Got MS17-010 deployed? Good, that means you’re immune to the Petya ransomware. I still want you to do something.
Home » NSA
A dictionary attack is a common way to steal a password. Here’s how a dictionary attack works, in layperson’s terms. More importantly, here’s how to beat the attack.
A dictionary attack is a much more efficient alternative to brute force hacking, but it requires a local copy of the user database to work. That usually means stealing the database first, if a bad guy is doing it. But nothing stops a company from doing a dictionary attack on its own user accounts to make sure people aren’t using insecure passwords. It’s unusual, but not unheard of.
The other day I heard a reference to the “high side vs low side” of a computer system in a podcast, and the speaker didn’t stop to clarify. Worse yet is when you hear “on the low side” or “on the high side.” I came from the private sector into government contracting myself. I wasn’t born knowing this jargon either, so I’ll explain it.
Ever since the Snowden leaks, there’s been considerable speculation about what cryptography the NSA could break, and why. Finally, there’s a study that goes into deep detail about what it is the NSA probably can break, and why, plus how to protect against it.
The GCHQ is the British equivalent of the NSA. They recently published a new document containing the GCHQ’s new password advice in light of the things we’ve learned in the last few years. It’s worthwhile reading, whether you’re a sysadmin or a web developer or just an end user who wants to stay secure online.
Some of the advice may be surprising.
Every once in a while the NSA or another government agency releases a whitepaper with a lot of really good security advice. This paper on spotting adversaries with Windows event logs is a fantastic example. It’s vendor-neutral, just talking about Windows logs and how to set up event forwarding, so you can use the advice with any log aggregation system or SEIM. I just happen to use and recommend Splunk. But whatever you use, these are the workstation events you want to be logging.
I want to call your attention to a couple of items in the paper. Most breaches begin on workstations, and this paper has the cure.
One of the very best things security measures you can take is application whitelisting–limiting the apps that are allowed to run on your computer.
The Australian Signals Directorate–the Australian counterpart to the NSA–says doing four things cuts security incidents by a whopping 85 percent. You probably do three of the things. The fourth is application whitelisting.
- use application whitelisting to help prevent malicious software and unapproved programs from running
- patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- patch operating system vulnerabilities
- restrict administrative privileges to operating systems and applications based on user duties.
After the story came out about factory resets not adequately clearing flash memory in phones and tablets, one of my college buddies asked me if a similar problem exists in SSDs.
Depending on the SSD, it definitely can.
So my buddy, we’ll call him Bob, runs Data Loss Prevention (DLP) for a big company. DLP is software that limits what you can do with sensitive information, in order to block it from going out of the company. The NSA wasn’t using DLP back when Ed Snowden was working for them; they probably are now.
Sometimes DLP blocks people from sending their own personal information. Doing so is their right–it’s their information–but from a security point of view, I’m really glad DLP kept them from e-mailing their entire life around in plaintext.