No doubt you have often heard consultants, security people and experts of various flavors expounding on the importance of “good” passwords. There is very good reason for their concern, because easily guessed or easily cracked passwords are the #1 reason for various forms of identity theft online.

So why is it that literally millions upon millions of people don’t heed the advice?

I have a theory that if people understand the basic reasoning behind any particular recommendation, they are more likely to appreciate its importance and actually act on it.

So, putting that theory to the test, I’d like to demonstrate at a very basic level just how easy it would be for almost anyone to start reading your e-mail without your knowledge and without having to gain entry to your PC to do so.

Oh, and please note that whenever I use the word “hacker”, I’m using it very loosely indeed. In the context of this article a “hacker” could be a work colleague, nosy spouse, boy/girl friend (or ex) or the kid next door, not necessarily some shadowy code-genius holed up in a Moldovan basement. While young Percy’s proud mom might like to boast that her clever son & heir “knows all about computers”, more often than not his real knowledge is fairly elementary. Living on Facebook and Twitter and being a hotshot games player does not an expert make. And that’s the whole point — genius not required.

As I will demonstrate momentarily, weak passwords put you at the mercy of anyone with basic knowledge and the will to persevere.

There are many types of information that you would prefer not to share with the world at large, and many ways for a hacker to attempt to access that information. We’ll look at just one way, because access to your e-mail will reveal a lot about you to an intruder with larceny on his mind. So, as an example, I’m going to show you how to hack yourself.

Basic Elements

If they have ever given it any thought at all, most people would assume that for someone to read their e-mail the miscreant would need to have access to their computer, either physically or by “hacking in”.

Wrong!

They can get access to your mail the same way you do — from your service provider’s mail server. Whatever your e-mail client program (e.g. Microsoft Outlook), if you’ve ever set up an e-mail account yourself or taken a look at one that is already set up for you, you will know that just three pieces of information are required for mail access:

1. Mail-server name
2. Username
3. Password

Let’s take a brief look at each of those three pieces of information.

Mail Server: I don’t want to get buried in jargon here, so let’s just say that incoming mail comes from something called a POP3 server. POP3 is an acronym for Post Office Protocol version 3. The acronym is all you need to know, and then only because outgoing mail is handled by a different type of server: SMTP for Simple Mail Transfer Protocol. POP3 in — SMTP out. But the really important thing is that there is nothing secret about the names of mail-servers. Anyone who knows your e-mail address can easily determine the name of your mail-server. Just Google for:

provider-name POP3 server

Example: verizon POP3 server

As you can plainly see, very easily discovered.

Username: In the vast majority of cases the Username (a.k.a. User ID or Login Name) is also very easy to determine, because more often than not it will be either the full e-mail address or the first part of the e-mail address before the “@”. Often you will not be given the option (when establishing the account in the first place) to make the User ID different to the e-mail address. More often than not your service provider’s system will automatically allocate the e-mail address as the User ID.

Password: With most accounts this is the only part of the puzzle that the would-be hacker won’t know in advance, so this is really the only factor that protects your privacy. Are you starting to see why it’s so important?

OK, let’s leave the theory behind and get into a little practical work.

Mounting the Attack

For this demonstration to be effective you will need to have at least one e-mail message sitting on your provider’s mail server awaiting collection by you. It might be an idea to send yourself an e-mail, then quickly close your e-mail program so the messages isn’t downloaded automatically by your Outlook or whatever e-mail program you use.

The next thing you need to do is write down those three items of information I mentioned above. In the following examples I will use these fictional account details:

1. POP3 SERVER: mail.mailserver.com

2. USERID: me@mydomain.com

3. PASSWORD: secret

Now open a Command window (a.k.a. DOS shell). You should find it somewhere under your Windows Start menu, maybe somewhere like:

Start –> Programs –> Accessories –> Command prompt

If you can’t find it, click on Start –> Run, type in the word “command” (without the quotes) and click the OK button (see image below).

Now at the prompt in the DOS window, type this…

telnet mail.mailserver.com 110

…pressing the enter key after the “110″. There is a space after “telnet” and another before “110″. Of course in place of “mail.mailserver.com” you will type the name of your own mail server. 110 is the port number typically assigned to the POP3 service. Only very rarely will you ever find the port number to be different.

By the way, in these examples only your password is case-sensitive. The commands themselves can be upper or lower case.

After you press enter you may briefly see a “Connecting to…” response as shown above, then the screen clears and displays a welcome message, the wording of which may be slightly different to that shown below.

Now type each of the following lines in turn, pressing the Enter key at the end of each line. Again, you will of course be using your own actual login credentials that you have written down:

USER me@mydomain.com

The mail server responds with an OK message

PASS secret

Again the mail server responds with an OK message

Here’s what it should look like on the screen:

If any of your entries are incorrect you will get error messages, but if all is OK to this point, type the word STAT followed by a press of the Enter key.

In the screen-shot above STAT has returned the STATistic that there are 37 messages awaiting collection, with a total size of 9,159 bytes (approx 9k).

Now type this, again followed by the Enter key:

RETR 1

That’s an instruction to RETRieve message #1. If the STAT command has reported the presence of more than one message then you can type a higher number after RETR.

In the screenshot below I have commented out some information in the interests of privacy, but there it is — e-mail message #1 laid bare for the hackers inspection, and he never had to go anywhere near your PC.

Each message retrieved is terminated with a dot as circled in the bottom left.

If you type STAT again you’ll see that the message count is the same (or higher if new messages arrived in the meantime). Thus you know that although the message has been displayed it was not deleted after display, so the owner of the e-mail account will never be any the wiser that someone else has already read the message.

To terminate the telnet session type QUIT followed by the Enter key, and to close the DOS window type EXIT followed by the Enter key.

How At-risk Are You?

So to summarize, two thirds of the information that an intruder needs in order to be able to read your e-mail is public knowledge, so the only thing keeping his nose out of your e-mail is your password.

Are you now thinking: “well nobody knows my password so I’m safe“?

Well, even if there weren’t special programs readily available for cracking away at passwords, there is still the fact that so many people use unsafe words and phrases. Just go to Google and search on this phrase:

most common passwords

Is your password on one of those lists? If so, you are a sitting duck just waiting to be plucked, as every would-be hacker has a list of the most common passwords.

And further, anyone who knows you personally can extend the list with personal details about you,.  Using such details for passwords is equally irresponsible, yet so often used:

• Name of mother/father/child/significant-other/etc
• Name of favorite pet.
• Some part of your address — street/suburb/etc.
• Favorite celebrity, sport/sports team, etc.
• And so on…

But even if you don’t find your password on one of those lists, if your password is a real word or a sensible phrase you are still at high risk. There are any number of programs readily available that can mount what is called a “brute force dictionary attack”. To such programs any passwords comprised of real words, sensible phrases or even common misspellings are a breeze to crack.

You might want to make a mental note that security researchers have determined that the inclusion of punctuation characters in a password makes it significantly harder to crack, but that addition alone may not be enough.

A Couple of Problems

There are two fairly obvious problems with using long secure passwords:

1. You should never use the same password over and over again, so coming up with new, random and reliable variations can become tiresome;
   
2. The longer and more complex a password, the better from a security perspective, but remembering such passwords is practically impossible.

And a Simple Solution

An excellent solution to both of these problems, and one I have relied on for many years and continue to recommend to anyone who will listen, is a browser add-in called RoboForm. If you have already heard of it but aren’t using it then you have completely missed the point.

It would take a rather lengthy article to do full justice to RoboForm, but in the context of this topic it provides two features which are especially useful.

Password Generator

The first of those two features is password generation. A button on the browser’s RoboForm toolbar pops up a small dialog which generates passwords that conform to any limitations you may have preset.

Clicking the Generate button on the RoboForm toolbar pops up a window like that in the screen-shot below.

In the password generator example above, RoboForm has automatically generated this very complex password:

83Gc#@*8bF3ET7Zt

As you can see, that password conforms to the format in the lower half of the window — 16 characters long, a mixture of upper and lower case letters, plus numbers and some special characters thrown in for good measure. The option to “Exclude similar characters” means that RoboForm will not use characters that are visually similar and could thus be confused with one another, such as I or O (the letters) with 1 or 0 (the numbers).

Now obviously that’s a very safe password, but how on earth would you remember it? And just as obvious is the fact that entering it would soon become very tiresome. No problem, because RoboForm has…

A Long Memory

The second RoboForm feature that aids us with complex passwords is its ability to remember what password you used on which website. See the Save button on the toolbar in the diagram above? Each time you re-visit a web page where a password is required, RoboForm will offer to fill in the User ID and Password fields. It can also fill in entire forms of information, but that’s another story.

The only password you have to remember is one you assign to RoboForm itself, which keeps all your stored passwords safe.

For anyone who ventures onto the Internet and who is concerned about safety and security online, secure passwords are absolutely essential. And that in turn makes RoboForm a must-have security tool with great productivity benefits as well.

Don’t offer up your e-mail account for open inspection — or your net banking credentials or any other.

Click Now for a Free Trial of RoboForm

Comments welcome…

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Several times each year I receive rather disturbing correspondence, usually from women, who believe they are being electronically stalked and harassed by (usually) an ex-boyfriend/husband/lover, a rejected suitor, or (less often) by some other disgruntled person such as ex-friend/co-worker/employer/etc.

While I sometimes can’t help but think that some of these people are giving their tormentors credit for a skill level they probably don’t possess, there is rarely any doubt that “something nasty” is going on.

A common claim is that the stalker “is inside my computer” and/or “inside my e-mail”. For a stalker who once was close to the victim (boyfriend/husband/lover) and had physical access to their computer, this level of intrusion is not too difficult to achieve. There are any number of spy programs available on the Internet that can be installed and operated by any reasonably competent computer user.

To achieve the same level of intrusion from outside is more difficult, but far from insurmountable. The degree of difficulty depends a lot on the security level of the PC being attacked, which, unfortunately, is usually low to non-existent, because…

Few people are aware that their new PC comes to them virtually completely unprotected and is a sitting duck the moment they hook it up to their broadband Internet connection.

Getting help from officialdom

Another common thread in this sort of correspondence is that the victim has been unable to get the police or FBI interested in their plight.

With the possible exception of special departments in major jurisdictions, in most countries the police are usually a waste of time in matters of computer crime. However I would think that it shouldn’t be too hard to find someone to take an interest in, say, a public servant who is abusing his position of authority. Be aware that the higher up any public totem pole your attacker may be, the more vulnerable they are themselves to exposure.

For my American readers, as to what the FBI can and can’t do and what they may be interested in, I do get conflicting reports on the type of responses people get from that agency. I’m not an American resident so I’d appreciate any informed advice on this but, according to information I’ve received in the past, the FBI doesn’t need proof of an actual “threat” in order to take an interest. This video tends to support that information. Hacking into a computer without authorization is in itself a federal/national offense in most Western countries, including, I believe, the United States of America.

Probably the best place for information about the various FBI departments is at: http://www.fbi.gov/cyberinvest/cyberhome.htm

You might also want to take a look at the US-CERT website at: http://www.us-cert.gov/ and in particular the reporting form at: https://forms.us-cert.gov/report/

Make them WANT to help you!

Whether you are submitting a complaint to the local police or to a national agency, or just reporting problems to an IT professional, for goodness sake be thorough, logical and explicit.

Your first aim is to get someone to want to help you, and you can’t expect a positive response to a rambling report with only vague references and few hard facts.

If you know your own writing is not particularly articulate, prepare all the facts in note form and get someone to help you write the letter of complaint. Depending on the type of harassment you are facing, it may be one of the most important pieces of correspondence you will ever prepare, so make every effort to make it count.

Why me?

So why do these unhappy and often frightened people write to me with their problems?

Often they have tried officialdom without success, and they want to ask if my security e-book The Hacker’s Nightmare will be of help to them.

My answer is always along these lines…

The Hacker’s Nightmare will definitely help you to configure a very secure system. However, there is little point in trying to secure a computer that is already compromised. For the techniques in The Hacker’s Nightmare to be effective you must start with a clean computer that is free of malware.

And that’s the very reason that I subsequently wrote “Seven Steps to a Clean PC”, which is also available free of charge from the members’ download area for any owner of The Hacker’s Nightmare. 7Steps has helped a lot of people clean up their systems, but there is no such thing as a universal cure for all situations. More on 7Steps in a moment, but first…

If a reasonably competent hacker is already “in” your computer, the remedy will probably be too complex for the average casual PC user to attempt themselves. In such cases I would have to recommend that you call in a professional consultant, preferably someone who is experienced in security issues.

Seeking professional help

Now I’ve heard plenty of stories about people calling in “the local computer guy” to solve security related problems and being disappointed with the outcome. You need to be aware that not all IT support people have as much experience in security matters as you may need. I think it would be quite reasonable for you to ask a consultant to work on a “no fix, no fee” basis. Anyone confident in their own ability should be willing to accept those terms.

Anyway…

When a victim has cause to believe that someone is “inside the computer” it’s usually the case that, by one means or another, a trojan of some description has become installed on the computer and the intruder is gaining access via it.

The fastest and surest way to clean out a badly compromised computer is a reformat and reinstall of Windows. No malware will survive that. However, if you then reconnect to the Internet without taking certain other precautions, you immediately put yourself at risk again. The best precaution you can take is to install an inexpensive router. The topic of routers is well covered in The Hacker’s Nightmare.

Another thing you should probably do is contact your Internet service provider and tell them you need a change of IP address. Like the street address of your home, your IP address is your identity on the Internet. As long as a hacker has your IP he can start probing you again to find a way in. But you need to change your IP address while your computer is clean, otherwise the trojan can simply report the new IP back to the hacker. Obviously any such changes you make should be arranged offline (e.g. by phone), or at the very least via another computer known to be clean.

The tricky part comes when you prepare to reconnect your clean PC to the Internet again, because unless your router is correctly configured to be secure, you could soon end up being compromised again. Depending on your router type and your own level of experience, you may find the task of properly securing your router a little daunting. However “Chapter 10: Wireless Security” from The Hacker’s Nightmare will give you quite a bit of insight in this regard.

Again, a competent consultant should be able to do all this for you in a few hours. If the person you’ve called on is more into general IT support than security issues, it may be necessary for you to give him/her specific directives. For example, rather than ask for a “clean up” of the existing installation, perhaps ask him to:

• Take backups of your most important files
• Reformat the hard disk
• Reinstall Windows
• Install and configure your router to WPA2 standard
• Install the latest Windows Service Pack
• Apply all relevant Windows Patches & Updates
• Install & configure Online Armor software firewall
• Install & configure Webroot SpySweeper — just the plain WebRoot SpySweeper, not one of the versions with other bells and whistles
  
• Install & configure AVG Anti-Virus — the commercial version (there’s too much important stuff missing from the free version), anti-virus only (not anti-virus+firewall and not the Security Suite)
• Reinstall the backups of your important files
• Run full scans from Online Armor, Webroot Spysweeper and AVG Anti-Virus
• Reinstall your main applications programs

The sequence should be followed in that order. A consultant experienced in security issues will have a few other tricks up his sleeve as well, but any reasonably competent support person should be able to execute the items on that list.

Yes, I know you can probably do some of those things yourself, but if you’re going to call in a consultant at all I strongly recommend that you have them do the lot.

The consultant may want to install different software than Online Armor, Webroot SpySweeper and AVG Anti-Virus. My suggestion to you is that, if you are going to then follow The Hacker’s Nightmare to really secure your system for the future, that you insist on those particular programs. The Hacker’s Nightmare will be a lot easier to follow if you are running the programs it recommends. However make sure the consultant properly CONFIGURES each of those programs, not just install them.

A self-help alternative

A complete re-installation of Windows as above is by far the most certain way of eliminating all malware threats and intrusions, but if you want to try a cleanup without doing a reformat/reinstall of Windows, you can try this…

As already mentioned, owners of The Hacker’s Nightmare can download the companion e-book “Seven Steps to a Clean PC” from the members’ area. I suggest you download it and browse it on another computer, and if you decide you want a try the process yourself, print it out and take the printed copy to the computer that is compromised.

The important thing to keep in mind about 7Steps is that it is essential that each step be followed in order. There are no optional steps, and skipping one for whatever reason is a fatal mistake. Then there is the possibility that, if a hacker is actually watching you do this, he may interfere with your attempts to follow the 7Steps process.

Conclusion

In the final analysis these are your best options:

1. If you believe your computer is compromised and it’s just (!!!) a matter of run-of-the-mill malware, work through “Seven Steps to a Clean PC”.
2. If you believe your computer is compromised and there is a hacker involved, call a competent consultant.
3. If you’re not sure which of the above applies, and if your time is more important than the cost, go with #2 straight off. Otherwise try #1 first.
4. When you are sure you are working with a clean computer, ensure that it stays that way into the future by working through The Hacker’s Nightmare and following the recommendations therein, because…

Staying clean and secure is a lot cheaper, a lot more efficient and requires a lot less time than having to periodically get clean again. Not to mention the risks to your data,  privacy, finances and general peace of mind.

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

In Part 2 of this series I want to talk about protecting your social networking account, and it all boils down to…

PASSWORDS

And No… you probably don’t already know everything you need to know about passwords, so you really need to keep reading. I’m going to show you exactly some of the ways the bad guys get at your passwords.

If you missed it please first read
 Social Networking Self-Defense: Part I

So it’s pretty obvious that anyone who gets hold of your login credentials, most importantly your password, can modify your personal pages to their heart’s content.

Now, you might be thinking something like “OK, I’ll memorize my password, never write it down, and never tell anyone”.

Well, good, that at least that would be a step in the right direction, but unless you clearly understand how vulnerable passwords are, it won’t be a big enough step. Not by a long shot.

Let’s take a look at password cracking itself…

How to Crack Passwords

Something that very few computer users realize is just how easily common passwords can be cracked. There are all sorts of special password cracking programs readily available to those who take the trouble to look. None of those programs are infallible, but one thing is certain: passwords made up of common words, or common words with a few numbers appended, are usually cracked fairly quickly.

In the past, when writing on this topic, I have always avoided giving any details on password cracking programs. I just didn’t want to be responsible for encouraging anyone to seek out and use such tools.

However, search engines such as Google, Bing, Yahoo etc have become so accurate and all-inclusive as to make these things fairly easy to find. So now I think I can probably achieve more by actually proving their existence to you.

Here’s a list of the 10 top password crackers, according to the Security Tools [http://sectools.org/crackers.html] website, with their descriptions slightly edited for this article.

|
All of those programs work on Windows, and many of them on other operating systems as well. Obviously not all are suitable for cracking all types of passwords under all circumstances, but in the hands of even a reasonably competent person any of several can be a serious threat to your security.

Still not convinced?

A recent Computerworld article describes the massive market for usernames and passwords or social network accounts. One hacker alone has 1.5 million Facebook accounts on offer!

Seriously, you REALLY need to click here and read that article.

And hey! If you aren’t already calling up your Facebook account to change the password (in line with the suggestions here-in) then I’m afraid you’re a sucker just waiting to be sucked dry.

What NOT to do

As a result of a major phishing attack in late 2006 approximately 34,000 MySpace passwords became available for download. Some researchers saw this as an opportunity to analyze what sort of passwords people were using. Here’s a list of the 20 most popular passwords:

|
Not one of those passwords would present the slightest problem to a decent cracking program. Here are some more statistics from the analysis of those 34,000 passwords:

• Numbers were used in well over half the passwords.
• When used, numbers were most often appended to the end of the password.
• Almost 1% of users had the word “password” as all or part of their password.
• Words, colors, years, names, sports, hobbies and music groups were very popular.
• Other popular words include: angel, baby, boy, girl, big, me, the.
• Cuss words were very popular. Because these are common and well known they should be considered as dictionary words, whether they appear in any “real” dictionary or not.
• Also popular were the names of sports (golf, football, soccer, etc.), professional sports teams and college team nicknames.

Again, all very easy stuff for a good cracking program.

I’ll be going into some detail here because I want you to understand very clearly the extreme importance of using good strong passwords if you are serious about protecting yourself.

So let’s look now at exactly what makes for a strong password, from the password cracker’s point of view.

What you SHOULD do

The most important aspects of a password are its length and composition, but there is an apparent catch involved. If length and composition are right for a strong password, then it’s very unlikely you’ll be able to remember even one password, let alone the many that most people need to use. But don’t worry, we’ll solve that dilemma in a moment. First let’s look at the password itself.

The length aspect is simple: the longer a password, the harder it is to derive using special password cracking tools.

Composition is a bit more complex. To be truly effective, the characters that make up the password should consist of a mixture of upper and lower case alphabetic characters (A-Z, a-z), numerals (0-9), plus punctuation and special characters (!@#$%^&*). In addition, repetition of characters should be kept to a minimum and the password should not contain any real names or dictionary words. Here is an example of a 20 character password that conforms nicely to those rules:

Mu49#SLQ&p5^eh!6M9B2

Yes, I know what you’re thinking:

“How on earth could I ever remember something like that?”

And the answer is…

For PC users  : RoboForm
For Mac users : 1Password

Now, I’m a PC user, so I don’t use 1Password, but I have read their material, watched a video on the product and asked some Mac users whose opinions I respect. What I can tell you is that it works very much like RoboForm, performing much the same tasks, and is highly regarded by those Mac users I consulted. For all practical purposes any mention of RoboForm features that follows applies also to 1Password.

When installed, both RoboForm and 1Password take up residence on your browser toolbar.

Secure password generation is a handy feature, but the real power of RoboForm, and the thing that makes it so indispensable to security minded people, is that it can remember the complex passwords that it generates, and also remember which website or login form each password relates to. This is a massively significant feature.

On visiting a web page that contains login fields, RoboForm provides you with a one-click prompt that will fill in all the necessary fields with login information that is specific to that page only.

Similarly, when you manually fill in login fields for a site that you haven’t visited before, you can quickly and easily store those login credentials for one-click retrieval on future visits to that site.

In other words, the longer and more complex a password the better, because you’ll never have to remember it. Nor do you need to be tempted to use the same password on multiple websites, because with RoboForm having five, 25 or 50 long, complex, meaningless passwords is no more of a load on your brain than having just one.

RoboForm offers another extremely useful feature not directly related to passwords but worthy of mention if it will entice you to use this excellent utility.

One-click filling out of forms with any number of personal details can be a real time saver. Name, address, landline phone number, mobile number, fax, date of birth, credit card details — virtually any sort of information required on a form can be intelligently provided with a single click. That’s one click for the whole form, not one click for each field! RoboForm knows what’s being asked for and provides just that.

Both RoboForm and 1Password offer free 30-day trials, after which each application will continue to operate but with a reduced feature set. Here’s the situation was RoboForm:

|
By all means trial the product first, but believe me, purchasing the full version is a very easy decision. Most people will definitely need many more than 10 pass cards alone, not to mention how useful multiple identities and profiles can be, and the ability to create numerous custom fields.

Again, here’s where to get‘em:

For PC users  : RoboForm

For Mac users : 1Password

And remember…

The first line of defense is the human brain.
Keep it engaged when online.

Related articles

• SSD tools crack passwords 100 times faster

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Recently I posted a couple of articles (Article 1 – Article 2) discussing security of websites. Of necessity those articles were relatively superficial and didn’t go into any technical depth about the ways that websites can be compromised.

A recent development, which I’ll get to shortly, has inspired me to briefly revisit the topic of website security, this time in relation to a specific type of website and type of vulnerability. But first a little background…

Many websites are supported by a database in which is stored pretty much any information relating to the functionality of the website that the programmer decides should be stored there. While simpler designs may just store something like member information — for example UserID, password, e-mail address, etc — more complex arrangements may even store the website’s design components (such as screen colors, page dimensions, number of columns, etc) in the database.

Obviously regardless of what sort of information is stored in the database, any destruction, corruption or malicious manipulation of the database will almost certainly have serious adverse repercussions for the functionality of the website itself.

Another consideration is that there are different brands of databases, and each has its own design requirements, peculiarities and potential vulnerabilities. Microsoft SQL Server is generally considered to be the industry Big Gun, but it is considerably outnumbered in instances of use by the open source product mySQL, by far the most popular database used on websites.

In order to extract specific information from a database it is necessary to execute a piece of code called a Query. Queries must be written in a standard format which complies with the syntax of the “standard” Structured Query Language (SQL). Don’t be thrown by that — it just means that there are strict rules governing how you can ask a database to return information; you must use the right words in the right order in the right way. This is the province of the programmer, and should be completely invisible to the website visitor, but it never hurts to understand a little of what goes on behind the scenes. So, a simple example of an SQL query might look like this:

“SELECT * FROM users WHERE name = ‘” + UserName + “‘;”

That will make more sense if we consider a hypothetical website where the visitor must login to get access to the site’s content.

When a visitor to our password-protected Website enters their UserName into a login form, the programming code behind the form would call something like that SQL query above in order to extract the records of the specified UserName from its table of registered users.

Now, one of the vulnerabilities that can be used to attack a database-supported website is called “SQL injection”. An example of attempting to use SQL injection against our hypothetical website would be to provide a UserName that is in fact a command or query that the Query Language would understand and act on.

Obviously it would be very undesirable to have a situation where a knowledgeable hacker could somehow “inject” into the UserName a standard SQL command to delete a table from the database, or to reveal the e-mail addresses of all the registered users.

You don’t need to know anything about programming or databases or query languages to appreciate that there absolutely must be provision in the design and coding to prevent that sort of thing from happening.

Some database systems have such a safeguard built in, an example being the Parameterized Statements feature of the open source H2 database system. However the enforcement of Parameterised Statements is not a feature of Microsoft SQL Server or mySQL. With those databases the onus is on the programmers and designers to anticipate possible SQL injection exploits and circumvent them with careful design and coding.

Now, with that little bit of background out of the way, let’s return to the “recent development” that instigated this article in the first place.

Kaspersky Labs is one of the largest security companies online, and develops various anti-virus and security suite products and services for home and business. Far from being a newcomer, the company has been an established player in the computer and online security niche for a dozen years now, and their products are well regarded.

But despite the security expertise and know-how that you would expect from such an entity, a hacker recently posted proof that he had infiltrated their online database using SQL injection as his method of entry.

Fortunately for Kaspersky and their many customers, this interloper was apparently a benign hacker who was only interested in exposing a security weakness. As far as anyone is aware he didn’t cause any damage or reveal any sensitive information — something that it is obvious from his expose’ he could have done quite easily.

The reason I put you through that background lesson is to reinforce a point I made in my earlier Website Security articles. Some people criticized those posts for not going into enough specific detail, and my response was that the range of potential exploits is just too great. What I want you to take away from the Kaspersky incursion is that there are certain measures that the average Webmaster can take and there are things he should keep an eye on. But unless he is himself an expert in all aspects of website design, programming and hosting, there are many aspects of website security for which you are compelled to rely on your Host. This is why it’s so important to do your research and due diligence before choosing a Host for your website.

It would be easy to sit back and point a derisive finger at Kaspersky and be aghast at how a security company could be so easily compromised. To a degree you would have every right to do so, because the Kaspersky Web developers certainly missed blocking a well-known type of exploit.

But while you’re scoffing, at least appreciate just how vast is the number of possible vulnerabilities and the many thousands of hackers who are constantly probing for a way to get in.

It doesn’t take a lot of expertise to put up your own Web form, whether it be for the purpose of logging-in or allowing a site visit to send you a message. Would it surprise you to know that, unless specific steps are taken to counter it, almost all Web forms are open to SQL injection or to similar exploits such as SMTP Header Injection (used against e-mail forms)?

If in doubt, talk to your Host.

The post by the hacker who cracked the Kaspersky website can be found here:
Kaspersky Website Hacked

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

What’s the first thing that pops into your head when you hear/read/see a news item about someone being caught with child pornography on their computer?

In all probability your immediate reaction is one of distaste and condemnation.

But is that fair? Perhaps you shouldn’t be quite so hasty.

The more you know about how vulnerable the average computer is, the more likely you are to wonder first of all who really put the offending material there. Especially if the “perpetrator” steadfastly maintains a claim of innocence to the bitter end.

Mostly when we hear about computers being compromised, the attack is designed to cause damage, steal information or harness the machine as a spambot.

But computer malware has other, much darker uses…

The same malicious software used to perform acts of theft and vandalism can be used — perhaps much more devastatingly — to frame someone for all manner of  antisocial and even criminal activity.

I mean, if you really want to destroy someone’s life and reputation, what better way than to “arrange” for them to be accused of something really heinous like the possession of child pornography?

The simple fact is that, due to a myriad of factors, the average person cannot be held responsible for every file found stored on their computer. This is a reality that law enforcement agencies are going to have to consider safeguards for, if innocent people aren’t to be pilloried – something which has already happened too often.

For quite some time now it has concerned me the way suspects are almost immediately identified and exposed to public condemnation and humiliation for material found on their computer, which may be related to pornography, hate/racism, terrorism, child abuse, plans for a criminal enterprise, and so on. As far as the various media are concerned, the more socially unacceptable the better!

But surely we now know enough about computer vulnerabilities to warrant being very cautious when it comes to public naming and shaming before a thorough forensic examination has been conducted. And such examinations must be performed by qualified people capable of doing it properly.

The average law enforcement officers and prosecutors do not have the necessary skills, yet their on-the-spot decisions based on circumstantial evidence can ruin lives forever.

While I have no problem with the severest punishments for the likes of paedophilia, I do have a real problem with unqualified law enforcement agencies destroying someone’s reputation forever (there’s no recovering from some accusations) based purely on circumstantial evidence. And until thoroughly investigated the mere existence of files on a computer is nothing more than circumstantial.

I’ve long had it in the back of my mind to research this topic and perhaps produce an article or two, but I just discovered that the job has already been done quite admirably by technology journalist Jordan Robertson for Associated Press.

As if you don’t already have enough reasons to be concerned about your computer and online security, click the link below for even more worries. It’s a revealing story illustrating just how easily good people can be crucified and ruined because of inadequate investigation.

Framed for child porn _ by a PC virus
Opens in a new window

I hope that story has opened your eyes to yet another reason for paying proper attention to your computer and online security?

Please help spread this warning by sharing it
on your favorite social media network
(see buttons below)

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

I recently received a question from a reader asking how thieves were apparently able to detect laptops out of view in locked cars, say either covered up or in the trunk (or “boot”, depending on where you live).

This is a topic that’s seen batted around for some time and has attained the status of urban myth, with its share of believers and disbelievers and little in the way of hard facts or proof.

It’s a question I started to look into some time back, but for one reason or another I got sidetracked and never followed through to a conclusion.

Having the question raised again prompts me to present what little I know and request input from anyone who may have definite knowledge, particularly from any technicians who have experience with the types of devices I’ll mention hearing.

I’ll start with what I consider to be the most unlikely method of laptop detection.

Inductive Amplifiers

Now this is just something I’ve pieced together from bits and pieces here and there, so in mentioning it all I’m trying to do is open the discussion. I’m definitely not suggesting this is possible or practical — because I simply don’t know — but frankly I doubt it.

Proponents of this “myth” claim that it is possible to detect the presence of a laptop computer using a device called an inductive amplifier.

There have been quite a few unsupported and unsubstantiated reports that police in Selangor, Malaysia caught thieves red-handed with one version of an inductive amplifier, called a Model 200EP Tone Probe, that particular device being manufactured by Tempo-Textron, but there are of course many others. [Note: I found the Tempo-Textron site to be out of service a lot. Sorry, but nothing I can do about it.]

Personally I’m more inclined to think that any thief in possession of an inductive amplifier would be using it to disable car alarms.

Battery Detectors

Another fairly common suggestion is that the presence of a laptop can be detected by use of a so-called “battery detector”. Various types of battery detectors do exist, but to my knowledge their effective range is very small, and there would be myriad problems using such a device to detect a laptop in a car. For one thing I would expect that the metal enclosure of a car boot would provide a very effective barrier, not to mention all the other power sources that are constantly active in a vehicle.

As to the electrical properties of a laptop, there is ALWAYS some power present, whether the laptop is shut down or not, even if you remove the main battery. On the computer’s motherboard is a small battery much like that which runs your electronic watch. For historical reasons it is generally referred to as a CMOS battery. At the very least this battery maintains the real time clock, and it may maintain other settings as well. I believe voltages range from 3 volts to 4.5 volts, depending on make/model/brand/etc. There may even be more than one such board-mounted power source.

But detecting a laptop in a motor vehicle with a battery detector? I’m sceptical.

Bluetooth Scanning

The more obvious danger is leaving your laptop on or in sleep mode, such that its Bluetooth capabilities (if any) are active. Bluetooth scanning will reveal not only the presence of a laptop or high-end phone, but also its make/model. And such identification opens up the possibility of “steal to order”, allowing high-end devices to be specifically targeted. There’s plenty of information available on Bluetooth detection so I won’t belabor the point further here. Anyone wishing to research this further could try some of these keywords:

• Bluetooth Scanning
• BlueBugging
• BlueJacking
• BlueSnarfing

I don’t think rehashing unsupported myths and suppositions serves any purpose, but if you have any definitive information on how laptops and/or high end mobile phones might be detected inside a locked car I’d certainly like to hear about it. Please use the comments box below…

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

We all know that data theft, credit card theft, etc. And we know that spyware, viruses, Trojans and other cyber nasties are a threat. But have we been underestimating the real effect?

As regular readers will know, I’m not a fan of Norton/Symantec or McAfee anti-malware products. I believe you can do a lot better for less money and consequently experience far fewer “system problems”. However, there is no disputing the fact that the big companies like those two certainly have the resources necessary to conduct, collate and analyze large global surveys. Hence they are certainly worth listening to when they publish such information.

In January of this year Symantec conducted a survey of 2,100 businesses and government agencies located in 27 different countries, and the revelations concerning the extent of data theft were quite sobering.

Now, the part of the survey I’m interested in asked those entities if they had ever suffered a cyber loss in the preceding 12 months.

Guess how many replied in the affirmative?

100% !!!

Yes, every single one of those 2,100 businesses or government agencies had been the victims of some sort of data loss: credit card info, financial data, intellectual property theft, and so on.

What is loss?

Loss of data is very different to loss of a physical item. If your actual physical credit card is lost or stolen, then it’s gone and that’s it. At the latest you’ll know that it’s missing the next time you go to use it.

But if someone steals the information about that credit card — your name, card number and pin — you still have the card itself and you’ll probably be none the wiser until your next statement arrives with a few thousand dollars missing.

Now, getting back to that survey…

The thing you need to keep in mind here is that pretty much all of those organizations have IT departments staffed by qualified people who are constantly on the watch for any sort of incursion. If they weren’t on constant watch for such things then there would be many instances of loss/theft that would go unnoticed, at least for a time.

For example, the survey quotes an IT project manager at a federal agency as saying “You can sit and watch our monitors and see people try to attack us”. It is an indisputable fact that right across the globe IT security people are seeing new viruses, spyware and back-doors EVERY SINGLE DAY.

What I’m getting at here is that it’s very unlikely that you, as an individual without all those costly and sophisticated corporate resources, will have the time, capability or knowledge to be constantly monitoring for attempts at data theft.

And don’t think for a moment that you are a lesser target because you are an individual. Most data theft is completely automated, with malicious programs searching out ANY computer anywhere that they can gain access to.

Even with all their resources, 92% of the survey respondents admitted that the cyber theft they had suffered had resulted in significant costs. And if you are a business one of the most significant losses you can suffer is loss of customer trust, which inevitably leads to reduced revenue.

So if the big players with all the resources are getting hit, what are your chances?

Well, if you read this blog on a regular basis, your chances are probably at least a bit better than the average. The two-line subscription form that ensures you don’t miss any posts is at the top right of this page.

Related articles

• Symantec’s “State of Enterprise Security 2010″ report (PDF)
• Cyber attacks cost businesses an ‘average of £1.2 million’ a year
• Who lost business to cyber-weaknesses?
• Cyber security tops IT priority list
• Data Thefts Cost Firms $2 Million Each a Year
  

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

We’re all well aware that all sorts of shenanigans goes on in the murky world of bureaucracy and politics. Always has been so, always will be. No matter where you live. The protagonists themselves, by their very actions, have conditioned us not to expect much of them.

But surely we’re entitled to expect a certain level of alertness and perspicacity in the elite few who have reached the top echelon of their calling. People like, say, the director of the FBI.

You agree? Hmmmm…

A couple of days ago our American friends were treated to the story of how FBI director Robert Mueller had been banned by his wife from using Internet banking.

Why? Get this…

Mueller, whom you might expect would be at least reasonably well schooled in shams and scams, and on full alert for them, was (by his own admission) within a click or two of delivering his net banking password to a cyber-crim, courtesy of a phishing e-mail. Only at the last moment did it dawn on him that this “might not be a good idea”.

Huh!

If Mr Mueller subscribed to this blog, the merest thought of responding to a phishing e-mail would not have entered his mind for a moment.

Look, if there’s any reader of this site who is still in doubt about how this works, I’ll distil it down for you right here, short and to the point…

NO FINANCIAL INSTITUTION WILL EVER
ASK YOU TO CLICK A LINK IN AN E-MAIL.
NONE.
EVER.

All financial institutions, and that includes payment processors such as PayPal and Clickbank as well as banks etc, are very well aware of the dangers and the potential for abuse.

If your bank ever really does want you to change your password or confirm your account details or anything like that, they will tell you to login to your account and do such and such.

They will NOT say “click here”.

They will NOT provide you with any sort of a link.

They will expect you to know how to login to your account and they will expect you to do that of your own volition, without any links or other help from them.

ANY link in ANY e-mail is a potential threat until you have given it conscious consideration.

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Password selection and personality? A couple of days ago I read a book review in one of our local newspapers, in which the authors (of the book) suggested that the computer passwords you select can reveal a lot about your personality. Let me say right up front that if that’s the case — if your passwords do reveal a lot about your personality — then you are sadly, even dangerously, off track in the way you select passwords.

For more on passwords you might want to take a look at this earlier article of mine, but first let’s look at this personality thing.

The authors nominated eight password categories and assigned specific personality types to each…

1. A lover’s name. You are a loyal type likely to stray, but can also indicate obsession or lack of imagination.

2. Work-related. A dull or career-obsessed workhorse who lack the imagination necessary to climb the corporate ladder.

3. Numerical passwords. Logical to the point of humorlessness.

4. Your own name or nickname. Self-obsessed and egotistical, but also over-confident, driven and desperate to achieve.

5. Fantasist. Using passwords like “sexy”, “stud” or “goddess” is similar to using your own name/nickname, but you’re also likely to be a risk taker and thrill-seeker away from work.

6. Names of pets. The nostalgic type. You believe that other people just don’t understand you so you reserve your sensitive side and innermost thoughts for “Fluffy” or “Spot”.

7. Favourite band, sports team, etc. You’re a romantic, and life is one long, determined fight to stay happy and positive. People either admire your upbeat attitude or see you as a gullible sucker.

8. The Cryptic. You “agonize” over concocting passwords that are an intricate mix of letters, numbers and punctuation marks. In the author’s words: “This air of intellectual mystery defines you as pretentious, arrogant and more than a little paranoid”.

What do you think? See yourself in any of categories 1 to 7? If so, I’d really like to get you headed in the right direction.

The category that bothers me the most is #8. The purpose of a password is to protect something, and an easily guessed password is little or no protection. If it is your habit to choose passwords that are an “intricate mix of letters, numbers and punctuation marks”, then I don’t really care about the psychology behind your reasoning because, from a security standpoint, you are way ahead of everyone else.

On the other hand, if you don’t use passwords that are an “intricate mix of letters, numbers and punctuation marks” then I strongly suggest you forget the pop-psychology and start doing just that.

The Solution

Fortunately you don’t have to “agonize” over coming up with good, reliable, secure passwords. There is an excellent — I’ll go so far as to say indispensable — application that will not only create truly arcane passwords quickly whenever you need one, but it will even remember them for you. After all, one of the reasons that many people don’t use truly appropriate passwords is that they can’t remember them.

I’ve mentioned it before, and no doubt this won’t be the last time you’ll hear me extolling its virtues, because I see this little tool as a very important part of your security arsenal. It’s called RoboForm. There is a free version which you can use to get a feel for the product, but anyone serious about their online safety will want the full version.

Finally, I haven’t read the book that prompted this article, and to be honest I’m not likely to, although I admit to a passing interest in the study of body language. But if it’s the sort of thing that takes your fancy you can find “The You Code” on Amazon.com

Related articles:

• Most users don’t change password often enough, report says
• Please Hack Me. My Password is 123456

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Yes, you can be spied on through your own webcam! Let this true story be a lesson in how otherwise fun and useful technology can be turned against you if you don’t stay constantly alert.

A Philadelphia School district is facing a class-action lawsuit bought by parents of its high school students.

In 2009 the Lower Merion School District issued  laptop computers — all factory-fitted with webcams — to its high school students. Commendable and progressive, no argument there.

Now for the “What what on earth were they thinking?” part of the story…

The computers were configured so that the webcams could be activated remotely by the school. See where this is going?

When I say “the school”, obviously I mean one or more persons at the school. As far as I know the individuals directly responsible haven’t been named yet, but lawyers representing the incensed parents have aimed their class-action suit at the school district, members of the Board of Directors and the Superintendent. Not specifically named, as far as I know, is the person who, by an act of sheer stupidity, let the cat out of the bag.

How Dumb Do They Come?

Apparently the Assistant Principal of Harrington High reprimanded a student for “improper behavior in his home” and presented a screen-shot from the WebCam built into the boy’s laptop.

Now, quite apart from the legal and security breaches, should anyone with an IQ low enough to try a stunt like that be entrusted with the education of children?

You would literally have to be as thick as a brick to think that (a) such action would be viewed as acceptable by the law and the community, and (b) that you would have any chance at all of getting away with it.

The school district has placed a response on its website, but their reasoning doesn’t stand up to inspection. Quote:

“The tracking-security feature was limited to taking a still image of the operator and the operator’s screen. This feature has only been used for the limited purpose of locating a lost, stolen or missing laptop. The District has not used the tracking feature or web cam for any other purpose or in any other manner whatsoever.”

Apparently the last sentence is completely false, hence the lawsuit. And as for the rest, well, a mugshot of the operator might be of use in prosecuting a thief if he could be identified and apprehended, but neither a screen-shot nor a photo of the operator is going to be of much assistance in actually locating a stolen computer.

This revelation raises another question…

Just how widespread is computer surveillance by schools?

On the surface the video below is a feel-good story about how the application of available technologies has been life changing for the students at one particular school.

But pay careful attention at the point starting at 4 minutes 37 seconds into the video. That teacher is using a remote desktop facility to eavesdrop on the screen of a student’s computer, including what the webcam sees because she has it running. Don’t you find the potential for misuse just a little bit disturbing?

Protecting yourself

As you might expect I’m extremely careful about all aspects of my computer security, and I believe the likelihood of anyone being able to take remote control of my webcams is very low.

Even so, when they’re not in use my desktop WebCam is turned to face a blank wall and the camera lens on my Netbook is covered by a strip of paper.

Now you might well ask “Why not just disable the webcam”? Good question.

Most webcam software is configured to load ready for use on Windows start up, then you or some appropriate applications software actually starts the webcam running when required. And as I’m sure you can see, therein lies the potential for abuse.

Even if the webcam software is not loaded ready for use during Windows start-up, there is always the possibility that an interloper or some malicious software could initialize it. So the best precaution is to not load the webcam software during the Windows start-up, and also to ensure it can’t see anything “of interest” if it is running, until you want it to. It’s a simple matter to click a menu item or double click an icon to load the software when you need to use it.

Related articles

• Full text of the class-action suite case filing (PDF)

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.