Saturday, October 14, 2017

VirusTotal, Equifax, and Antimalware Products

There is a subtle precision in the statement “VirusTotal only showed three antimalware scanners detecting malware.” If you think that means only three scanners on VirusTotal detected the malware, then read it again more carefully; that is not what it says and that is not what it means.

Before I continue to talk about VirusTotal mythology, there are a few things I would like to clarify concerning my find of a malicious link on the Equifax website.

  • The site was not hacked, but as stated in the title of my blog, it was compromised. There is a difference; there were no exploits, no backdoors, etc.
  • There was no malware and there were no malicious pages on the site.
  • There is no indication or probability that data was stolen as a result of the compromise.
  • Equifax’s security team is blameless for this one. They were sucker-punched so badly by a third party who was in turn compromised.  The whole food chain was poisoned.
  • Infection required two clicks, a download and an install. It was not a drive-by.
  • There was a serious threat to people who clicked on the link and fell for the attack. This was really nasty malware.

I do not understand why the Experian page was down for two days. I have a theory, but I will wait for the producers of Ancient Aliens to tell me what some people believe before I publish.

Speaking of antimalware, I hope that Kim Komando will agree to write some guest blogs under the pen name “Auntie Malware.” How cool would that be? But I digress. At the 2017 Virus Bulletin Conference in Madrid, Spain I presented VirusTotal tips, tricks, and myths. I believe the full presentation will be available soon. The content of the presentation was submitted to my friends at VirusTotal to validate accuracy. I am going to do a series of blogs about VirusTotal mythology.

There are multiple reasons why one cannot assume that the scanners that display detection on VirusTotal are the only ones that have detection of the threat. Just as importantly, you cannot assume that if the scanner you use did not display detection of the threat, you were not protected.

VirusTotal uses command-line versions of the scanners. Command-line antimalware scanners cannot be expected to perform the same way that the GUI versions do. There are undocumented switches that can boost heuristic detections to levels not available in commercial offerings. Antimalware vendors can hide detection on VirusTotal. Sometimes you do not want the malware authors to know what you know. The commercial versions may very well have detection.

There is more to say on the subject, but for now know that “Displayed on VirusTotal” does not mean that only those scanners that display detection provide detection. Don’t forget protection; it is not the same as detection, but it matters. I know for a fact that at least one product that did not demonstrate detection offered protection. I have a very high degree of confidence that other scanners did too.
In the next series of blogs, which may not be sequential, I am going to dispel the following myths:

  • VirusTotal can be used to perform comparative testing
  • Detection of malware on VirusTotal means the scanner can detect it
  • Lack of detection means the file is safe
  • False Positive means false positive
  • Detection by more scanners means better coverage
  • Malicious website means malicious website

I am going to end this blog by summing up VirusTotal in one neat little quote by Alan Greenspan.

“I know you think you understand what you thought I said
but I'm not sure you realize that what you heard is not what I meant”

Randy Abrams
Independent Security Analyst

Wednesday, October 11, 2017

New Equifax Website Compromise

Update: Third party analysis tends to indicate something that is conceptually the same as malvertising. Watch the video and replace Equifax with your favorite website. It happens every day throughout the world. Now it's a security training video.

I like Equifax more than Experian. TrustedID gave me the heads up that Experian had falsified personal information in my file. After verifying that Experian did in fact falsify the data (it was due to incompetence and apathy) I decided to see if the misinformation had propagated to Equifax. As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL. The URL brought up one of the ubiquitous fake Flash Player Update screens.

For all of you voyeurs...

Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.
I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines “deplaning” a passenger... It hurts.
And once again Equifax, all I want from you are my credit scores. Please?

Independent Security Analyst

Tuesday, October 10, 2017

Equifax Caught Experian Falsifying My Personal Information

One of the silver linings of the Equifax breach is their free identity theft protection. Perhaps that is the only silver lining. I was skeptical when I received an email from TrustedID that said “We've noticed a change on your credit report.”  I know that identity theft is rampant and credit reports change frequently, but consider the source. Equifax owns TrustedID; need I say more? I figured the email would be something like a LinkedIn style “three people have looked at your credit report. Upgrade to premium to find out who they are.” Or “views of your credit report are up 80% over last week’s views.” Still, I was curious. I logged into my TrustedID account and was informed that Experian had changed my address on file.

My investigation revealed that Experian now showed my current address is in a city I have never lived in. Perhaps accusing Experian of falsifying my personal information is a bit dramatic, but it is technically true. I won’t say it was deliberate because I know Hanlon’s razor. Hanlon’s razor essentially says “Never attribute to malice that which is adequately explained by stupidity.” In this case apathy is probably closer to accurate than stupidity. To paraphrase Lily Tomlin’s classic “we’re the phone company” sketch… “We don’t care. We don’t have to. We’re the credit bureau.” Experian is not stupid, they excel in math. They know exactly how much each congress person that can be bought costs. Based upon the laws of supply and demand I expect it isn’t very much.

Here is how I believe Experian got it wrong. For several years my brother and sister-in-law had been living in a house I owned in Seattle. When they moved they filed a change of address form with the post office. My brother’s name is Steve. Steve is a name with five letters. The name Randy has five letters in it too. The rest is history. Data validation is not Experian’s strong suit. Fortunately when I request my free credit report my brother will pass it along to me after Experian sends it to him.

Let’s compare Experian’s attitude toward consumers with T-Mobile’s attitude. In 2015 it was revealed that Experian had suffered a two-year-long data breach that affected T-Mobile’s customers. T-Mobile CEO John Legere’s response included the following comments.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.”

Did you notice it was not Experian but rather T-Mobile whose first focus was on assisting customers?
Legere went on to say “Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.”

Improving the protection of T-Mobile’s data is important to Experian’s bottom line, but maintaining the integrity of consumer data is irrelevant to Experian. It doesn’t help or hurt their bottom line. Let’s hope the Equifax breach results in industry wide changes that, among other things, make negligent changes of consumer data expensive.

In conclusion, thank you Equifax for bringing to my attention the falsification of my personal data by Experian. On a more cheerful note, when Experian is breached again the attackers won’t get my real address.

Independent Security Analyst
I am my brother’s keeper, but I am not my brother

Tuesday, September 12, 2017

Equifax: Here Is What I Want From You

My credit scores. I want my credit scores. I know you’ll give me a year of free credit monitoring, but I’m pretty sure that is only to try to sell me more stuff. Actually Equifax, you are stingy. When Anthem was breached their victims got two years of free credit monitoring AND a $1 million identity theft insurance policy. When Premera Blue Cross was breached they gave away two years of free credit monitoring. Not one year, but two full years AND I got free access for life to the results of my colonoscopy. Equifax, I just want my credit scores. The hackers get them free, why don’t I?

I decided to find out if I am one of the people impacted by the breach. What I learned was that if I can pick out apartment buildings from a lineup, know my last name, and the last six digits of my social security number then I am probably impacted. The last six of my social security number was tricky. I was able to find correspondence containing the last four digits, so that narrowed it down to a maximum of 100 guesses to get the first two. Lucky for me I got it on the third try or else I may have been locked out and had to ask a hacker for assistance.

So here’s how to find out if you are a victim.

Step 1: Go to and pick out the website he indicates needs to be used. Do note that you may need to use a computer and a mobile device to verify the results. A tablet probably isn’t a bad idea either. Perhaps try it with iOS, Android, Win 10, and Symbian.

Step 2. Enter my last name and last six of my social security number (I don’t know if yours will work, but mine does, so I can confidently recommend it). Proceed to pick out ugly apartment buildings from a lineup. 

I hate these captchas. I wonder if the hackers had to complete them to get in too.

You can tell if you successfully completed step 1 by the following conspicuous message.

Have a last name?  √
Know or can guess the last six of your social security number?  √
Can pick ugly apartment buildings out of a lineup?  √

Winner!! You are the proud new owner of one glorious year of free credit monitoring!

I have to admit I got a bit queasy when the next screen appeared.

Why am I being asked for this information? Equifax knows all of this information just from my last name, the last six of my social security number, and some pictures of ugly apartment buildings now linked to my IP address. I forgot to check my VPN - it was off. I fear I am being set up. “See Mr. Investigator, he has some of the stolen data and knows which pictures are the ugly apartment buildings. He’s your culprit.” No, I think I will play it safe and appeal to the hackers’ consciences to do the right thing; use the stolen data for good and sign me up so it doesn’t look like I committed the crime.

You may think that this sounds absurd, but do remember:

1) Equifax is desperate. Their stock tanked, they’re being grilled by congress, some of their executives sold stock at questionable times, and they face multiple lawsuits. Equifax needs a scapegoat like McCarthy needed commies.

2) The name of this blog is, after all, Security Through Absurdity. Sometimes I have to get a bit tongue-in-cheek or even absurd.

Equifax, I don’t care if you are too cheap to give two years of credit monitoring. I don’t care if you don’t give me a million bucks of identity theft protection. I don’t care about lawsuits. All I want is my credit scores. That is the only information that the hackers have that I do not have, and they got it for free.

Collector of free credit monitoring services and free identity theft insurance policies, and connoisseur of ugly apartment building fine art.

Wednesday, August 16, 2017

Will Passphrases Kill the Password Managers?

I won’t keep you hanging… … … much... the answer is no! If the answer was all you needed, then thank you for visiting my blog. If you would like to know why I say “no,” then keep reading.

Just in case you do not know what a passphrase is, it is a password that uses words instead of gibberish. The words may or may not have spaces in them. “thisisapassphrase” and “this is a passphrase” are both passphrases. Do not use those two examples for your passphrases though.

The argument for passphrases is that they are easy to remember, and if they are about 20 characters long or more, they can be far stronger than something like “^T28dy2a$o,v” is. That is completely correct. I am a strong proponent of passphrases.
On the NPR show All Tech Considered, Paul Grassi, the Senior Standards and Technology Adviser at NIST, is quoted as saying the following concerning password managers:
“… these apps are useful because they completely randomize the password, but he says they aren't necessary to maintain security.”
The new NIST guidelines concerning passwords and passphrases are widely regarded as excellent by security experts. I wholeheartedly agree with all that Paul said, except for the part about password managers, and here are the reasons why.

1) Some sites are not going to allow long password/passphrases. If you are limited to 15 characters or less, complexity does become far more important and password managers help with that. This also means that you have to try to remember the gibberish.

2a) Depending upon how many sites you have passphrases for, many people are not going to be able to remember all of the phrases and which sites they correspond with. This leads to 2b (for the record, “2b or not 2b” is not a good passphrase).

2b) When people get to the point that they can’t remember all of the passphrases and corresponding sites, they are likely to take shortcuts that are essentially the same as incrementing passwords or using the same passphrase at multiple sites.

Cracking passwords is not as common as obtaining passwords from a data breach or a phishing attack. This is why password reuse is so dangerous. This is also why incrementing passwords makes a complex 16 character password weak. Easily recognized patterns in passwords, such as “Todayis01/10/17” make the next series of passwords extremely easy to guess.

If a person has 20 sites with a unique username and passphrase to remember for each site, I believe that they are likely to do something far more serious than incrementing. They may use a site identifier.

Write down 20 websites that require you to log in. Then next to each one write down your user name and a unique passphrase for each of them. Just to make my point, choose the first four words of a different sentence in this blog for each of the 20 websites’ passphrases. As soon as you are done, stop looking at them. Even if your username is the same for all of the sites, do you remember the passphrases and corresponding sites? Most people will not. You need a way to remember all of these. The trick that I envision some people using is site identifiers.

“Tractors swim in aquariums” is a great passphrase (at least it was before I published this blog).

Now to make it easy to remember which site I use each password for…

“Tractors swim in aquariums – Gmail”

Care to guess this user’s password for Facebook, LinkedIn, and the company they work for? Websites can prevent users from including the name of the site in a password, but users are clever that way. They’ll figure out something as predictable. Of course if you write it down you are a bit worse off than using a random complex password. The gibberish passwords are hard to remember. If I see your passphrase written on a piece of paper, about a second or two is all I need to see it and remember it.
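A check a site could run on a password-change form to catch the two shortcuts described above, incrementing and site identifiers, written as an added example that is not part of the original post. The function names, the look-alike folding table and the assumption that the form supplies both the old and the new password in plaintext are illustrative.

```python
import re

# Fold look-alike characters so "gm41l", "G-m-a-i-l" and "Gmail" compare equal.
# "1", "!" and "l" all fold to "i" because users swap them freely.
FOLD = str.maketrans("013457@$!l", "oieastasii")
DATE = re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")   # e.g. 01/10/17
COUNTER = re.compile(r"\d{1,4}\W*$")                     # e.g. ...1 or ...2017!


def folded_letters(text):
    """Lower-case, undo look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


def find_site_identifier(password, site_names):
    """Return the first site name hidden in the password, else None."""
    haystack = folded_letters(password)
    for name in site_names:
        needle = folded_letters(name)
        # Very short names would match by accident, so they are skipped.
        if len(needle) >= 3 and (needle in haystack or needle[::-1] in haystack):
            return name
    return None


def rotation_pattern(password):
    """Name the element that makes the next password easy to predict."""
    if DATE.search(password):
        return "date"
    if COUNTER.search(password):
        return "counter"
    return None


def same_base(old, new):
    """True when only digits, symbols or case changed between old and new."""
    base_old = re.sub(r"[^a-z]", "", old.lower())
    base_new = re.sub(r"[^a-z]", "", new.lower())
    return old != new and base_old != "" and base_old == base_new


def review_password_change(old, new, site_names):
    """Collect the reasons a new password should be sent back to the user."""
    findings = []
    site = find_site_identifier(new, site_names)
    if site:
        findings.append(f"contains site identifier '{site}'")
    pattern = rotation_pattern(new)
    if pattern:
        findings.append(f"contains a {pattern} that invites incrementing")
    if same_base(old, new):
        findings.append("same words as the previous password")
    return findings


if __name__ == "__main__":
    # Constructed sample changes, built from the passwords quoted in the post.
    samples = [
        ("Todayis01/10/17", "Todayis02/10/17"),
        ("old passphrase here", "Tractors swim in aquariums – Gmail"),
        ("old passphrase here", "Tractors swim in aquariums gm41l"),
        ("old passphrase here", "the purple cow danced on the cheese"),
    ]
    for old, new in samples:
        print(repr(new), "->", review_password_change(old, new, ["gmail", "google"]))
```

A check like this only knows the names it is given, so an abbreviation or nickname for the site passes untouched, which is the post's point about users finding something just as predictable.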

Passphrases and passwords share an identical problem. You can’t remember them all. Password managers address that problem. That is why password managers are as relevant in tomorrow’s world of ubiquitous passphrases as they are in today’s world of ubiquitous passwords.

Here is my recommendation. Use an excellent passphrase for your corporate login and remember it. Use an excellent passphrase for your personal computer login. Use an insanely good passphrase for your password manager. A sentence you create that is at least 35 characters long, such as “the purple cow danced on the cheese” is insane enough. Make sure your passphrases are at least 20 characters long and not common sentences, and you’ll be good to go for almost anywhere you currently use a password.

In future blogs I will give more detailed guidance on how to make killer passphrases.

In a different blog I will discuss the passphrase token attack and linguistic passphrase attacks. These attacks intrigue me, but I don’t think they are anything to worry about too much at this point.

Independent Security Analyst (is not my passphrase)

Thursday, August 10, 2017

Evasion and Regeneration; Decoys and Deception

I recently had an interesting conversation with Alex Gounares, the CEO at Polyverse. Alex calls Polyverse’s security approach “Moving Target Defense.” Polyverse’s technology basically causes your operating system to continuously morph into something functionally the same and dynamically different, at a very high rate of speed, while replacing the container with each morph. The idea is to give attackers virtually no time to exploit a vulnerability before the vulnerability has been moved somewhere else. If malware does enter the system, the OS is replaced with a brand new, clean morphed OS almost as quickly as the malware had arrived. Full disclosure: I had been referred by a friend to Polyverse for contract work. There was not a synergy in current needs but the ensuing conversation was engaging and thought provoking. This is the “evasion and regeneration” I am talking about in the title of this blog.

One of my all-time favorite quotes goes something like this. “If you only see one solution you probably don’t understand the problem.” This sage advice that I found in the sidebar of a DIY robotics book applies to life. Sometimes when I do not like a solution, I discover I’m not actually trying to solve the real problem. Sometimes the first solution I see is the best solution. Other times I find multiple appealing solutions. Regardless, I am always more educated by remembering to apply this principle to my life.

I really am intrigued by Alex’s classifications of defenses as “stationary” and “moving target.” The moving target defense looks to me like a novel solution. Damn. The “S” word… “solution.” “If you only see one solution…” Sigh. Now my challenge became one to see if I could find better or equally appealing solutions that use a stationary target defense. In other words “Can a stationary endpoint be defended as well as an endpoint that is moving faster than the attackers can catch and inflict damage upon?”

There are many types of stationary target defenses but for this blog I am limiting discussion to one class of stationary target defense – deception and decoy. The reason is simple. It was the first to come to mind because my friend Gadi Evron is everywhere I go. Facebook, email, countries all over the world… Gadi is everywhere. In thinking about a stationary target defense solution that might be able to provide the effectiveness of a moving target defense, I remembered Gadi telling me about how his company, Cymmetria, uses decoys and deception to keep an attacker away from a stationary target. TrapX, Attivo Networks, and CounterCraft are three other companies that use a deception and decoy strategy. Aside from any technical merits of these solutions, I absolutely love the idea of deceiving the bad guys. Digital karma. Ask me about the time I kept a PC support scammer on the line for 45 minutes. He even waited for me to “cook my breakfast.”

I have an all-time favorite example of a successful stationary target defense. The defense was called “Rope-a-dope” and it made the “Rumble in the Jungle” one of the most exciting boxing matches in history. Muhammad Ali was essentially a stationary target for almost 8 rounds. In the 8th round Ali stopped being a stationary target and destroyed George Foreman in an offensive flurry lasting less than 10 seconds. Rope-a-dope worked for Ali. Although it was an offensive maneuver that ended the fight, the defense was essentially stationary. I can’t imagine that getting pummeled by George Foreman felt like an Ashiatsu massage, but I wasn’t there.

Unlike Ali’s approach, companies employing decoys and deception do not let their targets stand and take punches – no matter how hardened the target is. Different companies use different techniques, but the high level concept is to use real or virtual computers that keep attention drawn away from the target by making the decoys look like they have the Holy Grail. One of the potential weaknesses of the decoy approach is that there is still a stationary target. I’m sure that all of the companies that use this approach are aware of this and have some pretty cool counter-measures, but still, there is a stationary target. If the decoys work all of the time then the actual target does not need to move.

My favorite moving target defense analogy is the SR-71 Blackbird. This spy plane was the fastest aircraft ever to fly.  The Blackbird had vulnerabilities. The Blackbird was designed for stealth, but you don’t really fly at Mach 3+ without leaving a detectable heat signature. To add to that, the skin around parts of the fuselage could be easily damaged. How did the Blackbird defend itself?  It flew faster than the missiles could reach it, faster than any other aircraft could fly, and it moved around a lot. Stealth was still a factor too. By the time the missile got there, the Blackbird was not. It didn’t matter that the Blackbird was in plain (no pun intended) sight.

Surveillance is a critical part of moving target defenses, deception and decoy defenses, and many other security approaches. Repelling attacks is good, but not everything. You want to have a discreet, digitally intimate relationship with your attacker. You just don’t want the attacker to know they are in the relationship. This should be your relationship status


This is what the adversary’s relationship status should be

You want to stalk your enemy… watch them... What is my enemy after? How are they going after it? How are their tactics adapting? Who is attacking me? What am I going to do about it? And so on… Ah ha! The OODA Loop is back!

Update: Attivo Networks expressed concern that I may be making decoy and deception defense look like a passive technology. I am actually surprised that none of the other vendors raised this concern because they all fight the misconception that they are glorified honeypots.

Modern decoy and deception approaches employ algorithms that can create a series of dynamically changing decoys and potentially even dynamically changing network topologies in response to the tactics of attackers. This is active engagement with the enemy, not passive intelligence collection.

Again, I am not recommending or endorsing any specific technology or security market segment. We’re talking philosophic approaches and challenging assumptions. I can’t imagine any single tactic working through the entire kill chain.

Given multiple approaches to achieve the same goals, which strategy is best? I can’t tell you, I don’t know your problem.

If you are Schick you are defending trade secrets. Encryption, DRM and data recovery probably address the real problem. Yes indeed, defend your endpoints, but don’t lose focus on the problem. Get that IP protected, then worry about the network and endpoints.

If you are a hospital you are defending human lives first. Protecting the equipment required to maintain the physical well-being of a patient probably requires different protection technologies and/or approaches than protecting the systems remotely monitoring a pacemaker. Banking Trojans may be the biggest threat to the accounting department, where data theft is the major threat to systems holding health records.

Make sure you are clear on the problem, assess the suitability of the approach to the problem, and then compare technologies and approaches. The right technological approach for you may not have been mentioned in this blog.

I really wanted to share with you the concept of diverse philosophical approaches to security, and demonstrate what happens when I remember some of the wisest words I know - “If you only see one solution you probably don’t understand the problem”

This is the official end of the blog, but feel free to read on if you enjoy the diversions that research on the Internet results in.  As you all know, the problem with research on the internet is not attribution and not validation, it’s that you get diverted to rather irrelevant information that is too compelling to ignore. In thinking about analogies to use in this blog, holograms came to mind. I could think of analogies using holograms for either type of defense, but they fell apart the very first time an adversary tried to “touch them.”  This analogy requires a hologram that can be “touched” to really fly. With that in mind I remembered that George Washington once said “if you can dream it you can find it on the Internet.”

Research into my dream led me to a company called Ultrahaptics. Ultrahaptics is developing a holographic technology which can make it seem like you are touching a hologram. How cool is that?

Randy Abrams

Independent Security Analyst (ISA)
Fan of Historical Quotes (FHQ)
Chaser of Internet Squirrels (CIS)

Tuesday, August 1, 2017

Can Comcast/Xfinity Publish Your Trade Secrets and Letters to Grandma?

The answer looks like yes, but ask a lawyer for a legal opinion.
I have confirmation from a lawyer that I am correct.

Comcast’s most recent Terms of Service (ToS) state

“Authorization. Comcast does not claim any ownership of any material that you publish, transmit or distribute using XFINITY Internet. By using XFINITY Internet to publish, transmit, or distribute material or content, you (1) warrant that the material or content complies with the provisions of this Agreement, (2) consent to and authorize Comcast, its agents, suppliers, and affiliates to reproduce, publish, distribute, and display the content worldwide and (3) warrant that you have the right to provide this authorization. You acknowledge that material posted or transmitted using XFINITY Internet may be copied, republished or distributed by third parties, and you agree to indemnify, defend, and hold harmless Comcast, its agents, suppliers, and affiliates for any harm resulting from these actions.”

Sending data in email clearly is transmitting material. For example, if an employee or an independent contractor uses their Comcast account to communicate something confidential with authorized people, it appears that Comcast retains the right to publish such information on a worldwide basis.

If a child writes an email to grandma, fair game for worldwide publication? A suicide note? Spouses exchanging love letters and/or pictures? Letters to congress people. Your attorney? The FBI?

The answer is yes.

If I am reading this wrong please let me know so I can update this blog and inform others of what it means.

Randy Abrams
Independent Security Analyst

Monday, July 24, 2017

Enterprises Don’t Care About the 10,000 Most Common Passwords

At least yours shouldn’t. Your enterprise should not care about the 10,000 most common passwords and the reason is unbelievable! Out of the 10,000 most common passwords only 10 had 12 or more characters. Perhaps this statistic is not surprising, but “unbelievable” did represent 10% (1) of the passwords that were 12 characters or longer! Not a single one of the passwords met the typical length and complexity requirements most enterprises inflict upon their employees.

The one 18 character password on the list was “films+pic+galleries” and was almost certainly magnitudes stronger than any 14 character password used in your organization, unless it was a category on the TV game show Jeopardy. I say “almost certainly” because there are probabilities that may make a longer password with equivalent entropy weaker than its shorter counterpart. You are not going to be able to do much about entropy and probability control enforcement for the passwords your users create though. I will discuss what I mean about probability factoring into password cracking in another blog.

Rules about using a password with at least 12 characters and multiple character sets encourage the use of 12 character passwords. This also results in the creation and use of short passwords that have predictable formats such as a number or a symbol preceding or trailing a single word. What is the difference between the passwords “techniques” and “1Techniques&”? Not much. Perhaps a few seconds?
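The audit below runs a typical length-and-complexity rule over the passwords quoted in this post and separately checks whether each one is a single dictionary word with decoration at the ends. It is an added example, not part of the original post; the three-character-class threshold, the tiny word set and all function names are assumptions made for illustration.

```python
import string

# Constructed stand-in for a dictionary; a real audit would load a large word list.
WORDS = {"techniques", "incredible", "unbelievable"}

# Passwords quoted in the post, used here as sample input.
SAMPLES = ["unbelievable", "techniques", "1Techniques&",
           "^incredible1", "films+pic+galleries"]


def character_classes(password):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def meets_policy(password, min_length=12, min_classes=3):
    """The 12-characters-and-multiple-character-sets rule (thresholds assumed)."""
    return len(password) >= min_length and character_classes(password) >= min_classes


def decorated_word(password, words=WORDS):
    """Return the dictionary word left after trimming digits and symbols
    from both ends, or None if the remainder is not a single known word."""
    core = password.strip(string.digits + string.punctuation + " ").lower()
    return core if core.isalpha() and core in words else None


def audit(passwords, words=WORDS):
    """One row per password: length, policy verdict, underlying single word."""
    return [
        {
            "password": pw,
            "length": len(pw),
            "policy_ok": meets_policy(pw),
            "single_word": decorated_word(pw, words),
        }
        for pw in passwords
    ]


def policy_blind_spots(passwords, words=WORDS):
    """Passwords the policy accepts although they are one decorated word."""
    return [row["password"] for row in audit(passwords, words)
            if row["policy_ok"] and row["single_word"]]


def long_but_rejected(passwords, min_length=16):
    """Long passwords the policy turns away for lacking character classes."""
    return [pw for pw in passwords
            if len(pw) >= min_length and not meets_policy(pw)]


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(f"{row['password']:<22} len={row['length']:<3} "
              f"policy_ok={row['policy_ok']!s:<6} single_word={row['single_word']}")
    print("accepted but one decorated word:", policy_blind_spots(SAMPLES))
    print("long but rejected:", long_but_rejected(SAMPLES))
```

The policy accepts both decorated single words and rejects the long multi-word entry, which is the trade-off the post argues should be reversed.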

Recently NIST has adopted new guidelines concerning passwords that security experts have long been advocating for – dump complexity for length and don’t make users change their passwords frequently. In simple terms, don’t make me use “^incredible1” for a password and then swap “incredible” for another 10 letter word three months later. Trade complexity for length. It’s a win for all concerned.

I talked about passphrases in a previous blog, but I did not touch on passphrase token attacks. These are techniques that can be used to exploit common weaknesses of passphrases. This does not mean the actual strength of a passphrase is less than a 12, or even 16 character password though. In another blog I’ll delve into token attacks and then provide easy ways to mitigate such attacks in another blog. For now, take a deep breath... Your users probably are not using very many of the rest of the top one million most commonly used passwords because they probably don’t meet your password strength criteria.

Randy Abrams

Independent Security Analyst

Friday, July 21, 2017

Remembering Your Password Can Put You at Risk – How to do One Time Passwords for the Non-Geeky

A long time ago an engineer invented a technology for computers called PCMCIA. To the best of my knowledge PCMCIA stands for People Can’t Memorize Computer Industry Acronyms.  Yeah, people also can’t remember 15 good passwords for 15 different sites with the rules they have to follow today. You have to use upper and lower case letters, numbers, and special characters when all you really need to be safe is a few words (passphrase).

Here is an example of a passphrase: boat plane dog cat fish. That passphrase can be memorized in a short amount of time although a real sentence, such as “I would sure like a ham sandwich!” is easier to remember. Both of these passphrases are far better passwords than “1Xrv24%/&4Zb.” The reason they are better is math. There’s a point where longer and simple is harder for a computer to figure out than short and complex.

So why won’t your system administrator let you stop using numbers and special characters? It’s tradition. Back in the days when passwords were limited to 8 or 12 characters it made a difference – a huge difference. It still does at some sites that only allow short passwords.

I have some good news. There is a growing shift in perspective on the subject. Standards are being set that only focus on length. You don’t even have to change your password very often, if at all, with these new standards. Passphrases are even encouraged.

I still have problems with passphrases though. It is a problem of remembering which of my 15 passphrases went with which site. You still need to use a different password or passphrase at every site you visit. I suppose I could do something like “dog cat rabbit squirrel facebook” and know that that one is for Facebook, but if someone gets that password it is the same as using the same password at every site. dog cat rabbit squirrel gmail, dog cat rabbit squirrel linkedin, etc. You are really using the same password everywhere.

Your bank has a great solution for bad passwords that rarely or never change. The solution is one-time passwords (OTPs). You probably call them verification codes. OTPs are great for security. You get an email with a few numbers, type in the numbers and forget it. 123321 can be a really good password if someone only has two minutes to find it and guess it, and then figure out your other password. Your bank knows how to set up the system so that all you have to do is get a text and type in a few numbers, but you don’t have the bank’s resources or technical skill. What do you do? Simple, you make your own one-time passwords because for you it is free and easy.

Before I proceed I need to make a brief safety announcement.


Now that we have that out of the way, let’s do it. Go to a website and create an account, or reset your existing password for an account you already have. Now open Notepad and start banging away on the keyboard like a chimpanzee. I am serious. Completely randomly bang away for 2 or 3 seconds until you come up with something like this f43wejao;argnhol;vh;oweiuowfgrfikonarhgjo3245garfgnfr42. Don’t even think about what keys you hit, just hit a bunch of keys. Forty characters is more than enough. 30 characters is fine too. Don’t worry, you are only going to use this password once and you are just going to copy and paste it anyway, so you don’t even have to type it in again. If you need to go back to the website and log in again, well that’s what password resets are for. By the way, the chimpanzee method may result in tabs and enters you will need to remove. A few places may allow tabs, but the enter key (new line) probably won’t work. Get rid of those.
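The “math” behind the passphrase comparison and the paste-once password described above, as an added example that is not part of the original post: it draws the throwaway password from Python's `secrets` module instead of keyboard mashing and estimates search effort for each kind of secret. The 7776-word list size and the guessing speed of 10^12 per second are assumptions.

```python
import math
import secrets
import string

# Printable ASCII without whitespace: the page says to strip tabs and newlines.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def throwaway_password(length=40):
    """Random paste-once password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def clean_mashed(text):
    """Remove tabs and line breaks left behind by keyboard mashing."""
    return "".join(ch for ch in text if ch not in "\t\r\n")


def random_bits(length, alphabet_size):
    """Bits of entropy when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def mash_ceiling_bits(sample):
    """Upper bound for a mashed string: treats its distinct keys as uniform."""
    return random_bits(len(sample), len(set(sample)))


def years_to_search_half(bits, guesses_per_second):
    """Average time to find a secret by exhaustive search, in years."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second=1e12):  # assumed attacker speed
    mashed = clean_mashed("f43wejao;argnhol;vh;oweiuowfgrfikonarhgjo3245garfgnfr42")
    phrase = "boat plane dog cat fish"
    rows = {
        "12 random printable chars": random_bits(12, 94),
        # Attacker guessing character by character (lowercase + space).
        "passphrase, per-character search": random_bits(len(phrase), 27),
        # Attacker guessing whole words from an assumed 7776-word list.
        "passphrase, per-word search": random_bits(5, 7776),
        "page's mashed sample (ceiling)": mash_ceiling_bits(mashed),
        "40 chars from secrets": random_bits(40, len(ALPHABET)),
    }
    return {k: (round(v, 1), years_to_search_half(v, guesses_per_second))
            for k, v in rows.items()}


if __name__ == "__main__":
    print(throwaway_password())
    for name, (bits, years) in compare().items():
        print(f"{name:34s} {bits:6.1f} bits  ~{years:.2e} years")
```

The five-word passphrase outranks the 12-character password only under character-by-character search; against word-list guessing its strength comes from how many words were chosen at random.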

This is my reset password philosophy:
“Reset password” is not there to help you if you forget your password, it is there to encourage you not to remember your password in the first place!
Let me repeat that.
Goto This is my reset password philosophy
Sorry, the goto thing is geek humor.

Before we get to the part about “I don’t want to reset my password every time I log in,” give me a few sentences.

Unlike the bank’s verification code, these OTPs are valid forever and still safe. The length and complexity of the password is such that one of three things will happen before a hacker cracks the password.

1) The website is gone. The company changed it or went out of business. Whatever.
2) You log in again. You just reset the password and the forever clock too.
3) You die. You will not care about that password, forever. It’s not your problem.

Now to address the complaint that it is a hassle to reset the password each time you log into a site. You are right. I usually will use this method when it is a site I rarely visit. It isn’t worth remembering another password when an occasional reset really isn’t a big deal. I don’t do this for my email account, although it would be super secure.

For sites I use a lot, I use a password manager. Why would I use the chimpanzee password reset method if I have a password manager? I do not want to clutter up my password manager. If I sign up for a mailing list and then only log in once a year, I don’t need to have yet another entry in my password manager. If you only use fewer than a dozen sites then clutter isn’t a problem for you. I sign up for webinars, and all kinds of things that I wish I didn’t even need a password for. My password manager has too much stuff in it now because I didn’t think of what I just taught you until after it was cluttered. I’m getting rid of many passwords now. I’ll just reset them if I even need them again.

For the sites I do visit more frequently I use a password manager because it allows me to use very long, complex and unique passwords for each site, and they last a lifetime if the site doesn’t make me change them. I’ll get to data breaches momentarily.

Companies spend a lot of money to set up OTP systems because they can add a lot of security. You can do the same thing for free.

An important instruction for safe password manager use and then a note about data breaches.

The most critical part about using a password manager is having an extremely great, fantastic, stupendously wonderful password. The password manager holds a lot of eggs in one basket. I would recommend a passphrase that is very long. Let me show you.

My dog ate all of my books and bit my teacher.

This is an awesome password. A person I knew at Microsoft reputedly used a 75 character password. That is well beyond insanely long. It can be very easy to remember, but it’s a lot to type for me.

I can remember “Mary had a little lamb, little lamb, little lamb. Mary had a little lamb its fleece was white as snow”; I’m just not going to type it in. Of note, the commas made the passphrase even stronger.

It really is best to make up your own sentence rather than a well-known one.

Now for the data breaches. There are times that a company did something wrong, really wrong, and your password was compromised. You may have to change a password. It depends on what it is. If it is an email account, a social networking account, etc. you need to change it right away. There are a few cases where it doesn’t really matter at all, but pretend like I didn’t say that… just change it.

Randy Abrams
Independent Security Analyst

Thursday, July 20, 2017

The Child’s T-Shirt Point of Sale (POS) Attack

Despite the fact that sometimes I discuss serious security topics, the name of this blog is after all “Security through Absurdity” and so absurdity is required at times. Prepare yourself for a Costco-sized package of absurd.

As I was walking through Costco today I saw a woman pushing a cart, with her kid in it. I figured if everything else in the cart has a barcode so should her kid. And so I spoke my mind. “You need a kid’s t-shirt with a barcode on this.” I thought she was going to ignore me, but a few seconds later she finally replied "No thanks, I already pay enough for my kids." I had actually thought about the absurdity of paying for your own kid and so I had my own reply (which I thought of on the spot) "what if the barcode is a rebate?" She liked that idea. And that was the birth of the child t-shirt exploit attack.

Replacing barcodes on products to get a cheaper price was innovative - one time - many years ago. The second time it was done was ho-hum. The Child’s T-shirt POS attack is more interesting. I’m sure I am not the only one who has thought of this, but I think my idea of how to monetize it in the real world may be innovative. The Child’s T-shirt POS Attack is the perfect application of social engineering to exploit a cashier with a barcode scanner. The attack exploits the fact that a toddler sitting in a shopping cart, wearing a t-shirt with a barcode on it, is irresistible. Cashier: “Oh isn’t that adorable. Here you go cutie, let me scan you.” Scan - ding - five bucks off. Ten bucks if you have two kids.

Is that awesome social engineering or what? It can work too, for both Costco and you!

Costco, you owe me big time for this idea...

Sell a child’s t-shirt with a barcode on it that gives the adult accompanying the kid 2% back on each purchase. You give 2% back for executive card holders so you can’t tell me the idea is cost prohibitive. You get your brand displayed every time the kid wears the shirt. The amusement factor is such that the t-shirt will be worn a lot. You will entertain most shoppers. Parents enjoy hearing “that is so adorable” when it’s talking about their kids. You’ll get the “mommy, daddy, I want that” sales (which you get anyway). Finally, the savings makes it less painful for the parents who have to put up with “mommy, daddy, I want that.”

Marketing is about social engineering. If you want to protect against the Child’s T-shirt POS Attack then embrace it and use social engineering to your advantage.

Randy Abrams
Independent Absurdity Analyst 

Monday, July 17, 2017

Stackhackr; Useless for Testing – Good for Marketing

Barkly, a self-proclaimed security company, has revived the 1990’s era Rosenthal Virus Simulator; an application that called false positives good while claiming to test the quality of antivirus products. Some users believed that this simulator indicated if an antivirus product was good at detecting malware. As a result some AV companies wrote detection specifically for Rosenthal’s harmless files. The customers wanted harmless false positives for harmless files and so they got them.

Barkly has come out with a free product they call stackhackr. Stackhackr is a lead generation application that is disguised as a security product testing tool. In reality it is another Rosenthal type program that convinces users that false positives mean better security.

According to Barkly “The malware you create won’t actually cause any harm, but whether it runs or gets blocked will tell you if your system is vulnerable to the real thing.”

Really? If a completely ineffective security product writes detection specifically for this application then you are not vulnerable to the real thing? If a product false positives and detects your harmless files, then the company’s customers are not vulnerable to ransomware? In order to use stackhackr you have to provide your contact information. It is only then that you get something that does not do what it was promised to do. Like I said, stackhackr is a lead generation application, not a test tool.

Stackhackr does not test the ability of a product to detect ransomware, malware, or the ability of a product to effectively deal with any attacks. Due to the security effectiveness of application reputation Barkly specifically calls out this type of detection as a false positive. Barkly claims that detection of their launcher application is a false positive because the launcher file is harmless and not part of the test. Seriously? Detecting a harmless launcher is a false positive but detecting the harmless files it writes is not? Take me to security school, I had no idea that’s how it works. In reality detecting a “harmless” file is not a false positive when it is only ever seen launching malware. Blocking a launcher or a dropper before it delivers its payload is a good thing. If launcher.exe is used to launch the simulator then it is fair game. Blocking the launcher protects users from a false sense of security. The detection is accurate, not a simulation but real protection against deception.

Now for all you AV vendors, Barkly has thrown down the gauntlet, so what are you going to do? If you identify a site delivering ransomware or other malware you block the site. If simulated ransomware or simulated malware creation kits are on, then let’s get this simulation off the ground and go block the site. Be sure to mention it is a simulated malware toolkit creation site you are simulating detection of.

I have interacted with major security product testing organizations as an enterprise security professional and as an employee of a security vendor. I have actually worked for a company (NSS Labs) that tests (and breaks) security products. There are no competent testers in the world that would tell you that stackhackr is usable as a security product testing tool.

I recommend against giving Barkly your user information in exchange for stackhackr. You will not receive anything I can deem as even slightly valuable.

Randy Abrams

Independent Security Analyst

Monday, June 26, 2017

The “I Can Use Facebook Any Time I Want To” Offspring Password Reset Attack

No matter how ridiculous, every "cyberthreat" must have a catchy name.

Sometimes parents will restrict the times that a child can use the Internet for anything other than homework or downloading Malwarebytes to fix their parent’s PC. Policy and compliance, as every parent and IT professional knows, are not always followed by choice. If you are a parent, how do you enforce such a policy? Technology to the rescue…

Many cable modems, and other network connectivity devices, allow the administrator to set up times they can block certain computers from using specific Internet sites. Of course that doesn’t work if you leave the default administrator username and password unchanged... it’s either on the Internet, or on a sticker on the bottom of the device.

Since you already knew that, or someone who did know that helped you configure the device, your kid isn’t going to log in to the console and fix the “policy.” Here is where the old adage about physical access and game over comes into play. Simply stated, if a person has physical access to a device, they own it. If your teenager has physical access to the network device, they can perform an insidious password reset attack and you will never be the wiser. There’s a reset button on the device. Among other things the reset button resets the... yeah, password. You may never know it happened until 25 years later when during some random conversation your kid confesses. At that time, if your kid still lives at home, go ahead and enforce lockout hours again. The defense against the offspring password reset attack is to prevent physical access to the device. For the average parent that would be a pain in the @ss inconvenient. I’m not a parent so it isn’t really my problem, I’m just the messenger.

Before you state the obvious, there are parental control apps that can enforce policy on a mobile phone. These apps are almost certainly more common than parents doing anything with their cable modem configurations. If you’re a kid, that’s what burner phones are for.

OK, the attack is esoteric and it just amused me, but the point is that sometimes physical security is required where you least expect it. Perhaps next time I will discuss the legal implications of the offspring password reset attack, but don’t lock up your kids yet.

By the way, I recommend using a password manager and keeping both your current username and password in it and the default username and password. For one, it can be a pain in the @ss inconvenient to turn over the device with all of those network cables and the stiff coaxial cable attached in order to see the sticker with the password on the bottom. For another, if anything happens to the sticker with the password, and it is a modem-specific password, you are now vulnerable to a password lockout attack. I find it embarrassing to tell my ISP that my cat licked off the cable modem sticker…. especially the second time.

Randy Abrams

Independent Security Analyst with a Stranger Sense of Danger 
It has been so long since I posted here that most of the posts were irrelevant. I did leave the two rules you damned well better know post though. It is currently timeless, but that may change at a future time.