
Least Privilege for Network Administrators

The concept of Least Privilege is applied to developers and software testers all the time to advocate that the application be developed and tested using the lowest privileged account possible to get the job done.  For our purposes (network administration), I am referring to using administrative accounts for administration only and regular user accounts for everything else including word processing, research (aka web browsing) or the ever popular solitaire!

This is about using the proper tool for the job. If you wanted to trim some leaves from a tree you would be thought a bit odd if you decided to use a chainsaw, especially if the same job could be done easily with a pair of scissors.  Why is this something almost everyone recognizes as inappropriate?  Because the potential for you to do damage is huge! There are certainly people out there who will be able to perform the task with the excessive firepower and not lose a limb, but why take the risk?  As an administrator, hitting the delete key by accident and inadvertently accepting the confirmation becomes a major problem, as the odds of you having the rights to carry out the delete are much higher than if you were logged in as a normal user.  When you delete a directory on a network share you can’t just go to the Recycle Bin on your client machine to undo the damage.  Administrators even have the ability to change the permissions at the root of a system volume, which will usually render the operating system unusable (requiring a restore or rebuild).  Why would you want to take these unnecessary risks when it could cost days of downtime?  Claims that it is inconvenient to keep track of two logins are the most common justification.  Now that network operating systems have tools like the Windows “Run As”, this is a hollow excuse.
See, developers and network professionals aren’t that different after all!

Hacking at the Hotel

A recent article on Wired talks about hacking hotel systems, but what I think is more important is the line that says how everyone assumes that IR remotes are secure.  I can say with conviction that these kinds of assumptions account for virtually all of the lapses in security I encounter in my travels.  Assumption is death when it comes to security in everything from preventing SQL Injection to ensuring you locked the doors at night.

Think about your assumptions.

Who knows the password?

I have spent a lot of time recently talking about passwords, and I think the reason that I can’t seem to get off the subject is that there is so much that has to change about the way passwords are actually handled by companies.  Most recently I had a discussion that caused me to poll several clients about how they tracked who knew each of the myriad passwords in their organization.  The resounding and unanimous answer was, “oh, maybe we should do that”.

If you know who knows each password (even if you don’t document the passwords themselves) then you have a much better chance of getting access to the system you need when access is needed most.  Also, if you track the names of everyone who has ever been told the password to your Cisco router, for instance, then when Joe leaves the company you at least have a real justification for deciding not to change that password, rather than just skipping it because it is too much bother.

You will find that people get much less freaked out than you might think when you start maintaining a document that shows who knows each of the passwords you care about.  You will be surprised at just how big the list becomes if you put any effort at all into it. This practice not only serves the purposes I have already pointed to, but it also helps you avoid that really scary situation when you have to call an ex-employee and ask them if they remember the password to a critical system.
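As an added illustration (not from the original post), here is a small Python sketch of the who-knows-what record described above, with enough rotation bookkeeping that the Joe-leaves decision becomes mechanical and the no-one-left-who-knows-it case is flagged. The systems, people and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SecretRecord:
    """One tracked password: everyone ever told it, and when it last changed."""
    system: str
    last_rotated: date
    disclosures: dict = field(default_factory=dict)  # person -> date last told

    def tell(self, person: str, when: date) -> None:
        # History is kept; re-telling someone just updates their date.
        self.disclosures[person] = when

    def rotate(self, when: date) -> None:
        # Nobody told before this date knows the current value any more.
        self.last_rotated = when

    def current_holders(self) -> list:
        return sorted(p for p, told in self.disclosures.items()
                      if told >= self.last_rotated)


def rotation_plan(registry: list, departing: str) -> list:
    """Systems whose password must change when `departing` leaves."""
    return sorted(r.system for r in registry
                  if departing in r.current_holders())


def orphaned_secrets(registry: list) -> list:
    """Systems whose current password nobody on record knows: the
    'call the ex-employee' situation."""
    return sorted(r.system for r in registry if not r.current_holders())


def build_sample_registry() -> list:
    # Constructed sample data, not a real environment.
    router = SecretRecord("core-router", last_rotated=date(2005, 3, 1))
    router.tell("joe", date(2004, 6, 10))     # told before the last rotation
    router.tell("sue", date(2005, 3, 1))
    fileserver = SecretRecord("file-server", last_rotated=date(2004, 1, 15))
    fileserver.tell("joe", date(2004, 2, 1))
    fileserver.tell("sue", date(2004, 2, 1))
    legacy = SecretRecord("legacy-db", last_rotated=date(2003, 9, 9))
    legacy.tell("ex-employee", date(2003, 1, 1))  # nobody told since rotation
    return [router, fileserver, legacy]
```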

Expect more food for thought on passwords, as I am becoming convinced that it is a bottomless pit of best practices that no one seems to be practicing.

Security Sector in Consolidation?

I am seeing the signs that the Security business is going through a consolidation as some of the bigger names buy up smaller firms to cover their bases.  Most recently, VeriSign bought iDefense for $40 Million.  I don’t think this is THE consolidation as there are many, many more security plays yet to occur (we aren’t quite done with security as it hasn’t become a solution yet), but it is interesting to see the giants scramble.  Let the bidding begin…

Password Security awareness and the MMORPG

Just recently I talked about online password security and I referred to the way most sites on the Internet handle passwords as the Ugly in my “the Good, the Bad and the Ugly” slide.  Most sites I visit not only allow me to put in a woefully weak password, but don’t allow me to set a strong one by my standards.  Have you ever seen a website support pass-phrases by allowing really long passwords (say 50 or more characters)?  Probably not.

So, despite my pessimism, I think the message is getting through.  On a site called GamerFacts.net there is a post about the change in policy that Sony has made to their existing system that supports massively multiplayer online RPGs like Everquest and Star Wars Galaxies.  The post includes the message Sony sent out to players.

Let’s hope this is just the tip of the iceberg.

Preventing SQL Injection is not enough

A customer said today that they are using stored procedures, so unless I knew of any other SQL Injection risks they thought that was enough.  The truth is that this is the view in most people’s minds.  The problem is that this common mindset is exactly the kind of thing that aids hackers.

While using stored procedures or parameterized queries or any of the other methods to thwart hackers is not only highly recommended, but also an absolute requirement, I don’t feel it is enough.  We are treating the symptoms, not the disease.  If a hacker fails in their SQL Injection attack because of these measures then great, but we haven’t prevented them from trying something else.

Think about having the application try to detect such attacks even if you are impervious (which you probably aren’t, in my experience), and when you detect this kind of attack then do something to hinder the hacker.  Close their session, ban their host, crash their browser, whatever you can do to make it harder for them to move to the next step of their attack will ultimately help you.

I will discuss this topic more in future posts as I think there is a lot left to say on it, but for the moment look at your existing web application in this light and see what you come up with.
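An added example, not code from the original post, of the two layers described above in Python: a parameterized lookup whose SQL structure input cannot alter, plus a detection layer that reacts to injection-shaped input by refusing the request and, after repeated attempts, banning the host. The in-memory SQLite table, the ban threshold and the hash comparison are constructed stand-ins for a real application.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed stand-in for the application's user table.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
_db.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-horse')")

banned_hosts = set()                # hosts that have been cut off
suspect_counts = defaultdict(int)   # detected attempts per host
BAN_THRESHOLD = 3                   # assumption: ban on the third attempt

# Shapes that have no business in a username or password field: a quote
# followed by a SQL keyword, quote-then-comment, comment markers, and
# statement stacking. Plain apostrophes (o'brien, don't) are not flagged.
_INJECTION_RE = re.compile(
    r"['\"]\s*(or|and|union|select)\b"      # quote then SQL keyword
    r"|['\"]\s*(--|;)"                       # quote then comment/stacking
    r"|/\*|--\s"                             # comment markers
    r"|;\s*(drop|insert|delete|update)\b",   # stacked statement
    re.IGNORECASE,
)


def looks_like_injection(value: str) -> bool:
    return bool(_INJECTION_RE.search(value))


def lookup_user(username: str, password: str) -> bool:
    # Parameterized query: the values are data, never part of the SQL.
    row = _db.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    # Stand-in for a real password hash check (assumption).
    return row is not None and row[0] == "hash-of-" + password


def handle_login(host: str, username: str, password: str) -> str:
    """Returns 'ok', 'denied', 'blocked' (attack detected) or 'banned'."""
    if host in banned_hosts:
        return "banned"
    if looks_like_injection(username) or looks_like_injection(password):
        suspect_counts[host] += 1      # the place to log and close the session
        if suspect_counts[host] >= BAN_THRESHOLD:
            banned_hosts.add(host)
            return "banned"
        return "blocked"
    return "ok" if lookup_user(username, password) else "denied"
```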

Organized Crime’s Link to Spyware

The stereotype of the malware and spyware author is the lone disgruntled hacker who has squandered their talent on rage and hate.  Sounds like the perfect villain for a melodrama.  It turns out that the truth is much worse.  The driving force behind most of this software is actually organized crime.  An article on ZDNet yesterday details how this all works in a nice little overview.  This seems to be just another wave in the process of hacking and anti-hacking becoming battles not between individuals alone in the dark, but between industries and governments on one side and syndicates on the other.

Comments on Writing Down Passwords

I just read an article which quotes Jesper Johansson as saying that we should reverse the long-held truism that users should not write their passwords down for their own reference.  Jesper is a well respected (though often controversial) security heavyweight who has worked for Microsoft for some years.  I know Jesper from events we both presented at, such as TechEd Hong Kong and the New York Security Summit a year or so ago.  I often read his advice and take it to heart, but this time I think we need to be less binary.  I can see circumstances where you can make this case, but to just reverse the rule is reckless.  We need training first and foremost.  Have I seen a seasoned professional make this method of password tracking work?  Yes, I have.  But I have also seen users abuse the hell out of the loosening of such policies.

Silver bullets are few and far between in our space when it comes to security.  We have trained most drivers to lock their car and carry the key along with them (don’t even attempt the keyless entry system argument; that is newish and doesn’t weaken my analogy).  If you lock the key in your car or lose it then the world takes a healthy bite out of your convenience factor in terms of cost and delay.  If we just trained users to take their passwords as seriously then I think we would be OK.

I recently returned from Huntsville, Alabama, where I gave a talk on passwords for developers.  The article cites systems that allow only weak (read: short and limited character set) passwords to be used.  The number of examples of this from the web is staggering, so I won’t bother listing them.  We need to go after this problem as well.  Developers (and managers) don’t get that there are brute force attacks against web site logins just like there are for PC operating system logins.  They are much more mature than most people think.

My bottom line is that I don’t think you can make a blanket statement about something this nuanced and varied by group.  I give credit to Jesper for saying shocking things to promote the debate (he has accomplished that), but I can’t buy in that we have a new truism, diametrically opposed to our old and long-held one, that users should not write down their passwords.

Don’t be a softer alternative…

A recent article about terrorists being behind continued attacks on our energy companies in an attempt to disrupt the power grid made me realize that this should serve as a wake-up call for the rest of us.  If you are running a business-related web site in the US or one of its allies you have to think about what happens if the bad guys decide to go for the softer targets.  Remember when bad relations with China released a wave (almost a plague) of defacement hacks against US-based web sites?

When you read a story like this, just think about what the hacker with a political agenda might turn toward if they get too frustrated (and I hope they do get very frustrated) hacking at our vital national interests.

New Version of Device Lock Available

For those of you that don’t know, a big concern in companies vulnerable to corporate espionage (almost everybody) is employees walking away with a USB drive full of confidential data.  Device Lock has solved this problem for several of our clients, and they have just released a new version.

If you haven’t seen this before, at least check it out.