Archive for the ‘InfoSec’ Category

Password Security..!

June 11, 2010

If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked. – White House cybersecurity adviser Richard Clarke

There has been enough awareness created in enterprise organisations, as well as by the email giants (Google, Yahoo, Microsoft, Apple, etc.), regarding password security. However, a recent survey by Imperva revealed that one of the most common passwords is still “123456”.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

A recent survey reported by the BBC suggests that more than half of computer users never change their passwords, and many use words that can be easily guessed.

Common Passwords:

  • 23% child’s name
  • 19% partner’s name
  • 12% birthdays
  • 9% favourite sports team
  • 9% celebrities and bands
  • 9% favorite places
  • 8% own name
  • 8% pet’s name

Enterprise companies have already made it mandatory for their employees to use complex passwords, which must be changed periodically as part of their password policies. The problem arises when an employee has to manage around 10 logins to different applications. SSO (Single Sign-On) is a solution, but it has its own risks, primarily that it becomes a single point of failure.

Generally the awareness programs concentrate on why a complex password is needed, why it must be kept secret and, more importantly, how a compromised password can adversely affect the organisation. But these same employees have very simple passwords for their personal accounts and, to some extent, their personal bank accounts as well. One does question the effectiveness of the awareness programs. If the organisation did not mandate a complex password, hardly any user would follow the secure practice.

We still tend to think of password guessing as a very time-consuming attack in which a hacker takes each account and tries a large number of name-and-password combinations by hand. However, because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

Many users have one common password for their mail accounts, social networking accounts and bank accounts. One needs to understand the reasons for having separate passwords for each of them, or at least for each of the above-mentioned categories. It has been a cakewalk for hackers to obtain a password, especially for social networking accounts, through custom applications. A hacker with serious intentions will study an individual completely: his/her friends, office colleagues, likes, dislikes, hobbies.. everything. Combine social engineering with a dictionary attack and it won’t take long to crack the password!

Another major glitch, especially in India, is the usage of cyber cafes. A simple program running on the computer you use can capture each and every key you enter. One can also capture all the traffic that flows through the computer you are using.

The current system is so weak that a hacker can easily walk into a cyber cafe, install a small program onto a system, and all account details of the people using that system will be mailed to the hacker’s account. It’s about time the government laid down some strict guidelines for cyber cafes. Probably they should start issuing a licence to run a cyber cafe.

One should realise that the different types of accounts can actually be interlinked by a hacker to cause a potential loss to an individual or an organisation.. hence the need for constantly changing complex passwords..!

Security tips:-

  • The best passwords consist of non-sequential numbers and letters used in combination. Don’t use words, or word-and-number combinations, that can be guessed.
  • Don’t use the same password for different sites, especially your banking passwords. Don’t store your passwords on your computer.
  • Make sure you protect yourself with a good firewall and anti-virus software.
  • Never write down your passwords on a sticky note and place it on your monitor, under your keyboard, mouse pad, etc.
  • The most secure place for a password is in your head. However, we all know that our heads are full of a lot of other info, and our non-sequential passwords may be difficult for us to remember… If you must write down a password, lock it up when it’s not in use, or at the very least stash it safely.
  • Change your passwords frequently, particularly the really important ones.
  • Use passwords that are at least eight characters long. If you’re given a choice, always opt for a longer password, as each extra character makes cracking a longer and harder process.
  • Do not share your passwords with anyone. If you have to share your password because a technician is working on your PC, change the password(s) as soon as the work is done.
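As an added example (not code from the original post), here is a small Python policy check that encodes the tips above: a minimum of eight characters, a mix of letters and digits, no sequential runs, nothing from the common-password list the Imperva study surfaced, and no guessable personal words of the kind the survey lists (children, partners, pets, teams). The common-password set is a constructed subset of the passwords named in the post; the function and parameter names are my own.

```python
import re

# Constructed subset of the most common passwords the post cites from the
# Imperva study. A real deployment would load a full breached-password list.
COMMON_PASSWORDS = {"123456", "12345", "qwerty", "abc123", "princess"}

# Alphabet, digit and keyboard-row sequences used to detect "sequential" runs.
SEQUENCES = [
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
]

MIN_LENGTH = 8


def has_sequential_run(password, run_length=4):
    """True if any run_length consecutive characters form an ascending or
    descending slice of a known sequence (e.g. '1234', 'dcba', 'qwer')."""
    lower = password.lower()
    for i in range(len(lower) - run_length + 1):
        chunk = lower[i : i + run_length]
        for seq in SEQUENCES:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def check_password(password, personal_words=()):
    """Return the list of policy violations; an empty list means it passes.
    personal_words holds things an attacker could learn from a social profile
    (child's name, partner's name, pet's name, favourite team, ...)."""
    problems = []
    lower = password.lower()
    # "qwerty2010" is still "qwerty": strip a trailing digit suffix before lookup.
    base = re.sub(r"\d+$", "", lower)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lower in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must mix letters and digits")
    if has_sequential_run(password):
        problems.append("contains a sequential run of letters or digits")
    for word in personal_words:
        if len(word) >= 3 and word.lower() in lower:
            problems.append(f"contains guessable personal word '{word}'")
    return problems
```

Feeding the check a list of names and interests harvested from a user’s own profile is the defender’s way of anticipating the social-engineering-plus-dictionary attack the post describes.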

Conducting transactions on the web is safe. Doing business on the web is safe. Filling out forms on the web is also safe. As long as you exercise a bit of security consciousness on your part these activities are no more at risk than they are in the off-line world.

Cheers 🙂

Categories: InfoSec

Social Engineering & Social Networking…!

June 9, 2010

Social Engineering…! That’s one field of infosec which has got my attention to quite some extent..! It’s said that a computer is totally safe and secure when it’s switched off, but well, what if you have someone switch it on for you??? That’s Social Engineering..!

It is a method of tricking a person into unknowingly divulging information, which is later modified/manipulated for carrying out illegal activities…! It can be carried out using different channels, from phones to IM (instant messaging) to social networking sites.

It is one field where no rule can be set in the firewall/IDS/IPS to block it; no risk management solution can cater to it, nor can any antivirus or anti-spyware software prevent it..! There is only one way to handle social engineering and that is awareness.

It is not so much about making a user/employee aware of changing his passwords often or locking his computer; rather, it is about making an employee aware of his role in the organisation and how any information, relevant or irrelevant to the business, personal or professional, can lead to severe consequences..

Social engineering exploits a few important aspects of human nature.. the desire to help, the trust factor and lastly fear..!

It is in the nature of most people to be very friendly and ready to help, especially in India.. and hence this can be exploited very easily.. We have already had instances wherein call center employees have unknowingly given out critical information on calls. The other way an attacker exploits this aspect is by first lending a helping hand himself, and then, in return, the victim helps back.

The trust factor is another aspect exploited by social engineering. In India, people still trust blindly.., especially on social networking sites and IM. Social networking websites carry so many fake profiles. The profiles are so well disguised, even with fake pictures, that you will never be able to tell that they are fake.. The purpose of these fake profiles is either to have fun or to get hold of some information..

The identity factor is one big issue out here in India. It’s so easy to fake an identity. Although the government is already working on a project to have a personal identification number for each and every citizen of India, it still remains to be seen how much coverage it will have and what information it will carry. We are really in need of something like the SSN (Social Security Number) in India.

It is also interesting to note that these social networking sites offer their services for free. No issue with the services being free, but they need to verify the identity of the individual putting up his/her profile. As of now, they could charge a nominal amount, which should take care of quite a lot of fake profiles.. or they could verify the identity based on a phone number. Just in case the imposter does something wrong, he should be traceable. Currently, what do these social networking sites have on imposters??

  • A fake email address, created just for the fake profile
  • A few fake pictures
  • A fake address
  • and, to add to it, maybe similar fake profiles as friends..

And what does an attacker do once he/she has the required information? A simple click and the profile is deleted..

Even if a social networking site has all the data, they really can’t do anything about it.. Yeah, they might log the IP address, but then cyber cafes hardly keep a check on who is doing what. Recently I went to a cyber cafe, and was glad to find out that they did maintain a register. One is supposed to verify his identity using either a PAN card no. or licence no. and enter the same in the register along with cellphone no. and the time. Such practices should be made mandatory across all cyber cafes. However, looking at India’s current network infrastructure, it’s really not that easy to trace back these imposters.

That is the websites’/infrastructure’s side of it.. but what about the user himself?? When a person creates a profile on any social networking website, he needs to double-check the information he is going to share, since it will be available to the whole world. Sharing personal pictures with everyone isn’t really a good idea. Similarly, accepting a friend request from a stranger just because he/she has the same interests as you isn’t a good idea either, especially if you have personal information/pictures put up on your profile. What’s the point in sharing personal information with everyone, or even an acquaintance? As for your friends, they know you pretty well.. don’t they???

And if you are just looking to make new friends, make sure you don’t have anything personal put up on your profile. You can always share once you develop trust with that person. Although there is a very thin line when it comes to trusting people online, and with so many fake profiles floating around and identity theft on the rise, it’s very important to take due care.

A common social networking site came up with a “so-called” security feature for uploaded images and I was like LOL!. They launched a feature wherein one could only view the pictures but couldn’t save them onto his computer. In layman’s terms, “right-click–>save as” did not work..! Come on, aren’t these people aware that there is something called PRINT SCREEN?? How much effort does it take?? .. Fine, forget print screen; even if you just drag the image to the address bar, the entire picture opens in a new tab and can be saved..! haah! Fools!

Once you understand all the vulnerabilities and threats related to social networking sites, it boils down to a personal choice of whether you still need to share your personal information or not. If you still share, make sure you are capable enough to handle any issues which might arise. I personally would suggest taking precautions, especially when you are a novice and unaware.

Just to brief you about the consequences: for a regular home user, sharing personal information can lead to hacked email accounts and compromised bank accounts, and for an employee, it can be as severe as causing a potential business loss..!

There is loads to write, however I will save it for the next time.. Need to do more research :-).. Cheers..!
