Network Lighthouse

e are always told to choose strong passwords, over eight characters, with lower & upper case letter, numbers and symbols, but really what difference does it make.

Lets have a look at 4 different classes of passwords each 8 characters:

A) Lower case letters only

B) Mixed case letters

C) Mixed case letters and digits

D) Mixed case letters, digits and 32 symbols

The table below shows the number of possible combinations and the time to crack based on Elcomsoft‘s rates for md5 password recovery on a dual core processor (4.7 million passwords/second)

So you can see a password that just has lower case letters can be cracked in less than a minute!  While a password that covers the full spectrum of character types will take 15 days, that’s a lot of extra effort to get into your account.

So what if you want to have a strong password, but you don’t want to have to remember a string with upper case letters, numbers and symbols.  Can you have a password, containing just lower case letters, that provides as much protection as a password that contains at least 1 character from each group?  Absolutely, you just have to trade complexity for length.  Have a look at this table to see how long passwords need to be to be at least as strong as a 8 character class D password.

So if you want a password of lowercase letters that provides the same level of protection as a more complicated password, you’ll need 12 characters.

Of course a password that is based on dictionary words is still not going to keep the bad guys at bay for long, it still needs to be a fairly random string of letters,  there are plenty of ways to come up with good passwords, but thats another article.

-Daniel

Another major organisation bans USB drives,  although this seems to be due to a severe virus outbreak.  The risks associated with USB drives and other removable media are well documented these days, with rarely a week going by with out some news story about data on media being lost or stolen.

The Pentagon Bans USB Flash Drives: Will There Be a Floppy Disk Comeback?.

While outright banning removable media seems like an attractive solution, I wonder if it really is the best option, Encryption and device control options exist that allow a large degree of control and security to be retained while keeping the flexibility of removable storage.

Over the last one or two years, we have seen a fairly major shift in the methods of criminals working on the internet.  In the past viruses that spread rapidly and took down networks were the norm.  Just cast your mind back to Code Red, Nimda (both of 2001) and Sasser (2004), and you’ll get a feel for what I am talking about.  All these worms did massive amounts of damage during their limited life spans, with their primary purpose to disrupt computer systems.

However in the last couple of years there has been a shift to more organised criminal activities, the storm worm (first appeared early 2008) which at its peak some researchers estimated as having infected over 10 million machines provides a great example of this.

The storm botnet, was created in such a manner that parts of it could be leased to others which could then be used for trojan and spam distribution, DDOS attempts and other activities.  While viruses and worms from previous generations of malware where designed to have a single payload, the purpose of storm appeared to be focused on turning a profit.

Another indication of the changes that I have alluded to is the recent release of an out of band patch release, MS08-067, by Microsoft.  In brief this patch closed a flaw in all versions of windows which, for Windows 2008 and XP at least, allowed for remote code to be executed as the local service account.   Several security experts were concerned about the potential of to be used to create a worm of Code Red/Nimda proportions.   This threat never really eventuated, there were a couple of worms that took advantage of this vulnerabilty but nothing really eventuated.

Why did the expect horror worm never eventuate?  It appears (to me at least) that today’s malware authors are not interested in high profile activities, and any worm based on MS08-067 was sure to gain additional publicity, in the interests of generating a name for themselves.  Malware authors today are looking to create more stealthy worms and trojans that go undetected for as long as possible, quietly stealing credit card data,sending spam and replicating themselves.

One example of how stealthy these new threats can be is Rustock.C, discovered in May 2008 it has been identified as been in the wild, as least as far back as October 2007.  It employeed a number of very sophisticated techniques to hide itself and prevent itself from being analysed.  No longer are malware authors working to build a name for themselves, they are looking to develop a product or service that can be sold to make a profit, just like any other software company in the world.

It used to be the case that when your computer was infected with a virus/trojan/etc you would realise eventually, something bad would happen, CIH would destroy your partition table, Blaster caused network flooding and machine instability.  These days you would be lucky to notice your machine was running slow before finding out months later that your credit card details were stolen by a trojan running quietly in the background.

That’s all for this article, stay tuned for part 2, Identity Theft and Credit Card Fraud.

-Daniel

Wikipedia have a great resourse, Timetable of notable Computer Viruses and Worms, from which information was taken for this article (a number of linked articles were also reference).

So you’re about to hire a new team member or maybe your boss left and you want to find out about the new guy. Whatever the cause at some point in time most have us have used Google to try and find out about someone. For those who have not tried this, it is often more difficult than it sounds. For example if you search for my name, even with quotes, returns over 150,000 results not one of the first 100 actually referred to me (I stopped looking after that).

This in mind how do you find out about someone using the web?

Firstly your going to need something a little more unique that a persons name. According to the 1990 US census, almost 3% of males had a first name of James and 1% of the population has the last name of Smith. This means that 1 in around 3000 males (in the US) are called James Smith. Given the current population of the US, around 300 Million, there are about 100 thousand people called James Smith in the US alone.

Of course this is the worst case scenario but it points out why names by themselves are not enough to successfully build a profile. What you need is some other details about the person, things like companies worked for, names of partners, and ideally an email address. If your recruiting the person you’re looking for, then their resume or CV will have previous employers and maybe an email address.

To make this article somewhat interesting, I’ll go through the whole process using myself as an example. Here’s what we (in terms of this article) know about me, my name is Daniel Thomas and I have worked for Virgin Blue airlines. Lets go back to google and search for me with that information with this string ‘”Daniel Thomas” “Virgin Blue”‘. This turns out to be a much better search, only returning 60 results. Going through the results one by one can be painful but fruitful exercise.

Here are the relevant results, I’ve eliminated the results that dont have any relevance:

• LinkedIn (we’ll come back to this one later)
• The Juice
  • A report on a company party, including a photo of the subject (me)
• Alumni Newsletter
  • Here’s one I’d forgotten about, not only confirming where I worked, but also work colleagues and where I went to University.

So now we know now:

• Name: Daniel Thomas
• Employer: Virgin Blue
• School at University: CIT @ Griffith University
• A photo of me from a company party
• And a list of people that I’ve worked with

Lets move on to social networks, one of the great advantages and perils of social networking sites is the amount of personal information that people can put online and share with others.

We’ve already seen LinkedIn, as it came up in the search results. Have a quick look at what it says about me. You will quickly see a full career summary with most of the jobs I’ve ever had, any education that I’ve added.
Unfortunately for this article thats about the end of the paper trail for me, I’ve gone to some efforts over the years to keep my personal details just that, with the exception of what I chose to publish at LinkedIn. Even so there is enough out on the web to buildup something of a profile.

Other social networks can be a great source of personal information, the only problem is identifying which sites a person uses. If you know their email address then this process becomes a lot simpler with RapLeaf. Just plugin their email address and they’ll search all the major social sites and show you which ones have a profile for the address you entered. In some cases they’ll even link straight to the profile you are after.

Going beyond this things get a bit complicated, but here are some other ideas of places that can be useful for finding information about people.

• News Articles LexisNexis
• Court Records
• Phone Books
• ZoomInfo
• If you don’t mind spending some money, you could also use a commercial background checking services

Anytime you find something new about a person, go back to google and search for them again trying the new information as well.

Thats it for this article, hope you found it educational.

-Daniel