Archive for the “security” Category

Finally sitting down at Paul’s laptop to write up some notes on the talks I’ve seen so far.  I’m going to break it up into days because I’ve taken a lot of notes :)  Here goes, with comments in brackets:

Gadi Evron on Cyberwarfare

  • EU security operations / CERTs are not very organized
  • cyber warfare is mostly bull****

iPhone hacking

  • They’ve fully soft-unlocked the phone, but it’s been done in such a way that Apple can still fix it with a software update

Memory Forensics with the Cold Boot Attack

  • attack has been fully weaponized to USB keys (or functional iPods) and PXE boot
  • Jake has found a somewhat unrelated bug in Mac OSX’s Login.app which results in logged-in users’ passwords being stored in RAM; Apple is aware of the issue and not fixing it.  Same for FileVault keys [o_0]
  • Linux dm-crypt is vulnerable
  • loop-AES devs thought they weren’t vulnerable because of some key-shifting stuff they do, turns out it just means that they store twice the keydata :)
  • Nadia, co-author of the USENIX paper, wrote an awesome keyfinding tool which can grab keys from RAM even with something like 75% corruption
  • Bitlocker default / simple mode is totally pwned
  • Even with TPM in use Bitlocker is still vulnerable if precise timings are used

Dan Kaminsky – Why were we so vulnerable to the DNS vulnerability?

  • random person named Paul sitting beside me on the couch by the Go boards describes it as “+5 insightful”
  • My Paul is all excited that Dan is now publicly in favour of DNSSEC :)

[Image: dns pwnage]

Edited to add:  For some additional perspectives on Day 1, have a look at my Belgian friend Security4All’s blog post, which has a different selection of talks.


My browser was behaving strangely when I tried to log in to the TD Canada Trust online banking server, so just to be paranoid I decided to change my password using another machine.  I then realized that it was just me being dumb – my user agent was set to IE as I had been testing something earlier.  Oops!

However, it did all lead me to discover this gem epic failboat of a password policy:

When changing your password, please remember that it must be between 5 and 8 characters in length and should contain both letters and numbers. Special characters (e.g. #, &, @) must not be used as they will not be accepted by the system. Passwords consisting of all letters or all numbers are not recommended. Although TD Canada Trust does not require you to change your password, we recommend that for security purposes you change your password every 90 days.

Okay, wtf people.  5-8 characters seems awfully permissive, and doesn’t let me put in a nice long password… but not requiring numbers and letters?  Just recommending it?  And their system doesn’t support punctuation in passwords?  Yeesh.

It gets worse.  I decided to play around with it, and was able to change my password to the following:

  • foobar
  • 12345
  • 11111
  • aaaaa
  • the first 5 characters of my bank card number (which is the username when one logs in, and is common to many TD customers).
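To show how little the quoted rules actually constrain, here is an added example (not from the post, and not TD Canada Trust’s code): the rules as written, encoded as a checker, next to a stricter policy with the keyspace each one allows. The stricter policy’s limits, the blocklist, the guess rate and the sample card number are assumptions made for the example; the card number is made up.

```python
"""Added example: the quoted password rules as a checker, beside a stricter
policy, plus the keyspace each permits. The stricter limits, blocklist and
sample values are assumptions for illustration, not the bank's."""
import math
import string

ALNUM = set(string.ascii_letters + string.digits)


def td_policy_ok(password):
    """The rules quoted in the post: 5-8 characters, letters and digits only.
    Mixing letters and digits is only *recommended*, so it is not enforced."""
    return 5 <= len(password) <= 8 and all(c in ALNUM for c in password)


def strict_policy_ok(password, username="", blocklist=("password", "123456", "qwerty")):
    """A stricter policy (assumed here): 12-64 printable characters, not a single
    repeated character, not a common password, and not derived from the username
    (the post notes the card number doubles as the username)."""
    if not 12 <= len(password) <= 64:
        return False
    if not all(c in string.printable and c not in "\t\n\r\x0b\x0c" for c in password):
        return False
    if len(set(password)) == 1:
        return False
    if password.lower() in blocklist:
        return False
    if username and (password in username or username in password):
        return False
    return True


def keyspace_bits(alphabet_size, length):
    """Bits an attacker must search for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Time to try every password of this shape at an assumed offline guess rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Passwords the post reports the system accepted, plus a made-up card number.
    for pw in ["foobar", "12345", "11111", "aaaaa", "45231"]:
        print(f"{pw!r:10} quoted policy: {td_policy_ok(pw)}  strict: {strict_policy_ok(pw, '4523189600001234')}")
    print(f"quoted policy keyspace: {keyspace_bits(62, 5):.1f} to {keyspace_bits(62, 8):.1f} bits")
    print(f"strict policy keyspace: {keyspace_bits(95, 12):.1f} bits and up")
    rate = 1e10  # assumed offline guess rate
    print(f"exhausting 8 alphanumerics at {rate:.0e}/s: {seconds_to_exhaust(62, 8, rate) / 3600:.1f} hours")
```

The takeaway the numbers make explicit: even a perfectly random 8-character password under the quoted rules gives under 48 bits, and 5-character ones under 30, which an offline attacker exhausts in hours; refusing special characters removes roughly a third of the alphabet for no benefit, and nothing in the rules stops a password that is a prefix of the username.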

Obviously I’ve changed the password to one which is as secure as I can make it given their crappy constraints, but it really angers me that I’m paying, through the fees they charge me, for this kind of asinine security policy.  It almost makes me want to go through the hassle of switching banks… but I’m sure the others all have similar issues on one level or another.

Some days, though, this industry just makes me want to set things on fire – today is one of those days.

-Leigh
