Of Passwords and PINS (2)

6 10 2012

In the last posting I briefly referred to ‘strong’ passwords and said I’d come back to them a bit later on. So, what is a ‘strong’ password? As I said last time, the holy grail of password creation is to have something which is easy to remember AND hard to guess. Individually these are simple to achieve; putting them together is a much harder task.
Before getting into the mechanics of password creation, let’s take a couple of seconds to think about how the ‘bad guys’ (and gals) will try to misuse them. At the most basic, they sit at a computer, enter your account name and just try to guess your password by typing at the keyboard. If the system allows unlimited attempts they can carry on until they get bored or strike lucky (which is why a well-run system locks the account, or slows you down, after a handful of failures). The more sophisticated attacks use software to do the same thing automatically. So-called ‘dictionary’ attacks do just that: the software has millions of words in its list and trawls through them until it gets a match or runs out of words. The better tools also apply character replacement and case-change rules to every word (more on that in a moment), which adds millions of further permutations. The final way is to steal the password file from the system itself, which should hold your password only as a salted hash, never in the clear. If it doesn’t, then it doesn’t matter how good your password is, they’ve got it! If it does, the attacker has to guess offline, hashing each candidate and comparing it with the stolen value, and the stronger your password the longer that takes.

So let’s look at our two objectives separately to see how we can solve the problem.
Picking something really obvious would be daft of course, and no-one would do that, would they? Think again: surveys of the most common passwords are published every other week, such as this report in the Daily Mail, with ‘password’ and ‘123456’ always in the top 10 (quick pause here whilst you go off and change yours?).
It is generally easier to remember something which is personal to you rather than a completely abstract item, but make it too personal (pet’s name, your birthday, mother’s maiden name(!)) and far too many other people will already know it. Quick aside here: just because you are asked to provide your mother’s maiden name at registration does not mean you actually have to provide the exact name. It’s a security control, not a test. Just make sure you remember what you tell them!
But there are things which are personal to you that you can use, as long as you mix it up a bit. Favourite places, favourite songs and recent events are all good sources for passwords; you have those little triggers in the back of your mind to help you remember them BUT, as I’ve already said, you need to mix it up a bit, which is where we apply the ‘hard to guess’ angle.
Let’s start with the basics. Say you wanted to use the name of a city where you had a great weekend, such as Norwich. It’s quite hard to guess unless people know you liked it, and at seven characters long it’s not bad from that perspective, but it’s in every dictionary so it would be a soft target from that angle. Simple character replacement and changing the case of the letters will immediately make it harder to guess (e.g. N0rw1cH), although the cracking tools try exactly those replacements on every word in their list, so on its own that only slows them down. Placing the first and last characters in the middle (e.g. 0rwNH1c) will defeat a straightforward dictionary attack, simples (as the Meerkat says). But the root (Norwich) is still a valid word and potentially guessable, and a determined attacker can add transposition rules too, so another approach is to use a phrase as the root. Pick the first 8 words from a song and use the first letter from each word (e.g. gsogqllo – “God save our gracious queen…”), mix up the cases and do a bit of character replacement (G50gQll0), and bob is your mother’s brother, as they say. You can try the same thing with the first words from a favourite book, or just a favourite saying. Easy to remember and hard to guess, just don’t hum the tune as you type it in!
Now for the really clever bit. Best practice says have a different password for each account; common sense says you’re never going to remember all of those passwords. So how can you get the best of both worlds? If you take your common password, say G50gQll0, and then add two letters to signify the application you are using it for, e.g. FB for Facebook, HM for Hotmail, NW for your NatWest bank account etc., you have something you will always remember and something that will be hard to guess. One caveat: the two-letter suffix is obvious to anyone who sees one of these passwords (say, from a breach of one site), so treat the scheme as a convenience for the accounts you care less about, and if one of them leaks assume the rest are known and change them all.
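To make the ‘dictionary attack with character replacement’ point concrete, here is a toy version of what a cracking tool does with a stolen, hashed password file. This is an added example and not code from the original post: the six-word wordlist stands in for a real multi-million-word list, the password store is an assumed PBKDF2-SHA256-with-salt scheme (a real one would use far more iterations, or bcrypt/scrypt), and the passwords tried are the ones from the text above. The point it shows is that N0rw1cH falls to ordinary case and replacement rules, while the transposed and phrase-derived forms are simply not in the space the rules generate.

```python
"""Toy mangling-rule dictionary attack against salted password hashes.

Added example, not from the original post. Wordlist, hash scheme and
target passwords are constructed for illustration.
"""
import hashlib
import hmac
import itertools
import os

# Constructed stand-in for the multi-million-word lists attackers really use.
WORDLIST = ["password", "123456", "qwerty", "letmein", "norwich", "london"]

# The character replacements a cracking tool tries on every dictionary word.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

# Assumed toy store: PBKDF2-SHA256 with a random 16-byte salt. A low
# iteration count keeps the demo fast; a real system would use many more.
ITERATIONS = 1000


def hash_password(password, salt=None):
    """Return (salt, digest) the way a password store would keep them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def case_variants(word):
    """lower, Capitalised, UPPER and Capitalised-with-final-capital forms."""
    low = word.lower()
    return {low, low.capitalize(), low.upper(),
            low.capitalize()[:-1] + low[-1].upper()}


def leet_variants(word):
    """Every combination of applying or not applying each substitution."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(wordlist):
    """Expand each word into the permutations a mangling-rule attack tries."""
    seen = set()
    for word in wordlist:
        for cased in case_variants(word):
            for variant in leet_variants(cased):
                if variant not in seen:
                    seen.add(variant)
                    yield variant


def crack(salt, digest, wordlist):
    """Offline attack on one stolen (salt, digest) pair; None if not found."""
    for guess in candidates(wordlist):
        _, candidate = hash_password(guess, salt)
        if hmac.compare_digest(candidate, digest):
            return guess
    return None


def initialism(phrase, length=8):
    """First letter of each of the first `length` words: the phrase method."""
    words = phrase.split()[:length]
    return "".join(w[0].lower() for w in words)


if __name__ == "__main__":
    for pw in ["123456", "N0rw1cH", "0rwNH1c", "G50gQll0"]:
        found = crack(*hash_password(pw), WORDLIST)
        print(f"{pw:10} -> {'cracked' if found else 'survived'}")
    print(initialism("God save our gracious queen, long live our noble queen"))
```

Run it and the first two passwords are recovered from their hashes while the last two survive; the salt stops an attacker pre-computing one table for every user, and the iteration count is what makes each guess expensive.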
So there you have it, strong passwords with minimal effort.

Till next time



Of Passwords and PINS (1)

25 08 2012

In the world of Information Security, few things generate more debate and argument than how to authenticate a user.
Authentication is one of the two pillars of access, the other being authorisation. One to prove who you are, the other to control what you are allowed to do. You can have authorisation without authentication (for example anyone can use Google to search for something on the web) and you can have authentication without authorisation (“you may well be David, but you aren’t getting in here my son!”).
The most common authentication mechanism around is the good old userid/password combination. The biggest problem with this is that the userid is often easy to guess (or may even be made public intentionally), so security really rests on the password alone, and for a password to be worth anything the party that owns what is to be accessed has to trust that the person who presents the password is actually the person who is meant to know it. We’ve all seen the films where the bad guys find out the secret password for entry to the castle and then massacre everyone inside. If you rely on a password as the authentication method then you have to rely on the person who knows it keeping it secret, and on it being pretty hard to guess!
Therein lies the problem. If you only have to remember one userid/password combination then it’s not beyond the wit of man to make it complex and keep it safe in your head, however a very quick count will show that you have lots of accounts which require you to authenticate yourself before you are granted access. Actually, let’s just take a few minutes to do just that. Count up all of the different computer accounts you have; at work, at home, with your bank(s?), e-mail accounts, Facebook, Twitter, don’t forget your phone, laptop, car(?) etc. etc. Passed 20 yet? Thirty, Forty, One Hundred? OK, now think how many DIFFERENT passwords you use across those accounts, is it one for all of them or a different one for each?
This is where the real world and ‘best practice’ collide, and where I will disagree with many of my colleagues. ‘Best practice’ for account management will offer you the following rules:
1. Have a different password for each account.
2. Never write your password down.
3. Change your password frequently.
4. Make your password hard to guess but easy to remember.
5. Never share your password with anyone.
4 and 5 I’ll go along with, and there are lots of places you can go to help you with the first part of 4, however the challenge can be achieving the second part at the same time. R&h(0kl.!B may well be a very strong password, but you’ll be hard pressed to remember it. I’ll come back to how to achieve both parts of (4) in the next post. To my mind 5 is a no brainer, but (and there is always a but), I’m sure you can think of situations where you want to share because it’s easier, and that is where Corporate rules and Personal choice can collide. Your employer may make it a disciplinary offence to share the password to your company account with a colleague, but you may choose to share your personal e-mail password with your partner (only you can decide if that is a good idea!!).
So let’s have a look at 1, 2 and 3.
1. Have a different password for each account. Are you serious?? It’s hard enough to remember the separate accounts without having to remember all those passwords.
2. Never write your password down. You’ve just told me to have 50 different passwords, and now you expect me to remember them all? Dream on!
3. Change your password frequently. So, not only do I have to remember 50 separate, complex passwords, without writing them down, I’ve now got to change them every month or so.
And we wonder why users get upset with us.
So what can you do? This may not work for you, but it’s my solution and it seems to have kept me safe for a few years.
First step is to separate your accounts into their relative importance (perform a risk assessment if you will). Ask yourself how much pain you will suffer if someone else can use the account that you are protecting. If it’s your online bank account, then you want it pretty secure, other things you may care less about. For the ones I really care about, as there are not many of them and it’s not a massive overhead, I apply rules 1-5 in full. I then temper the rules as the risk decreases, to the point where I have a couple of passwords that I use for all of the unimportant accounts (insurance quotes, or brochure sites which feel obliged to force you to log in for some reason). Rules 4 and 5 still apply to these though.
So let’s look at Rule 1. You may also decide to have one password to cover a particular group of accounts (e.g. your e-mail accounts, or your social media accounts). This has the advantage that you only have to remember one password, and when it comes to changing it you only have to think up one new value. It does of course have the disadvantage that if it is compromised then all of those accounts could be at risk, so as soon as you think someone knows your password CHANGE IT! Hence the risk assessment.
On to Rule 2. If you are going to write your passwords down, then don’t write the password next to the account name it belongs to. As I said in an earlier posting, Information Security is basically common sense, and that would be plain stupid. Think of a clever way of making the relationship obvious to you, but impossible to guess for someone else. If you don’t need to carry them with you (and let’s be honest you probably don’t), then store them in a file on your computer (and don’t name it ‘my passwords’), and protect that file with another password, which means keeping it encrypted (a password-protected archive or a password-manager program, rather than a plain document).
Finally Rule 3. When it comes to changing passwords, other than your Corporate accounts, I’m pretty sure that none will ever remind you, and most will never expire. Two tips here: one, if you hear about a company you have an account with being ‘hacked’ (such as the recent stories about Sony, LinkedIn and World of Warcraft), then change your passwords immediately; two, never change your password in a hurry or when your mind is on something else. You WILL have forgotten it the next time you log in!

So, that’s a first toe-dip into the world of authentication. Lots more to cover in later postings, but in the meantime, as always, keep safe online, and remember –
Just because you’re paranoid it doesn’t mean they’re not out to get you!


Facebook and Security – part 3

13 08 2012

In the first two posts I told you how to use the Facebook security settings to protect your information and how to manage your ‘friends’ to ensure you are only sharing your innermost secrets with the people you think you are.
In this final post I’m going to return to areas I touched on briefly in the first post, namely Facebook Applications and advertising. Facebook is a commercial organisation, even more so since its flotation on NASDAQ earlier this year, and as such it has to find ways of generating income from a service which “is free to join and always will be”.
Let’s start with the Applications. Many of you will be familiar with ‘Farmville’, ‘Fishville’, ‘Mafia Wars’, but you can also create virtual worlds in other areas, play poker, play slot machines and so on. Other Applications offer to tell your future, share birthdays with your friends, or let you see what’s happening in the news, all incredibly vital stuff I’m sure but as I’ve said before, nothing is free in this life.
Most of these applications are free to download, and the ‘only’ price is your agreement to let them post on your behalf, share your details with pretty much anyone they wish and pester you with requests. In return some of them let you give them your credit card details so that you can buy all of those wonderful upgrades that you never knew you needed. The problem is that by participating you have, in effect, made the application one of your friends, and we’ve already looked at what that can mean. Before signing up, have a quick read through what it is you are signing up to. Do you have any idea what this organisation is about, are they even who they say they are? Is your mailbox (the one you’ve registered with Facebook) going to be filled with spam, as they share your details with other organisations who will pay good money for ‘live’ e-mail addresses?
So, two tips for managing Applications. Firstly, think before you click ‘accept’ or ‘agree’: you are about to make a complete stranger your Friend. Do you really want to do that? Secondly, have a regular review of what Applications you have signed up to. You do this by clicking that little downward pointing arrow in the top right of the Facebook page and then selecting Apps on the left hand pane. A regular cull never did anyone any harm.
So now for the biggest earner of all, Advertising. Facebook knows everything about you: your name, age, sex, marital status, hometown, where you go, what you do and who you do it with. Who your friends are, possibly their birthdays, their friends, interests etc. etc. etc. This is marketing dreamland. Want to advertise a wedding service to someone living in Norwich? Facebook can identify everyone with a status of Engaged, select those living within say 20 miles of Norwich and post a link on their home page. Rather than me telling you how easy it is to do, why don’t I let Facebook? Follow this link to read all about it https://www.facebook.com/advertising/how-it-works. So why should you care from an Information Security perspective? Two main reasons. Firstly, the ease with which adverts can be created means that you should not simply trust what appears on your Facebook page. As I said in an earlier post, “on the Internet, no-one knows you’re a dog”: just because it looks like a duck, walks like a duck and quacks like a duck, on the Internet it could still be a Rottweiler. Secondly, this should make you appreciate the implications of being too free and easy with your personal information. Information is power and money. I’m going to cover Social Engineering in a later post, but for now let’s just say that if someone comes across as credible then we tend to believe them, and if something looks personalised we tend to trust it. By using the information you have put on Facebook, the advertisers will be both credible and personalised, but are they trustworthy? Do you really want to follow that link to an advert written just for you and then give them your credit card details?

Anyway, that’s enough for today.
As always, if you have any thoughts or comments please share them, if you’ve enjoyed reading this then please click on the ‘share’ button below, and as always Safe Surfing


Facebook and Security – part 2

29 07 2012

In my last post I introduced you to the various ways you can use Facebook settings to control who can see your information. That is only part of the story however as it assumes you are effectively managing your Facebook community.
Before we go into the details, let’s just step back from the virtual world and re-enter the physical one. How many friends do you have? By friends I mean people with whom you would normally share your thoughts and opinions, show your photographs and discuss films or TV programmes. People who are interested in what you have been doing and who you have been doing it with, and who care enough to stop what they are doing and listen to you. If you extend that to include family and work colleagues, the number will increase but the type of information you want to share will change. So, what’s the number? 10, 20, 50, 100 even? Now, how many friends do you have on Facebook? I bet that number is at least double the previous one, and therein lies part of the problem. Most of us are a lot more promiscuous online than we are in the real world; we make online friends much more easily, partly because it is less hassle and partly because we feel a peer pressure to appear popular. It’s probably not surprising, but the number of Facebook friends varies according to your age. Those under 34 (Generation Y, and the Internet Natives) have over 300 on average, Generation X have around 200, and even the baby boomers (of which I’m one) still have over 150 Facebook friends. Incidentally, I’m probably a frustrated Gen Xer as I’ve got over 200.
So you have over 100 FB friends, and every day you tell them about getting up, going to work, maybe suggest a good film or TV show, add a couple of witty anecdotes, post that photo of your kid doing a wacky thing, and the photo of you throwing up after a good night out. Hang on, let’s rewind that last bit, you’ve just posted a photo of you throwing up? To 100 people, many of whom are work colleagues, maybe your boss? Not so sharp, eh? Oh, and they can share it with their friends, and so on, and so on. And that is the real danger of Facebook: it’s not what you tell people, it’s what they can do with what you told them. I’m sure you’ve read about kids telling their Facebook friends that their parents are going away and that they are having a small party, and hundreds turn up. Facebook is a social media tool, designed to share information with as many people as possible. Once you post, you lose control over the posting.
In the ‘real world’, if you tell a friend something in confidence, you can be reasonably comfortable that they would not share it because they are your friend. Plus, what you tell one friend may not be the same as what you share with another, as the relationships are different. On Facebook, you have two relationships, friend or not friend, and as we have already agreed, most of your Facebook friends are not actually friends at all (at least not in the ‘I will bare my soul to you’ manner). You have no idea what they will do with that bit of information you just gave them and probably not much idea of how they will react.
So what can you do? Firstly, review your Facebook friends. De-friending is becoming quite a trend at the moment. When was the last time you had any interaction with that person, electronically or physically? If you removed them from your list would you care?
Secondly, think before you post. Are you happy for what you are about to share being spread across the world, because even if you tie down the settings, there is still a real chance of it getting out, and don’t forget, there is no delete function on the Internet. If it’s out there it’s going to stay out there.
As with so much of Information Security, it always comes back to common sense. Be aware and be safe.

If you have any thoughts or comments on this blog, please feel free to share them.

Until the next time, safe surfing.


Facebook and Security

21 07 2012

Did you know that if Facebook was a country it would have the third highest population in the world? Why should you care? Well, if you get your privacy settings wrong you could be exposing your personal details, innermost thoughts and candid photographs to a community with more than twice the population of the USA.
Before we get into how you can manage your privacy on Facebook, it’s probably worth spending a little while looking at the ethos behind the company and the ideas of its founder Mark Zuckerberg. Whilst not wanting to put words into his mouth, Zuckerberg’s underlying philosophy is that people should share information about themselves, their interests and their communities. His dream is to create an ‘open information flow’. Whilst that may be commendable, in the early days he drew a lot of flak by making the default settings on Facebook ‘Public’ to help realise that dream. Whilst that has changed in recent months they do occasionally revert to type and bring in new functionality that shares everything with the world again. Not a good place to be if you care about your privacy.
So how do you go about checking what Facebook is revealing about you to the world? Your first port of call is to click on the little downward pointing arrow on the top right of the Facebook screen and select ‘Privacy Settings’. That brings up a screen with a number of options, so let’s work through them one by one.
First things first, set the ‘control your default privacy’ to ‘Custom’.
How you connect – this is the most basic level of connectivity with the Facebook world: who can see your e-mail address and phone number, who can ask to be your friend and who can send you messages. Each of the options offers you three settings, ‘Everyone’, ‘Friends of Friends’ and ‘Friends’. For what it’s worth I have all three of these set to ‘Everyone’.
Timeline and Tagging – now we’re starting to get a bit more intimate with the community. This is where you start sharing information you post, but also control who can post on your pages (which will also be shared, don’t forget). I’m more cautious in this area so I have them set to ‘Friends’, except for the two ‘review’ options which I have turned off.
Ads, Apps and Websites – these are the areas where Facebook moves away from you and your world into a much more commercial arena (with you as the focal point). You are now entering the Marketing space and these people want to get your details. Some want to sell you things, some want your endorsement so that your friends will buy things and some are just plain criminal. Click on the first entry and you will see all of the things that you are allowing to access your Facebook details. Thought you had this tied up in the ‘Timeline and Tagging’ settings? Think again! When you clicked on that fun app which let you do something on Facebook and selected the ‘allow to share’ option (and of course you could not use it if you didn’t), did you realise that you had just exposed a whole heap of your details to an unknown company for them to do with as they wish? Have a wander down that list and delete those which you no longer want to be part of. Also, check the last two entries on this screen, ‘Public Search’ and ‘Adverts’. The first reveals how much you are exposing to ‘strangers’ when they search for you via a search engine such as Google. The second is a classic Facebook activity: “We aren’t doing this yet, but if we were this is what would happen”. I’ve set both of these to ‘no-one’. Back to the main list, and the next option allows you to retrospectively limit past sharing activity.
Limit the audience for past posts – this is a ‘nuclear option’ but in essence it means that in one stroke you can remove all of the ‘friends of friends’ or ‘public’ access to historical posts. This can’t be undone in a single stroke though.
Blocked people and apps – this is where you can block the stalkers, or those persistent apps which keep trying to make you join them.
So there you have it. Privacy on Facebook is much more granular than it used to be, but you do need to keep an eye on it, just to make sure nothing has ‘reverted’ since you last checked.
In my next post I’ll dig deeper into the world of Facebook from an information security perspective, looking at steps you can take to protect yourself in your posts and sharing some of the Facebook disasters that continue to appear.
As always, if you have any thoughts or comments then please get in touch.

Until next time, surf safely.


Some Basic Tips for Internet Safety

14 07 2012

There is a saying that “on the Internet, no-one knows you’re a dog”. What this means is that it is very easy to hide your identity, but that cuts both ways. The person you think you are chatting to, or accepting as a friend on Facebook, may not be who you think they are. Trust is a basic human instinct; it’s how societies develop, enabling co-operation and progress. The problem is that there are always people looking to take advantage of that. When you meet someone in person there are certain actions you follow to assess them. Looks, voice, mannerisms and dress are all used by us to decide whether we are going to like or trust them. First impressions count for a lot and people take great care to create good ones. Interactions on the Internet are no different. A professional looking web site, a well crafted invitation, suggestions of mutual friends, all go a long way towards establishing credibility. Unfortunately on the Internet you are at a disadvantage because it is very difficult to validate the information you are presented with, but it’s not impossible.

So here are a few basic tips you can follow to validate that connection BEFORE you commit.

1. Use Google (or your search engine of choice) to cross check the web site before you pass any information over. Many of the scam sites have been identified and ‘outed’ on the Internet. A quick Google will bring these to your attention.

2. Before accepting that LinkedIn or Facebook friend request, have a look at their profile. Does it look credible, are there errors, does it make sense?

3. Whilst not foolproof, a very simple check is to ‘hover’ your mouse pointer over a URL before you click. Does the address that appears at the bottom of the screen look ‘right’? If you are expecting it to point to your bank, and the address seems to be going to Russia, it probably makes sense to be cautious.

4. If you are going to send personal or financial information to a web site, make sure the connection is secure. The URL should start https (instead of the usual http). This shows that the information will be encrypted whilst it is being transmitted between your browser and that site; it says nothing about whether the site itself is honest, so also check that the name in the address bar is the one you expect before you type anything.

So there you go, a few more tools to add to your bag. The surface has barely been scratched, but as someone else has trademarked ‘every little helps’.

See the next blog for some more hints and tips.



12 07 2012

Welcome to the first post on Information Security Made Easy, your window into the world of InfoSec and the simple steps you can take to help protect yourself from the bad guys.

This is not going to be a mega-technical geek haven; I want it to be accessible to those who know enough to get themselves into trouble, but not enough to get themselves out.

Silver surfers are more than welcome, as are the newbies who are just getting online.

To get you started, here’s a useful link:


I’ll be adding more info over the coming weeks, so please come back and see what I have to say.
