How safe is your data?

Network security is something big businesses spend big money on. It’s something you hear about on the news, read about in the paper, and it’s something your workplace worries about, but not something you need to worry about as an individual, right?

On Passwords

What makes a good password? Firstly, it shouldn’t be a word at all. When someone tries to crack a password, one of the standard methods is a ‘dictionary’ attack, which basically fires every word in the dictionary at a system to see which one works. If your password is a word, and it’s in the dictionary, then you’ll be hacked - it’s that simple. A random set of letters, numbers and symbols is the best password, and the longer it is, the better it will work. 200 or more characters arranged a bit like this is ideal: sMkms!Psw2uU3$zaaTAQa^rApnt_). For most people, however, a password like that is unusable. You’d have to write it down, save it in a file, or have an incredible memory to use it on a day-to-day basis. Writing it down or saving it defeats the whole purpose of it being so strong, so you might as well use something you can remember.

A usable alternative is to create a pass-phrase which has multiple words stitched together. Ideally you’d throw in a number or two and some punctuation as well. For example, something like browN.doG-bluE.birD is going to be difficult to crack, but not too hard to remember. The first letter or two of each word of a sentence can also be a good option. For example, “One Flew Over The Cuckoo’s Nest” could become onflovthcone. Bear in mind that now that I’ve given these as examples, they will probably show up in the larger password dictionaries available for download and used by hackers all over the world, so don’t use the examples I’ve given; be sure to invent your own.
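The following password-screening sketch is an added example, not part of the original article. It shows why a mangled dictionary word stays weak while a multi-word passphrase or a random string does not. The tiny wordlist is constructed and the 100,000-word dictionary size is an assumed figure.

```python
import math
import re
import string

# Constructed mini wordlist; a real check would load a full cracking dictionary.
WORDLIST = {"brown", "dog", "blue", "bird", "password", "dragon", "summer"}
# Assumed dictionary size used for the estimates (hypothetical figure).
DICT_SIZE = 100_000
# Character substitutions that dictionary-based guessing routinely undoes.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(candidate):
    """Lower-case, drop a trailing run of digits/symbols, undo substitutions."""
    stem = re.sub(r"[^a-z]+$", "", candidate.lower())
    return stem.translate(LEET)


def phrase_words(candidate):
    """Words of a multi-word passphrase, or None if any chunk is not a word."""
    chunks = [c for c in re.split(r"[^a-z]+", candidate.lower()) if c]
    return chunks if len(chunks) > 1 and all(c in WORDLIST for c in chunks) else None


def assess(candidate):
    """Return (category, estimated bits of guessing work) for a candidate."""
    if not candidate:
        return ("empty", 0.0)
    if base_word(candidate) in WORDLIST:
        # A single dictionary entry, even mangled, is one of ~DICT_SIZE guesses.
        return ("dictionary-word", round(math.log2(DICT_SIZE), 1))
    words = phrase_words(candidate)
    if words:
        # Assumes each word was picked at random; related words are weaker.
        return ("passphrase", round(len(words) * math.log2(DICT_SIZE), 1))
    pool = sum(size for chars, size in (
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation, 32))
        if any(ch in chars for ch in candidate))
    # Only holds if the characters really were chosen at random.
    return ("no-dictionary-match", round(len(candidate) * math.log2(max(pool, 2)), 1))


if __name__ == "__main__":
    for pw in ("Dr4g0n2024!", "browN.doG-bluE.birD", "onflovthcone",
               "sMkms!Psw2uU3$zaaTAQa^rApnt_)"):
        print(f"{pw!r:34} {assess(pw)}")
```

The figure for an abbreviation such as onflovthcone is optimistic, because its letters come from a sentence rather than from random choice.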

Save This Password?

How many passwords have you used today? A moderate user might enter a dozen passwords into various websites in an hour or two of internet use.

When you access secure sites such as online email, paid subscription services, social networking and financial sites, most browsers (eg. Internet Explorer, Firefox, Chrome and Safari) will offer to save your passwords for you. This is certainly more convenient than entering the username and password every time, especially if you have different details for different services and have trouble keeping track of them all. The downside is that anyone who has access to your computer has these passwords in their hands. For the novice intruder, surfing their way to the target site using your machine may be enough to get them access to your information. When your browser is helpfully remembering your username and password for you, logging out is of limited value. For the better organised intruder, 15 seconds on your computer is plenty of time to strip out every username and password that you have conveniently stored and save them for later use.

The Same Password

It’s not unusual for people to come up with a good secure passphrase, and then use it everywhere. You might have it on your email, use it at work to log in to your computer, use it for Facebook, and use it to encrypt an important document. Let’s say one of these locations is compromised. For example, your work network is hacked and your password is discovered. The issue you now face is that the offender who hacked your work network can now also access every other account you have, and not only do they have a head start, but they can probably also do it faster than you can.

It may not be feasible to use a different passphrase everywhere, but there are half-solutions I’d recommend. Using several different passphrases for different purposes can be a workable method. For example, you might have a long, highly secure passphrase you use for internet banking and only in a few other places, then a second-tier passphrase, perhaps shorter and quicker to type, which you use for work purposes, and a third passphrase you use at home, on Facebook, and for your personal email. If you need to create an account on a message board or some other site that you’re worried might not be very secure, you could have another password you only use on things that really don’t matter very much. I always recommend you keep home and work separate; don’t use the same password for your email at work as you do on Facebook or on your personal email.
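As an added example (not from the original article), this sketch audits a password inventory against the tiering advice above: reuse inside one tier is tolerated, but a password shared between tiers, such as work and personal, is flagged. The account names, tier labels and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample inventory: (account, tier, password). The tier labels
# mirror the article's split into banking, work, personal and throwaway.
ACCOUNTS = [
    ("bank.example", "banking", "constructed-Long.bank-Phrase.91"),
    ("work-email", "work", "constructed-work.Phrase7"),
    ("work-laptop", "work", "constructed-work.Phrase7"),
    ("facebook", "personal", "constructed-work.Phrase7"),
    ("personal-email", "personal", "constructed-home.Phrase3"),
    ("forum.example", "throwaway", "constructed-junk1"),
]


def find_cross_tier_reuse(accounts):
    """Return [(tiers, account names)] for every password used in more than one tier."""
    # A per-run random key means the fingerprints are useless outside this run,
    # so the audit never has to store or compare plaintext passwords directly.
    key = os.urandom(32)
    groups = defaultdict(list)
    for name, tier, password in accounts:
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append((name, tier))

    findings = []
    for members in groups.values():
        tiers = {tier for _, tier in members}
        if len(tiers) > 1:  # same password crosses a tier boundary
            findings.append((sorted(tiers), sorted(name for name, _ in members)))
    return sorted(findings)


if __name__ == "__main__":
    for tiers, names in find_cross_tier_reuse(ACCOUNTS):
        print("shared across", ", ".join(tiers), "->", ", ".join(names))
```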

Can I borrow your computer for a minute?

Sounds harmless enough - what could he do in a minute? The answer, unfortunately, could be anything and everything. It takes seconds to harvest all your saved passwords, or to install a keylogger or a back-door into your system. The process can appear completely benign; a well-crafted piece of software might look exactly like a word processor or an email client, but in the background could be doing 10 different things you don’t want it to!

Your Wireless Network

Most people have a wireless (‘WiFi’) network at their home and/or workplace. Wifi offers a simple and cheap way to share internet access, printers and files within a fairly short distance.

There are a couple of open wireless networks near my office, though fewer than there once were. With the rise of the smartphone, and the common-enough feature where the phone helpfully offers to attach itself to any open wireless network it can see, most people have implemented some kind of security on their wifi network. There are a number of ways to ‘secure’ your wifi. The old standard was to use ‘WEP’ encryption, and many people still use this today; in my own street there are over a dozen WEP-secured networks visible to me as I drive past with my phone tasked to ‘listen’ for them. All WEP networks, no matter how tricky or how long their password (or ‘key’) is, are basically open-access to me. WEP encryption is so insecure that I can literally crack it with software running on my phone. DO NOT think you’re secure if you’re running a WEP encrypted network.

Your MAC address is a bit like the licence plate on your car - it is a unique identifier for your wireless adapter; this could be a USB device hanging out the back of your machine, or a tiny chip built into the middle of it. Some people ‘secure’ their wireless network by configuring it to only allow certain MAC addresses to connect. This would be pretty secure, if it weren’t so painfully easy to change your MAC address with a few keystrokes. There is even free software for smartphones which can do the same thing in seconds. So if your network is secured through only allowing a certain set of MAC addresses to connect, it’s not really secure at all.

WPA or WPA2 is a much more secure method for securing your network. If you have a home or work wireless connection, get into it and change it to WPA or WPA2 as soon as you can. Ideally, your passphrase should be long and random, and definitely not be a single word or name. With a WPA network and a good passphrase, you can feel reasonably secure that your wifi won’t be hacked directly.

Be wary of ‘free wireless’. With less than $100 worth of equipment, unscrupulous characters can create a free wireless hotspot and allow anyone to connect and have internet access, and use this connection to tunnel into your computer to extract information, or simply to ‘listen in’ to your internet traffic, stealing passwords as you use them. Remember that if someone was to access your computer, even for a few seconds, any of your data, including the key to your own wifi network, can be extracted. Location tracking, iPhone, android phone, various software. encrypt iphone backup

Documents with Passwords

The pervasive Microsoft Office, including the commonly used Word and Excel, includes a password protection option as a built-in feature. PDF documents can be password protected so that they can only be viewed by those in-the-know, and then placed on websites or intranets, making them available to everyone.

As much as it pains me to shatter your illusions of security, a Microsoft Word (or Excel, etc) password can be cracked in somewhere between 20 seconds and 10 minutes, depending on the method and the computing power applied, and a password-protected PDF is similarly insecure. If you want to secure a document, use a third-party encryption tool like TrueCrypt. As with any tool, your encryption is only as secure as your password, so a good passphrase is still important.

Lost or Stolen Computer

Most people don’t encrypt their hard drive. If you use the built-in encryption that comes with your operating system, then it’s only as safe as your password, which takes less than 5 minutes for a specialized tool to crack. If you’re serious about security, I recommend encrypting your whole hard drive with a tool like TrueCrypt. It will allow you to encrypt the entire disk, making it inaccessible to all but a professional hacker with a lot of equipment and a lot of time on their hands.

Email Security

If you’re using an online email provider like GMail, Hotmail or Yahoo, the server itself is pretty well secured. The most likely method for someone to get into your online email is to obtain your password. The easiest way to get someone’s password is to ask them for it. This is the principle used in phishing attacks, where you are usually tricked into entering your username and password in an imitation site. When visiting your email site, you should get to the site directly rather than using a link provided in an email.

Another way your email may be accessed is by catching it during the transmission. For example, a packet sniffer may ‘listen’ to your network traffic and put all the pieces together to reconstruct an email as it passes through the network. One way to safeguard information during transmission is to encrypt it using PGP (or OpenPGP). A free software package like Thunderbird can be combined with a free OpenPGP plugin to give you secure encryption and decryption capabilities, right on your desktop. In this way, you’re safe from losing data by sending email to the wrong address, or leaving email in your inbox and having someone else access it there. As long as your computer is secure, you use a secure passphrase, it isn’t compromised by having been used somewhere else where it can be harvested, you’re not tricked by a phishing attack, and your data isn’t captured unencrypted en-route, your email should be fairly secure.

The Bottom Line

As one of our services, we often perform Penetration Testing for clients. We crack their wifi, sniff their packets, phish their staff, decrypt protected documents, and as a part of that, as often as not, we harvest valuable information from staff computers. One of the easiest ways into a secure corporate network is to penetrate the home network of a staff member first, so it should be remembered that when it comes to data security, securing your home is as important as securing your workplace.
