What technologies compromise security/privacy and why

Summary and examples

If anyone can gain frequent access to where a password (or, more usually, its stored hash) is kept it can be compromised, because they can try many times. As at Oct 2007 (IMHO) the very weakest technologies are: e-mail, wireless routers and PCs, plus any mobile technologies such as 'phones, PDAs, laptops etc. That is only my opinion (IMHO) - hackers and their specialist counterparts are in thousands of constant battles on a global basis to tip the balance, and there are constantly new winners and losers.

At one extreme:
1. Your PC. If anyone has physical access they only need 5 minutes to boot the PC from a CD and copy the stored password hashes, which they can then process either 'there and then' or later when they have access to their own cracking facilities. The former takes just 15-20 minutes (of your PC time) for alphanumeric passwords less than 15 characters long! The latter is only a question of how much the hacker wants the password. Their first 2 attempts are likely to be:
  • Alphanumerics less than 15 characters long - very simple, and when run from a hard drive rather than a CD will take less than five minutes. See http://en.wikipedia.org/wiki/LM_hash for a brief description of how bad the underlying 'LM hash' is. If that fails...
  • Alphanumerics and specials - total less than 15 characters. Depending upon the hacker's PC, hard drive space and investment in hacking tools/databases this would take between an hour and overnight.

If the latter fails they will simply use an Internet service to crack the password for less than 20 dollars if your PC is an attractive target.

The critical factor here is that a PC can try many thousands of candidate passwords per second, which means that they can use brute force to try every possible combination of increasingly large character sets - and, as described further down, precomputed tables let them do most of that work once and reuse it against every PC they get their hands on.

At the other extreme:
2. Your e-mail address. Internet Service Providers (ISPs) should have tools and procedures in place to stop login attempts that are too frequent, but they don't want to alienate real customers and may well allow 10 attempts in 10 minutes. Bear in mind that they will almost always offer e-mail as a FREE service, and on that basis you can pretty well guarantee that they offer NO WARRANTY that they will safeguard your e-mail service and all of its contents!

Particularly if you have used your account name as an address (a very, very bad idea!), anyone who has that address also knows your login name and can easily find the ISP's webmail login page - i.e. they can attack your e-mail REMOTELY, trying various passwords at that web page without ever touching your PC.

Because each ISP will hopefully have rules about password attempts, the hacker may use his PC to automatically try one password per minute against your account, but in that same minute might try that same password on 1,000 other e-mail addresses that he has access to from the millions available on a CD for 30 dollars - so the per-account limit is never tripped. As the speed is so much slower, the hacker is much more likely to use dictionary-based guesses with the obvious transpositions of numbers and letters that users assume will make such guesses more difficult. Once a hacker can login to your mail as you, then he or she can of course not only see your existing e-mails and what companies you already have relationships with but can also initiate new interactions, and take the small chance that you will not access your mail at 2-5am when they can delete any traces without you ever seeing them!

Bear in mind that if an ISP is compromised, or you have used a password on a low-grade web site, then the fate of your password is likely to be sealed with the same predictability as the first example - i.e. it is simply a question of when, not if, your password becomes known.

The range of technologies that are either seriously at risk and/or CREATE RISKs

Expanding the list above (see summary) with the basic aspects of risk:

  • e-mail is the classic example of being at risk and creating risk. As my example above demonstrates, anyone with a simple password that is a name or just a common word is severely at risk - especially if their account name is used as an address. The excruciating double-whammy about e-mail is that so many web sites use it as a means of verifying your identity (password resets are sent to it)! That isn't just a problem with existing accounts you may have with retailers: one day you may start receiving bills from twenty more! This is the reason that banks rarely use e-mail for any purpose other than marketing.
  • Wireless routers are unfortunately almost as bad, and a double whammy too! Their problems are (at least) twofold:
    1. There is a method of attack which can be launched by simply browsing a malicious web site: the page makes your own browser send management requests to the router, and if the router's login username and password have not been changed from the supplier's defaults then it can be reconfigured to allow remote management, after which it is 'game over' for anyone who uses a PC via that router!
    2. Many routers are still set up to use an old method (WEP) of securing the transmission of your data between PCs and the router, even though they MAY be capable of better. If you use the old protocol (or worse still have no protection!) then someone can become part of your local network within 2-3 minutes if they have a laptop with some very basic and readily available hardware and software.

    The problem with the latter isn't just stealing bandwidth: once on your network they can also escalate to attack 1 above, with the same consequences for anyone that uses that router! For anyone wanting to understand why it is 'game over', consider the fact that almost all router installations give the router the job of translating web site names to actual Internet numbers (IP addresses, i.e. DNS). So www.barclays.co.uk et al. may not be who you think they are! Possibly worse - how about downloading your updates to XP from microsoft.com! See Wireless security WPA not WEP for more details about the problem and possible solutions.

  • PCs also have immediate double-whammy status because they are the centre of so much of what we do online, and if yours is compromised then your problems could be even worse than in the router scenario above! The good news is that there are well-established tools and techniques to avoid the problem, but the bad news is that they often rely on YOU to actually:
    1. Initiate in a competent manner - maybe employ a professional
    2. Regularly maintain, service and perhaps renew any tools/products
    3. Above all, be vigilant and KNOW enough to recognise when a risk is too high to be taken, and what makes a difference and when.

    So although someone with physical access to your PC is extremely dangerous (as in the example a long way above), anyone who has Windows XP with Service Pack 2 and all subsequent fixes, plus quality firewall and antivirus programs that are also up to date, is USUALLY safe! The exceptions - i.e. at higher risk - are at least any of the following:

    1. The PC has been set up for Remote Desktop, which is very different from Remote Assistance! Remote Desktop doesn't need you to initiate the take-over of the PC, so anyone who reaches it over the network and guesses the password is in!!!
    2. Any user of the PC uses peer-to-peer technologies such as any flavour of 'messaging' (e.g. MSN Messenger) or file sharing for songs or videos

    One final thought regarding PCs - bear in mind that if yours was stolen, or you upgraded your PC and allowed the old hard drive to leave your possession without being professionally wiped, then just consider the problems you could have in either scenario: the hashes (and everything else) on that drive are in the hands of whoever has it.

  • Mobile technologies such as 'phones, PDAs etc. will always give some 'pretence' of security despite being almost unanimously incapable of anything of substance. Devices that rely on a managed service for most of their operations (such as a mobile 'phone) can easily have those services withheld, but the physical device and the data that you have stored on it should be regarded as 'freely available' within a few hours, or at most days, of such a device being stolen.

What are the consequences of your password(s) being compromised?

For most people the highest risk items are those that I highlight above as being a 'double whammy' because of the impact as described. By far the greatest risk is that of escalation through your hierarchy of assets, with the most likely and highest prize being your financial dealings with investment companies, banks, building societies et al. See How to manage passwords on the topic of keeping your passwords in zones of trust which you keep very much isolated.

That's all for now folks... more when I get time... Brian R


Some detail below on various topics - maybe they need a different page...

Why low-medium quality web sites and technologies pose so much risk!

The wider aspects of password management are truly expansive because of the constant fight between those that want to secure them versus those that want to crack them, the ever-changing technology, and the fact that the scenarios of use can be totally different. Computers have to store their own 'key' against which they can check that the password you provide is a match.

The very weakest approach is that the key they store IS the password! - e.g. 'beckham99' is stored as-is. This method is in use today but only by very low-medium grade web sites and technologies; however this IS still a BIG EXPOSURE, because if anyone uses the same or even a very similar password with these sites or technologies as they do with any that have resources at risk then that is a nightmare waiting to happen. All PCs, web servers and even 'quality computers' have some exposure to their databases of passwords being copied - note that they don't need to be stolen to cause immense damage: just a minute with a memory stick is sufficient!

Unless you are certain to the contrary, the only safe assumptions that you can make are:

  1. It is possible for an attacker to copy the database of passwords from any system that you use - PC, web site, 'phone, PDA etc.
  2. Apart from the most competent and trusted companies, you cannot be sure that the storage of passwords is adequately protected (properly hashed with something unique per site or per user, rather than stored as-is or 'encrypted' in a reversible way) - anyone wanting to understand the nuances of the word 'adequate' should read below.

The points above are the primary basis for the adoption of levels which you must keep very, very distinct in terms of the password algorithm and the secrets that go into the password. See http://en.wikipedia.org/wiki/Password_strength for more background information. From that page you will also learn of the advanced techniques that are close to 'unstoppable' in certain scenarios - a hardware key logger in an Internet café for instance, against which no password strength helps at all.

Encrypted passwords - mathematically uncrackable aren't they?

The basic problem is that if the rewards for hackers are high enough then they will be funded by 'serious' criminals to make cracking possible. The case of XP passwords is a good example: hundreds of millions of PCs run XP and it has a fundamental flaw - the old 'LM hash' that XP still stores for passwords shorter than 15 characters converts the password to upper case, pads it to 14 characters, splits it into two 7-character halves and hashes each half separately with a well-known, fixed algorithm, adding nothing unique (no 'salt') per user or per machine. So the same password always gives the same hash on every PC in the world, and each half can be attacked on its own.

Hackers have spent weeks creating what are called 'Rainbow tables' which are then used to reverse any alphanumeric XP password (in LM hash form) less than 15 characters long in a matter of minutes, and worse still the tables are freely downloadable in a form that can be burnt to a bootable CD, which makes them ideal for any PC that you can physically access.

However, on the more serious side, if there can be one - the method is really only limited by the size of the tables, so criminals or even 'kids' can download the 43GB needed to crack passwords which use the full range of characters from a keyboard, with success rates claimed to be 99.9%! To quote one table vendor:
"If you want to buy my complete set of tables (30 tables, 60Gb !) for 100USD (New price!)"
More modern (than XP lm) encryption methods - are they any better?

Again the drivers are resources, risk and reward because the techniques are now well established. If you restrict yourself to lowercase letters and numbers in a password, then the 'industry standard' MD5 hashing algorithm (commonly, if loosely, called encryption) was crackable for an 8 character password in less than 40 minutes as of October 2005! All that was needed was a 36GB table - not very big even then!

That means that by now (2007) there will be PCs 'out there' with many thousands of GB (mine currently has just 1500) capable of cracking any 'standard' (unsalted) MD5 database with password lengths of 10-12 for lowercase+numeric, and maybe uppercase too for 8 character passwords.

Is this a problem that I need to worry about? you may ask. Unfortunately yes, because for the past 4-5 years MD5 has been used at huge numbers of web sites 'as-is' and therefore there is a plethora of stored hashes which are now crackable with relative ease!

Again this is part of the justification for 'levels' of password trust - most banks will have been well aware of the future problems of MD5 and similar technologies and planned ahead, so their data when stored on a hard drive will not be a 'standard' MD5, because at the very minimum they will have introduced something unique to their site / business (and ideally to each user) into the password before hashing it - adding what is referred to as 'salt' or 'seed' - and therefore nullifying the use of generic Rainbow tables, since a table would have to be built for each salt. Even better methods to 'harden' password storage, as you can see at http://en.wikipedia.org/wiki/Key_strengthening (repeating the hash thousands of times so that each guess costs the attacker as much as it costs the site), may well be used at these financial sites, BUT the problem is that across all of the web I doubt that 5% of web sites that store user names and passwords do anything to harden passwords, and they will be a plain, unsalted MD5 hash. Hence if you use the same password on multiple sites then you are exposing all of them to compromise, even those that you regard as trustworthy and competent, because you ARE the weakest link, as that game show says.
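The three sections above (the LM hash with nothing unique added, the 'standard' MD5 that a 36GB table cracks, and the salt plus key strengthening that banks use) all come down to one mechanism, shown here as an added example that is not code from the original page. It uses MD5 because that is what the text discusses (LM would need a DES implementation), builds a small precomputed lookup table for lowercase+numeric passwords up to 3 characters in place of a real rainbow table (which stores chains rather than every pair, but is used the same way), and contrasts it with salted PBKDF2-HMAC-SHA256 as one example of the key strengthening the page links to. The 16-byte random salt and 100,000 iterations are assumed parameters, not anything the page specifies.

```python
"""Unsalted hash versus salted, stretched hash.

Added example (not from the original page). Demonstrates why one precomputed
table cracks every site's unsalted MD5 hashes, and why a per-user salt plus
iteration (PBKDF2 here, as one key-strengthening method) defeats that.
Salt size and iteration count are assumptions for illustration.
"""
import hashlib
import hmac
import itertools
import os
import string

# The restricted character set the page talks about: lowercase + digits.
ALPHABET = string.ascii_lowercase + string.digits


def unsalted_md5(password):
    """What a 'low-medium grade' site stores: the same hash for the same
    password, everywhere, forever."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(max_len):
    """One-off precomputation of hash -> password for every password over
    ALPHABET up to max_len characters (36 + 36**2 + 36**3 = 47,988 for 3).
    A rainbow table trades disk for CPU by storing chains instead of every
    pair, but it is built once and reused against any unsalted database."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            pw = "".join(chars)
            table[unsalted_md5(pw)] = pw
    return table


def crack_unsalted(stored_hash, table):
    """Cracking an unsalted hash is a dictionary lookup, not computation."""
    return table.get(stored_hash)


def salted_pbkdf2(password, salt=None, iterations=100_000):
    """Store salt, iteration count and derived key together, so the site can
    verify later. Each user gets a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{}${}${}".format(salt.hex(), iterations, dk.hex())


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_passwords_visible(user_hashes):
    """Unsalted storage leaks which users share a password even before any
    cracking: identical hashes mean identical passwords. Returns the groups
    of users (size > 1) whose stored hashes collide."""
    by_hash = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    table = build_lookup_table(3)
    victim = unsalted_md5("b9x")           # what leaks from a weak site
    print("cracked:", crack_unsalted(victim, table))   # b9x

    # Same password, two users: unsalted hashes collide, salted ones do not.
    print(shared_passwords_visible({"ann": unsalted_md5("b9x"),
                                    "bob": unsalted_md5("b9x")}))   # [['ann', 'bob']]
    s1, s2 = salted_pbkdf2("b9x"), salted_pbkdf2("b9x")
    print("salted records differ:", s1 != s2)           # True
    print("verify ok:", verify_pbkdf2("b9x", s1))       # True
```

Against the salted records the attacker has no table to download: every guess must be run through 100,000 HMAC rounds for each user's salt separately, which is exactly the cost the page means by 'hardening'. The lookup-table half of the example also scales the way the text describes: going from 3 to 8 characters over the same 36-character alphabet multiplies the table by 36^5, which is where the 36GB figure for 8-character MD5 comes from.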

So the risk here does not stem from the banks themselves but from the 'ordinary' web sites that are probably regarded by most people as being trustworthy and competent - unfortunately the latter will not be true for a huge number of companies that do business on the Web, and therefore YOUR password at their site may become compromised.

Tools you COULD use to see how weak your systems are

The most popular tool by far for 'amateurs' is Cain and Abel, documented at http://www.oxid.it/ca_um/ , because it is free, downloadable and well packaged. If you take a look at what that can do (dump and crack Windows hashes, sniff passwords off a network) then you have to assume that there are other people and projects that can do a lot, lot more, and that is pretty scary.

Links and other information last validated on 27th October 2007. Please use the Contact us page to suggest any additions or revisions.


© Business before Technology - All Rights Reserved 2003