Justifiable Paranoia

I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year (@rogueclown, your reign is almost up!), as well as a yet-to-be-determined prize (still owed to the very patient @rogueclown for her 2011 victory). The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

1. Go to the tournament page.
2. After logging, click “Join Group”.
3. Enter Group ID 178984.
4. Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the passwords are information security related.

1. Part 1 – Short name of widely used app currently being targeted in 0-day attacks (also first name of Sci-Fi comic strip hero with last name “Gordon”)
2. Part 2 – Worm that targeted Siemens SCADA systems in Iran
3. Part 3 – Last name of former employee of HBGary Federal who isn’t all that anonymous (see what I did there!?)
4. Part 4 – The number of minutes it takes LIGATT to train anyone to be a computer hacker

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 17 (the 4 play-in games on March 15 and March 16 aren’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited.

The Security Twits NCAA tourney bracket contest is over. And the winner is @rogueclown (AKA Nicolle Neulist)! @rogueclown DESTROYED her competitors by correctly picking Duke to win it all. Ugh, Duke. @jfug barely edged out @ramblinpeck for 2nd place. @stevewerby (yours truly) was a measly point behind. And @theharmonyguy and @infosecjerk probably wish I didn’t post this.

So until next year, @rogueclown has bragging rights. And I owe her “a yet-to-be-designed but guaranteed-to-be-awesome t-shirt” (it’s on my to-do list…but it could be several weeks…or more).

I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year, as well as a yet-to-be-designed but guaranteed-to-be-awesome t-shirt.

The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

1. Go to the tournament page.
2. After logging, click “Join Group”.
3. Enter Group ID 82792.
4. Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the passwords are information security related.

1. Part 1 – Something that’s in the sky
2. Part 2 – The 2010 information security acronym du jour
3. Part 3 – The mascot of attrition.org
4. Part 4 – The number of security risks found in the 2010 OWASP Top 10

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Password hints added 2010-03-17:

1. Part 1 – It’s fluffy and it’s stealing your org’s data
2. Part 2 – It’s an anagram for an androgynous fictional character from the 1990s
3. Part 3 – Really? Really?
4. Part 4 – Really? Really?

Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 18 (the play-in game on March 16 isn’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited.

Last month’s quotes

Last December, a hacker acquired the password list for RockYou by exploiting a SQL injection vulnerability which revealed the usernames, email addresses and passwords of a whopping 32.6 million users. And worst of all (besides the company’s attempt to first cover up the incident, then downplay it), the passwords were stored in plain text! Not that hashing would have slowed an attacker down much. Most users’ passwords consisted of short, common words or were all-numeric.

I ranked the 14.3 million unique case-sensitive RockYou passwords by frequency and reviewed the top 2,000 uniques (accounting for 4.7 million users’ passwords) to identify the top passwords by category, some of which are shared below.

Eminem is more popular than Jesus as a password for RockYou users? Who knew? 7,241 uniques of “eminem” versus 5,866 for “jesus”. When case-sensitivity is ignored the same holds true. 7,594 uniques for 7 variations of “Eminem” versus 6,449 for 9 variations of “Jesus”.

The world is full of famous quotes…and quotes about information security, but famous quotes re-imagined as information security quotes is an unfilled niche. The Quote of the Day consists of well-known quotes modified ever so slightly to convert them into plausible (maybe?) information security quotes. Hover over a quote to reveal the original.