In the fourth and final post in this series on passwords, I’ll talk to you about rainbow tables. I think the best way to get people to create and use good passwords is to teach them how passwords are cracked.
Long ago, when UNIX-like systems were used as shared servers and most people logged into them with “dumb terminals”, users could see who else had accounts on the system. This was convenient, especially in work or academic environments, and acted as a directory of sorts. So if Alice wanted to send an email message to Bob, she would just log on to the system and look at a file called /etc/passwd. This file showed each person’s username, name, and other information. This file also contained each user’s password in the form of something called a hash. Trend Micro explains that “Hash values can be thought of as fingerprints for files”. The hash is a mathematical representation of the password that cannot be reversed or
In part 1 of the Password Conundrum, we talked about how we all hate passwords and how we can never remember a strong, unique password for every website, system, and application that we use.
In part 2, we talked about how a password manager can solve this problem and make your digital life much easier and more secure.
In part 3, I’ll explain multi-factor authentication and how to use it.
You don’t need an MFA (Master of Fine Arts) degree to use MFA (multi-factor authentication). Sorry for the acronym humor. MFA requires a user to provide an additional means of authentication or verification, in addition to entering a username and password.
Before we delve into MFA, let’s talk quickly about authentication.
Almost every day we see headlines about some sort of data breach. The public is now almost numb to this news, and the reaction by the end users whose credentials were lost is typically to reset their password and move on.
This is likely not enough for most people, because, according to a January 2019 study by Yubico and Ponemon, 51 percent of the respondents reuse their passwords across multiple accounts.
So why is it bad to reuse passwords across multiple accounts?
In part 1 of the Password Conundrum, we talked about how we all hate passwords and how the crazy cybersecurity wonks tell us that we have to do unreasonable things like:
Make passwords that are so complex that you can’t possibly remember them (long and multiple character sets)
Make a unique password for every one of the tens or hundreds of sites and applications that we use, oh, and they all have to be long and strong, which means we won’t remember them.
Today we are going to explain how you can achieve this and actually make your life more secure and much easier than back when you had to remember all of those passwords or look them up on a spreadsheet on your computer’s desktop. Enter, the Password Manager!
Long Passwords, Short Memories
The password is something we all love to hate. Many of us have to create hundreds of passwords and we are told by the paranoid cybersecurity experts to make them long and use all of the character sets on your keyboard so that they are not easy to guess. This also makes them difficult to remember, so what do most people do? They re-use passwords—which is also a big no-no.
While we all know these general rules, most people don’t know why they exist and what the real risks are. In this blog, I will help you understand the importance of following the rules when developing your list of passwords.
Three Tips for Creating a Good Password
Below are three tips for creating complex and hard-to-hack passwords.
Make them long: There is some debate over the best minimum length of a password. Analysis from security expert Troy Hunt has shown that many of the sites we use do not require very long passwords. However, research from Georgia Tech Research Institute (GTRI) shows that the
Lately, a handful of friends and colleagues told me they received an email claiming that a malicious hacker had installed malware on their computer through a porn site. The email showed one of the recipient’s passwords and explained that the hacker has access to the recipient’s webcam and has a log of all of their keystrokes. Then the hacker gives the recipient two choices:
Ignore the email, and a video of the recipient visiting the porn site will be sent to all of the recipient’s contacts.
Or, pay a ransom in bitcoin, and the hacker will delete the video.
This email scam has been a popular phishing attack in 2018. As cybersecurity reporter Brian Krebs blogged about back in July, “Here’s a clever new twist on an old email scam that could serve to make the con far more believable.”
If you happen to receive one of these emails…
Securing endpoints has always been a challenge, as they have been a favorite target of attackers. The problem of vulnerable computers goes far beyond securing your computer and home network. Any Internet-connected computer that has been compromised could be used as part of a botnet to attack and take down other Internet systems or even slow down large parts of the Internet. Cybersecurity is bigger than all of us and is the responsibility of everyone for the good and welfare of the Internet at large.
Over my career, in addition to teaching computer science at the undergraduate and graduate levels at numerous universities, I have also created and managed some corporate cybersecurity education programs. In both I've found that getting the more critical concepts across to people is most effective when the message is personalized and can be applied at home as well as in their work.
Why Network Segmentation Makes Sense in Your Home
Network segmentation is a simple concept that has been used by network administrators for decades, but only recently have we seen a real need to apply this concept in the home. There are a number of contributing factors:
1. The rapid growth of Internet of Things (IoT) devices being added to home networks.
Phishing attacks have long been an effective way for attackers to trick people into divulging sensitive information or infecting a system with malware. Malware can give an attacker remote access to protected systems and networks, encrypt a user’s data and charge a ransom to decrypt the data, or use that system as part of an attack against other systems.
In March of 2017, Google stated that its machine learning models now can detect and stop spam and phishing with 99.9% accuracy. However, this is a cat and mouse game that has been played for years by the spammers/phishers on one side and the spam filter developers on the other side. Once the defenses get better against the latest spam attack methods, the spammers change their tactics to bypass the filters.
Below is an example of a fairly obvious spam email.
Use firewalls and firebreaks (network segmentation): Place devices behind firewalls to protect them from untrusted networks, such as the Internet. And use network segmentation—splitting a network into separate networks that are isolated, not connected—so a compromise in one part of the network won’t compromise the other (e.g. human resources and finance). This works much like a firebreak, which is…
As I am sure you have heard, the FBI is recommending that anyone with a home router or small office router reboot it. If you are not familiar with this FBI recommendation, there are a few links at the end to get you up to speed.
The reason for the FBI's reboot recommendation is that a piece of malware, named VPNFilter, has infected hundreds of thousands of routers all across the Internet. Rebooting an infected router forces the malware to reload which will initiate an attempted connection to malware command and control (C&C) servers. The FBI has already taken control over some, if not all of the C&C servers so the reloading of the malware will do two things.
Phishing is the use of social engineering to obtain personal information for the purposes of identity theft. Phishing typically comes in the form of an email, disguised to look as if it was sent by a trusted source, and requesting personal information or authentication credentials.
As the tools to detect phishing become more effective, the phishing attacks themselves are becoming increasingly advanced and more difficult to identify.
This paper will show how a recent phishing attack from October 31, 2012, is representative of the type of attack that is not detected by spam filters and is likely to trick many recipients.