On Saturday I was saved by a second factor of authentication. I was playing the new SimCity game on my home computer in the basement, when my gaming session (surprisingly, it was playable that day) was abruptly terminated because my account had been logged on in a different location. Seeing as how I only had one computer with the Origin software installed, I was surprised by this, so I restarted the game. It told me that I was logged on somewhere else, and if I logged on it would log me off the other location. “Sure, sure, whatever.” A minute or two later, the same thing happens. Then I realize what’s going on. I’ll admit, my Origin.com password was horrible. It was four characters[…]

Two weeks ago, I finally got a chance to try out a Windows 8 system. First, I have to give huge kudos to Dell, who makes the XPS 12 system I’m playing with. This system seems to be the ideal platform for a Windows 8 user. A thin and light notebook with plenty of power, with the ability to flip the screen around and make it into a touchscreen tablet. That said, during my initial installation of the system, alarm bells immediately rang in my head. “This system doesn’t comply with many password policies!” I found that as I joined my Windows 8 system to my company’s domain (which enforces a number of things through group policy), some configurations were allowed[…]

Numberphile recently posted a video about the math behind RSA encryption. In the video below, a brief description of public key cryptography is given and then we are shown a simple example of the math used to perform encryption and decryption (math example @ 2:25). In the video, James skips over the method for determining the private key, so I thought I would run through the key generation steps for his example. Choose two distinct prime numbers p and q. These are the two primes that he mentioned, so p = 2 and q = 5. Compute n = pq. Simply multiply 2 and 5. n = 10. Compute the totient of n, or (p-1)(q-1). (2-1) times (5-1) is 1[…]

Yesterday, this story on Wired was making the rounds: How a Google Headhunter’s E-mail Unraveled a Massive Net Security Hole. Sure, the title is probably hyperbole, but it is an interesting story. At a high level, mathematician Zach Harris noticed that emails from Google – and from several other prominent domains including eBay, PayPal, Yahoo, Amazon, etc. – could be spoofed. Anyone who has ever run telnet to port 25 and sent an email from santaclaus@northpole.net or billgates@microsoft.com knows that email has always been pretty easy to spoof. Given the rise in unsolicited emails, also known as spam, something had to be done. In 2006, a working group was founded to try to create a standard that would make email harder to[…]

It’s a little embarrassing to admit, but it seems that the mistakes of one globally syndicated columnist have led to a rapid increase in the acceptance and use of two-factor authentication technologies. Within the last week, I have set up both my Dropbox account and this very blog with two-factor authentication. Mat Honan’s sordid tale did a lot to raise awareness of how passwords are imperfect as an authentication mechanism, as have the many password breaches that have occurred over the years. Most interesting, though, is how Google created and freely released Google Authenticator as an open source application and how quickly organizations have begun to embrace it. While I’ve traditionally been a PKI guy (I know,[…]

tl;dr

Abstract

To improve performance, particularly for mobile users, many websites have started caching app logic on client devices via HTML5 local storage. Unfortunately, this can make common injection vulnerabilities even more dangerous, as malicious code can invisibly persist in the cache. Real-world examples of this problem have now been discovered in third-party “widgets” embedded across many websites, creating security risks for the companies using such services – even if their sites are otherwise protected against attacks. Striking a balance between security and performance can be difficult, but certain precautions may help prevent an attacker from exploiting local storage caches.

Background

Throughout the history of web development, people have found ways to use and abuse various technologies beyond their intended[…]