IT Trenches


August 17, 2010  5:48 PM

8-character passwords are so 1999 – 12 characters is 21st century

Troy Tate Profile: Troy Tate

Today’s computers and add-on processors (think graphics processing units, or GPUs) are extremely powerful. The GPU of today offers about 2 teraflops (10^12 floating-point operations per second) of parallel processing power. In 2000, a supercomputer yielded computing performance of just over 7 teraflops and cost $110 million. This computing power has increased the threat from automated password cracking (brute force attacks). In a recent research project reported by the BBC, computer scientists at the Georgia Tech Research Institute say that passwords of fewer than 7 characters with special characters will soon be “hopelessly inadequate”. They recommend passwords of 12 characters or more.

Well, time to pull out my PasswordCard and begin using my 29-character password. What other suggestions do you have for other ITKE readers? Thanks for reading and let’s continue to be good network citizens!

August 16, 2010  6:56 PM

Automated file integrity monitoring using MD5 or SHA-1 hashing

Troy Tate Profile: Troy Tate

I recently had a task to monitor some file folders for changes and report when files were modified. The reporting requirement was simply a daily notice of whether any files had changed and which ones. There was no requirement to track who made the changes, since access to the folders was limited; that would have complicated matters some. I was able to design a quick and easy solution using a hashing utility called hashdeep (a nice public domain utility) and another utility called blat to send the reports.

I set up three batch files for this purpose and used the Windows Task Scheduler to automate the tasks.

The first batch file was called filehash.bat and had the following lines:

e:
cd\
hashdeep.exe -r e:\sourcefolder\*.*>FilehashSum.txt

That process needs to run first to set a baseline of file hash information. It creates a text file with the MD5 and SHA-1 hashes of all files recursively under e:\sourcefolder. You need to make sure that hashdeep.exe is on your application search path.

After the desired period of waiting, I then ran filecheck.bat which looked like:

e:
cd \
hashdeep.exe -r -vvv -a -k e:\FilehashSum.txt e:\sourcefolder\*.*>FileChanges.txt

This audits (-a) the current files in e:\sourcefolder against the known hashes (-k) in FilehashSum.txt and writes the very, very verbose (-vvv) results to a file called FileChanges.txt.

The third part of the process is sending the file change report to an administrator or whoever is interested in tracking the changes. That third batch file is called blat-report.bat and looks like:

set body=e:\FileChanges.txt
set subj="Server Sourcefolder file change report on %date% at %time%"

set addr=admin@corp.com
blat -bodyf %body% -to %addr% -subject %subj%

The admin will receive a detailed report showing which files have NOT changed as well as those which have been changed. The schedule I set up for this is:

filecheck.bat – 11:50 PM
blat-report.bat – 12:01 AM
filehash.bat – 12:30 AM
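To make the baseline-and-audit steps concrete, here is an added example (not the author's batch files) that reimplements them in Python: it writes a baseline in hashdeep's size,md5,sha1,filename column layout, rescans the tree, and classifies every path as unchanged, changed, added or removed. The folder name, file names and contents in demo() are constructed for illustration.

```python
import hashlib, tempfile
from pathlib import Path

def hash_file(path):
    """Return (size, md5, sha1) for one file, read in 64 KiB chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk); sha1.update(chunk); size += len(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()

def baseline(root):
    """Hash every file under root (the 'hashdeep -r' step); paths stored relative to root with '/'."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_baseline(known, out_path):
    """Persist the baseline in hashdeep's 'size,md5,sha1,filename' column order."""
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("%%%% HASHDEEP-1.0\n%%%% size,md5,sha1,filename\n")
        for path, (size, md5, sha1) in sorted(known.items()):
            fh.write(f"{size},{md5},{sha1},{path}\n")

def read_baseline(in_path):
    """Load a baseline written above, skipping the %%%% header lines."""
    with open(in_path, encoding="utf-8") as fh:
        rows = (ln.rstrip("\n").split(",", 3) for ln in fh if ln[:1] not in "%#\n")
        return {path: (int(size), md5, sha1) for size, md5, sha1, path in rows}

def audit(known, current):
    """The 'hashdeep -a -k' step: 'changed' = size, MD5 or SHA-1 differs; 'removed' needs the baseline."""
    report = {"unchanged": [], "changed": [], "added": [], "removed": []}
    for path, digest in current.items():
        status = "added" if path not in known else "changed" if known[path] != digest else "unchanged"
        report[status].append(path)
    report["removed"] = sorted(set(known) - set(current))
    return report

def demo():
    """Constructed sample tree: baseline it, then modify, delete and add files."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "sourcefolder"); (src / "sub").mkdir(parents=True)
        for name, data in [("keep.txt", b"stable"), ("edit.txt", b"v1"), ("sub/gone.txt", b"bye")]:
            (src / name).write_bytes(data)
        write_baseline(baseline(src), Path(tmp, "FilehashSum.txt"))
        (src / "edit.txt").write_bytes(b"v2")     # same size, different content
        (src / "sub" / "gone.txt").unlink()       # removed
        (src / "new.txt").write_bytes(b"hello")   # added
        return audit(read_baseline(Path(tmp, "FilehashSum.txt")), baseline(src))
```

The baseline file is itself an integrity target: keep it outside the monitored tree and writable only by the scheduled task's account, otherwise whoever can alter a file can also re-baseline it.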

Hopefully this will help you monitor files or folders in a quick and simple way. I know that file integrity monitoring is a PCI requirement and there are many solutions out there. This tip is here to help you understand some of what might be happening in your file/folder environment at no cost.

Share with other ITKE readers what you use for file/folder change monitoring. Your advice/insights are much appreciated! Thanks for reading and let’s continue to be good network citizens.


May 28, 2010  6:49 PM

Friday fun – The Geek Alphabet

Troy Tate Profile: Troy Tate

Okay, I know school is getting out for most students across the US about this time of year, but learning never stops. How about turning your children or students onto the Geek Alphabet? This is where A is for Away team – where you should never wear red. B is for Binary, 1s and 0s in your head. This is a cute listing of the alphabet along with some nifty pictures. Remember – G is for gadgets, the way to our hearts!

Have a great weekend and thanks for reading!


May 27, 2010  5:46 PM

Particle accelerators – how about balloon accelerators?

Troy Tate Profile: Troy Tate

We have all probably heard about the Large Hadron Collider and the physicists’ excitement about the results of collisions of unseen particles. Well, for those of us more visually inclined, check out the video below of those Dyson bladeless fans moving balloons around a lab and the factory. Really, I’m not surprised that there are fans available for the engineers to play with, since the fans are $300 each!

Enjoy and thanks for reading!

[Video: http://www.youtube.com/v/4WNcjkZ6d0w]


May 21, 2010  5:15 PM

SC Vision – web videos for infosec professionals

Troy Tate Profile: Troy Tate

SC Magazine has announced the SC Vision TV website. Currently there is a collection of about 7 videos of interest to IT professionals, on topics ranging from Driving More Informed Decision-Making in Information Security, presented by HP, to PKI and Email Security by PGP. SC Magazine is one of my favorite resources for infosec information. This new website looks like it could be another good stopping place in any infosec professional’s travels around the internet.

Thanks for stopping by IT-Trenches. Let me and other ITKE readers know of any other good infosec resources you have come across. Let’s continue to be good network citizens!


May 21, 2010  2:08 PM

Federal Cybersecurity Game-Change R&D program announced

Troy Tate Profile: Troy Tate

The Networking and Information Technology Research and Development (NITRD) Program has announced a cybersecurity game-change research and development program. On May 19, 2010, an event was held to kick off a focused research effort on three themes intended to change the game in cybersecurity. The 3-hour event was recorded and is available for viewing.

The three game-changing themes presented are:

  • Tailored trustworthy spaces: security tailored to the needs of a particular transaction rather than the other way around.
  • Moving target: systems that move in multiple dimensions to disadvantage the attacker and increase resiliency.
  • Cyber economic incentives: a landscape of incentives that reward good cybersecurity and ensure crime doesn’t pay.

The idea behind these themes is that what has been done in the past is not really working; cybersecurity thinking and actions need to change. The Tailored trustworthy spaces theme is very much like the proposals I have presented in my blog before about having trusted network connections and strongly managed information flow rules with monitoring and violation detection. The Moving target theme suggests that targets should be harder for the attacker to reach and compromise, so that they become more costly to attack. The Cyber economics theme proposes that it is important to gain more understanding about data ownership, the market for data, incentives for socially responsible actions and the losses/risks due to attacks. The Cyber economics theme is critical for organizations to be able to make effective cybersecurity decisions to manage risk.

I urge you to take a look at the presentation from the event at a minimum. This research effort seems worth following and hopefully will result in better cybersecurity management strategies and a better understanding of risk. I heard someone say that we can’t stay ahead of the cybercriminals, but we can stay close behind and build better security based on what we do understand. Another way of saying this could be, “Nothing is foolproof to a sufficiently talented fool.”

Will you be participating in this cybersecurity game-changing research? Share your thoughts with me and other ITKE readers. Thanks for reading and let’s continue to be good network citizens!


May 19, 2010  8:09 PM

Malvertisements – 1.3 million viewed per day!

Troy Tate Profile: Troy Tate

Last year the NY Times website carried advertisements that served up malicious content (would you click if it showed up on the NY Times website? Really, would you?). Now, in 2010, Dasient has released research about Q1’10 web-based malware and trends. This research is very scary, and not surprising if you have been “in the wild” on the internet without the protections offered by an enterprise environment. The increase in malicious “anti-malvertising” alone has been significant in the past several months. What is a net-citizen supposed to do?

I proposed some options in 2009:

Should computers be “licensed” or “permitted” to be on the internet to reduce threats to unsuspecting users? That’s a thought for you… what governing body would issue these computer use permits? What would the rate infrastructure be like – based on processor/memory or bandwidth? Where would the permit fees go? Would there be some internet oversight body that uses the fees to have inline malware filters?

Would these still be valid options? I mean, there is real money involved in the losses due to malicious software. Who is responsible for the loss? Is it the non-technical home user who does not keep their system updated because they do not know what to update? And if they do update it, how do they know the update source is credible? How many times have you gone to a website (think Facebook) and seen that your Flash software needs updating? This is a prime target for malvertisers. What would you suggest? Leave some feedback for me and other ITKE readers.

Thanks for reading and let’s continue to be good network citizens!


May 12, 2010  2:48 PM

Follow Twitter “How to become a hacker in 15 minutes”

Troy Tate Profile: Troy Tate

Well, it looks like it might be time for me to join the “twitterpated”. Until now I did not see much value in this additional information source. With regards to Twitter, I tend to agree with President Obama’s recent observation about technology and misinformation overload. Today my perception of the value of Twitter-propagated content is challenged by the announcement that Liggatt Security is going to begin sending tweets to followers about how to be a hacker. As an EC-Council Certified Ethical Hacker, I have already been trained to think like a hacker to improve an organization’s security posture. Now Liggatt is offering similar advice using 140 characters to anyone who can receive a Twitter feed.

I agree that information security awareness is a great thing, but how much valuable content can you communicate in such short bursts? Is the information communicated going to make a difference in the ability of consumers to protect themselves and their systems? Is it going to improve or degrade the ability of information security professionals to do their jobs of protecting assets against threats and reducing risk? Is this similar to all of the medical websites available on the internet: have they improved the health of patients and their ability to speak with doctors?

Your thoughts are welcome. Please share them with me and other ITKE readers. Thanks for reading and let’s continue to be good network citizens.


May 12, 2010  1:16 PM

A password reminder to carry with you

Troy Tate Profile: Troy Tate

Okay, passwords may have reached the end of their useful life, but passwords are not gone yet. I know it is a challenge to come up with a unique secure password for all identities that we use to access secured resources. This is why a solution called PasswordCard comes across as a simple solution that is easy to implement at no additional cost or infrastructure changes. I’m sure that this is not an original idea but this website makes it simple to use. In a way, it is like a one-time pad.

A PasswordCard is a credit-card-sized piece of paper which has symbols, characters and colors. You simply choose a symbol on the top row, choose a colored row and then use the characters shown to select the appropriate length of password. In the example shown below, I chose the Spade symbol, then chose the green row and 8 characters for the password: $kKCSVQm. This is very simple to use and can be easily carried or posted without risk (unless the user marks their passwords in some manner).

Choose a symbol, a color and the number of characters

The string of numbers and letters across the bottom of the card is an identification code for this specific card. Each user’s card can be unique. If the card is damaged or lost, you can go back to the PasswordCard website and regenerate the same card if you have kept a record of this code.

Let me and other ITKE readers know if you use PasswordCard or any similar solution for secured passwords. Thanks for reading & let’s continue to be good network citizens.


May 10, 2010  7:45 PM

Are you ready for “Legally Defensible” IT Security?

Troy Tate Profile: Troy Tate

It seems like the more I consider today’s information security environment, the more I feel like Ma and Pa Kettle negotiating a contract with a city-slicker. The math just seems to work differently depending on your audience. [Video: http://video.google.com/googleplayer.swf?docid=-4215496701990923822#]

I recently saw a graphic where CIOs and CSOs were asked whether regulatory compliance has improved their organization’s security posture. As you would expect, the CIOs strongly agreed with the statement while the CSOs leaned more toward strongly disagree.

Well, now another thought comes to us infosec professionals from the legal world. We are already under lots of compliance requirements like Basel II, SOX, HIPAA, PCI-DSS, FISMA and such. But now another idea we have to contend with is “legally defensible” IT security. I agree that this idea does have its merits in trying to get everyone talking the same language of risk and management. It is challenging enough to get information security talking the business language, but now we have to learn legalese? I think I’ll look to see if translate.google.com can help out with that!

Thanks for reading & let’s continue to be good network citizens!

