Password Dictionaries

February 6, 2011

Password cracking tools like John the Ripper work by generating candidate passwords, hashing each one the same way the target system does, and comparing the result against the captured hashes; a match reveals the password. The candidates come from a “dictionary” – a list of words assumed to be likely passwords – which the tool uses as seeds, applying mangling rules (changing case, appending digits, substituting characters) to produce the variations a user might have chosen.

But what’s better than guessing which permutations a user might have selected? How about password lists from breaches, so that we can see what users ACTUALLY use?

According to the site, these passwords will crack roughly 5% of user accounts on a given system. If you’re using one of them, change it now.

123456
12345
123456789
password
iloveyou
princess
1234567
12345678
abc123
nicole
daniel
babygirl
monkey
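To show what the attack described above actually does, here is an added miniature of it in Python. This is my example, not code from the original post or from John the Ripper: the wordlist is constructed from the leaked entries quoted above plus two generic seeds, the mangling rules are a small assumed subset of the kind JtR applies (JtR's real rule set is far larger), and the “leaked” hashes are generated inline, unsalted SHA-1 as found in many breached password tables.

```python
import hashlib

# Constructed wordlist: the breach-derived entries listed above plus two
# generic seeds. A real run would load a file such as the RockYou list.
WORDLIST = [
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
    "letmein", "welcome",
]

# Character substitutions used by the leet rule below (assumed for this example).
LEET = str.maketrans("aeio", "4310")

def mangle(word):
    """Yield candidate passwords derived from one dictionary word.

    The rules (case variants, leet substitution, appended digits or years,
    trailing '!') are a small, assumed subset of the kind of mangling rules
    John the Ripper applies; they are not JtR's actual rule set.
    """
    bases = {word, word.lower(), word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in sorted(bases):
        yield base
        yield base + "!"
        for suffix in ("1", "12", "123", "2010", "2011"):
            yield base + suffix
            yield base + suffix + "!"

def hash_candidate(candidate, algo="sha1"):
    """Unsalted hash, the form many leaked password tables take."""
    return hashlib.new(algo, candidate.encode()).hexdigest()

def crack(target_hashes, wordlist=WORDLIST, algo="sha1"):
    """Return {hash: plaintext} for every target recovered from the wordlist.

    Because the targets are unsalted, each candidate is hashed once and
    checked against every remaining target at the same time.
    """
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            if not remaining:
                return found
            digest = hash_candidate(candidate, algo)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found

if __name__ == "__main__":
    # Constructed "leaked" table: three weak passwords and one strong one.
    leaked = [hash_candidate(p) for p in
              ("monkey", "Princess2011!", "P4ssw0rd123", "zQ9#vLm2!xR7")]
    recovered = crack(leaked)
    for digest in leaked:
        print(digest, recovered.get(digest, "<not recovered>"))
```

Three of the four constructed hashes fall in well under a second because every target shares the same unsalted hash function, so one candidate hash is checked against the whole table at once. The fourth (a random 12-character string) is never produced by any rule and survives; that, not the hash algorithm, is what keeps a password out of the 5% above.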

Adobe Reader Patches

February 5, 2011

It looks like this will be a busy patch week – in addition to the usual Patch Tuesday fun from Microsoft, Adobe has announced a set of patches for their Reader product on all supported operating systems. As malicious PDF files are one of the most common exploit delivery vectors these days, it would be prudent to begin planning your patching operations now.


Hack Chrome, Win $20k

February 4, 2011

The annual Pwn2Own contest is next month in Vancouver, and there’s an additional prize this year. As always, the latest copies of Firefox, Safari, and IE will be available as targets – hackers who manage to exploit the browser in a significant way will win a cash prize and the laptop that the browser was running on at the time. For the first time, though, Google’s Chrome is available as a target, and they’ve staked an additional $20,000 as prize money for anyone able to break their product.

Let the games begin. It seems like every year, someone manages to trot out a zero-day exploit and win the contest on at least one platform; it will be interesting to see how Chrome fares against dedicated competition like this.


Tandberg Default Root Account

February 3, 2011

Cisco has announced that Tandberg E, EX, and C series Personal Video Endpoints running pre-TC4.0.0 software shipped with a default root account with no password.

Well, that’s not great.

Workaround and mitigation details at the link.


Dealing With The Snowpocalypse

February 3, 2011

Like much of the continental United States, Buffalo was expected to bear the brunt of a tremendous storm this week. Fortunately, we escaped relatively unscathed – despite dozens of schools and businesses preemptively canceling their workdays on Wednesday, the anticipated feet of snow and ice never arrived.

Even so, I imagine that a lot of businesses in the area took a long look at their disaster plans. Just because some employees are unable to get to the office doesn’t mean that the business should simply close down for the day. In that vein, I wanted to mention two things that need to be in place if work is to be possible outside the physical boundaries of your business location.

Centralize Your Data

Too many small businesses work in an ad-hoc fashion, without any centralized file storage. This means that important documents are only available on a particular person’s workstation, or are squirreled away on a flash drive or floppy disk in the back of a locked drawer in the author’s desk. One of the first steps toward making your information infrastructure more robust is to properly centralize and organize your data. This has several advantages:

  • A single central data store is much easier to back up than a collection of random workstations.
  • A single employee leaving or changing jobs will not affect the information that he or she was handling.
  • A single workstation with a hardware failure can be easily replaced, since user data won’t need to be replicated from the old drive.
  • Most importantly, an individual employee’s work is no longer dependent on a single physical workstation.

Think about it – what is the biggest single factor that keeps knowledge employees from working at home now? It’s that they don’t have access to their data – memos, notes, project lists, legacy files, and the like. Most people have a computer and some sort of Internet access at home, but without data access, that doesn’t mean that they can work effectively. And without centralization of data, they can’t get that data access.

Now, centralization of data can mean many different things depending on what sort of data your employees need to handle. If it’s primarily textual or documentary data, a wiki like MediaWiki or Confluence might be a good option. For data that many people are editing and collaborating on, a version control system like Subversion might be appropriate. For general file storage, a file server built on Ubuntu and Samba might be your best bet. Beyond choosing the appropriate tool for the data, the important thing is realizing the necessity of having all of the data in one place.

Deploy a VPN

Once all of the data is centralized, any computer with access to your local network can reach it. Under normal business circumstances, this means that your employees can access or share their work from anywhere in the building. This is good – it makes work more efficient and flexible. More importantly, combining this centralized data with a Virtual Private Network means that your employees can access their data from anywhere on the Internet. This is even better. (It also means the VPN becomes the front door to everything you just centralized, so it needs strong per-user authentication rather than a shared password, and the same per-share permissions you would enforce inside the building.)

Let’s look at the example of Alice and Bob. Alice and Bob are collaborating on a piece of documentation – Alice has deployed a new piece of equipment, and Bob is in charge of writing up the procedure for using it. Each time Bob writes a new section of the guide, Alice has to approve it.

Under the old model, where everything is stored on local hard drives, the writing of this documentation grinds to a halt whenever Alice or Bob is out of the office. After all, if Bob has changed something, and then leaves work early, the data is stored on his computer and Alice can’t confirm that it’s been changed or that the changes are accurate. A lot of time is wasted waiting for an opportunity for the two of them to work together.

In the new model, where data is centralized, Alice doesn’t have to wait for Bob – the new data is stored on some central server, like a wiki, and so she can continue checking its accuracy without his needing to be present. But if any changes need to be made, again, the project grinds to a halt. Bob needs to be on-site for the process to continue.

But if we combine this centralized data with a VPN, then Bob can work from anywhere on the Internet. A snow day, like the one that was anticipated this week, shouldn’t slow anything down; Bob can log into the business VPN, gain access to the central data store, and continue working on the documentation. Alice can do the same. And rather than losing a day of productivity to a snowstorm or a driving ban, they can finish the documentation and be ready to move on to another task when the office is open again.

Data centralization and VPN deployment are two of the many services that we offer. If you would like help disaster-proofing your business’s data, please click on the Contact button to the left and send us an email.


Android Data Leak

February 2, 2011

A new exploit has been discovered for a vulnerability in the default web browser of Android 2.3 that Google had already patched once; the new variant bypasses that fix. The hole allows a malicious web page to read files from the handset’s SD card and send them off to the attacker, and the card could contain sensitive information.

Google is aware of the issue; the current workarounds are to disable JavaScript in the browser, use a different web browser, or remove the SD card.


Tweet By Phone

February 1, 2011

Google and Twitter have teamed up to help the Egyptian populace spread news on the Internet, despite the country shutting down all of its Internet traffic this week. They set up a service to allow tweets to be posted with the tag #egypt by calling a certain set of phone numbers; essentially, anyone with access to voice communication also has access to post on the Internet.

Kudos to everyone involved. As I read once, the Internet will interpret censorship as damage, and route around it.


Poor Response

February 1, 2011

If someone set out to write a textbook on how NOT to respond to a security incident, the recent breach at PlentyOfFish.com could serve as a template. Lenny Zeltser explains why at the Internet Storm Center.

(In addition to Lenny’s excellent points, Brian Krebs points out that storing user passwords in plaintext is also a pretty stupid thing to do. What is this, a WWIV BBS in 1994?)
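To make Krebs’s point concrete, here is an added example (mine, not from the post, the Internet Storm Center, or PlentyOfFish) of how a site should store credentials instead: each password gets its own random salt and is run through a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library), verification compares digests in constant time, and, tying back to the Password Dictionaries post above, registration rejects anything on a breach-derived blocklist. The blocklist is the short list quoted in that post; the iteration count and the stored-string format are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed blocklist: the leaked entries quoted in the Password
# Dictionaries post above. A real deployment would load a much larger list.
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
})

# Assumed parameters for this example; raise ITERATIONS as hardware allows.
ITERATIONS = 200_000
SALT_BYTES = 16
FORMAT = "pbkdf2_sha256"

def is_weak(password):
    """True if the password is on the blocklist (compared case-insensitively)."""
    return password.lower() in COMMON_PASSWORDS

def hash_password(password):
    """Salt and slow-hash a new password.

    Returns the string to store, 'pbkdf2_sha256$iterations$salt$digest'
    (hex fields), so every parameter needed to verify later travels with it.
    Refuses passwords on the blocklist, which a breach would crack instantly.
    """
    if is_weak(password):
        raise ValueError("password is on the common-password blocklist")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join((FORMAT, str(ITERATIONS), salt.hex(), digest.hex()))

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time.

    The stored iteration count is used, not the current constant, so old
    entries keep verifying after ITERATIONS is raised for new ones.
    """
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != FORMAT:
        raise ValueError("unknown hash format: " + algo)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("Correct horse battery staple", stored))   # False
```

The contrast with a plaintext table is the whole point: a thief who takes this table gets a different salt per row, so the single-pass attack from the dictionary example above no longer works, and each guess costs 200,000 hash iterations per account instead of one.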