Tuesday, May 18, 2010

How to Keep Track and Have Strong Passwords With Ease

I am reading Kevin Mitnick's book, The Art of Intrusion, about real-life stories of corporate security attacks.  A frequent oversight in security that comes up repeatedly is the failure to compose secure passwords.  It is quite surprising that system administrators or network administrators will have blank, weak, or a single decent password for multiple authentication points into sensitive materials.  Furthermore, there have been plenty of security attacks in the news of corporations having weak or blank passwords behind their firewall for access to sensitive information; most notably, the TJX hack.

I used to fall into the category of having a weak password and the same password for multiple websites - multiple e-mail accounts, on-line banking, social networking, etc.  A weak password is generally categorized as anything that would be found in a dictionary or is a commonly used term, or that is less than eight characters long.  I did not know the risk involved in having weak passwords, or that if someone has access to one website, they will have access to all the websites.  I am sure a lot of people are in the same situation and are unaware of their vulnerability and of the sophisticated password cracking tools that can break weak passwords in minutes.

Now, I use a completely different password for each website, with the maximum number of characters they will allow.  How?  KeePass Password Safe, a free and open source software product.

KeePass is a portable database for all your passwords.  You only have to remember one password to access the database, and you can carry it on your USB stick.  I recommend making a password of 20 or more characters - uppercase, lowercase, and special characters - to access the database.  The database is encrypted with AES (Advanced Encryption Standard), which is adopted by the U.S. government and used by banks.  In other words, if your password to access the database is complicated and long enough, it is near impossible for anyone to crack.

Additionally, you don't have to make up every single password.  KeePass comes with a password generator in which you can customize the number and type of characters you would like in your password.  The next time you log on to any website, you just drag-and-drop the user name/password into the textbox.  No re-typing the long generated passwords every single time.
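As an added illustration (not KeePass code, and not from the original post), the generator below shows what a KeePass-style generator does: it draws from the operating system's random source, honors the selected character classes, and estimates how much harder a long generated password is to brute-force than a short one.  The guess rate passed to years_to_exhaust is an assumption supplied by the caller, not a measured figure.

```python
import math
import secrets
import string

# Character classes a generator lets the user switch on or off.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALL_CLASSES = ("upper", "lower", "digits", "special")


def generate_password(length, classes=ALL_CLASSES):
    """Return a random password of `length` characters drawn from the chosen
    classes, containing at least one character from each class.

    Uses `secrets` (the OS cryptographic RNG), never `random`. Rejection
    sampling keeps the result uniform over all passwords that qualify."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length, classes=ALL_CLASSES):
    """Bits of entropy of a uniformly random password: length * log2(alphabet).
    A dictionary word has far less, since it is one entry of a short list."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every password of the given entropy at an assumed
    guess rate (the rate is the caller's assumption, not a measured figure)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    # 8 lowercase letters versus the 20-character mixed password recommended above
    rate = 1e9  # assumed guesses per second, for comparison only
    for n, cls in ((8, ("lower",)), (20, ALL_CLASSES)):
        bits = entropy_bits(n, cls)
        print(f"{n} chars from {cls}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e} guesses/s")
    print("sample:", generate_password(20))
```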

I have been using this product for a while and feel more secure having strong passwords.  With this ease, I recommend changing your passwords every couple of months for sensitive information, such as online banking or your main e-mail.  Below is the necessary information to get you started:
a. Download the Classic Edition 1.17
b. Download the Portable KeePass if you plan on carrying it on your USB stick.  If it is strictly for home use, then you can download KeePass 1.17 (Installer EXE for Windows).

*Edit: I found a site that generates a more complex password from the computer's RAM (random access memory).  This site adds to the security side since the password is generated from the RAM and there is no way for anyone to predict what password was generated from your computer.  I am going to start using this site and paste the password into KeePass for certain sites.  The website is Generate a Secure Password.

Friday, May 14, 2010

PDF Exploits and Ways to Mitigate

PDF hacks are on the rise and are expected to increase rapidly in 2010 [1].  Zeus malware has been detected exploiting the flaw in PDF documents.  Zeus malware was first detected in 2007, and the goal of the attack is to steal login information - mainly banking information.  In the past, the attacks primarily targeted operating systems, but now the attacks are targeted towards applications used on the operating systems.
The recipient receives the attack as an e-mail attachment containing a PDF document.  When the recipient opens the attachment, the document will have an executable file and will ask the recipient where to save the file.

Figure 1. Saving Adobe document

The security blog from ZDNet stated [2], "This could be somewhat confusing to users, and not really knowing what is happening, they may just click save."

Adobe is considering releasing a patch for this design flaw, but in the meantime has suggested that users uncheck a box that allows PDF documents to open external applications.  The following are the steps to uncheck the box:

Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”.

Figure 2. Unchecking box in Adobe preferences

In short, make sure that you are not extracting files after opening a PDF document unless the file is from a trusted source.
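The preference above stops the launch at the viewer.  The added example below (not from the original post, and not Adobe's or ZDNet's code) shows the complementary check a mail gateway or an analyst can run before a user ever opens the file: a triage scan for the PDF names that let a document carry an attachment and hand it to another program, run here over a constructed skeletal sample rather than a real document.

```python
import re

# PDF name objects that let a document carry a file or run something on
# open. Their presence is not proof of malice, only a reason to inspect.
SUSPICIOUS_NAMES = {
    b"/Launch": "launch action: hand a file to an external application",
    b"/EmbeddedFile": "file attachment embedded in the document",
    b"/OpenAction": "action that fires as soon as the document is opened",
    b"/JavaScript": "embedded JavaScript",
    b"/AA": "additional (event-triggered) actions",
}


def decode_name_escapes(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names (/Laun#63h is the same name as
    /Launch), so an obfuscated keyword cannot slip past a plain search."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return {name: count} for every suspicious name found in the file."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    normalized = decode_name_escapes(data)
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # The name must end here, so /AA does not also count /AAxyz.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, normalized))
        if count:
            hits[name.decode()] = count
    return hits


# Constructed sample (not a working document): a catalog whose open action
# is an obfuscated launch action, plus an empty embedded attachment.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /Laun#63h /F (attachment.placeholder) >> endobj\n"
          b"3 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
          b"%%EOF\n")

if __name__ == "__main__":
    for name, count in sorted(triage_pdf(SAMPLE).items()):
        print(f"{name:15} x{count}  {SUSPICIOUS_NAMES[name.encode()]}")
```

A clean file produces an empty result; anything non-empty is a candidate for inspection in a sandbox rather than proof of an attack.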

  1. PDF exploits explode, continue climb in 2010
  2. Embedded PDF executable hack goes live in Zeus malware attacks
  3. Figures credited to security blog, Zero Day, from ZDNet

Wednesday, May 12, 2010

Importance of Patches

In connection with Microsoft’s release of two critical patches yesterday, I will write about the importance of patches. When a person uses the word patch in reference to computers, that person is referring to software. The statement, “Patching the software,” means there is a small program that needs to be installed for a particular piece of software to fix a glitch or a security vulnerability. Nowadays, every software manufacturer releases patches for their software, most likely numerous times for each version.

The important aspect of this point is the security vulnerability and the rapid response required from PC users. To demonstrate the point, black hat hackers (hackers with malicious intent) wait for patches to be released. Once a patch is released, they analyze it to identify the security vulnerability and determine a way to exploit this vulnerability against unpatched users. The detrimental effect from the exploited vulnerability is limitless, depending on the amount of information that is on the computer or that you provide during a session of surfing the Internet.

Research studies [1] state that the average user has one patch to install every five days. The difficulty in keeping track of this number of patches is understandable, but being defenseless is far too risky. Fortunately, there is a solution.

I personally use FileHippo Update Checker, and I have Secunia Personal Software Inspector (PSI) to supplement it every once in a while. Click here for a reference website listing the top software update tools for Windows, Linux, and Mac. It would be advisable to scan your system once a week and update the software the program lists as out of date. Both programs give you links to the download file for greater convenience. Together with Windows automatic update [2], these tools are a great way to keep your system up-to-date.

  1. Typical User Patches Every 5 Days
  2. Windows Automatic Update

In Regards and Plans for Security 4 Information

I started having a great desire for the information security field this year, and I quickly realized the vast number of vulnerabilities that individuals face just by simply logging onto the Internet. Looking back, I did not realize how vulnerable I was through the lack of security mechanisms on my computer. The amount of malware (malicious software) is growing daily and becoming stealthier. Without the victim knowing, an attacker could have control over the victim’s computer. Despite the fact that no one could ever be completely safe, I wanted to start blogging to pass on the knowledge I have gained about mitigating the threats that we face virtually to those unaware of computer security.

In addition, I plan on setting up a security lab to practice penetration testing instead of reading books without any hands-on activities.  I will be referencing Build Your Own Security Lab: A Field Guide for Network Testing.  With that said, I will blog my steps, findings, and ideas about the various security tools that will be used.