Last Updated: 2014-05-22 13:20:49 UTC
by Johannes Ullrich (Version: 1)
Many years ago, when the internet was still a different place before Twitter, RSS and browser notifications, Tom Liston was kind enough to write a very compact task bar application displaying the current "Incocon". The application, also known as "blinky globe thing", was mostly known for its impeccable implementation of the color orange.
However, the application uses a non-standard RSS feed, and does not speak SSL. We recently changed our site to SSL only, breaking the current "blinky globe" to only show blue. Also, there are now a number of other more standard ways to receive notifications about infocon changes. As a result, I decided to stop supporting "ISCAlert". If you still use it, please uninstall it.
For alternatives, please see our notification system: https://isc.sans.edu/notify.html . We currently offer "SMS compatible" e-mail notifications and will soon have browser notifications (part of this is already live). We do also have a number of RSS feeds, simple text feeds (e.g.. https://isc.sans.edu/infocon.txt ) and Twitter to notify you of impeding doom.
For more about the Infocon, see https://isc.sans.edu/infocon.html
Last Updated: 2014-05-22 12:18:49 UTC
by Rob VandenBrink (Version: 1)
So after yesterday's news that eBay had been compromised, and that the compromise was in play for a good 2-3 months (short in comparison to many), I decided it was time to change my passwords. Yes - ALL of them.
Don't get me wrong, I do change my passwords - really. Not as frequently as I should, but it happens. I decided to use my little "make me a random string" character generator script, and set them all to 32 char gobbledygook. Except for the ones that have 10, 16 or 20 character maximums that is (really? that limit was a good idea why?)
So I dug through all my applets, "saved password" tabs and saved notepads to find them all, and change them all. It's amazing how many logins you can accumulate over the years. It's also amazing how many of these logins have my credit card info (eeps). eBay, Paypal, Apple, travel sites - it really starts to add up.
What did I find when I got going on this?
- For starters, since the last time I reset almost EVERY site has let their marketing and "design" folks at their site layout. The password change is almost universally hidden 4-10 or more clicks and menus deep in the interface.
- Many sites now disable the "paste" function. So if you have a complex password, you can't cut and paste it - you have to type it from the keyboard. This also breaks many "password keeper" applications. So what does this encourage? Simple passwords, that's what. Just because you can enable a neat feature doesn't meant that it's helpful.
- Don't even get me started on Facebook. I'm not even sure how i got to the menu (it took a while), but when I did, password change was under "General" instead of "Security". Like so many other sites, "security" to Facebook is about Authorization (who can see me) rather than Authentication (credentials). And the 3rd A" in "AAA" - Accounting - is not available to the end user, only to the system administrators. So if someone has attacked and/or compromised your account, the only folks who see that are the ones who review the logs. Oh - and I guess that's a problem too.
- Facebook does have a nice "log me out of other devices" option during the password change though. So if it's an attacker who's compromised your account, they can punt you offline as they change your password. They phrased it the other way though - I guess it's a race to see who gets to the password change page first.
- I'm still working on my Apple password. Apparently they've decided that my favourite book as a child doesn't meet their literary standards, so they've changed it. More likely, what I typed in is still there and is case sensitive - and knowing me, it's either all lower case, or the one Cap in the phrase is accidental. Long story short, I can't answer the challenge phrases. And the "send me an email" trapdoor didn't work - no email yet.
What does this all add up to? Web designers really have made it increasingly difficult for us to protect our credentials. Almost every site has emphasised the "friends and sharing" functions, and this has crowded the "protect your credentials" stuff into the background. Challenge phrases are great I suppose, but making challenge phrases case sensitive is a really bad idea. Not a single site in my list had a periodic password change requirement.
The other big conclusion? It'd be nice if more sites implemented two factor authentication - that way a password breach wouldn't be such an emergency or such big news.
Long story short, when sites say "we've been breached, please change your password", I think that's in the nature of a dare or a challenge - it's not as easy as it sounds.