Password Security and Social Engineering

I was doing some research for an upcoming blog post for work and came across this funny bit that Jimmy Kimmel did during the Sony hack hype.  It has some really important content for security professionals and the general public.

One, it is really easy to social engineer information out of people.  A book I enjoyed reading, “Ghost in the Wires” by Kevin Mitnick, gives endless examples of how he used social engineering to get valuable information about corporate networks, account details, even passwords.  The Jimmy Kimmel bit illustrates one technique that not many hackers have in their arsenal (a TV camera crew), but less elaborate techniques are used all the time.  How much information do you give out over social media, or on phone calls from people claiming to be employees, telemarketers, etc.?  I am not advocating raising the drawbridge and not sharing on those sites or in conversations (I am in the collaboration business so that would not be convenient), but I am saying be aware.  There is no reason under any circumstances that you should be compelled to give out your password or information about your password, and no legitimate help desk or bank will ask you for it.

Two, it is a good reminder to go in and change your password from time to time.  If you work for a large corporation you will be forced to do this on a set schedule.  However, this doesn’t cover your social media sites.  With the number of devices and accounts you probably have today, it is good practice to go in and change those passwords too, and to change a password immediately if the site that holds it reports a breach.  I like to do it twice a year after the clocks change.

Last, creating a good password with decent entropy is really easy by using what I call the sentence method.  This is certainly not a new technique, and I can’t remember where I first learned it, otherwise I would attribute it here.  Here is how it works:  one, create a sentence that you can remember, e.g. “My favorite teacher in 3rd grade was Mrs. Smith who wore glasses and was a star”; two, take the first letter of each word in the sentence, keeping the number and turning a word like “star” into its special character, e.g. Mfti3gwMSwwgawa*.  Some websites won’t allow special characters because they are worried about cross-site scripting vulnerabilities, so if your financial institution is one of those then use the word equivalent of the special character (Mfti3gwMSwwgawastar).  If you want a shorter version, create a shorter sentence.  There are variations of this that take the last letter of each word, or the second letter, etc.  One caveat: the password is only as unpredictable as the sentence, so don’t build it from a famous quote, song lyric or anything else an attacker can find in a wordlist.

Posted in Uncategorized | Leave a comment

DropBox Compromise Truth: 6.8 Million Users May Not Be Compromised

You may be reading headlines like this one from the Daily Mail, “‘Your stuff is safe’: Dropbox denies hack after anonymous post claims it has the personal details of up to 6.9 MILLION users”, about another large cache of users falling prey to attackers (following Steve Gibson in saying attacker rather than hacker).  However, this is a good example of a couple of issues that we all need to remind ourselves of in these heady times.  One, not all headlines of reported hacks are what they seem to be.  There are groups that want salacious headlines for a number of reasons: to chum the waters for phishing attacks, to bring attention to a security company’s products, or as link bait for a website.  I won’t pretend to know what the reasons were for this group to report the event.  DropBox has denied that its user accounts have been compromised and I believe them.  It is in their best interest to admit that an event has occurred.  This is the first rule of responding in a crisis management event: get the truth out quickly and over-communicate.  This is what builds trust, even in a crisis where you are responsible.  Not to link bait myself, but the CDC could apply this to their handling of the Ebola crisis.

Second, it is a reminder to users who still use the same password on multiple sites that they are at risk.  The current theory on this event is that this group took a batch of username/password pairs purchased on underground sites (harvested from breaches elsewhere), replayed them against DropBox, and kept the pairs that happened to work there, the technique known as credential stuffing.  Nothing at DropBox has to be broken for this to succeed; the reused password is the vulnerability.  Here is a quick reminder on what not to use for a password, taken from Ms. Smith at Network World on the Top 25 Most Common Passwords here.



So what can you do?  If you are using the same password across multiple sites you have two choices.  One, use a password manager like LastPass, or one of the other password management tools I have covered in this blog post here.  Two, if you don’t want to pay for those services, then do yourself a favor and choose three passwords: one very strong password for all your banking and financial sites, one for work, and one for all your other news or web accounts.  Tiering limits the blast radius, but a breach of any site in a tier still exposes the rest of that tier, which is why a unique password per site from a manager is the better answer.
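To make the replay theory above concrete, here is an added example (not from the original post and not DropBox’s code) of the kind of check a site can run over its own login log.  It flags a source address that tries many distinct accounts with mostly failures, lists the accounts whose reused password worked from that address, and separately flags successful logins from an address an account has never used before, which is the signal behind the “unusual activity” emails sites send.  The log format, the 203.0.113.7 / 198.51.100.x addresses (documentation ranges), the KNOWN_IPS history and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample login log (not real data): one address, 203.0.113.7,
# replays a bought username/password list against ten accounts and gets two
# hits; 198.51.100.x are ordinary users.  Fields: timestamp ip user result.
SAMPLE_LOG = """\
2014-10-14T09:00:01Z 203.0.113.7 alice FAIL
2014-10-14T09:00:02Z 203.0.113.7 bob FAIL
2014-10-14T09:00:02Z 203.0.113.7 carol OK
2014-10-14T09:00:03Z 203.0.113.7 dave FAIL
2014-10-14T09:00:03Z 203.0.113.7 erin FAIL
2014-10-14T09:00:04Z 203.0.113.7 frank FAIL
2014-10-14T09:00:04Z 203.0.113.7 grace OK
2014-10-14T09:00:05Z 203.0.113.7 heidi FAIL
2014-10-14T09:00:05Z 203.0.113.7 ivan FAIL
2014-10-14T09:00:06Z 203.0.113.7 judy FAIL
2014-10-14T09:01:00Z 198.51.100.20 alice OK
2014-10-14T09:02:00Z 198.51.100.21 bob FAIL
2014-10-14T09:02:05Z 198.51.100.21 bob OK
"""

# Addresses each account has successfully logged in from before (assumed history).
KNOWN_IPS = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.21"},
    "carol": {"198.51.100.22"},
    "grace": {"198.51.100.23"},
}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts, in order."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def stuffing_sources(events, min_users=8, max_success_rate=0.5):
    """Addresses that tried many *distinct* accounts with mostly failures.

    One user mistyping their own password never trips this (one account);
    a replayed credential list does, even though a few pairs succeed.
    Returns {ip: [accounts that logged in successfully from that ip]}: those
    are the users whose reused password just worked and need a reset notice.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        success_rate = sum(e["ok"] for e in evs) / len(evs)
        if len(users) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(e["user"] for e in evs if e["ok"])
    return flagged


def first_seen_logins(events, known_ips):
    """Successful logins from an address the account has never succeeded from.

    This is the per-account 'new location/device' signal behind the
    suspicious-activity emails; it still catches a stuffed credential when the
    attacker spreads attempts over enough addresses to stay under the
    per-address threshold above.  known_ips is not modified.
    """
    seen = {user: set(ips) for user, ips in known_ips.items()}
    alerts = []
    for e in events:  # events are assumed to be in chronological order
        if not e["ok"]:
            continue
        history = seen.setdefault(e["user"], set())
        if e["ip"] not in history:
            alerts.append((e["user"], e["ip"]))
            history.add(e["ip"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("replay sources:", stuffing_sources(evs))
    print("new-address logins:", first_seen_logins(evs, KNOWN_IPS))
```

The two checks are deliberately independent: the per-address one catches the cheap, single-source replay and tells you which accounts to force a reset on; the per-account one is what protects a user whose reused password is tried once from a residential proxy.  Real deployments also bucket by time window and by user agent, which this example leaves out.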

Posted in Access Management, Directory Services, Identity Management, Security News, Uncategorized | Tagged | Leave a comment

3 Things Users Can Do to Protect Themselves Against Russian Hackers HoneyPot of Identities

The most salacious headline last week from the BlackHat Conference was the announcement in the NY Times that Russian hackers had amassed a database of 1.2 billion user email addresses and passwords.  The database included identities from sites that still had known vulnerabilities, and the company that released the news and independently validated the database was not at liberty to release the names of those companies.  This is the best-practice response to known vulnerabilities, but it leaves the user at risk and wondering who is looking out for them.  Therefore, I have put together this quick three-step action plan that users can follow if they are worried about protecting their identities and financial data.

1.  Change your password:  If you are one of the many users who uses the same password for multiple sites, you should change your password on your most important financial sites that use that password.  If you want to use a tool to help you with this process and implement better password management across sites, skip to #2.  If you don’t want to use a password management tool, then choose three passwords that you can remember using the strategy below: one for your financial sites, one for email and social media sites, and one for everything else.

Creating a good password with decent entropy is really easy by using what I call the sentence method.  This is certainly not a new technique, and I can’t remember where I first learned it, otherwise I would attribute it here.  Here is how it works:  one, create a sentence that you can remember, e.g. “My favorite teacher in 3rd grade was Mrs. Smith who wore glasses and was a star”; two, take the first letter of each word in the sentence, keeping the number and turning a word like “star” into its special character, e.g. Mfti3gwMSwwgawa*.  Some websites won’t allow special characters because they are worried about cross-site scripting vulnerabilities, so if your financial institution is one of those then use the word star instead of the special character.  If you want a shorter version, create a shorter sentence.  There are variations of this that take the last letter of each word, or the second letter, etc.  The password is only as unpredictable as the sentence, so pick something personal rather than a quote or lyric an attacker can find in a wordlist.

2.  Get a Password Manager:  Password vaults/managers have been on the scene long enough to prove their worth and security to users.  If you are writing down your passwords on a note card and storing it in the top drawer of your desk at the office or at home, then this is the tool for you.  These tools work on mobile devices as well as in browsers and can create really strong passwords for you if you don’t want to create your own like above.  The great thing about these tools is not just the management: they can create a unique password for each site you visit, so one site’s breach no longer exposes your other accounts.

Top 3 Password Managers:
1.  LastPass, (Tried and true, very good security and support across all devices)
2.  KeePass, (Open and really good software)
3.  1Password (Mobile support impressive; even works with Touch ID, so if you use iOS this is a great tool for you)

3.  Turn on Free Fraud Protection:  Each of the credit bureaus will place a free fraud alert on your file at your request.  Here is a link to Experian’s simple three-step process to turn on a 90-day fraud alert for your account: click here.

Of course, when a large cache of passwords is released into the wild, monitor your email for notifications about unusual activity.  Many sites today have adaptive authentication in place that watches for unusual activity (e.g. authentication attempts from an unusual IP address or device) and will notify you of anything suspicious.

It goes without saying, don’t click on the links in those emails, since a phishing message looks exactly the same.  Go to the site directly to change a password or update information.
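The sentence method from step 1 above (it is the same method described in the password post earlier on this page), as an added example rather than anything from the original posts: a small Python implementation of the first/last/second-letter variants, the symbol-word substitution, the word fallback for sites that refuse special characters, and a naive entropy figure with the caveat that number needs.  The SYMBOL_WORDS table beyond “star”, the function names and the entropy formula are my assumptions, not the post’s.

```python
import math
import string

# Words that become a symbol; the post only uses "star" -> "*", the rest of
# this table is my assumption.  "and" is deliberately absent so that it keeps
# contributing its letter, as in the post's own example.
SYMBOL_WORDS = {"star": "*", "at": "@", "dollar": "$", "percent": "%",
                "hash": "#", "plus": "+", "bang": "!"}

SENTENCE = "My favorite teacher in 3rd grade was Mrs. Smith who wore glasses and was a star"


def _pick(word, position):
    """One character from a word: its first, last or second letter."""
    if position == "first":
        return word[0]
    if position == "last":
        return word[-1]
    if position == "second":
        return word[1] if len(word) > 1 else word[0]
    raise ValueError(f"unknown position {position!r}")


def sentence_password(sentence, position="first", allow_symbols=True):
    """Derive a password from a memorable sentence (the 'sentence method').

    Each word contributes one character.  A token like "3rd" contributes its
    leading digit under position="first"; a word in SYMBOL_WORDS contributes
    its symbol, or the whole word when the site refuses special characters
    (allow_symbols=False), which is the post's fallback advice.
    """
    out = []
    for raw in sentence.split():
        word = raw.strip(string.punctuation)   # "Mrs." -> "Mrs"
        if not word:
            continue
        key = word.lower()
        if key in SYMBOL_WORDS:
            out.append(SYMBOL_WORDS[key] if allow_symbols else key)
        else:
            out.append(_pick(word, position))
    return "".join(out)


def naive_entropy_bits(password):
    """Bits a brute-force search must cover *if* the password were uniformly
    random over the character classes it uses: len * log2(alphabet size).

    Caveat: this is an upper bound.  A sentence-derived password is only as
    unpredictable as the sentence, so a famous quote or lyric scores the same
    here yet falls to a wordlist.  Use the number to compare lengths and
    character mixes, not as a guarantee.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pos in ("first", "last", "second"):
        pw = sentence_password(SENTENCE, position=pos)
        print(f"{pos:6s} {pw:24s} ~{naive_entropy_bits(pw):.0f} bits")
    print("no-symbol site:", sentence_password(SENTENCE, allow_symbols=False))
```

Running it reproduces the post’s Mfti3gwMSwwgawa* for the first-letter variant and Mfti3gwMSwwgawastar for a site that rejects symbols; the entropy figure of roughly 105 bits for the 16-character result is what a blind brute force faces, not what a guesser who knows your third-grade teacher faces.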

For other identity or security wonks that are reading this blog, please let me know if you have other suggestions for users.

Posted in Access Management, Identity Management, Personal, Security News | Tagged , | Leave a comment

Top 5 Best Beer Bars in Monterey for Cloud Identity Summit

The Cloud Identity Summit starts this weekend, and for those attendees who are looking to have an after-hours discussion about identity-related topics while enjoying a beer, here is the definitive (ok, maybe too strong) guide to the best beer bars in Monterey.

Top 5 Best Beer Bars

1.  The Crown and Anchor:  This is one of the original great pubs of Monterey and is our go-to pub when we want to get our UK fix.  The owner is from England and knows her beers.  They have a variety of great beers from the Emerald Isle and England for your drinking pleasure.  The outdoor patio seating area is great for a warm evening.  They have heaters for those Monterey summer nights that are worthy of Mark Twain’s famous saying.  They stay open relatively late by Monterey standards.

2.  Alvarado Street Brewery & Grill:  This place is the newest entry on Alvarado and will remind you of Gordon Biersch.  The beer is very good and there is a wide selection of on-tap and bottled options.  I personally appreciate the wide selection of non-alcoholic options.  The decor is warm, modern and inviting and great for a large group so if your party is more than.  The food is California cuisine and the place is packed on a regular basis.

3.  English Ales Brewery:  The beer is excellent at this off-the-beaten-path beauty.  The service is also great.  Food is ok but authentic.  My favorite is the chicken salad.  On a Wednesday night, a group of great water polo players is known to frequent this place.

4.  Jack London Bar & Grill:  If you’re headed to Carmel this is always a good standby for a good time.  Great bar with good food.  The ambiance is intimate, so it is a perfect place for a group of 5-8 identity revelers.  If you want something a little bigger, the better bet in Carmel is Forge in the Forest, but that is not for the beer, more for the fires and ambiance, so it doesn’t make the list.

5.  Trident Room:  This place is legendary, but you can only get in if you know someone from the Naval Postgraduate School.  The history alone is worth the price of admission.  This is where Teddy Roosevelt and FDR stayed in Monterey.  Besides the history and the opportunity to have a great beer, you most likely will be sitting in a room with some of the best men and women the United States has to offer.  On Memorial Day weekend, NPS opens its doors to the public and tours are given around the grounds and inside the building.

There are tons of other options in Monterey.  However, it can be a little sleepy, so make sure you ask around and find a local, as they will be able to tell you where to go to have fun and eat well.  Thanks for sharing your knowledge and Monterey with us identity wonks.

Please leave a comment if you find a better location that is not on the list. 

Posted in Uncategorized | Leave a comment

Cloud Identity Summit Preview – Monterey

Looks like an exciting agenda for the Cloud Identity Summit in Monterey (same week as the California Rodeo, so a great week to be in Monterey).  The culture at this event, which Andre Durand has done a lot of work to foster, has really broken down traditional barriers and allowed identity wonks and business owners to share and learn from each other.  This is one of the reasons that this event is one of the best in the industry to attend.  And, it is in Monterey.

Here are the top 5 sessions I have on my list to attend (by time not priority).  On Friday, I will be posting a beer drinker’s guide to the Cloud Identity Summit.  There are some great micro-breweries in Monterey that you may just want to check-out.

Monday, July 21

12:30-12:55 (DeAnza II)

Spinning New Threads with Existing Identity Systems, Mike Neuenschwander

A comparison of use cases for identity in cloud and enterprise deployments, with ideas on how to intertwine enterprise and cloud identity systems in the emerging cloud fabric.

1:30-2:00 (DeAnza II)

Network-Aware IAM, David Frampton, Cisco Systems 

How to position the network as a real-time source of critical security data; get more out of existing IT platforms by serving a wider set of use-cases, especially for mobility and BYOD environments; and translate heterogeneous IT platform capabilities into actionable network access policy

4:20 pm – 4:45 pm

Zen and the Art of Cloud Adoption— a Practitioner’s Viewpoint on Finding Balance, Laura E. Hunter, Microsoft

Real-life tales from the trenches about how Microsoft IT is working to strike the right balance between enterprise requirements for security, privacy, control, and compliance, and creating a great experience for their users and customers who want to stay connected and productive no matter where they are or what device they’re using

Tuesday, July 22

11:00 am – 11:30 am

User-Managed Access, Allan Foster, Forgerock, Eve Maler, Forgerock

Examination of UMA (User Managed Access) as an emerging standard, presenting both individual and enterprise use cases and showing how UMA could address many of them in an open, lightweight approachable way, while still allowing and interoperating with other technologies

1:40 pm – 2:05 pm

Identity Management for the Cloud, Jim Scharf, Amazon

What’s different in providing identity and access management for one of the largest cloud providers, some of the key technology and design decisions made along the way, and how AWS is working to make it even easier to federate with existing social and enterprise identity providers

2:40 pm – 3:10 pm

Identity in OpenStack Icehouse, David Waite, Ping Identity

Overview of the OpenStack project, in particular the Keystone subproject responsible for identity, how to leverage the features in the newest OpenStack release for your own usage for tying into external identity systems, and some of the potential directions that OpenStack could take in the future

Posted in Uncategorized | Tagged , , , | Leave a comment

Top Security & Cloud Podcasts

I get asked all the time, “how do you stay abreast of the latest trends in security & cloud?”.  I am an audio learner and I spend a lot of time in the car, so listening to podcasts is one of the most efficient ways for me to learn.  I listen to a variety of podcasts while I am working out, driving to work, or doing the laundry [had to put that one in for my wife].  I am also a big believer in sharing, so I have listed my top podcasts below.  This is not a definitive list, but it does get you started.  If you have ones that you think I should have mentioned, please feel free to share.

Security Now (TWiT):  One of the first podcasts on security that I started to listen to.  Steve Gibson does a great job of covering the latest news and threats, but also going into the background education on DNS and encryption.  I encourage people to look through the archives, especially if you are just getting started in this space.

PaulDotCom Security Weekly:  A great podcast that goes deep technically.  These guys share openly and cover a wide range of topics.  However, for the younger members of the audience there are some topics that do deserve the EXPLICIT tag.

Network Security Podcast:  Sad news: these guys just recently announced they are going silent; work and family commitments have taken over.  Good luck!  The archives have some great content that covers what is happening in the overall security space.  Although the title suggests traditional network-layer security, they cover a number of larger security issues.

Ship Show:  A great title, focused on what it means to be in the DevOps community.  The recent topic on QA is especially important as it pertains to security.  Not sure the DevOps model has the security/QA completely handled yet.  Having said that, our team has been doing this since 2008.

RiskyBiz:  Great topics on a variety of security news items and products.  The latest review of is really interesting.

This Week in Google:  A great podcast that I have listened to for years.  Jeff Jarvis has great insights on privacy topics and how Google is responding.  Gina Trapani, founding editor of Lifehacker, always has great tech insights.

This Week in Enterprise Tech:  The Digital Jesuit, Fr. Robert Ballecer, SJ, takes us through the latest news from enterprise IT.  He has a wealth of knowledge on compliance and running large IT organizations, and his guests are always strong IT practitioners.
Posted in Uncategorized | Leave a comment

Join 3VR @ ISC West

ISC West is one week away!  We are excited about the event because we have news to share with the industry.  We have a number of activities planned during the week.  Please come by our booth, Booth 23026.

If you have not registered for the event, be our guest and join us as a VIP on the show floor.  You can register here for your free pass.

We are also having a cocktail reception on the show floor at our booth.  It will be Thursday, April 7th from 3-5pm.  Please join several members of our executive staff, product management and security experts for lively conversation on the trends that are changing and revolutionizing our industry.  Learn from several of our customers who have implemented 3VR and hear about the critical success factors to

Posted in Uncategorized | Leave a comment