Blog‎ > ‎

Netvisor API, Default accounts, Passwords, EDRi, EFF, New TLDs, Windows 8.1 hibernate

posted Aug 20, 2014, 9:05 AM by Sami Lehtinen   [ updated Aug 20, 2014, 9:09 AM ]
  • Studied Netvisor Web Service REST API for system integration. As well as checked out Netvisor Python API Wrapper by Fast Monkeys
  • Once again wondered information security issues. Lack of access controls, data stored indefinitely, etc. But in some cases, it's result of lack of processes. In some other cases, it's done by design. I guess this topic is so boring, people working in this field know it's never ending task.
  • In one audit, 25% of database servers facing public internet, were using default administrator credentials. I don't know if I really got words for it. Maybe best word to decribe that would be, normal?
  • Support EDRi, it's protecting digital freedom world wide. Don't forget the Electronic Frontier Foundation EFF. If you live in Finland, there's also Electronic Frontier Finland EFFI.
  • New domain names are messing up things in some companies, which have been using invalid addressing internally. That's no news, it was known a long time before the address registrations started. Nothing new. I guess I should register .local and then install credentials snapping honey pot there. The main problem is that in some organizations they forget to use the local. So if there's server called guru and there's tld .guru, which one should you open? Solution is simple, the local guru should be guru.example.com or guru.local. One way to is fix issue by automatically always appending the company domain instead of using local. So plain guru becomes always guru.example.com. I'm just wondering why this 'problem' is again in the news.
  • Wondered where has hibernate gone, it seems that MS isn't allowing it anymore with Windows 8.1. This means that battery life of all Windows devices is going to be absolutely dismal. New InstantGo mode sucks life out of battery in no time. Microsoft claims that it's better way, I think it's absolute failure. Enabling hibernate is made hard for professionals and practically impossible for normal users. Web is absolutely full of disinformation about this matter. There are tons of instructions that are invalid or do not work at all. After all, it seems that the hibernate has been permanently removed from options when system is InstantGo capable. I really hate it when some thinks are broken on purpose and designed to make life harder for people. - Based on my previous post, is this sabotage on purpose, or just an accident?
  • One password audit gave following results. Total failure 47%, Bad / Weak 10%, Acceptable / Ok / Normal 35% and finally perfect strong passwords 8%. Total failure is something like 5 small letters / numbers, users own first name. Bad / Weak, is name+birth year something about 6-7 characters. Acceptable level is 8-10 characters with special characters and enough entropy. Perfect passwords are 10+ and nearly fully random. I would say, that the resuts were what I expected and not any kind of surprise. Analysis was run on database containing about 800 user accounts. Every password was rated by person. Something like Password123 does not count as strong password. But (Zh3nW3$fP does.