Friday, July 21, 2017

Remembering Your Password Can Put You at Risk – How to do One Time Passwords for the Non-Geeky

A long time ago an engineer invented a technology for computers called PCMCIA. To the best of my knowledge PCMCIA stands for People Can’t Memorize Computer Industry Acronyms.  Yeah, people also can’t remember 15 good passwords for 15 different sites with the rules they have to follow today. You have to use upper and lower case letters, numbers, and special characters when all you really need to be safe is a few words (passphrase).

Here is an example of a passphrase: boat plane dog cat fish. That passphrase can be memorized in a short amount of time although a real sentence, such as “I would sure like a ham sandwich!” is easier to remember. Both of these passphrases are far better passwords than “1Xrv24%/&4Zb.” The reason they are better is math.There’s a point where longer and simple is harder for a computer to figure out than short and complex.

So why won’t your system administrator let you stop using numbers and special characters? It’s tradition. Back in the days when passwords were limited to 8 or 12 characters it made a difference – a huge difference. It still does at some sites that only allow short passwords.

I have some good news. There is a growing shift in perspective on the subject. Standards are being set that only focus on length. You don’t even have to change your password very often, if at all, with these new standards. Passphrases are even encouraged.

I still have problems with passphrases though. It is a problem of remembering which of my 15 passphrases went with which site. You still need to use a different password or passphrase at every site you visit. I suppose I could do something like “dog cat rabbit squirrel facebook” and know that that one is for Facebook, but if someone gets that password it is the same as using the same password at every site. dog cat rabbit squirrel gmail, dog cat rabbit squirrel linkedin, etc. You are really using the same password everywhere.

Your bank has a great solution for bad passwords that rarely or never change. The solution is a onetime passwords (OTPs). You probably call them verification codes. OTPs are great for security. You get an email with a few numbers, type in the numbers and forget it. 123321 can be a really good password if someone only has two minutes to find it and guess it, and then figure out your other password. Your bank knows how to set up the system so that all you have to do is get a text and type in a few numbers, but you don’t have the bank’s resources or technical skill. What do you do? Simple, you make your own one-time passwords because for you it is free and easy.

Before I proceed I need to make a brief safety announcement.


Now that we have that out of the way, let’s do it. Go to a website and create an account, or reset your existing password for an account you already have. Now open notepad and start banging away on the keyboard like a chimpanzee.  I am serious. Completely randomly bang away for 2 or 3 seconds until you come up with something like this f43wejao;argnhol;vh;oweiuowfgrfikonarhgjo3245garfgnfr42. Don’t even think about what keys you hit, just hit a bunch of keys. Forty characters is more than enough. 30 characters is fine too. Don’t worry, you are only going to this password once and you are just going to copy and paste it anyway, so you don’t even have to type it in again. If you need to go back to the website and log in again, well that’s what password resets are for. By the way, the chimpanzee method may result in tabs and enters you will need to remove. A few places may allow tabs, but the enter key (new line) probably won’t work. Get rid of those.

This is my reset passport philosophy:
 “Reset password” is not there to help you if you forget your password, it is there to encourage you not to remember your password in the first place!
Let me repeat that.
Goto This is my reset passport philosophy
Sorry, the goto thing is geek humor.

Before we get to the part about “I don’t want to reset my password every time I log in, give me a few sentences.

Unlike the bank’s verification code, these OTPs are valid forever and still safe. The length and complexity of the password is such that one of three things will happen before a hacker cracks the password.

1) The website is gone. The company changed it or went out of business. Whatever.
2) You log in again. You just reset the password and the forever clock too.
3) You die. You will not care about that password, forever. It’s not your problem.

Now to address the complaint that it is a hassle to reset the password each time you log into a site. You are right. I usually will use this method when it is a site I rarely visit. It isn’t worth remembering another password when an occasional reset it really isn’t a big deal. I don’t do this for my email account, although it would be super secure.

For sites I use a lot, I use a password manager. Why would I use the chimpanzee password reset method it I have a password manager? I do not want to clutter up my password manager. If I sign up for a mailing list and then only log in once a year, I don’t need to have yet another entry in my password manager. If you only use less than a dozen sites then clutter isn’t a problem for you. I sign up for webinars, and all kinds of things that I wish I didn’t even need a password for. My password manager has too much stuff in it now because I didn’t think of what I just taught you until after it was cluttered. I’m getting rid of many passwords now. I’ll just reset them if I even need them again.

For the sites I do visit more frequently I use a password manager because it allows me to use very long, complex and unique passwords for each site, and they last a lifetime if the site doesn’t make me change them. I’ll get to data breaches momentarily.

Companies spend a lot of money to set up OTP systems because they can add a lot of security. You can do the same thing for free.

An important instruction for safe password manager use and then a note about data breaches.

The most critical part about using a password manager is having an extremely great, fantastic, stupendously wonderful password. The password manager holds a lot of eggs in one basket. I would recommend a passphrase that is very long. Let me show you.

My dog ate all of my books and bit my teacher.

This is an awesome password. A person I knew at Microsoft reputedly used a 75 character password. That is well beyond insanely long. It can be very easy to remember, but it’s a lot to type for me.

I can remember “Mary had a little lamb, little lamb, little lamb. Mary had a little lamb its fleece was white as snow” I’ just not going to type it in. Of note, the commas made the passphrase even stronger.

It really is best to make up your own sentence rather than a well-known one.

Now for the data breaches. There are times that a company did something wrong, really wrong, and your password was compromised. You may have to change a password. It depends on what it is. If it is an email account, a social networking account, etc. you need to change it right away. There are a few cases where it doesn’t really matter at all, but pretend like I didn’t say that… just change it.

Randy Abrams
Independent Security Analyst

Thursday, July 20, 2017

The Child’s T-Shirt Point of Sale (POS) Attack

Despite the fact that sometimes I discuss serious security topics, the name of this blog is after all “Security through Absurdity” and so absurdity is required at times. Prepare yourself for a Costco-sized package of absurd.

As I was walking through Costco today I saw a woman pushing a cart, with her kid in it. I figured if everything else in the cart has a barcode so should her kid. And so I spoke my mind. “You needs a kid’s t-shirt with a barcode on this. I thought she was going to ignore me, but a few seconds later she finally replied "No thanks, I already pay enough for my kids." I had actually thought about the absurdity of paying for your own kid and so I had my own reply (which I thought of on the spot) "what if the barcode is a rebate?" She liked that idea. And that was the birth of the child t-shirt exploit attack.

Replacing barcodes on products to get a cheaper price was innovative - one time - many years ago. The second time it was done was ho-hum.  The Child’s T-shirt POS attack is more interesting. I’m sure I am not the only one who has thought of this, but I think my idea of how to monetize it in the real world may be innovative. The Child’s T-shirt POS Attack is the perfect application of social engineer to exploit a cashier with a barcode scanner. The attack exploits the fact that a toddler sitting in a shopping cart, wearing a t-shirt with a barcode on, it is irresistible. Cashier: “Oh isn’t that adorable. Here you go cutie, let me scan you.”  Scan - ding - five bucks off. Ten bucks if you have two kids.

Is that awesome social engineering or what? It can work too, for both Costco and you!

Costco, you owe me big time for this idea...

Sell a child’s t-shirt with a barcode on it that gives the adult accompanying the kid 2% back on each purchase. You give 2% back for executive card holders so you can’t tell me the idea is cost prohibitive. You get your brand displayed every time the kid wears the shirt. The amusement factor is such that the t-shirt will be worn a lot. You will entertain most shoppers. Parents enjoy hearing “that is so adorable” when it’s talking about their kids. You’ll get the “mommy, daddy, I want that” sales (which you get anyway). Finally, the savings makes it less painful for the parents who have to put up with “mommy, daddy, I want that.”

Marketing is about social engineering. If you want to protect against the Child’s T-shirt POS Attack then embrace it and use social engineering to your advantage.

Randy Abrams
Independent Absurdity Analyst 

Monday, July 17, 2017

Stackhackr; Useless for Testing – Good for Marketing

Barkley, a self-proclaimed security company, has revived the 1990’s era Rosenthal Virus Simulator; an application that called false positives good while claiming to test the quality of antivirus products. Some users believed that this simulator indicated if an antivirus product was good at detecting malware. As a result some AV companies wrote detection specifically for Rosenthal’s harmless files. The customers wanted harmless false positives for harmless files and so they got them.

Barkly has come out with a free product they call stackhakr. Stackhackr is a lead generation application that is disguised as a security product testing tool. In reality it is another Rosenthal type program that convinces users that false positives mean better security.

According to Barkly “The malware you create won’t actually cause any harm, but whether it runs or gets blocked will tell you if your system is vulnerable to the real thing.”

Really? If a completely ineffective security product writes detection specifically for this application then you are not vulnerable to the real thing? If a product false positives and detects your harmless files, then the company’s customers are not vulnerable to ransomware? In order to use stackhackr you have to provide your contact information. It is only then that you get something that does not do what it was promised to do. Like I said, stackhackr is a lead generation application, not a test tool.

Stackhakr does not test the ability of a product to detect ransomware, malware, or the ability of a product to effectively deal with any attacks. Due to the security effectiveness of application reputation Barkly specifically calls out this type of detection as a false positive. Barkly claims that detection of their launcher application is a false positive because the launcher file is harmless and not part of the test. Seriously? Detecting a harmless launcher is a false positive but detecting the harmless files it writes is not? Take me to security school, I had no idea that’s how it works. In reality detecting a “harmless” file is not a false positive when it is only ever seen launching malware. Blocking a launcher or a dropper before it delivers its payload is a good thing. If launcher.exe is used to launch the simulator then it is fair game. Blocking the launcher protects users from a false sense of security. The detection is accurate, not a simulation but real protection against deception.

Now for all you AV vendors, Barkly has thrown down the gauntlet, so what are you going to do? If you identify a site delivering ransomware or other malware you block the site. If simulated ransomware or simulated malware creation kits are on, then let’s get this simulation off the ground and go block the site. Be sure to mention it is a simulated malware toolkit creation site you are simulating detection of.

I have interacted with major security product testing organizations as an enterprise security professional and as an employee of a security vendor. I have actually worked for a company (NSS Labs) that tests (and breaks) security products. There are no competent testers in the world that would tell you that stackhackr is usable as a security product testing tool.

I recommend against giving Barkly your user information in exchange for stackhackr. You will not receive anything I can deem as even slightly valuable.

Randy Abrams

Independent Security Analyst

Monday, June 26, 2017

The “I Can Use Facebook Any Time I Want To” Offspring Password Reset Attack

No matter how ridiculous, every "cyberthreat" must have a catchy name.

Sometimes parents will restrict the times that a child can use the Internet for anything other than homework or downloading Malwarebytes to fix their parent’s PC. Policy and compliance, as every parent and IT professional know, are not always followed by choice. If you are a parent, how do you enforce such a policy? Technology to the rescue…

Many cable modems, and other network connectivity devices, allow the administrator to set up times they can block certain computers from using specific Internet sites. Of course that doesn’t work if you leave the default administrator username and password unchanged... it’s either on the Internet, or on a sticker on the bottom of the device.

Since you already knew that, or someone who did know that helped you configure the device, your kid isn’t going to log in to the console and fix the “policy.” Here is where the old adage about physical access and game over come into play. Simply stated, if a person has physical access to a device, they own it. If your teenager has physical access to the network device, they can perform an insidious password reset attack and you will never be the wiser. There’s a reset button on the device. Among other things the reset button resets the... yeah, password. You may never know it happened until 25 years later when during some random conversation your kid confesses. At that time, if your kid still lives at home, go ahead and enforce lockout hours again. The defense against the offspring password reset attack is to prevent physical access to the device. For the average parent that would be a pain in the @ss inconvenient. I’m not a parent so it isn’t really my problem, I’m just the messenger.

Before you state the obvious, there are parental control apps that can enforce policy on a mobile phone. These apps are almost certainly more common than parents doing anything with their cable modem configurations. If you’re a kid, that’s what burner phones are for.

OK, the attack is esoteric and it just amused me, but the point is that sometimes physical security is required where you least expect it. Perhaps next time I will discuss the legal implications of the offspring password reset attack, but don’t lock up your kids yet.

By the way, I recommend using a password manager and keeping both your current username and password in it and the default username and password. For one, it can be a pain in the @ss inconvenient to turn over the device with all of those network cables and the stiff coaxial cable attached on order to see the sticker with the password on the bottom. For another, if anything happens to the sticker with the password, and it is a modem specific password, you are now vulnerable to a password lockout attack. I find it embarrassing to tell my ISP that my cat licked off the cable modem sticker…. especially the second time.

Randy Abrams

Independent Security Analyst with a Stranger Sense of Danger 
It has been so long since I posted here that most of the posts were irrelevant. I did leave the two rules you damned well better know post though. It is currently timeless, but that may change at a future time.

Monday, December 12, 2011

Two Rules You Damned Well Better Know

Phishing is a wide spread Internet plague that is often used to fraudulently obtain usernames and passwords, bank account numbers and PINs, and other information used to commit cybercrimes such as banking fraud, identity theft and corporate espionage. Phishing attacks may come in the form of links in email, requests for passwords, or malicious webpages that will appear to be legitimate.

The results of a successful phishing attack can result in a criminal emptying your back account, stealing your Facebook Account, raiding your PayPal account, or even hacking into your company’s network.
Most anti-phishing education to date has been focused around trying to teach people what a phishing attack looks like. I am all for education and if someone can teach you to be better at spotting a phishing attack it is a good thing, but the truth is these attacks can be so sophisticated that even security experts can be fooled or have a very hard time determining if a specific email is legitimate or not.

To try to help people defend against phishing attacks I use a method that I believe is far more effective. You see, the problem is not that you received and phishing email and did not realized you were under attack, the attack is only a problem if you engage in the behaviors that allow the attack to succeed. If you follow my two simple rules religiously, you will dramatically reduce the odds of a successful phishing attack against and it doesn’t matter if you know it is a phishing attack.
Rule #1
There are only two types of people who ask you for your password… thieves and idiots. You obviously do not want to give your password to a thief, and if you give it to an idiot, they’ll probably get tricked into giving it to a thief.

So when you get an email that says Hotmail, or PayPal, your bank, or someone else you do business with needs your password, it is a thief, not your bank, not PayPal, not EBay, not, Hotmail or Gmail, it is a thief. There isn’t a problem with your account. They are not updating their security systems, and it didn’t come from where you thought it did.

A common attack is for a person to call an employee and claim to be from helpdesk. The conversation progresses and the caller claims to need your password, or they need you to change your password to one they provide you. Changing your password to something someone else provides you is the same thing as telling someone else your password.

OK, there are exceptions to every rule, but if there is an exception to this rule, be very, very alert. For example, there may be a rare situation where IT at your workplace needs your password to help you resolve an issue. First off, IT needs to find a better solution. If IT really does need your password then you probably should be the one who called IT for help, and not the other way around. Once IT has finished helping you, change your password immediately. Not 30 minutes after the problem is resolved, not a day after, not 3 minutes after, but immediately after the problem is resolved you change your password. Competent IT professionals do not want to know your password any longer than may rarely be required.

If it is your Internet Service Provider (ISP) asking for your password, you are dealing with an idiot. It may not actually be the technician on the other end of the phone, it may be a higher up who was ignorant enough to have a technician ask you for your password. Don’t give it to them, it probably is an attack. Never give your ISP your password.

To make it easy, pretend there can be absolutely no exceptions to this rule and whenever you see a request for your password in email, instant messaging/chat, or hear a request for your password on the phone, remember that you are dealing with a thief or an idiot and keep your password to yourself!

Rule #2

If you click on a link and it takes you to a login page, don’t do it. This is the most common type of phishing attack and is equally successful against high level executives as it is against a grandparent using a computer for the first time. The real travesty is that millions of times each day socially irresponsible sites like Facebook and LinkedIn teach people to become victims of phishing attacks.

Take a look at these two screen shots of emails I have actually received, and tell me if they are legitimate or phishing attacks?

The correct answer is “IT DOESN’T MATTER!” You really can’t tell from looking and it. Do not click on the links in the emails. If these emails are legitimate then simply log into Facebook and LinkedIn yourself. The notifications will be there. If these were well crafted phishing attacks, then if I clicked on them I would be presented with a very, very real looking login screen and a criminal would have my account credentials after I logged into the fake site.

It doesn’t matter if it is in email, chat, a Facebook comment or most anywhere else. If you click on a link that asks you to login, close your browser, clear the cache (delete temporary internet files, open your browser back up, and then type in or or whatever the real site is. Now you can log in there. Anything of importance will be there for you to find after you log in by typing in the URL yourself. The fake LinkedIn email scam has been quite successful against executives. Password requests to fix a problem with your Hotmail, Yahoo, or Gmail account work well with the general public.

You may think that there is nothing of value in your Facebook or email account, but you would be wrong. Your email and social network accounts can be used to send spam and to trick your friends into believing a criminal is you so that your friends can be the victims of cybercrime.

Yeah, there’s more you need to know to be safe online, but follow these two simple rules religiously and you have drastically improved your security profile!

Randy Abrams
Independent Security Analyst and Educator for the Masses J

Friday, December 2, 2011

Welcome to Security through Absurdity!

I will use this blog to comment on security and privacy issues, but now and then any topic will be fair game!