Pizza, passwords and octopus!

I've been meaning to post this for a little while, ever since I read about the data breach that occurred 'across the ditch' at the popular 'Hell Pizza'.

The cause of the breach was some spectacularly bad development work that had the flash font-end making effectively unrestricted SQL calls to the back-end database. The database contained customer name and address details, their order history and their unencrypted password for the site.

But it's only a pizza website? Who cares!

The problem is that many people use the same password (or a variation thereof) or a wide variety of websites, pizza websites included. When the pizza website gets hacked for usernames, email addresses and passwords, you can bet that someone will try to use those same credentials (or a variation) against other sites, such as webmail, social networking and internet banking. That 'lowly' pizza website and it's abysmal security may have just trumped your higher security internet banking or webmail site.

It's the same old problem we always have with passwords, that people simply have to remember too many passwords. A Microsoft study [pdf] from back in 2007 found that: "the average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day".
From informal discussions I've had with friends and family, I'm surprised the number is 6.5 passwords as the feedback I've received is that the number is closer to 3-4 different passwords.

Unfortunately password-based authentication isn't going anywhere anytime soon, so the advice I give to non-IT people (on top of using complex, non-dictionary, unrelated passwords) is to set themselves with some different 'levels' of passwords.
The bottom level is a 'throwaway' password that you can use for anything that really doesn't matter - your pizza website, one-off registrations to download documents or software or other sites you rarely ever frequent or suspect of low security standards (like internet forums).
The next level of password is for your more frequently used sites with generally better security, like social networking or webmail sites. (While I'd advise to keep social networking and webmail passwords separate, I'm working on the 3-4 password theory...).
The next level of password is your 'online shopping' passwords, such as Amazon or eBay. This is for the types of sites where a password breach could run up a serious bill on your credit cards.
Finally the last password level is your 'high security' password, solely used for internet banking. The important part about the high security password is not only that it is strong, but it is not used anywhere else.

While i admit the above is far from perfect, neither are passwords or people! At least following that advice your average internet user might be somewhat better protected that using the same password everywhere.....

Onto another tasty subject, octopus! (in fact octopi! Or is it octopuses?)

Octopus #1:
A hacker in Japan has been arrested for releasing a virus that overwrites files on your PC with manga pictures of Octopuses and Squid. The funny part? It's the second time he's been arrested for this. Two years ago he was arrested for the same thing and charged with copyright infringement as he used copyrighted manga images. To show that Mrs Nakatsuji raised no fool, this time he used images he drew himself so he couldn't be charged with copyright infringement again! While I hope Japan has revised their computer crime laws since his first arrest, you have to admire his logic!

Octopus #2: The Octopus card is a common smart payment card in use in Hong Kong that is used in the MTR subway, convenience stores and fast food restaurants like McDonalds. Everyone I know in Hong Kong has one, and as a frequent visitor over there I have one in my wallet right now. Well it seems that the card issuer had sold the personal data of nearly 2 million customers to six business partners for HK$44 million over the past four years, the exposure of which has led to the resignation of their Chief Executive. For all the good work we security people may do in protecting our corporate data from the 'bad guys', it is all for nought if the bad guys are in the boardroom....

Now all this talk of Octopus and pizza has made me hungry! I wonder if Hell Pizza deliver to Australia?

Social Engineering CTF

Social engineering is back! Did it go away? Not really, but it's back in the mainstream news. One of the competitions at DefCon this year has been a 'social engineering contest', where contestants were given a list of information they have to obtain and a target company that they have to obtain it from.
They were given a limited amount of time to get as much of the information as they could. And the the result? Not good.
We've touch upon Social engineering before and unless (or even if) you're a super-secret organization with highly trained personnel it is something that is damn near impossible to stop. I would imagine it is easier to do against larger companies (such as those targetted in the contest; the likes of Apple, Microsoft, Cisco, Ford, Coke and BP) , especially those with areas that routinely deal with the public and whose staff are encouraged and trained to be helpful and friendly.

Only 3 out of the 50+ employees contacted by the competitors were skeptical enough to hang up without providing information (and all three were women....so much for the skeptical male stereotype!). Apparently:

"People went as far as opening up their e-mail clients, Adobe Reader, versions of Microsoft Word, and clicking on 'Help/About' and giving the exact version numbers of their software," said Aharoni. "For an attacker, the exact version number would provide a much higher level of success," allowing an attack to be tailored to exploit a vulnerability in that exact program.

The contest was sponsored by social-engineer.org who seek to "Exploit the HumanOS".

While I can see the validity of the contest, I hope the details of those called is not released to avoid any punishment or ridicule from their employers or fellow workers. The urge to be helpful is part of human nature and it is a sad fact that there are those who will exploit and manipulate that nature for their own ends.

Time to go and review your Security Awareness training...

Cloudy Weather

The Cloud. These days it seems all-encompassing and unescapable. Perhaps we should have called it 'fog computing' as it seems to have the ability to bamboozle and confuse non-techie types with promises of milk and honey for little or no effort. While it certainly has it's merits, a lack of true definition and standards show it's immaturity at present.

But even in world of magical clouds there's a darkside, for with a greater availability in cheap computing power comes the opportunity for shady-types or in this case, researchers, to use the 'power of the cloud' to crack WPA encryption. WPACracker allows you to run a 285 million word dictionary-based attack to crack WPA-PSK and ZIP file encryption. Purely for research purposes of course!

Using Clouds or 'cloud-like' constructs for crime is nothing new, shown by the prevelance of botnets such as the massive Conficker botnet (estimated at 10-15 million hosts) or the spam spewing Cutwail botnet that could blast out 74,000,000,000 spam messages a day (that's 51,000,000 a minute!).

While I'm on Cloud matters, I spotted a recent interesting little tidbit about personal cloud storage provider Evernote. It seems for their customers, security is an add-on extra that is only available to premium subscribers....

Apparently 'excellent security' means encrypting authentication information only with the remainder sent in the clear. Are we past the age of better security being basically a good idea or advertised as a lure for customers and it turning into a premium extra charge? I hope not.

(thanks for some of the info in the post above to a Circus contributor who must remain anonymous - you know who you are!)