Tuesday, June 12, 2018

Is your organization still following the outdated password policy?

If you were told or forced to set up a so-called "strong password" that had to be complex (a combination of uppercase letters, lowercase letters, numbers, special characters, and so on) just to safeguard your user account from password guessing, shoulder surfing and/or brute-force attacks, that policy is outdated and should be retired as soon as possible.

If you were also told or forced to change your password periodically, say every month or so, that practice has likewise been acknowledged by cybersecurity experts to be misguided: it does not make your account any more secure.

Indeed, it only serves to make your life more difficult, and it makes your account much more vulnerable if you eventually resort to one of the following to help you remember your latest password:

  • Write your latest password on a Post-It note or in your diary.
  • Tape your password somewhere near your computer (as the character Nolan Sorrento does in the movie Ready Player One).
  • Keep your password in a computer file (text, Word, Excel, ...), password protected or not.
  • Store it with your web browser's auto-complete feature.

Apparently, the outdated password policy that required complex passwords and frequent changes was derived from a 2003 National Institute of Standards and Technology (NIST) report, namely "NIST Special Publication 800-63, Appendix A."

Interestingly, it is NIST itself that has overturned its own password guidelines in its more recent NIST Special Publication 800-63A report, entitled "Digital Identity Guidelines: Enrollment and Identity Proofing Requirements," released in June 2017. You can download the complete report from NIST for free.

The new report makes the following important suggestions:
  • Verifiers SHOULD NOT impose annoying password complexity rules. They make passwords harder to remember, they increase errors because artificially complex passwords are harder to type, and they drive most people to keep their password on a Post-It note or in a computer file. It is better to allow people to use passphrases.
  • Verifiers SHOULD NOT bother users with password expiration. That was an old idea from an old way of using computers. Only force a password change when there is an indication of compromise.
  • Verifiers SHOULD use dual factor authentication (2FA). This has proven to be the more robust and secure approach.

Dual factor authentication adds an additional layer of security by requiring not only the password but also another piece of information that only the account holder has or knows. One of the most commonly used methods for dual factor authentication is the one-time password (OTP), which can be event-based (the OTP is generated by triggering an event such as a keypress, as specified in RFC 4226) and/or time-based (the OTP changes with time, as specified in RFC 6238).

The account holder needs to read the OTP from a token and enter it to log in successfully. The token can be a hardware device such as a key fob, display card, USB authentication key, OCRA keypad, etc. The OTP can also be generated and delivered to the account holder by software, in the form of an SMS, an email, a mobile app display, a push notification, etc.
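As an added illustration (not code from this post), here is a minimal Python implementation of both RFC 4226 (event-based, HOTP) and RFC 6238 (time-based, TOTP), together with the check a verifier should perform when it receives a code. The seed is the test secret published in those RFCs, and the drift window and the replay rule are my own choices, not something the post specifies.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation of the digest, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_counter=None, window: int = 1, step: int = 30,
                digits: int = 6):
    """Verifier-side check. Tolerates +/- `window` steps of clock drift, but
    never re-accepts a time step at or before `last_counter` (replay defence).
    Returns the accepted counter, or None when the code is rejected."""
    for delta in range(-window, window + 1):
        counter = unix_time // step + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Test secret from RFC 4226 / RFC 6238 (SHA-1 variant), not a real credential.
    seed = b"12345678901234567890"
    print("HOTP counter 0:", hotp(seed, 0))   # 755224 per RFC 4226
    print("TOTP at t=59s:", totp(seed, 59))   # 287082 per RFC 6238
    accepted = verify_totp(seed, totp(seed, 59), 59)
    print("accepted counter:", accepted,
          "replay accepted:", verify_totp(seed, totp(seed, 59), 59, last_counter=accepted))
```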

Note that delivering the OTP by SMS or email is also an outdated method, vulnerable to interception by trojan horses and/or other malicious software. You can search the Internet for the following keywords to read more about how insecure SMS is for OTP delivery:
  • ZeuS-in-the-Mobile (ZitMo)
  • SpyEye-in-the-Mobile (SPITMO)
  • Android.Bankosy

Besides, an OTP sent by SMS or email is very likely to travel in plain text, which leaves it subject to the ISMS threats of interruption, interception, modification and fabrication along the way.

Therefore, all organizations should update their password policy so that all users:
  • Use passphrases instead of passwords
  • Use dual factor authentication with a secure token (avoid the outdated SMS or email methods)

Sunday, April 22, 2018

Google Chrome and Firefox will distrust websites with SSL/TLS certificate issued by Symantec / Verisign / Thawte / GeoTrust / RapidSSL

Web browsers Google Chrome (with a 57.69% global market share as of March 2018) and Firefox (with a 5.4% global market share as of March 2018) will start to distrust all websites whose SSL/TLS certificates were issued by Symantec, Verisign, Thawte, GeoTrust and RapidSSL.

This means that in the near future, every time you visit such a website over HTTPS with Google Chrome, Firefox, or any other web browser that follows suit, the browser will show you a security warning before you can read the webpage.

Some of the affected popular websites include (but are not limited to)...

In late 2017, DigiCert acquired Symantec's Website Security and related PKI solutions, the Certificate Authority behind the affected Symantec, Verisign, Thawte, GeoTrust and RapidSSL SSL/TLS certificates.

Webmasters of all affected websites can make arrangements with DigiCert to replace their SSL/TLS certificates with new ones issued by DigiCert, which are still trusted by Google Chrome and Firefox.

You can click here to read more about this issue.

Tuesday, April 17, 2018

How to enable using F8 during boot up to enter safe mode in Windows 10

Seasoned MS Windows users have very likely pressed F8 during computer boot-up to enter the "safe mode" of the Windows operating system.

On many occasions, "safe mode" can save your day by letting you fix something that is broken in the Windows system. Such occasions include, but are not limited to:

  • A Windows update has caused problems and instability in the system.
  • A problematic hardware device driver (normally after a new driver update).
  • A screen resolution incompatible with the monitor, causing a blank screen or distorted display.
  • Windows is infected by a virus or malware that cannot be removed in "normal" mode.
  • Problematic software/applications that crash the system (and, unfortunately, autorun during Windows start-up).
  • Minor damage to the Windows registry or system files due to an improper power-off.

You can keep pressing the F8 key on your keyboard during boot-up of Windows 7 to enter a boot menu that includes the "safe mode" option. However, this F8 function is disabled by default in Windows 8 and Windows 10.

You can still reboot Windows into "safe mode" if you are able to reach the Windows 8/10 login screen and it is still functioning properly: hold down the Shift key on your keyboard while clicking the Power icon on the login screen, then select the Restart option to reboot your computer.

You can also create a bootable Windows recovery USB drive that can be used to fix Windows problem.

If you want to enable F8 during boot-up to enter safe mode in Windows 8/10 as another rescue option, here are the steps.

Step 1: Open a Command Prompt with administrator rights

Click on the magnifying glass in the Windows Quick Launch bar and search for "cmd".

You should find "Command Prompt". Right-click on it and select "Run as administrator". This opens a Command Prompt window with administrator rights.

Step 2: Change the Boot Menu Policy to Legacy

In the Command Prompt, type the following command and press Enter.

bcdedit /set {default} bootmenupolicy legacy

This command edits the Boot Configuration Data (BCD) so that the F8 safe mode function is available again.

Upon successful execution, you will see the message "The operation completed successfully". You are done!


Step 3: Testing

Now restart Windows and test your F8 key. It should bring up the Advanced Boot Options menu.

If for any reason you want to roll back and disable F8 during boot-up, use the instructions in Step 1 to open a Command Prompt with administrator rights again, and issue the following command instead:

bcdedit /set {default} bootmenupolicy standard
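To confirm the setting without rebooting, here is an added Python check (not from this post) that parses the output of bcdedit /enum {default} and reports whether bootmenupolicy is Legacy. The sample output embedded in it is constructed for offline testing, and querying a live machine requires the elevated prompt from Step 1.

```python
import re
import subprocess

# Constructed sample of `bcdedit /enum {default}` output as it looks after Step 2.
# It is not captured from a real machine.
SAMPLE_BCD_OUTPUT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
bootmenupolicy          Legacy
"""


def parse_bcd_entry(text: str) -> dict:
    """Turn the 'name<two or more spaces>value' lines of one bcdedit entry into
    a dict with lower-cased keys; the header and dashed separator are skipped."""
    entry = {}
    for line in text.splitlines():
        match = re.match(r"^(\w+)\s{2,}(.+?)\s*$", line)
        if match:
            entry[match.group(1).lower()] = match.group(2)
    return entry


def f8_enabled(bcd_text: str) -> bool:
    """True when bootmenupolicy is Legacy (F8 works). Windows 8/10 use Standard
    when the element is absent, so a missing key counts as disabled."""
    policy = parse_bcd_entry(bcd_text).get("bootmenupolicy", "Standard")
    return policy.lower() == "legacy"


def query_live_bcd() -> str:
    """Read the real default entry; bcdedit needs an elevated prompt (Step 1)."""
    result = subprocess.run(["bcdedit", "/enum", "{default}"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("F8 enabled on this machine:", f8_enabled(query_live_bcd()))
```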
