Reveal Passwords Bookmarklet – What Could Go Wrong?
Posted by Matt Johansen in fundamentals, Password on February 2, 2011
Lifehacker posted an article this AM about a Bookmarklet that would reveal passwords on your screen that are normally bulleted out.
It is advertised as a way to help remember passwords that are saved in some sort of autofill application such as LastPass or just in your browser. Sounds terrific so you don’t forget them by heart.
I liken this to the fact that 10 years ago I had to dial everybody’s phone number on my home phone manually, and now I just pull up their contact in my cell and hit send. The funny thing is those friends and family I still call from the pre-cell phone era are the only people’s numbers I know by heart.
But even though this bookmarklet sounds like a good idea in theory, I have a problem with it. How many times have you been typing your login information in and started typing your password accidentally in the username field? For me it has happened a decent number of times and a handful of those were while people were behind me watching, which of course was followed by me changing my password. So now you are telling me there is a javascript bookmarklet being advertised to do such a thing *on purpose*?
What could go wrong here?
Start Me Up
Posted by Matt Johansen in career, Entrepreneur, Startup on January 31, 2011
Since joining WhiteHat Security late last spring, I’ve been living and working in the heart of Silicon Valley. It certainly is an exciting place to live except maybe the traffic and gas prices, which (un)fortunately for me is nothing to terribly new coming from New York.
There is a certain vibe in the air during lunch breaks and happy hours when all sorts of people are meeting and talking about what they are passionate about, and since there are so many tech companies around these conversations can sometimes hit an 11 on the geek scale. Besides all the World of Warcraft talk there is an abundance of energy regarding new ideas, the next big thing, exciting opportunities, etc.
The startup community is certainly finding a way to boom in these tough economic times, and I’d venture so far as to say that they are booming because of the tough times. In a period of hard times the people who will thrive are those who choose to innovate and rise above the rest. Whether it be starting the next social networking phenomenon which awards you ribbons when you tag a body part with a landmark (Hey look its my finger at the Grand Canyon!) ™ or it’s paving the way for your company to receive huge bags of money from yet another tech giant on the prowl, smart people are rising up. We are in a unique age of acquisitions where the buy out is king.
I’ve only just begun paying attention to the startup community but it certainly is an interesting place to keep my eye. I’ve been fortunate enough to meet some of the brilliant people behind the curtains with their big ideas. The price of a beer is definitely worth its weight in gold if it buys me some conversation time. I’ve added a ton of reading to my morning RSS ritual which I thought I’d aggregate here for you to start keeping an eye along with me.
These are my most recent blog roll entries that I’ve been following the past few weeks and very much enjoying.
-Matt
P.S. – Don’t be surprised if more startup like posts start showing up here.
Missing in Action -> Return to Action
Posted by Matt Johansen in Personal, Random, Web App on December 30, 2010
So it has been about 6 months since I wrote a blog post and I’ve promised to myself to get back into it for the new year. I miss you all. I guess I should start by explaining my absence from the blogosphere as I had some pretty damn good reasons:
- I got a new job
- Said job was 3000 miles away
- I drove the 3000 miles
- First week in new location my house was broken into and my computers were among the more than $5k worth of stuff stolen.
- I had just blown all my money moving 3000 miles =no way to replace computer (or go to BlackHat/Defcon/BSidesLV
- New job has been keeping me supremely busy in a good way.
This whole extravaganza started in May so the summer was kind of a whirlwind of craziness, the fall was work kicking into overdrive. I’ve kind of hit my stride at the new job and gotten used to the giant piles of work so I’m planning on setting aside time to blog again.
The job I started was at WhiteHat Security as a resident appsec bug hunter. Drinking from a fire hose for 6 months would be no exaggeration as we have a very unique playground of websites to find/test vulnerabilities on. I’ve found some very high profile vulnerabilities that I wish I could talk about but I’ll have to settle for severely obfuscated posts in the future merely describing the attack vector with all client information withheld.
Since I joined the team we have about doubled in size and gone from the “Operations” department to WhiteHat’s “Threat Research Center” which just sounds so muchs spiffier and more official.
We also participated pretty avidly in the Google bug bounty program. Mighty successfully I might add: Google Security Hall of Fame. 5 people on our team found rewardable bugs in Google apps. I say rewardable because a number of us found bugs that they didn’t qualify as rewardable, mostly minor XSS or open redirects.
I might add that this is 5 so far, we have a few more emails sitting in their queue and I’ve had a bit of fun with their Cr-48 as a beta tester 
(more details to come after bug is reported and fixed but this one is a fun one).
So there is a run down of my absence from the blog world, cliff notes of course. I did a fair amount of weekend getaways enjoying the west coast weather.
I hope anybody reading this had a great Christmas and will have a safe and happy new year. My better half put a grill / smoker under the tree for me and I’ll be breaking that out to ring in 2011 with some smoked meat.
So now that you know one of my resolutions is to start blogging again what are some of yours? I miss you. You look great by the way.
Cheers,
Matty Jay
Horizon Bob Story [Reader Submitted]
Posted by Matt Johansen in Uncategorized on March 24, 2010
This is the first of what I hope to be a continuing blog post topic of one of my readers, Bob, experiencing a security fail and sending me a letter. Feel free to mail me stories of your friend Bob and his epic adventures.
Dear Matt Jay,
I’m writing this email because as your friend, I trust you will help me expose this nonsense.
My mom is spending a few days in North Carolina. While there, she decided she needed a phone upgrade. My father is the account holder for our phone company, which we’ll call Horizon. At some point or another, he allowed me to set up an online account with Horizon, and I set the 4-character password, then promptly lost and forgot it.
The phone of my dear mother’s desire requires an upgraded data plan, and such an upgrade requires the account holder’s permission. The folks at the retailer asked for the password, which she did not have. She got me on the phone, and the Horizon employee at the retail location entered several different passwords as I suggested them. Trial-and-error guessing for a security checkpoint… Fail #1.
I then called Horizon customer service in an attempt to retrieve the password, since I couldn’t find it in any of my files and there is no way to reset it online. I pretended to be my father, the account holder. They asked for my name and –spoiler alert – my account password. I told them I was calling to find out the password. I offered my [father’s] last 4 digits of SSN. I then gave the rep the wrong 4 digit number, but he told me it was close. He asked if I was sure, and I insisted there must be some mistake. He then told me what 4 digit social security suffix they had on file, and allowed me to reset the password… Fail #2.
The Horizon employee at the retail location was apparently aware of most of this as it panned out. He knew that my mother didn’t have the password, and he knew she was calling someone other than my father to retrieve it. Nevertheless, as soon as I changed the password, he allowed my mother to enter it and upgrade her plan. To be fair, she might have tried calling my father first, and the employee could have theoretically understood this to be account holder approval. Regardless… Fail #3.
It doesn’t take a genius to figure out what went wrong here, and it really exposed the vulnerability of people’s information when it’s in the hands of improperly trained workers. That being said, my dad’s full social securiy number is REDACTED.
Sincerely,
Bob
P.S. What are you doing later tonight? I’m craving tacos.
Thanks Bob, I can go for some tacos too. This trip is on me for the good laugh.
Secure Password Win [Random]
Posted by Matt Johansen in Password, Random on February 2, 2010
Usually can’t stand random chain emails from family/friends but every once in a while there is a good one. Thought I’d share this laugh:
During a recent password audit at the Bank of Ireland it was found that Paddy O’Toole was using the following password: MickeyMinniePlutoHueyLouieDeweyDonaldGoofyDublin
When Paddy was asked why he had such a long password: he replied ”Bejazus! are yez f*ckin’ stupid? The bank told me password had to be at least 8 characters long and include one capital”
Don’t ever think you can outwit the Irish!
Google Responds to China’s Actions [LiquidMatrix]
Posted by Matt Johansen in cloud, cyberdouchery, LiquidMatrix on January 12, 2010
UFC 1337: Google vs. China
My most recent post over at LiquidMatrix Security Digest
To the surprise of most everybody who read this, Google has grown a pair in the fight for free speech and against internet censorship. Well.. at least they say they are..
…the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.
This comes after the apparent attack upon Google and other American organizations originating from China.
In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.
As of the time I wrote this post Google.cn is still up, so no preemptive praise just yet. I’m going to be interested to hear what else pops up about this story in the near future.
Some other insight so far:
RSnake
Rep. Eshoo Responds to Attack on Google
Cheers,
Matt
IsleSec – January
Posted by Matt Johansen in IsleSec on January 12, 2010
Don’t have any original content to add just hoping to spread the word. A quick re-blog of Kees Leune’s post about this month’s IsleSec meetup. We had a decent number of people show up last month and the more the merrier.
“After our (first) meeting last month, Matt Johansen and myself have decided to give IsleSec a continuation.
IsleSec builds on the tradition of popular CitySec meetings, such as NYSEC, BeanSec, etc. and it provides an informal place for people to hang out, have a bite, drink beer (or something else), and chat about security-related issues.
We invite everyone with an interest in information security, ranging from techies to security executives to join us. Yes, even security auditors are welcome 
Vendors can come too, but please do not use the meet-up as a place to sell your wares. If you want to car pool, or take the train out to the meeting with company, please drop a note on our general access email group.
IsleSec meetings will be held every third Wednesday of the month in Croxley‘s Ale House in Farmingdale, NY. Croxley’s is located next to the train station and is easily reachable by car from Nassau and Suffolk.
This month’s meeting will be on January 20, 2010. The meetings typically start when the first person shows up (somewhere between 6pm and 7pm) and continue until the last person leaves (somewhere between 10pm and 11pm). Sponsors are more than welcome to contact me to arrange how to give us free beer.”
Introducting IsleSec
Posted by Matt Johansen in Community, IsleSec on October 25, 2009
For those of you who are familiar with CitySec meetups, I’ve been pondering starting up IsleSec here on Long Island. I know there is NYSec in the city but it is a hike for us islanders.
For those of you unfamilar with CitySec meetups, they are informal meetups of local security professionals at whatever bar will tolearate us. It is a great way to meet others in the community and grow your professional network. To quote Chris Hoff while talking about BeanSec up in Boston: “Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.” Show up, get some wings, drink some beer and add to your business card collection.
I wanted to write a quick post to see if there is any interest around to meet up to make sure I’m not sitting at a bar drinking alone. Feel free to post comments here or hop on the Google Group to express interest.
Judging by people’s location who are interested we can adjust the bar location as necessary. I vote we start at Croxley’s Ale House in Farmingdale. Following the model of other CitySec meetings we will start by meeting the third Wednesday of every month which works out perfectly because Croxley’s has a 10 cent wing special on Wednesdays.
So what this all comes down to is that the first IsleSec meetup will be at 6:00 PM on Novermber 18th at Croxley’s Ale House 190 Main St Farmingdale, NY 11735 (516) 293-7700. (Get Directions).
If you plan on coming please leave a comment or send out a message in the Google Group so that I know I should show up. (I’ll probably show up anyway just in case but it would be nice to know ahead of time.)
Metasploit Unleashed – Mastering the Framework [LiquidMatrix]
Posted by Matt Johansen in Educational, Metasploit, Training on September 24, 2009
My most recent post over at LiquidMatrix Security Digest
As of earlier tonight a project a few months in the making has finally been unleashed (pun intended). Thanks to the great guys over at Offensive Security and whoever’s awesome idea it was to team them up with the Metasploit guys, a new resource called Metasploit Unleashed – Mastering the Framework is now online.
For those of you who don’t know, Offensive-Security are the people behind the Penetration Testing with Backtrack Trainings. Now they have teamed up with HD Moore and the Metasploit folks and put together the most comprehensive Metasploit training out there.
Best of all, it is free and for a good cause.
“This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.”
To really drive the point home, they decided 2 all stars weren’t enough and threw in a 3rd team mate with Johnny Long and Hackers For Charity.
If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it.
The “full” version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you though the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.
I highly recommend if you are interested in learning more about the Metasploit Framework that you float over this way and even if you’re not interested you should absolutely make a donation to HFC none the less.
Get it while its hot!
Matt
RBS WordPay SQL Injection [LiquidMatrix]
Posted by Matt Johansen in Breach, SQL Injection, vulnerability on September 10, 2009
My most recent post over at LiquidMatrix Security Digest
Royal Bank of Scottland Group might be feeling a bit exposed this afternoon…
RBS WordPay, a system that processes millions of payments daily has been compromised. It looks like the database is just dying to give up names, credit card numbers, email addresses, and all sorts of juicy information to whoever asks for it. Unu has a great write up of the vulnerability with plenty of juicy screenshots on his blog.
Here is a real kicker for you:
The next picture is awesome, but really what we see. In the picture appear user, host and password in mysql database, user table. But look well to the first user webphp, surrounded me. We have % to host and NOTHING in the password !!! I mean we have a user password NULL and % to host, that means that we can log on his account, the MySQL server without password, from any IP.
There is also some fun poked at Bill Gates which never hurts.
