So the other day I received a notification email about an IP address that had been blocked for failing to authenticate on this blog. What caught my attention was that the attempted username was my actual administrator account username. Initially this concerned me, as I was trying to figure out how someone might have learned that username. My first thought was that it could have been a compromised network I had used, or, worst case, that one of my own systems had been compromised. So I went to my logs and started investigating, and it turns out that the attacker used a user-discovery technique based on URL manipulation to enumerate the username of my administrative account. In the spirit of full disclosure, I will explain how the attacker determined the username, and how I remediated the situation.
This is Part II of the Security for a New Year series.
This topic was originally requested by a reader at my former employer; his question was simply, “what are your thoughts on security questions?” Considering that the topic for part one of this series was passwords, it seemed appropriate to make this part two. Security questions are a sticky subject when it comes to security. They are used to ‘verify’ your identity with something typically more ‘complex’ than your password. There are generally two situations in which you encounter them: the first, and most common, is resetting a forgotten password, and the second is additional identity verification, such as for a banking login.
This is the third and final part of Strong Passwords for the Security for a New Year series.
In part 1 of strong passwords I covered the use of entropy and character space to create strong passwords, and why the length of the password is the best defense against a brute-force attack. In part 2 of strong passwords I covered methods for creating a high-entropy password that is resilient to almost any dictionary attack. In both parts I mentioned that the second problem that comes with passwords is remembering them.
So, exciting news, ladies and gentlemen: the site was attacked by a botnet this week! Why is this exciting rather than terrifying, you may ask? Well, the botnet was unsuccessful in its breach attempts, which is of course always good news, but it also provided me with two wonderful opportunities.
This is part 2 of Strong Passwords of the Security for a New Year series.
In part 1 of strong passwords, I discussed the use of character sets and character spaces and how they impact the overall strength of the password. I primarily discussed how a longer password is significantly harder to brute force than a shorter one, regardless of how many character sets are used. Typically longer passwords expand beyond the use of single words, and as a result they are referred to in many places as passphrases. Personally, since they serve the exact same purpose as far as authentication is concerned, I use the term password to refer to both single- and multi-word passwords. The term passphrase, however, may help you expand your view of what a password can consist of. While most people may use a single word as their password, a password can also consist of several related or unrelated words, or even a complete sentence. This can be a great way to significantly increase the length of your password.
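The claim in the two password excerpts above (parts 2 and 3 of the strong-passwords posts) is that length dominates character-set variety when the attacker must brute force character by character, and that a multi-word passphrase is a cheap way to get that length. The following script is an added example written for this page, not code from the Open Intel blog. It models the search space the attacker must cover as length times log2 of the character space, and it also shows the caveat a practitioner would want: once the attacker knows the password is built from dictionary words, the entropy is per word, not per character. The character classes, the 7776-word list size, and the 10^10 guesses/second rate are assumptions chosen for illustration.

```python
import math
import string

# Assumed character classes; an attacker who sees a class present must
# include the whole class in the alphabet they brute force over.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}


def character_space(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy in bits of a character-by-character brute force: len * log2(space)."""
    space = character_space(password)
    return len(password) * math.log2(space) if space else 0.0


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy when the attacker knows the words come uniformly from a wordlist.

    This is the honest figure for a passphrase: the attacker guesses words,
    not characters, so the per-character number above overstates it.
    """
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(candidates: dict) -> list:
    """Return (label, bits, years) sorted weakest to strongest."""
    rows = [(label, bits, years_to_exhaust(bits)) for label, bits in candidates.items()]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    samples = {
        "8 chars, all four classes (P@ss9Wrd)": brute_force_bits("P@ss9Wrd"),
        "16 chars, lowercase only (thequickbrownfox)": brute_force_bits("thequickbrownfox"),
        "4 words, attacker knows the 7776-word list": passphrase_bits(4, 7776),
        "4 words, attacker brute forces 25 lowercase chars": brute_force_bits("correcthorsebatterystaple"),
    }
    for label, bits, years in compare(samples):
        print(f"{bits:6.1f} bits  {years:>14.3g} years  {label}")
```

Running it shows the ordering the posts argue for: the 16-character lowercase password (about 75 bits) beats the 8-character password drawn from all four classes (about 52 bits), even though the latter looks more "complex". The last two rows are the caveat: a 4-word passphrase is worth about 117 bits only if the attacker treats it as 25 arbitrary lowercase characters; against an attacker who knows the wordlist it is about 52 bits, roughly the same as the 8-character password, so add words (or a list the attacker does not have) rather than relying on raw character count.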
In previous versions of the site, I had individuals register in order to post comments. However, this typically leads to a lot of spam, and can be a real pain to constantly manage. Later I integrated Facebook and allowed individuals to log in with their Facebook account to post comments. However, not everyone has a Facebook account, and many individuals are understandably cautious about entering their Facebook credentials on a third-party site because of the risk to their account if those credentials are captured. This led me to look for another solution. I am a member of several online communities, many of which use the Disqus comment system. Disqus is a system designed entirely for comments on blogs and articles, which makes it the perfect solution for my needs. The user authenticates directly with Disqus, and the account is used strictly for comments, so this site never handles the credentials. So there you have it: the Disqus comment system is now an official part of the Open Intel site.
To relaunch Open Intel, I decided to refresh the Security for a New Year series. This will be the first part of a several post series on good security practices. Today’s topic: strong passwords.
In today’s society we are connected in almost every way. From social networking to online banking, and from email to online stock trading, we have accounts across many different websites. With each of these accounts varying in importance, and with a password often being the only layer of security protecting it, the strength of each password becomes paramount.
Welcome, all (or few) followers of the inconsistent security/developer blog of Michael. I have made some massive changes to the site this weekend. Since my previous attempt at restructuring the domain layout and file system failed miserably (the site broke, or at least anything clickable did), I decided to nuke the site from orbit and start from scratch. The site is now happily hosted at Digital Ocean, and there will be more details on that soon. I have the site backed up locally, and over the next week or two I will be going through and reposting the relevant articles after briefly freshening them up. Hopefully, with job transitions out of the way, I can start being regularly active on here (I know, I know…if I’ve said it once, I’ve said it a million times…).