Safer Computing: 28/11/15


Wally
28th November 2015, 08:21 AM
B U L L E T I N (ID: HKRI-A4NKU7)

Amazon has sent out a number of emails to its customers, informing them that their account password has been reset because their information may have been compromised.

It serves as a timely reminder of the importance of good password management, including having a unique password for every online account you have, as well as regularly changing those passwords.

W E B L I N K S By welivesecurity: -> http://www.welivesecurity.com/2015/11/25/amazon-resets-customer-passwords-black-friday-approaches/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

jdal
28th November 2015, 08:26 AM
Agreed, and using a reliable, secure password manager I find to be essential or you have to write them down places. I use PasswordSafe (http://passwordsafe.sourceforge.net/), which I also use for storing all my software license keys, codes, router userid & passwords etc.

OM USer
28th November 2015, 02:39 PM
I'm not keen on someone arbitrarily changing my password. Being forced to do it myself when I next log in (and then validating it via a link in an email sent to the linked email address) is one thing, but having it changed and being told my new one does not strike me as all that safe.

My Microsoft Windows account forced me to change my password recently but will not let me change it back to any of my previous ones (apparently this is part of their password policy).

pandora
28th November 2015, 09:50 PM
When I hear the word "Password" I reach for my revolver.

I advocate that all internet passwords be abolished and all sites be open to all.
Therefore no confidential information could be posted, rendering hackers redundant.
Website vandalism would be a double edged sword that would quickly destroy the internet.

We could then all go back to what we enjoyed doing over half a century ago:
Oly OMs, Pentax Spotmatics, listening to the Beatles, Rolling Stones and Elvis, etc.
No mobile phones, driving stylish cars, dating pretty girls in pretty frocks, Oh dear, what a wonderful world it was!

(Even without McDonalds!) *burger

Zuiko
28th November 2015, 10:14 PM
Agreed, and using a reliable, secure password manager I find to be essential or you have to write them down places. I use PasswordSafe (http://passwordsafe.sourceforge.net/), which I also use for storing all my software license keys, codes, router userid & passwords etc.

But surely if PasswordSafe is hacked they get all your passwords at once! :eek:

pandora
28th November 2015, 10:52 PM
But surely if PasswordSafe is hacked they get all your passwords at once! :eek:

I rest my case! :D

PeterBirder
29th November 2015, 12:08 AM
But surely if PasswordSafe is hacked they get all your passwords at once! :eek:

Hackers cannot hack pieces of paper.;)

Recent hacking episodes suggest that hackers now focus their attentions on the organisations that require password "protection" (Banks, retailers and Governments etc. ) so that they can obtain passwords etc. "wholesale" as it were which is much more efficient.:rolleyes:

Any security/encryption system etc. relying on technology can ultimately be defeated by technology. Every time you devise a "better" system the opposition will find a "better" way to counter it.
The only way to possibly overcome this cycle is to do something apparently illogical which only the MkI human brain is capable of.
I am reminded of a passage from the autobiography of the brilliant R. V. Jones who was "Assistant Director of Intelligence (Science)" in WWII. The RAF had set up a radar station in Malta and the Germans responded by setting up a jammer which completely obliterated its capability. R. V. Jones was consulted on what to do and advised to continue operating the radar as if nothing had happened. After a few weeks the Germans deduced that their jammer was ineffective and moved it elsewhere. The RAF radar then continued to operate successfully for the remainder of the war.

Regards.*chr

Zuiko
29th November 2015, 09:07 AM
Hackers cannot hack pieces of paper.;)

Recent hacking episodes suggest that hackers now focus their attentions on the organisations that require password "protection" (Banks, retailers and Governments etc. ) so that they can obtain passwords etc. "wholesale" as it were which is much more efficient.:rolleyes:

Any security/encryption system etc. relying on technology can ultimately be defeated by technology. Every time you devise a "better" system the opposition will find a "better" way to counter it.
The only way to possibly overcome this cycle is to do something apparently illogical which only the MkI human brain is capable of.
I am reminded of a passage from the autobiography of the brilliant R. V. Jones who was "Assistant Director of Intelligence (Science)" in WWII. The RAF had set up a radar station in Malta and the Germans responded by setting up a jammer which completely obliterated its capability. R. V. Jones was consulted on what to do and advised to continue operating the radar as if nothing had happened. After a few weeks the Germans deduced that their jammer was ineffective and moved it elsewhere. The RAF radar then continued to operate successfully for the remainder of the war.

Regards.*chr

I love that anecdote, Peter. Often it pays to think outside the box. :D

jdal
29th November 2015, 09:12 AM
To find my passwords someone would need to:
(a) Seek out my computer
(b) get through my firewall/antivirus software
(c) find my PasswordSafe file in amongst a terabyte of data
(d) get past the encryption of the password database (long complex password)
(e) decrypt the encrypted passwords
(f) work out which accounts they relate to.
The password encryption methodology the software uses is known as Twofish and has never been broken. * (correction - never knowingly broken.)

The commonest way hackers get into data is to use brute force, grab a copy of the data and just repeatedly try different passwords on their own machine. They then have Amazon's credit card data, or whoever they attacked. Writing passwords on a bit of paper does not protect you against that because it isn't your computer that's being hacked.

The MOST important thing is to use different passwords and make them long and complicated, something that software is very good at and people are bad at. As an example here's a short one I just generated "I7p5y^HgL(4_". Writing passwords down just encourages people to use memorable (aka weak) ones.

If you're really paranoid you can store the Password database on a secure memory stick like IronKey.

Something to bear in mind is that not all organisations have equal security standards, trust no-one! I'm currently writing a website for a climbing club and I'm aware that I have a duty of care to the users to store their passwords so they CANNOT be systematically retrieved in their original form, I'm not sure everyone does that.
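As an added example (not code from this thread, from the club website mentioned above, or from PasswordSafe), the following shows the two points jdal makes in working form: a site storing passwords so they cannot be retrieved in their original form (a per-user random salt plus a slow key derivation, PBKDF2-HMAC-SHA256 here), and why a long software-generated password survives the offline "grab a copy and guess on your own machine" attack where a memorable one does not. The iteration count, the sample wordlist and the demo passwords are assumptions constructed for the example; it uses only the Python standard library.

```python
"""Added example: salted, stretched password storage and offline guessing.
Not code from the thread, the club site or PasswordSafe. Standard library only."""
import hashlib
import hmac
import math
import os
import secrets
import string

# Alphabet like the one that produced "I7p5y^HgL(4_" above:
# letters, digits and printable punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Work factor for PBKDF2. Assumed value for this example; in practice pick the
# largest count that keeps login latency acceptable on your server.
ITERATIONS = 200_000
SALT_BYTES = 16


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table is useless against the dump.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt/iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def offline_guess(record: str, wordlist):
    """What an attacker does with a stolen copy of the user table: try
    candidates on their own hardware. Returns the recovered password or None.
    Every guess costs the full iteration count, which is the point of stretching."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


def demo():
    """Constructed demo: a memorable password falls to a tiny wordlist,
    a 12-character generated one does not. Low iteration count only so the
    demo runs quickly."""
    wordlist = ["password", "letmein", "climbing", "Climbing1", "123456"]
    weak_record = hash_password("Climbing1", iterations=1000)
    strong_record = hash_password(generate_password(12), iterations=1000)
    return {
        "weak_recovered": offline_guess(weak_record, wordlist),
        "strong_recovered": offline_guess(strong_record, wordlist),
        "bits_for_12_chars": round(entropy_bits(12), 1),
    }


if __name__ == "__main__":
    print(demo())
```

The record format keeps the algorithm and iteration count next to the hash, so the work factor can be raised later and old records re-hashed on the user's next successful login. Storing the plain hash of the password, or a reversible encryption of it, is exactly the "systematically retrievable" case the post warns against.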

Zuiko
29th November 2015, 09:17 AM
To find my passwords someone would need to:
(a) Seek out my computer
(b) get through my firewall/antivirus software
(c) find my PasswordSafe file in amongst a terabyte of data
(d) get past the encryption of the password database (long complex password)
(e) decrypt the encrypted passwords
(f) work out which accounts they relate to.
The password encryption methodology the software uses is known as Twofish and has never been broken.

The commonest way hackers get into data is to use brute force, grab a copy of the data and just repeatedly try different passwords on their own machine. They then have Amazon's credit card data, or whoever they attacked. Writing passwords on a bit of paper does not protect you against that because it isn't your computer that's being hacked.

The MOST important thing is to use different passwords and make them long and complicated, something that software is very good at and people are bad at. As an example here's a short one I just generated "I7p5y^HgL(4_". Writing passwords down just encourages people to use memorable (aka weak) ones.

If you're really paranoid you can store the Password database on a secure memory stick like IronKey.

Something to bear in mind is that not all organisations have equal security standards, trust no-one! I'm currently writing a website for a climbing club and I'm aware that I have a duty of care to the users to store their passwords so they CANNOT be systematically retrieved in their original form, I'm not sure everyone does that.

I stand corrected. *chr

Jim Ford
29th November 2015, 09:30 AM
The password encryption methodology the software uses is known as Twofish and has never been broken.

You can never be sure that an encryption system hasn't been broken. If a security agency breaks a system it will be a very closely guarded secret. In fact, it would be the most valuable secret they possess.

Jim

jdal
29th November 2015, 09:48 AM
You can never be sure that an encryption system hasn't been broken. If a security agency breaks a system it will be a very closely guarded secret. In fact, it would be the most valuable secret they possess.

Jim

Indeed, but it isn't security agencies I'm protecting my data from. ;)

Was it not the development of these algorithms that had governments in a tizzy in the 1990's precisely because they feared they'd NEVER be able to spy on data again? I think the software was classed as a munition by the US government. And there was an attempt to enforce something called "Key Escrow" where a "trusted" 3rd party kept the capability to decrypt things. Dunno if that ever happened, I guess not.

Jim Ford
29th November 2015, 10:33 AM
Was it not the development of these algorithms that had governments in a tizzy in the 1990's precisely because they feared they'd NEVER be able to spy on data again? I think the software was classed as a munition by the US government.

Yes, IIRC it was the RSA (Rivest, Shamir, Adleman) public key encryption system that was classed as 'munitions' and required the US government to authorise its export. The problem arose when someone (I can't remember the name) released the algorithm on the 'net, and whether this action classed as 'export'. If the 'rap' stuck, the culprit stood to serve something like 999 years in a Federal jail! The furore just fizzled out.

Jim