Ten Ways to Dodge CyberBullets, Part 4

4. Good password practice

Use different passwords for your computer and online services. Also, it’s good practice to change passwords on a regular basis and avoid simple passwords, especially those that are easily guessed.

It’s debatable whether enforced, frequent changes of hard-to-remember passwords are always constructive (they can force the user to write down passwords, for example, which may well swap one security problem for another).

However, you should certainly be aware that if some miscreant guesses or cracks one of your passwords, using different passwords for other services and for your system passwords drastically limits the damage that he or she can do. If, on the other hand, you use the same password for different accounts, you run the risk that one lucky guess will give the cracker the keys to the kingdom. Indeed, it’s likely that one of the reasons that quite trivial accounts are sometimes phished is that they give a cracker a head start on guessing the password for other, more profitable and more easily plundered accounts.

Password Selection Strategies

It’s good practice to avoid using single, fairly short passwords. Some Trojans use comparatively short, generic lists of commonly used passwords such as “aaaaa,” “password,” “qwertyuiop,” “StarTrek,” “mypassword,” “123456.” If you don’t believe that such stereotypical passwords represent a significant problem, check out “The Top 500 Worst Passwords of All Time” at http://www.whatsmypass.com/?p=415.

At the other extreme, a dictionary attack may use not only common “strings” of characters like these but lists of hundreds of thousands of real words. This may strike you as being a little over the top for capturing your Twitter credentials. However, modern computer systems are fast enough to carry out an automated attack like this far more quickly than you might think.

Here are some approaches best avoided:

  • Any correctly spelled English word, especially one which is likely to be recognized by operating system or application spell-checkers and so on. Using regional spellings, such as those from the UK, is unlikely to offer any extra protection.
  • Any correctly spelled non-English word; exceptions may be a little more acceptable in obscure languages as long as they’re not in languages you’re “known” to speak, but you are still at risk from dictionary attacks that use long, multi-language word lists.
  • Any part of your own name or username, let alone a duplication of your username (this is called a “Joe” account, and it’s one of the first things a password cracker (human or automated) looks for when it comes to trying to guess a password).
  • Any part of the name of a member of your extended family (including pets) or, worse, a colleague, your boss, or, in fact, anyone’s name. Place names are often easily guessed, whether because of an obvious link to you (if you live in Springfield, Springfield is definitely not a good password choice, for instance), or because word lists used in dictionary attacks are likely to contain common place names.
  • The name of the operating system you’re using (or accessing remotely), or the name of the PC you’re using, or the name of the service you’re accessing, or the hostname of a server you’re accessing. Well, you get the idea.
  • Personally significant numbers (phone number, car license number, National Insurance or Social Security Number, someone’s birthdate — save them for picking lottery numbers).
  • Your favorite or most-hated objects, food, movies, TV programs.
  • Easy associations with favorite or most-hated things; for instance, “Swan_Lake” may not be a good password for a ballet fan.
  • Song, book and movie titles, famous people, cartoon characters, etc. Particularly not recommended are ‘CharlieBrown,’ ‘Snoopy,’ ‘Kirk,’ ‘Spock,’ ‘Homer,’ ‘Garfield,’ ‘Dilbert,’ ‘Grissom,’ ‘Oprah’…
  • Anything so unmemorable you have to write it down, unless you take reasonable precautions to protect the paper you write it on.
  • A Post-It on your keyboard or monitor is not a reasonable precaution, unless you work in a room that can’t be accessed by other people. Nor is a piece of paper taped to the CD or USB device it’s intended to give access to. A piece of paper in your wallet or laptop bag is vulnerable to loss or theft. At the very least, take measures to avoid its being easily identified as a password, and don’t make it obvious which system/file/account it refers to. Don’t write down the actual password; use a mnemonic device or some means of disguising it such as scrambling and interleaving letters.
  • Anything with the first or last character uppercase and the rest lowercase, unless it’s a really tricky passphrase. Any example passphrase you’ve come across as in a textbook or a blog.
  • Any short passphrase consisting of a single word (system permitting — some systems actually severely limit the range of characters you can use).
  • Anything consisting entirely of letters of the alphabet.
  • Obvious anagrams of any of the above, especially simple reversals.
  • Obvious variations such as appending or prepending a digit to one of the above or an anagram thereof, or obvious substitutions of digits for letters: “pa55w0rd,” for example.
  • Reusing passwords can be really bad news. You don’t want to use the same password for your computer logon as for your bank. Important information should be protected with unique and strong passwords.

Filling the Cracks

Techniques that may help in slowing down password breaking by guessing or simple dictionary attacks include the following suggestions. The more combinations of techniques you use in a single password, the more effective they’re likely to be. However, sophisticated crack programs will attempt to counter many of these strategies.

  • Embed control characters or non-alphanumeric symbols such as digits, punctuation marks and symbols (where the system allows this).
  • Misspell (but consistently!) “Dis passéfrase 1s kwite gud bot wd b betr wiv sum #s & karakters that r nut alfan00meric.”
  • Unorthodox caPitaliZation Use a personally significant acronym, e.g., ICRMFPW (I Can’t Remember My Friendly Password) Link together two words, possibly with a symbol as a delimiter, e.g., egG^rIbBoN.
  • Replace letters with digits or equivalent characters, and words with abbreviations, e.g., BunZ4T, NeWz@10.
  • Interleave two words, e.g., RmAaInN.
  • Interleave a word with a numeric string, e.g., f9L7a0s8H.
  • Don’t use the same password on several machines. However, sensible variations might be acceptable, subject to the rules mentioned above, e.g., VdOOmAX, UdOOMniX, dOOCPM. Still, this example has the disadvantage that if an attacker gets one of these, he’s well on the way to guessing the rest.
  • Changing your password regularly is important. How frequently you change your password will depend upon how important the information you are protecting is. Generally, once every three months is a really good idea. That way, by the time a computer has cracked a good strong password, you will have already changed it!
  • One of the problems with multiple passwords is remembering them all. Tools like Cygnus Password Corral (http://cygnusproductions.com/freeware/pc.asp), Keepass (http://keepass.info/), and 1Password (http://agilewebsolutions.com/products/1Password) can be really helpful. Just remember that you need to keep your “keysafe” application on a very safe

Ten Ways to Dodge CyberBullets, Part 3

This is the third in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

3. Do you need administrative privileges?

Log on to your computer with an account that doesn’t have “Administrator” privileges to reduce the likelihood and severity of damage from self-installing malware. Multiuser operating systems (and nowadays, few operating systems assume that a machine will be used by a single user at a single level of privilege) allow you to create an account for everyday use that allows you less privileges than are available to an administrator.

Most competent system administrators are familiar with (and adhere to) this “principle of least privilege” – simplistically, the more privileges you have as a user, the more damage you can do – and use a privileged account only when it is needed to perform a specific task. Following their lead will give an extra layer of protection. However, as always, you shouldn’t think of this as any sort of Magic Bullet. Apart from the fact that there is no Magic Bullet, some modern operating systems have somewhat diluted the least-privilege model, making it rather easy for a user with little knowledge of the security implications of administrative privilege to use it nappropriately, exposing the system to threat.

Police warn of money-stealing computer virus

Malicious software impersonates the Metropolitan Police e-crime Unit (PCeU)

The Metropolitan Police is warning the public to be aware of a computer virus that impersonates its e-crime unit in an effort to steal money from unsuspecting users.

The malicious software infects people’s computers after users access certain websites. The police did not name specific sites, and only said that “various websites” were affected.

Once infected, the virus freezes and locks the PC, and a message (pictured) claiming to be from the Metropolitan Police Central e-crime Unit (PCeU) accuses the user of accessing pornographic websites and tells them that they have to pay a fine to unlock their computer.

This is a fraud and users are advised not to pay out any monies or hand out any bank details. Genuine law enforcement agencies would never contact members of the public via this method and demand funds in this way.

People who have fallen for the scam and handed over money should report the matter to their card issuer immediately and report the offence to their local police.

Ten Ways to Dodge CyberBullets, Part 2

This is the second in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

2. Catch the patch batch

Keep applications and operating system components up to date with automated updates and patches, and by regularly reviewing the vendors’ product update sections on their web sites.

This point is particularly relevant right now, given the continuing volumes of Conficker that we’re continuing to see. Win32/Conficker is a network worm that propagates by exploiting a vulnerability in the Windows operating system (MS08-67). The vulnerability is present in the RPC subsystem and can be exploited remotely by an attacker. The attacker can perform his attack without valid user credentials it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at: http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx.

It’s important to note that it’s possible to avoid most Conficker infection risks generically by practicing “safe hex”. Keep up to date with system patches, disable AutoRun and don’t use unsecured shared folders. In view of all the publicity Conficker has received, and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions, but clearly it isn’t happening. Sometimes it seems that the whole world assumes that the only vendor that suffers from vulnerabilities in its operating system and other software is Microsoft. To see how misleading claims like this can be, check out the weekly “Consensus Security Vulnerability Alert” published by SANS (see http://portal.sans.org), which summarizes some of the most important vulnerabilities and exploits identified in the preceding week. Even during a week that includes “Patch Tuesday,” you’ll typically find that problems are flagged with a frightening number of applications from other vendors. Certainly, any system administrator should consider making use of this resource.

At the moment, vulnerabilities in applications are a serious threat (arguably more so than operating system vulnerabilities). Third-party applications are expected to continue to bear the brunt of vulnerability attacks for a good while yet, as security improvements in operating systems will continue to drive vulnerability research to applications like Safari, iTunes, Adobe Flash, Adobe Reader, many IM clients and other applications.

Unfortunately, users are far less savvy about patching third-party applications than they are about patching the operating system. However, this vector will also decline in impact as application vendors learn to tighten their quality control and patching methodologies. Part of this will be driven by adoption of Windows 7. Computers originally sold with Windows XP, with a few exceptions (such as newer netbooks), are beginning to age and will be replaced with PCs that have Windows 7.

Ten Ways to Dodge CyberBullets, Part 1 Disable Autorun Feature

This is the first in a series  and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

1. Don’t let AutoRun be AutoInfect

In other words, disable AutoRun in Windows. This is the item that we pretty much all agreed should be top of the list, because this facility is consistently exploited by the class of malware known as INF/Autorun. Among other threats, of course: many threats that are detected by more specific names (some versions of Win32/Conficker, for example) make use of the same vulnerability.

Don’t assume, though, that this single precaution will save you from every example of this type of threat. Most malware uses more than one technique to infect targeted systems.

Windows 7’s departure from the much misused AutoRun feature will contribute to a gradual decline in INF/Autorun and related threats.

Here’s the description of INF/Autorun threat:

This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. Security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun, unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular. Of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default AutoRun setting in Windows (though not Windows 7) will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices. While this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better to disable the AutoRun function by default, rather than to rely on antivirus to detect it in every case.

Microsoft has released the patches required to make AutoRun work with only CD and DVD drives. There is one little catch: A USB drive can be configured to look like a CD, but this patch definitely helps reduce risk.

5 ways to stay safe until ‘do not track’ button arrives

Google, Microsoft, AOL and other big companies have agreed to install a “do not track” button in Web browsers to make sure that you can surf the Web with an assured amount of privacy. It’s a big step for the industry — but until this button arrives, how can you assure yourself a little more privacy online?

The “No Track” button would stop companies from using data about your Web browsing habits to customize ads for you. They have also agreed not to use the data for employment, credit, health-care or insurance purposes. For obvious reasons, that type of usage feels intrusive.

Companies would still be able to use your general browsing patterns for market research or product development. And companies like Facebook could still track your use of the Like button to gather data.

This button will be opt out, which means you have to find it and turn it on if you want some privacy. Most privacy options work like that — you’re tracked unless you ask not to be. But until this becomes a reality, you do have some options to ensure yourself some more privacy now.

1. Start with your browser. Most browsers have a privacy option but you have to find it in the browser settings. For instance, to do this on Google Chrome (my browser of choice), go to your Preferences menu, click Under The Hood, and uncheck all the options under Privacy if you do not want to be tracked.

2. Clear out the cookies. A cookie is used to send information about where you have visited to the browser, so it can easily track you. If you want your information cleared, use the settings in your browser and clear out all cookies regularly.

3. See who’s watching. Another great way to find out what companies are watching you is to use a service called Ghostery.com. This services alerts you to the cookies currently watching you. Run Ghostery while you’re browsing your favorite websites, and you might be surprised to see the five or six different companies watching you.

4. Stop them from tracking you. You can also cherry pick the sites that you want to be sure are NOT tracking you. Web sites such as PrivacyChoice.org will let you select sites that you absolutely do not want tracking your habits. Of course this site can only request that the sites you visit do not track you. The sites then have to comply, so this isn’t a fool-proof method — but it is a good start.

5. Play it safe. And of course, use prudence when surfing the Web. Phone numbers and social security numbers are NOT for social networking sites like Facebook. And if you use a shared computer with friends or family members, remember that the Web sites you visit will affect the advertising that others see on that browser — so don’t visit embarrassing sites unless you want others to know about it.

Technology used to be so simple

In the old days, you listened to music on your iPod while exercising. During an idle moment at the office you might use Google on your Microsoft Windows PC to search for the latest celebrity implosion. Maybe you would post an update on Facebook. After dinner, you could watch a DVD from Netflix or sink into a new page-turner that had arrived that day from Amazon.

That vision, where every company and every device had its separate role, is so 2011.

The biggest tech companies are no longer content simply to enhance part of your day. They want to erase the boundaries, do what the other big tech companies are doing and own every waking moment. The new strategy is to build a device, sell it to consumers and then sell them the content to play on it. And maybe some ads, too.

Last week’s news that Google is preparing its first Google-branded home entertainment device — a system for streaming music in the house — might seem far afield for an Internet search and advertising company, but fits solidly into an industrywide goal in which each tech company would like to be all things to all people all day long.

So Facebook, which has half of its users accessing it from mobile devices, has dabbled in phones and is said to be moving even more firmly in that direction. Apple, once just a computer maker, already gets most of its profit from mobile devices and is eyeing televisions, which would play content from iTunes.

Amazon created the Kindle Fire tablet, and there is intense speculation it is developing a Kindle Phone — a prospect that became more believable two weeks ago when Microsoft’s senior director of Windows Phone development, Brandon Watson, joined the retailer.

Microsoft, which has tightened its relationship with Nokia to again be a major player in phone software, has placed its Xbox in millions of living rooms as a home entertainment portal.

The pioneer — and perhaps the inspiration — was Steven P. Jobs, the late Apple chief executive who made creating devices look easy with the iPad and iPhone. Dream them up, then make the software complement the hardware, outsource the production, sell at a premium and watch your company become the most valuable on earth.

Who knows how the model is going to play out. Nobody knows yet. But if you aren’t building it today, then you aren’t winning in five years.