Computers today are attacked and get hacked in not because of WHO we are but WHAT software and systems we are using. There is little difference whether you run a small company with 1 computer or a multinational enterprise.
Continue reading Too Small To Be Attacked? Think Again!
This short post looks at passwords attacks that were launched during 5 months’ period against a small web server of ours in 2013.
There are a lot of statistics about what is the most prolific passwords we use to login to our online accounts. What we were interested in was what passwords are being used to guess logons to online systems. We setup a WordPress website and started logging passwords tried against that website. Here are some results after about 5 months of monitoring and over 11,000 of logged attacks.
Continue reading Password Attacks – A Small Server Experiment
This attack taxonomy includes most common attacks on passwords. The table below shows attack categories split into online and offline attacks. Offline attacks require access to a database of scrambled or encrypted passwords, while online attacks would use normal user interface to test or obtain user passwords.
Continue reading Password Attack Taxonomy
Experts like to say that we are responsible for our security on internet. I disagree as we are not born as security experts. Neither does common sense always makes sense as users can’t see what is going on behind flashy images on their monitors. Who is the real bad boy? Continue reading Looking for Adversary
No matter what bad news we hear about passwords – leaks, security breaches, compromised security – passwords provide a very good protection when used properly. The real weak link here is the user. If users could remember long and random passwords, the “problem of passwords” would be much, much smaller. The hype would disappear and the real issue – how internet companies store passwords – would become much move visible.
Continue reading Why Storing Plaintext Passwords Is Bad
Banks simplify access to our bank accounts. They keep relaxing security while hoping to replicate the boiling frog story. The trouble is that no-one dies and someone will figure out – sooner rather than later.
I touch on a few things: using online banking to find valid card numbers, and date of birth, increasing chances for unauthorised access, lowering security of login credentials and changing role of debit cards.
Continue reading Online and Mobile Banking Fusion
Tokenisation is a hot topic as it makes card processing cheaper and more secure. The goal is to replace your card number with a random number that is hard to use for unauthorised transactions – and it removes the need to encrypt databases.
What we are primarily looking at now are mobile payments but we are designing solutions for e-commerce as well. Payment processing involves re-encryption of PINs (PIN-blocks) for card-present transactions.
Continue reading Tokenisation – Introduction
I watched BBC Panorama documentary with and about Snowden yesterday. Actually, I watched it twice as I was disappointed the first time round. I wanted to find out why.
Continue reading BBC’s Edward Snowden was not really that
Our emails were not being delivered. I thought it was just my ignorance but a chat with a few more people around told me it was not the case. This is a story of a geek learning a (yet another) lesson the hard way.
Continue reading The Importance of DNS to a Start-up
We have recently come across a nice check-list for whoever wants to use DNSSec and establish a good security baseline with a hardware security module (HSM), i.e., never get encryption keys compromised.
We will include detailed comparison of our platform to enigmabridge.com a little bit later but here is an initial comparison. Continue reading Encryption for DNSSec