How do you feel about NIST recommendation that passwords should no longer be rotated and instead have a longer minimum requirement?
— Timothy De Block (@TimothyDeBlock) June 14, 2018

Digging into the new NIST password policy recommendations

June 15, 2018 by Timothy De Block in Technology

I've had a few instances recently, where questions around the new NIST password policy recommendations have popped up. It first happened last week when I was at ShowMeCon. The second question for our panel was around the new NIST recommendation for passwords. Then I had someone ask me about it in the comment sections on this site. I feel like there was another instance, but I can't remember it.

I tweeted out the poll above on Twitter. As you can see two-thirds of infosec professionals like it. I am in that camp as well. There was some great discussion on why it's not a good recommendation in the replies to the poll. Dave Chronister was also against it on the panel at ShowMeCon. I decided I wanted to dig into it a little more.

My understanding of it is that NIST recommends increasing the minimum requirement for password complexity and ditching the rotation of passwords every 90 days. The idea being that people are more willing to remember longer and more complex passwords if they don't have to rotate it as often. I've asked some people at work about this and they are in favor of not having to change their password as much.

I know how easy it is to either crack or compromise someone's credentials via a phish. The question I have is if anyone on a penetration test has had their credentials stop working because that person's password was 90 days old (If you've had this experience I would love to hear about it in the comments). In my view this new recommendation improves the user experience while asking them to improve their password. Someone would still need to rotate their password if compromised.

Before we get to far down user experience, lets take a step back and look at what NIST actually recommends. The guideline is NIST 800-63b. This is my first time reading it as I'm writing this post (and having a delicious home-brewed chocolate milk stout).

We're looking at section 5.1.1.1. There it says password lengths, "...SHALL be at least 8 characters in length if chosen by the subscriber." It goes on to say later, "No other complexity requiremnets for memorized secrets SHOULD be impost." There is no mention, specifically, of rotating passwords. My assumption is that it was removed from the documentation. According to passwordping.com it added the requirement to screen for commonly used or easily guessable passwords. Which I see in 5.1.1.2.

Based on that NIST is suggesting we ditch password complexity and rotating passwords, but keeping an 8 character minimum. I'm not sure I'm on board with that. I'd prefer to require longer passwords and ditch complexity and rotation of passwords. I think there needs to be a give and take here with passwords. We'll require less rotation of passwords (they're just enumerating anyways) for longer passwords. That doesn't seem to be the case with the new NIST recommendation.

I like the idea of challenging some of our old ways of doing things in the industry. I recently talked to someone about passwords. They were complaining to me about how many passwords they had to remember. I asked if they were using a password manager. They were not. That was a red flag right there that they were probably using weaker passwords. That also meant they were probably enumerating their password by numbers or characters. Which meant that even if they rotated their password you could probably guess the new one.

I am a big believer in practical security. I think it's a good approach. It's a good balance between meeting people's needs and getting security most of what they want. If ditching the rotation of passwords results in longer and stronger passwords I'm all for it. I like the idea of checking for commonly used or easily guessable passwords. I really like the idea of checking for compromised passwords from a site like Have I Been Pwned?

2018-06-14 00_21_42-Titus S03EP09_ Errrr 3_3 - YouTube.png

ERRRR Suicide

June 14, 2018 by Timothy De Block in Experiences

Christopher Titus saved my life.

I graduated from high school in 2000. Right around that same time Titus appeared on Fox. I was instantly hooked. The show was funny and dealt with some deep dark emotional issues. It was the realist thing I could come to a comedy. In 2002 it ended up saving my life and to this day has abated any thoughts of suicide.

I was in the Navy at the time. I don't remember my exact reason for being in the lounge at our barracks, but I was having a pretty shitty day. I remember thinking, "Maybe I should just kill myself." That's when I found Titus on the TV I was flipping through in the lounge. The episode was, "Errrr." The premise of the episode was Titus catching his niece trying to commit suicide. He stops her and sits down for a chat about the time he tried to kill himself. The episode was hilarious and at the end of it I realized, how ridiculous the idea was.

I wanted to share this, because I recently had someone IM me about leaving work. They were concerned that I left agitated. I responded that I had a lot on my mind recently and I was working through it. They responded with encouraging words and let me know I could call a suicide hotline. I responded with a clip of the episode from YouTube. Suicide is not something that has crossed my mind, but I know it has crossed the minds of others.

Our industry is tough. We have a lot today and a lot of push back from people inside our organization. I'm blessed that the push back is minimal from my organization. We have our frustrations. Overall I realize I'm in a good situation. I have my good days and my bad days. I struggle to meet internal expectations.

I should drink less. I stay up to late. I should play video games less. I should spend more time with the kids and my wife. I should get this certification. I should blog more. I need to get another guest for the podcast. I need to edit these three podcasts. I should spend more time at work getting all this work done. I should. I should. I should.

I still struggle with internal expectations. I fail constantly. I go to bed too late. I don't spend enough time with the wife and kids. It's gotten better moving to Tennessee. I take them with me to some of the conferences I attend. Still I'm not with them. I'm attending the conference. I'm working late. I'm hitting the gym, because I need to relieve some stress and I want to show them the good habit of working out.

I'm still trying to figure it out. I mention this because I think a lot of us are. I've had conversation with people about alcohol after my alcohol posts. I think they're some of my most liked content on the site. I think that with social media we see a lot of the wins in people's lives. Not a lot of their loses. I'm hoping this post can change that. For all my success: the podcast; speaking engagements; a great job. I can show that we don't always have it together. Even the best of us still frown. Even the best of struggle and just try to make i through the day. It's okay.

After tomorrow is a new day. A new opportunity to do something great or learn from a failure.

2018-06-14 00_23_06-Titus S03EP09_ Errrr 3_3 - YouTube.png

Converge and BSides Detroit wrap-up

May 14, 2018 by Timothy De Block in Experiences

Last week, I headed to Detroit for a wonderful conference called Converge. It was quickly followed on Saturday by BSides. This is one of staple conferences every year. The crowd is great. The venue is top notch. The other speakers are fantastic. The organizers are awesome! And of course dueling coney dog restaurants.

This year I got the opportunity to both speak and put on a workshop. The topic is the one I've been peddling all year, Social Engineering for the Blue Team. The talk went well enough. I had to transfer slides to our new company template and I missed some notes. The workshop went really well. I got some great feedback and found some refinements that need to be made. I only had six people in the workshop. Which worked out well, because I had a lot of back and forth and contributions from the crowd. I look forward to doing it again in the future.

I recorded one podcast interview and then did another conference interview that will come out this week. I'm going to try and do more podcast interviews while I'm conferences. Before I wanted to enjoy the conference and not worry about audio equipment and recording. That's a bit selfish, because I think I can record in-person with people. This would ideally lead to some better quality interviews and content. Shout out to Jesse who told me that he liked the new format. Thanks Jesse!

I'm playing with the format a bit so, I think this can slide in nicely. I plan to record some impromptu interviews where I just hit the record button and go. I think for the over-the-internet interviews I'll use my old format. I'll tweak it a bit. Ditch the old opening where I have the interviewee listen in. Instead I'll record an intro for each episode. This will allow me to give impressions of the interview and any promotional things. Still experimenting.

The conference went really well. I caught up with some friends and made some new ones in the process. If you missed it this year, I highly encourage you to check it out next year.

Speaking and workshop update

April 01, 2018 by Timothy De Block in Experiences

BSides Nashville

I got picked up to do my Social Engineering for the Blue Team topic as a 25 minute talk. It's the last talk in the green room. Maybe I'll take that opportunity to see how long I talk before everyone leaves. Because it's in the green room, I'm going to try and give the talk a new twist.

I'll be at the conference as the photographer again. I've also been asked to help out with the resume and interview workshop. If you need help with your resume or interviewing stop by the workshop. I'm going to start preparing interview questions next week, which might make a good blog post.

Converge and BSides Detroit

The signup for my Social Engineering for the Blue Team workshop is up. It will be a four-hour workshop. Be sure to check out the other workshops. They're all fantastic and I wish I could go to all of them.

I've also been picked up as a speaker for the conference and we're in negotiations to do an Exploring Information Security panel. A year after I said I'd never speak twice at the same conference, I am now speaking three times. It's going to be awesome!

ShowMeCon

I'm back at ShowMeCon for my third year. This year I'll be doing a panel for the conference. Converge and ShowMeCon will be my first time hosting panels. I want to get it right while also making it something worth attending. The basic idea is to allow the audience to ask questions of the panel. Similar to what I do with guests on the podcast. It'll be an interesting experience and something I can pitch to other conferences.

Snow in McLean, VA

SANS SEC487 Open-Source Intelligence Gathering and Analysis

March 28, 2018 by Timothy De Block in Experiences

Last week I had the pleasure of attending the brand new SANS course for OSINT in McLean, VA. The creator of the course, Micah Hoffman, has been on the podcast a few times and someone I consider a friend. He'll make his fourth appearance in a future episode on the topic of the SEC487 course. I wanted to take this opportunity to give some impressions of the course, while it's still relatively fresh.

Micah created videos for help with the labs as part of the course. This was one candid moment from those videos.

Simply put, the course is fantastic. I recommend it for those with OSINT experience and those without. I have some OSINT experience. As part of my job, I've investigated internal and external people. Working in a Security Operations Center (SOC) for the State of South Carolina, I did a lot of OSINT looking up IP addresses, URLs, and various other things. I've used it to figure out if a marketing or technical recruiter email is legitimate. I've used it in job hunting.

I still took quite a bit away from the course. I took 18 pages of notes. Another project idea came out of the course, OSINT for the Blue Team. I couldn't wait to get back to work to start building out some OSINT standard operation procedures (SOP). I've already taken my notes and built out a resource page for others to use.

I got to build my first sock puppet. Work on better documentation (I love mindmaps for documentation!). I used Tor for the first time and visited the "dark web." Got a ton of new tools and resources to check out. I'm excited to start using Hunchly and Spiderfoot as part of my processes. The capture the flag (CTF) on day six was fun and engaging.

We laughed a lot. If you're in the area, I recommend Super Chicken and the food trucks on Pinnacle Drive. Center of the Universe brewing has got some really good beer. Which reminds me, Untapped is a gold mine for OSINT. I got to see snow (see above)! Best of all, I got to see Micah teach a five-day course on one leg. He got really good at the three-point turns towards the end of the week.

Enjoying #SEC487 with @webbreacher! Learning tons of OSINT goodness already.

A post shared by Timothy De Block (@timothydeblock) on Mar 19, 2018 at 8:02am PDT

The course was a beta, so it had it's rough moments. Those were rare. Most of the feedback I had was for improving the course. Moving content to earlier in the week rather than later. Maybe doing a little less on this topic here or more of that topic there. The course is solid and it's only going to get better.

Future dates include:

Denver, CO - May/June 2018(not listed yet)
Baltimore, MD - September 10-15, 2018
Las Vegas, NV - September 23-28, 2018
Singapore, Singapore - October 22-27, 2018

Click here for more details.