Tuesday, July 19, 2011

The padlock icon must die

What do you think of when you see this little guy on a webpage:

[image: padlock icon]

You’re probably thinking something along the lines of “it means the page is secure”. The more tech-savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit.

The problem is that it doesn’t mean anything of the kind. In fact it has absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us; it implies things that are not true and it’s downright misleading.

Monday, July 18, 2011

The science of password selection

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password.

But there was one important question I left unanswered and that was how people choose their passwords. We now know that structurally, passwords almost always adhere to what we would consider “bad practices” but how are these passwords derived in the first place? What’s the personal significance which causes someone to choose a particular password?

It turns out there are some very recognisable patterns in the data. In fact the vast majority of passwords adhere to just a small handful of common selection practices. This is interesting research in that it begins to give a bit of insight into the thought process of the individuals who create passwords which conform to weak structural guidelines.

Thursday, July 14, 2011

Taking the pain out of database discovery with Red Gate’s SQL Search

[image: SQL Search box]

Today I had cause to take a slightly different direction with a database that had stood for many years providing a fairly critical business function. The change of direction involved dropping a few columns out of a core table with references across an unknown number of procedures and views. What could go wrong?!

Saturday, July 2, 2011

Protecting your web apps from the tyranny of evil with OWASP

So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here and all the code used in the examples is here.

Note – so as to save myself from the tyranny of potential litigation, the evil dudes on each attack slide have been removed. Use your imagination :)