Security-related events and commentary from around the web, with emphasis on issues that affect physical, electronic, and data security management.
So much has been written about how to choose passwords, and yet here we find ourselves decades after the masses began going “online,” with poor standards, security implementations, and user behavior. What to do? Well, unfortunately, most of us can do little more than follow best practices and hope for the best – Rome wasn’t built in a day, and people won’t stop using “password” or “123456” anytime soon. Password criteria and real-time “strength meters” are a step in the right direction, but of course, we need only look at a few recent lapses in website security to observe that even when good passwords are chosen, the mechanisms that store and verify them may be flawed. A few incidents worth reading about include: the LinkedIn password leak, the UPEK fingerprint software weakness, and the Mat Honan hack.
I’ve been a casual student of cryptography and data security for years, and I am often asked about how I manage the problem of selecting and organizing strong passwords.
For starters, there are a few bad habits that you must break yourself of before anything else:
- Using the same password for more than one site
- Using some “creative” combination of your initials, family/pet names, birthdates, etc… Most of these patterns are well known to crackers and their software tools.
- Using short passwords and/or those based on typical words (even spelled backwards or with @ instead of an “a”)
Once you accept the above, then it’s surprisingly easy to get started with strong passwords. Here is my approach:
* Select a password manager. My preference is KeePass. It is free, open-source, cross-platform, and fast. Since KeePass runs as a traditional application, other options, like LastPass, are worth investigating if you desire a cloud-based service or tight integration to your browser. Even though KeePass has a number of plug-ins that add integration, I prefer to keep it completely stand-alone to reduce the number of ways my database could be compromised by a creative hacker or bad plug-in code. Choose your solution carefully – you will be trusting it with the “keys to the castle.” In addition to the backups (plural) you will want to have of the program database, consider exporting the contents to a text file that you either print and file under lock and key every so often, or store a digital copy in a secure way – NOT on your PC or on any drive/media attached to your PC! One of the primary reasons to use a password manager is to keep your information secure – and all of that value goes away if “Password Backup.txt” is sitting on your desktop.
* Use your password manager to store all of your online identities as separate records. You can typically store notes and other types of records as well – which can be very helpful for all of those software unlock keys, garage door codes, and similarly sensitive data you might have lying around on sticky notes right now.
* When it is time to sign up at a new site or change a password, use a unique, secure password generated by your password manager – or if you prefer, follow another secure procedure for creating strong passwords. Here is an excellent online generation tool and tutorial on writing your own.
* Don’t forget the “little things” either. Before you embark on upgrading your passwords, be sure that your email accounts are well-protected. Some would advise using a dedicated email address for each online service – or at least the most sensitive ones. That way, if someone hacks into your primary email account and attempts to reset your password on – say – your banking site, the confirmation email will go to an account they (hopefully) don’t control. Be careful with security questions, too. For extra security, I will sometimes create dummy answers to the identity verification questions, and store them in the KeePass record for that site. That way, even someone who knows (or can find out) my mother’s maiden name, or the make of my first car, will be out of luck.
Finally, a few things to watch out for. This is not an exhaustive list, but there are several characteristics of bad security implementations that are worth recognizing. I’m not suggesting you avoid such sites, but I would be cautious about what information I provide them. In no particular order, and assuming no other ID method (e.g. two-factor authentication, etc…) exists:
- Limiting passwords to a fixed length (not a maximum length – but a specific length).
- Requiring passwords to be unusually short. There is no perfect number here, but anything below 12 characters, in my opinion, is asking for trouble.
- Not allowing mixed case, numbers, and/or special characters.
- Any service that can send you your actual password (in plaintext) if you forget it.
The reasons for the above are beyond the scope of this article – but they mostly have to do with proper hashing and storage of the passwords. It is also important to note (again) that even when security measures appear strong, there is usually no way to be sure. Unfortunately, it often takes a hack or other public incident to get companies to address security issues…
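To make the connection between the warning signs above and “proper hashing and storage” concrete, here is an added example (my own illustration, not code from the article or from any product it mentions) of a registration and login routine that would pass each check: it stores only a random salt and a slow PBKDF2 hash, so it can never send a plaintext password back; it accepts any length above the 12-character floor suggested above and any characters; and it rejects entries from a common-password list. The common-password set is a small constructed sample, and the PBKDF2 work factor is an assumed value, not a recommendation from the article.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample standing in for a real "top 1000" list (see the article's
# note on how quickly a cracker exhausts such a list); not reproduced here.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123", "letmein", "password1234",
})

MIN_LENGTH = 12          # the article's suggested floor
MAX_LENGTH = 1024        # generous cap; hashing makes length irrelevant to storage
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.

    Deliberately no fixed-length rule and no bans on mixed case, digits or
    symbols: a hashed store accepts any UTF-8 string, so such restrictions
    hint at plaintext or legacy storage on the server side.
    """
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return f"longer than {MAX_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "appears on the common-password list"
    return None


def hash_password(password: str) -> str:
    """Store only a random salt and a slow salted hash; the plaintext is unrecoverable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Apply the policy, then return the record to store (never the password itself)."""
    reason = check_policy(password)
    if reason is not None:
        raise ValueError(f"password rejected: {reason}")
    return hash_password(password)
```

A site built this way has nothing to e-mail you but a reset link, which is exactly why a service that can send your actual password is a red flag.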
Hopefully you’re already doing these things – and more – to protect yourself online. If not – best to start today!
— EDIT November 4th, 2012 —
I thought I would add a list of the most common passwords, compiled (by others) from an analysis of cracked password databases. It is hard to believe that “password” and “123456” are still so common, but Mark Burnett analyzed six million passwords, and found that 91% of users had used one of the top 1000 most common passwords. Considering that a brute force password cracking program can run through those top 1000 in well under a second, there is virtually no protection afforded by any of them.
Here is the list:
— EDIT December 11, 2012 —
An article not to be missed about the advancements in password hash brute-forcing using multiple GPUs.
The Security Ledger: GPU Monster Shreds Password Hashes
Here is a look at the relative simplicity of the architecture. Those are graphics cards being leveraged for their extremely fast processing capabilities.
While not for the electronics newbie, several recent projects detail ways that you can monitor an alarm system – or any similar device – using text messages and wireless connectivity. Here are two of the more interesting ones:
Using the Electric Imp (a great project by itself!): http://www.swblabs.com/?p=801
As off-the-shelf products allow more devices to be connected and controlled via networks, this concept will almost certainly gain popularity for low-security applications.
Basically, the affected hotel locks (from Onity, a UTC company) have a port on the exterior side that allows access to the lock controller. Connecting to this port and running some special code allows access to lock functions, as well as master key information. According to the hackers who demonstrated this weakness, this attack does not need to break any encryption – so it is fast and trivial to execute.
Here is the device in action:
There are, reportedly, four million of these locks installed in hotels, and the time to open them once the device is connected? About 200 milliseconds – or, less time than it takes to swipe a working card in the lock…
Here are slides from the hacker’s presentation, which describe the problem and his engineering efforts.
It is difficult to understand how a data port on the secure-side of a lock was not better scrutinized (and protected) by the engineers. Onity has apparently designed a port cover that blocks physical access, but no software solution is known as of this writing…
This article describes burglaries in Houston, Texas using the exploit described above.
This is rather impressive. A software engineer named Vladimir Yuzhikov who specializes in signal and image processing has released a tool that takes some of the best known methods for enhancing an out-of-focus image and makes the process a point-and-click affair. Take a look at the before and after examples below:
Unfortunately, it now appears that we in security will have to concede that yes – SOMETIMES – you can get details out of a blurry image like they do on TV… Now if only Mr. Yuzhikov could find a way to read a license plate from four pixels of a blurry CIF recording…
Here is the project page: Vladimir Yuzhikov
A Windows executable can be downloaded from GitHub here.
The TSA is replacing a number of the controversial full-body x-ray machines with millimeter wave RF systems. According to the TSA, neither safety (exposure to the X-rays) nor privacy (the detailed body images) was a consideration, and the old machines are being relocated to smaller airports.
A side-by-side comparison of scanning technology can be viewed here.
Google is adding more detailed building information to its maps offering:
From the article: The building footprints include height details and have been created by computer algorithms from the vast aerial imagery Google stores with Maps. “This process enables us to provide more building footprints and a more comprehensive and detailed map than ever,”
When you consider the addition of interior imagery as well, these mapping services are definitely something to consider when evaluating physical security…
…and it’s only a matter of time before the technology creates real problems here in the U.S.
Facebook and other online services are amassing vast amounts of user data linked and tagged to identifiable images. What they (and others) will do with this information remains to be seen, but the range of possibilities is concerning to many. This article from c|net summarizes the current state of regulation and concern nicely, and also points to a NIST project from 2010 that is worth a look if you are interested in understanding the present capabilities of the technology. Police departments are expanding their use of image matching as well, as this article reports.
According to the NIST report summary, “the best algorithm correctly recognized 92 percent of unknown individuals from a database of 1.6 million criminal records.” Presumably, this performance has only improved in the last two years. For security professionals, those numbers are exciting – and problematic. We now have the ability to compile massive public and private “suspect” databases if we choose, and search times will be sufficiently fast for most applications, but between false positives and misses – the technology must be carefully deployed, and expectations managed.
The NIST report can be viewed here.
It seems unlikely that facial recognition programs will be allowed to expand unchecked. At a minimum, we should expect a minefield of state and local restrictions that will be enacted in the years to come…