Saturday, April 16, 2011

Infosec this week. Best post about security?

Hey there readers. (Or at least I hope there's more than one of you.) Infosec this week - if you've not been, it's a lot of fun (except for the standing up for ages bit). Be good to see a few old friends there (hey Shep), and check out what's new and groovy in the world of "Info" "Security" (don't hold your breath).

So, anyway, what with the week it is, I thought I'd stick up a post about security... these crazy ideas, eh? Bit of an old topic though - risk. Specifically people mis-assessing it - including some folks who should know better.

First up - there's been a lovely message doing the rounds on Facebook. This message exhorts users to sidle on up to the URL bar and bob an "s" on their "http". Harmless advice, nay even reasonable advice - but you're really not at a great deal of risk, given that login is always encrypted, so the worst you're really looking at is a session hijack on untrusted media. So folks will bandy about useful but largely irrelevant advice - you never see a "viral" encouraging good password sense, or not leaving yourself logged in on a public PC... and this is probably because the HTTPS advice is easy to execute - hey look, I can see there's no "s", but I can put one there and feel safe. Nice. Security, it's like a switch: you can turn it on and go back to sleep. Hmm, I didn't intend this post to be about Infosec, but I'm getting a faint echo of some of the marketing guff I heard there last year...

Secondly, and these boys and girls belong firmly in the "should know better" camp... I recently upgraded my phone (finally went smartphone, the Luddite is dead). The network, Everything Everywhere (always block... guardian3 users know the score...) allows me to set a lovely long password. It has numbers and everything. Now, don't ask why, but I ended up calling these guys a few times over the last week... and always giving the same two characters in my password. My secure-sense (yeah right) finally surfaced, and I questioned my "customer services advisor" and yeah, sorry coincidence hunters, they always ask for the first two characters. There's probably a few statistics you can use to tilt the balance in your favour (not least overhearing any call!) - my first guess, going vowel-consonant, only bought me 3%, but I bet you, dear reader, can whip that with a bit of grep and /usr/share/dict/words! On the other hand, these guys won't post my new trombone to anything but my home address. Which I told them. After giving my "2 character 10 character" password. I wonder if this new "home address only" policy is fixing the symptom, not the cause?
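To put a number on that "always the same two characters" point, here is an added example (mine, not part of the original post) that measures how much a fixed-prefix check shrinks the space of candidate passwords, which is the figure a service should look at before adopting such a policy. The word list is a small constructed stand-in for /usr/share/dict/words; run it against the real file to get real figures.

```python
import math
from collections import Counter

# Constructed stand-in for /usr/share/dict/words (20 entries), chosen so
# that several words share a two-letter prefix, as real dictionaries do.
WORDS = [
    "trombone", "trumpet", "tractor", "trident",
    "apple", "apricot", "banana", "bandana", "bank",
    "cello", "cellar", "drum", "drummer", "oboe", "organ",
    "piano", "piccolo", "violin", "viola", "zither",
]


def prefix_counts(words, n):
    """How many words start with each n-character prefix."""
    return Counter(w[:n].lower() for w in words if len(w) >= n)


def candidates_after_leak(words, prefix):
    """Words still consistent with a password once its prefix is known."""
    return [w for w in words if w.lower().startswith(prefix.lower())]


def bits_leaked(words, prefix):
    """Entropy lost when the given prefix is disclosed (uniform prior)."""
    remaining = len(candidates_after_leak(words, prefix))
    if remaining == 0:          # prefix not in the list: nothing to narrow
        return 0.0
    return math.log2(len(words)) - math.log2(remaining)


def worst_prefix(words, n):
    """The most common n-char prefix and the fraction of words it covers."""
    prefix, count = prefix_counts(words, n).most_common(1)[0]
    return prefix, count / len(words)


def expected_surviving_fraction(words, n):
    """Expected fraction of the list still consistent after the first n
    characters are revealed, for a password drawn uniformly from the list
    (sum over prefixes of p_i^2)."""
    total = len(words)
    return sum((c / total) ** 2 for c in prefix_counts(words, n).values())


if __name__ == "__main__":
    for n in (1, 2, 3):
        p, frac = worst_prefix(WORDS, n)
        print(f"{n} chars: worst prefix {p!r} covers {frac:.0%}, "
              f"expected survivors {expected_surviving_fraction(WORDS, n):.1%}")
    print(f"'tr' leaks {bits_leaked(WORDS, 'tr'):.2f} bits")
```

The interesting number is how little of the list survives a two-character reveal; since the same two characters are asked for on every call, one overheard call gives away that much of the password for good.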

Lastly I'd like to put in a good word for CEOP, who got a bit of gyp in the press for not making their child abuse reporting form HTTPS... what's more important, being able to report such sites, or mitigating the minuscule risk of an interested party snooping?
