Sunday, April 22, 2012

Password Rules Explained

So you pull up a really cool web site, or what you think will be a cool web site, only to realize you can’t get to anything without creating an account.  Ok, you really want to get into the site because it’s where all the cool kids are, so you start creating an account.  After trying a bunch of different usernames, you finally find one that isn’t taken.  Almost there, you think.  It’s easy sailing now.  You enter a really simple password and a popup appears with a ridiculously complex list of reasons why your choice is too weak to use as a password.  Reasons like: the password must be X characters long, with so many lowercase letters, so many uppercase letters, so many special characters, so many numbers, and no words from any dictionary in any language.  What?? But you really want to get into that site, so you keep trying all kinds of crazy combinations until you find one that works.  By that time, you probably can’t even remember why you wanted into the site so badly in the first place.
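As an added example (not code from the original post), here is the kind of rule set described above written as a checker; the specific minimum counts and the tiny word list are assumptions standing in for whatever a real site enforces:

```python
import string

# Constructed policy mirroring the rules the post lists. The exact numbers
# (8 chars, 1 of each class) are assumptions, not any real site's policy.
POLICY = {
    "min_length": 8,
    "min_lower": 1,
    "min_upper": 1,
    "min_digit": 1,
    "min_special": 1,
}

# Tiny constructed word list standing in for "any dictionary from any language".
DICTIONARY = {"password", "welcome", "monkey", "dragon", "letmein", "summer"}


def dictionary_words_in(password: str, min_len: int = 4) -> list[str]:
    """Return dictionary words found as case-insensitive substrings."""
    lowered = password.lower()
    return sorted(w for w in DICTIONARY if len(w) >= min_len and w in lowered)


def check_password(password: str, policy: dict = POLICY) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    counts = {
        "min_lower": sum(c.islower() for c in password),
        "min_upper": sum(c.isupper() for c in password),
        "min_digit": sum(c.isdigit() for c in password),
        "min_special": sum(c in string.punctuation for c in password),
    }
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"must be at least {policy['min_length']} characters")
    for rule, have in counts.items():
        if have < policy[rule]:
            # rule[4:] strips the "min_" prefix to name the character class
            problems.append(f"needs at least {policy[rule]} {rule[4:]} character(s)")
    words = dictionary_words_in(password)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # Constructed candidates: one fails everything, one only trips two rules, one passes.
    for candidate in ["monkey", "Monkey123", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "OK")
```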

Thursday, April 19, 2012

Teen hacker hits 259 sites

Saw this article about a 15-year-old in Austria who was busted for hacking 259 company web sites.  I figured they would say he had been working on this for, you know, maybe the last year or two.  Nope, not even close.  The sites were all compromised in a 3-month period at the start of this year!  Some sites were just defaced; other sites had information taken and published.  All kinds of different sites, from all over the world.  Asked why he did it, the response was boredom and a need to prove himself.  How did he do it?  Simple tools and scripts available on the internet.

Here's the big question - why is it still so easy in 2012 to find so many vulnerabilities?  Is there just too much pressure to get an internet presence out there without even thinking about any security?  Probably.  Other times it's just because somebody didn't configure something properly.  It shouldn't be that hard to stop for a minute and think things through.  Do it right the first time.  Then keep up with what's going on within the systems.  With all the high profile hacks and millions and millions of lost dollars, the low hanging fruit should be disappearing.  Somehow it just keeps popping up.  Guess it just means plenty of new opportunities and plenty of work for many years to come.  That's good.  I have too much time before even seriously considering retirement.

Tuesday, April 17, 2012

Interesting articles from 4/17 (give or take a few days)

Here are some interesting articles I found over the last few days:

Tuesday, April 10, 2012

Hacking medical devices

Recent articles in Wired's ThreatLevel and Toronto's The Globe and Mail discuss concerns over security of personal medical devices. Researchers have shown in the past that insulin pumps, pacemakers and defibrillators could be hacked through their wireless connections.  Wait, huh?  So somebody could be sitting there and their pacemaker could change rhythm or their insulin pump could change the dosage or the defibrillator could fire without warning?  That's uncool.  Really uncool.  Yeah, it is.  But don't these kinds of devices have to undergo all kinds of intense testing and certification before they are marketed?  You bet.  Unfortunately it sounds like there wasn't much security built into these devices in the first place.  Probably a lot of different reasons why - cost, power consumption, and more than likely the thought that nobody would even think to mess with something like this.  It would be nice to think nobody would ever mess with these devices, but as we see more and more each day, that simply isn't true.  People will hack anything.  Hopefully a solution can be found before this becomes a widespread problem.

Friday, April 6, 2012

Week in review

For the first week in April, 2012 ...

  • Researchers estimate as many as 600,000 Macs have been infected with the Flashback trojan.  Apple released a Java patch this week to plug up the vulnerability used in this attack.  Several different articles on the topic here, here and here.
  • A vulnerability in Facebook mobile apps may allow attackers to grab your Facebook identity on iOS and Android devices.  A researcher in the UK has found the Facebook mobile app apparently doesn't encrypt or otherwise protect your login credentials (username and password).  In fact, he found quite a bit of information just using the basic file browser tools.  More information can be found here and here.
  • A story in Wired's Threat Level on Friday talks about a push by the European Union to criminalize "hacking tools".  Sounds like you could get busted for possessing the tools as well as for using them.  This could create serious problems for researchers and pen testers who use these types of tools to show flaws and help people better secure their devices and networks.  Creating laws like this tends to punish the law abiding way more than the criminals.  Hopefully it's not the start of a trend.

Tuesday, April 3, 2012

Quick news and notes

Just a few quick items from the last few days:
  • Researchers suggest Xbox consoles may be storing credit card info on the hard drive.
  • New Facebook login scam asks users to verify their identity by supplying credit card info.  Please don't ever supply credit info in order to verify anything.
  • Interesting article on the possibility of Samsung HDTVs watching you as you watch them.

Another reason not to check-in your location

For those who haven't been keeping up with the latest news, there's an app out there called "Girls Around Me" that allows you to do exactly what you think it does - find people who might be right around you.  Say you're out at a bar one night and curious about who may be there with you.  Well, this is the app for you.  Not only will it find people around you, it will possibly give you access to photos of those people.  No, it's not hacking their phones or doing some neat jedi mind thing.  The app is simply going out to social networking sites like Facebook and FourSquare to pull information about people who have checked in close to where you are.  While the app has recently been blocked from that type of information by FourSquare and the developer has removed it from the App Store, there will undoubtedly be others following in its footsteps.  So for those of you who like the idea of checking in everywhere you go, don't be surprised if a total stranger comes up to you somewhere and seems to know just a little too much about you.  It's a good possibility it's because they have an app just like this.

Sunday, April 1, 2012

Social Network Safety

The amount of personal information easily available on the internet is staggering.  It’s kind of funny, in an odd way though.  Doctors, lawyers, schools and employers get attacked all the time for “leaking” personal information, but an average person will willingly divulge much more potentially damaging personal information on any number of social networking sites.  Just look through sites like Facebook, Twitter, LinkedIn and Pinterest.  You will see people posting about incredibly sensitive and personal information – and sometimes it’s even about themselves.

Don’t get me wrong, social networking is not always a bad thing.  There just needs to be some thought and even restraint before posting information.  Once data is out there on the internet, it’s out there.  There is no magic eraser that will get rid of the post.  No do-over button that gives you a second chance.  Sure, some sites allow you to fiddle with your posted data, but some, maybe even most, will hold onto data even after you click the delete button.  A good rule to follow before you post is what is referred to as the “grandmother’s rule”.  It’s pretty simple.  If you would not go up to your grandmother and tell her what you are about to post, it’s probably something you shouldn’t post in the first place.  Granted, this might not always work for everyone, especially those with grandmothers who are a little on the wild side.  If that’s the case for you, maybe instead of talking to grandmother, think if it is something you would stand in front of a group of strangers and announce.