The show is in full swing, offering a day filled with talks

It’s Day two at DerbyCon, which is actually the day that most of the action takes place. This weekend has already seen some impressive talks, but today promises to be interesting with talks running the full spectrum of InfoSec, from medical device research, AppSec, and social engineering.

This post is being written at 0900, which is early for a hacker conference, but people are slowly starting to gather, as the picture shows.

So far this weekend, Salted Hash has posted various conversation starters along with general updates, so today’s post will continue that slight trend.

The idea for the topic came out of a technical failure on your faithful reporter’s part yesterday. There are a number of authentication methods required before anyone is allowed to post to the Salted Hash blog, and yesterday, all of them kept me from working. As is my personal practice, I rotate passwords before and after a trip, and in this case, after I rotated the passwords, I forgot to sync them to the work laptop.

So when I went to post, I was completely locked out. Lucky for me, my boss was able to reset the password and I logged in, but there was a lesson there. The downside to using password managers is that you never know what the password is; only that it’s a random string of characters of a given length.

In my case, because I didn’t properly administer my password system, I was completely cut off from work – not something I enjoyed. So that’s the lesson. If you don’t manage the password manager, you face the same password issues that anyone else faces when they forget it.

Hilton looking into card breach: According to sources in the financial sector who spoke to Brian Krebs, point-of-sale systems at gift shops and restaurants have been compromised. However, at this point the banking experts are making this claim on the patterns they’ve observed while dealing with recent fraud cases.
Hilton is investigating.

Based on his sources, there’s a strong chance the incident is legit, as five different banks have determined that Hilton was the common purchase point in the list of compromised cards Visa reported on in August. According to Visa’s alert, the cards were compromised between April and July 2015. However, Krebs reported that the breach may have started earlier in November, 2014.

Shocking shells: In other news, this weekend marked the one-year anniversary of Shellshock. Remember that?

“One year after, the panic has subsided, but the threat goes on living. Attacks related to Shellshock continue to plague our digital world. Since the second quarter of the year, we have seen about more than 70,000 attacks using Shellshock and about 100,000 attacks using Heartbleed. One of our honeypots, which are vulnerable to Shellshock, has recorded 50 attacks in the past 15 days alone,” wrote Trend Micro.

Trend’s blog has a decent recap of the Shellshock story.