— From the article

The college student accused of hacking into Sarah Palin’s e-mail account in 2008 has been found guilty of obstruction of justice and unauthorized access of a computer. The verdict against 22-year-old David Kernell came down late Friday, with sentencing to follow later.

— via Palin e-mail hacker found guilty.

I have mixed feelings about this outcome, while the individual undoubtadly did the wrong thing be breaking into someones email account, he also highlighted the risks we all face(particularly public figures) as a result of the (secret) question/answer system for reseting forgotten passwords.

I don’t think these issues could have been highlighted in any more clear way to raise the publics awareness of this.  No matter how many times the security iductry warns against the weaknesses of the present system, it takes real incidents (like the above) before the issues are generally accepted.

-Daniel

A couple of days ago I got a comment on one of my posts that struck me as unusual, it was marked as spam (thanks to akismet), but didn’t read like your standard spam. Here’s the text:

Good points raised here, (well, what I could read of it). I am afflicted with color blindness (tritanopia to be exact). I use Chrome browser (unsure if that matters), and a lot of your site is a little difficult for me to read. I don’t wish to whinge, and I know it is my problem really, nonetheless it would be cool if you could bear in mind color blind visitors when carrying out the next site re-working.

After a first glance I almost approved it without further thought, however something struck me as odd.   The comment linked to p_l_a_y_n_i_c_e .c_o .u_k, which backs up the post, still not convinced I did some googling and found a number of blogs with almost identically worded comments.   There was some differences in the wording, the browser changes, I’ve seen Chrome, Konqurer and Safari and there are a couple of different introductions.

The only thing I am sure of now is that this isn’t a legitimate comment, but is meant to serve some other purpose.   It may be just for self promotion, grandfathering links for search eangines, or potentially preparation for a drive by download attack.  I’ll keep track of the page and report any changes.

-Daniel

It’s been a while since I’ve done any writing on InfoSec topics, but it’s my new years resolution to take it up again, so expect more articles on info sec stuff from now on.

DataBreaches.net have updated their list of the top 10 Data breaches of all time.   What I find most disturbing about the list, isn’t the volumes (although that’s still concerning), is that 4 of the top 10 were due to poor information management and/or lack of encryption.   The causes for the other breaches (such as insiders leaking information) are harder to solve, and as such a little more (not a lot though) understandable.

• National Archives (70 Million)
• Department of Veterans Affairs ( 26 Million)
• HMRC (25 Million)
• T-Mobile (17 Million)

With the exception of Veterans Affairs, all of these have occured in the last 2 years, when the use of disk/tape encryption technology came into the mainstream.  There really is no excuse for these type of breaches anymore, if companies made it standard practice to encrypt sensitive data where ever it lives, then that would mean that over the past 2 years there would have been 128 Million less records breached. That’s almost as many were revealed in the Heartland hack!

Of course the top 10 doesn’t include breaches that go unnoticed and unreported, and if you start thinking about that you start to wonder how bad the problem really is.

-Daniel

Online privacy and the implications of data aggregation is a bit of a passion of mine, that’s part of what inspired me to write the thunderbird plugin.

Here’s an interesting story about one journalists discovery of what he found out about himself.

What the Web knows about you.

People wonder why identity theft happens, so much of our personal data is available online these days that it’s possible to build a fairly complete profile of anyone you want.  Just one of the reasons everyone needs to be careful needs to be careful of what they post on social networking sites.

-Daniel

Here’s an interesting twist on an old scam.   In a town in the US someone has been issuing fake parking tickets.   The fake tickets instruct the victim to go to a website to pay their fine, the website in turn says that you have to download a ‘toolbar’ to see the details and pay their fine.

Needless to say the toolbar is really a trojan infested piece of malware, which will continue to spawn popups including the notorious Antivirus 2009.

Viruses: Hackers Using Fake Parking Tickets to Infect Computers.

Yet another example of how the bad guys are changing their tactics to stay ahead of the curve.

Data Loss Prevention is one of the hot topics in Information Security at the moment, largely brought about by the numerous accidental losses of sensitive information that have been in the press over the last few years.

Here is a decent article that covers what it is and how it works:

What You Really Need To Know About Data Loss Prevention – insider threats/Management – DarkReading.

While this is not my usual topic, there’s something very wrong with this story, it pays to remember how closely information security is tied to physical security:

Former Energy Worker Admits Trying To Sell Nuclear Secrets – Insider threats/Attacks – DarkReading.

The short of it is that a janitor managed to walk out of a US DoD site with a number of components developed as part of a nuclear research project.   After successfully getting them on site, he tried selling them to the French Government.  Fortunately it was the French, not some semi-hostile government, and so they reported him to the FBI who arrested him.

What can we learn from this story?  Firstly treat your cleaners as if they are privy to your most sensitive secrets, because in all likelihood they are. Things get left on desks, in photocopiers, ‘secure’ document disposal bins  all the time, and cleaners often have unsupervised access to all parts of your offices.

Secondly, a number of vital security controls were either missing or failed for him to take them.  Inventory control should have noticed that sensitive items were missing,and so sparked a full scale investigation.  Secondly it shows the weakness  of manual security searches, why was he taking equipment on and offsite anyway.

Somewhere in the region of 100 million credit cards numbers have been acquired from payment processor Heartland by cyber-criminals in what is likey to be the largest breach of its kind to date.

Payment Processor Breach May Be Largest Ever – Security Fix.

What makes this worse is that Heartland was PCI DSS compliant, having passed the audit April 2008.    Undoubtedly this will bring about even further debate about the validity of the PCI standard.

-Daniel

For a while now, it’s been known that the md5 hashing algorithm is susceptible to collisions, reducing the level of security it provides, although predominately in only a theoretical manner.

Now some enterprising researchers have used this vulnerability (along with 200 ps3′s) to create a fake certificate authority, ensentially allowing them to create certificates for any name that browsers will trust implicitly.

Schneier on Security: Forging SSL Certificates.

There are a couple of factors that mean the internet isn’t ‘broken’ by this:

• By itself it’s not particularly useful to have a certificate for “example.com”, I also need to convince someone that “example.com” is at my ip address. (Some of the recent dns vulnerabilities could be used for this)
• Most CA’s don’t use MD5 anymore, those that do are moving to more secure algorithms.

One comment that Bruce made in his blog (linked above) that I disagree with is about people ignoring SSL warning messages, I have never (and make sure my family and colleagues do the same) ignored SSL warnings,  they are there for a reason and I make sure if I see one I understand why I am seeing it before doing anything I wouldn’t want to be compromised.  I strongly recommend that SSL warnings (like all security messages) seriously.

-Daniel

e are always told to choose strong passwords, over eight characters, with lower & upper case letter, numbers and symbols, but really what difference does it make.

Lets have a look at 4 different classes of passwords each 8 characters:

A) Lower case letters only

B) Mixed case letters

C) Mixed case letters and digits

D) Mixed case letters, digits and 32 symbols

The table below shows the number of possible combinations and the time to crack based on Elcomsoft‘s rates for md5 password recovery on a dual core processor (4.7 million passwords/second)

So you can see a password that just has lower case letters can be cracked in less than a minute!  While a password that covers the full spectrum of character types will take 15 days, that’s a lot of extra effort to get into your account.

So what if you want to have a strong password, but you don’t want to have to remember a string with upper case letters, numbers and symbols.  Can you have a password, containing just lower case letters, that provides as much protection as a password that contains at least 1 character from each group?  Absolutely, you just have to trade complexity for length.  Have a look at this table to see how long passwords need to be to be at least as strong as a 8 character class D password.

So if you want a password of lowercase letters that provides the same level of protection as a more complicated password, you’ll need 12 characters.

Of course a password that is based on dictionary words is still not going to keep the bad guys at bay for long, it still needs to be a fairly random string of letters,  there are plenty of ways to come up with good passwords, but thats another article.

-Daniel