Tuesday, April 10, 2012

Told you so: Perfect Utah Example

I have written before about the importance of strong passwords; here is an example of what can happen when you don't use one:

On March 30, attackers traced to Eastern Europe broke into a server and gained access to the personal records of over 780,000 people. Why? One technician used a weak password. Because of this, the attackers could retrieve all of this information, including Social Security numbers. If this much data can leak out of something as "secure" as medical records, consider all of the other sites to which you are providing personal information.

Lessons to be learned:
--Use strong passwords
--Never trust your data in others' hands

http://bits.blogs.nytimes.com/2012/04/10/utah-breach-shows-vulnerability-of-health-records/

Monday, April 2, 2012

The Holy Password

On The Register I read about Reverend James Langstaff recommending that his congregation use Bible verses as passwords. He recommends taking the first letter of every word in the verse, followed by the book, chapter and verse number. He believes this will not only make his congregation safer on the web but also help them remember Bible verses. I would venture to say he is right.

The combination of apparently random lower and upper case letters and numbers increases password strength, provided the password is long enough (well over 8 characters). The reverend's example from John 14:1 takes "Let not your heart be troubled: ye believe in God, believe also in me." and turns it into "LnyhbtybiGbaimJ14V1". This is a fairly strong password: it is long, contains no dictionary words, and mixes upper and lower case letters with digits. It could be made stronger still by adding special characters, which is my only addition to the good reverend's advice. Taking the same verse, the password could become "Lny<3bt:ybiG,baimJ14:1". A password like this is far out of reach of blind brute-force guessing. One caveat: the verse and the transformation are both public, so an attacker who knows the scheme can generate candidates from a list of well-known verses with a rule-based cracker. The personal substitutions (and a less famous passage) are what defeat that, so do not skip them.

If memorizing Bible verses is not your thing, you can extend this advice to any passage from your favorite book. Just remember to go well beyond 8 characters and to mix lower and upper case letters, numbers, and special characters. Also, do not reuse the password you use for sensitive sites (e.g. your bank or school) on less trustworthy sites (e.g. "sign up here to win a free iPad").
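To make the two sides of that advice concrete, here is an added example (my own code, not anything from the reverend or The Register) that builds the password the reverend's way, estimates the keyspace a blind brute-force attacker faces, and then models an attacker who knows the scheme and simply applies it to a list of famous verses. The verse corpus, the `substitutions` tweak (my "<3" for "heart") and the variant list the attacker tries are all constructed assumptions for the demonstration.

```python
import math
import re

# Constructed sample: the verse used in the post (John 14:1, KJV).
VERSE = "Let not your heart be troubled: ye believe in God, believe also in me."


def initials(text, keep_punct=False):
    """First letter of every word; optionally keep the verse's own punctuation
    (the trailing full stop is dropped, as in the post's example)."""
    out = []
    for tok in re.findall(r"[A-Za-z]+|[^\sA-Za-z]", text.rstrip(".")):
        if tok.isalpha():
            out.append(tok[0])
        elif keep_punct:
            out.append(tok)
    return "".join(out)


def verse_password(text, book, chapter, verse, keep_punct=False, ref_sep="V",
                   substitutions=None):
    """The reverend's scheme: initials + book letter + chapter + separator + verse.
    `substitutions` is a hypothetical personal tweak (not in the original advice):
    a mapping from position in the initials string to a replacement, e.g. {3: "<3"}."""
    base = initials(text, keep_punct)
    if substitutions:
        base = "".join(substitutions.get(i, ch) for i, ch in enumerate(base))
    return f"{base}{book}{chapter}{ref_sep}{verse}"


def brute_force_bits(pw):
    """Upper bound on strength: log2 of the keyspace a blind brute-force attacker
    must search, given the character classes present and the length."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size)


# Constructed mini corpus of famous verses; a real cracker would use thousands,
# plus every other popular transformation rule.
CORPUS = [
    ("In the beginning God created the heaven and the earth.", "G", 1, 1),
    ("The LORD is my shepherd; I shall not want.", "P", 23, 1),
    ("For God so loved the world, that he gave his only begotten Son, "
     "that whosoever believeth in him should not perish, but have everlasting life.",
     "J", 3, 16),
    (VERSE, "J", 14, 1),
]


def targeted_guesses(target, corpus=CORPUS):
    """Model an attacker who knows the scheme: apply it to every verse in the
    corpus with the obvious variants. Returns the guess number that hits, or None."""
    n = 0
    for text, book, chapter, verse in corpus:
        for keep_punct in (False, True):
            for ref_sep in ("V", ":"):
                n += 1
                if verse_password(text, book, chapter, verse, keep_punct, ref_sep) == target:
                    return n
    return None


if __name__ == "__main__":
    plain = verse_password(VERSE, "J", 14, 1)
    tweaked = verse_password(VERSE, "J", 14, 1, keep_punct=True, ref_sep=":",
                             substitutions={3: "<3"})
    for pw in (plain, tweaked):
        print(f"{pw:26} brute-force {brute_force_bits(pw):6.1f} bits, "
              f"scheme-aware guess #{targeted_guesses(pw)}")
```

Both passwords score well over 100 bits against blind brute force, yet the plain version falls on the 13th guess of a four-verse corpus once the attacker knows the scheme; the version with a personal substitution is not found at all. The brute-force number is a ceiling, not a measure of how hard a password is for a real cracker.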

Wednesday, March 28, 2012

Dating Made Easy? or Creepy?

"Want to meet hott singles in your area?" echoes through all kinds of dating websites. They all claim to have a secret formula for finding your perfect match based on things you tell them about yourself. What if you didn't have to tell them anything and they could still find someone who shares your interests? There is an app for that: Yoke. It searches the Facebook profiles of your friends' friends and checks whether you have similar interests, and only one party needs to have opted in to the service. That may mean you get a message from someone who "matches" you. Apparently it also looks at other data sets, such as things you have purchased from Amazon.

I can understand the desire to meet someone with similar interests, but I don't really think some program trolling the internet and gathering my data is my ideal way to find a husband. It would creep me out to get an email from some stranger because of this app. The people talking about it on TechCrunch seem to be in favor, though: http://techcrunch.com/2012/03/28/yoke/

Personally, I think it's creepy, not to mention a how-you-met-story killer =)

Tuesday, March 27, 2012

Public Nudity - Lewd or Secure?

It seems people have quieted down a little around here about the TSA screenings, but the problems have not yet been fully addressed. There are several cases at trial right now concerning the perverted use of these scanners. One woman claims she was asked to go through the scanner several times because the image was "fuzzy"; she was finally waved through by a different, female, TSA agent whom she allegedly heard say that the image wasn't fuzzy and that the guys should knock it off. The woman felt very threatened and exposed. For the full article go here.

Even with many lawsuits, Congress appears to be moving slowly on the constitutionality of these devices. Recently, long-time critic and security expert Bruce Schneier was invited to testify on the value of these scanners and then barred from doing so. He believes they are "security theater": measures that exist to make people feel more secure without providing a substantial security benefit. Judging by the lawsuits and boycotts, however, they seem to be making the general public feel less secure, and merely changing who the public sees as the bad guy.

Personally, I know there are tradeoffs between security and privacy. For me, strangers in public seeing me naked is past the line. Where do you draw the line?

Monday, March 26, 2012

China Votes - NOT

Citizens in Hong Kong appear to be getting tired of not being able to vote for their leaders: in Hong Kong, 1,200 elected representatives choose the chief executive. Some anti-democracy advocates decided to demonstrate that the public's opinion doesn't matter by mounting a DDoS attack on the polling system.

A DDoS, for those who might not know, is a Distributed Denial of Service attack. An attacker controls a large number of compromised computers (called bots, collectively a botnet), usually through intermediate handler machines directed by a botmaster. A machine can become a bot in a variety of ways, most commonly when its owner unknowingly installs malware. In a DDoS, the bots all try to talk to the server being attacked at once. One classic form of this, the SYN flood, works like the following: whenever two computers start a conversation, the server reserves a slot for it, much like booking a meeting. The bots request the meeting and then never show up, so each slot sits reserved until it times out. If enough bots book slots, the server's schedule fills and new requests are turned away, so the legitimate users who actually want to talk to the server cannot get in. A system administrator can cap the number of open requests or rate-limit them so the machine itself stays up, but that does not give real users a slot either, and because the flood is "distributed" across so many sources, limiting each one individually does little. Either way the server is very busy and accomplishing nothing useful. The standard fix for this particular trick is to stop reserving the slot up front (SYN cookies): the server keeps no state until the other side actually shows up for the meeting.
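The "meeting slot" picture is easier to believe with numbers, so here is an added example, my own toy model and not code from the article or the attack, that simulates a listening socket's half-open queue under a small SYN flood, first reserving state per request and then with the SYN-cookie approach described above. The backlog size, timeout, number of bots and the HMAC-based cookie are constructed assumptions; real kernels use a different cookie encoding and more elaborate queue management.

```python
import hashlib
import hmac


class Listener:
    """Toy model of a TCP listen socket's half-open ("SYN received") queue.

    Stateful mode reserves a backlog slot per SYN until the ACK arrives or the
    entry times out. With syn_cookies=True nothing is stored: the server encodes
    its state in the token it sends back, and only a client that echoes it in
    the ACK gets a connection. Simplified model, not the kernel's algorithm."""

    def __init__(self, backlog=128, timeout=60, syn_cookies=False,
                 secret=b"constructed-demo-secret"):
        self.backlog = backlog
        self.timeout = timeout
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}      # (src, port) -> expiry time
        self.established = 0
        self.dropped = 0

    def _expire(self, now):
        for key, expires in list(self.half_open.items()):
            if expires <= now:
                del self.half_open[key]

    def _cookie(self, src, port, now):
        # Real SYN cookies pack a timestamp and MSS into 32 bits; a keyed hash
        # over (peer, time window) is enough to show the idea.
        msg = f"{src}:{port}:{now // 64}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def syn(self, src, port, now):
        """Handle a SYN. Returns the token the client must echo, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src, port, now)   # no state reserved
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                    # schedule full: turn the request away
            return None
        self.half_open[(src, port)] = now + self.timeout
        return True

    def ack(self, src, port, now, token):
        """Handle the final ACK. Returns True if the connection is established."""
        if self.syn_cookies:
            ok = token == self._cookie(src, port, now)
        else:
            self._expire(now)
            ok = self.half_open.pop((src, port), None) is not None
        if ok:
            self.established += 1
        return ok


def simulate(listener, seconds=60, bot_count=200, bots_per_second=20):
    """Constructed scenario: each second, 20 different bots send one SYN and never
    ACK, while one legitimate client completes a full handshake. Returns the
    number of legitimate connections that succeeded."""
    legit_ok = 0
    for now in range(seconds):
        start = (now * bots_per_second) % bot_count
        for i in range(bots_per_second):
            bot = (start + i) % bot_count
            listener.syn(f"10.0.{bot // 256}.{bot % 256}", 40000 + now, now)
        token = listener.syn("192.0.2.10", 50000 + now, now)
        if token is not None and listener.ack("192.0.2.10", 50000 + now, now, token):
            legit_ok += 1
    return legit_ok


if __name__ == "__main__":
    for cookies in (False, True):
        lst = Listener(syn_cookies=cookies)
        ok = simulate(lst)
        print(f"syn_cookies={cookies}: legit connections {ok}/60, "
              f"dropped {lst.dropped}, half-open left {len(lst.half_open)}")
```

With a 128-entry backlog and a 60-second timeout, 20 bogus SYNs per second fill the schedule in about six seconds, after which every legitimate request is dropped for the rest of the minute, even though each bot sends only one packet every ten seconds. With SYN cookies the server holds nothing for the bots and the legitimate client connects every time.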

Hong Kong University had set up a public opinion poll to see who people would vote for if they had the chance. Unfortunately, this was seen as against national interests, and the effort was thwarted through a DDoS, which some consider patriotic when it is in the "national interest", as here.

If people want to speak out, should they be able to? At what point does a government become so oppressive that the rest of the world decides it isn't okay, and the people within the country rise up? What do you think?

For more information read the original article here: http://www.theregister.co.uk/2012/03/26/hong_kong_vote_hack/

Wednesday, March 7, 2012

The Great Firewall of China: Time to Fall?

Most people have heard about the extensive filtering of content done in China. What you may not know is just how extensive it is. Many multinational companies have had to either consent to filter content or lose the huge Chinese market. The government censors everything from search engine results to instant message conversations, emails, text messages, and more. Just about everything sent or posted in electronic form is censored.

Beyond the major business implications of this censorship, one should realize how much it affects the daily life of a Chinese citizen. For example, phrases such as "Falun Gong" and "Dalai Lama" are filtered out of conversations. Falun Gong is a spiritual discipline, but it is seen as a threat to the Communist Party and so is forbidden from electronic discussion.

Maybe this is the American in me, but when the government takes away basic rights such as the practice or discussion of beliefs, it is time to rebel. How much government oppression is necessary before the people grow tired? What do you think should be done about the Great Firewall, if anything?

Friday, March 2, 2012

What rights should be foregone to have justice?

Recently, a woman charged with real estate fraud was compelled to give up her encryption key because of evidence believed to be on her computer. Although she pleaded the Fifth, the court still ruled in the prosecutor's favor. The decision later became moot when the Feds cracked the encrypted drive (for full details read the article at The Register).

This case raises the question of how many, and which, rights are to be given up in the pursuit of justice in the information age. It is plain to see that technology has changed things, but once again I am brought back to whether the laws adequately reflect this. In Brazil, the accused are likewise compelled to give up the passwords that decrypt their drives, but the punishment for refusing is only one month in prison. For many criminals, that is a small price to pay for the millions they have embezzled.

What do you think? Should people be compelled to decrypt their information? If so, what should be the punishment if they don't? If not, how will we catch these high-end criminals?

Monday, February 20, 2012

Thrift Shops--Possible Vulnerability for your Company?

Thrift shops are in general a great place to get slightly used clothing. Overall it is a great system: those who give would have thrown the clothes away anyway, and those who receive can really use the discount. Have you ever considered, however, that a thrift store could lead to a vulnerability in your company?

People of all types donate to thrift stores, including employees of companies such as Cisco and Comcast, whose technicians are traditionally trusted to show up and work on computers or access points. Picking up an official company shirt is one of the ways social engineers dress the part to plant malware or gain access to your sensitive information.

This is a good reason to make sure that anyone who may let a real or fake worker into your home or office is trained to call the company the person claims to be from, using a number you look up yourself rather than one the visitor hands you, before allowing them into sensitive areas or disclosing any information. Any of these service companies should be able to tell you whether they sent someone, and whom.

Thursday, February 16, 2012

Social Security

No, I do not mean your Social Security number. I am referring to encrypting your social media traffic, the oh-so-private information you think can only be seen by the people you have allowed. Without TLS (Transport Layer Security), anyone sharing the network with you, for example on open Wi-Fi, can use a packet sniffing tool such as Wireshark to see what you are posting and the messages you are sending.

For those unfamiliar with IT, all of the information you send over the internet travels in segments called packets. On a wireless network these packets can be "sniffed", in essence caught out of the air and read, without disturbing the user's session at all. This means that things the user may think are private, like the address on a friend's wedding invitation, can potentially be read by a stranger, as can the session cookie that tells the site who you are.

The only way for users to protect that traffic is to make sure it is encrypted, which is shown by the https:// prefix in the address bar instead of http://. Currently, Facebook and LinkedIn offer secure browsing as an option, but it is not the default, so consider opting in to protect yourself.

Google+ has it on by default, and I recently learned from The Register that Twitter has changed secure tweets from opt-in to default. Just make sure to always check that your browser says https://. Too much work? Use Firefox and install the HTTPS Everywhere add-on. It will force a secure connection with any site in its rule set that has a secure option.
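To show the difference the https:// prefix makes from the sniffer's side, here is an added example of my own (not from Wireshark, The Register, or any of the sites named above). It takes two constructed TCP payloads, a plain-HTTP form post and a TLS application-data record, and reports what a passive observer can read from each. The host name, cookie values and message body are made up for the demonstration, and the "ciphertext" is a fixed byte pattern standing in for real encrypted data.

```python
import re
import struct
from urllib.parse import parse_qsl

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed payloads standing in for two TCP segments captured on open Wi-Fi.
FORM_BODY = b"to=bob&body=Wedding+is+at+12+Elm+St+on+Sat+at+3pm"
HTTP_POST = (
    b"POST /messages/send HTTP/1.1\r\n"
    b"Host: www.example-social.invalid\r\n"
    b"Cookie: session_id=7f3c1a9e; user=alice\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(FORM_BODY)
    + FORM_BODY
)
APP_DATA = bytes((i * 37 + 11) % 256 for i in range(48))   # opaque ciphertext stand-in
TLS_RECORD = b"\x17\x03\x03" + struct.pack("!H", len(APP_DATA)) + APP_DATA


def sniff(payload):
    """Return what a passive observer learns from one TCP payload."""
    # TLS record header: content type, version major/minor, length (5 bytes).
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        ctype, _major, minor, length = struct.unpack("!BBBH", payload[:5])
        return {"protocol": "tls",
                "record": TLS_CONTENT_TYPES[ctype],
                "version": f"TLS 1.{minor - 1}" if minor else "SSL 3.0",
                "bytes": length,
                "readable": {}}        # the record body is ciphertext
    # Otherwise try to parse it as a cleartext HTTP request.
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"(GET|POST|PUT|DELETE) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return {"protocol": "unknown", "readable": {}}
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    readable = {"method": m.group(1), "path": m.group(2), "host": headers.get("Host")}
    if "Cookie" in headers:
        # The session cookie alone lets the sniffer act as the user on the site.
        readable["cookies"] = dict(c.strip().split("=", 1)
                                   for c in headers["Cookie"].split(";"))
    if body:
        readable["form"] = dict(parse_qsl(body.decode("latin-1")))
    return {"protocol": "http", "readable": readable}


if __name__ == "__main__":
    for name, payload in (("http", HTTP_POST), ("https", TLS_RECORD)):
        print(name, sniff(payload))
```

On the http:// connection the observer gets the host, the session cookie and the full text of the message; on the https:// connection the same observer learns only that 48 bytes of application data went by under TLS 1.2. (The TLS handshake that precedes the record still reveals which site you connected to, which is a separate concern.)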

Monday, January 23, 2012

Elicit Information

I have been reading lately about how easy it is to elicit information from people. This is not to be confused with the similar-sounding word "illicit". We won't be discussing anything illegal, but rather something very legal and very present in your day-to-day life.

Eliciting information could be something as simple as getting someone's phone number, or as valuable as extracting details about his or her life or company. You may think that no one would disclose important corporate information to a stranger, but you would be very, very wrong. Even high-level executives can feel comfortable giving out information if approached in a non-threatening way.

Some examples in the book Social Engineering by Christopher Hadnagy include a short conversation at a bar that led to an executive showing the attacker the RFID access code to the building, which let the attacker pose as a repairman and infiltrate the company. In another of Hadnagy's examples, the attacker sits down for coffee and learns that the executive will be leaving on vacation the next week; the attacker then drops off a flash drive while the executive is away, which gives the attacker access to the victim's computer.

Whether or not you are a major executive at a large organization, you likely have access to sensitive information: your bank login, your Social Security number, or even seemingly minor details that can be chained together into a serious attack.

This isn't meant to make you feel paranoid, but perhaps we all need to be a little more paranoid.