
Your passwords safeguard your identity and your property, but managing multiple secure passwords is challenging, so many people opt for less safe options that put them at greater risk.

You can have both security and practicality if you understand what your password is and how to protect it from the thieves.

Passwords date back to antiquity: “The Histories” by Polybius (200–118 BC) describes the use of passwords, also called “watchwords,” by Roman sentries to challenge those who sought passage, i.e. a pass-word. The Romans used sophisticated systems to distribute the passwords among troops while keeping them secret from their enemies. How do you share a secret and keep it secret? In those days it was not smart to forget your password; you did not get a chance to reset it.

In our time you can reset a forgotten password, but you may not be able to recover from a stolen one. It is not smart to share your passwords with anyone, no matter how much you trust them, because that practice is precisely what thieves who use social engineering rely on. Your loved one will probably not betray you, but if their account is cracked by a hacker and they have your password, then you are both forsaken. Sharing passwords radically increases your threat exposure.

Robert Siciliano of McAfee, a major computer security company, reports that “74% of Internet users use the same password across multiple websites, so if a hacker gets your password, they now have access to all your accounts.” Reusing passwords is an open gate for your enemies to exploit.

Identity thieves also use hacking tools such as “John the Ripper,” a brute force password cracking tool that generates many thousands of variations of text strings until one of them succeeds in logging into your account. Programmers try to defeat brute force attacks by locking the account after a number of incorrect password attempts. The crackers can bypass that safeguard in some instances, so it is really up to you to create passwords that are improbable to match by brute force.

Most people use passwords that free dictionary attack software can crack in picoseconds.

Choosing an easy-to-remember password such as a pet’s name like “princess,” a birth date or a common word is an invitation to disaster. A 2012 study showed that the three most frequently used passwords are “password,” “123456,” and “12345678.” Those favorites were followed in popularity by – and I am not making this up – “abc123,” “qwerty,” “login,” “princess” and “starwars.”

It is enough to make a grown tech support man cry and I pray that informed university members such as yourself do not replicate such patterns.

A way to understand this situation is to test the passwords that you are using now. Please do not go entering your password into a web form just because it says “test your password.” It might be a trap set by the cracker hackers.

One password testing site, sponsored by Dashlane which makes password management software – How Secure is my Password –  lets you check the strength of your passwords.

According to that testing site, it would take the John the Ripper program about .001 picoseconds to crack the password “princess.”

“grumpycat” would take 2 minutes.

My email password would take 158 thousand years for John the Ripper to crack. I can live with that.  You can do the same and still remember your passwords even better than before with a few strategic moves.

The primary qualities in strong passwords are length, diversity and uniqueness.

1. Make your passwords 10 characters or more.

2. Use a diversity of character types in making your passwords: a mixture of lower-case letters, upper-case letters, numbers and symbols.

3. Make a unique password for every account.

Here is a schema for implementing these three qualities while crafting passwords that your over-taxed memory can handle with ease.

Start with something that you know well and is not immediately obvious about you. A favorite movie may be such a choice; let’s go with “Star Wars: Episode III – Revenge of the Sith” (2005), in which Yoda opines: “Not if anything to say about it I have.”

His speech is 30 characters long but you can certainly remember it, if Star Wars is your thing.

Some password systems allow spaces, but we will make Yoda’s wisdom universal by using punctuation: “Not.if.anything.to.say.about.it.I.have.”

Using periods or hyphens or underscores or asterisks I can make a nearly impenetrable, but memorable, passphrase. Note that it already has two capital letters which are intuitively placed for you, but not for the cracker hacker.

The fact that master Yoda is grammatically challenged works to our advantage.

Mixing numbers into the passphrase makes it stronger still and is required by some systems, so: “Not.if.anything.2.say.about.it.I.have.” This is a very strong passphrase which I’ll bet that you could remember even if you do not care about Star Wars, because you now know the principles by which it was constructed.

What, then, about the uniqueness factor? If you have to make a passphrase for every login, how can you remember all of them?

That’s pretty simple because with a super-strong passphrase you can make two ultra-strong moves.

First, consider making unique base passphrases for different types of logins; e.g., one for school, one for finances, one for email, one for social and one for everything else. Your passphrase for each can be aspects of the movie theme, or whatever works for you.

For example, my finances passphrase might be “M0ney.the.r00t.0f.all.evil.i$.”, which is pretty Yoda-like and is super-strong because you can see how it implements all three of the strength qualities.

Second, you can customize the password for each separate login site by adding something from the site. For example, your Oregon State Credit Union (OSCU) login may be “OSCUM0ney.the.r00t.0f.all.evil.i$.” and your US Bank (USB) login may be “USBM0ney.the.r00t.0f.all.evil.i$.”

All you need to do now is remember the base passphrase and look at the site title for your add-on clue.
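The three qualities and the two moves described above can be written down as a checklist that a program can apply. The block below is an added example, not code from the column or from Dashlane's tester: it scores a candidate against the length and diversity rules, estimates the brute-force search space in bits, flags a password reused across accounts (the uniqueness rule), and builds the per-site variant by prefixing the base passphrase with the site tag. The 10-billion-guesses-per-second rate used for the time estimate and the sample account list are constructed assumptions; the estimate measures only exhaustive search, so a phrase made of dictionary words remains cheaper to guess than the raw bit count suggests.

```python
import hashlib
import math
import string

# Character classes counted toward the "diversity" quality (rule 2).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def character_classes(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace_bits(password):
    """Naive brute-force search space, log2(alphabet_size ** length).

    Only counts exhaustive search over the classes actually used; a dictionary
    attack on common words is far cheaper, which is why the digit substitutions
    and the uniqueness rule still matter.
    """
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(password, guesses_per_second=1e10):
    """Time to try every string of this size and alphabet.

    guesses_per_second is an assumed rate for illustration, not a measured one.
    """
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def check_password(password, min_length=10):
    """Apply rules 1 (length) and 2 (diversity); returns a list of problems."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < 3:
        problems.append("uses only " + ", ".join(sorted(classes)) + " characters")
    return problems


def find_reuse(accounts):
    """Rule 3 (uniqueness): list groups of accounts sharing one password.

    Compares SHA-256 digests rather than raw strings so the same check could be
    run over stored hashes instead of plaintext.
    """
    seen = {}
    for site, password in accounts.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        seen.setdefault(digest, []).append(site)
    return [sites for sites in seen.values() if len(sites) > 1]


def derive_site_password(base, site_tag):
    """The column's second move: a per-site tag in front of the base passphrase."""
    return site_tag + base


# Constructed sample accounts: two follow the column's scheme, two reuse "princess".
BASE = "M0ney.the.r00t.0f.all.evil.i$."
SAMPLE_ACCOUNTS = {
    "OSCU": derive_site_password(BASE, "OSCU"),
    "USB": derive_site_password(BASE, "USB"),
    "school": "princess",
    "email": "princess",
}

if __name__ == "__main__":
    for pw in ("princess", "Not.if.anything.2.say.about.it.I.have."):
        print(pw, check_password(pw), f"{keyspace_bits(pw):.1f} bits",
              f"{years_to_exhaust(pw):.3g} years")
    print("reused across:", find_reuse(SAMPLE_ACCOUNTS))
```

Running it shows the point the column makes with the Dashlane numbers: eight lower-case letters give under 40 bits of search space and fall in seconds at the assumed rate, while the 38-character mixed passphrase gives well over 200 bits. One caveat worth knowing when using the per-site tag: the tag is visible to anyone who obtains that one password, which is one reason the column goes on to recommend a password manager.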

Crafting secure passwords is an indicator of practical intelligence.

If you follow these principles consistently, you can make many unique and strong passwords which are always available to your powers of recall.

If the examples given here seem overly complex to you, then go back and break down the steps, which taken individually are quite simple. You can make shorter base passphrases and still get super-strong passwords if you follow the principles outlined here.

According to the Dashlane password strength testing site, “OSCUM0ney.the.r00t.of.all.evil.i$.” would take 20 quindecillion years for a computer brute force attack to guess. That’s a 1 followed by 48 zeros.

1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

I think getting somewhere we are.


Wisdom is strength.


Work out your own system based on these principles and leave yourself some hints that will jog your memory but be obscure to others, such as “What would Yoda do?”

Whatever you do, please do not leave your passwords in a weak, exposed condition. You have enough stress and do not need the hassle of identity theft and data loss.

When you do create those super-strong passwords, resist the impulse to share them with your friends to show how cool they are. Bask instead in the glow of secret satisfaction.

The next great move that you can make in identity and data security is to use a password manager, such as Dashlane or LastPass.

That, my dear Padawans, the topic for next week’s column will be.

 

Image Acknowledgements

strong-310874_960_720.png
https://pixabay.com/en/strong-arm-muscle-muscles-310874

Grumpy-Cat.jpg
https://commons.wikimedia.org/wiki/File:Grumpy-Cat.jpg

Yoda_Empire_Strikes_Back.png
https://en.wikipedia.org/wiki/Yoda#/media/File:Yoda_Empire_Strikes_Back.png


Imagine that you are working to meet a midnight paper submission deadline.

Suddenly your computer freezes. Reboots don’t help. The Engineering major down the hall can’t help. Midnight passes while you sit helpless. The next day the repair specialist tells you that a wicked virus trashed your machine and only a total reformatting of the hard drive will save it. It is expensive.

Even worse, all of your data including your paper, drafts, research and earlier works are just plain gone.

This heartbreak is a genuine possibility, but the odds against it can be radically shifted in your favor.

“OSU is subject to 16 million hostile network attacks every day of the year.”

To understand how we may ward ourselves against digital catastrophe at OSU I spoke with Lois Brooks, Vice-Provost of Information Services (IS), and Dave Nevin, Chief Information Security Officer for the Office of Information Security.

These guardians of our networked community had two salient calls to action for you: be aware and compute safely.


Being aware means paying attention to the daily changes in our network ecosystem in order to take appropriate action.

For example, are you aware that this week OSU Information Services is recommending an Apple computer patch and device update in order to address new security risks to the Apple OS?

If you are not aware of this current threat, then you are not network secure, no matter what operating system you use.

“Criminal hackers seek to access your personal information (e.g. SSN) and sell it to high-end information identity thieves.”

Nevin is blunt about the risks to the inattentive: “OSU is subject to 16 million hostile network attacks every day of the year. The hostile attacks are from criminal organizations seeking personal information and intellectual property. OSU can prevail against this assault only if students, faculty and other members contribute by safeguarding their computers and devices against the hostile hackers.”

I was like, “Did I hear that right? 16 million attacks per day? Why would anyone even do that?”

The answer is that your Social Security number and other personal information is stored digitally at OSU, and criminal hackers who obtain it can immediately sell it to high-end information identity thieves.

Nevin observes: “It’s tough. We’re out-numbered. The people we’re fighting against to protect that information are smart, and have a lot of resources available to them. But we have smart people too, and we’re working together to do everything we can to prevent that from happening.”


To see a live display of network attacks around the globe, see the NORSE Hack Attack Map (do check this out because it is amazing!)

Brooks is OSU’s chief information officer and is ultimately responsible for the University’s information technology (IT) policy and budget.

She explained to me in detail the delicate balance between security, safety and privacy at the large scale of the university enterprise.

“All OSU members participate in a social compact with one another to ensure a secure community of trust and shared resources. It requires that every individual take personal responsibility to meet that overall aim.”

Do your part by keeping all of your devices fully patched using current anti-virus and anti-malware available to you for free from Information Services.

Sometimes safety goes beyond network hacks and enters the realm of physical threat.

Brooks and Nevin affirm that OSU cooperates with law enforcement to protect public safety.


On occasion this involves accessing information from the accounts of individuals.

Brooks emphasizes how extraordinary such instances are: “Even though we need to be able to respond when there is a problem, we at OSU go out of our way to not look at people’s data unless necessary.”

Ours is a culture of respect and I speak from experience to vouch for the integrity of our university leadership in upholding these values.

For you, dear reader, there follows from this balance of privacy and safety a principle based in the wisdom of discretion.

That is: do not use OSU network resources to post information that potentially puts you and others at risk.

Create your own balance of safety and privacy by keeping your machines fully patched against hacking and by maintaining intellectually responsible content.

This is what it means on Overheard at OSU when someone posts; “Keep it classy Beavers.”


Here are two simple steps that you can take to do your part in upholding safety and respect at OSU.

Be Aware: Build your expertise about the OSU’s security ecosystem at “Be Aware!”

is.oregonstate.edu/accounts-support/be-aware

Free Software: Turn your computer and devices into a personal anti-hacking fortress by installing the free and essential software at:

“Anti-virus is a requirement while you are at the university as it is part of the Acceptable Use of University Computing Resources agreement.”

Nevin invites all OSU members to contact him about network security and privacy issues: Dave.Nevin@oregonstate.edu.

Brooks has an open door policy concerning all OSU IT matters: Lois.Brooks@oregonstate.edu.

You can always write to me about anything.
drtech@oregonstate.edu

I promise to make sure that your comments get to the appropriate people and I will write you back.

Have a great start to Spring term, invest some time in your network awareness and safety and keep it classy, Beavers.

Resources

OSU Office of Information Security

OSU Antivirus Software

OSU Campus Civility and Inclusivity Campaign

 

Image Acknowledgements

dangerous-software.jpg
http://is.oregonstate.edu/office-information-security-created

Dave_nevin.jpg
https://www.linkedin.com/in/david-nevin-a9a9b2

lois_brooks.jpg
http://is.oregonstate.edu/adminserv

norse_map.png
http://map.norsecorp.com/#/

osu_recommended_software.png
http://oregonstate.edu/helpdocs/security-and-tuning/computer-viruses/antivirus

antivirus_icon.gif
http://oregonstate.edu/helpdocs/security-and-tuning/computer-viruses/antivirus

This morning my bleary eyes focused on the top email in my inbox with the subject; “Immediate Action: Your Mailbox Size Notification.”

The email was simple and to the point.

“Your email account has used 23.7 GB (95%) of 25 GB.

You will be unable to send and receive messages if you do not reset your account storage space to a higher limit.

Click the link to reset and validate your account.

http://oregonstate.edu/amiladministrator

Sincerely, OSU Mail Desk Administrator”

This is a phishing attack and if I took the bait by clicking on the link, I could compromise my identity, my money and my data.

Phishing is the use of fraudulent messages disguised as coming from legitimate entities to acquire privileged information.

Phishing exploits trust, worry, and desire to trick people into giving up their sensitive credentials such as passwords and credit accounts.

A grim finding from an Intel Security survey shows that 97% of people globally are unable to identify phishing emails. Now that is scary.

The most powerful tool for computer hacking is social engineering, the larger category of human manipulation into which phishing falls, and there are numerous sub-categories of phishing.

Spear Phishing is targeted at specific individuals or groups and may contain familiar graphics and Web addresses to trick you.

Whaling is like spear phishing but aims at very large fish, such as a university president or corporate vice president.

Clone Phishing reuses a legitimate email and modifies it to contain the malicious URL.

False Friend is email from someone that you know whose contacts have been hacked or spoofed and used to generate phishy emails.

Tab Nabbing exploits Web browser tabs to open a tab to a fake page.

Evil Twins are bogus wireless networks that mimic public networks in airports, libraries, coffee shops, and hotels in order to harvest credit cards and other personal information.

Phishing and social engineering are confidence games or confidence tricks and can also occur in text messages, phone calls, Web pages, social media posts, Skype calls and snail mail. Confidence games are very old; read the Iliad for some prototypical instances.

Given that phishing is based in deception and some of the fakes are very convincing, how may time-stressed individuals such as yourself protect against the ruses? The solution comes in two parts: know what to look for and alter your online habits accordingly.

In his book The Prince, Machiavelli gave advice that rings true when protecting oneself against phishing: be like the fox and the lion, the fox to discover the traps, the lion to frighten the wolves – be both smart and strong.

Here are some clues to watch for in order to detect predatory messages.

Asks for too much: computer system administrators never require your username, password, credit card or social security number. Even if sensitive information is needed online or by voice you are better off taking an alternate path to double-check the source.

Mismatched links: Don’t click on email links, but do examine them by mousing over them; you will see that phishing emails include linked text that is different from the Web address it actually links to.

You did not ask for it: a warning, threat or offer comes to you without you having initiated the contact – beware.

Threats and promises: fear, greed and pride are the nuts and bolts of confidence games and when you detect those elements in a message your phishy antennae should perk right up.

Poorly constructed: some phishing messages are expert but most are barely literate and would end up in the reject folder at crappypasta.com. You should know enough to reject them as well. This is one reason why advanced literacy is a practical part of your education.
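The “mismatched links” clue above can be checked mechanically: pull every link out of an HTML message, and wherever the visible text itself looks like a Web address, compare the site it shows with the site the href really points to. The block below is an added example, not code from the column or from any OSU tool. The sample message is constructed to resemble the mailbox-size phish quoted at the top of the column, with the lookalike hosts placed under the reserved example.net domain; the host comparison keeps only the last two labels of each hostname, which is a simplification (it does not consult a public-suffix list) and is labelled as such in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Reduce a URL or bare host to its last two labels (e.g. oregonstate.edu).

    Assumption for illustration: no public-suffix list, so two-label suffixes
    such as co.uk are not handled.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def looks_like_url(text):
    """True when the visible link text is itself presented as a Web address."""
    return "://" in text or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text) is not None


def mismatched_links(html):
    """Return links whose displayed address points at a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if looks_like_url(text) and registrable_host(text) != registrable_host(href):
            findings.append({"shown": text, "actual": href})
    return findings


# Constructed sample modelled on the mailbox-size phish; hosts are illustrative only.
SAMPLE_EMAIL = """
<p>Your email account has used 23.7 GB (95%) of 25 GB.</p>
<p>Click the link to reset and validate your account:
<a href="http://mail-reset.example.net/validate">http://oregonstate.edu/mailadministrator</a></p>
<p>Help pages: <a href="http://oregonstate.edu.login-portal.example.net/">oregonstate.edu/helpdocs</a></p>
<p>Questions? See <a href="https://is.oregonstate.edu/accounts-support/be-aware">Be Aware</a></p>
"""

if __name__ == "__main__":
    for finding in mismatched_links(SAMPLE_EMAIL):
        print(f"shown: {finding['shown']}  ->  actually: {finding['actual']}")
```

The second sample link shows why the comparison works on the registrable part of the host rather than on a prefix match: a hostname that begins with oregonstate.edu but continues with further labels belongs to whoever controls the final domain. The third link is not flagged because its visible text (“Be Aware”) makes no claim about where it goes; that is the case where the mouse-over check in the column is the only clue.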


Cultivate smart habits to protect yourself against predatory messages (see my earlier columns for techniques of habit change) including the following practices.

Slow Down: most phishing threats can be disarmed by separating action from feeling. Phishers rely upon the impulsive actions of their victims, so when an email or related message gives you feelings of urgency, take that as a sign that you need to step away from the mouse and give clarity time to emerge. Much of what feels like an emergency in life – for instance a midterm – is not as big as it seems.

Analyze before evaluating: Judging something as bad, dangerous, desirable or important are evaluations that will benefit from analysis. Learning to discern the relevant facts of situation before evaluating those facts is a fundamental critical thinking skill that will save you from confidence games. It is like looking both ways (analysis) before crossing the street (judgment).

Research the claims: What is the message seeking from you? What does it claim to be? What evidence do you have for these claims? A great way to check any message for phishing is to copy the message text and paste it into a Google search. It took me less than ten seconds to do so with the email that I received this morning (see above) and my search returned hundreds of posts identifying the fraud. This method directs analysis to a safe and useful action.

Never link from an email: Once when I was little I put my finger in a stapler just to see what would happen. Once I clicked on a link in an email just to see what would happen. I have not done either of those things ever again.

Never reply with personal information: Todd Davis is CEO of Lifelock, a personal identity protection company. To promote his product Davis gave out his social security number on television and the Web, claiming that Lifelock would prevent identity theft. Within months his identity was compromised 13 times, including fraudulent loans, credit cards, and gift basket purchases. Don’t be like Davis: do not give out your social security number, passwords, credit card information, or other personal information unless you are very sure about whom you are giving it to.

Be network selective: be very careful about using personal information on public networks such as coffee shops and airports because you may expose it to an evil twin or wifi sniffer.

Do not reply at all to suspects: do not reply to phishing or spam messages because even selecting the unsubscribe link will verify your email address and invite more malicious attacks.

Use your junk mail, spam filters and security programs: get familiar with your self-defense tools and use them effectively. Look into Google Safe Browsing for Chrome and Firefox. The OSU Computer Walk-Up Help Desk in the Valley Library and the OSU Computer Help Desk at 541-737-3474 will help you become an internet ninja.

Report phishing: the OSU Helpdesk has a feedback form by which you may report phishing messages. See jondorbolo.com for resource links. Reporting helps the community address phishing and makes you more aware because you become an active participant.

Stay informed: security specialists like McAfee Labs, Symantec and Norton are reliable sources for phishing threats and defensive strategies. Being aware of the threat environment and current protective measures is a source of personal power. OSU Computer Helpdesk has extensive online resources on Phishing including effective breakdowns of actual examples plus no-cost security software and help in using it.

Don’t be paranoid: be smart and safe but please do not let this information make you more fearful or cynical. With reason, knowledge and habit adjustment you can be cyber-secure. The key to a better life is learning to see a better world.

For more depth on phishing and other malicious hacking phenomena consider two sources which I drew from for this column.

Phishing Dark Waters, Christopher Hadnagy (2015, Wiley).

The Art of Deception, Kevin Mitnick (2007, Wiley).

Please send your experiences with phishing to me at drtech@oregonstate.edu.

Image Acknowledgements

Spear-Phishing.jpeg
https://blog.knowbe4.com/tech-firm-ubiquity-suffers-46m-cyberheist

4894714911_42f0f50f72.jpeg
https://www.flickr.com/photos/35484468@N07/4894714911

c7bc35f579799a5973f2b66937bcd3af.jpeg
http://www.amazon.com/The-Prince-Dover-Thrift-Editions/dp/0486272745

7557181168_91f4af2d99_b.jpeg
https://www.flickr.com/photos/61423903@N06/7557181168

Consider the following: “Installing and running anti-virus software on all of your devices is an OSU requirement.”

True or False?

It is true; anti-virus software is a requirement while you are at the university as it is part of the “Acceptable Use of University Computing Resources” agreement, which you should read because by being at OSU you have implicitly accepted that agreement.

I am not saying that you have to buy anti-virus software, because OSU Information Services and Dr. Tech have got your back on this; go to

>oregonstate.edu/helpdocs >Software >Recommended Software

You will there find pages which explain how to configure Windows Defender or install ClamXav for Mac OS X; neither program will cost you money.

The resources referred to in this article with annotations and more are available at Dr. Tech’s Bookmarks.

They are “recommended” in the sense that these are OSU’s supported anti-virus solutions.

You can use other solutions (i.e. Symantec, McAfee) but you are required to have anti-virus protection on each device.

This protection is required at OSU because your devices share common networks with tens of thousands of others.

An unprotected device is a threat to everyone.

Consider the taxonomy of software called “malware,” which is code used to replicate itself, disrupt computer processes, gather information illicitly, or gain unauthorized access to a computer.

McAfee Labs collects malware and produces anti-virus software.

In “The State of Malware 2013” McAfee reports cataloging over 100,000 new malware samples every day.

That rate is increasing and the malware is growing in sophistication.

To put this into context, as McAfee Labs states; “Malware infiltration and data exfiltration almost always occurs over a network.”

That means that whenever your devices are on the OSU wireless or wired networks, they are exposed to malware.

It does not make me feel better to know that my own government is creating and spreading malware.

Malware infiltration is the infection of a computing device by a malicious program; data exfiltration is the unauthorized transfer of data from a computing device.

I hear someone asking: “Sure, but how bad can that be? It’s just a program.”

Consider some of the major types of malware and what they do.

Virus: this type of program replicates and spreads by inserting copies of itself into programs, data files, email, web pages, etc. Successful viruses can do many evil things from stealing and corrupting your data to wrecking your computer.

Worm: these replicate themselves in order to spread to other computers, but unlike a virus do not attach to another program. Like a virus they are evil.

Trojan horse: they don’t replicate but covertly invade a computer in order to execute commands or steal passwords. They sneak through protections by hiding within legitimate programs, like the Greeks did at Troy (read The Iliad).

Ransomware: invades your device in order to ruin your day by encrypting files or blocking programs, then it demands payment from you in order to be removed.

Spyware: these stealth programs sneak into your devices and quietly steal your data, passwords, and credit card numbers to send to their malefic masters.

Adware: invades a computer, often to hijack the web browsers, in order to force the display of unwanted advertisements and search engines. Does this malvertising actually work as a marketing strategy?

Rogueware: these horrors impersonate an anti-virus solution which warns you that your device is infected. If you fall for it and install the lying rogueware, your device will now be infected.

Scareware: a variation of rogueware that plays on all kinds of fears from internet security to social reputation. Everyone has a secret fear (read 1984 by George Orwell) and for each there is a scareware eager to strike terror into your heart.

PUP: a “Potentially Unwanted Program” may not be directly malicious, but it surreptitiously takes over functions of programs that you have chosen to use and uses up resources, slowing down your device.

You have probably seen PUPs in the form of weather apps, search bars, shopping tools, browser redirects that you did not consciously choose to install.

I call PUPs ‘predictably unwelcome parasites.’

That’s just the short list, but isn’t it reason enough to implement anti-virus protection now?

Even better, add malware protection to your computer.

OSU recommends Malwarebytes and SUPERAntiSpyware and has links to them at the above referenced web pages.

Both programs have free and premium versions.

With them you run scans for malware. When they find malware code it is put into a quarantine folder that is isolated from the rest of the computer. You can review those items and choose to keep or delete them.

These anti-malware tools can be set to run scheduled scans and the premium versions provide real-time protection.

While writing this I ran a scan of my desktop with Malwarebytes. It found eight Trojans and ninety four PUPs on my computer.

My last act in writing this article will be to select “delete all” (heh heh).

I strongly recommend that you visit the IS helpdocs, install anti-virus software and malware protection software and use them regularly.

In good spirit,

Dr. Tech

 

Acknowledgements: Creative Commons Licensed images

http://pixabay.com/en/malware-virus-hacker-trojan-297722

http://www.cyberlawcentre.org/unlocking-ip/blog/2007_02_01_archive.html
