How To


Prevent Online Banking Fraud with a ROBAM

What’s a ROBAM? you ask. Check out this post: Protecting Your Business from Online Banking Fraud. SANS says, “The number one recommended mitigation [to online banking fraud caused by infostealer infections] is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions.”

You can use a USB thumb drive instead of a CD if you do the following:

1. Download your alternative Linux OS choice (I prefer Ubuntu or Knoppix) in .iso format
2. Download UNetbootin from http://unetbootin.sourceforge.net/
3. Create a bootable USB thumb drive using UNetbootin
4. Set the properties of the drive to “read only”

This should have the same effect as using a Linux live CD.

I haven’t tried this, so comments welcome.


“psyb0t” Worm Infects Routers

Two router options, both of which I’ve said are security risks (see This Router Configuration Option Can Be Dangerous), can now be exploited to turn routers into zombie botnet members. My latest post at Security Corner, Worm Targets Home Networking Equipment, gives details and references to more news items. You can read those if you want, but for now, here’s what you should immediately do:

  1. Power cycle your router.
  2. Disable WAN-facing telnet, SSH or web-based configuration interfaces.
  3. Change the passwords to something unguessable (see this article).
  4. Upgrade to the latest firmware.

If you’re not sure how to handle this, find a geek who can. While the hacker who wrote this worm appears to have disabled the botnet’s control center, others will follow and it could get ugly.

You should also read and apply the Safe Computing Tips available as a free PDF download. Just click on the link to the right.

As always, I’m looking out for you.

Cheers!

The Geek


How to Write Down Your Passwords and Not Worry About Someone Stealing Them

I sometimes enjoy playing with codes and ciphers. In fact, a long time ago (eighth grade, 1966), I got my introduction to cryptography from a book aptly named Codes and Ciphers written by Alexander d’Agapeyeff. My friends and I had some good laughs getting caught passing encoded notes in class; the nun couldn’t decipher them. Being an Edgar Allan Poe fan, I was fascinated by his story “The Gold Bug,” which centers on the solution to a cipher that turns out to be a map to hidden pirate treasure. And then there’s that bit with Ralphie, the hero in the classic holiday hit movie, A Christmas Story, where he anxiously awaits the arrival of his “Little Orphan Annie Secret Decoder Ring.”

But I digress.

I know this isn’t a new concept by any means, but the application of simple cryptographic principles can allow you to generate passwords using patterns that you can safely write down. One of the key elements of authentication is “something only you know” and you can use this to generate secure passwords with simple substitution and transposition ciphers. (WARNING: playing around with this stuff can be habit-forming!)

Let’s take a simple example of a substitution cipher based on a date. This one uses two levels of secret “keys”: 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form, 02/12/1809, for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight-character password. Now, for the first key, we can use “BDAbe.” This immediately reveals the plaintext to you, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.)

Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the “something only you know,” with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern). Anyone who sees BDAbe%x# will have your keys, but it’s likely they won’t have a clue as to what to do with them. Write it down. Post it all over the place. Buy an ad in the newspaper. Tell everyone you know. Who cares? It isn’t your password and only you know what it means; but, it looks like a password and serves as an effective deception.

Finally, we generate the actual password using our cipher pattern of alternating shifted and lowercase characters, so 02121809 becomes our ciphertext of )2!2!8)9: eight characters, each having one of 96 possible choices. In a brute force attack, a modern PC, capable of guessing 10 million passwords per second, would take 23 years to go through all possible combinations of an eight-character password with a 96 character selection space. Not too shabby, eh?

For website logins where high security isn’t a concern, you can drop the “www.” and use the rest of the URL as your plaintext. In this case, you only need to write down the password length and encoding pattern. Let’s say I have a login on the site www.nytimes.com. I don’t care if someone reads the news using my password, so tight security isn’t a concern. I decide on a pattern of lowercase-shift-shift and decide to use a six-character password. The encoding pattern is x%^, so I can write that down as nytimes.com/x%^. Who’s going to know what that means? The password would be nYTiME. At only six characters and despite being based on the URL itself, that password is still relatively secure: it would take a hacker 33 minutes to crack your password; he’d be able to set up his own account in less than 2 minutes. And why would anyone want to crack your password? NYTimes.com doesn’t ask for any personal information other than your birth year and zip code, nothing that’s worth anything to a criminal hacker.

I encourage you to come up with your own method of applying this to your passwords, and of course, I welcome your comments and questions.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a former research scientist, currently works as a Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

Filed in: Answers, How To, Security, Tips

How to Secure Your Computer: Maxim #4

In How to Secure Your Computer: Maxim #3, I stressed the importance of changing the default username and passwords of all configurable network devices. That’s good advice. But a weak password, one that is easily guessable, is almost as bad as no password at all.

For example, if you use a password that conforms to the common patterns most people tend to use, it can be easily guessed. According to Wikipedia,

Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:

  • blank (none)
  • the word “password”, “passcode”, “admin” and their derivatives
  • the user’s name or login name
  • the name of their significant other or another relative
  • their birthplace or date of birth
  • a pet’s name
  • automobile licence plate number
  • a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
  • a row of letters from a standard keyboard layout (eg, the qwerty keyboard itself, asdf, or qwertyuiop)
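As an added example (not from the post or from Wikipedia), here is a small Python checker that flags a candidate password when it matches one of the patterns in the list above, including the "simple modification" cases (a digit suffix, reversed letters, common character swaps). The normalisation rules, keyboard rows and function names are my own choices; the sample passwords and personal details in the usage block are constructed.

```python
"""Added example (not from the original post): flag passwords that match the
guessable patterns listed above. Normalisations and names are my own."""
import re
from typing import Iterable, List

COMMON_WORDS = ("password", "passcode", "admin")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common character swaps ("p@ssw0rd" -> "password"); assumed mapping.
LEET = str.maketrans("0143578@$!", "oiaestbasi")


def candidate_forms(password: str) -> set:
    """Forms of the password with the list's 'simple modifications' undone:
    case folded, trailing digits dropped, character swaps reversed, and each
    of those also reversed end-to-end."""
    forms = set()
    base = password.lower()
    for f in (base, re.sub(r"\d+$", "", base)):
        for g in (f, f.translate(LEET)):
            if g:
                forms.add(g)
                forms.add(g[::-1])
    return forms


def guessable_reasons(password: str, username: str = "",
                      personal: Iterable[str] = ()) -> List[str]:
    """Return the names of the listed patterns the password matches (empty
    list = none matched). `personal` holds details someone could look up:
    relatives' names, a pet's name, birthplace, birth date, licence plate."""
    if password == "":
        return ["blank"]
    forms = candidate_forms(password)
    reasons = []
    if forms & set(COMMON_WORDS):
        reasons.append("common word")
    if username and username.lower() in forms:
        reasons.append("user name")
    if forms & {p.lower() for p in personal if p}:
        reasons.append("personal detail")
    if any(len(f) >= 4 and (f in row or f in row[::-1])
           for f in forms for row in KEYBOARD_ROWS):
        reasons.append("keyboard row")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials or real personal data.
    samples = [
        ("", "kenny", []),
        ("P@ssw0rd1", "kenny", []),
        ("Kenny66", "kenny", []),
        ("Fluffy2009", "kenny", ["Fluffy", "Springfield", "1966"]),
        ("qwerty123", "kenny", []),
        (")2!2!8)9", "kenny", []),
    ]
    for pw, user, details in samples:
        hits = guessable_reasons(pw, user, details)
        print(f"{pw!r:14} -> {hits or 'no listed pattern matched'}")
```

A checker like this only catches the named patterns; a password that passes it is not thereby strong, it simply avoids the roughly 40% of choices the quoted research calls readily guessable.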

So, the lesson here is simple, and becomes Maxim #4:

Always use an unguessable, or at least difficult-to-guess, password.

What’s an unguessable password? I’ll cover that in a future post.

Cheers!
The Geek


Filed in: Computers, How To, Security, Tips
© 2017 Ask the Geek. All rights reserved.