Friday, 2 July 2010

Tips to Secure Your Password

Salam readers...
"Oooppsssie~ I saw your password tadie jeng~ It was ****** a.k.a semua bintang 6 kali hahaha baik ko tukar password baru jeng..." - Less educated shoulder surfer
Today I would like to share tips on securing or "hardening" your password... I will also list out certain techniques of password stealing... First, you need to know what are activities to be done by the password stealer in order to steal your password... Here are some common activities done by the password stealer:
  • Shoulder Surfing - just like in the picture above, someone is watching things you do with your machine including when entering your password on your keyboard
  • Key-logger - Click here to know more about hardware keylogger and you are advised to read this article as well (only if you haven't). Keylogger basically RECORDS everything that you type on your keyboard including your password
  • Physical access to your computer's surrounding - some people will have their passwords written everywhere nearby their computers so that they don't have to memorise them. But if that password is physically accessible by other people, it would be a disaster...
  • Man-in-the middle attack - as how it sounds like, a man "sitting" in the middle to "READ" any data passed THROUGH including confidential data like passwords
  • Protocol Analyzer - Works just like Man-In-The-Middile but it is more towards an application which reads any packets of data going through a network interface and is able to "catch" any clear text including unencrypted passwords
  • Web Phishing Attack - A fake site which looks similar to the original site which requires you to type in your username and password which will then saying that your password is incorrect and redirect you to the original site where your username and password is already being sent to the fake site's owner
  • Dictionary Attack - Guessing the password with common words found in the prebuilt dictionary
  • Brute Force Attack - It will try every valid combination of words, characters, numbers and even symbols in order to create a string of text which is then to be tested whether it is valid or not. Usually it takes time but with the help of today's high-end machine, it is then another disaster
So now you already have basic ideas on how password stealers will do their mission. It is time for you to learn some tips on how to protect and secure your passwords. Some of these might be useful to you:
  • When creating password, never use a simple word which can be found in any universal dictionary such as "computer" or even "password" itself...
  • Try to put CAPITAL letters instead of making it all in small letters...
  • Use numbers as well!
  • If possible, try to use symbols as well such as !@#$%^&*()_+ dan yang sewaktu dengannya...
  • When you are going to type your password on your keyboard, try to look at your surrounding and make sure there is no one nearby...
  • Know your own machine! Always make sure that your machine is not running any malicious program in order to prevent keylogger (software type) being implemented by other people...
  • Never write your password on a post-it paper or even scrap paper and leave it insecure...
  • Know your physical network! Make sure that you are not connecting to any anonymous internet connectivity...
  • Checking email at cyber cafe is a bad, bad and baaaadddd idea... Not only email... Any activity which requires you to type in your password...
  • If you are surfing the net, make sure that you are entering the valid domain name. For example, if you want to log into you yahoo mail account, make sure you go to yahoo.com, not y4h00.com...
  • Use different password for different accounts...
  • Remember this one last important point... "Easy to remember" is also another meaning of "Easy to be guessed"...
There you go... Simple tips on how to secure and protect your password... Hopefully berguna untuk kitani semua...
If you have questions or opinions, kindly post your comments =) thank you...
Sekian, until next time~
Salam Anak IT.
How less valuable data may become a threat... In other words, cemana bulih data yang "kurang mendapat perhatian" or nya urang kitani "inda kana care" akan menjadi security threat arah kitani...
On this "lesson", I will show you how people with extra-ordinary thinking may use the "scrap" data into something useful. "Something useful" which will be demonstrated here are:
  1. Finding vulnerabilities on web application
  2. Password guessing
DISCLAIMER: Before you do or follow any activities written on this article, please note that any activity that you are going to do next is your own responsibility. This article is just for demonstration. Anak IT will not responsible for any activities that you are going to do based on this article. Do it at your own risk.
So first, we will start with "Finding vulnerabilities on web application"... The most basic step is, find out what application is being used... THEN we can easily find the vulnerabilities with the help of "GOOGLE".
For this example, I choose http://mail.gov.bn, not really a "web application" but more into "mail application" with web-based front-end... How to find what application is used?...

Next... Find any "less valuable" data... What can you find on the page itself?
  • Icon ada tangan "STOP" or our teenagers prefer calling it "talk-to-my-hand" sign hahaha
  • Panji-panji negara...
  • "User name"
  • "Password"
  • "Sign In"
Thats it?... We can't really use the listed data for something... Alright... How about, we see the page's source code? Errr... That might be helping us out... But how?
Since I use Mozilla Firefox, go to View>Page Source or simply press CTRL+U keys at a time... The following window will appear...

There are lots of "less valuable" data you could find in there especially HTML Tags... But there is something which I "think" might be used for the activity... As you can see on the image above, I highlighted the area and copy it into clipboard... Then you might guess what I would do next! Obviously...

Yuuup~ That's right~ I googled it... And as you can see, there is a word which really catched my eyes in instant... A word "domino"... But, apakan tue?... Nevermind... Just continue browsing through the page...

Ok... Another "domino" but now it is "Lotus Domino".... Lotus... Macam pernah mendangar... Oh... Now I remembered... "Lotus Symphony", an office application by IBM. But... Does it mean this "Lotus Domino" is also part of IBM's products? Maybe yes... Meybe not... So next step is to directly google "Lotus Domino"... I found out that it is also one of the IBM's products... Other than google it up, I also google for its image... Surprisingly, I encountered that there is a common about this "Lotus Domino" image that I found through Google with the demonstrated page... Apanah?...

It is the icon used on the page or also known as page's "favourite icon"... From there we know that the demonstrated page uses IBM's "Lotus Domino" mail application. Good thing is now we know such application exists and might want to try it out next time...
Other than the icon, I also found the following image:

It looks way much similiar with the demonstrated page and so no doubt about application that is being used by the page...
Now we move on into how bad people uses "less valuable" data for Password Guessing...
I will use "pisbuk" profile page as an example to this demonstration...
Imagine there is this one buajah namanya "Hjh Lintuk"... Ia tedapat pisbuk... Her information is as follows:

For us, we might just think that the information listed on her profile page is just an ordinary info and so we DON'T CARE... But bear in mind that for bad people, it is TOO VALUABLE for them to trigger an activity...
As you can see from the information given on her profile page, it is easy for the bad people to guess her passsword... IF I am the bad people, here is the list of possible passwords I might guess:
  • lintuk107
  • lkuncang
  • 1071962
  • neverold
  • imyouth
  • 987654
  • 00987654
  • l987654k
  • babylintuk
  • babylintuk107
  • 107babylintuk
  • baby107lintuk
  • nyubarang
  • sgnyubarang
  • dan yang sewaktu dengannya...
Can you imagine if one of the passwords listed is actually her valid password?... =) sama-sama tane fikirkan...
So I guess that is it for today, semoga dapat pengajaran bersama serta dapat menimbulkan rasa "alert" dikalangan kitani...
Sekian, wabillahittaufiq walhidayah, wassalam...