Security Certification 2/3 – Learning
- At January 13, 2012
- By Josh More
- In Business Security
- 2
If you’re reading this post, it is assumed that you’ve already read my post on what certifications are for. If not, go there and check it out. This post details my method for comparing certifications.
First, go to each certification’s website and review each certification’s pre-requisites. If you don’t have any of them, it’s probably not wise to do the next step with that one. While I recommend challenging yourself and pursuing a certification for which you do not have all of the pre-requisites, if you have absolutely none of them, you’ve identified what you need to learn and that the certification you are considering will not teach you that.
Second, consider your career trajectory… then throw it away. Some certifications have specific paths that are laid out for you. If you go into the CISSP world, you’re “supposed” to be a manager. If you use Offensive Security, you’re “supposed” to be a penetration tester. While it’s true that these certifications have somewhat high value in these areas, increasingly, security practitioners are expected to know a bit of everything and be good at what they’re good at. It’s about the learning process. Unless you have no interest in learning (in which, go away, this post is not for you), you’ll be better off picking a certification based on what you’ll learn from the process. If you pick a career path laid out for you by someone else, you’re not only trusting your life to guesswork… but to someone else’s guesswork. For example, my grandfather gave me my first computer because it was the wave of the future… but also gave me a slide rule… “because you’ll need to be able to take something into the field with you”. If you’re going to screw up your career path, at least do yourself the favor of doing it to yourself so you can analyze why you wound up where you did and can correct from there.
Third, review what the different certifications cover. For each topic covered, give yourself a rating based on how well you know the topic.
- 0 = No idea what the topic means
- 1 = Have a bit of clue about the topic, maybe played with it in a lab
- 2 = Have done this professionally or played with it a lot in a lab environment. Still have room to learn.
- 3 = Have done this enough to consider yourself something of an expert
- 4 = Understand this topic inside and out. Comfortable teaching it to others.
Now, take an average of all your ratings and divide it by four. This will give you a percent of what you already know from what the certification will teach you. Subtract this from 100% to get the amount you will learn from the certification.
Fourth, you have to factor in your time. Most of us have a loaded rate for work that includes salary and benefits. If you know this number, use it. If not, take your hourly rate (convert if you’re salaried) and multiply it by 1.5. If you’re unemployed, figure out what you’d charge doing freelance work. You can quibble over this all you like. Really, you’re just measuring the cost of the time it takes to gain a certification, as that time could be used to boost your skills by working overtime at your day job or doing freelance work in the evenings.
Finally, estimate the time you’ll spend on the certification, multiply it by your rate, add the certification costs and you’ll have a dollar estimate. Take your learning percentage and divide it by the dollar estimate and you’ll get you a number that you can use to compare how valuable that particular certification will be for you.
In other words, Value = (Learning Percentage) / ((Time Spent * Hourly Rate) + (Cost of Certification)). When comparing certifications, the highest value wins.
Here are two examples. Since a lot of the information about tests is hidden behind registration links, I won’t do a complete analysis… just enough to give you an idea of what I’m talking about. In this, we’ll assume that my time value is $50/hr. Basically, I am choosing this number because it makes the math easier and should be in line with a mid-level career person that loves learning enough to drop the “personal cost” a bit. If you’re entry level, it’ll be lower. If you’re well seasoned and have other hobbies, it’ll be higher.
Note: I am also assuming a “zero” time cost to taking in-person classes. There is actually a time cost here, but for most people, it’ll be incurred by your organization, not you. If this isn’t the case, add the time cost back in.
Example: CISSP-ISSAP
This certification would extend my existing CISSP to focus on architecture. Reviewing the Candidate Information Bulletin, there’s a lot of information covered. Here are the first two domains. My score for each point is in brackets at the end. (The typo for “Methodology” is theirs… sorry.)
1) ACCESS CONTROL SYSTEMS AND METHODOLGY
A. Apply Access Control Concepts Methodologies, and Techniques
A.1 Application of control concepts and principles (e.g., discretionary/mandatory, segregation/separation of duties, rule of least privilege) [4]
A.2 Access control administration [4]
A.3 Identification, authentication, authorization, and accounting methods [3]
A.4 Identify and access management architecture [3]
B. Determine access control protocols and technologies (e.g., RADIUS, Kerberos, EAP) [3]
2) COMMUNICATIONS & NETWORK SECURITY
A. Determine Communications Architecture
A.1 Unified communication (e.g., convergence, collaboration, messaging) [2]
A.2 Transportation mechanisms (e.g., voice, facsimile) [4]
B. DetermineNetworkArchitecture
B.1 Network types [3]
B.2 Protocols [3]
B.3 Securing common services (e.g., wireless, email, VoIP) [4]
C. Protect Communications and Networks
C.1 Firewalls [4]
C.2 Gateways, routers, and switches architecture (e.g., access control, segmentation, out-of-band management) [4]
C.3 Detection and response [4]
C.4 Content filtering [4]
C.5 Device control [4]
D. Identify Security Design Considerations and Associated Risks
D.1 Interoperability [2]
D.2 Audit requirements (e.g., regulatory, legislative) [3]
D.3 Security configuration (e.g., baseline) [4]
D.4 Remote access [4]
D.5 Monitoring (e.g., sensor placement) [4]
D.6 Network configuration (e.g., physical, logical, high availability) [4]
D.7 Operating environment (e.g., virtualization, cloud computing) [4]
So, for the first two domains of the CISSP-ISSAP, we get (4+4+3+3+3+2+4+3+3+4+4+4+4+4+4+2+3+4+4+4+4+4) / (22 * 4) = .886 for a “known” ratio. This means that the percentage that I have to learn is 11%.
Now let’s look at costs. The official textbook runs $80. The review class runs $2,195. The test costs $449. And the certification costs $82.50. (Not required, but included because the GIAC cert comes with passing the test and we want to be as fair as possible.)
So, we have two options.
* Take the full in person class (assuming the course book is included with the class) $2,195 + $449 + $82.50 = $2,726.50. Add to this, study time of 20 hours at $50/hr and you get $3,726.50
* Wing it with the textbook $80 + $449 + $82.50 = $611.50. Add to this study time of 40 hours, and you get 2,611.50
So, if I were to take the in person class, I’d get a learning value of 11/3,726.50, or 0.295%. If I were to wing it, my learning value would be 0.42%… but the burden of the work would be on me.
Example: SANS/GIAC GXPN
Let’s compare this to the SANS/GIAC Advanced Penetration Testing Essentials / GXPN option. Looking at Day 1, we have the following list of learning objectives:
Low profile enumeration of large Windows environments without heavy scanning [1]
Strategic target selection [2]
Remote Desktop Protocol (RDP) [1] and man-in-the-middle attacks [1]
Windows network authentication attacks (e.g., MS-Kerberos, NTLMv2, NTLMv1, LM) [2]
Windows network authentication downgrade [0]
Discovering [3] and leveraging MS-SQL for domain compromise without knowing the sa password [1]
Metasploit tricks to attack fully patched systems [1]
Utilize LSA Secrets and service accounts to dominate Windows targets [1]
Dealing with unguessable/uncrackable passwords [2]
Leveraging password histories [1]
Gaining graphical access [2]
Expanding influence to non-Windows systems [3]
Exploiting single sign-on systems [1]
Escaping restricted desktops [1]
So, for the first day of this class, we get (1+2+1+1+2+0+1+1+1+2+1+2+3+1+1) / (15*4) == .333 for a “known” ratio, or a learning percentage of 67%.
Looking at costs, it’s a tad more complex, with more options, but fewer parts. The vLive version of the course costs $4,370. The Self Study option costs $3,916. The Conference version costs $4,595. For all options, the test costs $549.
So we have three learning ratios to calculate:
* Self Study: 67 / ($3,916 + $549 + 60*$50) = 0.89%
* vLive: 67 / ($4,370 + $549 + 40*$50) = 0.97%
* Conference: 67 / ($4,595 + $549 + 20*$50) = 1.09%
Example: CISSP-ISSAP vs SANS/GIAC GXPN
So, as you see, even though it’s the most expensive option, you maximize learning when compared to time and dollar costs with the GXPN Conference option.
Certification | Option | Cost | Learning Value |
---|---|---|---|
CISSP-ISSAP | Class | $3,726.50 | 0.295% |
CISSP-ISSAP | Self Study | $2,611.50 | 0.42% |
GXPN | Self Study | $7,465 | 0.89% |
GXPN | vLive | $6,919 | 0.97% |
GXPN | Conference | $6,144 | 1.09% |
Now, there are a LOT of variables at play here. If you mis-estimate the time you’ll spend or the amount of money your time is worth, you’ll get drastically different values. So think about these numbers carefully before before you decide for certain which certification to pursue.
Once you’ve followed this process, you’ll have an idea as to which certification to pursue. If you are in this solely for the learning, stop now. The next post is not about certification but focuses on extending your learning in a way that is visible and gets you both known in the community (building the Who You Know) and in gaining and demonstrating experience.
Security Certification 1/3 – Certifications in General
- At January 12, 2012
- By Josh More
- In Business Security
- 0
It seems that, about once a week, someone asks me about security certification. A lot of people seem to believe that a security certification can get you over the “need experience to get experience” hurdle. The point of this post is not to tell you which certification to get (though it does do this), but to explain why this common line of thinking is wrong.
At the entry level of the job market, the “you don’t have enough experience to get experience” problem is particularly troublesome. This is especially true in the current economy where fewer jobs means that many more experienced workers are competing for the entry level ones. These are the people that typically come to me and ask “CISSP, Security+ or GSEC?”.
However, if you show someone an experience-less resume that lists a security certification, all that is communicated is that that particular certification can be attained without experience. This weakens the certification and does nothing to make you look better.
In fact, most hiring managers I’ve spoken too will take the stack of resumes and filter it as follows:
- Throw out everyone lacking a college degree.
- If the stack is still too tall, throw out everyone that doesn’t have a four year degree.
- Then they look at experience and get rid of everyone that lacks the requirements.
- If the stack is still too big, throw out everyone that has experience but isn’t certified.
- Take any resumes that come with a personal recommendation and add them back in to the pool.
It may not be fair, but when any job opening solicits hundreds of resumes, it is a fast way to get through them. It also means that if you have no experience, possessing a certification gains you absolutely nothing. In fact, the best thing you can do to be considered is to know someone in the organization. After that, the most helpful is a degree, then experience, then certification… but only as a tie breaker.
(Note, in some job areas, like the US Federal Government, certain certifications are required for specific job levels. Assume I’m not talking about these job areas. After all, if you’re going for one of those, you already know which certification you need.)
It seems, from this, that I’m saying that certifications are useless. Nothing could be further from the truth. Certifications are great… just not for getting a job. Let’s look at what employers find to be the most useful: who you know, college degrees and experience.
Who you know
If you are recommended by someone that the hiring manager knows, the manager has already vetted you far more thoroughly than is possible in a series of interviews. They know that you are likely a good person to work with, as you can clearly be friends with the sort of people that work at the organization. They know some of your strengths and weaknesses. In short, they know that you can probably do the job and that you are likely to grow with the business.
A lot of people are disdainful of the “good old boys” network, but if you’re not in it, there is always the question of “why”. Without an answer to that question, people create their own answers… and they are seldom complimentary of you as a candidate.
College degree
The industry also has a lot of disdain for college degrees. Do you need a college degree to work in security? Of course not. There are tons of people in the industry without them. (Of course, they got in because of who they knew.) Like many people state, a college degree is just a piece of paper that says that you spent four years putting up with crap… which is a really good measurement of what many organizations want.
If you can get through a university program for two or four years, toe the line and do what you’re told, a hiring manager will know that you’ll be unlikely to make waves. You might not know all you need to do the job, but you’ll likely be able to deal with stupid corporate rules for long enough to learn what you need.
In short, a standard degree is not a measure that you’ll be an awesome employee. It’s a measure that you won’t be horrible and cost the organization more money than you bring in.
(Note: liberal arts degrees are something different entirely… but from a hiring perspective, they are only useful if the hiring manager is aware of the school and what the degree means. Without that knowledge, they look the same as a regular degree, so it comes back to “who you know”)
Experience
Experience is, of course, the gold standard of getting hired. If you’ve done the job before, the manager knows that you can do it again. However, there’s a trap. If you have experience you’re somewhat stuck in that area of expertiese, and if that area goes away, you could be in trouble. A lot of COBOL programmers discovered this in recent years. If you’re in this situation, you’re really back to who you know.
Of course, it’s better to avoid getting into this situation by constantly taking on new projects and expanding your skill set. However, this series of posts is about certification, so I won’t delve into that topic.
Learning
So if that’s the situation, what do you do about it? The key, I think, is learning.
When you get right down to it, what a hiring manager wants to know is:
- What do you know?
- What are you capable of learning?
- Can you convert that knowledge into something useful to the organization?
- Can you do so without causing problems in other areas of the organization?
That’s it. Based on how well you do at those four points, your career will skyrocket or stagnate.
So, the keys are learning, translation and communication. Let’s look at certifications with that in mind.
Most people looking at security certifications look in four areas: ISC(2)’s CISSP line, SANS/GIAC’s G* line, CompTIA’s Security+ line and Offensive Security’s OS* line. The key criterion for you to consider is which line is going to maximize your learning for your dollar. Generally, SANS/GIAC is considered the most expensive, but in my experience also has the greatest opportunity for learning. Second to that, in my opinion, is the Offensive Security line. They’re more focused and hands-on than a lot of SANS/GIAC offerings, but also start a bit higher in the experience level.
So what you need is a way to compare not certifications, but what you learn from the certification process. If you can maximize the amount you learn per dollar you spend, you can both select the best certification for you and the best experience you can get from pursuing that certification.
Check in tomorrow for the method I use to compare certifications.
Angry Birds and Security
- At December 14, 2011
- By Josh More
- In Business Security
- 0
There are many exciting projects going on at my new company, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a post about improving your security with strategy lessons taken from Angry Birds!
In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.
Clearly, there is room for improvement in terms of both offense and defense.
The Pigs
Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:
1) Preparation
The root of their’ constant downfall is they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.
2) Planning
Another problem facing the pigs is the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.
3) Sacrificial Hierarchy
It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.
The Birds
The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.
1) Reduce Scope
First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.
2) Improved Retaliation
Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capabable bird should be able to respond to attack.
3) Agility
Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.
In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.
Conclusion
Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.
Launching attacks is easier than defending against them. An attacker must only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.
(This post originally published at the RJS Informer)
It’s a matter of trust
- At December 09, 2011
- By Josh More
- In Business Security
- 0
Warning: this blog entry covers sensitive current events and some of the links may use strong language.
When a big news story hits, do you ever notice a pattern or significant fact, that despite 24/7 coverage, everyone appears to be missing? The world has had three events in recent weeks get considerable attention throughout television, newspapers, radio and social media; and each of these events are catastrophes that occurred because of poor policy choice and unplanned reactions. Let’s briefly explore them.
PayPal v. Regretsy
Paypal is known to “freeze” the assets of somewhat questionable groups. However, many are saying they crossed the line by pulling the plug on a fundraising effort to get Christmas gifts for 200 children in need. Yep, you read that right. Paypal followed their policy and basically profited three times off of preventing children from receiving gifts. Is it surprising that this blew up in their face?
April Winchell, of the popular website Regretsy.com, wrote up her story and published it online with a follow-up. Not only did she get a massive movement behind her, but due to the fame of regretsy.com and the nature of what Paypal’s employee said, the story went viral and is being spread throughout Facebook, Twitter and other social networks. The story has been reported so widely, there are now over 20,000 hits on Google with titles like:
– PayPal ruins Christmas for over 200 kids
– Paypal has no problem ruining Christmas for Children
– Paypal – The Christmas Grinch
There are posts claiming “Paypal is evil” and people should “stop doing business with them immediately.” On top of that, there is a public list of Paypal and Ebay employee phone numbers and email addresses being spread along with this story.
Carrier IQ
As we have covered previously, Carrier IQ is the company that writes activity-monitoring software for cell phone providers. Some call it the rootkit of all evil but others say it’s not so bad. The news started within a rather small technical community, but rapidly expanded throughout the internet and has resulted in a class action law suit and a senate inquiry. Carrier IQ’s customers are also being sued.
Pepper Spraying Cop
Most everyone today knows the story about the cop that sprayed pepper spray in the faces of protesters at the University of California-Davis. While such events happen often, the fact it was captured with cameras and posted all over the internet made it famous. The incident has started a national discussion about militaristic police forces, a personal investigation into Lt. John Pike and endless parodies.
What does this mean?
In each case, someone did something no rational person would do if presented with the given scenario. The various parties all defended themselves by citing law and policy, yet each instance caused a catastrophic public relations nightmare they may never be able to fix.
If you asked John Pike, weeks before the instance, if he would ever walk past a line of passive college students and cover them with pepper spray, I’m sure he would have said no. If you asked the CEOs of ATT or Sprint a month ago if they ever thought about tracking every single action their customers took on the internet, they would have dismissed the idea as ridiculous. If you asked the leadership of Paypal if they planned to steal money from impoverished children for Christmas, they’d have called you insane.
Yet, each of these events happened. Why? It comes down to policy. Policy’s role is to guide behavior. It sets expectations and makes individuals accountable. Sadly, the latter is often phrased in a negative manner so employees do the bare minimum to protect the organization and, in the process, open up the potential for these types of unfortunate events.
A better way?
Think about what would have happened if the Paypal representative had taken the call and responded with “That sounds like a good cause to me. I’m not authorized to allow it, but let me get my boss on the phone.” Maybe their officers wouldn’t have gotten inundated with spam and phone calls. Maybe their name wouldn’t be equated with thievery and evil. Maybe working with the offended party would be a better approach than a half-hearted apology.
Similarly, what if Carrier IQ had entered into discussions with TrevE about his findings and then worked with ATT and Sprint to resolve the issue instead of immediately going to the legal system (and getting trounced)? Maybe the whole issue could have been avoided.
Lastly, what if, Norm Stamper’s reforms of the police system gained traction? Maybe Occupy UC-Davis would have looked a lot more like Occupy Iowa City.
It’s a matter of trust
When I write policy for a client, the goal is to protect the business from mistakes made by employees. The goal is never to restrict employees to the point their only answer is always what the rule book states regardless of gray area. If you need something done exactly the same way every time, use a computer. They’re actually pretty good at repeatable tasks. People, in contrast, are really good facing unique situations and resolving them in creative ways. As soon as a policy prevents an employee from making improvements, there is no longer use for the employee. Just automate that job and be done with it. If that’s not your goal, your policy is broken. You can fix it by looking for scenarios which can be read literally and, as a result, cause catastrophes like the ones mentioned above.
There are many ways to fix these problems, once they’re found. Some businesses give their employees discretionary budgets. What if Paypal had said “Sorry for the mix up, and since it’s a good cause, here’s $100 to buy a kid a present.” Some businesses have an official PR escalation team. What if TrevE’s report hadn’t been met with hostility, but instead they said “Huh, good point. If we give you $1,000 can you give us some consulting on doing this better?” Some organizations create an expectation of personal responsibility, where it is illegal to obey an illegal order. Might that not have helped things at UC-Davis?
If you’re going to have people working for you, you have to let them be people. Let the policy be the guideline and trust them to follow the guidelines. If you do not trust your policy to guide, and not prescribe, action, you need a new policy. If you do not trust your people to be guided by a good policy, you need new people.
This blog entry was originally posted over at the RJS informer.
Leaked Password Analysis – 2011-06 Edition
- At June 29, 2011
- By Josh More
- In Business Security
- 4
As most of you likely know, several months ago saw a shift in how a certain type of attack was being done on the Internet. Instead of breaking into a website and simply stealing information, people began breaking into sites to steal information and then release it publicly on the Internet. It is not my intent to discuss the choice of targets or the motivations of these groups. Others have written plenty on this topic and really, if you’re not working for a target or one of the attackers, anything you can say about their motivations is likely to be guesswork at best.
Instead, I want to talk about the passwords. I’ve been following these leaks and collecting password information. My goal is not to break into people’s accounts or to discuss whether or not the leaked data supports the claims of either side. I only have one goal in doing this. I want to find out what I can about people and passwords so I can help everyone choose better ones. So here is my initial analysis. If time permits, I hope to come back to this and do the analysis with more rigor and dive more deeply. However, since my initial rough analysis is done, I wanted to share my preliminary findings. I think they’re interesting, so I hope that you will as well.
Data Set
I’ve combed leaked data for all the cleartext passwords I could fine. Realistically, this means that the passwords I’ve analyzed here fall into two categories. The first category is passwords that were stored unencrypted or very weakly. The second is passwords that were weak to begin with and were easily cracked by those who released the data sets or analyzed them later. So, the important takeaway here is that this is not and analysis of typical passwords used on the Internet. This is an analysis of bad passwords used on the Internet combined with passwords that were stored poorly. Still, since I want to learn what not to do, this seems like a worthy use of my time.
The data set exceeded half a million passwords… but likely involved some duplicate records. I hope to tighten up the analysis in my next go-around.
Common Passwords
Everyone starts these analysis with a list of the most common passwords. I do not wish to disappoint, so here is what I found.
So what can we learn from this? First of all, note the number of passwords that are just numbers. 123456, 12345678, 12345, 111111, 1234, 1234567, and 123456789 were seven of the top 20 bad passwords. This is ridiculous. Who on earth thinks this is a good idea? A lot of people, apparently.
Second, notice the surprisingly large number of people who thought that trustno1, baseball and superman were good choices. Perhaps choosing passwords based on popular culture is unwise.
Password Lengths
I then looked at the average password length. There’s not much of a surprise here, but here’s the graph if you’re interested:
What I found most interesting was how relatively few passwords were seven characters long. I expected six and eight to be large, but not for seven to be so short. Also, note how quickly it drops off after 8. Nine characters and up are ridiculously small.
Keyspaces
This is where things get interesting. We have been talking for years about how people should use a mix of lower case, upper case, numbers and symbols in their passwords. I don’t want to bore you with math, but the reason is that the more characters you have to pick from, the longer it’s going to take to guess the password. If, for example, your password is one character long, if you use a lowercase letter and the attacker tries those first, it will only take 26 tries to get it. If you use a character from any of these sets, it will take 26 (lower case) + 26 (upper case) + 10 (numbers) + 32 (symbols) = 94 tries. If your password is longer, then it will be increasingly harder.
Let’s use a few pictures to make this easier to talk about.
This is what we’d like to think people are doing. We know that not everyone is following our advice, but at a guess, we’d expect there to be a reasonable mix of people doing it the right way and some overlaps within the other spaces.
Our ideal, of course, would be to widen the overlapping space. This way, more people are using more complex passwords and would be safer.
… and this is where we actually are today. The spaces aren’t the same size, which isn’t terribly surprising I guess. However, I didn’t expect not only for the special characters space to be so small, but I also didn’t expect the overlap to be so tiny. In fact, of the 519,229 I analyzed, only 315 had a mix of lower case letters, upper case letters, numbers and special characters. No wonder they got hacked. This means that 0.06% of all the passwords were considered minimally secure.
Really… is it so hard to add an exclamation point or question mark in there somewhere? Here, I’ll even give you some you can use. I mean, really!?!?!?!?!?!?
Other Metrics of Interest
When I compared the list of passwords to itself and weeded out the duplicates, I found that 65.71% of the passwords overlapped. I must say, folks are just not as creative as I had hoped.
For those that follow math, the average entropy score of the password set was 29.63. I hope to make a neat graph comparing entropy to things like length and commonality, but will apparently have to get more proficient with better graphing tools first. My existing tools found graphing 500,000+ data points somewhat challenging. :)
When I ran the list of passwords against the standard Linux word list, I got 85,196 hits out of 178,049 unique passwords. That’s a 47.85% rate of people that aren’t even trying. Again, we’re talking about the easily-cracked passwords, so this number is inflated… but it’s still much too high.
Surprisingly, I did not see many passwords that were just dates. Those stories of people using their kids’ birthdays as passwords seem to have been exaggerated… or perhaps people today don’t care about their kids very much. :)
So What Do We Do?
Given that this was a set of easily broken passwords, the key things to do to prevent your password from being broken is to make them not fit these patterns. This means:
- Use a mix of lower case letters, upper case letters, numbers and special characters. Use at least one of each.
- Make your passwords longer than eight characters. To lay outside of this data set, 10 would be fine. Personally, I’m going up to 16. After all, if you can remember an eight character password, you should be able to remember two of them stuck together.
- Avoid basing your password on popular culture, sequences of numbers (or keys on the keyboard) or sports. Those passwords are much more common than you’d think.
That’s it. If you do these three steps, you’ll be well outside of this data set and therefore, much less likely to get your password stolen. Of course, the one thing I couldn’t measure was how much these passwords are shared between accounts of the same person. The 65.71% overlap rate suggests that there is a lot of this going on, but I can’t prove it. Still, it’d be a good idea not to do that.
Do these suggestions sound familiar? They should. If you’re still not following them, maybe you should. We don’t suggest them to be annoying or to help protect against some amorphous threat in the future. We suggest it because if you don’t follow these rules, you will be hacked.
We’ve just seen it happen.
Over half a million times in the last six months.
Cuttlefish
- At June 07, 2011
- By Josh More
- In Business Security, Natural History
- 0
I know, I know. The security and squid blog is located elsewhere. Sorry, but I just have to write about this article.
A short time ago, Chuan-Chin Chiao, Kenneth Wickiser, Justine J. Allen, Brock Genter and Roger T. Hanlon published the article Hyperspectral imaging of cuttlefish camouflage indicates good color match in the eyes of fish predators. (How can you resist an article with such a fascinating title?) For those that don’t thrill to reading academic articles about the eyes of coleoid cephalopods (you weirdos), there is a more accessible press release here.
Why am I fascinated about this? Well, cuttlefish have the ability to change their patterning to blending into the background. We’re familiar with how chameleons do this, but cuttlefish are a lot better at it. Not only are they better at it, but they’re also colorblind! (Like me.) That’s right, these critters are capable of changing their own coloration when they can’t even see it. How do they do it? Well, sorry to keep you in suspense, but we still don’t know. There is some suspicion that it involves opsin transcripts, and evidence that body position may have something to do with it, but those theories are insufficient for complete explanation. What’s interesting is the approach of the paper.
Science, as you know, is all about measurement. There’s little room for guesswork and lots of opportunity to be wrong. So if you’re going to measure camouflage, you’d better have a darn good way of doing it. What these guys did was to take hyperspectral images with a HyperScan VNIR system. Effectively, it measured the different amounts of 540 different colors to determine how well the cuttlefish blended in to their background. They looked at their targets as if they were a super predator, with capabilities far beyond that of the predators we know… and the cuttlefish’s technique was still effective.
So what does this mean for us? Well, for me it means that I lost out, as I am colorblind, but aren’t able to perceive the polarization of light like cuttlefish can (lucky critters). However, for the rest of us as a group, it means this:
These creatures developed this ability over millions of years through a complex process of trying different ways to hide and, when they failed, being eaten. From a business perspective, there is some value in failing fast… but little advantage in being eaten. If you want to develop strong protections, you need to find a predator that lets you know when your defense is working and when it’s not, without eating you. Ideally, this would be a super-predator that is better than most of the predators out there.
We call these people penetration testers. Armed not with a HyperScan VNIR, but with tools like network mappers, vulnerability scanners and exploit frameworks, these people can assess your business and let you know if they could break through your defenses and how. You can then protect yourself better by making appropriate changes. Sadly, the industry is still young, and it’s hard to identify the super predators from the others. There is a project to help with this, but for now, here’s a quick evaluation process. When you call a company (like mine) and ask for an evaluation, ask this handful of questions:
- How much will a penetration test cost?
- How much will a vulnerability assessment cost?
- Rule of thumb: Due to the time involved, penetration tests cost at least ten times when vulnerability assessments do. If they don’t, find another company.
- What is the difference between a penetration test and a vulnerability assessment?
- Rule of thumb: If they only say “A penetration test tries to break in, a vulnerability assessment does not”, find another company.
- What is your assessment methodology?
- Here, you should be looking for a standard and repeatable process. You don’t need to dig into the weeds, but you do want to weed out companies that come across as “We just try stuff at random”.
- What problems have your tests caused in the past?
- Here’s a secret of the industry. Anyone worth their salt has broken something. If you don’t sometimes break stuff, you’re not trying hard enough. Companies that try to gloss over this and say “Oh, our tests are safe” are not super-predators.
Get the right help or get eaten.
It’s that simple.
Firefox and Facebook
- At May 31, 2011
- By Josh More
- In Business Security
- 1
I am involved in a great many groups that are (ostensibly) focused on technology or security to some extent. One somewhat disturbing trend that I’ve noticed in recent months is people complaining about their significant others and how they constantly put their shared system at risk through Facebook. Now, I could make this post about how being with someone means accepting their flaws along with their virtues or even go so far down the path of “all you ever do is complain, why on Earth did you marry them in the first place?”, but this isn’t that sort of blog. Instead of doing that, I’ll point out that we have all the tools we need to secure someone else’s connection and you’re having issues isn’t because your spouse is stupid, it’s because you’re lazy.
Here’s how to be less lazy… involving Firefox profiles and Facebook.
This is not another “how to secure Facebook” post. To do that, please see this post from Sophos. This is also not about basic Internet security. No, this is about how to use some built-in functionality in Firefox to create walls between dangerous sites. By itself, it will help a lot against account takeovers and complex leveraged attacks… but if you don’t follow basic security practices like using complex passwords and not sharing them between systems, the benefit will be limited. Keep this in mind as we go through this process.
Profiles
Firefox uses profiles to separate different settings. They are amazingly powerful, and yet, shockingly, people hardly use them at all. What we’re going to do here is create a specific profile for Facebook use and then adjust the default profile to block Facebook. The important thing to remember here is that this technique can be used to protect ANY website, not just Facebook.
Let’s start by installing Firefox if it is not already installed. To do that, just go over to Mozilla.com and download and install Firefox. Once it’s installed, we have to launch the profile manager. The way you do this is going to vary based on operating system. Under Windows 7 and Vista, go to the search box at the bottom left of the start menu and type firefox.exe -ProfileManager -no-remote. If you are running Windows XP, go to the start menu, click Run… and in the dialog, type firefox.exe -ProfileManager -no-remote. If you are running an older version of Windows, just give up now. Those operating systems are dead and cannot be secured. Either upgrade to Windows 7 or look at running an alternate operating system like Ubuntu Linux.
If you are running Linux, you can just open a shell and run firefox -ProfileManager -no-remote
Now we need to create a new profile for Facebook use. To do this, go to Create Profile -> Next -> Enter Facebook for the profile name and click on Finish.
Now you can just select the Facebook profile and click on Start Firefox. This will launch a basic web browser for you. Now we need to configure the appropriate add-ons.
Add-ons
Firefox supports “add-ons” (also called “extensions”) which supply additional functionality to the browser. Each profile maintains its own set of add-ons, so if you like any of the one’s we’re adding here and want to use them in your regular browsing, you’ll have to add them into the default profile as well.
To select your add-ons, you should open the Firefox menu and select the Add-ons link over to the right. For the rest of this section, we will be adding each add-on by searching for the name in the search box at the top right and then clicking the Install button by the Add-on name. The links provided are so you can read about the add-on before adding it if desired. However, please add them through the Firefox interface so that they will be automatically updated for you.
- RequestPolicy – This prevents the so-called “like-jacking” attack by explicitly allowing the browser to connect to specific sites.
- Web of Trust – This connects your browser to a free service that compares sites you try to visit to known list of bad sites.
- NoScript – This prevents your browser from running scripts except for the ones that you explicitly allow.
- AdBlock Plus – Prevents ads from displaying, however, this may break some games. If you play games, please see note 1 at the bottom of this post.
- Certificate Patrol – Improves the HTTPS security within Firefox.
- Force-TLS – Allows Firefox to refuse to connect to a site if it is not secure.
Once these are installed, you will have to restart Firefox to activate them. Either click on of the Restart Firefox links or close the browser and re-launch it using the -ProfileManager -no-remote trick above.
Automatic Tuning
Once you’ve restarted Firefox, it will launch into the automated tuning process and you’ll have to specify some configuration options.
The first thing that will come up is the RequestPolicy configuration window. By default, it allows for some automated tuning… but this makes it less secure than we really want here. Uncheck the “International” checkbox and click on “OK”. We’ll tune the rest of this add-on shortly.
The next dialog is Web of Trust (WOT). The WOT add-on just needs you to accept the EULA before you proceed. Read the EULA and then click on “Accept” if you accept the terms of the EULA.
Now you should have four to five tabs open. The order will likely depend on the order in which you added the add-ons. We will be tuning the NoScript and ForceTLS later in this process, so just close those tabs.
Web of Trust
This is where things start to get complicated. The RequestPolicy addon, by default, will conflict with WOT. You can tell because there is a red flag icon in the bottom right corner. You need to click on the flag and go up to the “Temporarily allow all requests” option.
NOTE: This is something you should do only during the tuning process. Allowing all requests basically turns off the protection that Request Policy allows, and since this is the key protection for Facebook, it should usually be on.
Once this is selected, the page should reload and give you a configuration page for Web of trust. Basic is good enough for us, so just click on Next.
The next option is to register. You do now have to do this, but if you wish to do so, fill out the form and click Finish. Otherwise click on the little red X at the top of the “window” in the browser. Then close the tab.
Adblock Plus
If you chose to install Adblock Plus, this tab will appear. If you chose not to do this, just skip to the next sub-section. On this pane, you select the subscriptions you want. Most users will be fine with just EasyList which should be selected by default, so click on Add subscription and that tab will close.
Options
Now we need to tell Firefox that this profile is to launch Facebook. To do this, click on the Firefox menu and then go to Options and select the top Options option. (And please accept my apologies for that sentence.) You should be in the General tab (far left) of the options dialog. In the area where it says Home Page, please enter in https://www.facebook.com.
Now click on the Content tab. Where it says Enable JavaScript look over at the right and click on the Advanced button. In the tiny little window that comes up, uncheck each checkbox and click on OK. This will help prevent Javascript-based attacks, which are very common on Facebook. We will protect against the rest of them shortly when we configure NoScript.
Now click on the Privacy tab and select Never remember history in the drop down. The less data you store, the less there is for an attacker to steal.
Now click on the Security tab. For the most part, the defaults are good, except that it defaults to storing passwords. Remember that every password you store is a password that could be stolen by an attacker. Uncheck the Remember passwords for sites checkbox. If you have used this profile in the past, you may also wish to click on Saved Passwords and select Remove All.
Now for the complicated step. By default, most browsers choose user convenience over security. We discovered this problem back when Comodo was hacked a few months ago, and this is what you need to do to fix it. Select the Advanced tab. Then select the Encryption sub-tab at the far right of the list of tabs below the primary tabs across the top. Click on Validation and click the bottom-most checkbox. Then click OK to close the sub-dialog and then OK to close the options dialog. The drawback to this is that if Facebook’s OCSP server goes down, you will not be able to connect. The upside is that if Facebook is attacked, you won’t be able to connect to a compromised site.
Now it’s time to restart Firefox again. This will clear the temporary setting change we made and get us to where we can start tuning the system. Run Firefox with the -ProfileManager -no-remote trick again and select the Facebook profile. You should automatically-connect to Facebook and be prompted to log in. Just log in as usual and we can start the manual tuning process.
Manual Tuning
Request Policy
This is going to be the most annoying aspect of accessing Facebook this way, but it is very much worth the extra time it takes. When you start Facebook, you will see a bunch of missing images and some grey flags in their place. This is because RequestPolicy doesn’t yet know which sites are safe, so it blocks everything.
To fix this, click on the little red flag icon in the bottom right of your browser (this is in the status bar of the browser window, not in the Facebook section). This will allow you to let RequestPolicy know which sites can talk to other sites. First we need to go to the Preferences option at the top of the RequestPolicy menu. Click on the Advanced tab over at the right and then select Allow permanent whitelisting when using Private Browsing. Now click on the red flag again and allow the two sites akamaihd.net and fbcdn.net to be accessed by Facebook by selecting the option in bold at the top of each sub-menu.
NoScript
Now we need to allow Javascript so more of Facebook will work. To do this, click on the Options button on the yellow bar along the bottom of the screen.
This works much like RequestPolicy. Just click on the Allow Facebook.com option in bold and the page should refresh.
At this point, Facebooks should be looking pretty normal.
ForceTLS
Now we need to force secure connections in the event that Facebook changes that option (again). To do this, right-click on the Facebook page and select View Page Info, click on the Permission tab, scroll down to where it says Secure Connection and click on both checkboxes.
Games
At this point, things should be more or less working securely for basic Facebook services (reading and posting to walls, getting messages, etc). If you play games, you may have to go through the RequestPolicy and NoScript steps above to allow different sites, but be aware that for every site you add, you increase your risk significantly.
Default Profile
Now we have to tweak the default profile. Restart Firefox again (sorry), and run Firefox with the -ProfileManager -no-remote trick again. This time, select the default profile and go into the Add-ons section as before. This time, we will be adding only one add-on.
LeechBlock
- LeechBlock – Prevents access to specific sites.
After it’s installed and you’ve restarted Firefox, it should come back to the Add-ons Manager. If it does not, you can get there by going to the Firefox menu, then to Add-ons then the Extensions. Now click on Options next to LeechBlock. The Block Set 1 tab should be selected. Under What to Block enter *.facebook.com. Then click on Next to go to the When to Block tab. Just click on the All Day and Every Day buttons as you never want to access Facebook from the default profile. Now, click on OK to activate this change.
Note, if you are doing this to protect someone other than yourself, you may wish to turn on some other options in this add-on to prevent them from unblocking Facebook. You may also wish to replace the standard page with one that says that Facebook is only available via the dedicated Facebook profile. These steps are out of scope for this little How To guide.
Optional Others
If you plan to do anything risky in the default profile, consider using the other add-ons that we used on the Facebook profile. After you’ve used them a bit for Facebook, it should be pretty easy to adapt them to other uses. You may also wish to load LeechBlock into the Facebook profile to prevent people from using that profile to go to other common sites (online banking, webmail, etc) from that profile.
You can also create a dedicated Firefox profile for each of these common uses, if you wish.
Desktop Configuration
Now for the final step. You don’t want people to have to manually type in -ProfileManager -no-remote every time they need to access this profile. Instead, we’ll modify the Firefox icon on the desktop to do this automatically. To do this, right click on the Firefox icon on your desktop and add -ProfileManager -no-remote to the end of the Target section (outside the quotes). Then click OK to save your change. Now when you double-click on the icon, you will be prompted for which profile you wish to run.
If you wish, you can read a bit more about Firefox profiles and make an icon that launches the Facebook profile, but this How To is long enough already, so I won’t be getting into it.
There you go, that’s it! While there’s no “Safe” on the Internet, if you take these steps, you’ll be a whole lot safer than the vast majority of Facebook users.
Notes:
- It would be best if you don’t play games at all on Facebook. There have been numerous problems with game developers being less than trustworthy… and you probably have better things to do with your time anyway. ;) If you must play games, consider using two Facebook accounts and creating a second “Facebook Games” profile to access them in. This way, if you have your friends in one account and your games in another, a bad game won’t put all of your friends at risk.
- You should still use a strong password on your account and not share it anywhere else. If you have a weak password, an attacker can figure it out without your involvement at all, and none of these protections will help. If you share passwords, an attacker can use your password to steal a lot more from you. You can generate strong passwords over at Strong Password Generator.
- You may wish to add different Firefox themes to each profile so there is a visual reminder where you are and what you can do. You can find lots of Firefox themes at the Firefox Themes Site.
- If you are technically-skilled, both RequestPolicy and NoScript allow you to export your configuration so you can import it elsewhere. If you have to set up multiple computers, this can be a time saver (or you can just copy the profile directories). In case it’s useful, here are my exported policy files:
Presentations Posted
- At May 09, 2011
- By Josh More
- In Business Security
- 0
I have finally gotten around to purging sensitive information from my presentations and they are now posted. You can see them from the menu by going to “Professional” and then to “Writings and Presentations”. For your reference, the following are new:
- Malware (2009)
- Malware and Organized Crime (2010)
- Natural PCI (2010)
- Telco Security (2010)
- Natural HIPAA (2011)
- Malware and Identity Theft (2011)
- Natural Security (2011 version, originally in 2010)
- Senior Scams (2011)
Measuring Psychological Variables Of Control In Information Security
- At January 19, 2011
- By Josh More
- In Business Security, Psychology
- 0
For much of the last year, I have been exploring an idea. As of a few weeks ago, I completed a paper based on my explorations. To put it very succinctly, I have long wondered why small businesses do not suffer more security breaches than they do. As a group, they tend to have sloppy operations practices and poor to nonexistent controls. While they are a smaller and less-tempting target, that alone doesn’t seem to explain the lack of problems. One thing that might explain this is the tendency for people at lower risk to compensate for that lower risk by taking larger personal risks. So I decided to study the variables of psychological control within an information security context. The conclusions were somewhat surprising… but that may be due to the limited sample set.
Anyway, if you are interested in Likert scales, psychology or academic analysis of information security, the paper is available here.
If you like, you can just jump down to pages 26-28 and get my conclusions.
I welcome your thoughts.