If it’s not tied down…

This just shows that the bad guys are only getting better. No matter how much security we think we have, we need to constantly test ourselves. “…attacks always get better, they never get worse…” #BruceSchneier

Given enough time, the bad guys will find a way. It’s unfortunate, but true. The bad guys are highly motivated by money. There is a LOT of money in being bad. There’s not enough monetary motivation in being a good guy. You just have to want to do it for moral reasons. On a recent #SecurityNow podcast, Steve Gibson laid out all the millions of dollars that were gained by the top recent attacks and the company behind those attacks.

If you are responsible for your company’s security then you need to educate your users regularly on security measures and best practices. If you are a human and have any username/password combination then you MUST use MFA when you can, or when offered. Time-based one-time codes (TOTP) are way more secure than SMS codes. You MUST use a reliable password manager because you MUST NOT use the same password on different accounts. Help yourself stay secure because the bad guys will help themselves to your data. I PROMISE YOU!

#security #data #motivation #podcast

Courtesy: Steve Gibson from #SecurityNow Podcast – grc.com/sn/sn-928-notes.pdf

Secure Password is not Secure

You’ve seen it, “Enter your new password, it has to be this long with these character types…” BLAH BLAH BLAH. You enter your regular password of Monkey123 (Yes, monkey is always among the most popular passwords found on the internet.)

https://wpengine.com/resources/passwords-unmasked-infographic/
(indecent passwords are blacked out)

I like sites that allow you to add multiple symbols. I also like sites that allow you to set VERY LONG passwords. I personally use passwords that have UPPER, lower, numbers 123, and symbols !@#$%^&*()_+-={}|[]\:";'<>?,./ that are super long. I also use a password manager so I don’t have to remember my passwords. See LastPass. LastPass is not a sponsor. I have used them as a paid subscriber for 10+ years.

I was setting up a password for 8×8 which is a VoIP phone provider and I used my random password generator from LastPass and 8×8 told me my password was not secure.

Here is an example of a password that I use for my accounts. You can see 50 characters that have upper, lower, numbers, and symbols. A 50-character password like this has 1606 bits of entropy.

94 printable characters on the keyboard, 50 characters long = 94^50
4.53*10^94 is the total number of possible passwords
THAT IS slightly more than “FOUR AND ONE HALF HUNDRED UNTRIGINTILLION.”

BUT, 8×8 limits you to no more than 25 characters. That cuts the length in half and brings the total possible combinations down to 2.1291E+49 (or 2.13*10^49 or 20 QUINDECILLION).

I don’t know about you but I am not comfortable with only 20 quindecillion possibilities for my password against a brute force attack. Nowadays computers can make about 1,000,000 guesses per second.

SINCE they limit the types of characters to just ~!@#$%^&*()_+-=;:,.?<> AND a-z, A-Z, 0-9, which equals 58 character types, and a max of 25 characters, the total is (58^25) = 1.21815E+44 (or 1.22 Hundred Tredecillion or 1.22 * 10^44 or 121,814,739,012,626,000,000,000,000,000,000,000,000,000)

IN CLOSING, a site that requires a password should never limit the number of characters and should allow for all possible character types. If they are storing your password securely with a salted hash then the length and type do NOT matter to the database.

Have a nice (and secure) day!

Do Not Do This

Pssssn
Photo Credit: https://howtoremove.guide/p-s-s-s-s-n-wireless-network/

Do NOT join this network if you see it. Once you do it will brick your iPhone, and you will need to Reset Network Settings to fix it: iOS Settings > General > Reset > Reset Network Settings.
(NOTE: if you need to click ‘Reset Network Settings’ you won’t lose any data or files on your phone, except you will lose any saved Wi-Fi networks and passwords.)

Photo Credit: Jason Lamb

There is a bug in the text parser in iOS that tries to interpret the % as an escape character. %20 is often used in URLs and JavaScript to identify a space between words. You can see a full list of URL encodings here: https://www.w3schools.com/tags/ref_urlencode.ASP

You can play with this string 074%097%115%111%110%032%076%097%109%098%032%105%115%032%065%087%069%083%079%077%069%033 and decode it here: http://www.unit-conversion.info/texttools/ascii/

Start this video at 22:58 to hear Steve talk about this vulnerability.

You can check out Steve Gibson’s show notes from this episode here: https://www.grc.com/sn/sn-824-notes.pdf or the written transcript of that episode here: https://www.grc.com/sn/sn-824.htm

Also read: https://howtoremove.guide/p-s-s-s-s-n-wireless-network/