InfoSec links June 9, 2014

Complexity as the Enemy of Security - Brian Krebs - Krebs on Security

The Syrian Electronic Army (SEA) has been at the center of several high-profile hacks. They've hacked major news websites such as Time, CNN and The Washington Post. More recently they got into the RSA Conference site after they were called cockroaches by Ira Winkler. They accomplished this through a third-party content provider. This past weekend I went to BSides Asheville and Paul Coggins had an interesting talk on cloud networks and how "third-party" service providers could be the weak point in a network's infrastructure. The more entities you add, the bigger the attack surface and the more potential vulnerabilities there may be.

Which of your favourite websites are terrible at passwords? - Lisa Vaas - Naked Security

Strong passwords are something that's preached pretty regularly by the infosec community. Typically, it's preached at users, but it should also be preached at websites that let you create accounts. Match.com tops the list of sites that allow weak passwords such as:

  • Qwerty
  • 123456
  • 111111
  • and many others

They also don't lock accounts after a certain number of attempts, and they limit how long a password can be. Seriously, why would you limit someone from creating a longer password? Or not allow you to use special characters?

They Hack Because They Can - Brian Krebs - Krebs on Security

Highway signs are being hacked again for... well, because they can be hacked and because the security on these types of signs is awful. The prankster appears to be a foreign script kiddie who enjoys defacing websites, according to Krebs. The methods used to perform the hack appear to be trivial at best.