Tom Olzak

Archive for the ‘Password Management’ Category

Is email safer than a password?

In Access Controls, Computers and Internet, One Time Passwords, Password Management on July 1, 2015 at 20:02

According to a Register article, Small change to Medium takes large axe to passwords, Medium is providing an option to use email to login instead of passwords.  I registered at Medium to check it out and to see if I agree with the Register article about possible weakness.

Sign up is easy.  On the first screen, you choose whether to use a social network login (e.g., Twitter) or email.  I chose email.  After selecting topics I wanted to read about, Medium sent an email to me.  Using the email, I logged in.  No password, just a user ID.

I logged out and tried to log in again.  Medium asked me for my registration email using TLS 1.2 to encrypt the session.  I entered my email and almost immediately received a message from Medium.  The message provided a button I pushed, which took me to my home page at Medium.  Very fast, very efficient.

So is this safer than a password?  Almost everyone now accepts email as a secondary method of bypassing forgotten passwords.  It isn’t much of a stretch to use email as the primary authentication factor.  Further, users don’t have to write down passwords or remember a new password for every login.  But…

In an email-as-a-password world, email becomes a single-point-of-failure and a big target.  As long as users do better at password selection, this could still work.  What are the odds that we can train users (after trying for years) to use something other than 12345678 or Passw0rd.

It isn’t the algorithm, it’s the admin…

In Access Controls, Password Management, SHA on February 18, 2013 at 19:04

In a recent Threat Post article, Dennis Fisher writes about a competition to find a new password hashing algorithm.  Actually, I thought we had enough.  Let’s see… we have SHA-2 and SHA-3 (just approved by NIST), so what is the rush for a new one?  It seems the supporters of this competition believe their efforts will help stop use of unencrypted password stores.  Really?

The problem is not with hashing algorithms.  Rather, it is with the questionable reasoning of administrators or business managers that can’t seem to understand the need to scramble passwords in storage or in transit.  It also exists in the mental voids where managers seem to justify weak passwords and weak prevention, detection, and response controls.  We have the hash algorithms we need; we just need to use them. But even if a better algorithm is found, who is going to make people use it?  SHA-1 might be weak, but it’s betting than nothing.  SHA-2 is still effective, and SHA-3 is waiting in the wings for deployment (http://valerieaurora.org/hash.html).

Yes, faster is better.  Stronger is better.  But getting people to do the right thing requires more than a better, faster algorithm.

Twitter hacked. So what’s new?

In Access Controls, Password Management, Social Networking on February 3, 2013 at 16:31

Twitter reported last week that about 250,000 customers might have had their usernames, email addresses, session tokens, and password hashes stolen.  This is just one more instance in which the social networking world is shown as having a humongous target on its collective back.  Anyone believing anything is safe when posted on Facebook, Twitter, or any other social network is just kidding themselves.  This doesn’t mean that Facebook, for example, doesn’t care about your information.  What it means is that cyber-criminals are attracted to social networking sites like Trekkers to a George Takei book signing.  (In the interest of full disclosure, I fall into the Trekker category.)

Caution about the credentials used to access these sites is just as important as what not to post: maybe more.  However, the normal user likely uses the same password for Twitter as he does for BYOD devices, bank logins, etc.  Twitter gets it and has tried to inform its customers.  An entry in Twitter Blog reads,

“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.”

If you have users who don’t get it yet, gently help them see the light.

Government Dysfunction Strikes Another Blow for Insecurity

In Access Controls, Business Continuity, China, Cyber Espionage, Government, Hacking, Network Security, Password Management, Policies and Processes, Risk Management, Security Management, Vendor Management on October 12, 2010 at 12:51

For many years, even before the Internet, changing default access codes, passwords, and other vendor assigned information was considered a basic no-brainer.  And I understand normal people (non-IT) not getting it.  After all, if it wasn’t a good password, why would a vendor assign it…?  And who wants to argue with a support guy on the phone who can’t understand why you changed it?  I get it.  However, when our government doesn’t see the value in the change, we have a big problem.

According to an article last week in the New York Times,

[University of Michigan researchers] infiltrated the District of Columbia’s online voting system last week. They changed all votes for mayor to Master Control Pro and elected HAL 9000 the council chairman. The blaring University of Michigan fight song played whenever a new ballot was successfully cast” (Wheaton, 8 Oct 2010).

To be fair, this is a pilot project by the District’s Board of Elections.  However, I always thought “pilot’” meant seeing how it works in the real world.  So it should also mean setting security for testing system trust.  One reason why this is necessary was included in the same article:

“[Professor J. Alex Halderman] said he also saw signs that computer users in Iran and China were trying to crack the system’s master password — which his team obtained from an equipment manual. (Network administrators had never changed the four-character default password.) He said that the foreign hackers were probably not specifically trying to break into the District’s voting system, but that they represented a threat nonetheless” (ibid.)

In addition to immediate attempts by our “enemies” to hack into the system, we decided to practice global good will by leaving the vendor password in place for anyone who wanted into our system.  What a novel idea regarding how to meet the cyber-crime and warfare challenges we increasingly face.

In case you haven’t yet gotten the message across to your network engineers or internal support personnel, this might be something you can use as an attention-getter (instead of the bat you’ve placed strategically next to your filing cabinet.

This is just one more example of the dysfunction of our government information handling capability.

Do you know where your certificates are?

In Access Controls, Business Continuity, Certificates, Cybercrime, Hacking, Password Management, Risk Management, Security Management on September 13, 2010 at 07:29

So what’s next in the growing black hat toolkit?  According to some researchers, it is theft of certificates.  And this is not just theory, as demonstrated with the recent Adobe PDF zero-day exploit.  The creators of this little gem used a certificate obtained by nefarious means to bypass Microsoft Windows address space layout randomization (ASLR) and data execution prevention (DEP) safeguards.

“So the Adobe [zero-day] is using DEP+ASLR Bypass with a binary that is signed with stolen certificate!” said “Neeraj,” who works as a senior security research engineer for Nevis Network, an Indian firm. “That’s how future attacks gonna be. Scary!”

via Newest Adobe zero-day PDF exploit ‘scary,’ says researcher.

Yes, this is scary for organizations that have become complacent about protecting their certificates.  Managers tend to forget about certificate protection unless it is touted in the press or they are surprised by misuse of a cert that leaked into the wrong hands.

Certificate management is not only important for the signing organization.  It is also critical for user trust related to Web services access.  If users can no longer count on certificates to verify site authenticity, for example, what will that do to e-commerce?

So what’s the big deal?  This is just one instance in a world of hundreds of thousands of commonly used certs.  Well, the problem is that the organization whose cert was stolen had to shut down Web-facing operations until a new cert was obtained.  Think revenue loss and customer dissatisfaction.  On top of those concerns, there is the FUD (fear, uncertainty, and doubt) spread via the media and around the multi-function device at the office (the replacement for the venerable water cooler as the dissemination point for office gossip…) causing mass hysteria about the dangers of the dark, foreboding forces on the Web.

In my experience, certificates are often not managed properly, putting organizations at serious risk of a business continuity event–or worse.  Certificates, whether personal or organizational, are your electronic identity.  Lose it and game over.

For some simple guidelines for protecting certificates, see Protecting ECA Software-Based Certificates.

%d bloggers like this: