In many cases, it's desired to know the IP address of someone in the reconnaissance phase. The first question to ask is what information do I have about this person. In most cases it's possible that you have the email or IM of the target. First let's discuss the methods:
Method #0x01
if you have a web server hosted someplace where you can see its logs then it's very easy to send someone a URL of an image or any webpage hosted on your web server (http://123.123.123.123/veryfunnyimage.jpg) whenever this page is visited the web server keeps a log of who visited that page (IP address, time, browser, OS ... and lots of more info) where you can check later to collect IP addresses. if
Method #0x02
sometimes people get freaked out from addresses that have ip addresses in the URL so having your webserver with a domain name would really help the person you sent the URL to press on the link (www.mywebsite.com/veryfunnyimage.jpg)
Method #0x03
Some paranoid people don't open links to unknown sites. so here comes the cool trick. you can embed the image in a post of yours in a known site that allows HTML tags with image sources like < img src = (your image URL). in this case the URL you are going to send to the person is a link to a known website but the website contains another link to your web server. And whenever someone views this page on the known website, the "img src" link is invoked and voila!, you have a log entry on your webserver.
Method #0x04
Some Ultra paranoid people don't open links at all!! for these people I use my old trick. I send an email to the target that looks important to him (depending on the target actually and what's important to him). This email is in HTML format and contains a tag that links to an image on my webserver (probably a white image not to attract attention). Now upon merely opening the email, my webserver is invoked and a log entry is saved about the persons current IP address.
Note that this method only works if the email client allows images to be displayed (gmail disable that by default)
Method #0x05
A more faster approach is IM. If you have the IM of the target, then it's possible that you try to send him a file (not malicious, a picture or smthng). upon sending the file, a direct connection is established between you and the target. with a simple connection monitoring application (e.g.netstat on windows), you can know the Ip address.
Method #0x06
Some paranoid people don't accept files! so another trick in case of MSN is background sharing. the default for MSN is to accept backgrounds shared by others. Actually background sharing performs file sending if the background is not one of the default backgrounds. So the trick is to set your background for the IM to a cool pic from your computer and share it. if the default setting was not altered on your target's IM, then he will automatically accept it right away and a connection is opened. here comes again the connection monitoring app where you can identify the new connection and extract the IP add of the target.
Well those are one's that I used .. do you have any other methods ?? sometimes I only have the username on a forum or website. Any clues?
UPDATE:
Method #0x07
In MSN messenger, if u don't have the display picture of the person you're talking to, the messenger will try to download it by default. this cause the the MSN to open a direct connection. Using a sniffing tool like wireshark will allow you to know the IP of the remote person.So basically if you don't have his display picture and you opened the chat window you'll get your log entry. You can either convince the target to change his/her display picture or you can remove the your local directory that caches the display pictures for all contacts (located in application data folder for the msn) to force the messenger to redownload the picture. [ NOTE: thanks to rvdh for the great tip :) and thanks to Borry for letting me taking him as a test subject :D ]
Wednesday, December 10, 2008
Friday, September 5, 2008
25 DEC = 31 OCT
I've been wandering around surfing the net as usual when I found out this very odd thing... we all know that 25Dec(ember) is the christmas and 31 oct(ober) is the halloween. The weird thing is at the same time 25 dec(imal) number is euqal to 31 oct(al) number !! what a conincidence.It's like 25 dec = 31 oct -> christmas = halloween!! I think this must have a meaning don't you think?
Saturday, July 19, 2008
A Certificate Dilemma
I've been trying to get a new certificate for my SSL enabled software from a very reputable certificate giving web site (cacert.org) and I was shocked with a notification that the certificate of this web site is not proper!! see the image below for yourself. How come that the certificate issuer web site has an untrusted certificate!!? :D
Monday, July 7, 2008
Screw symbian and their DRM
I've been struggling for a week now with that piece of metal of mine (mobile phone) trying to install a simple app and yet I couldn't !!. The problem is that symbian (God saves their brains!) decided that no application to be installed on your very own mobile except if it's signed by symbian (hmm maybe someone is paranoid over there or something!!! ) . Of course there's that "self signing" thing that you can do. But it only grants you access to limited set of APIs and you cannot access all system calls. Funny it is how this DRM stuff work. You have your mobile at your palm and you app on you pc and due to some DRM "issues" you can't install it!!. My last option is to hack the image of my symbian OS to make it bypass signing from the beginning. I was hoping not to come to this part because the place where i read this article it had this big warning
" !!!!!!! This hack is not for the faint hearted and is known to brick a few models that perform a CRC check. Anything that you do following the article below is at your own risk and responsibility.!!!!!!"
so i decided to wait and give it another try with searching.
Symbian was so generous to allow people to have their apps signed online (What if I don't want anybody to see my app?!!! , what a big nose !) and of course this online signing is also limited to the IMEI and must have the UID same as the email that you wrote in the app. itself. which means that you can't give your app to some friends to try it. shame on you! ... symbian people are the best guys can't you see it!
And last but not least of symbian's generousity is their developers' signing request program. If you are a developer and you want a certificate to test up some apps. you can send a request to symbian and they will give you one. However the trick here is that you have to sign up with your email which MUS NOT be a public known or unknown! free email service provider neither it can be any domain with lots of people signing up from. Whenever a domain (even it's your domain) has a certain limit of users singed up from, it gets banned!! .. so you can imagine how many free emails I've singed up in the last couple of days and tried with that stupid program.
ANYWAY, like a friend of mine always says "A brownie can always solve the problem" . I think I'll just eat some brownies and try to forget.... (hhh sighs)
UPDATE: I used a hack that was mentioned in the comments. Thanks Sheero for the hack , it WORKEDDD :D ..you saved my day (or month actually!) I shall rename the post "God saves old friends (& screw symbian & their DRM!)" LOL .. I think um gonna save the cookies for some other problems.
" !!!!!!! This hack is not for the faint hearted and is known to brick a few models that perform a CRC check. Anything that you do following the article below is at your own risk and responsibility.!!!!!!"
so i decided to wait and give it another try with searching.
Symbian was so generous to allow people to have their apps signed online (What if I don't want anybody to see my app?!!! , what a big nose !) and of course this online signing is also limited to the IMEI and must have the UID same as the email that you wrote in the app. itself. which means that you can't give your app to some friends to try it. shame on you! ... symbian people are the best guys can't you see it!
And last but not least of symbian's generousity is their developers' signing request program. If you are a developer and you want a certificate to test up some apps. you can send a request to symbian and they will give you one. However the trick here is that you have to sign up with your email which MUS NOT be a public known or unknown! free email service provider neither it can be any domain with lots of people signing up from. Whenever a domain (even it's your domain) has a certain limit of users singed up from, it gets banned!! .. so you can imagine how many free emails I've singed up in the last couple of days and tried with that stupid program.
ANYWAY, like a friend of mine always says "A brownie can always solve the problem" . I think I'll just eat some brownies and try to forget.... (hhh sighs)
UPDATE: I used a hack that was mentioned in the comments. Thanks Sheero for the hack , it WORKEDDD :D ..you saved my day (or month actually!) I shall rename the post "God saves old friends (& screw symbian & their DRM!)" LOL .. I think um gonna save the cookies for some other problems.
Wednesday, July 2, 2008
Social networks... How to surf safely
Social networks is actually a crawling disaster with all this information passing, threats that we never thought of has emerged leading to serious problems
I was reading this article on Outpost security lab and they suggested few practices to make surfing through social networks more secure.
Best Practices:
"
Use the latest browser software and install Windows Updates as soon as they become available.
Use a firewall to protect your system against unknown threats; use up-to-date antivirus to block known threats and intrusion prevention software to alert you to potentially dangerous activities on your computer.
Do not download, open or respond to content published or sent by unknown people. There has recently been a virus outbreak in the Russian portion of an SN that resulted from unwary users clicking on a reference to a fake image file that led to the activation of a virus that then wiped user data from the affected computers.
Remember that SN is still in its infancy: the engines are still immature and the platforms are vulnerable to determined attackers. Reports of faulty SN code appear regularly in the media, and you cannot rely on the integrity and non-disclosure of your personal details due to multiple weaknesses in SN systems. Cross-scripting errors (XSS) enabling attackers to view restricted sections of user data have affected almost every SN site, much like the way spyware targeted Windows systems that had not been patched with SP2 back in 2003.
The 3rd party applications (widgets) that Facebook and Myspace offer as additional downloads are even more problematic. These programs are not tested for compatibility or security defects, so be sure you understand exactly what you are installing when you choose to use one of these applications.
Don’t access your online profile from public computers – such actions are fraught with additional risk because of the potential for theft or malware compromise. Your log-in details might be stored in a local cache and later extracted and used to illegally access your profile, or the computer may be infected with keylogger that will silently capture any piece of information, including log-ins and dialog sessions, and relay this data to unauthorized third parties.
Do not disclose sensitive information ever! - A recent British survey revealed that more than half the SN users interviewed publish contact details and private details in their online profiles, making them the easy targets to ID thieves and other miscreants.
Due to the open nature of the Internet and the fact that your account can be hijacked, coupled with the vulnerabilities of SN platforms, you should NEVER publish any sensitive information about yourself, like your home address, Social Security or cell phone numbers. And don’t post anything that could backfire against you, like videos of your student parties, or anything else that you wouldn’t want a prospective employer to see.
Prevent anonymous users from viewing your profile
By making your profile private, you limit access to your online profile only to friends and people you know.
Authorize and add as friends only people you know
The smaller your inner circle of friends, the more private your online profile is.
Never trust online-only acquaintances
It’s important to keep in mind that people and their identities are not always what they claim to be, and you should not blindly trust people that you meet online. Don’t meet these people in real life except in very public, safe places, and you must strive to avoid any other physical contact with them.
You may have heard the dramatic story of a girl committing suicide after her online date supposedly let her down, whereas in fact the cheating partner was the mother of a teenager who didn’t want her son to date the girl. If she had been a little less trusting of what she read online, she would probably be alive today.
Favor sites that use encryption
Facebook, for example, encrypts your interactive sessions, whereas Myspace hasn’t yet followed suit. Encryption garbles data in transit so that no-one can read intercepted information, protecting your passwords and other information from outsiders.
Report abuse
Should you encounter cases of spam, harassment, stalking or other intrusions into your private life, you should report such incidents to the people responsible for proper conduct on the social networking site. Consult the FAQ or Contact Us section to find specific contact information.
Don’t access SNs from your workplace
Research indicates that half of the workforce access SNs during the workday, reducing productivity and distracting from work-related issues. Such activities may also be in violation of your employer’s “appropriate Internet use” policies.
"
After all, nothing is totally secure. And if the information is there then someone somtime will be able to get it somehow!. Maybe I'm paranoid but who knows what can happen :D
I was reading this article on Outpost security lab and they suggested few practices to make surfing through social networks more secure.
Best Practices:
"
Use the latest browser software and install Windows Updates as soon as they become available.
Use a firewall to protect your system against unknown threats; use up-to-date antivirus to block known threats and intrusion prevention software to alert you to potentially dangerous activities on your computer.
Do not download, open or respond to content published or sent by unknown people. There has recently been a virus outbreak in the Russian portion of an SN that resulted from unwary users clicking on a reference to a fake image file that led to the activation of a virus that then wiped user data from the affected computers.
Remember that SN is still in its infancy: the engines are still immature and the platforms are vulnerable to determined attackers. Reports of faulty SN code appear regularly in the media, and you cannot rely on the integrity and non-disclosure of your personal details due to multiple weaknesses in SN systems. Cross-scripting errors (XSS) enabling attackers to view restricted sections of user data have affected almost every SN site, much like the way spyware targeted Windows systems that had not been patched with SP2 back in 2003.
The 3rd party applications (widgets) that Facebook and Myspace offer as additional downloads are even more problematic. These programs are not tested for compatibility or security defects, so be sure you understand exactly what you are installing when you choose to use one of these applications.
Don’t access your online profile from public computers – such actions are fraught with additional risk because of the potential for theft or malware compromise. Your log-in details might be stored in a local cache and later extracted and used to illegally access your profile, or the computer may be infected with keylogger that will silently capture any piece of information, including log-ins and dialog sessions, and relay this data to unauthorized third parties.
Do not disclose sensitive information ever! - A recent British survey revealed that more than half the SN users interviewed publish contact details and private details in their online profiles, making them the easy targets to ID thieves and other miscreants.
Due to the open nature of the Internet and the fact that your account can be hijacked, coupled with the vulnerabilities of SN platforms, you should NEVER publish any sensitive information about yourself, like your home address, Social Security or cell phone numbers. And don’t post anything that could backfire against you, like videos of your student parties, or anything else that you wouldn’t want a prospective employer to see.
Prevent anonymous users from viewing your profile
By making your profile private, you limit access to your online profile only to friends and people you know.
Authorize and add as friends only people you know
The smaller your inner circle of friends, the more private your online profile is.
Never trust online-only acquaintances
It’s important to keep in mind that people and their identities are not always what they claim to be, and you should not blindly trust people that you meet online. Don’t meet these people in real life except in very public, safe places, and you must strive to avoid any other physical contact with them.
You may have heard the dramatic story of a girl committing suicide after her online date supposedly let her down, whereas in fact the cheating partner was the mother of a teenager who didn’t want her son to date the girl. If she had been a little less trusting of what she read online, she would probably be alive today.
Favor sites that use encryption
Facebook, for example, encrypts your interactive sessions, whereas Myspace hasn’t yet followed suit. Encryption garbles data in transit so that no-one can read intercepted information, protecting your passwords and other information from outsiders.
Report abuse
Should you encounter cases of spam, harassment, stalking or other intrusions into your private life, you should report such incidents to the people responsible for proper conduct on the social networking site. Consult the FAQ or Contact Us section to find specific contact information.
Don’t access SNs from your workplace
Research indicates that half of the workforce access SNs during the workday, reducing productivity and distracting from work-related issues. Such activities may also be in violation of your employer’s “appropriate Internet use” policies.
"
After all, nothing is totally secure. And if the information is there then someone somtime will be able to get it somehow!. Maybe I'm paranoid but who knows what can happen :D
Sunday, June 22, 2008
My Car is super highly Secured
I've been to a friend of mine yesterday and sadly i forgot the keys inside the car and locked the doors. Usually in these situations I have to go back home and get my spare keys. But this time it was different. One of my friends said "wait I have a master key that opens all cars!" . I was like "hahaha ok that's a joke, so what are we going to do now". And then I was surprised that he actually was trying to open MY CAR with HIS car's keys !!! . The strangest was that it opened!! .. If I didn't see this myself I would have thought that it's a trick. My car is a hyundai and his is a slavuta!!. And it seems that he's tried this before on different cars .. Although my car is old .. but not that old!! I think I'm gonna have to use my new security alarm system on that car. But after I fix it because it got hit in an accident on the very same day! :D
Tuesday, June 10, 2008
Passwords (part II ... Suggested solutions)
well here we are with passwords again. I talked earlier about passwords importance and risks. Today I wanna talk about best practices.
Generally, system administrators advise employees to follow the following practices to keep their passwords secured :
•Use very lengthy passwords. It’s ok to have a meaning if it’s long enough (using a sentence of 100 characters for example as a password). But this means you’ll have to memorize a new sentence every now and then. And even a sentence for every site or program because you don’t want a single password compromised to break down all you secrets and identities.
•Add alphanumerical characters to you passwords to make it difficult. (And of course you’ll make it difficult for yourself to remember!)
•Use alternating case. For example (TeStPasSworD). This pattern also hardens passwords but still have the draw backs mentioned in the previous points.
•Add some special characters that are not on the keyboard. It’s a good trick that few people know. You can add a character that is not on the standard keyboard by pressing the (Alt) key and while pressing, enter the UNICODE numerical value that corresponds to a special character. For example (Alt + 1223) gives (╟). This technique is very powerful actually, but a lot of password providers limit the characters that can be entered in a password to a limited set of characters
As a conclusion for all the previous practices, I suggest a tricky technique that tries to make it easier on the user and more difficult on the cracker. Every one of us has a favorite password or two that he remembers very well. Well, why don’t we use this password plus some additions to make it difficult on the cracker but easy on you.
The technique I'm describing here suggests that you use a password that consists of two parts. The fist part is a password that you know very well and remember. (6-10 characters). The second part is a number that is changed every now and then (4-6 characters) and changed for every program or site. You don’t have to memorize this number. You can put it on your favorite sticky note or a memo on your mobile or even on a file on a USB flash drive because this number alone doesn’t mean anything.
You could also use the first part of the password to make categories. Like social networking sites have as the first part. Important accounts (bank, OS account) have as the 1st part. and of course the 2nd part is randomized and different for each site.
Now let us take look on the resulting password. The result is a password that you remember very well, you can write the part that you don’t remember on anything, this part can be changed by any frequency since you don’t remember it from the beginning, you can create levels of security where for example the “not so important” passwords you can have them grouped with the same keyword that you remember well and they differ internally by the number that is generated randomly by the administrator and the best of all is that the password you just created is an alphanumeric password that is 10-16 characters length and very hard to break!
Ok, now Mr. Black hat, if you wanna a piece of me , come n' get it.
Generally, system administrators advise employees to follow the following practices to keep their passwords secured :
•Use very lengthy passwords. It’s ok to have a meaning if it’s long enough (using a sentence of 100 characters for example as a password). But this means you’ll have to memorize a new sentence every now and then. And even a sentence for every site or program because you don’t want a single password compromised to break down all you secrets and identities.
•Add alphanumerical characters to you passwords to make it difficult. (And of course you’ll make it difficult for yourself to remember!)
•Use alternating case. For example (TeStPasSworD). This pattern also hardens passwords but still have the draw backs mentioned in the previous points.
•Add some special characters that are not on the keyboard. It’s a good trick that few people know. You can add a character that is not on the standard keyboard by pressing the (Alt) key and while pressing, enter the UNICODE numerical value that corresponds to a special character. For example (Alt + 1223) gives (╟). This technique is very powerful actually, but a lot of password providers limit the characters that can be entered in a password to a limited set of characters
As a conclusion for all the previous practices, I suggest a tricky technique that tries to make it easier on the user and more difficult on the cracker. Every one of us has a favorite password or two that he remembers very well. Well, why don’t we use this password plus some additions to make it difficult on the cracker but easy on you.
The technique I'm describing here suggests that you use a password that consists of two parts. The fist part is a password that you know very well and remember. (6-10 characters). The second part is a number that is changed every now and then (4-6 characters) and changed for every program or site. You don’t have to memorize this number. You can put it on your favorite sticky note or a memo on your mobile or even on a file on a USB flash drive because this number alone doesn’t mean anything.
You could also use the first part of the password to make categories. Like social networking sites have as the first part. Important accounts (bank, OS account) have as the 1st part. and of course the 2nd part is randomized and different for each site.
Now let us take look on the resulting password. The result is a password that you remember very well, you can write the part that you don’t remember on anything, this part can be changed by any frequency since you don’t remember it from the beginning, you can create levels of security where for example the “not so important” passwords you can have them grouped with the same keyword that you remember well and they differ internally by the number that is generated randomly by the administrator and the best of all is that the password you just created is an alphanumeric password that is 10-16 characters length and very hard to break!
Ok, now Mr. Black hat, if you wanna a piece of me , come n' get it.
Monday, June 2, 2008
Passwords (part I ... The Problem)
How can you prove yourself?
Well, everyone wants to prove himself by working hard and so on but I didn’t mean that here. I meant how can you prove yourself literally?. How can we be sure that you are yourself?! If there’s somebody telling me “I’m Mr. John Doe”, probably I want him to prove it; maybe by showing me his national number identification card or something similar. But what about computers?
Since a long time passwords have been the most popular way for authentication and proving identity. Some new biometric techniques have evolved recently and have proven great accuracy and security. However, they are not used except in very sensitive places due to its high cost. According to a survey made by RSA Security and Nokia on different 505 large enterprises ; 66% of them relied on passwords to authenticate remote users. This survey leverages the importance of passwords and pushes security engineers to come up with password policies to ensure that the passwords are kept secured and uncompromised. On the other hand this seems to be like a very attractive target for black hats. A simple password compromised could mean a lot of money. And even worse, some hackers now once found a flaw in the system; could get in and cause chaos everywhere. Deleting files won’t be the worst nightmare. Sending false emails with inappropriate contents to the company’s clients is another form of fatal damage that could be caused. There's a great white paper i read recently in the reading room of sans.org named "Espionage – Utilizing Web 2.0, SSH Tunneling and a Trusted Insider" by A. Abdel-Aziz. It illustrates clearly that script kiddies are no longer the prevelant hackers.
Despite the obvious importance of keeping passwords secured and of course setting a password on everything private, a lot of people ignore this, claiming: “keep life simple”. Symantec recently have made a research concerning modern security threats . It indicated that more than 50% of households that have routers keep its default passwords unchanged! allowing black hats to wander around freely doing whatever they want and usually using your unsecured routers for their benefits (consider pharming).
On the business side, companies started to figure out the importance of having a password policy. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. These security policies are enforced by IT departments on the organizations’ employees to help keep the company’s data safe. On a random sample of 6,807 companies (in some survey in england) 49.7% of them enforced passwords more than 6 characters length and 36.7% more than 8 characters length. Also 51.2 % of these companies require both letters and characters in the password (e.g.: $4&@T).
This security awareness steps that the companies started to take towards more data security, are faced with the human nature. Non-IT employees still consider passwords of minor importance. Sticky notes, what a wonderful non-sophisticated non-electronic invention!!. A lot of employees tend to write down their passwords on sticky notes and stick it on their screens because the passwords themselves are hard to remember especially if they are alphanumeric characters with no meaning. Also another very bad habit is sharing passwords with other co-workers. In London, 66% of employee’s give their passwords to co-workers. However, the employee’s are somehow excused. The following pie chart shows the number of passwords that each employee has to memorize as part of his work
We can see that this is not a small number on average. Also a good security practice is to change the password every now and then which adds more burdens on employees to re-memorize new passwords whenever they are changed. Another survey on IT administrators was a question of “How often do you require users to change their passwords? “
The answer was ( for a sample of 529 Administrators) :
• 17% Every month (or more frequently)
• 18% Every two months
• 36% Every three months (or longer)
• 29% We do not require users to change their passwords at a specific interval
So Administrators are in a very tight situation here. The more they make the password easy the more it is easy to break. Black hat hackers use various techniques to crack passwords. Brute force password attacks are very common. However they rarely work. Dictionary attacks works very often but this type of attacks is avoided using non-meaningful passwords but as we said before this makes it hard to remember.
So WHAT ARE WE GONNA DO!!
to be continued ...
References that you might want to check:
Password Usage Survey, a study by SafeNet/Rainbow Technologies.
Information Security Survey, a study by Infosecurity Europe.
Password Practices Survey, a study by TechRepublic NetAdmin
Well, everyone wants to prove himself by working hard and so on but I didn’t mean that here. I meant how can you prove yourself literally?. How can we be sure that you are yourself?! If there’s somebody telling me “I’m Mr. John Doe”, probably I want him to prove it; maybe by showing me his national number identification card or something similar. But what about computers?
Since a long time passwords have been the most popular way for authentication and proving identity. Some new biometric techniques have evolved recently and have proven great accuracy and security. However, they are not used except in very sensitive places due to its high cost. According to a survey made by RSA Security and Nokia on different 505 large enterprises ; 66% of them relied on passwords to authenticate remote users. This survey leverages the importance of passwords and pushes security engineers to come up with password policies to ensure that the passwords are kept secured and uncompromised. On the other hand this seems to be like a very attractive target for black hats. A simple password compromised could mean a lot of money. And even worse, some hackers now once found a flaw in the system; could get in and cause chaos everywhere. Deleting files won’t be the worst nightmare. Sending false emails with inappropriate contents to the company’s clients is another form of fatal damage that could be caused. There's a great white paper i read recently in the reading room of sans.org named "Espionage – Utilizing Web 2.0, SSH Tunneling and a Trusted Insider" by A. Abdel-Aziz. It illustrates clearly that script kiddies are no longer the prevelant hackers.
Despite the obvious importance of keeping passwords secured and of course setting a password on everything private, a lot of people ignore this, claiming: “keep life simple”. Symantec recently have made a research concerning modern security threats . It indicated that more than 50% of households that have routers keep its default passwords unchanged! allowing black hats to wander around freely doing whatever they want and usually using your unsecured routers for their benefits (consider pharming).
On the business side, companies started to figure out the importance of having a password policy. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. These security policies are enforced by IT departments on the organizations’ employees to help keep the company’s data safe. On a random sample of 6,807 companies (in some survey in england) 49.7% of them enforced passwords more than 6 characters length and 36.7% more than 8 characters length. Also 51.2 % of these companies require both letters and characters in the password (e.g.: $4&@T).
This security awareness steps that the companies started to take towards more data security, are faced with the human nature. Non-IT employees still consider passwords of minor importance. Sticky notes, what a wonderful non-sophisticated non-electronic invention!!. A lot of employees tend to write down their passwords on sticky notes and stick it on their screens because the passwords themselves are hard to remember especially if they are alphanumeric characters with no meaning. Also another very bad habit is sharing passwords with other co-workers. In London, 66% of employee’s give their passwords to co-workers. However, the employee’s are somehow excused. The following pie chart shows the number of passwords that each employee has to memorize as part of his work
We can see that this is not a small number on average. Also a good security practice is to change the password every now and then which adds more burdens on employees to re-memorize new passwords whenever they are changed. Another survey on IT administrators was a question of “How often do you require users to change their passwords? “
The answer was ( for a sample of 529 Administrators) :
• 17% Every month (or more frequently)
• 18% Every two months
• 36% Every three months (or longer)
• 29% We do not require users to change their passwords at a specific interval
So Administrators are in a very tight situation here. The more they make the password easy the more it is easy to break. Black hat hackers use various techniques to crack passwords. Brute force password attacks are very common. However they rarely work. Dictionary attacks works very often but this type of attacks is avoided using non-meaningful passwords but as we said before this makes it hard to remember.
So WHAT ARE WE GONNA DO!!
to be continued ...
References that you might want to check:
Password Usage Survey, a study by SafeNet/Rainbow Technologies.
Information Security Survey, a study by Infosecurity Europe.
Password Practices Survey, a study by TechRepublic NetAdmin
Subscribe to:
Posts (Atom)
