Sometimes, it’s a good thing to take a breather from the routine, to venture off into something more fun than the serious day-to-day concerns of network and computer security. One of my interests is cryptography, especially its history, and I love to play around with cryptograms in the daily newspaper, even though they’re just simple substitution ciphers (though there are some puzzle books out there that use polyalphabetic and transposition ciphers).
There’s no question that computers have taken cryptography well out of the realm of human-generated codes and ciphers. Done properly, modern encryption systems produce output that appears to be nothing more than random noise to a human–and no human will ever be able to break those ciphertexts without the help of powerful computers. Yet, there are human-generated ciphers that haven’t been cracked. One of those is the D’Agapeyeff cipher, which appears as “…a cryptogram upon which the reader is invited to test his skill” in the first edition of “Codes & Ciphers,” written by Alexander D’Agapeyeff, published by Oxford University Press in April, 1939.
The book is an elementary text on classic encryption methods, and the cryptogram is placed on the final page of the final chapter, which details methods of decryption of the various types of ciphers. Here’s the cryptogram as it appears in the book (this was omitted from later editions for reasons unknown):
75628 28591 62916 48164 91748 58464 74748 28483 81638 18174
74826 26475 83828 49175 74658 37575 75936 36565 81638 17585
75756 46282 92857 46382 75748 38165 81848 56485 64858 56382
72628 36281 81728 16463 75828 16483 63828 58163 63630 47481
91918 46385 84656 48565 62946 26285 91859 17491 72756 46575
71658 36264 74818 28462 82649 18193 65626 48484 91838 57491
81657 27483 83858 28364 62726 26562 83759 27263 82827 27283
82858 47582 81837 28462 82837 58164 75748 58162 92000
I assumed (correctly, I think–see this article) that two numbers represent one letter and that this was some sort of simple substitution cipher. I divided the cryptogram thus, omitting the three zeros that are obviously nulls:
75 62 82 85 91 62 91 64 81 64 91 74 85 84 64 74 74 82 84 83 81 63 81 81 74
74 82 62 64 75 83 82 84 91 75 74 65 83 75 75 75 93 63 65 65 81 63 81 75 85
75 75 64 62 82 92 85 74 63 82 75 74 83 81 65 81 84 85 64 85 64 85 85 63 82
72 62 83 62 81 81 72 81 64 63 75 82 81 64 83 63 82 85 81 63 63 63 04 74 81
91 91 84 63 85 84 65 64 85 65 62 94 62 62 85 91 85 91 74 91 72 75 64 65 75
71 65 83 62 64 74 81 82 84 62 82 64 91 81 93 65 62 64 84 84 91 83 85 74 91
81 65 72 74 83 83 85 82 83 64 62 72 62 65 62 83 75 92 72 63 82 82 72 72 83
82 85 84 75 82 81 83 72 84 62 82 83 75 81 64 75 74 85 81 62 92
You can see that no pair begins with a number less than six and no pair ends with a number greater than five. This suggests a matrix like this:
    1 2 3 4 5
6   a b c d e
Using this hypothetical grid, 61 is “a,” 65 is “e,” etc. That’s as far as I’ve managed to go.
Anyone else like to play with this?
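The pairing step and the digit-range observation above can be checked mechanically. The following is an added example, not part of the original post; the function names are my own, and the ciphertext is copied from the five-digit groups printed above. It splits the text into pairs, lists any pair that falls outside the 6-9 / 1-5 pattern, and builds the frequency table a substitution attack would start from.

```python
from collections import Counter

# Ciphertext copied from the five-digit groups printed in the post.
CRYPTOGRAM = """
75628 28591 62916 48164 91748 58464 74748 28483 81638 18174
74826 26475 83828 49175 74658 37575 75936 36565 81638 17585
75756 46282 92857 46382 75748 38165 81848 56485 64858 56382
72628 36281 81728 16463 75828 16483 63828 58163 63630 47481
91918 46385 84656 48565 62946 26285 91859 17491 72756 46575
71658 36264 74818 28462 82649 18193 65626 48484 91838 57491
81657 27483 83858 28364 62726 26562 83759 27263 82827 27283
82858 47582 81837 28462 82837 58164 75748 58162 92000
"""

def split_pairs(text, nulls="000"):
    """Join the groups, drop the trailing nulls, return two-digit pairs."""
    digits = "".join(text.split())
    if digits.endswith(nulls):
        digits = digits[: -len(nulls)]
    if len(digits) % 2:
        raise ValueError("odd number of digits; cannot split into pairs")
    return [digits[i:i + 2] for i in range(0, len(digits), 2)]

def off_pattern(pairs, rows="6789", cols="12345"):
    """Return (index, pair) for every pair that breaks the row/column pattern."""
    return [(i, p) for i, p in enumerate(pairs)
            if p[0] not in rows or p[1] not in cols]

def grid_labels(pairs, rows="6789", cols="12345"):
    """Row and column digits actually used by the pairs that fit the pattern."""
    ok = [p for p in pairs if p[0] in rows and p[1] in cols]
    return ("".join(sorted({p[0] for p in ok})),
            "".join(sorted({p[1] for p in ok})))

def pair_frequencies(pairs):
    """Frequency table of pairs, the starting point for substitution analysis."""
    return Counter(pairs)

if __name__ == "__main__":
    pairs = split_pairs(CRYPTOGRAM)
    print(len(pairs), "pairs; grid labels used:", grid_labels(pairs))
    print("pairs outside the pattern:", off_pattern(pairs))
    for pair, count in pair_frequencies(pairs).most_common(5):
        print(pair, count)
```

Run on the text above, it yields 196 pairs and flags a single pair that does not fit the pattern: 04, which comes from the groups 63630 47481.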
OK. So you’ve installed a NAT router, you’ve changed the default login and password, and you’ve used an unguessable password. You’ve done everything right so far. However, you still may be vulnerable; in fact, you probably are, even if you keep your operating system patched. In a Lockergnome posting last year, I wrote:
To say nothing of Microsoft Windows, there are few, if any, application software packages that are free of security vulnerabilities. The SANS Institute publishes its Top 20 Internet Security Attack Targets on a regular basis and Secunia currently lists 14,043 pieces of software and operating systems with vulnerabilities.
Not surprisingly, Secunia reports that as of this date, the above number has increased by more than 3,300:
Our database currently includes 17,406 pieces of software and operating systems.
It probably won’t surprise you that Microsoft leads the list, but that is by no means the only source of security vulnerabilities out there. The truth is, if you’re on the ‘Net and running any unpatched software, you’re a target; I can look at my firewall logs and identify what vulnerabilities are being targeted on my machine. Many of these holes have long since been patched and there’s no excuse for your not having patched them.
So much for the bad news. The good news is that most reputable software companies, when informed of a vulnerability by security researchers, promptly issue a software patch to fix it. These are widely available to the public for free download or through update features built into the software packages. Windows and other software packages allow you to enable automatic updates (which you should do).
I give you Security Maxim #5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
In my last post, I stressed the importance of changing the default username and passwords of all configurable network devices. That’s good advice. But a weak password, one that is easily guessable, is almost as bad as no password. Far too many people use a password that’s obvious; i.e., given some basic information about the person, a determined hacker could easily guess it without too much effort.
I have two clients, both of which generate some serious confidential data, who set up initial passwords for new users in the form password.2008 or changeme. (Thankfully, I recently convinced both of these clients to implement password policies!) I’ve been able to use basic observation and small talk to guess users’ passwords about 20% of the time. The first thing I try is a blank password–you’d be surprised how often that works, especially for home users. Next, I’ll try the user name, the spouse’s name or “password.” I may try a couple of other things, like “123456,” “asdfjkl;” or, believe it or not, “********.” Usually, though, I just ask them for the password and they give it to me.
According to Wikipedia, there are several things many people use as passwords that result in their being predictable:
Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:
- blank (none)
- the word “password”, “passcode”, “admin” and their derivates
- the user’s name or login name
- the name of their significant other or another relative
- their birthplace or date of birth
- a pet’s name
- automobile license plate number
- a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
- a row of letters from a standard keyboard layout (eg, the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)
So, if you want to protect your router and the other devices on your network, never use anything from the above list and apply Security Maxim #4: Use an unguessable, or difficult-to-guess password always.
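A password policy can reject most of the patterns in the list above before a password is ever accepted. The following is an added example, not code from the original post; the function names, word list and sample values are constructed for illustration, and the personal details (names, birthplace, pet, license plate) are assumed to be supplied by the caller.

```python
import re

# Words from the list above, plus the initial password mentioned in the post.
COMMON_WORDS = {"password", "passcode", "admin", "changeme"}
# Rows of a standard QWERTY layout (assumption: US layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl;", "zxcvbnm", "1234567890")

def _variants(candidate):
    """The candidate with the 'simple modifications' from the list undone."""
    base = candidate.lower()
    stripped = re.sub(r"[\W\d_]+$", "", base)  # drop suffixed digits/punctuation
    return {f for f in (base, stripped, base[::-1], stripped[::-1]) if f}

def guessable_reasons(candidate, personal_info=()):
    """Return the reasons a candidate password matches a guessable pattern."""
    if candidate == "":
        return ["blank"]
    forms = _variants(candidate)
    reasons = []
    if len(set(candidate)) == 1:
        reasons.append("single repeated character")
    if any(word in f for f in forms for word in COMMON_WORDS):
        reasons.append("common word")
    info = {s.lower() for s in personal_info if s}
    if forms & info:
        reasons.append("personal information")
    if any(len(f) >= 4 and f in row for f in forms for row in KEYBOARD_ROWS):
        reasons.append("keyboard row")
    return reasons

if __name__ == "__main__":
    # Constructed samples; "Rex" stands in for a pet's name on file.
    for pw in ["", "password.2008", "changeme", "123456", "rex1", "********"]:
        print(repr(pw), guessable_reasons(pw, personal_info=("Rex",)))
```

An empty result means only that none of the listed patterns matched; it is not a measure of password strength.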
Next time: How you can do everything right and still be vulnerable to attack.
Last time, I stressed having a NAT router–or router/firewall–between your PC and the Internet as a first line of defense. This is without question the first, most important security step, but it can be useless unless you have it properly configured; in fact, omitting one crucial first step can leave you even more vulnerable to attack than you would be without the device.
So, put this on your list as Security Maxim #3: Always change the default username and password of any configurable device you put on your home network.
Next time: You’ve changed your default router password; you still may be vulnerable.
The other day, I gave you what I consider to be the most basic security maxim, one on which I base all of my security practices: The best security measures are completely useless if you invite attackers into your PCs or networks.
Windows users will remember back before Windows XP Service Pack 2 was released that simply plugging your computer into your cable or DSL modem was almost certain to result in your being compromised in short order. (Who can forget the havoc that Sasser and other worms wreaked before Microsoft wised up and finally turned the firewall on by default?) Running naked with all ports open to the world is a gold-gilt invitation to every criminal and mischief maker on the Internet, and while running a software firewall is a good idea, it’s not nearly enough–crackers already know how to take down XP’s firewall.
Consider this: every IP address owned and/or issued by your Internet Service Provider, no matter who that may be, is constantly being targeted by hackers that are scanning the ‘Net or worms that are infecting the ‘Net. The IP address assigned to me by my cable Internet provider has been scanned or probed 46 times in the last hour; this goes on 24 hours a day, seven days a week. I certainly don’t want my PC’s software firewall subjected to this kind of thing; yet, most people, not knowing any better, plug their computer directly into the broadband modem. Why do this when there is an inexpensive, simple, yet effective first line of defense available at any big box electronics or office supply superstore–a router?
Through the beauty of Network Address Translation (NAT), even the cheapest router becomes an effective hardware firewall, virtually making your PC invisible to the ‘Net. NAT Router Security Solutions by Steve Gibson of “Security Now!” explains NAT in detail. Here’s one of his illustrations from that article:
I must mention that except for one, simple configuration change that is absolutely essential, these simple devices work fine right out of the box. The average user can plug it in and not have to worry about a complicated setup process.
So, here’s Security Maxim #2: A first, important step in securing your PC is to install and configure a NAT router.
(Note: I first posted this maxim nearly a year ago at Ask the Geek, Too. The article was entitled, How to Secure Your Computer: Maxim #2 (or, How Not to Invite Attackers Into Your PCs and Networks). Since then, many routers now contain built-in firewalls, so do double-duty and are even more secure.)
Next time: the one, most overlooked configuration option that can render your router or firewall useless and make you even more vulnerable than you were without it.
Your comments are welcome!
The good folks at IT Knowledge Exchange and TechTarget have granted me the privilege of sharing my views on computer and network security with you. I’m proud to have this opportunity and I thank them for the opportunity.
Having worked in IT in various capacities since the early 1980’s, I’ve seen the need for security evolve from simple protection against viruses to the need for complex security policies designed to combat multiple attack vectors. These days, it takes constant vigilance to stay ahead of criminal hackers, to say nothing of terrorists; moreover, clueless users are often unwitting accomplices in security breaches. (See my article “Will You Be Used As a Weapon Against Your Own Country?”)
Today’s Internet is reminiscent of the Wild, Wild, West, only now it’s the Wild, Wild Web: Make a mistake, and you could be virtually dead before sundown, your identity stolen, your financial resources drained, your reputation ruined. Protecting yourself online seems like a daunting task, especially for the average home computer user; however, it’s not as hard as it seems, given some common sense and an understanding of basic security principles.
My goal for this blog is to provide simple, sound advice, news, and tips that will help you be more secure in your computing both at home and at the office. And the first piece of advice I’ll give you is one I consider the most basic principle of computer security, the first in my series of computer security maxims, Maxim #1: The best security measures are completely useless if you invite attackers into your PCs or networks.
In this blog, we’ll be exploring how not to invite attackers into your PCs and networks as well as a myriad of other topics. I hope you’ll join me in my explorations and ruminations, and I look forward to your comments and contributions.