InfoSec Philippines

Information Security, Technology News and Opinions

Posts Tagged ‘Facebook’

Password Tips for Websites

Posted by Jaime Raphael Licauco, CISSP, GSEC on June 19, 2009

Revised 06/22/2009 (V1.1)

I’ve been thinking about passwords lately due to recent cybercrime that involved default passwords, and phishing attacks on Facebook which stole passwords from users.

Stronger passwords have been repeatedly talked about by InfoSec personnel since time immemorial.  We have repeatedly asked users to make stronger passwords, to the point that users are probably sick and tired of hearing the same thing. However, recent incidents show that we haven’t been effective enough since people still use simple or default passwords, probably because it’s thought to be inconvenient to make one — It isn’t — All it takes is a few extra minutes of your time and creativity.

Lockdown.co.uk** gives the following example of how long it takes to crack the following passwords using a dual processor PC:
darren = 30 seconds
Land3rz = 4 days
B33r&Mug = 23 years

Until two-factor authentication costs become less prohibitive — hopefully sooner than later (i.e. PhoneFactor is a new service which unfortunately charges $.14 per transaction for the Philippines) — we will have to rely on passwords for authentication.

I try not to rely on password programs which reside on my computer (i.e. Password Safe), but instead try to have strong passwords for each site.

Since the number one site in the Philippines is a Social Networking site, this will have a Social Networking slant (specifically Facebook).

Here are a couple of Tips:

First of all, DO NOT SHARE YOUR PASSWORDS, PUT IT ON A STICKY NOTE ON YOUR MONITOR (UNDER YOUR KEYBOARD, SEAT, ETC)

Now that the common sense ones are out of the way, on with the tips…

Use EV-SSL (Extended Validation SSL)

How: Mozilla Firefox address bar turns green on the left side. For IE, the whole address bar turns green.

Reason: Users who just click through warnings can actually be on a fake https site. EV-SSL makes it more difficult for phishers to fake a site. Also, the strongest passwords are useless if you’re already on a fake site.

EV-SSL

Bookmark your favorite site, and use the keyword feature (for Firefox) or equivalent.

How: On your bookmark, right click on it and then left click on “Properties”. Type a few letters or a word in the “Keyword” category. For this example I used “fb” so that all I need type on the address bar are the letters “f” and “b” to access https://www.facebook.com.

Reason: This mitigates your risk of user error and saves you time. The 2nd reason stated for EV-SSL, also applies here.

Bookmark and keyword

Change some Browser Settings to not remember what are in forms, and not remember passwords for sites.

How: Mozilla Firefox: Go to Tools, Options, Privacy then uncheck, “Remember what I enter in forms and the search bar”; Go to Tools, Options, Security and uncheck, “Remember passwords for sites”. Additionally you might want to click on “Saved Passwords” in case there are already saved passwords in your browser that you may wish to delete.

Reason: Not showing your “Username” to any user on a particular computer is another layer of defense. There have also been some hacks in the past (though already mitigated) on how browsers store passwords.

Uncheck Save Password for Sites

Use Best Password Practice, which is typically composed of the following:

– Must be at least 8 characters.

– Must not be a dictionary word.

– Must be complex – (thank Microsoft for making this popular) at least 3 of 4 of the following: Uppercase character, lowercase character, number, special character)… my take is that use all 4.

– Change your password at least every 60 days.

– Do not re-use any of your passwords for at least a year.

– Do not have the same word or character/number order in your subsequent passwords.

– Use different passwords for different applications and different sites.

All of the above “Best Practices” can be a pain. Security Professionals are human and we also get annoyed by some or all of the above. So I’ll break this down on how this could be easier.

Must be at least 8 characters, Must not be a dictionary word*, Must be complex:

How: You can deliberately misspell words, or use a phrase then shortcut that phrase. For example, the sentence, “Jekyll is a big lying bastard with no integrity whatsoever” can become “jIaBlBwNiW”. Yes, I do realize that this is not complex, but bear with me. As you can see, uppercase and lowercase takes turns here so that it makes it easier for me to remember.

To include numbers, I will change “B” to “8” therefore making it, “jIa8l8wNiW”. You can also change numbers to letters (e.g. 06/19/2009 can be Og/Ip/Zoop) but of course you will have to come up with your own formula on what numbers and letters you can interchange.

And to put special characters in our shortened phrase, you can put a comma or a period somewhere there and you can make the big letter “I” to “!” to make it “j!a8l8,wNiW”. As with the above opinion on numbers and letters, you have to come up with your own formula for what special characters can be interchanged for letters and numbers (e.g. 06/19/2009 can be )^/!(/@))( which really looks nuts but that’s how it can look like).

I would personally not use the above examples since I don’t know a person named Jekyll, nor would I recommend leaving one finger pressed on the Shift key as one types what is essentially an all special character password that a shoulder surfer might easily be able to see — I have only given the above and below examples to show the thought process on how to make strong passwords.

Reasons: The unrelenting increases in processing power, also means it’s becoming faster and faster to break passwords. A PC Mag list from back in 2007 of the most common passwords are all woefully lacking in complexity. Aside from having a password that takes longer to break, being able to type complex passwords fast, with your fingers in the correct typing position and having to use the Shift key once every few characters, can actually mitigate the threat of shoulder surfing.

Change your password at least every 60 days, Do not re-use any of your passwords for at least a year, Do not have the same word or character/number order in your subsequent passwords:

How: Now this is definitely a bone-of-contention. To mitigate risk some Security Professionals would rather use long passphrases instead of passwords, than have to change their passwords every 60 days. I however, would rather change it. This totally depends on you because this is a much bigger pain that the one above. I would actually suggest writing down your password then putting it in a secure physical space, or if not, put a part of it in your phone or in your wallet. Emphasize on “a part” since if someone steals your phone or wallet, and knows your username, then bye bye to privacy in your account.

Use different passwords for different applications and different sites:

How: What some InfoSec people do, is use something site specific built into their password. For example one can use a complex iteration of their birthday (I’ll use Jose Rizal’s) “June 19, 1861” to “dYun!9,eS1”; and then append it to what one may change the word “Facebook” to, “p@c3sbuks” — to have the really long password of “dYun!9,eS1p@c3sbuks”. You could also of course put “p@c3sbuks” in the middle or in front of your password.

Reason: I included this because a Sophos report states that about 33 percent of people in their survey use one password for everything they have. A Gartner survey done in September 2008 says that 2/3 (66%) of their survey respondents use only 1 or 2 passwords for all the websites they use.

Other things NOT TO DO:

– Don’t use your name or part of your username in your password.

– Don’t use multiple spaces, multiple repeating characters or numbers that are beside each other

– Don’t use any information that is readily identifiable (i.e. name of kids, spouse, girlfriend, etc)

– Don’t use letters or numbers beside or near each other on the keyboard

So that does it for Passwords.

A note on Security Questions:

Deliberately give something false that you can always remember. One wouldn’t want to be the victim of a Sarah Palin like attack wherein the attacker just searched for publicly available information about her to answer the security question that enabled him to access her e-mail. An example would be, “What is your Mother’s Maiden Name?” Your answer could be, “Sorry but I don’t talk to strangers” or some other phrase or sentence that doesn’t make sense but you won’t easily forget.

So those are my tips. I’ll be the first to admit that I don’t know everything, so if you would happen to know any great password tips that I have failed to mention, please do share in the comments section or write me an e-mail if you would like to remain anonymous. Thanks in advance.

* Most Filipinos know at least two different languages/dialects (English-Tagalog, English-Bisaya, English-Waray, etc) so I won’t even tackle that here, just put a (your other language here)-English word together or if you’re Conyo, go put your complex iteration of the the word, “Pare” or “Tol” before, in the middle or after your English word, or put your iteration of “Dude” or “Bro” before, in the middle or after your Tagalog word. Peace to the Conyos out there 🙂

** Many many thanks to a Security Mentor of mine (who may wish to remain anonymous) for sending this link on passwords.

Posted in Opinion, Philippines, Social Networking | Tagged: , , | 9 Comments »

Opinion: On Tolentino’s CONfidence

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 22, 2009

I was chatting with an IT Security expert (who wishes to remain anonymous) the other day regarding Comelec’s Executive Director Jose Tolentino’s views about the coming implementation of PCOS machines as being un-hackable… yes, Tolentino’s views come even BEFORE its implemented. The reason why I’m posting it here is because I agree with the IT Security expert’s views.

Excerpts from the chat:

IT Sec Expert: such a display of confidence seems to be borderline misinformation
Me: true, i wonder what machine they used and if its possible to play around with it
IT Sec Expert: wel, they should worry more about organized crime, not hackers
Me: organized crime with hackers
IT Sec Expert: would the people handling such a new technology, na foreign made pa, be competent enough?
IT Sec Expert: that system would be closed circuit
Me: wires can easily be tapped, i wonder what encryption they’ll be using
IT Sec Expert: they’ll probably have dialup
Me: inside job na lang
IT Sec Expert: it would have been better had they had it publicly assessed and offer a bounty for the successful hacker
Me: why don’t you put your comments?
IT Sec Expert: you know how people are in the philippines, they always take things personally

I personally think that it’s great that the Comelec is trying something new regarding minimizing election fraud. However, time and again, its been shown that computers can be hacked, and challenging hackers is typically the first sign that a system will be hacked. Tolentino’s statements make me feel all so warm and fuzzy that the Comelec’s system is probably more secure than NASA, the US Pentagon, Royal Dutch Shell and hundreds of supposedly secure systems that have all been hacked. Maybe the Comelec’s people can consult for the Pentagon and teach them how to secure a system. No, really… seriously….

Our country’s history has shown that our own people are easier to hack (Social Engineering), which begs the question regarding not just the competency of the operators, but their integrity… will the Comelec be conducting background checks? I now wonder if the Comelec has had their system assessed, and if so by who and how was it assessed? I also hope that there will be transparency in the assessment.

Bernie Lopez wrote an insightful article which came out in PDI today entitled, “Computers can be hacked.” No, duh. Unfortunately Director Tolentino, one of the main people in the Philippines entrusted with keeping the sanctity of the ballot, thinks otherwise.


Social Networking
I was planning on writing about Facebook privacy, however PDI’s Bianca Consunji wrote a good article on it in “Knowing about privacy on Facebook.”


Botnets
BBC’s Click programme for Mar 13 was about botnets. They acquired control of over 20,000 infected computers all over the world (yes, you can now buy time on other people’s computers without their knowing it). Top botnets have more than a few hundred thousand computers under their control – up to an estimated million. They also talk about how to protect your computer here (warning tiny video, slightly muffled sound… they should’ve just used You Tube). They actually got in hot water because of this.

Posted in Philippines, Privacy | Tagged: , , , , , , , , | Leave a Comment »

Social Networking Articles about the Philippines

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 4, 2008

A couple of interesting articles about Social Networking in the Philippines have come out in the past few months.

  • (Inquirer.net) Friendster fame, magnet for ads,
  • (Inquirer.net) Filipinos still make up big chunk of Friendster users,
  • (Inquirer.net) RP has highest percentage of social network users.
  • Wikipedia even has an article on Social Networking in the Philippines.

    1to1Media published an article regarding social networking sites such as Facebook and Multiply in Photo Tagging Portends New Frontier for Privacy Pros.

    If you’re interested in Social Networking and Social Engineering attacks using them, you might want to check out ENISA’s podcast on Locking Down Social Networking Vulnerabilities, this was given in Infosecurity Europe 2008 earlier this year. Enisa also has a Position Paper on Security Issues and Recommendations for Online Social Networks which was presented at the echallenges conference in the Hague on Oct 25, 2007. You can download the 36 page pdf from the above link.

    Posted in News, Philippines, Privacy, Social Networking | Tagged: , , , , , , , | Leave a Comment »