Tag Archives: strong passwords

Does that make sense: BitLocker for Desktop Computers?

13 January 2015

The answer is: It definitely makes sense.

Okay, this sounds strange, because it is not very likely that a desktop computer gets lost. But if your computer is stolen, the thief has full access to the data stored on the disk, even if he cannot log in to your system.

An attacker just has to boot Linux from a USB stick and mount the Windows disk into the Linux file system. That lets him read everything stored on your computer: credit card statements, insurance policies, or scanned love letters.

But the worst is yet to come. The thief also gets your hashed Windows passwords. These are stored in the SAM (Security Account Manager) database, the file C:\Windows\System32\config\SAM. Windows keeps that file locked while it is running, but mounted from Linux it can simply be copied, and the NT hashes in it are unsalted, so they can be cracked offline at full speed. Very strong passwords pay off in such a case, but BitLocker is what keeps the thief from getting at the file in the first place.

One caveat on the protector you choose: with a TPM-only protector the disk is unlocked automatically when the stolen machine boots normally, so the thief is stopped only by your Windows logon; with TPM plus PIN the machine does not even boot into Windows without you. You can check the state of every volume with manage-bde -status.

Don’t Panic, and have a good day.

Sunset on Rhine Ferry Leverkusen, 11/28/2014

Sony-pocalypse - Sony hack exposes poor security practice

6 December 2014

In ‘Sony hack exposes poor security practices’ Warwick Ashford talks about the lessons learned from the latest Sony cyber attack.

‘According to the FBI, the malware comes wrapped in an executable “dropper” that installs itself as a Windows service.’

The big question is: how does a dropper get onto my computer? And why could a dropper install itself as a service? Under normal conditions, administrative privileges are required to install a service.

‘It also uses the command line of the Windows Management Interface (WMI) to spread to other computers on the network.’

This is definitely the most important piece of information. If you are somewhat familiar with Windows networks you know that you can create processes or install services on another computer in the network only if you have administrative privileges on that computer; the Windows Management Instrumentation (WMI) command line is just one of the ways to do it.

In other words, the attackers got hold of a domain administrator account, or of a service account that has administrative rights on all computers in the network, including the servers.

All this sounds like phishing and weak passwords, flavoured with the absence of any concept for privileged account management. It’s always the same old story…

If you would like to read more about the impressive technical details of the malware, see this report on Ars Technica.
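The two behaviours described above leave traces that are easy to look for: a service installation is logged as event 7045 in the System log, and a process started through WMI on the target host shows up in the Security log as event 4688 with WmiPrvSE.exe as its parent. The following is an added example of that detection logic, not code from the post or from any of the reports it cites; the log lines are constructed and flattened to key=value pairs (an assumed export format), and all hosts, accounts, service names and paths are made up. It also correlates the account behind the flagged events across hosts, which is the point made above about one privileged account touching the whole network.

```python
"""Flag service installs from odd paths (event 7045), processes launched via WMI
(event 4688 with WmiPrvSE.exe as parent), and the account doing it on several hosts.
Added example with constructed log lines; not the post's or any vendor's code."""
import re
from collections import defaultdict

# Constructed sample log: one event per line as key=value pairs (assumed export format).
# The event IDs are real Windows IDs; hosts, accounts, names and paths are invented.
SAMPLE_LOG = r"""
EventID=7045 Host=WS01 Account=CORP\svc_backup ServiceName=SysHelper ImagePath="C:\Users\Public\syshelper.exe" StartType=auto
EventID=4688 Host=WS02 Account=CORP\svc_backup ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe NewProcessName=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c copy \\WS01\C$\Users\Public\syshelper.exe C:\Users\Public\"
EventID=7045 Host=WS02 Account=CORP\svc_backup ServiceName=SysHelper ImagePath="C:\Users\Public\syshelper.exe" StartType=auto
EventID=7045 Host=WS03 Account=CORP\admin.jane ServiceName=VendorAgent ImagePath="C:\Program Files\Vendor\agent.exe" StartType=auto
EventID=4688 Host=WS03 Account=CORP\jane ParentProcessName=C:\Windows\explorer.exe NewProcessName=C:\Windows\System32\notepad.exe CommandLine=notepad.exe
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted

# Directories legitimate services are normally installed from (assumption for the example).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def parse_event(line):
    """Turn one flattened line into a dict; quotes around values are removed."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def suspicious_service_install(ev):
    """Event 7045 whose binary lives outside the usual service directories."""
    if ev.get("EventID") != "7045":
        return None
    if ev.get("ImagePath", "").lower().startswith(TRUSTED_DIRS):
        return None
    return f"service '{ev.get('ServiceName')}' installed from {ev.get('ImagePath')}"


def wmi_remote_exec(ev):
    """Event 4688 whose parent is the WMI provider host: this is how a remote
    Win32_Process.Create (e.g. 'wmic /node:<host> process call create ...')
    appears on the target machine."""
    if ev.get("EventID") != "4688":
        return None
    if not ev.get("ParentProcessName", "").lower().endswith("\\wmiprvse.exe"):
        return None
    return f"process started via WMI: {ev.get('CommandLine')}"


RULES = {"suspicious_service_install": suspicious_service_install,
         "wmi_remote_exec": wmi_remote_exec}


def analyse(log_text):
    """Run every rule over every event; then flag accounts seen on 2+ hosts."""
    alerts = []
    hosts_by_account = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"rule": name, "host": ev["Host"],
                               "account": ev["Account"], "detail": detail})
                hosts_by_account[ev["Account"]].add(ev["Host"])
    # One privileged account performing flagged actions on many hosts is the real finding.
    for account, hosts in hosts_by_account.items():
        if len(hosts) >= 2:
            alerts.append({"rule": "account_lateral_spread",
                           "host": ",".join(sorted(hosts)), "account": account,
                           "detail": f"{account} performed flagged actions on {len(hosts)} hosts"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['host']} {alert['account']}: {alert['detail']}")
```

Event 7045 is written by default; event 4688 with the command line requires process creation auditing and the "include command line in process creation events" policy to be switched on, otherwise the WMI rule has nothing to work with. On the sample above the two service installs and the WMI-launched copy command are flagged, the vendor agent on WS03 is not, and the service account is reported for acting on WS01 and WS02.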

Lütetsburg Park, 53°35’55.0″N 7°15’39.5″E

Have a good Weekend!

Review: Poor password practices put 60% of UK citizens at risk

4 December 2014

Poor password practices put 60% of UK citizens at risk.

Warwick Ashford’s report is really alarming. ‘More than six in 10 UK consumers put their data at risk by using a single password across multiple online accounts, a study has shown.’

But the worst is yet to come. They are also using weak passwords: ‘Trustwave analysed more than 625,000 password hashes and found 54% were cracked in just a couple of minutes and 92% in 31 days.’

Passwords are definitely inappropriate for authentication in the age of cyber crime. The news of the past weeks shows that major players on the IT market like Twitter, Microsoft or Google have developed technologies to address this problem.

FIDO U2F Security Key

The FIDO U2F standard (FIDO = Fast IDentity Online Alliance, U2F = Universal Second Factor) appears to be a quantum leap towards secure authentication on the web. Google has already integrated this standard into the Chrome browser. The second factor is a security key attached to a USB port: the key registers a separate key pair with every site and signs the site’s login challenge together with the site’s origin, so a phishing site with a different origin gets a signature it cannot use.

Unfortunately it only comes into play after you have logged in to your computer, phone or tablet, and for now only in Chrome.

And that’s in my opinion the crux of the matter. In a perfect world, I would like to login to my computer with a PIN or fingerprint and the FIDO U2F security key attached to the device.

A central, globally available and trusted identity authority verifies my identity and issues my identity token, which is valid for the duration of my session.

All services like Google, Home Depot, Amazon, the city council or the tax office rely on this identity token. For security reasons the identity must be checked again before critical transactions are carried out.

Sounds fantastic, doesn’t it?

Look forward to a world without passwords!

Windows 10 offers two-factor authentication out of the box – Thanks, Microsoft!

30 October 2014

Native support for two-factor authentication in Windows 10. This news made my day!

This new security feature in Windows 10 might be the reason why IT groups start evaluating Windows 10 as soon as possible. With two-factor authentication, data breaches whose root cause is ‘theft of credentials’ become much harder: a phished password alone no longer gets an attacker into the enterprise, and the ‘strong password’ discussion loses most of its weight from one day to the next.

But the best is yet to come: two-factor authentication will be available for all platforms. With Windows 10 you can use the same two-factor authentication method for your mobile devices as for your laptop or workstation. It’s really a pity that Windows 10 will not run on iDevices.

For details see Jim Alkove’s post ‘Windows 10: Security and Identity Protection for the Modern World’.

Hopefully, Microsoft will support two-factor authentication for the Windows Home editions as well.

Dropbox Hacked – Minimize your Attack Surface!

16 October 2014

I heard the news on Tuesday evening at 10 o’clock: “Dropbox hacked. About 7 million usernames and passwords stolen.” I could hardly believe it. My first thought was: why only 7 million credentials? Dropbox has more than 200 million users. Why would someone be satisfied with 7 million credentials if he could have 200 million? Something seemed to be very wrong with this story. Moreover, the quality of the data is very poor; check the Pastebin site for a sample.

And then the retraction: Dropbox announced that there had been no data breach. “‘These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks, and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well,’ a Dropbox spokesman said in an email to Reuters.” For details see Hundreds of alleged Dropbox passwords leaked.

Since the media interest is nearly zero today the story is certainly true.

What really annoys me is how sloppily user credentials are treated by the ‘other services’. Data and log-in credentials were stolen from third-party apps, which are actually supposed to simplify daily life with Dropbox. For more details see the great report Snapchat And Dropbox Breaches Are Really Third-Party-App Breaches by Elise Hu from 14 October 2014.

Unfortunately these apps add complexity to our lives and gadgets. Each app comes with its known and unknown vulnerabilities, which an attacker can use to get at our private data. But the worst is yet to come: you are surrounded by friends with buggy gadgets, and once those are hijacked by an attacker they affect your life as well.

To put it concisely: the more apps you use, the larger your attack surface becomes, and the higher the risk of a data breach.

How to solve this problem? Simplify! Focus on the really important apps and uninstall the others. Activate two-factor authentication (TFA) and use strong passwords. And tell your friends to reduce their attack surface as well.

Don’t Panic!

It’s all about strong passwords, but what is a strong password?

11 October 2014

In his report ‘Apple security depends on users, hack shows’, Warwick Ashford talks about the latest Apple security issues:

‘However, the effectiveness of the controls Apple has put in place to keep passwords secure ultimately depends on the password users choose, said James Lyne, global head of research at Sophos.’

To put it concisely: It’s all about strong passwords.

But what is a strong password?

There is a lot of advice on how to build a strong password like ‘#Q7fr%78’. Unfortunately such passwords are really hard to remember and to type. Some days ago I watched a webinar about WordPress security where a different approach was presented.

It’s all about password length, because the number of combinations an attacker has to try in a brute-force attack depends essentially on the length of the password:

Number of combinations = [Number of characters] to the power of [length of your password]

That’s just boring math. So let me show what this means with an example:

If you choose a password from lowercase letters ‘a..z’ only, the number of characters is 26. For a four-character password like ‘abcd’ the number of combinations an attacker has to try is

26 to the power of 4 = 26 x 26 x 26 x 26 = 456976.

That takes about 0.2 milliseconds to crack on a desktop computer with an Intel i7 processor. Four characters are definitely too short!

For a 12-character password like ‘abcdefghijkl’ the number of combinations an attacker has to try is

26 to the power of 12 = 95428956661682176 (about 9.5 x 10^16), and the time to crack is roughly one and a half years.

That is the worst case for the attacker, though. ‘abcdefghijkl’ itself would fall to a pattern or dictionary list in no time; the figures apply to a password chosen at random from the character set.

The following table shows the cracking time in relation to the password length:

Password cracking time vs. length

The yellow marking shows the one-year-time-to-crack for each character set. The one-year-time-to-crack is the password length at which an attacker with an Intel i7 based computer needs one year to find the combination by brute force. For our plain character set the one-year-time-to-crack is 12.

With the character set ‘a..z A..Z 0..9’ the one-year-time-to-crack is 10. With the complex character set ‘a..z A..Z 0..9 _-%$§&/()#=?’ the one-year-time-to-crack is 9.

Even with the complex character set you should use at least 9 characters.

As a result we get: it’s all about the password length! The character set matters much less than the length, and even with the plain character set one can create hard-to-crack passwords.

I would recommend using at least 14 characters, even with the complex character set, just to be ready for faster CPUs and to annoy the NSA! Bear in mind that the i7 figure is a single CPU: unsalted hashes such as Windows NT hashes are cracked on GPUs orders of magnitude faster, whereas a deliberately slow hash such as bcrypt or PBKDF2 brings the rate down again.
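The arithmetic behind the table, as an added example that is not the post’s own spreadsheet: the guess rate is derived from the post’s own figure (26^4 = 456976 guesses in about 0.2 ms on an Intel i7), everything else is the formula above. The functions compute the time to crack for any character set and length, the length at which exhaustive search takes a year, and what happens against a faster attacker; the three character sets are the ones named above.

```python
"""Brute-force cost model from the post: combinations = charset_size ** length,
time = combinations / guess_rate. Added example; the i7 guess rate is derived
from the post's figure of 456976 guesses in 0.2 ms, not measured here."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# 26**4 = 456976 guesses in 0.2 ms  ->  about 2.3e9 guesses per second (derived from the post).
I7_GUESSES_PER_SECOND = 26 ** 4 / 0.0002

# The three character sets discussed above and their sizes.
CHARSETS = {
    "a..z": 26,
    "a..z A..Z 0..9": 26 + 26 + 10,
    "a..z A..Z 0..9 _-%$§&/()#=?": 26 + 26 + 10 + len("_-%$§&/()#=?"),
}


def combinations(charset_size, length):
    """Number of candidate passwords the attacker has to try in the worst case."""
    return charset_size ** length


def seconds_to_crack(charset_size, length, rate=I7_GUESSES_PER_SECOND):
    """Worst case: every combination is tried at `rate` guesses per second."""
    return combinations(charset_size, length) / rate


def one_year_length(charset_size, rate=I7_GUESSES_PER_SECOND, horizon=SECONDS_PER_YEAR):
    """Smallest length for which exhaustive search takes at least `horizon` seconds
    (the post's 'one-year-time-to-crack')."""
    length = 1
    while seconds_to_crack(charset_size, length, rate) < horizon:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits, as in the post's table."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds * 1000:.3f} ms"


def cracking_table(rate=I7_GUESSES_PER_SECOND, lengths=range(4, 17)):
    """One row per password length with the time to crack for every character set."""
    return [{"length": n, **{name: human(seconds_to_crack(size, n, rate))
                             for name, size in CHARSETS.items()}}
            for n in lengths]


if __name__ == "__main__":
    for row in cracking_table():
        print(row)
    for name, size in CHARSETS.items():
        print(f"{name}: one-year length {one_year_length(size)}, "
              f"against a 100x faster attacker {one_year_length(size, 100 * I7_GUESSES_PER_SECOND)}")
```

With these parameters the plain set needs 12 and the mixed set 10 characters for a year of cracking, as stated above; the complex set comes out at 10 rather than 9, because with the rounded 0.2 ms figure 74^9 takes about 0.9 years, right at the boundary, and ‘abcdefghijkl’ comes out at about 1.3 years. Against an attacker a hundred times faster than the i7, the plain set needs 14 characters to hold out for a year, which is the length recommended above.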

How to build strong passwords?

My passwords are easy to build and remember. Start with four randomly selected words, more than 14 characters in total, like

‘Never use the word.’

This password is rated ‘Strong’ by the Microsoft password checker. Never use the first words of your favourite song or anything you have published on Facebook or elsewhere, because an attacker will do some social engineering and try those results first.

Strong is not enough, so write the first character of each word in capital letters and add a special character or two at both ends:

‘#Never Use The Word._’

This version is rated ‘Best’.

If you are a masochist, hurt yourself and change the first vowel in each word to a number:

‘#N1ver 2se Th3 W4rd._’

Isn’t this an easy to remember password? 😉
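The three steps above as code, added here as an example and not a tool from the post: pick the words at random, capitalise them and wrap them in ‘#’ and ‘._’, optionally replace the first vowel of each word with a digit. The block also reports the entropy that the random choice actually provides, which is what decides the cracking cost once the attacker knows the method. The 32-word list is a constructed stand-in; a real diceware-style list has 7776 words.

```python
"""Passphrase builder in the spirit of the post, plus an honest entropy estimate.
Added example with a constructed word list; not the post's own tool."""
import math
import secrets

# Constructed 32-word stand-in list. Four picks from it give only 4 * log2(32) = 20 bits;
# a real list of 7776 words gives about 52 bits for the same four words.
WORDS = """able apple beach bread candle cloud dance early
fence flame garden glass horse house island jelly
knife lemon maple metal night ocean paper pearl
river robot stone sugar table tiger water wheel""".split()

VOWELS = "aeiou"


def random_words(words=WORDS, count=4, pick=secrets.choice):
    """Choose `count` words independently and uniformly. `pick` is injectable
    so the result can be tested; in real use leave the default (secrets.choice)."""
    return [pick(words) for _ in range(count)]


def decorate(words, prefix="#", suffix="._"):
    """Step two of the post: capitalise each word and add symbols at both ends."""
    return prefix + " ".join(word.capitalize() for word in words) + suffix


def digit_for_first_vowel(words):
    """Step three of the post: replace the first vowel of each word by 1, 2, 3, ..."""
    result = []
    for number, word in enumerate(words, start=1):
        for index, char in enumerate(word):
            if char.lower() in VOWELS:
                word = word[:index] + str(number) + word[index + 1:]
                break
        result.append(word)
    return result


def build(words=WORDS, count=4, pick=secrets.choice, leet=False):
    """Full passphrase: random words, optional digit substitution, decoration."""
    chosen = random_words(words, count, pick)
    if leet:
        chosen = digit_for_first_vowel(chosen)
    return decorate(chosen)


def entropy_bits(list_size, count):
    """Bits of real randomness in `count` independent picks from `list_size` words.
    Capitalisation, the fixed symbols and the digit scheme are deterministic and
    add nothing once the attacker knows the method."""
    return count * math.log2(list_size)


def naive_bits(password, charset_size=74):
    """What a plain length x character-set estimate claims for the same string."""
    return len(password) * math.log2(charset_size)


if __name__ == "__main__":
    phrase = build()
    print(phrase)
    print(f"real entropy with this {len(WORDS)}-word list: {entropy_bits(len(WORDS), 4):.1f} bits")
    print(f"with a 7776-word list:                   {entropy_bits(7776, 4):.1f} bits")
    print(f"naive estimate from length alone:        {naive_bits(phrase):.1f} bits")
```

The gap between naive_bits and entropy_bits is the caveat to the post’s method: what makes the passphrase strong is that the words are drawn at random from a large list, not its character count, and the capitalisation, symbols and digit substitutions are fixed rules that cracking tools apply just as easily as the author does.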


The JPMorgan Data Breach – How could it happen?

9 October 2014

Let’s start with the good news. In JPMorgan’s Form 8-K report from 2 October 2014 we can read that it could have been a lot worse:

Only ‘User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.’

And ‘… there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.’

But what really confuses me is the statement ‘As of such date, the firm continues not to have seen any unusual customer fraud related to this incident.’

How can they be sure that it has stopped?

The big question in the JPMorgan case remains unanswered: how could it happen?

So far neither the bank nor the FBI has given an official report on the details of the cyber-attack. But reading between the lines helps to gain a rough picture of what probably happened. I really like developing new conspiracy theories ;-).

On 2 October 2014, Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth reported in The New York Times: “Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. … By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.”

The CNET report ‘JPMorgan hackers altered, deleted bank records, says report’ from 28 August 2014 sheds some light on this: “This case, however, involved outsiders who targeted specific employees at JPMorgan Chase to gain access to their computers and the bank databases.”

This sounds to me a lot like a successful phishing attack. Incredible!

In his post ‘JPMorgan breach heightens data security doubts‘, Alex Veiga, AP Business Writer, reports on 3 October 2014: “In response to the data breach, the company has disabled compromised accounts and reset passwords of all its technology employees, Wexler said.”

Why would a company reset the passwords of all its technology employees? This only makes sense if they suspect that the passwords were compromised.

The phishing attack theory becomes much more credible!

But the most exciting statement can be read in the CNET report: “If hackers are capable of accomplishing this, it means they have spent a significant amount of time studying the [bank’s] records system before attempting any kind of serious manipulation,” he said. “It’s not impossible, however, if they were able to modify records using high-level credentials and do it in a way that was undetected.”

How can they be sure that it has stopped?