It’s a little embarrassing to admit, but it seems that the mistakes of one globally syndicated columnist have led to a rapid increase in the acceptance and use of two-factor authentication technologies. Within the last week, I have set up both my Dropbox account and this very blog with two-factor authentication. Mat Honan’s sordid tale did a lot to raise awareness of how passwords are imperfect as an authentication mechanism, as have the many password breaches that have occurred over the years. Most interesting, though, is how Google created and freely released Google Authenticator as an open source application and how quickly organizations have begun to embrace it. While I’ve traditionally been a PKI guy (I know,[…]

Since every time I posted my previous article people were asking questions, I wrote up the following as a Facebook comment and figured it deserved repeat posting here. Note that there’s an article in our archives which is similar but not as specific as this one. Get ready for your cryptography lesson. A hash is a one-way function. This means that given some input, it creates some seemingly random output. It is one-way in that you can’t do math on the output to get back to the input. So, “abc” -> (hash function) -> A9993E364706816ABA3E25717850C26C9CD0D89D and there’s no way to get “abc” back from that nasty string. UNLESS you have taken the time to generate what’s called a rainbow table. Hackers[…]

You might have heard that LinkedIn had its password database breached, and news of it is trickling out today. There are a number of write-ups about it in most of the usual places, and Martin McKeay has a post with links to some of the better ones. The reason I’m writing about this is not to alert you, or that I’m annoyed I have to change another password. Two things really bother me about this. The first is the eerie similarity between this event and the Gawker password breach I wrote about almost exactly eighteen months ago. Both of these events made news because they were leaks of unsalted password hashes. And, although I didn’t write it in my blog post that day, two[…]

The following events are based on actual facts and actual events. Names have been changed to protect the oblivious. I would like to start off by stating that I take no pity on the individual this story is about. I refer to them as oblivious because to do what they did simply can’t be categorized in any other way. Let’s back up a week. I’ve been in need of another Android device to do some tinkering with, have a backup for my daily driver, and to have something that my son can play with and not fear total destruction (again of the daily driver). After checking with friends and co-workers if they had any spares – they didn’t – I[…]

A lot of what we security professionals do includes protecting information from being compromised (especially personal information). The shift towards more profit-driven computer crime has happened swiftly over the last decade, so it should come as no surprise that there is a booming underground market centered almost entirely around compromised financial and personal data. And, on the other end of the spectrum, we have laws and regulations to help minimize the leakage of this data in the first place. Plenty of research and documentation exists for the many ways we try to protect information, but there isn’t much (public) info on the underground market populated by the attackers and their associates who trade in illegally-gotten information. So, how do someone’s[…]

In light of all the discussions about maintaining a secure posture on trusted certificates, we often forget about the little guys. In this case I’m talking about our mobile devices. We tend to forget that these devices are just as vulnerable as our desktops and laptops. Unfortunately, it’s not always easy to manage the certificates on these devices. But if you own an Android device and would like to take a little more control over what your device is trusting, read on to find out how you can do it.