Insights For Success

Strategy, Innovation, Leadership and Security

Attacks

What is salting and hashing a password?

GeneralEdward Kiledjian

The LastPass hacking saga has led to non-technical users reading articles using terms such as salting and hashing, which may seem alien to them. A few people contacted me asking what they do, and I wanted to write a short post describing them.

Salting is the process of adding random data, referred to as "a salt," to a password before it is hashed. This technique helps protect against dictionary attacks, in which an attacker attempts to crack a hashed password using a pre-computed list of common passwords. A unique salt is added to each password so that the hashed value will be different even if the same password is used multiple times.

The process of hashing involves taking an input (or message) and converting it into a fixed-length string of characters called a 'hash value'. The same input will always produce the same hash value; however, a minor change to the input will result in a vastly different hash value. As a result, it is extremely difficult for an attacker to reverse engineer the original input from the hash value.

The combination of salting and hashing provides a high level of protection for passwords and other sensitive information. During the creation of a password, the salt is added to the password, and the resulting value is hashed. The hashed value, as well as the salt, is then stored in a database. When the user enters their password to log in, the system adds the same salt to the entered password, hashes it, and compares the resulting value to the stored hash. Access is granted to the user if the values match.

Although salting and hashing provide a high level of security, they are not foolproof. Therefore, you should still use a strong and unique password.

Keywords: Salting, Hashing, Encryption, Password security, Dictionary attacks, Data privacy, Hash functions, Cryptography, Information security, Data integrity, One-way functions, Secure password management, Hash algorithm, Password hashing, Password protection.

Unlocking the Secrets of ECB and CBC: A Guide to Encryption Methods

GeneralEdward Kiledjian

Cryptography methods such as Electronic Code Book (ECB) and Cipher Block Chaining (CBC) are widely used.

ECB is a simple method of encrypting plaintext by dividing it into fixed-size blocks and encrypting each block independently using the same secret key. In other words, if the same plaintext block appears more than once in the message, it will be encrypted into the same ciphertext block (aka will look the same). The ECB encryption method is relatively easy to implement; however, it can be vulnerable to certain types of attacks, such as pattern recognition.

By contrast, CBC is a more secure encryption method that addresses the weaknesses of ECB. CBC encrypts plaintext blocks using the same key and combines them with the previous ciphertext blocks through an operation called an XOR. Thus, even if the same plaintext block appears multiple times in the message, it will be encrypted to a different ciphertext block each time.

The major difference between ECB and CBC is that ECB encrypts each block independently, whereas CBC encrypts each block with the previous block. CBC is therefore considered more secure and resistant to pattern recognition attacks than ECB.

Implementation of CBC mode requires an initialization vector (IV), which is a random value added to the first plaintext block before encryption. An IV is sent along with an encrypted message, so the receiver can use it to decrypt it.

ECB and CBC are symmetric-key encryption methods, meaning that the same key is used for encryption and decryption. As computing power increases, it becomes increasingly important to use more secure encryption methods, such as AES-GCM or RSA-OAEP.

Keywords: Encryption, ECB (Electronic Code Book), CBC (Cipher Block Chaining), Symmetric-key encryption, AES-GCM, RSA-OAEP, Data security, Pattern recognition attack, Initialization vector (IV), Encryption methods, Data privacy, Information security

CISOs are stressed and I can prove it

GeneralEdward Kiledjian
face-1013520.jpg

Not a week goes by without some data breach, leak, hack, attack or other significant cybersecurity failures that spills all over blogs and even national media.

Five years ago, only avant-garde companies invested in cybersecurity; today, it has become a must. Companies realize the importance of a solid cybersecurity plan built on the People, Process and Technology pillars. One topic rarely discussed by corporate executives or security leaders is the incredible (and growing) stress the current environment inflicts on CISOs.

hooded-man-2580085.jpg

The stress is real

Stress is a normal way of life for most executives, but CISOs feel an acute level. Nominet's report, in collaboration with Vanson Bourne, The CISO Stress Report - Life Inside the Perimeter: One yes on", was the first quantification of this systemic issue.

In 2019, Nominet and Vanson Bourne conducted 800 online interviews in the USA and U.K (400 C-Suite and 400 CISOs). The included CISOs worked for both public and private corporates with at least 3,000 employees. They were quizzed about work-related stress and its effect on their professional & personal lives.

88 percent of CISOs consider themselves under moderate or high levels of stress

digital-marketing-1725340.jpg

Some Interesting conclusions

  • 7 out of 10 CISOs agree their work-life balance is too heavily weighted towards work (71%)

  • Almost all CISOs are working beyond their contracted hours, on average by 10 hours per week (95%)

  • This equates to extra time worth $30,319 per annum

  • 87% of CISOs say that working additional hours was expected by their organization, while 78% of board members admitted this to be the case

  • 83% of CISOs spend at least half of their evenings and weekends thinking about work

  • Only 2% say they are able to switch off once they’ve left the office

  • Over a third have failed to take all entitled annual leave

  • 45% have missed family milestones or activities

More about the stress

The average tenure of a CISO is 26 months, and many believe stress is the primary motivator of change.

CISOs reported missing important family events such as birthdays, vacations, weddings and even funerals. Even with all the stress and extra working hours, most CISOs aren't taking their full annual leave (or sick days, time off for medical & dental appointments, etc.)

Stuart Reed, vice president at Nominet, suggested that the stress and wear & team on CISOs result from a combination of internal and external factors. The external factors are the headlines your read about, while the internal stresses are the pressure from executives expecting CISOs to "properly" handle these incidents and to provide updates & answers continually.

darts-102919.jpg

What are the most stress inducing elements?

  • 44% being responsible for securing the organization and preventing breaches

  • 40% the need to stay ahead of threat intelligence

  • 39% the long hours worked

  • 65% of those surveyed had suffered a breach in the past 12 months

  • 37% of CISOs consider themselves ultimately % responsible for a breach while 31% of board members agree

  • A fifth of CISOs believe they would be fired as a result, regardless of whether or not they themselves were responsible

leaf-1082118.jpg

What are the effects of the stress?

  • Nearly half of CISOs said the levels of stress they are under has impacted their mental health (48%)

  • 35% also reported that their stress had impacted their physical health

  • 4 out of 10 CISOs said that their stress levels had affected relationships with their partners or children

  • 31% said the stress affected their ability to fully perform at their job

pencil-2878764.jpg

How are CISOs coping with the stress?

  • A quarter of CISOs are turning to medication or alcohol to manage their stress - an increase from 17% a year ago

  • A fifth have taken a leave of absence due to stress (21%)

  • 21% believed there to be no support structures in place within their organization to help deal with stress, while 94% of board members suggest there are

  • 9 out of 10 CISOs would take a pay cut to improve their work-life balance; on average 7.76%, equating to $9,642

grass-455753.jpg

The silver lining

The report suggests that boards of directors are aware of the stress affecting their CISOs (74% of respondents believe that moderate or severe stress impacts their CISO).

As the board of directors and CIOs acknowledge this significant issue, they show more willingness to hire support staff to alleviate some of the stress elements. Ensuring the CISO is surrounded by skilled senior professionals can help alleviate many of the most aggravating elements. These supporting professionals must be experienced security technicians and have strong business acumen, strong interpersonal skills and the ability to work in teams or alone.

Another important stress reliever is ensuring the CISO can honestly share the state of their cyber universe with the executive leadership team to ensure decision-makers universally understand risks and provide executive support to the CISO (guidance and funding). The CISO must know he/she is not alone.

Cybersecurity is growing in importance and, for many organizations, has become the price of entry. Executives have started to understand this important fundamental truth and are now more willing to share the cybersecurity burden.

Conclusion

I built my first security business (a Canada wide security practice) that was later sold to Bell Canada in the early 2000’s and have been actively involved in cybersecurity since. Over the last 20+ years, I have seen the importance of security grow and this has required the creation of the CISO role.

Unfortunately I see too many CISOs that have been promoted to their level of incompetence (read about Peter’s principle here). The job is difficult enough for the professional with the right skills but is deadly for the wrong professional promoted as a reward (not because of merit).

Companies should perform an honest review of their CISOs competence and abilities. Thrusting the wrong person into this role is a disservice to the candidate.

Additionally it is important to realize that most security certifications tackle the technical skills. These are important but form less than 40% of the CISO’s true day to day responsibilities. The key skills (negotiation, strategic vision, budgeting, people management, etc) are completely ignored in most of the certifications companies deem “required” when posting a CISO job. HR leaders must quickly understand the new realities of the CISO role and craft job descriptions akin to that of a business executive leader than a manager for firewalls. This realization is important because a properly skilled CISO will handle the stress much better and therefore will deliver a much higher return on investment for the company.

HR leaders must learn to hire the right candidate for the CISO position

Google to protect users from IDN Homograph Attacks

GeneralEdward Kiledjian

What geeks call an International Domain Name Homograph Attack, the general public calls typo-squatting. This is when threat actors buy domain names that are close to popular ones hoping to trick users, examples:

  • gma1l.com instead of gmail.com

  • paypa1.com instead of paypal


To help protect users from these tricksters, Google is launching Navigation suggestions for lookalike URLs. Think of this as an AI powered auto-correct for URLs. This feature is in active experimentation in Canary 70 and should enter the mainstream version in the coming months. A google engineer even spoke about it at the Usenix conference.

If you are one of the courageous experimenters running Canary, you can enable this feature now using this flag:

chrome://flags/#enable-lookalike-url-navigation-suggestions

Improve your internet security right now, easily and for free

GeneralEdward Kiledjian

Quad9 is a new DNS service launched by a non-profit consortium (founding members are IBM Security, Packet Clearing House & Global Cyber Alliance). The promise of the Quad9 DNS service is good security using the knowledge of some of the world's leading security research firms, by merely changing your default DNS server and ALL for free. 

The service is (not so creatively) called Quad9 because the DNS address is 9.9.9.9

Is the Quad9 service fast?


I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 

Quad9 is lightning fast because they use anycast routing which automatically finds and uses the nearest DNS server to the user. 

At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

So how does it improve my security?

So why should you switch from your existing DNS service to the free Quad9 DNS service? Quad9 is a security and privacy enhancing DNS service that delivers much more security than any other DNS service currently available to consumers (more than your ISP, OpenDNS, etc.)

Quad9 says " Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites." The threat intelligence is provided by the IBM X-Force but also includes 18 additional threat feeds from partners. Typically companies would pay tens of thousands for this level of protection and they are offering it for free.

You can configure your home router to use Quad9 and all device inside your house would be automatically protected (including that cheap easy to hack $29 webcam you bought from a shady online reseller). 

If a device (using Quad9) tries to contact a "bad" site, they will get back an NX domain error code (aka not found). This is how they prevent devices from being directed to dangerous sites.

Remember that a known good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent this from happening. 

Quad9 will continue adding features to further improve your security.

What about false positives?


They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable. 

It looks like a well designed and well thought out platform.

What about my privacy?

The first thing you should realise is that most home connection use the DNS services of their ISP, and I consider most ISPs as the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

Conclusion

I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.