Securing your Passwords

Password Security Explored

In this article we will discuss the security issues surrounding passwords. We will show how passwords can be compromised, how to ensure you maintain a good password set, and we will provide links to tools that can be used to audit your passwords’ effectiveness.

A password is usually the first and sometimes the only security defense guarding sensitive data. With all of the modern tools and technology that your business or home network may employ, the password can act as a “window” in a largely inpenatrable fortification. As a systems administrator, I feel that a compromised password may not be a top priority for your IT staff. Large and mid-size companies have other measures in place to protect the sensitive corporate data. A compromised password may effect you more personally though. Because your password is the primary security measure in place, if someone can gain access to your password(s) they can have access to all of the information that password protects. In most cases a person’s password is the same from business to home, which can translate to total access of your personal information. The intruder could then gain access to your business/personal contacts, they can run malicious programs that “sniff” out other passwords (i.e. email, financial) and they can do all of this undetected because you have no way of knowing your password has been stolen.

Password security, like network security, is more of a philosophy. For your password to help protect you, you must help protect your password.

First let’s discuss choosing a password. Since a password is so important to your overall security it should not be chosen in haste. I would highly recommend using a password generator. Password generators create a random password that consists of letters, numbers and symbols in no distinguishable order. These generators can be downloaded to your computer or usb drive, there are also some on-line password generators. At the bottom of this article I will provide links to some well known password generators.

If you choose to create your own password you should keep the following in mind:

• Choose a seemingly random set of letters, numbers and symbols while varying the case. (i.e. TXUu39!Q$66)

• Choose a lengthy password roughly between 8 and 12 characters

• If you have many password protected accounts, choose a password that can be decramented. (i.e. TXUu39!Q$66 -yahooID, TXUu39!Q$65 -googleID, TXUu39!Q$64 -workID)

• Which brings me to my next point … pay attention, this is important … Do NOT use a universal password! If the password to your workID account is compromised then all of your accounts have been compromised. You don’t use the same key for your house, car, and lockbox, do you?

• Finally, memorize! Don’t write your password(s) down and don’t write down an obvious hint. Simply say your password in your head for a while and memorize it.

Next, let’s take a look at what the Bad Guys are doing to compromise your passwords.

Most people today that have a computer also have some sort of Anti-Virus software installed. This software protects you from a variety of viruses and malware programs, including some of the favorite programs used by attackers … Keyloggers. These nifty little programs contain a very small footprint on your system resources and can run in the background collecting all of your keystrokes, web pages visited, and sometimes programs launched. Keyloggers are definitely one of the best ways to spy on a user or set of users on a computer. Keyloggers do not have to be programs run on your machine either, attackers can actually attach a hardware keylogger to the back of your computer (plugged directly into your keyboard port). Needless to say not many people (at least marginally sane people) check the back of their computer everyday for keyloggers! Other methods of obtaining your passwords can be a little more sophisticated, like: wireless traffic sniffing, dictionary attacks, man-in-the-middle attacks, memory image forensics, and much more!

By this point you are probably getting a little paranoid, if you’re not then you should be. These methods I just mentioned and the tools that employ them are being distrubuted over the internet freely and for the use of many different skill sets. Some of these hacking tools have become as easy as clicking a button. So you might be asking yourself, “How do I protect myself from these types of attacks?” The short and disturbing answer is “you can’t”, but that is a result of only the most determined attackers. For the casual kid in the basement attack there are some things you can do to protect your passwords.

Here are a few:

• Create a good password (as mentioned above)

• Don’t share your password with ANYONE

• Change your passwords regularly

• For those of you afraid of keyloggers, try filler characters. If you are entering your password “flower81″ start by typing “fl” in the box, then click away and type rubish “asdkf;lkj” then click back into the box and finish with “ower81″. If a keylogger is present your password will look like “flasdf;lkjower81″.

• Do not go to sensitive areas (like bank websites) when you are unknown or “coffee shop” networks.

• Always look for the “https” or secure lock icon on your browser when entering sensitive areas. (Https means your communication is encrypted)

• Always lock your computer or laptop before leaving it.

• Don’t use important dates or names for passwords.

• I’m going to push this one again … Memorize your passwords!

Following these rules can help deter attackers and help protect you from potential headache or worse, Identity Theft!

As I promised, here are a few links to some great password applications.

Online password strength tester: Microsoft Password Checker

Online password generator: www.techzoom.net/security-password.

Password generator and safe: Keepass (Highly recommended!!)

Secure your communication: PGP

Secure your data: True Crypt

Enjoy!

Protect your Wireless Network

Old Wireless Router = Security Decoy

Many people today have switched from their old 802.11B wireless routers to an updated 802.11G. Considering that wireless G has a greater range and faster transfer rates many people have decided to ditch their old wireless routers. Well, don’t throw that old wireless router away just yet. You can use this old router to confuse and deter would-be hackers and wardrivers. If you have recently purchased a router (depending on the model) you have probably noticed an SSID option. Your SSID is simply the name you give to your wireless access point. For example, Linksys routers have a default SSID called “Linksys”. This means when you search for wireless networks you will see an access point based on their SSID name.

If you haven’t figured it out, having an extra wireless router can offer a special network security benefit. You can use your old wireless router by applying power to it and positioning it next to a window or outside wall. The old wireless router will act as a network decoy to the would-be bandwidth moochers or network attackers. They will see the stronger wireless signal and think they are connecting to your network, when in fact they will not be connecting to any part of your network.

Further Security Details

Your main wireless router should have some security features already in place. At minimum, those features should include:

• Encryption (WPA-PSK or WEP)

• SSID Modification

• A Router password

I will explain in a later Article how to apply encryption to your wireless network but for now know that if you have the choice between choosing WPA-PSK or WEP, choose WPA-PSK. WPA-PSK is easier to use and offers much better security features. (Do not use encryption on your decoy wireless router. We want people to be able to connect to the decoy with little or no effort.)

What is meant by SSID Modification? Simply put, you need to change your default SSID to something uninformative and mildly obscure. If your router gives you the option to turn off your beacon or turn off your SSID broadcast, then you should definitely employ this option. Let’s say you live in a neighborhood or an apartment complex and you choose your SSID to be “The Smith Family” or “John’s Network”, everyone who is in proximity of your wireless signal will see this description. Most hackers and attackers want to gain something from their efforts, so if you choose a descriptive name associated with your home or your person, hackers now have a target. (This precaution should also be taken for the decoy wireless router. You do not want to announce your location or the fact that you are hosting a wireless connection to anyone.)

Finally, you need to set an “Admin” password for your wireless router. In many cases, when you buy a wireless router there is no password set or it is manufactured with a default password. If a new password is not set, anyone that can connect to your router can also make changes to your router settings. If this happens, many critical security issues can arise and a more sophisticated hacker could forward all the information you send to and from other computers (i.e. bank servers) through his machine first. This is known as the ‘man-in-the-middle’ attack and your most secretive information can be compromised. Here is a bit of proof that your default passwords are not safe. It is also one more reason to change your default SSID, if I was connecting to a “linksys” router I would use this list to locate a linksys default password. (This precaution should be taken for the decoy wireless router as well, if someone could log into your decoy router they could easily find out that router’s purpose in your home.)

Re-Cap

You can use your old wireless router as a decoy for would-be hackers and bandwidth pirates.

First, you must secure both routers in the following manner:

• Main wireless router should employ at minimum:

• Encryption (WPA-PSK or WEP)

• SSID Modification

• A Router Password

• Decoy wireless router needs:

• SSID Modification

• A Router Password

Second, your decoy wireless router should be placed next to a window or outside wall and should ONLY have the power connected to it.

Finally, …monitor. Depending on your decoy router features you may be able to log the number of computers that connect to your decoy. If not, you can always monitor by logging into your decoy and looking at your LAN status. By monitoring the number of people that connect to your wireless decoy you can effectively gauge the traffic and potential risk you assume when you host a wireless network.

Protecting your Identity

Identity Theft

Protect whats yours, don’t be another statistic.

” To secure your identity is to alter your way of thinking, a cautious and inquisitive mindset will help you protect your personal identification. “

What are thieves looking for? - Identity theft is almost always a crime of opportunity.

• Account Information. (i.e. numbers, maiden names, card types, pin numbers, exp. dates)

• Social Security Numbers.

• Drivers License.

These are the three basic needs of any identity thief, however, it is important to note that any one of these may lead to troubling times. Identity theft is becoming easier and more abundant because thieves are using the internet to exchange information and sell your identity.

Ways your identity can be stolen. - Most people don’t know their identity has been stolen.

• Internet Phishing Scams - Rouge websites posing as valid sites to gain your account information.

• Credit Card “Skimmers” - Small devices that can scan a credit card and retrieve all needed information from it. This can be used to duplicate credit cards.

• Phone or Email Inquiries - Someone calling or emailing you wanting you to verify account information.

• Computer “Hacking” - Hackers these days are not looking to just mess with your internet site or steal your meeting minutes, hacking is big business, they want some reward for their effort. It is more likely if a hacker is attacking you or your company they know what they are looking for and they know it will produce some value for them. Internal computer hacking is a much bigger threat than a random person on the internet.

• Your Person - You are sometimes the primary cause of identity theft. Keep only the nessacaties in your wallet or purse. Be conscious of your surroundings and your situation. Don’t be quick to give out information just because they ask for it. (i.e. You don’t need to give out your phone number to buy some batteries!)

Analyze the way you think, be conscious of your situation and only give out information if it is necessary. Be proactive in protecting your identity, practice it, and make it routine.

How you can protect yourself.

• Ask Questions - Don’t think that the phone company needs your social security number, ask them why. Some compaines such as financial institutions need it to run a credit report, other compaines gather this information as a convenience or for their own account verifications.

• Keep a separate CC for online purchases - I recommend that everyone has a separate card with a small limit, strictly for online purchases. If your card number is ever stolen, you know your purchases and your card limit will not effect your credit score.

• Have an IT professional help secure your network - An IT professional will be able to find security holes that you may not be aware of, remember it is their job to stay current with technology.

• Internet Consciousness - Don’t reply to rouge emails, watch out for insecure websites. If you are making a purchase or checking your account information make sure the site is secure (https://) and there is not a certificate violation.

• Check your financial records - Check your bank statements each month, look for unusual purchases. Online banking has made it easier to check your purchases with real-time updates. Be aware of your credit score, monitor it regularly, monitor it regularly, monitoring does NOT lower your score.

• Protect your documents - Keep your important documents in a secure place, like a lockbox or safe. Destroy your mail, shred any evidence of your existence in your mail. Don’t let a dumpster diver find you. Secure your laptop and thumbdrives, these portable devices can sometimes contain very personal information about you or your company, make sure they are readable by you only.

” There are an infinite number of ways your identity can be compromised, protecting it starts with you. “

10 Ways to Secure your Computer

Top Ten Ways to Secure Your System

1. Use anti-virus software and update it regularly.

If you have a PC, antivirus software is a must. Many companies offer antivirus software and some are even freely downloadable.

2. Keep Windows and your other software current.

Keeping your OS and your software up-to-date is crucial. Many patches and vulnerabilitie fixes that can pose a major threat to your software are offered through updates.

3. Strengthen your passwords.

Creating a hard to guess password is, in most cases, the first and only line of defense against an attacker. Try not to use passwords that have significant value to you. There are many random password generators on the web, but if you create your own then be sure to use letters, numbers and some special characters.

4. Enable your Windows firewall or a third party firewall.

Firewalls are used mostly to block ports and malicious internet requests. In most cases using a firewall will hide your existance on the internet from would be attackers. If you use a router you already have a firewall.

5. Use anti-spyware software.

If you are an internet web surfer then you need anti-spyware software. Spyware programs are the annoying programs that tend to make your internet experience and your computer slower. Collecting a bunch of these programs could lead to an alomost worthless computer. There are many free anti-spyware programs on the web.

6. Be cautious of installing computer software from unknown sources.

A big portion of the spread of viruses and spyware today is due to users installing software they “found” on the internet. While the software may look appealing and useful, it may contain viruses and malware code.

7. Be cautious of downloading email attachments from unknown sources

Another great way to transmit viruses and worms is by downloading email attachments from unknown sources. Rule of thumb: if you are not expecting an attachment, don’t open it!

8. Encrypt or password protect your files.

This is especially true if you own a laptop or a thumb drive. A great way to do this is by downloading the free software called True Crypt. I use it and it works great!

9. Secure your wireless connection.

If you are connected to a network wirelessly this step is a must. Without wireless security features such as WEP or WPA-PSK, you are leaving your internet transmissions open for capture. That’s right! By not using wireless encryption methods, hackers can use techniques to “listen in” to your internet browsing. They can gain passwords, account numbers, and other personal information.

10. Back Up! Back Up! Back Up!

I hope we got our point across. Back up’s are extremely important and can save you from a major headache and heartache. Just think of your impressive music collection or all of your priceless family photos … gone in a flash! If just the thought of this doesn’t set you running for an extra hard drive, then the what about all those hours of financial data you’ve set up in Quicken or Money? Your best bet is to find a back up solution and stick with it, trust us.