Have I Been Pwned? is a website that allows you to check to see what websites wherein there was a data breach your password was used at. They know because a lot of the lists of the compromised are just published after the breaching. Ashley Madison is a classic example of how to embarrass someone along these lines. Some of this talk, which you probably have guessed by now was security-flavored, went into the history of passwords and some of the things that have gone wrong with them. Password complexity rules that are too complex really get in the way. Hackers know that you are replacing O or o with 0 and they can guess at your own common hacks to satisfy complexity requirements. Forcing users to change their password every few months also comes with some dysfunction. It creates a scenario in which users are just changing a number at the end of their password so that they may keep it in their head. The ugly alternative is to write down passwords that have really changed in order to "remember" them. What's worse? Instead companies should really ask individuals to change their passwords upon suspicion of compromise per Troy Hunt. An overabundance of faith is placed in https. Let's Encrypt now offers free SSL and its footprint is overtaking that of Comodo (now Sectigo) which had been the heavyweight in the space. Unfortunately, the Let's Encrypt freeness empowers https phishing sites. In an IDN (internationalized domain name) homograph attack one offers a domain name that looks like a legit one with just a character or two changed up along these lines. CREST (The Council of Registered Ethical Security Testers) certified industry professionals are good characters to pen test products to see what the vulnerabilities are. Some of the talk went into these guys just trying to do their jobs and some of the ridiculous pushback and vilification they get from the marketing departments of those they "embarrass" by pointing out holes. At the very end of the presentation Troy closed with a slide of a padlock with a screw visible on one side of it which could easily be undermined with a screwdriver. The public relations pushback to the obvious criticism was that the padlock was invincible to anyone without a screwdriver. That's a not technical example, but the technical examples can be just as bad with a bit of obfuscation too as average Joe is unlikely to know that the counterarguments are bogus. Some of the wacky products that were showed off were the Gator which was a smartwatch for parents to give kids that gave you the ability to phone call your child on the watch. The watch is hackable and it's not hard for anyone to call your child! The Nissan Leaf came with a smartphone app that allowed you to control the heater and air conditioner in your car. It also allowed hackers to control it too.
No comments:
Post a Comment