous work. I am just worried that there is a fairly serious piece of malware floating around which no one seems to really know the capabilities of.
What are we going to do about this? Switch to multi-engine scanning on our AV? Move to a more proactive IDS/IPS setup? How does this really help the little guy in the street? Do you think Joe Average who just wants to download the latest funny video from that site that needs that special codec from that other site that ends in .ru? Oh wait…I’ve gone cross-eyed. Am I the only person who is still worried that we are relying on vendors whose principal goal is to make money for our anti-virus updates? They’re not going to do anything rash, are they? Yes, they’re out to help us, but at what cost?
I fear I may have too many questions and doubts with not enough answers. All I know is that there is a very, very wild west (and east) out there and suddenly, running my web browser in a Virtual Machine or Live CD doesn’t sound like such a bad idea.
Hold that thought, I’m going to fire up VMware Fusion.
Posted: September 25th, 2009 | Author: Matt | Filed under: Brain Dump, InfoSec | Tags: Links, podcasts, useful | 2 Comments »
We all spend time in a mode of transport of some sort. For some of us it’s a fairly significant portion of our lives. I feel sorry for the guys and girls who live in Johannesburg. Having said that, I would move there just to get more time in the car to listen to podcasts. I used to have around 17 podcasts that were regularly downloaded but never listened to. This is bad. I then whittled this list down to 7 which I will list here. You should really check them out at some point or another.
DiscussIT Pubcast
Run by a local bunch who are involved in info-sec in some way or form. Great to get the South African point of view in a sea of foreigners.
Check them out here
Pauldotcom.com.com/net
I cannot say enough good things about the PDC crew. I was lucky enough to meet the guys at the Podcasters meet up. Great content, good insight and you have to love the commercial breaks.
Subscribe to this in iTunes.
Exotic Liability
Yes, just listen to EL. That is all.
Subscribe to this in iTunes.
Network Security Podcast
Really great dynamic with Martin McKeay and Rich Mogull. Quite a bit on PCI and privacy. Always great content.
Subscribe to this in iTunes.
An Information Security Place Podcast
This is the podcast that I stumbled upon when I first really got into info-sec and it’s still one of my favourites, run by Michael Farnum.
Subscribe to this in iTunes.
Securabit
I really enjoy the Securabit guys. They always have great guest interviews. Check out the “f0rb1dd3n Network” interview, then go and buy the book. It’s going to be awesome (when it arrives from Kalahari).
Subscribe to this in iTunes.
Security Justice
Just great content.
Subscribe to this in iTunes.
Yes, there are a lot of podcasts to listen to out there. Yes, I probably am missing out on quite a bit of information and tidbits, but I listen to these podcasts religiously and feel better for it. So instead of rotting your brain with 5fm and “shock” DJs, plug in a podcast and learn something while you sit in traffic for 4 hours. Yes Jo’burg, I’m talking about you.
note: If you’re iTunes challenged like I am, to subscribe to a podcast and have iTunes plunder your bandwidth daily, click Advanced then Subscribe to Podcast. Then simply paste the links above into the little dialog box and have it update weekly.
Thank me later.
Posted: September 25th, 2009 | Author: Matt | Filed under: Brain Dump | Tags: iphone, observations, random | No Comments »
I saw this t-shirt and had to have it. There has been a lot of hype and general douchery about the iPhone for a while now and it’s gotten a bit old. I did notice something about having an iPhone, other than having my monthly bill triple in size.
I’ve always been a huge advocate of free software and the Linux way of doing things, but since having a Mac and indeed an iPhone, I have noticed this attitude of mine swing a little the other way. It started with a couple of free downloads of useless applications from the iStore (directly from my phone, mind you). Then, after a while I moved on to the 99c applications, mostly because “hey, it’s 99c…that’s nothing” and also because 95% of the free applications are crap. No biggie, we’re still fairly safe.
But lately, I’ve been into the expensive applications. I just spent $13.95 on stuff for the phone. All in one fell swoop, without even leaving my bed. Without even turning my notebook on. And therein lies the problem, dear friends. The iPhone may not have changed how I poop, but it has influenced my spending habits. Slightly and over time, without me really thinking about it.
Now, I consider purchasing applications where before I would have spent days searching out a decent open source alternative on Freshmeat and the like.
What’s the point of all this? Apple is making it very easy to spend money without the need for a web browser or even a physical component like a credit card or, better yet, cold hard cash. It’s changing people’s perceptions of what’s safe and “the right thing to do” when purchasing items online. I fear the day when people start sending credit card details over clear text again, simply because the big apple has taught them that it’s the norm…