netsekure rng

In case you haven’t seen it yet, zf0 summer of hax was released in the last few days. While scanning through the content, I read a paragraph in the “Industry Check” section that perfectly sums up the state of computer security these days:

Are you professional types really this out of touch? I see all these papers
about how to protect yourself from these super-fucking-advanced techniques and
exploits that very few people can actually develop, and most hackers will NEVER
USE. It's the simple stuff that works now, and will continue to work years into
the future. Not only is it way easier to dev for simple mistakes, but they are
easier to find and are more plentiful.

It is indeed much easier to look for a misconfiguration in the web app than to hack the actual web server software (be it apache, IIS or some other). It is much easier to guess the secret questions of a person and gain access to their account than it is to hack the actual service (be it web mail or something else). At the end of the day, people should be looking at security as an end-to-end picture, not just focus on parts of it. The tried and true “a chain is as strong as its weakest link” is in full force here.

I recently read a paper on the topic of strong passwords. While going through it, it hit me that very often people will discuss a way of solving some problem (phishing for example), but they fail to enumerate what the attack vectors are and subsequently how the solution addresses these attack vectors. I like how the paper actually lists the threats at the very beginning and discusses them throughout. When solving a problem or coming up with a security product, one should be very clear as to what it is protecting against. It is not often that you see this clearly addressed.

I don’t quite agree with all the views presented in this paper, but it was overall a very interesting read. The idea of brute-forcing not only a single account but all accounts based on statistics was an approach I had not seen before.

The recent story on the twitter breach of company information reminded me of an interesting research I recently saw. A few researchers have worked with real people to gather data how well security questions used by online apps work. Their paper has all the glory details,but there are two things that stood out to me:

• secret questions are statistically easy to guess with just a bit of information about a person
• putting bogus data as the answers is doomed to fail

If one looks back in time, most (highly visible) account compromises happen through the password reset/recovery mechanisms, not through a vulnerability in the web application itself.
It is common for people to focus on the wrong thing to improve on. In addition to ensuring the security of the site, more research needs to be done in improving the authentication and recovery/revocation. With the growing popularity of social networks, finding information about people is trivial, so I think unless some changes are made, we will see more and more of these compromises.