Friday, June 24, 2011

Password haystacks

I was listening to the Security Now podcast the other day, and security researcher Steve Gibson came up with a really interesting method for creating strong passwords that are easy to memorize. He calls his method 'Password haystacks'. The way it works is you start with a strong password and then pad it with easy-to-remember characters (like a needle in a haystack).

So let's start with a decent password: wa9PUCra

By applying the haystack method it becomes something like this:

The additional length dramatically increases the time it would take to crack the password with a brute-force attack. Obviously twenty random characters would be more secure, but most people can't remember a twenty-character password. This method strikes a nice balance: a big increase in security without affecting the ability to remember the password.
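As an added worked example (not code from this post or from Gibson's site), here is the search-space arithmetic behind that claim: it sums the sizes of the character classes present, counts every candidate up to the password's length, and compares the starting password above with a constructed padded version. The class sizes, the offline guess rate and the padding characters are assumptions, not figures from the post.

```python
import string

# Character classes and alphabet sizes (assumed; the post does not list
# them). string.punctuation has 32 symbols; with the space that makes 33.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]

# Assumed guess rate for an offline attack against a stolen password hash
# (placeholder figure, not from the post).
OFFLINE_GUESSES_PER_SECOND = 1e11
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force search must cover: the sum of every
    character class that appears at least once in the password."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password has no printable ASCII characters")
    return size


def search_space(password: str) -> int:
    """Every candidate of length 1..len(password) over that alphabet; the
    attacker does not know the length, so shorter strings count too."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def centuries_to_exhaust(password: str, rate: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Worst case: trying every candidate at `rate` guesses per second.
    Upper bound against pure brute force only; a cracker whose rules model
    a short core wrapped in repeated padding searches far less than this."""
    return search_space(password) / rate / SECONDS_PER_CENTURY


def haystack_gain(core: str, padded: str) -> float:
    """How many times larger the padded password's search space is."""
    return search_space(padded) / search_space(core)


if __name__ == "__main__":
    core = "wa9PUCra"                 # the post's starting password
    padded = "..--" + core + "--.."   # constructed padding, not the post's
    for pw in (core, padded):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"{centuries_to_exhaust(pw):.3g} centuries to exhaust offline")
    print(f"padding multiplied the search space by {haystack_gain(core, padded):.3g}")
```

The padded version adds a fourth character class as well as eight characters of length, which is why the gain is many orders of magnitude rather than a few.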

You can read more about it on Steve Gibson's site.

Tuesday, June 7, 2011

Two busy bots

This morning and were pounding away on one of my FTP servers. They were attempting a brute-force break-in, but at three login attempts per minute it would take them a hundred years to get in. is from Inner Mongolia, China and is from Bangladesh.

Thursday, June 2, 2011

Sony hacked again.... this is just sad. is reporting that Sony has been hacked yet again by a group called LulzSec. This time the target was The hack was carried out using a simple SQL injection attack and unbelievably the passwords were stored in plain text. Sony should unplug all of their internet connections worldwide. If I ever have someone's resume come across my desk and Sony is listed as a former employer that resume is going right in the round file.

Should SQL injection attacks really even be illegal? Think about it... what is a SQL injection attack? You enter a URL into a browser and the remote server returns data. What exactly is the crime? Seems to me everything is working as designed. Maybe Sony should be prosecuted for building a website that leaks personal information on demand.

IP addresses attacking my servers this week

Here are the IP addresses of zombie bots attacking my ssh server this week. Above is a map of their locations. has been particularly persistent. I have seen that IP just about every day. ARIN reports it belongs to Cablevision. I might just have to send an e-mail to their abuse address.