Saturday, November 1, 2014

Justification for Your Paranoia

Okay, yesterday was the last day of NCSAM, so here is one last bonus security post to close out the month. As I write this, I am hitting refresh like mad trying to get into Shmoocon 2015 in January...

1) Let's start with this awesome video...

2) On the same topic, slightly less amusing, but slightly more useful...
If you have trouble coming up with sufficiently long, sufficiently random passwords, passwds.io can help. Just specify the length and how many passwords you want and it will spit several out for you. The passwords are only pseudo-random, and are designed to have pronounceable portions to make them easier to remember. Keep in mind, even a 20-character or longer password from this site will not be completely secure...
First, they are broadcast to you in plaintext. Yes, it's over HTTPS, but that does not stop the guy who made it from reading them all.
Secondly, they use only lower-case letters, upper-case letters, and digits, which means you are pulling from a much smaller character set than you could be, making brute-force attacks easier.
Even with those caveats, if your passwords suck, you should take a look. It might be inspiring.
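To put numbers on both caveats, here is a small Python script (added here, not from the original post or from passwds.io) that generates a password locally with the OS CSPRNG so nothing is sent over the network, and estimates the brute-force search space of any password from the character classes it actually uses. The sample "site-style" password is constructed for illustration.

```python
import math
import secrets
import string

# Character classes a password may draw from. The site discussed above uses only
# the first three (lower, upper, digits); adding punctuation widens the set.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

def charset_size(password: str) -> int:
    """Size of the union of character classes present in the password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size

def entropy_bits(password: str) -> float:
    """Upper bound on brute-force entropy, assuming every position was drawn
    uniformly from the detected set. Pronounceable passwords built from word-like
    chunks have a real search space well below this bound."""
    n = charset_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)

def generate_local(length: int = 20, alphabet: str = "".join(CLASSES.values())) -> str:
    """Generate a password on this machine with secrets (CSPRNG); it never leaves the host."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    site_style = "Kabuto7Remix2Paladin"  # constructed: lower/upper/digits only, 20 chars
    local = generate_local(20)
    for pw in (site_style, local):
        print(f"{pw}: set size {charset_size(pw)}, <= {entropy_bits(pw):.1f} bits")
```

For the same 20-character length, the 62-character set tops out near 119 bits while the 94-character set reaches about 131 bits, and the real strength of a pronounceable password is lower still.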
3) Facebook has actually been working hard to improve its anonymity stance...
The most recent, and best, step has been to allow direct connections through the Tor network. Facebook has come out with a .onion address (link only works on Tor-enabled browsers) that works with SSL and lets users access Facebook without disclosing their true location. While connecting through Tor is little help for those of you who plaster your real names and addresses all over your Facebook page and check in at every store and restaurant you go to, for the rest of us, who would like to keep track of our friends without exposing ourselves, this is awesome.
Keep in mind that even Tor is not bulletproof.
4) If you have a website running Drupal, you should assume it was hacked...
Nearly a million websites running the popular Drupal content management system had only hours to update their software before attacks likely compromised the systems, thanks to a widespread vulnerability, the Drupal security team warned this week.
On October 15, the security team for the Drupal content management system announced the discovery of a critical security flaw that could allow attackers to steal data or compromise vulnerable sites. Within seven hours of the announcement, attackers had begun broadly scanning for and attacking Drupal sites, according to the project’s security team, which provided the details in an October 29 public service announcement.