What does your password say about you?


Using what we security experts call “crappy passwords” can be the first step in a journey to identity theft and all of its attendant miseries.  If you are using Google Chrome to browse the web, a new web extension from Google can help you detect when you are using user names or passwords which have appeared in lists of compromised credentials leaked by attackers.  Should you be using these easily guessable credentials, the Password Checkup extension will warn you, giving you a chance to change your credentials and make life just a little bit harder for hackers.  Google has a blog post explaining how the extension works (no they can’t see your password).

Crappy passwords are a big problem.  A few weeks ago, someone dumped 87 gigabytes of stolen user names and passwords (over 1.1 billion sets of credentials) from lots of web sites on the Internet for all to see.   Analysis of the data dump yielded some depressing statistics – the most depressing being that only 3% of the passwords in the database were unique.  97% were being used by at least one other account.  This makes password guessing easier for attackers – use a password manager to generate, long, random, unique passwords for each website you visit, people!


If you are using any of these passwords, you are BAD and your password is BAD!

And here is reason # 312 to use a password manager… when you die, while I am sure you are going to want your browser history to remain a deep dark secret you take to the grave, your bereaved loved ones may actually need some of your passwords to, say, allow your crypto currency exchange customers to access $145 million worth of BitCoin.  This guy did not take my advice…much to the consternation of customers of Quadriga.   Password managers (like Lastpass, KeePass or Dashlane) allow you to share passwords for selected sites with your loved ones, avoiding such unpleasantness.

And finally, remember that there is no escape from the prying eyes of the Internet.  I’m expecting them to develop software which can see through that piece of duct tape on your webcam next!

What does your password say about you?

E.U. software bug bounties for open source software 👍

Here is a great example of how international cooperation can make the Internet more secure for us all… the European Union has announced “bug bounty” programs for over a dozen pieces of free and open source software commonly used as components of internet sites and services. By encouraging researchers to find and report security vulnerabilities in these vital yet invisible components, the Internet can be made safer for us all. The next step will be to get developers and admins to keep their software up to date with the corrected versions…

E.U. software bug bounties for open source software 👍

Not all two factor authentication is created equal

And apparently, not all ambulances are created equal, either

Two factor authentication  is an important security tool; by using 2FA, an attacker get ahold of your user name and password still can’t get into your accounts.

But not all two factor authentication is created equal.

Good two factor authentication uses an app on your phone or a hardware key to provide the secret codes needed to complete the login process.

Bad two factor authentication uses SMS (text) messages to send you the login code.

Why is this bad?  Attackers have increasingly been using social engineering techniques to get mobile phone companies to switch victims’ phone numbers to phones which the attackers control.  Once this is done, the attacker with a user name and password has everything they need to drain your bank account or read your email.

What you need to do to protect yourself:

Make sure that your mobile phone account is protected by a PIN code which must be given in order to port your phone number to a new phone.  You can do this on your mobile carrier’s web site or by calling their customer service number.

Some services give you a choice as to whether to use an app on your phone or an SMS message to complete your login.  Whenever you have this choice, choose the app.

If you are using services which provide SMS only 2FA, let them know that this is not acceptable in today’s security climate.  Hearing a requirement from customers is the only way these companies will make the investment in the improved technology.

If you would like to read more about this scam and how to protect you and your loved ones, here is an article on the topic.  And here is an example of a recently announced data breach at Reddit which was the result of this type of attack

While SMS based 2FA is better than no 2FA, it is time to stop using it wherever possible.

Not all two factor authentication is created equal

Open S3 Buckets: From Bad to Worse


Just when you thought that the whole “globally readable Amazon S3 storage buckets” thing couldn’t get any worse, it did.

According to a study by a French cybersecurity firm which looked at 100,000 Amazon S3 buckets…

  • 90% of buckets are private, and therefore not at risk of leaking data or being corrupted by attackers. Of course, that means 10% of buckets are public…

    58% of those public Buckets (in other words, 5.8% of the total number of buckets tested) contained readable files, what might allow data leakage.

    20% of public Buckets (or, if you prefer, 2% of the total buckets) are not write-protected.

    Only a tiny 5% proportion of those public, write-enabled buckets (in other words, a mere 0.1% of the total) don’t contain any files.

This is pretty bad for the companies who own the 2% of buckets which are writeable – this could lead to data corruption, ransomware, etc.

The cloud is a great way to increase efficiency and integrate best of breed solutions into your business, but it requires that administrators be trained for the specific challenges of security in cloud computing.  The information is out there – for example, Amazon has a page chock full of security advice.

Businesses should consider getting their employees trained and certified in the ways of the cloud either via vendor neutral certifications or, if you have chosen your cloud platform, via vendor specific certifications like Amazon’s and Microsoft’s.

The people who are plunging in to the cloud and messing up are making it harder for the rest of us who see the cloud as the future to sell its security to management – let’s get our acts together people!

Open S3 Buckets: From Bad to Worse

The (not paranoid enough) Android


The train wreck that is Android security continues…

A new strain of malware by security firm Wandera found in China has the following charming characteristics, according to a recent blog post.


Zero-day threat previously unknown within the mobile security community

Group of at least 50 functioning apps containing the sophisticated RedDrop malware

Apps are distributed from a complex network of 4,000+ domains registered to the same underground group

Once the app is opened, at least seven further APKs are silently downloaded, unlocking new malicious functionality

When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected

These additional APKs include spyware-like components, harvesting sensitive data, including passively recording the device’s audio, photos, contacts, files and more

RedDrop then exfiltrates this data, uploading it straight into remote file storage systems for use in extortion and blackmailing purposes

This is frightening stuff as it turns the victim’s phone into a bug, compromising phone calls made on the device as well as conversations in the vicinity.

As usual, the key problem here is that the app follows the rules and asks the user to approve a (long) list of permissions which are then used to compromise the device.  Many users don’t bother to read/think about these permission prompts, leading them to basically invite the malware authors to take over their device.

Security pros need to make their users aware of the need to read and think about security prompts EXTRA carefully on their Android devices.

The (not paranoid enough) Android

Beware of mobile number port out scams!


I spend a lot of time telling people to use two factor authentication on their important web accounts.  This may explain why I don’t get invited to parties.

While using 2FA is a great idea, there is one issue which you (and your employees) should be aware of.

If your 2FA solution relies on text messages to deliver it’s one time passcodes, it may be vulnerable to “mobile number port out” scams.  This article from the always informative Brian Krebs explains the mechanics of this.

The solution?  If a site offers the choice between using text messages and an authenticator app, choose the app.  If you have to use text based authentication, make sure that your mobile phone account is protected from porting using a PIN or password.


Beware of mobile number port out scams!

The ultimate outsider threat?

Not so fast there, Alf…

I know I have been blathering on about insider threats lately, so let’s go to the other extreme – the ultimate outsider threat.

A pair of researchers have given some thought to the possibility of aliens hacking us (us being Earth) via interstellar messages.

From their paper:

Our main argument is that a message from ETI cannot be decontaminated with certainty. For anything more complex than easily printable images or plain text, the technical risks are impossible to assess beforehand. We may only choose to destroy such a message, or take the risk. The risk for humanity may be small, but not zero. The probability of encountering malicious ETI first might be very low. Perhaps it is much more likely to receive a message from positive ETI. Also, the potential benefits from joining a galactic network might be considerable.

If the aliens have the ability to create Flash content, we are doomed.

The ultimate outsider threat?

Insiders on the outside

defending-against-insider-threat-landingPageImage-w-67Homeland Security Magazine has a very interesting case study on an insider threat case involving DirecTV.  In this case, the insider was a sort-of third order insider, as they worked for the document management contractor of DirecTV’s law firm.

A few lessons for us infosec professionals from this:

First:  The definition of insiders expands as businesses continue to outsource functions which used to be done in house.

Second: Vendor Risk Management programs need to pay special attention to law firms.  These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.

Third:  Trust no one.

Insiders on the outside

Jim Jeffries on US airport security

The rest of the world tends to look askance at the way that we here in the US handle airport security.  Many of the measures we take are pure “security theatre,” reacting to the last terrorist scheme (exploding shoes, bombs in underwear) that we happened to catch.  Checking electronics seems to be a good idea, although the lithium ion batteries in non terrorist devices seem to be more likely to bring a plane down than a booby trapped phone or laptop.   Even this, though, may be giving us a false sense of security as terrorists are working to better hide explosives in electronics.

Here’s a pretty funny take on all of this from Australian comedian Jim Jeffries.  Warning: it is very sweary, so don’t watch if that kind of thing offends you.

Now, I’m not saying that we should do away with the TSA or many of the security checks it performs.  One look at their Instagram account of things taken away from people at security checkpoints is enough proof of that.

What is needed is a more people focused type of security – looking for patterns in ticket purchases, travel, and behavior before and during travel to spot people with bad intentions rather than the specific weapons they use – they have all the time in the world to come up with new and better ways to evade the technical security measures, but like in information security, the real detection gold is to be found in human behavior.

Jim Jeffries on US airport security