Zimmer And Associates

Your password is a lot weaker than you think

Bryan — Thu, 16 Feb 2012 23:58:57 +0000

Today I was looking for a password strength calculator to estimate how long it would take to break your typical 8 character “strong” password, which most people say would take years to break. After I found a decent one I realized most of them are based on the speed of the CPUs found in your average computer. However, thanks to advances in password cracking utilities you can now use the GPUs found in graphics cards, which are much faster than CPUs. An 8 character password that would take a year to crack with a computer’s CPU only takes 19 hours with the GPU in a graphics card. When people tell you your data is safe because you have a strong password, think again.

How can you protect yourself? The two most popular options these days are a longer password (think 32 characters), or two-factor authentication. A longer password is the easiest option, just use a sentence for a password instead of a single word. Two-factor authentication typically isn’t easy to set up and is aimed and larger businesses, but Google, Facebook, and a number of banks now support two-factor authentication for clients. If you have the option for two-factor authentication I definitely recommend enabling it.

http://hackaday.com/2011/06/01/gpu-password-cracking-made-easy/

http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125

Bank funds stolen via electronic transfer. Protect the computer you use for online banking.

Bryan — Thu, 26 Jan 2012 22:52:11 +0000

$19,000 was stolen recently from a bank in New Jersey via electronic transfer. These incidents occur more often than you’d think, and affect both businesses and individuals. The end of the article talks about measures they’re taking to prevent this in the future, mainly using an dedicated computer for banking that isn’t used for web surfing, email, file transfers, or anything other than banking. A few years ago people would have laughed at air-gaping a system like the Department Of Defense does, but it’s becoming a more popular way to protect ultra-sensitive data. I’ve recommended similar solutions (including virtual machines) in situations where the cost of stolen data or computer downtime greatly outweighs the inconvenience or price of the solution.

http://www.nj.com/salem/index.ssf/2012/01/computer_hackers_tap_into_sale.html

Teenagers share passwords as a sign of affection, and an infographic on passwords

Bryan — Mon, 23 Jan 2012 22:46:24 +0000

Here’s an interesting article from the New York Times showing that the future of our workforce (The Millennial generation) views sharing passwords as a sign of affection. Here’s to hoping that changes as they grow up, both for their sake and the companies they work for.

http://www.nytimes.com/2012/01/18/us/teenagers-sharing-passwords-as-show-of-affection.html

On a similar note, this is a nice infographic with tips on creating and keeping strong passwords, and some interesting password statistics.

http://cache.gawkerassets.com/assets/images/17/2012/01/09c4f2162f6a3f9cd9f55d091f48b615.jpg

The profitability of scareware and social engineering

Bryan — Tue, 03 Jan 2012 21:04:32 +0000

Here’s a good article that Wired had a while back on scareware, those ads that pop up saying you’ve been infected with a virus and you should buy their product to remove it. It’s amazing what an empire you can build by exploiting people’s trust. They’re the same tricks that have been around for thousands of years, just adapted to the Internet.

http://www.wired.com/magazine/2011/09/mf_scareware/all/1

Secret app on Android phones collects data

Bryan — Thu, 01 Dec 2011 17:38:33 +0000

A developer published details yesterday of a hidden application that’s installed on millions of Android phones. The application, written by Carrier IQ, records keystrokes, text messages, location, and data that has been sent over encrypted SSL connections. Carrier IQ says its application is installed by cellular network providers to track dropped calls and other performance issues. I can understand some data being recorded and anonymized for troubleshooting issues, but it seems like most of the data collected by Carrier IQ really isn’t necessary and opens up the provider for huge lawsuits.

http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/

Security hole causes printers to smoke, crash, and/or steal data

Bryan — Tue, 29 Nov 2011 22:49:29 +0000

A security hole was announced today in HP LaserJet printers allows attacker to make the printer smoke and shut down, erase the firmware, replace the firmware, and/or use the printer to steal sensitive data. The attack may also work on other manufacturers’ printers as well, but has not been tested.

Unfortunately there aren’t any good technical details in the article or methods of preventing the attack, other than protecting your printer from the Internet. If your printer is attacked it’s possible that there will be no way to fix the firmware. For now it’s a matter of waiting for HP to realize this is a problem and releasing a firmware update, and putting your printers behind a firewall.

http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say

http://www.infoworld.com/t/hacking/security-researchers-say-hp-printers-vulnerable-hackers-180253

CalCPA Presentation

Bryan — Wed, 23 Nov 2011 19:18:46 +0000

Many thanks to the California Society of CPAs and Paul Freed for inviting me to talk about IT security and The Cloud. There were a number of great questions and I gained some insight into the world of CPAs and their security needs. Feel free to use our contact form to schedule a similar talk at your organization.

Report on industrial espionage shows attacks come through channels you wouldn’t expect

Bryan — Wed, 16 Nov 2011 20:44:59 +0000

The Office of the National Counterintelligence Executive has released a report to Congress (publicly available below) that details threats US companies face from foreign agencies. I found it interesting that a large percentage of attacks are conducted through seemingly normal requests for information rather than outright hacking. It shows yet again that people can be a weak link not considered in many security programs. Don’t forget that after you invest all that money improving your IT security you also need to educate your users about security threats, both technological and social.

http://www.ncix.gov/publications/reports/fecie_all/

iCloud and Apple ID warning

Bryan — Wed, 02 Nov 2011 19:20:59 +0000

My good friend @dillweed just brought up an excellent point about iCloud and Apple IDs. Everyone needs to be much more careful with their Apple IDs now that they’re tied to their iCloud data. So far people have been lax about protecting their Apple ID passwords, typically sharing them to trade iOS applications. The rationalization is “What’s the worst that could happen, it only allows access to my apps.” Now with iCloud anyone who has your Apple ID password can also do the following:

Remotely lock and erase your iPhone, iPad, or computer via Find My iPhone.
See real time iMessages and email, as well as all past iMessages and email.
Track your location in real time via Find My iPhone.
Log in to your computer and network via Back To My Mac. This will bypass many corporate and home firewalls.
Access other iCloud data such as your calendar, notes, documents, and bookmarks.
Access all data on your iPhone or iPad by restoring from your iCloud backup.

While the risk associated with giving out your password is nothing new, the issue here is that currently people don’t see their Apple ID as a high value account, there’s a large amount of sensitive data an attacker could gain access to, and one password is the only thing protecting access to the data. Sites such as Google and Facebook now allow you to use two factor authentication, where you need both your password and a code sent to your phone to access your account. They also allow you to see what other computers are logged in to your account and let you disconnect them remotely. Customers should pressure Apple into adding the same protection to their accounts sooner rather than later. In the mean time use a strong Apple ID password, don’t share it, and let your friends and customers know about the increased risk of sharing their Apple ID passwords.

Who else was hit by the RSA attacks?

Bryan — Thu, 27 Oct 2011 18:11:03 +0000

About a fifth of the Fortune 500 was hit by the RSA attacks from earlier this year. A total of 760 companies of all sizes are on the list, with possibly more to be found in the future. It’s disconcerting to note that companies whose primary business is security are on the list. No matter how big or small, companies are constantly under attack. Just because your company doesn’t have valuable assets such as Social Security numbers and banking credentials doesn’t mean attackers will leave you alone. They’ll often attack indiscriminately, gather other sensitive data, take your systems offline, or use your network to launch an attack against someone else.

http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/