Online Security

Discussion in 'Technical Board' started by Nettdata, Aug 19, 2011.

  1. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,869
    Joined:
    Feb 14, 2006
    Messages:
    25,785
    Have any questions or comments about dealing with online security issues?

    Do XKCD comics cause you to lose sleep at night?

    Do you really want to staple a battery powered horse?

    FOCUS: Ask your security related questions here.
     
  2. scootah

    scootah
    New mod

    Reputation:
    12
    Joined:
    Oct 21, 2009
    Messages:
    1,750
    Salient reading for an intelligent conversation on password security -

    http://vivekgirotra.com/why-the-password-this-is-fun-is-10-times-more
    http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html

    Password security practice is a weird argument. Password brute forcing an unsalted hash set using rainbow tables may well be able to attempt a brute force at 400,000 passwords per second... And a straight dictionary attack may well be able to progress at about 500 passwords a second against a typical auth db. But if developers salt and hash their passwords then rainbow tables are useless. If service administrators put in a lockout policy - and if they make it 1 failed password = five seconds of lockout for new authentication sessions - then users don't even fucking notice - and brute forcing is pointless. If there's a secondary password lockout at 100 failed password attempts in an hour (i.e. NEVER happens from anything except broken code or a hacker) that requires you to phone someone and have your password reset - then brute forcing is magically useless.

    Personally, I'm a fan of 'this is fun' or 'correct horse battery staple' - Because they're easy to remember and reasonably secure. A password that the user has to write down to meaningfully utilize is worthless. Longer strings of simple text are a far better idea. And combined with sensible developer precautions - that's all that's needed.

    The important thing is not to use the same fucking password for internet forums and social networks, as you use for your internet banking, or for work. Use a universal password for worthless things. Use a different password for your email. Use unique and complex (but memorable) passwords for work and financial stuff - don't use the same password across those things. It's inconvenient if your facebook gets hacked because an internet forum was hacked. It's annoying if your email gets hacked because you used a simple password - especially if they then retrieve your password for other sites and hack those as well. It's a real, legitimate fucking problem if your financials get hacked, or if your bad password security leads to your employer losing money or IP because you were an idiot.
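The combination scootah describes (per-user salted, iterated hashing so rainbow tables are useless, a five-second throttle after a single failed password, and a hard lock at 100 failures in an hour that needs an out-of-band reset) fits in a few dozen lines. The block below is an added example, not code from the thread or from either linked article; the class and function names, the in-memory store, the PBKDF2 work factor and the injectable clock are all assumptions chosen for illustration.

```python
"""Salted password hashing plus a soft (throttle) and hard lockout policy.
Added example; names, thresholds and the in-memory store are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumption: a current-scale work factor for PBKDF2-SHA256
SALT_BYTES = 16
SOFT_LOCK_SECONDS = 5         # one failed password = 5 s before the next attempt is evaluated
HARD_LOCK_THRESHOLD = 100     # failures inside the window that require an out-of-band reset
HARD_LOCK_WINDOW = 3600       # one hour


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Return (salt, digest). A random per-user salt means a table precomputed
    for one salt says nothing about any other account."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


class FakeClock:
    """Deterministic clock so the lockout policy can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class AuthStore:
    """Minimal in-memory account store with soft and hard lockouts."""

    def __init__(self, clock=time.monotonic, iterations: int = PBKDF2_ITERATIONS):
        self.clock = clock
        self.iterations = iterations
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> timestamps of recent failures
        self.hard_locked = set()
        # Hashing a dummy credential for unknown usernames keeps the response time
        # close to that of a real account, so failures do not reveal which names exist.
        self._dummy = hash_password("dummy", iterations=iterations)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password, iterations=self.iterations)

    def login(self, username: str, password: str) -> str:
        """Return one of 'ok', 'bad-password', 'throttled', 'hard-locked'."""
        now = self.clock()
        if username in self.hard_locked:
            return "hard-locked"
        recent = [t for t in self.failures.get(username, []) if now - t < HARD_LOCK_WINDOW]
        self.failures[username] = recent
        if recent and now - recent[-1] < SOFT_LOCK_SECONDS:
            return "throttled"   # rejected before the password is even evaluated
        salt, digest = self.users.get(username, self._dummy)
        valid = verify_password(password, salt, digest, self.iterations) and username in self.users
        if valid:
            self.failures[username] = []
            return "ok"
        recent.append(now)
        if len(recent) >= HARD_LOCK_THRESHOLD:
            self.hard_locked.add(username)
            return "hard-locked"
        return "bad-password"

    def reset_password(self, username: str, new_password: str) -> None:
        """The 'phone someone' path: a new credential and both locks cleared."""
        self.register(username, new_password)
        self.failures[username] = []
        self.hard_locked.discard(username)


if __name__ == "__main__":
    clock = FakeClock()
    store = AuthStore(clock, iterations=10_000)   # lowered only to keep the demo quick
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "wrong"))                         # bad-password
    print(store.login("alice", "correct horse battery staple"))  # throttled: inside the 5 s window
    clock.advance(SOFT_LOCK_SECONDS)
    print(store.login("alice", "correct horse battery staple"))  # ok
```

The throttle check runs before any hashing, so an attacker sending guesses back to back gets at most one evaluated guess every five seconds, and the hard lock trips after 100 of those regardless of spacing inside the hour. Throttled attempts are not counted as failures, which keeps a remote party from pushing a legitimate user into the hard lock just by hammering the endpoint.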
     
  3. rexmundi

    rexmundi
    Village Idiot

    Reputation:
    0
    Joined:
    Oct 20, 2009
    Messages:
    41
    Even if brute force attacks were still relevant.... they can be rendered mostly useless by putting a space into your password.
     
  4. Esian

    Esian
    Experienced Idiot

    Reputation:
    30
    Joined:
    Oct 19, 2009
    Messages:
    171
    Got answer... thanks.
     
  5. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,869
    Joined:
    Feb 14, 2006
    Messages:
    25,785
  6. Binary

    Binary
    Emotionally Jaded

    Reputation:
    388
    Joined:
    Oct 21, 2009
    Messages:
    4,079
    Some nice information there.

    Some of it is either hard to take seriously or downright ridiculous but those things could be simply the lack of context for the slides. No idea the audience, the speech along with it, etc.

    If the context is extremely narrow, which it appears to be - that is, this deck is about what happens if you're a highly valued, targeted system being attacked by large scale crowds or well-funded agencies - it's a little more on point. The fact that crypto isn't a panacea for security doesn't mean it's without use, though. In fact, the deck (ironically) makes this point: it spends half the deck talking about how crypto is typically compromised through means other than cracking the encryption. It then wraps up basically saying "don't bother" or "it won't help." Well, you put safeguards in to stop people from getting through those safeguards. It seems to me if crypto must be broken by subverting the system it resides on, you've done one job well. The fact there were other weaknesses is almost irrelevant - that's what always happens.

    Why don't we have the password "password" on all our servers? Because that would be easy to break. Does that mean the servers are secure? No. It's one step. Encryption of data is another step. You could replace "crypto" in many of those slides with "strong passwords" or any of a number of security practices and it'd all hold true. Most people don't crack 16 character randomized passwords. Moto's bootloaders held on for years before they were broken.

    There's also a matter of considering who you're defending against. I think what the NSA is doing is wrong and should be stopped, but unless I'm protecting dangerous secrets, building a system that would effectively lower the risk of data gathering (probably using all self-owned decentralized services, all hosted outside the US, multiple protections on connection layers, etc) is not worth the cost. At the end of the day, if the NSA can slap me with an NSL and force me to give up my keys, I'm going to spend my efforts on more practical concerns. Preventing casual trolling of data in transit, for example, is one of those concerns.
     
  7. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,389
    Joined:
    Oct 19, 2009
    Messages:
    13,429
    Location:
    Boston
    I did IT audit for a bit before moving over to where I am now. You'd be surprised how much companies rely on the fact they have a character minimum with a real basic alphanumeric complexity to protect everything. I have one client that we had to end our relationship with because they (a publicly traded company and beholden to the SEC) didn't have an Active Directory or LDAP, but a Windows workgroup. Their argument for not having any reliable password standards on their financial system was that they trust their employees. 6 months later they had a massive internal fraud.
     
  8. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,869
    Joined:
    Feb 14, 2006
    Messages:
    25,785
    Didn't have a chance to reply earlier, but I think the point that he's making is that most people focus on the actual "number" associated with various security pieces-parts, when it doesn't really matter. I don't think he's saying to not do it, just don't obsess over it, because having the "best" doesn't really matter.

    No sense having the most powerful, expensive, and effective lock on your door if you put the key under the mat or leave the window open.

    At least that was the sense I got.

    Still, interesting to see the various NSA intrusions, and I especially got a kick out of that "don't IPSec me man" piece... how fucking true.
     
  9. Binary

    Binary
    Emotionally Jaded

    Reputation:
    388
    Joined:
    Oct 21, 2009
    Messages:
    4,079
    Yeah, I guess it was the wrap-up slide that made me wince a little. The last point that you're driving home to your audience is usually a core principle in your talk, and the last two quotes - including one by the presentation author - basically say "don't bother."

    The fact that a useful security feature can be implemented in a fundamentally insecure way doesn't make the feature useless - or even discouraged.

    Ars re-published a short article on local data encryption after the Anthem hack:
    http://arstechnica.com/security/201...ouldnt-protect-ssns-exposed-in-anthem-breach/

    It's an interesting point and germane to the discussion here - encryption has its uses, but you can't just turn on encryption, wipe your hands and call it a day. What are you protecting against? Theft of hardware, right? How big a risk is it that your hardware will be stolen by someone? It requires that they already got into your building, into your server room and into the racks, identified the hardware they want to steal, defeated any local locks on the server and made it out again. If all of those protections have failed, you have a pretty ugly security breach.

    It doesn't mean there's no use for disk encryption, just that people should understand what they're protecting themselves against. No different from in-transit encryption, or any security feature - you should always understand, for any feature, a) what risks you're mitigating, b) what risks you're introducing, c) mitigation or acceptance of the above.
     
  10. Binary

    Binary
    Emotionally Jaded

    Reputation:
    388
    Joined:
    Oct 21, 2009
    Messages:
    4,079
    I know this post is old but just in case anyone reads this thread and sees this advice... It's not true.

    Not only is it not true, but it's dangerous to suggest that a simple change to a password can render it safe.

    Any simple change to your password is equally simple to implement into password attacks, so there will just never be a fix this easy for password security. Most cracking attacks are not blind random letter attempts anymore. They use behavioral and heuristic patterns, along with large previously-used password lists and word/phrase lists from books or the internet. This means that the now-famous xkcd correct horse battery staple is incredibly insecure despite its length, since its inclusion in common internet sites has put it on that phrase list.

    I recommend using a password manager such as LastPass for your passwords in order to allow the use of long, randomized character sequences. If not, though, make sure that whatever patterns or phrases you use are personal to you, not common to society. For example, if you've chosen the method of using the first letters from a long phrase, don't use a common lyric like Twinkle Twinkle Little Star to get ttlshiwwya. Pick something more obscure or more personal and add something to it.

    And above all, listen to what scootah said about password re-use (don't use your secure passwords on random internet sites) and treat your email address password as one of your most secure passwords since it can be used to impersonate you or reset passwords on other sites.
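Binary's advice rests on one assumption worth making explicit: the attacker knows your method, so a password's strength is only the number of choices the method leaves open, and a phrase that already sits on a public list leaves none. The block below, an added example rather than anything from the thread or from LastPass, shows what "long, randomized character sequences" means in practice: generation from the operating system's CSPRNG via Python's `secrets` module, and an entropy estimate for each method under that same attacker-knows-the-method assumption. The small word list and the "known phrases" list are constructed for the example.

```python
"""Random credential generation and entropy accounting under the assumption that
the attacker knows the generation method. Added example; lists are constructed."""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols, space excluded
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real diceware-style list (a real one has 7776 entries).
SAMPLE_WORDS = ["anchor", "basalt", "copper", "drizzle", "ember", "fjord", "gravel", "hollow"]

# Constructed stand-in for the "phrase list" Binary mentions: strings already public.
KNOWN_PHRASES = {"correct horse battery staple", "this is fun", "ttlshiwwya"}


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniform choice per position from a CSPRNG; never random.choice for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 6, sep: str = " ") -> str:
    """Uniform choice per word; the separator adds nothing if the attacker knows it."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy when each symbol is drawn uniformly and independently."""
    return symbols * math.log2(choices_per_symbol)


def effective_bits(candidate: str, known_phrases=KNOWN_PHRASES,
                   alphabet_size: int = len(PRINTABLE)) -> float:
    """Upper bound on the work an informed attacker needs: zero for anything on a
    public phrase list, otherwise the entropy of a random string of that length.
    This is a ceiling, not a strength score; a human-chosen string is usually far below it."""
    if candidate.strip().lower() in known_phrases:
        return 0.0
    return entropy_bits(alphabet_size, len(candidate))


if __name__ == "__main__":
    pw = random_password()
    phrase = random_passphrase(SAMPLE_WORDS)
    print(pw, round(entropy_bits(len(PRINTABLE), len(pw)), 1), "bits")
    print(phrase, round(entropy_bits(len(SAMPLE_WORDS), 6), 1), "bits (tiny demo list)")
    print("6 words from a 7776-word list:", round(entropy_bits(7776, 6), 1), "bits")
    print("correct horse battery staple:", effective_bits("correct horse battery staple"), "bits")
```

The numbers make the argument concrete: 20 random printable characters are about 131 bits, six words from a 7776-word list about 77.5 bits, and any string that has already been published and harvested into a phrase list is worth a single guess. The function `effective_bits` only catches exact matches against the constructed list; real crackers also apply case, separator and suffix variations, which is why the note in its docstring calls it a ceiling.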
     
  11. Binary

    Binary
    Emotionally Jaded

    Reputation:
    388
    Joined:
    Oct 21, 2009
    Messages:
    4,079
    Speaking of online security, I've just converted the site over to HTTPS-only.

    SSL is not supported (to mitigate the various attacks against it in the past few years), TLS-only, up to TLS 1.2.

    This should make the site marginally safer to browse at work (the contents of what you're viewing will not be visible by the firewall team), should help prevent any capturing of your password or personal data, and generally just bring the site up to modern standards. Many sites are shifting to HTTPS-only. In fact, Google recently announced that supporting HTTPS can help improve your site ranking.

    Additionally, I'm investigating implementing SPDY or HTTP/2, both of which will improve performance.
     
  12. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,389
    Joined:
    Oct 19, 2009
    Messages:
    13,429
    Location:
    Boston
  13. Coquette

    Coquette
    Average Idiot

    Reputation:
    26
    Joined:
    Oct 24, 2009
    Messages:
    60
    I'm behind a VPN almost 100% of the time, not because I'm doing anything nefarious (usually), but because I try to limit the data I'm freely giving away. (I also think it's fun to set my location where English isn't the primary language and see how much I can translate, but that's because I'm a geek with too much free time).
     
  14. toytoy88

    toytoy88
    Alone in the dark, drooling on himself

    Reputation:
    1,264
    Joined:
    Oct 20, 2009
    Messages:
    8,763
    Location:
    The fucking desert. I hate the fucking desert.
    Any recommendations for a good free VPN? I got a letter from my provider about downloading a certain torrent. I told them I didn't do it which might work once, but not multiple times, so it's time to proxy.

    I set up CyberGhost, but it seems to be blocking uTorrent.
     
  15. Celos

    Celos
    Disturbed

    Reputation:
    0
    Joined:
    Oct 19, 2009
    Messages:
    292
    Location:
    Estonia
    You'll find that most free VPNs are. Not to mention the sketchy nature of many free VPN providers.

    If I were you, I'd fork over the ~$40/year you need to pay for a private VPN. https://www.privateinternetaccess.com/ should be decent. I use https://airvpn.org/. Or you could go check out https://thatoneprivacysite.net/ and pick one that works for you.
     
  16. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,389
    Joined:
    Oct 19, 2009
    Messages:
    13,429
    Location:
    Boston
    For anyone running High Sierra, it’s time to set a root password immediately.
     
  17. joule_thief

    joule_thief
    Emotionally Jaded

    Reputation:
    62
    Joined:
    Mar 1, 2010
    Messages:
    604
    Location:
    Austin, TX
    To fix it, you will probably have to enable the root user, set a password, then disable the root user.

    From what I can see, it's only an issue on older unencrypted systems still running an HFS+ file system. I haven't been able to get it to work on anything that is encrypted and running APFS.

    If that is the case, then anything running High Sierra on an SSD shouldn't be affected, as it should have forced APFS and encryption when it upgraded. However, my sample size is pretty small - 2 unencrypted and 3 encrypted.
     
    #17 joule_thief, Nov 29, 2017
    Last edited: Nov 29, 2017
  18. Juice

    Juice
    Moderately Gender Fluid

    Reputation:
    1,389
    Joined:
    Oct 19, 2009
    Messages:
    13,429
    Location:
    Boston
    Our laptops are almost all new MacBook Pros and we put on full disk encryption. We kept everyone on Sierra except for 2 or 3 developers.
     
  19. joule_thief

    joule_thief
    Emotionally Jaded

    Reputation:
    62
    Joined:
    Mar 1, 2010
    Messages:
    604
    Location:
    Austin, TX
    Yikes. I haven't been able to make a newer system do it yet. That's disconcerting.
     
  20. Nettdata

    Nettdata
    Mr. Toast

    Reputation:
    2,869
    Joined:
    Feb 14, 2006
    Messages:
    25,785
    It’s not just the root user. There are other system users affected as well.

    What a cluster fuck.