Information Security Tips from Westfield Insurance: Passwords

Follow @WestfieldIns

Search

About

Westfield Links

Westfield Blogs

InfoSec Favorites

CMU Anti-Phishing Game
Learn to identify fraudulent URLs
OnGuard Online
Many security tips and educational materials collected and shared by the FTC
Anti-Phishing Blog
Lots of examples of phishing and other scams
SEO by the Sea
Search Engine Optimization
Fraudwar
Schneier on Security
eDiscoTECH
Reviews of legal cases and decisions in the new field of Electronic Discovery
IT Business Edge

18 posts categorized "Passwords"

Work Out the Bugs in Your Information Security

A free eBook on Information Security from the Westfield Insurance InfoSec Blog Team

In today’s global economy, the sharing of information has become essential to business transactions. From providing information through online billing, or managing multiple passwords for various platforms and operating systems, the world of business has become more sophisticated than ever before.

Just in the last decade, organizations have seen a dramatic conversion to digital information storage. Regardless of how your company stores customer or employee information, rules of privacy and security apply.

With increasing effectiveness, hackers are able to acquire sensitive information from your office, computers, servers, mobile devices and the like. That’s why it’s vital that your business implement basic security measures to help protect sensitive information trusted to your company and its employees.
Whether it’s the personal information of your employees or sensitive client information, your business needs to proactively take steps to eliminate unnecessary security exposures.

Introducing the Westfield Insurance eBook: Work Out the Bugs in Your Information Security.

Why an Information Security eBook?

In 2004, Westfield Insurance started publishing internal tips and reminders about computer and personal security to help serve as a reminder to employees about company-specific policies, as well as the importance of protecting their personal information.

After seeing the success of this approach, we expanded the distribution to include our network of independent agents and colleagues. In 2008, we officially launched the InfoSec blog, authored by members of our IT-Risk, Security and Compliance team.

Since that time, the blog has offered our readers tips on how to best protect private information from risks such as password and system hacking, spamming, tailgating and more.

Download our free eBook

We’d love to hear your feedback. Please comment below!

Westfield Insurance on 08 March 2011 | Permalink | Comments (0)

Cyber Monday: How to Manage Online Store Passwords

Have you ever been sitting in front of your computer, getting ready to purchase a gift for someone and just as you click on the checkout button you see the dreaded "Create a new account" option staring back at you? To me this means yet another password and user ID that I'll need to somehow remember but keep secure at the same time. To make matters worse, I need to figure out some way to allow my wife access to the account as well, without leaving the password lying around for any and all to pick up and use.

My idea: Create a password list!

Here's my example:

Create a simple word or text document on your computer, choose a name for the document that would normally not be interesting to someone who was searching for a password like, FinalEssayOntheMigrationofBirds.doc or VehicleRepairTips.txt.

Next, fill it in so it looks something like this!

OnlineStore1 User3251 Y78
SuperBank 2729303 8n!
OnlineStore2 HappyMe123 Ii4

Your first row is the purpose or website for the account, if you feel really daring you can even create a link from this name to the website where you use it. The second row is your user account or ID for that website. And the last is a set of numbers, letters, or symbols you would either append to the end of your "known" password or place in front of your "known" password.

A "known" password is a simple word that is easy to remember for you and anyone you share the list with, for example November or Snowstorm might be common shared passwords. You'll never write or type this one anywhere; it should only be known by the people who share it.

For example, let's take the information I entered above, OnlineStore1 User3251 Y78. If I was going to login to OnlineStore1, and I used the account User3251, my password would be NovemberY78.

Hope this helps keep some passwords secure this shopping season!

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Jake Harris on 29 November 2010 | Permalink | Comments (6)

Smartphones are great, but are they secure?

Something I've noticed over the past month is the tremendous amount of smartphones in use, whether at the grocery store, or in a local coffee shop. These devices are really pretty amazing, even playing some of the most high definition games on a simple little phone. I saw someone swipe their shopping card at the register the other day, I sure could use that. Up until the most recent series of smartphones, most people didn't really have the ability to store information other than contacts or small pictures on their phones. But now, the opportunities are endless. Most have browsing history available, pictures, videos, stored passwords, emails, and the list goes on and on, what's next? credit cards?

So what are people doing to ensure the sensitivity of the information stored on these devices remains sensitive?

The short answer is very little. I haven't come across many smartphones with a password set, and the memory card has only become increasingly easier to get at. Next time you have a few minutes (please not while driving your car), take a look at the security settings available to you.

Ensure you have a password on the device .
Review your application settings, do any applications have permissions to send information to the internet about you?
Check on your internet browser settings, paying special attention to your identity and privacy options.
Review the media (pictures, videos, text logs) that you keep on the device.
Check into solutions that will send a remote wipe to your device, in case its lost.
Know how to contact your provider to report the device lost or stolen as soon as possible.

Share your ideas for keeping smartphones and other mobile devices secure!

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Jake Harris on 16 September 2010 | Permalink | Comments (0)

Sir, May I See Your Drivers License

I was reading some of the ever increasing material relating to identity theft and ran across an article that I wanted to share. Apparently there has been a sharp increase of fraudulent identification being given to police and state troopers when they are pulling people over in traffic stops and at driver’s license examination stations.

http://www.daytondailynews.com/news/ohio-news/ohio-highway-patrol-id-theft-increase-alarming-858936.html

Imagine getting a speeding ticket in the mail or having your auto insurance go up because someone falsely used your information when they were pulled over or committed a crime.

I wonder if the police will ever consider making drivers licenses into a multi-factor credential similar to how ATM cards work. With ATM cards, you have to have the card and know a PIN number in order to use it. That way when you presented your drivers license you would have to tell the policeman something that he could check to ensure that you were really you. I am sure that this approach could be easily bypassed as well.

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust

Bill Murray on 23 August 2010 | Permalink | Comments (0)

A Key to Decreasing ID Theft Exposure

No one wants to have their identifying particulars stolen and abused. To help, there is the security concept of using one secret (a key) to unlock keys to other services. The concept is simple, here is a real world analogy – in a car dealership, the service area has a bunch of keys to inventory and customer vehicles. That collection of keys is kept in a locked wall-mounted cabinet. Upper management are the only people with the keys to the “key locker.”

On your personal computer, there’s another commonly used example, in most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied. They are stored in a browser-managed repository which is the equivalent of the “key locker” described above. Using this auto-fill feature alone is a net decrease in your security because, once turned on, anyone that can walk up to your computer, start up the browser and instantly be logged into your various web site accounts without having to know any credentials. But there is simple way to mitigate this risk. For example, in say FireFox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords. This master password is the equivalent of the key to the key locker in our physical world example. This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!

Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout, PaySafeCard. These are services that you give various credentials to and they provide clearing house service to merchant sites that have signed up to use their services for payments. Here’s how it works:

First you sign up for the payment service of your choice, let’s say PayPal:

you create an account at the payment service using a unique string such as your email address
you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through

That’s it! Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):

go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
proceed to check out and notice that there is a PayPal option, choose it
Walmart’s website sends you to PayPal, giving PayPal the bill you need to OK payment of (vendor and dollar amount)
you confirm your PayPal password and then tell PayPal which of your accounts to debit
when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment

So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!

Why bother with that? In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information. Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time. So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.

Is there a downside to using these services? Well, I suppose these particular processors are in a position to know a lot about your cross vendor buying habits and history. Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of and well staffed to store and police said information).

So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust

John Brady on 01 July 2010 | Permalink | Comments (2)

Your information security "chain" breaks at its weakest link

I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost Here are some current examples of this happening:

http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/

This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves. There are some very simple common sense things that can be done to protect information that you care about.

I have broken this down into three basic steps:

Step 1: Understand what you need to protect

The first (and most important) thing that you need to do is identify what information is critical to your company and what information you legally need to protect. Really take the time to think about it. Most state privacy breach laws state that you need to protect peoples names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers. These are easy ones, but how about your customer contact lists? new product ideas? customer order histories? etc… What information do you really need to ensure that you don’t lose and doesn’t get out of your control? In addition to data loss, think about data integrity. When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers? How important are the decisions you make from your data. The controls you place around preserving the integrity of data need to match its importance.

Step 2: Inventory where it is stored

The next thing to do is to identify where all of this information is located. In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone. Ask yourself these questions:

Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
Where do you store and how do you protect your system backups?
Could someone gain access to a system backup and restore the information to their computer?
Can you reduce the number of locations that your critical information or copies of it are stored?
Are you relying on third parties to protect your information when it is in their systems? Do they have the appropriate security controls in their environment?

Step 3: Align security controls with business risk

Finally, assess the security controls that you are using to protect your information. You should align your controls across systems based on the value of the information you are trying to protect. You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored. Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.

Know what information you want to protect and protect all locations that this information is stored consistently. Your information chain will break at its weakest link.

The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations that this information is stored and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.

Bill Murray on 08 February 2010 | Permalink | Comments (0)

4 steps to protect your data in an online transaction

Hello readers of the Westfield Insurance Information Security Tips blog! I am new to Westfield, joining the InfoSec team in the capacity of Information Security Architect. Previously, I was an information security consultant working predominantly in banking and pharmaceuticals.

You may be asking, "What is Information Security (IS) Architecture?" In its broadest sense, architecture in the IT industry involves marrying an enterprise's business objectives to its current and future technology capabilities. A good architecture does this by leveraging what is already present, or when needed, carefully introducing new types of technology. When properly architected, the IT environment adapts smoothly to constantly changing business demands. Information Security Architecture tries to achieve these same outcomes but within the specialized domain of information security.

What tips does an architect have regarding day to day information security? Well, let’s take a security architecture concept and apply it to your situation. For example, consider the idea of ensuring the confidentiality of sensitive information. This idea is broadly applicable everyday on the web. From an architectural perspective it is helpful to think about the two states of confidential information, namely, at rest (e.g., stored in a file) and in transit (e.g., whizzing across the Internet from server to laptop).

Take a scenario where you keep your credit card and expiration date in a file on your PC (you can remember your CVV, that three digit code on the back of your credit card, because it's so short). Doing this makes it so much easier for you go shopping on the web because you can just cut and paste your information quickly, conveniently and without worrying about typing errors, etc. So you surf to your favorite shopping site, find the widget you want to buy, follow the checkout process, open the credit card file, cut and paste your credit card information, submit it, and in a few days your stuff arrives.

Let's talk about your information's confidentiality during the 4 steps in an online transaction:

1) In your computer file: First, if you saved your credit card information on your computer, it is sitting in a file. Here it definitely should have been encrypted in such a way that only you could decrypt and read it, for example, using a password protected file encryption such as the free GNU Privacy Guard.

2) On the merchant's order form: Next, you cut and pasted it to the online merchant’s checkout page. Did you make sure the browser was indicating that the communications were protected by verifying that there were no browser warnings about unrecognized or expired digital certificates? These certificates are used to help you make sure that you’re really at the web site of the merchant you think you are. Some browsers use a color coding scheme in the URL field and green is usually the color indicating the site’s authenticity has been successfully verified.

3) In transit on the web: When you submit your credit card information, the data will suddenly be in transit across the Internet! Prior to submitting anything, make sure it is protected in transit by confirming the URL of the page where you entered your personal data begins with the string https://... Instead of the normal http://... . That extra ‘s’ in https is for security and it means the data stream between your browser and the merchant’s web server is encrypted.

4) On the site receiving your info: And finally, after you press Submit, if you get any browser warning about information being sent unsecured, your browser is warning you that, although the page you were on was secure, the place you’re submitting the credit card info. to may not be. When you recieve such warnings while transacting confidential information you should cancel out of the transaction and perform your purchase via a different medium (e.g., over the phone).

So, from an InfoSec architecture perspective, assuring that the encryption infrastructure is guarding your information at rest and in transit is all part of your personal information security architecture.

John Brady on 26 January 2010 | Permalink | Comments (0) | TrackBack (0)

Stolen laptops

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It's not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don't think you've ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee's practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don't give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet - out of sight, out of mind. Don't assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don't just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You'd never be that careless at home. Don't let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it's time to ask for your free copy of your credit report from the next agency.

Mike Rossander on 03 November 2008 | Permalink | Comments (0) | TrackBack (0)

Managing multiple passwords

These days, keeping all your passwords straight can be an almost impossible task. Every website and application needs a password. Do you pick the same password and use it everywhere or do you write them down? If you use the same password, you'll lose them all as soon as any one of those systems gets compromised. But if you write them down, you lose them all when your sticky-note gets lost or stolen.

Here's a trick for making semi-customized passwords that will be easy to memorize but still unique to each site.

Pick a "static" password. (For this example, I'll use "Bluebird" but a passphrase is much better.) Now look at the website or application that you're signing onto. Make up a personal rule about the website name such as:

The first digit of my password will always be the second letter of the website's name.
The second digit of my password will always be the number of characters in the website's name.
The third digit will be a dash.

The password at Amazon would be "m6-Bluebird" and at eBay would be "b4-Bluebird". The password on your home Dell computer might be "e4-Bluebird". A password in this pattern is reasonably strong because it has all four character classes (uppercase, lowercase, number, punctuation) and because it doesn't follow the predictable tendency for English speakers to capitalize the first letter and put the number(s) at the end. Best of all, every password is different but you only have the one phrase to memorize and one rule.

There are a couple of limitations to this technique.

You must be the only person who knows your exact rules. Do not use the exact rules above. Make your own choices about which letter, punctuation, etc.
Some systems won't allow special characters (like the dash) or may have size limits on the password. Unfortunately, there's no easy way around those problems. Make the best choice you can given the limits of the system and write down only enough to remind yourself what's different (such as "401k - no dash"). If it's an important system (like your online bank), lobby the company to allow stronger passphrases.

Mike Rossander on 18 February 2008 | Permalink | Comments (0) | TrackBack (0)

Never share your password

As a user, you should never share your password with anyone. It is used to track who had access and made changes to specific information. You are responsible for everything done on the system using your ID and password.

As a manager, you must set up the processes and procedures so that your staff and customers do not need to share their passwords. They need a simple rule that anyone asking for their password is running a con.

The user's co-workers should never have access to each others' passwords. If work needs to be shared, use shared folders or other collaboration tools that maintain tracabilty in the logs about who did what. If a co-worker needs temporary access to the user's files (for example, if covering for someone on vacation or emergency medical leave), have IT use their administrative tools to grant the access rights under their own ID, not by compromising the ID of the person who is out of the office.
Not even your own IT staff should ask for a user's password. If IT needs the password to complete a repair, the IT person should insist that the user type in the password.
You don't need their password either. If you need to access their files, you should have IT set up your rights so that you can monitor their work under your own ID and password. No one ever wants to be in the middle of an investigation but, if you are, you really don't want to have counter-accusations that the chain of evidence was compromised.

Too many people are running phishing and other cons that try to trick people into sharing their passwords. Make it possible to say with confidence that no one at your organization will ever ask you for your password.

Mike Rossander on 28 January 2008 | Permalink | Comments (2) | TrackBack (0)

Resolve to make stronger passwords in 2008

According to a non-scientific survey I just conducted, the most common question this time of year is "How were your holidays?" The second most common question is "Have you broken your New Year's resolutions yet?"

Here's a trick to help keep at least a few of those resolutions by choosing stronger passwords. As we've talked about before, passwords are fairly easy to break because most of us pick an English word, capitalize the first character and add a number at the end. That's a statistically common trend among English-speakers. It meets the minimum complexity rules but will fail to a password cracking tool in 30 seconds or less.

If your New Year's resolution is your passphrase, you'll get a strong password that is hard for an outsider to break. (Microsoft's password rules allow up to 127 characters and permit any character on the keyboard, including the spacebar. You can pick a whole sentence including spaces and punctuation for your password.) And by typing it several times a day, well, maybe repetition will help me actually live up to the resolution. For example, I need to eat less and exercise more. If my password for the month is "Take the Stairs.", I'm reminding myself several times a day that I shouldn't be lazy – that those extra steps are good for me.

A couple of thoughts, though. First, don't make your password obvious to others. If your password is "Spend more time with your Kids!", don't make a poster with the same phrase and hang it in your office. Second, add unusual capitalization or swap a letter for a number in the middle of the phrase. For example, "Give more time 2 Charity." Even if someone does guess your resolution, they won't know what little change you've made to the way you type it. Put together, you'll have a strong password that's easy to remember and might actually help you keep that resolution a little longer.

Mike Rossander on 07 January 2008 | Permalink | Comments (0) | TrackBack (0)

Password security

Passwords are only useful if they are kept secret. That sounds obvious but we are still finding users who tape their passwords to the computer or "hide" them in an unlocked desk drawer.

Laptop and desktop computers represent the single greatest risk to the computer systems and customer private information of most organizations. A stolen or lost laptop is a gold mine for an identity thief. Laptops and desktops hold all kinds of private information (often including the access rights and certificates necessary for a hack to get onto the rest of the network).

In order to mitigate the risk, many organizations have encrypted their computers – scrambled the content so that, in theory, if a computer is stolen, the thief gets away with a $2000 doorstop. Unfortunately, that encryption is often completely dependent on the password. If the thief also gets away with the password, they have access to everything and all the organization's defenses are for naught.

Make it very clear to your staff that leaving a password unprotected is a very serious violation of your security policies. If they see an unsecured password, have them report it immediately to their manager or supervisor.

Mike Rossander on 13 August 2007 | Permalink | Comments (0) | TrackBack (0)

Drive-by router vulnerability

If you have a home network or wireless router, it can add a layer of security to your computer. But if you haven't changed the default password on your home router, that can be worse than doing nothing. Hackers have recently developed some new tricks to automatically attack your computer's router just because you were at an infected site. It might not even be the primary site you were visiting – it could be the site hosting one of the ads on the page.

In this attack, hackers use small bits of code that automatically try to log in to the router using the default password. The default password is the one that came on the router when you got it from the manufacturer. It's usually something like "admin", "password", "1234" or sometimes blank. Default passwords are printed in the user manual (which is also available online). An online search for "default password list" turned up over 60,000 sites sharing this information, most of them hacker sites.

In a variation, some local hackers will try the same default password against your wireless router as they drive through your neighborhood.

Once the bit of code has successfully logged into the router, it opens a port. The hacker will later come back to your computer and attack it through that port. One common attack is to send false directions to the computer so that when you attempt to log in to your bank's website, the compromised router instead sends your request to a fraudulent site designed to look and feel like your bank's website. Read this CSOonline article for more.

If you haven't changed the default password, do it today! Follow the router manufacturer's instructions to change the password. Make sure you pick a strong password when you change it.

Mike Rossander on 09 April 2007 | Permalink | Comments (0) | TrackBack (0)

Hackers attack computers every 39 seconds

In the time it takes you to read this entry, two hackers will try to get into your computer.

The Hollywood stereotype of a hacker is a technically-savvy individual trying to get into a specific target computer - the spy trying to breach a military computer, the disgruntled employee vandalizing his former employer or the kid cracking a university system for bragging rights. In fact, most hackers today run brute force attacks using simple software-assisted techniques to randomly attack vast numbers of computers.

According to a Maryland Univ study, computers are attacked on average 2,244 times a day. That's an attack every 39 seconds.

Researchers in this study set up weak security on four computers with internet access, then recorded what happened as the individual machines were attacked. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords trying to break into a computer.

The most commonly guessed usernames were root, admin, test, guest, info, adm, mysql, user, administrator and oracle. The most common password-guessing technique was to use variations of the username. About 43 percent of all attempts simply reentered the username. The username followed by 123 was the second most-tried choice. Other common passwords included blank (that is, no password set), 123456, password, passwd, 123, test, asdf, qwerty and variations based on the date (such as January07).

Once hackers gain access to a computer, they set up back doors so they can easily regain access later, turning the target computer into part of their botnet which they will later either use directly or lease to other hackers so they can send out spam, attack yet more computers, run distributed denial of service attacks, etc.

Never use the kinds of usernames and passwords identified in this research. If your computer came with a default administrator or guest account, change the accountname immediately.

Always choose longer, less obvious passwords with combinations of upper and lowercase letters and numbers that are not as obvious to brute-force dictionary attacks. If your system can handle it, whole sentences make very strong passwords that are still easy to remember and to type.

Mike Rossander on 26 March 2007 | Permalink | Comments (0) | TrackBack (0)

Resolve to pick stronger passwords in 2007

Resolve to pick stronger passwords for the New Year.

A surprising number of people still think that January07 is a good password. Admittedly, it does pass the Microsoft password-complexity rules. It has an upper-case letter, several lower-case letters and two numbers. The problem is that it's an English word with the capital letter at the front and the numbers at the end. English-speakers have a natural tendency to follow this pattern. We know it – and the hackers know it too. That password can be cracked in under 30 seconds.

Pick whole sentences for your password. A whole sentence (including spaces and punctuation) makes a very strong password that is easy to remember and to type. Windows accepts any key on the keyboard in your password (and some that aren't on your keyboard) and allows it to be up to 127 characters long. You only need a 4 or 5 word sentence to make a very strong passphrase. I particularly like sentences from children's counting books.

For systems with limits on password length or allowable characters (like mainframe accounts), you can keep your passwords in synch by using rules to transform your sentence into a shorter code. For example, you could start with the number of words in the sentence, then take the second and last letters of each word in the sentence, capitalizing each third letter. As long as you follow the same rules each time, you can consistently convert your easy-to-remember passphrase into a strong random-looking password.

Remember – your password is the key to all of your electronic defenses. Keep it safe, never share it and pick them strong enough that they can not be easily cracked.

Mike Rossander on 02 January 2007 | Permalink | Comments (0) | TrackBack (0)

Stored password vulnerability

If you have your internet browser set to store your usernames and passwords, disable it immediately.

A vulnerability was just discovered in the both Microsoft's Internet Explorer and Mozilla's Firefox browsers which allows a hacker to create a fake login page. When your browser auto-fills the username and password into the form, the data is passed off to the hacker.

This vulnerability has been named a "reverse cross-site request" vulnerability by its discoverer, Robert Chapin. It has been found on at least one MySpace.com page and is a risk to any user who goes to forum or blog websites.

So far, there is no known fix except to disable the password fill-in feature.

In Microsoft Internet Explorer, use the menu to go to Tools/Internet Options. On the Content tab, select AutoComplete and make sure that "Usernames and passwords on forms" is not checked. (If the entire line is grayed out or "ghosted", you are okay.) You might want to click the "Clear Passwords" button while you're here just in case there were some in history.
In Firefox, use the menu to go to Tools/Options. On the Security tab, make sure that "Remember passwords for sites" is not checked. Click on the "Show Passwords" button to remove any that have been saved previously.

Mike Rossander on 28 November 2006 | Permalink | Comments (0) | TrackBack (0)

Remembering your passwords

For years, security professionals said "Never write down your password." In many situations, that's still good advice. Anything you write down can be lost or stolen. But when you have dozens of passwords, PINs and other security codes - some work-related, many personal, some static, some changing regularly, some simple, some complex, some used daily, others that go weeks between uses - it's hard not to. If you cannot memorize your passwords and must write them down, here are the ways for doing it at reduced risk.

Don't store your passwords on your computer. It doesn't matter how well you hide the file, hackers know how to search the contents of your computer to find likely password files.
Don't record the complete password. Write down just enough to remind yourself of the rest of it.
Keep the password hints with you at all times. Your wallet is a good place. Don't leave the list in your desk or under your keyboard. Hackers and thieves know where to look.
If you have a PDA or Blackberry, use a secure, approved password vault on the device. These applications use strong encryption to protect your password list.
If the list is out of your control even briefly, quickly change your passwords to maintain their security.

Mike Rossander on 10 July 2006 | Permalink | Comments (0) | TrackBack (0)

Keeping your customers SAFE

This article was originally published in the Oct/Nov 2005 edition of The Agent Newsline, a publication of Westfield Insurance.

Based on recent identity theft events, it is clear that U.S. businesses are operating in an increasingly hostile environment. Identity theft remains the fastest growing category of crime in the U.S. Criminals are getting more creative and more technologically adept every day. In this age of rapidly rising threats, every company needs to take serious steps to ensure the security of the private information in their custody.

What does Westfield do to keep your information safe?
Westfield holds private infromation in trust for you and our policy holders. Rest assured, we take our responsibilities seriously. We have never suffered a serious compromise of our data or systems and work hard to keep it that way. Here's how:

Dedicated security team. In early 2005, Westfield created and filled new roles dedicated specifically to information security. These people are charged with the coordination and continuous improvement of information security. We also formed a corporate security response cabinet with responsibility for all security-related issues. This group was formed in recognition of the increasingly blurry distinction between the physical and the electronic perimeters.
Password protection. Westfield has password complexity standards and requires our employees to change passwords every 60 days. We continuously upgrade hardware and software in order to make sure our systems are patched for security vulnerabilities.
External defense. We also commission external vulnerability scans and penetration tests. With your interests in mind, we regularly conduct internal scans of our systems and defenses and use that information to improve our systems.
Disaster plan. Westfield also has moved aggressively to guarantee our ability to operate even after a potential physical disaster. Mainframe data is mirrored real-time to an off-site facility. In addition, we conduct semi-annual tests of our business continuity plans.
Mandatory shredding policy. All office paper must be shredded. Even in this electronic age, most identity theft occurs as a result of access to physical copies of the information.

We want you to know that we take precautions to protect the private informaiton you've entrusted to us.

Shredding... It's now the law

The Federal Trade Commission's regulation on the disposal of information went into effect on June 1, 2005. According to the regulation, any information about an individual that is derived from a consumer report or is a compilation of such records must be properly destroyed. Much of the information routinely used in insurance operations has some connection to a consumer report and is covered under this regulation.

Failure to comply with the regulation could result in fines and/or in lawsuits if the information is misused to commit identity theft. This law implements the "disposal provision" of the Fair and Accurate Credit Transaction Act of 2003 (FACTA).

For more information on the FTC regulation, visit www.ftc.gov and search on "disposal".

The regulation includes several examples of ways to comply and to ensure that the consumer's private information remains protected during the disposal process. Westfield requires that all papers be secured until they are ready for disposal and has contracted with an accredited shredding company to make sure that the papers are thoroughly and properly destroyed.

Mike Rossander on 30 October 2005 | Permalink | Comments (0) | TrackBack (0)