Security

Security Threats 2012

Two friends were walking across the savanna when suddenly a cheetah began to chase them. One friend started to run, but the other stooped to put on his running shoes.
Said the first, "Are you mad? You can't run faster than a cheetah."
To which his friend responded, "No, but I can run faster than you."

Thus with IT security. You can't have full protection, but you can have better protection than others, and rely on hackers taking the easier option.

Threats change constantly.

In the old days we were obsessed with viruses arriving as attachments to e-mails. Remember the e-mail address hackers?

They would send spam to loads and loads of likely e-mail addresses and, by chance, hit on real ones,
e.g. JohnSmith@, JSmith@, JSmith1@, etc.

Simple names become a target for spammers, but mail services such as Gmail have excellent spam filters, so this has faded as a problem.

Now we have password hackers.

This is a very useful way of getting at both private data (shopping accounts) and bank accounts.

Every password can be thought of as a needle hiding in a haystack.

Password hackers, like e-mail address hackers, start off with the obvious.

a) Try all the simple and widely used passwords ("password", "123456", "cat")

Tip: check out the following websites to see if your passwords are there!

http://modernl.com/article/top-10-most-common-passwords
http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

b) Variations of all the well-known passwords, e.g.
"pa$$wOrd"

c) Refer to a password dictionary.
36% of the million passwords recently lost by Sony were in a password dictionary.
Here's a dictionary with 2.5 million passwords (note: it takes ages to load!):
http://dazzlepod.com/site_media/txt/passwords.txt

d) Plain guessing and brute-force calculations:

Whitepixel software is able to test 28.6 billion password guesses per second.
See: blog.zorinaq.com/?e=42
The computer uses four graphics cards to help with the number crunching.

How to create a safe(r) password?

Some people like to use mnemonics:
"Mary Had a Little Lamb" gives MHALL
or "There Were Bells on the Hills" gives TWBOTH

…but film titles and lines from popular songs find their way into password dictionaries!

Therefore passwords should be random and very long. The problem is that the user cannot remember them!

Still, you can make a password long by padding it with characters: 2244JCCC4422

Tip: check out how safe your passwords are on:

https://www.grc.com/haystack.htm

The safest passwords will have:

  • At least one upper-case letter
  • At least one lower-case letter (some accounts don't discriminate between upper and lower case)
  • At least one digit
  • At least one symbol (some sites don't accept symbols)
  • A length of at least 12 characters

Question: Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

Answer: The first. It is one character longer and would take 95 times longer to find by exhaustive search, unless the hacker is searching for simple padding like this!

However, if you use a particular pattern of padding and let your password slip on a phishing site, then your method of padding will be "out" and available to the hackers.
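The "haystack" arithmetic behind the question above, and the padding caveat, worked through as an added example (not part of the original talk). It counts the search space the way the GRC calculator linked above does (alphabet size from the character classes used, all lengths up to the password's length), takes the page's 28.6 billion guesses per second as the attacker's speed, and adds an assumed attacker model for someone who already knows the "short word plus a run of one repeated character" padding trick.

```python
import string

# Character classes as the GRC haystack calculator counts them (26 + 26 + 10 + 33 = 95).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # 32 printable punctuation marks plus space
)
GUESSES_PER_SEC = 28.6e9  # the whitepixel rate quoted on the page, used as the attacker's speed

def alphabet_size(pw: str) -> int:
    """Size of the smallest mix of character classes that covers every character in pw."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in pw))

def search_space(pw: str) -> int:
    """Candidates an exhaustive search must try to cover every length up to len(pw)."""
    a = alphabet_size(pw)
    return sum(a ** n for n in range(1, len(pw) + 1))

def brute_force_seconds(pw: str) -> float:
    """Worst-case time to exhaust the search space at the page's guess rate."""
    return search_space(pw) / GUESSES_PER_SEC

def padded_core(pw: str):
    """Split pw into (core, pad_char, pad_len) when it ends in a run of one repeated char."""
    if not pw:
        return pw, "", 0
    pad = pw[-1]
    run = len(pw) - len(pw.rstrip(pad))
    if run < 2:
        return pw, "", 0
    return pw[:-run], pad, run

def padding_aware_space(pw: str, max_len: int = 24) -> int:
    """Assumed attacker model: guess a short core, then any single repeated
    character padded out to at most max_len. Non-padded passwords fall back to
    the exhaustive count."""
    core, _pad, run = padded_core(pw)
    if run == 0:
        return search_space(pw)
    return (search_space(core) or 1) * 95 * max_len

def padding_aware_seconds(pw: str) -> float:
    return padding_aware_space(pw) / GUESSES_PER_SEC

if __name__ == "__main__":
    for pw in ("D0g.....................", "PrXyc.N(n4k77#L!eVdAfp9"):
        print(f"{pw}: exhaustive {brute_force_seconds(pw):.3g}s, "
              f"padding-aware {padding_aware_seconds(pw):.3g}s")
```

Run as a script, it shows the padded password winning by the expected factor of 95 under exhaustive search, and losing in a fraction of a second once the attacker knows the padding pattern.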

Try to use different passwords.
If remembering them is difficult, use password management software such as KeePass:
http://keepass.info/

Other security threats:

File sharing:
Is your laptop set up to share files across your network at home? If so, it might be sharing important files with everyone else in the Club.

Browser attacks:
The main source of attack these days is through the browser and Internet websites.
Remember to update your browser as and when a new release comes out.

Certain sites, particularly porn and (surprisingly) religious websites, are especially harmful:

http://blogs.wsj.com/tech-europe/2012/04/30/religious-sites-are-worst-for-malware-report-finds/?mod=google_news_blog

The most dangerous type of malware is Zeus (a Trojan horse). It enables hackers to get into online bank accounts and payroll services and carry out financial transactions, often without people noticing. It is spread via "drive-by downloads" and phishing schemes.

Drive-by download: software which loads on your computer without your permission, often posing as anti-virus software (fake AV).

A much publicised recent Mac attack is of this type:
Flashback malware exposes big gaps in Apple security response
http://www.zdnet.com/blog/bott/flashback-malware-exposes-big-gaps-in-apple-security-response/4904?tag=nl.e539
…and there's now a similar threat for Android devices:
A first: Hacked sites with Android drive-by download malware
http://www.zdnet.com/blog/security/a-first-hacked-sites-with-android-drive-by-download-malware/11810?tag=nl.e539
…and hackers are now making malware to attack both Windows and Macs:
http://www.zdnet.com/blog/bott/the-slow-and-steady-evolution-of-cross-platform-malware/4930?tag=nl.e539

Phishing: a fake website pretends to be the real thing; people are lured in by authentic-looking e-mails.

Zeus uses man-in-the-browser and keystroke logging.

Man in the browser is a security attack where the perpetrator installs a Trojan horse on a victim's computer that's capable of modifying that user's Web transactions as they occur in real time.

http://en.wikipedia.org/wiki/Man-in-the-browser

BBC Click explains how Zeus is difficult to detect:
How latest malware uses disguises to avoid detection
http://news.bbc.co.uk/2/hi/programmes/click_online/9692842.stm

Keystroke logging tracks your keystrokes as you press them. This is why banks now ask you to use your mouse to enter the characters of your password.

http://www.creditcardguide.com/creditcards/credit-cards-general/spyeye-malware-covers-thieves-tracks-1365/

Remember: as soon as a bank or business responds to a security threat by improving its security, the hackers work to find another way in. There is no cast-iron solution.

Get your running shoes on!

TIPS

USE DIFFERENT, SECURE PASSWORDS;
UPDATE YOUR BROWSER AND ANTIVIRUS SOFTWARE CONSTANTLY;
WATCH OUT FOR SUSPICIOUS QUESTIONS, EVEN FROM APPARENTLY TRUSTED WEBSITES

Chris Betterton-Jones
May 2012

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License