Archive for the 'Security' Category



MySpace phishing site reveals password patterns

As a follow-up to my previous post about creating good passwords, I thought it would be helpful to mention an article that shows some of the bad habits in password creation.  In Note to MySpace Users: Get Better Passwords, Brian Krebs discusses a phishing website that targeted MySpace users.  The site was used to obtain the usernames (which in MySpace’s case are email addresses) and passwords of close to 60,000 people.

On top of that, the list of usernames and passwords was stored as a text file on the phishing website, which security researchers were able to grab and analyze.  Here is the list of the most common passwords used:

password1 (106)
abc123 (73)
swimmer1 (43)
iloveyou1 (41)
monkey1 (40)
****you (37)
123456 (33)
myspace1 (32)
****you1 (32)
i (32)
password (27)
babygirl1 (25)
iloveyou2 (24)
football1 (24)
danny12031986 (23)
blink182 (23)
princess1 (22)
freesh**4me (22)
16188s (22)
123abc (22)

This is revealing for a number of reasons.  First of all, the most common passwords used on MySpace are far from unique, and far from complex.  Most of these passwords would be easily guessed or cracked.  Since this post is a few months old, these people obviously haven’t been following my advice, as they wouldn’t have seen it yet.

Secondly, it shows how easily people can be fooled by phishing websites that look authentic.  As this was from a few months ago, hopefully the in-browser anti-phishing tools introduced in Internet Explorer 7 and Firefox 2.0 will reduce the likelihood of this happening again.

And lastly, it provides a good justification for using different passwords on different sites.  If someone is able to get your MySpace password, no big deal, right?  It’s not exactly a critical site (to most of us, anyway).  But many people use the same password on many sites, including online banking sites.  So obtaining your MySpace password could be the key to every site you share that password with.

Hopefully this scares you enough into making sure those passwords are strong, unique between sites, and that you pay attention to potential phishing scams.  Soon, I’ll give you some ways to help manage your passwords.

What makes a good password?

How do you create a good password?  It’s a common question, and there are a number of different approaches to this problem.  Understand that using strong passwords is critical, whether you are creating a password for your home computer, your online banking site, or any other type of web site or forum.

So what constitutes a strong password?  The standard definition of a strong password is “choose a password at least 8 characters in length, containing letters, numbers, and special characters.”  In case you’re wondering, special characters are usually the ones above the number keys on your keyboard, plus characters such as spaces, commas, periods, and the various other symbols on your keyboard. 

This definition is perfectly fine, but gives you little guidance on how to structure a password.  It can often lead to difficult-to-remember passwords, such as I$hg7p3V*!.  It can also lead to passwords that seem secure, but in fact are very easy for password crackers to break, such as P@ssword1.

There are two approaches to password creation that I consider to be good options.  The first one is to think of a phrase, such as “My dog Spot likes to eat dog food.”  You can take the first letter of each word and turn that into a memorable password such as “Md$ltedf05.”  As long as you remember the phrase, you will remember the password, and anyone else looking at it will find it incomprehensible.

Another approach that I feel is even better, if a bit typing-intensive, is to forget about passwords entirely and consider passphrases.  This approach creates even stronger passwords, but you will probably end up typing 15 or 20 characters in a password.  Take the example above.  Instead of taking the first letter from each word, just use the whole phrase as your password.  So your password would be “My dog Spot likes to eat dog food.”  This password contains all the elements of a strong password except for numbers, but it also is considerably longer than your standard password.  I would challenge any password cracking program to break that password.  The only limitation to this method is that certain applications and web sites have a maximum password length, so you may have to choose shorter phrases, or go back to the previous method for these sites.
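To make the two posts above concrete (the leaked MySpace list and the “first letter of each word” method), here is an added Python example that is not part of the original posts: it applies the textbook 8-character rule, checks a candidate against a small blocklist built from the leaked list after undoing the leet substitutions a cracker tries first (so P@ssword1 is caught), builds the mnemonic from the phrase in the post, and accepts a long passphrase without digits. The blocklist contents and the suffix argument are assumptions.

```python
import re

# Constructed blocklist: the top entries of the leaked MySpace list quoted above.
COMMON_PASSWORDS = {"password1", "abc123", "iloveyou1", "monkey1", "123456",
                    "myspace1", "password", "babygirl1", "football1", "princess1"}

# Substitutions a cracker's rule set undoes first, so they add little strength.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

def meets_standard_rule(pw):
    """The textbook rule: 8+ characters with letters, numbers and special characters."""
    return (len(pw) >= 8
            and bool(re.search(r"[A-Za-z]", pw))
            and bool(re.search(r"\d", pw))
            and bool(re.search(r"[^A-Za-z0-9]", pw)))

def base_word(pw):
    """Normalise like a cracker: drop trailing digits/symbols, undo leet, lower-case."""
    stripped = re.sub(r"[\d\W_]+$", "", pw)
    return stripped.translate(LEET).lower()

def is_common_variant(pw):
    return pw.lower() in COMMON_PASSWORDS or base_word(pw) in COMMON_PASSWORDS

def mnemonic_from_phrase(phrase, suffix="05."):
    """First-letter method from the post: keep each word's initial, write s/S as $,
    then append a suffix of the owner's choosing (the suffix argument is assumed)."""
    initials = "".join(word[0] for word in phrase.split())
    return initials.replace("s", "$").replace("S", "$") + suffix

def assess(pw):
    """Short verdict; a long multi-word passphrase is accepted even without digits."""
    if is_common_variant(pw):
        return "weak: common password or a simple variant of one"
    if len(pw) >= 20 and " " in pw:
        return "ok: passphrase"
    if not meets_standard_rule(pw):
        return "weak: fails the 8+ chars / letters / numbers / symbols rule"
    return "ok"

if __name__ == "__main__":
    for pw in ["password1", "P@ssword1", "swimmer1", "I$hg7p3V*!",
               mnemonic_from_phrase("My dog Spot likes to eat dog food."),
               "My dog Spot likes to eat dog food."]:
        print(f"{pw!r:40} {assess(pw)}")
```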

Does anyone else have any password best practices that they want to share?  I’m open to any other methods that can create strong passwords that anyone can use.  Weak passwords are a serious risk and should be addressed in any way that you feel comfortable.

How to protect your mobile devices

Using mobile devices to store private data can be a big security risk if you lose them and they are not properly protected. If you use this kind of device, you should follow some basic rules.

Password protection. Use a password or a PIN to access your device. This is very basic protection, but it can stop casual attackers from accessing your data.

Encrypt your data. Many mobile devices include this capability built in, but if yours doesn’t, find encryption software you can trust.

Use a firewall. If you need Internet access, use the same level of protection as at home: a firewall to block attacks.

Use device lockdown functions. Many mobile devices include some way to wipe their contents remotely if they are stolen. Be sure you have a backup of that information before wiping it.

If you don’t follow these simple rules, your information might fall into the wrong hands.

F-Secure Online Scanner

If you need to check a computer for viruses and don’t have an antivirus product at hand, F-Secure Online Scanner may be a good option, as it lets you scan your files without installing any software on your computer.

You only have to browse to its page and download an ActiveX control, which scans the computer for viruses. You will need to use Internet Explorer, as it is the only supported browser.

Another service I like to use is VirusTotal, which offers free online analysis of files with 23 different virus scanners. In this case you can only scan individual files, one at a time, but it is very useful when you are suspicious of a file and want to test it thoroughly. As no antivirus is 100% reliable, checking the file with so many different scanners is likely to give better results.

In any case, it is always best to have a resident scanner, which stops viruses from even being written to your disk, let alone executed.

Chain letters

Every so often, everyone receives e-mails from someone they know warning about some really dangerous virus, asking for help with a project to save a poor kid, and so on.

These e-mails are known as hoaxes and, although they are sent with good intentions, they are almost always false, a kind of urban legend spread over the Internet.

You can spot this kind of e-mail because it says you will suffer a big loss if you don’t forward it, it is not signed, it promises presents from a company, or it offers some hard-to-believe information.

Some examples of these kind of messages:

  • The Make A Wish Foundation, has agreed to donate 7 cents every time this message is sent on.
  • If you forward it to 20 friends, you will receive the brand new Ericsson R320 WAP-phone.
  • DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE NOR NORTON CAN DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST. IT WILL BE TOO LATE THEN. WHATEVER YOU DO, DO NOT OPEN THE FILE!!!

These e-mails have all been taken from Break the chain, a site dedicated to compiling them, so you can check whether an e-mail you receive is a hoax.

You should never forward these letters to your friends: they are very annoying, they clutter up inboxes, and many times they are used to harvest e-mail addresses for spam. If your friends send them to you, tell them not to and explain why it is bad, pointing them to Break the chain if necessary.

Sharing a computer securely

If you are in charge of a computer used by several different people, you will have found yourself formatting and reinstalling it from time to time to clean out everything the users have installed, voluntarily or involuntarily.

On computers located in Internet cafes, public libraries or schools, the risk of being infected by spyware or viruses is very high, as they are used by people who are sometimes not very knowledgeable about security. So copying files from them or accessing important sites from there can be very dangerous.

Microsoft has released the Shared Computer Toolkit for Windows XP, which makes it easier to manage these computers securely. Its main features are Windows Disk Protection, User Restrictions and Profile Manager.

Windows Disk Protection discards the changes made to the hard disk when the computer is rebooted, so if it gets infected with a virus, the virus is gone the next time you turn the computer on. You can also define zones that must not be cleared, for example where users save their documents.

User Restrictions lets you create user profiles easily, so you can give different sets of permissions to the different users or groups of users who need the computer. For example, you can block the use of unauthorized software or set timers that limit how long a user can stay logged on.

With Profile Manager you can create permanent areas, which Windows Disk Protection will not clear, where users can save data.

This is a good solution unless you have a large number of computers, because the control is not centralized; in that case it is better to use Active Directory and Group Policy. The toolkit also lets you test software on your own computer without fear of destroying important data.

To use the Shared Computer Toolkit you will need a legal copy of Windows XP, as you must pass Windows Genuine Advantage validation. You will also need 5 MB of space on your hard disk and an NTFS file system.

For more information and the download, go to Microsoft Shared Computer Toolkit for Windows XP.

Instant messaging security

While many people have become used to e-mail being a source of potential problems (spam, viruses, phishing, …), most of them are not so cautious when it comes to instant messaging applications.

Although the problem is not as big as with e-mail, attackers are switching to IM to evade the filters we use for mail. Instead of spam, we might be receiving spim (spam + IM). Luckily, most of these programs allow us to block messages from unknown senders, which is strongly recommended in case these attacks become more common.

Also, viruses that used e-mail to spread are turning to instant messaging, sending files as if they came from someone you know and infecting you when you open the received file.

As with e-mail, the best recommendation is to keep your software up to date, from the operating system to the instant messaging programs. Also, be careful with received files you did not ask for; if you receive one, ask the sender whether they sent it on purpose.

Finally, using antivirus and antispyware software will help you keep your computer clean.

From | PC Doctor.

RFID viruses are not a problem

I read about RFID viruses some time ago but hadn’t commented on it here because I didn’t see the point.

Let’s put this in context. Some researchers from Vrije University, in Amsterdam, wrote papers predicting the appearance of RFID viruses, explaining how to write them and giving some examples. Although it can work in theory, I don’t think these viruses pose any threat in the near future.

RFID tags do not contain code; they only contain data that can be read with an appropriate scanner. The premise of these papers is that the software that processes the data read from the tag will contain bugs that allow that data to be executed. Technically, this is known as SQL injection, where data is interpreted as SQL code and executed by the database. It is a well-known trick that attackers have used for a long time to deface websites and do other nasty things.

But in the physical world it will be harder to make this work. First of all, you need to know how the software you are targeting works. This is much easier on the web, where you can often get the source code of the application and examine it line by line. In the real world, few applications will be available for inspection; your local supermarket using RFID, for example, won’t let you look at its source code.

This doesn’t mean it can’t be done, as with some experimentation one can guess how the system is built and how to work around it, but it will probably limit the attacks a great deal.
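As an added illustration (not code from the post or from the Vrije University papers), the following Python snippet shows the bug the papers rely on and its fix: a lookup that pastes tag contents into the SQL text, beside a parameterised query and a format check on the tag data. The inventory table, the EPC values and the tag contents are constructed for the example.

```python
import re
import sqlite3

# A 96-bit EPC is 24 hex digits; anything else is not tag data the reader should accept.
EPC_HEX = re.compile(r"^[0-9A-F]{24}$")

# Constructed sample inventory standing in for the database behind an RFID reader.
SAMPLE_ITEMS = [("E2000017221101441890B5E1", "milk"),
                ("E2000017221101441890B5E2", "bread")]

def make_inventory():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (tag TEXT, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ITEMS)
    return db

def lookup_vulnerable(db, tag_data):
    """Tag contents pasted into the SQL text: data read from the tag becomes code."""
    query = "SELECT name FROM items WHERE tag = '" + tag_data + "'"
    return [row[0] for row in db.execute(query)]

def lookup_safe(db, tag_data):
    """Parameterised query: the driver passes the tag contents as a value, never as SQL."""
    rows = db.execute("SELECT name FROM items WHERE tag = ?", (tag_data,))
    return [row[0] for row in rows]

def valid_epc(tag_data):
    """Defence in depth: reject tag contents that are not a well-formed EPC at all."""
    return bool(EPC_HEX.match(tag_data))

def compare(tag_data):
    """Run the same tag contents through both lookups and the validator."""
    db = make_inventory()
    try:
        vulnerable = lookup_vulnerable(db, tag_data)
    except sqlite3.Error as exc:       # broken SQL is the other symptom of data-as-code
        vulnerable = f"SQL error: {exc}"
    return {"vulnerable": vulnerable, "safe": lookup_safe(db, tag_data),
            "valid_epc": valid_epc(tag_data)}

if __name__ == "__main__":
    print(compare("E2000017221101441890B5E1"))   # genuine tag: both lookups find milk
    print(compare("' OR 'x'='x"))                 # tag text that rewrites the WHERE clause
```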

For me, the privacy implications of RFID are more important than the probability of an RFID virus appearing some day, and this is something that has not been extensively discussed.

From | Help Net Security

USB security: how to lock down the ports

USB ports can be a security risk now that flash-based USB drives are so common and hold so much data. It’s very easy to bring a 1 GB disk into a company in your pocket and copy private data that should not leave the organization. Usually you only have to plug in the disk and it works out of the box, without any driver installation.

If you want to avoid this kind of risk, you can use hardware-based or software-based methods. The hardware-based ones can be the most effective, but they have the drawback that you cannot use the USB port when you do need it.

To deactivate a USB port you can either disconnect it from the motherboard (if it’s not integrated), deactivate it in the BIOS (not very reliable), or fill the socket with glue so nobody can insert anything into it.

If you want to do it in software, you can disable the USB ports completely as explained in the Microsoft Knowledge Base article How to disable the use of USB storage devices. You can also make USB devices read-only.

Phishing (II): how to protect

Now that we know what phishing is and how it works, it’s time to learn how to protect against it.

For me, the most important protection against phishing is a healthy dose of disbelief. Simply don’t believe everything you receive by e-mail. E-mail can be forged very easily, and the sender of a message may not be who it seems.

Also, bear in mind that most companies will never contact you by e-mail to ask for information. Well, some companies do, but if you follow these rules that won’t be a problem.

  • Don’t reply with personal information. If you ever get any kind of message from anyone asking for personal information, never reply to it. If you think it is legitimate, it is always better to call by telephone and give the data that way. Remember that e-mail travels as plain text across the network, so anyone along the way can read it.
  • Don’t click on hyperlinks within e-mails. Although they might look legitimate, there are techniques for redirecting you to another site controlled by the attacker. If you think the mail is real and you have to enter information, it is better to open a new browser window and type the URL in the location bar, to make sure you are going to the site you intended.
  • Check for Secure HTTP. Once you have reached the site, check that it is legitimate by looking at the location bar and verifying that it uses Secure HTTP (the URL begins with https). If it does, check the site’s certificate by clicking on the lock icon and look at the information in the popup window to see whether it matches what you expected.
  • Check your bank accounts and report to the authorities. It is worth checking your accounts from time to time for any unusual or suspicious activity. If there is something unexpected, contact your bank, and if they confirm it is fraudulent, report it to the local authorities so they can investigate the case.
  • Use antiphishing toolbars. These are convenient tools that tell you whether a site is suspected of being a phishing site.

You can use the Google Toolbar for Firefox, which shows an icon indicating whether a site is forged.

You can also use the Netcraft Toolbar, which can even tell you the country where the server is located, so if you access an American bank and the server is located in Russia, you have good reason to be suspicious.

With all these measures you should be quite safe against phishing.
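The link and location-bar checks above, as an added Python example that is not part of the original post: it flags an e-mail link that is not https, that hides the real server after an @, that uses a bare IP address, or whose server is not under the bank’s real domain, and it spots a link whose visible text is a URL different from where the link actually goes. The domain bank.example and the address 203.0.113.5 are constructed documentation values.

```python
import ipaddress
from urllib.parse import urlsplit

def link_warnings(href, expected_host):
    """Reasons a link from an e-mail should not be trusted; an empty list means no flags.
    expected_host is the site's real domain, as you would type it yourself."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not Secure HTTP: the URL does not begin with https")
    if "@" in parts.netloc:
        warnings.append("user@host trick: the browser connects to what follows the @")
    try:
        ipaddress.ip_address(host)
        warnings.append("a bare IP address instead of the site's name")
    except ValueError:
        pass                           # not an IP address, which is the normal case
    if host != expected_host and not host.endswith("." + expected_host):
        warnings.append(f"server {host!r} is not part of {expected_host!r}")
    return warnings

def display_mismatch(link_text, href):
    """True when the visible text of a link is itself a URL but the link goes elsewhere."""
    shown = urlsplit(link_text.strip())
    if shown.scheme not in ("http", "https"):
        return False
    return (shown.hostname or "").lower() != (urlsplit(href).hostname or "").lower()

if __name__ == "__main__":
    # Constructed e-mail links; bank.example and 203.0.113.5 are documentation-only values.
    for href in ["https://online.bank.example/login",
                 "http://online.bank.example/login",
                 "https://online.bank.example.evil.test/login",
                 "https://online.bank.example@203.0.113.5/login"]:
        print(href, "->", link_warnings(href, "bank.example") or "no warnings")
    print(display_mismatch("https://online.bank.example/", "https://203.0.113.5/"))
```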




