Policies That Work (Making IT Real)

We talk a lot about IT, but we don’t talk nearly enough about making IT real.

In particular, I’ve found that there’s a disconnect between IT – security guys in particular – and the people they’re securing. While this applies across the board, it becomes a problem when policies are being created.

One of the keys to effective security is to stop writing policies or procedures that aren’t going to work. It’s great on paper to require users to have fourteen-character passwords that change every day, only use Internet access for work purposes, turn off their cellphones as they walk in the door, have IT install (and fix) all printer connections, and never connect their iPads to corporate wireless. Unfortunately, these requirements work best on paper, not in reality. Security policies that users don’t buy into weaken security across the board.

When it comes to wireless in particular, it’s hard to tell users to just give up their need for constant Internet access. So I say: give them a clean, safe avenue to feed their need for unlimited access to the Internet. WiFi is so cheap – Internet connections in general are so cheap – that I suggest having open third-party wireless. It goes out to the Internet and has no connection to the internal network: put it on its own circuit or VLAN with no route to internal address space, and verify from the guest SSID that nothing on the inside answers. You get on the VPN exactly as if you were in Starbucks – it’s just as hostile – and you back that up with policy that says to treat that network as if you were in Starbucks. If you find a user bridging the networks, you apply the same policy enforcement you would if you found someone publishing sensitive docs from an open, public network.

The question, then, is “what does appropriate punishment look like?” Personally, I believe in having effective policies that actually result in real change, and for that I have always found that positive reinforcement works the best. Whether positive or negative, acknowledgement either way is effective and very important. When I do a security awareness engagement (pentest) and I’ve completely destroyed the place, I spend the third day going out of my way to get caught. One time, I walked out with the business processing computer from behind a teller machine. There was a guy who had let me do lots of bad stuff, but this time he caught me. As soon as he caught me, I said “ooh, you caught me.” Basically, I gave him the win! It was a bad situation and we found all these flaws in their security. But these four people were able to find something, and that caught their attention.

We spend too much time in our industry showing people what they did wrong. You can’t find everything that everyone did wrong. But you can show them examples of what to do right. That’s what enforcement policies should be based on – what it looks like to do things right. When I do enforce a punishment, I go to their desk and make that employee stand right behind me and watch while I “check” their computer, even if I already know what was wrong. I make them watch the process. And then I say “you do understand our corporate policies, right?” Usually, if it’s the first time, I won’t necessarily even report it, but I do publicly show him what the right way forward is. I don’t just educate this person – I’m also trying to educate everyone around that guy.

Unfortunately, not many IT departments have a guy like me.

But every IT guy can be a guy like me. Every quarter, a security professional or IT team doing security needs to physically walk through the company’s buildings. Pick a floor, campus, department. Walk through while people are there. Look under keyboards and monitors for passwords. Let them know what you’re doing, and let them know why you’re doing it. Security is everyone’s job: you’re just the one being obvious about it.

Hooyah! The Challenge of BYOD Policy Enforcement in the Navy and In Your Organization

I have been off the boat (former submariner) for a few years now, but every now and again I find myself browsing the U.S. Navy’s public website to see who got promoted and to check out the new policies heading to the fleet. Last week, I saw a NAVADMIN (a formal Naval Administrative message, for those not in the service) with the subject USE OF UNCLASSIFIED NAVY AND MARINE CORPS INTRANET LAPTOPS WITH EMBEDDED WIRELESS (NAVADMIN 290/15). The message goes on to present a new formal policy for a problem facing many organizations – protecting critical data and systems from the ever-growing swarms of wireless devices.

With a tradition of tech heroes like Grace Hopper and Hyman Rickover, the U.S. Navy has a proud history of being an innovator and early adopter of technology (Hooyah!). From the early days of software, through nuclear propulsion reactors and advanced weapons systems and satellites, the Navy has tackled the most challenging of technical problems. This history makes it particularly interesting to see how such a large and structured organization is tackling the proliferation of web-enabled devices.

In short, the policy states that devices issued for use on UNCLASSIFIED systems, when used in areas with sensitive networks and operations, must have the WiFi turned off by the operator. The onus is on the device owner to remember that they must disable wireless capabilities prior to entering these areas (of which the Navy has many), and re-enable when they are in an appropriate area.

But here’s the thing: relying on humans to remember to turn off WiFi will be challenging. It’s a significant challenge even when you have well-trained and loyal sailors legally bound to follow your orders. So the question must be asked: how do you enforce this type of policy? The memo goes on to tease some additional measures for “detection/jamming” on the horizon so that the policy can be properly enforced, though specifics aren’t offered at this time.

Sound familiar? It should, because this is not just a problem for the military. Every organization has sensitive data and critical infrastructure that needs to be protected – and your “sailors” are not legally bound to follow orders. You might even have something similar in your enterprise, where a BYOD or IoT policy states that WiFi should be disabled or that certain devices are not allowed onto the WiFi network. Two stats are telling: while 74% of organizations permit or plan to permit BYOD, 30% of those with a BYOD policy in place have no way to enforce it or simply rely on the honor system.

Now, ask yourself, how will your organization develop and enforce policies to mitigate risk and protect your important assets in 2016? Let us know below.

Creating A Secure PassPHRASE and Ditching PassWORDS

In a nearly two-decade career in technology, mainly in security, I can count on my two hands the number of times that I’ve changed my personal behavior because of something I’ve heard in a meeting. Typically it would happen as I was sitting in the audience watching a presentation at some con, and a sudden realization came over me that if I tweaked my behavior just a bit I could better secure myself. At the same time I’ve been really lucky to sit next to super smart security people, literally, at work each day and listen in as they detailed why what I was doing was WRONG (or dumb, or idiotic…). Unfortunately, it isn’t always done with grace. There’s nothing I hate more than a smug reminder of how insecure I am with no suggestion of how to make it better.

Last week in a cramped conference room in Boston it happened again, but this time it was done with such ease and simplicity that I not only wanted to change my behavior, I wanted to punch myself in the face for not having realized it sooner. The conveyor of this great idea – though not the first person to say it – was Jayson Street, well known throughout the community and of course on this blog for saying what he means, telling it like it is, and always trying to help all of us in need. The advice might be old hat for some, but it hit me like a ton of bricks.

The one thing you can do to better secure yourself in 2016 is to ditch your passwords and start using passphrases.

Yes, I know, many of you have been talking about and doing this for years. Even Edward Snowden got on the bandwagon earlier this year. Simply because it’s been talked about doesn’t mean people are actually adhering to the advice, and that means we have to keep talking about this one as much as possible, since our biggest threat remains the uneducated consumer. AND, yes, the strongest password is the one you can’t remember…but people outside of a very few in security simply laugh at the absurdity of that statement.

Now, with that all behind us, let’s talk about how to implement this into your connected lifestyle.

5 Ways To Create a Secure Passphrase…and Ditch Passwords

Think of a passphrase as a complex sentence, versus a password that is simply, well, a word that maybe has some digits or a few symbols (yes, you are SO tricky using ‘$$’ as ‘ss’). But there are a few tips you should follow (or share with your employees) to create the strongest passphrase.

1. Use The Space Bar

Most online accounts now accept blank spaces in a password field (not all do, so check before you commit to a phrase). Spaces let you type the sentence we talked about above, and a multi-word sentence is much harder for a shoulder-surfer to memorize and for a guessing attack to hit than a single word.

2. Go Long…15 or More Characters

Length is what makes a cracker work. Every extra character multiplies the number of guesses a brute-force run has to make, and 15 is a meaningful line on Windows: the legacy LAN Manager (LM) hash, which splits a password into two 7-character halves that are cracked independently, is only stored for passwords of 14 characters or fewer. At 15 or more, Windows stores no LM hash at all, and the attacker has to go after the full-length NTLM hash instead. Can they still figure it out? Sure, but the longer it takes them to get your passphrase, the better the chance they give up and move on.

3. Use a Passphrase That is Personal, but Unique

The beauty of a passphrase is that it should be something you can remember a bit more easily, but it can’t be something that people would easily guess. Say, for example, you are a huge Star Wars fan (I hear there is a new one that came out recently), so you decide to create a passphrase of “May the force be with you!”. Look at you, it’s well past 15 characters, it uses the space bar, and even that pesky exclamation point. Nice work, but it’s barely stronger than your old “w00ki3” password: a famous quote is in every cracking wordlist.

Most likely you have already liked Star Wars on Facebook, and everyone knows you were at the midnight showing dressed as Jango Fett. That passphrase was personal, but it wasn’t unique. Instead, choose something that is both personal and unique: think of something you’d tell someone close to you, but not your coworkers. Unforgettable? Slightly embarrassing? Perfect:

“I actually like Episode one. Don’t tell anyone!”

4. Keep Being a Character

No, not you personally, your passphrase. Still use those exclamation points, hyphens, ampersands, digits; they widen the character set the attacker has to cover. Just don’t lean on them: the usual swaps (“@” for “a”, “1” for “i”) are built into every cracker’s mangling rules, so they add less than they seem to, and length does the real work. Building on our example:

“I @ctually like Episode 1. Don’t tell anyone!”

5. Variety is the Spice of Life…and Passphrases

Here is where I’m still going to tell you that you need different passphrases for different accounts. Now, is it realistic that you’ll have a different passphrase for every single site, app, and account? Probably not. That doesn’t mean we can’t try. One suggestion is to create a family of passphrases whose wording also reminds you where each one belongs. Keep in mind that if one site leaks its variant, the shared base gives an attacker a head start on the rest, so a password manager holding unrelated passphrases is the better fix wherever you can use one. Example:

“I @ctually like Episode 1. Don’t tell anyone at the bank!”

Feel better? Feel more secure? Good! Now, make it your 2016 resolution to replace passwords with a secure passphrase.
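To make the five tips concrete, here is a small checker, added to this post and not part of the original advice. It applies the length, space and punctuation rules, undoes common leetspeak swaps before comparing against a constructed sample of well-known quotes (standing in for a real cracking wordlist), and flags two passphrases that share most of their text, which is the weak spot of the “…at the bank!” variant above. The phrase list, the 0.7 similarity threshold and the function names are assumptions made for the example.

```python
import re
import string

# Constructed sample of quotes and catch-phrases an attacker loads into a
# cracking wordlist; a real list holds millions of them.
KNOWN_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "i love you",
    "let it be",
    "correct horse battery staple",
}

# Common leetspeak swaps. Crackers undo these automatically with mangling
# rules, so they add far less strength than they appear to.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def normalize(phrase: str) -> str:
    """Lowercase, undo leetspeak, drop punctuation and collapse whitespace,
    so the wordlist check sees the phrase the way a mangling rule would."""
    text = phrase.lower().translate(LEET)
    text = re.sub(r"[^a-z0-9 ]+", "", text)
    return " ".join(text.split())


def check_passphrase(phrase: str, min_len: int = 15) -> list:
    """Return the problems found; an empty list means the phrase passes
    tips 1 to 4 (spaces, length, not a known quote, has extra characters)."""
    problems = []
    if len(phrase) < min_len:
        problems.append(f"too short ({len(phrase)} chars, want {min_len}+)")
    if " " not in phrase.strip():
        problems.append("no spaces: use a sentence, not a word")
    if not any(c.isdigit() or c in string.punctuation for c in phrase):
        problems.append("no digits or punctuation")
    norm = normalize(phrase)
    if any(known in norm for known in KNOWN_PHRASES):
        problems.append("contains a well-known quote found in cracking wordlists")
    return problems


def shares_base(a: str, b: str, threshold: float = 0.7) -> bool:
    """True when two passphrases share most of their leading text (the tip 5
    variant pattern), meaning a leak of one is a head start on the other.
    The 0.7 threshold is an assumption chosen for this example."""
    if not a or not b:
        return False
    shared = 0
    for x, y in zip(a, b):
        if x != y:
            break
        shared += 1
    return shared / min(len(a), len(b)) >= threshold


if __name__ == "__main__":
    for candidate in ["w00ki3",
                      "May the force be with you!",
                      "I @ctually like Episode 1. Don't tell anyone!"]:
        print(repr(candidate), check_passphrase(candidate) or "OK")
    print(shares_base("I @ctually like Episode 1. Don't tell anyone!",
                      "I @ctually like Episode 1. Don't tell anyone at the bank!"))
```

Run as-is it rejects “w00ki3” (short, no spaces), rejects the Star Wars quote even with its exclamation point, passes the Episode 1 phrase, and reports that the bank variant shares its base with the original.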

Researcher Develops First Drone Malware

Small unmanned aerial vehicles (UAVs), often referred to collectively as “drones” are all the rage right now. From delivering packages for Amazon to crashing on the White House lawn, it seems every week there is some new debate about the usefulness and potential danger of the widespread availability of what was once a technology limited primarily to the military.

Questions as to the safety and security of what essentially boils down to a flying computer are unlikely to abate with the news that security researcher Rahul Sasi has developed what he claims to be the world’s first drone malware: Maldrone.



The full details of Sasi’s research won’t be revealed until nullcon in February, but he’s already put a demonstration video up on YouTube and described the general idea on his blog. While there are still some unanswered questions, what Sasi has already shown is enough to call into question how secure some of these consumer-level “drones” really are.

For his research Sasi targeted the AR.Drone, manufactured by Parrot, a Linux-powered drone that users control with their smartphone or tablet over WiFi. In his demonstration, Sasi shows a Python script which uploads a payload to the AR.Drone over the local WiFi network, to which the drone responds a few seconds later with a reverse shell connection.

Sasi’s software then demonstrates running some standard Linux commands on the drone’s onboard computer, which in this case simply returns the version of Linux it’s running, but could just as easily report data from the drone’s sensors back to the attacker. Finally, the malware shuts off the drone’s autopilot system, causing it to drop out of the sky like a brick.

This demonstration is simply a teaser for Sasi’s larger reveal, but it proves there is real potential to turn these drones against their masters. With the number of sensors onboard these vehicles (GPS, camera, WiFi radio, etc.), they could be used for remote surveillance without the legitimate operator’s knowledge, or simply stolen from the owner by commanding the drone to fly to the attacker’s location.

One big issue not fully addressed in the demonstration video or the accompanying blog post is whether this attack works remotely against a stock-firmware AR.Drone, or whether the drone in the demonstration had already been compromised by way of a modified firmware. Obviously, the attack is much more potent if it works on an out-of-the-box drone, so the answer to that question will go a long way toward establishing Maldrone as a real threat.


Picking on Parrots

Parrot’s AR.Drone line is no stranger to security audits. In 2013, Parrot’s AR.Drone 2 (an enhanced version of the one Sasi is working with) was used in Samy Kamkar’s SkyJack. Kamkar strapped a Raspberry Pi and an Alfa AWUS036H onto the AR.Drone 2, and loaded with his software it was able to deauthenticate other AR.Drone owners from their drones’ WiFi networks. With the legitimate user’s smartphone or tablet off the network, SkyJack was able to establish a new connection and remotely command the drone.

The reason the AR.Drone has been targeted in both of these demonstrations is pretty simple: rather than using a custom radio communication protocol like more advanced remote-controlled vehicles, Parrot chose to simply go with standard WiFi. This means the AR.Drone is susceptible to a lot of the traditional WiFi tools and exploits, making it a much easier target. That also means that security vulnerabilities in the AR.Drone’s control systems aren’t necessarily indicative of problems with drone technology in general.

That said, increased scrutiny of drone security is coming. The impressive computational power and suite of sensors required to keep one of these vehicles in the air is simply too tempting of a target to be ignored for long, especially as commercialized drone services (such as package delivery) start becoming mainstream.

Rethinking Biometric Security

For many, biometrics are considered the ultimate second factor. Two-factor authentication combines two of: something you know (a password or PIN), something you have (a token) and something you are (a biometric). Most systems currently implement the second factor with security tokens, which can either take the form of a hardware device (such as the RSA SecurID fob) or software running on a smartphone (Google Authenticator), both of which have their logistical problems. Supplanting these tokens with something that is literally part of the user, such as a fingerprint or iris scan, would take a lot of the implementation headaches out of two-factor authentication.

But new attacks have shown that the most common form of biometric authentication, fingerprint scanning, is not nearly as secure as originally thought. The next generation of scanners aims to increase security, but is it too little, too late?


High Profile Vulnerabilities

Hacking fingerprint scanners by cloning fingerprints is hardly new, but it definitely got a lot of mainstream attention when it was shown that Apple’s iPhone 5S was susceptible to this type of attack just days after its release. Chaos Computer Club member Jan “Starbug” Krissler created a detailed guide on how a print could be “lifted” from a smooth surface (such as a drinking glass) and reproduced in a form that can be glued to an attacker’s own finger. A video was released that even showed how to recover a usable fingerprint from the iPhone’s screen using nothing more exotic than a desktop scanner.

These hacks were by no means simple; they required patience, skill, and even some volatile chemicals. But they were very much possible, and anyone with the drive to follow the widely available information could replicate them without much expense. If somebody wanted into your iPhone badly enough, it was clear they could get in.

Many hoped that the iPhone 6 would pack in a more sensitive fingerprint scanner that would be harder to trick, but upon its release, it was demonstrated that the same method worked on the newer device as well.

But to many, this didn’t come as a surprise. The fingerprint scanner on the iPhone is meant to be more convenient, but not necessarily more secure, than simply using a traditional PIN to unlock the device. For the average user, the iPhone’s fingerprint authentication works fine, but it shouldn’t be relied on for high-security applications: unlike a PIN, a fingerprint can’t be changed once a copy of it is out.


Hands Free Hack

As if his attack against the iPhone wasn’t enough, Krissler has recently released information on how he was able to create a duplicate fingerprint using nothing more than high-resolution images of the target’s hands.

In his demonstration at the 31st Chaos Communication Conference, Krissler showed how he was able to use images of German Defense Minister Ursula von der Leyen’s thumbs and the commercially available VeriFinger SDK to create a replica of her fingerprint without ever having access to a physical object she touched. Given the availability of high resolution images of public figures, this attack could conceivably have long reaching security implications.

During his presentation, Krissler quipped that “After this talk, politicians will presumably wear gloves when talking in public.” While the statement was in jest, it will be interesting to see if policy on photographing public officials will be in anyway impacted by Krissler’s work.


Next Generation Hardware

With attacks like these already in the wild, it’s clear that fingerprint authentication needs to be rethought. New approaches to fingerprint scanning include what are known as “living biometrics”, where it isn’t enough to simply have an image of a fingerprint, the scanner must also see evidence of living processes.

One such method is finger vein recognition, where the veins in the finger (which are as unique to each individual as the fingerprint itself) are photographed through the use of infrared light. Since the veins are under the skin, there’s no way to duplicate them using images of the hands or prints lifted off of glass, as these only give surface details.

While the technology and method is still being actively researched, the results so far are very promising. Britain’s Barclays bank has announced that this year they will be making vein recognition systems available to their commercial customers, with a full rollout to follow if it’s successful.
While it will be quite some time before we see vein recognition hardware on our smartphones, the technology will one day become common enough that a user’s finger may still end up being as worthwhile a security token as anything currently available.