Verification Codes

One would hope that verification codes would be extremely random. More randomness makes it harder for a malicious entity (person or computer) to guess the code. Less randomness makes it easier. With all the Two-Factor Authentication (2FA) out there, we hope there is enough randomness in these methods to make them unguessable by someone attempting to get into our accounts. But, like all security technology, the hackers get better and protections get easier to break over time.

There is a current temptation to record the codes my generators provide to see if there is a pattern. At least in the back of my head it “feels” like there might be one. My intuitions sometimes turn out true (confirmation bias) and usually do not (reality). If little ole me can see the pattern, then I am sure smarter people than I have seen it as well and maybe even have a way to anticipate the codes.

TED Talk: The Internet’s Immune System

I really enjoyed this TED Talk on hacktivists the first couple times I watched it a year ago and a few months ago. Not sure why I have not yet posted it.

The beauty of hackers, says cybersecurity expert Keren Elazari, is that they force us to evolve and improve. Yes, some hackers are bad guys, but many are working to fight government corruption and advocate for our rights. By exposing vulnerabilities, they push the Internet to become stronger and healthier, wielding their power to create a better world.

Security Inside Out #USGRockEagle13

Eddie Carter and Orrin Char, Oracle

    • Identity management and security and access management.
    • Eddie wore a UGA shirt. Guy in front of me made fun of him obviously not wanting to sell to Georgia Tech. Turns out he’s from Kennesaw. The GT-UGA rivalry knows no bounds. Love it!
    • Handout: a database firewall is more about auditing and ACLs than an enterprise firewall, which controls access to many hosts.
    • 67% records breached from servers. 76% breached through weak or stolen credentials. Discovered by an external party. 97% preventable with basic controls. Source: 2013 Data Breach Investigations Report.
    • Pre-1997: security issues mistakes. 1998-2007: Privilege abuse. Curiosity. Leakage. 2008-2009: Malicious. Social engineering. Sophisticated attacks. Business data theft. Loss of reputation.
    • Can be fined. Buy services for people affected by the breach.
    • DBAs are the targets. Phishing to get credentials.
    • Change is where gaps are opened. Being more available means more highly privileged users. Consultants and vendors claim they need DBA level access.
    • 80% of IT security programs do not address db security. They address outside computers such as with firewalls. More and more attacks exploit legitimate access applications and user credentials.
    • Supports SQL Server and MySQL.
    • Preventative
      • encryption : If data is stolen in encrypted form, then do you not have to report the breach? The application should not even know it is encrypted. Network encryption is now free to us. Autonegotiates with the destination. No application changes. Little overhead. Integrated with Oracle technologies. Key management has 2 layers. Master key in a hardware module or in a wallet. Wallet can be tied to hardware and accessed at restart. Data is encrypted with a table or column key. Table and column keys are encrypted with the master key.
      • redaction : Use ACLs to determine who can see. It will replace text such as on credit card numbers, SSNs, so can only see a full, partial, fixed.
      • data masking for nonproduction use : copy of production data in test with test being less secure. Masking means no longer valuable data. Finds sensitive columns through templates and convert the data so meaningless. Shuffle salaries. ID numbers randomized even partial. Randomize all but first two characters of last name. Can be two way so change for sending to a partner for process but then revert back when returned.
      • privileged user controls : Compartmentalization of commands. Prevent consultants from querying certain tables. Creates protective zones around schema objects.
    • Detective
      • activity monitoring :
      • database firewall : sits on the network. Parses SQL to determine the intent. Whitelist and Blacklist and exception list. If none, then alerts security to it and potentially added to a list. Have a learning and blocking mode. Can return empty result list to a hacker so thinks there are no records.
      • auditing and reporting : analyze audit-event data. Central audit repository so hacker unaware. Default and custom reports.
      • conditional auditing framework : if-this-then-that
    • Administrative
      • privilege analysis : privilege capture mode. report on what actual privileges and roles that are used. Revoke unnecessary.
      • sensitive data discovery : scan Oracle for sensitive fields. data definitions.
      • configuration management : discover and classify databases. scan for secure config.
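The two-layer key management in the encryption notes above (master key in a wallet or hardware module, table and column keys wrapped by the master key, data encrypted under the table key) is easy to misread as "two keys for extra safety". The point is operational: the bulk data never has to be re-encrypted when the master key rotates, and a stolen copy of the data files is useless without the wallet. The following is an added example written for this page, not Oracle's code. It uses only the Python standard library, so an HMAC-SHA256 keystream with an HMAC tag stands in for a real AEAD such as AES-GCM, and the `Wallet` class is an in-memory stand-in for the wallet or HSM; all names are assumptions of the example.

```python
"""Added example of a two-layer key hierarchy: a master key held in a wallet
(HSM stand-in) wraps per-table keys, and table keys encrypt column data.
Stdlib only: an HMAC-SHA256 keystream plus HMAC tag stands in for AES-GCM.
Illustration written for this page, not Oracle's code."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 256-bit key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class Wallet:
    """Holds the master key. In the real design this is the wallet or HSM,
    kept apart from the data files (assumed in-memory stand-in here)."""
    def __init__(self):
        self.master_key = secrets.token_bytes(32)


class EncryptedStore:
    """What lives on disk: wrapped table keys and sealed column values.
    Nothing here is readable without the wallet."""
    def __init__(self, wallet: Wallet):
        self.wallet = wallet
        self.wrapped_keys = {}   # table -> table key sealed under the master key
        self.rows = {}           # table -> list of sealed column values

    def create_table(self, table: str) -> None:
        self.wrapped_keys[table] = seal(self.wallet.master_key, secrets.token_bytes(32))

    def _table_key(self, table: str) -> bytes:
        return open_sealed(self.wallet.master_key, self.wrapped_keys[table])

    def insert(self, table: str, value: str) -> None:
        # The application hands over plaintext; encryption happens below it
        self.rows.setdefault(table, []).append(seal(self._table_key(table), value.encode()))

    def select(self, table: str) -> list:
        key = self._table_key(table)
        return [open_sealed(key, blob).decode() for blob in self.rows.get(table, [])]

    def rotate_master_key(self) -> None:
        """Rotation re-wraps the table keys only; bulk data is untouched."""
        old, new = self.wallet.master_key, secrets.token_bytes(32)
        self.wrapped_keys = {t: seal(new, open_sealed(old, w)) for t, w in self.wrapped_keys.items()}
        self.wallet.master_key = new


def demo():
    """Returns (decrypted rows, data unchanged by rotation, thief could read)."""
    store = EncryptedStore(Wallet())
    store.create_table("employees")
    store.insert("employees", "ssn=123-45-6789")   # constructed sample value
    before = list(store.rows["employees"])
    store.rotate_master_key()
    data_untouched = store.rows["employees"] == before
    # A thief with the data files but not the wallet guesses a master key:
    try:
        open_sealed(secrets.token_bytes(32), store.wrapped_keys["employees"])
        thief_reads = True
    except ValueError:
        thief_reads = False
    return store.select("employees"), data_untouched, thief_reads
```

`demo()` returns `(['ssn=123-45-6789'], True, False)`: the rows still decrypt after rotation, the sealed column values on disk are byte-identical before and after, and a wrong master key fails the tag check on the wrapped table key rather than silently producing garbage. In production the toy cipher should be replaced by an AEAD from a vetted library and the wallet by real key storage; the hierarchy itself is what the example shows.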
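The redaction and data masking notes above list concrete transforms: replace all, part, or a fixed string of a credit card number or SSN depending on the viewer; shuffle salaries so the distribution survives but the link to a person does not; randomize an ID while keeping a prefix; keep the first two letters of a surname; and a two-way mask for data sent to a partner and restored on return. The block below is an added example written for this page, not Oracle's product code; the employee rows are constructed, the masking rules and the tokenizer are assumptions chosen to match the notes, and it uses only the standard library.

```python
"""Added example of the masking and redaction transforms from the notes.
Sample rows are constructed for the example; rules are assumptions, not
Oracle's implementation."""
import random
import secrets
import string
from typing import List, Dict

# Constructed "production" rows (made up, not real people)
PRODUCTION: List[Dict] = [
    {"emp_id": "E1001", "last_name": "Anderson", "ssn": "123-45-6789", "salary": 72000},
    {"emp_id": "E1002", "last_name": "Baker",    "ssn": "987-65-4321", "salary": 85000},
    {"emp_id": "E1003", "last_name": "Chen",     "ssn": "555-12-3456", "salary": 61000},
]


def _randomize_tail(value: str, keep: int, alphabet: str, rng: random.Random) -> str:
    """Keep the first `keep` characters, replace the rest with random ones."""
    return value[:keep] + "".join(rng.choice(alphabet) for _ in value[keep:])


def mask_for_test(rows: List[Dict], seed=None) -> List[Dict]:
    """One-way masking for a non-production copy: the data keeps its shape
    and distribution but no row identifies a real person any more."""
    rng = random.Random(seed)          # seed only to make the example repeatable
    salaries = [r["salary"] for r in rows]
    rng.shuffle(salaries)              # same distribution, linkage to the person broken
    masked = []
    for row, salary in zip(rows, salaries):
        masked.append({
            "emp_id": _randomize_tail(row["emp_id"], 1, string.digits, rng),
            "last_name": _randomize_tail(row["last_name"], 2, string.ascii_lowercase, rng),
            "ssn": "".join(rng.choice(string.digits) if c.isdigit() else c for c in row["ssn"]),
            "salary": salary,
        })
    return masked


def redact(value: str, policy: str) -> str:
    """Display-time redaction, with the policy chosen per viewer by an ACL.
    full: every alphanumeric hidden; partial: last four kept; fixed: constant."""
    if policy == "full":
        return "".join("X" if c.isalnum() else c for c in value)
    if policy == "partial":
        return "".join("X" if c.isalnum() else c for c in value[:-4]) + value[-4:]
    if policy == "fixed":
        return "[REDACTED]"
    raise ValueError(f"unknown redaction policy {policy!r}")


class PartnerTokenizer:
    """Two-way masking: replace an identifier with a random token before the
    file goes to a partner, restore it when the processed file returns.
    The token map stays in production and never travels with the data."""
    def __init__(self):
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def mask(self, value: str) -> str:
        if value not in self._forward:
            token = "T" + secrets.token_hex(6)
            while token in self._reverse:          # collisions are astronomically rare
                token = "T" + secrets.token_hex(6)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def unmask(self, token: str) -> str:
        return self._reverse[token]


def masking_checks(rows: List[Dict], seed=1) -> Dict[str, bool]:
    """What a reviewer would verify about the masked copy."""
    masked = mask_for_test(rows, seed)
    return {
        "salary_distribution_kept": sorted(r["salary"] for r in masked) == sorted(r["salary"] for r in rows),
        "surname_prefix_kept": all(m["last_name"][:2] == r["last_name"][:2] for m, r in zip(masked, rows)),
        "id_shape_kept": all(m["emp_id"][0] == "E" and len(m["emp_id"]) == 5 for m in masked),
        "ssn_shape_kept": all(len(m["ssn"]) == 11 and m["ssn"][3] == "-" for m in masked),
    }
```

A caveat the notes gloss over: shuffling salaries within a small table is weak on its own, because an attacker who knows one real salary can still find the row it moved to; in practice shuffling is combined with perturbation or applied only to large tables. The tokenizer is the reversible case; its map is itself sensitive data and needs the same access controls as the original column.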
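The database firewall notes describe a specific control loop: parse each SQL statement for its intent rather than matching strings, compare the intent against a whitelist and a blacklist, alert on anything that matches neither, run in a learning mode before a blocking mode, and hand an attacker an empty result set instead of an error. The following is an added example written for this page, not Oracle's code: a regex "parser" that only understands simple statements stands in for a real SQL parser, and the tables, statements, and policy sets are constructed for the example.

```python
"""Added example of a database firewall's decision loop: normalize SQL to
its intent, check blacklist then whitelist, learn or block. Not Oracle's
code; the regex parser is a stand-in for a real SQL parser."""
import re
from typing import Callable, List

_PATTERNS = [
    (r"^SELECT\b.*?\bFROM\s+(\w+)", "SELECT"),
    (r"^INSERT\s+INTO\s+(\w+)", "INSERT"),
    (r"^UPDATE\s+(\w+)", "UPDATE"),
    (r"^DELETE\s+FROM\s+(\w+)", "DELETE"),
    (r"^DROP\s+TABLE\s+(\w+)", "DROP"),
    (r"^ALTER\s+TABLE\s+(\w+)", "ALTER"),
    (r"^GRANT\b.*?\bON\s+(\w+)", "GRANT"),
]


def normalize(sql: str) -> str:
    """Strip literals so statements that differ only in data share one shape."""
    s = re.sub(r"'[^']*'", "?", sql)      # string literals
    s = re.sub(r"\b\d+\b", "?", s)        # numeric literals
    s = re.sub(r"\s*=\s*", "=", s)        # uniform spacing around =
    s = re.sub(r"\s+", " ", s).strip().rstrip(";")
    return s.upper()


def sql_intent(sql: str) -> str:
    """Reduce a statement to 'VERB TABLE'; anything unparsed is UNKNOWN."""
    shape = normalize(sql)
    for pattern, verb in _PATTERNS:
        m = re.match(pattern, shape)
        if m:
            return f"{verb} {m.group(1)}"
    return "UNKNOWN"


class DatabaseFirewall:
    def __init__(self, mode: str = "learning"):
        if mode not in ("learning", "blocking"):
            raise ValueError("mode must be 'learning' or 'blocking'")
        self.mode = mode
        self.whitelist = set()                        # intents seen from the real application
        self.blacklist_verbs = {"DROP", "ALTER", "GRANT"}   # an app account never needs these
        self.alerts: List[str] = []                   # intents that matched neither list

    def learn(self, sql: str) -> None:
        """Learning mode: record the shapes the application legitimately issues."""
        self.whitelist.add(sql_intent(sql))

    def decide(self, sql: str) -> str:
        shape = normalize(sql)
        intent = sql_intent(sql)
        verb = intent.split(" ")[0]
        # Blacklist wins: forbidden verb, or an 'OR ?=?' tautology typical of injection
        if verb in self.blacklist_verbs or re.search(r"\bOR \?=\?", shape):
            return "block"
        if intent in self.whitelist:
            return "allow"
        # Neither list: alert security either way, block only in blocking mode
        self.alerts.append(intent)
        return "block" if self.mode == "blocking" else "allow"

    def query(self, sql: str, execute: Callable[[str], list]) -> list:
        """Return real rows, or an empty result set for a blocked statement so
        the caller cannot tell whether the table has data."""
        if self.decide(sql) == "block":
            return []
        return execute(sql)


def demo() -> dict:
    fw = DatabaseFirewall(mode="learning")
    for sql in ["SELECT name FROM employees WHERE id = 42",          # constructed app traffic
                "UPDATE employees SET salary = 50000 WHERE id = 7"]:
        fw.learn(sql)
    fw.mode = "blocking"
    table = {"employees": [{"id": 42, "name": "alice"}]}          # constructed data
    execute = lambda sql: table["employees"]
    return {
        "normal": fw.decide("SELECT name FROM employees WHERE id = 99"),
        "injection": fw.decide("SELECT name FROM employees WHERE id = 1 OR 1=1"),
        "drop": fw.decide("DROP TABLE employees"),
        "unknown": fw.decide("SELECT * FROM salaries"),
        "blocked_rows": fw.query("DROP TABLE employees", execute),
        "allowed_rows": fw.query("SELECT name FROM employees WHERE id = 42", execute),
        "alerts": list(fw.alerts),
    }
```

The design choice worth noticing is the order of checks: blacklist before whitelist, so a learned shape cannot later be used to smuggle a forbidden verb, and the unknown-statement branch that alerts in both modes. Learning mode only makes the whitelist as good as the traffic it observed; if an attacker is already active during learning, their statements get learned too, which is why the notes mention a human reviewing alerts before anything is added to a list.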

Extending Gmail Addresses

Surprised I have not posted prior about this. Gmail allows one to use username+anything@gmail.com and have it delivered to username@gmail.com. Use it to sign up for web sites or things and filter later. Should this address be compromised, you can create a filter to delete anything sent through just that address.

Keep in mind…

    1. Though I would expect pretty good spammers or hackers to remove the +anything. 
    2. Some web sites use algorithms that consider these addresses not real.

So your results may vary.
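Both caveats above are easy to demonstrate. Canonicalizing a Gmail address to the delivering mailbox is a few lines, which is why the +anything trick does nothing against an attacker who bothers (Gmail also ignores dots in the local part, so those go too); a naive address validator that only allows letters, digits and dots is the kind of check that rejects plus addresses. The recipient's half of the trick, reading the tag back off incoming mail to see which signup leaked, is just as short. This is an added example for this page, not from the original post; the validator regex, the `burned` tag list, and the sample `To:` headers are constructed.

```python
"""Added example: stripping a Gmail +tag (what a spammer does), a naive
validator that rejects plus addresses, and reading the tag back to filter.
Sample addresses and the burned-tag list are constructed for the example."""
import re
from typing import Dict, List, Optional

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Collapse username+anything@gmail.com (and dotted variants, which Gmail
    also ignores) to the mailbox that actually receives it. Non-Gmail
    addresses are only lowercased, since other providers' rules differ."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain not in GMAIL_DOMAINS:
        return f"{local}@{domain}"
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@gmail.com"


# Constructed example of the kind of sign-up validator that rejects plus addresses
_NAIVE_ADDRESS = re.compile(r"^[A-Za-z0-9.]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def naive_site_accepts(address: str) -> bool:
    return _NAIVE_ADDRESS.match(address) is not None


def tag_of(address: str) -> Optional[str]:
    """Recipient side: which signup was this message sent to?"""
    local, _, _ = address.strip().lower().rpartition("@")
    return local.split("+", 1)[1] if "+" in local else None


def triage(to_headers: List[str], burned: set) -> Dict[str, str]:
    """Emulate the filter from the post: delete anything addressed to a tag
    that has been compromised, keep the rest and note the tag for later."""
    decisions = {}
    for to in to_headers:
        tag = tag_of(to)
        decisions[to] = "delete" if tag in burned else f"keep (tag={tag})"
    return decisions


SAMPLE_TO = [                         # constructed inbound To: headers
    "jdoe+shopping@gmail.com",
    "j.doe+newsletter@gmail.com",
    "jdoe@gmail.com",
]
BURNED = {"shopping"}                 # constructed: the tag that started receiving spam
```

Run `triage(SAMPLE_TO, BURNED)` to see the filter decisions. Note that `canonical_gmail("J.Doe+shopping@gmail.com")` and `canonical_gmail("jdoe@gmail.com")` are the same string, which is the whole of caveat 1: the tag is a convenience for the recipient, not a secret from the sender.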

Just Get Rid of Java

Apparently there are security flaws in the current version of Java allowing the installation of malicious software through web browsers without the user's knowledge. The known attacks using this flaw work on Windows, OSX, and Linux. According to Reuters:

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

The Department of Homeland Security recently said computer users should disable Java. At first this seems odd. The vulnerability in question is only in Java 7. So why not go back to Java 6? Well, Java 6 has vulnerabilities too, which is why DHS and others have recommended getting to 7. Also, starting in 7, the automatic upgrades are more aggressive. So going backwards is probably not a great idea. (It just happens I had to go backwards to get a tool I needed to work and forgot to go back forward.)

Also, for a similar situation back in August the recommendation was to make the browser prompt before allowing Java to run. The strategy now is to just stop Java entirely. Apple has removed Java browser plugins. That could work too. Except for bad, bad software like ours (sorry, sarcasm if you could not tell) which makes use of a few applets. In the last week I have gotten a request to add another applet.

A fix to Java 7’s vulnerabilities should be available in a couple of days.

Book: The Girl With the Dragon Tattoo

The Girl With the Dragon Tattoo (Millennium, #1) by Stieg Larsson

My rating: 4 of 5 stars

I understand the Swedish title translates to The Men Who Hate Women. That is a more appropriate title. Though, I would imagine such a title would hurt sales in England and the USA. Each part has a statistic regarding violence against women in Sweden. I was not quite prepared for this. A movie very faithful to the book would be NC-17.

Reading the graphic violence made me feel sad. Also difficult is the intertwining of attraction and love with hurt and anger. The hero and heroine are tragic-ish. The villains are sadistic. No character has an easy to understand relationship with another. Everything is complicated by something. Well, okay not Vanger and his right hand man Frode. That was only simple boss and employee.

Salander is a goth, hacker, perceived sociopath. (She acts more sociopath than she is.) My adolescent reading was perhaps too much TSR novels about D&D settings. Women were strong. Salander evokes a toughness; she would rip those other women apart.

I am glad to have read the book. Now. Can I take the movie?
