The most intriguing debate to come out of last week's security conferences in Vegas stems from a presentation by FTC Chief Technologist Lorrie Cranor at PasswordsCon 2016, part of the BSides security conference in Las Vegas. Dan Goodin of Ars Technica summarized the discussion well; the gist of the presentation seems to question why we should change passwords at some fixed frequency, and challenges the old model of forcing password expiration in systems. Others in the community, like Bruce Schneier, agree, and Troy Hunt implies agreement in his tweet. In my mind, though, I struggle with the idea that the practice is in some way bad or ill-advised and that it's time to do away with it.
This week was a particularly tough week for those who depend on and promote the use of password managers. Unfortunately, that is not because of the compromise itself, but because of the loss of faith in such technologies that it undoubtedly introduced into the market. The sad reality is that the only reason it's news is that it was a very popular service – LastPass – and the headlines had the words compromise and hack in the title.
Yes – LastPass was Compromised
The impacts however are not as severe, all things considered, as it might appear at face value.
Perhaps the thing that annoys me the most when I hear security advice being shared with end users is when they get the information wrong, or overemphasize things they don't understand or can't support. This is a problem in the way we communicate, especially in the WordPress community, though it applies to all communities, regardless of platform.
To be clear, in case the title was misleading, this sentiment is wrong and we should do a better job at communicating security.
It All Lies Within the World of Passwords
Most of the nonsense I hear around this comes from folks with a very narrow perspective on the world of security, and as of late it seems to stem from the access control guys (those who are fighting the password game).
The discussion on access control seems to be commonplace these days with the latest news revelations. I found this video on some research Lorrie Faith Cranor is doing on the subject very interesting and insightful.
This post is really designed for my family and friends. I write it because, in the business I am in, I get to see and hear the detrimental impact web-based threats have on people. I hear horror stories of lost data, of the amount of information people have lost, and of the impact it has had on them and their businesses.
I will by no means cover all the things you should do, but it will help you better situate your online security posture.
Good security posture is about risk reduction…
Understand when reading this that there are many variables to account for when talking about protecting yourself, and not everything is under your control. The web is such that we have grown accustomed to what it offers us, and now we have to learn to adapt.
Although social engineering has been around for some time, it has probably not been as prevalent as it has become in recent months. Perhaps the one event that forced many of the largest companies to rethink their security posture was the complete dissolution of Mat Honan's digital presence in August. In the weeks following, it sparked much discussion and uproar around the existing protocols employed by Apple, Amazon and other big service providers.
Today Mat Honan put out another exceptional post on Cosmo, a cracker who goes by the name Cosmo the God. What's by far most impressive is that he is only 16 years of age, but then again, is it really? Beyond the jaw-dropping size of the youngster, his insight into and knowledge of social engineering techniques was, and is, impressive.
If you’re interested in better understanding what social engineering is all about then this is definitely a post you want to read.
The storage of your data in the cloud is becoming commonplace today, and it's hard to think that will change any time soon. I personally have been a big fan of cloud-based services since they first started to come on the scene a few years back. With them, though, come concerns around security, most notably the recent compromise at Dropbox.
If you’re not familiar, this is what The Dropbox Blog reported:
Earlier today researcher Benjamin Kunz Mejri of Vulnerability Lab reported to Threatpost that he had found a vulnerability in the open-source password manager KeePass.
The vulnerability is supposedly in the way the application filters and validates data. If exploited, it could be used to inject malicious scripts. To work, though, it would require a number of conditions to be met:
- A manipulated URL with malicious script code;
- A logging server with read, write and execute permissions;
- A listing file;
- A valid KeePass user.
If all conditions are met, then the attacker would be able to steal the victim's passwords.
Back in February I put out a post on Web Security: Managing Your Passwords. With the recent compromises at sites like LinkedIn, eHarmony and Last.fm, I felt it was appropriate to go back and look at some of the technical aspects of the LastPass solution, specifically whether it is secure.
This week I was sent a podcast, Security Now with Steve Gibson, that supposedly addressed whether LastPass is secure, so I figured why not give it a go. I learned a few things from it and thought I'd share them in a quick post, especially given how relevant a topic it is right now. Password management, that is…
This post is for friends and colleagues and anyone who cares to listen. It focuses on the very real issue of managing all our passwords!!!!
Every day I deal with websites, and their owners, in varying degrees of distress. I want to help avoid crossing paths with any of you. There are a number of preventive steps you can take, and you can watch them here or read about them here. The one I want to spend a few minutes on specifically is password management.
I, like most of you, as of a week ago would have been classified as a culprit of poor password management. I mean, let's face it: in this day and age we probably have no fewer than 50 different sites we go to that require us to enter credentials to authenticate (e.g., Facebook, bank, school, work, email).