Blackmoor Vituperative

The consensus among security researchers has been consistent for about 15 years: forcing password expiration based on nothing but the date makes passwords less secure.

https://www.sans.org/blog/time-for-password-expiration-to-die/

Also relevant…

I think passwords are the “rotary telephones” of this century. They will have to go away, as soon as someone (probably in Europe, for various reasons) invents something better and then it gets adopted by several large companies and/or countries. But until then… long passwords, 2FA, and trying to get out-of-date security policies to be updated (obsolete policies such as requiring passwords to “expire”, which DECADES of security research have demonstrated make passwords less secure).

Cyber-security firm CyberArk has released today a new free tool that can detect “shadow administrator accounts” inside cloud environments like Amazon Web Services (AWS) and Microsoft Azure.

https://www.zdnet.com/article/new-tool-detects-shadow-admin-accounts-in-aws-and-azure-environments/?ftag=TRE-03-10aaa6b&bhid=71893585&mid=12954240&cid=716959071

I have been saying for years that passwords, as a concept, need to go away. As implemented, passwords don’t work, and the ludicrous “complexity” requirements imposed my many companies are little more than a guarantee that the user will write their password down, which is one of the easiest ways for a system to be compromised.

Here’s a cartoon from xkcd that illustrates why ridiculous password policies don’t even make sense from a security perspective.

The gist of it is this: long passwords (passphrases, actually) are more secure than short ones.

I ran across a set of tutorials and cheat sheets for a few of the more common security vulnerabilities this morning. I thought other people might find them useful. They’re from a company called Veracode. The guides are free, and they point to other free resources if you want to learn more, so they seem to be a pretty good starting point if you are interested in this sort of thing.

• SQL Injection
• Cross Site Scripting
• Cross Site Request Forgery
• LDAP Injection
• Mobile Code Security

I have believed for a long while now that passwords need to go away. Further support for that position is provided by a PC Pro article called How a cheap graphics card could crack your password in under a second:

Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.

What does this tell us? well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.

[…]

A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention.

Some of us have been paying attention.

A friend showed me this graphic at Simple Survival Skills, showing the protection afforded by these different types of protective vests. I thought it was interesting.

Here is another chart, from Body Armor News.

Ammunition From The Chart

1. .22 Magnum 40 gr. JHP (1209 FPS / 369 MPS)
2. .32 ACP 60 gr. Silvertip JHP (936 FPS / 285 MPS)
3. .380 ACP 95 gr. FMC (902 FPS / 275 MPS)
4. .38 Special 125 gr. Nyclad SWHP (1009 FPS / 308 MPS)
5. .38 Special +P 110 gr. JHP (1049 FPS / 320 MPS)
6. .38 Special +P 140 gr. JHP (869 FPS / 265 MPS)
7. 9mm 124 gr. FMC (1173 FPS / 358 MPS)*
8. 9mm 125 gr. JSP (1121 FPS / 342 MPS)
9. 9mm 147 gr. Black Talon (1010 FPS / 308 MPS)
10. 9mm 147 gr. Golden Saber (1083 FPS / 330 MPS)
11. 9mm 147 gr. Hydra Shok (1011 FPS / 308 MPS)
12. .357 Magnum 158 gr. JSP (1308 FPS / 399 MPS)
13. .357 Magnum 110 gr. JHP (1292 FPS / 394 MPS)
14. .357 Magnum 125 gr. JHP (1335 FPS / 407 MPS)
15. .40 Caliber 180 gr. FMJTC (992 FPS / 302 MPS)
16. .40 Caliber 170 gr. FMJTC (1095 FPS / 334 MPS)
17. 10mm 155 gr. FMJTC (1024 FPS / 312 MPS)
18. 10mm 170 gr. JHP (1137 FPS / 347 MPS)
19. .41 Magnum 210 gr. LSWC (1141 FPS / 348 MPS)
20. .44 Magnum 240 gr. LFP (1017 FPS / 310 MPS)
21. .45 Long Colt 250 gr. LRN (778 FPS / 237 MPS)
22. .45 ACP 230 gr. FMJ (826 FPS / 252 MPS)
23. 12 Ga. 00 Buck (9 pellet) (1063 FPS / 324 MPS)
24. 9mm 124 gr. FMJ (1215 FPS / 370 MPS)*
25. 9mm 115 gr. Silvertip JHP (1252 FPS / 382 MPS)
26. 9mm 124 gr. Starfire JHP (1174 FPS / 358 MPS)*
27. .357 Magnum 158 gr. JSP (1453 FPS / 443 MPS)*
28. .357 Magnum 145 gr. Silvertip JHP (1371 FPS / 418 MPS)
29. .357 Magnum 125 gr. JHP (1428 FPS / 435 MPS)
30. 10mm 175 gr. Silvertip JHP (1246 FPS / 380 MPS)
31. .41 Magnum 210 gr. JSP (1322 FPS / 403 MPS)
32. .44 Magnum 240 gr. SJHP (1270 FPS / 387 MPS)
33. 9mm 124 gr. FMJ (1440 FPS / 439 MPS)*
34. 9mm 115 gr. FMJ Israeli (1499 FPS / 457 MPS)
35. 9mm 123 gr. FMJ Geco (1372 FPS / 418 MPS)
36. 9mm 124 gr. FMJ Cavin (1259 FPS / 384 MPS)
37. .44 Magnum 240 gr. LSWC (1448 FPS / 441 MPS)*
38. .44 Magnum 240 gr. HSP (1320 FPS / 402 MPS)
39. 12 ga. 1 oz. Rifled Slug (1290 FPS / 393 MPS)
40. 12 ga. 1 oz. Rifled Slug (1254 FPS / 382 MPS)

Bullet Abbreviations

The following standard abbreviations are used to designate types of bullets or projectiles contained in the rounds tested.

FMC/J Full Metal Case/ Full metal Jacket
FMJTC Full Metal Jacket Truncated Cone
HSP Hollow Soft Point
LRB Lead Round Ball
LRN Lead Round Nose
LSWC Lead Semi-Wadcutter
JHP Jacketed Hollow Point
JSP Jacketed Soft Point
LFP Lead Flat Point
SJHP Semi-Jacketed Hollow Point
SWHP Semi-Wadcutter Hollow Point

Avast has come out with a new version of their antivirus and security software. I use Avast antivirus, and I recommend it to everyone. CNet has a review.

This article is worth reading. Most people have no clue about what “security” really means, including most of the people vilifying — or praising — WikiLeaks.

As becomes increasingly obvious with the passage of time, and with the advancement of digital communication (and thus copying) technologies, privacy is security, and secrecy is not.

[…]

Perhaps the most amazing thing about all this noise over the matter is that WikiLeaks is such a vulnerable, unreliable avenue for distributing such leaks. The US government’s campaign targeting WikiLeaks in an attempt to shut it down does not only betray the culture of secrecy in government to the public at large, undermining any claims to value transparency; it also showcases the simple fact that government officials just do not get it. WikiLeaks is not the cause of the “problem” for secretive government officials. It is merely a superficial indicator of much deeper problems — of a deeply flawed security model.

(from The difference between secrecy and privacy as security concepts, TechRepublic)

In this blog post on infolawgroup.com, David Navetta takes a closer look at the PCI and encryption requirements of Nevada’s Security of Personal Information law, including the interplay between the PCI and encryption requirements, the scope of the obligations, potential problems/ambiguities in the law, and the applicability of a “safe harbor” for security breaches.