Search This Blog

Friday, December 24, 2010

OK, this is just a serious kewl Do Dad for Vulnerable and Pen Tests

Feel free to send me one! The PlugBot is one clever idea. Just plug it into an outlet and let it connect WiFi or plug it into an Ethernet jack and let err rip....

Great idea to see if your organization can detect nefarious activity by unknown ne'er-do-wellers.
The PlugBot

Monday, December 20, 2010

(F) More on Passwords for websites

The recent Gawker password and account breach shows us that all these 'cloud' service sites like Gizmodo and Gawker Blog comment sites expose us if or when their security fails. Many websites like Gawker/Gizmodo where you have to register to leave a comment and be notified when someone comments on the same thread you did, leaves us with the question:

'How do we structure our passwords for the InterWebings'?

Users of the no longer optional Internet must have a set of rules that will allow you to use the Internet safely and able to withstand a major breach where our email address, which is our Internet login for most websites, along with our password has structure and rules we apply to keep us safe and isolate types of websites from others. If a breach occurs, like Gawker showed us, many other cloud sites like Facebook, Twitter, LinkedIn, Yahoo and others locked all the accounts from the Gawker breach that match their users.

Why? Because too many of us use the same password for sites like Gawker for other sites like Facebook, Twitter and even our Banking. If you are one of these users, who have one password for every type of website, you ARE at extreme risk of getting your access compromised on other websites when a breach like Gawker occurs and why many websites locked your account if the emails used matched the Gawker breach list.

With this in mind... Let's craft some recommendations.

1. Create a formula for at least four (4) passwords for types of websites.
2. Use some type of password manager solution
3. Optimally use a password manager that you can use random passwords for eve website.

Four password formula:

Using of course a terrible example to make it easy to understand, let's say your password is, well 'password', something you should never use, but will work for the example. Minimum length is 8, the best length is 12 or more.

Password - easy for blogs and things you just don't care if it got breached
Passw0rd - you care a little more or some sites require 3 out of 4 items (upper, lower, number, special), not long enough
P@55w0rd - more secure using all items, but not long enough to be secure, use for Facebook or Twitter
S3(urep@55w0rd - Secure password as it is long and uses all items. Use this for financials or setup SuperGenPass or LastPass to generate one for you.

Of course having a different password for each website is best which you can get with SuperGenPass and LastPass that can generate a unique password for each website and all you have to remember is your long pass phrase instead of a bunch of passwords that are probably not that secure.

I recommend SuperGenPass and LastPass for truly secure, random and easy to remember passwords. Not to mention if a site got Gawked, LastPass let's me change the password quickly.

Thursday, December 16, 2010

(F) Kids and passwords... Adults too

Ever wonder what are children know about usernames and passwords? Who taught them! Did you as their parent provide them guidance and follow up with them to verify what and how they surf the InterWebbings?

You might be surprised that most children, Tweens and Teens use weak or no password at all. Actually close to 70% of children ( and yes many adults too) leave passwords that are not required to be changed 'blank' or something weak like their name or password1.


Random Password Statistics

Number of online accounts that an average user has: 25
Number of passwords that an average user has: 6.5
% of US consumers that use 1-2 password across all sites: 66%
Number of times an average user login per day: 8
Average password length: 8
Most commonly used password: password1
% of users that use personally meaningful words: 54.9%
% of users that use the ‘Remember my password’ function: 28.6%
% of users that write down their password: 15%
Average time users maintain the same password: 31 months.

The following image says it better than anything I will write in this Blog post!

So talk to your children about passwords and help them understand what makes a good password and how to protect it and use different passwords for different websites. Come up with a formula to use different passwords for email than you use for gaming sites, than you use for Facebook.

Use things like SuperGenPass or LastPass for more control and to help randomize your passwords.

If you use the same username (email address) which we generally have to on the Internet and you also use the same password on all your websites, when something like the Gawker breach occurs, all your logins are subject to being taken over by a person looking to steal information or worse, your financial or person information which can include your identity.

Don't get "Gawked"... Use different passwords for different websites.

Wednesday, December 15, 2010

(W) Warning for anyone that has a Gawker / LifeHacker account, your password has been stolen ,

For those that use and read any of the Gawker websites like one of my favorites LifeHacker, if you have an account to post comments or other login, your account password has been compromised!!!!

The websites affected include:

Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot.

The threat?

Many people, i'm not one of them, use the same password for multiple website accounts, yes we call this 'The Cloud'. This means if you use the same password for a Gawker website as your Facebook or Twitter account... The bad guys are already logging into to these stolen accounts and trying to steal or gain data from your other sites and accounts that you used the same password for.

How do I avoid this threat?

My last post was on passwords and either SuperGenPass or LastPass have a random generator that allows each website to have a unique password and you only have to remember your main passphrase which either generates the real password (SuperGenPass) or enters the remembered password like LastPass.

How do I know if I have a Gawker account?

The are a couple websites that allow you to lookup your Email that was used as your account and see if Gawker reports it. If your email address does show up, your password and Gawker account are now well know to the Ne'er-do-wellers and no longer under your control or private.

Look them up now !!!

ComputerWorld article with instructions

Slate website with simple email address check

Saturday, December 11, 2010

(F)(U) Best bookmark sync tool now with best password management tool

I could not be happier to read that the best Tool to synchronize bookmarks was acquired by the best tool to manage passwords.

Xmarks is an Add-On for FireFox, Chrome, IE and Safari that allows you to use one browser on one PC or Mac, add a bookmark and then go to a different PC or Mac, yes iPad too and see the synchronized bookmarks. Now any browser you use will have all your bookmarks in sync. Also it is the best way to backup your bookmarks if you get a new system or have to rebuild your computer, the power of the cloud will store your bookmarks on the Xmarks server, which also allows you to access your bookmarks from any computer, say your friends, work or parents system. You just login to your Xmarks account and poof.. There are all your bookmarks. Xmarks synchronizes your bookmarks each time you open or close your browser or as needed. Xmarks also lets you save your passwords for logins, but they are not stored as secure as I would like them to be. The only issue with Xmarks is the lack of encryption at rest, on the Xmarks server and options to additionally secure them with two-factor authentication.

LastPass is a tool that is used to save and store all your website logins and also secure notes. Browser based Add-on as well and iDevice too, LastPass encrypts your password file locally with AES 256 encryption, so as good as it gets as well as stores them on the LastPass server, yup, the cloud, again with AES 256 encryption. So if some Ne'er-do-well breaks into the LastPass cloud servers, they would only get encrypted data that is worthless without the master password only you have.

In addition, you can add, yet another best thing, a Yubikey to add a 2nd factor 'something I have' token that you plug into your USB and touch to add a one-time and/or static password option for $25 USD that now protects your website logins and passwords with not only your username and password, but with the option of 2 factor authentication with a Yubikey, which of course I use to protect my website logins...

With LastPass acquiring Xmarks, this means we will now have a bookmark sync tool that now stores your bookmarks securely, very secure with AES 256 and with Yubikey as an option, your bookmarks, usernames, passwords and secure notes will all now be securely stored locally and in 'the cloud'.

Xmarks website

LastPass website

Yubikey website

Wednesday, December 8, 2010

(W) Use your browser to store passwords? Bad surfer bad...

If you didn't already know why you should NEVER use your browsers "remember passwords" option, tools like this are why... Store your password in a browser, get it broken and stolen by a tool like this, and no, a ne'er-do-well would do it from a java script on a website you visit.

Use something more secure like LastPass or SuperGenPass...