Interesting Security News – 08/29/08

Interesting security news for 08/29/08:

White House Imposes New Security Mandate for Federal Agencies (Washington Post) – All government agencies will be required to implement DNSSEC by January 2009.

Apple to fix hole in password-protected iPhones (Cnet) – Apple announces that it will release an update in September to fix a hole that allows users to bypass the unlock screen.

Dan Kaminsky Soundboard (0x000000.com) - Can’t get enough Dan Kaminsky, now have him talk to you all the time, any time.

MIT working on network vulnerability analysis (Slashdot) – Researchers at MIT are working on detecting exploitable vulnerabilites by graphing attacks in near real time.

How Secure Are Your Passwords?

Courtesy of Bart Hopper:

By now, most people know that you should have a complex password of at least 8 characters that are composed of upper case, lower case, numbers, punctuation marks and ,as Dilbert said, doodles, sign language and squirrel noises. Your password requirements are so secure that it would take a Beowulf cluster 10,000,000 years to crack. Your users know that if they write down their passwords on a post-it-note, they will be shot. Are your passwords secure?

The problem with a “good password” is that it is extremely difficult to remember. Passwords that are used daily can be easily remembered after a few days. Passwords that are used infrequently can be a point of vulnerability.

Unfortunately, password aging systems do not consider the frequency of use or the number of unsuccessful login attempts prior to a successful login. Sure, you can reset the error count before lockout after x number of minutes but, it treats all accounts equally. An attacker could come in “low and slow” by limiting password attempts to every 3 minutes.

If your password aging rules dictate that all passwords must be changed every 30 days, the password that is only used every two weeks will expire at the same interval as the password that is used 5 times per day. A better method for password aging systems would be to consider the number of times a password is used and maintain a counter of unsuccessful logins before a successful login in addition to a maximum password lifetime. How would this be an improvement?

If you have a complex password that is only used once every two weeks, you will probably need to write it down somewhere that is (hopefully) secure. If you don’t write it down, you may forget your password, requiring a password reset. Password resets are the unsung vulnerability in password management. Many organizations do not properly authenticate the person requesting a password reset, reset passwords to a default value, or send the new password to the user in an insecure method. Social engineering can often bypass the “authorized password requestor” list. Are your passwords really secure?

Episode 9 Streaming Notice!

We’ll be streaming live somewhere around 7 or 8pm EST on Wednesday, August 27th.  Get the URL on our irc at irc.freenode.net #securabit and enjoy the craziness.

Internet taxes, Pro RIAA, anti-encryption? Say hello to Obama’s VP

Politics is by no means our idea of entertainment when it comes to our blogs, however to see such a strong candidate pick a “technological bi-polar” candidate as the potential VP, it makes you wonder if McCain is already a winner.

Joe Biden was picked as Obama’s VP candidate if they are to take the White House this upcoming election. Apparently his views towards net neutrality, the RIAA, and anti-encryption are a little skewed over the past few years. I’m sure the EFF doesn’t think too highly of him either. Although he may have experience in foreign policy, how does that protect our rights here in the U.S. as he was a key player when it came to the Patriot Act amongst many other laws that passed through the Senate. Follow the links below to make your own assumption of our potential Vice President.

Yahoo News

Gizmodo write-up

Red Hat Linux servers compromised

As announced on a Fedora mailing list, some Fedora servers were illegally accessed and “a small number of OpenSSH packages” were singed by the intruder. The servers were taken offline quickly after the breach was discovered.

As a security precaution, Red Hat has changed the signing keys for Fedora, updated OpenSSH packages and also issued OpenSSH blacklist scripts that allow admins to check to see if any of the affected packages are installed on their systems.

If you are running any Fedora or Red Hat systems, you might want to check them out just to be safe.

Dan Kaminsky loves SecuraBit and you should too!

We tossed him a shirt while he was at the IOActive party just before we ventured up to the Core Impact party in Ceasars Palace.  Thanks for your support Dan!

Latest tools from Defcon 16

Thanks to Mubix for his posting on ZDNet, below you will find a link that describes all of the latest tools that were presented at Defcon 16.  Use them at your own discretion and make sure you have permission if using them on an enterprise network!  As Mubix has no control over the ZDnet posting, you can visit his site and keep up-to-date on the latest happenings.

Latest tools from DC16!

And if Jay Beale is reading this, we want Middler to come out!

Free online viewable magazines?!

We are going to approach this subject very lightly as I’m sure it’s clearly copyright infringement, however Lifehacker has a great post for a website called Mygazines. (which we won’t link to for legal purposes) Basically it’s a repository of scanned magazines encompassing just about anything and everything your heart desires, minus the pr0n. Click the link below to be redirected to Lifehacker’s site to read the full article and read free magazines if you so choose to ;)

Free Mags via Lifehacker!

Weird, I could of sworn I heard someone say free 2600 mags ;)

**By no means do we here at SecuraBit encourage engaging in unlawful activity however there are some free magazines on this site as well that could come in handy.

Air Force Cyber Command halted…?

So the Air Force, which prides themselves for being the most technical branch of all the armed forces, has decided to suspend its efforts on building their latest Cyber Command. Not sure if any of you recall the latest AF recruitment commercials geared around cyber security, but it would be safe to say that those will not be airing until the Air Force works out some kinks.

“The Secretary and Chief of Staff of the Air Force have considered delaying currently planned actions on Air Force Cyber Command to allow ample time for a comprehensive assessment of all AFCYBER requirements and to synchronize the AFCYBER mission with other key Air Force initiatives,” the service said in a statement released Thursday.

Makes you wonder why ample time wasn’t dedicated in the first place for a “comprehensive assessment.”

Read the full article here compliments of Security Focus.

SecuraBit Episode 8

On this Episode of SecuraBit available here!

Back from three week hiatus!

Defcon and BlackHat

Notable Defcon Parties Jay and Chris attended:

Core Impact
EthicalHacker.net
Cisco
Isight
I-hacked
StillSecure and IOActive Freakshow

Special thanks to all that allowed us to drink for free ;) Hopefully you got a cool Securabit T-shirt out of it!

ChicagoCon: Boot Camps: Oct 27 – 31 Conference: Oct 31 – Nov 1

Defcon Badges

Ran out of Badges on first day!
TV-B-Gone built into the badges
Surbo from I-Hacked hacks the badges

Podcasters Meetup

Documentary: Hackers are People Too

BREAK
(Read More…)