🔐 How vulnerable are you: review in security
The weakest link in a security system is most often not the system itself but the implementation of it. WEP is a classic example, and so is human behaviour.
Every day you place more and more trust in the confidentiality and security of technology. Every day you commit a little more of yourself unto the invisible hands and confer responsibility for an increasing portfolio of facets of your life, your photographs, your important engagements, your secrets, most recently inclusive of your financial assets. Every day the ranks of such individuals swells.
It's disturbing the sheer proportion of people who do so with absolute faith that everything they invest (or divest) in digital systems is perfectly safe and secure because something, something, something... technology, without taking the most basic of measures and advice of how to do so.
Security and Ease of Access are a trade off, you can't have 100% of both 100% of the time, one must be compromised for the other.
A few days ago a person I work with charged into my office spouting accusations that the email server I manage was perpetrating a bulk send from their mailbox of an unauthorised email containing a Google Drive file sharing link they knew nothing about. Within moments I confirmed that in fact the point of origin was another mail account the user had outside our organisation that had sent the email to all addresses and distribution lists known by their account. Their credentials had obviously been compromised, and the act was unnervingly similar to Petya/Eternal Blue patient-zero methodology.
Petya lockscreen image source: Janus Cybercrime Solutions
No hack. No virus. No Solid Snake hiding under a cardboard box in their office waiting for them to leave in order to gain unrestricted physical access to their system and accounts.
It was simply a case of a weak password that had been brute forced, guessed, or otherwise discerned, that had facilitated an unauthorised party to authenticate against the mail service remotely and thus send the offending mail.
Needless to say, I immediately advised the person to change their password and suggested a method for creating a password both stronger and more easily recalled (see below). I also contacted the administrators of the mail service and asked that they attempt recall of all outbound instances of that particular item, a feat only possible for mail delivered internal to a domain but not once the mail has traversed the domain boundary. Next was the task of generating a list all recipients so they could be contacted and advised of precautionary steps (a tedious tale I will spare you from).
Before you feel too much sympathy for this individual consider the fact that by their lack of respect towards security risks and standards they exposed every other related individual or entity, internal and external, to an unacceptable level of threat. Like a Roman phalanx, one breach of the shield can prove disastrous for the united defensive front.
The Point Of This?
Why am I sharing all this with you? Yesterday I came across an article by @hamzaoui demonstrating the built-in method to access passwords stored by the Google Chrome browser, which may come as a revelation to some, but I'm glad the topic was raised all the same because it opens discussion on system security and that is a dialogue that needs to be ongoing, strong, and healthy, particularly now that so many people are committing most, if not all aspects of their life, including their money, into digital form.
If you haven't already read the article mentioned above I'll quote the most important points of the comment I left there for your consideration:
...passwords are stored in either an encrypted file under the browser or under some form of system 'keyring' like certain flavours of 'nix. This file is unlocked when the user runs the browser...
...I've been showing this to users myself for around a decade now, but it does serve to illustrate the risk of storing sensitive information or secrets in an unprotected environment, the top 3 classic scenarios being:
- A publicly accessible system (library, school, etc)
- A shared workplace system (front desk, task specific hot-seat)
- A system with no user logon password requirement - this is common at home, in SOHO and small business situations
And the all-time rookie error of account security is (drumroll)....
- Using the same password everywhere
If access to one account or service is verified for a particular compromised password you can bet your boots that password will be blindly tried everywhere else you may or may not have an account. With a few minutes work you can guess or determine usernames for a whole raft of sites & services.
You wouldn't believe just how prevalent are those last two points (no system password, same password used on most/all accounts) - it's really quite concerning.
Security Is A Practice, Not A Feature
I would love to make a pop culture reference here to a scenario wherein a certain young, yellow haired girl demonstrates, using her fathers own specious reasoning, that "correlation does not imply causation" by implying the mere presence a rock is the reason there are no tigers in their town. But I don't posses said rock and so have naught otherwise to deter a cheetah, so I will abstain.
If you do not practice safe and secure use of technology you cannot assume any level of protection no matter how many safety and security mechanisms you employ.
Remember those weak points of implementation and human behaviour? They trump all. You're giving yourself a false sense of security and confidence if your response to potential threats is something along the lines of "Oh but I own a Brand X™ 2000+Plus+Plus Integra® system" or "No problem, I use Browza" or "There's a lock on my smartphone" if your password for every single account and service you have is incorrect (yeah, that's actually a real password that far too many think is witty).
The first rule of password club is: use a strong password
My methodology for creating strong yet memorable passwords is this:
- Think of a short phrase that is very memorable to you, such as:
- the activity you most look forward to each day
- a favourite song lyric or rhyme
- a private memory
- Remove the spaces between the words
- Capitalise the FirstLetterOfEachWord
- Substitute AL3tt3rForANumb3r &/or add a symbol!
- Now you have a Compl3xY3tUnforg3tt@bl3Pwd!
That example may be a little long and complicated for some but there's nothing wrong with H0rseRideL8r! or iMakeTyp0?
Or you could use the XKCD method ;)
All the examples above are greater than 8 characters (that's 1-Byte of data, by the way) and use elements from the 26 Latin characters x2 (upper & lowercase), as well as numbers and symbols, and are definitely not susceptible to dictionary attacks.
To get an idea of the total number of combinations that must be tried to brute force such a password, considering the attacker does not know the length or types of characters to try in combination, review this basic calculation of characters indexed to the power of the number of possible values for each:
32 (keyboard) symbols + 10 digits + 26 lower case Latin + 26 UPPER CASE LATIN = 94 characters, therefore
length^94
So an 8 character password using elements from each of alpha-num-symbol would potentially require this many attempted combinations to brute force:
8^94 = 7770675568902916283677847627294075626569627356208558085007249638955617140820833992704
The second rule of password club is: never reuse a password
Yes, you should use a unique, complex password for every single account you have, and you should change them occasionally, if not regularly.
Whoah! Whoah. Whoahhhh. Whoahhhhhhh....
I know, I know. It's a quite a burden for a human to carry. That's why you don't rely on yourself for this task, instead you should leverage the awesome computational power of computers to compute large, complex, cryptographic computations.
I'm going to show you how to do this, easily, and share the results across multiple devices, in my next post.
In the mean time here are some security guidelines and tips from reputable sources for you to consider.
Sage advice from US DHS:
https://www.dhs.gov/stopthinkconnect-cyber-tips
- Set strong passwords, change them regularly, and don’t share them with anyone.
- Do not include your name, your kids' or pets' names, or other well-known information about yourself in your password;
- Avoid using common words in your passwords or passphrases. Instead, break up words with numbers and punctuation marks or symbols. For example, @ can replace the letter "A" and an exclamation point (!) can replace the letters "I" and "L"; and
- Use a combination of upper and lower case letters.
- Keep your operating system, browser, and other critical software optimized by installing updates.
- Maintain an open dialogue with your friends, family, colleagues and community about Internet safety.
- Use privacy settings and limit the amount of personal information you post online.
- Be cautious about offers online – if it sounds too good to be true, it probably is.
Sage advice from Cisco:
https://umbrella.cisco.com/blog/2013/10/08/top-ten-important-cyber-security-tips-users/
Be safe, and as always, STEEM ON!
^vote, resteem, and comment below. Considerable effort has gone into researching, testing, and formatting for this article.
Full upvote with love from #TheUnmentionables
If you are looking for a great place to meet incredible people, create amazing content, earn more for your posts, and just generally be awesome, then come check out our Discord channel and join us!
UPVOTE THIS POST TO HELP US GROW AND HELP US REWARD GREAT CONTENT EVEN FURTHER!
Great post! I know I'm guilty of some of these issues, but I've been working on changing my passwords and making everything more secure.
One thing I would encourage you to add or think about for a future article would be two-factor identification. Most people don't realize that they have this as an option for many of the accounts they currently use. It adds a great extra layer of security to an account, especially a main Google account or a cryptocurrency exchange account. Any thoughts on this?
Thanks for sharing!
2FA is coming, it's on the roadmap for this series of articles, kudos to you for being ahead of the play.
Nice. Looking forward to it.
Congratulations! This post has been upvoted from the communal account, @minnowsupport, by neuromancer from the Minnow Support Project. It's a witness project run by aggroed, ausbitbank, teamsteem, theprophet0, someguy123, neoxian, followbtcnews/crimsonclad, and netuoso. The goal is to help Steemit grow by supporting Minnows and creating a social network. Please find us in the Peace, Abundance, and Liberty Network (PALnet) Discord Channel. It's a completely public and open space to all members of the Steemit community who voluntarily choose to be there.
Security online is a very important issue. Especially with how much money is now flowing in and out of the crypto world. Good write up
Thanks for your support & comment jasonschick, I couldn't agree more, my motivation for writing the article were those points coupled with anecdotal and professional experience of how common is the misplaced confidence that owning a certain brand or using a particular software negates threat regardless of risky or lax practice.
The behaviour equates to belief that ownership of a lock ensures you will never be robbed or mugged, irrespective of conduct, diligence, or proper lock use. Or that the mere presence of a rock is directly causal of the absence of tigers in town... ;)
I'll be publishing another post shortly exploring means for managing all those nice, unique, complex passwords.
Feel free to resteem if you think it will help spread the awareness of the doubts and questions everyone should raise regularly.