Month: November 2012 (Page 1 of 2)

What’s so bad about Windows 8 Picture Password?

The jury is still out on Windows 8.

I mean, from what I see in countless YouTube videos out there, there are those who like it, and those who wish it would completely die a slow and horrible death. On the whole, almost everyone agrees there would be a learning curve involved, even for experienced users. For those like my dad, who is still mastering the art of mouse usage, using Windows 8 would be as easy to understand as interpreting Mesopotamian hieroglyphs.

However, there is an interesting feature in Windows 8 called the Picture Password. You can google it and see how it works. Basically, you choose a picture then do a sequence of gestures on it as your password. Gestures are limited to circles, lines and taps. Taps means what it is. Tap. So if I had my dog’s picture there, I could draw glasses on him, put a smiley on his snout and tap his cute little nose.

Obviously, in IT security circles it has been bashed to bits. The inventor of the RSA SecurID token, Kenneth Weiss, took the concept into centre court and smashed it into tiny bits with a sledgehammer. And then ran a lawn mower over it. Before feeding it to a pool filled with piranhas.

To be honest, I thought it was a wee bit over-reactive from a guy who didn’t have a great track record himself of late. I mean, it wasn’t cool. You are obviously a genius, Kenneth. To label Windows’ attempt at authentication a “Fisher-Price toy” is like me looking at my son’s attempt at writing his name and smacking him on the head because he can’t write in a straight line. My son is 5 months old. It’s unwarranted, and in some ways makes him look like a petty old man who knows his time in this world is over and can’t stand the sight of new, and obviously inferior, ideas overtaking his.

First off, is the picture password revolutionary? Of course not. Android has already adopted gestures as authentication, and probably the pilgrims did it as a way of communicating with the natives when they landed on Plymouth Rock in 1620. Is it secure? Of course not. No more than typed passwords are. Is it fun and interesting? That depends. Microsoft is hoping it is.

You see, this was never meant to take over secure authentication. It’s just a means to get to your desktop. Yes, you can definitely see the gestures from far away, or through whatever ‘smudges’ are left behind, taking into account that most computer users probably eat fried calamari and then proceed to touch their screens. Or that it’s so guessable that most people would draw spectacles, a smiley face, a beard or a moustache on a picture anyway. But so what? Is it anything better or worse than having a password like ‘password123’ or ‘iloveyou’ or ‘Jesus’? It doesn’t detract or add anything to what we are already doing, except that using gestures is a whole lot more organic than typing on a keyboard.

The only plus point is that Microsoft seems to understand that the future of human-computer interaction lies in these organic movements. In 5 years, the use of mouse and keyboard will be replaced by gestures. In the future, interacting with computers will not be limited to screens or physical hardware, but will probably happen through holograms placed all across the home, with all smart devices interacting with each other. This is a future reality, and Microsoft seems to be gearing up for it. Whether they succeed or not, that’s another question. The competitive landscape has changed a lot since the days when Microsoft was the king of the playground and smashed kids like Netscape into smithereens. There are still a few more years before we know if Microsoft rightfully belongs in this new landscape of Google, Facebook, Apple or Angry Birds.

Until then, while they might be a tech giant, Microsoft is a runt in the new tech landscape, where consumer coolness is key and Apple is still the benchmark. So let’s give them an A for effort, although the idea is pretty stale.

And as for the Father of RSA SecurID, don’t punch the new kid in the face for having a nice looking cover over the same old school bag that everyone is using. Give the guys at Redmond a chance and they might spring a surprise for us consumers.

And I don’t mean a bad surprise like their Blue Screen of Death.



Stopping Insider Scans

I’ll admit it. I’ve knocked on doors before, while sitting at Starbucks.

“Knocking on doors” here means running port scanners like Nmap, or vulnerability scanners like Nessus or Nexpose, to see if that guy in the suit across the room is using a laptop that’s vulnerable to exploits. I was much younger then. WiFi had just been introduced, and to a guy born with a curious mind like mine, this was exciting stuff. I wasn’t a hacker or cracker by any means, nor did I dwell too much on writing malicious scripts; it was just curiosity that got me going.

I did find myself on the good side of the law soon after, running DHL’s global security group in Asia, where I faced monumental challenges like random denial of service and naughty scans from external sources.

However, it is usually the insiders that do us in.

I’m sure you’ve heard it before: a secured perimeter is only as strong as its weakest link. And the weakest link is usually inside. A disgruntled employee. A corporate spy. A curious, idle employee with too much time on his hands, reading too many Network Security Online articles. Whatever the case, every company will have its day in the sun. It’s just a matter of when.

For instance, we ran our penetration testing services for a network. We usually don’t have too many issues in the scanning phase, where we enumerate services and probe a little for vulnerabilities. Our standard process was to inform our client when we were running exploits. One thing we’ve learnt in almost every project we’ve done:

Not everything goes according to plan.

It was an internal penetration test, but as agreed we weren’t given many details on the network or servers, and we ran scans against several IPs at once. Soon, the client’s technical team came back to inform us that their servers were not doing too well, and one of the virtual servers running HA had rebooted. We immediately stopped the scans and realised that the IPs given were all running on VMs. Nessus and VMs do not play nice. Do a search on Nessus and VMs and pick your poison.

Thankfully, nothing serious occurred, which shows us again how important it is to have people ready and on standby, especially during a pentest, and to follow set procedures and standards. We continued the pentest exercise with greater care, taking into account the problems between Nessus and VMs, and using alternative scanners.

Which shows how simple it is for someone to DoS (Denial of Service) a network with just a vanilla Nessus running. What can a company do about it?

Well, there are several options:

1) IPS/IDS (Intrusion Prevention/Detection System). These babies usually run at the network choke points and work wonders to detect scans and stop them, among other things. We used to run TippingPoint a lot in my previous companies. The problem here is that for a flat network, how do we want to run this? The servers need to be segregated into their own server segment, with an IPS laid out in front of that network point. In a flat network where everything is plugged into a single IP address space, it can still be done, I suppose, but it’s probably not the best way.

2) HIPS/HIDS (Host IPS/IDS). It’s like a minigun compared to a Gatling gun. It runs on critical servers and works in about the same way, except that the network interface gets hit before the intrusion prevention service kicks in. It’s pretty effective, and we ran a lot of Symantec previously.

3) If those don’t do the trick, then we could probably secure every endpoint. If we want to stop internal attacks, the best way is to properly guard your assets. Control all your laptops through proper asset management, with no administrative capability to install Nessus, and run an asset scan to ensure nothing naughty has somehow been installed by enterprising employees. You might want to control or choke off the USB ports as well.

4) Finally, set corporate policies. Many companies fail to do this and we don’t know why. Document what will happen if activities like scanning are carried out. Make sure employees understand their obligations to the company and sign acceptable use policies before giving them corporate-owned assets, bought with corporate-owned money. Sometimes a little awareness works better at prevention.

There are probably other ways I’ve missed, but generally this is how we’d deal with idle employees with too much time on their hands scanning our network. That, and putting them on a cold-storage project to wash out their curiosity, maybe.
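As an added example (not code from the post), the scan signature an IPS/IDS in option 1 keys on can be approximated from plain connection logs: a source that opens connections to many distinct ports on one host, or to many hosts, inside a short window is what a vanilla Nessus or Nmap run leaves behind. The log lines, the window and the thresholds below are constructed assumptions for the demo.

```python
"""Spot Nmap/Nessus-style scans in connection logs (added example, not code from
the post). A source that touches many distinct ports on one host, or many hosts,
inside a short window is reported. Input records are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample 'timestamp src dst dport' lines: ordinary web/SMB traffic
    from 10.0.5.40, then a 25-port sweep of 10.0.10.4 from 10.0.5.23 in ~3 seconds."""
    lines = ["2012-11-05T09:00:%02d 10.0.5.40 10.0.10.4 %d" % (s, p)
             for s, p in ((0, 80), (5, 443), (9, 80), (30, 445))]
    lines += ["2012-11-05T09:01:%02d 10.0.5.23 10.0.10.4 %d" % (i // 10, p)
              for i, p in enumerate(range(1, 26))]
    return "\n".join(lines)

def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def detect_scanners(flows, window=timedelta(seconds=60),
                    port_threshold=15, host_threshold=8):
    """Return {src: reason} for each source whose traffic inside some window
    (starting at one of its own events) crosses a threshold. Thresholds are
    assumptions for the demo, not a product default."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst, port))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            ports_per_host = defaultdict(set)      # dst -> distinct ports hit
            for ts, dst, port in events[i:]:
                if ts - start > window:
                    break
                ports_per_host[dst].add(port)
            busiest = max(len(ports) for ports in ports_per_host.values())
            if len(ports_per_host) >= host_threshold:
                findings[src] = "%d hosts in %ds" % (len(ports_per_host), window.seconds)
                break
            if busiest >= port_threshold:
                findings[src] = "%d ports on one host in %ds" % (busiest, window.seconds)
                break
    return findings

if __name__ == "__main__":
    for src, why in detect_scanners(parse_flows(build_sample_log())).items():
        print("possible scan from %s: %s" % (src, why))
```

The benign host stays under both thresholds while the sweeping host is reported; raising the port threshold above the number of ports swept makes the finding disappear, which is the tuning trade-off any IPS/IDS deployment faces.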

The Single Point of Failure

As technology becomes more and more advanced, we’re seeing amazing progress in the security field. Companies spend millions to keep the bad guys out. We have IPS/IDS, NACs, AVs, FWs, AAA, TACACS, ADS, IAM, SIEM and more acronyms than a typical teenager’s vocabulary. Security budgets consistently span 10-15% of organisation budgets, and according to the greatest oracle of all, Gartner:

“While the global economic slowdown has been putting pressure on IT budgets, security is expected to remain a priority through 2016, according to Gartner, Inc. Worldwide spending on security is expected to rise to $60 billion in 2012, up 8.4 percent from $55 billion in 2011. Gartner expects this trajectory to continue, reaching $86 billion in 2016.”

So this year, we’re seeing IT security spending equal to the GDP of Cuba. Yup, Cuba. Where Havana cigars come from and Che Guevara became famous. It sounds like a lot of money. And it will get higher. As long as more automation is done. As long as more technology is needed. As long as more day-to-day banking is needed. As long as human beings are lazier and want more things faster. Information technology will continue to grow, and along with it, all the wonderfully naughty activities that invariably accompany such growth.

While millions are spent on equipment, many of us neglect one of the most basic problems of all.

Passwords don’t work.

That’s because humans are invariably lazy. Or we would rather remember the phone number of that girl we met at the bar, or the pizza takeout, than bother remembering our 12-character, alphanumeric, lower case, upper case, special character password that must not resemble an English word or name, must not be the same as the last 12 passwords you’ve had, and is recycled every month. And yeah, it also can’t be your name, your family name, your dog’s name or the nickname you gave your car. Or your bike. Or your computer, for us geeks.

It’s a broken feature. This article is both hilarious and scary. Like a Korean horror movie.

Since biometric tech like fingerprint and face scanning is too expensive at the moment, passwords are still the de facto security problem many of us face. You can’t impose overly complicated passwords on your users or your IT service desk will be flooded with “I forgot my password” tickets. Or you will have to run a “Reset your password” routine every single day. But having no password policy is also asking for it. Users will tend to use ‘password’ as their password, which if you think about it, is absolutely genius if no one knows about it. It’s like doing the most stupidly obvious thing, so that your enemy would not believe you’d be stupid enough to do it. Except now it’s a known and accepted stupidity, like lemmings falling off a cliff.

Password123, p@ssw0rd (or any other variant of that), password1, password2012 etc. all have the same funky, useless theme: we are lazy creatures. The list has some interesting ones, like abc123 (who has never used that before?) and, interestingly, Jesus, which is new. I mean, is that because lots of IT users are Christians, or because that would be the first word that comes out of people’s lips when they think “Now what on earth is my password already???!”

Since passwords will not leave us in the near future, the best way to use a password is to make it simple, specific, and known only to you. For instance, if you met your wife at Cicero’s in June 1986, your password could be c1cer0s1986_J. Or something. Craft something that, when you see that word, you can immediately associate with a memory you have. Or if you paraglided down Mount Mutombo in Venezuela with a guy called Hokey who then proceeded to almost kill you because you are a secret agent: Mut0mb0V3n_Hok3y_Di3! I don’t know. You get the idea.
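As an added example (not code from the post), a password check that treats p@ssw0rd, Password123 and password2012 as the same word ‘password’ before comparing it with a blocklist, while letting the memory-based style above through. The blocklist, the substitution table and the 8-character minimum are assumptions for the demo.

```python
"""Catch the 'same old theme' passwords the post lists in all their disguises
(added example, not code from the post). Trailing punctuation, a year or a short
counter is stripped and common letter-for-symbol swaps are undone before the
result is compared with a blocklist. The blocklist, the swap table and the
8-character minimum are assumptions for the demo; a real deployment would check
against a large breached-password list instead."""
import re

# Assumed swap table: symbol or digit -> the letter it usually stands in for
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed blocklist built from the words the post mentions
BLOCKLIST = {"password", "iloveyou", "jesus", "abc123"}

def candidate_forms(password):
    """Return the forms checked against the blocklist: lower-cased, with trailing
    punctuation and a year or counter removed, and with swaps undone.
    Password2012! -> password, p@ssw0rd1 -> password."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z0-9]+$", "", lower)                 # trailing punctuation
    stripped = re.sub(r"((19|20)\d{2}|\d{1,4})$", "", stripped)  # trailing year/counter
    return {lower, stripped, stripped.translate(LEET)}

def is_weak(password, blocklist=BLOCKLIST, min_length=8):
    """Return the reason the password is weak, or None if it passes both checks."""
    hits = candidate_forms(password) & blocklist
    if hits:
        return "variant of blocklisted word '%s'" % sorted(hits)[0]
    if len(password) < min_length:
        return "shorter than %d characters" % min_length
    return None

if __name__ == "__main__":
    for pw in ["Password123", "p@ssw0rd", "password2012", "Jesus", "abc123",
               "c1cer0s1986_J", "Mut0mb0V3n_Hok3y_Di3!"]:
        print("%-22s %s" % (pw, is_weak(pw) or "ok"))
```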

So put away the normal passwords, and more importantly don’t ever, ever use yellow sticky notes on your cubicle, monitor, desk, pedestal, under your keyboard or under your chair. Please.

Convergence of the entire world with Tech

We’ve been talking about it for years and years. When I first started out as a young, hippie programmer with long hair and bad breath, toiling in the underworld of Siemens, working on their WAP (Wireless Application Protocol) projects, I first came across the word convergence. There I was, fresh out of high school, on a salary so small that I wasn’t even in the tax bracket and they paid me monthly by cheque, where after everything was paid for (my small car, and food), I had about RM100 to spend on fun each month. The word convergence was thrown around like burgers in a high school food fight.

Of course, we all know what happened to WAP. It evaporated. But it’s still the grandfather of many of the technologies we take for granted today. EDGE, 3G, 4G etc. all got their start from the wonderful WAP speed of 14.4 kbps, much like how today’s gigaspeed lines stemmed from the noisy Motorola modem running at 14.4 on the internet when I first came to know of it.

Convergence is basically the coming together of different technologies. Telephony, voice, data, video etc. These have basically all converged now in our smartphones. Smart TVs that can browse the internet and videoconference your friends. Phones that let you operate your gate and send a message to your video recorder to record the Liverpool match. Computers that double up as coffee-holders… which has been the case since the beginning of time.

And now, we see another area of convergence with tech: the entertainment world. The recent news of Will.I.Am, the front man of the Black Eyed Peas (remember their hit, Where is the Love?), who is now Intel’s Director of Innovation, gives credence to the movement that we’ve known all along: technology will blanket entire industries, including the entertainment and music world.

Many of course are bewildered.

According to Intel:

“In his unique role, will.i.am will collaborate with Intel on many creative and technology endeavors across the “compute continuum” that may include such devices as laptops, smart phones and tablets. Complementing his visionary role as the front man for The Black Eyed Peas, will.i.am is also already working on music expressly for Intel.”

The bewilderment stems from the fact that Intel makes chips. Not potato chips. As in computer chips. If he fronted a consumer product, it would make sense. But a chip? What are they going to do, have a “Will.I.Am Inside” logo?

Intel knows their number is on the board. If they keep doing what they do, they will go down the path of Lucent, TI and some of the other big boys that became not so big. Intel makes chips, but their recent foray into mobile computing with their ultrabooks wasn’t a smash hit, and that is possibly why they had to let their CEO go. But it makes sense. For Intel’s survival, they will need to move up the food chain and start controlling more of the hardware/software line, and possibly even come out with their own brand of consumer products. That, or start shoring up for battle with guys like ARM, Qualcomm and the mobile chip players. It will likely be the former, and that’s where a guy like Will.I.Am plays a role. He will be like a vehicle to transport Intel from chip giant to snazzy new tech company.

Now, time for me to get a “Will.I.Am Inside” Ultrabook!

The Trouble With Convenience

It’s probably not the best time to be working in a bank.

Especially if you’re in Europe or the US.

Number 1, the global layoffs occurring, with HSBC announcing 30,000 job cuts in 2013. 30,000. That’s roughly 10% of its workforce. This is mainly due to operations streamlining and, of course, cost cutting. Which actually isn’t bad news for our region, since we’re considered the back end of the world, and possibly one analyst’s pay in the US is equivalent to our CIO’s take-home income. That’s just a wild, ignorant and completely ungrounded guess.

Number 2, more than ever, banks will be targeted by hackers, crackers and everything in between. Of course, with internet banking on the rise, and the fact that passwords are absolutely worthless these days, it only takes a very focused and somewhat skilled individual to exploit money away from other people. Even if they don’t, they can still cause mischief by laying down DoS (Denial of Service) attacks on the target. We can’t really avoid it if we use internet banking. That’s the trouble with convenience. It gets exploited.

Again, HSBC, which seems to have fallen from one of the world’s best and most beloved banks to one that is constantly being targeted by various groups. In October, the first wave of DoS hit them and took out their UK site and many others. On November 4th, similar attacks took out the UK site again, and it was reported: “As of yet, HSBC doesn’t know what’s causing the failure, though the spokesperson said it was likely to be something affecting the ‘servers or mainframe’.”

Hacktivists have taken credit for the HSBC downtime, but whoever it was, it was certainly disruptive to the business.

Could the bank have done anything to avoid this?

They probably could have made it harder. But DDoS is one of the most annoying things ever invented for an operational guy. And I would know. I ran the global DHL network and DDoS was on our menu. Every day.

One of the things we did for our global website was run it on Akamai’s service, which alleviated the risk somewhat. But then, even Akamai gets hit, so I suppose no one is safe. Until someone claims to have a foolproof solution, I guess it’s something we all have to live with.

Just make sure you have a backup and IT continuity plan ready.


© 2020 PKF AvantEdge
