Security Corner


August 30, 2014  6:48 PM

A novel approach to creating secure pass phrases (that no one will use)

Ken Harthun Ken Harthun Profile: Ken Harthun
Security

top500passwordsgraphicWe security wonks constantly entreat our users not to use common words or phrases for their passwords, and certainly to never re-use passwords on more than one site. Another no-no is using keyboard patterns. The reason people do such things is that they are easy to remember. The problem is that the bad guys have all of these common poor password practices figured out and set up in their password cracking algorithms right alongside of their dictionary files and lists of hacked common passwords. With this exercise, I’m trying to get you to think randomly, not in patterns, though there is a pattern and symmetry here. Of course, no one will use this, but coming up with this stuff is just my way of having fun.

This novel approach that will give you a minimum of 10,000 secure pass phrases at your fingertips (or in your wallet or purse) using only the words. If you choose the modify it with numeric/special character options, you can get many more. If you do the math, the number of combinations of a group of characters is N^R, or the number of choices to the power of how many of those you use. In the basic method below, you have 10 choices and will use 4 of them, so you have 10,000 possible combinations. You can use this to securely write down your pass phrases (well, the aliases for your pass phrases) anywhere you want in the form of 4-digit numbers. Since no one will know what words are on your list, they can know your aliases but they won’t know your pass phrases. If you add secret complications (more about that in a minute), the number of guesses required gets astronomical (or should I say geometrical?)

First, take a piece of paper and write the numerals 0 through 9 on the left side. Then, pick 10 words that are familiar to you. You can use any common words or names that you will remember. Rules about not using pet names, kids’ names, your name, your spouse’s name, etc., don’t apply here because they will be used in a long and random combination. We all have at least ten of those. Here is my example (not to be used, of course–create your own):

0 The
1 Quick
2 Brown
3 Fox
4 Jumps
5 Over
6 The
7 Lazy
8 Red
9 Dog

Those of you who have ever taken a typing class will recognize those words and my slight alteration of it to fill the 10 slots.

Now, what’s the model year of your main ride? Mine is 2005. So, I write down 2005 as my alias and my pass phrase is BrownTheTheOver. Need another pass phrase for something? My birth year is 1953, so I use QuickDogOverFox as my pass phrase.

This method won’t win you any awards for password strength, but they’re sufficiently strong for most purposes. If you want to ramp them up, choose a numeral or special character that you insert between each word. It’s still easy to remember, but it adds 3 more characters to your phrase. I choose @, so I now have Brown@The@The@Over and Quick@Dog@Over@Fox. Visit Steve Gibson’s Password Haystacks site and check those out. My alias for those is 2005@ and 1953@.

The only thing missing here is a numeral to make the character domain consist of upper and lower case letters, numerals and special characters, so let’s add a numeral. Just put it at the beginning or the end and make your alias reflect that. Let’s use the numeral 7 and put it in front. I now have 7Brown@The@The@Over and 7Quick@Dog@Over@Fox. Your alias becomes 72005@ or 71953@ and the strength of the pass phrases goes geometrical, astronomical or what-have-you, into the hundreds of thousands of trillions of centuries to run a brute force crack.

Of course, this is entirely too much work for the average computer user, so I’ll still try “password” as my first guess, followed by “12345678,” “letmein,” and a few others.

Have a happy and safe Labor Day weekend!


Follow Ken Harthun on Twitter
Follow me on Twitter

August 26, 2014  6:45 PM

Don’t blame the victim

Ken Harthun Ken Harthun Profile: Ken Harthun
Cybercrime prevention, Security, Security awareness, Security best practices

Bruce Schneier said, “Blaming the victim is common in IT: users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on.”

So true, and something that I have come to (reluctantly) refrain from doing. Face it, people do things they shouldn’t do, or don’t do things they should. Either way, if there are no immediate consequences, no lesson is learned. Unless Lizzie’s PC completely shuts down when she clicks on an email link, she’ll continue to do it, oblivious to any strange behavior in her browser that results. And she’ll never connect those ill-advised clicks to the theft of her credit card information and subsequent fraudulent charges to her account.

These days, malware is designed to appear as if it’s supposed to be there or to make its effects blend in with the normal operation of the computer. I see this stuff every day and when it simply redirects the browser to another search site or pops up a message saying I need to speed up my computer, I find myself sympathizing with the user. When the really scary popups – “You have 10 bazillion infections!!!! Click here to clean now” – show up, I realize that no one with insufficient technological knowledge is going to recognize that for what it is. The knee-jerk-click-the-button reaction to the scary message is what the crooks depend on.

So, don’t blame the victim. Don’t chastise them for what happened. Don’t make them wrong. Do gently explain to them what happened and hope that the repair bill is sufficient experience and feedback for them to think twice the next time.

 


August 7, 2014  4:57 PM

Disconnect from internet when uninstalling PUPs

Ken Harthun Ken Harthun Profile: Ken Harthun
malware, Security, Web browser security

gremlinWe’ve all seen it: You try to uninstall junkware and PUPs (Potentially Unwanted Programs) and they phone home to tell you how sorry they are to see you leave. That’s annoying enough, but what else is going on that you don’t know about? Besides not asking for your permission to connect in the first place, they may be:

  • Logging your user information such as IP, OS, browser info, etc.
  • Installing more junkware (toolbars, etc.) in the background without your knowledge or consent.
  • Installing malware such as key loggers and browser hijackers.

The only way to be sure this doesn’t happen is to disconnect from the internet when uninstalling this stuff. And the absolute best way to uninstall it safely is to reformat the hard drive and re-image the OS.


August 7, 2014  1:53 PM

Site recovers files locked by Cryptolocker ransomware

Ken Harthun Ken Harthun Profile: Ken Harthun
CryptoLocker, malware, Ransomware, Security

cryptolockerA new website has been launched that victims of the Cryptolocker malware can use to recover their files for free instead of paying the cybercrooks’ ransom.

From Krebs on Security:

…early Wednesday morning, two security firms – Milpitas, Calf. based FireEye and Fox-IT in the Netherlands — launched decryptcryptolocker.com, a site that victims can use to recover their files.

The Cryptolocker malware was first spotted in September 2013. It uses very strong encryption to lock Microsoft Office documents, photos, MP3 files, and other files that victims may value. The unfortunate victims of the malware were faced with paying a steep ransom–usually starting at a few hundred dollars in bitcoins–to the cybercrooks. Victims were given 72 hours to pay; if they didn’t make payment in time, the ransom demand increased by five times or more, often amounting to several thousand dollars.

Only about 1.3% of victims ever paid the ransom, so most of them probably lost all of their important files. Even at such a low response, considering that the number of infected systems is probably in the range of six figures, the crooks made (are probably still making) huge profits. 1300 payments of $300 USD (the minimum payment) per 100,000 infections is $390,000.

The decryptcryptolocker.com site provides a free new online service that can help victims unlock and recover files scrambled by the malware.

Victims need to provide an email address and upload just one of the encrypted files from their computer, and the service will email a link that victims can use to download a recovery program to decrypt all of their scrambled files.

According to Krebs, Fox-IT was able to recover the private keys that the cybercriminals were using to run their own decryption service. The firms naturally aren’t saying much about how they got their hands on the keys, but it apparently had something to do with the crooks’ attempts to recover from Operation Tovar, “an international effort in June that sought to dismantle the infrastructure that CryptoLocker used to infect PCs.”

However they did it, I say good for them. Hit the crooks where it counts–their wallets.


July 31, 2014  11:28 PM

Symantec Endpoint Protection Privilege Escalation Zero Day

Ken Harthun Ken Harthun Profile: Ken Harthun
Anti-malware, malware, SANS Internet Storm Center, Security, Symantec Endpoint Protection, vulnerability, zero-day

SEP BoxWhat do you do when the very software you depend on to keep you safe from malware has vulnerabilities? Those of us who use Symantec Endpoint Protection on our networks are pondering this dilemma. Seems that SEP is vulnerable to attack.

From the Internet Storm Center (ISC) InfoSec Handlers Diary:

The people at Offensive Security have announced that in the course of a penetration test for one of their customers they have found several vulnerabilities in the Symantec Endpoint Protection product. While details are limited, the vulnerabilities appear to permit privilege escalation to the SYSTEM user which would give virtually unimpeded access to the system.  Offensive Security has posted a video showing the exploitation of one of the vulnerabilities.

Symantec has indicated they are aware of the vulnerabilities and are investigating.

There is some irony in the fact that there are Zero Day vulnerabilities in the software that a large portion of users count on to protect their computer from malware and software vulnerabilities. The fact is that software development is hard and even security software is not immune from exploitable vulnerabilities. If there is a bright side, it appears that there are no exploits in the wild yet and that local access to the machine is required to exploit these vulnerabilities.

This is a good lesson in why layered security or security-in-depth is so important. You cannot rely only upon a single protection method.


July 30, 2014  6:58 PM

Highly effective security: Think before you click

Ken Harthun Ken Harthun Profile: Ken Harthun
cybercriminals, Hyperlinks, Malicious code, Security

question-mark1This is something that bears repeating by all of us. It’s very important that everyone identify web addresses before clicking the link. Malicious web sites that look legitimate are commonly used by cyber-crooks to trick unwary users.

It’s very easy to identify the true address of a link: just place the cursor over the displayed address and the true destination will reveal itself. If anything looks suspicious (for example, a link like www.wallmart.com.cn), don’t click it.

Even greater caution is needed with shortened addresses like tinyurl.com and bit.ly and many other such services. Use their preview feature to display the true source. For QR codes, make sure your app allows you to preview the destination before opening the link.

And when it comes to apps and software, only download from trusted sources.

 


July 29, 2014  8:54 PM

Therapeutic passwords (and maybe educational, too!)

Ken Harthun Ken Harthun Profile: Ken Harthun
Passwords, Security

Can a password change your life for the better? , thinks so. He did it. Deeply depressed due to a recent divorce, he made a decision: “I’m gonna use a password to change my life.”

I’m a firm believer that you get what you put your energy into, so I can see how something like that might work. I would start by making a list of things I want to accomplish and come up with suitable passwords to match the tasks. But let’s take a different look here and come up with some passwords that serve to reinforce good security practices. How about these:

D0n’tReu$ePasswords!
N3v3rKlickLynks!
EncryptUrD@T@
L0kD@tScreEeEen!

Yes, this is slightly tongue-in-cheek, but not to make fun of the article above. It’s a valid approach. Just make sure you don’t re-use any of those on more than one site!


July 29, 2014  12:38 AM

Security worst practice: Password reuse

Ken Harthun Ken Harthun Profile: Ken Harthun
Password policy, password security, Passwords, Security

This article, “eBay’s StubHub ransacked for over $1 million, international crime ring arrested,” from Naked Security said:

It’s a shame that users all too often make it easy for crooks to just plug in credentials leaked from other breaches.

It’s yet another example of why passwords shouldn’t be reused.

Password reuse is, apparently, a given. No matter how much we lecture, a (hopefully shrinking!) percentage of people are going to commit this security sin.

Should we start expecting businesses like eBay to plan for that? Or should we just let password reusers suffer the consequences of their redundancy?

I’m certainly guilty of having re-used passwords myself, but it has been a long time since I’ve done it. In fact, since I started using LastPass, I no longer use duplicate passwords, and I am cleaning out those that still exist. What duplicate passwords I have are not on anything critical; all of my important logins such as email, banking, credit cards and other sensitive sites, have unique, strong passwords.

Now, I don’t know how we can expect businesses to plan for such a thing. How would they know a password is reused elsewhere? Monitor hackers’ sites and password dumps? They could do what Facebook did and run researchers’ recovered plaintext passwords, I suppose, but that’s a lot to ask of any company. No, I think it’s just going to take continuing education on the part of those in the know and trial by fire for those guilty of reusing passwords for critical sites.

I’ll leave you with this good advice from Naked Security:

Make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.

If those passwords are impossible to remember, that’s good – all the better. That’s what they make password managers like LastPass or KeePass for.

Don’t reuse passwords!
 


Follow Ken Harthun on Twitter Follow me on Twitter


July 22, 2014  2:34 PM

Highly effective security: Protect data on mobile and removable media

Ken Harthun Ken Harthun Profile: Ken Harthun
Security

We all carry mobile devices be they phones, iPads or other tablet devices, USB drives or laptops. By their very nature, these devices are easily lost or stolen making the data on them at risk of compromise. It’s important to protect the actual devices from loss, but perhaps it’s even more important to protect the information that resides on them. Here’s how to accomplish that:

  1. Make regular backups of all critical data
  2. Securely wipe all data from a device before you discard it, donate it or give it away.
  3. Encrypt all sensitive data
  4. Use anti-malware software and keep it up to date
  5. Keep up with security updates for all software on your device
  6. If your device has a means to wipe it out if it is lost, be sure to configure this option.


July 17, 2014  5:28 PM

Humor: Password tattoos

Ken Harthun Ken Harthun Profile: Ken Harthun
humor, Passwords

Tired of resetting certain students’ passwords numerous times (will they EVER remember them?), this administrator replied to an instructor’s request for a password reset with this email:

It’s on the way to you.

Please send him to see me ASAP for his tattoo. My new policy is that after the third password reset, the student must change the password in my presence and have it tattooed permanently on the inside of his or her left arm. The password tattoo, which will be in black 36 pt.  Droid Sans with slashed zero and European 7 and Z glyphs, is free. There is a $100 extra charge for aesthetic enhancement unless the student prefers to do it herself. I would encourage you to instruct them on how to design graphics around their password so that it also serves as a mnemonic. I have attached an example for your reference.

Optional: Students who don’t know how to type or otherwise operate a computer may purchase the RFID package ($150) in lieu of the tattoo. I will implant the chip in their forehead, allowing them to log in by simply banging their head against the PC (something I have been doing much more frequently these days).

Oh, I forgot to mention this: my tattoo gun is currently in the shop. Until I get it back, all tattoos will be done using the old sewing needle/thread/India ink method. This is much more painful, but just as effective.

If you or your students have any questions about this policy, feel free to drop me a line.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: