Wednesday, December 28, 2016

Are passwords DEAD?

Many compromises, well all of them, are caused by exploiting a weakness.  And, passwords are by far the most common weakness.


By Ed Higgins

When will the problem of password compromises be solved?


Perhaps never. But, come on people! We mustn't make it so easy for a novice bad-hacker to steal your personal data, identity, credit and bank card accounts, email accounts, Facebook and Twitter accounts, PCs, and other stuff by neglecting your duty to use complex pass-phrases instead of passwords like "password" or "password123". Did you know that simple passwords like these can be guessed by brute force in a matter of .0001 seconds? And using the same password for every account is bad, because once a hacker gains control of one account, their primary objective in most cases is to gain access to as much as possible, with a particular focus on tangible things like credit and bank accounts. Hence, once the bad actor accesses, say, your email account, they will determine all of your other accounts associated with that email address in a matter of minutes (in most cases, this process is automated).

They say, "Security Problems Exist When the Human Touches the Computer". This is not entirely true, since modern IT and Security groups work together to harden systems by closing default ports, implementing security controls and policies on the systems, and testing them periodically for existing and new vulnerabilities. By installing anti-virus software on your personal computer, you are essentially improving its security beyond its default settings. But any mistake, such as an open port, an open shared service, or a weak password on an administrative user account, can create a tiny chink in the armor that a bad actor will quickly detect and exploit.

We need to get past simple passwords, and think of pass-phrases and the use of special characters. Take the following sentence for example, or make use of a sentence that you can remember and recall readily.

"Today was the best day of my month, because it is sunny outside!"

Now take the first character of every word in the sentence and splice them together to produce a pass-phrase as follows. Yes, it would be cool to include the quotation marks, comma, and exclamation point.

"Twtbdomm,biiso!"

The above pass-phrase would be considered a "strong password" and could literally take a hacker a thousand years to crack using automated brute force methods. If everyone would employ password creation practices such as the above, then we'd likely cut the number of individual attacks by perhaps as much as 80%. There are other methods for cracking user accounts, but the above is a great start, and a strong pass-phrase is the only defense against sophisticated password cracking mechanisms.

Since 1996, I have repeated the mantra, sometimes on deaf ears: "Security is Everyone's Responsibility". It's not the responsibility of the sys admin, not the help desk, not the CISO, not the email system manager, but YOU. Sadly, your negligence in heeding the warnings of the aforementioned people is often the reason good IT and Security personnel get fired, because of a larger incident that you likely caused.

Think about the recent security breach during a political campaign where one or two weak passwords were compromised, allowing thousands of sensitive emails and other data to be leaked to the public. One simple password caused an embarrassing flood of private conversations, political strategies, and potentially nefarious campaign activities to be revealed, thereby contributing to a political candidate losing an election.

People can be a tremendous asset or they can be a tremendous liability. Admittedly, many systems today do not allow the user to create a simple password. And these systems also require password changes at frequent but reasonable intervals, denying use of previous passwords, etc. But, there remain some systems that allow simple passwords. Your own PC is such an example.

There will come a day when ALL systems have more advanced controls such that there will be no such thing as a password, or even pass-phrases. These will be replaced by technologies that you carry with you. Examples of these, called multi-factor (or 2-factor) authentication, have you present a hardware token (a USB device or a card) and also provide a PIN. Another example of multi-factor authentication uses fingerprint or retina scan technology, which makes a part of your body the second factor. Two-factor is often described as "bring something (your device, or your person), know something (your PIN)". Each of these separately doesn't offer much security, but together they create a more powerful combination. Critical systems within corporate environments and governments have employed multi-factor authentication for many years.

As long as passwords are used as a security measure between the world and your information, you owe it to yourself, your employer, and your family to at least use a strong pass-phrase.

I hope you enjoyed this article, and hope it was helpful. 

Stay tuned, and stay safe

Ed


Wednesday, August 17, 2016

Predicted Solar Flares a Security Risk? Really?

Lions and Tigers and Solar Flares, Oh My!


By Ed Higgins


This post may seem a little off-topic, like science fiction, or perhaps it might read a bit like a joke, but nonetheless, I wonder: in our assessment of IT security planning, have we seriously considered natural disaster risks such as solar flares?

As a kid of the 70's, I remember that at certain times my CB Radio (remember those?) could receive signals from locations a few thousand miles away, which was well beyond the capability of my radio and antenna. Or, I remember those times when the television reception was just not that good at all, terrible in fact. These things were all directly related to solar activity, sun spots, and solar flares.

So, now, we fast forward to current time, a time in which we are heavily dependent on electricity, computers, cellular, digital telecommunications, wireless, satellite communications, radio frequency and infrared devices, and anything pretty much magnetic.

In the past 10 years, we've seen our list of technology requirements grow, as has our dependence on these and the resources that support them. Think for a minute... What would your life, right now, be like without a computer, network or cell phone for a week or perhaps several months? How about no television or satellite communications? What about our business transactions, electronic commerce, banking and trading? What if there were no electricity for several weeks or perhaps months because our energy grid management systems were broken, not able to automatically open and close the power switches along the grid that deliver electricity to our homes and businesses? What if energy produced by hydro, wind, nuclear, and coal-fired generators were all halted because the microcomputers that control them were all fried and disconnected? Alarmist? Perhaps a bit. Thought-Provoking? Definitely. At least, I Think So!

Our Nation's energy businesses have all been diligently implementing controls and plans to protect us from the infamous "cyber attack" on our electrical grid systems. But, what if this particular threat was the least of our worries? Driven by NERC CIP, regulators mandate that energy producers improve Critical Infrastructure Protection, the cyber-security controls that surround critical infrastructure systems controlling things such as the energy grid, water treatment facilities, air filtration fans, and toxic materials disposal. These regulations largely address the security risks of outages caused by terrorist act, accident, malicious hacker, and other cyber-villains.

While cyber attack is a very legitimate potential threat to our infrastructures, what if the bigger threat were the "11-year cycle of predictably repeated and historically accurate events relating to solar flares and sun spots that goes back millions of years"?

In these most recent years, and at no other time in history, we have all grown to be so very dependent on microcomputer systems, cellular, and networks, all of which are highly fragile to the mass effects of solar flare activity.

In 1859, a solar eruption occurred that was so powerful it set fire to hundreds of telegraph offices... people got nasty electric shocks simply because they were working with metal objects. In 1859, however, we had no televisions, cell phones, power grid management systems, smart-meters, etc., so arguably the impact was less visible.

Now continue these 11-year recurring events forward to modern times...

In 2003, the most recent peak in solar events, we experienced outages that included computer system failures, magnetic data backup tape failures, electricity outages to homes and businesses, disrupted television and satellite operations, and greatly disrupted radio signals.

NASA and the scientific community accurately predicted the solar events; however, the only means of reducing the risks was to simply shut off high-risk devices. NASA temporarily shut down certain radar and satellite tracking antennae to avoid their destruction. NASA even grounded space shuttle programs to protect astronauts from the severe threat of deadly radiation exposure, as space is not protected by the magnetic field that protects the Earth.

Check out these interesting and informative videos on the solar flare phenomena:

  1. Attack of the Sun
  2. Nasa Warns Of Super Solar Storm

As we explore and deploy all of the new methods for acquiring and producing energy, we expand our power grid to accommodate wind farms, solar arrays, new nuclear plants, and other renewable energy sources. This grid will get larger... and smarter... with microprocessors inside almost every device, communicating and negotiating with one another, running everything from air conditioners to power plants.

A sudden surge of solar activity could strike the grid directly... inflicting substantial damage on our "smart power economy".

A similar storm today, or in 2013 when peak solar flare events are predicted, could easily cause several trillion dollars in damage to our sensitive high-tech infrastructure, potentially thousands of times greater than hurricane Katrina.

Modern information security strategies are focused on physically and logically protecting data, keeping systems up during brief outages, recovering a destroyed data center to another with waiting equipment, preventing intruders or insiders from stealing company secrets or sensitive information such as customer credit cards, health records, et cetera ad nauseam ad infinitum.

Our Disaster Recovery Plans and Business Continuity Plans tend to focus on events with which we have some prior experience, like the horrible tragedies of September 11th, hurricane Katrina, and even the threat of widespread pandemic influenza. But, what about the global impact of a modern-day solar flare event? How will we respond? What will we do when these naturally occurring solar flares generate similar interference as they have over previous 11-year cycles for millions of years, but this time they cripple the computerized devices that we have become so dependent upon?

Thoughts?  Provocative? Alarming?  Ho-hum?  Let me know...

I hope you enjoyed this article, and hope it was helpful.

Until next time,

Ed