Mastodon

InfoSec Insanity: Sharing the crazy for the betterment of online security

I was getting a little fed up with the craziness I kept seeing on the web when it comes to security, so I created this:

Logo

That’s right, a great big freakin’ padlock with a straightjacket or more to the point, I created the Twitter account @InfoSecInsanity.

So what exactly is InfoSec Insanity? We’ll let’s take this example from the weekend on restricting passwords which was the catalyst for creating the account:

@tombuildsstuff Our systems are limited on length & ranges to ensure a smooth experience. We have multiple controls in place to protect data

Oh, so when O2 decided to stop you from putting in a nice strong, random password it was for your own good! Well I’m glad we cleared that up.

Here’s another favourite, this time from British Gas earlier this year. Concerned about the lack of ability to paste in creds from a password manager, a concerned Twitterer mentioned this and got an, uh, “awesome” response:

@passy We'd lose our security certificate if we allowed pasting. It could leave us open to a "brute force" attack. Thanks ^Steve

Now I don’t know what Steveo was smoking here, but I’m guessing it wasn’t legal.

Nutty tweets are one thing and by all means, they’re exactly the sort of thing I’m going to be sharing from this account but let’s not stop there. One of my recent favourites was this post I wrote about Stack Overflow answers to the question of password encryption. The first earnest respondent to the (now deleted) question shared many lines of code that carefully demonstrated how to use Base64 – no, not to encode the resultant cipher, but as the only means of credential obfuscation. Two others chime with basic character rotation schemes – take “a” and replace it with “f” then take “b” and replace it with “g” and so on and so forth.

So here’s the “call to arms” as it were:

Tweet links to crazy security approaches or nut job responses by social media accounts and I’ll get @InfoSecInsanity to give them a shout-out. Mention @troyhunt or @InfoSecInsanity with a link to the page or tweet and it’ll earn a spot on the timeline.

Let’s avoid the “These guys just emailed my password” or “Those guys won’t let me use quotes in my password” kind of stuff because as dumb as it is, we’d be here all day and flood the timeline with them. I’m really interested and the stuff that genuinely makes us go “WTF, are you serious?!?!”. It’ll keep it more interesting for followers.

Last thing is a quick “hat tip” to Plain Text Offenders and the recently launched HTTP Shaming. Both these sites do a great job of calling out infosec insanity in their respective areas (sites emailing credentials and those not implementing a secure transport layer where required). The “naming and shaming” they encourage goes some way to holding sites exercising dodgy practices to account and they’ve provided inspiration for InfoSec Insanity.

Security
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals