In celebration of (almost) being close to releasing my first eBook to the general public, I’m releasing the list of the 14 Golden Rules of Computer Security in hopes that any last minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:
#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: A first, important step in securing your PC is to install and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Use an un-guessable, or difficult-to-guess password always.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the
folders or drives where the information is stored and use an un-guessable passphrase as the encryption key.
#8: Physical security is almost as important as data security. Make it as difficult as possible through any
physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11 Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.
In the book, each one of these rules is explained in detail with links to tools and other information.
I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.
Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.
Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.
Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:
You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs – the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.
An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!)
The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.
A visitor to my Ask the Geek site told me about a great little utility, UNetbootin for Windows and Linux that allows you to create bootable Live USB drives for a variety of Linux distributions without requiring you to burn a CD. Not only that, but UNetbootin can be used to load system utilities, including:
- Parted Magic, a partition manager that can resize, repair, backup, and restore partitions.
- SystemRescueCD, a system repair, backup and recovery tool.
- Super Grub Disk, a boot utility that can restore and repair overwritten and mis-configured GRUB installs or directly boot various operating systems
- Dr.Web Antivirus, F-Secure Rescue CD, and Kaspersky Rescue Disk, which remove malware from Windows installs.
- Backtrack, a utility used for network analysis and penetration testing.
- Ophcrack, a utility which can recover Windows passwords.
- NTPasswd, a utility which can reset Windows passwords and edit the registry.
- Gujin, a graphical bootloader that can also be used to boot various operating systems and media.
- Smart Boot Manager (SBM), which can boot off CD-ROM and floppy drives on computers with a faulty BIOS.
- FreeDOS, which can run BIOS flash and other legacy DOS utilities.
The tool works like a charm. I’ve made bootable USB drives with ClamAV Live CD, the Kaspersky Rescue Disk, Dr. Web Antivirus, and a couple of others, just to see how it works. These are invaluable tools for we security wonks and I thought I’d pass it on.
Be sure to check out the UNetbootin site for complete information and tutorials on how to make it work.
OMG! I just opened that box that Pandora gave me. I have often said that I don’t like password managers because I don’t consider them secure. That goes double for the password managers built into the browsers. I don’t like anything to reside directly on my system, so that leaves a remote location. These days, “remote location” equates to “The Cloud.”
That’s why I use LastPass and have been using it for more than a year now. All of my passwords are stored online, encrypted, and I only have to remember one master password to unlock the vault. I don’t have to carry anything with me on a thumb drive or install any programs on someone else’s computer in order to access my stuff when I’m not using my own PC.
Don’t take my word for it, check out this list of features. And then decide for yourself.
Oh, by the way, you can generate very secure passwords with LastPass and you don’t have to worry about remembering them, because LastPass will do it for you. Firefox and IE add-ons make things even easier. When you come to a new site you need to set up an account with, LastPass offers to generate a password for you. Then, when you log in, LastPass offers to save all information for the site. If you do that and then come back to the site later, LastPass will give you the option to either auto-fill the information or perform an auto login.
Highly recommended if you don’t want to do your own password management. You can still use all of the methods I’ve proposed for generating secure passwords, but you’ll never have to worry about remembering them. Use my methods to generate the most secure password you can for your LastPass master password and encode it so you can write it down securely, but use LastPass for all your password management needs.
The sheer number of passwords most of us have is a big problem. Even if we have hints written down, how do we know which one created the password for which login? It would appear as though we’re back to writing them down or using a password manager. Don’t worry, though. Here’s how to create secure passwords that you can safely write down; yes, write them down, give them to all your friends–even your enemies–and still be safe. Post them on your monitor at work. Leave them lying around on the bus or train. A simple trick based on cryptographic techniques will conceal your actual password in a form that almost anyone will mistake for the password itself.
Let’s say you found a piece of paper that had this written on it:
What would you think it was? Bet you’d think you’d found someone’s password list, eh? That’s exactly the deception we want: What those strings of characters really mean is known only to you. So, what DO they mean? Let’s take the first example; in my Ask the Geek blog, my article How to Write Down Your Password and Not Worry About Someone Stealing Them, I explain:
[It’s] a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form–02/12/1809–for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.) [Note: even if someone guesses that it’s Abe’s birthday, they still have a long way to go to figure out how it was used – Ken]
Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the "something only you know," with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern).
Pretty slick, eh? This should give you a clue as to what the second one is: 1941ph means (to me) 12/07/1941, the date of the attack on Pearl Harbor that led us into WWII. Based on the pattern, the actual password is 1@0&1(4!. Can you figure out what the last one might mean? (You won’t guess the actual password unless you know what I know about the first part, but you can figure out what the code hint is.) Post your comments and we’ll see how you do.
I don’t recommend you use these examples, for obvious reasons; you’ll want to come up with your own ways of doing things and your own hints using things that mean something only to you.
A little Alliteration is good for writing effect every now and then; why not apply this to passwords? I don’t mean to write out an alliterative phrase and turn it into a password or passphrase (though you could, I guess); what I mean is to use a pattern that makes it easy for you to remember the password, but still results in a very strong, un-guessable one. Here’s an example of a very strong password: 19[-[Phrase]-]60.
This one is very weak: %6*Some*Phrase*6%. Can you see why? Too many repetitions of characters. Change it slightly, %6!Some*Phrase!6%, and it becomes very strong.
The trick is to come up with a pattern that means something to you. By no means should you use the patterns I suggest—use something that will be easy for you to remember.
I’ll leave it to you to analyze the two examples and let you come up with your own. Remember, the bad guys read these blogs, too.
The Sydney Morning Herald reports, “Hackers break into police computer as sting backfires:”
An Australian Federal Police boast, on the ABC’s Four Corners program, about officers breaking up an underground hacker forum, has backfired after hackers broke into a federal police computer system.
Well, if you read the article, you’ll see that they use the term “broke into” rather loosely. It wasn’t much of a break-in as one of the hackers wrote on a forum post:
The hacker wrote ‘I couldn’t stop laughing’ on seeing that the federal police’s server was running Windows, which is known among hacker communities for being insecure. Police had also ‘left the MYSQL password blank’.
No password! Absolutely ridiculous. These are the police, people responsible for security on many levels, and they don’t even put a password on their database? Unbelievable.
People, come on; there’s only one thing worse than having a weak, easily guessable password and that’s having no password at all. I can see why the hacker was in stitches; stupidity is often funny, especially when exhibited by people who should know better.
Let me repeat Golden Rule of Computer Security #1: The best security measures are completely useless if you invite attackers into your PCs or networks.
No better invitation than an open door, is there?
Linux proponents often gloat over the seeming lack of security vulnerabilities in the Linux kernel when compared to Microsoft Windows; Windows proponents counter saying that Linux is just enjoying “security through obscurity.” Seems the Windows people may be justified to some degree as reports of a Linux vulnerability puts most versions of the Linux kernel built in the last eight years at risk of complete takeover.
According to The Register, “The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder, (for example, sock_no_accept), the function pointer is left uninitialized. Sock_sendpage doesn’t always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine.” This means that it’s trivial for an attacker to put code in the first page and that code will get executed with kernel privileges. You can read a full rundown of the vulnerability at the CR0 Blog.
All Linux kernel 2.4 and 2.6 versions since May 2001 are affected. The vulnerability has been patched, but “this is the second time in less than a month that a serious security vulnerability has been reported in the Linux kernel. In mid July, a researcher alerted Linux developers to a separate "NULL pointer dereference" bug that put newer versions at risk of complete compromise,” according to The Register.
There’s no question that Microsoft has ongoing security issues; it’s no surprise that Linux is beginning to show the same. The only difference lies in the attack surface; Microsoft is still the biggest target. As Linux continues to gain market share, however, we’ll be seeing more researchers focusing their attention on the Open Source OS; as they do, they’ll find more and more vulnerabilities there, too.
There’s a technology called “secure coding” that still hasn’t been fully developed, much less implemented on a grand scale; until programmers fully get this concept, we’re saddled with insecure OS’s and applications.
There’s a vulnerability affecting Gmail accounts that was recently announced by security researcher Vincente Aguilera Diaz. You can read the posting on the Full Disclosure security list which contains complete details on how a Gmail authentication attack is accomplished and how it can be automated.
Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.
Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa, 12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.
Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.
If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.
A botnet that uses Twitter for command and control? You bet. Jose Nazario over at Arbor Networks apparently found one: “Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run.” The bots connect to the Twitter account using an RSS feed, allowing them to receive the tweets in real time without having their own accounts on Twitter. Pretty slick.
The tweets themselves are base64 encoded and when Nazario translated one of them, it was clear the encoded tweet was sending links to the bot.
Oddly enough, there’s no mention of this at http://status.twitter.com, but the account in question (well, one of them, at least—there are probably more), https://twitter.com/upd4t3, has been suspended, so it appears that Twitter security folks are on the ball.