July 2011 Q&A
Introduction: Before we take questions, I want to discuss some research on passwords. Most of you have heard about the Sony hack, which resulted in the release of information of about 120,000 accounts that were stored as unencrypted plain text. Information that was found included log-in names, email addresses and, in some cases, online ID and password information. The hackers determined that many people used the same user ID and password for their online email accounts as they did for the Sony account. They hacked accounts and sent email to all those accounts that appeared to be from friends saying that the senders were vacationing in a foreign country, had been mugged and had lost all their cash and credit cards and asked that money be sent to them. They then changed the password and deleted the contacts and messages, making it impossible for users who regained their accounts to send warnings to everyone in their address books unless they had backed up the address book elsewhere.
I don't want to see a show of hands because I don't want to embarrass anyone, but how many of you use the same password on more than one account? That's dangerous because hackers who break one account will try the same user name and password on other accounts if they find any. User names and passwords are the highest targets for hackers, and if they find them they can leave your life in ruins by emptying your bank accounts, maxing out your credit cards, hacking your email accounts and impersonating you using other information they find. This is especially true when the username is your email account. They can log into your email account, find out what banks are sending you notices and attempt to log onto the bank with the same credentials.
We've been told for some time that long passwords with a mix of capital letters, lowercase letters, numbers and special characters are the hardest to crack, but they're also the hardest to remember, so people don't tend to use them on their accounts. But it turns out that the usual rules aren't necessarily true.
Steve Gibson, a computer security expert, posted these two passwords at https://www.grc.com/Haystack.htm and asked which is more secure:
It turns out that the first one - with a capital D, a zero rather than a capital "o" and the 21 periods - is the hardest to crack and the easiest to remember.
The concept behind this is that cryptographers generally have the full text of the message they're trying to crack so they can search for characters to represent the most commonly used letters and use other techniques to slowly work toward reading the entire message. But passwords are a simple yes/no. Someone trying to guess a password has no idea how long it is, what characters you've used or any other information, so the first approach is to check commonly used passwords or run every word in the dictionary. Before computers, such searches might take months or longer, but now computers can try passwords 24 hours a day - unless a business has put some limits on the number of attempts allowed before an account is blocked to everyone.
Michael Shalkey: The only way to guess a password is to get it all at once. What you see in TV shows and movies, where one character at a time pops up on the screen, just doesn't happen. "That's just fiction."
Toby Scott: All the hacker knows is that he got it right or he did not. He does not know if he got any part of it correct. The best password is a line from a third-grade play you were in or some similar phrase that you will remember but that no one else is likely to relate to you. Mixing in a couple of special characters, including spaces, numbers and capital and lowercase letters makes it even harder to crack. For instance a well-known line from "Hamlet" could become "To be or not 2 b."
Studies of the 120,000 hacked Sony passwords showed that only 2 percent of computer users have a special character in their passwords, so putting even one in makes the password more difficult to crack - and using unusual characters (e.g., <, >, /) adds to the difficulty. You could probably have a relatively short password with a special character that would be almost impossible to hack because most hackers aren't testing special characters because so few people use them. Some passwords that use such mixes are so commonly used they're easily found. Samples include the number of the Starship Enterprise and thx1138, a George Lucas film.
All of this is defeated, however, if you use the same password on several accounts, although variations can work. The "Hamlet" phrase could be used on several accounts by adding something unique to the site: FB for Facebook, B for your bank and so on. Adding the date you set the password can work but becomes more and more difficult to remember as you keep creating passwords.
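As an added example (not code from the talk or from GRC), here is a small Python calculator for the "haystack" search space the discussion above describes: an attacker who only gets a yes/no answer has to cover every string of every length up to the password's length over whatever alphabet the password uses. The sample passwords and the three guess rates are constructed for illustration.

```python
import string

# Character classes with the alphabet sizes the Haystack page assigns them.
# (33 symbols = the 32 ASCII punctuation characters plus the space.)
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

# Guess rates in guesses per second. Assumed figures for illustration: an
# online attacker throttled by the site, an offline attack on a fast hash,
# and a large cracking array.
RATES = {
    "online": 1_000,
    "offline": 100_000_000_000,
    "array": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Alphabet the attacker must assume: the sum of every class that appears."""
    return sum(weight for members, weight in CLASSES
               if any(ch in members for ch in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search must cover: every string of length
    1 through len(password) over the inferred alphabet."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def crack_seconds(password: str, scenario: str) -> float:
    """Worst-case seconds to exhaust the search space at the given guess rate."""
    return search_space(password) / RATES[scenario]


def compare(a: str, b: str, scenario: str = "offline") -> float:
    """How many times longer an exhaustive search of `a` takes than of `b`."""
    return crack_seconds(a, scenario) / crack_seconds(b, scenario)


if __name__ == "__main__":
    # Constructed samples in the style the talk describes: a short word with a
    # capital and a digit padded out with 21 periods, versus a short password
    # that mixes all four classes but stays at 8 characters.
    padded = "T0p" + "." * 21
    short_mixed = "Pr7!x(Qz"
    for pw in (padded, short_mixed):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3e}, "
              f"offline worst case {crack_seconds(pw, 'offline'):.3e} s")
    print(f"padded takes {compare(padded, short_mixed):.3e}x longer")
```

The figure is an upper bound for a blind exhaustive search only; cracking tools also try dictionary words and repeated-character padding as patterns, so the protection comes from the seed phrase and padding being unique to you, not from the raw count.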
Q: Schwab gives a person three chances to get the right password. After that, you're locked out. Wouldn't it help if all businesses and sites did that?
A: Michael Shalkey: Some are setting policies that extend the time you must wait between tries. Again, the key is not to use a password for more than one site.
Q: How do hackers get into Sony's files with the passwords?
A: Remember that Sony staff members have to have access to the information, so if a hacker can gain one person's log-in name and password he has access, too.
Q: AT&T gives its employees a fob that we must use to log in, and the number changes every 30 seconds or so. We also have to use our own PIN.
A: Those have been cracked (see http://bit.ly/k0GDtC).
Q: What about keystroke loggers?
A: They probably would not be an issue at Sony but they're a good reason to use a software password program for sites you visit. The Freeware Flash drive has KeePass, which works quite well. You store the password in the program and when you need it you press a hotkey. All the keylogger sees is the hotkey.
Q: If I copy and paste the user ID and password can they be captured by keystroke loggers?
A: No. That's a safe approach. It's easier with a password program, though.
Q: If your email program automatically logs you in, is it safe from keystroke loggers?
The Top 500 Worst Passwords of All Time list can be found at http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time. The top two are 123456 and password. The list contains several words generally considered offensive so be warned before you check it.
VPN (Virtual Private Network)
Q: Can you discuss using a Virtual Private Network (VPN)? I found software to create one and I've used it successfully at WiFi sites.
A: Michael Shalkey: If you were here for the Social Media SIG, you saw us using a VPN to get to Facebook. We were using TeamViewer, which is free (http://www.teamviewer.com).
Toby Scott: That was a little different than what he's talking about. You were connecting to a different computer to bypass the firewall at the Boys & Girls Club. He's talking about going to another server so he can't be seen by others. It's an encrypted path between you and the server and people who are listening in can't get any of your information or see the screen you're seeing. Data has been massaged in such a way that it can't be intercepted. The server sends you the key to use and asks your computer for a response key that was placed on your computer when you established the account. The cryptographic code shifts every 30 seconds or so. People trying to see what you're sending see only garble. Your computer downloads the information, but it's encrypted while being downloaded.
Blocking children from websites
Q: How can I prevent children using my computer from going to specific sites?
A: Use OpenDNS (opendns.com), which is free. If you have kids who are smart enough to change it, they can get around it, but you can find out if they do. If they undo it, they'll probably forget to change it back or will forget your password so they can't change it back. You just want to know if they're doing it.
Michael Shalkey: One client I know in Leisure Village with an older computer kept a floppy disk in the drive when the kids used it. Many of them aren't familiar with floppies and don't understand why the computer won't boot. (This solution requires setting the CMOS so it first tries to boot from a floppy drive.)
Q: What about proxy servers?
Toby Scott: Proxy servers don't protect you from intercepts because the information is transmitted unencrypted. Big users of proxy servers are people who aren't supposed to go to certain sites so they go to the proxy server and go to the site from there. Dissidents in many countries use them, as do hackers. They have both legitimate and illegitimate uses.
Q: How do you create groups in Gmail?
A: (From Michael and Toby) If you don't already have all the email addresses, you'll need a CSV (comma separated values) list of them. Users of Outlook Express can export the list as a CSV file. If you have a list of addresses, just put a comma after each one (data containing commas can sometimes work if you put the field in quotes, but as commas aren't legal in email addresses, this will work here). Then import the list to your contacts. At Gmail, go to Mail > Contacts > More Actions > Import. To create a group if you have all the contacts, open the contacts and use Groups to add the names individually. You will be asked to provide a name for the group.
Q: How can I share Outlook calendars in a company?
A: It's easiest if you're running Microsoft Exchange Server and much more complicated if you're not. You need a common account, not used for email but that will take the calendars. There are many third-party programs that will allow it, but I don't know of any free ones.