
InfoSec Insanity: Sharing the Crazy for the Betterment of Online Security


I was getting a little fed up with the craziness I kept seeing on the web when it comes to security, so I created this:

[Image: InfoSec Insanity logo]

That’s right, a great big freakin’ padlock in a straitjacket or, more to the point, I created the Twitter account @InfoSecInsanity.

So what exactly is InfoSec Insanity? Well, let’s take this example from the weekend on restricting passwords, which was the catalyst for creating the account:

@tombuildsstuff Our systems are limited on length & ranges to ensure a smooth experience. We have multiple controls in place to protect data

Oh, so when O2 decided to stop you from putting in a nice strong, random password it was for your own good! Well I’m glad we cleared that up.

Here’s another favourite, this time from British Gas earlier this year. Frustrated by the inability to paste in creds from a password manager, a concerned Twitterer mentioned this and got an, uh, “awesome” response:

@passy We'd lose our security certificate if we allowed pasting. It could leave us open to a "brute force" attack. Thanks ^Steve

Now I don’t know what Steveo was smoking here, but I’m guessing it wasn’t legal.

Nutty tweets are one thing and by all means, they’re exactly the sort of thing I’m going to be sharing from this account, but let’s not stop there. One of my recent favourites was this post I wrote about Stack Overflow answers to the question of password encryption. The first earnest respondent to the (now deleted) question shared many lines of code that carefully demonstrated how to use Base64 – no, not to encode the resultant cipher, but as the only means of credential obfuscation. Two others chime in with basic character rotation schemes – take “a” and replace it with “f”, then take “b” and replace it with “g”, and so on and so forth.
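As an added example (my own, not code from the post or from the Stack Overflow answers it refers to), the Python below shows why the two “encryption” schemes just described are no protection at all, and why the O2-style length limit earlier in the post is unnecessary: Base64 reverses with no secret, a character rotation has only 25 possible keys so every candidate plaintext can be listed at once, whereas a salted PBKDF2 hash accepts a long pasted password and never gives the password back. The iteration count and the byte cap are my assumptions, and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os
import string

# Constructed sample credential for the demonstration; not a real password.
SAMPLE_PASSWORD = "correct horse battery staple"

# --- The "obfuscation as encryption" anti-patterns from the Stack Overflow answers ---

def base64_obfuscate(password: str) -> str:
    """Base64 is an encoding, not encryption: there is no key to keep secret."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_recover(blob: str) -> str:
    """Whoever reads the stored value gets the password back with no secret at all."""
    return base64.b64decode(blob).decode("utf-8")


def rotate(text: str, shift: int) -> str:
    """Character rotation ('a' -> 'f', 'b' -> 'g' for shift 5), i.e. a Caesar cipher."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    shifted = lo[shift:] + lo[:shift] + up[shift:] + up[:shift]
    return text.translate(str.maketrans(lo + up, shifted))


def rotate_candidates(ciphertext: str) -> list[str]:
    """A rotation scheme has only 25 possible shifts, so every plaintext candidate
    can be listed instantly; the real password is always one of them."""
    return [rotate(ciphertext, 26 - shift) for shift in range(1, 26)]


# --- What a competent implementation does instead: salted, slow password hashing ---

PBKDF2_ITERATIONS = 600_000  # assumption: iteration count of the order recommended for PBKDF2-HMAC-SHA256
MAX_PASSWORD_BYTES = 1024    # assumption: a generous cap only to bound hashing work, not a usability limit


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> tuple[bytes, bytes]:
    """Return (salt, digest). Any password up to the work guard is accepted unchanged:
    hashing fixes the output size, so there is no reason to cap length at a few
    characters or to forbid pasting from a password manager."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password longer than the hashing work guard")
    salt = salt or os.urandom(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute and compare in constant time; the stored digest never reveals the password."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", raw, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    blob = base64_obfuscate(SAMPLE_PASSWORD)
    print("base64 'encrypted':", blob, "-> recovered:", base64_recover(blob))
    rot = rotate(SAMPLE_PASSWORD, 5)
    print("rot5 'encrypted':  ", rot, "-> original among 25 candidates:", SAMPLE_PASSWORD in rotate_candidates(rot))
    long_pw = os.urandom(64).hex()  # 128-character random password, as a password manager would generate
    salt, digest = hash_password(long_pw)
    print("pbkdf2 digest of 128-char password:", digest.hex(), "-> verifies:", verify_password(long_pw, salt, digest))
```

The two halves make the contrast concrete: the “obfuscated” values hand the plaintext straight back to anyone who reads the database, while the hash can be verified but not reversed, and its fixed 32-byte output is the reason a site never needs to cap password length at anything a user would notice.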

So here’s the “call to arms” as it were:

Tweet links to crazy security approaches or nut job responses by social media accounts and I’ll get @InfoSecInsanity to give them a shout-out. Mention @troyhunt or @InfoSecInsanity with a link to the page or tweet and it’ll earn a spot on the timeline.

Let’s avoid the “These guys just emailed my password” or “Those guys won’t let me use quotes in my password” kind of stuff because, as dumb as it is, we’d be here all day and flood the timeline with them. I’m really interested in the stuff that genuinely makes us go “WTF, are you serious?!?!”. It’ll keep it more interesting for followers.

Last thing is a quick “hat tip” to Plain Text Offenders and the recently launched HTTP Shaming. Both these sites do a great job of calling out infosec insanity in their respective areas (sites emailing credentials and those not implementing a secure transport layer where required). The “naming and shaming” they encourage goes some way to holding sites exercising dodgy practices to account and they’ve provided inspiration for InfoSec Insanity.


Published at DZone with permission of
