August 1, 2006
Windows Password Security
SecurityFocus has a great article on Windows password security. Among other things, it addresses the real implications of the weaknesses of LanMan and NTLMv2, and a way you can use that to your advantage:
if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.
And I remember creating my first Alt+255 password years ago. It was a pain to enter, and the author makes a good point:
It is common to see recommendations to use high-ASCII characters as the ultimate password tip. High-ASCII characters are those that cannot normally be typed on a keyboard but are entered by holding down the ALT key and typing the character’s ASCII value on the numeric keypad. For example, the sequence ALT-0255 creates the character <ÿ>… creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.
Might it be time to take a glance at your policy to see if your standards still make sense?
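Two of the points above are easy to check for yourself. The script below is an added example, not code from this post or the SecurityFocus article: it scans a pwdump-style hash dump for accounts whose LM hash is anything other than the null constant quoted above (meaning the password is 14 characters or fewer and the weak LM hash is on disk), and it compares the entropy bought by five keystrokes spent on one ALT+0255 character against five keystrokes spent on five ordinary characters. The dump lines are constructed (the non-null hashes are arbitrary hex, not real hashes), and the alphabet sizes are assumptions.

```python
"""Audit a hash dump for accounts whose LM hash is still stored.

Added example, not code from the post or the SecurityFocus article it quotes.
The null-hash constant is the one quoted above; the dump lines are constructed
for this example, and the alphabet sizes in the keystroke comparison are
assumptions.
"""
import math
import re

# LM hash Windows stores for an empty password, and therefore for any password
# of 15 or more characters (the constant quoted in the post above).
NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"

# pwdump-style line: user:rid:lm_hash:nt_hash:::
DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32}):::$"
)

# Constructed sample dump; the non-null hashes are arbitrary hex, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
svc_backup:1001:1122334455667788AABBCCDDEEFF0011:FEDCBA9876543210FEDCBA9876543210:::
jdoe:1002:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
legacy_app:1003:FFEEDDCCBBAA99887766554433221100:A0B1C2D3E4F5061728394A5B6C7D8E9F:::
"""


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].upper(), m["nt"].upper()))
    return rows


def lm_exposed_accounts(text):
    """Accounts whose LM hash is not the null constant: their password is at most
    14 characters and the weak LM hash is stored, so it is worth cracking."""
    return [user for user, _rid, lm, _nt in parse_dump(text) if lm != NULL_LM_HASH]


def extra_bits_high_ascii(alphabet_size=223):
    """Entropy added by one high-ASCII character typed as ALT plus four digits
    (five keystrokes). 223 = 95 printable ASCII + 128 high codes, an assumption."""
    return math.log2(alphabet_size)


def extra_bits_five_chars(alphabet_size=95):
    """Entropy added by five ordinary printable-ASCII characters (also five keystrokes)."""
    return 5 * math.log2(alphabet_size)


if __name__ == "__main__":
    for user in lm_exposed_accounts(SAMPLE_DUMP):
        print(f"{user}: LM hash present, password is 14 characters or fewer")
    print(f"ALT+0255: +{extra_bits_high_ascii():.1f} bits; "
          f"five more characters: +{extra_bits_five_chars():.1f} bits")
```

Run against a real dump, the first list is the set of accounts a 15-character minimum length (or disabling LM hash storage outright) would have taken off the table; the second number is the author's "five characters longer" point made concrete, roughly 33 bits versus 8.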
Ten Windows Password Myths [SecurityFocus]
Read More: Passwords, Authentication, Windows
July 31, 2006
Hack Your Southwest Boarding Pass
A how-to on boarding early on Southwest…
…Use any HTML editor to change the “B” or “C” graphic on your saved boarding pass to the “A” graphic that you saved.
Not rocket science, but it points out the inherent insecurity of boarding passes you print out yourself. I suspect it’s similarly easy with other airlines. Recently, Southwest filed suit against APassOnly.com, which acted as a proxy to get you first in line for boarding, so I don’t expect this site to stay up long.
How To Change A Southwest Airlines Boarding Pass From a “C” or “B” to an “A”! [boardfast.blogspot.com]
Read More: Web, Authentication, Vulnerabilities
July 28, 2006
Why Study When You Can Hack?
Counter to what the movies might say, hacking grades is not just cheating, it’s a crime:
An investigation showed the professor’s network account had been accessed without her permission and grades were assigned to nearly 300 students, prosecutor Robert Fratianne said.
I bet they just guessed her password, but still, there are more legal ways to cheat.
Students face 1 year in jail for hacking [Yahoo News / AP]
Read More: Threats, Passwords, Authentication, Identity Theft, Government
June 12, 2006
Social Engineering for Social Causes
I’m Lovin’ It! By registering a domain name (and presumably some other social engineering), an environmental activist gets himself on stage to present at a games conference as a representative of McDonald’s.
“Today I’m going to tell you the story of a game so serious that it changed the direction of a company,” Shimery-Wolf said. “And I’ll also talk about an even more serious game - the game we’re all playing with the future of the world.”
Shimery-Wolf then went on to talk about the dire consequences of global warming.
Environmentalist Pranksters Pose As McDonald’s Execs At Corporate Game Conference [Network Computing]
Read More: Authentication, Social Engineering
May 16, 2006
Banks Still Don’t Get It
Winn Schwartau at Network World does a good job of pointing out the myriad authentication flaws present at your average bank.
My wife overheard the conversation and raised hell with me about how easy it was to gain access to our intertwined online accounts with no decent security check. AmSouth’s proof-positive security check was, in fact, public information.
Then it only got worse. AmSouth called me at home…
When are banks going to get that the reason we give them money is that we trust them? The lack of decent authentication goes a long way toward undermining that trust. A new report from emarketer.com says:
The key factor in customer attitudes is the perception of Web site security. Being able to trust a banking site is extremely important to customers, with more than 87% saying in an Ipsos Insight survey that they wanted assurance that the bank would not sell their personal information and 83% wanted assurance that such data was protected from hackers.
The banks need to get security right or they will be losing customers quickly. This is a great chance for them to sell security as a competitive differentiator.
Big bank goes phishing [NetworkWorld]
Are On-Line Banking Sites Secure Enough [SecurityProNews]
Read More: Authentication, Identity Theft, Privacy
May 11, 2006
Blindly Applying ‘Best Practices’
Professor Spafford expounds on his previous article, which we talked about earlier, to say that we should examine all best practices to see which ones make sense for a given application. My favorite example of this:
One example, told to me by a Federal law enforcement agent, is when he showed his badge and papers while passing though security. They didn’t make him take out his weapon when going through the metal detector…but then they insisted that he run his shoes through the X-ray machine!
The lesson here: don’t check your brain at the door when applying best practices. When security professionals walk around saying that all security requirements need to be met without doing even a back-of-the-napkin risk assessment, we all look bad.
Spaf: Passwords and Myth [Purdue’s CERIAS Blogs]
Read More: Threats, Passwords, Policy, Authentication
May 10, 2006
Credit Card Prank
Requiring a signature on credit card transactions is a joke. This guy proves it:
Read More: Authentication, Theft
May 8, 2006
Hacking Gas Pumps
Thieves in St. Louis are breaking into gas pumps and setting them to dispense gas for free. They’ve hit two stations already. Evidently it’s somewhat of an inside job, since only the people who service the pumps should have the keys and codes necessary to hack the pumps.
With such a small number of potential suspects, and all the video cameras at a gas station, I bet these crooks will be caught in a week.
Video: Hackers Give Away Free Gas [St. Louis TV Station KSDK]
Read More: Authentication, D' Oh!, Vulnerabilities, Theft
May 4, 2006
BMW: The Ultimate Hacking Experience
BMW’s X5 SUVs seem to have a slight <cough>flaw</cough> in their authentication systems. The net effect: thieves have used laptops to steal two of European soccer star David Beckham’s X5s.
Because the decryption process can take a while - up to 20 minutes, according to Hart - the thieves usually wait to find the car in a secluded area where it will be left for a long period. That is believed to be what happened to Mr. Beckham - the crooks followed him to the mall where he was to have lunch, and went to work on his X5 after it was parked.
Now that’s strong encryption.
Maybe Mr. Beckham should stay away from wireless technologies altogether.
Gone in 20 Minutes: using laptops to steal cars [Left Lane News] (via Engadget)
Read More: Threats, Crypto, Authentication, Vulnerabilities, Theft, Wireless
Identity Theft via Frequent Flyer Numbers?
The British paper The Guardian exposes a hole in the British Airlines website. Given someone’s name and frequent flier number, you could steal their entire identity:
We logged on to the BA website, bought a ticket in Borer’s name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.
The airline responded and closed the hole. According to the article, somehow this whole issue is the fault of CAPPS II, the now-defunct TSA program for screening for airline terrorists. While I’m not excited about any program that invades my privacy and marks my friend’s 2-year-old as a terrorist, the airline is at fault here, not the TSA.
However, there are two lessons here:
- Be careful of how you deal with any information that is a unique identifier to you. You never know what other information it might be tied to.
- When engineering or auditing a system, approach it in a threat-based way. Ask yourself, “If I only knew X piece of information, how much could I learn?” Better you find out the nasty truth than a national newspaper.
Q. What could a boarding pass tell an identity fraudster about you? A. Way too much [The Guardian] (via Lifehacker)
Read More: Threats, Web, Authentication, Identity Theft, Privacy
April 25, 2006
Symantec Forgets to Build in Authentication
Our favorite holes are always those that come from the same security vendors that are supposed to be protecting us from holes in software. Today’s entry into the Product Hall of Shame is Symantec’s Scan Engine. Seems they forgot to build in authentication:
The security software uses a client-side Java applet to authenticate users, but the Scan Engine server itself never checks to make sure that users have been authenticated, meaning that intruders could gain control of the server by sending their own XML (Extensible Markup Language) requests using the server’s proprietary protocol.
“It’s totally a fake authentication scheme,” said Chad Loder, Rapid7’s engineering director. “This vulnerability, as far as we can tell, has been built into the application from day one. We were just the first people to come and look into the protocol.”
This is pitiful. Our first clue should have been from their own marketing:
Easily integrates with third-party software and hardware via version 1.0 of the ICRAP protocol or the native API.
Okay, that was a cheap shot. But still, they forgot to build in authentication!
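The flaw in the quote, authentication that happens only in the client while the server answers whatever it receives, is a pattern worth seeing next to its fix. The code below is an added, illustrative example and not Symantec’s code or protocol: the command names, the user table and the password are constructed. The broken server never learns whether a login happened; the fixed one checks credentials itself, hands out a session token, and refuses every request that does not carry a token it issued.

```python
"""Server-side authentication enforcement: a server that trusts a client-side
login step, beside one that checks its own session table on every request.

Added, illustrative example; not Symantec's code or protocol. The command
names, user table, file table and password are constructed for the example.
"""
import hashlib
import hmac
import os
import secrets

# Constructed user table: username -> (salt, PBKDF2 hash of the password).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000))}

# Constructed resource the protocol can fetch.
FILES = {"/etc/scan.conf": "scan-engine configuration (constructed sample)"}


def _verify_password(user, password):
    """Constant-time comparison against the stored PBKDF2 hash."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(expected, candidate)


class BrokenServer:
    """Authentication lives only in the client applet. The server has no idea
    whether a login happened, so any well-formed request is served."""

    def handle(self, request):
        if request.get("cmd") == "get_file":
            return ("ok", FILES.get(request.get("path"), ""))
        return ("error", "unknown command")


class FixedServer:
    """The server checks credentials itself, issues a session token, and
    requires that token on every subsequent request."""

    def __init__(self):
        self.sessions = {}  # token -> user

    def login(self, user, password):
        if not _verify_password(user, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def handle(self, request):
        # The check happens here, on the server, for every command.
        if self.sessions.get(request.get("token")) is None:
            return ("error", "not authenticated")
        if request.get("cmd") == "get_file":
            return ("ok", FILES.get(request.get("path"), ""))
        return ("error", "unknown command")


if __name__ == "__main__":
    req = {"cmd": "get_file", "path": "/etc/scan.conf"}
    print("broken:", BrokenServer().handle(req))
    fixed = FixedServer()
    print("fixed, no token:", fixed.handle(req))
    token = fixed.login("admin", "correct horse")
    print("fixed, with token:", fixed.handle({**req, "token": token}))
```

The test for this class of bug is the one Rapid7 evidently ran: talk to the server directly, skipping the client, and see whether it still answers. If it does, the client-side login is decoration.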
Network World: Bad Authentication Breaks Symantec Scanner
Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability
Read More: Patching, Authentication, D' Oh!, Vulnerabilities
April 24, 2006
Periodic Password Changes a Waste of Time
Our favorite quotable Computer Science prof, Eugene Spafford, has come out with a controversial article about the (un)importance of regular password changes.
He analyzes the threats and finds the mitigation is minimal. Even better, he examines the sources of this “best practice”…
So where did the “change passwords once a month” dictum come from? … As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years.
This is one I have to agree with Spaf on. Since regular changes make a password harder to remember, it actually decreases security by:
- Discouraging long, complex passwords.
- Encouraging people to write their passwords down.
I would rather have 1 more character required in a password than require it to be regularly changed.
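The back-of-the-envelope calculation Spafford describes is easy to redo, and redoing it is the quickest way to see why one extra character beats monthly rotation. The block below is an added example, not from this post or Spafford’s article: it fixes an attacker guess rate so that exhausting an 8-character, 62-symbol keyspace takes 90 days (the “several months” of the quote), then compares the chance of a uniformly random password being found before a 30-day rotation against the chance for a 9-character password kept for a full year. The alphabet size, length and rate are constructed assumptions.

```python
"""Forced rotation versus one extra character, back-of-the-envelope style.

Added example, not from the post or Spafford's article. Alphabet size,
password length and attacker guess rate are constructed assumptions; the
model assumes uniformly random passwords and exhaustive search.
"""

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size, length, guesses_per_second):
    """Days an attacker needs to try every password in the keyspace."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


def compromise_probability(alphabet_size, length, guesses_per_second, window_days):
    """Chance a uniformly random password is found before it expires: the
    fraction of the keyspace the attacker covers within the window (capped at 1)."""
    tried = guesses_per_second * window_days * SECONDS_PER_DAY
    return min(1.0, tried / keyspace(alphabet_size, length))


def compare(alphabet_size=62, length=8, exhaust_days=90):
    """Choose a guess rate so the baseline keyspace takes exhaust_days to search
    (constructed to match the 'several months' of the quote), then compare
    monthly rotation with adding one character and keeping it for a year."""
    rate = keyspace(alphabet_size, length) / (exhaust_days * SECONDS_PER_DAY)
    return {
        "baseline_days_to_exhaust": days_to_exhaust(alphabet_size, length, rate),
        "rotate_monthly": compromise_probability(alphabet_size, length, rate, 30),
        "one_more_char_days_to_exhaust": days_to_exhaust(alphabet_size, length + 1, rate),
        "one_more_char_kept_a_year": compromise_probability(alphabet_size, length + 1, rate, 365),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:32s} {value:,.4f}")
```

With these numbers a monthly rotation still leaves a one-in-three chance per password of being cracked before it changes, while the ninth character pushes the full search out to more than fifteen years and the one-year exposure to about six percent. The model is deliberately crude: it ignores that attackers guess likely passwords first rather than the whole keyspace, which cuts against short passwords far more than it cuts against rotation.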