
Archive for the ‘Access Control Systems & Methodology’ Category

constellation energy called out in book

Friday, January 7th, 2011

I recently picked up “Securing the Smart Grid”. In it they call out power companies for having a low level of infosec awareness when it comes to web apps, and have a few redacted examples to prove it. One of them is a screenshot of a login form that’s available over http, and also includes a message to the users that they may get a security warning but should just acknowledge the message and move on. I was aghast. I was also intrigued, and with a little help from google, I was able to locate this login form in about 2 minutes. (I simply googled the warning message at the bottom). The offending company is constellation energy, and the login form is here. I gotta say, if there was an award for ‘worst security practice of the year’, this might be a candidate.

Update: After I made this post, I found Constellation’s twitter feed and sent them a note. As of Monday morning at 8:30, the page is now returning a “Service Unavailable” message. If you’re morbidly curious, the google cache of the page can be seen (at least for a little while). For the record the form was not only accessible over http, but the form action was submitted over http as well. The warning message that was at the bottom of their page read as follows:

Note:   After submitting this form, you MAY see a warning message about redirecting to an unsecure document. Please acknowledge the message and proceed.

I also noticed that the notice at the bottom of the page says “Rev April 2002”, which may explain a thing or two about why it was designed the way it was designed. (I also noticed a few other poor security practices in that login form, but there’s really no need to beat a dead horse). Kudos to CEG for responding so quickly.

If anyone from CEG is reading this, you may be interested in my next post, which I hope to make in a day or two.

even length passwords

Tuesday, December 14th, 2010

Gawker was recently hacked and a huge number of passwords revealed. I’ll leave the repetitive and vapid comments about how weak everyone’s passwords were to others. Instead I’ll note something interesting. When looking at numeric passwords, those with an even number of digits were far more common than those with an odd number of digits. For example, 123456 and 12345678 were both more common than 12345 and 1234567. Other common numeric passwords were 111111, 666666, 1234, 123123, and 654321, all of which have an even number of digits. I commented on this once before in the context of voicemail passwords, but unfortunately I’m still no closer to a guess as to why this should be the case, although I suspect something innate to the way humans remember things. Does the human brain find it easier to remember a string of numbers in pairs? Do people just like even numbers more? Are there any psychologists who want to do some research on this?

compromised credentials

Friday, September 3rd, 2010

Speaking of passwords….

In the last few weeks there have been a few stories about criminals using stolen credentials to steal large amounts of money from unsuspecting victims. The Zeus botnet stole about a million dollars from UK banks. Criminals stole a million dollars from UVA, and the Diocese of Des Moines had 600K stolen. All of these followed a similar pattern – criminals used stolen credentials to move money to other bank accounts. I’m reminded of the 2010 Verizon Data Breach Investigations Report (if you haven’t read it, please do). One of the recommendations was to limit the amount of damage that can be caused by compromised credentials. If these banks had been following that advice, their customers might not now be out millions of dollars. If they had implemented any sort of program to look for fraud indicators, they likely would have avoided this whole mess. I know of many banks that have such a program in place, and let’s just say that I haven’t seen any of them show up in the news lately.

reasons why I hate passwords, part 1 of many

Wednesday, September 1st, 2010

There are a lot of reasons to hate passwords as an authentication mechanism – users hate them, they are easy to guess or brute force, there is overhead involved in maintaining the system when credentials are forgotten or lost, overhead due to locked-out users, over-reliance on a single factor of authentication, etc., etc. All of it comes down, though, to one central theme: using passwords puts the responsibility for security on the users and not the security folk, and this is a huge mistake. Users are not trained security professionals, and they can’t be expected to be. It is simply unreasonable to expect users to create unique strong passwords for everything they access, remember them, not write them down, and never forget them. They have other things to do, and security is just not one of them. I don’t want my employees to be the primary line of defense for IT systems I’m responsible for – I want qualified security personnel. If you use passwords for authentication, then that’s essentially what you’re doing. This is the root cause of all the other problems with passwords.

voicemail passwords

Sunday, August 15th, 2010

In the latest issue of 2600 is an article on voicemail passwords. Because of its source it’ll be largely ignored by the mainstream, which is a shame because it actually has some good data. The author had access to a system with 40,000 voicemail passwords which were stored in plaintext and did some analysis on them. I always like having access to real data, especially when it so nicely demonstrates how people actually use security. In this sample, there were no complexity restrictions placed, although passwords had to be between 3 and 10 characters, and were obviously numeric. Some interesting facts:

  • The top 17 or so passwords accounted for about 25% of all passwords in use. That means you could crack one out of every four passwords in 17 guesses.
  • The most common password (accounting for 9.4% of the passwords in use) was the extension itself.
  • Shorter passwords were greatly preferred over longer ones. (This shouldn’t shock anyone).

The most interesting thing though, was the distribution of passwords by length, which I’ve reproduced below:

password length   occurrences
              4         22858
              3         10340
              6          3164
              5          2155
              7           904
              8           521
             10           202
              9           166

So, even though shorter passwords are more common, passwords of an even length are more common than the odd length which immediately precedes them. (The one exception is 7-8, where 7 is more common, perhaps because people use a 7 digit phone number as a password). The main question on my mind of course is why – does the human brain find it easier to remember a string of numbers in pairs? Do people just like even numbers more?
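The audit a defender would run over a numeric password dump to reproduce the statistics in this post and the Gawker observation above (how many guesses cover a quarter of the accounts, the length distribution, the even-versus-preceding-odd comparison, and how often the extension is the password), as an added example that is not code from the original post. The sample dump is constructed; only TABLE_2600 is copied from the table above.

```python
# Added example (not from the original post): the audit a defender would run over
# a numeric password dump to reproduce the statistics above. The sample dump is
# constructed; only TABLE_2600 is copied from the table in the post.
from collections import Counter

def guesses_for_coverage(passwords, target=0.25):
    """Fewest most-common-first guesses that open at least `target` of the
    accounts; returns (guess_count, fraction_covered)."""
    covered, total = 0, len(passwords)
    for i, (_, n) in enumerate(Counter(passwords).most_common(), start=1):
        covered += n
        if covered / total >= target:
            return i, covered / total
    return len(set(passwords)), 1.0

def length_distribution(passwords):
    """Password length -> occurrences, the shape of the table in the post."""
    return Counter(len(p) for p in passwords)

def even_vs_preceding_odd(dist):
    """For each even length L whose odd neighbour L-1 is in `dist`, return
    L -> (count_L, count_L-1, whether the even length is the more common)."""
    return {L: (dist[L], dist[L - 1], dist[L] > dist[L - 1])
            for L in sorted(dist) if L % 2 == 0 and (L - 1) in dist}

def extension_as_password_rate(records):
    """Share of (extension, password) pairs where the password is the extension."""
    return sum(1 for ext, pw in records if ext == pw) / len(records)

TABLE_2600 = {4: 22858, 3: 10340, 6: 3164, 5: 2155, 7: 904, 8: 521, 10: 202, 9: 166}

# Constructed sample of (extension, password) pairs, skewed the way real dumps are.
SAMPLE = ([("1001", "1001")] * 10 + [("1002", "1234")] * 8 + [("1003", "0000")] * 7
          + [("1004", "123456")] * 5 + [("1005", "12345")] * 3 + [("1006", "2580")] * 4
          + [("1007", "111")] * 6 + [("1008", "7654321")] * 2
          + [("1009", "98765432")] * 3 + [("1010", "5551234")] * 2)
PASSWORDS = [pw for _, pw in SAMPLE]

if __name__ == "__main__":
    dist = length_distribution(PASSWORDS)
    print("guesses to open 25% of the sample:", guesses_for_coverage(PASSWORDS))
    print("sample length distribution:", dict(dist))
    print("sample even vs preceding odd:", even_vs_preceding_odd(dist))
    print("2600 table even vs preceding odd:", even_vs_preceding_odd(TABLE_2600))
    print("sample password == extension:", extension_as_password_rate(SAMPLE))
```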

the real problem with passwords

Friday, May 14th, 2010

Lest this blog turn into nothing more than a source of announcements, I figured I’d post something that has been eating me up for ages. Anyone who knows me knows that I hate passwords with a passion. They’re easy to break, easy to social engineer, and provide a false sense of security. People trade them for candy bars, reuse them, and don’t pick ones that are hard to guess. As soon as they become hard to guess, they also become hard to remember, leading to lots of helpdesk calls for password resets. All of these (and other) issues stem from one single root cause – passwords move the security role from the IT security department to the end users. We IT security people are constantly trying to make new rules for the end users to make sure they protect their passwords, but the problem is that while all these rules make sense to us, the end users are not IT security experts. They don’t have the background, experience, know-how, etc. Expecting the end users to manage security of a system they don’t even understand is a huge mistake. And yet, for some reason, that’s what we do when we use passwords as the single factor needed to access sensitive data.

Windows 7 firewall and IPv6

Thursday, March 11th, 2010

Another random Windows 7 fact I learned today – if you disable the Windows 7 firewall, it will also disable IPv6 and Service Hardening. Microsoft’s logic appears to be simply that if a system doesn’t have the Windows firewall enabled, then it should be treated as an insecure machine and not trusted to connect with an IPv6 IPsec tunnel. The obvious flaw in this logic is that many enterprises use other firewalls, which Windows will not account for. Those people will then have to enable the Microsoft firewall and just put it into a completely accepting state if they want to use IPv6.

default password list

Thursday, January 14th, 2010

I was clearing out my bookmark file on an old machine this morning and stumbled across something I’d bookmarked and completely forgotten about – the best default password list I think I’ve ever seen. Also, it’s actually maintained! I just figured I’d share it.

Secure wireless

Thursday, December 3rd, 2009


[Photo: “Secure wireless”, originally uploaded by bachrach44]

I noticed this on the wall at a recent ISSA meeting. In addition to the obvious security issue I’m trying to bring attention to, there is a bonus security issue being illustrated here – you can see my reflection!

Windows 7 password policy

Tuesday, October 27th, 2009

I’ve been using Windows 7 fairly regularly on one of my machines for the past month or so. One thing I noticed is that the default password settings for Windows 7 include the fact that passwords expire after 42 days. Since most home users will never change their default settings, this setting will likely become a de facto standard. However, the default settings also have a password history of zero (no remembered passwords), and a minimum age of zero as well. This means that every home user, when prompted to change their password, will simply change it to the password they had initially, making this setting useless.

 