With identity theft and account hijacking rampant, think about raising the toughness of your online passwords to a higher level of obscurity. At home this is especially difficult for some of us because of the much larger number of home passwords (multiple financial accounts, multiple email addresses, multiple online store accounts, home utility accounts, and more - dozens for me). How to do this? Dennis O'Reilly has a useful article "How to master the art of passwords" with some controversial advice:
Gunter Ollman, a researcher for security firm Damballa, concludes that recording your passwords on paper is the lesser of several password evils; more risky is using the same password at multiple sites, setting your software to remember passwords, failing to change passwords frequently, using an easy-to-guess password, and reusing past passwords.
Likewise, computer expert Bruce Schneier reiterated on his Schneier on Security blog the advice of Microsoft executive Jesper Johansson to record your passwords on paper to encourage use of strong passwords.
Without writing down full passwords at home I use a system where I write down hints. I can apply some personal rules for password generation to those hints and come up with the passwords I use. The little hints aren't even words in my case. They are very obscure letter combinations that trigger thoughts in my head. For very frequently used passwords on a few key accounts I've got the passwords well memorized and not written anywhere.
O'Reilly points to the site HowSecureIsMyPassword.net, which I suggest you visit. You don't have to type in your real passwords. You could just type in assorted ideas you have for passwords and watch how it rates each one for crackability. Try mixed case, special characters (other than A-Za-z0-9), and words versus non-words. See how the ratings change.
You can base your passwords around words since words are easier to remember. But then you can add camouflage. For example, you can substitute special characters for letters in words. Sometimes this is done with obvious substitutions such as '@' in place of 'a' and '3' in place of 'E'. But you could make up your own substitutions that are not obvious to others as long as you can remember them.
Other games to play with words: misspell them, spell them backward, add suffixes and prefixes that a word normally never gets, interleave two words every other letter. You can also use the first letters of the words in a sentence you think you'll remember. Or even use the last letters of the words in a sentence.
Update: To be clear, common substitutions in words (e.g. @ in place of a) help some, but not a lot. You would be better off making up your own substitution rules that are unlikely to be guessed. Another idea: mix words from different languages so that a dictionary attack has to cut across languages. That makes the search space much larger. Also, longer passwords are better. Go over 10 characters. The more the better.
Update II: Some more password rating sites: Microsoft's, Gibson Research's, Tyler Akins of Rumkin, and PasswordMeter. The problem is that if you apply common transformations to words you can fool most (all?) of these password checkers into rating your password as stronger than it really is. That's why you've got to use uncommon transformations on words, or not use words as your starting point at all.
Still, a password rated highly by the sites above is probably going to be better than what 90+% of the people reading this are currently using. So at least use a password that is rated highly by some of these sites.
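To show why the checkers can be fooled, here is an added Python sketch that is not from O'Reilly's article or any of the rating sites: it compares the charset-size estimate a simple meter reports with a rough guess cost for a cracker that knows a word list and the obvious substitutions. The word list, substitution table and passwords are constructed for the example, and the cost model is a rough approximation, not any real cracker's.

```python
import math

# Constructed stand-ins: a cracker's word list and the "obvious" substitutions the post mentions.
WORDLIST = {"password", "dragon", "monkey", "welcome", "letmein", "football", "secret", "summer"}
COMMON_LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
SUBSTITUTABLE = set(COMMON_LEET.values())

def charset_size(password: str) -> int:
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size

def meter_bits(password: str) -> float:
    """What a simple online meter reports: log2(charset ** length)."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0

def cracker_bits(password: str) -> float:
    """Rough guess cost for a cracker that tries dictionary words with the common substitutions
    and brute-forces the rest; falls back to meter_bits() when no word survives un-substitution."""
    base = "".join(COMMON_LEET.get(c, c) for c in password).lower()
    for word in sorted(WORDLIST, key=len, reverse=True):
        start = base.find(word)
        if start < 0:
            continue
        chunk = password[start:start + len(word)]
        bits = math.log2(len(WORDLIST))                       # which word
        bits += sum(1 for c in word if c in SUBSTITUTABLE)    # per letter: substituted or not
        bits += sum(1 for c in chunk if c.isupper())          # per letter: capitalised or not
        return bits + meter_bits(password[:start] + password[start + len(word):])
    return meter_bits(password)

def interleave(a: str, b: str) -> str:
    """One of the post's uncommon transformations: alternate the letters of two words."""
    return "".join(x + y for x, y in zip(a, b)) + a[len(b):] + b[len(a):]

def report(password: str) -> dict:
    return {"meter_bits": round(meter_bits(password), 1), "cracker_bits": round(cracker_bits(password), 1)}

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Dr@gon2024", interleave("dragon", "summer"), "dragonverano"]:
        print(pw, report(pw))
```

"P@ssw0rd" scores about 53 bits on the meter but only 8 under the cracker model, while the interleaved and mixed-language passwords keep their rating because no known transformation undoes them.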
Also see: Report: Analysis of the Stratfor Password List. Are you making any of those mistakes?
The US Defense Advanced Research Projects Agency is spending money to come up with counters to the threat that chips in servers, PCs, routers, and other computer equipment could contain Trojans.
The Pentagon's top research division is trying, however. Over the past two months, Darpa has awarded nine contracts totaling $49 million for its Integrity and Reliability of Integrated Circuits (IRIS) program to check for compromised chips. Seven companies and two universities received the awards.
This problem has non-defense dimensions that are far more pedestrian. Companies create clones of chips made by other companies. Some unethical companies even make counterfeit memory cards, which has prompted the development of software to test USB memory sticks for fakes, which perform worse than the real thing and fail at higher rates. There's even a Fake Flash News blog reporting on it.
More complex electronic devices get cloned by counterfeiters, especially in China. While the known cloners make fakes in order to profit from the designs of others, it isn't that big a step to make clones that appear functionally identical but contain monitoring circuitry that patches into the OS of, say, a router or server and sends information back to some spy server for analysis. This is what the US military and intelligence agencies fear.
One can imagine the US and NATO allies striking deals with computer equipment makers so that certain categories of chips and equipment intended for military and other government facilities, and for government contractors, get built in NATO countries. Anyone heard of cases where this is done?
“The scope of this is much larger than anybody has ever conveyed,” says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. “There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now.”
Mandia claims these intrusions are persistent and used for industrial espionage on a massive scale.
Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.
I do not know whether the threat is this large. Are Chinese hackers really sucking massive amounts of proprietary design and business plan data from American, Japanese, and European corporations?
If the infiltrations really are persistent and on a large scale, I have some practical suggestions on how to cut them down by orders of magnitude. Analogies with biological systems come to mind. Biological RNA and DNA viruses can only work because they use the same mapping of codons to amino acids as their hosts. The same three-letter DNA and RNA sequences map to the same amino acids in just about all living organisms on this planet. An organism that used a very different set of mappings would likely be immune to existing viruses.
This description is about to get too technical for most people who aren't computer architects or software developers. Sorry about that.
In computing the problem stems from the universal use of the same operating systems, scripting languages, networking protocols, and CPU op codes. The obvious solution: generate custom instruction sets with different orderings of the bits in op codes. The same compilers (e.g. gcc) could be used with back-end code generators that read in tables describing how to map to the specialized bit orderings of existing processor instruction sets.
Take a microprocessor instruction set such as some level of the ARM instruction set. Create a description of an ARM processor in, say, VHDL. Enhance the description so that as instructions are fetched, their op code bits get swapped from the ordering used in memory to the ordering the CPU understands. The CPU would execute op codes laid out like any conventional ARM processor, but it would fetch them from memory in a secret format which the secret version of the gcc back-end knows how to generate.
Alternatively, the CPU could execute the secret op code layout. At each site the VHDL (or Verilog or other logic description language) could be transformed into a different unique op code layout. Then the compiled processor architecture could be loaded into an FPGA for execution.
Each super-secure site would generate a different secret bit ordering. The odds of a binary code virus getting into the facility and invading servers would be extremely low because the virus writers wouldn't know how to generate legal op codes.
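As an added toy model of the scheme (not from this post, and not any real gcc back-end or VHDL): an 8-bit instruction set whose fetch stage undoes a per-site secret bit permutation, so a site-native binary runs while the same program in the public layout decodes to an undefined opcode. The ISA, the site secret and the program are constructed for the example.

```python
import random

# Toy 8-bit ISA constructed for this example (not ARM): opcode in bits 7..5, operand in bits 4..0;
# only opcodes 0..3 exist, so a fetched word with any other opcode is a fault.
OP_HALT, OP_LOADI, OP_ADDI, OP_OUT = 0, 1, 2, 3
WORD_BITS = 8

def make_site_permutation(site_secret: int) -> list[int]:
    """Per-site secret bit ordering: perm[i] is the memory bit that stores architectural bit i."""
    rng = random.Random(site_secret)   # site_secret stands in for a real per-site secret
    perm = list(range(WORD_BITS))
    rng.shuffle(perm)
    return perm

def permute_bits(word: int, perm: list[int]) -> int:
    """Move bit i of word to bit position perm[i]."""
    return sum(1 << perm[i] for i in range(WORD_BITS) if (word >> i) & 1)

def assemble(program: list[int], perm: list[int]) -> bytes:
    """The 'secret gcc back-end': emit architectural words in the site's memory bit order."""
    return bytes(permute_bits(w, perm) for w in program)

def run(memory: bytes, perm: list[int]):
    """CPU whose fetch stage swaps the bits back before decode; returns the OUT values, or None on an illegal opcode."""
    inv = [perm.index(j) for j in range(WORD_BITS)]   # inverse permutation, applied at fetch
    acc, pc, out = 0, 0, []
    while pc < len(memory):
        word = permute_bits(memory[pc], inv)
        op, arg = word >> 5, word & 0x1F
        pc += 1
        if op == OP_HALT:
            return out
        elif op == OP_LOADI:
            acc = arg
        elif op == OP_ADDI:
            acc = (acc + arg) & 0xFF
        elif op == OP_OUT:
            out.append(acc)
        else:
            return None   # undefined opcode: the CPU faults
    return out

# Program in the public (unpermuted) layout: LOADI 5; ADDI 7; OUT; HALT  -> output [12]
PROGRAM = [0x25, 0x47, 0x60, 0x00]

if __name__ == "__main__":
    site = make_site_permutation(0xC0FFEE)   # constructed site secret
    print("site-native binary:", run(assemble(PROGRAM, site), site))   # [12]
    print("public-layout binary:", run(bytes(PROGRAM), site))          # usually None: first word is illegal
```

Even this 8-bit toy has 8! orderings; a 32-bit instruction word has 32!, which is what makes guessing a site's layout impractical for a binary written elsewhere.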
This same approach could be applied to interpreted scripting languages. Developers could still write and debug in, say, Python or Ruby or Perl. But their source code could be translated into a very different looking interpreted language by a secure (not on a network) computer that reads in, say, Python and spits out a different, secret scripting language whose interpreter could be derived from the open source public Python interpreter engine.
The key to this approach is to develop microprocessor descriptions and interpreted languages that lend themselves to automated transformation into functionally equivalent but different looking instruction execution machines.
In a nutshell: automate the generation of obscure execution languages and op code architectures.
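An added sketch of the scripting-language variant, built on Python's own tokenize module (not from this post; the keyword table, the sample program and the `_ident_` renaming are constructions for the example): every keyword gets a per-site spelling, and the site interpreter translates back before handing the code to the public interpreter, so public Python fails to compile there.

```python
import io, keyword, random, tokenize

LETTERS = "abcdefghijklmnopqrstuvwxyz"

def make_keyword_table(site_secret: int) -> dict:
    """Per-site secret: every Python keyword gets a private spelling. site_secret stands in for a real secret."""
    rng = random.Random(site_secret)
    return {kw: "".join(rng.choice(LETTERS) for _ in range(12)) for kw in keyword.kwlist}

def _rewrite_names(src: str, rename) -> str:
    """Re-spell NAME tokens (keywords and identifiers) with rename(); every other token is untouched."""
    toks = [(t.type, rename(t.string) if t.type == tokenize.NAME else t.string)
            for t in tokenize.generate_tokens(io.StringIO(src).readline)]
    return tokenize.untokenize(toks)

def to_site_language(python_src: str, table: dict) -> str:
    """The offline translator: public Python in, the site's private scripting language out."""
    return _rewrite_names(python_src, lambda name: table.get(name, name))

def site_interpreter(site_src: str, table: dict) -> dict:
    """Interpreter derived from the public one: translate back to Python, then execute.
    A NAME spelled like a public keyword is just an identifier in the site language, so it is
    renamed rather than allowed to act as a keyword; public-Python source therefore fails to compile."""
    back = {private: kw for kw, private in table.items()}
    py = _rewrite_names(site_src, lambda n: back.get(n, "_ident_" + n if keyword.iskeyword(n) else n))
    namespace = {}
    exec(compile(py, "<site-language>", "exec"), namespace)
    return namespace

def accepts(site_src: str, table: dict) -> bool:
    try:
        site_interpreter(site_src, table)
        return True
    except SyntaxError:
        return False

# Constructed sample program in public Python
PUBLIC_SRC = "def add(a, b):\n    return a + b\n\nresult = add(2, 3)\n"

if __name__ == "__main__":
    table = make_keyword_table(0xC0FFEE)           # constructed site secret
    site_src = to_site_language(PUBLIC_SRC, table)
    print(site_src)
    print(site_interpreter(site_src, table)["result"])   # 5
    print(accepts(PUBLIC_SRC, table))                     # False: public Python is gibberish here
```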
Desktops are a harder nut to crack. One way to do it is to make desktops akin to X servers. Run the real word processor, spreadsheet, or browser on the secret server's instruction set architecture. Of course, then OpenOffice and Mozilla Firefox would need to be compiled for each server. This approach is easier to do with open source.