Thursday, March 1, 2012

Too many topics... Not enough blogging...

Dammit. So this has been a bad start to the year, blog-wise for me. Not what I intended. I have about a dozen post topics set out and yet, here we are, more than 2 months later and no blog posts. This was not what I wanted for this blog.
But with RSA happening this week (and possibly more importantly B-Sides San Francisco and the weird little firefight that occurred and then as quickly died) there has been so much going on, that I should definitely be saying *something*.
I was glad to see Jack Daniel (terrific blog BTW: http://blog.uncommonsensesecurity.com/) talk about how the communities, A-side and B-side, generally get along. Also really liked some of the other things he had to say in an interview I watched, which I *will* write more about soon.
There will be more here soon, I promise. Who am I promising to? My loyal fan base? Doubtful. (Not the promise, the existence of a fan base...) Promising to myself. I have too much to write about to let this go nowhere. And unfortunately, two months into 2012 and it has gone very nowhere...
Not anymore!

Monday, January 2, 2012

The General Direction of This Blog - Addendum

As mentioned in the first post, this blog is really just my own personal musings on information security, data analysis, and devolving into a hodgepodge of game theory, current events, personal rants and pretty much any other damn thing I want. But I figured I might say a few more words about where this blog will be going over the next few months and beyond. Just so that people are not disappointed with something I post as "not in line with the theme" or anything. So this post will just be a little bit meta and help to point out what I hope to do here.
So again, this is just my own little slice of what interests me when it comes to modern data security and analysis, but also (hopefully) with some useful bits of wisdom, pointers to cool tools, and other things that some may find useful or helpful. So there will be a mixture of things both for the "beginner" or layperson, as well as (again, I hope) things that even some seasoned professionals will find interesting or useful. So for instance, the first real post, about passwords and password security was really aimed at end users, not security pros. Everything I said there should be obvious and even remedial for true professionals. But at the same time, passwords are probably the weakest part of many defenses (whether its a corporate database or your home wifi router) and also the first, fastest and easiest place to make significant improvement to your overall posture. So it seemed like a good first post, if not the kind of advanced topics that I would ultimately like to discuss.
I hope to have some things to say that might interest the professional as well as things that might help Grandma have a better and more secure computing experience. This might seem like a tall order, and I suppose if it is just too wide a swath, I might revisit that. But ultimately I will talk about the things that interest me the most. So I will have a fair number of posts that are just pointers to other great articles or tools I run across, but I also want to include some more theoretical discussions of things that may or may not be directly applicable to the daily life of anyone. Things that interest me like game theory and strategy, future directions of security and technology in general, implications, for individuals as well as society as a whole, and just quirky observations and musings. I know that I have lots to say, and a lot of this is just about getting off my ass and saying them. They won't necessarily always be well formed or right (although I strive not to be outright wrong about things), and they may even draw ire from those who would tend to be purists about things. Above all, I have become much more of a pragmatist about things (all things really) and have tried to keep in mind the mantra of "perfect as the enemy of good enough." At the same time, "good enough" in the sense of just getting by has also always rubbed me the wrong way. Yes, I can be a conflicted person at times. But for crying out loud, "awesomeness" is right there in the blog's tagline (and I don't give a shit that it isn't a word, it is staying), so I want to tend toward things that are, well.. Awesome. I might have more to say about all this as I go along.
Cheers!

Good Passwords Are the First Line of Defense

Let's talk about passwords. This is actually something that came up among some friends in the infosec community recently and is a good subject for a first blog post. It is arguably the subject that touches the most people and is also one of the most misapplied practices in security. Even in the largest corporate environments it is often poorly implemented, and getting it right goes a long way towards improving overall security posture, even for home users. It is usually the first line of defense against unauthorized people accessing things they shouldn't be, and for that reason alone it makes a good basic first post.
It has been written that the most common password in use in the world is '123456' and the fourth most common password is 'password'. It is unreal to me that someone would choose something like that for a password, but again, stupidity among people seems to know no bounds. In fact, it is stupidity that is generally accepted among my cynical gaggle of friends in infosec that keeps us all employed and guarantees our job security for years or decades to come.
So, what can the average end user do to harden themselves against becoming the next addition to a botnet administrator's arsenal? Well, arguably, it comes down to being smarter about how they use passwords. Step one is to use better passwords. Step two is to NOT use the same password for more than one service or application they access. Finally, step three would be to have some kind of regimen for changing their passwords on a regular basis.
So what makes a good password? Well, generally it is accepted that longer is better, and that using more classes of character helps - i.e. use a mixture of upper and lower case letters, numbers and some symbols or punctuation. But even better is to not use a password but a passphrase. It might not seem obvious, but something like 'Apassphraseissomethingeveryoneshoulduse' is a better password than 'Ah3$s_@kX'. They are both relatively strong, but (and I won't go into all the math or a discussion of entropy here) the number of guesses an attacker has to make grows exponentially with length and only linearly with the size of the character set. The 9-character complex password is one of roughly 94^9 (about 2^59) possible strings; the 39-character phrase, even with just upper and lower case letters, is one of 52^39 (about 2^222). That length makes the passphrase a MUCH less crackable password than even the complex one. One caveat: the phrase has to be yours. A well-known quote, song lyric or proverb is in the same wordlists the crackers use, so pick several unrelated words that mean something only to you. So when asked to choose a password for a service (whether it's an online game website or your online banking password - more on that in a second), consider using a phrase instead of a single word or random string of characters. It decreases the likelihood of being guessed by orders of magnitude.
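To put some numbers behind the passphrase-versus-password comparison above, here is an added example (mine, not code from the original post). It estimates the brute-force search space for the two example passwords, shows why a passphrase built from a quote is much weaker than one built from randomly chosen words, and generates a random passphrase the way a password manager would. The word list, the corpus size used for the "famous quote" estimate and the character-class model are assumptions I made for illustration.

```python
import math
import secrets
import string


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from.

    This is the crude model an attacker uses when brute-forcing: once they know
    you used upper, lower, digits and symbols, the alphabet is about 94 symbols.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace an attacker must search if the password were a
    uniformly random string over the character classes it actually uses."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def wordlist_bits(n_words: int, list_size: int) -> float:
    """log2 of the keyspace for n_words picked uniformly at random from a list
    of list_size words (the 'diceware' style of passphrase)."""
    return n_words * math.log2(list_size)


def quote_bits(corpus_size: int) -> float:
    """log2 of the keyspace if the passphrase is one of corpus_size well-known
    sentences (quotes, lyrics, proverbs) that crackers already have on file."""
    return math.log2(corpus_size)


# Constructed sample word list for the generator; a real one would have
# thousands of entries (the common diceware list has 7776).
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umpire",
    "velvet", "walnut", "yonder", "zipper",
]


def random_passphrase(n_words: int, words=WORDS, sep: str = " ") -> str:
    """Pick n_words uniformly at random with the OS CSPRNG (secrets), which is
    what a password manager's generator should do; never use random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    complex_pw = "Ah3$s_@kX"
    phrase_pw = "Apassphraseissomethingeveryoneshoulduse"
    print(f"{complex_pw!r}: ~{brute_force_bits(complex_pw):.0f} bits of brute-force keyspace")
    print(f"{phrase_pw!r}: ~{brute_force_bits(phrase_pw):.0f} bits of brute-force keyspace")
    # The caveat: if the phrase is a famous quote, assume the attacker has a
    # corpus of, say, ten million of them (assumed figure for illustration).
    print(f"same phrase if it were a well-known quote: ~{quote_bits(10_000_000):.0f} bits")
    print(f"six random diceware words: ~{wordlist_bits(6, 7776):.0f} bits")
    print("random passphrase:", random_passphrase(5))
```

The brute-force numbers reproduce the comparison in the text (roughly 2^59 for the 9-character string versus about 2^222 for the phrase), while the quote estimate shows why the "make it yours" caveat matters: a phrase pulled from a list of ten million known sentences is only about 23 bits, far worse than either.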
The second step is to choose different passwords for different services. Certainly, if I can somehow guess, crack, keyboard sniff or otherwise get hold of your password, it lessens the damage done if you aren't using that same password for multiple services. At the very least, it should be easily recognizable that different services have different levels of sensitivity. From the earlier example, if you use the same password for (say) an online gaming website as you do for your online banking, you are asking for trouble. It is not unheard of for even huge corporations to get hacked and lose their customer information, including their customers' usernames and passwords. This is made worse by the fact that many companies want you to use your email address as your username. So imagine if you used the same password there as you do for your gmail account, and then that company gets compromised because it didn't keep its software patched and up to date. Now the hackers have your email address and the password, and they will try that same pair at every other popular site. Two hacks in one. And it's all about making it harder for the bad guys. So again, use different passwords for different services and you lessen the impact of any one of those services getting compromised.
Finally, it is just good practice to change your passwords (at least the most important ones) often. How often is often? Well, this is generally one thing that larger corporate environments do a better job at, mostly because a large corporate infrastructure can, through group policy, force users to change their login password on some kind of schedule. Usually that time frame is along the lines of every 90 days or less. This is not bad, and it is something end users are simply required to do, which is different from most home users, who choose a password when they first get their computer and then continue to use that same password for years. The longer you use the same password, the more chance you have of getting that password compromised in some way. And if you continue to use the same password, then you are just making it easy for the bad guys to use your resources (your CPU time, your network bandwidth, or worst case, the funds in your bank account) for longer. So it's a good idea to set up reminders for yourself, at least every few months, to change your most important passwords.
So for those who complain that doing all these things is too much work, there are some tools to help you. Use of some kind of password management software can help immensely. There are a number of choices, but a couple of the best that have been around for years are KeePass and Password Safe. A quick Google search for either of those will point you to where you can get them. They are both free to use and have a number of features that help you choose good passwords (or passphrases), easily use them, and remind yourself to change them on some kind of schedule. The one thing a manager cannot do for you is pick its own master password: that becomes the single passphrase you must make long, make unique, and never reuse anywhere else, because it now protects everything. These are the simplest and most effective things a typical home user can do to instantly improve their security posture and I highly recommend it. (I am not affiliated with either of these pieces of software in any way, just so you know.)
Many people (especially the average home user) think that they are not important enough to be the target of a hack, but for a number of reasons this is not at all true. This is a form of "security through obscurity" (relying on not being noticed rather than on any actual control), which is considered among the worst ways to keep something secret. (This might be the subject of a future blog post.) But the fact is, even if you are just a typical home user, you DO have some things that the bad guys want. Even if you don't use online banking, at the very least you have a computer (and its associated CPU, memory and storage) and a connection to the internet. Possibly even a fast broadband connection. Those two things alone make you a very desirable target for the botnet herders out there, and the attacks that scoop up home machines are automated and indiscriminate, so they would love nothing better than for you to use 'password' to secure those things.
So, in summary: 1) Use better passwords and, even better, consider using passphrases to secure your resources, 2) Don't use the same password or passphrase for more than one service (or at the very least not across different classes of service), and 3) Set up reminders for yourself to change your passwords/passphrases on a regular basis. I guarantee, if you follow those three simple steps, that will make you orders of magnitude more secure than probably 90% of the rest of the people out there.

Monday, December 19, 2011

A New Blog..


On an old topic...
I have had designs on my own version of the "My Musings On Information Security" blog for quite some time, and I am now finally getting off my ass to do it. Go me.
And so then here will be where I will post and discuss my own interpretations of what amounts to good, useful, clever or otherwise awesome tools and methodologies for the modern infosec analysis professional. Sometimes current and relevant, at other times, egg-headed and theoretical and (most) always with a satirical and cynical bent. What can I say? When you have been doing this as long as I have, it's hard to continue to be surprised at the stupid you run across in the wild.
If you like this and have something to say, feel free to comment, I would love to hear from you. And if not, I refer you to the patron saint of cynical, the voice of rage against the stupid, the captain of contemptuous, and say...

"Bite me!"
-Bender B. Rodriguez


Cheers!