This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9

It looks like there’s finally hope for sane password policies. The US National Institue of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guideline.

There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like name of first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters should be acceptable for passwords.

This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.

Tank Hacking

Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gasses in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alpha-numeric characters.

Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws, a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS9+ flaw is a SQL injection, with a trio of slightly less serious flaws. Continue reading “This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9”

Why Walking Tanks Never Became A Thing

The walking tank concept has always captured imaginations. Whether you’re talking about the AT-AT walkers of Star Wars, or the Dreadnoughts from Warhammer 40,000, they are often portrayed in fiction as mighty and capable foes on the battlefield. These legged behemoths ideally combine the firepower and defense of traditional tanks with the versatility of a legged walking frame.

Despite their futuristic allure, walking tanks never found a practical military application. Let’s take a look at why tracks still rule, and why walking combat machines are going to remain firmly in the realm of fiction for the foreseeable future.

Continue reading “Why Walking Tanks Never Became A Thing”