Hi folks!

This week, I’ll be presenting The Mobile Edge: Consumerization and Security at the SecureWorld Charlotte event. Due to other scheule commitments Thursday, I’ll only be at the event Wednesday, April 10th. I asked for the Early Bird Session at 8:30, so I can tackle the task of waking you up.

The Mobile Edge: Consumerization and Security
Wednesday, April 10th
8:30am – 9:15am
A dive in to maintaining security as consumer-grade mobile products enter the enterprise. Join this discussion and dialogue on BYOD, the consumerization of IT, and how to appropriately apply policy and technology to security the enterprise. This session is guided with best practices, common practices, emerging trends and technologies, and tips for evaluating and selecting solutions that will make you successful. We’ll also cultivate ideas for corporate policy and technical enforcement as part of an overall strategy for BYOD and consumerization.
 

• SecureWorld Charlotte Event
  http://secureworldexpo.com/event/index.php/2013-charlotte-home
• The Mobile Edge – Session Details
  http://secureworldexpo.com/event/index.php/the-mobile-edge-consumerization-and-security-jennifer-minella

# # #

Share

Each year I like to share some of my where-abouts with you, and invite you to come say hello or join me in a session, discussion, debate or even a party. This year, I’m involved with two RSA sessions and some extra-curricular activities with organizations like TCG. Here’s the scoop!

• Monday, February 25, 2:50-3:50 PM in Room 302
  PROF-M03 – Information Security Certifications: Do They Still Provide Industry Value?

Moderator(s): Thomas Stamulis – Regional Director, Verizon
Panelist(s): Richard Moore – Vice President, Sr. IS Manager, RBS Citizens
Andrew Ellis – CSO, Akamai Technologies
Hord Tipton – Executive Director, (ISC)2
Jennifer Jabbusch-Minella – CISO, CAD, Inc.

Information security certifications have been around for more than two decades, and hundreds of thousands of professionals have attained them. As the industry matures, many academic institutions now offer bachelor and advanced information security degrees. Should the infosec community continue to support these certifications or should we encourage a more traditional academic approach?

My notes: Join what is sure to be a bang-up session as we discuss the ins and outs of infosec certifications in 2013 and beyond. Hear from Richard, who has a degree in information security and a plethora of acronyms after his name, and enjoy the rebuttal by Andy, a highly successful CSO who continues his success and initiatives without the overhead of industry certifications. As someone who has been a contributing author of the official (ISC)2 CISSP Courseware, and other certifications, I have my own feelings about the virtues and values of our alphabet soup. (ISC)2 Director Hord Tipton is guaranteed to liven the conversation, and with Tom moderating, who knows what will happen.

•  Thursday, February 28, 1:00- 2:00 PM in Room 111
  P2P2-R35 – Endpoint Integrity and Access Control / NAC is Back; Making it Work

Facilitator(s): Jennifer Jabbusch-Minella – CISO, CAD, Inc.

While current solutions have proven difficult to implement in the real world, the need for access control and network security continues to grow. Join this Peer 2 Peer session for a lively discussion of real world case studies, an exploration of technical roadblocks and a dive into vendor-specific solutions. Participants will be given a copy of the host’s proprietary Universal NAC Evaluation Framework document to reference and evaluate various technologies and solutions at a technical level.

My notes: This is a Peer-2-Peer session, and these are absolutely among my favorite formats at RSA. P2Ps are a chance to connect and share ideas with your peers. I’ll lead the conversation, get the discussion sparked and lend my experience when needed. Every year I’ve hosted a NAC session, it has been FULL. These P2Ps are limited to the FIRST 20 PEOPLE in line, so if you really want a seat, get there early. Last time the session was full before I even made it to the room, 18 minutes prior to the start time.

 Other sessions, events and places to find me:

• Monday, 10:00AM – 2:00PM in South Room 301
  TCG Seminar: Trusted Computing – Billions of Secure Endpoints in 10 Years
• Monday, 4:30-7:00PM at St Regis
  5th Annual Security Sociability RSA Happy Hour
• Wednesday, 5:00-8:00PM at private location
  Security Bloggers Meetup and awards
• Wednesday, 8PM  at unknown location
  Barracuda – Blind Tiger Party
• Thursday, 5:30- 6:50PM in North Room 134
  Flash Talks Powered by PechaKucha
• Various, Expo Floor
  Other times, I’ll be on the Expo Floor, talking to vendors
• Find parties by following @RSAparties on twitter

More resources for RSA:

• 9 Tips to Find the Best Sessions and Speakers at RSA

# # #

Share

I hesitate to post here today. I’m looking at my recent blogging history and I’m saddened. It’s as though The great Nothing has come and devoured this digital land of mine.

I didn’t fall off the face of the Earth though, and the Nothing hasn’t completely taken ownership this spot. I’ve been writing, as usual for other media outlets and analyst groups. Some of that content is publicly available and I have failed you, my readers, in linking those posts here.

And so, my sad eyes look now upon a single grain of sand; the sole remaining piece of my digital home, seemingly consumed by The Nothing. As I imagine this blog restored to its full potential, with more content, education and hilarity, I see a glimmer of hope and a landscape manifesting in front of me.

“We can’t wait for a snail. Can I carry you?”
“Don’t worry, it’s a racing snail!”
“Oh but, but, we can’t even wait for a racing snail.”
“Tally ho!”
“Hey, it really is a racing snail!”

Upcoming:

• Where to find me at RSA this year
• RSA sessions for NAC and endpoint security, wireless and trends
• What I’ve been up to
• More on wireless and wireless security
• Updated NAC white papers and vendor comparison

# # #

Share

Wow, we’re a skeptical and paranoid bunch, aren’t we? I can’t blame the numerous security professionals that are making claims that LinkedIn is likely lying about their new password salting for added security. If you’re not a cryptography junkie, it may not make sense. I’ve been running things by several cryptography specialists and our security research friends as a sanity check too, but some of these claims are getting out of hand.

Is LinkedIn lying about implemented salts to secure user passwords?

Probably not. As I noted in this post, correcting some of my colleagues, what LinkedIn claims they have done is possible, reasonable and the most secure and simple recourse to retroactively apply the added security of salting to already-stored passwords. I intend to write a short piece on salting and hashing, but haven’t gotten around to it. If there’s an explanation (with graphics) you’ve read and liked, feel free to link it here in the comments.

Here’s the argument from some skeptical friends, “You have to add the salt with the original password, so either LinkedIn is lying, or they are storing the original password in plaintext (a big no-no).”

Here’s my response, and why that’s not correct. Normally, yes, the salt would be applied to the original password, to create a salted, hash output. However, there are more ways to skin a crypto cat, and LinkedIn has probably done something slightly different.

So, what is LinkedIn doing? I, and my fellow security professionals, feel pretty sure they’ve taken the original password hashes, added the salt to that, and re-hashed with SHA-1.

For an example of what this looks like, and a simple demo of how easy or hard they are to crack, see my post on How to crack your LinkedIn password hash.

I don’t work at LinkedIn, and I don’t consult for them, so this post is a bit of technical speculation based on a little common sense. Read this and think it through before you accuse LinkedIn of lying, or assume they’re not doing whatever’s in their power to add security. If you’re still skeptical, feel free to share your questions or stories here. I invite all my colleagues to respond in kind and provide additional info too.

# # #

Share

Several people have asked what it means to crack a password hash, and others have asked for an even simpler explanation of what a hash is.

In brief, a hash is a one-way cryptographic function. In security circles, it’s not really considered to be encryption, in the technical sense, but it is a function of cryptography. When we hash something, we take a value, it can be any length of letters, numbers, text and we perform a function on it that spits out a fixed-length value. With the LinkedIn passwords, they use a hash algorithm called SHA-1. SHA-1 always gives us an output of exactly 160 bits. You’ll see a specific example set below.

It’s this method that LinkedIn, and other sites, use to store passwords. User passwords should never be stored in plaintext. Hashed passwords (with a salt, described later) are an accepted common practice for storing user passwords. Note that some security professionals will argue that passwords should be stored using password encryption, instead of these hashes. For more on that, read comments by Thomas Ptacek on Brian Krebs’ blog. For more on what LinkedIn changed, see “Is LinkedIn lying about their new password salting?”

The idea of a hash is that it’s one-way. Every time you put in a value, you get the same output, but you can’t take the output, perform a reverse function, and arrive at the original value. That means, as in our example below, if we enter “fluffyrocks” and hash it, we’ll always get the exact same hash value. But, there’s not a way to take the hash value and directly figure out the original text is “fluffyrocks”. When a site validates your password, it’s taking the hashed value of what you enter, and comparing that to what’s stored in its database. If you entered “fluffyrocks” the hash output should enter what’s stored. If you enter anything but that, the hash won’t match and you won’t be authenticated. Even the smallest change in the original text produces a drastically different hash.

Now, this one-way function doesn’t mean that you can’t crack a hash. It’s just cracked using different methods than a two-way encryption algorithm. With hashes, attacks are brute-force using dictionary attacks and/or rainbow tables. Meaning, something analyzes pre-computed hash values. When a match of hash values is found, an attacker can see what in the cracking dictionary produced the same hash. That’s how these hashed passwords are compromised.

The most common practice when storing passwords as hashes, is to use what’s called a salt. A salt adds some entropy to the mix by introducing additional bits that will be hashed along with the password. Salt strings vary in length and are applied before or after the password in the hash algorithm. Each password in a database should have a unique salt. This won’t completely prevent the password hashes from being compromised, but it makes the task a lot more daunting and processor- and time-intensive. To crack a list of salted hashed passwords, an attacker must factor both dictionaries for the original password and the salt values.

So, how hard is it to crack unsalted passwords, such as those leaked in the LinkedIn breach? Here’s an example and fun hands-on activity for you to try.

 An example:

1. Your plaintext password (not stored by LinkedIn)
   = fluffyrocks
2. LinkedIn’s unsalted SHA-1 hash stored, function (sha1($pass))
   = (sha1(fluffyrocks))
   = 4d39d3da4fe662e3a4a6a006e450612b55123416
3. Normal password salting with SHA-1 hash, salted with abcdef0123 (sha1($salt.$pass))
   = (sha1(abcdef0123.fluffyrocks))
   = 861867bdaadfc4b0ece92ba4eefa1d6f570ab019
4. LinkedIn’s salted double-hashed, now stored  (sha1($salt.sha1($pass)))
   = (sha1(abcdef0123.sha1(fluffyrocks)))
   = 4ed11b5260f33f3ac2b1bafb7b322f795c087f6b

 Try it yourself:

1. First, find out the hash value of a password or string.
You can find the SHA-1 hash of a password or phrase on several sites, try http://www.xorbin.com/tools/sha1-hash-calculator or http://www.tech-faq.com/sha-1-generator , or Google “SHA-1 generator”.

2. Then use a SHA-1 cracker online.
In my example below, I used www.CrackStation.net to test out the ease of cracking. Google for SHA-1 crackers for more options.

 Note the links provided are for unsalted hashes. There are tools readily available designed to crack salted hashes also. This is why I’ve noted earlier that salting the password before storing it doesn’t prevent it from being cracked, it just adds some protection.

 Here in the screenshot from Crack Station below, I’ve entered 3 values:

1. SHA1- hash of the unsalted password
2. SHA1- hash of a salted password
3. SHA1- hash of a salted of the original password hash* (What LinkedIn is doing now, read more here)

Voila!

You can see the unsalted hash was cracked immediately and returned my plaintext password of “fluffyrocks”. As expected, the two salted hashes were not cracked with this tool. This is why more than 50% of the LinkedIn hashes were cracked, and the original plaintext found so quickly. Had the passwords been salted, it would have slowed the process, but not prevented it.

# # #

Share

I’ve been reading the flurry of posts, blogs, tweets and offhanded comments regarding LinkedIn’s recent data breach. I’m calling it a data breach here, not a password hash breach, because at this point, I don’t think anyone knows the extent of damage, or the full breadth of what data may have been taken.

Overheard in conversations, both in person and online, are comments “I don’t care about LinkedIn, I don’t need to change my password” and “they’re just hashes, only a few passwords were posted.” To those of you with this attitude, I think you’re missing the bigger picture.

I’d like to clear up a few things and share three reasons I think you’ll care about this LinkedIn breach.

Before we jump in, I’ll share my opinion about this breach in general.

I think quite a bit of what LinkedIn has shared is ambiguous, at best. I’m okay with that for now, because I think their involvement with law enforcement agencies and the fact they’re still in the discovery stage, prevents them from sharing much. They don’t know everything yet, and what they may know, is probably not in their best interest to share.

As security professionals, we can certainly find cause to criticize LinkedIn for how they’ve handled this, but I’ll leave that to others. I’m sure there’s a copious amount of critical articles out there. For now, I think they’re doing an acceptable (but not exceptional) job.

LinkedIn has locked the accounts and sent notifications to some of the affected users. Strangely, we can’t seem to establish any pattern in the notifications, and the verbiage LinkedIn has used in describing what it deems vulnerable is very vague.

Even if you didn’t receive the “Dear user” letter, some of your online accounts may be at risk.

Three reasons you care about the breach.

For those of you that don’t think a breach of your LinkedIn password matters, here’s why you should care.

1. Someone may have full access to your account.

We don’t know if the thieves stole additional data or not. It’s perfectly possible they have the full list of email addresses to go along with the password hashes. It’s also extremely likely they have more than the 6.5 million hashes they have released so far.

2. Even in hash form, your password is vulnerable.

Hashes of passwords are vulnerable and unsalted hashes (what was leaked from LinkedIn) are extremely vulnerable. See more on this below. LinkedIn has posted  that its database now uses salted and hashed passwords. It appears this measure to increase password confidentiality was implemented prior to the notification of the breach, but after the breach itself. Meaning, the passwords are much more secured now, and as long as they are new passwords, or weren’t captured in the leak, they’re pretty safe now.

A NOTE on correcting colleagues on LinkedIn salting and hashes. I’d like to note there are some articles out there with misinformation as to the salting and hashing methods.

3. That password is a key to another door.

About 75% of users re-use passwords across multiple sites. Read the article here or the original findings (PDF).   Meaning, if someone did steal the email addresses along with the hashes, they can very easily find other sites, or doors to which your password will be the key.

If you’re not sure what to do next, read my recommendation for dealing with the breach at LinkedIn: Don’t just change your password, do this.

Share

Don’t just change your password, do this

I disagree with a lot of the sites that have made the simple recommendation to change your LinkedIn password. LinkedIn added the recommendations that users change passwords at other sites, change passwords often, and use greater complexity (more combinations of numbers, letters, characters and capitals). I’m going to go one step further and be very specific in my recommendations.

• Change your LinkedIn password to something new and unique. Make sure this password is not one you currently use, or will use on another site. This is to be known as your LinkedIn password and nothing else. If hackers still have access to the LinkedIn servers, this will prevent them capturing another shared password.
• Change the passwords on any and all sites or resources that shared your previous LinkedIn password. Make them complex and unique. If you have trouble remembering passwords, use a web-based tool like Last Pass (one example of many available). If you used that password inside your work environment anywhere, notify your administrators and have the password(s) changed immediately.
• Backup your LinkedIn connections. There’s an export feature on the site. Just in case your account is compromised further later, you’ll at least have that. Rebuilding the network is the most time-consuming task.
• Lock your credit reporting accounts. If you fear other accounts may have been compromised, and someone may have access to your personal information, you may want to contact your credit reporting agencies and ask them to lock inquiries on your accounts. This will prevent anyone from opening new fake credit or banking accounts in your name. This is for those of you that are paranoid or have a lot to lose.

See related links for more on the LinkedIn breach.

• Correcting colleagues on LinkedIn salting and hashing details
• Three reasons you care about the LinkedIn breach

# # #

Share

I’d like to note there are some articles out there with misinformation as to the salting and hashing methods and abilities of LinkedIn to retroactively fix the issue of unsalted passwords.

In one particular article at Computer World  a reference was cited as saying LinkedIn could not have implemented the salting feature with the already-created database of hashes, and that salting could only be implemented with the original password, when a user created or changed a password.

This is not accurate, LinkedIn can (and I’m sure they have) applied a second iteration of the hash algorithm with the newly-added salt. Cryptography professionals and security researchers alike will agree this is acceptable, and actually more secure than simply salting the original password. In this particular case, I’m sure the iteration was added as a necessity (since they don’t have the original passwords) and not out of an added security consideration.

Soon, I’ll provide more on what salting and hashing is, but for now I wanted to make sure and set this straight. What LinkedIn has claimed it did is reasonable, possible and what we’d expect them to do.

Update: More on salting and hashing basics, with an example and steps to crack your own password now at “How to crack your own LinkedIn password hash.”

# # #

Share

Help Bail JJ Out of Jail! 

Share

This Thursday, March 15th, I’ll be hosting the RSA Conference Online Peer2Peer chat session on BYOD, “Doubts, Dread and Decisions: Dealing with BYOD in the Enterprise”. The live P2P session at RSA was full 15 minutes before we started! If you missed that session, or couldn’t attend RSA, this is your opportunity to participate with your peers. Registration is free and open to the public.

RSA Conference Online, Peer2Peer
Thursday, March 15, 2012
8:00-8:30am Pacific | 11:00-11:30am Eastern
Doubts, Dread and Decisions: Dealing with BYOD in the Enterprise
Moderated by Jennifer Jabbusch Minella, Chief Information Security Officer, Infrastructure Security Specialist, CAD, Inc.

To participate, just register for free at http://www.rsaconference.com/events/online.htm. Please check your login access PRIOR to the event. I’ve had a few issues logging in when I originally set up my account.

To view the full RSA Conference Online schedule, visit http://www.rsaconference.com/events/2012/usa/rsac-online.htm.

I look forward to seeing you online Thursday!

# # #

Share