Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.

This is an interesting argument and article (although it is a mite technical), as it poses an argument worthy of real consideration.  There is no dispute that security measures do decrease productivity to some extent.  The questions that need to be asked are how much security actually impairs productivity, and whether the cost in lost productivity is less than the cost of an actual security breach.

As Mr. Herley suggests, the answers to this question are difficult, because of "externalities" -- economic costs that are visited on some people by the actions of others.   His solution is not simply to reject security measures, but to analyze them and determine what works and what does not, so that it is easier to determine what measures are worth users' time and what measures do not pay off.  In Mr. Herley's words, "security advice that has compelling cost-benefit trade-offs has a real chance of user adoption."  This trade-off analysis is a worthy exercise for any individual and for any organization.

Incident of the Week: Free iPhone Password Breaker Released

Back in October you may remember our post on Elcomsoft, a Russian software company that came out with a program to decrypt common wireless network signals.  Well, they're back this week with a program that will "enable[ ] forensic access" to password-protected backups for Apple iPhone and iPod touch devices.  In other words, if someone obtains access to the computer you use to sync your iPhone, they could also get access to "backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache."  And while the program is in beta testing, Elcomsoft is even giving the program away for free.

The program apparently uses the computing power of the latest generation of video cards to perform a dictionary or "wordlist-based attack" to recover the password needed to unlock the backup files.  This means that if your password can be found in a dictionary or a hacker's wordlist, there is a program out there that will unlock it.  With technology like this out there to decode commercially available encryption schemes, the best protection we may have is to select a password sufficiently complex to defeat wordlist-based attacks (and not to use the same password for all your online activities, which Twitter's recent incident and Trusteer's recent survey (.pdf) have suggested are rampant problems).

Is Your Password Still "123456"? If So, It's Time for a Change

If you or your co-workers use any of the passwords listed below, you are asking to be hacked.  According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking sites.  Somewhat shockingly, the password "123456" was used by nearly 1% of all RockYou users; the "top 20" RockYou passwords are reproduced below:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
11. Nicole
12. Daniel
13. babygirl
14. monkey
15. Jessica
16. Lovely
17. michael
18. Ashley
19. 654321
20. Qwerty

Hackers around the world now have this list of 32 million passwords and are using it to make brute-force attacks on accounts and networks.  How can you defend yourself?  Change and toughen your passwords, lengthening them and adding a mix of letters and numbers.  If you are trying to defend your company's network, you need to adopt and enforce more rigorous password policies.  Tougher passwords will not make you or your networks hack-proof, but they will put you ahead of the thousands of people who still use "123456."
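As an added illustration (not code from the original post or from Imperva), here is a small Python policy check that turns the advice in this post and in the earlier iPhone backup post into something a company could actually enforce: reject the leaked top-20 list reproduced above (case-insensitively, including variants with digits tacked on), require length, and require a mix of letters and numbers.  The 12-character minimum is an assumed policy value; the post only says to lengthen passwords.

```python
import re

# The "top 20" RockYou passwords as reproduced in the post above.
ROCKYOU_TOP20 = [
    "123456", "12345", "123456789", "Password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
    "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
    "654321", "Qwerty",
]
# Compare case-insensitively: "PASSWORD" is no safer than "Password".
BLOCKLIST = {p.lower() for p in ROCKYOU_TOP20}

MIN_LENGTH = 12  # assumed policy value, not a number from the post


def check_password(candidate):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in the leaked RockYou top-20 list")
    # Catch the usual "fix" of appending digits or symbols to a leaked word,
    # e.g. "Qwerty2010!" still reduces to a blocklisted base word.
    base = re.sub(r"[^a-z]", "", lowered)
    if base and base != lowered and base in BLOCKLIST:
        problems.append("is a leaked password with digits or symbols added")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"[0-9]", candidate):
        problems.append("does not mix letters and numbers")
    return problems


def audit(passwords):
    """Count how many of a set of passwords sit in the leaked list, the way the
    Imperva analysis measured the share of RockYou users choosing "123456".
    Returns (hits, total)."""
    hits = sum(1 for p in passwords if p.lower() in BLOCKLIST)
    return hits, len(passwords)


if __name__ == "__main__":
    # Constructed sample of user choices, not real credentials.
    sample = ["123456", "hunter2", "Password", "iloveYOU", "longpassphrase9"]
    print("blocklisted: %d of %d" % audit(sample))
    for pw in sample + ["Qwerty2010!", "correct-horse-battery-42"]:
        print(pw, "->", check_password(pw) or "OK")
```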

Incident of the Week: Russian Company Proves That WiFi/Wireless Networks No Longer Secure

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia.  This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms.  British security consultancy Global Secure Systems says that this is "extremely worrying" and has indicated that this means that WiFi networks are no longer secure.

Decrypting wireless traffic by guessing the encryption key, a "brute force" decryption, has been a possibility for some time; however, the computing power of most personal computers has prevented this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly).  New leaps in computing power have changed this landscape.  Computer graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on the high-powered parallel processors used in consumer graphics cards.  The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop).  As a result, our use of wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily.

David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has "a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months."  In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act.  Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm-Leach-Bliley Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat.  Businesses transferring regulated information on WiFi networks may need to adjust their information security programs and practices accordingly.


Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting with A and B, raising the fear that many more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses").

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller phishing attacks, or some type of malware?  Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.
