Security Questions are Bullshit

I’m pretty much unhappy with the use of “Security Questions” – things like “what’s your mother’s maiden name”, or “what was your first pet”. These questions are sometimes used to strengthen an existing authentication control (e.g. “you’ve entered your password on a device that wasn’t recognised, from a country you normally don’t visit – please answer a security question”), but far more often they are used as a means to recover an account after the password has been lost, stolen or changed. I’ve been asked a few times, given that these are pretty widely used, to explain objectively …

The Automatic Gainsaying of Anything the Other Person Says

Sometimes I think that title is the job of the Security Engineer – as a Subject Matter Expert, we’re supposed to meet with teams and tell them how their dreams are going to come crashing down around their ears because of something they hadn’t thought of, but which is obvious to us. This can make us just a little bit unpopular. But being argumentative and sceptical isn’t entirely a bad trait to have. Sometimes it comes in handy when other security guys spread their various statements of doom and gloom – or joy and excitement. Examples in a single line …

Why am I so cross?

There are many reasons why Information Security hasn’t had as big an impact as it deserves. Some are external – lack of funding, lack of concern, poor management, distractions from valuable tasks, etc, etc. But the ones we inflict on ourselves are probably the most irritating. They make me really cross.

We shoot ourselves in the foot by confusing our customers between Cross-Site Scripting, Cross-Site Request Forgery & Cross-Frame Scripting. — Alun Jones (@ftp_alun) February 26, 2016

Why cross?

OK, “cross” is an English term for “angry”, or “irate”, but as with many other English words, it’s got a few …

Artisan or Labourer?

Back when I started developing code, and that was a fairly long time ago, the vast majority of developers I interacted with had taken that job because they were excited to be working with technology, and enjoyed instructing and controlling computers to an extent that was perhaps verging on the creepy. Much of what I read about application security strongly reflects this even today, where developers are exhorted to remember that security is an aspect of the overall quality of your work as a developer. This is great – for those developers who care about the quality of their work. …

The Manager in the Middle Attack

The first problem any security project has is to get executive support. The second problem is to find a way to make use of and direct that executive support.

Developers should be prepared to defend against a Manager in the Middle attack. — Alun Jones (@ftp_alun) November 9, 2015

So, that was the original tweet that seems to have been a little popular (not fantastically popular, but then I only have a handful of followers). I’m sure a lot of people thought it was just an amusing pun, but it’s actually a realisation on my part that there’s a real …

NCSAM post 1: That time again?

Every year, in October, we celebrate National Cyber Security Awareness Month. Normally, I’m dismissive of anything with the word “Cyber” in it. This is no exception – the adjective “cyber” is a manufactured word, without root, without meaning, and with only a tenuous association to the world it endeavours to describe. But that’s not the point.

In October, I teach my blog readers about security

And I do it from a very basic level. This is not the place for me to assume you’ve all been reading and understanding security for years – this is where I appeal to readers …

Why didn’t you delete my data?

The recent hack of Ashley Madison, and the subsequent discussion, reminded me of something I’ve been meaning to talk about for some time. Can a web site ever truly delete your data? This is usually expressed, as my title suggests, by a user asking the web site who hosted that user’s account (and usually directly as a result of a data breach) why that web site still had the user’s data. This can be because the user deliberately deleted their account, or simply because they haven’t used the service in a long time, and only remembered that they did by …

Lessons to learn already from Premera – 2. Prevention

Not much has been released about exactly how Premera got attacked, and certainly nothing from anyone with recognised insider knowledge. Disclaimer: I worked at Premera in the Information Security team, but it’s so so long ago that any of my internal knowledge is incorrect – so I’ll only talk about those things that I have seen published. I am, above all, a customer of Premera’s, from 2004 until just a few weeks ago. But I’m a customer with a strong background in Information Security.

What have we read?

Almost everything boils down rather simply to one article as the source …

Lessons to learn already from Premera – 1. Notification

Last weekend, along with countless employees and ex-employees of Microsoft, Amazon, Expedia, and Premera itself, I received a breach notification signed by Premera’s President & CEO, Jeffrey Roe. Here’s a few things I think can already be learned from this letter and the available public information:

Don’t claim “sophisticated”

Whenever I see the phrase “sophisticated cyberattack”, not only am I turned off by the meaningless prefix “cyber”, which seems to serve only to “baffle them with bullshit”, but I’m also convinced that the author is trying to convince me that, hey, this attack was just too amazing and science-fictiony to …

Thoughts on a New Year

It’s about this time of year that I think…

Why do reporters talk so much about NSA spying and Advanced Persistent Threats, when half the websites in existence will cough up cookies if you search for "-alert(document.cookie)-" ?

How can we expect people to write secure code when:
they don’t know what it is?
they can’t recognise insecure code?
it’s easier (more clicks, more thinks, etc) to write insecure code?

What does it take for a developer to get:
fired?
a bad performance review?
just mildly discomforted?

What is it about developers that makes us all believe that nobody else …