[I first posted this piece in June of 2007. In light of the Stuxnet attacks and Flame Malware attacks, I believe I was on the right track. It’s fun to look back and see how close we often come to predicting the future.]
It’s 2010, maybe sooner. A rogue nation has just declared war on your country. No one will be killed in this war, at least not directly. But people will die from starvation, disease, and in the general chaos caused by disruption in vital communications lines. The rogue nation’s primary weapon? Botnets capable of taking down huge segments of the Internet and telephone networks.
The ongoing cyber attacks against Estonian web sites, covered in a recent NewsBites edition, should serve as a sobering reminder that Cyber Warfare is not a theoretical threat but a very effective and real one….
Having made my own observations of the shifting threats to computer and network security, I have to agree with SANS editor Skoudis:
Before 2003, our dominant threats were hobbyists and insiders. In 2003 and 2004, the threat then changed to organized crime looking to make money. Depending on the geopolitical environment, the dominant threat may shift again, and very quickly, to state-sponsored cyber warfare.
What’s ironic is that the attacker will, to some degree, be using your own people (as well as your allies) against you. There are certainly a good number of people in every country whose computers have become zombies in a botnet. The actual attackers are virtually untraceable, so unless the attacker makes himself known, you’ll not even know your enemy. Scary.
This is why every citizen, every government, must share responsibility in protecting the security of their country’s network infrastructure. There are steps everyone can and should take…
Nice T-shirt, eh? Yeah, it’s been around for awhile, having been part of one of Mozy’s (the online backup firm) promotions a few years back. It’s a great double entendre (not to mention the eye candy) and really punches home the need for backups. Which is what this post is about. Specifically, it’s about Duplicati, a free backup client that securely stores encrypted, incremental, compressed backups on cloud storage services and remote file servers. It works with Amazon S3, Windows Live SkyDrive, Google Drive (Google Docs), Rackspace Cloud Files or WebDAV, SSH, FTP (and many more).
Duplicati is licensed under LGPL (if you don’t know the difference between this and the GPL, well, better find out) and is available for Windows, Linux and, as of May 2012, MacOS in several languages. AES-256 encryption is built in and GNU Privacy Guard is also available. The latest version is 1.3.2.
It took me less than a minute to download and install with the defaults, but you’ll probably want to turn off the translations unless you speak several languages. After installation, the Duplicati Setup Wizard let me set up a new backup. For test purposes, I selected “Custom folder list” for my backup. After that, I was taken to the “Select password for the backup” screen. Here, you can choose the encryption method you want and set a good password. You can click the magic wand button to generate a super-strong password, or you can use one of your own. I chose to run the backup immediately and everything went smoothly.
Restoring from backup is straightforward: just click the Duplicati tray icon, open the wizard and follow the instructions.
It doesn’t get much easier than that to produce reliable, secure backups.
You know you need encryption to protect sensitive information whether you travel, upload sensitive files to the cloud, or just want to feel secure knowing that your data is accessible only to you; I won’t belabor the point. What I will do is talk about AES Crypt, advanced file encryption software for Windows, Mac, Linux, and Java. AES Crypt uses the industry standard Advanced Encryption Standard (AES) to easily and securely encrypt files:
Using a powerful 256-bit encryption algorithm, AES Crypt can safely secure your most sensitive files. Once a file is encrypted, you do not have to worry about a person reading your sensitive information, as an encrypted file is completely useless without the password. It simply cannot be read.
Steve Gibson uses AES Crypt and had this to say about it in Security Now! Episode 356:
This is simply a utility to give end users access to AES 256-bit file encryption. So it’s just a – it’s as simple as you use this in the same way that you use ZIP to zip up a bunch of files, you use this to encrypt a file. It asks you for a password. And that password is hashed and then used as the key for the encryption. And no force on Earth, as far as we know, if you use a strong password, is able to decrypt it. So it’s absolutely bulletproof.
If you don’t already have it on your system, the installation routine will install the Microsoft Visual C++ 2010 Redistributable. Installation is quick and does not require a reboot. The program adds a context menu entry, so you can simply right-click a file and select “AES Encrypt.” Enter your password (be sure it’s a strong one) and the program creates a new, encrypted file with a .aes extension.
One big advantage is that AES Crypt’s file format is published, so other applications can use it. In fact, Duplicati, an Amazon S3 front end that I will cover in a future post, bundles the file format into its back end, so the files Duplicati stores at Amazon are encrypted in an AES Crypt-compatible format.
If you are a member of music site Last.fm, you may want to change your password. While they have not confirmed that any passwords have leaked, an announcement on their web site says they are “investigating the leak of some Last.fm user passwords.”
This is a good time to think about changing passwords on all of your social media sites. While you’re at it, do a thorough review of all your passwords. If you have a password manager such as LastPass, or KeePass, the chore is much easier.
If you are naive enough to think that you can post anything online, or even surf to a “safe” site, and maintain any semblance of privacy online, then you haven’t been paying attention. If you’re online, most of your life and all of your surfing habits are known. Gary Kovacs, CEO of the Mozilla Corporation gave a talk at TED in February, 2012 called “Tracking the Trackers.” If you aren’t outraged after watching the video, then you’re either completely apathetic or totally clueless.
As you surf the Web, information is being collected about you. Web tracking is not 100% evil — personal data can make your browsing more efficient; cookies can help your favorite websites stay in business. But, says Gary Kovacs, it’s your right to know what data is being collected about you and how it affects your online life. He unveils a Firefox add-on to do just that.
The video is just under seven minutes long and well worth watching. I also recommend you download the Collusion plugin for Firefox. Download Tracking the Trackers.
If you have an account on the social network LinkedIn, you had better change your password immediately. Hackers apparently got hold of an estimated 6.5 million passwords of LinkedIn users, about 4% of the 161 million population. This from Forbes:
According to security researchers, it appears that a file containing hashed passwords for about 4% of LinkedIn’s 161 million users has been posted online and hackers are working to crack it, reports Graham Cluley at Sophos. “Our team is currently looking into reports of stolen passwords,” says LinkedIn via Twitter.
Security researcher Mikko Hypponen says he’s seen three lists which contain a few hundred thousand cracked passwords, including ‘nathanlinkedin,’ ‘linkedintrouble,’ ‘hondalinkedin,’ and ‘eaglelinkedin.’
I checked mine and found that it was the same password I had used on a couple of other sites and I hadn’t changed it for a couple of years. It’s changed now and it’s a good, strong password. Even if mine was among the hashes and the hackers crack it, it won’t do them any good.
We probably haven’t heard the last of this.
On a scale of 0 to 5 (0 being nearly invisible, 5 being at risk), how much of your identity is exposed on the Internet? If you’re wondering, there are some tests you can try that will give you a good idea of your Identity Exposure index (iEi). Here are the tests I performed and some calculations you can use. I chose these tests because they could give an identity thief enough information to impersonate you under the right circumstances. For example, knowing your mother’s maiden name and a former address might be enough to get past a security question or two. Heaven forbid your Social Security number shows up anywhere online!
Keep in mind that this isn’t absolute by any means; it’s more of a quick-and-dirty estimate. But what you find might surprise you.
Use any top search engine. I used Google. My test results are shown in parentheses.
1. Search your name in the form you commonly use; e.g., Ken Harthun, not Kenny, Ken G. or other variants. Count the number of accurate hits on the first page. (9)
2. Search your full legal name as it appears on your birth certificate. Count the number of accurate hits on the first page. (3)
3. Search your mother’s married name, with and without her middle name and middle initial. If her maiden name shows up anywhere on the first page, count 10; if not, count 1. (10)
4. Search the last six digits of your Social Security number, including the dash. If your name shows up anywhere on the first page, count 10; if not, count 1. (1)
5. Search your home phone number with area code. If your current address is shown, count 10; any former address, count 5; else, count 1. (5)
Now, add all the scores. Maximum score is 50. Divide by 10 to get your iEi. It’s your choice whether or not to round off.
As you can see, my score was 28, so my iEi is 2.8, which is above the median. For comparison purposes, I also did the tests using my wife’s information and her iEi is 0.7. That makes sense because she does almost nothing on the web, save for checking her one Yahoo! mail account.
About this time last year, I posted this article about minimum password lengths and ended up recommending 15 characters. I didn’t give it much more thought after that; however, in the light of Steve Gibson’s Password Haystacks and my recent post about PassFault.com, I decided to take those two tools and compare some passwords of various lengths, both randomly generated and built using Steve’s Personal Password Padding. For this test, I chose “unto” as a common word and used it to build variable-length passwords, from 8 to 16 characters, that contain upper- and lower-case letters, numbers, and special characters. I also used LastPass to generate random passwords of various lengths. For both tools I assumed a massive attack scenario with no password file protection.
Password Time-to-Crack Analysis

| Password | Length | GRC’s Brute Force Password “Search Space” Calculator | PassFault’s Dictionary and Pattern Based Analyzer |
|---|---|---|---|
| KF&x8SPw | 8 | 1.12 minutes | less than 1 day |
| wIhE7SdAl! | 10 | 1 week | 3 days |
| 8nK1Uaxh&xC3 | 12 | 1.74 centuries | 50 centuries |
| iD0L&DKv39FBK% | 14 | 15.67 thousand centuries | 1,652,459 centuries |
| eS5E2p^SK#Uwg4WK | 16 | 1.41 hundred million centuries | 242,335 centuries |
| <>Unto90 | 8 | 1.12 minutes | less than 1 day |
| <>Un90to<> | 10 | 1 week | less than 1 day |
| <>Un<>90to<> | 12 | 1.74 centuries | 4 decades, 3 years |
| <>Un<>90to<>90 | 14 | 15.67 thousand centuries | less than 1 day |
| <>Un<>90to<>90<> | 16 | 1.41 hundred million centuries | 3 months |
Obviously, PassFault’s algorithm is flawed, as the last three lines of the table show.
I’m going to stick with 12 characters as an average minimum password length and 15 characters for critical data.
There are all kinds of password strength meters on the Internet and for what most of them do, they’re pretty good. However, nearly all of them assume a brute force attack where the algorithm has to try all possible combinations of characters. In the real world, hackers have learned to use rainbow tables and pattern-matching as their first attempts; the first thing they usually try, of course, is a systematic dictionary attack. This is usually sufficient to guess anywhere from 20 – 50 percent of passwords on a given site. We all know to avoid dictionary words, our names, etc., but what about other password practices that may be risky, assuming all of us use some sort of mnemonic or pattern to remember passwords?
I came across a site called PassFault, a project sponsored by The Open Web Application Security Project (OWASP). It has a nifty application you can use to test passwords: “Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple.” What I found most interesting is the types of patterns Passfault looks for and how it is done:
Passfault identifies patterns in a password, then calculates the number of passwords that could exist in those patterns. This is the measurement of password complexity. It is more academic and much more accurate than existing password analysis tools.
According to the site, you want to avoid these patterns:
- Dictionary Word Insertion – putting random characters in between letters in a dictionary word
- Dictionary Word Substitution – substituting letters with random characters
- Dictionary Word Misspelling – “werd” instead of “word,” for example
- Dictionary Leet Substitution – 137m31n (letmein)
- Dictionary Word Backwards – “drow” instead of “word”
- Repeated Pattern – 123123123
- Random Latin & Cyrillic Characters – PasЛуни, or PasΦΘo®d
- Horizontal, Diagonal & Repeated Key Sequences – asdf, cgybfe, rrrrr, etc.
I decided to test some of this by intentionally violating the guidelines and generally playing around. Note that the tool lets you specify the kind of cracking hardware and password protection to assume. I just used the defaults of “a $900 password cracker” and “Unix SHA1-based Crypt.” Here are the results in time to crack:
- antidisestablishmentarianism – less than 1 day
- 137M31n – less than 1 day
- Password…….. – less than 1 day
- …password… – less than 1 day, but a weird result in that it said “Repeated – Russian”
- %^password^% – 1 day
- %^wordpass^% – 2 months, 4 days
- passwordwordpass – 1 year, 8 months
- %^word^%pass!! – 2 centuries, three decades
- Wo&rd – less than 1 day
- Wo&rdw*rd – 2 months
- Wo&rdw*rdwerd – 13 centuries
- Wo&rdw*rdwerd1337 – 450,556 centuries
- Wo&rdw*rdwerd1337drow – 7,788,860,117 centuries
- [21 random keyboard characters] – 3.7406810448019244e+21 centuries
Conclusion: it’s a fun tool to play with, but no Earth-shattering revelations here. Longer is better and mix it up. Steve Gibson’s Password Haystacks, which presents the concept of password padding, is still the most recent innovation in password theory.