Tag Archive | Password security

New Password Hashing Algorithm in the Works? SHA-3 Discussed

Passwords are, after all, the core protection for our identities, personal information, email, bank accounts, etc. After the countless database breaches and leaks of the past few years, we need better password standards or a different type of authentication altogether.

One of the biggest vulnerabilities in computer security is the password. Let’s face it. Something’s got to give! What exactly will it take to authenticate somebody with their own personal information or data without it being discovered or hacked?

We reported on companies like Google rolling out new implementations of password security. It’s time for new methods, especially when incidents such as the Twitter hack a couple of weeks ago compromise some 250,000 accounts.

We first reported on password security changes back in July, where we discussed recent password studies showing that older people tend to pick stronger passwords.

Now, hashing algorithms are used to secure passwords in databases. The current standards are usually SHA-1 and MD5. But with newer studies on SHA-3 replacing the current SHA algorithms, this should make for better database security for passwords and prevent hacks in the future.

Now, this isn’t 100% foolproof, but it will at least help some and shore up password security for a couple more years.

“Password hashing is important because it’s where we have a problem. NIST has given us some great standard hashing algorithms. The problem is that these hashes aren’t necessarily designed for the specific problem of password hashing — where you need something that’s fast enough to hash on a server at login time, but slow enough that a GPU can’t crack ten million of them,” Password Hashing Competition’s Matthew Green said. “We have a few functions for this purpose, but we don’t have a consistent recommendation to give implementers. NIST says to use PBKDF2, which is probably the most vulnerable to GPU cracking. We just learned that Twitter uses bcrypt — a nice algorithm, but designed 11 years ago when FPGAs and GPUs weren’t as common as they are today. Others recommend scrypt because it was explicitly designed to deal with these threats. Unfortunately that claim hasn’t really been reviewed by cryptographers.”

The National Institute of Standards and Technology (NIST) establishes the standards for cryptographic hash functions and other encryption standards. An update on the new standards will be available soon.
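As an added example (not code from the post or from any of the projects it mentions), here is a small Python sketch of the distinction Green draws above: a bare, unsalted SHA-1 record, beside salted and iterated PBKDF2 (the NIST recommendation) and memory-hard scrypt, with a single constant-time verifier. The work factors and the `scheme$params$salt$hash` record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Work factors are assumptions for illustration, not values from the post.
PBKDF2_ITERATIONS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of RAM per guess


def sha1_unsalted(password: str) -> str:
    """General-purpose hash used directly: one fast SHA-1 call per guess and no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, iterations: int = PBKDF2_ITERATIONS, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; record format is constructed for this example."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Memory-hard scrypt: each guess needs ~128*r*N bytes, which is what slows GPU cracking."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute from the parameters stored in the record and compare in constant time."""
    scheme, *params, salt_hex, dk_hex = stored.split("$")
    if scheme not in ("pbkdf2", "scrypt"):
        return False
    salt, pw = bytes.fromhex(salt_hex), password.encode()
    if scheme == "pbkdf2":
        dk = hashlib.pbkdf2_hmac("sha256", pw, salt, int(params[0]))
    else:
        n, r, p = map(int, params)
        dk = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_looks_same(hash_fn) -> bool:
    """True when two users sharing a password get identical records, so one crack breaks both."""
    return hash_fn("correct horse") == hash_fn("correct horse")
```

The unsalted SHA-1 record is identical for every user with the same password and costs one hash call per guess, while the salted schemes give each user a distinct record and make every guess expensive.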


How Hackers Find Attack Targets (mini-whitepaper)

Hackers are always searching for ways to target and dismantle security. But the questions remain: how do hackers find a way in, how do they exploit vulnerabilities, and how do they go about this dismantling? The main answer? Research!

There are many different things hackers do that give them a wide-open door into vulnerabilities:

  • Hackers study their target well in advance of the actual attack. They do their homework and work out how strong the target is, how to exploit the vulnerability, the method of attack, a backup plan, and how to stay anonymous.
  • Hackers commonly use search engine queries to create a map of the target’s vulnerabilities. Many different items can turn up when building such a map, such as server statistics (downtime/uptime), platform usage, programming languages, and other miscellaneous information.
  • The map is refined carefully to build a complete intelligence database (which can be shared for high fees across the hacker community). It compiles a lot of information not only through the research described above, but also from government databases, financial filings, court records, etc. Who would have thought to check for things like that?
  • The hacker’s main purpose after doing the research is to identify any security and technology officers on staff at the company. The hacker needs to know who the security architect is, how much influence they have, some of the recent meetings, new plans, etc. The hacker reads the officer’s roadmap and decides whether the time to attack is soon or whether the attack should be held off. (Not really a lot of time to decide, to be honest.)
  • In the last stage of research before the attack is planned, the hacker looks for business partners, trusted or strategic customers, suppliers, etc. that are used by the target. It may sometimes be easier to attack a smaller business partner than the actual target, some have argued. But this depends on the information gathered from search engines and other sources.
  • Once all of this is compiled, the information yields a list of likely points within the target to attack.
  • The attack is usually staged, literally, in an effort to find the target point, hit it at the right time, and exit without being caught. The hope is to exploit the vulnerability cleanly and to know the best route out.
  • The hacker attacks when ready, and the operation is complete soon after. The hacker’s methodology is “push in, pull out”, or, as Facebook would say, “Move fast, break things”. What a philosophy!

There is little that can be done when you have a public company and all the information on the company is widely available. People will do their research. You can reduce the significance of the threat by conducting the same research yourself, setting up your own map, and conducting competitive counter-intelligence. This can be a difficult thing to learn.

It’s best to take the necessary steps so that, if a hacker comes nearby, you are always ready, using the following methods (some may not apply to your business):

  1. Secure all servers with adequate security protection. With a good amount of searching, you can find a wealth of free tips and whitepapers on good server security. Simply searching for “server security” will turn up a lot of good results. It’s also good to look up SQL Security, a very good and invaluable resource.
  2. Encrypt passwords incoming to your server! When people enter passwords on your website (for accounts and logins), make sure they are encrypted. If passwords are sent in plaintext, they are easy to read while in transmission from the user’s browser to the server.
  3. Always have good passwords at your end. Everyone should have a very good password: at least 8 characters, including at least one capital letter, one lowercase letter, one number, and one symbol. This is the best way, and really the only way, to prevent it from being hacked easily. There is no longer 100% protection against your password being stolen; even some of the best passwords can be stolen easily. But at least a very good password will protect you while other security methods are implemented (fingerprint scanners, voice activation, unique ID codes, etc.).
  4. Encourage your users to have good passwords by requiring the characteristics described above for their passwords.
  5. Hold weekly meetings with your staff about how best to implement security policy, the latest threats, the analytics behind your network (server uptime/downtime, security breaches, etc.), and future plans to implement policies.

By following all these simple steps, your company can become widely aware of hackers and be able to implement good security policy that will save a lot of time and money!

Security Awareness at Your Business, What about BYOD? (mini-whitepaper)

What exactly does it take to make your business more secure? You might ask, “Do I need to secure all the computers with antivirus software?” or “Do we have to set up a network security policy?” or “Is security really necessary? It’s costly, so why do we need it?”

It is possible to consider all of those questions, and possibly even answer them in your own mind. It is necessary to have antivirus software and a good security policy. It is also good to keep an eye on all of your employees as necessary to make sure they stay on task. 😉

However, let’s focus on some of the main data here…

  • Security awareness can be defined as the knowledge of how security systems work and the ability to apply them to an asset. It matters to the physical and digital assets of the organization, AKA your money, data, etc. Maybe these days it’s fair to say “Time is money, data is money, and so on.”
  • Educate your employees on these matters, especially on the types of threats seen in today’s malware world. Many things, especially on smartphones, are easy to spot. It’s good to keep an eye on the latest threat information.
  • Password security is always important! Therefore, educate everyone on the basics of password security, including executives. Everyone in your business needs to be educated and re-educated. It’s so easy to become comfortable choosing an easy password. Get out of the habit before it costs your company a fortune!
  • Protect your information and develop a policy for social media, BYOD, etc. It is important to educate your employees on how they should post anything about your company on social networks. The last thing you need is for a pre-release to be leaked, private data to be exposed, a controversial issue to flare up, etc. Also, make sure to keep your employees off non-work apps on their smartphones and focused only on work. (BYOD at work means using the smartphone for work only.)
  • Back up your rules with consequences (and honestly enforce them), so that if security policies and procedures are broken, at least the employee will know how much trouble they’re in.
  • To scale this security awareness project further, download NIST’s Special Publication 800-50 – Building an Information Technology Security Awareness and Training Program to learn how to make your own.


October is National Cyber Security Awareness Month

NCSAM official image (Department of Homeland Security)

Cyber security awareness is so important, and this month we’re going to highlight a few things you should be aware of, so you can make meaningful changes to your personal or business security posture. You will notice that some of the information below links to other posts here on the blog. This should help you understand each topic better! Please don’t be afraid to use the links below to learn more about protecting your system(s).

  • Email is one of the biggest attack methods. Since users are still highly dependent on email, it is critical that email systems get fixed. Spam can be so cunning that it disguises itself as your friend, someone you trust, or your bank. The main goal of these spam attacks is phishing, which allows an attacker to trick you into doing something or giving away personally identifiable information. Another goal is to download malware onto your computer, which can then be used to take control of it and steal much more personal information. Some emails may claim to be from a legitimate organization sending you an attachment, but their purpose is to distribute malware to your computer. It is best to secure email systems against spam. This can be done using a variety of products, whether hardware or software. Make sure to secure your system(s) with the latest spam-fighting utilities. Also, securing Outlook or Windows Live Mail is beneficial.
  • Instant Messaging still seems to be a vector for malware attacks. Just when people drop their guard about IM security, a new band of threats affects users. Most IM attacks come in the form of spam, a message from an apparently trusted friend, or a phishing attempt/scam from a legitimate-looking company. A lot of the time, when the message appears to come from a trusted friend, it means that person’s IM or email account has been hacked and the attacker has mined the email or IM addresses in it in order to send you these attacks. It is important to have a good Internet Security product that protects against IM attacks along with network defense.
  • Exploits are the most common cause of infections on computers these days. Many exploits have been caused by out-of-date Java plugins or Adobe Flash Player plugins (or even fake Flash Player), among other types of browser plugins. Other exploits come in the form of advertisements catered to your interests through tracking cookies; clicking on the ads can lead to a site that immediately downloads malware and attempts to take control of your computer. Those are just a couple of examples of why you need Internet Security protection, as stated just above in the explanation of IM security. Also, having a second-opinion malware scanner can make sure that things don’t get missed, giving you maximum protection. Working on a defense-in-depth strategy for your computer is a great way to avoid exploits.
  • Downloading and installing untrusted software products is a good way to get infected with viruses, spyware, and other threats and malware. Using tools such as Web-of-Trust in your browser is a key idea in judging whether a site is safe. Also, reading reviews of the product you are getting ready to download or purchase will help you make an informed decision. It is important to have Total Internet Security protection, as stated above under IM security. Please refer to the “Internet Security product” link for more information on securing your system(s) with protection mechanisms.

There are many more vectors of cyber security problems. It is important to use the methods described above as well to secure your system(s) from attacks from cybercriminals.

Summary of mitigating most attacks:
