Secure IT Foundation

Posts Tagged ‘password security

Well you won’t be alone, there is at least a quarter of a million others as well. If you get the email then do read the explanation from the UK AV company, Sophos and don’t take it personally. Have a read of the stats below from the US and feel lucky it was only your Twitter account, not your bank account or another site with access to your money. Simply put, you have a unique key for each lock for the car, house and work. Do the same with your passwords before your bank or ebay refuses to refund money lost due to user stupidity!
 Hacked Infographic

Thanks to OnlineCollegeCourses.com for use of this graphic

Advertisements

As can be seen from recent news of leaks of 100, 000s user names and passwords, regardless of the length or strength of your password, you should change it at least once a year for all your email, websites and computer accounts.

The reason being is that passwords are mathematically secure for a limited period of time. The longer time between you changing the password gives the bad guys longer time to crack it. Same also applies to your bank PIN numbers! So do your security a favour and do change your password (and your PIN numbers) at least once a year. Can’t remember your passwords then use a password manager like LastPass or write them down and store the paper securely. Better to change your passwords regularly with a bit of paper than never changing them or worse using one password for everything online!

You can read more about the topic of password cracking on wikipedia.

SecurityBrad

It has been difficult to avoid the news stories regarding a Dutch company called Diginotar and the prediction of the end of Internet security as we know it. Some stories have been based on facts, while others have clearly been written just to sell news or by those who have little comprehension of how the Internet and computers work.

To help explain the saga we have written a FAQ based on queries we have received.

Who is Diginotar?

Diginotar is a private company set up in 1998 to supply electronic identity management products including the issuing of ‘digital certificates’ for secure Internet transactions. In 2004 the Dutch government trusted Diginotar with the responsibility for providing digital certificates for all government / citizen interactions under a scheme called ‘PKIoverheid‘.

What are digital certificates?

Digital certificates are part of the technology which allows a home computer user to communicate securely over the Internet for important transactions like banking, paying bills, interacting with government services online etc.

Each time you see padlock in your browser, or the address bar turns green or you see https:// in the address you browser has established a secure channel over the Internet using complex mathematics to provide encryption.

If you think that most of your Internet activity does not involve using a secure channel, you can liken it to using a postcard to send a message to a friend in the real world. Anyone can read the message between you and your friend. This may be fine for arranging a meet in a bar but you would not the world to be able to view your banking transactions in the same way. This is where digital certificates come in, to provide secure electronic communications.

Each major company who wants you to communicate with them purchase digital certificates from companies like Diginotar, called Certificate Authorities officially. These Certificate Authorities verify the identity of the company wishing to buy a certificate, and issues the company with a unique code. When you want to establish a secure channel with your bank, your browser receives part of the unique code and checks that is really does belong to the company it claims to be. This proves that you are talking to the right company and allows a secure channel to start.

How does my browser know the identity of my bank?

Your browser e.g. Google Chrome, Apple Safari, Mozilla Firefox, Microsoft’s Internet Explorer etc all contain a list of trusted Certificate Authorities including Diginotar, each represented by a unique code. These companies around the world are trusted to provide digital certificates, some government owned but mostly private companies.

When your browser wants to verify the identity of the company or organisation e.g. a bank, it obtains the unique code from the digital certificate for the bank and mathematically checks it that it is valid with the unique code stored by the browser for the issuing certificate authority. If all checks pass then a secure channel is started. The proper name for this secure channel is an ‘SSL‘ connection.

The digital certificate gives you trust that you are communicating with the right organisation or company. Extra checks are made for a scheme called Extended Verification SSL certificates. When used, these ‘EVSSL‘ certificates are the type that make your browser address bar change colour to green, which highlights the verified nature of the company you are communicating with.

So what actually happened?

Based on the information published by Fox-IT BV, a major Dutch computer forensics company sited close to the Secure IT Foundation base in Rotterdam. It seems that hackers gained access to Diginotar’s internal computer systems as early as 6th June 2011. The hackers then attempted to make their own digital certificates. On the 10th July they succeeded in making a certificate which allow them to impersonate Google. The hackers continued for 10 more days making hundreds of digital certificates for major companies and computer systems.

Finally a security breach was detected by Diginotar on the 22nd July and an unnamed security company was called in to report, which they did on 27th July 2011. The same day, other security experts began to report unusual use of Google’s digital certificate and the next day traced it and it was being used in Iran. Diginotar went public on the security breach on the 30th August 2011, with the consequence that Diginotar’s validity as a certificate authority has been revoked by most browsers in recent updates.

While information is still being gathered and full facts may never be known publicly, it appears that the Iranian authorities have been able to intercept ‘secure communications’ with any of the companies impersonated by these rogue digital certificates by anyone using an Iranian computer network for about a month. In addition there was a potential for people outside of Iran to have been redirected to websites under the Iran authorities control, allowing for interception to occur to non Iranian citizens.

A similar attack on another certificate authority was made earlier in March 2011 on a US company called Comodo, which Comodo blamed fully at the Iranian authorities. However in this case only 9 rogue digital certificates were produced and the incident was stopped in a much shorter time frame than Diginotar.

How does this affect my home computer?

You may have noticed Mozilla and Google updated their browsers recently and Microsoft issued a patch via Windows Update. These changes remove the use of Diginotar as a valid certificate authority. If you visit a website using on of the rogue digital certificates then you should get a message not to trust the website you are communicating with. If you see a browser warning about the website’s authenticity then it is best not to continue the session and seek expert advice.

Outside of The Netherlands and Iran, most people will not see any impact from this security breach. Secure communications in Iran have become significantly harder but the most affect country so far is The Netherlands. Diginotar also managed part of the PKIoverheid system for secure Government communications so there has been some disruption to the service while new digital certificates have been issued to replace Diginotar supplied certificates. Thankfully the Dutch government had the sense to use multiple suppliers so the digital certificates issued by Diginotar have been replaced by one of the other three accepted certificate providers, without collapsing the whole Dutch system.

Is the problem now solved?

The dust has yet to settle and there are claims that other certificate authorities like Diginotar have also been compromised, however until new information is confirmed it does appear that the matter has been finalised. Diginotar’s continuing ability to trade is certainly going to be questioned as the initial findings from Fox-IT show Diginotar to be well below best practice for a security business.

By strong password, we don’t mean how much can it support if printed out in 3D lettering! We mean a password that cannot be easily guessed, is not found in a dictionary of any language, is made up of lower and upper case letters, includes those funny symbols from the number row on your keyboard and is over 8 characters longs.

To be sure, and please don’t email us your passwords to find out if they are strong, use the Microsoft password checker at the following address:

https://www.microsoft.com/protect/fraud/passwords/checker.aspx

Note the https:// in the link means it is a secure connection between you and Microsoft, but do not use if you worry about giving password information to Microsoft, their own privacy policy aside.

Do not use in the workplace as your own network may actually be more secure at home.

Warning though, if you have been held under RIPA being forced to disclose your password in the UK, do not use this service to see how strong the password really is, you know that password that you will not reveal the authorities, who would never be tapping your internet connection!

SecurityBrad

Currently the most popular method of securing a computer is to use passwords. This is an old technology that dates from the earliest shared computers. To understand why passwords on their own are not ideal for security, you need to understand a little history of early computers.

In the old days, many academics shared a very big computer called a ‘mainframe’, the type that took up a whole floor in a building! Only people with authorised access to the building could use the mainframe, and to keep the results and information separated, short passwords were used. 6 characters or shorter passwords were the norm like ‘god’, ‘robot’, ‘123456’ and ‘passwd’. As you had to be in the same building as the computer and knew most of the other users there was little need for security. Only when academic rivalry and corporate information stealing become widespread did the situation begin to change. The capability for longer and longer passwords were introduced with each new computer operating system. Windows XP and later can use over a 100 character long passwords, not that you would want to type that in every time you logged in.

Passwords are better than no security, but there are two major flaws in passwords. You have to type it in, and the way the computer sees the passwords.

When you type in a password, anyone watching can copy it. Technology called ‘keylogging’ allows a bad guy to copy the keystrokes you type in, either by attaching a device to your computer or by having software installed on your computer. This can be by a virus or by a legitimate application that has been modified by a bad guy before putting on a peer to peer network like Bittorent. You think you are saving money by downloading illegal software, but may be installing the bad guy’s keylogger for him! Once your details copied, you may not know until money comes out your bank account or unusual events start happening in your life.

The second issue is the way computers store passwords. The computer receives the keystrokes from the keyboard so if a password was ‘securityforall2009’ and the computer just stores this in readable text, then anyone with access to the hard drive could read the password. To make it harder for passwords to be read of a computer hard drive, a mathematical formula is used so that the computer converts the password into gibberish. When you enter a password the same formula converts you typing into gibberish, and if the two sets of gibberish match then you are let in. As usual with human designed technology, problems are found in the formulas, or ways to circumvent the whole password access are found. If anyone can physically access your computer (PC or Mac) they can change your passwords with a little time and skill using just a CD!

So what do you do if passwords are known to have problems, stop using them? In an ideal world yes, passwords would be consigned to the history book. There are other ways to identify the computer user e.g. fingerprints, iris scans, facial recognition but all have their own problems. You can give your password to someone intent on knowing it, but do you want your fingers cut off or eyeballs removed by a bad guy! Passwords can be changed if no longer secret while your biometric information cannot be changed so easily.

The best security method for proving you are who you are and you are authorised to use the computer, is to use ‘two factor authentication’ as it called. This combines a password (something you know) with a token / dongle (something you have). A bad guy needs to have both…

Dutch banks already use this method to secure bank accounts. You place your bankcard (something you have) into a device called an authenticator which gets you to enter your PIN (something you know) plus a code from the web page. This uses a complex formula to generate a code that can only be used once for the current session which proves it is you making the transaction. Because you need both items, the PIN and the bank card, it makes stealing your money on the Internet very difficult (but not impossible!).

So how do you get this ‘two factor authentication’ security on your home computer? Read part two.

SB

In the first part of this blog we told you about the history of password, the second part we explained how to create a secure password. The third part of this trilogy is to explain how to improve your security by using something you know i.e. a password, with something you have i.e. a token, dongle, USB stick, fingerprint reader etc. This is called two factor authentication. Although not foolproof it is more secure as the bad guys need more than just your password. Normally it means he must steal your two factor token so must know where you live and be able to get access. This geographic side of two factor authentication means the bad guys can’t use your computer, access your passwords or use your banking information (if you live in NL) without being in the same geographic space as you.

So what two factor authentication should I use?

Online

We already recommend you use software called ‘LastPass‘ to store all your passwords when online. To make this even better there are two options to add two factor authentication. First they allow you to use any USB stick to store a special file on it. After you enter your password to LastPass then it requires the USB stick to be inserted to prove it really is you. Their second option is to combine the two factor authentication using a Yubikey which gives a code when inserted into your USB slot that LastPass can read to prove it is you. The Yubikey is more secure than just a USB stick as the token cannot be copied so easily, but either method is better than just using a password on its own.

Offline

To logon to your Windows computer you cannot use an Internet based solution for two factor authentication. For local access using a password and a token, then you need a different approach.

If you already have encrypted your hard drive using TrueCrypt then you have done half the work. It is possible to add a USB stick storing a special file to prove it is you, to the TrueCrypt settings. See the guide here. It is even possible to tie it to a smartcard but this can become an expensive option if you have many users.

Windows for home computers can be converted to use two factor authentication, like many big companies who use smart cards or token, using the Rohos software product, which works with many device types or just an ordinary USB stick. It is a matter of personal preference if you like to use a USB stick with TrueCrypt plus a different method with a Rohos device for the ultimate in dual two factor authentication, but personally the TrueCrypt with password and USB stick is the simplest. It keeps your hard drive encrypted and provides secure pre boot authentication.

Another popular method is to use fingerprints. Many laptops have fingerprint readers built in to them, and the manufacturers offer various forms of software to make the most of it. Also you can buy USB based fingerprint readers like the DigitalPersona U.areU. devices. Problem with fingerprints is in the situation if you were forced to hand over your computer accounts to a bad guy.

If you have read the Home Computer Policy then you will have all your computer and password manager accounts written down on one piece of paper, stored safely. If you are forced by a bad guy to hand over your passwords then you can give them the piece of paper, without the shock of the bad guys affecting your memory, and hopefully they leave. If you then tell them you have a fingerprint based solution they will need your fingers. Worst case you will be going with them to provide the access at their safe location and then you will be surplus to requirements and know too much about the bad guys… or best case just fingerless. Better to give out the information and enable the bad guys to make a clean exit then becoming a problem to them. Changing your passwords to online information is easily done before they can use the information, so the only loss would be the information on the hard drive. As long as you have a recent backup of your computer then the damage will be limited in scope and the risk will be known.

No solution is perfect or unbreakable despite many media claims. There is always a human involved! So use simple two factor authentication with a USB stick containing your TrueCrypt pass file, plus a strong password. You will be more secure than most but without the expensive of becoming MI6 or the CIA.

SB

Last time we discussed the history of passwords, this week  you will learn how to create a secure password and next week what two factor technology can be used to secure your computer accounts and passwords. To understand what is a secure password you need to know how the bad guys can break your password. There are two types of accounts that can be broken into, Windows or Mac user accounts or website accounts.

Web Accounts

For web site accounts, imagine you login to website X with a user name and password. The bad guys also do the same to try to get access to your account. As your user name may well be the same name you use on other websites or publish using Facebook, Hyves, Myspace etc they may already know this, so they try to crack the password. The way this is done by the bad guys is they use a long lists of words, letter, phrases stored as a text file on a computer and try each one on web site X. If it lets them in, they have cracked your password.

Their list is made up of words from dictionaries in all languages, plus lists of passwords from previous cracked passwords. If the list of thousands of entries does not work for the bad guys they have another method up their sleeve. They take their list of words and run it through a computer program which modifies the words with numbers, capital letters and symbols and they try this new list. If that does not work then they can use the same program to generate every possible combination possible and try that. This list of every possible password only works on one website and can take months or years to make but a determined bad guy has patience.

Computer accounts

Just like web site accounts, computer accounts can be broken into using the word lists of the bad guys. One advantage with computer accounts for bad guys, is normally your user name is shown on screen and only the password is needed. However if the bad guy has access to your computer in person, then your computer is easily broken into without additional security. The Mac operating system, like all UNIX based operating systems (including Linux) have what is known as ‘single user mode’. With a Mac you only need to hold down the apple key and ‘s’ to access it and it will let you change any password. Windows is different but nearly as easy. There is a CD that resets the administrator account see here.

Create a secure password

Firstly to create a secure password, the goal is to create a line of characters that cannot be guessed or cracked. You know now that that given time any password can be found, so what do you do? Simple – just change your password (and PINs!) at least twice a year. Ideally this should be about 30 days as it will take the bad guys longer to work out your password, but that is not the most practical advice. So what do you do to create a secure password, knowing that it will have to be changed in 6 months at most.

  • Should be over 12 characters long with letters, numbers and symbols like ‘!”£$%^&*(){}:@~<>?’ and not made up of just words found in a dictionary, and never the same as your user name.
  • Too hard to remember then the next best thing is a long combination of words commonly known as a sentence e.g. “Mary had a little lamb and 1 ate it for lunch” or “My hi-fi came from the back of a lorry”. Count the number of letters / spaces and both examples are over 20 characters long and would be hard to guess. Spaces do count but must not be used at the start or end of the password. These sentences are known as pass phrases.
  • Note – our examples are for a guide only, please don’t use them yourself – don’t be that silly, the bad guys will have copied them already to their list of words!

What can you do?

  • Encrypt your whole hard drive and use ‘pre boot authentication‘, this makes the above methods of resetting passwords impossible without knowing the ‘pre boot password’, as the disk is not readable. Sounds hard? See the Truecrypt website or call in a security professional to do it for you.
  • Change your password regularly. If someone has captured the gibberish that is a password as a computer sees it, they will eventually over time be able to break the formula protecting it. Changing it often makes this pointless.

SB



  • Coldwind: Couldn't agree more. I downloaded a piece of software just now, disabled the 'toolbar' 'offer' (which fortunately for me has become a reflex); but co
  • ModemJunki: I only discovered this today - I had updated the firmware to the latest out of habit, and I could STILL access my TrendNet cams on the local network w
  • PrentOS – a Simple Secure Computer « Secure IT Foundation: [...] September 2010 we said it was time for a brand new start to computing, well it is starting to take shape… [...]

Categories