Monthly Archives: November 2015

How to ensure strong passwords and better authentication

30 November 2015

Peter Wood’s ‘Five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft’ published recently on are really worth reading.

The checklist is a good starting point for a self-assessment, except for the tip on Two-Factor Authentication. I fully agree that privileged accounts and accounts used for remote access must be given special protection. But this will not stop attackers from stealing information once they have gained access to the company network, e.g. through a phishing attack. In that case the attacker acts as an authenticated user, with all the authorizations granted to that user.

If Two-Factor Authentication is required even for access to business-critical information inside the company network, a large class of attacks is no longer possible, because the attacker simply has no access to the second factor, e.g. the user’s smartphone with the authenticator app.

A 27-character passphrase like ‘1sn’t th1s a good password?’ is definitely much safer than an 8-character, hard-to-memorize strong password. But the passphrase is as useless as the password once the attacker has managed to get access to the network. In this case a second factor could make life more difficult for the attacker. In addition, the chance of the attacker getting discovered increases dramatically.

Have a good week.

It was about time: Amazon introduces Two Factor Authentication

20 November 2015

Just in time for the Christmas sale, Amazon introduced Two Factor Authentication (TFA) this week. Set-up is as easy as for Navigate to the Advanced Security Settings page, choose Authenticator App, scan the bar code and verify the code.

Except if you are a customer of Amazon in Germany. The Advanced Security Settings page is not available on The same holds for Amazon seems to stagger the roll-out, with a focus on the US market, because the Christmas sale starts earlier there.

Hopefully Amazon will roll out TFA in Germany as well in the next few days. Otherwise there will be no Christmas presents for the kids this year…

Have a good weekend.

Ten years old but still up-to-date: Ten Tips for Designing, Building, and Deploying More Secure Web Applications

9 November 2015

Although the “Ten Tips for Designing, Building, and Deploying More Secure Web Applications” were published on 7 September 2005, the list is still up-to-date.

I have been discussing tip 2 in particular, “Services Should Have Neither System nor Administrator Access”, with internal developers and software vendors for years.

We have this under control in the case of in-house developed products, but many software vendors are still not ready to meet minimum security requirements. Very often neither the account name nor the password of service accounts can be changed, and this holds even for newly developed products.

This makes regular password changes for service accounts impossible, and extra effort is required to secure such systems once the account information is compromised.

Hopefully your systems meet the requirements and the mentioned software versions are no longer in use.

Have a good week.

A 5k walk along the Levada do Caldeirão Verde in Madeira

7 November 2015

During the week from October 26 to 31 we were on vacation in Madeira. We went hiking nearly every day, usually far more than 5 km.

On Saturday we walked along the walkway of the Levada do Caldeirão Verde. Although it was raining almost all day this was the most beautiful hike during our vacation.


We walked 13 km in total, but it was fun nonetheless.

Have a good weekend.

TalkTalk warns customers about personal data breach

4 November 2015

When Warwick Ashford’s report about the TalkTalk data breach popped up in my mailbox on 23 October I was busy with holiday preparations, so I only skimmed through the report. On Saturday morning at the airport I read the report in peace and searched for more information.

UK phone and broadband provider TalkTalk was hacked. The company announced the attack on 21 October on their website. In the worst case, attackers may have accessed the data of 4 million customers.

What surprised me was that this was the second attack this year.

But what really concerns me is the proposed solution:

“Encryption is the only way for organisations to get control and be in a position to mitigate and ultimately accept risk,” said panellist Frank Weisel, regional sales manager at Vormetric in Germany.

Data encryption as an isolated protection measure is simply irrelevant in this and many other cases, because once the attackers have managed to get onto the victim’s network they act as authorized users. And authorized users have access to the data and the encryption keys.

Whether the initial attack is performed via SQL or command injection, an unpatched server or a phishing attack is of no interest. Only the result counts.

Alan Solomon took the same line some days later in his post “TalkTalk was hacked. But it’s silly to ask if the data was encrypted”.

In my opinion the basic problem comes from the inherently weak user authentication technology. This became clear to me again when I collected my rental car at Funchal airport.

Although the desk operator had my reservation details on his screen, I had to authenticate myself with my passport and a valid driver’s license to get the car key. When it comes to safety, Two Factor Authentication (TFA) is taken for granted.

From my point of view it’s time to secure access to business-critical company data with a second authentication factor: for all employees who have a stake in the data, for every session, and of course in addition to encryption, patching, secure application development, etc.

This will massively hinder attackers from getting access to a company’s secrets.

Have a good day.