Sunday 20 September 2015

Code-Signing Keys

I'm aware of several instances where the private, code-signing key of a company has been compromised. But D-Link seems to have saved the bad guys some effort by publishing their private key themselves:


Three concerns immediately spring to mind:

1) Why aren't companies putting in the proper controls to protect their private keys from both malicious attack and accidental disclosure?

2) Why don't Microsoft / Apple / Symantec / CAs etc. have the correct checks in place to ensure these companies and the whole ecosystem are properly secured?

3) Once there is a compromise, where are the processes to respond to the issue in a timely manner, for example revoking the compromised certificates, notification etc.?
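One control that addresses the "accidental disclosure" half of the first concern is a pre-release scan that refuses to ship a tree containing private-key material. The script below is an added example written for this post (it is not D-Link's code and not part of the original post); the release tree it builds, and the placeholder "key" inside it, are constructed for demonstration and contain no real key material.

```python
import re
import tempfile
from pathlib import Path

# PEM headers that mark private-key material. Matching on the header alone is
# deliberate: a partial or malformed key in a release tree is still a leak of
# something that should never have left the signing host.
PRIVATE_KEY_MARKER = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?-----"
)

# Skip very large files (firmware images, archives); they get their own checks.
MAX_FILE_BYTES = 16 * 1024 * 1024


def find_private_key_material(root):
    """Walk `root` and return (relative_path, line_number, marker) for every
    line that carries a PEM private-key header."""
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        # errors="replace" lets us scan binaries and mixed encodings without
        # raising; PEM headers are pure ASCII so they survive the decode.
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                m = PRIVATE_KEY_MARKER.search(line)
                if m:
                    findings.append(
                        (path.relative_to(root).as_posix(), lineno, m.group(0))
                    )
    return findings


def release_is_clean(root):
    """Gate for a release pipeline: True only if no private-key material was found."""
    return not find_private_key_material(root)


def build_sample_release_tree():
    """Create a constructed release tree for the demonstration. The 'key' file
    is a placeholder whose body is dummy text, not real key material."""
    root = Path(tempfile.mkdtemp(prefix="release_"))
    (root / "src").mkdir()
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "certs").mkdir()
    # A public certificate belongs in a release and must not trigger the scan.
    (root / "certs" / "signer.crt").write_text(
        "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    )
    # The mistake described in the post: a private signing key left in the tree.
    (root / "certs" / "signer.key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    )
    return root


if __name__ == "__main__":
    tree = build_sample_release_tree()
    for rel, lineno, marker in find_private_key_material(tree):
        print(f"{rel}:{lineno}: {marker}")
    print("release clean:", release_is_clean(tree))
```

Wired into a build as a hard failure (rather than a warning someone can ignore), a check like this catches the disclosure before the package is ever published. It does not replace the other two concerns: the key still needs to live in an HSM or equivalent, and the revocation process still has to exist for the day the scan is not enough.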

Friday 18 September 2015

GCHQ Password Guidance

GCHQ recently updated their password guidance:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

A few interesting points:

Don't make passwords unnecessarily complex
This drives me nuts. It takes ten tries to get a password accepted and then two minutes later you've already forgotten what was eventually accepted, before you've even had a chance to write it down.

Users don't need to frequently change passwords
This was the only one that came as a surprise, but their explanation does make sense.

Don't replace characters in a word with something similar (i.e. '5' for 's' or '!' for '1')
I've been saying this for a while. It's easy to implement a dictionary attack and substitute certain characters, e.g. 0pt1c5 (optics) or 5ugar (sugar). I'm surprised to see this practice being recommended in some quarters. This also includes mixing capital and lowercase characters, as it's still easy to launch a dictionary attack.
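The reason substitution and case-mixing add nothing is that a password checker (or an attacker's tooling) can undo them cheaply before looking a word up. The checker below is an added example, not code from the GCHQ guidance or from this blog: it expands every common substitution and lower-cases the input, then rejects anything that reduces to a dictionary word. The substitution table and the tiny word list are constructed for the demonstration; a real deployment would use a full dictionary.

```python
import itertools

# Common single-character substitutions. Several digits and symbols stand in for
# more than one letter, so every combination is expanded rather than guessing one.
SUBSTITUTIONS = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "il", "|": "il", "+": "t", "(": "c",
}

# Constructed mini word list standing in for a real dictionary.
WORDLIST = {"optics", "sugar", "password", "letmein", "welcome", "dragon"}

# Upper bound on expansions, so a long mixed string cannot blow up the check.
MAX_CANDIDATES = 512


def candidate_words(password):
    """Yield every plain-letter string the password could have been derived
    from by case changes and the substitutions above."""
    options = [tuple(SUBSTITUTIONS.get(ch, ch)) for ch in password.lower()]
    total = 1
    for opt in options:
        total *= len(opt)
    if total > MAX_CANDIDATES:
        # Degrade gracefully: keep only the first mapping for each character.
        options = [opt[:1] for opt in options]
    for combo in itertools.product(*options):
        yield "".join(combo)


def dictionary_base(password, wordlist=WORDLIST):
    """Return the dictionary word the password reduces to, or None."""
    for cand in candidate_words(password):
        if cand in wordlist:
            return cand
    return None


def acceptable(password, wordlist=WORDLIST, min_length=12):
    """Policy decision: (ok, reason). Dictionary-derived passwords are rejected
    regardless of how they were decorated; length is checked afterwards."""
    base = dictionary_base(password, wordlist)
    if base is not None:
        return False, f"reduces to dictionary word '{base}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["0pt1c5", "5ugar", "P@$$w0rd", "SuGaR", "correct horse battery"]:
        print(f"{pw!r}: {acceptable(pw)}")
```

The examples from the post, 0pt1c5 and 5ugar, both collapse back to their dictionary word in at most two expansions, which is exactly why the guidance says the substitution buys nothing.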


Tuesday 8 September 2015

CISSP

Just been informed I've been awarded the CISSP certification! :)

My number is nearly 10x the number I was originally awarded in 2003 (but expired).

Saturday 5 September 2015

Information Security Update

Just updating the blog with Information Security in mind, rather than more general networking.

The site is really just for me to keep a list of my favourite blogs and news sites, but it's a bonus if anyone else finds this useful!