Category: security

  • Password safety

    Password safety

    Online news and gossip publisher Gawker Media was hacked last weekend with nearly 200,000 usernames and passwords released to the world.

    The Wall Street Journal’s Digits Column tabulated the results and listed the top 50 passwords used by Gawker’s subscribers.

    At first glance, the reaction is to wonder what sort of idiot would use a password like 12345678, and the list seems only to confirm most IT and security professionals’ view that most computer users don’t protect their online details very well.

    But on reflection, is using a weak password on a site like Gawker so bad? Most of the users listed have only created accounts to comment on one of Gawker’s websites; they aren’t using their Gawker account for anything vital, and should the account be accessed, the only thing the bad guys can do is post under that name.

    So if we assume that most of the 3,000-odd people who used the password 12345678 did so only for “disposable” accounts like the Gawker comments stream, then they probably haven’t risked anything at all.

    In fact it makes sense to do so, rather than to use a strong password that also happens to be your banking login or work account.

    On my IT Queries site we suggest a layered approach to passwords: services like Gawker, where it doesn’t really matter if the password is compromised, get a simple and easy password, while sites with serious consequences, like your online banking, get strong and secure passwords.

    We should always keep in mind that accidents do happen and that there are a lot of clever bad guys out there who are keen to exploit weaknesses when they see them. So security mistakes like Gawker’s will occur from time to time. The best we can do is to arrange our security so that when bad luck strikes us, the effects can be contained.

    The real moral for all of us from the Gawker password hack is to take security seriously and not to use the same password on every site we visit.
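    As an added example (not code from the original post), this is the check a defender runs after a leak like Gawker’s: tabulate the dump’s most common passwords, as the WSJ did, then find which of an organisation’s own users reused their leaked password, or one of the dump’s top passwords, on the organisation’s systems so those accounts can be reset first. The dump, the user list and the PBKDF2 password store are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample dump in 'identifier:password' form; not real leaked data.
SAMPLE_DUMP = """\
alice@example.com:12345678
bob@example.com:password
carol@example.com:12345678
erin@example.com:12345678
frank@example.com:letmein
grace@example.com:password
"""

def hash_password(password, salt, rounds=50_000):
    """Salted PBKDF2-HMAC-SHA256, assumed to be the organisation's storage scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

# Constructed internal store, user -> (salt, verifier): Alice reused her Gawker
# password at work, Frank did not, Zed is not in the dump but picked its top password.
INTERNAL_STORE = {
    "alice@example.com": (b"salt-a", hash_password("12345678", b"salt-a")),
    "frank@example.com": (b"salt-f", hash_password("CorrectHorse!9", b"salt-f")),
    "zed@example.com": (b"salt-z", hash_password("12345678", b"salt-z")),
}

def parse_dump(text):
    """Parse 'identifier:password' lines; a password may itself contain ':'."""
    creds = {}
    for line in text.splitlines():
        if ":" in line:
            ident, password = line.split(":", 1)
            creds[ident.strip().lower()] = password
    return creds

def top_passwords(creds, n=3):
    """Most common passwords in the dump, as the WSJ tabulated for Gawker."""
    return Counter(creds.values()).most_common(n)

def reused_internally(creds, store):
    """Internal users whose leaked password also verifies against their internal hash."""
    return sorted(user for user, leaked in creds.items() if user in store and
                  hmac.compare_digest(hash_password(leaked, store[user][0]), store[user][1]))

def weak_internally(creds, store, n=3):
    """Internal users, leaked or not, whose password is one of the dump's top n."""
    common = [pw for pw, _ in top_passwords(creds, n)]
    return sorted(user for user, (salt, verifier) in store.items()
                  if any(hmac.compare_digest(hash_password(pw, salt), verifier) for pw in common))
```

    Users returned by either function are the ones to force a reset on; Zed shows why checking the dump’s top passwords against your own store matters even for staff who were never Gawker members.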

  • What the Internet doesn’t know about us

    What the Internet doesn’t know about us

    In October 2010 Newsweek’s Jessica Bennett asked the team behind the Internet service Reputation Defender to find all they could about her.

    The results were startling: within half an hour they had found her US social security number, and a few more hours of digging revealed her address, her hometown and many other private details.

    But ultimately the picture of Jessica’s life was wrong. The team made mistakes about her personal habits, sexual orientation and the time she spends online.

    The fact the profile was incorrect shows how difficult it is for computers, or people, to understand an individual based on a series of data points.

    Most of us understand that making a generalisation based on a single data point – say race, gender, appearance or sexual orientation – is usually incorrect, but when we add more data points things become even more difficult.

    Once we get more than one data point, we have to start weighting them. Would Jessica eating at McDonalds twice a week outweigh her exercising every morning in the eyes of an insurance company assessing her risk?

    That problem could be called the Google effect, where a formula, known as an algorithm, becomes so complex that it bogs down under the weight of its own assumptions, as we saw with Tony Russo’s gaming of the search engine’s ranking system.

    All of us are steadily revealing more about ourselves on the web, whether we know it or not. Every time we like something on Facebook, subscribe to a newsletter or comment on a blog post, we are giving a little something about ourselves away on the publicly accessible Internet.

    Over time, anyone can build a picture of us. However, it may turn out that nobody will want to know about the detailed, complex and multi-dimensional portrait each of our lives would make.

    As information about all of us becomes more available, we may enter a modern version of the Mutually Assured Destruction doctrine of the Cold War, as each of us finds that everyone around us has enough information to bring our careers, relationships and status crashing down.

    But we hold equally damaging data about all our peers as well, and to bring anybody down with the information we have would be to invite the wrath of the many others who know our intimate details.

    We may even find that, because all of us, being human, have some damaging traits and history, employers, insurers and governments only care when you start hiding them. Today we see this with security vetting procedures, which are more concerned with what we hide than with the specifics of our foibles and indiscretions.

    The assumption of those security agencies is that a self admitted gambler, alcoholic or philanderer is a manageable risk while those hiding such secrets from their families and employers are the genuine threat to an organisation.

    So we come back to a society where a tacit agreement exists between us all that this dangerous power is only used when someone has acted illegally or hypocritically.

    Perhaps that is the future we are heading for, where the Internet knows all but we simply choose not to access it. That assumes it’s all correct anyway.

  • The strange story of the Stuxnet worm

    The strange story of the Stuxnet worm

    The tale of the virus infecting Iran’s nuclear program is one of the fascinating stories of the computer world.

    Whoever wrote the Stuxnet worm did a spectacular job in bringing together a number of security problems and then using two weak links — unpatched Windows servers and poorly designed programmable logic controller software — to create a mighty mess in the target organisation.

    The scary thing with a rootkit like Stuxnet is that once it has got into the system, you can never be sure whether you’ve properly got rid of it.

    What’s worse, this program will have been writing to the programmable logic controllers the infected computers supervise, so plant operators will never know exactly what changes might have been carried out on the devices essential to a plant’s operations and safety.

    Damaging Iranian nuclear plants

    A report on the Make The World A Better Place website over the weekend indicates the Stuxnet worm may have damaged the Iranian nuclear reactor program.

    The story behind the Stuxnet worm is remarkable. It appears this little beast is a sophisticated act of sabotage that exploits a number of weaknesses in computer systems, as detailed in Computer World’s Stuxnet Worm hits Industrial Systems and is Stuxnet the best Malware Ever articles.

    The risk of unpatched systems

    One of the things that leaps out is how servers running unpatched systems are an important part of the infection process. The Stuxnet worm partly relies on a security hole that was patched by Microsoft two years ago so obviously the Iranian servers were running an unpatched, older version of Windows.

    This is fairly common in the automation industries. I’ve personally seen outdated, unpatched Windows servers running CCTV, security, home automation and dispatch systems. They are in that state because the equipment vendors have supplied the equipment and then failed to maintain them.

    These companies deserve real criticism for using off-the-shelf commercial software to run mission-critical systems it was never designed for.

    Commercial programs like the various Windows, Mac and other mass-market operating systems are designed for general use; they come with a whole range of services and features that industrial control systems don’t need. In fact, the Stuxnet worm uses one of those services, the print spooler, to give itself control of the system.

    Securing industrial systems

    These industrial systems require far more basic and secure control programs; a cheap option would be a customised Linux version with all the unnecessary features stripped out. In the case of Siemens, the supplier of the PLCs used by the Iranian government, it’s disappointing that such a big organisation couldn’t build its own software to control these systems.

    Business owners, and anyone who has computer-controlled equipment on their premises, need to ask their suppliers some hard questions about how secure the supplied computer equipment is in this age of networked services and Internet worms.

  • Protecting yourself from the Conficker worm

    Nearly a year after it was identified, the Conficker computer worm continues to plague Windows users, infecting systems controlling everything from fighter planes to bus lane fines.

    The problem has become so great, a consortium of vendors have set up the Conficker Working Group to deal with the malware’s spread, and Microsoft are offering a $250,000 reward for the identity of the writer.

    It’s not a problem that should be understated – the worm’s main use appears to be as a controller of botnets, networks of remote controlled computers used to launch attacks on other systems or to hide the tracks of scammers and password thieves.

    Update your systems

    Given the risks and embarrassment of being infected, avoiding this worm and others like it should be a priority for your business. First of all, your Windows computers should have the latest updates, as Conficker relies on some old security bugs that Microsoft patched last October.

    Run an anti-virus

    Naturally, you should be running an up-to-date anti-virus. Most widely used AV programs will do the job, including open source detectors like Clam AV and freeware programs.

    Note though that the licences for freeware programs like AVG and Avast! are specifically for home use only. If you are running those on your office system, respect the developer’s right to make a living and buy a commercial licence; they are actually cheaper and more reliable than many of the better-known brand names.

    Restrict your users

    Finally, make sure your users log on in Limited User mode. The reason Windows computers are more prone to viruses than their Mac and Linux cousins is that most users run their Microsoft systems in the powerful Administrator mode, which is the equivalent of leaving your car doors unlocked all night.

    I’ve some instructions on setting up Limited User Profiles for Windows XP systems on the PC Rescue website. If you have an office with a Windows 2003 or 2008 server, your IT department or consultant will be able to do this through the network, which is a much more secure way of doing things.

    Be warned that some programs won’t work unless they run in Administrator mode. If you find this is a problem, then you should consider replacing that software, as the vendor has shown they are either incompetent or prepared to put their customers at risk to save a few dollars.

    Either way, you don’t need suppliers that have no respect for their customers.

    Your computers are too important to your business and shouldn’t be exposed to these sorts of embarrassing and expensive risks. Get your IT people to make sure the office systems are locked down properly.

  • A ship of fools

    To accompany the launch of their new protect yourself website, eBay Australia have released a survey claiming that an amazing 93% of Australian Internet users don’t understand what phishing is and 72% engage in behaviour that increases their risk of falling victim to an online scam.

    This is truly mind-boggling given the amount of publicity these scams receive.

    More depressingly, the press release claims that one in three Internet users believes that only dumb people fall for phishing attempts.

    You can see why the smart scammers do so well with attitudes like this. We look at one of the good scams at our PC Rescue and Cranky Tech sites.

    We’ll probably make this the main story for the next ABC Nightlife spot. It looks like we have a long way to go in educating people on Internet security.
