Improve Your Security


Everything you wanted to know about computer security and didn't know who to ask

Sorin Mustaca

This book is for sale at http://leanpub.com/Improve_your_security
This version was published on 2013-06-07

This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do. 2013 Sorin Mustaca

Tweet This Book!


Please help Sorin Mustaca by spreading the word about this book on Twitter! The suggested hashtag for this book is #improve_your_security. Find out what other people are saying about the book by clicking on this link to search for this hashtag on Twitter: https://twitter.com/search/#improve_your_security

Contents

1. Complex passwords aren't always better
   1. To login on a computer
   2. To login to a service (like email, website, etc.)
   What's the solution?
2. Securing your notebook
   Active measures
   Passive measures
3. Online Protection
   Layer 1
   Layer 2
   Layer 3
4. Update your Software often
   Our house
5. Use dedicated accounts for each user
   What's to be learnt from this story?
   Additional advice to be considered
   How did the story with the fighter end?
6. Harden your Facebook account
7. Password protect your smartphone
8. Change the default passwords
9. Create good passwords
   What is a hash?
   What can a company that stores passwords do to prevent cracking of passwords?
   What can you do?
   How about other methods to manage passwords?
10. Make backups
   But, what exactly does backup mean?
   Simple backups
   Complex backups

1. Complex passwords aren't always better


This article is the first in a series of technical advice on how to improve your IT security at home and at work.

To be honest, I hate passwords and PINs. Those of you who have more than one email address, account or bank card know exactly what I mean. To make things worse, these days it seems we need a password everywhere, recently also on credit cards in order to make more secure payments online. These passwords are so complex that it is hard to remember them. Of course, you are not one of those who use one password for all accounts. This is a very bad practice, because someone who gets your password can potentially track your username across many websites and impersonate you.

But let's be realistic and leave our feelings aside: passwords are usually the first line of defense against unauthorized access, and when encryption with keys is not used, often the only one. They protect your personal information. If a password also gives you access to a company's intranet, then it is also the key to the entire company's network.

This article does not intend to be a guide to making better passwords. There are plenty of resources on the Internet (just search for "guide to make good passwords"). The scope of this article is to raise awareness of a practice which many network administrators use to create secure passwords which, sometimes, users can't even change. I am talking about something like this:

Cz>Iah]-_zH7s>Spha)

This is a highly secure password: 20 random characters, small and capital letters, special signs. This is a perfect password from a security point of view. But can you remember it? Can anyone remember it? I doubt it very much. So what's the solution to be able to use this password? It depends on where the password has to be used.

1. To login on a computer.
No matter how absurd it seems to have such a complex password, I am sure that similar passwords are used in the world. Maybe not 20 characters, but the memory of a normal person can't really hold such complex random passwords longer than 6-8 characters, and even that only with a lot of repetition. So, what will people do in order to use such a complex password? They will obviously write it down and keep it at hand. Actually, as far as I could research, in some places the administrators hand out the passwords written on a piece of paper so that the user can always have it at hand.


What are the risks of such a practice? Obviously, anyone can read it, make a copy of it and use it without your knowledge. This can lead to data leakage, compromised network security and many other dreadful things for a security administrator.

2. To login to a service (like email, website, etc.)


In this case the situation is not as bad as in the first case, but nevertheless the password has to be kept somewhere on the computer in written form. If the website is not secured, the browser will usually offer to remember it, but if it is secured, you have to enter it every time you want to log in. If you want to log in to that service from another computer or place, you have to physically carry the password with you. Either you write it on a piece of paper as in the first case, or you save it on removable media. So, the possibilities in this case are reduced to a USB stick or a smartphone. What's the risk here? Removable media can be lost or stolen. The same applies to a piece of paper. Because usually many passwords are required, they are written down together with the address of the service they belong to. So, you've shown the door and handed the key to a complete stranger.


What's the solution?


There is only one solution for this kind of problem: make these complex passwords one-time passwords and force the user to change them upon first login. Also make sure that you enforce the use of strong passwords on the server side. Ideally, let all passwords expire, just in case an employee leaves the company and his account is supposed to expire. This also helps to mitigate the danger of users who write down their passwords despite having been able to set them as they wanted.
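The server-side lifecycle described above, written out as an added example (not the author's code): the administrator issues a random one-time password that must be changed at first login, strength is checked on the server, reuse is refused and every password expires. The policy values (12 characters, 90 days, the short deny list) are assumptions chosen for the illustration.

```python
"""Server-side password lifecycle: one-time initial password, forced change at
first login, strength enforcement, no reuse, and expiry. Added illustration."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 12                        # assumed policy values
PASSWORD_LIFETIME = timedelta(days=90)
ONE_TIME_LIFETIME = timedelta(days=1)  # an unused initial password dies quickly
KNOWN_BAD = {"password", "welcome1", "changeme", "12345678"}  # constructed deny list


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool        # True while the administrator-issued password is in use
    expires_at: datetime
    history: list = field(default_factory=list)  # (salt, digest) of former passwords


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is what the standard library offers; a dedicated password hash
    # such as bcrypt or Argon2 would be preferred in a real deployment.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_strength(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(ch in cls for ch in password) for cls in classes) < 3:
        problems.append("needs three of: lowercase, uppercase, digits, punctuation")
    if password.lower() in KNOWN_BAD:
        problems.append("well-known password")
    return problems


def issue_initial_password(username: str, now: datetime):
    """Administrator creates the account; the random password is shown once."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    temp = "".join(secrets.choice(alphabet) for _ in range(20))
    salt = os.urandom(16)
    account = Account(username, salt, _hash(temp, salt),
                      must_change=True, expires_at=now + ONE_TIME_LIFETIME)
    return account, temp


def login(account: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'bad-password', 'expired' or 'change-required'."""
    if not hmac.compare_digest(_hash(password, account.salt), account.digest):
        return "bad-password"
    if now >= account.expires_at:
        return "expired"
    if account.must_change:
        return "change-required"
    return "ok"


def change_password(account: Account, old: str, new: str, now: datetime) -> list:
    """Replace the password; returns policy violations, empty on success."""
    if not hmac.compare_digest(_hash(old, account.salt), account.digest):
        return ["current password is wrong"]
    problems = check_strength(new)
    used_before = [(account.salt, account.digest)] + account.history
    if any(hmac.compare_digest(_hash(new, s), d) for s, d in used_before):
        problems.append("new password was used before")
    if problems:
        return problems
    account.history.append((account.salt, account.digest))
    account.salt = os.urandom(16)
    account.digest = _hash(new, account.salt)
    account.must_change = False
    account.expires_at = now + PASSWORD_LIFETIME
    return []


def scenario():
    """Walk one account through its life; returns the observed outcomes."""
    now = datetime(2013, 6, 7)
    acct, temp = issue_initial_password("alice", now)
    out = {"wrong": login(acct, "wrong", now),
           "first": login(acct, temp, now),
           "stale_temp": login(acct, temp, now + timedelta(days=2)),
           "weak": change_password(acct, temp, "Short-1", now),
           "changed": change_password(acct, temp, "Correct-Horse-Battery-9", now)}
    out["old_after_change"] = login(acct, temp, now)
    out["ok"] = login(acct, "Correct-Horse-Battery-9", now)
    out["expired"] = login(acct, "Correct-Horse-Battery-9", now + PASSWORD_LIFETIME)
    out["reuse"] = change_password(acct, "Correct-Horse-Battery-9",
                                   "Correct-Horse-Battery-9", now)
    return out
```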

2. Securing your notebook


Quite a lot of people now take their netbook or smartphone with them when travelling. Because of this, almost every quarter of the year we read stories about sensitive personal data that was lost because some laptop or USB stick got stolen. Moreover, with the rise of mobile devices like smartphones, tablets and pads, anyone can carry gigabytes of data anywhere. All these problems can disappear if we simply encrypt the data, no matter where we carry it. But, while encrypting each file is the most secure method, it is also the most inconvenient of all. In this article I will describe simple, effective and free methods of securing your devices. There are several layers of protection possible for the information on your laptop.

Active measures:
- Set up a BIOS password
- Set up a Power On password
- Protect the hard drives from being accessed in any way by setting up an HDD activation password
- Protect the operating system from being accessed by setting up user authentication using a password and/or fingerprint recognition

With these areas protected, even if the device is stolen or lost, it is, more or less, just a useless but expensive piece of hardware. Of course, there are ways of overriding the BIOS protection, but I really don't think that anyone would invest so much as to exchange some chips on the motherboard just to get access to the laptop. The user has to type a password in order to proceed further. Layers 1, 2, 3 and 4 belong to this category. In these cases, the user first has to set up a password in the respective area, as follows:

BIOS
At startup, press F2, F10 or ESC (depending on the manufacturer of your device) and go to Security. Choose Password and set up a 6-12 character alphanumeric password. While in the BIOS, under Security:

Power On
Choose Power On password. This password will be asked for before booting the device. Failing to authenticate prevents the device from starting the boot sequence.


Hard drive
Once the first level of boot initialization has taken place (initialization of the hardware parts), the hard drives have to be enumerated in order to select the bootable one from which to start the operating system. Failing to provide this password completely deactivates that hard drive, but still allows booting from another device (HDD, CD/DVD, USB stick) installed on the computer.

User authentication
This forces the user to enter a password upon login, instead of just clicking on an icon. Unfortunately, the default installation of Windows is intended to make the login easy, not secure. In order to activate this login mode, go to Control Panel, User Accounts, Manage the way users log on, and choose that users must enter a password in order to log on. Some laptops also allow adding a fingerprint in addition to the password. This is an easier way to secure your data if you don't like typing a password each time.

Passive measures:
- Protect the data on the hard drive(s) by encrypting the data
- Work as a non-privileged user
- Deactivate booting from USB devices, CD/DVD and network
- Deactivate automatic execution of the autorun file for USB devices

The user doesn't have to do anything after setting up the protection method. Layer 1 of the passive range, encrypting the data on the drive, belongs to this category. The tool I present in this article is called TrueCrypt. This article is not a replacement for TrueCrypt's tutorial, but rather a summary of what is possible to do with this tool and how this may help secure your data.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or the correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, the contents of every file, free space, metadata, etc.). The advantage of TrueCrypt is that it integrates perfectly with your operating system and that it is cross-platform (Windows, Mac, Linux). This means that a drive or container file encrypted on any of the supported operating systems can be decrypted on any of the other supported operating systems.

In order to start using TrueCrypt, you must choose one of the three methods available: encrypt a partition, create a TrueCrypt file, or encrypt the entire disk, including the bootable partition. I strongly recommend the second option: create a TrueCrypt file. The reason for this is that this way you have a single file which contains all your data, and you can (and you should) create a backup of that file. The only problem with this method is that if this file gets damaged, then you have probably lost all your data. However, I have been using TrueCrypt for at least 5 years and I have never had a problem. But this can happen, so this is why I do not recommend this method as a replacement for traditional backup software, but only as a secondary emergency measure. If you don't change your laptop as often as I do, then the first method (encrypt an entire non-bootable partition) is also a very good choice. I do not recommend the third option, encrypting the boot partition, because I don't know any software except Microsoft's BitLocker that can do a good job in any circumstance. But BitLocker is available only on the high-end Windows versions, and I promised to talk about a completely free solution. The Beginner's Tutorial describes how to create a TrueCrypt volume.

Once you have created the TrueCrypt container, you can assign a drive letter to it and then start using it normally. I also suggest adding it to the Favorites so that it is automatically mounted on startup.


After the drive letter is created, you can access your encrypted container like any normal drive. A tip on how to force Windows XP to save your information in this container: open an Explorer window, right-click on My Documents (or Documents if you have Windows 7) and choose Properties.


The first thing that pops up is a Target folder location screen. Click the Move button and choose the drive created from the TrueCrypt container on your computer. In Windows 7 this is done more elegantly, and you can include your encrypted drive in the Documents library.


3. Online Protection

It is usually said that those who are behind a hardware router are protected from any danger. This is true with regard to the connections that come from outside, but it is not true for the dangers which come from inside the local network. We must not forget that most threats land on users' computers via email or web traffic (either drive-by downloads or web bugs and exploits). Thus it is important to use multiple layers when it comes to online protection. For the sake of simplicity, I separated the protection layers into three areas: the external area, the network and the personal area.

In each of these layers, protection mechanisms have to make sure that each category of threat is filtered before it does any damage to the end user.

Layer 1
This security layer has to ensure that only the authorized applications are allowed to receive and send data to other computers on the Internet. It mustn't filter any connections which take place inside the network area. This effect can be produced either with a hardware device or with software and, in general, with a combination of both. Hardware devices are hardware firewalls, routers, modems, NAT servers, and so on. Any device which can control the network traffic coming from or going to outside the network can be used here. Software firewalls installed on each device which connects to the network have the same role.

Special devices
A special category of hardware which resides at this level is represented by proxies, network monitors and network intrusion detection devices.

Proxies are devices which take over from the user the responsibility of communicating with the external network. This makes them extremely important, because if they fail, the user is directly exposed to the raw, unfiltered data coming from the Internet. Examples of proxies are web proxies (Apache, Squid, IIS, etc.) and SMTP servers.

Monitoring involves examining network traffic, activity, transactions, or behavior to detect security-related anomalies. In medium to large companies there should be special appliances or computers which filter and monitor the network traffic according to some policies. Monitoring can also be implemented per protocol, so such functions can be found in web proxies, mail proxies and so on.

A network intrusion detection system (NIDS) attempts to identify inappropriate activity on the network. It provides the same functionality as a burglar alarm system: in case of a possible intrusion, the system issues an alert. A NIDS works on the principle of comparing new behavior against normal or acceptable behavior previously defined. Usually, a NIDS device listens to the network traffic and when it finds something unusual it reacts accordingly:
- it creates a dynamic firewall rule to prevent a DoS
- it saves the packets for further analysis
- it informs various entities that an attack is taking place
- it terminates connections

So, if monitoring is the passive element, a NIDS is the active element in a network.
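The NIDS reaction list above in miniature, as an added example that is not part of the book: a sensor compares each source's connection rate against a predefined "normal" rate and, on a deviation, pushes a dynamic firewall rule, keeps the offending packets and raises an alert. The log line format, the thresholds, the iptables rule syntax and the traffic (documentation-range addresses) are all constructed for this illustration.

```python
"""Behaviour-based intrusion detection in miniature: watch connection attempts
per source, and when one exceeds the accepted rate, add a dynamic firewall rule,
save the packets for analysis and alert the administrators. Added example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed one-line-per-packet log format (constructed for this example):
#   <ISO timestamp> <source ip> -> <destination ip>:<port> <TCP flag>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flag>\w+)$")

WINDOW = timedelta(seconds=10)  # "normal behaviour" is judged per 10 s window
MAX_SYN_PER_WINDOW = 20         # assumed threshold; more than this is a flood


class Nids:
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> (timestamp, raw line) in window
        self.blocked = set()               # sources with an active dynamic rule
        self.firewall_rules = []           # rules pushed to the firewall, oldest first
        self.evidence = defaultdict(list)  # src -> saved raw lines for analysis
        self.alerts = []                   # messages sent to the administrators

    def feed(self, line: str):
        """Process one log line; returns a verdict, or None for ignored lines."""
        m = LINE_RE.match(line.strip())
        if not m or m["flag"] != "SYN":
            return None  # malformed or uninteresting: never crash the sensor
        src = m["src"]
        ts = datetime.fromisoformat(m["ts"])
        window = self.recent[src]
        window.append((ts, line))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()  # forget attempts older than the window
        if src in self.blocked:
            self.evidence[src].append(line)  # keep collecting while blocked
            return "already-blocked"
        if len(window) > MAX_SYN_PER_WINDOW:
            self.react(src, window)
            return "blocked"
        return "ok"

    def react(self, src: str, window):
        self.blocked.add(src)
        # 1. dynamic firewall rule (iptables syntax assumed for the edge firewall)
        self.firewall_rules.append(f"iptables -I INPUT -s {src} -j DROP")
        # 2. save the packets that led to the decision
        self.evidence[src].extend(raw for _, raw in window)
        # 3. inform the people who have to act on it
        self.alerts.append(
            f"{src}: {len(window)} SYN in {WINDOW.seconds}s exceeds {MAX_SYN_PER_WINDOW}")


def analyse(lines):
    """Run the sensor over a list of log lines; returns (sensor, verdicts)."""
    sensor = Nids()
    return sensor, [sensor.feed(line) for line in lines]


def sample_log():
    """Constructed traffic: one quiet client and one flooding source."""
    base = datetime(2013, 6, 7, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} "
             f"192.0.2.25 -> 192.0.2.10:80 SYN" for i in range(5)]
    lines += [f"{(base + timedelta(milliseconds=100 * i)).isoformat()} "
              f"198.51.100.7 -> 192.0.2.10:80 SYN" for i in range(30)]
    lines.append("this line is not in the expected format")
    return lines
```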

Hardening the devices


No matter how intelligent the devices at this layer are, they have the same problem as all other devices which operate at any layer: they have bugs which can be exploited. Bugs can be found in the software running on these devices as well as in the hardware. This is why it is important to keep these devices updated and to replace them as soon as a newer and better version is available. A very important factor which makes these devices harder to exploit is to run only the minimum set of services required for the device to perform its functions.


Layer 2
On this layer reside various software applications which can filter the received data for malicious content. This includes web filters (filtering the HTTP and FTP protocols), antispam and antiphishing filters, IM filters, etc. A special category of programs operating at this level are applications which monitor the behavior of other applications. They can be Host Intrusion Prevention Software or a special component of the operating system (like Data Execution Prevention in Windows). Lately, because of the publicity around tools like Firesheep, a new category of programs has started to become more popular: session encryption software. This kind of software can be integrated into a browser and practically encrypts all the data transferred between the user and some websites. Since not all websites have the capability to encrypt the traffic, the effect of such tools remains limited.

Layer 3
This layer is the last and represents the end user. This can be a real person (usually) or a layer of software which performs some tasks automatically. Let's assume that we have a user standing in front of his computer. No software can fully protect the user against all threats. The reason for this is not that the software is bad, but that the security software is not allowed to operate in the same way as the malicious software does. This is why the latter will always have an advantage over the security software: what the malicious software does illegally, the security software has to do with a lot of work and intelligence. So, the last barrier between the fraudsters who want to take control of the user's computer and private data is the user himself. In cyber attacks the human factor plays a very important role: it can decide whether an attack is successful or not. If the user makes sure that the data is correctly structured (not everything in one place) and protected (maybe not necessarily stored locally, but at least encrypted), the damage which an external attacker can do can be close to zero. If the user deactivates the security software for whatever reason, ignores the warnings he receives and provides all kinds of information to any website he sees, then no software can prevent this.

4. Update your Software often


Every week, or even every day, we see new vulnerabilities popping up in all the software packages which we use daily: in the operating system (Windows, Mac, Linux), PDF readers, web browsers, mail clients, office suites, and so on. It is critical to install the available updates for all these software packages in order not to become a victim of malware and online fraudsters.

A neighbour of mine without any IT knowledge asked me some time ago why she should update her programs when everything works perfectly for her and she doesn't need other features from that software. She was using her rather old laptop running Windows 95 only for casual browsing and basic email communication. She didn't have an antivirus solution installed because it was slowing down the laptop significantly. IE6, Outlook Express and Notepad were everything she ever needed and used. She had never heard of Facebook, Twitter, instant messaging or drive-by downloads.

When I am confronted with such a situation, where it doesn't make any sense to explain the dangers of the online world, I try to use simple terms and analogies which everybody can understand. Imagine that your computer is like a house in which you keep your goods and where you live. Of course, just like everybody else, you want to feel comfortable and secure in your house; you want privacy and you want to make sure that no one can steal your goods when you are not at home.

Our house
For comfort, a house needs basic facilities like water, electricity and gas. You may also want certain commodities like TV with cable, a telephone and an Internet connection. For security and privacy, the house needs walls, doors and windows with locks. Depending on where you live, for example in a village or in a big city where the crime rate is higher, you may want to install a burglar alarm to secure your windows and doors. If you live in a country where the winter is very cold, you may want to insulate the walls in order to keep the heat inside.

Just like a house, the computer also needs some basic components to function correctly, and you need some additional elements to give you comfort when using the computer. The basic components are the operating system (Windows, Mac, and so on) with all its elements (drivers, programs), and your commodities are, for example, a web browser, a document reader, an email client and an office suite. If you restrict yourself to the basics and never exchange documents with the external world, you can compare your computer with a house with minimal facilities, or a hut. I doubt that these days this is a real use case for anyone.

Assuming that you are just like the rest of us who need a computer with an Internet connection, the situation looks different. When you are on the Internet, it is as if you have a house in the middle of a big city. Can you imagine it without doors, windows (with blinds) and locks? Of course not, otherwise it would be like a public place and you wouldn't have any privacy or security. So, you need some security elements. For a computer this means that it needs some kind of security software which keeps strangers away from your information. But software which has problems (like security vulnerabilities) is the equivalent of a house which has doors and windows but damaged locks, thus allowing unrestricted access to everyone.

In a house one can enter through the main door, the basement, the windows or a balcony. These elements which can grant access must be closed or locked in order to guarantee your security and privacy. Exactly like in a house, in a computer there are many ways to get access. A vulnerable operating system or program is like a basement door left open, or closed but unlocked, no matter if the main door has the latest generation of security system. This is why it is important to have everything secured, or, in a computer, updated to the latest version.

Security software is like having a security system installed on the main door and windows. Depending on the type of security software, it can make sure that nobody enters through the basement door or other doors. It might even tell you that some locks in the house are damaged and that they should be replaced. Like in an intelligent house, it could even order the replacements for you and call a technician to install them. This is what an update service does for the software on your computer: it downloads and installs the required software for you.

To close the story with my neighbour: I managed to install the Avira AntiVir Personal edition, scheduled Windows to update itself automatically every day, and installed Firefox and Thunderbird as default web and mail clients instead of IE6 and Outlook Express. I also created a free account with an online backup provider and scheduled a synchronization with the cloud every day. This way, her documents were also safe (she didn't have an external hard drive for backups). The old laptop of my neighbour wasn't working significantly slower than before, but now it was like an old house which got renovated: it looks good and it is comfortable, it is secure and provides privacy, but from time to time you hear the floor or the walls making strange noises because the components are old.

With a little help
On a side note, there are various free software solutions which can help identify the applications which need updates because of known security vulnerabilities. Perhaps the best known is Secunia Online Software Inspector (OSI) and its equivalent for installing on the PC, called Secunia Personal Software Inspector (PSI).


5. Use dedicated accounts for each user


I remember that at the beginning of this year a strange piece of news made it around the globe: a 7-year-old child almost bought a British Harrier jet fighter on the online auction site eBay. The price of the plane was around 113 thousand U.S. dollars. How was this possible? The child found the "toy" on eBay while playing on his father's computer and immediately loved it. Seeing a Buy Now button available, he clicked on it and closed the transaction, because his father was logged in on eBay with the credentials saved.

What's to be learnt from this story?


There are two critical things to be learnt, and some others which are also important.

1. The child was able to use his father's computer account. Either the account had no password, or the child knew the password of the account. Always make sure that every user of the computer is using a different account and that those accounts are protected with a password. This has advantages for everybody:
- privacy: each user can protect his data from the others (even from the administrator if he wants, using ACLs)
- security: if one account gets infected with malware, the chances of infecting everybody else using that computer are considerably reduced
- the possibility to have different settings for almost everything: every user can have his/her own background picture, shortcuts, email and browser settings. Let's not forget also that you don't want everyone to see who your friends in your instant messaging program are.

2. The child was able to purchase something on behalf of his father. Because the computer had already stored the session cookie of his father's eBay account, he only had to open the browser and everything was available to him. eBay is built in such a way that with one click anyone can purchase anything (without limits), and even if the user doesn't have the money in reality (e.g. a credit card is registered as the default payment option) the merchandise can be purchased. The problem in this situation was that the login session is persistent. While this makes everything easy for the user, it also exposes the user to such dangers. The solution to this problem is to not save the password in the browser and to not allow the website to create a persistent cookie. Unfortunately, the default on eBay (both .com and .de) is to keep the user signed in.

Additional advice to be considered:


Always set a password on your computer account. Microsoft still doesn't understand that it has to enforce this, but they are more interested in usability than in security. Set your computer to automatically lock the session after a timeout. You can do this starting from the Power Settings or from the Screen Saver (it depends heavily on the Windows version you are using).

How did the story with the fighter end?


Actually, they weren't able to pay for it, as this was not really a bargain. So, they explained the situation and asked the owner of the jet fighter to cancel the auction.

6. Harden your Facebook account


Nowadays social media is a significant part of our everyday lives. We must make sure that we keep this part of our lives under control. Failing to do so may have significant repercussions, like identity theft (somebody impersonating your online profile). Facebook is by far the most used social media portal. This is why it is important to have this account carefully configured, so that no one except you can access it. In order to configure the access to your Facebook account, you must go to Home -> Account Settings. You will see a menu like the one below.

After choosing the first option, you must select from the left side menu the second entry, Security:

You can select a couple of options in this window. Read below what each of them means.

Secure Browsing: if activated, no matter where you are, as soon as you log in to your account you will use Facebook over an encrypted connection. It is highly recommended to always activate this option.

Login Notifications: can notify you when your account is accessed from a computer or mobile device that you haven't used before. There are two notification methods available: email and text message. It is highly recommended to use at least email.

Login Approvals: requires you to enter a security code each time an unrecognized computer or device tries to access your account. Recommended to be activated. This requires a mobile phone to be set up in the account.

App Passwords: if Login Approvals is activated, some apps might not be able to function because they are not ready to work with codes. Instead, you can generate a password for these apps which is different from your Facebook password. This allows more granular control over your security. Highly recommended if you use third-party apps.

Recognized Devices: Facebook will store a cookie on your device as soon as you log in. If that cookie is no longer found, Facebook will consider the device you are using a new one and will ask for authentication. If you use many computers, enabling this option is highly recommended.

Active Sessions: this option allows you to remotely control the sessions which are using your account. This means nothing else than removing, on the server side, the session that was created on login, so that the cookie holding it stops working. If you think that your account was misused, the first thing to do is to end all active sessions and change your password.

The last option on this page is to deactivate your account. Think twice before doing this.
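Two of the points above, the persistent "keep me signed in" cookie from the eBay story in chapter 5 and the server-side "end all active sessions" described here, shown in one added example that is neither the book's nor Facebook's code. The session store, cookie names and the 30-day lifetime are assumptions; only the standard library is used.

```python
"""Server-side sessions: a session cookie (dies with the browser) versus a
persistent "keep me signed in" cookie, listing the active sessions of a user and
ending them all on the server, so that stored cookies stop working. Added example."""
import secrets
from datetime import datetime
from http.cookies import SimpleCookie

PERSISTENT_DAYS = 30  # assumed lifetime of a "keep me signed in" cookie


class SessionStore:
    def __init__(self):
        self.sessions = {}  # token -> {"user", "device", "created", "persistent"}

    def login(self, user: str, device: str, now: datetime, keep_signed_in=False):
        """Create a session and return (token, Set-Cookie header value)."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device": device,
                                "created": now, "persistent": keep_signed_in}
        return token, set_cookie_header(token, keep_signed_in)

    def user_for(self, token: str):
        """Resolve a cookie token; None once the session was ended server-side."""
        s = self.sessions.get(token)
        return s["user"] if s else None

    def active_sessions(self, user: str):
        """What the 'Active Sessions' page lists: every live session of the user."""
        return [dict(token=t, **s) for t, s in self.sessions.items() if s["user"] == user]

    def end_all_sessions(self, user: str, keep_token=None) -> int:
        """Delete the user's sessions on the server (optionally keeping the current
        one); any browser still holding an old cookie is logged out. Returns count."""
        doomed = [t for t, s in self.sessions.items()
                  if s["user"] == user and t != keep_token]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


def set_cookie_header(token: str, persistent: bool) -> str:
    """Build the Set-Cookie value; without Max-Age the browser discards it on exit."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True   # not readable from page scripts
    c["sid"]["secure"] = True     # only over encrypted connections
    c["sid"]["path"] = "/"
    if persistent:
        c["sid"]["max-age"] = PERSISTENT_DAYS * 86400
    return c.output(header="").strip()


def cookie_kind(header: str) -> str:
    """Classify a Set-Cookie value: 'persistent' if it carries Max-Age or Expires."""
    c = SimpleCookie()
    c.load(header)
    for morsel in c.values():
        if morsel["max-age"] or morsel["expires"]:
            return "persistent"
    return "session"


def scenario():
    """Chapter-5 situation: the father logs in on the home PC with 'keep me signed
    in' and on his phone, then ends every session except the phone's."""
    store = SessionStore()
    now = datetime(2013, 6, 7)
    t_pc, h_pc = store.login("father", "home-pc", now, keep_signed_in=True)
    t_phone, h_phone = store.login("father", "phone", now)
    return {
        "pc_cookie": cookie_kind(h_pc),
        "phone_cookie": cookie_kind(h_phone),
        "pc_header": h_pc,
        "before": len(store.active_sessions("father")),
        "ended": store.end_all_sessions("father", keep_token=t_phone),
        "pc_user": store.user_for(t_pc),
        "phone_user": store.user_for(t_phone),
    }
```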

7. Password protect your smartphone


A recent study published in various online magazines showed that more and more people tend to replace their traditional mobile phones with smartphones. This trend applies not only to young people, who are usually more interested in new technologies, but also to older people. So, what does this have to do with security? A smartphone has many possibilities to store data on it. All kinds of data: private pictures, private documents, social media logins, emails, web pages visited, login information for many commercial services (PayPal, e-banking, eBay, Amazon, etc.) and other types of information you want to keep to yourself. Additionally, if you also use the smartphone for business purposes, the device might contain business emails, contacts and even VPN login information. Do you care about that data? Of course you do, and in this case it makes sense to protect it. The easiest, cheapest and most reliable way to protect the data you have on your smartphone is to use a password (also called a PIN, depending on the device).

There are many ways in which you can enter a password: numbers only, alphanumeric codes or gestures. If you use gestures (following a track with your finger on the touch screen), make sure that you clean the display regularly. If your fingers leave traces on the screen, someone could simply follow that track and unlock your phone. Every smartphone has a different way of setting and activating a password. If you own an iPhone, go to Settings, General, Passcode Lock to set and activate the passcode. Enter a four-digit number, and please don't use parts of phone numbers, birth dates or trivial codes like 0000 or 1234. If you turn Simple Passcode off, you can use a longer code with letters and symbols, which is much harder to guess or to read over your shoulder. Tap Require Passcode to set how soon you'll be prompted for the code after your most recent unlock. I recommend Immediately or After 1 minute. Turn Erase Data on if you want the phone to wipe its contents after 10 incorrect passcode attempts. After setting the code, go back to the General settings and verify that Auto-Lock is on, so the phone goes to sleep when idle and asks for the passcode when woken up.

8. Change the default passwords


Very often people buy new gadgets or devices which are advertised as secure out of the box. Or, better said, this is what the producers write on their boxes, because the reality is quite different. Most of the time these devices are delivered with default passwords like 0000, admin, 1234 and so on. This is not security, this is a bad joke made by marketing people who pretend to sell security. The first thing to do when buying a new device is to change its default password. Some producers have already started to understand that it is not user unfriendly at all to ask for a password or PIN as the first thing after installing a router or at the first startup of a mobile phone. Seriously: there are websites like http://www.routerpasswords.com/ for routers, and thousands of websites giving the default password for most of the mobile phones available. A default password that anyone can look up is the same as no password.

Unfortunately, the situation is not much better when we move from the devices themselves to their configuration. For example, many wireless routers come with default SSIDs for the wireless network and with no password, or with a default password like those mentioned above. In the continuous fight between security and usability, many forget that it is actually absolutely OK to reduce the usability a little in order to have a minimum of security. After all, what would you prefer: to allow anyone full access to all your photos and documents, or to be forced to enter a password when enabling wireless access in your router? Another issue is represented by DECT telephones and headsets. In case you didn't know, their default password is 0000. The worst part is that many of them don't even accept anything other than 0000. The same applies to many Bluetooth headsets, but here the situation is not that bad, because the mobile phone usually asks the user for manual confirmation before connecting to a headset via Bluetooth. As a conclusion, please change the default password of your devices (router, smartphone, laptop, DECT phones, etc.) and of your wireless networks.


9. Create good passwords


After seeing three major websites (LinkedIn, LastFM, eHarmony) get hacked somehow (yes, somehow, because we still don't know how) and lose a large number of passwords, here are some tips on how to create better passwords. What do these incidents have in common, apart from the obvious, the passwords? Actually, we don't know yet what else they might have in common: maybe the same hackers, maybe the same vulnerability that got exploited, maybe something else. What we do know is that, at least in the case of LinkedIn, the hackers didn't get the passwords in plain text but their SHA-1 hashes, computed without a salt. They cracked a large part of the passwords and published them on the web.

What is a hash?
According to Wikipedia, a cryptographic hash function (or simply a hash) is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will, with very high probability, change the hash value. The data to be encoded is often called the message, and the hash value is sometimes called the message digest or simply digest. The ideal cryptographic hash function has four main properties:
- it is easy to compute the hash value for any given message
- it is infeasible to generate a message that has a given hash
- it is infeasible to modify a message without changing the hash
- it is infeasible to find two different messages with the same hash
So, if a hash has all these properties, why do we have the trouble with the leaked passwords today? Because nobody needs to reverse the hash function. The attacker simply takes a list of likely passwords, hashes each one (the first property makes this very fast) and compares the results with the leaked hashes. Passwords chosen by people are short and predictable, so a dictionary attack, a brute force attack over all short combinations, or a Rainbow Table (a precomputed table of hashes that can be reused against any leak hashed the same way) recovers most of them.

What can a company that stores passwords do to prevent cracking of passwords?


Besides the obvious, make sure that you don't lose the passwords in the first place, they can make the password hash more expensive to attack. This means making it harder to get from the hash back to a plain-text password that matches it. The first step is to alter the original plain-text password before creating the hash, by appending a random value that is different for every user and stored next to the hash. This process is called password salting and it is nothing new: Unix systems have been using it for ages. Please do not confuse salting with padding. The salt is not secret. Its job is to make every user's hash unique, so that a precomputed table is useless and an attacker who wants to try one guess against a million users has to compute a million hashes instead of one. The second step, which salting alone does not give you, is to make each single hash slow to compute by design, for example with bcrypt, scrypt or PBKDF2 with a high iteration count. Together these make cracking much slower, but not impossible. The goal is to make the operation so expensive for the attacker that at some point he gives up.
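To make the difference concrete, here is an added example in Python (my own illustration for this edition, not code from the book or from any of the sites mentioned). It uses a small constructed wordlist and three made-up users, runs a dictionary attack against bare SHA-1 hashes of the kind that leaked from LinkedIn, and then against salted, stretched hashes. The salted scheme is PBKDF2-HMAC-SHA256 from the standard library with a deliberately low iteration count so the example runs quickly; both are my choices, the book names no algorithm. The counters show how the attacker's cost changes.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example: a small attacker wordlist and the
# passwords of three made-up users, two weak and one strong. Not real leaked data.
WORDLIST = ["password", "123456", "qwerty", "letmein", "linkedin",
            "Summer2012", "ilovefacebook", "monkey"]
USER_PASSWORDS = {"alice": "linkedin", "bob": "Summer2012", "carol": "x7!Qp#Lm2z$Rw"}

# Assumed iteration count; real deployments use a much higher one (or bcrypt/scrypt).
ITERATIONS = 10_000


def sha1_unsalted(password):
    """The scheme behind the LinkedIn leak: one bare SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Dictionary attack on unsalted hashes.

    Every word is hashed exactly once; the resulting table is then matched
    against all leaked hashes at no extra cost (a rainbow table is the same
    idea, built once and reused against any dump hashed the same way).
    Returns (cracked, number_of_hash_computations).
    """
    table = {sha1_unsalted(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in leaked_hashes.items() if h in table}
    return cracked, len(wordlist)


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Salted, stretched hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    The salt is stored next to the hash; it is not secret, it only makes the
    hash unique per user. The iteration count is what makes each guess slow.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def crack_salted(records, wordlist):
    """Dictionary attack on salted hashes.

    Because every user has a different salt, no table can be shared: each
    word must be re-hashed for every user, and each of those hashes costs
    `iterations` rounds of HMAC. Returns (cracked, number_of_pbkdf2_computations).
    """
    cracked = {}
    computations = 0
    for user, record in records.items():
        for word in wordlist:
            computations += 1
            if verify_salted(word, record):
                cracked[user] = word
                break
    return cracked, computations


def compare_schemes():
    """Run both attacks on the constructed users and report the work each needed."""
    leaked_unsalted = {u: sha1_unsalted(p) for u, p in USER_PASSWORDS.items()}
    cracked_a, work_a = crack_unsalted(leaked_unsalted, WORDLIST)

    leaked_salted = {u: hash_salted(p) for u, p in USER_PASSWORDS.items()}
    cracked_b, work_b = crack_salted(leaked_salted, WORDLIST)

    return {
        "unsalted_cracked": cracked_a, "unsalted_hashes_computed": work_a,
        "salted_cracked": cracked_b, "salted_hashes_computed": work_b,
        "salted_rounds_per_hash": leaked_salted["alice"]["iterations"],
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Both attacks recover the two weak passwords and neither finds the strong one; the point is the cost. Unsalted, the attacker hashes the wordlist once (8 hashes) and can reuse the table against every user in the dump. Salted, he must hash every word separately for every user (19 hashes here, and he only stops early because he finds a match), with each hash costing thousands of rounds instead of one.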

What can you do?


You can create more complex passwords which you can still manage. Don't do what I already warned about in Chapter 1 (http://techblog.avira.com/2011/01/31/improve-your-security-1-complex-passwordsarent-always-better/en/): writing the password on a post-it and sticking it on your monitor or keyboard. Here are some tips on how to create good passwords which you can remember:
- use long passwords: some websites even enforce a minimum password length of 6, 8 or even 10 characters. I strongly advise using at least 8.
- an easy way to remember a long password is to associate it with something:
  - for email passwords: "I write emails on Gmail every day at 12" becomes IweoGed@12 (the initial letters, with "at" replaced by @)
  - write the name of the website into the password: Gmail: My.G-Mail.Pa$$-Word1, LinkedIn: My-Linked.In-Pa$$, Last.FM: Last1FM2Pa$$3Word
- mix letters (small and capital), numbers and symbols: 1stPa$$-W0rD
An easy way to remember these combinations is to associate them:
- change an s with $
- split long words like password into two or more parts
- split long words into syllables: computer into com-pu-ter
- as separators use symbols like - . # or similar
- use incremental numbers as separators
In case you forget the password, make sure you keep the recovery information up to date. This usually means:
- an alternate email address
- a question that only you know the answer to (no, "what is your pet's name" is easy to find out)
- a mobile phone number for two factor authentication
Change your password regularly.


What you should not do
- don't use dictionary words like Microsoft, person names, pet names, names of months or seasons, car brands, etc.
- don't use your name and your birthday together (e.g. John21021978)
- don't use defaults like 12345, root, qwe123, abcd, etc.
- don't use the same password on all important websites
- don't just close the browser without signing out of your account after using a publicly shared computer

How about other methods to manage passwords?


There are other methods to store passwords, but I don't recommend them. These methods are:
Password management software
Basically, there is a piece of software running on your computer which holds the passwords securely so that they are always at hand. The problem with such software is that sometimes the store is readable by anyone who gets hold of the computer (Mozilla's browser store, for example, is only really protected if you set a master password), sometimes it uses weak encryption, and the passwords are almost always unencrypted in memory, at least temporarily, while the program runs. Using such software just moves the target for the hacker one step further. It doesn't actually solve the problem for good. But the biggest problem with such software is the least obvious one: availability. What do you do if you are not near the computer where your password management software runs? Do you call your wife/neighbour/colleague to open your computer and read you the password? I hope not.
Pen and paper


The pen and paper method means writing the passwords down. That is basically no security, since anyone can get hold of that piece of paper at some point. One can argue that there are safes, lockers, etc. which improve the security, but you don't do anything more than storing the treasure (your password) behind a closed door. If that door gets opened, you lose everything. Also, this method suffers from the same problem as the software: it is not always available.
Password management in the cloud
I initially didn't want to write about this method because it might give some of you the idea that it makes sense. It doesn't, just forget about it, because it means too much trouble in the long term. And yes, it would partially solve the availability problem, but not completely, because there are systems out there which are not connected to the internet. As a conclusion, learn your passwords using some of the tricks I mentioned above.

10. Make backups


It is said that three things are certain in life: we are born, we pay taxes and we die. Adding a little bit of IT on top of this, I can add a fourth certain thing: hardware fails. It is only a question of when, not if. And when it fails, you want to be sure that your data is safely stored somewhere you can always reach it without too much hassle. There are many ways to secure your data, thanks to cloud services, the affordable prices of hard drives and network attached storage, and the existence of so many free backup solutions.

But, what exactly does backup mean?


In IT, backup (or backing up) is the process of making a copy of some data with the purpose of being able to restore it in case of data loss (e.g. when hardware fails). How can one make a backup of his data? There is a simple and a complicated answer to this question. Let's start with the simple answer; if you feel that this solution doesn't fit you, read the complex answer.

Simple backups
The simplest possible backup is a synchronization of your files to an external medium like a USB hard drive, a Network Attached Storage (NAS), an FTP server or an online service. Synchronization means nothing else than mirroring your files on the external medium. A synchronization can be performed in real time or on a schedule. Real-time synchronization means that a service works in the background on your computer and monitors the files which change. As soon as it detects that one or more of the files it was configured to monitor were changed, it copies them to the external medium (USB or cloud service). This has the advantage that your backup is always up to date, but it sometimes has the disadvantage of slowing down your computer if you have configured it to back up many folders. There are many tools that provide real-time synchronization, most of them also offering a basic free version. Some examples are Dropbox, Bitcasa, Memopal, CX and others. It is not recommended to have more than one such tool installed and active on your computer, because this will seriously slow down your hard drive and the overall performance of your computer. Keep in mind that a plain mirror copies your mistakes as well: if you delete or damage a file locally, the copy follows at the next sync. Prefer a tool that keeps old versions of changed files, or combine the mirror with the scheduled backups described below. Scheduled synchronization means that a sync of your files is only performed at specific pre-configured time intervals or events. For example, you could schedule a backup every day at noon while you are in the lunch break. Or you can schedule a backup when the computer is idle (usually when the screen saver starts). You can use several free tools to perform a scheduled synchronization. A nice synchronization tool comes from Microsoft and is called SyncToy, but it only works with folders on local media like hard drives or with shared network folders (in other words, SMB shares). If you are a computer geek, you can also give rsync a try.


Complex backups
Simple file synchronization should be enough for most users, but there are cases when you want to back up more data in a more controlled way, keeping older versions of your files. Examples of complex backups are incremental backup, differential backup and reverse delta backup. In an incremental backup you create a full backup once and, from that point on, snapshots that each contain only the changes since the previous snapshot. To restore, you need the full backup plus every snapshot up to the point you want, replayed in chronological order; if one snapshot in the chain is missing or corrupt, everything after it is lost. My favourite tool for incremental backups is Duplicati, because it also allows you to encrypt the files before you upload them to the external medium. The good news is that Duplicati comes with support for various media like FTP, Cloudfiles, WebDAV, SSH (SFTP), Amazon S3 and others. In a differential backup you create a full backup and each snapshot stores all differences between the full backup and the current state. Snapshots therefore grow over time, but to restore you only need the full backup and the latest snapshot. In a reverse delta backup the stored full copy is a mirror of the current state, and the snapshots contain the differences needed to go backwards in time to older states. Restoring the latest version is therefore immediate, and older versions are reconstructed by walking back through the deltas. Examples of such tools are rdiff-backup, RCS (the base of CVS, which stores the latest revision in full and older revisions as reverse deltas) and Apple's Time Machine. No matter which method you use, make sure that you respect the golden rule of backup, which I see as common sense: don't keep your backup in the same place as the files that you backed up. If something bad happens, you will lose both.
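The three schemes differ mainly in what you need at restore time, which is easiest to see by simulating them. The following Python is an added example for this edition, not code from the book or from Duplicati, rdiff-backup or any other tool mentioned. It uses constructed data: a small folder at four points in time, represented as dictionaries of path to content, with one file deleted along the way so that deletions are replayed as well.

```python
# Constructed sample data: the contents of a small folder at four points in
# time, as {path: content}. Dictionaries stand in for the real file system.
DAY0 = {"notes.txt": "v1", "photo.jpg": "cat", "todo.txt": "buy milk"}
DAY1 = {"notes.txt": "v2", "photo.jpg": "cat", "todo.txt": "buy milk"}
DAY2 = {"notes.txt": "v2", "photo.jpg": "cat", "report.doc": "draft"}  # todo.txt deleted
DAY3 = {"notes.txt": "v3", "photo.jpg": "cat", "report.doc": "final"}
HISTORY = [DAY0, DAY1, DAY2, DAY3]


def delta(old, new):
    """What must be written and what must be deleted to turn `old` into `new`."""
    changed = {path: content for path, content in new.items() if old.get(path) != content}
    deleted = [path for path in old if path not in new]
    return {"changed": changed, "deleted": deleted}


def apply_delta(state, d):
    """Apply one delta to a copy of `state`; deletions are replayed too."""
    result = dict(state)
    result.update(d["changed"])
    for path in d["deleted"]:
        result.pop(path, None)
    return result


def incremental_backup(history):
    """Full copy of the first state, then one delta from each state to the next."""
    full = dict(history[0])
    snapshots = [delta(history[i - 1], history[i]) for i in range(1, len(history))]
    return full, snapshots


def restore_incremental(full, snapshots, upto=None):
    """Start from the full backup and replay the snapshots in chronological order.
    Every link in the chain is needed: a lost snapshot breaks all later ones."""
    state = dict(full)
    for snap in snapshots[:upto]:
        state = apply_delta(state, snap)
    return state


def differential_backup(history):
    """Full copy of the first state; every snapshot is a delta from that full copy."""
    full = dict(history[0])
    snapshots = [delta(full, state) for state in history[1:]]
    return full, snapshots


def restore_differential(full, snapshots, index=-1):
    """Only two pieces are needed: the full backup and the chosen snapshot."""
    return apply_delta(full, snapshots[index])


def reverse_delta_backup(history):
    """Mirror of the LATEST state, plus deltas that walk backwards in time."""
    mirror = dict(history[-1])
    reverse = [delta(history[i], history[i - 1]) for i in range(len(history) - 1, 0, -1)]
    return mirror, reverse


def restore_reverse_delta(mirror, reverse, steps_back=0):
    """The newest state is the mirror itself; older states replay reverse deltas."""
    state = dict(mirror)
    for snap in reverse[:steps_back]:
        state = apply_delta(state, snap)
    return state


def stored_changes(snapshots):
    """Number of file writes and deletions recorded per snapshot."""
    return [len(s["changed"]) + len(s["deleted"]) for s in snapshots]


if __name__ == "__main__":
    full, inc = incremental_backup(HISTORY)
    print("incremental, per snapshot:", stored_changes(inc), "-> latest:", restore_incremental(full, inc))
    full, diff = differential_backup(HISTORY)
    print("differential, per snapshot:", stored_changes(diff), "-> latest:", restore_differential(full, diff))
    mirror, rev = reverse_delta_backup(HISTORY)
    print("reverse delta, two days back:", restore_reverse_delta(mirror, rev, 2))
```

Running it shows the trade-off: the incremental snapshots stay small (1, 2, 2 changes) but all of them are needed to reach the latest state; the differential ones grow (1, 3, 3) but any state needs only the full copy plus one snapshot; the reverse delta scheme gives the latest state for free and spends the replay work on older versions, which is where rdiff-backup and RCS get their design from.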
