by Ross Sivertsen | Nov 29, 2007 | Blog, Information Security
I didn’t quite get to finish my post yesterday, so I took a few moments to do a bit of homework. Here’s what I found. I decided to do a real-world test and attempt to look up a few commonly occurring passwords I’ve seen here in my organization, so I took ten proper names and words and used them as reference material (I won’t list all of them here, but here are three as examples):
– 72a97fb793d496318518aebc7e9298b2 -> the "serial" number for "cowboys" (I’m a Dallas Cowboys fan).
– dfeaf10390e560aea745ccba53e044ed -> "cisco"
– 9924a057edc46fa6c7ac87a7b1771d4f -> "altoids"
I generated the hash values, entered each of the values into Google search, and the all-knowing Google returned the password for each. In fact, out of the 10 "serial" numbers I entered, I found *7* passwords, including at least 2 I wasn’t expecting to find because of their uniqueness!
I don’t mind saying that this was a little frightening. Now here’s a tip that will at least help minimize the probability of finding the passwords in Google.
All of the words I used were proper names or words right out of the dictionary (randomly selected). When I added a random number or character, e.g. I added 20071001 to cowboys to come up with cowboys20071001 (that hash value is 2810ea90c3101fadbaba8748f5b34902, btw), I didn’t find the password. In fact, when I added random numbers or characters to any of the passwords, I didn’t find *ANY* of them.
Adding randomness to a password before it is hashed is a technique called "salting," and it is used to defeat exactly this kind of lookup. Properly done, the salt is chosen by the system, not the user: when a password is set, the host picks a random value for that account, hashes the salt together with the password, and stores the salt next to the hash. Two users with the same password then get different hashes, and a table of precomputed "serial" numbers (Google’s index included) matches none of them. The catch is that you as a user cannot tell whether the system salts passwords before hashing them or simply stores the bare hash.
Appending your own random characters is not salting in that strict sense (the suffix is part of the password rather than a per-account value the system chooses), but it does take the password out of the set of plain dictionary words and names whose hashes have been published, and while not a panacea, it goes a long way toward eliminating the kind of attack described in yesterday’s post. One caveat: a suffix with a pattern, such as a date, only defeats the lookup. A cracker that generates candidates rather than looking them up will try word-plus-digits combinations as a matter of course, so the added characters should be genuinely random and the whole password reasonably long.
— Excuse me, my password tastes a bit bland, would please pass the salt? —
by Ross Sivertsen | Nov 28, 2007 | Blog, Information Security
Link: Light Blue Touchpaper » Blog Archive » Google as a password cracker.
Just when you think it’s safe to go back into the water… here’s a post I ran across via Slashdot about using Google as a password cracker.
The Slashdot writer posts "A security researcher at Cambridge, trying to figure out the password
used by somebody who had hacked his website, ran a dictionary through
the encryption hash function. No dice. Then he pasted the hacker’s
encrypted password into Google, and Shazzam — the all-knowing Google
delivered his answer. Conclusion? Use no password any other human being
is ever likely to use for any purpose, I think."
So let me take a couple of minutes to talk about why this is important, and maybe decrypt (no pun intended) the geek speak.
Ok, so we use passwords to authenticate to systems of all sorts, right? You have ATM PINs, passwords for your email, passwords for your online banking. So how do you know whether those passwords are secure, and not stored somewhere that someone can get the keys to your kingdom? Well, traditionally it is done like this: the passwords themselves aren’t stored on a typical system; the "fingerprint" of the password is.
The way this works is through something called a one-way hash function. This is a mathematical procedure that turns whatever text it is given into a fixed-size "serial number," something like this:
(My Password as Text) -> (Magical Mathematical Hash Formula) -> (Unique Serial Number)
This is important because there is no practical way to recover the password text from the number the function produces; the only route is to guess. The hashes quoted in the follow-up post above are 32 hexadecimal digits, that is 128 bits, so a blind guess matches a given hash with probability about 1 in 2^128, a 39-digit number. That’s why it’s called a one-way hash function: as a practical matter, it can’t be reversed. (The same text always produces the same number, though, and that property is what the rest of this post turns on.)
Okey dokey, so what does this mean in terms of this article? Well, since the function can’t be reversed, the only way to recover your password from its hash is to guess candidates and hash each one. A true "brute-force" attack tries every possible string, which is hopeless for anything but short passwords; what a hacker actually does is a "dictionary" attack: assume you’re using a weak password, maybe a word in the dictionary, maybe your child’s name, maybe the name of your favorite football team, anything that can be easily guessed, then run EVERY candidate through the same hash function and compare the result to the stored "serial" number. When one matches, I have your password and the system I’m hacking "unlocks."
Going through this guessing process can take a VERY LONG time (obviously). But what if I had a database of the most commonly occurring "serial" numbers and a cross-reference of the passwords that belong to them? Then I don’t have to reverse the hash function, AND I don’t have to guess passwords one at a time until I "unlock" the system. I just look up the "serial" number in the database and voilà! Suddenly I have the password. This works only because the system hashed the bare password: the same word gives the same number on every system that stores it that way, so one table serves against every victim.
"Wow," you might say, "that’s got to be a REALLY big database to contain the serial numbers and passwords for EVERY combination of common words, names, and phrases." That’s absolutely true, and who would have a collaborative database THAT large? Enter Google. Google is essentially the "Encyclopedia Galactica" of the ENTIRE web. If it’s on the web, it’s in Google’s index, including the websites of hackers who publish this type of information. The thing that makes Google such a powerful tool for you (presumably the good guys) is the very thing that makes it a powerful tool for the hackers (presumably the bad guys).
This is an interesting point, because Google’s index is neutral; it really is. It isn’t "good" or "bad," it’s amoral. And it’s for THAT very reason that YOUR password security is YOUR responsibility! Just like the Flickr photos of your drunken adventure from college, if your online banking password at Citibank is a common word or name, Google probably has its serial number.
So how do we combat this? Well, there are a couple of things we can do:
First, use reasonably complicated passwords. I won’t go into details here because I don’t want to give anybody any ideas, but using both letters and numbers is key.
Second, use passwords that are the maximum length available, if it’s 10 characters, use 10 characters, if it’s 50, use 50.
Third, change your passwords regularly.
Finally, use different passwords for different systems. This doesn’t eliminate the problem, but if one password is compromised it confines the damage to that one system.
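As a worked illustration of the two ideas on this page, the lookup-table attack described in this post and the salting discussed in the Nov 29 post above, here is a short Python example. It is added here and is not code from the original post or from the Light Blue Touchpaper article. The word list and the PBKDF2 iteration count are assumptions chosen for the example, and the block computes its own MD5 digests rather than relying on the hash values quoted above (that those are MD5 is an inference from their 32-hex-digit length). It also carries the point one step further than the post: a date suffix keeps a hash out of a plain word table, but a cracker that generates word-plus-date candidates finds it in a few thousand hashes.

```python
import datetime
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the dictionary and name lists that published
# hash tables are built from; an assumption of this example, not data
# from the post.
WORDLIST = ["password", "cowboys", "cisco", "altoids", "letmein",
            "dallas", "secret", "football", "summer", "monkey"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the salted scheme below


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a UTF-8 string as 32 hex digits (a 128-bit digest)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """The 'cross-reference database': digest -> plaintext, computed once.

    An unsalted MD5 of 'cowboys' is the same on every system that stores
    bare hashes, so one table (or one search-engine index of such tables)
    serves against every victim.
    """
    return {md5_hex(w): w for w in words}


def crack_by_lookup(digest_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a plaintext by table lookup; None if it was never precomputed."""
    return table.get(digest_hex.lower())


def hybrid_guess(digest_hex: str, words: Iterable[str], year: int) -> Optional[str]:
    """Word + YYYYMMDD for every day of one year, hashed and compared.

    A date suffix keeps the hash out of a plain word table, but a cracker
    that generates candidates instead of looking them up needs only
    365 * len(words) MD5 calls to find it.
    """
    target = digest_hex.lower()
    words = list(words)
    day = datetime.date(year, 1, 1)
    while day.year == year:
        suffix = day.strftime("%Y%m%d")
        for w in words:
            candidate = w + suffix
            if md5_hex(candidate) == target:
                return candidate
        day += datetime.timedelta(days=1)
    return None


def make_record(password: str) -> Tuple[bytes, bytes]:
    """What a system should store instead of a bare hash.

    A random 16-byte salt per account plus PBKDF2-HMAC-SHA256 of the
    password under that salt. Two accounts with the same password get
    different salts, hence different stored values, so no precomputed
    table applies; the iteration count also makes every guess slow.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    salt, stored = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, stored)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("lookup of md5('cowboys'):", crack_by_lookup(md5_hex("cowboys"), table))
    print("lookup of md5('cowboys20071001'):", crack_by_lookup(md5_hex("cowboys20071001"), table))
    print("hybrid guess over 2007:", hybrid_guess(md5_hex("cowboys20071001"), WORDLIST, 2007))
    a, b = make_record("cowboys"), make_record("cowboys")
    print("same password, same stored value?", a[1] == b[1])
    print("verify correct password:", verify("cowboys", a))
```

Run as a script it prints each step. The point to take away is that the lookup works only against an unsalted, fast hash of a common word, that appending a patterned suffix buys much less than it appears to, and that a per-account random salt plus a slow derivation, which is the system’s job rather than the user’s, is what removes the whole class of attack.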
I know all of this sounds like a lot of work, but cyber-theft and identity theft is a real threat, and you’re really just protecting yourself. Can we eliminate the threat? No, not really, but with some amount of work, and a little diligence, you can minimize the risk.
"The price of freedom is eternal vigilance." -Thomas Jefferson.
by Ross Sivertsen | Nov 27, 2007 | Blog, Business
Link: Email’s Friendly Fire – WSJ.com.
You know it, I know it, and anybody who works in an organization knows it.
We are organizationally overrun by email. I’m not talking about the spam we get in our gmail or hotmail accounts. I’m talking about the bread and butter communications used to drive business in the modern workplace.
My organization RUNS on its email; it is the communication fuel that drives just about every interaction with coworkers and customers. But I get on the order of 100 emails a day on a variety of subjects, all coming from coworkers, not spam. “That’s not too bad,” you’re saying, “I get 200 messages a day.” Sound absurd? It’s not; I know for a fact that many of the senior staff in my organization get that many when you count customers as well.
I ran across this article, written by Rebecca Buckman, in today’s Wall Street Journal on organizational software used to sort and filter not spam, but REAL messages. I’m going to take some commentary license and change the purpose of the article, because it focuses on software that helps organize the inboxes of the overwhelmed masses.
A couple of things are really worth noting here: the messages that are sent out not because they require action on the recipient’s part, but as what will come to be known by the term “colleague spam.”
You know the messages I’m talking about; you’ve seen them, you’ve received them, and you probably, willingly or not, sent them. They are the messages that either carry a superfluous recipient because of a CYA factor, or are a broadcast to everyone along the lines of “I’ll be on vacation tomorrow…”
Here’s the problem: business and our culture are being inundated with hundreds of pieces of information per day. We are exposed to so much, so fast, so often that having a BlackBerry is quickly becoming a requirement in many workplaces.
Buckman writes “Last year, the average corporate email user received 126 messages a day, up 55% from 2003, according to the Radicati Group, a Palo Alto market research firm.”
This all stems from the notion that we’re being more productive. In fact, we are becoming less productive. The fact of the matter is, Buckman quotes “By 2009, workers are expecting to spend 41% of their time just managing emails.”
Holy Cow! Nearly 50% of my time managing the influx of messages I’m receiving?! I have to ask myself in those circumstances am I really being productive and giving quality attention to the issues I address?
Many businesses are declaring an occasional “Email Moratorium Day,” where team members use any medium to communicate OTHER than email. Were I to mention an “Email Moratorium” to some individuals (especially at my place of business), it would generate a visceral response, much like a crack addict suffering withdrawal (what does THAT say about this subject?).
Ok, so in most places a moratorium isn’t a practical solution, but there are ways to stem the addiction:
- Be really conscious of when and whether a message is REALLY necessary (I’m not talking about limiting communication, I’m talking about whether the janitor needs to know you have a dentist appointment and won’t be in until noon when you send it to “everybody”).
- Does the recipient list on your message really reflect the true audience of the communication, or are you just trying to CYA, or make a power play by sending false bravado to (among others) your boss?
- Can your message be more effectively communicated through some other means? Getting up from your desk and walking down the hall, apart from the additional exercise, makes the communication more personal. So often email is used as the de facto method when the communication requires little more than a phone call or a visit.
- Avoid using “Reply to All” whenever possible, and reply only to the original sender; there’s no need to chime in to everybody just to say “Me too.”
- Know the limits of what email can provide: if a message is going back and forth between two people like a ping-pong ball, it’s time to pick up the phone or walk down the hall.
- Just as with most things in life, apply the Golden Rule: if you don’t appreciate receiving superfluous email, why do you think others will appreciate yours?
Here’s an excellent link on Email: Do’s and Don’ts from Stephen Wilburs of the Minneapolis Star Tribune.
Thanks very much to Rebecca Buckman of the Wall Street Journal, Stephen Wilburs of the Minneapolis Star Tribune, and Kristan Arnold, author of Email Basics: Practical Tips To Improve Team Communication.
by Ross Sivertsen | Nov 27, 2007 | Blog, Business
Link: The Office Pessimists May Not Be Lovable, But Are Often Right – WSJ.com.
Ok, I was doing research on another topic when I ran across this article, written by Jared Sandberg, in the Wall Street Journal.
Sandberg’s article asserts, you’ll need to read it for yourself, that "pessimists are more accurate at gauging success and failure rates (than optimists)," and that "evidence shows that pessimism can be highly motivational, as what’s called ‘defensive pessimism’ drives people to achieve their goals."
In my experience, more often than not, this is less of an issue of optimism versus pessimism, and more of a perception of control.
What I mean by that statement is this: I’ve spent an entire career (25 years) in the technology services business in manufacturing. It’s taken me nearly that long to learn the lesson that I don’t CONTROL most of my environment. I might have influence over the people and events around me, but I don’t CONTROL their actions or outcomes.
The ONLY thing I can control in my life is me, and my actions, and more specifically my reactions to people and events. When I don’t trust my intuition, and more spiritually, my faith, that things will work out the way they’re supposed to, and I try to control and manipulate the people and events to achieve outcomes I perceive as RIGHT, I, more often than not, fail… miserably.
I’m NOT saying that I sit around in a “Pollyanna,” self-delusional catatonic state, with my fingers plugged in my ears yelling “nah, nah, nah, nah… I don’t hear you!” I can be, at times, fairly pessimistic (just ask my wife).
The key here, in my humble opinion, is balance. It seems to me that it’s easy, when things get tough, to either ignore them, or run around screaming “the sky is falling!” It’s all about understanding the influence an individual has in a given situation, and acting in balance according to that influence.
For example, as a real-life illustration, I have a friend whose organization is restructuring, and he finds himself reporting to a new supervisor, one he apparently didn’t see eye-to-eye with the first time they worked together. My friend in these circumstances had NO control over whether or not he was re-assigned. He DOES, however, have control over how he REACTS to the change.
Look, I’m not saying that change is easy; change is hard. But we as individuals have a choice about the attitude we adopt when reacting to crisis. In a study done by the VA on resiliency, the soldiers most likely to survive a traumatic experience like a wartime prison camp are those who have certain key characteristics, among them optimism.
So in the end, this is all about balance, and being active participants in our own lives. Inaction, whether it’s fostered by optimism OR pessimism is complacency, and complacency more than anything else will lead to failure.
I’m reminded, again, of the old joke about the man sitting on the stoop of his house during a flood…
As the flood waters were rising, another man in a row boat came by.
The man in the row boat told the man on the stoop to get in and he’d save him. The man on the stoop said, no, he had faith in God and would wait for God to save him.
The flood waters kept rising and the man had to go to the second floor of his house.
A man in a motor boat came by and told the man in the house to get in because he had come to rescue him. The man in the house said no thank you. He had perfect faith in God and would wait for God to save him.
The flood waters kept rising. Pretty soon they were up to the man’s roof and he got out on the roof. A helicopter then came by, lowered a rope, and the pilot shouted down to the man in the house to climb up the rope because the helicopter had come to rescue him. The man in the house wouldn’t get in. He told the pilot that he had faith in God and would wait for God to rescue him.
The flood waters kept rising and the man in the house drowned.
When he got to heaven, he asked God where he went wrong. He told God that he had perfect faith in God, but God had let him drown.
"What more do you want from me?" asked God. "I sent you two boats and a helicopter."
by Ross Sivertsen | Nov 24, 2007 | Blog, Web/Tech
Link: The Bamboo Project Blog.
I’ve mentioned before that I sit on the board of a couple of non-profit organizations. I have a passion for the organizations I work with, and I have a passion for the type of work I do, that is being a technologist.
I figured, shoot, I have over 25 years of experience being in technology, what better way to use the gifts I was given than by helping organizations understand and apply technology in new and inventive ways? That’s what I get paid to do at my day job.
What I discovered, though, as I worked through the process of deploying systems in very small non-profits, is that I didn’t understand their requirements nearly as well as I thought I did. I have a thorough understanding of engineering systems and how to apply technology, especially in the private for-profit sector; I do it every day, and I do it well. But I am fortunate enough to work with a team of very talented people who are helping me get to an understanding of what is necessary for a small start-up non-profit.
I have to thank Kerry P., Karen M., Casie C., and Connie F. all of whom are helping me along this journey; they have a tremendous understanding of the needs for our projects, thanks for all of your guidance.
So, as I was beginning to scour resources on what it means to apply technology in the non-profit (especially small NPO) sector, I ran across Michele Martin’s blog, titled "The Bamboo Project"; over the last several weeks her blog has become a resource for me on my projects with these organizations. Her blog centers on the use of technology in the social and non-profit sector.
I have found myself referring back to her site on more than one occasion; through her posts she provides some real, practical, and valuable advice and information. Michele’s writing style is conversational and very approachable.
Thanks very much Michele for the valuable advice, I’ve added you (uh, your blog) to my del.icio.us tags, and certainly in my favorites.