We all have passwords.  Most of us hate writing a new one for every new account we open.  The traditional thinking always said that for a password to be secure, it was necessarily unwieldy to memorize.  So who wants to memorize vRg5BoTA for your new Spotify account when you just solidified a mnemonic in your head for your Gmail password?  Many older account systems limited your passwords to be between 6 and 12 characters, so increasing complexity through a larger alphabet and using non-dictionary words was crucial to give yourself a chance against password guessing attacks.  If you’re still using 6 character passwords, I have bad news for you: you’re so laughably vulnerable, you don’t even register as roadkill for[…]

I just recently bought a new netbook. Now, I know that netbooks are supposedly on the way out, but I love the low price, long battery life, and massive portability. But there’s a problem with netbooks and security. They’re massively portable – whether the person doing the porting is me or a thief. I do my best to keep my netbook safe, but being realistic I’ll admit that it could happen. Now, the biggest loss from someone stealing my netbook is in data; the hardware really isn’t all that expensive. My netbook doesn’t just contain personal information; it’s also full of important business data. I can and do perform regular backups to make sure I don’t lose any of the[…]

If you’re new to the world of testing web application security, you may not be aware of the many great Firefox add-ons available that greatly help such endeavors. While others have compiled similar lists in the past, I thought this week would be a good time for me to share a few of the favorite tools I use in my own web app work. HttpFox: I’ve blogged about this one in the past; it lists for you every HTTP request made during a given browser session, with details on headers, cookies, parameters, responses, and more. Very handy to monitor traffic when you’re browsing around an app. HackBar: Another one I’ve mentioned before, the HackBar is a swiss-army knife that gives[…]

I hesitate to say that visio is only useful in pen-testing, because it can also be useful in developing a secure architecture, or a web page, and really just putting all the moving parts onto your screen (or paper) so that you can look at the big picture. I use Visio to diagram networks and web pages that I’m looking at. The network diagramming is pretty obvious – a lot of people use Visio for network diagrams anyway. Where the value comes for security folks is in the details you’re willing to add to the diagram – what ports are open on the firewall and what servers do they go to? Another use for Visio is mapping out web pages.[…]

Several months back, we covered Google’s new and much-welcomed two-factor authentication process.  As mentioned before, enabling true two-factor authentication greatly enhances an application’s security profile, a crucial step for applications as important and ubiquitous as Gmail and Google Docs.  So after being painted with a giant bull’s eye last year following Firesheep‘s debut demonstration, Facebook has followed Google’s lead and added several new security features, including two-factor authentication. All of Facebook’s new security options have been conveniently grouped together under “Account Settings”.  There are several check boxes here, as well as a list of devices that have recently logged into Facebook with your account. First, be sure to enable secure browsing via https connection, so as to prevent sidejacking, à[…]

Recently I had the chance to test out a clever little device called the hiddn Crypto Adapter. Made by Norway-based High Density Devices, the adapter looks somewhat like a miniature desk calculator with a USB port instead of a display, but its simple appearance belies some powerful functionality: transparent, real-time encryption of USB drives with two-factor authentication. The adapter essentially acts as a proxy between your computer and a USB drive, meaning it needs no software, has no operating system requirement, and works with everything from a flash memory stick to an external hard drive. All communication with the USB device is encrypted on the fly using 256-bit AES via a certified FIPS 140-2 Level 3 crypto module, but the[…]