
Tuesday, January 24, 2012

(W) Ahhhhhhhhhh ! Your 5th Amendment personal password rights just died

Many of us have been watching the Colorado court case where a woman used encryption to protect files on her laptop. She was arrested for bank fraud and, as part of the investigation, she refused to give up the password that would produce more evidence of her guilt - thus self-incrimination and a violation of her 5th Amendment rights...

US District Judge Robert Blackburn ruled against the defendant.

She is appealing the ruling...

I hope she wins !!! The authorities should build a case without this data or obtain it from a witness or whistleblower, not by being ordered!

Article on CO Judge ruling

#InfoSec #Password #5thAmendment

(I) Expanding on people's passwords - InformationWeek article

Kevin Casey of InformationWeek magazine wrote a bit on "9 Password Security Policies For SMBs" and, though the 9 are mostly OK, I would add the following to each of the 9 password items mentioned:

1. Password complexity - Should or must be set by GPO or via the OS, Application and Database where available to force policy compliance

2. Password reuse - Can you say LastPass... but really, you can't force users to use unique passwords for each website, but for LastPass users the LastPass Security Challenge web page helps educate the user on the impact. Now you just need to test everyone in your organization once they use it, to convince them to change their passwords to be unique wherever possible.

LastPass User Security Challenge

3. Change Passwords regularly - 30 days ? uhh.. if you force a long complex (meaning 12 characters or more, all 4 char sets aA1!) password via GPO, OS, App or DB level... rotation is not necessary.. 90 days is plenty internally and two (2) times per year for Internet-accessible Apps (Expense Watch, SalesForce and Marketo do this now). Logging and monitoring Internet-facing systems further mitigates this risk, assuming failed and successful login attempts are being recorded with some alerting.

4. Email accounts - If your email is not tied to AD or some forced policy... Use 2-Factor authentication like Google Authenticator for Cloud-based Email.

5. Restrict App settings - Anything Internet facing should or must have strict password policies enforced or p0wnage will occur. For Mobile devices in the enterprise, use Mobile Device Management to enforce policy on iDevices, Droid and BBerrys.

6. Password wallet - LastPass again - Yeah !! - You CAN have different passwords for each login.. a GREAT thing. It remembers the URL, username and password of your Web-based Apps. You can share logins too and create secure notes. It also syncs to mobile devices. The only wallet you will ever want or need. Don't forget to use 2-Factor authentication with the FREE Google Authenticator app on your smart device or a YubiKey. I use both !

7. Device Locking - Who doesn't use a ScreenSaver? On all PC's and laptops enable a 5 minute screensaver lock... OK.. 10 mins at most. Autolock on handhelds and smartphones at 5 mins... seriously! Use GPO or the OS and App settings, and a Mobile Device Manager like BoxTone for your phones and smart devices.

8. Jailbroken or rooted devices - I agree, block them from corporate use, too bad for you... get a personal device if you want to do this, but it is not acceptable for corporate devices - period!

9. Exit Apps - It has been shown that Web/Browser-based apps that don't time out can be tabnabbed or hit with XSS while the user surfs other sites, stealing session and cookie info... Short timeouts for Web-based user interfaces are a good thing... annoying to log in, but a good thing. Don't save username or password info in Mobile Apps... and time them out at 15 mins. A pain I know, but if all I have to guess is your password... bummer for you. Browsers will sandbox this in the future. Look at the way HootSuite terminates your session for an example. I blogged about this app's session timeout here:

Session TimeOut Post
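As an added example (not from the InformationWeek article or this blog), here is a small Python policy check that applies items 1 and 3 above: 12 or more characters drawn from all four character sets, plus the two rotation windows (90 days internally, twice a year for Internet-facing Apps). The Account record, the tier names and the sample users are constructed for illustration.

```python
# Added example (not the article's or this blog's code): enforce the password
# rules recommended above. Thresholds from the post: 12+ characters from all
# four classes (aA1!), 90-day rotation internally, twice a year (183 days) for
# Internet-facing apps. Account records and tier names are constructed.
import string
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 12
MAX_AGE_DAYS = {"internal": 90, "internet_facing": 183}
CLASSES = {"lowercase": string.ascii_lowercase, "uppercase": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}

@dataclass
class Account:
    user: str
    tier: str             # "internal" or "internet_facing"
    password: str         # only seen at set/change time; never store it like this
    last_changed: date

def complexity_problems(password: str) -> list:
    """List the rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append(f"no {name} character")
    return problems

def rotation_due(account: Account, today: date) -> bool:
    """True once the password is older than its tier allows."""
    return today - account.last_changed > timedelta(days=MAX_AGE_DAYS[account.tier])

# Constructed sample: bob and carol changed passwords on the same day, but only
# the internal account is past its 90-day window (131 days old on TODAY).
TODAY = date(2012, 1, 24)
SAMPLE = [
    Account("alice", "internal", "Tr0ub4dor&3-long", date(2011, 12, 1)),
    Account("bob", "internal", "password1", date(2011, 9, 15)),
    Account("carol", "internet_facing", "C0rrectH0rse!Battery", date(2011, 9, 15)),
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(acct.user, complexity_problems(acct.password) or "complexity OK",
              "ROTATE" if rotation_due(acct, TODAY) else "age OK")
```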
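An added Python sketch (not this blog's or HootSuite's code) of the server-side timeout item 9 argues for: the 15 minute idle limit from the post, plus an absolute session lifetime (assumed here at 8 hours) so that a stolen session cookie stops working even if the thief keeps it busy. The in-memory store and the timeline in demo() are constructed.

```python
# Added example: server-side session expiry with the short timeouts the post
# recommends. Idle limit 15 min (from the post); the 8-hour absolute limit and
# the in-memory store are constructed assumptions, not HootSuite's implementation.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)     # inactivity window, slides on each request
ABSOLUTE_LIMIT = timedelta(hours=8)    # hard cap even for an actively used session

@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def create(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # 256-bit random session id
        self.sessions[token] = Session(user, created=now, last_seen=now)
        return token

    def resolve(self, token: str, now: datetime):
        """Return the user for a live session, or None (and forget a dead one)."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_LIMIT or now - sess.created > ABSOLUTE_LIMIT:
            del self.sessions[token]        # killed server-side, not just cookie expiry
            return None
        sess.last_seen = now                # slide the idle window
        return sess.user

def demo() -> dict:
    """Constructed timeline: one session left idle, one kept busy for 8+ hours."""
    store, t0 = SessionStore(), datetime(2012, 1, 24, 9, 0)
    idle_tok = store.create("alice", t0)
    out = {"idle_10min": store.resolve(idle_tok, t0 + timedelta(minutes=10)),
           "idle_26min": store.resolve(idle_tok, t0 + timedelta(minutes=26))}
    busy_tok = store.create("alice", t0)
    for minute in range(10, 500, 10):       # a request every 10 minutes
        out["busy_8h"] = store.resolve(busy_tok, t0 + timedelta(minutes=minute))
    return out
```

The idle session survives at 10 minutes but is gone at 26 (16 minutes since its last request); the busy session never goes idle, yet the absolute limit still ends it after 8 hours.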

Just some education and things to ponder as you develop and administer your enterprise, SMB or even home systems.

InfoWeek article

#InfoSec #KevinCasey

Friday, January 20, 2012

(I) RSA 2012 Social Security Bloggers Awards nominees - great list

If you are looking for Security Blogs to follow, consider this list of nominees for the RSA 2012 Blogger awards.

Add them to your reader and sync them to your mobile device. I use Early Edition on my iPad synchronized with my Google Reader account for lunch time and evening reading... Simple and educational for you N3wbs, Gr33nhorns or seasoned InfoSec professionals.

RSA 2012 Security Blogger Awards

#InfoSec #RSA2012

Thursday, January 12, 2012

(W) Warning home WiFi users - your router may allow strangers to surf your connection

There has been recent press about the flaw in WiFi Protected Setup (WPS) and the possibility that the newly released tool 'Reaver' and the scanner 'Walsh' can scan your home network, attach to your wireless network and begin having fun and mayhem...

Look up your Wireless Router on the following list to see if you are vulnerable. This list is a work in progress and will be updated as routers are tested.

If you have a vulnerable router, you will need to disable WPS. If you have a vulnerable Linksys router, Cisco has confirmed WPS can NOT be disabled, so you might consider using one of the OpenSource firmware options listed below to replace the vulnerable version. There are more links to other OpenSource firmware at the bottom of the Tomato firmware website.

If you want to play with the tools to validate whether your system is vulnerable, here are links to the 'Reaver' tool and the LifeHacker article on how to use the tools.


Friday, January 6, 2012

(W) Warning Will Robinson.. Damnit Ramnit steals Facebook passwords

This is yet another reason your Facebook password and any other social password should be unique. The Ramnit worm, when you click on a link to it in a Facebook post, installs and steals your Facebook password; 45,000 of them so far.

The password would then be used to try against your other accounts on the InterWebbings.. Say your $$$$ Bank...

Like I continue to say, you should have a different unique password for every website you use on the Internet, and so you don't have to remember them, use a password manager like LastPass to remember them for you... It's free unless you want to access your password vault on your mobile device, which will cost you $12 USD per year for a subscription.. Well worth it when you realize someone you know has already had their password or an Internet account compromised.

And DON'T Click on links in Facebook unless you use the WOT plugin for Chrome and FireFox!!!! And for security's sake... Remove administrator rights from your Windows user!!!!

Thursday, January 5, 2012

(I) My Preso on "The BIG ONE" from HouSecCon and BSides DFW - Incident Response

For those interested in Tips on how to prepare yourself and your management for the BIG ONE... Read and watch my presentation on Incident Management preparation from HouSecCon and BSides DFW 2011.

#InfoSec #BSidesDFW #IncidentResponse #HouSecCon

Tuesday, January 3, 2012

Humor that Astronomers and physicists had hanging up...

(W) Warning Android users... Don't install Apps with this right

If you are one of the many Android users, you see the permission screen when installing Apps...

You should really pay attention to it, as Android Apps can come from anyone, written anywhere, and can contain and do anything if you just install them without paying attention to what you are allowing...

So what's wrong with these permissions?

(W) Subway POS hacked and card numbers stolen

Subway and the Feds found an elaborate hacking scheme that stole the credit and debit card numbers of customers between 2008 and possibly through 2011. 80,000 card numbers were compromised at over 150 Subway shops.

Why? Because clearly Subway did not understand that putting a Point of Sale (POS) on the InterWebbings is a bad thing... A REALLY bad and Stooopid thing. They should have scanned the IPs of the stores to verify things were properly configured. Like my Cardkey system split, anything Internet-facing needs to be thoroughly scanned and checked for vulnerabilities.

A Romanian hacker ring stole over $3 million USD in fraudulent charges on the stolen cards.

So check your statements if you frequent Subway...