Security Corner


July 29, 2014  12:38 AM

Security worst practice: Password reuse

Ken Harthun
Password policy, password security, Passwords, Security

This article, “eBay’s StubHub ransacked for over $1 million, international crime ring arrested,” from Naked Security said:

It’s a shame that users all too often make it easy for crooks to just plug in credentials leaked from other breaches.

It’s yet another example of why passwords shouldn’t be reused.

Password reuse is, apparently, a given. No matter how much we lecture, a (hopefully shrinking!) percentage of people are going to commit this security sin.

Should we start expecting businesses like eBay to plan for that? Or should we just let password reusers suffer the consequences of their redundancy?

I’m certainly guilty of having re-used passwords myself, but it has been a long time since I’ve done it. In fact, since I started using LastPass, I no longer use duplicate passwords, and I am cleaning out those that still exist. What duplicate passwords I have are not on anything critical; all of my important logins such as email, banking, credit cards and other sensitive sites, have unique, strong passwords.

Now, I don’t know how we can expect businesses to plan for such a thing. How would they know a password is reused elsewhere? Monitor hackers’ sites and password dumps? They could do what Facebook did and check researchers’ recovered plaintext passwords against their own users’ password hashes, I suppose, but that’s a lot to ask of any company. No, I think it’s just going to take continuing education on the part of those in the know and trial by fire for those guilty of reusing passwords for critical sites.
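The check described in the paragraph above, written out as an added example that is not code from the original post or from Facebook: a constructed user table with per-user salted PBKDF2 hashes and a constructed leaked plaintext list. The hash parameters, account names and passwords are assumptions for illustration; the point it shows is that, with a unique salt per user, every leaked password has to be re-hashed under every user’s salt, which is exactly the cost that makes this “a lot to ask.”

```python
# Added example (not from the original post or from any real site's code).
# A site that stores per-user salted password hashes can only make use of a
# leaked plaintext list by re-hashing every leaked password under every
# user's own salt, then forcing a reset on any account that matches.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo; real sites tune this


def hash_password(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_user(username: str, password: str) -> dict:
    """Create a constructed user record with a fresh random salt."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample accounts: 'alice' reused a password that also appears in the leak.
USERS = [
    make_user("alice", "Summer2013!"),
    make_user("bob", "xK9#v2pLq!Tz8wR4"),
]

# Constructed stand-in for a list of plaintexts recovered from another site's breach.
LEAKED_PLAINTEXTS = ["123456", "Summer2013!", "letmein"]


def find_reused_accounts(users, leaked_plaintexts):
    """Return (flagged usernames, number of PBKDF2 computations performed).

    Each user has a unique salt, so a leaked plaintext cannot be hashed once
    and looked up; it must be hashed again for every user. The work grows as
    len(users) * len(leaked_plaintexts), which is the cost the post alludes to.
    Matching accounts should be forced through a password reset; the plaintexts
    themselves are never stored or logged.
    """
    flagged = []
    computations = 0
    for record in users:
        for plaintext in leaked_plaintexts:
            computations += 1
            candidate = hash_password(plaintext, record["salt"])
            # constant-time comparison, as for any password-hash check
            if hmac.compare_digest(candidate, record["hash"]):
                flagged.append(record["user"])
                break  # one match is enough to flag this account
    return flagged, computations


if __name__ == "__main__":
    hits, work = find_reused_accounts(USERS, LEAKED_PLAINTEXTS)
    print("accounts to force-reset:", hits, "| PBKDF2 computations:", work)
```

With two users and three leaked passwords the loop already performs five PBKDF2 computations (alice stops early after her match); with millions of users and millions of leaked plaintexts the same loop is a large batch job, which is why a site cannot do this casually.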

I’ll leave you with this good advice from Naked Security:

Make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.

If those passwords are impossible to remember, that’s good – all the better. That’s what they make password managers like LastPass or KeePass for.

Don’t reuse passwords!
 



July 22, 2014  2:34 PM

Highly effective security: Protect data on mobile and removable media

Ken Harthun
Security

We all carry mobile devices, be they phones, iPads or other tablets, USB drives or laptops. By their very nature, these devices are easily lost or stolen, which puts the data on them at risk of compromise. It’s important to protect the devices themselves from loss, but perhaps it’s even more important to protect the information that resides on them. Here’s how to accomplish that:

  1. Make regular backups of all critical data.
  2. Securely wipe all data from a device before you discard it, donate it or give it away.
  3. Encrypt all sensitive data.
  4. Use anti-malware software and keep it up to date.
  5. Keep up with security updates for all software on your device.
  6. If your device has a means to wipe itself if it is lost, be sure to configure this option.


July 17, 2014  5:28 PM

Humor: Password tattoos

Ken Harthun
humor, Passwords

Tired of resetting certain students’ passwords numerous times (will they EVER remember them?), this administrator replied to an instructor’s request for a password reset with this email:

It’s on the way to you.

Please send him to see me ASAP for his tattoo. My new policy is that after the third password reset, the student must change the password in my presence and have it tattooed permanently on the inside of his or her left arm. The password tattoo, which will be in black 36 pt. Droid Sans with slashed zero and European 7 and Z glyphs, is free. There is a $100 extra charge for aesthetic enhancement unless the student prefers to do it herself. I would encourage you to instruct them on how to design graphics around their password so that it also serves as a mnemonic. I have attached an example for your reference.

Optional: Students who don’t know how to type or otherwise operate a computer may purchase the RFID package ($150) in lieu of the tattoo. I will implant the chip in their forehead, allowing them to log in by simply banging their head against the PC (something I have been doing much more frequently these days).

Oh, I forgot to mention this: my tattoo gun is currently in the shop. Until I get it back, all tattoos will be done using the old sewing needle/thread/India ink method. This is much more painful, but just as effective.

If you or your students have any questions about this policy, feel free to drop me a line.


July 17, 2014  4:15 PM

Stop electronic surveillance with typewriters?

Ken Harthun
Security, SPYING, Surveillance

In the wake of recent news about Germany’s considering using typewriters instead of computers to thwart electronic surveillance, one has to ask the obvious question: Huh?

Oh, they have to be manual typewriters. Electric ones just won’t do (you can plug in a keylogger to an electric one, apparently). Makes sense, especially in light of how IBM Selectric typewriters were hacked in the 1980s. Here’s how an installed spy sensor (bug) worked, according to CBS News:

“The devices picked up the contents of documents typed by embassy secretaries and transmitted them by antennas hidden in the embassy walls. The typewriters used a round ball with numbers and letters around the surface, which revolved before hitting the ribbon against the paper. The bugs could work out each letter typed by detecting how the ball moved.”

I don’t think that manual typewriters would solve this problem. Someone will develop a way to tell which key was pressed by the audio spectrum analysis of the “clack” sound the letter hammer makes as it hits the ribbon and paper. It doesn’t even have to be so complicated. You can just go back to the old low-tech spy methods like posing as a janitor and stealing the ribbons or relying on security lapses and stealing documents that should have been shredded.

Spying isn’t going to go away no matter the technology being used. Only on the day when we can fully trust each other will spying become unnecessary.


July 11, 2014  6:14 PM

Highly effective security: Secure your mobile devices from loss

Ken Harthun
Laptop Security, Mobile device security, Security, smartphone security, Tablet PCs

Mobile devices such as smartphones, tablets and laptops are certainly convenient; however, because of their portability, they are security risks. It’s just too easy to lose or misplace these devices, and when this happens, all of the personal data stored on them is at risk of being compromised. You don’t want that to happen, so be sure to:

  • Keep smartphones and tablets with you at all times when in public. NEVER leave a device sitting and walk away from it, even for a second.
  • Never leave a laptop in open view in your car. Lock it securely in your trunk and lock all the doors. Out of sight, out of mind.
  • When in the office, use a cable lock on your laptop or store it in a locked drawer.
  • Never put any of these devices in your checked baggage when traveling.
  • Make a list of phone numbers and/or email addresses to report stolen or lost devices.

A future post will cover protecting the data itself.


June 30, 2014  6:47 PM

Humor: Lighten up – it’s Monday (Warning: Language)

Ken Harthun
humor, joke, Security

A bit of security humor to brighten up your Monday. Hopefully, you’ll be able to enjoy a short week and long holiday weekend.

Password Reset Dialog

WINDOWS:  Please enter your new password.

USER:  cabbage

WINDOWS: Sorry, the password must be more than 8 characters.

USER:  boiled cabbage

WINDOWS:  Sorry, the password must contain 1 numerical character.

USER:  1 boiled cabbage

WINDOWS: Sorry, the password cannot have blank spaces.

USER:  50bloodyboiledcabbages

WINDOWS:  Sorry, the password must contain at least one upper case character.

USER:  50BLOODYboiledcabbages

WINDOWS:  Sorry, the password cannot use more than one upper case character consecutively.

USER: 50BloodyBoiledCabbagesShovedUpYourAssIfYouDon’tGiveMeAccessNow!

WINDOWS:  Sorry, the password cannot contain punctuation.

USER:  ReallyPissedOff50BloodyBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessNow

WINDOWS:  Sorry, that password is already in use.

USER:  IgiveUp!

WINDOWS:  Thank you, your password has been changed.

Have fun and be safe!


June 30, 2014  3:22 PM

The best free security list in the world?

Ken Harthun
Security

I’m a fan of Gizmo’s Freeware and have been for many years. They have maintained a list of free security-related programs or web applications for some time. It’s called “Probably the Best Free Security List in the World.” They say,

This article contains a comprehensive list of free security-related programs or web applications for Windows XP and later Windows PC-based operating systems. The few non-free programs on this list are included because they are of high merit (in our opinion) and lack a comparable free alternative. This list also includes links to webpages that contain security-related information.

The list runs the gamut from malware protection of all kinds to firewalls, HIPS, virtualization, encryption, data rescue, and so much more, 24 categories in all. I was pleased to find several of my favorite go-to programs under the “System Cleaning” category, including Darik’s Boot & Nuke and Active@ KillDisk. Also, under “Data Rescue” are two programs I use frequently, Testdisk and Photorec. There’s also a comprehensive list of malware removal guides and help sites.

One very nice feature of this page is the keys that inform you of the presence of adware, nagware and OpenCandy.

This list makes my old Geek Toolkit obsolete!


June 30, 2014  2:37 AM

Highly effective security: Lock your screen

Ken Harthun
Screen savers, Security best practices

Do you know who’s playing around on your computer when you’re not there? Think it won’t (or doesn’t) happen? Think again: It can and does happen all the time.

I’m sure you trust the people you work with, and rightfully so, but what about the maintenance crew and the janitorial service personnel? Several times this year, I have had to clean up computers in the reception area because someone got adware and toolbars all over them. The only possible explanation is that the cleaning crew people were surfing the web on them.

Had the night receptionist remembered to either shut down or lock the computers before she left, nothing would have happened.

The same goes for your workstation. If you leave it on and unlocked, as many at my company do, you are at risk of someone using it when you aren’t around or, worse yet, taking confidential private information off of it.

If you lock the screen so it requires your password to get back in, you have just made it nearly impossible for an unauthorized person to get your information or wreck your system.

It’s a simple, but highly effective security practice.


June 26, 2014  4:14 PM

Highly effective security: Create strong passwords

Ken Harthun
Security

Passwords are usually the frontline protection against unauthorized access. In fact, sometimes a password is the only protection. If you have weak passwords, you’re vulnerable to attack and compromise of your valuable data. If you have weak passwords and use those same weak passwords at multiple sites, you’re a disaster waiting to happen.

There are two rules you should always follow.

1. Always create strong passwords. This means:

  • Don’t use your name, dictionary words (even foreign words), acronyms, or even common phrases or slogans.
  • Don’t use prefixes or suffixes that use common keyboard patterns such as “Asdf1.” See Steve Gibson’s Password Haystacks page.
  • Use a random mixture of upper case, lower case and special symbols. Even ASCII symbols such as ▐ (Alt-222) can be used.

2. Never use any password for more than one site. One site = one password.

If you have passwords on sites you don’t care about — as long as they don’t contain any personally identifiable information — you could use a throwaway password for those. Some sites just insist that you have a login when it really doesn’t matter. What comes to mind are pure news sites that you only read and that don’t force you to create a profile. Those would be the only exceptions, but I don’t even recommend that.

Bottom line: Create strong passwords and never use the same password for more than one site.
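The two rules above turned into working code, as an added example that is neither the author’s code nor Steve Gibson’s Haystacks calculator: a CSPRNG-based generator, a checker for the rule-1 pitfalls (dictionary words, keyboard patterns, too few character classes), a haystack-size calculation that follows the idea of Gibson’s page (alphabet size raised to the password length), and a rule-2 scan of a site-to-password vault for duplicates. The word list and keyboard-pattern list are constructed stand-ins for real ones, and the 12-character minimum is taken from the Naked Security advice quoted earlier on this page.

```python
# Added example (not code from the original post or from the Password Haystacks page).
import secrets
import string

# Constructed stand-ins for a real dictionary and a real keyboard-pattern list.
DICTIONARY_WORDS = {"password", "cabbage", "welcome", "summer", "dragon", "monkey"}
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "!@#$")
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def generate_password(length: int = 16) -> str:
    """Rule 1: a random mixture drawn from a CSPRNG, retried until all four
    character classes are present (each attempt stays a uniform draw)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def haystack_size(password: str) -> int:
    """Brute-force search space in the Password Haystacks sense:
    (size of the alphabet the password draws from) ** length."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 symbols
    return alphabet ** len(password)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the rule-1 problems found; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        problems.append("contains a keyboard pattern")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


def duplicate_passwords(vault: dict) -> dict:
    """Rule 2: given {site: password}, return {password: [sites]} for every
    password used on more than one site; an empty dict means no reuse."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw), f"haystack={haystack_size(pw):.3e}")
    print("Asdf1 ->", check_password("Asdf1"))
    # constructed vault: the same weak password on two sites
    print(duplicate_passwords({"news": "cabbage", "bank": pw, "forum": "cabbage"}))
```

The checker deliberately reports every problem it finds rather than stopping at the first, so a user sees at once why “Asdf1” fails (keyboard pattern and length) instead of fixing one complaint at a time, as in the password-reset dialog earlier on this page.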


June 10, 2014  6:27 PM

Holy Patch Tuesday, Batman! 66 holes in Windows products

Ken Harthun
Adobe, Microsoft, Patch Tuesday, vulnerability

Today is Patch Tuesday, and Microsoft’s seven updates address 66 security holes in Windows and related apps. Most of those vulnerabilities, 59 of them, are in Internet Explorer (MS14-035). No surprise there. It’s the most insecure mainstream browser ever developed. Most of the vulnerabilities were labeled “critical,” meaning the bad guys can exploit them without any conscious help from users. Again, no surprise. You can read all about it here.

Lest I be unduly unfair to Microsoft, Adobe’s update for the Flash Player plugin fixes six bugs. I have the plugin set to ask me if I want to play a video. It’s inconvenient, but a lot safer than trusting a proven insecure plugin.

Bottom line: Apply the patches and hope the bad guys don’t find something MS and Adobe missed in the meantime.

