Jan 17

No, you don’t need to close your LastPass account…

By alberg. Categories: authentication, hacks, privacy, risk, useful stuff

[Image caption: Your passwords…]

Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager.  He demonstrated a way that an attacker could send a user a phishing email, redirecting them to a specially crafted web page which logged them out of LastPass and presented a “pixel perfect” copy of the LastPass login screen, where the user could then enter their user name, master password and two-factor authentication code.  This information would be sent to the attacker, who would then have access to all of the user’s passwords.

Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker to force the user to log out of the password manager.  This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
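To make the CSRF point concrete, here is an added example (not LastPass code, and not from the original post) of a logout endpoint in the shape that can be triggered from another origin, beside a hardened version that only acts on a same-origin POST carrying a per-session CSRF token. The session store, the origin `https://vault.example` and the request dictionaries are all assumed or constructed for the demonstration.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: dict = {}
SITE_ORIGIN = "https://vault.example"  # assumed origin of the web app


def login(user: str) -> str:
    """Create a session plus a per-session CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def logout_vulnerable(request: dict) -> int:
    """'Before': any request that carries the session cookie ends the session, so a
    page on another origin can log the user out just by making the browser hit this."""
    SESSIONS.pop(request["cookies"].get("sid"), None)
    return 200


def logout_hardened(request: dict) -> int:
    """'After': state changes only on a POST from our own origin that carries the
    session's CSRF token, compared in constant time."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    if request["method"] != "POST":
        return 405
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(request["form"].get("csrf", ""), sess["csrf"]):
        return 403
    SESSIONS.pop(request["cookies"]["sid"])
    return 200


def cross_site_request(sid: str) -> dict:
    """Constructed sample: a request forged from another origin as the server sees it.
    The browser attaches the cookie, but the other origin cannot read the CSRF token."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {"Origin": "https://other-origin.example"}, "form": {}}


def same_site_request(sid: str) -> dict:
    """Constructed sample: the legitimate logout form submitted from our own page."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {"Origin": SITE_ORIGIN}, "form": {"csrf": SESSIONS[sid]["csrf"]}}
```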

I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, Dashlane, KeePass and the like are great solutions for protecting your online accounts.  In my opinion, the extra security you achieve by having unique, long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.

One of the debates around LastPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud, to allow them to be shared amongst devices and browsers, presents too much of a security risk.  Many people prefer to use offline password managers like KeePass which store the encrypted passwords locally.  I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or Dashlane makes it more likely that they will use long, strong, unique passwords for all sites.  In particular, the ability to use these programs with both mobile and desktop devices is important – non-synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.

I did take this opportunity, however, to look at one of LastPass’ main competitors, Dashlane, and was quite impressed with it from an ease of use point of view.  It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use.  Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag).  Dashlane seems to be easier to configure for the non-technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code.  Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access.  I was able to import my LastPass data into Dashlane really easily and they provide a 30 day trial of their premium features, which I am currently taking advantage of.  I’ll let you know how it goes.

To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes.   However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion.  Password managers are still a great security solution.


Jan 02

Great DerbyCon talk on hunting for the bad guys

By alberg. Categories: best practices, CSO, malware, useful stuff

[Image caption: Wabbits or bad guys, all the same to me]

It sometimes seems to me that a lack of data is not the issue when patrolling your networks for signs of evil badness… it is quite the opposite – operating systems, security logs and other sources are drowning us in data which we don’t leverage.  This talk from DerbyCon 2015, “Intrusion Hunting for the Masses – A Practical Guide”, really opened my eyes to a number of ways to leverage data that we already have to look for signs of sophisticated intrusions early in the kill chain.  If you manage infosec for your organization or are in the bad guy hunting business, I highly recommend this information- and idea-packed 45 minute talk by Dave Sharpe (@sharpesecurity).  I love stuff like this – you don’t have to make huge investments in new hardware or software to do this kind of analysis and the potential payoffs are pretty big.  Best con talk I have watched in a long time.



Nov 23

quick and dirty malware analysis

By alberg. Categories: best practices, hacks, malware, useful stuff

There are a number of web-based tools that allow you to safely analyze the behavior of potentially malicious files.  My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment.  Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs.  This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs.  For those with some more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.

I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier.  MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non-security-focused folks.

It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine.  If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection.   So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.



Apr 30

galaxy s5 fingerprint authentication and lastpass

By alberg. Categories: authentication, deep thoughts, online security, risk, useful stuff

Interesting blog post from Graham Cluley on LastPass’ support for using the Galaxy S5’s fingerprint reader as the key to your password vault.  Since the S5’s fingerprint reader has been shown to be vulnerable to low sophistication fake fingerprint attacks, he wonders whether this (admittedly) very convenient feature is worth the risk.  As a LastPass user, I don’t think I would base the security of the keys to my entire digital life on this particular piece of hardware.  However, this does raise the question – does the low but non-zero risk of someone getting hold of your phone and fingerprint exceed the risk of using the same damn password on every site you visit?  LastPass also offers a mitigation for this scenario – it is possible to specify which mobile devices are permitted to access your account.  If your phone is lost or stolen, it is possible to revoke that permission (if you notice the loss or theft quickly enough).  This is a risk calculation that users will have to make for themselves.

Jul 20

more (and better) social media guidance from the nlrb

By alberg. Categories: best practices, CSO, law, useful stuff

A while back, I wrote about how US organizations writing social media policies need to beware of the National Labor Relations Board’s requirements that these policies not interfere with the rights of employees to discuss their working conditions or organize unions.  At the time of my original post, the NLRB had released a guidance document which raised more questions than it answered.  Since then, they have released additional guidance which includes a number of examples of bad policies and explains the specific problems with each.  More importantly, it includes a sample policy which is in compliance with NLRB rules and which can be used as a guide in writing (or updating) your company’s social media policy.  It is really worth taking a look at this document – many things that any normal, reasonable infosec professional would expect to be acceptable (i.e. “don’t post confidential information to social media sites”) are not.

May 15

sec breach reporting requirements for publicly traded companies

By alberg. Categories: best practices, CSO, hacks, law, useful stuff

If you are an information professional at a publicly traded company, I would strongly suggest reading a recent blog post by Richard Bejtlich about the SEC’s requirements for the disclosure of cybersecurity breaches.  Bejtlich points out that the ramifications of these requirements go well past getting into hot water with the regulators – they also raise other risks, such as whistleblowing by employees or third parties as well as the potential for shareholder lawsuits when companies do not take the proper steps to secure information (or are perceived as not doing so).  Having a conversation about this issue with your General Counsel before an incident occurs makes a lot of sense.  All this being said, kudos to the SEC for recognizing the role of cybersecurity in good corporate governance.

Jan 27

doing the shmoo

By alberg. Categories: my travels, useful stuff

Greetings from Washington, DC – the home of corrupt politicians, sleazy lobbyists, democracy destroying SuperPACs and Moby Dick House of Kebab.  I’m here to attend ShmooCon, which is (IMHO) one of the better security cons out there.  I’ll be blogging about what I learn over the next few days, so stay tuned for some cutting edge security goodness.  Interested in anything specific on the schedule?  Drop me a line at al@al-berg.com or DM me at @alberg on the Twitter.

Dec 31

this hash can give your servers indigestion

By alberg. Categories: hacks, useful stuff

[Image caption: Doesn't that look tasty...]

When Microsoft comes out with an out-of-cycle security advisory (and during a holiday week, no less), you know something big is up.  This week’s bulletin highlights a denial of service attack and two privilege escalation vulnerabilities that affect web sites built on top of ASP.NET.  The most serious privilege escalation vulnerability could allow an attacker to execute commands on a system by sending specially crafted web requests.

The denial of service issue is related to a flaw in the way that ASP.NET (as well as PHP, Ruby and Java) handles the hash tables which are used to pass information from user web inputs to the web server.  By sending specially crafted requests to vulnerable web servers, it is possible to tie up all of their CPU resources and make them unavailable to legitimate users.  This attack was revealed at this past week’s Chaos Communications Congress in Berlin – you can watch the presentation here.

There is a very good technical description of the DoS problem and attack here.

The DoS flaw is also present in PHP, Python, some Java web frameworks, and Ruby.  Apache Tomcat 7.0.23 contains a workaround fix which limits the number of parameters accepted in a POST request.  PHP version 5.4.0 will include a workaround fix for this problem, but is not yet ready for production use.  Ruby versions 1.9 and higher have a fix which solves the problem by randomizing the hash tables.
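Added example (not from the original post, and not the hash function of any of the frameworks named) showing why the two workarounds above help: a toy unkeyed hash that lets a whole batch of constructed parameter names land in one bucket, the same batch spread out by a keyed hash with a per-process random seed (the idea behind Ruby 1.9's change), and a form parser with the kind of parameter cap Tomcat 7.0.23 added. The byte-sum hash, the `SEED`, and the anagram keys are all assumptions made for the demonstration.

```python
import hashlib
import os
from collections import Counter
from itertools import permutations


def weak_hash(key: bytes) -> int:
    """Toy unkeyed hash: the sum of the byte values. Any anagram of a key collides."""
    return sum(key)


SEED = os.urandom(16)  # per-process secret; inputs cannot be chosen to collide without it


def keyed_hash(key: bytes, seed: bytes = SEED) -> int:
    """Keyed hash (BLAKE2b with a secret key) standing in for a randomized table hash."""
    return int.from_bytes(hashlib.blake2b(key, key=seed, digest_size=8).digest(), "big")


def longest_chain(keys, hash_fn, buckets: int = 1024) -> int:
    """Insert keys into a chained table of `buckets` slots and return the longest chain.
    Each insert walks its chain, so one chain of n keys costs roughly n*n/2 comparisons
    instead of about n: that is the CPU exhaustion the advisory describes."""
    return max(Counter(hash_fn(k) % buckets for k in keys).values())


def colliding_keys(n: int) -> list:
    """Constructed sample input: n distinct anagrams of one string, all with one byte sum."""
    return [bytes(p) for _, p in zip(range(n), permutations(b"abcdefgh"))]


def parse_form(body: bytes, max_params: int = 1000) -> dict:
    """Parse an x-www-form-urlencoded body, refusing oversized requests before a single
    table insert happens (the Tomcat-style parameter-count workaround)."""
    pairs = body.split(b"&") if body else []
    if len(pairs) > max_params:
        raise ValueError(f"{len(pairs)} parameters exceeds the limit of {max_params}")
    form = {}
    for pair in pairs:
        name, _, value = pair.partition(b"=")
        form[name] = value
    return form
```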

Given the recent ‘hacktivist’ activity we have been seeing, it would not surprise me if this attack was used against sites in the financial industry as well as in the public sector.  In any case, the Microsoft patch is a must for your web facing ASP.NET systems now.  The US-CERT’s vulnerability page for this issue is a good place to keep track of vendors’ responses as more platforms are found to be vulnerable.


Nov 28

noted – the russian internet becomes more opaque

By alberg. Categories: online security, useful stuff, worst practices

Interesting post from security and cyberwarfare blog Digital Dao on how changes in Russian law will make it more difficult for foreign firms and investigators to track down the owners of .ru domains used for nefarious purposes.  Not a positive development.

May 25

americans are more gullible in the morning…

By alberg. Categories: best practices, hacks, malware, online security, useful stuff

…at least according to this interesting blog post from OpenDNS’ Allison Rhodes.   It makes sense to me… in the AM, we are all going through our emails, getting ready for the day to come and in a hurry to get caught up with the latest news.  I saw this post as a result of being on OpenDNS’ site from here at the Agahozo Shalom Youth Village, where we are using OpenDNS to provide web filtering to keep the students away from some of the, um, racier sites on the Net.  OpenDNS seems to be a really good, easy to use solution for web filtering in the cloud.  If you have young web surfers at home, you might want to check it out.
