Uncrackable Passwords

The H has an interesting article on storing passwords to prevent unauthorized access and identity theft. The article discusses the following methods and the drawbacks of each:

  1. Plaintext
  2. Hashing
  3. Hashing with salt
  4. Key stretching
  5. Hashing with multiple rounds
  6. Determining cipher used

Most importantly, don’t reinvent the wheel if you’re building an application requiring authentication.  Rely on tested frameworks such as OAuth or PHPass.
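To make the difference between those methods concrete, here is an added example (my own code, not from The H's article or from PHPass) that walks the list: a bare hash, then a per-user random salt, then key stretching with many PBKDF2 rounds, with the algorithm name and round count recorded alongside the salt so a verifier can later tell how a stored credential was produced and upgrade it. The `pbkdf2_sha256$iterations$salt$hash` record layout, the function names and the sample password are all constructed for this example; the primitives are Python's standard `hashlib`, `hmac` and `os.urandom`.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Record layout is an assumption for this example: algorithm$iterations$salt$hash.
# Storing the algorithm and cost beside the hash is what lets a verifier
# identify how a credential was produced and transparently rehash weak ones.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Plain hashing (method 2): the same password always yields the same
    digest, so one precomputed table covers every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Salt plus key stretching (methods 3-5): a random per-user salt and
    PBKDF2-HMAC-SHA256 iterated many times so each guess costs real work."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record back into (iterations, salt, digest)."""
    alg, iterations, salt_hex, digest_hex = record.split("$")
    if alg != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {alg}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in
    constant time; a malformed record simply fails verification."""
    try:
        iterations, salt, expected = parse_record(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was stretched with fewer rounds than current policy,
    so it should be regenerated the next time the user logs in successfully."""
    iterations, _, _ = parse_record(record)
    return iterations < target_iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("unsalted:", unsalted_sha256(pw))
    rec = make_record(pw)
    print("stored record:", rec)
    print("verify ok:", verify(pw, rec), "verify wrong:", verify(pw + "!", rec))
```

Two records for the same password differ because each carries its own salt, and `verify` never needs to know the password in advance; on a successful login `needs_rehash` tells the application when to bump the round count as hardware gets faster.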

Stallman: Still an eccentric?

There’s an interesting article at OSNews about Richard Stallman and his FSF principles.  His philosophy rings especially true in these times with the recent passing of the NDAA, SOPA discussions, and the growing threat of increased monitoring and restrictions.

To summarize:

However, as the world changes, the importance of the ability to check what the code in your devices is doing – by someone else in case you lack the skills – becomes increasingly apparent. If we lose the ability to check what our own computers are doing, we’re boned.

The article also links to Cory Doctorow’s 28C3 keynote titled ‘The Coming War on General Purpose Computation’ (video and transcript available).

Abstract:

The last 20 years of Internet policy have been dominated by the copyright war, but the war turns out only to have been a skirmish. The coming century will be dominated by war against the general purpose computer, and the stakes are the freedom, fortune and privacy of the entire human race.

Future of the Global Positioning System (GPS)

There’s an interesting read from the Congressional Budget Office (USA) on cost estimates for the next generation GPS system. This is of particular interest now due to reports that Iran may have jammed the captured US drone’s GPS receiver in order to prevent it from returning “home”.

What is GPS?

The GPS uses a constellation of at least 24 satellites, each of which transmits precise data on the time and its location. Receivers—both military and civilian—use the data transmitted by the satellites to calculate their own position; information from a minimum of 4 satellites is required to determine a position accurately in three dimensions.
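The "minimum of 4 satellites" figure follows from the unknowns: three position coordinates plus the receiver's own clock error, which is why a receiver that has lost lock on even one of four satellites can no longer fix itself. As an added example (my own code, not from the CBO report), the following Python solves that system by Newton iteration over pseudoranges, with a constructed constellation and receiver, and generalises to more than four satellites by taking a least-squares step.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed scenario (not from the CBO report): four satellites at roughly
# GPS orbital radius (~26,600 km), a receiver on the Earth's surface, and a
# receiver clock that runs 100 microseconds fast.
R_ORBIT = 26.6e6
SATELLITES = [
    (R_ORBIT, 0.0, 0.0),
    (R_ORBIT * 0.7071, R_ORBIT * 0.7071, 0.0),
    (R_ORBIT * 0.7071, 0.0, R_ORBIT * 0.7071),
    (R_ORBIT * 0.7071, -R_ORBIT * 0.5, -R_ORBIT * 0.5),
]
TRUE_POSITION = (6.371e6, 0.0, 0.0)
TRUE_CLOCK_BIAS_M = 100e-6 * C   # clock error expressed as metres of range


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pseudoranges(sats, position, clock_bias_m):
    # What a receiver actually measures: true range plus its own clock error.
    return [distance(s, position) + clock_bias_m for s in sats]


def solve_linear(a, b):
    # Gaussian elimination with partial pivoting for a small square system.
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def fix_position(sats, ranges, max_iter=50, tol=1e-4):
    """Solve for (x, y, z, clock bias). Four unknowns, so four pseudoranges
    are the minimum; the fourth satellite pays for the receiver clock."""
    if len(sats) < 4 or len(ranges) != len(sats):
        raise ValueError("need pseudoranges from at least four satellites")
    x, y, z, b = 0.0, 0.0, 0.0, 0.0   # cold start at the Earth's centre
    for _ in range(max_iter):
        jac, resid = [], []
        for (sx, sy, sz), rho in zip(sats, ranges):
            d = distance((sx, sy, sz), (x, y, z))
            jac.append([(x - sx) / d, (y - sy) / d, (z - sz) / d, 1.0])
            resid.append(rho - (d + b))
        # Normal equations J^T J delta = J^T r: the exact Newton step with four
        # satellites, a least-squares step when more are in view.
        k = len(jac)
        jtj = [[sum(jac[r][i] * jac[r][j] for r in range(k)) for j in range(4)] for i in range(4)]
        jtr = [sum(jac[r][i] * resid[r] for r in range(k)) for i in range(4)]
        dx, dy, dz, db = solve_linear(jtj, jtr)
        x, y, z, b = x + dx, y + dy, z + dz, b + db
        if max(abs(dx), abs(dy), abs(dz), abs(db)) < tol:
            break
    return x, y, z, b


if __name__ == "__main__":
    rho = pseudoranges(SATELLITES, TRUE_POSITION, TRUE_CLOCK_BIAS_M)
    x, y, z, b = fix_position(SATELLITES, rho)
    print(f"fix: ({x:.2f}, {y:.2f}, {z:.2f}) m, clock bias {b / C * 1e6:.3f} us")
```

With the constructed measurements the iteration recovers the receiver position and the 100 microsecond clock offset from a cold start in a handful of steps; with only three pseudoranges the system is underdetermined and the function refuses to guess, which is the arithmetic behind the report's requirement for four satellites.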

Solutions for next generation GPS:

As the Department of Defense’s satellites reach the end of their service lives, the department plans to replace them with ones that can counter deliberate interference by generating stronger signals. Analysis —namely, improving military receivers to retain the GPS signal even in the presence of such jamming—would be less expensive than DoD’s plan for upgrading its constellation of GPS satellites. Furthermore, the alternative would yield benefits almost a decade earlier than DoD’s plan. However, the improvements to military receivers could make them larger and heavier (and thereby less useful to personnel operating on foot) until they could incorporate the substantial gains that have been achieved in miniaturization in other applications.

  • Option 1 would improve current military GPS receivers by fitting them with better antennas and by adding inertial navigation systems.
  • Option 2 would capitalize on a DoD research and development program by enabling current GPS receivers to integrate information received via the Iridium commercial communications satellite network.
  • Option 3 would include the improvements of both Option 1 and Option 2.

Read the complete article here.

Dropbox’s new ToS, Privacy Policy and Security Overview

I received an email from Dropbox stating they’ve updated their terms of service and privacy policy.  I took a look at the update page and I really like the new layout.

Take a look here and see for yourself.  I’d like to see every website adopt a standard format to present their privacy policy to users.

I really like the work is doing at CMU and hopefully it will get mass adoption someday…

Cloud Computing Security Considerations

Cloud computing offers potential benefits including cost savings and improved business outcomes for government and private industry. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed. The Australian Department of Defence has released its initial guidance on cloud computing.

This paper assists agencies in performing a risk assessment to determine the viability of using cloud computing services. This document provides an overview of cloud computing and its associated benefits. Most importantly, this document provides a list of thought-provoking questions to help agencies understand the risks that need to be considered when using cloud computing.

You can find the document here: Cloud Computing Security Considerations

pandaflux’s list o’ recommended browser plugins

Firefox

  • googlesharing: encrypts your Google traffic and routes it through a proxy where it is mixed with the traffic of many other users.
  • https-everywhere: automatically enables a secure connection for websites that support it.
  • better privacy: among other things, Better Privacy will delete “flash cookies”, which are difficult to manage otherwise.

Chrome

  • disconnect: Stop third parties and search engines from tracking the webpages you go to and searches you do.
  • click & clean: Deletes your browsing history, typed URLs, Flash cookies, all traces of your online activity to protect your privacy.
  • KB SSL Enforcer: Automatic security, browse encrypted.
  • NOREF: Suppress Referrer (referer) for Hyperlinks

List of 2010 Annual Security Reports

As the 2010 annual security reports are released by the various security firms, I’ll keep our security report page updated, along with a summary of what each one is highlighting. So far, the main issue is “borderless security” and the consumerization of the market, which is bringing more and more personal devices into the workplace. Organizations see an increase in the level of risk they face due to the use of social networking, cloud computing and personal mobile devices in the enterprise.

Panda Report http://isc.sans.edu/diary.html?storyid=10240&rss

Ernst & Young’s 2010 Global Information Security Survey

Ernst & Young’s Top privacy Issues for 2010