Lately we have seen various attacks against the various SSL/TLS usages that we have in the world. The attacks have not been technical per se, but instead use weaknesses in the procedures that are used to get a certificate. Lets first look at how trust is built up using SSL.
Passwords are the prevalent means of authentication. Even though there have been many complementary authentication mechanisms and schemes, passwords are used almost everywhere that a user wants to prove that he knows a secret that only he is supposed to know. On the other hand, if someone else can guess that password, along with the username (often easy to find), then he could pretend he is the user and do all sorts of things on his behalf. We have seen multiple examples of corporate executives having their personal email accounts hijacked. We have seen celebrities having their Twitter accounts stolen and posting things they would never do. We also have seen studies that show that a vast majority of users still use standard and pretty easy password to guess.
It is common knowledge that passwords need to be hard to guess; that is a requirement. Andy Balinsky’s post describes some guideliness about choosing numeric passwords (aka for handheld devices). In the same context, David McGrew’s post provides a script that can generate random keys that can be used for pre-shared key authentication. Electronic user passwords are a little different because they involve letters and completely depend on the user (system checks are usually also employed). Users need to be able to chose and remember them in order to use them when needed. But the “hard to guess” and the “easy to remember” requirements don’t go well together and that is the basic challenge.
As software manufacturers fix security vulnerabilities they will often release new versions of their software for their users. This is a good thing and aims to protect us from many potential online threats, such as trojans that steal our personal information, or scareware that serves no legitimate purpose. However, it begs the question: How do we users learn of this newer software so that we can be protected?
Like most things, the answer is, of course: it depends.
In today’s Cyber Security Awareness Month Tip of the Day we revisit a past post to once again focus on the fact that millions of individuals are victims of their own carelessness by freely posting information such as vacation plans and family photos on social networks, and by storing Personally Identifiable Information (PII) such as medical records and financial information on mobile devices. Users are sometimes not sufficiently educated when it comes to what types of information should be shared, and with whom they should be sharing this information.
While the thoughts of many of us may turn to (American) football, Halloween, and raking leaves (at least those of us on the East Coast of the U.S.), the turning of the calendar page to October also means something else to all of us in the cyber security world. October, 2011 marks the eighth annual National Cyber Security Awareness Month sponsored by the Department of Homeland Security, in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Read More »