Sunday, June 22, 2008

My Car is super highly Secured

I went to a friend of mine yesterday and sadly I forgot the keys inside the car and locked the doors. Usually in these situations I have to go back home and get my spare keys. But this time it was different. One of my friends said "wait, I have a master key that opens all cars!". I was like "hahaha ok that's a joke, so what are we going to do now". And then I was surprised that he actually was trying to open MY CAR with HIS car's keys!!! The strangest thing was that it opened!! If I hadn't seen this myself I would have thought it was a trick. My car is a Hyundai and his is a Slavuta!! And it seems that he's tried this before on different cars. Although my car is old, it's not that old!! I think I'm gonna have to use my new security alarm system on that car. But only after I fix it, because it got hit in an accident on the very same day! :D

Tuesday, June 10, 2008

Passwords (part II ... Suggested solutions)

Well, here we are with passwords again. I talked earlier about the importance of passwords and their risks. Today I wanna talk about best practices.
Generally, system administrators advise employees to follow these practices to keep their passwords secure:

• Use very long passwords. It's OK for the password to have a meaning if it's long enough (a sentence of 100 characters, for example). But this means you'll have to memorize a new sentence every now and then, and even a different sentence for every site or program, because you don't want a single compromised password to expose all your secrets and identities.

• Add alphanumeric characters (mixed letters and numbers) to your passwords to make them harder to guess. (And of course you'll also make them harder for yourself to remember!)

• Use alternating case, for example (TeStPasSworD). This pattern also hardens passwords but still has the drawbacks mentioned in the previous points.

• Add some special characters that are not on the keyboard. It's a good trick that few people know: you can enter a character that is not on the standard keyboard by holding down the (Alt) key and, while holding it, typing the UNICODE numerical value that corresponds to the special character. For example (Alt + 1223) gives (╟). This technique is actually very powerful, but a lot of password providers restrict the characters that can be entered in a password to a limited set.

Building on all the previous practices, I suggest a trick that tries to make things easier on the user and harder on the cracker. Every one of us has a favorite password or two that he remembers very well. Well, why don't we use this password plus some additions that make it harder on the cracker but still easy on you?

The technique I'm describing here uses a password that consists of two parts. The first part is a password that you know very well and remember (6-10 characters). The second part is a number (4-6 characters) that is changed every now and then and is different for every program or site. You don't have to memorize this number. You can put it on your favorite sticky note, in a memo on your mobile, or even in a file on a USB flash drive, because this number alone doesn't mean anything.

You could also use the first part of the password to make categories: for example, all social networking sites share one first part, important accounts (bank, OS account) share a different one, and of course the second part is randomized and different for each site.

Now let's take a look at the resulting password. It's a password whose first part you remember very well, while the part you don't remember can be written down anywhere and changed as often as you like, since you never memorized it in the first place. You can also create levels of security: for example, the "not so important" accounts can be grouped under the same keyword that you remember well and differ only by the number that the administrator generates randomly. Best of all, the password you just created is an alphanumeric password that is 10-16 characters long and very hard to break!
OK, now Mr. Black Hat, if you wanna piece of me, come n' get it.
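Here is the two-part scheme as a small added Python script (my example, not code from the original post): it draws the per-site numeric part with `secrets`, keeps it on a JSON "sticky note" that contains no memorized part, lets you rotate one site's number, and reports how many guesses the numeric part alone is worth, so you can see that the memorized part is what really carries the secret. `MEMORISED_PART` and the site names are constructed placeholders.

```python
import json
import secrets
import string

# Constructed example of the memorized first part (6-10 characters).
# In real use this is the one password you already remember well.
MEMORISED_PART = "Tr0ubad0r"


def new_suffix(length: int = 6) -> str:
    """Random numeric second part (4-6 digits), one per site, never memorized."""
    if not 4 <= length <= 6:
        raise ValueError("the scheme uses a 4-6 digit second part")
    return "".join(secrets.choice(string.digits) for _ in range(length))


def compose(memorised: str, suffix: str) -> str:
    """Full password = memorized part + per-site numeric part."""
    return memorised + suffix


def suffix_guess_space(length: int) -> int:
    """Guesses needed to exhaust the numeric part alone, i.e. how much
    protection the written-down part adds once the memorized part is known."""
    return 10 ** length


def make_sticky_note(sites, length: int = 6) -> str:
    """The 'sticky note': per-site suffixes only, no memorized part, as JSON text."""
    return json.dumps({site: new_suffix(length) for site in sites}, indent=2)


def load_note(note_json: str) -> dict:
    """Read the sticky note back into a {site: suffix} mapping."""
    return json.loads(note_json)


def rotate(note_json: str, site: str, length: int = 6) -> str:
    """Change one site's number without touching the memorized part."""
    note = load_note(note_json)
    note[site] = new_suffix(length)
    return json.dumps(note, indent=2)


if __name__ == "__main__":
    note = make_sticky_note(["mail.example", "bank.example"])  # constructed sites
    print(note)
    print(compose(MEMORISED_PART, load_note(note)["bank.example"]))
    print("guesses for the numeric part alone:", suffix_guess_space(6))
```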

Monday, June 2, 2008

Passwords (part I ... The Problem)

How can you prove yourself?

Well, everyone wants to prove himself by working hard and so on, but I didn't mean that here. I meant: how can you prove yourself, literally? How can we be sure that you are yourself?! If somebody tells me "I'm Mr. John Doe", I probably want him to prove it, maybe by showing me his national identification card or something similar. But what about computers?

For a long time passwords have been the most popular way of authenticating and proving identity. Some new biometric techniques have evolved recently and have shown great accuracy and security. However, they are only used in very sensitive places due to their high cost. According to a survey made by RSA Security and Nokia of 505 different large enterprises, 66% of them relied on passwords to authenticate remote users. This survey underlines the importance of passwords and pushes security engineers to come up with password policies to ensure that passwords are kept secure and uncompromised. On the other hand, this makes passwords a very attractive target for black hats. A single compromised password could mean a lot of money. Even worse, some hackers, once they find a flaw in the system, get in and cause chaos everywhere. Deleting files won't be the worst nightmare; sending false emails with inappropriate content to the company's clients is another form of fatal damage that could be caused. There's a great white paper I read recently in the reading room of sans.org named "Espionage – Utilizing Web 2.0, SSH Tunneling and a Trusted Insider" by A. Abdel-Aziz. It illustrates clearly that script kiddies are no longer the prevalent hackers.

Despite the obvious importance of keeping passwords secure and, of course, of setting a password on everything private, a lot of people ignore this, claiming "keep life simple". Symantec recently did research on modern security threats. It indicated that more than 50% of households that have routers keep the default passwords unchanged, allowing black hats to wander around freely, doing whatever they want and usually using your unsecured routers for their own benefit (consider pharming).

On the business side, companies have started to figure out the importance of having a password policy. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. These policies are enforced by IT departments on the organizations' employees to help keep the company's data safe. In a random sample of 6,807 companies (in a survey in England), 49.7% of them enforced passwords longer than 6 characters and 36.7% longer than 8 characters. Also, 51.2% of these companies require both letters and non-letter characters in the password (e.g. $4&@T).

These security awareness steps that companies have started to take towards better data security run up against human nature. Non-IT employees still consider passwords of minor importance. Sticky notes, what a wonderful, unsophisticated, non-electronic invention!! A lot of employees tend to write down their passwords on sticky notes and stick them on their screens because the passwords themselves are hard to remember, especially if they are meaningless strings of alphanumeric characters. Another very bad habit is sharing passwords with co-workers. In London, 66% of employees give their passwords to co-workers. However, the employees are somewhat excused. The following pie chart shows the number of passwords that each employee has to memorize as part of his work:



We can see that this is not a small number on average. Also, good security practice is to change passwords every now and then, which puts a further burden on employees to re-memorize new passwords whenever they change. Another survey asked IT administrators "How often do you require users to change their passwords?"

The answers (for a sample of 529 administrators) were:

• 17% Every month (or more frequently)
• 18% Every two months
• 36% Every three months (or longer)
• 29% We do not require users to change their passwords at a specific interval

So administrators are in a very tight spot here. The easier they make the password, the easier it is to break. Black hat hackers use various techniques to crack passwords. Brute force password attacks are very common; however, they rarely work. Dictionary attacks work very often, but this type of attack is avoided by using non-meaningful passwords, which, as we said before, makes them hard to remember.

So WHAT ARE WE GONNA DO!!

to be continued ...

References that you might want to check:
Password Usage Survey, a study by SafeNet/Rainbow Technologies.
Information Security Survey, a study by Infosecurity Europe.
Password Practices Survey, a study by TechRepublic NetAdmin