Justifiable Paranoia

The infosec QOTD: Famous quotes re-imagined (2010-05)

Steve Werby — Tue, 04 May 2010 02:45:03 +0000

Date	Re-imagined Quote
2010-05-13	“Your attackers have not failed. They’ve just found 10,000 ways that won’t work.” -Thomas Edison
2010-05-06	“All hackers by nature desire knowledge.” -Aristotle
2010-05-05	“I asked for WPA2, I got WEP. How’s that for being born under a bad sign?” -Ferris Bueller (from Ferris Bueller’s Day Off)
2010-05-04	“I find your lack of antivirus disturbing.” -Darth Vader (from Star Wars)
2010-05-03	“To succeed in information security it is necessary to make others see things as you see them.” -John H. Patterson

The infosec QOTD: Famous quotes re-imagined (2010-04)

Steve Werby — Tue, 13 Apr 2010 03:31:23 +0000

Date	Re-imagined Quote
2010-04-28	“The best remedy for a short password is a long passphrase.” -Joseph Joubert
2010-04-27	“Pray that DoS attacks will not come any faster than you are able to endure them.” -Nnamdi Azikiwe
2010-04-26	“A wise man changes his password, a fool never will.” -Spanish Proverb
2010-04-15	“The things most people want to know about are usually trivial to find on Facebook.” -George Bernard Shaw
2010-04-14	“What the world requires of naive users is that they should continue to be naive users.” -Albert Camus
2010-04-13	“A hacker who is not dangerous is unworthy of being called a hacker at all.” -Oscar Wilde
2010-04-12	“Fear is pain arising from the anticipation of a data breach.” -Aristotle

Security Twits NCAA tourney bracket contest – winner!

Steve Werby — Thu, 08 Apr 2010 23:55:47 +0000

The Security Twits NCAA tourney bracket contest is over. And the winner is @rogueclown (AKA Nicolle Neulist)! @rogueclown DESTROYED her competitors by correctly picking Duke to win it all. Ugh, Duke. @jfug barely edged out @ramblinpeck for 2nd place. @stevewerby (yours truly) was a measly point behind. And @theharmonyguy and @infosecjerk probably wish I didn’t post this.

So until next year, @rogueclown has bragging rights. And I owe her “a yet-to-be-designed but guaranteed-to-be-awesome t-shirt” (it’s on my to-do list…but it could be several weeks…or more).

Security Twits NCAA tourney bracket contest

Steve Werby — Mon, 15 Mar 2010 01:35:27 +0000

I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year, as well as a yet-to-be-designed but guaranteed-to-be-awesome t-shirt.

The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

Go to the tournament page.
After logging, click “Join Group”.
Enter Group ID 82792.
Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the passwords are information security related.

Part 1 – Something that’s in the sky
Part 2 – The 2010 information security acronym du jour
Part 3 – The mascot of attrition.org
Part 4 – The number of security risks found in the 2010 OWASP Top 10

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Password hints added 2010-03-17:

Part 1 – It’s fluffy and it’s stealing your org’s data
Part 2 – It’s an anagram for an androgynous fictional character from the 1990s
Part 3 – Really? Really?
Part 4 – Really? Really?

Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 18 (the play-in game on March 16 isn’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited.

The infosec QOTD: Famous quotes re-imagined (2010-03)

Steve Werby — Mon, 01 Mar 2010 23:35:45 +0000

Date	Re-imagined Quote
2010-03-24	“Nothing is more difficult, and therefore more precious, than to be able to change users’ behavior.” -Napoleon Bonaparte
2010-03-22	“They’ve done studies, you know. 60% of the time antivirus software works, every time.” -Brian Fantana (from Anchorman)
2010-03-18	“Data loss happens to everybody sooner or later if there is time enough.” -George Bernard Shaw
2010-03-17	“A person who never made a mistake never tried writing code.” -Albert Einstein
2010-03-15	“FUD is the art of convincing people to spend money they don’t have for security solutions they don’t need.” -Will Rogers
2010-03-12	“We do not quit hacking because we grow old, we grow old because we quit hacking.” -Oliver Wendell Holmes
2010-03-11	“It’s hard to beat a hacker who never gives up.” -Babe Ruth
2010-03-10	“It is an unfortunate fact that we can secure critical infrastructure only by preparing for cyberwar.” -John F. Kennedy
2010-03-09	“What we’ve got here is a failure to remediate.” -Luke (from Cool Hand Luke)
2010-03-08	“You can avoid security, but you cannot avoid the consequences of avoiding security.” -Ayn Rand
2010-03-05	“I can’t believe I gave my password to a geek.” -Samantha Baker (from Sixteen Candles)
2010-03-04	“From there to here, and here to there, vulnerable things are everywhere.” -Dr. Seuss
2010-03-03	“The elevator to security is out of order. You’ll have to use the stairs…one step at a time.” -Joe Girard
2010-03-02	“IT security is like war – offensive weapons are developed first and it always takes a while for the defense to catch up.” -Red Auerbach
2010-03-01	“The pain of the exploit is worse than the pain of the patch.” -Publilius Syrus

Last month’s quotes

We will, we will RockYou: A list of firsts

Steve Werby — Mon, 22 Feb 2010 11:24:01 +0000

Last December, a hacker acquired the password list for RockYou by exploiting a SQL injection vulnerability which revealed the usernames, email addresses and passwords of a whopping 32.6 million users. And worst of all (besides the company’s attempt to first cover up the incident, then downplay it), the passwords were stored in plain text! Not that hashing would have slowed an attacker down much. Most users’ passwords consisted of short, common words or were all-numeric.

I ranked the 14.3 million unique case-sensitive RockYou passwords by frequency and reviewed the top 2,000 uniques (accounting for 4.7 million users’ passwords) to identify the top passwords by category, some of which are shared below.

Eminem is more popular than Jesus as a password for RockYou users? Who knew? 7,241 uniques of “eminem” versus 5,866 for “jesus”. When case-sensitivity is ignored the same holds true. 7,594 uniques for 7 variations of “Eminem” versus 6,449 for 9 variations of “Jesus”.

Category	Password	Rank
Numeric sequence	123456	1
Passphrase	iloveyou	5
Female name	nicole	11
Male name	daniel	12
Animal	monkey	14
Fictional character	tigger	25
Food	chocolate	27
Sport	soccer	29
Color	purple	33
Profanity	fuckyou	39
Palindrome	hannah	50
Magazine	playboy	59
Slang	hottie	62
Entertainer	eminem	75
Religious figure	jesus	103
Place	america	121
Non-English word	sakura	114
Band	blink182	165
Website name	myspace	182
Non-English passphrase	mahalkita	198
Month	september	200
Zodiac astriological symbols	gemini	211
Company name	samsung	255
City	barcelona	273
American city	orlando	275
Country	portugal	301
Auto manufacturer	mercedes	353
Repeating letter sequence	aaaaaa	374
Sports team	steaua	400
Drink	cocacola	471
Sports team (American)	lakers	480
Musical instrument	guitar	550
Celebrity (female)	shakira	569
Drugs	maryjane	597
ALL-CAPS	PASSWORD	800
Contains special character	iloveyou!	984
First letter capitalized only	Password	1856

The infosec QOTD: Famous quotes re-imagined (2010-02)

Steve Werby — Sat, 13 Feb 2010 12:10:29 +0000

The world is full of famous quotes…and quotes about information security, but famous quotes re-imagined as information security quotes is an unfilled niche. The Quote of the Day consists of well-known quotes modified ever so slightly to convert them into plausible (maybe?) information security quotes. Hover over a quote to reveal the original.

Date	Re-imagined Quote
2010-02-26	“Pretexting is the most beautiful fraud in the world.” -Jean-Luc Godard
2010-02-25	“Brian Krebs always had a way of explaining things so I could understand them.” -Forrest Gump
2010-02-24	“He best keeps from danger who remembers the Sysadmin is always looking upon him.” -Plato
2010-02-23	“The young security pro knows the rules, but the old security pro knows the exceptions.” -Oliver Wendell Holmes
2010-02-22	“Phishing is a canvas furnished by gullibility and embroidered by fear.” -Voltaire
2010-02-19	“The IT security field is always in need of new cliches.” -Alan Perlis
2010-02-18	“As far back as I can remember, I always wanted to be a hacker.” -Henry Hill (from Goodfellas)
2010-02-17	“The more you explain cryptography, the more I don’t understand it.” -Mark Twain
2010-02-16	“We are going to have cloud security, even if we have to fight for it.” -Dwight Eisenhower
2010-02-15	“Never try to teach a user information security; it wastes your time and it annoys the user.” -Robert Heinlein
2010-02-14	“An information security officer cannot always be popular.” -Harry Truman
2010-02-13	“I love the smell of malware in the morning.” -Lieutenant Colonel Bill Kilgore (from Apocalypse Now)