 
alloyD
Gerbil First Class
Topic Author
Posts: 178
Joined: Thu Apr 14, 2005 4:44 pm
Location: Missouri

NIST password guidelines updated!

Tue Aug 15, 2017 1:00 pm

Finally! NIST has updated their password guidelines to get rid of some of the worst of their complexity requirements. They're now encouraging longer passphrases and discouraging symbol and case requirements. Hopefully we'll start to see organizations start to adopt these soon.
"The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it." --Neil Stephenson
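The guideline change the post describes (length instead of composition rules, plus a check against known-bad values) is easy to see as code. The following is an added example written for this thread, not code from NIST or from any poster; the 8-character floor, the "accept at least 64 characters" rule, the breached/dictionary/sequential/context-word blocklist and the NFKC normalization follow SP 800-63B section 5.1.1.2, while the 128-character cap, the tiny BREACHED set and the sample usernames and service names are constructed for illustration.

```python
import unicodedata

# Policy knobs. The 8-character floor and the requirement to accept at least
# 64 characters come from NIST SP 800-63B section 5.1.1.2; the 128 cap is an
# assumption for this example (any cap of 64 or more satisfies the guideline).
MIN_LEN = 8
MAX_LEN = 128

# Constructed stand-in for a breached-password corpus. A real verifier would
# check against a large list such as the Pwned Passwords data set.
BREACHED = {"password", "123456", "qwerty", "letmein", "p@ssword#1"}


def normalize(secret: str) -> str:
    """Apply NFKC so visually identical inputs compare and hash the same way."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str, run: int = 4) -> bool:
    """True if any window of `run` characters is all one character ("aaaa")
    or a straight ascending/descending code-point run ("abcd", "4321")."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(secret: str, username: str = "", service: str = "") -> list:
    """Return the reasons a candidate secret is rejected; an empty list means accepted.

    Deliberately absent: any uppercase/digit/symbol composition rule and any
    expiry date. Both are what the revised guideline drops.
    """
    pw = normalize(secret)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if low in BREACHED:
        reasons.append("found in breached-password list")
    if is_repetitive_or_sequential(pw):
        reasons.append("contains a repetitive or sequential run")
    # Context-specific words: the account name and the service name (and, in a
    # fuller implementation, simple derivatives of them).
    for label, ctx in (("username", username), ("service name", service)):
        if len(ctx) >= 3 and ctx.lower() in low:
            reasons.append(f"contains the {label}")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; "gerbilbank" is a made-up service name.
    for cand in ("correct horse battery staple", "P@ssword#1", "Tr0ub4d",
                 "abcd1234xyz", "alloyD2017rocks"):
        verdict = check_password(cand, username="alloyD", service="gerbilbank")
        print(f"{cand!r:32} -> {'accepted' if not verdict else ', '.join(verdict)}")
```

Note what the checker never asks for: a digit, a symbol or mixed case. A long all-lowercase passphrase passes, while a short "complex" string or one that appears in a breach list fails.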
 
druidcent
Minister of Gerbil Affairs
Posts: 2510
Joined: Wed Aug 07, 2002 7:55 pm
Location: Earth, Sol, Milky Way
Contact:

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:08 pm

I'm just sad they did not reference XKCD in the publication :(
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:15 pm

NIST also deprecated, in May 2016, the use of raw push SMS one-time passwords.
What we have today is way too much pluribus and not enough unum.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:17 pm

druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


Correct Horse Battery Staple
What we have today is way too much pluribus and not enough unum.
 
chuckula
Minister of Gerbil Affairs
Posts: 2109
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:20 pm

Captain Ned wrote:
druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


Correct Horse Battery Staple


That's amazing! I've got the same password on my luggage!
4770K @ 4.7 GHz; 32GB DDR3-2133; Officially RX-560... that's right AMD you shills!; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:36 pm

chuckula wrote:
Captain Ned wrote:
druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


Correct Horse Battery Staple


That's amazing! I've got the same password on my luggage!

Great, now I need to watch Spaceballs again. :P
Victory requires no explanation. Defeat allows none.
 
alloyD
Gerbil First Class
Topic Author
Posts: 178
Joined: Thu Apr 14, 2005 4:44 pm
Location: Missouri

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:42 pm

druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


You know the guy who wrote that appendix begged his boss.
"The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it." --Neil Stephenson
 
freebird
Gerbil
Posts: 89
Joined: Thu Aug 31, 2006 4:03 pm

Re: NIST password guidelines updated!

Tue Aug 15, 2017 2:06 pm

I read about that last week or so on the dailycaller.com
http://dailycaller.com/2017/08/08/turns ... ds-secure/

This article is interesting also…
https://sg.news.yahoo.com/computer-secu ... 13686.html

P@ssword#1 hasn’t been pwned yet…

and then there is always this site too...
https://haveibeenpwned.com/
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 4:01 pm

So did they change the recommendation of changing your password every so often? I never did follow that, and most people just keep the same password and just add a number to the end of it. It is hard enough to come up with a good password that is easy to remember but hard to guess.
 
ShadowEyez
Gerbil XP
Posts: 348
Joined: Wed Dec 03, 2003 12:31 pm

Re: NIST password guidelines updated!

Tue Aug 15, 2017 4:18 pm

http://pwgen-win.sourceforge.net/ and a good offline password "vault" on the user side.

Hashing, salts, high iterations, perfect forward secrecy, and rate limiting on the app/dev side.

They can try to straddle the balance between what the average human can "easily" remember, for each of their dozens of work and personal accounts, against what multiple dedicated and increasingly fast GPUs and optimized software can achieve, but at this point the random generation + vault strategy seems to be the most viable as far as passwords are concerned. Or have any of you gerbils figured out a better way?
The finest tools are forged from the hottest fires
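The server-side pieces in the post above (salted hashing with a high iteration count, and rate limiting of failed logins) fit in a few dozen lines. This is an added example for the thread, not code from the poster or from any library: it uses PBKDF2-HMAC-SHA256 from the Python standard library, a constant-time digest comparison, and a per-account lockout after a fixed number of failures. The 600,000-iteration default, the 16-byte salt, the 100-failure limit and the one-hour lockout are assumptions chosen for illustration (NIST SP 800-63B only sets floors such as a 32-bit salt and a throttle on failed attempts). Forward secrecy is a property of the transport, so it is out of scope here.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000     # PBKDF2 cost per guess; assumption, tune to ~100 ms on the server
SALT_BYTES = 16          # 128-bit random salt per password (NIST floor is 32 bits)
MAX_FAILURES = 100       # consecutive failures before lockout (assumption)
LOCKOUT_SECONDS = 3600   # lockout length (assumption)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt and derived key."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time so the comparison leaks nothing about the prefix."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class LoginThrottle:
    """Per-account failed-attempt limiter. The clock is injectable for tests."""

    def __init__(self, max_failures: int = MAX_FAILURES,
                 lockout_seconds: float = LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}  # username -> [failure_count, locked_until]

    def attempt(self, username: str, password: str, stored_hash: str) -> str:
        """Return "ok", "bad" or "locked". A locked account is refused before
        any hashing happens, so the attacker cannot keep burning server CPU."""
        count, locked_until = self._state.get(username, [0, 0.0])
        now = self.clock()
        if now < locked_until:
            return "locked"
        if verify_password(password, stored_hash):
            self._state.pop(username, None)   # success resets the counter
            return "ok"
        count += 1
        if count >= self.max_failures:
            self._state[username] = [0, now + self.lockout_seconds]
            return "locked"
        self._state[username] = [count, 0.0]
        return "bad"


if __name__ == "__main__":
    # Constructed demo account and password.
    record = hash_password("correct horse battery staple")
    print(record)
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for guess in ("hunter2", "letmein", "qwerty", "correct horse battery staple"):
        print(f"{guess!r}: {throttle.attempt('alice', guess, record)}")
```

Two things worth noticing when running it: the same password hashes to a different record each time because the salt is fresh, and the lockout holds even when the correct password is supplied, so the legitimate user has to wait out the window too (which is why a real deployment pairs this with a second signal such as IP-based throttling rather than account lockout alone).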
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:06 pm

I guess that's a good thing.


...meanwhile, in the real world, black hats continue to bypass passwords altogether by calling customer service and asking nicely.
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:15 pm

NovusBogus wrote:
I guess that's a good thing.


...meanwhile, in the real world, black hats continue to bypass passwords altogether by calling customer service and asking nicely.

That still works? I would have thought that people would have wised up by now.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:20 pm

whm1974 wrote:
That still works? I would have thought that people would have wised up by now.

Social engineering will always work as long as humans are involved. It's the rare bank exam where I DON'T have the punch-lock code to the entry door by the 3rd day of the exam. I just love writing it on a small sticky note and handing it to the security officer.
What we have today is way too much pluribus and not enough unum.
 
Redocbew
Minister of Gerbil Affairs
Posts: 2495
Joined: Sat Mar 15, 2014 11:44 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:24 pm

It's like wearing scrubs in a big hospital. If you look like you're supposed to be there, then you're supposed to be there. It's a rare thing for someone to stop and say, "hey, you new here?".

Or so I've heard.
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:00 am

Captain Ned wrote:
whm1974 wrote:
That still works? I would have thought that people would have wised up by now.

Social engineering will always work as long as humans are involved. It's the rare bank exam where I DON'T have the punch-lock code to the entry door by the 3rd day of the exam. I just love writing it on a small sticky note and handing it to the security officer.

So how do I prevent myself from becoming a victim of Social Engineering? I do know better than to just give my password to someone calling me saying they are from the bank or whatever. Anything else I should be aware of?
 
Redocbew
Minister of Gerbil Affairs
Posts: 2495
Joined: Sat Mar 15, 2014 11:44 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:24 am

Be like Mulder. Trust no one.
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:31 am

whm1974 wrote:
So how do I prevent myself from becoming a victim of Social Engineering? I do know better than to just give my password to someone calling me saying they are from the bank or whatever. Anything else I should be aware of?

Social engineering works much better in a face-to-face environment. Don't listen to or accept authority automatically. I get the door credentials on day 1 or day 2 by identifying myself as an "auditor" (I am not, as that would mean I'm a CPA, which I am not. Our cover page for exam reports clearly states that it's not an audit, but we are universally referred to by lower-level employees as an "auditor") and ask for the door code on the pretext that I have a whole bunch more stuff to schlep from the car. That works 75% of the time. If I get to day 3 with just asking not having worked, it's even easier. Employees have seen us in the building, know who we are and why we're there, and make no attempt to protect their entry of door codes from shoulder-surfing.

In any security system the human is ALWAYS the weakest link. Given that I've been doing this for 21 years and have been in all of our regulated institutions more times than I care to count, one would expect that institution security officers would post my picture in the break room ('cause the security officers know what's coming, as the institution knows our arrival date about a month ahead of time) with the stern admonition "tell this guy nothing about the doors". The fact that this hasn't happened in 21 years is somewhat disconcerting.
What we have today is way too much pluribus and not enough unum.
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 1:15 am

Redocbew wrote:
It's like wearing scrubs in a big hospital. If you look like you're supposed to be there, then you're supposed to be there. It's a rare thing for someone to stop and say, "hey, you new here?".

Or so I've heard.

Obligatory Defcon videos from my all-time favorite infosec speaker, Jayson Street:

https://www.youtube.com/watch?v=JsVtHqICeKE
https://www.youtube.com/watch?v=2vdvINDmlX8
https://www.youtube.com/watch?v=l1OFH_H8PjQ

Social engineering is definitely alive and well; when did it ever leave? Kevin Mitnick famously said that the most powerful tool in his arsenal was a cable-guy outfit. Seriously, list the breaches in the last few years that came from cracking a password or encrypted scheme. Hell, name me just *one*. Now list all the ones where someone found a backdoor into the one database to rule them all, there was an inside man, mass pwnage via domain controller, zero day fun, USB stick full of super secret files, etc. Unique passwords for important stuff (read: money and investments) are definitely a good thing but beyond that it's just security theater. Bad guys don't care about passwords because they don't have to. Even the high and mighty two factor authentication has been sidestepped on numerous occasions by sweet talking the phone company into reassigning a "lost" device's phone number to something else.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Wed Aug 16, 2017 1:29 am

University of Illinois Urbana-Champaign. 300 USB sticks randomly scattered around parking lots. 48% accessed, the first within 6 minutes of being dropped.

https://www.elie.net/blog/security/conc ... rking-lots
What we have today is way too much pluribus and not enough unum.
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 1:48 am

Captain Ned wrote:
University of Illinois Urbana-Champaign. 300 USB sticks randomly scattered around parking lots. 48% accessed, the first within 6 minutes of being dropped.

https://www.elie.net/blog/security/conc ... rking-lots

Back when floppies were still in high usage, I knew better than to put one in that I found somewhere.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: NIST password guidelines updated!

Wed Aug 16, 2017 6:42 am

whm1974 wrote:
Captain Ned wrote:
University of Illinois Urbana-Champaign. 300 USB sticks randomly scattered around parking lots. 48% accessed, the first within 6 minutes of being dropped.

https://www.elie.net/blog/security/conc ... rking-lots

Back when floppies were still in high usage, I knew better than to put one in that I found somewhere.

With USB sticks, even if you wipe it you have no guarantee that the firmware hasn't been compromised. Just say no to "found" USB devices.
Nostalgia isn't what it used to be.
 
DragonDaddyBear
Gerbil Elite
Posts: 985
Joined: Fri Jan 30, 2009 8:01 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 7:18 am

Redocbew wrote:
It's like wearing scrubs in a big hospital. If you look like you're supposed to be there, then you're supposed to be there. It's a rare thing for someone to stop and say, "hey, you new here?".

Or so I've heard.

It is not uncommon for penetration testers to dress like an IT person and say they need to inventory your computer. Really it's just so they can put on a key logger.

About rotating passwords, I honestly think it's silly that some places do it so often on SOME systems. I view password strength in terms of work effort/time, and that all comes down to bits of entropy. With special characters commonly replacing certain words the average person is much better off using many words than just one or two with a substitution. If it would take a year to break your password then I say change it every year. Sadly, Microsoft is still using the NTLM hash for "performance" reasons. That's a very weak hashing method and it is still pretty easy to score the NTDS.dit file. So changing your work password every 60 or 90 days is unlikely to change, even though you can crack almost every NTLM password hash in well under a day.
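The "work effort in bits of entropy" argument above can be put into numbers. The following is an added example for this thread, not the poster's own calculation: it models a secret as a product of independent random choices, converts the resulting entropy into an expected crack time at a given guess rate, and turns that into the rotation interval the post proposes (change it about as often as it could be cracked). The 20,000-word dictionary, the 32 substitution variants, the 100 two-digit suffixes and both guess rates are modelling assumptions chosen for illustration, not measured figures; the 7,776-word list is the standard Diceware size.

```python
import math

WORDLIST_SIZE = 7776  # a Diceware-style list (6**5 words)

# Illustrative guess rates in guesses per second. Both are assumptions for this
# example: the first models an unsalted fast hash such as NTLM attacked on a
# GPU rig, the second the per-guess cost of a salted, high-iteration KDF.
GUESS_RATES = {
    "fast unsalted hash (NTLM-class, GPU)": 1e11,
    "slow salted KDF (PBKDF2, high iterations)": 1e4,
}


def scheme_bits(*choice_counts: int) -> float:
    """Entropy in bits of a secret built from independent uniform choices,
    e.g. scheme_bits(7776, 7776, 7776, 7776) for four Diceware words.
    This measures the generation scheme, not a particular string."""
    return sum(math.log2(n) for n in choice_counts)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a secret of the given entropy: on average the
    attacker searches half the keyspace before hitting it."""
    return 2 ** (bits - 1) / guesses_per_second


def rotation_days(bits: float, guesses_per_second: float) -> float:
    """The interval the post argues for: rotate about as often as the secret
    could be expected to be cracked at this guess rate."""
    return expected_crack_seconds(bits, guesses_per_second) / 86400


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3g} seconds"


SCHEMES = {
    # One dictionary word, one of 32 case/leet substitution patterns, two
    # trailing digits: 20,000 x 32 x 100 (modelling assumptions).
    "substituted word + 2 digits": scheme_bits(20_000, 32, 100),
    "4 random Diceware words": scheme_bits(*[WORDLIST_SIZE] * 4),
    "6 random Diceware words": scheme_bits(*[WORDLIST_SIZE] * 6),
}

if __name__ == "__main__":
    for name, bits in SCHEMES.items():
        print(f"{name}: {bits:.1f} bits")
        for rate_name, rate in GUESS_RATES.items():
            secs = expected_crack_seconds(bits, rate)
            print(f"  {rate_name}: ~{humanize(secs)}"
                  f" -> rotate every {rotation_days(bits, rate):.0f} days")
```

The point the output makes is the one in the post: the substituted single word sits around 26 bits and falls in a fraction of a second against a fast unsalted hash, whereas four random words are roughly 52 bits and six are roughly 78, and the same secret lasts orders of magnitude longer when the hash itself is slow. Rotation interval follows from crack time, not from a calendar.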
 
druidcent
Minister of Gerbil Affairs
Posts: 2510
Joined: Wed Aug 07, 2002 7:55 pm
Location: Earth, Sol, Milky Way
Contact:

Re: NIST password guidelines updated!

Wed Aug 16, 2017 8:52 am

Captain Ned wrote:
In any security system the human is ALWAYS the weakest link. Given that I've been doing this for 21 years and have been in all of our regulated institutions more times than I care to count, one would expect that institution security officers would post my picture in the break room ('cause the security officers know what's coming, as the institution knows our arrival date about a month ahead of time) with the stern admonition "tell this guy nothing about the doors". The fact that this hasn't happened in 21 years is somewhat disconcerting.


A friend in the security industry is always complaining of the high turnover, and complete incompetents that he works with (I'll grant that about half the issues are his fault), but if the bank security guards are on par with the corporate security guards that I hear about, it really doesn't surprise me at all. In fact, I'm almost willing to place a bet that whoever knows that you are coming either told a guard manager that isn't there anymore, or just logged it in the system and forgot to tell anyone.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Wed Aug 16, 2017 9:00 am

Guards? In Vermont? I get my info from the dewy-eyed young tellers who have to be there before opening and are less resistant to an argument from authority attempt.
What we have today is way too much pluribus and not enough unum.
 
Vhalidictes
Gerbil Jedi
Posts: 1835
Joined: Fri Jan 07, 2005 2:32 pm
Location: Paragon City, RI

Re: NIST password guidelines updated!

Wed Aug 16, 2017 11:44 am

Captain Ned wrote:
Guards? In Vermont? I get my info from the dewy-eyed young tellers who have to be there before opening and are less resistant to an argument from authority attempt.


Social engineering is mostly about outfit choice and body language. I can't count the number of times I had to get into a building, high 4 figures easily, and it was never an issue for me (spent years as an IT consultant). And my interpersonal skills suck. If I had any actual charisma it would literally be effortless to get around. And yes, government buildings aren't much better than corporate.
 
chuckula
Minister of Gerbil Affairs
Posts: 2109
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: NIST password guidelines updated!

Wed Aug 16, 2017 11:56 am

Vhalidictes wrote:
Captain Ned wrote:
Guards? In Vermont? I get my info from the dewy-eyed young tellers who have to be there before opening and are less resistant to an argument from authority attempt.


Social engineering is mostly about outfit choice and body language. I can't count the number of times I had to get into a building, high 4 figures easily, and it was never an issue for me (spent years as an IT consultant). And my interpersonal skills suck. If I had any actual charisma it would literally be effortless to get around. And yes, government buildings aren't much better than corporate.


Did you have a clipboard, hard hat, orange vest, and some form of lanyard? If you have those ingredients then you can probably get in practically anywhere in the world.
4770K @ 4.7 GHz; 32GB DDR3-2133; Officially RX-560... that's right AMD you shills!; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:03 pm

Vhalidictes wrote:
Captain Ned wrote:
Guards? In Vermont? I get my info from the dewy-eyed young tellers who have to be there before opening and are less resistant to an argument from authority attempt.


Social engineering is mostly about outfit choice and body language. I can't count the number of times I had to get into a building, high 4 figures easily, and it was never an issue for me (spent years as an IT consultant). And my interpersonal skills suck. If I had any actual charisma it would literally be effortless to get around. And yes, government buildings aren't much better than corporate.

So if we wanted to we could LARP our way into places we don't belong by dressing right and having enough Charisma?
 
Redocbew
Minister of Gerbil Affairs
Posts: 2495
Joined: Sat Mar 15, 2014 11:44 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:07 pm

whm1974 wrote:
So if we wanted to we could LARP our way into places we don't belong by dressing right and having enough Charisma?


Catch me if you can...
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
whm1974
Emperor Gerbilius I
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:18 pm

Redocbew wrote:
whm1974 wrote:
So if we wanted to we could LARP our way into places we don't belong by dressing right and having enough Charisma?


Catch me if you can...

I've seen that movie.
 
Glorious
Gerbilus Supremus
Posts: 12343
Joined: Tue Aug 27, 2002 6:35 pm

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:38 pm

whm1974 wrote:
So if we wanted to we could LARP our way into places we don't belong by dressing right and having enough Charisma?


Most, not all.

That's because most places have "security" to basically make sure homeless people don't squat in the lobby. If you look like you know what you are doing and are dressed appropriately, you don't even get noticed typically.

Likewise with badge doors, they exist so drunks don't just wander in. If you look like you know what you are doing etc..., you just follow someone in. Most places don't even bother to try and make it socially clear that you shouldn't just let someone in behind you, much less piss everyone off by actually punishing someone for it.

At my plant, for instance, it's all very seriously fenced/walled off topped with concertina wire and you can only get in via foot by one-person metered full turnstiles operated by badges. The vehicle gates are manned and serious too. There are armed guards, security vehicles etc... I've seen them chase off people just taking pictures from the outside!

But, you know, this is heavy industry. Hence with rail. Specifically, numerous rail lines that go into the plant. :wink:

Sure, they aren't all that obvious and inconveniently located for foot/vehicle traffic. But, if you are motivated and think about it for a moment, I mean, there *might* be some DVR system "guarding" those various entry points...?

---

I've never been in the military etc..., but I'm pretty sure the only way they've found around this problem is authorizing the low-level guys at the entry points to *KILL* anyone who (almost certainly legitimately) is a higher ranked officer who "forgot" his documents/whatever and is trying to just bully his way in despite procedure.

It really does take that level of credible deterrence to even approach being foolproof.
