Selecting A Secure Password

July 27, 2010

Out of the many authentication methods available (biometrics, security tokens, smart cards, public and private cryptographic keys, etc.), passwords are one of the most common forms of authentication, especially on small private networks such as those used by home users and small businesses.

Considering that we rely on this string of text to protect some of our most valuable information, access to personal accounts, and key critical systems, it should not come as a surprise that we need to ensure that we select a strong password. Nothing in this world is perfect, and password authentication is no different. A weak password can easily be broken by anything from crude tactics such as guessing to advanced tactics such as a brute force dictionary attack.

So, what are the guidelines to making a password secure enough to defend your data? Well, there are many differing opinions on this. My goal is to share my opinion with you through this blog post, as well as some helpful tips on how to create and manage a list of strong passwords.

I feel that everyone should be using what is commonly referred to as a strong password. However, I believe that some applications of password authentication, such as on a mission critical server, should go even a bit further than your average strong password, so I’ll share two sets of guidelines with you. One for everyday computer use, and some additional tips that I would recommend to protect more confidential or invaluable data and systems.

Strong Passwords for the Average User

  1. Password Length- For a strong password for the average user, I would recommend a password that is at least 15 characters in length. The longer and more complex your password is, the more difficult it will be for software or a human to crack.
  2. Letters, Numbers, and Special Characters- I would strongly suggest including numbers and special characters (such as !@#$%^&*(), etc.) in your password. This increases the complexity of the password and makes it more difficult to crack or guess.
  3. Avoiding Common Words or Phrases- One common password cracking technique is a dictionary attack. It uses a dictionary file to try common words against your password. To prevent your password from being broken by a dictionary attack, avoid using common words or phrases that might be found in a dictionary.
  4. Creating a “passphrase”- To take the concept of a strong password even further, you can elect to create a passphrase. This can be particularly effective because it will easily create a long password that is easy to remember. When you mix this concept with the other tips I’ve provided, you’ve got a very powerful password that will be very difficult to crack.
  5. Substituting Special Characters for Letters- Have you ever noticed how some special characters look like letters? ($=S, #=H, @=a, !=i, etc.) Use this to your advantage by substituting these characters for similar letters in your password, or better yet, your passphrase. This helps to further protect you from dictionary attacks by obscuring what the words used in your passphrase actually are, at least as far as the software can tell.

Here are a few examples of strong passwords or passphrases.

z@c# !$ t#e m@n = Zach is the man

t#!$ i$ @ $+r0ng p@$$p#rase ex@mple 2! = This is a strong passphrase example too!

Of course you can choose to make it much more complex and you can get very creative with these.

Additional Tips For Key Systems and Data

  1. Use An Even Longer Password- You may want to consider a password length of anywhere from 20-50 characters.
  2. Randomization- If you create a massive password with no clear patterns you’ll have something much more difficult for software to crack. It should still incorporate a mix of characters, in order to create the most variety while avoiding patterns.
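The checker below is an added example, not code from the original post; it turns the guidelines above (length, mix of characters, no dictionary words) and the 20-character lower bound for key systems into a policy check. One detail a practitioner wants: it undoes the post's letter substitutions ($=S, #=H, @=a, !=i) before looking for dictionary words, because cracking tools apply the same substitutions as mangling rules. The word list is a small constructed stand-in for a real dictionary file.

```python
import math
import re

# Substitution table from the post ($=S, #=H, @=a, !=i) plus a few other
# common swaps (+=t, 0=o, 1=l, 3=e, 4=a, 5=s). Cracking tools apply the same
# swaps as mangling rules, so the checker undoes them before word matching.
LEET = str.maketrans({"$": "s", "#": "h", "@": "a", "!": "i", "+": "t",
                      "0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

# Constructed stand-in for a dictionary file; a real checker loads a word list.
DICTIONARY = {"zach", "is", "the", "man", "this", "a", "strong", "passphrase",
              "example", "too", "password", "welcome", "summer", "letmein"}

MIN_LENGTH = 15         # the post's minimum for everyday use
KEY_SYSTEM_LENGTH = 20  # the post's lower bound for key systems and data


def normalize(password: str) -> str:
    """Lower-case the password and undo the symbol-for-letter substitutions."""
    return password.lower().translate(LEET)


def dictionary_words(password: str) -> list:
    """Dictionary words that survive once the substitutions are undone."""
    return [w for w in re.findall(r"[a-z]+", normalize(password)) if w in DICTIONARY]


def character_classes(password: str) -> int:
    """Count of lower, upper, digit and symbol classes present (0-4)."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def naive_entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: each character treated as a uniform
    pick from the union of the classes present. Passphrases built from words
    have far less, which is why the dictionary check matters."""
    sizes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    pool = sum(n for p, n in sizes if re.search(p, password))
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def check_password(password: str) -> dict:
    """Apply the post's guidelines and return the findings."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 2:
        findings.append("letters only: add numbers or special characters")
    words = dictionary_words(password)
    if words:
        findings.append("dictionary words after undoing substitutions: " + " ".join(words))
    return {
        "length": len(password),
        "classes": character_classes(password),
        "naive_bits": naive_entropy_bits(password),
        "key_system_length": len(password) >= KEY_SYSTEM_LENGTH,
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    # The post's first passphrase, a classic substitution password, and a random one.
    for candidate in ("z@c# !$ t#e m@n", "P@ssw0rd", "kT9#vL2$qW8!mZ4&rY"):
        print(candidate, "->", check_password(candidate))
```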

These tips will produce passwords that are very difficult for either humans or software to crack, but how are you supposed to keep up with one of these, much less several? Well, I have a helpful recommendation for that as well: KeePass. It’s an open source password database. You use one strong password to control access to the database, and then store all of your other strong passwords inside it. Now you only have to remember one strong password to access the individual strong passwords for each site or computer on which you have an account. You can keep the database on a USB drive so you always have it with you, and so that it is not exposed to attackers except while you are actually using it.

I encourage you to share your own tips on creating a strong password as well as tips on how to manage them.


Safe Shopping Online

June 22, 2010

Today I’m going to give my two cents on a common information security question. Is it safe to shop online?

When it comes to shopping online there’s more to consider than just your own computer’s security. You also have to consider the security put in place by the people you’re doing business with.

The first thing you should ask is “are they using a secure connection?” You can check by looking at the address bar: the web address will start with “https” rather than “http.”

This is important because the information (in this case, your credit card information) passes through many devices between your computer and their web server. Anyone in the path from you to them could potentially intercept the packets of information you’re transmitting with a tool called a packet sniffer. If it’s a secure connection, then your data is encrypted while it’s on its way to their web server, so if it were intercepted, it wouldn’t be decipherable.

The next thing you want to consider is whether they store your credit card information in a database, and if so, whether there is any way to get them to remove it. You can usually find this information by reading their website’s privacy policy, which can often be found at the very bottom of the page. If you can’t find the information in the privacy policy, you can also contact the business directly and ask them if they store your information after your purchase is completed, and if so, ask if you can have them remove it.

If they do store your information, then you’re relying on them to safeguard and protect your information. If they fall behind on their security patches and updates, then it won’t matter how often you update and maintain your own security. Their database can be breached and your information can be stolen from them.

Anytime you’re buying online, you should consider the implications of trusting your security to someone else. In this case their security actually matters more than yours does, as web servers that hold personal information are much more likely to be targeted by skilled and determined hackers than your home PC is.

Beyond the threat of identity theft is the threat of being ripped off. There are a lot of scams out there, as I recently mentioned in my post about a Craigslist scam which seeks to install malware on your computer. The best rule of thumb is to only deal with established businesses when you’re buying online, because it’s just too easy for anyone to set up a website to sell you something, collect your money, and disappear. Often you can find reviews of the business on sites like Ripoff Report, especially if they’ve been up to no good. A quick Google search can also bring up some customer reviews of the business, and you can often find them on social networking sites like Facebook and Twitter, where customers can offer feedback as well.

I would also recommend checking out the business on the Better Business Bureau website, to see what kind of rating they have and if they have any complaints against them. One of the most valuable things about the BBB is that the business has no control over the content, like they do on social networking sites, so they can’t remove negative feedback and experiences.

With this information you’re now ready to safely shop online without placing your information or your money at risk. Safe shopping!

Craigslist Malware Con

June 20, 2010

Like many other people, we have a lot of junk lying around. We have yard sales to try to get rid of some of that junk, but for the big ticket items as well as the most unique, we’ve found that Craigslist is a great place to get rid of our junk and make some money along the way.

My mother was trying to sell a childhood toy of mine we uncovered in another one of our attempts at getting rid of the old junk packed into our building. It’s a Sesame Street Big Bird, who read a story by playing a cassette tape of the story that you put in a cassette player built into the back of the toy.

Shortly after posting this Big Bird toy, she gets a response from a lady who is interested in buying the toy. The lady says that she wants to make sure that this is the toy she is looking for, because in the past she has purchased the wrong toy. Everything looks alright so far, but what the lady does next sets off a red flag.

The lady links to a video, asking my mother to view it in order to confirm that the toy in the video is the one she is selling. The video asks my mother to install a codec that will be required to view the video. Luckily, since I’m always talking about Information Security, my mother gets an earful of it as well, and so she knew that this was a suspicious video. The lady tries to pressure her into viewing the video by saying that if she confirms it’s the same toy, the lady will come buy it that same day. This sets off another red flag because the toys are not rare and the price was researched, so it is neither hard to find nor the best price to be found.

My mother calls me up and asks me to check it out. I remote desktop to her computer, and sure enough by examining the e-mail and the video, I see that it perfectly fits the method of operation for hackers trying to spread malware. As I’ve mentioned in my safe browsing habits blog post, you should never download software to view a video. If it says you need to update a program you already have, download the update from the software vendor’s website, not from the link you were contacted with and asked to use.

I’ve seen similar tactics used on Facebook to send users to malicious links; these are typically videos which require you to install software to view them. But I have never seen this type of attack on Craigslist, where the typical scam is an attempt to wrangle you out of your money through wire transfers.

Although the hackers continue to expand the venues through which they attempt to trick you into installing their malware, their method of operation typically remains the same because it’s tried and true. It’s my mission to help end users understand these methods, so that they can spot these scams no matter where they crop up. After considering this example, it looks as though I’m succeeding.

Malware Misconceptions

June 17, 2010

A common misconception is that there is no malware for Macs. I’ve informed many people of the truth behind this misconception during my volunteer work with AVG Technologies’ community efforts. I can understand the average user believing the hype, but I recently encountered an IT professional who actually thought that Steve Jobs had created a literally perfect product. Steve Jobs may have a cult following, but he is no God, and he has yet to create anything perfect.

I was answering a question on the professional networking site LinkedIn. A student in Bangalore, India was interested in learning how to secure his computer from hackers and malware.

A Disk Jockey was the first to answer the question, and had simply said “buy a Mac.” Now, ignoring the implications of a DJ answering Information Security questions with authority, after providing some useful information on the topic, I mentioned that using a different Operating System is not a real security measure.

Using a Mac or Linux OS as one’s sole security measure is called “Security Through Obscurity.” Basically the concept of security through obscurity is that Microsoft has the largest market share, with many more people around the world using a PC rather than a Mac or using a PC that’s running Linux. Hackers and malicious software developers are looking to infect as many people as possible with as little effort as necessary. It makes sense to target the device that the most people are using, so most criminals target Windows systems. So, basically you’re relying on nobody attacking your computer in order to stay safe. See what the problem is with security through obscurity? It’s the same as leaving your home and closing the door, but not locking it. Sure, everything looks alright from outside, but if someone actually walks up and tries to open the door, they’ll have no trouble at all getting inside and making off with everything they can carry.

I might expect this from your average user, who doesn’t know the implications of their actions until they are provided with the evidence, but I was surprised to see an IT professional with several years of experience refute my points about security through obscurity. He actually said “no one has put forth a successful attack on the Mac OS ever.” Of course, this is a wildly inaccurate statement. Here’s just one example that cites 20,000 Mac users who were infected by malware. I provided other examples in my reply as well, such as this FAQ and this information on Mac Malware provided by Panda Labs. He also went on to say “Now, security through obscurity is a false argument. The Ubuntu OS on the iPhone is under 10,000 users. As close to the smallest user set as can be measured, and yet, it was hacked within weeks of being released.” Now, considering that the original iPhone already had a 20% market share by the third quarter of the same year it was released (and it was released around the middle of 2007), I don’t think that a wildly popular product is a good example of security through obscurity, because the whole point is using an unpopular product that doesn’t have a large market share in order to avoid attacks, but I digress.

If the IT professionals of the world don’t know better than to do some research for themselves, how are the end users of the world supposed to get the facts? That’s why I’m writing this post, to alert you, the end user, to the dangers of the very real self imposed threat of security through obscurity. If you want to stay safe online, the first step is to take responsibility for your own actions and your own security. I recommend getting started by learning some safe browsing habits. You can’t leave all your security up to someone else, and you certainly shouldn’t leave it up to chance that nobody will attack your computer, considering that an average of at least 25,000 new malware variants are released daily, and by 2015 Trend Micro expects to see at least 25,000 new variants released per hour!

Please feel free to leave comments, ask questions, and provide your own thoughts on “security through obscurity.”

Update!: AVG has released LinkScanner for Mac after I originally published this article. I strongly suggest installing LinkScanner for Mac to add LinkScanner’s powerful protection to your tech defense arsenal.

Safe Browsing Habits 101

May 3, 2010

I’ve found that when I say “practice safe browsing habits” many people have no idea what I’m talking about. This is an unfortunate truth in our world, and I hope that by writing this post that I can help to educate some of you on how to stay safe on the Internet, so that more people will know and practice safe browsing habits.

I’ll break this up into categories. This will be an ongoing and updated page as I think of more tips to list here. I encourage those who read this post to submit your own tips in the comments for inclusion in the list if I’ve missed them, to share your stories about what happened because you didn’t practice safe browsing habits, to share this link with your friends and family, and to give your opinion of this post and its content.

General Internet Safe Browsing Habits

  1. Always check the address bar at the top of the screen to ensure you’re at the official website, and not a carbon copy of the website you think you’re at, hosted at a different address.
  2. Always look for the little yellow padlock and the letters “https” rather than “http” when signing into an online account or making online purchases. This means that information you provide, such as your name, address, and credit card information, is being encrypted on its way to the web server that hosts the website you’re buying from. This is important because this information crosses many public devices before reaching its destination, and a man in the middle can access this data if it’s not encrypted.
  3. Avoid shady sites which promise offers too good to be true such as: free electronics, free software that you normally have to pay for, pirated software, nude celebrities, and the list goes on.
  4. Use a tool like AVG’s LinkScanner, which scans each page you visit before allowing you to visit it, preventing drive by downloads or malware installation scripts from infecting your computer.
  5. Install Anti-Virus software. I prefer AVG, but there are other providers out there as well. It’s up to you to get the lowdown on each and make an informed decision as to which product to use. If you trust my judgment and technical knowledge more so than your own when it comes to this subject, pick up a copy of AVG Free. If you find yourself impressed with the free version, you might consider springing for the paid version, it has a lot of great features the free version doesn’t.
  6. Always keep in mind that your Anti-Virus software is not a get out of jail free card to do whatever you like on the Internet and not get a virus. If you do not practice the safe browsing habits listed here, along with some good ol’ fashioned common sense, in conjunction with your AV software, then you may do something which circumvents your AV software’s protection (such as downloading and installing a virus yourself). Also, considering How Anti-Virus Signatures Work, you may not always be protected from all the latest threats as they occur (that’s referred to as a zero day vulnerability), but if you’re practicing safe browsing habits, you may avoid a threat that even your AV software couldn’t have protected you from.
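Habits 1 and 2 above, and the “https” check in the Safe Shopping post, boil down to two questions about the address bar: is the connection https, and is the host really the site you think it is? The checker below is an added example (not code from the original post) that answers both for a URL and the host you expected; it also catches the tricks that fool a quick glance, such as “bank.example.evil.test”, a “bank.example@” username in front of the real host, digits standing in for letters, and internationalised (xn--) labels. All hosts in it are constructed examples.

```python
from urllib.parse import urlsplit

# Digits and symbols that read as letters in an address bar; used to spot
# hostnames such as examp1e.test that mimic example.test. Constructed table.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def check_url(url: str, expected_host: str) -> list:
    """Return findings for a URL the user believes belongs to expected_host.
    An empty list means: https, and the host is expected_host or a subdomain."""
    findings = []
    parts = urlsplit(url)
    expected = expected_host.lower()
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("not https: details travel in the clear")
    if parts.username is not None:
        # Everything before '@' is a username, not the site; the browser
        # connects to whatever follows it.
        findings.append(f"'{parts.username}@' is a username, real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (xn--) label: may imitate Latin letters")

    if host == expected or host.endswith("." + expected):
        return findings
    if expected in host:
        # The familiar name is only a prefix or subdomain of someone else's domain.
        findings.append(f"{expected} appears inside {host}, which is a different site")
    elif host.translate(CONFUSABLES) == expected:
        findings.append(f"{host} uses look-alike characters for {expected}")
    else:
        findings.append(f"host is {host}, not {expected}")
    return findings


def is_safe_to_sign_in(url: str, expected_host: str) -> bool:
    """True only when no finding was raised."""
    return not check_url(url, expected_host)


if __name__ == "__main__":
    # Constructed examples; none of these hosts are real sites.
    for u in ("https://bank.example/login",
              "http://bank.example/login",
              "https://bank.example.evil.test/login",
              "https://bank.example@evil.test/login",
              "https://bank.examp1e/login"):
        print(u, "->", check_url(u, "bank.example") or ["ok"])
```

The suffix check is deliberately simple: a production version would compare registrable domains using the public suffix list rather than raw string endings.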

E-mail Safe Browsing Habits

  1. Don’t open e-mails from people you don’t know.
  2. Don’t open e-mail attachments from people you don’t know.
  3. Beware of e-mail attachments from people you do know. If the e-mail said nothing about an attachment or you weren’t expecting one, get in touch with the person through some medium other than e-mail and find out what’s in the attachment, and make sure they sent it. It’s common for some worms to e-mail themselves to people in your contact list, so don’t automatically trust it just because it came from someone you know.
  4. If opening e-mails from people you don’t know is a necessary evil (business e-mail, customer service, etc), or you’re just one of those people who lets their curiosity get the best of them, then consider using a virtual machine to open e-mails. Windows Virtual PC is a free download from Microsoft and will allow you to install any Windows Operating System inside a virtual environment separate from the Windows Operating System currently installed on your computer. So if you do get a worm, only your virtual PC is infected. It’s much easier to replace a quick virtual machine install that you only use to open e-mails rather than your entire OS and all the applications you installed on it.
  5. Don’t pass on “chain letters” or forwards, at least not messages that have no informative value. It may seem harmless, and I’m not really sure what people’s motives behind starting them are, but the end result is a lot of useless Internet traffic which has to be processed before real e-mails and requests for web pages can be processed. It seems so innocent, how could forwarding one little chain letter hurt anything? Don’t forget there are millions of other people around the world doing the same thing, all that useless traffic adds up. Not to mention that they’re annoying and personally I question a person’s reliability if they forward me bad news or even worse, a message that just says I’ll have bad luck if I don’t pass it on. I have broken many chain letters in my time, and I assure you no ghost is going to kill you, and you’re not going to have bad luck, so break the cycle and don’t forward spam.
  6. If you don’t want to part with thousands of dollars of your own money, getting nothing in return, then trash those generic e-mails from random foreign guy, who needs an American citizen to set him up a bank account in the US for whatever contrived reason, and will split the millions he saves by doing this with you, but somewhere along the line needs you to wire him a large cash sum. You’re not investing in your future, you’re giving your money to a con artist.

Social Networking Safe Browsing Habits

  1. Be careful who you add as a friend to your social networking account. Day in and day out you probably post personal information such as names of people you know, where you work, where you’re currently at, what you’re doing, etc. Not to mention other personal information is littered across the site, potentially phone numbers, addresses, where you go to school, where you work, etc. This information can be used against you in many different ways, (such as how personal info is often used as security questions for online accounts to reset your password) so be careful who you grant access to your social networking account.
  2. Keep a close eye on what applications you add. There are many applications on social networking sites like Facebook, Myspace, LinkedIn, etc which enhance our social networking experience. What we often don’t consider is what kind of privileges we’re bestowing to the people who wrote the software. Just as programs you install on your computer can do malicious things, apps you add to your profile can do malicious things as well, or in the very least unexpected things. Things like giving programs the ability to post to your profile without needing your approval, giving apps access to information about you on your profile that they don’t necessarily need to know to perform their intended function, and just generally giving these apps access to a lot of information about you and a lot of privileges on your page that you don’t necessarily want someone else you’ve never even met to have.
  3. Watch out for strange messages from your friends which are full of bad spelling and grammar, and contain links to external pages (YouTube is a popular scapegoat, but any page could be used). Even if your friend isn’t exactly a Harvard professor, bad grammar and spelling in messages is often a telltale sign of a malicious or spam message that your friend didn’t really write. There are worms and other malware, a prime example being the Koobface worm, which spread fake messages asking you to check out a video in a link, or take some other action. The link actually leads to an attack site where a script will try to install malware on your computer. Not exactly the gold you were expecting at the end of the rainbow, huh?