InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘Opinion’ Category

Password Tips for Websites

Posted by Jaime Raphael Licauco, CISSP, GSEC on June 19, 2009

Revised 06/22/2009 (V1.1)

I’ve been thinking about passwords lately due to recent cybercrime that involved default passwords, and phishing attacks on Facebook which stole passwords from users.

Stronger passwords have been repeatedly talked about by InfoSec personnel since time immemorial.  We have repeatedly asked users to make stronger passwords, to the point that users are probably sick and tired of hearing the same thing. However, recent incidents show that we haven’t been effective enough since people still use simple or default passwords, probably because it’s thought to be inconvenient to make one — It isn’t — All it takes is a few extra minutes of your time and creativity.

Lockdown.co.uk** gives the following example of how long it takes to crack the following passwords using a dual processor PC:
darren = 30 seconds
Land3rz = 4 days
B33r&Mug = 23 years

Until two-factor authentication costs become less prohibitive — hopefully sooner than later (i.e. PhoneFactor is a new service which unfortunately charges $.14 per transaction for the Philippines) — we will have to rely on passwords for authentication.

I try not to rely on password programs which reside on my computer (i.e. Password Safe), but instead try to have strong passwords for each site.

Since the number one site in the Philippines is a Social Networking site, this will have a Social Networking slant (specifically Facebook).

Here are a couple of Tips:

First of all, DO NOT SHARE YOUR PASSWORDS, PUT IT ON A STICKY NOTE ON YOUR MONITOR (UNDER YOUR KEYBOARD, SEAT, ETC)

Now that the common sense ones are out of the way, on with the tips…

Use EV-SSL (Extended Validation SSL)

How: Mozilla Firefox address bar turns green on the left side. For IE, the whole address bar turns green.

Reason: Users who just click through warnings can actually be on a fake https site. EV-SSL makes it more difficult for phishers to fake a site. Also, the strongest passwords are useless if you’re already on a fake site.

EV-SSL

Bookmark your favorite site, and use the keyword feature (for Firefox) or equivalent.

How: On your bookmark, right click on it and then left click on “Properties”. Type a few letters or a word in the “Keyword” category. For this example I used “fb” so that all I need type on the address bar are the letters “f” and “b” to access https://www.facebook.com.

Reason: This mitigates your risk of user error and saves you time. The 2nd reason stated for EV-SSL, also applies here.

Bookmark and keyword

Change some Browser Settings to not remember what are in forms, and not remember passwords for sites.

How: Mozilla Firefox: Go to Tools, Options, Privacy then uncheck, “Remember what I enter in forms and the search bar”; Go to Tools, Options, Security and uncheck, “Remember passwords for sites”. Additionally you might want to click on “Saved Passwords” in case there are already saved passwords in your browser that you may wish to delete.

Reason: Not showing your “Username” to any user on a particular computer is another layer of defense. There have also been some hacks in the past (though already mitigated) on how browsers store passwords.

Uncheck Save Password for Sites

Use Best Password Practice, which is typically composed of the following:

– Must be at least 8 characters.

– Must not be a dictionary word.

– Must be complex – (thank Microsoft for making this popular) at least 3 of 4 of the following: Uppercase character, lowercase character, number, special character)… my take is that use all 4.

– Change your password at least every 60 days.

– Do not re-use any of your passwords for at least a year.

– Do not have the same word or character/number order in your subsequent passwords.

– Use different passwords for different applications and different sites.

All of the above “Best Practices” can be a pain. Security Professionals are human and we also get annoyed by some or all of the above. So I’ll break this down on how this could be easier.

Must be at least 8 characters, Must not be a dictionary word*, Must be complex:

How: You can deliberately misspell words, or use a phrase then shortcut that phrase. For example, the sentence, “Jekyll is a big lying bastard with no integrity whatsoever” can become “jIaBlBwNiW”. Yes, I do realize that this is not complex, but bear with me. As you can see, uppercase and lowercase takes turns here so that it makes it easier for me to remember.

To include numbers, I will change “B” to “8” therefore making it, “jIa8l8wNiW”. You can also change numbers to letters (e.g. 06/19/2009 can be Og/Ip/Zoop) but of course you will have to come up with your own formula on what numbers and letters you can interchange.

And to put special characters in our shortened phrase, you can put a comma or a period somewhere there and you can make the big letter “I” to “!” to make it “j!a8l8,wNiW”. As with the above opinion on numbers and letters, you have to come up with your own formula for what special characters can be interchanged for letters and numbers (e.g. 06/19/2009 can be )^/!(/@))( which really looks nuts but that’s how it can look like).

I would personally not use the above examples since I don’t know a person named Jekyll, nor would I recommend leaving one finger pressed on the Shift key as one types what is essentially an all special character password that a shoulder surfer might easily be able to see — I have only given the above and below examples to show the thought process on how to make strong passwords.

Reasons: The unrelenting increases in processing power, also means it’s becoming faster and faster to break passwords. A PC Mag list from back in 2007 of the most common passwords are all woefully lacking in complexity. Aside from having a password that takes longer to break, being able to type complex passwords fast, with your fingers in the correct typing position and having to use the Shift key once every few characters, can actually mitigate the threat of shoulder surfing.

Change your password at least every 60 days, Do not re-use any of your passwords for at least a year, Do not have the same word or character/number order in your subsequent passwords:

How: Now this is definitely a bone-of-contention. To mitigate risk some Security Professionals would rather use long passphrases instead of passwords, than have to change their passwords every 60 days. I however, would rather change it. This totally depends on you because this is a much bigger pain that the one above. I would actually suggest writing down your password then putting it in a secure physical space, or if not, put a part of it in your phone or in your wallet. Emphasize on “a part” since if someone steals your phone or wallet, and knows your username, then bye bye to privacy in your account.

Use different passwords for different applications and different sites:

How: What some InfoSec people do, is use something site specific built into their password. For example one can use a complex iteration of their birthday (I’ll use Jose Rizal’s) “June 19, 1861” to “dYun!9,eS1”; and then append it to what one may change the word “Facebook” to, “p@c3sbuks” — to have the really long password of “dYun!9,eS1p@c3sbuks”. You could also of course put “p@c3sbuks” in the middle or in front of your password.

Reason: I included this because a Sophos report states that about 33 percent of people in their survey use one password for everything they have. A Gartner survey done in September 2008 says that 2/3 (66%) of their survey respondents use only 1 or 2 passwords for all the websites they use.

Other things NOT TO DO:

– Don’t use your name or part of your username in your password.

– Don’t use multiple spaces, multiple repeating characters or numbers that are beside each other

– Don’t use any information that is readily identifiable (i.e. name of kids, spouse, girlfriend, etc)

– Don’t use letters or numbers beside or near each other on the keyboard

So that does it for Passwords.

A note on Security Questions:

Deliberately give something false that you can always remember. One wouldn’t want to be the victim of a Sarah Palin like attack wherein the attacker just searched for publicly available information about her to answer the security question that enabled him to access her e-mail. An example would be, “What is your Mother’s Maiden Name?” Your answer could be, “Sorry but I don’t talk to strangers” or some other phrase or sentence that doesn’t make sense but you won’t easily forget.

So those are my tips. I’ll be the first to admit that I don’t know everything, so if you would happen to know any great password tips that I have failed to mention, please do share in the comments section or write me an e-mail if you would like to remain anonymous. Thanks in advance.

* Most Filipinos know at least two different languages/dialects (English-Tagalog, English-Bisaya, English-Waray, etc) so I won’t even tackle that here, just put a (your other language here)-English word together or if you’re Conyo, go put your complex iteration of the the word, “Pare” or “Tol” before, in the middle or after your English word, or put your iteration of “Dude” or “Bro” before, in the middle or after your Tagalog word. Peace to the Conyos out there 🙂

** Many many thanks to a Security Mentor of mine (who may wish to remain anonymous) for sending this link on passwords.

Posted in Opinion, Philippines, Social Networking | Tagged: , , | 9 Comments »

More on Poll Automation and some Tools

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 24, 2009

Readers of this blog may be getting bored about poll automation, however there are news articles that are pertinent and give good arguments that I believe ought to be posted here.

Dennis Posadas, the Deputy Executive Director of the Philippine Congressional Commission on Science, Technology and Engineering, wrote an article entitled, “Computers can be hacked, so what?” The article details that we take a lot of technology based risks everyday, but it doesn’t mean that we shouldn’t use them. In other words, we make dozens of cost-benefit analyses each day but in the end we mostly benefit.

I am all for the automation of elections, there’s a possibility of it being a game changer and we may actually have a lot less fraud at the polls… something unheard of in my generation. However, I believe that it should be correctly implemented to minimize fraud, because if not, all those billions of pesos in taxpayer money might not go to the pockets of our corrupt officials… oops I mean, all that money will be for nought, and we’ll have the same or even more problems than we do with the un-automated version. The length of time for implementation and the logistical challenges full poll automation presents just strenghthens the case that maybe partial automation may be better.

Technology is an enabler, it can enable poll fraud to be harder, or it can actually make it easier. It all depends on the process.

Intelligent, competent and honest people should run the show (poll automation in this case). Leaders that put too much confidence and give statements that a yet implemented system cannot be hacked, borderline on ignorance, and shouldn’t be there at all… unless of course they have technical advisors that are the best the country can offer.


Re-post of earlier Comments

I am re-posting an earlier comment by dts, made by Patrick Dailey since its in the comments section and may not be seen by people who don’t check the comments.

dts said
March 21, 2009 at 10:14 am e

Comments made by
Patrick Dailey CISSP, GCFA, IT Audit and Security Consultant – Managing Director at DigiThreat Solutions
[http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=29343049&gid=1851931]

From an IT project management point of view, 80,000 machines with source code, voter information data, vote data, and other information will be installed throughout the country. Additionally, the provision of transmission of data to a centralized location (presumably via Internet) will have to be procured from each location where the machines are installed. Supplies of ballot paper, training, technical support, and warehousing are all part of this project, and all aspects of this project need to be completed by May 10th, 2010 (417 days from now). The winning bidder is announced on April 27th, 2009, giving the bidder 378 days to complete all tasks.

To say that this project is ambitious would be an understatement – let’s do the math. It will require that the winning bidder install the machines, the software, and (hopefully) test an average of over 200 machines a day, travel not included. This does not account for machines that are dead on arrival. Internet access will need to be procured at locations throughout the country. Ever tried to get an Internet connection procured in a remote province? It can take months to get a reliable connection even in Metro Manila. What about remote islands that offer no Internet service whatsoever?

Logistics will also play a major role – while slightly less than 2000 mothballed counting machines from the 2004 election are sitting in four floors of storage (costing taxpayers P30 million a year), how much storage will 80,000 counting machines require? If the same size of machines and stacking capability is utilized as is the current storage, it will require 160 floors, or roughly 40 hectares, of storage space. Phasing the storage of equipment in warehouses will add to the complexity of the project, and delivery of machines and other materials to the end location to install (and coordinating with the installers) would almost require a Ph.D. in logistics, if there was such a degree. Add training and technical support to the equation, and you have an extremely difficult project. I have no reason to doubt Mr. Tolentino when he has confidence in the bidders capabilities, but this type of project would stretch many large multi-national companies. Simply put, whoever wins this project has their hands very full, and I do wish them the best of luck.

Assuming the bidder can survive the project demands and logistics, they will then have to contend with the security risks that are involved with this undertaking. While “hackers” are the “in” thing to talk about, they are a very small subset of the overall security risks. Here are some very basic IT security questions the winning bidder should be asking before even bidding on the project:

-Are there a defined information security policies and procedures for this project?
-What is the overall network architecture of this project, including systems, ports, data transmission, data locations, and other pertinent information? Where are its weak points?
-Will firewalls be a part of the architecture? What is blocked? What is allowed? What is needed?
-Are wireless technologies utilized? If so, is it secured, or can someone sit outside the precinct offices and modify the votes?
-Is SMS an option being considered, and if so, what is being done to secure SMS?
-How does the transmission of data occur? Is it encrypted? If so, how?
-Is data transmission from one location to another vulnerable to man-in-the-middle or other attacks? If you do not know what a man-in-the-middle attack is, it is probably recommended that you not bid on this project.
-What happens if there is no electricity, or there is an outage during the middle of the election? What happens if there is an Internet/telco outage? Is there a detailed continuity and/or recovery program? If so, does the introduction of people handling the data provide added risk?
-How is the centralized data secured? Is it centralized on a SQL database? If so, how secure is your SA password and how vulnerable are you to SQL injection attacks?
-What if there are discrepencies between the vote tallies at the precinct, and the vote tallies that ends up being stored at the centralized location? What happens?

Many more IT questions could and will be asked, but the IT questions go well beyond the source code of the application. The source code could be absolutely fine, but if the underlying architecture has problems, then there are significant risks. It’s like building a mansion on an unstable slope – it might look good, but will crumble at the first sign of stress.

In a case such as elections, people pose an additional risk. Some questions to ask include:

-Will all programmers, installers, and other employees undergo background checks to help ensure that they cannot be compromised by third parties?
-How are devices physically secured from being compromised? Are guards watching them? If so, do they know what to look for? Or are they part of the problem?
-What if it weren’t typical “hackers”, but a foreign government trying to ensure that their preferred candidate gets elected? If you think that is far-fetched, then why were both the campaigns of John McCain and Barack Obama hacked by a foreign entity last year while leading up to the election? Why is the Chinese government repeatedly alleged to be hacking into foreign government systems?

The project scope, risks, and huge budget make this an extremely difficult endeavor. While Mr. Tolentino makes some pretty bold statements, it’s ultimately up to the winning bidder to follow through on the assertions he has made. Our company, as I am sure many other information security companies, would love to see the finished product. However, the source code is only a small component of the overall product and project, and will not give an overall picture of the security of the 2010 elections.


Seminars and Conventions

DEFCON Philippines BeerTalk II will be on April 24, 2009 7PM at Grilla, Paseo De Roxas Avenue Branch (near Greenbelt), Makati City, Philippines

THE 2ND SOCIAL NETWORKING AND E-BUSINESS CONFERENCE 2009 will be on April 23 – 24, 2009 at the Grand Ballroom, Hotel Intercontinental, Makati City, Philippines


Tools for Man in the Middle Attacks

Middler by Jay Beale
sslstrip by Moxie Marlinspike


Tips

(The H Security) The right way to handle encryption with Firefox 3


Other InfoSec News


(SC Magazine US) Internet Explorer 8 “critical” flaw in final version

(Computerworld Philippines) New IE8 still the slowest browser
(SearchSecurity) Internet Explorer 8 includes a bevy of security features
(Computerworld) IE8 best at blocking malware sites, says Microsoft sponsored study
(The Register) A grim day for browser security at hacker contest
(The H Security) Pwn2Own 2009 ends: Smartphones & Chrome unbroken

(The Register) Newfangled rootkits survive hard disk wiping
(Security Focus) Researchers aim low to root hardware

(SC Magazine US) OWASP Security Spending Benchmarks Report published
(Computerworld Philippines) Asia’s top infocomm event continues to chart region’s IT direction
(Security Focus) China more friend than foe, says white hat
(Computerworld) In poor economy, IT pros could turn to e-crime

(Security Focus) Cybercriminals optimize search for cash
(The Register) Scareware affiliates playing search engines
(Washington Post – Security Fix) Web Fraud 2.0: Data Search Tools for ID Thieves
(The Register) Cybercrime server exposed through Google cache

(The Register) Worm breeds botnet from home routers, modems
(The H Security) Botnet based on home network routers
(The H Security) An Analysis of Conficker-C
(Computerworld) Conficker’s next move a mystery to researchers

(The H Security) Twitter XSS vulnerability
(SecurityFocus) No more bugs for free, researchers say
(The H Security) HP publishes free security tool for Flash developers

(Computerworld) Start-up unveils hybrid cloud/on-site backup service

(SearchSecurity) Diebold ATMs in Russia targeted with malware
(The H Security) Windows Trojan on Diebold ATMs

(SearchSecurity) Firms muddle security breach response, expert says

(SearchSecurity) Microsoft Threat Management Gateway has some drawbacks

Posted in News, Opinion, Philippines, seminars, Social Networking, tools | Tagged: , , , , , , , | Leave a Comment »

Opinion: Philippine Cybercrime Bill, wherefore art thou?

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 12, 2009

For around two years now, Information Security Professionals have been saying that cybercrime is on the rise because of the change from ego-centric (i.e. malware that begs for attention) to financial motivation (i.e. malware that accumulates/sends data, silently evading detection). This financial motivation has led to cyber markets/exchanges wherein hackers and their cohorts transact, and in a more recent development, now specialize on a certain aspect of their trade, which in turn has increased efficiency. For example, some specialize on retrieving credit card numbers and other personal information, others specialize on printing the fake cards, while others use the cards, whether they be an ATM (Citibank hack in NYC) or a credit card (Malaysian’s arrested in Australia for fake credit card use). The current worldwide economic environment has only made matters worse.

The question here is, where is the Philippine version of the Cybercrime bill? Around two months ago, it was still on its second reading in Congress. It’s already taken more than eight years, I could be wrong, but I doubt its finally passed.

From what I’ve seen and experienced, I find it hard to believe that barely any cybercrime happens here. There are far too many good Filipino hackers and scammers, for nothing to be happening. Maybe audit logs aren’t turned on, maybe no one regularly checks the logs, maybe when people get scammed, they just let it go (feel free to blame the culture). UK’s BERR and PWC InfoSec Breaches Survey of 2008 states that there are fewer incidents reported in 2008 than 2004, however it may be because they’ve been understated since they found out that “companies that carry out risk assessment are four times as likely to detect identity theft as those that do not.” Which begs the question, do Philippine organizations with confidential information actually undertake risk assessments and take appropriate actions and implement controls to protect their assets? Just because an organization doesn’t have “incidents” doesn’t mean that confidential information doesn’t leak. How does one report an information security incident when one isn’t aware on how to identify it? Secondly, would the company in question have a process in place to accommodate what an employee finds suspicious? Third, would that company then have a process and resources (i.e. competence in IT Forensics) to investigate the report? I’m sure that if it happens to more security conscious countries, it must be happening here, we just aren’t aware of it or it isn’t reported… especially with all the useless WEP encryption found in coffee shops, keyloggers found in internet cafes, surreptitious card reader machines used to read credit card information, to stories of scammers at Philippine online auction sites.

Maybe it will take a high profile hacking on one of our few promising industries that is heavily dependent on IT: one of our BPOs. Or maybe even the hacking of private files of one of our lawmakers (Obama, Palin, and McCain got hacked last year) for there to be any progress on this bill. Whether that happens or not, I find it indefensible to wait for something bad to happen to impel lawmakers to do what’s right, and give the country and its people what there’s obviously a need for.

References:
(InfoSec Philippines) Nov 11, 2008 (note: has links to Philippine Cybercime bill news articles)
(TechRepublic, Sep 2007) Cybercrime tools market maturing, and crimes are on the rise
(Newsweek, Dec 2008) The Rise of Black Market Data
(Univ of Mannheim, Germany, Dec 2008) Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
(Wired, Oct 2008) Cybercrime Supersite ‘DarkMarket’ Was FBI Sting, Documents Confirm
(Symantec, Nov 2008) New Symantec Report Reveals Booming Underground Economy
(ihotdesk Outsourcing News, Dec 2007) Cyber crime market threatens data
(ContactCenterWorld.com, Feb 2009) Japanese Cybercrime at Record Levels as Hackers Crack Web sites
(Computer Crime Research Center, Oct 2008) Recent Stock Market Decline Causes Economic Cybercrime to Hit All Time High
(CBCNews Canada, Mar 2009) Fraud artists, security experts fight sophisticated battle
(ArticSoft, 2004) How Do You Deal With Internet Fraud
(Credit Cards Web UK, Mar 2009) Card fraud refunds being refused by more banks

Posted in Awareness, Compliance, ISMS, Legal, Opinion, Philippines | Tagged: , , , , , , , , | Leave a Comment »