Britain’s Centre for the Protection of National Infrastructure (CPNI), which works with General Communications Headquarters (GCHQ), recently issued a publication “Password Guidance – Simplifying Your Approach.” I found the 13-page PDF document interesting because it provides guidance on simplifying things at a system level rather than asking users to remember complicated passwords. It also says that regular password changing as a policy is not a good thing:
Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.
But how do you prevent users from using common passwords? Simple: Blacklist the most common passwords (I’ll be writing about this later). I would include code to check to see if user name or company name or other common strategies are used and refuse to accept them.
I won’t elaborate further; you can read the document and glean from it what you will. However, here is the list of tips. A couple of them offer a different view. It’s definitely worth your time to download and read this whole thing.
- Change all default passwords
- Help users cope with password overload
- Understand the limitations of user-generated passwords
- Understand the limitations of machine-generated passwords
- Prioritise administrator and remote user accounts
- Use account lockout and protective monitoring
- Don’t store passwords as plain text
And finally, here is a very nifty infographic: Password guidance – infographic
In these days of of high profile data breaches, it behooves us to take another look (or two) at passwords. Computing power has increased at phenomenal rates over the years making it (relatively) straightforward to defeat short and simple passwords with common, freely available hacking tools. If you want to explore the exponential increase in computing power further, this Wikipedia article on Moore’s Law is quite enlightening. Here’s an interesting comparison:
[Illustration] An Osborne Executive portable computer, from 1982, with a Zilog Z80 4 MHz CPU, and a 2007 AppleiPhone with a 412 MHz ARM11 CPU; the Executive weighs 100 times as much, has nearly 500 times the volume, costs approximately 10 times as much (adjusted for inflation), and has about 1/100th the clock frequency of the smartphone.
In March, 2014, I posted “Oh no! Not another password post!” In that post, I recommended 12 characters for a minimum length and said that 15 characters is even better. I still stand by those numbers at this date; however, I did not address password complexity in that post. Length means nothing if the password is either one that is commonly used–such as those on this list–or is a dictionary word or common phrase. “LetMeIn” and “antidisestablishmentarianism” are equally useless. Even “TippecanoeandTylerToo,” though seemingly complex, would be easily cracked as it’s a common phrase from American history.
Complexity connotes intricacy: The more intricate the pattern of a maze, for instance, the more complex its solution. Intricacy connotes quantity: The more parts the there are to a machine, the more intricate its design. Therefore, we make passwords more complex by using more parts in their creation. This is simply illustrated by comparison. “Password” is eight characters long and uses only letters; “P12@#or9″ is also eight characters long but uses letters, numerals and special characters. The latter is the more complex.
So, how long is long enough; how complex is complex enough? A password that is 12 to 15 characters long, is not a common word or phrase, is a mixture of upper and lower case letters, uses special characters and some numerals, should be good for most situations.
Next up: Password advice from Great Britain’s GCHQ.
Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals.
While it used to be that only desktops and laptops were affected, now mobile phones are being targeted. According to Wired, last week news broke about “The so-called Porn Droid app that targets Android users and allows attackers to lock the phone and change its PIN number while demanding a $500 ransom from victims to regain access.” Read the article here.
It’s a very lucrative business. Last year victims paid an estimated $27 million to the crooks according to the FBI.
The best protection against becoming a victim of ransomware is to have a good antivirus and keep it updated along with making regular backups of your data that are stored on an offline device.
An interesting conversation with our interim campus president at the college today brought back to mind a post from more than five years ago. A server crash this morning made her wonder if a former network administrator, who did not leave on good terms, still somehow had a hand in the incident. Apparently, this fellow had succeeded in planting a logic bomb in the network timed to go off on the date of each new term start. Today was a new term start; today the server crashed. Our president’s logic said that “[name withheld] was up to his old tricks.” It wasn’t that, fortunately. The power supply died.
What was revealing about that conversation is that management at the time failed to consider an internal threat. No doubt the other faux pas were also committed. I saw evidence of them when I first took on the role of network administrator and have since corrected things. So, here’s a reminder of how NOT to do things.
Here are my Top Five Security Faux Pas beginning with number five:
- 5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are usually first to discover the security flaws and they’re the first to exploit them.
- 4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a Cisco Certified CCIE-Security on staff? Good for you! If not, this isn’t a good option.
- 3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be. Buried among those thousands of failed attempts a finding an open port are those few that manage to attempt a connection and fail. Do you see them?
- 2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.
- 1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…
Not to sing my own praises, but to sing my own praises, they picked the right guy when they picked me; there have been no major security incidents since I took over.
It seems these days that everywhere you look, there is a privacy disclosure statement. You get them from your bank, your credit card companies, lenders, and just about everyone who asks for any non-public personal information (NPI). Have you ever read one of those things? You should. You have a right to know what information is being kept and how it is used. Here is one such clause:
You have the right to know what NPI we have about you, to have access to it and to receive a copy upon request, where required by law. If you have questions about what we may have on file, please write to us. Give us your name and address, date of birth, [other information] and the type of NPI you want to receive. Some types of NPI obtained when [actions are taken] or defending lawsuits need not be shared with you.
The firm or group who has NPI about you may not have obtained all of it directly from you, so unless you ask for it, you don’t know exactly what they have. It is entirely possible that some NPI is incorrect and you will never know unless you request it. You have the right to request erroneous information be corrected.
You may contact [company] if you believe your file should be corrected, amended, or deleted. We will review your request, and within thirty (30) business days, we will make the requested change or provide an explanation of our refusal to do so. If we do not make the change, you may send a statement for insertion in your file, setting forth what you believe to be the correct NPI and explaining why you believe the NPI in our file to be incorrect. If you ask us to, we will notify persons to whom we have shared NPI of the change or your statement. With any subsequent sharing of NPI, we will include a copy of your statement.
You see, you have to ask. Any firm is going to do only what they are bound by law to do and no more. That’s their responsibility. Your responsibility is to be alert and informed and to take action if you are concerned. It’s not up to someone else.
It’s up to you.
I simply have to try this someday. It’s hilarious! No better therapy for the IT Blues than a good laugh.
The more things change, the more they stay the same. I’m still seeing PCs with serious malware infections that defy any and all attempts to clean them up. I used to persevere and eventually succeed in killing whatever beasties were inhabiting the dark recesses of the system. Just last week, I fought one for two hours before finally doing a factory reset.The trouble is, now as then the things keep coming back and if I didn’t take drastic action, I’d be facing another hours long battle. Once a machine is infected you can never trust that machine again unless you refresh or restore it to factory configuration.
Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware (as in 2015) is even more tenacious and stealthy that it was 7 years ago when I first wrote about this. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Windows 8 gave you an easy way to preserve user files while restoring the factory image and it’s still going strong in Windows 10. I’m not totally convinced that this is the best way to go, but so far I haven’t seen too many “repeat customers” after doing it.
Maybe the question should be: When can we expect to see the first Windows 10 security vulnerability? The follow-up question is: What will it be?
With the recent release of Windows 10 on July 29, 2015, we are faced with a new operating system that is bound to have some security issues. It’s impossible to predict what and when but let me point out that Microsoft has introduced some new security features (Device Guard, Windows Hello, Passport, to name three of them, all of which are covered elsewhere). Any new feature means that it has been subjected to limited testing and we can’t have complete confidence in it until the millions of true beta testers–the user base–have put it through its paces.
Having said that, I do have the feeling that Windows 10 security will be far better than in all previous versions. Still, you have to realize that security is, and probably always will be, a cat-and-mouse game. We can keep building better mousetraps, but as long as the cyber-criminals continue to realize huge profits, they will continue to build better mice (or bring humans–the one irreparable vulnerability–into the colony).
The old cliche goes, “The best laid schemes o’ Mice an’ Men, Gang aft agley” (Scots version). As I tend to use those tips that I promulgate, I have been using the method described in my previous post. Well, wouldn’t you know it, some sites don’t like the “.” character in their password fields. I had to modify my method. So, I changed the character for the dot to “-” and the character for the dash to “_” making the letter “F” appear this way: –_-.
Then it occurred to me: You can substitute any character you want, even the representation of the sounds themselves, for the dots and dashes. If you represent “F” that way, it becomes “ditditdahdit.” Talk about adding complexity! And you won’t find any of that gibberish in any dictionary attack in this universe (at least not yet). Nor will you have to worry whether or not a special character will be accepted.
You could use the letters s & l for “short” and “long”–the duration of the sounds that make up audible Morse code. So “F” becomes “ssls.” That’s not quite as good as dit and dah, but it works–you just have to substitute for a few more letters or numbers to string out the complexity.
These days, it’s all about staying ahead of the bad guys and the best way I know to do that is with increased length and increased complexity to make their dictionaries and other pattern templates useless and drive them to use brute force methods.
Oh, by the way, you can safely write down any password by substituting the real thing for the Morse, to wit: Password is Doolittle. Write that down, but use Ddahdahdaholditditttle. That one is even sort of melodic…