how to keep passwords secret

news

… on user’s seasonal sensibilities in order to propagate itself.

The Sophos charts do show that script viruses are the most malignant: accounting for only 6% of viruses but a massive one in three infections.

2000 also saw some hit and miss virus-related prosecutions: the author of Melissa is still awaiting a resolution in his case, despite having pleaded guilty, while the writer of the Love Bug has walked free in the Philippines, due to the lack of legislation in his country.

W2K Prolin worm recommends Linux

An Outlook worm, Prolin, carries a payload which moves files and changes their names by adding the string, “change at least now to LINUX”. It masquerades as a Shockwave Flash movie called CREATIVE.EXE.

Prolin runs best on the Windows 2000 operating system, where MSVBVM60.DLL is switched on as a default. It can run in 95/98 if this file (a Visual Basic 6.0 run-time library) is manually switched on.

The worm’s payload is to move all ZIP, MP3 and JPG files which are stored on the hard drive to C:\, and to append the string to their filenames.

Kaspersky Labs has classified it as medium risk because it makes no irreversible changes to files.

However, sometimes the files can be lost — through lack of hard disk space or by exceeding the number of files allowed in the C:\ directory, for example — so if encountered it is best to treat this worm with caution.

Prolin hails from Poland. Its author goes by the handle of ‘the penguin’.

Users taught facts of life online

Safe computing seems to have become the new safe sex. Groups including security firms, anti-virus vendors and governments are promoting protection through education and the use of common sense.

Such tactics are spelled out in a guide from F-Secure aimed at PC users. F-Secure’s research and development labs have recently discovered many new viruses, particularly worms.

There has also been a spate of attacks involving worms such as Navidad and Hybris which propagate themselves using MS Outlook or Outlook Express. F-Secure advises users to download a security patch from Microsoft to stop this happening, and to configure Windows to always show file extensions in order to prevent corrupted programs from pretending to be innocent file-types.

Other advice was to avoid:

• Attachments with double file-types (FILE.TXT.EXE)

• VBS, SHS or PIF files, as there is rarely a legitimate reason for sending such files as attachments

• Unsolicited E-mail with Web links or attachments

• Attachments with sexual names (PORN.PIF)

• Downloading anything from strangers in a chat-room or on public newsgroups

It is to be hoped that F-Secure’s common sense advice will be heeded and that users will become aware of some of the common tricks that virus writers use to sucker people into allowing the propagation of malicious code.

See www.f-secure.com.

How to keep passwords secret

A recent report from Signify spells out the five main methods used to crack traditional password authentication.

The problem with passwords, it seems, is that authenticating solely by ‘something you know’ is flawed because if you know it, then others may be able to find it out.

The top five malicious means, according to Signify’s guide, “Cracking the password problem”, are:

1. Shoulder snooping — Modern manners dictate that colleagues should look away when login is occurring. Airbus has gone as far as to ban its executives from working on projects while travelling by air, after one manager admitted to being able to snoop on sensitive information on the laptop of someone sitting next to him!

2. Guessing — Human nature is to pick a password which is easy to remember — often this is also easy to guess. Also, tools called dictionaries can be used to try all common passwords. Dictionary search attacks can be combated by forcing users to select alphanumeric passwords.

3. Cracking — Even if your password policy is well administered, a network sniffing tool such as L0phtCrack is still likely to break about 90% of passwords. Network managers should use these tools to audit their systems — and use the results to persuade management to invest in strong two-factor authentication.

4. Keyboard tapping — Again, this is achieved using a tool. PC Anywhere, NetBus and Back Orifice are popular tools for gaining remote access across a LAN or WAN. Intrusion detection coupled with anti-virus software is the best protection, says Signify.

5. Virus infection — Trojan horses are the most popular method of stealing passwords. Anti-virus software is the best line of defence.

As Signify is an authentication service provider, it is hardly surprising that they should issue such warnings. However, the points they make are valid — the information seems to be necessary to decision makers. According to a survey by consultants Barron McCann, 92% of IT managers favoured passwords as the best protection against data thieves.

Graham Welch from RSA commented, “Everyone knows internal thieves are the largest risk to any company. IT directors should take responsibility over security and implement strong protection against crooks.”

Analysts have stated that tokens and smart cards will become more common once the hardware is in place.

See www.signify.com.
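Signify's second point (dictionary attacks, and the advice to force alphanumeric passwords) is worth making concrete, because a policy that only demands letters and digits still accepts a password such as "Passw0rd1". The following is an added example, not Signify's or the article's code: a Python policy check that applies the alphanumeric rule and then undoes the common substitutions and appended digits that dictionary tools try automatically. The wordlist and the sample passwords are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed stand-in for the "dictionaries" of common passwords the article
# mentions; a real deployment would load a large wordlist instead.
COMMON_WORDS = {"password", "secret", "letmein", "welcome", "qwerty", "airbus"}

# Substitutions that cracking tools try automatically, so a policy check must
# undo them before comparing a candidate against the wordlist.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})


def dictionary_base(password: str) -> Optional[str]:
    """Return the common word a password is trivially derived from, else None."""
    low = password.lower()
    # Users typically bolt digits or punctuation onto the ends ("secret2001!").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    for candidate in (stripped, stripped.translate(LEET_MAP), low.translate(LEET_MAP)):
        if candidate in COMMON_WORDS:
            return candidate
    return None


def check_password(password: str, min_length: int = 8) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    # The article's alphanumeric rule: letters and digits both required.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("not alphanumeric (needs letters and digits)")
    word = dictionary_base(password)
    if word is not None:
        problems.append(f"trivial variant of dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed samples: the first two pass the alphanumeric rule on its own.
    for sample in ("Passw0rd1", "L3tme1n2001", "secret", "Tr4in-Zeppelin-77"):
        print(f"{sample:20} -> {check_password(sample) or ['ok']}")
```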

Management News

JanCFSB 1/11/01 10:17 AM Page 3