infosec

You have been pwned.

Robert Graham from Errata Security gives a basic walk-through of just how easy it (potentially) is to “hack” people’s accounts.

“Hack” is in scare quotes here because there’s no actual hacking going on; Graham is just cross-referencing data sets, specifically looking for a target’s email address in the Have I Been Pwned database. HIBP doesn’t display hacked passwords/hashes directly, but it does provide details of which datasets an email is found it. Anyone with access to the original dataset—and they’re not that difficult to obtain, for someone motivated to look—basically then has a user’s password1 and can potentially use it to breach someone’s other accounts.

The point of this, incidentally, is to point out how trivial this stuff is, and to stress the importance of tactics such as enabling multi-factor authentication and not reusing passwords2 across websites. Nothing is foolproof, but the low-hanging-fruit here is very low hanging, so… y’know. Go do something about that, maybe?

Or, more accurately, the potential to obtain the user’s password. [↩]
Or email addresses! [↩]

Alis2019-03-25T09:59:47+10:0012th September, 2019|Tags: infosec|

The oldene dayes.

*dons flat cap* In my day, you knew a site was hacked because you’d be greeted with green-on-black text stating the site was “0wned” by the “hackersaurus” and their “l33t crew”. You’d also get a few animated GIFs of skulls, and if you were really lucky, a picture of a big ol’ arse. But now… now it’s all stealthy crypto bullshit.

Jake Archibald on hacking.

This entire article is about what happens when packages (y’know, those bits of other people’s code you include in your code) go bad, which is also an interesting topic asides from the quote above that made me lol.

It’s called a supply chain attack, incidentally, and they’re getting more and more common. I mean, why hack one thousand apps when instead you can hack just one and get auto-updated into the thousand that use it as a dependency?

Alis2019-01-17T08:37:09+10:001st June, 2019|Tags: infosec, tech|

Everything is compromised.

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Brian Krebs on security realities.

The full article has some strategies individual users (and companies, though that’s probably less relevant to This Audience) can do, taking into account Realities #1 and #2.

Alis2019-01-07T08:16:34+10:0016th May, 2019|Tags: infosec|

Who’s who.

Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar.

Brian Krebs on legitimacy.

Spoiler alert: SSL is still a goddamn scam.

Alis2018-12-31T22:49:16+10:003rd May, 2019|Tags: infosec, tech|

Truthiness.

I work in a corrupted industry, variously known as the “infosec” community or “cybersecurity” industry. It’s a great example of how truth is corrupted into “Truth”.

At a recent government policy meeting, I pointed out how vendors often downplay the risk of bugs (vulnerabilities that can be exploited by hackers). When vendors are notified of these bugs and release a patch to fix them, they often give a risk rating. These ratings are often too low, in order to protect the corporate reputation. The representative from Oracle claimed that they didn’t do that, and that indeed, they’ll often overestimate the risk. Other vendors chimed in, also claiming they rated the risk higher than it really was.

In a neutral world, deliberately overestimating the risk would be the same falsehood as deliberately underestimating it. But we live in a non-neutral world, where only one side is a lie, the middle is truth, and the other side is “Truth”. Lying in the name of the “Truth” is somehow acceptable.

Robert Graham on “Truth”.

While I don’t think Graham is wrong on his larger point (that of truth versus “Truth”), it does bear pointing out that literally the Number 1 problem in INFOSEC risk assessment is that the vast majority of it is qualitative, not quantitative. That is, it’s based on gut feelings and instincts and who can make the most persuasive argument, not actually any unchanging empirical fact, and that this something large portions of the more operationally minded members of the community find almost impossible to deal with…

Alis2018-09-05T09:06:48+10:0012th February, 2019|Tags: culture, infosec, politics|

HTTPS is garbage, vol. 284.

This just in! HTTPS is still a useless garbage technology.

Alis2018-08-25T11:54:12+10:0028th January, 2019|Tags: infosec, ssl, tech|

Oh Pillowfort, no.

Pillowfort… wut u doin’, man?

(With original credit here.)

Edited to add: From reports by other users, it seems Pillowfort isn’t doing any robust sanitization on usernames at all, allowing things like slashes and period and spaces that break their own UI. This is… not good. Weren’t they supposed to’ve done a “security audit” after their hack a few weeks back?

Alis2018-12-20T09:01:46+10:0020th December, 2018|Tags: fandom, infosec, pillowfort, social media, tech|

Cyberfaking.

Former president Bill Clinton has contributed to a cyberthriller The President is Missing, the plot of which is that the president stops a cybervirus from destroying the country. This is scary, because people in Washington D.C. are going to read this book, believe the hacking portrayed has some basis in reality, and base policy on it.

Robert Graham on bad policy.

A good chunk of my day job is trying to communicate to non-INFOSEC people how various different INFOSEC threats, a) actually operate, and b) what actually works against them. It is, I would have to say, not an easy job. And it’s a not-easy job made all the more not-easy by the fact that pop culture depictions of hacking, viruses, and so on are all just so bad…

(Also: Bill Clinton co-wrote a Jame Patterson-branded extruded fiction product. What a world we live in.)

Alis2018-06-26T11:16:25+10:0019th December, 2018|Tags: infosec|

Security advice is terrible.

“Strong” passwords, HTTPS, backups… pretty much all security advice is garbage, whether it’s coming from a garbage administration or not.

Alis2018-06-25T11:39:39+10:0016th December, 2018|Tags: infosec|

HTTPS is still bullshit, part one million.

In this episode: HTTPS is still bullshit because it does not enforce single origin. That is, a website can appear as “valid HTTPS” while serving up to you malicious third-party JavaScrpit and cookies and iframes and all sorts of attendant garbage.1 Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.

So long as they’re being served from a site that also uses HTTPS. Which pretty much everyone does nowadays, even malware vendors, largely thanks to Google pushing the technology to sell more analytics products. [↩]

Alis2018-06-15T07:06:03+10:005th December, 2018|Tags: infosec, ssl, tech|