<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Neohaxor.org &#187; information security</title>
	<atom:link href="http://www.neohaxor.org/tag/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.neohaxor.org</link>
	<description>InfoSec / Critical Thinking / Misc Crap</description>
	<lastBuildDate>Thu, 21 Oct 2010 16:33:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>Attacking Password Resets w/ Social Networks</title>
		<link>http://www.neohaxor.org/2008/10/02/attacking-password-resets-with-social-networks/</link>
		<comments>http://www.neohaxor.org/2008/10/02/attacking-password-resets-with-social-networks/#comments</comments>
		<pubDate>Thu, 02 Oct 2008 14:02:09 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[password reset]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/10/02/attacking-password-resets-with-social-networks/</guid>
<description><![CDATA[Password Reset: Your passport to a fuxored account. Password Reset Methods Vulnerable? Really? Get out of here, you mean that many password reset methods are vulnerable to attack? You have to be kidding. People who think a vulnerable password reset is newsworthy have got to be crazy. This is something that many of us [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://farm4.static.flickr.com/3209/2901758413_3e2b6301a6.jpg" alt="" width="100" height="145" /></p>
<p><strong>Password Reset:</strong> Your passport to a fuxored account.</p>
<p>Password Reset Methods Vulnerable? Really? Get out of here, you mean that many password reset methods are vulnerable to attack? You have to be kidding. People who think a vulnerable password reset is newsworthy have got to be crazy. This is something that many of us have been talking about for years. Now Sarah Palin&#8217;s email gets attacked and it is a big deal. It amazes me why we always wait to get screwed by something before we fix it.</p>
<p>Why does everything in the security world have to be a response to something? Ok, not the security world but the business security world. They are definitely two different entities. I am truly tired of reactive security. Just think if other professions followed this reactive model, like a cop asking for a bulletproof vest after they have already been shot. Nobody can say they didn&#8217;t see this coming either. People make more of their life known through social networks, photo sharing, and blogs than ever before. The simple password reset questions just don&#8217;t hold up.</p>
<p>There is a lot of unnecessary fear about data from social networks being used to steal someone&#8217;s identity. Although this is mostly FUD, social networks can be a great source for password recovery data. A while back we recovered a password (with his permission of course) from my friend Brian&#8217;s <a title="Sprint" href="http://www.sprint.com/">Sprint</a> account using data from his <a title="MySpace" href="http://www.myspace.com">MySpace</a> page. This is when we were first starting our research for the social network hacking project.</p>
<p>Let&#8217;s take a step back from social networks for a sec, would your friends, co-workers, significant other, etc. be able to recover your password with the information they know about you? If the answer to that question is yes, then you need to change something. Passwords should be something that you know, not you and a couple of other people.</p>
<h3>What Types of Data are on Social Networks?</h3>
<p>The information that people put on their social network pages range from minimal to wildly over the top. Some people even go above and beyond by posting survey questions that tell a lot about their personalities. Although they want to show off the depth of their personality, all it really does is show off the shallowness of their brain.</p>
<p>Social networks by their default nature basically allow you to &#8220;friend&#8221; the world. The information on people&#8217;s social network pages typically contains information that was previously only known to traditional friends and acquaintances. This can be a huge problem for the password reset mechanism, not to mention a person&#8217;s privacy. If it&#8217;s deep and kinda scary from a privacy standpoint then it is probably on a social network. Remember when I mentioned that if your friends know enough about you to reset your password then you are in trouble? Well, you just friended the world with the information from your social network profile. Beyond standard profile information there are a user&#8217;s actions taken on a social network site and possibly the social network applications that are being used as well. All of this information can be leveraged when attacking a password reset mechanism.</p>
<p>You can use an email address to look up people&#8217;s accounts on social networking sites. On the flip side, someone&#8217;s social network profile might directly tell you a person&#8217;s email address, or you can use the search features of the social network to query the owners of certain email addresses. There are no secrets in social networking <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<h3>Email Accounts are Gold</h3>
<p>With password resets an email account is really the jackpot. Many password reset mechanisms, including the ones from social networks, rely on sending either the password or a temporary password to the email address of the account owner. Someone who gets their email account compromised might just find that they have every other account tied to that email account compromised as well. I mean, it wouldn&#8217;t be a far stretch to figure that out once someone had access to the email account. Just think of all the crap that sites like Amazon, eBay, MySpace, Facebook, etc. send to your email account.</p>
<h3>Typical Password Questions</h3>
<p>Typical password recovery questions really vary in complexity from site to site. What is the problem with password recovery questions in general? Well, they are not typically made up of data that is private. Unlike a password which is supposed to be something that only you know, recovery questions may be known to many people around you.</p>
<p>Here are some questions from Yahoo:</p>
<ul>
<li>Where did you meet your spouse?</li>
<li>What was the name of your first school?</li>
<li>Who was your childhood hero?</li>
<li>What is your favorite pastime?</li>
<li>What is your favorite sports team?</li>
<li>What is your father&#8217;s middle name?</li>
<li>What was your high school mascot?</li>
<li>What make was your first car or bike?</li>
<li>What is your pet&#8217;s name?</li>
</ul>
<p>Some of these questions look like questions that social networks ask when you are filling out a profile, don&#8217;t they? If they aren&#8217;t questions the networks ask outright, they are certainly data that people put on their social network profiles or divulge through other means on a social network.</p>
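<p>To make the overlap between the reset questions above and profile data concrete, here is an added example (not code from the original post): a small Python script that takes a constructed, entirely fictional profile and, for each reset question, lists the answers an attacker would try first. The keyword-to-field mapping and the answer variants it generates (single words from a full name, the name with &#8220;High School&#8221; dropped, words run together) are assumptions for the illustration, not a published technique.</p>

```python
import re

# Constructed sample profile for the example; every value here is fictional.
PROFILE = {
    "hometown": "Springfield, IL",
    "high_school": "Springfield High School",
    "school_mascot": "Tigers",
    "father_name": "Robert James Doe",
    "pets": ["Buddy", "Mittens"],
    "favorite_team": "Chicago Bears",
    "first_car": "Honda Civic",
    "favorite_pastime": "Fishing",
}

# Which words in a reset question point at which profile fields. These
# keyword lists are an assumption for the example, not a standard mapping.
QUESTION_FIELDS = [
    (("mascot",), ["school_mascot"]),
    (("first school", "high school"), ["high_school"]),
    (("father",), ["father_name"]),
    (("pet", "pets"), ["pets"]),
    (("sports team", "team"), ["favorite_team"]),
    (("car", "bike"), ["first_car"]),
    (("pastime", "hobby"), ["favorite_pastime"]),
    (("hometown", "born", "grow up"), ["hometown"]),
]


def _dedupe(items):
    """Keep the first occurrence of each value, comparing case-insensitively."""
    seen, out = set(), []
    for item in items:
        key = item.lower()
        if key not in seen:
            seen.add(key)
            out.append(item)
    return out


def variants(value):
    """Expand one profile value into the forms a reset form might accept:
    the value itself, each word on its own (this yields the middle name
    from a full name), the words run together, and the value with a
    generic 'school' suffix removed."""
    v = value.strip()
    words = re.findall(r"[A-Za-z0-9]+", v)
    out = [v] + words
    if len(words) > 1:
        out.append("".join(words).lower())
    stripped = re.sub(r"\b(high school|school)\b", "", v, flags=re.I).strip()
    if stripped:
        out.append(stripped)
    return _dedupe(out)


def candidates(question, profile=PROFILE):
    """Ordered, de-duplicated guesses for one reset question. Returns an
    empty list when no profile field is known to relate to the question."""
    q = question.lower()
    fields = []
    for keywords, names in QUESTION_FIELDS:
        if any(re.search(r"\b" + re.escape(k) + r"\b", q) for k in keywords):
            fields.extend(names)
    out = []
    for field in _dedupe(fields):
        values = profile.get(field, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            out.extend(variants(value))
    return _dedupe(out)


if __name__ == "__main__":
    for question in (
        "What was your high school mascot?",
        "What is your father's middle name?",
        "What is your pet's name?",
        "What make was your first car or bike?",
        "What is your favorite color?",
    ):
        print(question, "->", candidates(question))
```

<p>The point of the exercise is how short the candidate lists are: a handful of guesses per question, all drawn from fields a profile page displays by default. Run it against your own profile data (filled in by hand) and see how many of your real reset questions it covers.</p>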
<h3>The Obvious</h3>
<p>Take a glance at someone&#8217;s profile or maybe your profile on a social network. From just this page without further probing there may be an enormous amount of information. Depending on the mechanism that is being attacked, it may be all that is needed. Here is an example of some of the things that may be found just on the profile page:</p>
<ul>
<li>Name</li>
<li>Date of Birth</li>
<li>Hometown</li>
<li>Current town</li>
<li>Favorite movies, artists, music, people, TV, sports teams, etc</li>
<li>High School</li>
<li>College</li>
<li>Personal description</li>
<li>Personality traits</li>
<li>Networks and Groups</li>
<li>Relationship information</li>
<li>Family information</li>
<li>Employer</li>
</ul>
<p>The list really goes on and on. Remember that many people are on multiple social networks. Checking out other social networks may fill in the blanks. It is easy to see why this information could be a problem and I don&#8217;t think it needs any further explanation.</p>
<h3>The Not So Obvious</h3>
<p>Some data is not so obvious and might not be directly spelled out. This may be information that has to be aggregated or inferred from the profile data, friends list, blog, group, network, etc.</p>
<ul>
<li>Photos and photo tags</li>
<li>Comments on other profiles</li>
<li>Photo data (clothes, background, other individuals, etc)</li>
<li>Pets</li>
<li>Children</li>
<li>Siblings</li>
<li>Relatives (potentially ones with your mother&#8217;s maiden name?)</li>
<li>Potential usernames</li>
<li>Instant messenger data</li>
<li>Blogs and comments in friends&#8217; blogs</li>
<li>Favorite teachers</li>
<li>Sexual preference</li>
<li>Religious views</li>
<li>Political views</li>
</ul>
<p>The data is really limitless, but after all isn&#8217;t that what a nice web 2.0 application is supposed to provide? On the surface some of this data may seem silly for password resets but it is really not. This not so obvious information can be really helpful when non-standard questions are used in the password reset process. This typically happens when people are left to their own devices when creating security questions. They typically create questions that are common and familiar to them. Stupid things like pet&#8217;s names, favorite teams, favorite TV shows, etc.</p>
<p>Just think for a moment about tagging. People may tag photos themselves with useful information. Also, friends may tag people in photos helping better define a person&#8217;s relationships with people and activities they are involved in. The URL of the social network may lead you to potential usernames / IM information such as www.myspace.com/(username). Maybe the data is completely visual like photo data. A lot of information can be obtained by looking at pictures. Favorite places, sports teams, cars, and countless other possibilities. You name it, people like pictures with their favorite things.</p>
<p>The actions people take on social networks help better define relationships, networks, group affiliations, and activities. The person may place comments on other people&#8217;s photos, profiles, walls, blogs, etc. You may see comments like &#8220;That is why you are my BFF&#8221;. You may also see that someone is a member of a political party or religious group. People may discuss on boards or blogs certain things happening in their life. Sharing is caring, right?</p>
<p>So what you get in the end is a clear picture of who these people are. Their likes, dislikes, friends, and affiliations are all in a nice clean package. You may have never even met this person but you have all of the information a traditional friend may have, possibly more.</p>
<h3>Need a bit more?</h3>
<p>If you almost have the nail in the coffin then you can turn to other sites to complete the task. You could look for name / username collisions on other sites to gain more data. You could take their high school and age information and find out who they went to school with. The possibilities are endless.</p>
<h3>The User&#8217;s Choice</h3>
<p>When people are given the option to choose their own security it has historically been bad. There is nothing that seems to suggest that allowing users to choose their security will get any better, so some of this may be wasted breath.</p>
<p>When looking at sites like Google, it seems they have slightly better security questions. Questions such as your library card number, frequent flyer number, etc. I think sites like these with better security questions probably have a high amount of people that end up just choosing their own questions when this option is available. People don&#8217;t seem to understand that this isn&#8217;t a function that you are going to use everyday. It is ok and preferable to use data that you may not be able to recall without looking up.</p>
<h3>So What Can We Do?</h3>
<p>The problem of personal data leakage isn&#8217;t going to stop until people realize the potential impacts of their data being strung out for the whole world to see. I personally don&#8217;t think this will change, in fact, I think with time it will get a lot worse. We live in this voyeuristic, virtual world where people create digital representations of how they see themselves. I think that has an appeal to many people, especially those who don&#8217;t particularly find their lives that exciting.</p>
<p>Don&#8217;t play by the rules when dealing with a site&#8217;s password reset questions. Put blatantly wrong, hard to guess, or nonsensical information into the answer blocks. This will make any information gathered on you useless when attempting to recover your password.</p>
<p>It seems that many sites want you to log in. You shouldn&#8217;t use the same password on every site. Use a trusted password safe such as <a title="KeePass" href="http://keepass.info/">KeePass</a> to store your login credentials. KeePass is open source and multi-platform. Using a mechanism like this allows you to be in control of your password recovery along with allowing you to use different passwords for different sites. It would also be a good idea to back up the database of whatever password safe you choose to use as well. Just a thought <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
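<p>Putting the last two paragraphs together, here is an added example (mine, not code from the original post) of what &#8220;nonsensical answers you store in a password safe&#8221; looks like in practice: a Python script that generates a random multi-word answer for each of the Yahoo-style questions quoted earlier, reports how many bits of guessing work the answer represents, and handles sites that cap the answer length or reject spaces. The 32-word list is constructed for the example; a real list of a few thousand words gives proportionally more bits per word.</p>

```python
import math
import secrets
import string

# The Yahoo-style questions quoted earlier in the post.
QUESTIONS = [
    "Where did you meet your spouse?",
    "What was the name of your first school?",
    "Who was your childhood hero?",
    "What is your father's middle name?",
    "What was your high school mascot?",
    "What make was your first car or bike?",
    "What is your pet's name?",
]

# Constructed mini word list (32 entries). Use a real list of a few thousand
# words in practice; the entropy figures below scale with its size.
WORDS = [
    "anvil", "banjo", "cactus", "dynamo", "ember", "fjord", "gizmo", "harbor",
    "igloo", "jigsaw", "kelp", "lantern", "magnet", "nebula", "otter", "pylon",
    "quartz", "rivet", "saddle", "tundra", "umber", "velvet", "walrus", "xenon",
    "yonder", "zephyr", "acorn", "bramble", "cobalt", "dagger", "falcon", "granite",
]


def guess_space_bits(n_possible):
    """Bits of work to brute-force an answer drawn from n_possible values.
    A 'favorite NFL team' answer has 32 possibilities, so about five bits;
    a pet's name picked from a profile page is often a single guess."""
    return math.log2(n_possible)


def random_answer(n_words=4, wordlist=WORDS, max_len=None, allow_spaces=True):
    """Return (answer, entropy_bits). The answer has nothing to do with the
    question, so nothing scraped from a profile helps guess it.
    max_len and allow_spaces cover sites that cap the answer length or reject
    spaces; when the words will not fit, fall back to random alphanumerics."""
    sep = " " if allow_spaces else "-"
    answer = sep.join(secrets.choice(wordlist) for _ in range(n_words))
    bits = n_words * math.log2(len(wordlist))
    if max_len is not None and len(answer) > max_len:
        alphabet = string.ascii_lowercase + string.digits
        answer = "".join(secrets.choice(alphabet) for _ in range(max_len))
        bits = max_len * math.log2(len(alphabet))
    return answer, bits


def reset_answers(questions=QUESTIONS, **kwargs):
    """One fresh random answer per question, keyed by the question text so it
    can be pasted into a password safe (KeePass or similar) next to the login.
    You are not meant to remember these; that is the point."""
    return {q: random_answer(**kwargs) for q in questions}


if __name__ == "__main__":
    print("favorite NFL team: %.1f bits" % guess_space_bits(32))
    for question, (answer, bits) in reset_answers().items():
        print("%-40s %-32s %.1f bits" % (question, answer, bits))
    short, short_bits = random_answer(max_len=12, allow_spaces=False)
    print("length-capped fallback:", short, "%.1f bits" % short_bits)
```

<p>With even this toy list, a four-word answer is 20 bits (32^4 possibilities) against a few bits for a real favorite team, and the answer carries no personal information at all. Keep the generated answers only in the password safe, back that database up as mentioned above, and regenerate an answer if a site ever emails it back to you in clear text.</p>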
<p>The biggest mistake someone can make is thinking that there is nobody out there that gives enough of a crap about them to attack their accounts. People do weird things. Anybody is capable of just about anything. This isn&#8217;t being paranoid, it&#8217;s being safe. Think of it as locking the door on your house when you leave, only instead of your valuables you are protecting your data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/10/02/attacking-password-resets-with-social-networks/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>See You At PhreakNIC 12</title>
		<link>http://www.neohaxor.org/2008/09/18/see-you-at-phreaknic-12/</link>
		<comments>http://www.neohaxor.org/2008/09/18/see-you-at-phreaknic-12/#comments</comments>
		<pubDate>Thu, 18 Sep 2008 19:44:16 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[Social Network Applications]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[speaking]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/09/18/see-you-at-phreaknic-12/</guid>
		<description><![CDATA[Hello Everyone. I just wanted everyone to know that Shawn Moyer and I will be speaking at PhreakNIC 12. We are going to do the Satan is on my Friends List talk again. There were people who didn&#8217;t get to see it out in Las Vegas, and well, since BHJP is in a different part [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.phreaknic.info/pn12/images/title.png" /></p>
<p>Hello Everyone. I just wanted everyone to know that Shawn Moyer and I will be speaking at <a href="http://www.phreaknic.info" title="PhreakNIC 12">PhreakNIC 12</a>. We are going to do the Satan is on my Friends List talk again. There were people who didn&#8217;t get to see it out in Las Vegas, and well, since BHJP is in a different part of the world we figured if people still wanted to see it we would do it again in the United States. We will have some updates so it won&#8217;t totally be the same talk we did in Vegas.</p>
<p>If you aren&#8217;t familiar with PhreakNIC, it is a small conference in Nashville, TN. It&#8217;s loads of fun, there are great people, great conversation, and no vendor overload. I highly encourage people to go.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/09/18/see-you-at-phreaknic-12/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Value of Security Certifications</title>
		<link>http://www.neohaxor.org/2008/09/10/value-of-security-certifications/</link>
		<comments>http://www.neohaxor.org/2008/09/10/value-of-security-certifications/#comments</comments>
		<pubDate>Wed, 10 Sep 2008 12:33:38 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/09/10/value-of-security-certifications/</guid>
		<description><![CDATA[<p>Even if someone doesn't have experience you at least want people who can find answers, who have a genuine interest in the security field, and who can think critically. ... Certifications aren't good for much else unless you just like framing them and putting them on your wall ;) The biggest advantage of a certification is that it allows you to display the designation.</p>
]]></description>
<content:encoded><![CDATA[<p>This topic is one that I have had plenty of conversations with people about, but have not spent much time writing about. What got me thinking about this topic again was Seth Hardy recently requesting to be added to the ballot for the ISC2 board. More information can be found on <a href="http://www.sethforisc2board.org/isc2.html" title="Seth For ISC2 Board">www.sethforisc2board.org</a>. What&#8217;s great about Seth is he sees problems and wants to do something about them. I think we often resort to just complaining about issues rather than doing something about them. I say bravo to Seth. Even if Seth gets elected, I am not sure anyone would listen to him, but I like the idea that they would. I strongly urge ISC2 certified individuals to sign his petition.</p>
<p>I am going to be as objective as possible in this post. People who know me know that I have a distaste for some of these certification vendors due to their deception and motives. I hold quite a few certifications myself going back to the 1990s and have dealt with many of these organizations first hand. I have had plenty of time to hone my opinions and in the end that is all they are, my opinions. Feel free to agree or disagree.</p>
<h3>What is Certification Supposed to be About?</h3>
<p>The world of information security tends to be quite a bit different than other professions. Other disciplines may live and die by certifications and licensure. For example, in the medical field you want licensed physicians who are possibly board certified for their specialties. Additionally stenographers, interpreters, and many other professions have national certifications that open up great opportunities for their individuals following certification. The bodies that handle these certs in other disciplines are much different than those in the information security world. Other disciplines typically have certifications issued by national associations or other recognized industry bodies. In the information security world it is typically done by private businesses and masked bodies. I will get into this more later.</p>
<p>Certification is supposed to be about demonstrating a baseline level of knowledge for a particular area. Licensure, as I see it, is the granting of a license based on a certain set of baseline qualifications. The way you go about demonstrating competency can range from certification to certification.</p>
<h3>What You Look for in Security People</h3>
<p>What do you look for in security personnel? Most likely there are no objectives of a certification that cover that. Often the number one thing people look for is experience. Nothing trumps experience; even certification vendors know that. Along with experience is depth of knowledge. If someone doesn&#8217;t have experience you at least want people who can find answers, who have a genuine interest in the security field, and who can think critically. I haven&#8217;t seen a Certified Information Security Googling Professional certification yet <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  What about soft skills? Writing skills? There are many factors about the people you wish to hire that are well beyond the scope of a security certification.</p>
<p>Three general areas that people look into when hiring information technology people are experience, education, and certification. They may throw these areas around and substitute them, but the requirements are going to be there. Once the gatekeepers are passed it is up to the interviewee and the impression they make to land the job.</p>
<h3>All About the Benjamins</h3>
<p>Certification in the infosec world is typically handled by private companies and is either vendor specific or vendor neutral. Sometimes these companies will masquerade as an org, but when you pay them for training or certification watch where your money goes. It&#8217;s not the org front <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  It&#8217;s in the best interest of these companies to draw blurry lines between their different parts. You may hear things like, &#8220;No this company provides the training, the certification is from this other organization&#8221;. Who do they think they are fooling? It is the same people working at both organizations and proctoring the tests.</p>
<p>More benjamins equals more win for the companies providing the security certifications, training, or CPE style credits. Or maybe you can just take the road that <a href="http://www.giac.org/reginfo/challenge.php" title="SANS">SANS</a> does and just charge an outrageous price for your certification challenges right off the bat. Yes, Yes, I know. I called GIAC SANS. Same thing <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  They are counting on people with security training budgets and certification reimbursement and saying &#8220;screw you&#8221; to the little guy. Certification vs value, make the decision for yourself. I personally think they are pricing themselves out of the running to compete with the big dogs <a href="http://www.isc2.org" title="ISC2">ISC2</a> and <a href="http://www.isaca.org/" title="ISACA">ISACA</a> but, oh well. I am entitled to my opinion. Not saying they are trying to compete with them directly, but there are more people looking for CISSPs than there are GIAC certified individuals.</p>
<h3>Why Security Certification is hard to make</h3>
<p>There are certain roadblocks to certs in the information security space. This is because everyone from the person that deploys anti-virus software to the individual reverse engineering software is considered a &#8220;security person&#8221;. These are wide and varied disciplines that take greatly differing skills to perform. So from a certification perspective you either have to specialize or generalize. When generalizing you have to be very broad and lose depth. When you specialize you lose overall market appeal. It&#8217;s hard to draw that line. This may be important when you are considering certification. If you are a specialist and there is a certification that fits your particular specialty, then there may be some additional appeal.</p>
<h3>Perception is Everything</h3>
<p>Certification value is pretty much all about market perception, regardless of the actual value of the certification to you personally or your peers. The greatest, most perfect security certification in the world can come along, but if it has no market value then there is pretty much no value in getting it. One way to gauge how well perceived the certification may be is by going to job search sites and looking for job positions in which you are interested. You will see how many mention the certification you are considering. The business side of security likes the thought of certification. It gives them a nice warm feeling inside. Hiring people in any profession is a gamble. You never really know if someone is going to work out or not. The thought of having an additional assurance that they are getting a decent individual is very appealing to them, regardless of how valid the certification is.</p>
<p>There seems to be a perception of certifications such as the CISSP, CISA, etc as being technical. This perception is incorrect. I split security certifications into two different categories: Functional and Awareness. I consider certifications such as CISSP, CISA, Security+, etc as awareness based certifications. These certifications do not go particularly deep into each of their domains but provide awareness in all of their domains. Functional certifications are ones that are more vendor specific and / or cover the functional aspects of particular items or domains.</p>
<h3>Certification (may) = Win</h3>
<p>Let&#8217;s take a look at some of the advantages of certification in the information security field. Certifications in the security field are all about your professional life. They are about your job and your future job prospects. Certifications aren&#8217;t good for much else unless you just like framing them and putting them on your wall <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  Keep in mind that all of these potential win situations for certifications are based on someone else&#8217;s perceptions at a given time.</p>
<p>The biggest advantage of a certification is that it allows you to display the designation. This means you can say you are certified, display it on your resume, put it in your email signature, etc. Certifications are sometimes used as filtering mechanisms to weed through potential candidates. The person in recruiting or HR may not even forward your resume on to a decision maker because they do not see the certification. The whole goal of submitting a resume is to get your foot in the door for an interview. If you can&#8217;t make it that far then it is a fail situation. Displaying the designation allows you to meet the perceived expectations of someone looking for that particular designation.</p>
<p>Along with the previously mentioned, certifications give you some &#8220;flare&#8221; for your resume. It allows you to add a section to your resume called &#8220;Professional Certifications&#8221;. Now, you may have more than enough content for your resume due to your experience, but for people with less experience it helps fill out a resume.</p>
<p>During the study process for a certification there is the possibility of learning something. Now this probably isn&#8217;t going to be some earth shattering revelation, but the more you know the better off you are. It may force you to look at concepts that you haven&#8217;t taken the time to look at previously. So there is the potential that horizons may be broadened.</p>
<p>Vendor specific certifications demonstrate that you are at least familiar with the interface to a particular product. The world is much better off now that you know where that check box is <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  It may give people a sense that you have actually seen the interface before.</p>
<p>Certifications can prove that you have the ability to start something and see it through. Much like education, some certifications take some effort to study for and complete. It can display a certain amount of determination on the part of a potential candidate. It shows that you have not remained stagnant in your career. I know the actuality is stupid, but remember we are talking about perceptions.</p>
<p>Certifications are rarely something that you get looked down upon for. If you are applying for a job or have a job interview I have never heard of a case where someone didn&#8217;t get a job because of a certification they held. I file this under the &#8220;it couldn&#8217;t hurt&#8221; column.</p>
<h3>Certification (may) = Fail</h3>
<p>Security certifications won&#8217;t help you do your job better, lift a car, or save a baby from a burning building. Security certifications in their current iteration seem to be very poor at proving people have baseline competencies, which is what certification is all about. This is something that the business side has not really caught on to yet and probably won&#8217;t.</p>
<p>Certification can be a pain to get. Some certifications require a healthy dose of time dedicated to studying, practice exams, and whatever other resources are required to pass the exam. Even if you are already familiar with the material, it takes time to learn how to answer the questions the way the certification vendor wants them answered.</p>
<p>Certifications can be a pain to maintain. Some security certifications require maintenance. This maintenance includes either re-certifying periodically or submitting credits. The credit based systems require that you get so many credits per year and per certification cycle. For the ISC2 certifications these are called CPEs (continuing professional education).</p>
<p>The benjamins are here to stay, certification costs money up front. This is your initial buy-in to the certification. Certification costs typically range anywhere from 150 dollars to as much as a few thousand depending on what the certification is and what is required.</p>
<p>Oh no, the benjamins are back! Of course everything from re-certification to annual maintenance requires money. Fees, fees, and more fees. Needless to say unless it is a perpetual certification you are no doubt going to have to pay money to the vendor periodically.</p>
<p>You really don&#8217;t get anything from certification vendors in return for your time, effort, and money. I think this is the part about certification that irritates me the most. After you have spent the time and effort to get a certification, you really receive nothing useful from them. You may receive notifications about items from the vendor, but it is typically &#8220;who cares&#8221; communication.</p>
<p>You may have ethical issues with certification vendors in which you don&#8217;t want to give them your money. In this case I am right there with you. This could actually be a big turn off in your decision making process.</p>
<h3>The Certified Conclusion</h3>
<p>There are probably valid points that I left out, sorry, but the post is getting long and I don&#8217;t know if anyone will read it anyway. I also really didn&#8217;t want to talk about particular certifications, so I didn&#8217;t really list any. They are easy enough to find though.</p>
<p>There is really no right or wrong answer about whether to obtain a security certification. All you can do is take the data you have and make a decision for yourself. Visit job search sites and search for jobs with that particular certification. Weigh the time, effort, and expense that you will have to endure to get and maintain the certification. See what other people are saying about the certification. If it makes sense and you think that it will help, then go for it. If it doesn&#8217;t seem worth it, then don&#8217;t. It&#8217;s really hard to judge the future and where security certification vendors are going, so all you can do is make the best decision for yourself in the present.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/09/10/value-of-security-certifications/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Seth for ISC2 Board</title>
		<link>http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/</link>
		<comments>http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/#comments</comments>
		<pubDate>Thu, 04 Sep 2008 02:39:27 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/</guid>
		<description><![CDATA[I am just finishing up a post on certification, but I thought this needs it&#8217;s own post&#8230; and well&#8230; I am taking too long. Seth Hardy has requested to be put on the ballot of the ISC2 Board. He needs 591 signatures on his petition in order to be put on the ballot. From his [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.sethforisc2board.org/cissp.jpg" width="300" height="255" /></p>
<p>I am just finishing up a post on certification, but I thought this needs its own post&#8230; and well&#8230; I am taking too long. Seth Hardy has requested to be put on the ballot of the ISC2 Board. He needs 591 signatures on his petition in order to be put on the ballot. From his site:</p>
<blockquote>
<p>Send an email to me: shardy@aculei.net using your email address on record with (ISC)2, including your member number, stating that you are signing my petition!</p>
<p>Signing the petition doesn&#8217;t mean you&#8217;re voting for me; it just means that you&#8217;re supporting my inclusion on the ballot. I&#8217;ll be hitting you up for votes later. <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
</blockquote>
<p>Rather than just complain about issues Seth wants to do something about them. That is something I totally support. If you have an ISC2 certification please visit his site and sign his petition. <a href="http://www.sethforisc2board.org" title="Seth for ISC2 Board">www.sethforisc2board.org</a></p>
<p>More to come on the value / lack of value in security certification. I promise I will finish it soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Speaking at Outerz0ne 4</title>
		<link>http://www.neohaxor.org/2008/02/27/speaking-at-outerz0ne-4/</link>
		<comments>http://www.neohaxor.org/2008/02/27/speaking-at-outerz0ne-4/#comments</comments>
		<pubDate>Wed, 27 Feb 2008 23:24:08 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[outerz0ne]]></category>
		<category><![CDATA[speaking]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/02/27/speaking-at-outerz0ne-4/</guid>
		<description><![CDATA[I am speaking at Outerz0ne 4 in Atlanta GA. My topic is called Information Security: Something Has Got To Give. The talk covers the topic of dealing with common issues in the security world. The talk also spends a good deal of time talking about the individuals you run in to how to deal with [...]]]></description>
			<content:encoded><![CDATA[<p>I am speaking at <a href="http://www.outerz0ne.org">Outerz0ne 4</a> in Atlanta GA. My topic is called <font color="#0000ff">Information Security: Something Has Got To Give</font>. The talk covers the topic of dealing with common issues in the security world. The talk also spends a good deal of time talking about the individuals you run into and how to deal with them. I will spend a good deal of time talking about some of my experiences dealing with individuals and issues. It sounds a lot more boring and useless than it is actually going to be. I promise. The issues I will be discussing will be common ones that people will have to deal with in the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/02/27/speaking-at-outerz0ne-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

