Tuesday, July 28, 2015

Your password isn't as strong as you think

Your password may not be as strong as you think it is

How strong is your password?

You've heard the recommendations: mix uppercase and lowercase letters, add in a number or two, and if you're really on the ball, add a "special character." Something like 16F^umQcb makes use of all four categories and is suitably random; as 9-character passwords go, it's pretty strong.

Guess what?

Austin15! uses all four categories too. So do Fall2015$ and IL0veTX<3. If a website shows a "password strength meter" when you create or change a password, more than likely it will deem these passwords pretty good despite the obvious patterns.

Unlike my random example earlier, though, these examples follow a predictable pattern: a word from the dictionary, possibly with a letter or two changed, with a couple of digits and punctuation marks thrown in for good measure. We humans are pretty predictable: we tend to use the same patterns.
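As an added illustration (not code from the original post): a naive four-category meter gives the random password and the patterned ones the same score, while a small pattern check that undoes look-alike substitutions and looks for a dictionary core separates them. The wordlist and substitution table below are constructed for the example.

```python
import string

# Constructed stand-in for a real dictionary / cracking wordlist; a handful of
# words plus a state abbreviation is enough for the post's examples.
WORDLIST = {"i", "a", "love", "austin", "fall", "summer", "tx", "texas", "password"}

# Common letter-for-symbol substitutions that cracking rules undo first.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def category_score(pw: str) -> int:
    """Naive meter: one point per character class present (0-4)."""
    return sum(any(c in cls for c in pw) for cls in CLASSES)


def _segmentable(s: str, words: set) -> bool:
    """True if s splits entirely into wordlist entries ('ilovetx' -> i + love + tx)."""
    if not s:
        return True
    return any(s[:i] in words and _segmentable(s[i:], words) for i in range(1, len(s) + 1))


def has_predictable_pattern(pw: str) -> bool:
    """Flag the pattern the post describes: a dictionary word (possibly with a
    letter or two swapped for look-alike symbols) padded with digits/punctuation."""
    core = pw.strip(string.digits + string.punctuation)   # drop the padding at both ends
    normalized = core.lower().translate(LEET)             # undo leet substitutions
    # An empty core means the password is nothing but digits/punctuation: also predictable.
    return _segmentable(normalized, WORDLIST)


def assess(pw: str) -> str:
    """Combine both checks the way a better meter would."""
    score = category_score(pw)
    if has_predictable_pattern(pw):
        return f"{pw}: {score}/4 classes but follows a word+digits+symbol pattern -> weak"
    return f"{pw}: {score}/4 classes, no dictionary core found -> ok"


if __name__ == "__main__":
    for pw in ("16F^umQcb", "Austin15!", "Fall2015$", "IL0veTX<3"):
        print(assess(pw))
```

All four passwords score 4/4 on the category meter; only the random one survives the pattern check.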

Monday, July 20, 2015

Commentary on the BIS proposal regarding the Wassenaar Arrangement

The Bureau of Industry and Security (BIS) has proposed rules related to the Wassenaar Arrangement, a set of agreements intended to limit the exchange of weapons and related research. As cyber security gains attention, the WA has been expanded to cover cyber research. Specifically, the BIS proposes to require export licenses for products and documentation related to network and software vulnerabilities. These rules have the potential to severely restrict the sort of work I and my peers in the industry do. The BIS is taking public comment through today. Below are my comments to the BIS, taken in large part from a previous post on Security Shades of Grey.

On morality and data breaches: thoughts on AshleyMadison

Online cheating site AshleyMadison was hacked and its patrons' personal information made public. Before pointing fingers, here are some thoughts as both a Christian and a hacker.

Late Sunday night Brian Krebs published news that online "cheating" site Ashley Madison had been the latest victim of a data breach. Given the site's business model (their slogan is "Life is short. Have an affair." I think you can infer the business model), it is tempting to sit back on our moral high horses laughing at the company and its patrons.

That is entirely the wrong response.

Thursday, July 16, 2015

What can a natural disaster teach us about incident response?

During the overnight hours of Saturday night and Sunday morning May 23-24, heavy rain in the Texas Hill Country triggered a flash flood of near-Biblical proportions in Wimberley and San Marcos. This is the story of a disaster response program executed exceptionally well.

Flooding rains are not uncommon in Central Texas. The region has long been known as "Flash Flood Alley" due to its hilly terrain, shallow soils, and proximity to the moisture-laden Gulf of Mexico. When rain falls, it essentially has two options: soak into the soil, or flow downhill; the shallow and rocky soils of the Hill Country limit the former, so even a moderate rain causes runoff.

The weekend of Memorial Day 2015, however, was something else entirely. Over a period of a few hours, between 9 and 12.5 inches of rain fell over a wide range of the Hill Country - much of which fell within the watersheds of the Blanco and San Marcos rivers. A foot of rainfall - a third of a typical year's total - inundated the region in just a few hours, and had to go somewhere.

Wednesday, July 8, 2015

Time to patch Adobe Flash Player. Now.

An exploit for Adobe Flash Player is being actively used to infect computers with ransomware. Here is the action you need to take NOW.

This article was written about a specific incident the first week of July 2015, but the instructions are what I have recommended for at least a year - and will continue to be appropriate into the future. Also of note, the recommendation to make browser plug-ins "Click to Play" is effective against exploits in all sorts of plug-ins, including Flash, Java, Silverlight, Adobe Reader, Windows Media Player, and more.

Last updated December 8, 2016. Current latest version is

Early this week, the security firm Hacking Team was the victim of a massive network breach in which a large amount of company data was stolen and made public. This data included among other things a previously-unknown exploit against Adobe Flash Player. 

This exploit was quickly added to popular crimeware exploit kits (products that make it easy for an amateur criminal to create and deploy malware). It is actively being used to deliver "Cryptolocker," a form of malware known as ransomware - malicious software that encrypts all your files and then demands a ransom payment to return the files to you.

In short, a fully-patched PC could be completely owned simply by browsing to a web site carrying a malicious Flash object. Since Flash videos are a common type of advertisement, you do not even need to browse anywhere unusual - a malicious ad slipped into the rotation at your favorite news site would be enough.

Adobe released an update this morning to fix the vulnerability. Here is what you need to do.

Tuesday, July 7, 2015

Hacking Team: Words of caution regarding dirty laundry

Hacking Team, a notorious hacking firm with a rather dubious reputation, finds themselves the victim of a thorough hack.

When a notorious hacking firm with a rather dubious reputation is themselves the victim of a thorough hack, what happens with their dirty laundry? More to the point, what is appropriate with their dirty laundry?

Hacking Team is an Italian security company that develops and sells surveillance and malware tools, in many cases to governments and law enforcement organizations. While the company claims to sell only to "ethical" governments, there has long been evidence of their tools being used by questionable, if not outright oppressive, regimes.

Sunday evening my Twitter timeline lit up with reports that Hacking Team had themselves been the subject of a severe hack, with 400 gigabytes of company data stolen and shared publicly on the Internet. This data included company email, contracts, customer lists, passwords, malware exploits, and source code for their surveillance products.

The released data may have included much more.