Cerberus_(PSF)

Kerberos Weaknesses: Pass the Ticket Is a Real Threat

August is always a good time to check up on the dark side.  Black Hat had its annual conference earlier this month, and there’s always presentations worth looking at.  I’ve been writing about Kerberos recently, and while it’s a big improvement over Microsoft’s NLTM, nothing is ever perfect.  I came across a presentation that looks…

DisneyTicketBook_wbelf

Authentication Lessons From the Magic Kingdom: A Closer Look at Kerberos, Part II

Let’s continue our journey into the Magic Kingdom as a way to explore Kerberos. Sure the comparison doesn’t completely track, but it’s close and easy enough to grasp that I think you won’t mind missing—trust me on this—the standard Kerberos protocol diagrams. Back to Disney World: you’re now in the park with your passport booklet…

800px-Syringe_and_hypodermic

Top Five Most Dangerous Software Errors

Over the years, Mitre, the MIT research group, has been analyzing software bugs and missteps that hackers have been able to exploit. Their Common Vulnerabilities and Exposures (CVE) classifications are something of a de-facto standard used for describing the root software causes in an attack.  Working with SANS, the Mitre CVE team has come up…

Billion User Breach PSA

The latest story which has the security world in tizzy is the New York Times report that Russian hackers have amassed more than a billion Internet passwords. Bruce Schneier wrote in interesting post yesterday calling into question the validity of this report. He points out that Hold Security, the company that is hyping this breach, is not only…

Magic_Kingdom_2

Authentication Lessons from the Magic Kingdom: A Closer Look at Kerberos, Part I

The flaws in NTLM I’ve been writing about might lead you to believe that highly-secure authentication in a distributed environment is beyond the reach of mankind. Thankfully, resistance against hackers is not futile. An advanced civilization, MIT researchers in the 1980s to be exact, developed open-source Kerberos authentication software, which has stood the test of…

hidden - keys-partial

Deadly credential vulnerabilities found in mobile apps

I’m beginning to be known around here as the bearer of bad news on authentication hacks. Unfortunately, I have more to share. In June, researchers at Columbia University announced they discovered secret login keys hidden in thousands of Google Play apps. Left by developers to access their own cloud-based accounts—on Facebook, AWS, Twitter, and other…

Top Minds in Online Privacy

Top 8 Minds in Online Privacy

1. Alessandro Acquisti @ssnstudy Acquisti is a professor of computer science at Carnegie-Mellon University, and is also a researcher at Cylab, a data security research center at CMU. He’s best known for an experiment in which he photographed random students on the Mellon campus and used off-the-shelf facial recognition software to match against head shots…

5-things-privacy-wearables

5 Things Privacy Experts Want You to Know About Wearables

There’s been a lot of news lately in the health and fitness wearables space. Apple just announced they’re releasing an app, called “Health,” as well as a cloud-based platform “Health Kit”. Somewhat related, Nike recently pulled the plug on its activity tracking Fuelband. The conventional wisdom is that fitness trackers are on the decline, while…

NTLM warning

A Closer Look at Pass the Hash, Part III: How NTLM will get you hacked (and what you should do about it)

I was about ready to wrap up this series of posts (part 1, part 2 ) on PtH and make my larger point, which is that you should assume hackers will break into your system. And then I learned new information about credential stealing that amplifies this warning by a factor of 10. The most…

monkeys

The Security Chaos Monkey

Jon Oltsik wrote a great article in Network World recently championing the importance of end user involvement in a company’s IT security strategy.  He acknowledges that employees are often a company’s own worst enemy, frequently scorned by their IT overlords. But Olstik argues that CISOs should instead directly enlist them to help build a security-minded…