Security Corner


September 23, 2012  8:44 PM

Carry your passwords in your wallet

Ken Harthun

You probably own at least one USB thumb drive, stick, jump drive — whatever you want to call it. I have seven of them ranging in size from 64 MB (yes, you read that right) to 16 GB. They’re very handy and I use them all the time, but they all have one major flaw: They’re too big to carry in your wallet. Why would you want to carry one in your wallet? For the same reason that I consider your wallet your most secure password manager (see Your Wallet is the Best Password Manager), I consider your wallet the best place to keep a portable storage device.

I’m sure the picture gave it away already, but Micro SD cards are perfect for carrying in your wallet. A MicroSD card is about the size of a man’s thumbnail (giving new meaning to the term “thumb drive”). This makes it perfect for carrying in a photo slot in your wallet if you use an adapter or a USB reader like the ones shown. So, here’s what you do (assuming you don’t have some other password manager application):

  1. Create an encrypted partition on the Micro SD card (see A portable app to password protect your USB sticks);
  2. Create a text file or spreadsheet containing all of your critical logon information;
  3. Store the file on the encrypted partition.
  4. DO NOT FORGET your master partition encryption password.

For #4, I suggest a password concocted from a sentence of your own creation.  For example, “My Yorkie loves to play bone and is 4 years old!” This becomes mYltpbai4yo!

If you really want to be secure, I have some other ways for you to do this, but it’s Sunday and I’m going to watch some football and baseball. (Best time of the year – football starts, baseball season is winding down.)

September 21, 2012  1:48 AM

A portable app to password protect your USB sticks

Ken Harthun

Handy as they are, USB thumb drives, sticks, jump drives — whatever you choose to call them — are small and easily lost despite your best precautions. This is why it’s a bad idea to keep any sensitive information on them unless you encrypt the drive or password protect your files. Many popular USB sticks come with their own security software, but what if you have a generic one sans software? You’ll have to find a way on your own to protect it.

Most of the bundled security software allows you to either encrypt the whole drive or create an encrypted area on the drive. I have always been an advocate of TrueCrypt as one of the best Open Source encryption programs in existence. There is a catch to using TrueCrypt, however, as this MakeUseOf article points out: If you want to transfer files to a computer on which you don’t have administrator rights, you’re out of luck.

Enter Rohos Mini Drive, a portable application that allows you to work with a password protected partition on any PC. You just click the “Rohos Mini” icon on the USB flash drive root folder and enter your disk password. Rohos will start a volume and will stay in the system tray. It doesn’t require administrative privileges to open the password protected USB drive partition on a guest PC. It stays in the system tray so you can close the disk when you finish working.

Rohos Mini Drive comes in both free and paid versions. The free version has limitations, of course, the main one being a 2 GB encrypted partition size. I don’t consider this a hindrance, however; my needs are limited to transporting the occasional sensitive file and 2 GB would be more than enough to store secure notes containing passwords and other key numbers.

Give it a test drive and let me know what you think.



September 12, 2012  3:49 PM

Track your stolen laptop or phone

Ken Harthun

Your laptop bag is sitting next to you as you wait for your plane. Someone off to your left engages you in conversation for a minute and when you turn back, your laptop bag is gone. You turn to ask the person you were speaking with if they saw anything and they are also gone. Doh!

Is this a common scenario? Maybe. What matters is that your laptop has been stolen along with everything you had stored on it. If there was unencrypted confidential information such as corporate secrets, personal or corporate banking information — even if it was only personal photos and documents — this is a disaster. You’re better off if it was all encrypted, and if you have backups you’ll be OK, but you’ve still lost a valuable piece of property. Is there any hope for recovery?

The good news is that if you had installed a tracking utility, chances are good that the laptop can be located and the thief caught red-handed.

As you might expect, there are quite a few applications available, both paid, commercial solutions and free, Open Source solutions covering the major OS platforms. Here are two of the top trackers:

Hidden (Mac only) – http://hiddenapp.com/ – Basic plan is $15.00/year for one computer. “Hidden is a small application which sits idle on your computer until you need it. When your computer gets stolen simply log in to your online Tracking Control Panel and mark your computer as stolen. Hidden will kick into action and locate your stolen computer anywhere on the planet, collect photos of the thief and screen shots of the computer in use.” Hidden has been in the news a bit.

Prey (Windows, Linux, MacOS, Android, iOS) – http://preyproject.com/ – Open Source, free for up to three devices with Pro Plans available. “You install a tiny agent in your PC or phone, which silently waits for a remote signal to wake up and work its magic. This signal is sent either from the Internet or through an SMS message, and allows you to gather information regarding the device’s location, hardware and network status, and optionally trigger specific actions on it.”


September 10, 2012  3:48 PM

Humor: The History of Spam

Ken Harthun

Hilarious! And just what the doctor ordered for a stressful Monday…


September 7, 2012  1:59 AM

How to protect your password manager?

Ken Harthun

If the bad guys already know how to get your “clever” passwords, what kind of password do you put on your password manager? You can’t risk their getting your master password and gaining access to all of your good, high-strength passwords now, can you? You must treat your master password as the key to the kingdom and it must be backed up with a second factor of authentication.

The password must be the most secure of all your passwords. I recommend no fewer than 12 characters, preferably 16 or more. You’re going to have to write it down to remember it, as it is going to be random gibberish. I suggest you use a generator such as GRC’s Ultra High Security Password Generator. Here’s but one example from that site: su4{H&*1wI#z?$]> Of course, if you use something like LastPass, KeePass or any of the others that allow you to generate secure, random passwords, you can make your own. Once you have your ultra secure password, write it on a piece of paper and keep it in your wallet.

LastPass supports Yubikey, a low-cost USB token with AES encryption for two-factor authentication and this is my preferred system. KeePass implements two-factor authentication by allowing the use of both a master password and a key file that you can store on a USB thumb drive.



August 31, 2012  7:14 PM

And you thought I was joking!

Ken Harthun

My last post, “Humor: Only an idiot…,” was a poke at the lighter side of password security, particularly ridiculously easy-to-guess passwords. Unfortunately, it is an all-too-common habit even for the savvy among us. Check out this email I got in response to the creation of a login for me on an external system:

I suppose they assumed I would immediately login and change the password, but what if I didn’t get this for a few days?

I hope their system is fully patched! Once in, someone could wreak havoc if one knew what one was doing…


August 30, 2012  3:35 PM

Humor: Only an idiot…

Ken Harthun

Some people just never learn…


August 28, 2012  7:10 PM

Forget all those clever password creation tips: The bad guys know them all

Ken Harthun

Steve Gibson, in Episode 366 of Security Now!, “Password Cracking Update: The Death of Clever,” presents the case for longer, random passwords saying that hackers know all the tricks humans use to create them. We all probably have suspected this, but it’s likely few of us have really given it much thought. Steve made reference to “Why passwords have never been weaker—and crackers have never been stronger,” an Ars Technica blog post by Dan Goodin. After reading it, I’m convinced that most password creation tips just contribute to the overall hacker knowledge, especially if people are actually following them. Consider what Goodin says:

…a series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.

To wit, “…nearly all capital letters come at the beginning of a password; almost all numbers and punctuation show up at the end. [The online games service RockYou.com breach] also revealed a strong tendency to use first names followed by years, such as Julia1984 or Christopher1965,” Goodin says. Surely, you know someone (maybe even yourself, heaven forbid) who does this. That really narrows the search field.

Character substitution using numbers and symbols instead of the letters is also predictable. You might think that a 12-character passphrase like C@n’tGu3$$Me would be relatively secure, but it’s predictable: common words, first letter capitalized, common character substitutions.

Goodin’s post mentions a computer comprising eight AMD Radeon HD7970 GPU cards, running version 0.10 of a cracking utility called oclHashcat-lite that requires just 12 hours to brute force the entire keyspace for any eight-character password containing upper- or lower-case letters, digits or symbols (96 characters). With such tools available, not even a machine-generated random password 8 characters long is sufficient. The only solution is to make it longer. For each character you add, you multiply by 96 the time it takes to test for every possible combination: add 1 more character and you’re up to 12 x 96, or 1152 hours — 48 days; add 2 characters, you’re up to 4608 days, or a bit over 12.5 years.
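As an added example (not code from the post, from Goodin's article, or from any tool named here), the Python below turns the two observations above into checks: the human habits Goodin lists are flagged, using a small substitution table that is my own assumption, and the brute-force scaling is computed from the post's quoted rate (96-symbol alphabet, every 8-character password in 12 hours), extended to ask how many characters outlast a chosen number of years.

```python
import re

# Benchmark quoted in the post (Goodin's figures): eight GPUs exhaust every
# 8-character password over a 96-symbol alphabet in 12 hours.
ALPHABET = 96
BENCH_LENGTH = 8
BENCH_HOURS = 12.0
GUESSES_PER_HOUR = ALPHABET ** BENCH_LENGTH / BENCH_HOURS

def brute_force_hours(length, alphabet=ALPHABET):
    """Hours to test every password of this length at the benchmark rate."""
    return alphabet ** length / GUESSES_PER_HOUR

def chars_needed(target_years, alphabet=ALPHABET):
    """Smallest length whose exhaustive search outlasts target_years."""
    length = BENCH_LENGTH
    while brute_force_hours(length, alphabet) < target_years * 365 * 24:
        length += 1
    return length

# Constructed table of the usual letter-for-symbol swaps (a->@, e->3, o->0,
# s->$, i->1, i->!); it is an assumption, not a list taken from the post.
DESUB = str.maketrans("@30$1!", "aeosii")

def predictability_flags(password):
    """Return the human habits Goodin describes that this password exhibits.
    An empty list means none of these particular tells were found; it does
    not certify the password as strong."""
    flags = []
    letters = [c for c in password if c.isalpha()]
    if letters and letters[0].isupper() and all(c.islower() for c in letters[1:]):
        flags.append("capital only at the start")
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", password):
        flags.append("digits/punctuation only at the end")
    if re.fullmatch(r"[A-Z][a-z]+(19|20)\d\d", password):
        flags.append("first name followed by a year")
    desubbed = password.translate(DESUB)
    if desubbed != password and re.fullmatch(r"[A-Za-z'’]+", desubbed):
        flags.append("symbol substitutions on an ordinary word")
    return flags

if __name__ == "__main__":
    for pw in ["Julia1984", "C@n'tGu3$$Me", "su4{H&*1wI#z?$]>"]:
        print(f"{pw:20} {predictability_flags(pw)}")
    for n in (8, 9, 10, 12):
        print(f"{n} chars: {brute_force_hours(n) / 24:,.0f} days")
    print("characters needed to outlast 100 years:", chars_needed(100))
```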

To be completely unpredictable, you’ll need to use a password generator. Of course, this is going to produce passwords that you will find nearly impossible to remember, so you will need to find a good password manager to remember them for you. Here are the top five applications that have free or low-cost versions:

  • KeePass (Windows/Mac/Linux/Mobile, Free)
  • LastPass (Windows/Mac/Linux/Mobile, Basic: Free / Premium: $1/month)
  • 1Password (Mac OS X/iPhone, Desktop: $39.95 / iPhone: $14.95)
  • RoboForm (Windows, Basic: Free / Pro: $29.95)
  • SplashID (Windows/Mac/Mobile, Desktop: $19.95 / Mobile: $9.95)

Time to go in and edit all of my “clever” passwords…


August 22, 2012  1:35 AM

We must be careful about what we do on the internet: Part 3

Ken Harthun

In “We must be careful about what we do on the internet: Part 1” and “We must be careful about what we do on the internet: Part 2,” Hunter Mitchell discussed fake AV and P2P file sharing sites noting the dangers and how to avoid them. In this post, he gives some great advice on how to identify dangerous sites.

Downloading Tools and Tips.
 
Google is my best friend.  Everything I do, I Google it and try to get an idea of what is going on.  Disastrous cooking experiments aside, Google has helped me identify a lot of sites and programs that are not safe for use. There are several ways to check the legitimacy and security of certain sites.
 
Here is an example site: http://www.avgthreatlabs.com/sitereports/ It has a place where people can like or comment about sites and they also have reviews for them as well.  Even if this site says the website you are checking is safe, read the comments also.  I checked some sites and it said they were good but the comments said otherwise.
 
http://www.malwarebytes.org/ here you can find Malwarebytes for free.  Malwarebytes will search your computer for malware and remove it for you. (Some Malware is tricky, and Malwarebytes may not always be able to remove it.)
 
Install a respected antivirus.  If you have a school laptop, we have installed Symantec Endpoint Protection so your computer already has protection.  That being said, it is your responsibility to scan for viruses regularly to make sure that your computer is still safe.  It is also important to note that just because your computer has antivirus doesn’t mean it can’t be infected.  Hackers are constantly catching on and changing codes for viruses to get past these protections.
 
Some examples of respected antivirus programs:
 
 
 I know this is a long read, but believe me; everything I said may save you from your computer being infected by viruses or malware.  Any other questions you may have just catch me in the hallway or the IT office and I will try to help you as best as I possibly can.    If you can’t find me, see Mr. Gundelach [Hattiesburg Net Admin] or Kim [Net Admin Assistant].
 
Take Care,
Hunter

I want to thank Hunter again for giving me permission to post his excellent summary. He is going to be a valuable addition to our tech community.


August 21, 2012  1:55 AM

We must be careful about what we do on the internet: Part 2

Ken Harthun

In “We must be careful about what we do on the internet: Part 1,” Hunter Mitchell introduced us to fake AV programs and gave some good advice. The advice continues in this post.

FrostWire/LimeWire/Share bear etc. are not safe ways to download free stuff!!!
 
I’m sure all of us have downloaded a free song, game, or what not.  I’m guilty of it as well, but the longer I was interacting with these kinds of sites, the more I was opening my computer to viruses and other nasty programs.  The thing is that you have to trust that what you are downloading is exactly what it says it is.  I personally would love to trust these people who upload these songs and such, but sadly, I’ve seen too many computers fall victim to the same fate.  You are downloading at your own risk every time you use these programs.  These files aren’t checked before you download them so anyone could add anything they want to the download link such as viruses and malware.  They also may have access to your IP address, meaning they could possibly access your computer if they had the right software.
 
Here are some articles, but again, these go into some pretty deep IT stuff, so I will try to break it down.
http://www.symantec.com/avcenter/reference/malicious.threats.pdf This one gets really deep into the threats of P2P (Peer to Peer) networking.
http://www.techrepublic.com/article/take-precautions-against-peer-to-peer-threats/1048032 This one is a little bit easier to read but deals with more of the legal issue P2P networks pose for companies in which employees use P2P programs to download illegally.

We don’t allow any file sharing networks at the college, period. There’s just too much risk in them. Hunter’s experience mirrors my own; for years, I had to clean up the effects of people downloading from Kazaa, LimeWire, etc. Best just to avoid them altogether.

