Friday 29 June 2007

The Art of Creating a Password Part 2

In my last post (cue trumpet solo) I described some techniques you can use to come up with a strong password. A strong password, as opposed to its weedy cousin the weak password who gets sand in his face when kicked to the ground, is very difficult for a hacker to crack and so ideal for protecting your valuables on-line.

Unfortunately your man of steel password could be as safe as a woman of Kleenex if your PC becomes infected by a keylogger. Not someone who cuts down trees and skips and jumps: a key logger is a piece of software that sits on your PC and transmits every keystroke you enter back to the criminal who wrote it. So as you smugly enter your 15 character super password, with more special characters than an episode of Heroes, a villain with an even smugger smile on their face could be receiving it on the other side of the world.

First and foremost, you should protect yourself from spyware and malware in general to the best of your ability (see my post Tinker, Tailor, Soldier, Spyware for details of how to do so). However, even with the best protection in the world, there is still the chance that something slips under your radar. So what do you do?

The solution to this problem is to use a password manager. A password manager can sidestep keylogging by storing all your passwords in an encrypted file on your PC and then entering them via a virtual keyboard. As the real keyboard is never used, the key logger doesn't get a sniff of the details you enter. Hurrah!

Recommendation
A few years ago I spent a significant amount of time burning the midnight oil and researching password managers on-line, reading reviews, downloading and using trial versions and ending up with rings round my eyes so I looked like a panda. Finally I settled on a product from Siber Systems called Roboform.

Features
The features that sold me on Roboform initially and still have me using the product today are:
  • Security - Roboform stores your login details in an encrypted file, using 256-bit encryption with the AES, Blowfish, RC6, 3-DES or 1-DES algorithms. The Pentagon may be able to crack it, but your average hacker probably won't.
  • Single Click Web Page Entry - Roboform can log in to a website with a single click, and populate personal information fields, such as address and phone numbers, again with a single click. It can also fill in card details, warning you when it does so. Again this information is encrypted on your PC, and again it won't fall foul of a keylogger.
  • Multi-Browser support - A Roboform plugin works with Firefox and IE. For unsupported browsers you can still use it by dragging and dropping your information into the relevant fields on the web page.
  • Safenotes - Another feature of Roboform is the safenote. A safenote is a free-format note that is encrypted using the same algorithm as everything else. This means, for example, that if there is sensitive information you wish to keep on your PC you can enter it into a safenote to stop it being hacked.
  • One password to rule them all - Roboform has one master password, which it uses as the encryption key for the data you store. As such you only need to remember a single password to access all your others. This password should be strong and I would recommend you follow the techniques I previously outlined in The Art Of Creating A Password. If you just need to remember one password, make it a good one.
  • Automatic password generation - One useful utility included in Roboform is the facility to automatically generate a password. This allows you to specify the length of password you want and the type of characters you want to include (alpha, numeric, special). Press generate and a password is randomly generated to your specification. As you can imagine this tool can provide you with some very strong passwords. As you don't need to remember them you can generate the best possible password that meets the constraints of the account you are logging in to, thus giving you the maximum possible password security.
All in all I've found Roboform an excellent tool that definitely makes my A-List. There are other features available which you can check out on their website at http://www.roboform.com/. My advice would be to download it, try it and then buy it.
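The generator described above, as an added Python example (my code, not Roboform's): it draws characters from a cryptographically secure source, keeps drawing until every requested character class is present, and reports the strength of the result in bits. The class names and the set of special characters are my assumptions.

```python
import math
import secrets
import string

# Character classes the user can switch on, mirroring the "alpha, numeric,
# special" choices described above. The special set is an assumption: trim it
# to whatever the account you are creating the password for actually accepts.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?/~",
}
ALL_CLASSES = tuple(CLASSES)


def meets_spec(password, length, classes=ALL_CLASSES):
    """True if the password has exactly `length` characters, uses only the
    chosen classes, and contains at least one character from each of them."""
    pool = "".join(CLASSES[c] for c in classes)
    return (
        len(password) == length
        and all(ch in pool for ch in password)
        and all(any(ch in CLASSES[c] for ch in password) for c in classes)
    )


def generate_password(length, classes=ALL_CLASSES):
    """Return a random password of `length` characters drawn from `classes`.

    `secrets` is a CSPRNG; the `random` module is not suitable here. Rather
    than forcing one character of each class into fixed positions (which
    skews the distribution), draw uniformly and reject candidates that miss
    a class. For sensible lengths the loop almost always exits first time."""
    if not classes:
        raise ValueError("at least one character class is required")
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    pool = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if meets_spec(candidate, length, classes):
            return candidate


def strength_bits(length, classes=ALL_CLASSES):
    """Entropy of a password from generate_password: log2(pool size) * length.
    This is what makes 'more character types' and 'longer' interchangeable:
    8 digits give about 26.6 bits, 8 lower-case letters about 37.6."""
    pool = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(pool)


if __name__ == "__main__":
    for length, classes in ((14, ALL_CLASSES), (8, ("digit",)), (8, ("lower",))):
        pw = generate_password(length, classes)
        print(f"{pw:16} {strength_bits(length, classes):5.1f} bits  {classes}")
```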

Thursday 28 June 2007

The Art of Creating a Password

One area of security that hackers regularly exploit is your password. Most people struggle to remember long and complex passwords and so resort either to using short and simple ones, which are easy to crack, or to more complex ones that they end up writing on a post-it note, generally found attached to their computer monitor.

The Ten Password Commandments

  1. Don't use repeated characters (e.g. aaaaaaa), sequences (123456 or abcdefg) or adjacent keys on your keyboard (e.g. qwerty).
  2. Don't use words found in the dictionary.
  3. Choose a password that is easy to remember, to avoid having to resort to variations of the post-it trick. Note that if you do resort to writing it down then do so in a secure fashion. Consider splitting it up and storing the fragments in different places. Store the written password using an easy to remember code such as adding an offset to the characters in it or reversing it.
  4. Don't share a password between accounts. If a hacker cracks it for one they can use it for any others you've used it for. You may also inadvertently use it on a bogus website where it will be stored and systematically tried against your legitimate accounts.
  5. Incorporate as many of the characters on the keyboard as possible (if possible include upper and lower case letters, numbers and special characters). The fewer you use, the longer the password needs to be to have the same strength.
  6. Your password should be as long as possible (preferably 14 characters or more, with 8 as a minimum).
  7. It should not be the same as your user name, any part of your (or a family member's) name, birthday or other personal information. Hackers will try variations of these if they can get hold of this information.
  8. Don't store it on the internet or on a network. Don't store it on your PC unless it is encrypted. If a hacker gets at the file containing your passwords then they can use them.
  9. Change your password regularly. The stronger the password you use, the less frequently you need to change it.
  10. Don't just use simple letter substitution on a weak password. P@$$W0rd may look strong but password cracking software will often incorporate this kind of letter substitution.

The third and sixth of these criteria would at first glance appear to be mutually exclusive. Most people struggle to remember a 5 or 6 character password, let alone traverse the heady realms of passwords that contain ten or more.

Johnny Mnemonic

One way around this is to base your password on a mnemonic: a phrase, saying or song lyric that you remember. Take the first letter of each word in your key phrase, et voilà, an instant long password that is easy to remember. Marvellous.

For example, take the old Nancy Sinatra song "These Boots are Made for Walking". Taking the first 12 words you get "These boots are made for walking and that's just what they'll do". Taking the first letter of each word gives you the letters "TBAMFWATJWTD", which to all intents and purposes looks pretty random.

Substitute

To widen the range of characters used in your password you can now apply the rule that you use an upper case letter for the first letter of each word in your phrase that is greater than two characters long and lower case for the rest. You now get "TBAMFWATJWTd", not a huge improvement in this example, but hey, you can always choose a new key phrase. To widen the range of characters even further, consider substituting special characters for certain letters. For example:

  • '@' for 'a'
  • '8' instead of 'B'
  • left bracket '(' instead of 'C'
  • '!' for an 'i' (invert ! and you get i)
  • zero '0' for 'O'
  • '$' instead of 'S'
  • '+' for 't'.

Your password would now be "+8AMFWA+JW+d".

The Specials

Finally, add one or more additional special characters to the mix at predetermined points in your password. For example you could always enter "~" as the third character of your password and "#" as your last. As long as you're consistent you should be able to remember them as you key it in. Adding these in would give you "T8A~MFWATJWTd#", which is pretty strong. Just don't go humming the tune to yourself as you're entering it.

Remember that if you don't use a strong password, then one of these days these hackers are gonna walk all over you.

Monday 25 June 2007

Just What the Daktari Ordered

Apple has released Safari 3.02 this week. This new version of their beta Windows browser includes a number of stability and security fixes.

So far I've been quite impressed with Safari. Loading times for web pages are as fast as a Gazelle in flight and its interface is as uncluttered as a water hole with a Lion in residence. Watch this space, it'll soon have other Hippo-like pieces of browsing bloatware in its sights.

Tuesday 12 June 2007

Tinker, Tailor, Soldier, Spyware

Combating the Insidious Threat to Your Privacy posed by Spyware

What Is Spyware?

Spyware is any software that uses your Internet connection in the background without your knowledge or explicit permission.

It has the ability to:
  • Read cookies
  • Scan files on your hard drive
  • Monitor your keystrokes
  • Install other Spyware programs
  • Alter your default home page
  • Send information back to its creator
This can result in the theft of sensitive information such as PINs and passwords, reduce the performance of your PC and cause it to become unstable (it is thought that Spyware is the cause of up to 50% of PC crashes). Spyware can also take over your PC, using it as a Zombie for such illicit activity as denial of service attacks or propagating spam.

In general Spyware is produced by a group of people for profit, whereas viruses were produced by an individual for kudos.

Network performance can also be adversely affected by a Spyware attack. For a business the act of tracking down and removing the offending software will lead to disruption and loss of productivity.

Types of Spyware

Spyware generally falls into one of two categories: Adware or Malware.

Adware
Adware is generally benign and is usually produced by advertising companies. Adware generally generates annoying on-screen advertisements (normally pop-ups).

The worst forms hijack links on websites and take you to destinations of their choice. The reason for this is that by artificially inflating the amount of traffic to their websites, your friendly neighbourhood hijacker can command higher advertising revenues. This can be worrying if you've got a child who surfs the net, as the destinations you are routed to can be anywhere on the web and pornography companies do make use of Adware in this manner.

Adware uses cookies to hold details of your browsing habits which are periodically sent to the marketers.

Although not directly compromising your system in the way that the far more malign Malware does (see below), such software can cause it to become unstable and have a detrimental effect on its performance.

Malware
Malware is an abbreviation of malicious software and is often written to harm your system, much in the way that a virus can. Other forms use key logging to send details of your typing to the perpetrators. This opens the door to identity theft and other criminal acts being perpetrated against you. A hacker could potentially use these programs to get your credit or bank card details.

A Growing Threat

"Over the past three months, EarthLink and Webroot found more than 29.5 million instances of spyware. This figure equates to an average of nearly 28 spyware items per computer and demonstrates the broad proliferation of spyware." said Cobb. "While most spyware is Adware-related and relatively benign, it's disturbing that over 300,000 of the more serious System Monitors and Trojans were uncovered. This figure represents how real a threat identity theft or system corruption is for users."

Earthlink and Webroot

Spyware has been around for less time than viruses but is rapidly becoming a greater threat.

In a recent survey by Earthlink and Webroot an average of 28 pieces of spyware were found on infected PCs. Most were relatively benign Adware, but 300,000 cases of more serious Trojans and System Monitors were found (from 1,062,756 scans).

It is currently thought that 90% of all computers connected to the internet are infected.

The Legal Position on Spyware

While the legal position regarding viruses is pretty well laid out, the legality of Spyware is not.

Direct advertising companies sometimes use the spurious argument that because a user agrees to the terms and conditions of a piece of software they download, which includes mention of dubious activities in the smallest of small print, they consent to having Spyware running on their machine. Furthermore they state that to legislate against these nefarious products would have a dire effect on the economy. I seem to remember similar arguments were used when the slave trade was abolished, which is ironic considering that the zombification of your PC by some Spyware constitutes a form of cyber slavery.

The legal position of Spyware in the United States is also murky: in some states it constitutes a criminal activity, in others it doesn't.

How You Can Get Infected

Spyware can be installed by clicking on a web link, opening an attachment in an email or by the payload of a virus. In fact you only have to visit a website (known as a drive-by installation) or view an HTML e-mail message to get infected.

Spyware can also piggyback on a utility you install (such as a P2P file sharing system).

Symptoms of Spyware

As with any disease there are a number of tell-tale signs that you've probably got it. Some typical spyware symptoms include:
  • Your browser being hijacked, i.e. it takes you to sites other than the ones you type in
  • A repeated, or sudden, change of your browser's home page that you didn't make
  • Being inundated by a plague of pop-up ads
  • New toolbars appearing in your browser you don't expect to see
  • Unexpected new icons appearing in your system tray
  • Keys that don’t work properly when pressed (e.g. the 'Tab' key doesn't work or is delayed when used on a Web form to move to the next field)
  • Poor system performance when saving files or opening programs
  • Random error messages appearing

Steps You Can Take To Avoid Infection

Take Care When Downloading Software
Be careful what software you download and install on your PC. Only download software from reputable sources.

Carefully read the End User License Agreement (EULA) of any software you plan to download. Often buried within the EULA will be a disclaimer stating something along the lines that

"...information about you and your browsing habits will be sent to the company's website."

Spyware mongers take your acceptance of this as giving them Carte Blanche to infect your PC, so be careful.

If the EULA is hard to find, or understand, or contains a clause like the one shown above, then seriously reconsider installing the software.

Be Wary of Gadgets
With the advent of Windows Vista the use of Gadgets is becoming more and more prevalent. A gadget is an application that you can embed in a web page to deliver a piece of functionality to the user, such as showing the weather forecast for your area or displaying a digital clock on the page.

Quite often gadgets are created by hobbyists and delivered free of charge. Quite often they will also have a payload of Spyware hidden in their code.

You can add gadgets to a website you administer or to a blog you post to. The revamped version of Google's homepage, iGoogle, also allows you to add gadgets.

In Windows Vista you can add gadgets to the Windows Sidebar. Unlike installing a gadget on a web page, where Windows and browser security will stop it accessing your file system, Vista gadgets have full access. That means that they can copy any embedded DLL, file or program to your hard drive. Vista gadgets execute with full system permissions and so can then execute those programs.

To quote the old saying, there's no such thing as a free lunch. In the case of gadgets the cost of your free lunch may end up being more than a Champagne and Caviar feast at the Ritz.

Take Care When Opening Attachments
If you receive an email with an attachment you are not expecting, the safest course of action is not to open it, and just delete it. If you later find that it was legitimate then you can always arrange to have it resent to you.

Ramp Up Your Browser Security
Ensure that the level of your browser security setting is sufficient to detect unauthorised downloads. In the case of Internet Explorer this should be set to at least 'Medium'.

This minimises the risk of drive-by downloads getting their teeth into your system.

Turn Off the Preview Pane in your Email Client
As previously mentioned, the mere act of viewing an HTML e-mail can cause Spyware to be installed. If your email client automatically displays the currently selected email, this could potentially result in infection. To stop this from happening, turn off the preview pane. In MS Outlook, clicking Preview Pane on the View menu toggles whether it is displayed or not.

Use a Browser Other Than Internet Explorer
The main way that Spyware is spread is through your web browser. Many specifically target vulnerabilities in Internet Explorer, such as ActiveX, so one way of improving your security is to use an alternative web browser, such as Firefox, Opera or Safari. These browsers are not targeted as much as IE. Unfortunately a large number of websites only work with Internet Explorer, so you may still need to use it. If this is the case make sure that you upgrade to at least IE7; security in this version was significantly improved.

Add Known Bad sites to IE's Restricted Sites Zone
If you are forced to use Internet Explorer it is worth considering blocking known bad websites. To avoid these you can install IE-SPYAD. This free program adds known bad sites to Internet Explorer's Restricted Sites Zone.

If you do use it then remember to update it on a regular basis to keep your list up to date.

Screen websites via a Browser Add-on
An alternative to blocking known bad sites via IE's restricted zone, which can be technically demanding, is to use a product such as Sitehound to alert you before you enter a known bad site.

Sitehound is a plug-in for Internet Explorer and Firefox. It works by checking an entered URL against a list of known bad sites before you are directed there. The basic version of the product is free but requires you to manually update the bad site list. The paid-for version does so automatically and also includes other features, such as giving additional information about a suspect website.

Don't Click any Pop-Up Links
If a pop-up window appears don’t click any links within it. Doing so may cause the installation of Spyware on your computer. When a pop-up appears, close it by clicking the 'X' icon in its title bar.

Don't click on links in Spam
If you receive e-mail that claims to offer anti-spyware software, don't click on any of the links in it. Some of the Anti-Spyware products offered in spam actually install the spyware they claim to protect you from! If you want to install any Anti-Spyware products then a good place to start is with those listed later in this post.

Use Anti-Spyware Products
Use the active protection inherent in Anti-Spyware products to help protect your PC (see Anti-Spyware Products below).

Update Your System Regularly
Use Windows Update regularly to ensure that your operating system and web browser always have the latest patch or security update applied. Configure Windows Update to update automatically.

Use a Hosts File
A Hosts file lets you specify the IP address your PC will use when you enter a particular host name in your web browser. By creating a file in which the names of known malicious sites point back at your own computer, you can effectively make it impossible to visit them in the first place, thus removing the chance of infection. Hosts files of this nature can be found on-line.

It is debatable however how effective this strategy is, as Spyware can connect directly to an IP address and thus circumvent this form of protection.

As an aside, some Spyware modifies the hosts file as a means of redirecting you to sites of the author's choosing.
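As an added Python example (mine, not from the post), an audit of a hosts file that separates the two uses just described: entries that sinkhole a name to your own machine, which is what a downloaded blocklist should look like, and entries that send a name somewhere else, which is what a spyware edit looks like. The sample file is constructed and its host names are placeholders under the reserved .example domain.

```python
import ipaddress

# Constructed sample hosts file. The first block is the blocklist style
# described above (names sent back to your own machine); the last two lines
# are the kind of entry spyware adds to redirect a legitimate site. All names
# are placeholders under the reserved .example domain, not real indicators.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
# --- blocklist: sinkholed to the local machine ---
127.0.0.1       ads.tracker.example
127.0.0.1       toolbar.spyware.example   # trailing comments are allowed
0.0.0.0         popups.adware.example
# --- these should never appear: legitimate names sent elsewhere ---
203.0.113.7     www.bank.example
203.0.113.7     update.antivirus.example
"""

# Names that legitimately map to the local machine and need no reporting.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring blank lines, comments and
    malformed lines; one line may list several names for the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # line does not start with an address: skip it
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text):
    """Classify entries: 'blocked' names point at the local machine (loopback
    or the unspecified address 0.0.0.0); 'redirected' names point anywhere
    else, which a blocklist never does and spyware sometimes does."""
    blocked, redirected = [], []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(name)
        else:
            redirected.append((name, str(ip)))
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked:", *report["blocked"], sep="\n  ")
    print("redirected (check these!):", *report["redirected"], sep="\n  ")
```

On a Windows machine the file to pass in is %SystemRoot%\System32\drivers\etc\hosts.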

Consider Using a Program to Check Your E-Mail
As e-mail is one method by which Spyware and viruses can infect your computer, you could consider using a product to scan your e-mail for potential threats. One such product, Mail Washer Pro, is ostensibly a Spam removal tool, but as the emails it screens can also contain a virus or Spyware, it also provides another line of defence against infection. The preview pane it uses just shows the message in plain text, so it allows you to safely check your mail before you download it.

Detecting Spyware

Network and systems administrators can detect Spyware by:
  • Capturing and studying network transmissions for suspicious packets using a network analyser.
  • Using the Netstat utility to monitor all ports. This is a TCP/IP application that reads network data structures. It can be used to find any suspicious ports open on your PC; they can then conduct a web-based search on any suspect ports, which may reveal the existence of Spyware.
There are also a number of third party products that can be used to scan your ports and provide a graphical interface (e.g. X-NetStat).
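An added Python example (mine, not from the post) of the Netstat step: it parses output in the layout `netstat -ano` prints on Windows, then flags any process that is listening on a port outside a baseline you supply, or that holds a connection to a remote port other than 80 or 443. The output lines, the PIDs and the baseline ports are constructed samples; the addresses are from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `netstat -ano` on Windows
# (Proto, Local Address, Foreign Address, State, PID). PIDs are made up and
# the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5599           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:1045      203.0.113.50:80        ESTABLISHED     2212
  TCP    192.168.1.10:1052      198.51.100.23:2048     ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    1024
"""

# UDP lines carry no state, so the state group is optional.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(LISTENING|ESTABLISHED|SYN_SENT|CLOSE_WAIT|TIME_WAIT)?\s*(\d+)\s*$"
)


def split_endpoint(endpoint):
    """'host:port' -> (host, port as int, or None for '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        entries.append({"proto": proto, "lhost": lhost, "lport": lport,
                        "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return entries


def suspicious_pids(entries, expected_listen_ports, expected_remote_ports=(80, 443)):
    """Map PID -> reasons for any process that listens outside the baseline or
    talks to an unexpected remote port. Those PIDs are the ones to look up in
    Task Manager and, as the post suggests, to search the web for by port."""
    by_pid = defaultdict(list)
    for e in entries:
        by_pid[e["pid"]].append(e)
    report = {}
    for pid, conns in by_pid.items():
        reasons = []
        for e in conns:
            if e["state"] == "LISTENING" and e["lport"] not in expected_listen_ports:
                reasons.append(f"listening on {e['proto']}/{e['lport']}")
            elif e["state"] == "ESTABLISHED" and e["rport"] not in expected_remote_ports:
                reasons.append(f"connected to {e['rhost']}:{e['rport']}")
        if reasons:
            report[pid] = reasons
    return report


if __name__ == "__main__":
    entries = parse_netstat(SAMPLE_NETSTAT)
    # Baseline of ports this machine is expected to listen on (constructed).
    for pid, reasons in suspicious_pids(entries, {135, 445}).items():
        print(pid, "->", "; ".join(reasons))
```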

A more effective means of detecting Spyware is to use a dedicated Anti-Spyware application.

Anti-Spyware Applications

Some anti-virus products profess to also protect your computer against Spyware but the truth of the matter is that none of them do a very good job of it. To protect yourself properly from Spyware you should run a dedicated anti-Spyware product.

The pick of the crop of products at time of going to press are:

Freeware
Commercial Products
  • Spyware Doctor - Spyware Doctor has consistently topped the ratings in reviews of anti-Spyware products and has a detection rate of around 97%. Another advantage of Spyware Doctor is that updates for new threats are made available for download within days (or in some cases hours) of the threat being identified. In the case of some well known products, it can be a week or more before countermeasures are made available.

As well as scanning for Spyware some products, generally the ones you have to pay for, also provide active defence to stop your PC getting infected in the first place. These active defences, although not 100% reliable, do provide some protection and are therefore recommended. The only downside to running active defence is you may find some degradation in performance.

One thing I would recommend is periodically scanning with more than one anti-Spyware tool. Even the best software won’t detect all current Spyware, so by scanning with more than one product you increase the chances of finding it. A combination of the current best commercial and the best of the free ones run on a regular basis will give you the best protection.

Keep Your Spyware Product Up-to-date
Update your anti-Spyware signatures on a daily basis.

Scan Your PC for Spyware Often
You should perform a full Spyware Scan at least once or twice a week. In addition to this, if you have the option, configure your product to scan key areas on a daily basis, if possible on start-up.

Sometimes Spyware can mask itself during start-up making it difficult to detect and remove. To counter this, you should periodically run a full scan in Safe Mode. Safe Mode can be accessed by repeatedly pressing the F5 key (or on some systems F8) during the boot sequence.

False Alarms
Anti-Spyware programs use the following methods for detecting Spyware:
  • They contain a list of known Spyware which they compare against;
  • They detect suspicious activity including Windows registry entries that are out of place, suspicious network connections and programs that exhibit suspicious behavior.
Sometimes they can falsely report a valid application as being Spyware. Always check any reports produced and make sure you don’t accidentally remove legitimate software.

Blocking Spyware Transmissions Using a Firewall
As previously mentioned, Spyware sends information back to its creator. Running a firewall, such as Zone Alarm, not only stops unwanted intrusions getting in, but can also stop unsolicited transmissions getting out.

By configuring your firewall to only give internet access to legitimate applications you run, you can deny any Spyware that has managed to evade your defences the ability to accomplish its objective.

Some Useful Web Sites

For further reading on the subject, check out the following websites.
  • Spyware Warrior - Spyware Warrior lists free and pay-for software. It also lists bogus anti-spyware products that, when installed, spy on you.
  • Spywareinfo - this site has a number of spyware forums where experts in the area participate. As such it provides a good port of call should you have any questions.
  • Malware Removal - a site with a number of Malware related forums. It also has some useful downloads that help you remove some specific Malware infections.

Conclusion

Today most individuals and organizations have measures in place to deal with the threat posed by viruses; they should also invest in separate countermeasures to combat the rise of Spyware.

Failure to do so can harm your efficiency, reputation, productivity and ultimately your financial wellbeing.