March 15th, 2011
112 Comments
I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year (@rogueclown, your reign is almost up!), as well as a yet-to-be-determined prize (still owed to the very patient @rogueclown for her 2011 victory). The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.
To participate:
- Go to the tournament page.
- After logging in, click “Join Group”.
- Enter Group ID 178984.
- Enter the password.
Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the password are information security related.
- Part 1 – Short name of widely used app currently being targeted in 0-day attacks (also first name of Sci-Fi comic strip hero with last name “Gordon”)
- Part 2 – Worm that targeted Siemens SCADA systems in Iran
- Part 3 – Last name of former employee of HBGary Federal who isn’t all that anonymous (see what I did there!?)
- Part 4 – The number of minutes it takes LIGATT to train anyone to be a computer hacker
In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.
Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 17 (the 4 play-in games on March 15 and March 16 aren’t part of the contest).
The fine print:
And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited.
April 8th, 2010
79 Comments
The Security Twits NCAA tourney bracket contest is over. And the winner is @rogueclown (AKA Nicolle Neulist)! @rogueclown DESTROYED her competitors by correctly picking Duke to win it all. Ugh, Duke. @jfug barely edged out @ramblinpeck for 2nd place. @stevewerby (yours truly) was a measly point behind. And @theharmonyguy and @infosecjerk probably wish I didn’t post this.

So until next year, @rogueclown has bragging rights. And I owe her “a yet-to-be-designed but guaranteed-to-be-awesome t-shirt” (it’s on my to-do list…but it could be several weeks…or more).
March 14th, 2010
129 Comments
I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year, as well as a yet-to-be-designed but guaranteed-to-be-awesome t-shirt.
The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.
To participate:
- Go to the tournament page.
- After logging in, click “Join Group”.
- Enter Group ID 82792.
- Enter the password.
Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the password are information security related.
- Part 1 – Something that’s in the sky
- Part 2 – The 2010 information security acronym du jour
- Part 3 – The mascot of attrition.org
- Part 4 – The number of security risks found in the 2010 OWASP Top 10
In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.
Password hints added 2010-03-17:
- Part 1 – It’s fluffy and it’s stealing your org’s data
- Part 2 – It’s an anagram for an androgynous fictional character from the 1990s
- Part 3 – Really? Really?
- Part 4 – Really? Really?
Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 18 (the play-in game on March 16 isn’t part of the contest).
The fine print:
And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited.
February 22nd, 2010
97 Comments
Last December, a hacker acquired the password list for RockYou by exploiting a SQL injection vulnerability which revealed the usernames, email addresses and passwords of a whopping 32.6 million users. And worst of all (besides the company’s attempt to first cover up the incident, then downplay it), the passwords were stored in plain text! Not that hashing would have slowed an attacker down much. Most users’ passwords consisted of short, common words or were all-numeric.
I ranked the 14.3 million unique case-sensitive RockYou passwords by frequency and reviewed the top 2,000 uniques (accounting for 4.7 million users’ passwords) to identify the top passwords by category, some of which are shared below.
Eminem is more popular than Jesus as a password for RockYou users? Who knew? 7,241 users chose “eminem” versus 5,866 who chose “jesus”. When case is ignored the same holds true: 7,594 users across 7 case variations of “Eminem” versus 6,449 across 9 variations of “Jesus”.
| Category | Password | Rank |
|---|---|---|
| Numeric sequence | 123456 | 1 |
| Passphrase | iloveyou | 5 |
| Female name | nicole | 11 |
| Male name | daniel | 12 |
| Animal | monkey | 14 |
| Fictional character | tigger | 25 |
| Food | chocolate | 27 |
| Sport | soccer | 29 |
| Color | purple | 33 |
| Profanity | fuckyou | 39 |
| Palindrome | hannah | 50 |
| Magazine | playboy | 59 |
| Slang | hottie | 62 |
| Entertainer | eminem | 75 |
| Religious figure | jesus | 103 |
| Place | america | 121 |
| Non-English word | sakura | 114 |
| Band | blink182 | 165 |
| Website name | myspace | 182 |
| Non-English passphrase | mahalkita | 198 |
| Month | september | 200 |
| Zodiac astrological symbol | gemini | 211 |
| Company name | samsung | 255 |
| City | barcelona | 273 |
| American city | orlando | 275 |
| Country | portugal | 301 |
| Auto manufacturer | mercedes | 353 |
| Repeating letter sequence | aaaaaa | 374 |
| Sports team | steaua | 400 |
| Drink | cocacola | 471 |
| Sports team (American) | lakers | 480 |
| Musical instrument | guitar | 550 |
| Celebrity (female) | shakira | 569 |
| Drugs | maryjane | 597 |
| ALL-CAPS | PASSWORD | 800 |
| Contains special character | iloveyou! | 984 |
| First letter capitalized only | Password | 1856 |
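The ranking described above (case-sensitive frequency ranking, case-insensitive grouping of variants such as “eminem”/“Eminem”, and the share of users covered by the top N passwords) is easy to reproduce on any leaked list you are assessing for your own user base. The following is an added example, not the author’s script; the password list is a small constructed sample, not data from the RockYou dump.

```python
from collections import Counter

# Constructed sample: one entry per user, as a plain-text dump would contain.
# Values are made up for illustration and are not from the real breach.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456",
    "iloveyou", "iloveyou", "iloveyou",
    "eminem", "eminem", "Eminem", "EMINEM",
    "jesus", "Jesus", "JESUS",
    "monkey", "monkey",
    "Password", "password",
    "sakura",
]


def rank_passwords(passwords):
    """Return (password, user_count) pairs, most common first, case-sensitive.
    Ties are broken alphabetically so the ranking is deterministic."""
    counts = Counter(passwords)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_of(passwords, needle):
    """1-based position of one exact password in the case-sensitive ranking,
    or None if nobody used it."""
    for position, (pw, _) in enumerate(rank_passwords(passwords), start=1):
        if pw == needle:
            return position
    return None


def casefold_groups(passwords):
    """Group values that differ only by letter case.
    Returns {folded_password: (total_users, number_of_case_variants)}."""
    variants = {}
    for pw in passwords:
        variants.setdefault(pw.casefold(), Counter())[pw] += 1
    return {folded: (sum(c.values()), len(c)) for folded, c in variants.items()}


def top_n_coverage(passwords, n):
    """Fraction of all users whose password is one of the n most common values.
    This is the 'top 2,000 uniques cover 4.7 million users' style figure."""
    ranked = rank_passwords(passwords)
    covered = sum(count for _, count in ranked[:n])
    return covered / len(passwords)


if __name__ == "__main__":
    for pw, users in rank_passwords(SAMPLE_PASSWORDS)[:5]:
        print(f"{pw:12} {users}")
    print("eminem (any case):", casefold_groups(SAMPLE_PASSWORDS)["eminem"])
    print(f"top 3 values cover {top_n_coverage(SAMPLE_PASSWORDS, 3):.0%} of users")
```

On the sample, “eminem” ranks 3rd case-sensitively, and the three case variants together account for 4 of 19 users; the top 3 values alone cover 9 of 19 users. Run the same functions over a real list and the coverage figure tells you how much of your user base a blocklist of the most common values would protect.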
February 13th, 2010
146 Comments
The world is full of famous quotes…and quotes about information security, but famous quotes re-imagined as information security quotes is an unfilled niche. The Quote of the Day consists of well-known quotes modified ever so slightly to convert them into plausible (maybe?) information security quotes. Hover over a quote to reveal the original.
| Date | Re-imagined Quote |
|---|---|
| 2010-02-26 | “Pretexting is the most beautiful fraud in the world.” -Jean-Luc Godard |
| 2010-02-25 | “Brian Krebs always had a way of explaining things so I could understand them.” -Forrest Gump |
| 2010-02-24 | “He best keeps from danger who remembers the Sysadmin is always looking upon him.” -Plato |
| 2010-02-23 | “The young security pro knows the rules, but the old security pro knows the exceptions.” -Oliver Wendell Holmes |
| 2010-02-22 | “Phishing is a canvas furnished by gullibility and embroidered by fear.” -Voltaire |
| 2010-02-19 | “The IT security field is always in need of new cliches.” -Alan Perlis |
| 2010-02-18 | “As far back as I can remember, I always wanted to be a hacker.” -Henry Hill (from Goodfellas) |
| 2010-02-17 | “The more you explain cryptography, the more I don’t understand it.” -Mark Twain |
| 2010-02-16 | “We are going to have cloud security, even if we have to fight for it.” -Dwight Eisenhower |
| 2010-02-15 | “Never try to teach a user information security; it wastes your time and it annoys the user.” -Robert Heinlein |
| 2010-02-14 | “An information security officer cannot always be popular.” -Harry Truman |
| 2010-02-13 | “I love the smell of malware in the morning.” -Lieutenant Colonel Bill Kilgore (from Apocalypse Now) |