terriko: (Default)
2012-07-12 02:46 pm

Web Insecurity: Should you really change your re-used passwords after a breach? Maybe not.

Cross-posted from my security blog, Web Insecurity.


Should you really change your re-used passwords after a breach? Maybe not.




The news is reporting that 453,000 credentials were allegedly taken from Yahoo, and current reports say that it's probably Yahoo Voice that was compromised. If you want to know if yours is in there, it seems like the hacker website is overwhelmed at the moment, but you can search for your username/email here on a sanitized list that doesn't include the passwords.

Probably unsurprisingly, the next bit of news is that people haven't changed their hacked passwords from previous breaches. To wit, 59% of people were re-using the passwords that had previously been hacked and released to the public in the Sony breach. Which seems a bit high given the publicity, but I'm not as surprised as I maybe should be.

What I'd really like to know is how many of those people actually suffered from this password re-use. Did anyone bother to try re-using their credentials?

I'm reminded of one of my favourite security papers, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," by Cormac Herley. In it, he claims that many security "best" practices like changing passwords frequently are actually a waste of time for the average user, when you take into account the risks involved.

So, is changing a password after a breach one of those things that we can skip without much incident? Sadly, I don't have any definitive way to analyze how many folk were inconvenienced by their password reuse in the Sony and subsequent Yahoo breaches, but I can make a guess: If those accounts were compromised on Yahoo after the Sony breach, we'd be seeing a lot more people changing their passwords between the two. So probably at least those 59% were not inconvenienced enough to change their passwords subsequent to the breach.  That's a lot of people.

Of course, it's possible that the accounts were breached and used in a way that the owner never noticed. But if they're not noticing, are they really being inconvenienced? Probably in a global sense (i.e. spam) but maybe not in a short-term decision-making sense. Of course, we could assume that the alleged hack is a hoax using many of the previously hacked passwords from Sony, but given how easy it is to compromise web apps I'm currently assuming that the hack itself is a real thing.  In which case, that's a lot of no-change. It looks suspiciously like you're likely to be more inconvenienced taking the time to change your password than you would if you did nothing, statistically speaking.

So, should you change your password after a breach? It depends on how much you feel like rolling the dice. Failing to change their breached passwords doesn't seem to have hurt that many of the Yahoo Voice denizens, but with numbers on re-used passwords hitting the news today, it's possible we'll see more people trying this avenue of attack in the future.  Still, rather than assuming those 59% are foolish for keeping the same credentials, it's worth considering that they might have just been savvy gamblers, this time.
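To make that 59% figure concrete, here is how a cross-breach re-use comparison is actually done: join the two dumps on e-mail address and see what happened to the password. This is an added example, not code from the original post or from the report it cites, and the two dumps it joins are constructed stand-ins rather than real Sony or Yahoo data. It also goes one step past the headline number by separating exact re-use from "variants" (same password with the trailing number bumped), which a simple string comparison would count as a change.

```python
import re
from collections import Counter

# Constructed sample dumps in "email:password" form. Not real breach data.
DUMP_A = """\
alice@example.com:Summer2011
bob@example.com:hunter2
carol@example.com:Qwerty!23
dave@example.com:letmein
erin@example.com:P@ssw0rd
"""

DUMP_B = """\
ALICE@example.com:Summer2011
bob@example.com:hunter2
carol@example.com:Qwerty!24
dave@example.com:correcthorse
frank@example.com:welcome1
"""

_TRAILING_DIGITS = re.compile(r"\d+$")


def parse_dump(text):
    """Return {email_lowercased: password}.

    Lines without ':' are skipped; only the first ':' splits, so a password
    containing ':' survives intact. E-mail is lowercased so the join is not
    fooled by case differences between the two dumps."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def _stem(password):
    """Password with any trailing digit run removed, case-folded."""
    return _TRAILING_DIGITS.sub("", password).lower()


def classify(old, new):
    """'exact' if unchanged, 'variant' if the two differ only by case or by
    a trailing number (the password-Sep / password-Oct style of change),
    otherwise 'changed'. All-digit passwords never count as variants."""
    if old == new:
        return "exact"
    if _stem(old) and _stem(old) == _stem(new):
        return "variant"
    return "changed"


def reuse_report(dump_a, dump_b):
    """Join the two dumps on e-mail address and tally what happened to the
    password. Returns (number_of_shared_accounts, Counter of classes)."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    shared = a.keys() & b.keys()
    return len(shared), Counter(classify(a[e], b[e]) for e in shared)


def reuse_fraction(dump_a, dump_b, include_variants=False):
    """Share of accounts present in both dumps whose password was re-used."""
    n, tally = reuse_report(dump_a, dump_b)
    if n == 0:
        return 0.0
    reused = tally["exact"] + (tally["variant"] if include_variants else 0)
    return reused / n


if __name__ == "__main__":
    n, tally = reuse_report(DUMP_A, DUMP_B)
    print(f"{n} accounts appear in both dumps: {dict(tally)}")
    print(f"exact re-use {reuse_fraction(DUMP_A, DUMP_B):.0%}, "
          f"counting variants {reuse_fraction(DUMP_A, DUMP_B, True):.0%}")
```

On the constructed data this reports four shared accounts, two exact re-uses, one variant and one real change, so the "re-use rate" is 50% or 75% depending on whether you count the variant. That gap matters for the argument above: a user who went from Qwerty!23 to Qwerty!24 is counted as having changed their password, yet is barely better off than one who didn't.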
terriko: Evil Soup (evil soup)
2012-03-28 12:13 pm

Web Insecurity: Apparently consumers do care about privacy

Cross-posted from Web Insecurity

I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people do care, at least when it comes to banking and shopping:


The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.


The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: Privacy: Not just good business, but good for business.

But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see claims of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the Electronic Frontier Foundation, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.

I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure) but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience's sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.
terriko: (Default)
2011-06-24 02:56 am

Web Insecurity: I admit, I laughed: LulzSec as popular as orgasms?

Been a while for a Web Insecurity post, eh? I blame thesis.

Anyhow, here's the teaser:

Web Insecurity : I admit, I laughed: LulzSec as popular as orgasms?




I don't know about you, but I got a great chuckle out of the thought that LulzSec might be as popular as orgasms... at least when it comes to scam bait.




Read the full post here (and learn about how LulzSec hacked the sun!)
terriko: (Default)
2011-02-17 12:38 am

Recent writings: Wordpress themes considered harmful, confessions, and my sexy gamer guy-pals

Bunch of posts elsewhere:

Web Insecurity: Free Wordpress themes considered harmful



It's illegal in many places to compromise someone's site to force them to serve up spammy links. But it's not illegal to put them in a Wordpress theme and then offer it for free...

Web Insecurity: To whom are you confessing?



The Catholic church has given its blessing to a new iPhone app that helps you prepare for confession. The Office of the Privacy Commissioner of Canada isn't so sure they'd approve it, though, pointing out that the developer collects a lot of information and doesn't provide a policy about how it will be used.

Geek Feminism: “How could they not have known?!”



A post about how our male compatriots are often floored by the sort of sexism women deal with daily. Also about FatUglyorSlutty.com, troll visualizations, and ...

*grin* In that post, I wrote "my male gamer buddies don’t have people freaking out or getting, er, excited when they speak on voice chat" and it took some effort to resist adding "but some of them should. Yum." Seriously, some of my gaming buddies have incredibly sexy voices and on the entirely too rare occasion when one of them sings on teamspeak... mmm...

I know, TMI, but I've wanted to brag about my hot gamer guys all day. ;)
terriko: (Default)
2011-01-27 01:48 pm

Web Insecurity:Will Facebook's choice of social authentication lead to gains in facial recognition?

New post up at Web Insecurity: Will Facebook's choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition software?

Excerpts:
For many people with public profiles, flickr accounts, etc. it's pretty easy for a hacker to identify your friends. (Even easier if your would-be hacker is a jilted lover or angry sibling, but presumably those folk could also pass a regular CAPTCHA.) The key here isn't that this social authentication isn't hackable, though, it's that the hack has to be more carefully crafted to your account, and may well require a human to do the facial recognition necessary, thus slowing down the attack and doing exactly what CAPTCHAs were intended to do.
...
So the interesting question to me is "Will Facebook's choice of Face CAPTCHAs lead to huge gains in facial recognition software?" -- we're well overdue for gains in that area, actually, given that law enforcement is hoping to use facial recognition to stop crime and even terrorism, but the technology is so poor right now that if they used it now they'd likely be arresting a lot of innocent folk.


Read the rest here
terriko: (Default)
2011-01-26 03:07 am

Web Insecurity: Ethical hacking? How about some ethical writing?

New post up at Web Insecurity but since it's short, you get the whole thing here:


Now, I haven't verified this at all, but here's an interesting link for you: Ankit Fadia / Manu Zacharia - "Network Intrusion Alert" Heavily Plagiarized.


An extremely detailed analysis has been performed for the first chapter (10 pages) to show the scope and method of plagiarism. Our analysis shows that roughly 90% of the first chapter, including the six graphics used, has been taken from other sources. Due to time constraints, notes are used for brevity for the rest of the material.


Given my experiences with plagiarism among my undergraduate students and the recent Cooks Source plagiarism story (which attracted quite a lot of attention)... I'm sadly inclined to believe that this entire book may be plagiarized.

What's funny about this story is that the book in contention here is titled "Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection." Emphasis mine.
terriko: (Default)
2011-01-07 02:16 am

Recent writings: privacy, young scientists, academia

Some fun recent stuff:



And then some more sad stuff in the form of a round-up of the links I've seen lately about women leaving academia. Poignant for me given that I've got a contract that'll take me away from academia... although I'm actually leaving mostly for the "work that has impact" reason and not so much for the others.

And then one thing that I didn't write (but I wish I had):

Let's say that fighting sexism is like a chorus of people singing a continuous tone. If enough people sing, the tone will be continuous even though each of the singers will be stopping singing to take a breath every now and then. The way to change things is for more people to sing rather than for the same small group of people to try to sing louder and never breathe.


Isn't that just the way of it? Thanks Mary for sharing that one.
terriko: (Default)
2010-12-14 01:14 am

Web Insecurity: A brutally honest privacy policy

Short post up on Web Insecurity about a hilariously, brutally honest privacy policy. An excerpt from the policy:


So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.


You can read the whole policy here or you can read my summary and commentary on Web Insecurity.
terriko: (Default)
2010-11-03 12:22 pm

Web Insecurity: Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?

Yesterday, I talked about why end-users don't care about security and how that actually makes a certain amount of sense for them since the cost of behaving more securely can overwhelm the cost of an actual breach.

However, what I didn't talk about is whether this is true for companies. A single security breach in a single user account maybe doesn't cost a company much, but if breaches get common enough that they start losing users, it could be a problem with a much higher cost.

While users trying to protect themselves from curious folk with Firesheep are counseled to use a VPN, website owners can choose to do encryption right from their end using SSL. But it was thought that SSL was computationally costly and even environmentally costly due to the supposed need for extra electricity and machines.

But who's been looking at what those costs actually are?


Read the rest at Web Insecurity
terriko: (Default)
2010-11-02 01:49 pm

Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?


Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.




He was appalled that people, even when warned, would ignore a security flaw, but it's actually well known that people reject advice. The interesting part of the story comes with Cormac Herley's paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" -- it turns out that it makes perfect sense that people refuse to do security things, and fixing the flaws that firesheep draws attention to is just another example of where security advice just isn't worth following.
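What Firesheep actually reads off the wire is the session cookie, which the browser sends in the clear on every plain-HTTP request to the site whenever that cookie was set without the Secure flag. So the flaw it "draws attention to" is a one-attribute problem in the site's Set-Cookie headers, and the check a site owner would run is correspondingly small. Here it is, as an added example that is not code from the original post; the header list and the cookie names in it (sid, session_v2, lang) are constructed for illustration.

```python
# Constructed HTTP response headers from a hypothetical login page.
# 'sid' and 'session_v2' are made-up session cookie names.
HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sid=a1b2c3d4; Path=/; HttpOnly"),
    ("Set-Cookie", "session_v2=deadbeef; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
]

# Substrings that suggest a cookie carries login state (heuristic, assumed).
SESSION_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attr_lower: value|True}).

    Attribute names are case-insensitive, so they are lowercased; a
    value-less attribute such as Secure or HttpOnly is stored as True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), attrs


def looks_like_session(name):
    """True if the cookie name suggests it carries login state."""
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit_cookies(headers):
    """Return [(cookie_name, missing_flag), ...] for session-looking cookies
    that lack Secure (so the browser also sends them over http://, which is
    exactly what Firesheep captures on open Wi-Fi) or HttpOnly (so injected
    page script can read them)."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if not looks_like_session(name):
            continue
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append((name, flag))
    return findings


def harden(value):
    """Return the Set-Cookie value with Secure and HttpOnly appended if absent."""
    _, attrs = parse_set_cookie(value)
    out = value.rstrip("; ")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for name, flag in audit_cookies(HEADERS):
        print(f"cookie {name!r} is missing {flag}")
    print(harden("sid=a1b2c3d4; Path=/; HttpOnly"))
```

The caveat is the one the next post is about: a Secure cookie is never sent over http://, so if logged-in pages are still served over plain HTTP those pages stop seeing the session and users get logged out. Flagging the cookie is the easy part; it only works once the site serves the logged-in experience over SSL, which is where the cost argument comes in.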

You can read the full version of this post on Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?
terriko: (Default)
2010-10-29 01:25 am

WebInsecurity:Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

Originally posted on Web Insecurity, but it's short so this is a full cross-post.

Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws



This maybe shouldn't surprise anyone, but Mashable is reporting that Facebook Lobbied to Kill Social Networking Privacy Act in the USA.


It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.


Incidentally, Facebook has already broken Canadian privacy law (they're not the only ones), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this really doesn't sound like the actions of a socially-responsible company. Very disappointing.
terriko: (Default)
2010-10-28 10:43 am

Recent writings: Geek Feminism, Web Insecurity, CU-WISE Blog

Tuesday's post on Geek Feminism entitled : "Quick Hit: Men, Medicine, and Meritocracy vs Affirmative Action" has some interesting discussion going on in the comments. The article is about how med schools in Canada are seeing more female applicants than male ones (and are accepting a lot of women) and some of the "stealth" affirmative action that's been taken to keep medicine from getting very unbalanced.

Wednesday's post on Web Insecurity is about Firesheep. Nothing too insightful, just lauding the cleverness of it in a social hacking sense, and thinking, "why didn't we ever bother to build this in university?" (We did similar hacks for fun and education of our peers.)

Wednesday's CU-WISE blog post is on the subject of Dot Diva: The Webisode. (You can also see an extended version of the dot diva post on Geek Feminism.) We see a lot of outreach aimed at teaching girls computer science, but this is a project that tries to tackle the image of computer science. Their inspirations included the changed attitudes towards forensics thanks to shows like CSI. I'm torn because I found parts of the webisode awkward, but others fun, and I really think they've got some good brains and ideas behind this project.

Thursday's Web Insecurity post Why 12 year olds may be our best bug hunters is about this cool 12 year old boy named Alex Miller who collected on one of the Mozilla bug bounties. I always find adult reactions to smart kids can be a bit strange and sometimes condescending, so this is me musing on how the 12 year olds I've worked with are actually pretty awesome.

In non-blogging news, I'm working on some stuff about web standards vs attacks and vulnerabilities that I'll probably be posting privately soon for comments and ideas before I start putting together more comprehensive ideas for the IETF websec group. Their current discussion on dnssec irks me because it seems... mildly irrelevant to some of the real problems I assumed the group was destined to solve. I'm biased on the subject of DNSSec (see The Futility of DNSSec), but surely websec should be talking about more broad initiatives?
terriko: (Default)
2010-10-11 08:44 pm

Web Insecurity: Does expiring passwords really help security?

Yet another crosspost. Been a little while for the security blog, but there's always neat stuff coming out of ACM CCS. I expect I'll hear more about it when I head in to work this week.



Change is Easy
Originally uploaded by dawn_perry

I've heard a lot of arguments as to why expiring passwords likely won't help. Here are a few:


  • It's easy to install malware on a machine, so the new password will be sniffed just like the old.
  • It costs more: frequent password changes result in more forgotten passwords and support desk calls.
  • It irritates users, who will then feel less motivated to implement other security measures.
  • Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...

And yet, many organizations continue to force regular password changes in order to improve security. But what if that's not what's really happening? Three researchers from the University of North Carolina at Chapel Hill have unveiled what they claim to be the first large-scale study on password expiration, and they found it wanting.
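The last bullet in that list is the one that turns expiry from merely useless into actively harmful: an attacker who already holds the expired password doesn't need to start from scratch, because the space of habitual edits (bump the number, roll the month, tack on a "!") is tiny. Here is what that search looks like, as an added example that is not code from the original post or from the UNC study it refers to; the transform set, the guess budget and the sample accounts are all constructed for illustration.

```python
import re

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
_NUM_TAIL = re.compile(r"^(.*?)(\d+)$")
_MONTH_TAIL = re.compile(r"^(.*?)([-_]?)(" + "|".join(MONTHS) + r")$", re.I)


def transforms(old):
    """Candidate new passwords derived from `old`, cheapest edits first.
    Each candidate is one of the rotation habits from the list above."""
    out = []

    def add(cand):
        if cand != old and cand not in out:
            out.append(cand)

    # 1. bump a trailing number: Welcome12 -> Welcome13 (zero-padding kept)
    m = _NUM_TAIL.match(old)
    if m:
        stem, num = m.groups()
        for delta in (1, 2, -1):
            if int(num) + delta >= 0:
                add(f"{stem}{int(num) + delta:0{len(num)}d}")
    # 2. roll a trailing month name: password-Sep -> password-Oct
    m = _MONTH_TAIL.match(old)
    if m:
        stem, sep, mon = m.groups()
        nxt = MONTHS[(MONTHS.index(mon.lower()) + 1) % 12]
        add(stem + sep + (nxt.capitalize() if mon[0].isupper() else nxt))
    # 3. tack a digit or symbol on the end
    for tail in ("1", "!", "2", "#"):
        add(old + tail)
    # 4. change the case of the first letter
    if old[:1].isalpha():
        add(old[0].swapcase() + old[1:])
    # 5. one leet-style substitution
    for plain, leet in (("o", "0"), ("a", "@"), ("e", "3"), ("s", "$")):
        if plain in old:
            add(old.replace(plain, leet, 1))
    return out


def crack(old, new, max_guesses=200):
    """Guesses needed to turn `old` into `new` (0 if the user didn't really
    change it); None if the guess budget runs out without a hit."""
    if old == new:
        return 0
    for i, cand in enumerate(transforms(old)[:max_guesses], 1):
        if cand == new:
            return i
    return None


# Constructed accounts: (password before forced rotation, password after).
ACCOUNTS = [
    ("password-Sep", "password-Oct"),
    ("Welcome12", "Welcome13"),
    ("letmein", "letmein1"),
    ("sunshine", "Sunshine"),
    ("tr0ub4dor", "correcthorsebattery"),
]


def crack_rate(accounts):
    """Fraction of rotated passwords recovered from their predecessor."""
    hits = sum(1 for old, new in accounts if crack(old, new) is not None)
    return hits / len(accounts)


if __name__ == "__main__":
    for old, new in ACCOUNTS:
        print(f"{old:>14} -> {new:<22} guesses: {crack(old, new)}")
    print(f"recovered {crack_rate(ACCOUNTS):.0%} of rotated passwords")
```

Against the constructed accounts, four of the five "new" passwords fall within the first handful of guesses; only the user who actually picked something unrelated is safe. Note that this is an online-guess budget of a few hundred, not an offline dictionary attack, which is the point: a rotation policy is supposed to make the stolen password worthless, and for most users it doesn't.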

(Read the rest here.)
terriko: (Default)
2010-09-22 12:43 am

Web Insecurity: Privacy and Twitter Lists

Crossposted from Web Insecurity. Please comment there if you want to comment!

I think twitter may have among the simplest privacy settings of any social network. Your choices are either everything you post is public, or everything you post is private.

But simple does not mean that things will stay private. Just like everything on the internet, the minute you post something someone else might choose to share it. Some researchers have actually studied how often people retweet private content on Twitter.

Something I haven't seen studied, however, is how private information can leak out through twitter lists.

Twitter allows you to make lists of people who you'd like to have grouped together. For example, I have a list of technical women who I follow. These are women in technology who I've met in person or interacted with extensively online, and I really made it for my own personal use but since it's a public list others can (and do) follow it. Presumably they're looking for more cool women to expand their social networks.

Twitter allows you to see what lists a person has been added to, and this is where it gets interesting. Let's take a look at the lists of which I am a member and see what we can learn about me.

Here are a few things you can see at a glance:



Wait... what? Despite the fact that I explicitly chose to say a more generic "Canada" in my profile information, my current city can be determined by the fact that it shows up in several of the lists I'm on. There's of course no way to be sure that any of this is true, but when more than one person lists me as being in Ottawa it seems fairly reasonable to guess.

I'm not personally concerned (obviously, since I'm talking about all this information in a public blog post!) but some folk are much more private than I am.

So what are your options if you want to hide this information? Well, if I don't like the lists I'm on, I can... uh... There's no apparent way to leave a twitter list. I suspect one could block the list curator, but the people revealing your location are most likely to be actual real life friends: people you wouldn't want to block. So you'd have to resort to asking nicely, but that's assuming you even notice: while you can get notifications of new followers, you do not get notified when you're added to a list. I've been asked about exactly two of the lists I've been put on (thanks @ghc!) so obviously it's not the social norm to ask (I certainly have never asked anyone I've listed!)

A quick check says I can usually get the current (and sometimes some former) cities for many of my friends, as well as information related to their occupations, interests, and events they've attended. For most of these people, I know this isn't information they consider private either. But it's obviously possible that this could be a problem... I wonder how many people it affects in a negative way?

Maybe this is a potential little workshop paper if I have time to analyse a whole bunch of twitter lists. Anyone want to lend me a student who's interested in social media privacy?

Edit: A note for those concerned about not being that privacy-violating friend. You can make twitter lists private if you want (it's just not the default), so just do that for the lists you think are sensitive and you're good to go!
terriko: (Default)
2010-08-23 03:23 pm

Visual Security Policy... or what Megashark and infographics have to do with web security

I've posted the web version of the presentation I gave at HotSec. I find it amusing, and so did my audience. Here's some sample slides to give you the, ahem, picture. This should be a 3x4 grid if you see it on my blog directly, but who knows what it'll look like syndicated?

  • 83% of web sites have had a serious vulnerability
  • 64% of all sites have a security flaw right now
  • What makes the web so hard to secure?
  • There are no restrictions within a web page
  • Separation between components can mitigate attacks
  • But not many web developers use encapsulation
  • Infographics make complex data easier to understand using visuals
  • Equations allow more detailed analysis... if you understand them.
  • The people who make web pages... are also the people who make infographics
  • Visual Security Policy
  • Math is hard; let's draw boxes!
  • Visual Security Policy (ViSP)

The whole presentation I gave at HotSec is here.
terriko: (Default)
2010-08-19 03:22 pm

Webinsecurity: Privacy: Not just for people who are doing bad things

This is a cross-post from my web security blog.

I'm happy to see that Gizmodo is already recommending that people disable Facebook Places in as much as you really can. And the article has a nice step-by-step on how to limit the amount your friends can (accidentally or intentionally) violate your privacy.

But I take issue with the fact that their examples were "you're lying to your girlfriend" and "you're cheating on your wife." Seriously? I know they were trying to be funny, but the implication you get from the article is that privacy should only matter in this way if you've got something to hide. But that's not the case:

What about a parent who doesn't want to advertise to strangers the exact geo-location of the parks his kids play in every day?

What about a woman who has received threats from unpleasant people who feel that women should not be involved in open source software?  (I wish I were kidding, but this happened to me, and other people receive threats from disturbed individuals online.)

What about someone shopping for an engagement ring who meets a friend at the mall?

There's plenty of reasons one might prefer privacy. I think maybe we would do well to include this sort of example in articles, so that even those living utterly honest lives will realize that privacy is important to them and people they care about.
terriko: (Default)
2010-07-09 10:16 am

Web Insecurity: Preparing some curricula on web security

What would you want to learn in a short course on web security? What do you wish other people knew about web security?

I'm preparing curricula for a day and a half of training, and I'd love some suggestions and advice on what to cover.
terriko: (Default)
2010-05-21 08:23 pm

No Web Site Left Behind: Are We Making Web Security Only for the Elite?

I put up a big post at Web Insecurity detailing my presentation at W2SP yesterday.

No Website Left Behind: Are We Making Web Security Only For The Elite?

Here's some choice slides, but you should really check out the whole presentation, or read the paper! (It's only 4 pages long and should be pretty readable even for non-academics.)

Here's 9 slides to give you an idea (in theory this should be a nice square display, but if you're not viewing this post on dreamwidth it might not be.)

  • Slide 0: No Web Site Left Behind: Are we making web security only for the elite?
  • Slide 1: Page Creators are not all Programmers
  • Slide 4: Professional web page creators often have artistic backgrounds
  • Slide 6: Web Security is for Programmers
  • Slide 11: Tainting (Fix The Code)
  • Slide 16: Non-Programmers still need Security
  • Slide 17: The Web is a Target
  • Slide 19: So... Now What?
  • Slide 20: Security costs may outweigh risks
terriko: (Default)
2010-05-12 02:29 pm

Web Insecurity: Will privacy issues herald the end for Facebook?

New post up at Web Insecurity: Will privacy issues herald the end for Facebook?



We're starting to see suggestions that the facebook ecosystem actually could collapse, not just that some tech people wish it would.

...

The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go." And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience.





As usual, Facebook fascinates me as a social statement, as much as it horrifies me as a security person. But seriously, when the facebook games are talking about jumping ship and students are saying that facebook is uncool, we might have to accept that this boat isn't going to float much longer. And for those who haven't heard, the new pretender to the throne is Diaspora although I admit I haven't looked at it seriously.
terriko: (Default)
2010-05-11 10:43 am

Web insecurity: The advertising social contract vs malvertisements

Wrote this post for Web Insecurity on the weekend and scheduled it for Monday... But on Monday I was busy drinking water and getting ready to donate blood, so I never posted something here. Oops.

The advertising social contract vs malvertisements: how can online advertisers earn your eyes?

It's mostly musing about how ad blocking actually makes you safer while web browsing, and whether advertisers will wind up rising to this challenge by giving us ads that are worth unblocking or ads that go beyond banners. I gave up my TV years ago, and I still have people telling me about great TV advertisements I missed. Very few people tell me about banner ads I missed. And I think the last time was those Evony ads, which are an entirely different category of "you've got to see this!"

In other web security related news, or perhaps Terri-in-web-security related news, I found out last night that my W2SP talk has to be 5-10 minutes long rather than the 15-20 I expected. This presents a challenge, but I can rise to it. Just not in time to do a practice run at 3pm today as I'd planned. I actually have under 10 minute slides from my presentation the week before last, but I skipped some stuff in that talk that I need to put in to the final one, so we'll see how that goes.

Anyhow, if you're curious here's the W2SP schedule -- Apparently there's still space in the workshop if you're in the bay area and interested in attending a web security workshop next week.