Password Security Is The Foundation Of Computer Security
In password security part 1, I explained the importance of having a strong password as the first and most important line of defence in any security strategy. I also gave you a site that lets you test how secure your password is (testing is essential in security).
In part three I will give you a way to securely store all the many different passwords you will have once you realise why having one password for all your accounts is a seriously bad idea.
But for today, I need to explain what makes a good and memorable password, which will act as your master password.
So let’s start with why having a single password that you think is pretty solid, and that you use everywhere (usually attached to an email address), is a bad idea. It’s a fairly simple explanation. Hackers seek this kind of thing out. Your password gets cracked once, and the hacker has access to all of your accounts. They can find out where your email address is used on the web and try every single place.
Next, let’s look at the usual passwords people use. First off, probably the most used password in the world: Password123. OK, it’s laughable, I know, but it really is used. If we look at it there are three things I can point out, right off the top of my head.
Number one – the first letter is capitalised. Hackers know this and use that information when they run dictionary attacks on password files.
Number two – the word is a dictionary word. We are talking about a fraction of a second for any dictionary word used as a password to get cracked.
Number three – numbers at the end. Once again, because most people do this with their passwords, hackers know it and factor it in.
I know this is how people put passwords together because I have had passwords structured exactly like that – and I’m security aware!
An alternative to this might be to use numbers in place of letters where possible, e.g. P455w0rd123. Well, guess what? Hackers are onto that too.
So now we know what makes a bad password, but what makes a good one?
The first thing is that it should be as long as it is allowed to be. What I mean by this is that some systems have limits on password length – for example, no more than 16 characters.
But for now, let’s assume you can have a longer password. I like to pad my passwords at the front and at the end with numbers. It helps. Next, no dictionary words, but we can have a phrase. So I’ll pick a movie title as my example. The movie I choose is The Hitman’s Bodyguard.
Knowing that capitalisation is usually put at the beginning of words, I instead put my capitals at the second letter and the second-last letter.
I then add a couple of special characters to replace some of the vowels. Notice I don’t use the same character twice when there are two a’s. This is a defence against cryptographic analysis (that’s a whole ’nother story and too in-depth for here). But notice that, to keep it memorable, the special characters follow a progression – 3, 4, 5 on the keyboard, or #$%. Also, only the e’s and the a’s are replaced with special characters.
The final attribute I would like to point out is a space between body and guard. Spaces are very good to put into passwords – no one ever seems to think of them for some reason.
What we come up with finally is:
It’s easy to remember (well, if you remember the rules you used to create it).
So that’s the lowdown on how to create a memorable yet uncrackable password. Run it through an online password checker and see how many years it would take to crack.
Password security is, to me, the first (and most important) line of defence in the battle against hackers and cyber criminals. It’s also the least high tech, the most ignored and abused line of defence. It’s human nature to look for the super, high tech, bells and whistles, super solution while ignoring the simple.
Let me give you this anecdote I heard about the US space program as an example. The US apparently spent over a million dollars trying to develop a biro that would work in space. The Russians simply used pencils.
The thing with passwords is that a weak password breaks strong security. It’s kind of pointless to buy, for example, an expensive edge device (a device that sits on the edge of your network) that is supposed to protect all of your assets and leave the default password on it.
I know what you’re thinking right now. You’re thinking, “no, that never happens”. Well, I can tell you, it does. All too often, in fact. I can actually direct you to a website that lists literally thousands of devices connected to the internet right now, still using their default passwords, that are available for hackers to break into.
So what is the takeaway of this post? To let you know that there are websites where you can actually check your password. Believe me, these will be an eye opener to most people!
Let’s take an actual password from someone I know – Buffst3r. Now let’s analyse it from a hacker’s point of view. First off, it’s a social engineer’s wet dream. For those who don’t know, social engineering is where a hacker finds out things about you and uses them to break into your system. For example, they look at your Facebook page and find your pets’ names and your kids’ names. This particular password is a variation of a pet’s name. That is the number one no-no. Secondly, it’s not very complex. It has an upper case character at the beginning; the most common place people put upper case characters is at the beginning of passwords – hackers know that. The next thing is that it substitutes a “3” for an “e”. This is known as leetspeak, and guess what? Hackers are onto this too.
So we run this password through our trusty password checker and find that it will last a whole 3 hours. Sounds secure? Not really. It goes like this. The hacker gets up in the morning and sets his computer running on cracking your password. He does whatever else he feels like doing. Then at lunch time, he logs onto your computer.
But anyway, like I said earlier, the takeaway is the website. If you want to check how secure your password is, you can go to https://howsecureismypassword.net/. It will be an eye opener for you.
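As an added example (my own code, not from this post), here is a small Python checker that flags the patterns called out above and in part 2: a capital only at the front, a dictionary word, digits tacked on the end, leetspeak substitutions, a password built from a pet’s or child’s name, and a short length. It also gives the naive brute-force time at an assumed ten billion guesses per second. The word list, the personal-name heuristic, the 16-character target and the guess rate are all assumptions, and the last sample password is one I constructed by following the rules in part 2, not the one from the post.

```python
# Constructed stand-in for a word list (assumption: a real checker loads a full
# dictionary such as /usr/share/dict/words plus leaked-password lists).
WORD_LIST = {"password", "welcome", "monkey", "dragon", "letmein", "hitman", "bodyguard"}

# Common digit-for-letter leetspeak substitutions, mapped back to the letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Assumptions for the crack-time estimate: an offline attacker guessing
# against a fast hash at ten billion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e10
MIN_LENGTH = 16  # assumed target; the post says "as long as allowed"


def unleet(text):
    """Undo digit-for-letter substitutions and lower-case the result."""
    return text.translate(LEET).lower()


def core(password):
    """Strip digits tacked onto the ends, leaving the part people 'remember'."""
    return password.strip("0123456789")


def analyse(password, personal_words=()):
    """Return the list of weaknesses from the post that this password exhibits."""
    findings = []
    base = core(password)
    if len(password) < MIN_LENGTH:
        findings.append("short")
    # A capital at the first position and nowhere else.
    if password[:1].isupper() and password[1:] == password[1:].lower():
        findings.append("capital_first_only")
    # Digits only at the end ("word123"); padding both ends, as the post
    # recommends, is a different shape and is not flagged.
    if password[-1:].isdigit() and not password[:1].isdigit():
        findings.append("digits_at_end")
    if base.lower() in WORD_LIST:
        findings.append("dictionary_word")
    elif unleet(base) in WORD_LIST:
        findings.append("leetspeak_dictionary_word")
    if unleet(base) != base.lower():
        findings.append("leetspeak")
    # Heuristic (assumption): a password derived from a pet's or child's name
    # contains that name or shares at least its first four letters with it.
    plain = unleet(base)
    for word in personal_words:
        w = word.lower()
        if w in plain or (len(w) >= 4 and plain.startswith(w[:4])):
            findings.append("personal_info")
            break
    return findings


def charset_size(password):
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus the space
    return size


def brute_force_seconds(password):
    """Expected time for an exhaustive search to hit the password (half the keyspace).

    This is only an upper bound: every finding from analyse() lets an attacker
    use dictionary and rule-based guessing that is orders of magnitude faster.
    """
    return charset_size(password) ** len(password) / 2 / ASSUMED_GUESSES_PER_SECOND


def human_time(seconds):
    """Render a duration the way the online checkers do ("82.4 years")."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed samples: the post's examples plus a phrase built by its rules
    # (numbers padded on both ends, capitals at the second and second-last
    # letters, e/a replaced by the progression # $ %, a space kept in the phrase).
    samples = [("Password123", ()), ("P455w0rd123", ()), ("Buffst3r", ("Buffy",)),
               ("73tH# hitm$n's body gu%Rd37", ())]
    for pw, personal in samples:
        print(f"{pw!r}: {analyse(pw, personal) or 'no findings'}; "
              f"brute force at most {human_time(brute_force_seconds(pw))}")
```

The brute-force figure for Buffst3r comes out at about three hours, in line with what the online checker reported; the findings list is the more important output, because each flagged pattern is a shortcut that makes the real cracking time far shorter than the brute-force bound.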
Now the thing is, once you have secure passwords you will have a problem with remembering them all. Next post I will offer you a solution to that problem.
For more on password security, here is part 2.
The ability to use your wireless adapter with VirtualBox bridge mode is a problem that at least a few geeks on the web are asking about, yet no one seems to have a convincing answer as to how to configure it.
The solution is in fact fairly simple, and quite obvious too, once you understand the problem. However, I’m still going to make you read an entire article to get the solution. Don’t worry, you will actually get some good insight into the troubleshooting process by reading it, so your time is well spent reading the whole article.
So the background is that I’ve been setting up a penetration testing lab using VirtualBox. One of the virtual machines I have created is the firewall/router pfSense. In order for this to be able to connect other devices to the outside world, it needs to connect to my internet router.
Since I don’t have a wired connection to the router, nor do I want to be stuck in the same room as the router, I needed to be able to connect a bridged connection via my wifi.
However, when I tried this, I couldn’t get connectivity to happen. At first I was stumped. What was going on, and how could I fix it? First step, as always, a Google search. Unfortunately this didn’t work. As usual, clueless script kiddies on forums with no real idea but an inflated sense of self worth. No luck there.
OK, so where to next? Well, why not find out whether the bridged adapter was in fact sending out DHCP requests? Time to download an app called Wireshark. What this does, for those who don’t know, is capture every single network packet sent by your computer. Packet capture tools are invaluable when it comes to troubleshooting network problems. They allow you to check who is doing what: which device is sending, which is receiving, which is responding.
I ran a packet capture using Wireshark and found that, sure enough, pfSense was sending out DHCP requests. Problem is, the internet router wasn’t responding. Why is that, I wondered? Well, the obvious answer is that you need a password to connect to my wifi.
So the next question is, how can I get the bridged network to send the password to the internet router? Well, I never did find a way. However, I did find a workaround. It helps to have a very in-depth understanding of network architecture at times.
The bridged network adapter has its own MAC address (the hardware address of the card), although physically the bridged adapter is on the same card. The thing about network adapters is that they are not limited to a single IP address.
Also, a thing I wasn’t aware of is that the wifi authentication is in fact tied to the MAC address of the network card.
So once I figured this out, the solution was, as I said at the outset, fairly simple. Set the bridged adapter’s MAC address to the MAC address of the wireless adapter, then assign the pfSense interface an IP address. And hey presto, it works. Not a bad little bit of troubleshooting if I do say so myself.
For those who are new to IT, this image may help. This is the result of the ifconfig command in Linux; the MAC address is highlighted. The equivalent command in Windows is ipconfig, and to see the MAC address you have to use ipconfig /all.
As I have said, you take the highlighted address and put it in the virtual machine settings, which are found under Settings, as you can see in the next image. It’s a simple cut and paste, and you’re done.
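The same fix done from the command line, as an added example (my own script, not from this post or from VirtualBox): it pulls the MAC out of ifconfig or ipconfig /all output, converts it to the twelve-digit form VBoxManage expects, and builds the modifyvm commands that bridge the VM’s first NIC to the wireless interface with that MAC. The command output, the interface name wlan0, the VM name pfsense and the MAC itself are constructed for the example. The underlying reason a plain bridge fails is that a Wi-Fi access point only accepts frames from the station MAC that associated and authenticated with it, so frames the VM sends under its own MAC are dropped; once the guest shares the host’s MAC, give it a static address as the post does, since the DHCP server would otherwise hand the guest the host’s lease.

```python
import re
import subprocess
from pathlib import Path

# Constructed command output standing in for the screenshots in the post.
# The MAC is a locally administered address made up for this example.
SAMPLE_IFCONFIG = """\
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.23  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 02:12:34:56:78:9a  txqueuelen 1000  (Ethernet)
"""
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:
   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 02-12-34-56-78-9A
"""

# The MAC follows "ether" or "HWaddr" in Linux ifconfig output and
# "Physical Address ... :" in Windows ipconfig /all output.
MAC_PATTERN = re.compile(
    r"(?:ether|HWaddr|Physical Address[ .]*:)\s*"
    r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")


def find_mac(command_output):
    """Pull the first MAC address out of ifconfig or ipconfig /all output."""
    match = MAC_PATTERN.search(command_output)
    if not match:
        raise ValueError("no MAC address found in output")
    return match.group(1).lower().replace("-", ":")


def read_iface_mac(iface, sysfs="/sys/class/net"):
    """On Linux, read the MAC straight from sysfs (the same value ifconfig shows)."""
    return Path(sysfs, iface, "address").read_text().strip()


def to_vbox_mac(mac):
    """VBoxManage expects twelve hex digits with no separators."""
    digits = re.sub(r"[:-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def vboxmanage_commands(vm_name, iface, mac, nic=1):
    """Commands that bridge NIC <nic> of the VM to <iface> using the host's MAC.

    The VM must be powered off for modifyvm to take effect.
    """
    return [
        ["VBoxManage", "modifyvm", vm_name,
         f"--nic{nic}", "bridged", f"--bridgeadapter{nic}", iface],
        ["VBoxManage", "modifyvm", vm_name, f"--macaddress{nic}", to_vbox_mac(mac)],
    ]


def apply(vm_name, iface, mac, dry_run=True):
    """Print the commands, and run them only when dry_run is False."""
    for argv in vboxmanage_commands(vm_name, iface, mac):
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Dry run against the constructed output; on a real Linux host use
    # read_iface_mac("wlan0"), on Windows paste the output of ipconfig /all.
    mac = find_mac(SAMPLE_IFCONFIG)
    assert mac == find_mac(SAMPLE_IPCONFIG)  # both tools report the same address
    apply("pfsense", "wlan0", mac, dry_run=True)
```

Run it with dry_run=False once you have checked the printed commands; the GUI route in the screenshots sets exactly the same two properties.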
It has been a while since I looked up a Microsoft security bulletin. There is no reason to keep up with security bulletins if you are not working in a particular space. The landscape changes pretty quickly, and old information is useless. However, when the Petya Virus struck I wanted to have a look and see why it had hit so hard. What is going on? There seem to be more and more cyber attacks hitting the news. For example the recent attack on the NHS system in the UK that severely compromised their systems.
But why are these attacks happening and why are they being effective? Well reason number one is that apparently there is a worldwide shortage of IT security professionals. Damn, and here’s me writing web pages for a living, when I had more security qualifications than you can shake a stick at.
On a technical level, the reasons are fairly simple. The main attacks succeed because of unpatched computers and poor password selection. Software patches (in Windows) are Windows updates – updates to files that happen annoyingly regularly to fix bugs in the software and close security gaps.
So why if it’s that easy, aren’t machines just regularly updated? How did so many companies get compromised?
Well, in a corporate environment, it’s not that easy. Firstly, if you have hundreds, or even thousands, of computers throughout your organisation, you don’t just allow every single PC to access the internet individually for updates. You tend to download updates to a central server and then get that server to deploy the updates. What this does is give you a single point of access to the outside world. It’s a fairly standard security practice to limit the number of devices that are directly attached to the internet. Browsing the web, for example, is usually done through a thing known as a proxy server. People accessing your corporate websites are incoming, and they go through a reverse proxy.
OK, so what? So you just download the patches and schedule the updates and all is good, right? Steady on there, cowboy. Once again, it’s not that simple. The problem with patches is that they tend to break stuff. Imagine you’re the guy in the IT department who deploys an untested patch to several thousand computers and your key business software breaks. You are a real villain in the eyes of the organisation, aren’t you? You’re pretty much a cyber attacker as well.
What you have to do then is test the patches before release. And once again there is a complicating factor here. No large company in the world has identical machines. For years this has been the bane of desktop support. You generally have software images for each of the different machine types, so that the patch has to be tested on each of the different builds.
Naturally, all of this takes time and manpower, so a shortage of IT security professionals slows things down. One of the reasons given for the NHS attack was a lack of investment in IT by the NHS.
The particular vulnerability that Petya exploits was disclosed by Microsoft in March of this year. Given the way corporate IT works, that is plenty of time for hackers to write an exploit and deploy it, before the cautious and overworked IT staff have managed to deploy every patch.
But what can individuals do to avoid such problems? Well:
- Make sure all updates are installed
- Backup all important files
- Use better passwords
- Make sure you have a good anti virus installed
- Make sure you have a personal firewall running
- Make sure the personal firewall is properly configured.
That should do for a start. And if you want consultation, call me.
The Australian government, late to the party as always, has ordered ISPs to block traffic from torrent download sites.
It’s very interesting timing in my view. Right now torrent sites are probably not as popular as they once were, thanks to services like Stan and Presto taking off. Why take a chance of getting prosecuted for copyright infringement when for about 10-15 dollars a month you have access to a wide variety of streaming movies?
The same when it comes to music. You have services like Pandora and Spotify which are either free or you can purchase the premium service to have more control over what you listen to.
So torrent sites getting blocked now is no longer a big deal. But it does raise the question, what do you do if you are a suspicious, conspiracy theory type who doesn’t like the government snooping on everything they do on the internet?
Well, as usual, when governments legislate, it’s remarkably simple to just sidestep what they have legislated for. In this case it is a trivial matter for anyone, no matter what their level of computer expertise, to set up a VPN connection. There are many services being offered now, some free. I will add the links to them at the bottom of the article.
But first, I would like to explain what a VPN is and why it sidesteps any blocking that governments insist ISPs in Australia put in place.
When you use a VPN service you are directly connected to the service from your desktop via an encrypted connection. You are still connected to the internet via your ISP, but the VPN creates a tunnel through your ISP connection to the VPN server at the other end.
As a user, your requests go to the VPN server, are fetched by the VPN server and sent back down the tunnel to you. Any software at the ISP end of things sees nothing other than an encrypted connection; it can’t see what the actual traffic is. So voila! Government measure neatly sidestepped.
I personally use CyberGhost. It’s a freemium service: free with some limitations, or you can upgrade and pay a small fee for extra features. I have found that the free service is entirely adequate for my needs.
The reason (other than price) that I recommend this service is that it is so easy to set up. You download, you install, you connect. It’s as simple as that. There is no crazy stuff like setting IPsec parameters or other similar things that simply make non-technical people’s eyes glaze over.
One of the funny things about this (but a clear demonstration that your real location is hidden) is that you get Google ads in German or Dutch or wherever else you connect to, because the Google algorithm takes your location to be the location of the VPN server.
By writing this, I’m not endorsing the use of torrent sites. I’m just noting how easy it is to sidestep rules about the internet.
Look here for a list of free vpn services.
Update: Here is a comparison of good value VPN providers https://pixelprivacy.com/vpn/cheap/
If I say that Google is very powerful, I don’t think I would have too many people disagreeing with me. Of course, the internet being what it is, I’m sure I would have some people disagreeing simply to be contrary. But in general terms the statement holds up pretty well. If Google says your website should use HTTPS, you need to use HTTPS.
One of the things about Google being powerful is that Google says jump and the whole world asks, “How high?” Getting your web page to number one on Google can be incredibly lucrative, so if Google says you can get to page one by posting a video of yourself on YouTube drinking sump oil, a million SEOs are going to be posting videos.
So, having said that, one of the recent things that Google has said it wants is sites to be secured by HTTPS. But what is HTTPS? In the tradition I have of explaining the technical in simple terms, let’s give this a try.
Let’s start off with the concept of encrypted and unencrypted packets. Hang on a minute, I need to take a step back there. Let’s start off with the concept of packets. This is how computers communicate over networks. In little chunks of information called packets. They are like letters with envelopes – the envelope has the address on the outside to tell the postman where the letter is going to, and possibly the from address as well.
The structure of a data packet is essentially the same thing. It has some information that identifies where it’s going from and where it’s going to, and in the middle the information it needs to send. The packets are usually quite small, just a couple of hundred bytes. The reason for this is that communication isn’t perfect over networks, and it’s easier to ask for a small amount of information to be resent than a large amount. Once again, an analogy helps to explain. It’s easier to ask someone to repeat a word you didn’t hear in a phone conversation than to ask for the whole discussion from the top.
Anyway, that’s packets for you. Now we can go on to unencrypted packets versus encrypted packets. Unencrypted packets are packets that send the information between your computer and the computer you are connected to in plain text. Hackers have these things called packet sniffers. Packet sniffers can, as the name suggests, look at the packets you and the remote computer are sending between them and see what’s inside them. If the information in those packets is unencrypted, whatever you send can be looked at, be it passwords or credit card details, whatever it may be.
Now the difference between unencrypted and encrypted packets is that if a hacker gets hold of the packets, the information inside the packets is useless to them. The information is locked up and looks like a bunch of random garbage to anyone in the middle, only being unlocked when it reaches either end.
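The difference the last few paragraphs describe, as an added example in Python (my own code, not from this post): a toy packet format that cuts a request into packets of at most 200 bytes, a sniffer that scans payloads for a password the way a packet sniffer would, a simulated lost packet to show that only the small missing piece has to be resent, and a simple encryption layer so the same request can be sent plain or encrypted. The packet format, the sample login request, the key and the cipher (an HMAC-SHA256 keystream XORed with the data, standing in for TLS, which also authenticates the traffic and negotiates keys) are all constructed for this example and are not how real HTTPS is built.

```python
import hashlib
import hmac
import struct

# Constructed toy packet format (not real IP/TCP): 4-byte source, 4-byte
# destination, sequence number, total packets, payload length, then payload.
HEADER = struct.Struct("!4s4sHHH")
MAX_PAYLOAD = 200  # the post's "couple of hundred bytes"

# Constructed sample: a login form submitted over plain HTTP, padded with a
# long note field so that it spans several packets.
REQUEST = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\n"
           b"user=alice&password=hunter2&note=" + b"A" * 400)
KEY = hashlib.sha256(b"constructed demo key").digest()  # known to the two ends only
NONCE = b"\x00" * 8  # must never be reused with the same key


def build_packets(src, dst, data):
    """Cut data into small numbered packets, like letters in envelopes."""
    chunks = [data[i:i + MAX_PAYLOAD] for i in range(0, len(data), MAX_PAYLOAD)]
    return [HEADER.pack(src, dst, seq, len(chunks), len(chunk)) + chunk
            for seq, chunk in enumerate(chunks)]


def parse_packet(raw):
    src, dst, seq, total, length = HEADER.unpack_from(raw)
    return src, dst, seq, total, raw[HEADER.size:HEADER.size + length]


def reassemble(packets):
    """Return (data, missing sequence numbers); only the missing ones need resending."""
    by_seq, total = {}, 0
    for raw in packets:
        _, _, seq, total, payload = parse_packet(raw)
        by_seq[seq] = payload
    missing = [s for s in range(total) if s not in by_seq]
    return b"".join(by_seq.get(s, b"") for s in range(total)), missing


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for the TLS cipher."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def xor_stream(key, nonce, data):
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def send(src, dst, data, key=None, nonce=None):
    """Packets as they go onto the wire, plain (key=None) or encrypted."""
    if key is not None:
        data = xor_stream(key, nonce, data)
    return build_packets(src, dst, data)


def receive(packets, key=None, nonce=None):
    """What the far end recovers, plus the packets it has to ask for again."""
    data, missing = reassemble(packets)
    if key is not None and not missing:
        data = xor_stream(key, nonce, data)
    return data, missing


def sniff(packets, needle=b"password="):
    """What a sniffer in the middle sees: sequence numbers whose payload holds needle."""
    return [parse_packet(raw)[2] for raw in packets if needle in parse_packet(raw)[4]]


def drop(packets, lost):
    """Simulate the network losing the packets with the given sequence numbers."""
    return [raw for raw in packets if parse_packet(raw)[2] not in lost]


def demo():
    """Run the scenario end to end and return what each party observes."""
    client, server = bytes([192, 168, 1, 23]), bytes([203, 0, 113, 10])
    plain = send(client, server, REQUEST)
    secure = send(client, server, REQUEST, KEY, NONCE)
    return {
        "packets": len(plain),
        "plain_hits": sniff(plain),          # the sniffer finds the password
        "encrypted_hits": sniff(secure),     # ciphertext looks like random bytes
        "to_resend": receive(drop(secure, {1}))[1],  # one small packet, not all
        "recovered": receive(secure, KEY, NONCE)[0] == REQUEST,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sniffer finds the password in packet 0 of the plain exchange and nothing in the encrypted one, while the server, holding the key, still recovers the full request; dropping packet 1 shows that only that 200-byte piece has to be sent again.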
So there are obvious benefits there for the security of the data between websites and their clients. But of course, once Google says you should do it, it’s time to act.
The claim is that it actually helps your SEO, which is where we came in. Google wants certain things. It wants websites more secure and mobile friendly. It wants unique content. It rewards those who play by their rules and penalises those who don’t. To me the benefit to SEO is marginal, but that may change as time goes by. So you need SEO on your website to please the great god Google.