Do as I say, don’t do as I do


What are we who like to call ourselves “security professionals” trying to teach our users when it comes to plugging in unknown USB devices that they find or get as hand-outs?… Don’t plug them into your computer!

And what do I get as a hand-out at the BlackHat Europe security conference?… a USB dongle…. Need I say more?

Please remember 200 different passwords…

ONE of the most useless pieces of “good practice” advice that always seems to be included is “don’t re-use passwords on different websites”. Seriously, can you expect someone to remember 200 different passwords?

This might have been good advice back in the 90’s, when you maybe had a Geocities account, but now the average internet user has almost 200 online accounts. (A survey showed that the average UK consumer had 118 online accounts in 2015.) So that makes me wonder, do the people giving this type of advice have 200 different passwords?… nah, probably not.

So what are the alternatives? Multifactor authentication? Password vaults? Both of them are of course good alternatives that will provide you with additional security, however my experience is that both MFA and password managers tend to raise the bar a bit too high for Average Joe. Eyes tend to glaze over when I start talking about MFA and password managers, and people end up concluding that this is too cumbersome. This might of course be due to my lack of communication skills 🙂, however people tend to be lazy and shy away from anything that might make their day more difficult. (Guilty as charged.)

So I will not present a solution to this issue in this post, but maybe the “don’t reuse passwords” advice needs to be rephrased in a way that makes it more likely to be adopted. E.g. “Don’t reuse passwords for important online accounts, such as social media, email and internet banking.” If you are lucky you might be down to 10 passwords that you need to remember. And remember to WRITE THEM DOWN, on a piece of paper in a closed envelope. (The good old-fashioned analog method, not in an Excel sheet stored on your computer or OneDrive.)

What about the rest of the 190 online accounts? A good option for the websites you visit most frequently is to have a set of 5-6 passwords that you can juggle between the different websites. For the rest of the websites that you maybe visit 2-3 times a year? Use a random string of characters and use the “I have forgotten my password” function next time you visit.

….Or here is a wild idea… use multifactor authentication and password managers.

“Secret Questions” – Why you should lie until your pants catch fire

At some point all of us have probably forgotten a password, but luckily the site or service that you need the password for has these magic password reset questions (also known as secret questions). These are questions that are meant to have simple answers that only you can remember, so you can be positively identified as you and not an evil hacker trying to get access to your account. Password reset questions are often something like this:

◦What is your mother’s maiden name?
◦What is the name of your first grade teacher?
◦What is the name of your favorite football team?
◦What is the name of your first pet?
◦What was the name of the street where you grew up?
◦….etc etc

As you can see they are questions that everybody should be able to remember the answer to. The thing is that these types of questions are a bit too simple and too easy. After social media entered our lives, many of us have short bios available online for everyone to see, telling the world that you grew up in a cosy street called Evergreen Terrace, that your first pet was a puppy called Kerbero, and that you will never forget the loving Mrs Oswald you had as a teacher in first grade. In addition you might also have a public profile describing your lineage on both your mother’s and father’s side.

As you can see, many of the answers to these questions are available online with a little research, and for people that know what they are looking for it can be very easy to stitch together a list of plausible answers to such questions that are used as “safeguards” to identify you.

You can also find these types of questions in some of our own systems. A good example is the self-help function in the disk encryption tool used to protect the data stored on our company laptops. Even if there is a restricted number of attempts you can make before you need to call the service desk, some of the questions can easily be answered by someone else if they do some research into your profile on different social media sites.

So how can you avoid that someone who put some effort into researching your profile can actually use that information to reset your passwords and gain access to your accounts? Well, I know your mother probably told you to never do this, but you could lie. Lie until your pants catch fire, because the important thing here is that the lie must be so good that you can remember it, so you can answer the questions correctly. If possible you should consider not relying on password reset questions, but maybe try a password manager instead.

In addition you should also be careful about how detailed your online bios are, since that information can also be used for identity theft in addition to getting access to your online accounts. The information in such bios can also help hackers guess your passwords (one of the methods used in the Apple celebrity hacking scandal last year).
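To make the “lie and remember the lie” advice concrete, here is a small added example (my own illustration, not code from the original post) that treats reset questions like passwords: it generates a random, meaningless answer for each of the questions listed above and keeps them in a plain dictionary that stands in for a password manager entry. The question list is taken from the post; the 62-character alphabet, the 24-character answer length and the “about 100 plausible football teams” figure are my assumptions, used only to compare how much guessing a researched truthful answer takes against a random one.

```python
import hmac
import math
import secrets
import string

# The reset questions quoted in the post (constructed list for this example).
QUESTIONS = [
    "What is your mother's maiden name?",
    "What is the name of your first grade teacher?",
    "What is the name of your favorite football team?",
    "What is the name of your first pet?",
    "What was the name of the street where you grew up?",
]

# Assumed alphabet for generated answers: letters and digits only, so the
# answer survives sites that reject punctuation in reset answers.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 24) -> str:
    """Return a random 'lie' drawn from a CSPRNG; nothing in it is guessable from a bio."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of the given alphabet and length."""
    return length * math.log2(alphabet_size)


def guessable_entropy(candidate_count: int) -> float:
    """Bits of entropy in a truthful answer drawn from a small public pool of candidates."""
    return math.log2(candidate_count)


def build_vault(questions, length: int = 24) -> dict:
    """Stand-in for a password-manager entry: one independent random answer per question."""
    return {q: random_answer(length) for q in questions}


def verify(vault: dict, question: str, supplied: str) -> bool:
    """Check a supplied answer the way a careful reset endpoint would: constant-time compare."""
    expected = vault.get(question)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    vault = build_vault(QUESTIONS)
    for question, answer in vault.items():
        print(f"{question}\n    stored answer: {answer}")
    # A truthful answer from a pool of ~100 teams (assumed) versus a random one.
    print(f"truthful answer, ~100 candidates: {guessable_entropy(100):.1f} bits")
    print(f"random answer, 24 chars:          {entropy_bits(len(ALPHABET), 24):.1f} bits")
```

The point of the comparison is that a truthful “favourite football team” is one of maybe a hundred options and can be narrowed further from a public profile, while the generated answer has well over a hundred bits of entropy and cannot be researched at all. The cost is that you must store it somewhere (a password manager, or the envelope from the previous section), which is exactly the trade-off the post describes.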

Learning to fly

So… I have turned 40 (tbh I’m staring 43 straight in the face), and I guess it’s time to have a midlife crisis. Even though I have spent many years within the field of cyber security, I never seem to have had the time to dabble in the field of penetration testing (I have always left that to the “geeky young people…”). So now, in my midlife crisis, armed with Kali Linux, a Pineapple and a Rubber Ducky, I have decided to teach myself some pen testing to expand my horizon. I guess my current level would be Newbie script kiddie 🙂