This one is geared to all you IT professionals out there who are looking to create a strong, effective, and simple to manage password policy. We’ve talked before about password best practices, and what not to do. If you want some more information on that particular subject, check out some of the information provided by the security experts over at PortalGuard. Today, however, we’re going to look at the password policy in some more detail to figure out what password management best practices are the most effective in actual use.
Showing posts with label hackers.
Tuesday, September 22, 2015
Password Management Best Practices: Stemming the Tide
Wednesday, April 22, 2015
Contextual Authentication - Who is Behind the Keyboard?
Have you ever asked yourself this question before? The MTV TV show Catfish asks this question in every single episode. They work with people all over the United States that have fallen in love with someone they have never met in person, or even talked to on the phone before. On the show, the two hosts work together to find the person who is behind the other keyboard in order to play matchmaker. Nine times out of ten, the person on the other end of the line is not who they say they are. They might not even look remotely close to who they are pretending to be online.
This got me thinking a couple of things… Why do people do this? And how can user fraud be stopped online?
Friday, April 3, 2015
3 Different Hacker Types
You’ve been watching and reading the news, right? All of those data breaches that have made headlines; it’s a crazy, risky, digital world that we live in. The digital world is one where knowledge and information equate to power, or scientia est potestas as the old Latin phrase goes. Sure, these digital attacks sometimes surround money, or politics, but it is the knowledge these hackers possess and gain from their subterfuge that grants them so much influence. To be a substantial Hacker Attacker, you need knowledge of your own. Here, I will give you the building blocks to form your own power base to better protect yourself against the biggest aggressors of the digital age.
Wednesday, April 1, 2015
Phishing News: Windows Live Digital Certificate Risk
Looking to spend a little bit of that tax return on some sweet online deals? The latest news from Microsoft should make you do a double take before entering your credit card data. There is a new report of a Windows Live digital certificate risk making the rounds. They are reporting that an unauthorized SSL certificate was issued for “live.fi” that could have been used to leverage man-in-the-middle attacks or even spoof official Microsoft announcements.
Wednesday, March 25, 2015
Defending against the Man in the Middle
I remember as a child trying to eavesdrop on conversations I would hear in school. They were usually centered around who kissed whom or who had a crush on someone. As an adult, like most others, I still listen in on other people’s conversations from time to time. Usually this happens when you’re standing in line somewhere, and it is hard not to listen in on the people next to you. After talking with a colleague over the weekend about man-in-the-middle (MITM) attacks, I found some similarities to the more typical activity of eavesdropping on others’ conversations.
Labels: anti-virus, authentication, certificate based authentication, cybersecurity, data, data protection, firewall, hack, Hacker Attacker, hacker news, hacker solutions, hackers, ITsecurity, Man in the middle, MITM, SSL
Tuesday, December 16, 2014
What Came First . . . The Computer or the Hacker?
The chicken and egg version of this question has been asked and discussed for years, and I am not about to crack that question open and get egg on my face. But I do want to take a look at the computer and the black hat hacker (aka security cracker), and take you back in time to the first computer. So get ready to blast into the past to uncover some fascinating facts about the first computers.
Hackers: Experts in Their Field
When you think of someone being an expert in their field, commonly you think of someone with a Dr. in front of their name. However, with a hacker it is a little different; there is no real way to add the abbreviation to the beginning or end of their name. Plus, having the term “professional hacker” attached to your name may be cool to some, but like being a “professional hit man” it may not land you that corner office with a view of the bay.
However, a professional hacker is a highly skilled individual that knows their way in and out of a piece of software, a network, or a database. These men and women have a skill set that allows them to find holes in a system, but that is where the road can fork between a white hat and a black hat hacker. How will they use their skills and the information they have gathered?
Thursday, December 11, 2014
TedTalk - A Future Without Secrets
When you think of social media being used to find out information about you, you may be thinking that you have nothing to hide, and your Internet identity is looking pretty good. In fact, you have spent a lot of time creating an image of yourself that is pretty close to perfect in your eyes. But do you believe that the data on Facebook alone can be used to guess your Social Security Number, compromise a job opportunity, and manipulate advertising?
Any information can become sensitive information. By using algorithms, technology, your friends on Facebook, and face recognition, you can be manipulated both knowingly and unknowingly. Protecting this information is important to your future, and it is time to take action!
Labels: cybersecurity, hack, hackers, hacking, it, ITsecurity, tech, tedtalk
Tuesday, December 9, 2014
Hackers Gonna Hack
Whether a white hat hacker or a black hat hacker, “hackers gonna hack.” Now not all “hackers” are out for personal gain or to wreak havoc, but I do submit that whether white or black, they are addicted to hacking.
Tuesday, December 2, 2014
Benjamin Franklin: Hacker
This morning I was sent a link to a Ted Talk featuring Catherine Bracy, Why Good Hackers Make Good Citizens. A good friend thought I would be interested in this video since I write for this blog and they were right! In my life I like to look at the big picture and see what is beyond the painting or lyrics, what is the meaning of the words or imagery? It helps keep my mind open and fresh as an intellectual.
This Ted Talk was right up my alley and took a different approach to the term “hacker” and opened my eyes to a new term: “civic hacker.” A civic hacker is someone who sees a problem and wants to figure out a solution to make it better, improve a way of life or make a change for the greater good of society.
She calls out Benjamin Franklin as a civic hacker. He invented so many things that we use every day; however, he invented something that is life saving and yet not something that immediately comes to mind when you think of the only non-president to grace a US currency note. He invented the first volunteer fire department. He recognized that Philadelphia’s fire department was struggling to put out fires in a timely manner, which was very troubling to him, and he looked at the situation and thought there was room for improvement.
In 1733 he addressed this problem, and put a new concept to the city, in the newspaper the Pennsylvania Gazette.
"Soon after it [a fire] is seen and cry'd out, the Place is crowded by active Men of different Ages, Professions and Titles who, as of one Mind and Rank, apply themselves with all Vigilance and Resolution, according to their Abilities, to the hard Work of conquering the increasing fire."
This action of civic hacking took a concept that existed and, through innovation, improved on it to the point that it ended up revolutionizing the way we fight fires in America today. Growing up in a small town, we did not have a full time fire department; we had a volunteer fire department made up of men and women from all walks of life that would go into action when called upon.
The theory that Bracy presented, of a hacker simply being someone who looks at something and makes improvements, raised a question in my mind: who else could be considered a hacker? Henry Ford, Nikola Tesla, John D. Rockefeller, Andrew Carnegie, and so many leaders of industry took a concept and improved it to make a better system. What do all of these men have in common beyond implementing improvements? They were all around before the internet and computers were ever conceived.
Current day civic hackers
The civic hacker, in modern times, can actually be seen all around us. For example, authentication companies that provide two-factor authentication solutions protect not only the company’s information and assets, but their customers’ personal information as well. Companies like PortalGuard and others understand the importance of providing a secure way to log in and protect information from getting into the wrong hands. Although two-factor authentication is not the end-all-be-all answer for protecting data from the black hat hackers of the world, it is a secure step in the right direction.
Benjamin Franklin was a hacker, who knew?
Tuesday, November 25, 2014
The Hackers Cookbook
The title suggests that this posting may have some delicious recipes that hackers might enjoy, but I am thinking more like the classic book The Anarchist Cookbook, by Steven Schragis. However, I will provide you with a link with directions on how to be a white hat hacker!
A little history lesson: The Anarchist Cookbook
“The Anarchist Cookbook, first published in 1971, is a book that contains instructions for the manufacture of explosives, rudimentary telecommunications phreaking devices, and other items. The book also includes instructions for home manufacturing of illicit drugs, including LSD. It was written by William Powell at the apex of the counterculture era in order to protest against United States involvement in the Vietnam War.” -Wikipedia
For those of you who were not around at the time, this book caused a lot of controversy when it was published and of course grabbed the attention of the Feds at the FBI. One FBI memo called the book “one of the crudest, low-brow, paranoiac writing efforts ever attempted.”
The lack of a Hackers Cookbook
When considering that The Anarchist Cookbook was written as a proverbial middle finger to the government and an exercise in freedom of speech, how has there not been a similar book written about hacking? Hackers are known to rage against the machine and expose the corruption in either a corporation or government. Wait, didn’t Ralph Nader do a similar type of thing? More on Ralph ahead.
What I see the hackers cookbook containing is not just tips on how to crack into a network or take down a website, but how to successfully protest and plan a movement that can make a statement. Because at the end of the day, isn’t that what hacking is all about? Beyond those who hack for either personal gain or to support an organization, we forget that even these brilliant computer geniuses serve a purpose. They can keep the checks and balances of society online.
The Ralph Nader Effect
Ralph Nader, beyond having a few unsuccessful Presidential runs over the years, started life as a protector of the people. Not in the sense of a member of a police department or military movement; he was interested in exposing safety problems that affect the average Joe. In 1965, he claimed that many US-made automobiles were simply not safe and even published a book, Unsafe at Any Speed. The internet was not around back then, but I am willing to bet he would have taken his research online if he had the opportunity. Specifically, Nader took aim at the Chevrolet Corvair, a rear engine compact car that had been involved in many accidents that resulted in lawsuits against Chevy’s parent company General Motors.
In typical corporate fashion, GM took to the streets and tried to discredit the claims and even went as far as to hire prostitutes to try and trap him into compromising positions. Look it up on Wikipedia; it is interesting stuff. Nonetheless they could not stop him, and his efforts made the government take notice and instate a new division of government: the National Highway Traffic Safety Administration.
Making the Connection
Nader was an activist, plain and simple. Many did not agree with his stance at the time, but like Schragis, he took his view of corruption and put his ideas out there, publishing them to make a difference. Even though The Anarchist Cookbook took a totally different angle of protest, are these two authors any different than White Hat and Black Hat hackers?
Nader was a White Hat hacker in the sense that he took his opinions of corruption and wanted to put them to work in a positive light by publishing a book that spawned the development of a consumer safety organization; Schragis was a Black Hat of sorts, compiling a book of instructions to overthrow, harm and cause chaos.
Perhaps I am far off here, what are your thoughts?
Oh yeah, here are the white hat instructions I promised you!
Happy Holidays!
Thursday, November 20, 2014
How to Be a Hacker and Not Get Caught!
Now you may think that this is going to be a step-by-step guide with tips on how to skate the long arm of the law… eh, not so much. While researching to write this article, I Googled “How to be a hacker” of course and there were so many sites out there with step-by-step guides, even a wikiHow page with suggestions. Side note on this wikiHow page: there was a very interesting ad placed in the middle of this posting, “Ready to be a Pastor?” (See below)
It seems that either the advertising traffic director has a sense of humor or it is the internet’s way of telling me “don’t do it!”
As mentioned before, the internet is littered with tons of websites that give you the direction you need to be a hacker, and a few of the steps are no brainers. Step one: get a good computer. Step two: learn how to write code. Step three: think like a hacker. Step four: learn to hate authority. Step five: join a hacktivist group. Step six: be smart and don’t get caught.
There you go, that is how you become a hacker.
I found it very funny that most of the sites came with a disclaimer, “Hacking is a serious crime and can result in major penalties, even jail time.” This disclaimer reminded me of the old disclaimers at the beginning of the classic MTV show Beavis and Butthead. (see below)
It is amusing to me that there are websites out there that give directions to do anything malicious, like how to build a bomb. Can someone please tell me how this is helpful to society? Outside of knowing how to take down an enemy James Bond style, I do not see the point in these sites and moreover how these sites exist. I am not suggesting that we censor the internet, but some things should just not be easily available to consume on the internet.
To quote Snoop Doggy Dogg, “Back to the lecture at hand.”
Learning how to become a hacker and not get caught is much like learning how to become a bank robber and not get caught. Looking at any successful criminal from history, most show power in numbers is a good thing, so that is something to consider. Let’s look at Bonnie and Clyde; according to Wikipedia these outlaws were suspects in 12 successful bank robberies between 1931 and 1934, several small store robberies, and the slaying of at least nine police officers. Granted, they were brought down in a shootout with the police, but they had a very successful run as criminals and people are still talking about them 80 plus years later.
What we can learn from stories like this is that it is very likely that criminals end up getting caught one way or another. Even the infamous Boston Irish Mobster James “Whitey” Bulger, who was on the run for nearly 20 years and was living under a complete alias on the other side of the country, was caught and brought to justice. Some reports even suggest that Whitey was an FBI informant that helped bring down the Italian Mob in Boston while he knowingly was running amok across the City’s South Shore.
My suggestion… don’t become a hacker. If you are interested in coding and are a problem solver, put those interests to good use, take some classes at your local college or community college, and build a name for yourself in a positive light. Become a hacker attacker, instead of joining the dark hackers of the world.
Tuesday, November 18, 2014
5 Ways to Combat a Hacker Attack
Security crackers are an inevitable part of the cyber world. Whether we like it or not, security crackers will crack. Although we cannot stop these people from trying, we can however provide you with some tools and tips to help combat security crackers.
#1 Password Power:
Password power is a crucial first step to preventing security crackers from stealing your information. A combination of letters, numbers, and symbols is needed to reduce the chances of your password being stolen. In addition to this, the use of a password manager has also been proven to be helpful. This will generate random passwords, and also warn you when you are using the same password on multiple sites. This way, if a security cracker were to guess your password, they would only gain access to that one account, not your entire life.
#2 Password Lock all Devices:
This is one of the initial steps to protect against security crackers. Most of us own a tablet, computer, or smartphone. These electronic devices house a lot of personal information. These devices need to be locked, as they are key to your identity. Even the simplest task of accessing one’s contacts can lead to a possible phishing attack against you and your friends.
#3 Two-Factor Authentication (2FA):
Initializing a two-factor authentication system is a good idea to protect against a security cracker. PortalGuard, a five layer user authentication solution-set, offers contextual authentication that creates transparent barriers to prevent unauthorized access and confirms user identities by validating multiple aspects of each user. The transparent barriers can validate something the user knows, has, does, etc. By using these transparent barriers, the authorized user is now allowed in, but the unauthorized user is kept out.
#4 Use a Secure Internet Connection:
Security crackers love to gain access to personal accounts through rogue Wi-Fi access points. This means that all of one’s computer traffic will go through these fake access points. To prevent this from occurring, take some time to make sure you are connecting to a secure network. Your Wi-Fi network, wherever you are, must be locked with a long, secure password and use a good encryption standard such as WPA/WPA2. Here is a link that shows you how to secure your home Wi-Fi.
#5 Don’t Link Accounts:
In this day and age, it is very hard to keep accounts separated on the Internet. For example, numerous apps force you to use your Facebook login credentials to gain access to their web pages. If possible, use a separate account for each application. This will decrease the chance of a security cracker gaining access to your entire cyber profile.
Cyber crimes are real and can happen to anyone. Take the precautions now to protect your family, your friends, and yourself from a possible cracker attack.
Would You Hire a Hacker?
All of these questions and more are very valid points that should be considered when looking at candidates for a tech position within your company.
But that raises another question: how many “straight laced” employees are actually hackers in disguise?
The guy or girl in the next cubicle could be a serial hacker, working in the dead of the night stealing secrets, taking down company and government websites, or even worse. So you never know who you are dealing with these days. When watching the news, what is the one thing you hear over and over again about criminals that get caught? “He was just a regular guy. Kind of kept to himself, but was always friendly and even helped me with…” This image that a criminal, especially a cyber-criminal like a hacker, is hunkered down in a shack in the woods Unabomber style may be true for a small percentage of this subculture, but is unlikely for the masses.
Paranoid yet?
Let’s go back to the thesis and one theory; let’s say you are a technology firm, and you are looking to protect your proprietary project that will be groundbreaking, bringing your company to the next level. You are concerned about the security of your company and protecting the front door, so you deploy a solid two-factor authentication solution, secure the network with a strong firewall, and buy the best anti-malware software on the market. But the thought of someone hacking in and stealing your life’s work is still keeping you up at night.
So what do you do?
Hire a hacker to protect your castle. Crazy? Not so much. Who understands a hacker better than someone woven from the same wool? They speak the language, and can see holes within a security system better than most. Sometimes when you are so close to the trees it is hard to see the forest; there may be a vulnerability right in front of your face that you have missed. That tree that is right in front of you is blocking you from seeing a backdoor entrance that a hacker can just walk right in and gain access to the whole company and suck it dry.
As mentioned in a previous article, the FBI has been hiring criminals for years to catch other criminals and fight crime. Heck, if they are doing it successfully, why not follow suit?
Keep your hacker happy, pay the hacker a very healthy salary, get them the most high-tech everything that they ask for, and let them do their job. You take care of them, and they will protect you; they will not bite the hand that feeds.
There are even companies, like Neighborhoodhacker.com, that offer the services of hiring an ethical hacker to handle cleaning up after a hacker attack. Hackers are smart people who have a very select set of skills that can be used for good if channeled correctly.
Now for the flip side of this question, and the true catch-22. Say you do hire a hacker, get them set up in your company, and they are still hacking on the side. Like a junkie trying to get clean, they just cannot seem to break the ties and get the monkey off their back. They love the rush of breaking into a company and bringing them to their knees, a real evil dude.
They come into your company and protect your castle, but they are breaking into other castles while at home or even worse… while at work. They get caught, the FBI raids your company looking for all of the machines they were working on and confiscates them for evidence. What are you to do? You not only just lost your defense department, you also lost company hardware, and now have to testify in court. Wow, that escalated quickly!
Although the second scenario is less likely, it could happen; unlikely, but still a possibility. So would you roll the dice and hire a hacker?
Friday, November 14, 2014
Hacker Attacked: Behind the Bars
“In just one day in 2008, an American credit card processor was hacked in perhaps one of the most sophisticated and organized computer fraud attacks ever conducted,” according to a release published by the FBI.
Sentenced. Slammed. Served.
Back in 2008, RBS WorldPay, an electronic payment processing service, had fallen victim to a data breach. An unauthorized user gained access into the company’s computer system and obtained personal information of 1.5 million gift card and payroll cardholders. This included names, addresses, dates of birth, and social security numbers. A critical amount of personal data was compromised.
These cyber criminals used highly sophisticated hacking techniques to compromise the data encryption that was used to protect customers against potential hackers. Officials were determined to sentence the leader of this cyber attack, and eventually did, 6 years later.
An Estonian man, Sergei Tsurikov, has been sentenced to 11 years in prison for the role he played in the 9.4 million dollar data breach. The FBI has detailed the hacker’s involvement in this breach in a press release they published.
“A leader of one of the most sophisticated cyber crime rings in the world has been brought to justice and sentenced,” said United States Attorney Sally Quillian Yates.
Thanks to the cooperation of various law enforcement agencies worldwide, this prosecution was successful. The FBI informs the public that on top of the 11-year sentence that Tsurikov must complete, he must top it off with three years of supervised release, as well as pay out restitution of $8.4 million.
Let this be a lesson that security cracking does not always pay off . . . sometimes you get caught.
http://www.scmagazine.com/an-estonian-man-who-hacked-rbs-worldplay-received-11-years/article/379555/