
January 18, 2012

Should Congress Censor the Web?

I personally do not know a lot about the upcoming vote and how exactly a yes vote will censor the internet.  For those of you who may be wondering what I’m referring to, I’m referring to SOPA and the PROTECT IP Act.  Congress will be voting on these acts January 24th.  From what I understand the acts are supposed to help fight piracy on the internet.  However, there are many businesses that feel this will hinder the growth the internet gives their business.  Want to see examples?  Just check out www.google.com or www.firefox.com.  They have currently voiced their opinion on the issue on their main pages.

If what Firefox and Google report is accurate, the US government will have unprecedented control over the internet (both within and outside the country).  Firefox and Google feel this will hinder our freedom of speech on the internet.  But that in and of itself brings up an interesting question.  When the freedom of speech was put into the constitution, the internet did not exist.  Should the internet receive the same freedom as our spoken speech does?  Is our written word any different from our typed word?  As far as I know the press still falls under the freedom of speech, so why should the internet be any different?  Those who think our government is becoming more of a socialist-minded government will definitely see that in this move.  Why do I say that?  The same censorship the US Government wants to put into place is currently used by China, Iran, and Syria.

Feel free to comment below.  If this is not now, it will be a hot topic.

January 11, 2012

New Office and New Location is Coming Soon

Filed under: General Ramblings, Security Ramblings — AndrewSmither @ 1:29 pm

A lot of new furniture has gone into our new office, as well as a lot of work.  Earlier today Kordel moved the server, the main Eberly Systems PC, and our phone system.  Soon we will be saying our goodbyes to 1216 Carbon St after 2 years of being here.  Keep a lookout on our blog, Twitter, and/or Facebook to see when we’ll officially switch over to the new location.

December 28, 2011

Received an email? Did you check it twice? Better find out if it’s naughty or nice….

Filed under: Security Ramblings, Social Ramblings — AndrewSmither @ 4:01 pm

Okay, I know, Christmas is over, but I couldn’t help myself.  Besides, most people listen to Christmas music until the New Year.  We have talked a lot about various aspects of e-mail security, from phishing to making sure you have a good password.  Sometimes an e-mail is just a plain hoax even though it came from an e-mail address you may have already received legitimate e-mail from.  The latest in the news?  CNET reports that a bogus e-mail was sent to New York Times subscribers.  The e-mail informed the subscribers that their subscription had been canceled and they would receive up to 50% off if they renewed.  Once The New York Times learned of the hoax e-mail they responded via Twitter, informing everyone it was a fake.  Here is the original e-mail:

“Dear Home Delivery Subscriber,

Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps.

We do hope you’ll reconsider.

As a valued Times reader we invite you to continue your current subscription at an exclusive rate of 50% off for 16 weeks. This is a limited-time offer and will no longer be valid once your current subscription ends.*

Continue your subscription and you’ll keep your free, unlimited digital access, a benefit available only for our home delivery subscribers. You’ll receive unlimited access to NYTimes.com on any device, full access to our smartphone and iPad apps, plus you can now share your unlimited access with a family member.

To continue your subscription call 1-877-698-0025 and mention code 38H9H (Monday-Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).”


Be sure to check that e-mail twice, even if it comes from a legitimate e-mail address and/or company.  If you’re being informed your subscription has been canceled and you did not cancel it, check out the company’s website, Facebook page, or Twitter to see their response.  Or even call the number you already have on file and check.


Source: Bogus e-mail sent to New York Times subscribers

December 5, 2011

Google Chrome Security

Some of the information below can also be applied to other browsers:

I made a comment about not trusting Chrome for security reasons.  One of my big concerns is how much of my data can Google see and collect?  It led me deep into Google’s Privacy Notice (http://www.google.com/intl/en/privacy/) to see what they have to say.  At the time of writing, Chrome’s section was last modified October 25, 2011, and looking at the archived versions it appears they have updated it about 3 times a year since 2009.

Google does not require personally identifying information to download the Chrome software or to use it.  When you use Chrome, Google only receives “standard log information,” which includes your IP address and cookie information.  Like most websites, Google servers automatically record the page requests made when you visit their sites. These “server logs” typically include your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser/computer.

Here is an example of a typical log entry where the search is for “security”:

###.###.###.### – 28/Nov/2011 10:15:32 – http://www.google.com/search?q=security – Firefox 8.0.1; Windows NT 5.1 – 740674ce2123e969

  • ###.###.###.### is the Internet Protocol address assigned to the user by the user’s ISP; depending on the user’s service, a different address may be assigned to the user by their service provider each time they connect to the Internet or it could be the same if you have a static IP address;
  • 28/Nov/2011 10:15:32 is the date and time of the query;
  • http://www.google.com/search?q=security is the requested URL, including the search query;
  • Firefox 8.0.1; Windows NT 5.1 is the browser and operating system being used; and
  • 740674ce2123e969 is the unique cookie ID assigned to this particular computer the first time it visited Google. (Cookies can be deleted by users. If the user has deleted the cookie from the computer since the last time s/he visited Google, then it will be the unique cookie ID assigned to the user the next time s/he visits Google from that particular computer).

Wow, that is some information they store, and they can start to match up information based on the unique cookie ID and IP address if users don’t delete the cookies.  So, big deal, I’m behind a corporate firewall and there are a hundred computers on that connection, but if you look at that information the cookie data will be directly related to MY machine, so they can pin it down to one machine.  OK, so how long will Google keep the data for?  “We (Google) strike a reasonable balance between the competing pressures we face, such as the privacy of our users, the security of our systems and the need for innovation. We believe anonymizing IP addresses after 9 months and cookies in our search engine logs after 18 months strikes the right balance.”  That’s a long time to keep that information.
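As an added example (not from the post and not Google's code), here is a small Python parser for log entries in the format shown above, run over a few constructed log lines: three machines behind one corporate address, one of which later searches from a home address. The " - " field separator, the 16-hex-digit cookie ID and the 203.0.113.x/198.51.100.x addresses are assumptions for the example. It shows that the cookie ID, not the shared IP address, is what pins a request to one machine:

```python
"""Parse server-log entries in the format Google's privacy notice describes
(IP - date/time - requested URL - browser/OS - cookie ID) and group them by
cookie ID. The log lines below are constructed for this example."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample: cookie 7406... appears from two different addresses.
SAMPLE_LOG = """\
203.0.113.7 - 28/Nov/2011 10:15:32 - http://www.google.com/search?q=security - Firefox 8.0.1; Windows NT 5.1 - 740674ce2123e969
203.0.113.7 - 28/Nov/2011 10:16:05 - http://www.google.com/search?q=chrome+privacy - Chrome 15.0.874; Windows NT 6.1 - 0a1b2c3d4e5f6789
203.0.113.7 - 28/Nov/2011 10:17:41 - http://www.google.com/search?q=ssl+enforcer - Firefox 8.0.1; Windows NT 5.1 - 9f8e7d6c5b4a3210
198.51.100.9 - 28/Nov/2011 21:02:10 - http://www.google.com/search?q=password+manager - Firefox 8.0.1; Windows NT 5.1 - 740674ce2123e969
this line is malformed and should be skipped
"""


def parse_entry(line):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.strip().split(" - ")
    if len(parts) != 5:
        return None
    ip, timestamp, url, user_agent, cookie = parts
    return {"ip": ip, "time": timestamp, "url": url,
            "ua": user_agent, "cookie": cookie}


def search_query(url):
    """Extract the q= parameter (the search terms) from a request URL."""
    return parse_qs(urlparse(url).query).get("q", [None])[0]


def parse_log(text):
    """All well-formed entries in a log, in order."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def requests_by_cookie(entries):
    """Map each cookie ID to the (ip, query) pairs seen with it: the cookie
    ties requests to one browser even when its IP address changes."""
    by_cookie = defaultdict(list)
    for e in entries:
        by_cookie[e["cookie"]].append((e["ip"], search_query(e["url"])))
    return dict(by_cookie)


def machines_behind_ip(entries, ip):
    """Distinct cookie IDs seen from one address: a shared corporate IP is
    not anonymous, because each browser carries its own cookie."""
    return {e["cookie"] for e in entries if e["ip"] == ip}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for cookie, reqs in requests_by_cookie(entries).items():
        print(cookie, reqs)
    print("behind 203.0.113.7:", machines_behind_ip(entries, "203.0.113.7"))
```

Deleting the cookie breaks the second kind of link (the same browser is then a new cookie ID), but not the first: every request from the corporate address still carries some cookie, so the "hundred computers" argument does not hide an individual machine.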

In addition to the above information, if you are using Chrome as a browser some other interesting things happen (this is just a short list of what’s happening):

  • As you’re typing an address, the letters you type are sent to your default search engine, and if the engine’s autocomplete feature is turned on it will give you recommendations. If you have set Google as the default, they are now tracking your keystrokes.
  • If you type in a bad address that is nonexistent, Chrome will send that information to Google to try to suggest the correct site.
  • Chrome includes Google’s Safe Browsing feature and will check Google’s database for reports of malware or phishing and will let you know if it finds something.  This is over and above any virus/malware scanning you are doing outside the browser.
  • Synchronization feature – will store your bookmarks, history and Chrome settings on their servers, but you need to set up a Google Account to do this.
  • Location feature – will send local network information to Google to try to get an estimate of where you are located.  This looks at the IP address you are connected from, the signal strength of your connection and some other information.

Things you can do to limit the information sent:

  • Disable Chrome’s Auto complete Feature (Under the wrench Icon, select options, under the hood tab, privacy section, deselect the “Use a prediction service to help complete searches and URLs typed in the address bar” checkbox.)
  • Disable suggestions on Navigation errors (Under the wrench Icon, select options, under the hood tab, privacy section, Deselect the “Use a web service to help resolve navigation errors” checkbox to disable the feature.)
  • Check the other settings that are under the privacy section to see what you think about them.  One of them that comes unchecked by default is “Automatically send usage statistics and crash reports to Google.”
  • Disable Synchronization feature – (Under the wrench Icon, select options, personal stuff, sync section has your information)
  • If the box is NOT Checked that item is disabled.

Chrome does send a lot of information, but in today’s world any server we are connecting to or through is keeping logs with as much information as it can collect, so I guess I really need to look into what extensions can be run to help me control what information is “leaked” out.

November 29, 2011

Google Chrome Extensions

Here are some extensions you can run to see what is happening behind the scenes or to help protect your surfing:

  1. Web of Trust – shows you which websites people trust for safe surfing, shopping and searching on the web  (even has a setting for color blind accessible version). This extension  can access your data on all websites and your tabs and browsing activity
    (https://chrome.google.com/webstore/detail/bhmmomiinigofkjcapegjjndpbikblnp)
  2. Last Pass – is a free password manager and form filler. LastPass is also available for Firefox, Internet Explorer and Safari. All the password data is locally encrypted, so even if the LastPass service is hacked, your passwords are safe. This extension  can access your data on all websites and your tabs and browsing activity
    https://chrome.google.com/webstore/detail/hdokiejnpimakedhajhdlcegeplioahd
  3. Password Fail- Warns you if the website being used stores their passwords in plain text form. This extension can access your data on all websites and your tabs and browsing activity.
    https://chrome.google.com/webstore/detail/ockgeenjbijlgilppfieaklfopnbdpge
  4. Credit Card Nanny - This Chrome extension is just like Password Fail except Credit Card Nanny highlights websites that store or send your credit card number (and other data) as clear text. Credit Card Nanny helps you avoid the online stores that engage in this risky business. This extension  can access your data on all websites and your tabs and browsing activity
    https://chrome.google.com/webstore/detail/lfmmjpapolbaaddobpnlcjkgchmhhoog
  5. Secure Profile – It’s all fine and good not to share your passwords or browsing data with unknown online parties, but what about the people who use your PC? The Secure Profile Chrome extension encrypts and password-protects your Chrome profile data — including all those stored passwords and form auto-completes — so that anyone who gains access to your machine can’t also gain access to your online accounts. This extension can access your tabs and browsing activity.
    https://chrome.google.com/webstore/detail/eddeeogaiodnhfkingpegpmhpdiifbgh
  6. Bug Me Not Lite – Almost every web site seems to want you to create an account — and to track your access history across the Internet — even if you only plan on visiting once. With the BugMeNot Lite Chrome extension, simply click CTRL+i and those login forms will be auto-completed with anonymous information. You get access, but the site gets no data. This extension  can access your data on all websites and your tabs and browsing activity
    https://chrome.google.com/webstore/detail/lackfehpdclhclidcbbfcemcpolgdgnb
  7. Google Alarm – Perhaps more amusing than useful, the Google Alarm Chrome extension sounds a shrill siren alert anytime you load a page where Google is collecting browsing data (Google Analytics or Google AdSense).  This extension can access your data on all websites
    http://jamiedubs.com/googlealarm/
  8.  KB SSL Enforcer - If certain sites or services offer a Secure Sockets Layer login or access option, the KB SSL Enforcer will automatically select that https:// URL. This extension  can access your data on all websites
    https://chrome.google.com/webstore/detail/flcpelgcagfhfoegekianiofphddckof
  9.  Click & Clean - The Click & Clean Chrome extension is the option for erasing your browsing history. Besides removing all the URLs from your browser logs, Click & Clean also deletes every cookie, web temporary file, local web artifact, LSO and download history item from your browser — whether they could do harm or not. In short, it makes it look like you’ve never browsed the Internet before… This extension can access all data on your computer and the websites you visit.
    https://chrome.google.com/webstore/detail/ghgabhipcejejjmhhchfonmamedcbeod

So let’s get out there and see if there are others we can use.

November 25, 2011

Social Engineering – A Matter of Trust

In the world of cyber security, there is one very dangerous exploit that no anti-virus can ever detect, that no firewall can block, and that no complex password can ever protect a person from.  This one catastrophic flaw in security is enough to bring down large corporations and government agencies in mere seconds.  So what kind of security threat could possibly be that big?  Social Engineering.

Social Engineering is the art of manipulating people – usually through blind trust, habit, or curiosity – to either divulge what is seemingly innocent information or perform a rudimentary task.  Most of the time, people don’t realize they have even fallen victim to a Social Engineering attack until it is too late (assuming they ever find out!).

Most people are familiar with the popular forms of Social Engineering attacks.  For example, an email or phone call from your “bank” asking you to provide information they should already have, or the ever-popular Nigerian Prince scam.  Just about any get-rich-quick plan that has been floating around in emails, or even the “seemingly-innocent” Facebook games, can be boiled down to a form of Social Engineering (Random fact: Did you know that all you need to pull a person’s credit report is their name and address?  Keep that in mind the next time you go to let a Facebook app access your personal information!).

A few days ago, I received a call from a man named “Tom” who works at the company that we will call “XYZ”.  I’ve never worked with Tom directly before this but he knew all of the people whom I’ve worked with and he knew many details about the project our business was doing for company “XYZ.”  The purpose of Tom’s call was to ask about a credit report that our business had processed for company “XYZ.”  Now, one of my job requirements is to help our customers with any problems so my instinct was to immediately help Tom out.  But here’s the problem: How do I know Tom really works for company “XYZ?”  Does Tom even have permission within company “XYZ” to discuss confidential credit information?

As much as I wanted to trust Tom, I couldn’t.  Caller IDs can be faked and the information he had about the project could have been obtained through questionable means (namely, insecure emails).  As far as I knew, Tom could be trying to use a form of Social Engineering known as pretexting (the practice of getting your personal information under false pretenses) to squeeze information out of me that could be used against either the individual whose credit report he was asking for, company “XYZ,” or our business.

The good news is that I was able to call my contact at company “XYZ” and verify that Tom was indeed in a position to request help from me (more on this later).  However, let’s assume Tom was trying to exploit me and look at the traits he would have been trying to exploit:

1) Helpfulness:  He would have been trying to use my desire to help out a customer to gather confidential data!

2) Trust: He would have been looking for me to trust that he really did work for company “XYZ” and that he had their best interest in mind.

Notice something?  The very things that make a good employee and support person – or just a nice person in general – can also be that person’s biggest weaknesses!  Let’s look at a few more, simpler cases of Social Engineering:

- Holding the door:  You’re assuming that the person you are holding the door for is actually allowed in the building.

- Piggybacking:  Letting someone who “locked themselves out” or “forgot their ID” inside the building.

- Dumpster Diving:  If you don’t shred documents or destroy hard drives properly, anyone can get your confidential data out of the trash.

- Curiosity/Learning (AKA Baiting):  “Let’s see what’s on this CD…”, “Let me try this application…”, “I’ll open this document/url…” – All of these are famous last words before unknowingly installing a virus or malware!

- Diversion:  Persuading a person responsible for a legitimate delivery that the package they are delivering (data or physical) is to be delivered to an alternate location through a last minute decision the company had made.

- Email: Most people don’t realize that all of their emails bounce from server-to-server in plain text and can be easily snooped.

Notice that all of the above examples do require an element of trust or false sense of security.  So, how do we get around this?  Simple: Don’t blindly trust anyone.  Now this solution sounds easy but how can you do this practically in the real world?

In IT, one of the most reliable forms of security is a process known as Pretty Good Privacy (PGP).  It is a complex security protocol that essentially requires a form of trust in order to allow a recipient to access its encrypted payload.  Prior to exchanging any secure data, the two parties involved will exchange what are known as “keys.”  The purpose of this is so that two keys are required to “open” (decrypt) any secure file exchanged between the two parties.  Those keys are:

1) The sender’s public key (we’ll call the sender “George”):  This is the key that George presents to the individuals who are authorized to decrypt his encrypted data.  This way, since George’s private key was used to “lock” the file, his public key is required to “unlock” it.

2) The recipient’s private key (we’ll call the recipient “Sam”):  This is the key that only Sam will possess, which will unlock anything that was locked by his public key.

As a result, George knows that Sam is the only one who can unlock the file, since Sam is the only one who has the matching private key.  Likewise, Sam knows the file is from George because the file can only be unlocked using George’s public key (and only George has the matching private key required to lock the file in the first place).
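To make the two-key idea concrete, here is an added example in Python (not from the post, and not PGP’s actual format) using textbook RSA with small fixed primes: George signs with his private key and encrypts to Sam’s public key, and Sam can only recover and trust the message with his own private key plus George’s public key. The primes, names and message are constructed for the example, and the scheme is deliberately toy-sized.

```python
"""Toy version of the two-key exchange described above: George signs with his
private key and encrypts to Sam's public key; Sam decrypts with his private
key and verifies with George's public key. Textbook RSA on small fixed
primes, constructed for this example only: real PGP uses large keys, padding
and a symmetric session key, none of which this toy has."""
import hashlib

# Small fixed primes so the demo is deterministic and offline (NOT secure).
GEORGE_PRIMES = (15485863, 32452843)
SAM_PRIMES = (49979687, 67867967)
BLOCK = 6  # bytes per block: 2**48 is below every modulus built from these primes


def make_keypair(p, q, e=65537):
    """Return ((n, e) public, (n, d) private) for the RSA modulus n = p*q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _pad(data):
    """PKCS#7-style padding to a whole number of blocks."""
    k = BLOCK - len(data) % BLOCK
    return data + bytes([k]) * k


def _unpad(data):
    return data[:-data[-1]]


def encrypt(message, recipient_pub):
    """'Lock' with the recipient's public key; only the matching private key opens it."""
    n, e = recipient_pub
    padded = _pad(message)
    return [pow(int.from_bytes(padded[i:i + BLOCK], "big"), e, n)
            for i in range(0, len(padded), BLOCK)]


def decrypt(blocks, recipient_priv):
    """Only the holder of the matching private key gets the plaintext back."""
    n, d = recipient_priv
    out = []
    for c in blocks:
        m = pow(c, d, n)
        if m >> (8 * BLOCK):  # cannot happen for blocks made for this key
            raise ValueError("block was not encrypted to this key")
        out.append(m.to_bytes(BLOCK, "big"))
    return _unpad(b"".join(out))


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, sender_priv):
    """'Lock' a hash of the message with the sender's private key."""
    n, d = sender_priv
    return pow(_digest(message, n), d, n)


def verify(message, signature, sender_pub):
    """Anyone holding the sender's public key can 'unlock' the hash and compare."""
    n, e = sender_pub
    return pow(signature, e, n) == _digest(message, n)


def george_sends(message, george_priv, sam_pub):
    """Sign with George's private key, then encrypt to Sam's public key."""
    return {"ciphertext": encrypt(message, sam_pub),
            "signature": sign(message, george_priv)}


def sam_receives(envelope, sam_priv, george_pub):
    """Sam needs something he has (George's public key) and something only
    he knows (his own private key) to get a trusted plaintext back."""
    message = decrypt(envelope["ciphertext"], sam_priv)
    return message, verify(message, envelope["signature"], george_pub)


GEORGE_PUB, GEORGE_PRIV = make_keypair(*GEORGE_PRIMES)
SAM_PUB, SAM_PRIV = make_keypair(*SAM_PRIMES)

if __name__ == "__main__":
    env = george_sends(b"Credit report request for XYZ", GEORGE_PRIV, SAM_PUB)
    print(sam_receives(env, SAM_PRIV, GEORGE_PUB))
```

The signature fails to verify if the message is altered or if the wrong public key is used, and the ciphertext does not open with any private key but Sam’s, which is exactly the pair of checks the two-step phone verification below reproduces by hand.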

Why did I mention this?  Because the basic principle behind this security is also the best way to establish trust and therefore minimize the chance of being exploited through Social Engineering.  This is because your trust is based on:

- Something you have (i.e. George’s public key)

- Something you know (i.e. Sam’s private key)

Going back to my case with Tom, before I could help him, I had to be sure he was who he claimed to be.  My process for authenticating Tom went like this:

1) Something I know:  I called up my contact at company “XYZ” and verified that Tom worked for them and that he was authorized to look into this case.

2) Something I have:  I then asked my contact for Tom’s contact information so that *I* could call him.

The last step is just as important as the first one.  Why?  Because even though Tom (the one who worked for company XYZ) passed step one, there is no guarantee that the person I talked to was that Tom.  However, since I was the one calling him, I knew that I was talking to the correct Tom.  Therefore, I was able to address his problem and work with him in confidence.


Further reading:  http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/1  This details how the hacking group Anonymous used simple attacks and social engineering to take down the entire Federal branch of the computer security company HBGary.

November 18, 2011

Web Accounts Hacked?

So I keep talking about web security and passwords, but now how do web accounts get hacked?  Most of the time it is a crime of opportunity; that is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password.  Wikipedia defines a crime of opportunity as a crime that is committed without planning when the perpetrator sees s/he has the chance to commit the act at that moment and seizes it. Such acts have little or no premeditation.  A lot of people think, OK, my e-mail really is not that important anyway, as all I get is e-mails from friends or forwarded jokes. But it could be used to receive notices from your bank, passwords, or resets for accounts.  Here are some ways you may give out your information:

Recovery E-mail Account:  A recovery e-mail account is a method a lot of systems use to help you get back into an account that you have lost the password for.  We have all done it and signed up for a free e-mail account to use to get information sent to or to set up accounts with.  When you sign up for some services they may ask you for a backup e-mail.  You ask the site to send you your password (some will just reset it). The site says: “Sure, it’s been e-mailed to you.” As long as you have access to that other account, you are just fine and dandy.

The interval at which you need to check your free e-mail account to keep it from falling dormant and being automatically discontinued, cancelled or even deleted varies from service to service. Here are the log-on requirements of the most prominent:

If someone claims that account accidentally and you reset your password, then you just lost control of your main account. If it was on purpose, then the next step is to simply go through the password recovery process.

Avoid Duplicate Passwords: An easy way to get hacked is to give a site your e-mail address and then use the same password at that site. The same goes if you use the same user name and password at two or more sites. If the site does not encrypt the password, then there is a huge problem. Anyone who works for the site and has access to this information (or gains it) now has everything they need to log-in to your account. While most sites protect passwords, there are still ways for employees to get it. At the least, use a different password for your e-mail account than everything else.

Public Computers are scary! – If you must use a public computer, always remember to sign out.  Even better, try to go back into the site to make sure you did not forget to log out.  How often do you see the browser box pop up and ask you if you want to save the password?  You didn’t check it, did you?  Also, that shared computer may have spyware, viruses, or key loggers watching for your user names and passwords.  Also clear your history and browser cache if it allows you to do that.  You have no idea who was there before you and who will use it next.

Beware of your surroundings: OK, you just pulled out your laptop at the coffee house/bookstore/McDonald’s and you have people around you.  They could be watching what you type and where you are going.  Also remember that cell phones and cameras are everywhere.  If they can capture, record or watch you enter your password, they now have the keys to the kingdom.

Avoid Commonly Used Passwords: I’m going to sound like a broken record here, but avoid the easy passwords.  I will be trying your name, family names, pet names, favorite sports teams, and some of the other usual passwords.  The longer the password the better.  Also mix it up with uppercase and lowercase letters, numbers and non-alphabetic characters.  Just a word of warning: putting a 0 or 1 at the end of your password is very common, so don’t do that.  “A lot of personal information actually functions like a password and, as such, needs to be robustly protected,” said Chris Young, vice president of consumer authentication at RSA, in a statement. “With a bit of sleuthing, motivated hackers can guess a password by having [a victim's] address and trying combinations that assume he’s a fan [of a particular sports team].”

Written Passwords: OK, so you have all these different passwords.  You write them down on a sheet or in a book.  Guard them like they are a million dollars.  I will walk up to your desk and look in the top drawers, under the keyboard, in the front of your date book or under your desktop calendar, or the best spot – the post-it note fastened to your monitor.  Keep them secure, very secure, if you must write them down.   Also avoid the online password vaults, as they may also be hacked.  In May 2011 an online multiplatform password manager noticed “a network traffic anomaly,” possibly a hacker attack, so it forced its users to change their master passwords.

Use only Trusted Computers: This is almost like public computers.  If you do not have control of the machine, a quick log-in to a site may just be captured and you have given up everything.  If you use the same passwords for everything, you have a big problem.  Your personal machine should be fully patched with all updates for the programs running and installed on it, with current firewalls and antivirus programs installed and running.

This is all stuff we hear every day but is a good reminder to check every so often.  Lastly, remember the first rule of passwords: don’t ever give them out or share them!  Now excuse me as I take this call from the Computer Department asking for my user name and password to reset something.

November 14, 2011

Zero-day Exploit Duqu has Microsoft posting hot fix

In the past few days a zero-day exploit named Duqu has surfaced.  It is a Word file containing malware that exploits a previously unknown flaw in Windows, which was sent to one of its victim companies, but that still doesn’t provide much more information on what Duqu is up to or who should be worried about it.  Duqu was found in some European organizations and seemed to be going after Certificate Authorities (CAs) and industrial control-system vendors.

Microsoft and Symantec, who are studying the malware, have not shared any dropper information with other antivirus companies.  Droppers are typically very small, are designed to evade detection by antivirus and can sometimes contain exploit code used to inject themselves onto the target computer. Microsoft is working on a fix but knows it will not be ready for Patch Tuesday, so they released a hot fix on November 3, 2011.   Even if you’re not a certificate authority or a manufacturing firm — the two industries cited publicly so far as having Duqu victims — security experts say there are some steps you can take to help protect your infrastructure from this new targeted attack.

1) Install the “hot fix” from Microsoft and workaround.  Microsoft has posted security advisory 2639658 (http://technet.microsoft.com/en-us/security/advisory/2639658) to address the recently disclosed Windows kernel vulnerability (CVE-2011-3402) exploited by the Duqu malware.  The flaw lies in the Win32k TrueType font parsing engine, according to Microsoft: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware,” Microsoft said in an advisory today.

2) Run updated anti-malware – Not all antivirus products can detect Duqu yet, but security experts say to keep updating to be sure you get protection for Duqu as soon as it’s released. They also strongly encourage people not to click on attachments in e-mail that seem suspicious, even if they come from someone they know.

3) Scan or filter Word documents from unknown sources – One handy tool is Microsoft’s MOICE tool (Microsoft Office Isolated Conversion Environment) (http://support.microsoft.com/kb/935865), which checks for malformed Word documents, which is how Duqu starts: with a malformed Word file that tricks Microsoft Word into running its code.

4) Monitor for traffic from potentially infected machines – Be on the lookout for machines trying to connect to a Duqu command-and-control server or trying to resolve a Duqu-related domain. Two command-and-control servers have been taken down thus far, but there are likely new ones. The IP addresses that were found and ultimately shuttered: 206.183.111.97 and 77.241.93.160.

5) Watch for any port 443 traffic that’s unencrypted, and keep an eye out for ~DQ files – Watching for unencrypted traffic on the HTTPS/SSL port can help detect malware, including a possible Duqu infection. If it’s not encrypted, it’s probably bad. Meanwhile, a Duqu-infected file may start with “~DQ” in the Windows temporary file directory, so be on the lookout for that as well.
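The monitoring in steps 4 and 5 can be scripted. The following Python is an added example (not from the post or any vendor tool), using the two command-and-control addresses listed above and otherwise constructed flow records, resolver log lines and temp-file names. The resolver line format, and the rule that “unencrypted on 443” means the first bytes of the client payload do not look like a TLS record, are this example’s own assumptions.

```python
"""Detection helpers for the last two recommendations above. The two C2
addresses come from the post; flow records, DNS lines and file names below
are constructed for this example. 'Unencrypted' on port 443 is judged by
whether the client's first payload bytes look like a TLS record
(content type 0x16 = handshake, major version 0x03)."""
import os
import tempfile

DUQU_C2 = {"206.183.111.97", "77.241.93.160"}  # addresses listed in the post


def looks_like_tls(head):
    """A TLS record begins with the content type byte then the 0x03 major version."""
    return len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03


def suspicious_flows(flows):
    """flows: dicts with src, dst, dport and head (first payload bytes).
    Returns (src, dst, [reasons]) for every flow worth a closer look."""
    hits = []
    for f in flows:
        reasons = []
        if f["dst"] in DUQU_C2:
            reasons.append("known Duqu C2 address")
        if f["dport"] == 443 and not looks_like_tls(f["head"]):
            reasons.append("plaintext on port 443")
        if reasons:
            hits.append((f["src"], f["dst"], reasons))
    return hits


def suspicious_dns(lines):
    """Flag resolver log lines (constructed format: 'CLIENT query NAME -> ANSWER')
    whose answer is a known C2 address, whatever name was looked up."""
    hits = []
    for line in lines:
        client, _, name, _, answer = line.split()
        if answer in DUQU_C2:
            hits.append((client, name, answer))
    return hits


def find_dq_files(directory):
    """Names in a temp directory beginning with ~DQ, as the post describes."""
    return sorted(n for n in os.listdir(directory) if n.startswith("~DQ"))


def make_sample_tempdir():
    """Build a throwaway directory of constructed file names for the demo."""
    d = tempfile.mkdtemp()
    for name in ("~DQ1A2B.tmp", "~WRL0001.tmp", "~DQ9.tmp", "report.docx"):
        open(os.path.join(d, name), "w").close()
    return d


# Constructed records: one machine talking plaintext HTTP to a listed C2
# address, one normal TLS session, one plaintext session on 443, one
# ordinary HTTP session on port 80.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "206.183.111.97", "dport": 443, "head": b"GET / HTTP/1.1"},
    {"src": "10.0.0.15", "dst": "198.51.100.20", "dport": 443, "head": bytes.fromhex("16030100")},
    {"src": "10.0.0.20", "dst": "198.51.100.5", "dport": 443, "head": b"POST /up HTTP/1.1"},
    {"src": "10.0.0.21", "dst": "198.51.100.8", "dport": 80, "head": b"GET / HTTP/1.1"},
]
SAMPLE_DNS = [
    "10.0.0.12 query updates.placeholder.invalid -> 77.241.93.160",
    "10.0.0.15 query www.placeholder.invalid -> 198.51.100.20",
]

if __name__ == "__main__":
    print(suspicious_flows(SAMPLE_FLOWS))
    print(suspicious_dns(SAMPLE_DNS))
    print(find_dq_files(make_sample_tempdir()))
```

Matching on the answer address rather than the name is deliberate: the post gives no domain names, and a new domain pointed at an already-known address would still be caught.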

November 11, 2011

Are you pwned?

PWN (verb)

1. An act of dominating an opponent.

2. Great, ingenious; applied to methods and objects.

Originally dates back to the days of WarCraft, when a map designer misspelled “Own” as “Pwn”. What was originally supposed to be “player has been owned.” was “player has been pwned”.

Pwn eventually grew from there and is now used throughout the online world, especially in online games.

  1. “I pwn these guys on battlenet”
  2. “This strategy pwns!” or “This game pwn.”


About 50,000 breached records appear online every week.  Do any of them include your usernames and passwords?  A free website – http://www.pwnedlist.com – has been created that lets you easily check if your information has been compromised.  I sure would not want to be the one that sees the following message after inputting their information:


As of November 4, 2011 almost 5 million e-mail addresses and user names were recorded in the system. PwnedList introduces itself as

“…a tool that allows an average person to check if their accounts have been compromised. No passwords are stored in our database. You can read more about where our data comes from here. Just enter an email address or username associated with any of your accounts to see if it’s on our list. Data entered is not stored, re-used, or given to any third parties. Don’t trust us? You can also use a SHA-512 hash of your email/username as input. Just don’t forget to lowercase all characters first.”

Now this will sound like great news to a lot of people. A team of security experts is doing some good work to help the folks on the internet find out whether or not they have been compromised. That’s great, but how many of you know how to compute a SHA-512 hash?  Let alone what one is? (You can find more information about the SHA-512 algorithm at The SHA-512 algorithm.) SHA-512 is a one-way hashing algorithm that cannot be reversed, so the information they have stored may be safe.
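For readers who would rather hand over a hash than the address itself, here is an added Python example (not PwnedList’s code) that builds the SHA-512 token the way the quoted text says (lowercase first) and compares it against a breach list held locally; the listed accounts are made up for the example.

```python
"""Build the SHA-512 lookup token the site describes (lowercase, then hash)
and compare it against a list of hashes locally. The listed accounts are
constructed for this example, not real breach data."""
import hashlib


def lookup_token(identifier):
    """Normalise, then hash: the site says to lowercase first, and a stray
    capital letter or space would produce an unrelated digest."""
    return hashlib.sha512(identifier.strip().lower().encode("utf-8")).hexdigest()


def is_listed(identifier, listed_hashes):
    """True if the identifier's token appears in a set of SHA-512 hex digests."""
    return lookup_token(identifier) in listed_hashes


# Constructed breach list: the tokens of two made-up accounts.
LISTED = {lookup_token("alice@example.com"), lookup_token("bob.builder")}

if __name__ == "__main__":
    for ident in ("Alice@Example.com ", "carol@example.com"):
        print(ident.strip(), "listed" if is_listed(ident, LISTED) else "not listed")
```

A hash is one-way, but it is not anonymous as a lookup key: whoever receives it can still match it against their own list and learn which listed account was asked about, so the question raised in the next paragraph about who runs the site still applies.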

My worry about sites like this is: what is stopping a hacker from putting up a site like this to collect information?  Sure, the site looks good, but if you’re worried that your user name or password may have been compromised, it’s time to go change them.  Also, you’re not using the same user name and password on different sites, are you?  Are your passwords dictionary words?  Time to change that around: create secure passwords, and use a different one for each site you use.

Think about it: is it really safe, or is it a fake just trying to get your information?
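The SHA-512 option PwnedList describes, and the worry above about handing information to an unknown site, are both easy to see in a few lines. This is an added example, not code from the original post or from PwnedList; the e-mail addresses are constructed. lookup_key computes the hash the site asks for (lowercase first, then SHA-512), and reidentify shows the caveat: a hash is one-way, but an e-mail address is guessable, so whoever receives the hash can still match it against a list of likely addresses.

```python
"""How the SHA-512 lookup that PwnedList describes works, and why hashing
an address does not hide it from whoever runs the site. Added example,
not code from the original post or from PwnedList; addresses are
constructed."""
import hashlib


def lookup_key(identifier: str) -> str:
    """SHA-512 hex digest of the identifier after the site's required
    normalization: strip surrounding whitespace and lowercase everything.
    Submitting this instead of the raw address keeps the plaintext address
    out of the request and out of the site's logs."""
    normalized = identifier.strip().lower()
    return hashlib.sha512(normalized.encode("utf-8")).hexdigest()


def reidentify(digest: str, candidates):
    """Return the candidate address whose lookup key equals `digest`, or None.

    The digest cannot be reversed, but it is deterministic: anyone holding
    it and a list of plausible addresses can hash each one and compare.
    Hashing a guessable input is a lookup key, not anonymization."""
    for candidate in candidates:
        if lookup_key(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    # Case and surrounding whitespace are normalized away, so both forms
    # produce the same key.
    print(lookup_key("Alice@Example.com") == lookup_key(" alice@example.com "))
    print(reidentify(lookup_key("bob@example.com"),
                     ["alice@example.com", "bob@example.com"]))
```

The practical reading of the author's concern: submitting the hash limits what a site learns from the request itself, but it does not make a good-looking unknown site trustworthy, and it does not hide which address you asked about from an operator willing to guess.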

November 5, 2011

Passwords? Pass the Cracker please…….

“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.”  -Clifford Stoll

Why are strong passwords needed?
Good computer security includes the use of strong passwords for all your accounts. Passwords can be the weakest link in a computer security scheme. Strong passwords are important because password cracking tools continue to improve and the computers used to crack passwords are more powerful. Network passwords that once took weeks to break can now be broken in hours.

Password cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation that tries every possible combination of characters. Given enough time, the automated method can crack any password. However, it still can take months to crack a strong password.

For a password to be strong and hard to break, it should:

  • Contain 6 or more characters
  • Contain characters from each of the following three groups:
    1. Letters (uppercase and lowercase) A, B, C,…; a, b, c,…
    2. Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    3. Symbols (all characters not defined as letters or numerals) ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
  • Have at least one symbol character in the second through sixth positions.
  • Be significantly different from prior passwords.
  • If there is only one letter or special character, it should not be either the first or last character in the password.

Do NOT use:

  • Your username or any part thereof
  • Name(s) of yourself, family, friends, pets, or co-workers
  • Computer terms and names, commands, sites, companies, hardware, or software
  • Birthdays or other personal information such as addresses or phone numbers
  • A set of characters in alphabetic or numeric order (ex. abcdef), in a row on a keyboard
    (ex. qwerty), or a simple pattern (ex. 123123)
  • Words that can be found in a dictionary
  • Your UCLA ID number, a bank account PIN, credit card number, etc.
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (ex. qwerty1, 1qwerty)

Try to change your password(s) frequently.

When typing in your password, make sure no one is watching you type. Ask anyone around you to kindly look away.

The 20 most common passwords are listed below. Is yours among them?

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. websitename (the name of the site itself, for example Microsoft or yahoo)
  8. 1234567
  9. 12345678
  10. abc123
  11. Nicole
  12. Daniel
  13. babygirl
  14. monkey
  15. Jessica
  16. Lovely
  17. michael
  18. Ashley
  19. 654321
  20. Qwerty

You will notice how many people have apparently used their first names as passwords.  Number 7 is simply the name of the site the password is for.

I advise users to choose a strong password for any site where you care about the privacy of the information you store there.  If you’re concerned about being able to remember it, here’s a little memory-jogging trick: take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m.’
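The composition rules, the "Do NOT use" list and the top-20 list above can be checked mechanically. The following is an added example, not code from the original post: it encodes those rules as a checker that reports which ones a candidate password breaks. The dictionary and computer-term lists are small constructed stand-ins for the full word lists a real deployment would load, and `personal` and `site` are assumed parameters through which the caller supplies the user's own data and the site name. Run against the post's own mnemonic example, it shows that ‘tlpWENT2m.’ satisfies every rule except the two positional ones (no symbol in positions 2 through 6, and its only symbol is the last character).

```python
"""Password policy checker for the rules listed in the post above.
Added example, not code from the original post. DICTIONARY_WORDS and
COMPUTER_TERMS are constructed stand-ins for real word lists."""

# Symbols as given in the post: printable characters that are neither
# letters nor numerals.
SYMBOLS = set("`~!@#$%^&*()_+-={}|[]\\:\";'<>?,./")

# The 19 literal entries of the post's top-20 list, lowercased; entry 7
# ("websitename") is covered by the `site` parameter instead.
TOP_20 = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl",
    "monkey", "jessica", "lovely", "michael", "ashley", "654321", "qwerty",
}
DICTIONARY_WORDS = {"dragon", "welcome", "sunshine", "letmein", "football"}  # constructed
COMPUTER_TERMS = {"admin", "root", "windows", "microsoft", "yahoo", "login", "server"}  # constructed
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_sequential(s):
    """abcdef / 123456 style: every step is +1 (or, reversed, every step -1)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_run(s):
    """qwerty style: four or more characters in a row on the keyboard."""
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def is_simple_pattern(s):
    """123123 / aaaaaa style: the string is a shorter unit repeated."""
    return len(s) >= 2 and (s + s).find(s, 1) < len(s)


def _forms(password):
    """Variants the 'do not use' rules apply to: lowercased, with one
    leading or trailing digit removed, and each of those spelled backwards."""
    p = password.lower()
    forms = {p}
    if p[:1].isdigit():
        forms.add(p[1:])
    if p[-1:].isdigit():
        forms.add(p[:-1])
    return forms | {f[::-1] for f in forms}


def violations(password, personal=(), site=None):
    """Return the rules from the post that `password` breaks, in order.
    `personal`: the user's own data (username, names, birthday digits,
    phone number, ...); `site`: the name of the site the password is for."""
    problems = []

    # Composition rules.
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("does not use letters, numerals and symbols")
    if not any(c in SYMBOLS for c in password[1:6]):
        problems.append("no symbol in positions 2 through 6")
    if sum(c.isalpha() for c in password) == 1 and (password[0].isalpha() or password[-1].isalpha()):
        problems.append("the only letter is the first or last character")
    if sum(c in SYMBOLS for c in password) == 1 and (password[0] in SYMBOLS or password[-1] in SYMBOLS):
        problems.append("the only symbol is the first or last character")

    # "Do NOT use" rules, applied to every form of the password.
    blocked = {w.lower() for w in personal if len(w) >= 3}
    if site:
        blocked.add(site.lower())
    for form in _forms(password):
        if form in TOP_20:
            problems.append("one of the 20 most common passwords")
        if form in DICTIONARY_WORDS:
            problems.append("a dictionary word")
        if form in COMPUTER_TERMS:
            problems.append("a computer term or company name")
        if any(w in form for w in blocked):
            problems.append("contains your username, a name, the site name or other personal data")
        if is_sequential(form):
            problems.append("characters in alphabetic or numeric order")
        if is_keyboard_run(form):
            problems.append("characters in a row on the keyboard")
        if is_simple_pattern(form):
            problems.append("a simple repeating pattern")
    # Several forms can trip the same rule; report each rule once.
    return list(dict.fromkeys(problems))


def is_strong(password, personal=(), site=None):
    return not violations(password, personal, site)


if __name__ == "__main__":
    for candidate in ("123456", "qwerty1", "tlpWENT2m.", "g7#Kq2!wZp"):
        print(candidate, "->", violations(candidate) or "passes every rule")
```

A checker like this only enforces the rules the post lists; it says nothing about the cracking speed argument made earlier, so a password that passes is merely one that avoids the listed mistakes, not one that is guaranteed to hold up against a long brute-force run.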
