The following information and recommendations …...2014/08/12 · The following information and...
45
1
Transcript of The following information and recommendations …...2014/08/12 · The following information and...
1
The following information and recommendations will not make your online life any
easier. Convenience and security are mutually exclusive.
2
These are the twenty five most common/worst passwords in use on the internet as
of late 2013. If you are using one of these or something like it, we are glad you are
here.
3
• Online attacks
• These are targeted attacks trying to gain access to one account on a
particular site.
• These are the easiest attack to protect yourself from
• A long, complex password has a low probability of being in a
dictionary, making a successful dictionary attack unlikely.
• A long, random password is practically immune to a dictionary
attack and has an extremely low probability of being brute forced
with in your lifetime.
• Relatively slow attacks, guesses per second tops out in the
thousands.
• Some sites only allow so many guesses before locking the
account, you can’t get very far if you can only make 5-10 guesses
per day.
• Dictionary Attacks – not limited to just words out of the dictionary, usually
includes all known/published passwords. Can also include specialized
dictionaries like baby name books or Star Wars character encyclopedias.
• Brute Force – trying every conceivable password based on a site’s
criteria. Can take a long time.
4
• Offline attacks
• These are for discovering passwords after a site has been compromised
and password data stolen.
• Since these are processed on local systems and not over the internet,
potentially trillions of guesses can be tried per second.
• If usernames and associated passwords were stolen and stored as plain
text, then Dictionary and Brute Force attacks are essentially search
functions looking for matches.
• If the user data was hashed (encrypted) then the key needs to be reverse
engineered first. Hashes essentially stop Dictionary and Brute Force
attacks.
• Pre-Computed Dictionary(lookup) / Rainbow Tables – methods for
cracking in mass after a site had been compromised. The key to the hash
has to be derived and then the lookup table computed, which does take a
long time. Once complete, password retrieval is relatively quick and easy.
Hopefully, the compromised site informs its users to change their
passwords prior to the table being completed, but some sites may not
inform their users for months. Salting the hash renders this method
ineffective. Salting is adding a bit of random data to each hashed data set.
5
Secure Passwords
by Common Craft
This video reviews tips for creating a secure password and how to keep it secret.
Password length, words not to use, etc. are discussed at greater length in later
slides.
6
J&jwUth7 is better than any standard word or phrase.
It would not be in the dictionary so it will stand up to that kind of attack.
However, as a published password, it has been added to password dictionaries.
Never use an example password!
Looking past that it is a published password, it is still not very strong due to its
length.
A brute force attack can test every possible password in an eight character
password in as little as one minute.
That is checking every possible password, of course they will find the password
prior to checking every one.
7
The number of possible passwords grows exponentially with every additional
character.
At 12 characters it could take 174 years to find your password. Again, this is to try
every possible password and the right one is going to be found before the search is
complete. Realistically, you have about half that time. Is 87 years enough?
Probably, but upping the character count to 13 increases the total search time to
16,500 years. The more characters, the larger the possible password set, the more
time it will take to search, the probability that your password will be brute forced
drops.
8
• Never use any kind of word, from any language. If it can be pronounced, don’t
use it.
• Names are words too. If you are using a pet’s, child’s, or spouse’s name that can
be researched or found through social engineering, they’re not good candidates
for passwords. Be careful with what personal information you share online.
• Remember that birth, death, marriage, divorce certificates are publicly available
so using any of the associated dates is not a good idea.
• Also, unless you are in the Address Confidentiality Program, your address is
public knowledge too, as is your landline phone number.
• As evidenced by the 25 most common passwords, people are inherently lazy.
Please put some effort into password creation. Do NOT use example passwords
as they may have been added to a dictionary.
• Password reuse is very dangerous. If one site is hacked and your password
discovered, then accounts using the same password have been compromised.
Changing twenty or so passwords every time a site gets hacked is not fun.
9
• Variants can be used to ensure you are using unique passwords. This is
essentially using the same password but altering it slightly for each site.
• The examples shown aren’t great as it’s obvious what other passwords could be
once one is compromised.
• Use a password algorithm (method) to make the variations less obvious.
• Start with a strong base password
• Pick your own pattern to use, be creative. Every other character as shown
is not very good.
• Don’t use the site name as in the example, insert a hint instead
• For Amazon use something like ‘shopping’, ‘river’, ‘rainforest’,
‘brazil’ or ‘gilliam’
• For Facebook use something like ‘farmville’,’ or ‘pinkfloyd’
• As far as memorable passwords go, these are decent. They could be longer and
a less obvious method could used to differentiate the passwords.
• If you are going to use variants, we highly recommend changing passwords
annually or more frequently.
10
• Be wary of patterns—don’t start your password with an upper case letter, lower
case letters in the middle, and end it with a punctuation mark.
• Ideally make as long password as the site allows.
Give the less frequently used special characters some love. How often do you
use ^, ~, or { ?
11
This is a 64 character pseudo-random password generated at
https://www.grc.com/passwords.htm
Of course, these are impossible to remember and a pain to type.
To reiterate, as long as the password is 12 or more characters, it will probably
outlast you.
12
Despite what you may have heard, there is nothing wrong with keeping a hard copy
of your passwords.
People are pretty good a protecting pieces of paper.
Be creative in how you record which passwords are for what. The example shown is
for an Apple ID, again not a perfect example but demonstrates the principle.
Do not store your passwords in an obvious place: i.e. taped under the keyboard,
sticky note on the monitor.
Think like a thief, where would you look for this kind of document? Don’t put it there.
Good places are anything that locks that is crowbar resistant and not directly
adjacent to the computer.
In a book on a shelf with a bunch of books so it doesn’t draw attention. Be sure to
dust the other books and shelves so it’s not obvious that only one book is being
repeatedly removed from the shelf.
A safety deposit box would be a great place for a second copy in case you lose the
first. But once one set is lost, you will need to change all of your passwords.
13
Encrypting the hard drive will ensure that files can only be accessed on that
machine. Not useful if someone steals your laptop.
Locking the file behind a strong password that you can remember protects the other
passwords. Just don’t forget/lose your master password or you are out of luck.
14
• Creates and manages very complex, very strong, unique passwords
• One password gets you into everything.
• Your passwords are encrypted and backed up. Usually both locally and online.
On the odd chance the site is down, you can still access your passwords
locally.
• Two-factor authentication or identification is defined as something you know
(password) and something you have (smartphone, usb drive, etc.)
• Since you are not typing your passwords to log into sites, key logging software
cannot capture your passwords. Most have an on-screen keyboard for initial
log-in incase you are using an untrusted machine.
• Many protect against phishing –- won’t auto-sign-in or provide login info if you
attempt to access a site that doesn’t match stored address information.
• Most have mobile apps or web based password retrieval, so you can access
your passwords wherever you go.
15
• Your one password is the key to everything. If someone else gets their
hands on it, you lose everything.
• If you forget the master password, you’ll have to start all over again. You’ll
most likely need to create a new account with the password manager,
possibly requiring a new email. You’ll also have to individually reset every
password to regain access to those accounts.
• If you have your password to your email locked behind a manager and you
can’t access your email, you will not be able to reset any of the other
passwords. Memorize or back up your email password, just in case.
16
• LastPass –Free ($12 per year for premium account granting mobile access)
• Will email a password hint, so you need to know your email password
as well.
• Account recovery via one time passwords stored locally, must be
previously set up.
• Cloud-based
• KeePass—Free open-source password manager
• The sources code is freely available for download for one to inspect
and tinker with. If you would like to customized it for you, go for it.
• Available on almost every device or platform ever conceived, this is a
directly due to it being open source.
• More complex to use than most password managers. It is well
documented. If you have ever used open source software before then
you know what to expect.
17
• 1Password – $49.99 one-time purchase
• No account recovery
• iCloud Keychain (Apple) – free – included with iOS 7 and OS X Mavericks
• If you lose the iCloud Security Code, then you have to start over
• Dashlane –free--$29.99/year for secure backup and to sync across devices
• No account recovery, so remember your master password!
18
• If you can, vary your usernames from one site to the next.
• Have an account you want to keep really secure, e.g. banking? Consider using
a different email than you use with say, online shopping or social media.
• Keep your assigned usernames secret and don’t re-use with other sites.
19
Computer Viruses and Threats
by Common Craft
This video give a brief overview of computer viruses, worm, and trojans and offers
tips on how to protect yourself from them.
(1) Viruses are malicious programs that multiply and spread from computer to
computer via shared USB drives or file attachments. Antivirus software is your
best defense.
(2) Worms spread from one networked computer to another without direct human
action. They exploit holes in software and the best defense against them is to
keep your software up to date.
(3) Trojans are malicious programs hidden inside what appears to be legitimate
software. To protect yourself from them, only download from sites you trust, use antivirus software, and keep your software up to date.
20
• Antivirus searches files on your hard drive for known viruses by comparing
file data to downloaded definitions that contain identifiers for current viral
threats. Matches are quarantined (cut-off) from the rest of the system and
removed if possible. Sometimes the files are part of a program and the
program needs to be uninstalled first.
• Antispyware is similar but also looks for recent changes to the system
registry to track software installation to help you manage what has been
installed.
• Firewalls block unsolicited incoming data from the internet. All routers are
hardware firewalls and are sufficient for blocking incoming data. Software
firewalls are extremely important if you connect directly to the internet with
no router. If connected directly to a modem or data service through a mobile
cellular carrier (AT&T, Verizon, etc.) you should really install software firewall.
Windows had one built in since XP service pack 2. It does not hurt to have
both kinds of firewalls active at the same time.
21
Make sure it can do the following:
• Real-time monitoring – always on, monitoring changes and looking at
incoming files.
• On-demand scanning – manually tell the software to scan a file or set of files
• Automatic updates – will automatically retrieve the latest virus, spyware, and
malware definitions
• Heuristic analysis – Uses known traits of malware to guess what else might
be an unknown threat. Runs a copy of a suspicious program in a sealed off
environment to see how the program behaves. If it exhibits traits associated
with malware, then the program is quarantined and flagged so you can
decide what to do with it. (If it looks like a duck, swims like a duck, and
quacks like a duck, it’s a duck!) Can produce false positives.
• Technical Support? Is there an email address or number to call, does it cost
money to contact them?
22
Many offer additional features available for purchase.
Microsoft Security Essentials is available for Windows XP Service Pack 2 through
Window 7 and is an antivirus program only.
Windows Defender is preinstalled on Windows 7 as a anti-spyware tool and on
Windows 8 (.1) as anti-virus/spyware.
23
Most of these are Security Suites that off a wide range of protection, not just form
viruses and spyware. Some have PC tune up software to “speed up” your machine,
some will also block ads from displaying or provide internet filtering to block sites
you do not want users of your machines to have access to.
Some Internet Service Providers offer free versions of these to their subscribers.
As of June 2014 :
Comcast offers Constant Guard by Xfinity, powered by Norton.
CenturyLink provided a tiered subscription service to Norton, the basic (free) level is
just antivirus.
24
Try before you buy. Reputable companies should offer free trials of their products.
25
Most of the afore mentioned companies have mobile solutions for smartphones and
tablets. But there are lots of others, lots and lots. It’s a bit overwhelming, especially
on Android. Take your time and do your research, read user reviews in the app
store, give one a try, you can always remove it. Pick what’s best for you.
26
• Something you know (password) and something you have (key fob, cell
phone)
• The something you have will provide you with a temporary code
• Usually, you only need two factor authentication on untrusted machines.
The first time you sign in on a new device, you can mark the device as
trusted and it will not ask for code on next sign in. Do not mark shared
computers in public places as trusted devices.
• Google’s will text or call your phone with a 6 digit code, or you can install
the Google Authenticator app (iOS, Android) and it generates the codes.
• 2FA is usually something that is enabled by the site or you can opt into it if
offered in account security settings. Most banks require this when you
sign in from a new machine. Outlook.com (msn, Hotmail, etc.) and Twitter
do this if they have a phone number. Facebook purports to offer this
service, but we have been unable to get it to work properly.
27
• If you don’t recognize the sender, delete it. No one is going to give you
$100,000 just for sending them $100.
• Be very cautious when opening attachments. Especially if the email was
forwarded to you.
• This includes stuff forwarded to you by family, friends, and coworkers.
• If you are not 100% certain of the origin of the content, do not open it.
• Don’t click to see the dancing bunny! Meaning no matter how much you really,
really, really want to see that cute video/story/amazing deal, don’t click on it
unless you’re really confident you know where it’s going to take you. And if
you do click…make sure your anti-virus software is up to date!
• Links do not always lead where they say, this is the most common form of
phishing. There are a couple of ways to check links without actually clicking
on them—hovering on the link and checking the address in the lower left of
your status bar usually works. When in doubt, don’t click—HOVER instead.
28
Did you receive email demanding immediate action from a company you haven’t
done business with or a poorly worded and spelled email from a company you may
have done business with in the past? Did you receive an email requesting you
provide information such as your password, social security number, or bank account
number that you wouldn’t normally provide via email? These are all signs of
possible phishing attempts. Phishing scams may look real, but their ultimate goal is
to hand over your sensitive information to crooks. This video reviews these and
other common phishing scams and how to avoid and report them.
29
• Email is not encrypted – while your connection to the email server is most
likely secure and encrypted (https), emails are sent in plain text. If a
message is intercepted while in transit over the internet, it can be easily
read. This usually is a targeted attack on an individual or group.
• If the email does not need to hit the open net for delivery, then the
risk of interception is greatly reduced. This happens if you are
sending to an email address with the same domain as yours.
• inter-server [e.g. Gmail to Yahoo] is susceptible to
interception
• intra-server [i.e. Gmail to Gmail] should never hit the open
net and is far less likely to be intercepted
• What does this mean? It is unlikely that you would become a
target, unless you’re famous or important or wealthy. However, it is
recommended that you don’t put anything in an email you need to
keep private.
• Email recovery – in case you forget or lose your email password, make
sure all of your email accounts have some recovery method available.
This could be another email address or a phone number. It depends on
the email provider.
30
• Any machine with multiple users – if you are not the only one that uses
the device then keep these things in mind
• Be cautious – who owns the machine? Is it properly updated and
maintained? If you can’t find answers to these questions, don’t
use an untrusted machine.
• It could be loaded with software just waiting to steal your
soul (information) via key loggers, spyware, etc.
• Log out – You don’t want the next person that uses the machine
to have access to your information.
• Take out the trash – clear the browser history, cache, cookies,
temporary files, etc. Move any saved files to the recycle bin or
trash and empty it.
• Restart – If you can, reboot the machine. This usually dumps
quite a bit of stored temporary data.
31
• Open Wi-Fi networks are commonly found at Libraries, hotels,
restaurants, coffee shops, and occasionally in neighborhoods and
apartment complexes. The latter are are private networks that the
owner hasn’t set up properly or without a care for security.
• Do not open up your private network as a public service, you could
be held liable if someone uses it for nefarious purposes.
• Packet sniffers allow someone to see all non-encrypted data
transmitted on an open network.
• https indicates an SSL secured encrypted connection to whatever
site you are on. Do not enter login credentials or financial info if the
site is not secured with SSL. Once secured, the data is encrypted
prior to transmission and thus is not readable by the interceptor.
• Open networks can be secured by using a VPN. Virtual Private
Networks can secure an otherwise open connection via an
encrypted tunnel out of the open network to a different net access
point. There are many options out there, some free, some not.
Some open networks are not configured to allow this, especially if
filtering is applied. e.g. SCLD libraries.
32
Secure Websites
by Common Craft
This video reviews common security threats on the web and how to recognize a
secure website using clues such as color, the padlock icon, and https in your
browser.
33
• Only visit or download from sites you trust
• Which internet browsers is the best? IE has a legacy of insecurity.
That said, it has come a long way towards being more secure.
Firefox is the most secure with default settings and is also the only
browser that can be set to not display a site with a revoked
security certificate. Remember those from the video? Chrome is
fast and convenient if you are a google account user (g+, youtube,
gmail, etc.). There are others out there as well, Safari, Opera,
Puffin, SeaMonkey, and so on.
• Understand your browser & what it’s trying to tell you –- know what
https, the lock symbol, certificate warnings, secure site warnings,
etc. mean. See the Common Craft video On Secure Websites for
a good overview.
• Security settings – set them as restrictive as possible without
breaking functionality – medium high is pretty good
• Plugins and Extensions – only download and run if you trust the
site. These are often exploited. Examples are things like Adobe
Flash and Reader, JavaScript, Java, Sliverlight, WordPress, etc.
34
Beware the overshare! There really is such a thing as TMI.
Information you share publicly through social media CAN be used against you.
Security questions can often be answered using information gleaned from sites
such as Facebook, Twitter, or LinkedIn (to name only a few) where users regularly
publicly share birthdates, maiden names, high schools, and so on.
Criminals can also learn you’re out of town through Facebook statuses.
35
• Your files have been messed with in some way. They are either not where
you left them, or different in some way, or perhaps not even present any
more.
• Examples of unexpected behavior:
• Windows shuts down unexpectedly
• Programs starting or closing unexpectedly
• You’ve got new toolbars, links or favorites you didn’t intentionally
add or install
• Your home page or default search engine changes
• You type an address for a specific website but are taken to a
completely different site
• You see pop-up ads even when you’re not connected to the internet
• Consistent and peculiar error messages
• Your computer crashes often
36
• Everyone in your contacts start getting spam email from you
• You can’t get into your accounts
• Your sent mail folder is filled with things you didn’t send
• Things look different
37
• There have been a number of serious online security issues over the last six months, including:
• Heartbleed is a coding mistake that allows criminals to steal normally protected information like usernames and passwords. The problem was identified in early April 2014 and affected nearly 2/3 of all websites. Use
a site checker such as https://lastpass.com/heartbleed/ to see if site has been patched, then change your password. For a good overview of the Heartbleed problem and what to do about it, see http://blogs.mcafee.com/consumer/what-is-heartbleed
• Adobe Flash and Java Script have historically had number of
security issues. If you’re using either, do some research and
update your software.
• In late April 2014, a security issue affecting every version of
Internet Explorer from IE 6 forward was identified. Anyone using
Internet Explorer to visit infected websites potentially allowed
hackers to take complete control of their computer system. Until a
patch was issued, people were advised to use an alternative
browser. If your machine isn’t set for automatic updates, be sure
to visit Windows Update to install the patch.
• Online marketplace eBay was hacked in February/March of 2014
and reported in late May. 145+ millions of users’ accounts were
compromised and hackers gained access to users’ names, email
addresses, encrypted passwords, home addresses, and dates of
38
birth. If you use eBay, change your password immediately. If you
were re-using that password elsewhere, those accounts are also
vulnerable and their passwords must be changed.
There have been so many serious security breaches over the last year it’s
best to be pro-active. Don’t wait for a company to notify you of a problem.
Make sure your software is up-to-date and if you haven’t done so in the last
two months, change your password!
38
• All modern OS (mobile and PC) have automatic updates built in to them.
You may have to enable it. The newest OS’s don’t even give you a choice,
it just happens.
• Most software is updated routinely and the software prompts you when
you first start it up that there is an update available. Some will download
and update right from there, others require you to re-download the
software from the website of the developer.
• Updates are what close security holes and fix bugs affecting the
program’s function. Sometimes they even add new features!
• CAUTION: if you are just browsing the internet and a site tells you to
update some software or download some plug in, exercise extreme
caution. If you recognize the program in question, go to the official website
for the program and check for updates from there, do not accept updates
from 3rd parties. If you do not recognize the program, do not update or
download until you are able to verify the programs validity
39
• 3,2,1 backup rule
• 3 back up copies
• Files that you are using/working with do not count as back
up
• 2 different media
• Optical media (CD, DVD, BLUray)
• Flash drives (USB drives, SD, XD, Compact Flash, ect.)
• External Hard Drive
• 1 off site copy [occasionally: biweekly* to monthly]
• Catastrophe protection (flood, fire, theft).
• Cloud backup satisfies both offsite and different storage
media
• Google Drive
• Carbonite--$59.99/year unlimited for ONE personal
machine
• MozyHome--$5.99/mo for 50GB, $9.99/mo for
125GB for up to 3 personal computers
• Or any of the aforementioned media stored at a secure
location (safety deposit box, locked cabinet or locker at
work, bolted down fire safe at relative or friends house.)
* as in every other week
• Automatic back up
• Most new OS have automatic back up built in, you just have to
40
provide the storage and set the time and frequency. Computer must
be on at the appointed time or it will skip back up and await the next
scheduled time.
• 3rd party software allows for greater customization of your back up
and may offer features that built-in back up does not.
40
• Again there is nothing you can do to make yourself invulnerable, but there
are steps you can take to make yourself safer.
• Use a different browser, Chrome, Safari, Opera, Firefox, etc.
• If you were using Microsoft Security Essentials, uninstall it and get
something else. MSE is also no longer supported for Windows XP.
• Don’t run in administrator mode – if you only have one user account then
you are the administrator. Go to the control panel and user account and
create a non admin account and use that for internet browsing. This will
make you enter your admin credential every time something wants to
make changes to your system.
41
Ask Leo http://www.askleo.com
For a quick review of what we’ve covered today, check out the Internet
Safety course at http://www.gcflearnfree.org/onlinesafety/internetsafety
Norton Identity Safe Password Generator
https://identitysafe.norton.com/password-generator
Check your password—is it strong? https://www.microsoft.com/en-
gb/security/pc-security/password-checker.aspx
42
43
