Archive for the ‘Passwords’ Category

In the time it takes you to read this entry, two hackers will try to get into your computer.

The Hollywood stereotype of a hacker is a technically savvy individual trying to get into a specific target computer – the spy trying to breach a military computer, the disgruntled employee vandalizing his former employer or the kid cracking a university system for bragging rights. In fact, most hackers today run brute-force attacks using simple software-assisted techniques to randomly attack vast numbers of computers.

According to a University of Maryland study, computers are attacked on average 2,244 times a day. That’s an attack every 39 seconds.

Researchers in this study set up weak security on four computers with internet access, then recorded what happened as the individual machines were attacked. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords trying to break into a computer.

The most commonly guessed usernames were root, admin, test, guest, info, adm, mysql, user, administrator and oracle. The most common password-guessing technique was to use variations of the username. About 43 percent of all attempts simply reentered the username. The username followed by 123 was the second most-tried choice. Other common passwords included blank (that is, no password set), 123456, password, passwd, 123, test, asdf, qwerty and variations based on the date (such as January07).

Once hackers gain access to a computer, they set up back doors so they can easily regain access later, turning the target computer into part of their botnet which they will later either use directly or lease to other hackers so they can send out spam, attack yet more computers, run distributed denial of service attacks, etc.

Never use the kinds of usernames and passwords identified in this research. If your computer came with a default administrator or guest account, change the account name immediately.

Always choose longer, less obvious passwords with combinations of upper and lowercase letters and numbers that are not as obvious to brute-force dictionary attacks. If your system can handle it, whole sentences make very strong passwords that are still easy to remember and to type.

Resolve to pick stronger passwords for the New Year.

A surprising number of people still think that January07 is a good password. Admittedly, it does pass the Microsoft password-complexity rules. It has an upper-case letter, several lower-case letters and two numbers. The problem is that it’s an English word with the capital letter at the front and the numbers at the end. English-speakers have a natural tendency to follow this pattern. We know it – and the hackers know it too. That password can be cracked in under 30 seconds.
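A small policy check that flags exactly the guessing patterns described above (the commonly guessed usernames and passwords from the study, the username reused as the password, the username followed by 123, and the January07 shape of a capitalised word with digits on the end). This is an added example, not code from the original post; the lists are the ones quoted on this page, not a complete wordlist.

```python
import re
from typing import List

# Names and passwords quoted above from the University of Maryland study
COMMON_USERNAMES = {"root", "admin", "test", "guest", "info", "adm",
                    "mysql", "user", "administrator", "oracle"}
COMMON_PASSWORDS = {"", "123456", "password", "passwd", "123", "test",
                    "asdf", "qwerty"}
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# The "January07" shape: one capital letter, lowercase word, short run of digits
WORD_THEN_DIGITS = re.compile(r"^[A-Z][a-z]+\d{1,4}$")


def weak_password_reasons(username: str, password: str) -> List[str]:
    """Return every reason the pair matches a pattern the study observed
    being guessed; an empty list means none of those patterns matched."""
    reasons = []
    u, p = username.lower(), password.lower()
    if u in COMMON_USERNAMES:
        reasons.append("username is one of the most commonly guessed names")
    if p in COMMON_PASSWORDS:
        reasons.append("password is on the common-guess list")
    if p == u:
        reasons.append("password is the username itself")
    if p == u + "123":
        reasons.append("password is the username followed by 123")
    if WORD_THEN_DIGITS.match(password):
        reasons.append("capitalised word followed by digits (January07 shape)")
    if any(p.startswith(m) for m in MONTHS) and p[-2:].isdigit():
        reasons.append("month name followed by a year")
    return reasons


if __name__ == "__main__":
    # Constructed sample pairs, not data from the study
    for user, pw in [("admin", "admin"), ("bob", "bob123"),
                     ("bob", "January07"), ("bob", "The cow jumped over the moon.")]:
        print(repr(pw), "->", weak_password_reasons(user, pw) or "no pattern matched")
```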

Pick whole sentences for your password. A whole sentence (including spaces and punctuation) makes a very strong password that is easy to remember and to type. Windows accepts any key on the keyboard in your password (and some that aren’t on your keyboard) and allows it to be up to 127 characters long. You only need a four- or five-word sentence to make a very strong passphrase. I particularly like sentences from children’s counting books.

For systems with limits on password length or allowable characters (like mainframe accounts), you can keep your passwords in sync by using rules to transform your sentence into a shorter code. For example, you could start with the number of words in the sentence, then take the second and last letters of each word in the sentence, capitalizing each third letter. As long as you follow the same rules each time, you can consistently convert your easy-to-remember passphrase into a strong random-looking password.
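The transformation rule just described, carried out in code as an added example (not the author’s own tool). The post leaves a few details open, so this version assumes them: punctuation is ignored, a one-letter word contributes its single letter once, “each third letter” means every third letter of the extracted sequence, and an optional `max_len` cuts the result for systems with a length limit.

```python
import re
from typing import List, Optional


def derive_password(sentence: str, max_len: Optional[int] = None) -> str:
    """Convert a memorable sentence into a shorter code by the rule on the page:
    the word count first, then the 2nd and last letter of every word, with every
    third letter of that sequence upper-cased. Same sentence, same result, so the
    passphrase and the derived password stay in sync."""
    words = re.findall(r"[A-Za-z]+", sentence)   # assumption: punctuation dropped
    if not words:
        raise ValueError("sentence contains no words")
    letters: List[str] = []
    for w in words:
        w = w.lower()
        if len(w) == 1:
            letters.append(w)                     # assumption: single letter once
        else:
            letters.append(w[1])                  # second letter
            letters.append(w[-1])                 # last letter
    # Upper-case the 3rd, 6th, 9th ... letter of the extracted sequence
    for i in range(2, len(letters), 3):
        letters[i] = letters[i].upper()
    code = str(len(words)) + "".join(letters)
    return code[:max_len] if max_len else code


if __name__ == "__main__":
    # Constructed sample sentence, not one the author uses
    phrase = "The cow jumped over the moon."
    print(derive_password(phrase))              # full-length code
    print(derive_password(phrase, max_len=8))   # trimmed for an 8-character limit
```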

Remember – your password is the key to all of your electronic defenses. Keep it safe, never share it and pick passwords strong enough that they cannot be easily cracked.

If you have your internet browser set to store your usernames and passwords, disable it immediately.

A vulnerability was just discovered in both Microsoft’s Internet Explorer and Mozilla’s Firefox browsers which allows a hacker to create a fake login page. When your browser auto-fills the username and password into the form, the data is passed off to the hacker.

This vulnerability has been named a "reverse cross-site request" vulnerability by its discoverer, Robert Chapin. It has been found on at least one MySpace.com page and is a risk to any user who goes to forum or blog websites.

So far, there is no known fix except to disable the password fill-in feature.

  • In Microsoft Internet Explorer, use the menu to go to Tools/Internet Options. On the Content tab, select AutoComplete and make sure that "Usernames and passwords on forms" is not checked. (If the entire line is grayed out or "ghosted", you are okay.) You might want to click the "Clear Passwords" button while you’re here just in case there were some in history.
  • In Firefox, use the menu to go to Tools/Options. On the Security tab, make sure that "Remember passwords for sites" is not checked. Click on the "Show Passwords" button to remove any that have been saved previously.

For years, security professionals said "Never write down your password." In many situations, that’s still good advice. Anything you write down can be lost or stolen. But when you have dozens of passwords, PINs and other security codes – some work-related, many personal, some static, some changing regularly, some simple, some complex, some used daily, others that go weeks between uses – it’s hard not to. If you cannot memorize your passwords and must write them down, here are ways to do it at reduced risk.

  • Don’t store your passwords on your computer. It doesn’t matter how well you hide the file, hackers know how to search the contents of your computer to find likely password files.
  • Don’t record the complete password. Write down just enough to remind yourself of the rest of it.
  • Keep the password hints with you at all times. Your wallet is a good place. Don’t leave the list in your desk or under your keyboard. Hackers and thieves know where to look.
  • If you have a PDA or Blackberry, use a secure, approved password vault on the device. These applications use strong encryption to protect your password list.
  • If the list is out of your control even briefly, quickly change your passwords to maintain their security.

This article was originally published in the Oct/Nov 2005 edition of The Agent Newsline, a publication of Westfield Insurance.

Based on recent identity theft events, it is clear that U.S. businesses are operating in an increasingly hostile environment. Identity theft remains the fastest growing category of crime in the U.S. Criminals are getting more creative and more technologically adept every day. In this age of rapidly rising threats, every company needs to take serious steps to ensure the security of the private information in their custody.

What does Westfield do to keep your information safe?
Westfield holds private information in trust for you and our policy holders. Rest assured, we take our responsibilities seriously. We have never suffered a serious compromise of our data or systems and work hard to keep it that way. Here’s how:

  • Dedicated security team. In early 2005, Westfield created and filled new roles dedicated specifically to information security. These people are charged with the coordination and continuous improvement of information security. We also formed a corporate security response cabinet with responsibility for all security-related issues. This group was formed in recognition of the increasingly blurry distinction between the physical and the electronic perimeters.
  • Password protection. Westfield has password complexity standards and requires our employees to change passwords every 60 days. We continuously upgrade hardware and software in order to make sure our systems are patched for security vulnerabilities.
  • External defense. We also commission external vulnerability scans and penetration tests. With your interests in mind, we regularly conduct internal scans of our systems and defenses and use that information to improve our systems.
  • Disaster plan. Westfield also has moved aggressively to guarantee our ability to operate even after a potential physical disaster. Mainframe data is mirrored real-time to an off-site facility. In addition, we conduct semi-annual tests of our business continuity plans.
  • Mandatory shredding policy. All office paper must be shredded. Even in this electronic age, most identity theft occurs as a result of access to physical copies of the information.

We want you to know that we take precautions to protect the private information you’ve entrusted to us.

Shredding… It’s now the law

The Federal Trade Commission’s regulation on the disposal of information went into effect on June 1, 2005. According to the regulation, any information about an individual that is derived from a consumer report or is a compilation of such records must be properly destroyed. Much of the information routinely used in insurance operations has some connection to a consumer report and is covered under this regulation.

Failure to comply with the regulation could result in fines and/or in lawsuits if the information is misused to commit identity theft. This law implements the "disposal provision" of the Fair and Accurate Credit Transaction Act of 2003 (FACTA).

For more information on the FTC regulation, visit www.ftc.gov and search on "disposal".

The regulation includes several examples of ways to comply and to ensure that the consumer’s private information remains protected during the disposal process. Westfield requires that all papers be secured until they are ready for disposal and has contracted with an accredited shredding company to make sure that the papers are thoroughly and properly destroyed.