Monday, November 1, 2010

Strong and weak passwords - What's the difference?

That's a very good question, and according to Andrew Dekraker it's not all in the numbers but in the numbers, letters and special characters! If you get mathematics like Andrew does, specifically exponentiation, then you'll understand this next segment about creating strong passwords.


Let's take a very simple 1-letter password and try to guess what it is. Sounds easy, right? Well, it is. There are 26 letters in the alphabet and 52 if we allow upper-case letters in the password. It would probably take me 1 min 30 sec to try all combinations (because I'm a slow typist). A computer program, even the simplest, would take a few seconds at most to try all 52 possibilities.


Let's expand our password. Using only 4 lower-case letters (26 to the power of 4) we have 456,976 possible combinations. I'd be dirt before I manually deciphered a 4-character password, but a computer program can run through every 4-character alphabetical password in 0.046 seconds. Include upper-case letters and the count becomes 52 to the power of 4, or 7,311,616 combinations, sixteen times as many, which at the same guess rate is still well under a second. Now add the special characters from your keyboard (!@#$%^&*()~`?><) to the mix and the time to crack rises to 1.36 MINUTES! That's still not very long, but it's a huge improvement over a 4 lower-case-letter password. Keep in mind that every figure like this assumes a fixed number of guesses per second; the real variable is how fast the attacker can test candidates, which is a handful per second against a login page that locks out after a few failures and billions per second against a stolen database of fast, unsalted hashes.


We all know that no one uses a 4-character password (at least not after reading this!), so let's look at a longer sequence mixing upper- and lower-case letters with numbers and special characters, compared to an equal-length lower-case-only password. You can see in the chart below how a password drawn from all character classes (upper- and lower-case letters, numbers and special characters) becomes practically impossible to exhaust with today's affordable hardware. Given enough time and faster hardware even these passwords will fall to brute force, but the arithmetic favours the defender: each extra character multiplies the number of candidates by the size of the alphabet, while adding a character class only enlarges that multiplier, so length is the bigger lever.

See the chart below (image not reproduced here): Weak & Strong Passwords
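Since the chart itself is not reproduced, here is an added Python script (not part of the original post, and not Andrew's chart) that computes the same kind of table: the keyspace for each character mix and length, and the worst-case time to exhaust it. The roughly 9.9 million guesses per second used as POST_RATE is inferred from the post's own figures (456,976 candidates in 0.046 s); GPU_RATE is an assumption standing in for one modern GPU against a fast, unsalted hash. The special-character set is the one the post prints.

```python
import string

# Character classes discussed in the post. The special set is the one the
# post lists; most keyboards offer a few more punctuation marks than this.
CLASSES = {
    "lower":   string.ascii_lowercase,   # 26
    "upper":   string.ascii_uppercase,   # 26
    "digits":  string.digits,            # 10
    "special": "!@#$%^&*()~`?><",        # 15, as printed in the post
}

# Guess rates. POST_RATE is inferred from the post's own numbers
# (456,976 candidates in 0.046 s). GPU_RATE is an assumption standing in
# for one modern GPU against a fast, unsalted hash such as MD5 or NTLM.
POST_RATE = 456_976 / 0.046
GPU_RATE = 10_000_000_000


def alphabet_size(*classes):
    """Distinct symbols available when the named classes are mixed."""
    return sum(len(CLASSES[c]) for c in classes)


def keyspace(size, length):
    """Number of candidate passwords of exactly `length` symbols from `size`."""
    return size ** length


def seconds_to_exhaust(size, length, rate):
    """Worst case for the attacker: every candidate has to be tried."""
    return keyspace(size, length) / rate


def human(seconds):
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def crack_table(lengths=(4, 6, 8, 10, 12), rate=POST_RATE):
    """Rows of (mix, length, keyspace, seconds) for the classic weak/strong chart."""
    mixes = (
        ("lower",),
        ("lower", "upper"),
        ("lower", "upper", "digits"),
        ("lower", "upper", "digits", "special"),
    )
    rows = []
    for mix in mixes:
        size = alphabet_size(*mix)
        for n in lengths:
            rows.append(("+".join(mix), n, keyspace(size, n), seconds_to_exhaust(size, n, rate)))
    return rows


def print_table(rate=POST_RATE):
    print(f"worst-case time to exhaust keyspace at {rate:,.0f} guesses/s")
    for mix, n, space, secs in crack_table(rate=rate):
        print(f"{mix:28s} len={n:2d} keyspace={space:>24,d} time={human(secs)}")


if __name__ == "__main__":
    print_table(POST_RATE)
    print()
    print_table(GPU_RATE)
    # Length beats alphabet: ten lower-case letters outnumber six characters
    # drawn from all four classes combined.
    print(keyspace(26, 10) > keyspace(alphabet_size(*CLASSES), 6))   # True
```

Run it twice, once at each rate, and the same password that looks safe at the post's rate shrinks to minutes at the GPU rate; the point of the chart survives, but the absolute numbers belong to the attacker's hardware, not to the password.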

Special thanks to Andrew Dekraker, an IT Service Tech at www.promediacom.net (that's us!), for helping me to bring to light the differences between weak and strong passwords.

Saturday, May 23, 2009

Phishing for Bucks

My last blog entry on Phacebook Phishing scams generated some questions about Phishing. Phishing is a scam where Internet fraudsters send seemingly authentic spam or pop-up messages with the intent of extracting personal and financial information from unsuspecting victims. Quite often the emails or pop-up messages appear official and may copy the exact fonts, graphics and other layout items of a real website such as a bank, internet service provider, email account, etc. They typically prompt you to enter your private information such as account number, password, address, SIN, credit card numbers etc.

Follow these basic steps to avoid getting 'hooked':
  1. Use anti virus/spyware/malware software - remember that some are better than others and you typically get what you pay for! I use Vipre Antivirus from Sunbelt Software because it's light, efficient and effective. Keep your subscription and definitions up to date and set an autoscan at a time when your computer is actually on! Malwarebytes is a great free program that has outshone many of the top level malware programs that one would pay good money for. The paid version offers real-time protection and supports the developers in their efforts. If you need assistance with diagnosing or removing an infection you can reach me here.

  2. Use Phishing protection - the top level browsers (IE7, Firefox, Chrome, Safari) and email clients have built-in Phishing protection but, to date, the results are inconsistent. An Anti Phishing toolbar receiving great praise is freeware from Netcraft. Anti Phishing programs basically expose the true internet address behind a website or link, and in most cases a risk rating is also provided. For example, a link whose text reads 'Facebook' may point to the real Facebook site, while a link reading 'Click to visit the real Facebook' suggests it goes to Facebook but can point anywhere (in the original post it pointed at the Datashield website). How would one know which, if either, is the real link? Anti Phishing programs are designed to give you an added advantage over the internet scammers but, like any security risk/solution area, it's constantly evolving and for most users way too complicated. Here's a link to a Wiki on Phishing and other vulnerabilities which I found informative.

  3. Don't email personal or financial information - ordinary email travels unencrypted, so anyone on the path with some basic knowledge and one of many free packet sniffers can read it. There are a number of ways to encrypt your data, including using Microsoft's Outlook, Mozilla's Thunderbird, PKzip, etc. There are also online secure email providers which provide an encrypted service. Never send your credit card, banking information or passwords via email!

  4. Don't reply to email or pop-up messages that ask for personal or financial information. Do not click on links in the message even if it seems legit - links can take you to pages where malicious software downloads to your system and opens the flood gates to all sorts of mischief. Hackers can make links look like they go one place but actually send you to a different site. The best way to navigate to a site is by physically typing the address in the browser address bar. (I know...what fun is that!)

  5. Use an aftermarket firewall that monitors both incoming and outgoing connections. Routers and Windows (XP and up) offer good quality firewalls but the default settings are less than informative as to what is coming and going from your system. Trojans can hide on your system quite easily, as can key loggers. Trojans can provide remote access to your system or even transmit personal information to an outside location. Key loggers record your keystrokes and again send that info out to other people. I've had great results with Comodo's Free firewall. Comodo has packaged their highly configurable free firewall with an antivirus addon which can be disabled independently. A good product in my experience.

  6. Don't open email attachments unless you are expecting them! Many scammers will try to gain your confidence by impersonating someone you may know. Common email subjects are used such as "Hey, its me!" or "I have a question" or "UPS delivery confirmation - verification required". Recently the Phacebook Phishing scam did just that - they created a dummy Facebook logon page and grabbed as many Facebook credentials as possible to get their scam going. Once you attempt to log on to the dummy site the hackers have access to your Facebook account, personal information and email contact list. Away they go....

  7. Review credit card and bank account statements as soon as you receive them. Check for unauthorized charges, and if your statement is late by more than a couple of days, call your bank/credit card company and confirm your billing address. Once a scammer has enough of your personal information they can change billing addresses, increase credit limits, apply for additional credit cards etc.
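Steps 2 and 4 both come down to one check: does the link's visible text agree with where the link actually goes? The following Python script is an added example, not code from the original post or from any of the products it mentions. It pulls every anchor out of a message, compares any host name or brand name in the visible text against the href's host, and flags the mismatches. The sample HTML is constructed for the example (it reuses the post's 'Click to visit the real Facebook' link and the kirgo.at host named in the earlier post); the BRANDS table and the "last two labels" approximation of a registrable domain are simplifications, and a real tool would use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Brand names a phish typically impersonates, mapped to the domain they
# legitimately belong to. Constructed for this example; extend as needed.
BRANDS = {"facebook": "facebook.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Last two labels of a host name: a crude stand-in for the registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return (text, href, reason) for links whose text and target disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable(host)
        named = DOMAIN_RE.search(text)
        if named and registrable(named.group(1)) != target:
            findings.append((text, href, f"text shows {named.group(1)} but link goes to {host}"))
            continue
        for brand, domain in BRANDS.items():
            if brand in text.lower() and target != domain:
                findings.append((text, href, f"text mentions {brand} but link goes to {host}"))
                break
    return findings


# Constructed sample: one honest link, the post's mislabelled link, a
# URL-looking label over a different host, and a look-alike host name.
SAMPLE = """
<p>Log in at <a href="https://www.facebook.com/">Facebook</a>.</p>
<p><a href="http://www.datashield.biz/">Click to visit the real Facebook</a></p>
<p><a href="http://kirgo.at/">http://www.facebook.com/login</a></p>
<p><a href="http://facebook.com.account-check.example/">Facebook security team</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

The fourth sample is the case that fools people most often: the host begins with facebook.com, but the part that matters is the end of the host name, which is why the check compares the last labels rather than looking for the brand anywhere in the string.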

In spite of all the dark stuff, the internet remains a great place for access to information and other resources on almost anything. Unfortunately there are people who use technology to take advantage of the unsuspecting, and the best thing anyone can do to keep the internet safe is to learn about the types of risks out there and prepare for the event that they are infected with a virus, malware, scareware etc. Back up your data, report phishing attempts and don't pass on emails that are potentially unsafe.

Surf on Dudes!

Thursday, May 21, 2009

Phacebook Phishing....

There's a new threat to you and your friends' personal information - courtesy of Facebook. I received a Facebook email from a friend this morning and it said to check out 'kirgo.at' - so I did. It took me to a page that resembled a Facebook login page and fortunately I stopped there.

Thanks to the quick response of my Facebook friend, he notified all concerned that his account had been compromised and an email had been sent from his account. I immediately changed my password and passed the information to all my friends just in case. Electronic communication can spread a security breach quickly, but the damage can also be minimized by quickly informing as many people as possible.

These types of attacks are known as 'Phishing'. The offending parties attempt to deceive users into giving up their logon credentials and can quickly change your password, thereby locking you out of your own account. If you keep personal information in your Facebook account it now belongs to the hackers as well - a scary thought.

It's common sense really, but even people in the know can be misled. In this case the web addresses to avoid are:

  • areps.at
  • nutpic.at
  • bests.at
  • kirgo.at
It's only a matter of time before similar scams pop up. Facebook shuts these down as quickly as possible but could provide a better notification system simply by posting alerts on all users' accounts. They have the ability to do pretty much anything they choose and this would be a good choice.

Monday, April 20, 2009

Data Security Risk - Mobile Phones are Easy to Hack

Cellphones and PDAs are now easily hacked by those in the know. In only a few minutes an experienced hacker can install spyware on your mobile phone and then listen to your telephone conversations live as well as receive copies of your text messages as you send or receive them. Datashield accesses mobile phones with Windows Mobile or Blackberry operating systems to support our clients; if we can access a mobile phone then so can other people. I think that this area of security really needs a good look and with all the recent publicity I'm sure we'll see some smaller developers entering the mobile security market with early apps and the big guns to follow once the market takes shape. It's a good thing.


What does that mean to mobile workers and the self employed? Datashield Technologies is a small operation and we provide a host of services and products to clients who rely on us for support. We get calls for usernames and passwords, web addresses, and credentials for stuff I get paranoid about just knowing. Providing fast service is essential for our clients' productivity and even though we have our information stored in secure locations with encrypted files and half the Canadian Armed Forces guarding it (ha ha - that was for the criminals reading this) nothing is absolutely hack free. To give you an idea of just what goes on in the world of data loss and hacking visit the Open Security Foundation's website http://opensecurityfoundation.org/ .
This is a wake up call to anyone who thinks hackers aren't for real and organized. It was for me.

To prevent unauthorized access to your mobile there are a few simple steps to follow:


1) Always keep your mobile in sight, this includes when lending it to others to make calls.


2) Never download or install software unless it is from a reputable source.

3) There is antivirus for mobiles available - if your phone has the speed, it's a good idea to scan on a regular basis.

4) Familiarize yourself with the programs/apps installed on your Mobile phone.

If you aren't sure about something contact us at http://www.datashield.biz/support and we can source it for you.

We are researching this area and will be posting information as it becomes available.


Friday, February 27, 2009

Russian hackers hold a casino site hostage!

A Costa Rican internet service provider's servers were recently taken hostage by an organized group of hackers located somewhere in Russia. The servers hosted internet gambling sites and despite all the precautions taken by the ISP, their 5 servers were compromised and the hard drives encrypted, cutting off all further revenue and guaranteeing a quick business failure.

The hackers kindly offered to decrypt the server hard drives for an undisclosed amount of money (surprise!) and after exploring a few other options (I would too) the casino owner decided to meet the ne'er-do-wells' demands. The hackers did their part, with the exception of the fifth server, which held all the credit card numbers for the casino members. Apparently the hackers didn't read the encryption software instructions carefully enough and overlooked the amount of hard disk space needed to encrypt the data! Get this...the hackers even spent about 8 hours trying to fix the problem! I wonder if they called tech support? They couldn't restore the fifth server's drives and I'd put money on it that they didn't apologize or offer a refund.

CBL, a Toronto based data recovery firm, recovered the data and the owner was back on a plane within 72 hours. Here's the video provided by CBL

Frankly I am amazed that an operation earning $135,000.00 per day doesn't have a better disaster recovery plan than the one that didn't work. On the other hand I see this quite often, and most of the requests we get for backup come after a critical data loss event occurs.

Again, any backup is better than no backup at all and in this case I'm sure the casino is revising their disaster recovery plan to include a secondary server site or at least offsite data backup.

Remember to play the scenario to the end...what do you stand to lose if your Data suddenly becomes unavailable?




Saturday, January 31, 2009

Backup Speed and Hard Disk Fragmentation

Recently a long term client called and asked why the Datashield Online Backup seemed to be taking longer to complete when the amount of new data was not increasing correspondingly.

First I tested the server upload speed at http://www.speedtest.net/ and it was normal at 410 kilobytes per second. Then I created a 10 MB test file and initiated a manual backup - the time to back up was just over 40 seconds. Not a significant slowdown considering all the communication going on between the source and destination computers.

At this point I decided to look at the performance of the local server and discovered that the hard drive was significantly fragmented. File fragmentation occurs over time as data is written, deleted and rewritten: the pieces of a file end up scattered across the disk, and the more data written, the more fragmentation occurs. As file fragmentation increases so does the time to read the files. Online backup lives by the same rules - if your disk is fragmented it will take longer to read and upload your files.

Not only do tasks take longer when a disk is fragmented but a disk also has to work harder which increases the potential for early failure. There are a number of automated disk optimization utilities available for home and business. These resource saving utilities can be set to defrag disks on a scheduled basis or when a disk reaches a predefined performance level.

http://www.datashield.biz/

Tuesday, January 20, 2009

Protecting Your Data - The Basics!

Being a father, business owner, outdoor enthusiast and general digital packrat I find that the information I save to my hard drive is steadily increasing. Some of it I need to keep for long periods of time (maybe even for close to ever) and other stuff is project or research based and can be deleted after a period of time.

Why backup? I usually get the call after a client has lost some or all of their important personal or business related data. Data loss can be from accidental deletion, to a hard drive failure, to the loss/theft of a computer system. Yes, data can be recovered from a failed hard disk but sometimes the disk can be scratched and the more difficult it is to recover data the more expensive it gets! Theft usually means that someone else has your information and the chances of recovering it are slim to none. The number one method for ensuring that this doesn't happen to you is to back up your information on a regular basis.

Backing up your information can be in the form of: a portable hard drive, memory stick, CD/DVD, email, tape backup and online data backup. I've tried them all and the number one reason for not backing up is that other things became more important and it simply wasn't done. The solution for me was an automated secure offsite backup solution. Online backup works for me because basically I just set it and forget it. As with any backup its critical to make sure that your data is backing up and that the files you want to backup are selected for backup.

My main categories for backup are Business and Personal, which include email, documents, pictures and videos, websites (source and current files), client information, web resource information, financial information and web resources, favorites and a few other user specific categories.

Get backed up today with Datashield!