Steve Gibson, in Episode 366 of Security Now!, “Password Cracking Update: The Death of Clever,” presents the case for longer, random passwords saying that hackers know all the tricks humans use to create them. We all probably have suspected this, but it’s likely few of us have really given it much thought. Steve made reference to “Why passwords have never been weaker—and crackers have never been stronger,” an Ars Technica blog post by Dan Goodin. After reading it, I’m convinced that most password creation tips just contribute to the overall hacker knowledge, especially if people are actually following them. Consider what Goodin says:
…a series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.
To wit, “…nearly all capital letters come at the beginning of a password; almost all numbers and punctuation show up at the end. [The online games service RockYou.com breach] also revealed a strong tendency to use first names followed by years, such as Julia1984 or Christopher1965,” Goodin says. Surely, you know someone (maybe even yourself, heaven forbid) who does this. That really narrows the search field.
Character substitution using numbers and symbols instead of the letters is also predictable. You might think that a 12-character passphrase like C@n’tGu3$$Me would be relatively secure, but it’s predictable: common words, first letter capitalized, common character substitutions.
Goodin’s post mentions a computer comprising eight AMD Radeon HD7970 GPU cards, running version 0.10 of a cracking utility called oclHashcat-lite that requires just 12 hours to brute force the entire keyspace for any eight-character password containing upper- or lower-case letters, digits or symbols (96 characters). With such tools available, not even a machine-generated random password 8 characters long is sufficient. The only solution is to make it longer. For each character you add, you multiply by 96 the time it takes to test for every possible combination: add 1 more character and you’re up to 12 x 96, or 1152 hours — 48 days; add 2 characters, you’re up to 4608 days, or a bit over 12.5 years.
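The two points above, predictable structure and the cost of exhaustive search, can both be checked in code. This is an added example and not code from the Security Now! episode, the Ars Technica post, or any cracking tool: the first function flags the habits the post says crackers model (capital only at the start, digits or punctuation only at the end, leet substitutions inside a word, a first name followed by a year), and the second scales the post's benchmark of 12 hours for 8 characters over 96 symbols to other lengths and alphabet sizes. The name list is a constructed stand-in; a real policy check would load a large one.

```python
"""Added example: defender-side checks built from the post's observations.
Not code from Security Now!, the Ars Technica article, or any cracking tool.
"""
from __future__ import annotations

import re

# Constructed sample; a real policy check would load a large name list.
FIRST_NAMES = {"julia", "christopher", "michael", "jennifer", "david"}

# Common symbol-for-letter substitutions mentioned in the post.
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t"}
# A run of leet symbols sitting between two letters, e.g. the "@" in "C@n't".
_LEET_RUN = re.compile(r"[A-Za-z][" + re.escape("".join(LEET_MAP)) + r"]+[A-Za-z]")
# Letters only, then digits/punctuation only: "Julia1984", "password!"
_SUFFIX_ONLY = re.compile(r"[A-Za-z]+[^A-Za-z]+")
# Alphabetic word followed by a 19xx or 20xx year.
_NAME_YEAR = re.compile(r"([A-Za-z]+)((?:19|20)\d\d)")


def flag_predictable_patterns(pw: str) -> list[str]:
    """Return the predictable habits found in pw (empty list = none found)."""
    findings: list[str] = []
    if pw and pw[0].isupper() and not any(c.isupper() for c in pw[1:]):
        findings.append("capital letter only at the start")
    if _SUFFIX_ONLY.fullmatch(pw):
        findings.append("digits/punctuation only at the end")
    if _LEET_RUN.search(pw):
        findings.append("leet substitutions inside a word")
    m = _NAME_YEAR.fullmatch(pw)
    if m and m.group(1).lower() in FIRST_NAMES:
        findings.append("first name followed by a year")
    return findings


# The post's benchmark: eight HD7970s running oclHashcat-lite exhaust
# every 8-character password over a 96-symbol alphabet in 12 hours.
BENCHMARK_LENGTH = 8
BENCHMARK_ALPHABET = 96
BENCHMARK_HOURS = 12.0


def brute_force_hours(length: int, alphabet: int = BENCHMARK_ALPHABET) -> float:
    """Hours to try every password of the given length and alphabet size at
    the benchmark's guess rate. Each extra character multiplies the time by
    the alphabet size; a smaller alphabet (lowercase only, say) shrinks it."""
    guesses_per_hour = BENCHMARK_ALPHABET ** BENCHMARK_LENGTH / BENCHMARK_HOURS
    return alphabet ** length / guesses_per_hour


def brute_force_days(length: int, alphabet: int = BENCHMARK_ALPHABET) -> float:
    """Same figure in days, matching the post's 48 days / 4608 days arithmetic."""
    return brute_force_hours(length, alphabet) / 24


if __name__ == "__main__":
    for pw in ("Julia1984", "C@n'tGu3$$Me", "x7#Kq2!pL"):
        print(pw, "->", flag_predictable_patterns(pw) or ["no obvious pattern"])
    for n in (8, 9, 10, 12):
        print(f"{n} chars over 96 symbols: {brute_force_days(n):,.1f} days")
```

The pattern checks are deliberately structural rather than a dictionary lookup: a password can pass a length rule and still fall to a rule-based attack if it has the shape the leaked corpora taught crackers to expect, and that shape is what a policy should reject. The timing function is only a scaling of the post's one benchmark, so it says nothing about hash algorithms or hardware other than the rig described.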
To be completely unpredictable, you’ll need to use a password generator. Of course, this is going to produce passwords that you will find nearly impossible to remember, so you will need to find a good password manager to remember them for you. Here are the top five applications that have free or low-cost versions:
- KeePass (Windows/Mac/Linux/Mobile, Free)
- LastPass (Windows/Mac/Linux/Mobile, Basic: Free / Premium: $1/month)
- 1Password (Mac OS X/iPhone, Desktop: $39.95 / iPhone: $14.95)
- RoboForm (Windows, Basic: Free / Pro: $29.95)
- SplashID (Windows/Mac/Mobile, Desktop: $19.95 / Mobile: $9.95)
Time to go in and edit all of my “clever” passwords…
In “We must be careful about what we do on the internet: Part 1” and “We must be careful about what we do on the internet: Part 2,” Hunter Mitchell discussed fake AV and P2P file sharing sites noting the dangers and how to avoid them. In this post, he gives some great advice on how to identify dangerous sites.
Downloading Tools and Tips.
Google is my best friend. Everything I do, I Google it and try to get an idea of what is going on. Disastrous cooking experiments aside, Google has helped me identify a lot of sites and programs that are not safe for use. There are several ways to check the legitimacy and security of certain sites.
Here is an example site: http://www.avgthreatlabs.com/sitereports/ It has a place where people can like or comment about sites and they also have reviews for them as well. Even if this site says the website you are checking is safe, read the comments also. I checked some sites and it said they were good but the comments said otherwise.
http://www.malwarebytes.org/ here you can find Malwarebytes for free. Malwarebytes will search your computer for malware and remove it for you. (Some malware is tricky, and Malwarebytes may not always be able to remove it.)
Install a respected antivirus. If you have a school laptop, we have installed Symantec Endpoint Protection so your computer already has protection. That being said, it is your responsibility to scan for viruses regularly to make sure that your computer is still safe. It is also important to note that just because your computer has antivirus doesn’t mean it can’t be infected. Hackers are constantly catching on and changing codes for viruses to get past these protections.
Some examples of respected antivirus programs:
I know this is a long read, but believe me; everything I said may save you from your computer being infected by viruses or malware. Any other questions you may have, just catch me in the hallway or the IT office and I will try to help you as best as I possibly can. If you can’t find me, see Mr. Gundelach [Hattiesburg Net Admin] or Kim [Net Admin Assistant].
Take Care,
Hunter
I want to thank Hunter again for giving me permission to post his excellent summary. He is going to be a valuable addition to our tech community.
In “We must be careful about what we do on the internet: Part 1,” Hunter Mitchell introduced us to fake AV programs and gave some good advice. The advice continues in this post.
FrostWire/LimeWire/Share bear etc. are not safe ways to download free stuff!!!
I’m sure all of us have downloaded a free song, game, or what not. I’m guilty of it as well, but the longer I was interacting with these kinds of sites, the more I was opening my computer to viruses and other nasty programs. The thing is that you have to trust that what you are downloading is exactly what it says it is. I personally would love to trust these people who upload these songs and such, but sadly, I’ve seen too many computers fall victim to the same fate. You are downloading at your own risk every time you use these programs. These files aren’t checked before you download them so anyone could add anything they want to the download link such as viruses and malware. They also may have access to your IP address, meaning they could possibly access your computer if they had the right software.
Here are some articles, but again, these go into some pretty deep IT stuff, so I will try to break it down.
http://www.symantec.com/avcenter/reference/malicious.threats.pdf This one gets really deep into the threats of P2P (Peer to Peer) networking.
http://www.techrepublic.com/article/take-precautions-against-peer-to-peer-threats/1048032 This one is a little bit easier to read but deals with more of the legal issue P2P networks pose for companies in which employees use P2P programs to download illegally.
As a network admin at Antonelli College, one of my duties is making sure that the students are fully briefed on safe browsing practice. It’s always nice when one of their peers gives us a hand. Hunter Mitchell, a student worker at the Hattiesburg, Mississippi campus came up with a very good summary and was gracious enough to give me permission to post it here.
Hey everybody, Hunter here and I am the IT work-study guy. I’ve noticed a pattern with some of the computers that I have been working on, here and off campus. Many are infected with fake programs being pitched as antiviruses or computer optimizers. One example I’ve recently run into is the PC Optimizer Pro virus/malware.
Here’s a link describing it: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Program%3AWin32/PCOptimizerPro
PC Optimizer Pro is software written by hackers and played off as a legitimate computer program that cleans your registry and makes your PC more efficient. However, this is not the case, and once the software is installed it flashes fake warnings about infections on your computer. It then asks you to pay a certain fee for their special antivirus to clear the infections for you. For those that do pay, it opens up their computer to more malware and spyware to infect the computer.
Once your computer is compromised, it is almost impossible to know exactly what has been modified, which makes it that much harder to actually remove the virus. In most cases, your computer will need to have Windows reloaded onto it. The Tech Squad here fixes these kinds of problems for a $25 flat fee. (However, if we have to order any parts for your computer, we will have to charge you for the parts.) This is really cheap compared to Best Buy and any other computer repair medium as most of them charge $50 to $100 just to look at your computer.
I would also like to add that PC Optimizer Pro is not the only fake program out there that can compromise your computer’s security. There are many different types of programs and websites that are not safe.
We must be careful about what we do on the internet!!!
I know we all like to believe that everyone on the internet has the best intentions. Sadly, this is not the case at all. There are many people out there trying to steal identities and financial information. The easiest way to do this is through the internet. I wanted to find out what a word meant one time, googled it, and chose one of the first sites I saw. Turns out, the second I clicked an “Encyclopedia” site, a fake antivirus popup started searching my computer. Even by the time I had stopped it, it had already disabled my internet and my antivirus. FUN!! I wasn’t even downloading anything and my computer pretty much became an expensive paperweight, all because I didn’t double check exactly where I was getting my information.
We also have friends or family that like to use our computers as well. It is good to keep an eye from time to time as you never know what they are adding to your computer.
Coming in Part 2: “FrostWire/LimeWire/Share bear etc. are not safe ways to download free stuff!!!”
From the MSDN blog:
Last year we released a beta version of our free Attack Surface Analyzer tool. The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications. Since the initial launch of Attack Surface Analyzer, we have received quite a bit of positive feedback on the value it has provided to customers. Today we are pleased to announce that the beta period has ended and Attack Surface Analyzer 1.0 is now available for download.
This isn’t merely a new toy to play with, it’s a serious tool for analyzing your Windows systems. I immediately added it to my toolkit and went off to check out our lab PCs at the college where I am Network Administrator.
The tool is meant to be run first on a fresh system with no applications installed in order to establish a baseline. Then, you install your apps one by one and run the tool after each install to see how your attack surface is changing.
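The baseline-then-diff workflow described above can be shown in miniature. The following is an added example, not Attack Surface Analyzer's own code or output: it takes two constructed snapshots (a fresh install, and the same machine after installing a hypothetical "Acme Agent"), diffs them category by category, and then picks out the additions that actually widen exposure. The category names, the sample entries and the application are all made up for the example; ASA itself inspects many more categories (file and registry ACLs, named pipes, COM servers, and so on).

```python
"""Added example of baseline-then-diff attack surface comparison.
Not Attack Surface Analyzer's code or output; all data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# A snapshot maps a category name to a set of plain-string entries so
# that set arithmetic can compare them.
Snapshot = Dict[str, Set[str]]

# Constructed baseline: fresh OS install, no applications yet.
BASELINE: Snapshot = {
    "listening_ports": {"tcp 127.0.0.1:49152", "tcp 0.0.0.0:135", "tcp 0.0.0.0:445"},
    "services": {"Spooler run-as=LocalSystem", "EventLog run-as=LocalService"},
    "firewall_allow_in": {"File and Printer Sharing (SMB-In)"},
}

# Constructed snapshot after installing a hypothetical "Acme Agent".
AFTER_INSTALL: Snapshot = {
    "listening_ports": {"tcp 127.0.0.1:49152", "tcp 0.0.0.0:135", "tcp 0.0.0.0:445",
                        "tcp 0.0.0.0:8080", "udp 127.0.0.1:5353"},
    "services": {"Spooler run-as=LocalSystem", "EventLog run-as=LocalService",
                 "AcmeAgent run-as=LocalSystem"},
    "firewall_allow_in": {"File and Printer Sharing (SMB-In)", "Acme Agent (TCP-In)"},
}


@dataclass(frozen=True)
class Delta:
    category: str
    added: frozenset
    removed: frozenset


def diff_surface(before: Snapshot, after: Snapshot) -> List[Delta]:
    """Per-category set difference: what an install added or removed.
    Categories with no change are omitted."""
    deltas = []
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, set()), after.get(cat, set())
        if a != b:
            deltas.append(Delta(cat, frozenset(a - b), frozenset(b - a)))
    return deltas


def exposure_findings(deltas: List[Delta]) -> List[str]:
    """Pick out additions that widen exposure: new listeners reachable from
    the network, new services running as LocalSystem, new inbound allow
    rules. Loopback-only listeners are left out since they are not
    reachable from other hosts."""
    findings = []
    for d in deltas:
        for item in sorted(d.added):
            if d.category == "listening_ports" and "127.0.0.1:" not in item:
                findings.append(f"new network-reachable listener: {item}")
            elif d.category == "services" and "run-as=LocalSystem" in item:
                findings.append(f"new service running as LocalSystem: {item}")
            elif d.category == "firewall_allow_in":
                findings.append(f"new inbound allow rule: {item}")
    return findings


if __name__ == "__main__":
    for line in exposure_findings(diff_surface(BASELINE, AFTER_INSTALL)):
        print(line)
```

Running it against the constructed snapshots reports the new 0.0.0.0:8080 listener, the new LocalSystem service and the new inbound firewall rule, while the loopback-only mDNS-style listener is ignored. That is the judgement the post is after: not "what changed" but "which changes let more code reach the machine or run with more privilege", and repeating the snapshot after each install is what lets you attribute each change to one application.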
I’m going to put my student assistants to work on this next week and I’ll deliver a more comprehensive report on what I discover.
It is an unprecedented boneheaded move that a French company, Early Flicker, or E-Flicker, is certain to regret. They have registered the Anonymous headless man logo and the slogan “We are Anonymous, We do not forgive, We do not forget. Expect us” with the French National Institute of Industrial Property. Apparently, E-Flicker plans to profit from merchandising; it also gives them the right to take action against anyone else who uses the logo.
Needless to say, Anonymous is not happy: “Their arrogance and ignorance of what they have done will not go unpunished,” Anonymous promised in a YouTube video. “Anonymous will take down any business they have going on the internet and the ninety nine per cent will not stop until the registration has been revoked and a public apology has been made. The name of Anonymous will not be the whore of the world.”
So far, pickapop.fr, E-Flicker’s website, appears to remain online, but I’m sure they can expect some mischief shortly. We’ll see how this plays out. Here’s the video: Anonymous speaks
This story bears repeating. The more things change, the more they stay the same.
Many small business owners treat their business computers like their home computers; they run minimal security and engage in unsafe computing practices. This isn’t my opinion, mind you, it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office and during the course of that visit, I got familiar with how lax they were in setting things up.
The office runs on a Windows 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members and all business data is stored on the server. They’re backing up daily to tape. That’s about as far as it goes before getting ugly. Suffice it to say that even a mediocre attempt to compromise their network would probably be successful. This got me to thinking about what level of security comprises a baseline for small business networks. Here’s what I came up with, see if you agree:
- Physical access to servers, backup, and network equipment is restricted and controlled.
- Backup power sufficient to allow for graceful shutdown of servers is in place.
- The local network is isolated from the Internet by a hardware UTM device, firewall, or NAT router.
- If wireless access is in use, security is applied, preferably WPA or WPA2 with AES encryption.
- File servers are protected by appropriate anti-malware applications.
- Mail servers are protected by anti-spam software or this is implemented at the gateway.
- Password policy requires strong passwords, frequent changes, and is enforced.
- Desktops use screen savers and they are password protected.
- Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
- Desktops have appropriate anti-malware applications installed.
- Company policy regarding appropriate use of the Internet is in place and enforced.
- Data is backed up and media is stored securely off-site.
- Encryption is implemented and in use for the storage of sensitive information.
- Procedure is in place for denying access to personnel upon termination of employment.
If you receive the chain letter “Invitation FACEBOOK – Olympic Torch,” don’t waste your time forwarding it: it’s a hoax, variations of which have appeared in email boxes since 1998 or earlier. Big news items generally spawn such things and the opening of the 2012 Summer Olympics in London is the genus of this one:
PLEASE CIRCULATE THIS NOTICE TO YOUR FRIENDS, FAMILY, CONTACTS!
In the coming days, you should be aware.....Do not open any message with an attachment called: Invitation FACEBOOK, regardless of who sent it. It is a virus that opens an OlympIc torch that burns the whole hard disc C of your computer.
This virus will be received from someone you had in your address book. That's why you should send this message to all your contacts. It is better to receive this email 25 times than to receive the virus and open it.
If you receive an email called: Invitation FACEBOOK, though sent by a friend, do not open it and delete it immediately. It is the worst virus announced by CNN.
A new virus has been discovered recently that has been classified by Microsoft as the most destructive virus ever. It is a Trojan Horse that asks you to install an adobe flash plug-in. Once you install it, it's all over. And there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information of their function is saved.
SNOPES SAYS THIS IS TRUE
In case you are wondering, the line “Snopes says this is true” generally is a good indicator of a hoax. If you check Snopes.com, you’ll find that the link to Snopes (a well-known source of anti-hoax information) is legitimate, but it says exactly the opposite, confirming that the email is false.
Don’t fall for it.
Oh, and did I mention that it also keeps you safer?
Both Firefox and Chrome have added a new security feature called “Click-to-play.” After you enable it–which you will have to do since the feature is not enabled by default in either browser–you will have to click on a specified blank placeholder on the web page if you want the content to play.
Gizmo’s Freeware provides these instructions:
How to enable Click-to-play in Chrome
- Enter “chrome://chrome/settings/content” in the Chrome address bar (without quotes)
- Scroll down the configuration page that opens to the Plug-ins section (shown in the figure)
- Click the button “Click to play”
How to enable Click-to-play in Firefox 14
- Enter “about:config” in the Firefox address bar (without quotes)
- Agree to be careful
- Scroll to the plug-ins section (shown in the figure below)
- Double-click the entry “plugins.click_to_play” so that the Boolean value reads “true”
Just heard the best answer ever to the question of whether security managers need to have hands-on technical skills. An Air Force Major was complaining to an Air Force course director that the major didn’t need to know networking and security taught in the intensive in-house Air Force course, “My people will do that; I never will; I am a manager.”
The course director asked the major, “Do you know what a router access control list is?”
Course director: “Have you ever sat down at a terminal and written an ACL?”
Course director: “Then how do you know your netadmin is doing it right, when just one error in one line can stop all the traffic on your
Major: eyes wide
Course director: “And how do you know whether your netadmin isn’t
Major: “Get me registered for the course.”
Alan Paller is director of research at the SANS Institute.