Discussion in 'Tech Talk - Gadgets, Gizmos and Technology' started by Mark Holtz, Jun 2, 2012.
And turn off WPS if it actually lets you.
For an encryption challenged user, can you 'splain why WEP is no good? I use WPA2-PSK [AES], with about 19 chars and numbers, but can you teach me how to get into a WEP system when I need to?
Normally I would PM this; however, it's more to show why WEP sucks than it is to show someone how to hack.
WEP keys are broadcast as part of the network. With the correct applications running you will eventually just sniff out the key. It takes about 5-10 minutes at the most.
If you want to test how easy it is, set up a WEP key and then, from a computer that isn't connected, use http://www.aircrack-ng.org/doku.php (Linux based).
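The core WEP weakness behind what the reply above describes, shown as an added example that is not code from the thread or from aircrack-ng: WEP seeds RC4 with a 24-bit IV (sent in the clear) followed by the shared key, so any two frames that reuse an IV are encrypted with the identical keystream, and XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. With one plaintext predictable (a protocol header), the other falls out without ever learning the key. The RC4 routine is implemented inline, the key, IV and frame contents are constructed demo values, and the CRC-32 ICV that real WEP appends is omitted because it does not change the point. The birthday-bound function shows how few frames it takes before a random 24-bit IV repeats. (aircrack-ng's actual key recovery goes further and uses statistical attacks on RC4 over many captured IVs, which is why it finishes in the minutes quoted above.)

```python
import math

# Added demo of the WEP keystream-reuse weakness; not code from the thread or aircrack-ng.
# RC4 is written out here so the example runs with the standard library only.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: 3-byte IV in the clear, then RC4(IV || key) XOR plaintext.

    Real WEP also appends a CRC-32 ICV to the plaintext before encrypting;
    it is left out because it does not affect keystream reuse.
    """
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes):
    """If two frames share an IV they share a keystream, so C_a XOR C_b = P_a XOR P_b.

    Knowing P_a (e.g. a predictable ARP/DHCP header) therefore yields P_b directly,
    without the WEP key. Returns None when the IVs differ.
    """
    iv_a, c_a = frame_a[:3], frame_a[3:]
    iv_b, c_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    return xor_bytes(xor_bytes(c_a, c_b), known_plaintext_a)


def iv_collision_probability(n_frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that n randomly chosen IVs contain at least one repeat."""
    space = 2 ** iv_bits
    p_all_distinct = 1.0
    for i in range(n_frames):
        p_all_distinct *= 1.0 - i / space
    return 1.0 - p_all_distinct


# Constructed demo values, not captured traffic.
DEMO_KEY = bytes.fromhex("0123456789")           # a 40-bit "WEP-64" key
DEMO_IV = b"\x00\x00\x01"
FRAME_A_PLAINTEXT = b"HELLO, THIS IS FRAME ONE"  # the part an attacker can predict
FRAME_B_PLAINTEXT = b"SECRET PAYLOAD IN FRAME2"  # the part we want to recover


def demo() -> bytes:
    frame_a = wep_encrypt(DEMO_KEY, DEMO_IV, FRAME_A_PLAINTEXT)
    frame_b = wep_encrypt(DEMO_KEY, DEMO_IV, FRAME_B_PLAINTEXT)  # same IV reused
    recovered = recover_from_iv_reuse(frame_a, frame_b, FRAME_A_PLAINTEXT)
    print("recovered frame B plaintext:", recovered)
    for n in (1000, 5000, 12000):
        print(f"{n:>6} frames -> P(IV repeat) = {iv_collision_probability(n):.2f}")
    return recovered


if __name__ == "__main__":
    demo()
```

Around 5,000 frames already gives better than even odds of a repeated random IV, and a busy access point sends that in seconds; devices that use a simple counter instead wrap after 2^24 frames and restart from zero on reboot. Either way the keystream is reused, which is something WPA2's per-packet keying was designed to prevent.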
Problem is, I keep readin' about thieves accessing personal data from sites protected by "some of them there fancy encryption and firewall systems" because some moron working for the company downloads data to his laptop and leaves it at a Starbucks.
Limits to my ability to remember and manage several hundred passwords seem to be growing as I age. There are a large number of sites on which I use a relatively simple password. There's nothing there to be gained by signing in as me. For instance, you could post here as me.
Yes, there are a relatively small number of sites on which I use more sophisticated passwords. One could gain something by signing in as me. Daily monitoring bank, credit, and other financial account activity still seems like the best protection.
I use the KeePass password manager. The password file is stored on a USB stick, and backed up to a hard drive AND my Dropbox.
When I was given access to a NASA network, our pass PHRASE had to be a minimum of 52 characters. No other requirements such as upper/lower case, numbers, etc.
Most people had phrases like, "I hate typing in this very stupid and long pass phrase into the computer"
Running through a standard cyclic algorithm, this phrase would take a VERY long time to guess, in fact...26.65 million trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries.
I don't think we have that much time left.
Don't discount Moore's law, Nick. In 2 years, it'll only take half that time to crack it!
There are enough people out there that think that Fluffy1956! is a secure password.
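The brute-force estimates traded in the last few posts (the 52+ character NASA phrase, the Moore's-law halving, and "Fluffy1956!") can be put into a small estimator. This is an added example, not code from the thread, and its numbers are models rather than measurements: the 1e12 guesses per second rate, the 20,000-word dictionary and the two-year doubling period are assumptions. It shows the one caveat the character-count figure hides: a phrase made of ordinary words should be costed per word, not per character, because an attacker who knows the policy guesses words, and that cuts the phrase's keyspace from roughly 460 bits to roughly 200. It is still astronomically large, which is the post's point, but the gap between the two models is the lesson.

```python
import math

# Added estimator for brute-force vs. word-list search cost; not from the thread.
# All rates, dictionary sizes and doubling periods below are assumptions.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Smallest 'standard' alphabet covering every character used.

    Classes: lowercase (26), uppercase (26), digits (10) and everything else
    printable including space (33); together these are the 95 printable ASCII chars.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def brute_force_bits(password: str) -> float:
    """Keyspace in bits if every string of this length over this alphabet must be tried."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(phrase: str, dictionary_size: int = 20_000) -> float:
    """Keyspace in bits if the attacker knows the phrase is ordinary words (assumed dictionary size)."""
    return len(phrase.split()) * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case at a constant rate. Floats overflow above ~1023 bits, which is far past anything practical."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust_with_doubling(bits: float, guesses_per_second: float,
                                   doubling_years: float = 2.0) -> float:
    """Same search when the attacker's rate doubles every `doubling_years` (the Moore's-law reply).

    Integrating r(t) = r0 * 2^(t/d) over [0, T] gives r0*d/ln2 * (2^(T/d) - 1) guesses,
    so T = d * log2(1 + 2^bits * ln2 / (r0 * d)), with r0 in guesses per year.
    """
    r0 = guesses_per_second * SECONDS_PER_YEAR
    d = doubling_years
    return d * math.log2(1.0 + 2.0 ** bits * math.log(2) / (r0 * d))


def report(secret: str, guesses_per_second: float = 1e12) -> dict:
    bf = brute_force_bits(secret)
    return {
        "chars": len(secret),
        "brute_force_bits": round(bf, 1),
        "wordlist_bits": round(wordlist_bits(secret), 1),
        "years_constant_rate": seconds_to_exhaust(bf, guesses_per_second) / SECONDS_PER_YEAR,
        "years_with_doubling": years_to_exhaust_with_doubling(bf, guesses_per_second),
    }


if __name__ == "__main__":
    nasa_phrase = "I hate typing in this very stupid and long pass phrase into the computer"
    for s in ("Fluffy1956!", nasa_phrase):
        print(repr(s))
        for k, v in report(s).items():
            print(f"  {k:>20}: {v:.3g}" if isinstance(v, float) else f"  {k:>20}: {v}")
```

Even the word-based figure for the phrase is beyond reach, so the doubling model changes nothing there; for "Fluffy1956!" the doubling model matters, and a real cracker would do far better than either model by trying word + year + symbol patterns first, which neither function counts.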
Now, to convince battle.net that 14 characters is too short of a password.... and that case sensitivity DOES matter.
One of the experts like Wilbur can confirm or tell me I'm wrong, but I'm always afraid that if a site only allows that length of password, or strips out case, that they don't store it encrypted. If they hashed it with sha-256 (or something similar), what I use as a password shouldn't matter. They'd store 256 characters of "garbage".
The less one knows about the password the better.
A set length or maximum length makes it easier to figure out.
One thing not mentioned so far is the lockout of accounts if bad passwords are used. That "million year" password hunt stretches out if people are locked out after a certain number of bad attempts. Of course, that does open up the person being attacked to personal denial of service attacks.
The lockout time only helps with online attacks.
The funny part is that I also have a password card on my cell phone for the times when I can't use KeePass (like logging into my computer at work).
Oh well, here is a file of amusement.... the 10,000 most commonly used passwords.
I've never figured out why all sites for both sign-in names and passwords don't accept the full combination of keyboard upper and lower case letters plus numbers and symbols effectively distinguishing between upper and lower case.
And then there's all those sites that require you to use your email address as your sign in....
Some of it I think may be reducing calls to support. Having a person answer the phone and ask a customer if their caps lock is on is expensive.
I've seen several programs about people who are hired to hack into companies to discover their security breaches and report back to them... and in almost all cases the guys find minimal security implementation to be more than sufficient... BUT they usually end up hacking the system by calling a secretary or something and saying "Bob, your boss, told me to ask you for the password" or by walking by someone's desk if they have building access and reading it off a sticky note or something.
The point being... the age old... "only as strong as the weakest link" always applies.
Install state of the art security, but leave the window open and it is all for naught.
I also note how it keeps being banks losing credit information and not me... and it is banks giving out accounts to people with stolen identities that the bank fails to verify... again, not me failing to follow protocol... but the big secret-keepers.
I also agree with the notion of odd answers to security questions. If you really want to have some fun, put something naughty as your security answer and listen to the person when they ask you to answer your security question.
The most secure answers, in all seriousness, are the random ones.
"What is your favorite color" --> "Tuesday"
"Where were you born" --> "Abracadabra"
I just made those up on the spot... never used them... but odd answers are difficult for someone to pick without going through the dictionary-style hack.
Correct - people are without a doubt the weakest link in IT security.
For the challenge questions: You'll soon see "red herring" questions introduced - this will be a question you don't provide an answer to. If an attacker guesses "where were you born" with "New York" (or anything), the login will fail.
Social engineering is a huge risk. News came out last week that the huge credit card breach was a social engineering attack on the president of the company.
As far as SHA-256 goes - SHA = Secure Hashing Algorithm. A hashing algorithm will take any string and "hash" it into a string of nonsense characters which are stored on the system. Hashes are cool because (in theory) they're one-way - you can encrypt to a hash, but you can't decrypt back. The best way to make hashes secure is to add a unique salt to each thing being encrypted. The salt is added by the password management system, not the user.
By the way, the #1 way to screw yourself is to download something you didn't plan on downloading. If you didn't start thinking "I really want to download this", DON'T.
The #2 way to mess yourself up is to not keep your system and software up to date. The two biggest problems are Java and Adobe products. Windows XP is also quite vulnerable (as a security pro, I recommend moving from XP to Windows 7 if you can).
Lastly, Macs are no longer immune to attack. Because they're more popular, organized crime has targeted Macs today. Please make sure you're running a good anti-malware program on your Mac.
(Mobile is another issue!)
PS - If you're interested in this stuff, check out my favorite blog: http://krebsonsecurity.com/
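The hashing points in the post above, the earlier question about sites that cap password length or strip case, and the remark that lockout only helps against online attacks, put into code as an added example (not code from the thread). Facts worth pinning down first: SHA-256 produces a 256-bit digest, which is 32 bytes or 64 hex characters, not 256 characters; an unsalted digest is the same for every user with the same password, so one leaked table can be attacked offline against a common-password list with no login attempts and therefore no lockout; a per-record random salt generated by the server removes that, and a deliberately slow KDF makes each guess expensive. It also shows that a site that lower-cases or truncates the password before hashing collapses distinct passwords onto one stored value, so a scheme like that is leaking strength regardless of which hash it uses. Everything here is standard library only; the record format, iteration count and the short stand-in for the "10,000 most common passwords" list are assumptions of the demo.

```python
import hashlib
import hmac
import secrets

# Added example of unsalted vs. salted, slow password hashing; not code from the thread.
# Demo iteration count: tune to your hardware and current guidance (hundreds of thousands
# for PBKDF2-HMAC-SHA256 at the time of writing this example).
PBKDF2_ITERATIONS = 200_000

# Constructed stand-in for the "10,000 most common passwords" file posted above.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Fluffy1956!", "iloveyou", "abc123"]


def store_unsalted_sha256(password: str) -> str:
    """What 'just SHA-256 it' stores: a 64-hex-char (256-bit) digest, identical for every user
    who picked the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted_offline(stored_hex: str, wordlist):
    """Offline dictionary attack against a leaked unsalted hash.

    No login attempt is made, so account lockout never fires; one cheap SHA-256 per guess,
    and the same guess table works against every user in the dump at once.
    """
    for guess in wordlist:
        if hashlib.sha256(guess.encode("utf-8")).hexdigest() == stored_hex:
            return guess
    return None


def normalize_badly(password: str) -> str:
    """Mimics a site that truncates to 14 characters and ignores case before hashing.

    Distinct passwords collapse onto one stored value, shrinking the space an attacker
    must search. The hash algorithm is not what limits you; this pre-processing is.
    """
    return password[:14].lower()


def store_salted_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-record random salt plus a deliberately slow KDF.

    Record format is an assumption of this demo: pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>.
    """
    salt = secrets.token_bytes(16)  # chosen by the server for this record, never by the user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def demo() -> None:
    leaked = store_unsalted_sha256("Fluffy1956!")
    print("unsalted sha256:", leaked)
    print("recovered offline from the common list:", crack_unsalted_offline(leaked, COMMON_PASSWORDS))
    print("case-folded + truncated inputs collide:",
          store_unsalted_sha256(normalize_badly("Fluffy1956!"))
          == store_unsalted_sha256(normalize_badly("fLUFFY1956!")))
    rec1 = store_salted_pbkdf2("Fluffy1956!")
    rec2 = store_salted_pbkdf2("Fluffy1956!")
    print("two users, same password, different records:", rec1 != rec2)
    print("verify right password:", verify_salted_pbkdf2("Fluffy1956!", rec1))
    print("verify wrong case:", verify_salted_pbkdf2("fluffy1956!", rec1))


if __name__ == "__main__":
    demo()
```

The salted records still fall to a guess of "Fluffy1956!" if that is the real password; what the salt and the iteration count buy is that every guess has to be repeated per user and costs a fraction of a second instead of a few nanoseconds, which is what turns the "million year" figure from a joke about online lockouts into something that applies to the offline case too.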
Security updates are my biggest pain at work. They don't reliably patch systems; I ran into one that had Java update 16 installed. Of course, when a system gets a virus, they immediately blame my product, AV, like it's the only process needed to protect systems. No, it's only one component.
Amen - A/V is just one part of the defense posture you need. Tell your boss that you need a Layered Security Strategy.