Archive for August, 2008


Periodic Table coolness

Through two completely different paths, within an hour I discovered two different and very cool sites about the Periodic Table of the Elements. First, the source for the coolest periodic table poster I have ever seen,

periodic table of the elements poster

Poster of the Elements. Wow!

Next, a project from the University of Nottingham, the Periodic Table of Videos. They’ve done a short video for each of the elements. Here’s sodium:

Blogging, Time Management

Waking up

A coworker stopped me the other day: “You have been busy,” he said, “you haven’t been blogging.”

A quick look through the history of my blogging will show a lot of variation in frequency of posts and a general slow-down in recent years (only some of which I can attribute to Twitter), but it’s still true: I have been busy, and I haven’t been blogging because of it.

Not long after I started the new job, we started in on a professional services engagement with an identity management architect, to help validate (and correct if necessary) the direction we were going and to help lay the foundation for future work. What we’re doing is huge, and we want to make sure we’re doing it right. The next couple months were unrelenting weeks of nothing but day-long meetings and preparation for those meetings. I take issue with the methodology — it’s fair to say that a death march is just plain wrong — but it’s over now. More or less.

And I am exhausted.

I spent the latter part of 2006 writing a book. It didn’t work out for various reasons, but at the beginning of 2007 I looked up and realized that I had been nose-down for months, doing very little else with my free time except writing, and I had no idea what had been going on. It was disconcerting. Disorienting.

That’s how I felt at the end of this project, like I was just waking up from a long, fitful sleep. I had spent so long with such a rigidly controlled schedule that I wasn’t sure how to organize my time. It’s taken a while to sort that out, but of course it’s not like I’m lacking in any way for work to do, so I feel like I’m getting in a decent rhythm again.

Just in time for the Republican National Convention to come to town and disrupt everything.


“Secret” Questions

I hesitated to write this, but the question has come up several times recently, so here you go anyway.

I don’t like secret questions for password retrieval. You’ve seen these, I’m sure: when you create an account somewhere, you’re presented with a list of questions to choose from and answer. The idea is that if you lose your password, if you answer the question correctly you can reset your password. Classic questions include mother’s maiden name, pet’s name, favorite song, that sort of thing.

You see secret questions because they are cheap and easy. If a customer can self-assert and reset their own password without getting someone on the phone — or if it’s a web site for which you’ll never get any help anyway — that’s a Good Thing, right? The downside is that secret questions reduce the security of passwords. (Passwords themselves are broken, as even the New York Times reports, but that’s a story for another day.)

When passwords can be retrieved or reset as the result of answering “secret” questions, answers to those questions are essentially passwords themselves. Weak ones.

Let me say that again, because it’s important and not everyone pays attention the first time. Answers to “secret” questions are weak backup passwords.

Answers are not held to the same password policies that the actual passwords are. Many systems nowadays make you jump through all sorts of hoops to have a certain complexity to your password, often enforcing a mix of letters, numbers, and punctuation. This is important to prevent dictionary attacks, a brute-force technique in which attackers cycle through hundreds of thousands of possible words, plucked from dictionaries (a word like “snowball” or name like “Voldemort” won’t stand up long to attack). It is trivial and fast to crack most passwords.

Secret questions can often be answered in a single word, a word that would violate the password complexity policy but that is still allowed as the backup password.

Answers to secret questions are often trivially discoverable. It would not take a determined attacker long to find my mother’s maiden name, my home town, or the name of any of my pets. Not only that: they’re dictionary words. Dictionary words are weak passwords.

Questions may have a limited number of answers.

  • Favorite color? Chances are good that most people will answer from just a handful of possibilities: blue, red, green, yellow…
  • Year of birth? It’s a safe bet that there will be fewer than 80 possible answers, probably quite a bit fewer.
  • Home town? Lots of people come from big cities like New York and Beijing.

When users can supply their own questions, chances are pretty good that they’ll choose poor questions, again with trivially discoverable answers. People are not good at choosing security questions. Not long ago I walked through the office and asked a dozen coworkers what their security questions would be. The most common response? “Last four digits of my SSN.”

Four digits. I rest my case. You can argue that people could have lied, and I hope that some of them did. But seriously. Four digits.

You should also be concerned that if you allow users to create their own questions, you will inadvertently end up storing private or sensitive data (say, ahem, SSNs), which may violate your privacy policy.

The situation can be improved somewhat by well-chosen questions — NOT letting users choose their own — and perhaps using multiple questions, although something about that makes me uneasy. It’s far better to use something in addition to secret questions, such as demonstrated control of a resource: email, a cell phone, smart card, or fingerprint.

Password retrieval systems are often poorly designed and easily subverted. “Secret” questions are just one example. I have rarely encountered a password retrieval system that locks the account after repeated failed attempts in the same way that repeated failed logins do. Passwords are sent in cleartext emails, which is not just a problem by itself but also suggests that the passwords are stored in cleartext. Considering that we too often rely on just a password for authentication — a situation that has got to change — we should do better.
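To make the argument above concrete, here is an added Python sketch (not code from the original post) that compares the guessing space of typical secret-question answers with that of a complex password, and models a hypothetical reset check that treats the answer as a backup password: salted hash instead of cleartext storage, and the same lockout a login gets. The answer-space sizes are constructed round-number estimates, not measured data.

```python
import hashlib
import hmac
import math
import os

# Guess-space sizes for the answer types the post discusses. These are
# constructed round-number estimates for illustration, not measured data.
ANSWER_SPACES = {
    "favorite color": 8,                 # blue, red, green, yellow...
    "year of birth": 80,                 # "fewer than 80 possible answers"
    "last four digits of SSN": 10_000,   # four digits
    "pet name / dictionary word": 200_000,
    "8-char password, 94-char alphabet": 94 ** 8,
}

def guess_bits(space_size):
    """Bits of guessing entropy for an answer drawn uniformly from a space."""
    return math.log2(space_size)

class RecoveryGate:
    """Hypothetical reset check that treats the answer as a backup password:
    salted hash rather than cleartext, constant-time compare, and a lockout
    after repeated failures, the same way a login should behave."""

    def __init__(self, answer, max_failures=5):
        self.salt = os.urandom(16)
        self.max_failures = max_failures
        self.failures = 0
        self.digest = self._hash(answer)

    @staticmethod
    def _normalize(answer):
        # Case and whitespace differences should not lock a legitimate user out.
        return " ".join(answer.strip().lower().split())

    def _hash(self, answer):
        return hashlib.pbkdf2_hmac("sha256", self._normalize(answer).encode(),
                                   self.salt, 50_000)

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def verify(self, attempt):
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(attempt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False

def guess_until_locked(gate, candidates):
    """Walk a short candidate list against a gate; returns the answer that
    matched, or None if the lockout (or the list) ran out first."""
    for candidate in candidates:
        if gate.verify(candidate):
            return candidate
    return None
```

With the default lockout, a "favorite color" answer survives a walk through the handful of common colors even though its guessing entropy is only about three bits; without the lockout, the same list finds it.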

Environment, Personal

Praying Mantis in the back yard

I was hanging up laundry to dry when I spotted this praying mantis on the table next to me:

Praying Mantis

I’m not sure where in the world it came from. These critters are not native to Minnesota and won’t survive the winter, but after taking a lot of pictures of it with my son and checking that it wouldn’t do damage (thanks @jojeda), I put it in the front garden where it could feast happily on whatever insects it found there.

OWASP, Security

Upcoming OWASP Events in the Twin Cities

The Minneapolis/Saint Paul OWASP chapter is organizing two events that I want to tell you about.

First, Jeremiah Grossman is speaking at the September 9 chapter meeting. This will be a reprise of his talk at Black Hat, “Get Rich or Die Trying”:

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills — all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.

Slides of the talk are posted on his blog. Grossman does good presentations. This promises to be excellent.

Second, on October 21, we’re planning a one-day conference at the Saint Paul campus of the University of Minnesota. Details are still being worked out, but speakers include Jeff Williams (CEO of Aspect Security and an OWASP founder), Brian Chess (Fortify Software), and Richard Stallman.

Yes, Richard Stallman. I didn’t expect that! Looking forward to it. (No, that link doesn’t explain who he is. It’s just damn funny.)

Registration for the October conference hasn’t opened yet, but from what I understand we’re going to be able to make it free of charge. Wow.

I’ll let you know when there’s more information.

Funny, Personal

Another scene from my life with Kiara

K: Look at this beautiful bowl I got.

Me: Cool design, sort of a Flying Spaghetti Monster, Cthulhu thing going on.

K: I thought it was women swimming…

Me: …

K: I don’t want your dreams.