Tag Archive for Password

I Think Therefore I Login

Forgetting a password could become a thing of the past, according to the ZDNet article Brainwaves as Passwords; Secure and Near-Reality. John Fontana at Identity Matters says the technology to do so could be here as early as June 2013. Interaxon, which develops thought-controlled computing, is releasing the Muse headband sensor device, which is designed to use brainwaves to log in.

Brainwave sensors

The slim plastic Muse headband fits against a person’s forehead and slips over the ears. The band houses four brainwave sensors. There are no authentication applications that work with Interaxon’s Muse headband yet. The article notes that the company has a software developer’s kit (SDK) for anyone who wants to build one. However, company CEO Ariel Garten says such an app is reasonable and possible.

“The user could create a specific brainwave signature or a password they would never have to say out loud or type into a computer,” said Ms. Garten, who spoke at the Blur Conference in Broomfield, CO. According to Mr. Fontana, the CEO demonstrated thought-controlled applications and the Muse headband.

Brainwave login passwords

While brainwave passwords might conjure up thoughts of being snatched off the street and having your brain drained, Ms. Garten said the technology isn’t mind reading. “People might think the government can read their PIN number, but we can’t read your thoughts or images in your head.” Muse, which talks to devices via Bluetooth, is an electroencephalograph (EEG) that records brainwaves and reads the brain’s overall pattern of activity to detect certain states such as relaxed or alert, the article explains.

The brainwaves are turned into binary data, and the translated waves are used to control anything electric. Users can learn to manipulate brainwave patterns, like flexing muscles. “This builds your brain like doing bench press reps in the gym,” Ms. Garten claims.

Applications that run on smartphones, tablets, or laptops can be controlled with the mind, according to the article. Ms. Garten believes the technology is set to take off; the article quotes her: “In 25 years, interacting with technology using your mind will be as ubiquitous as a gesture is today.”

rb-

This seems like a cool idea, maybe Sony or Nintendo will take it over. This is not a panacea for passwords.

In my limited real-world experience with biometrics in the enterprise (a ThinkPad T61p laptop), it worked adequately for local machine access, but what about when you have to scale this to tens of thousands of users? Just imagine the HR issues involved in obtaining employees’ fingerprints or, as the article suggests, brainwaves.

In my environment, where I think biometrics makes sense, there is all the political baggage that comes with biometrics and children, and the anti-education, anti-efficiency, and religious groups. I wrote here about a Texas school district facing the wrath of these groups over RFID cards, not even biometrics.

Then there are the technical issues with any password system, whether the password is a character string or a biometric. The hashed password or brainwave signature needs to be stored somewhere in binary form. If your AD is compromised, you still have a problem.

swilson, one of the commenters at ZDNet, wrote: “All biometrics are the same! It doesn’t matter what trait they come up with, the same core biometric challenges remain.” The challenges he sees are:

  1. How to stop replay attacks?
  2. How to secure centrally stored templates that are needed to support ‘federated’ biometric access control from multiple points?
  3. What is the real-world sensitivity/specificity trade-off i.e. quantified False Positive and False Negative Error Rates? Knowing a bit about brain physiology, I am very skeptical that anyone can measure a highly distinctive brain wave with better than 90-95% accuracy.
  4. Most basic problem: revokeability. What’s to be done in the event of a compromise, when you cannot cancel and reissue a brain wave, or fingerprint, or iris, or genome?”

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Students – Insider Threat At K12 Schools

I have spoken to several tech people outside of K-12 lately. When the topic of information security comes around, they talk about how much they are focusing on the “growing insider threat” their employers face. I always smile, because those of us in K12 have always faced a hostile internal threat: students. Here are a couple of examples of how students can be an insider threat at school.

KUSA reports that administrators at Colorado’s Jefferson County K12 Schools are investigating reports that student hackers got into Golden High School’s computer system and changed grades. Investigators are looking into whether students inside the school hacked the campus portal system. A student said, “People started giving themselves A’s.”

Golden High School students told the media that the hackers changed the grades for themselves and others just before winter break and the end of the first semester.

Administrators do not even know how many grades were changed. It could be as low as 15 students or as high as 200. The district will not say if any students were caught or how many are suspected of hacking into the system.

Jefferson County Schools Superintendent Cindy Stevenson told local TV her staff is working hard to find out how it happened. When they do, she says, security will be improved.

Berkeley High School

Prestigious Berkeley High School in Berkeley, CA succumbed to the student insider threat. The media reports nearly three dozen students were suspended and face expulsion for hacking into the K12 school’s attendance system, an act that could lead to criminal prosecution, according to SFGate. At least four students used an administrator’s stolen password to clear tardies and unexcused absences from the permanent records of 50 students, offering the service or the password for a price, Principal Pasquale Scuderi said.

The hackers erased from the system hundreds of cut classes and tardies from October through December, and charged classmates $2 to $20 for the illicit help, Scuderi told SFGate.

Orange County K12 schools

The student insider threat struck K12 schools in Orange County, California. Omar Khan, a former student of Tesoro High School, pleaded guilty to charges of having installed spyware on his high school’s computers and having used the collected passwords to get access to the grading system and change his grades, according to CSO Online.

Khan and another student, Tanvir Singh, were arrested for breaking into the school’s assistant principal’s office at night. Khan’s goal was to destroy the evidence that he had cheated on a statistics test by stealing the test.

Khan, who had faced a maximum of 38 years in prison on the felony burglary and public-record tampering charges, is expected to be sentenced to 30 days in jail and 500 hours of community service, and ordered to pay about $15,000 in restitution.

The article says Khan admitted he was guilty of breaking into school offices, installing spyware on computers, and then using the passwords to change some of his grades and those of 12 other students.

He also acknowledged that he changed his transcript grades to appeal rejection letters from the University of Southern California, the University of California, Berkeley, and the University of California, Los Angeles.

Nevada salutatorian

PC World reports that Tyler Coyner, Pahrump Valley High School’s 2010 salutatorian with a 4.54 grade point average, was arrested in Pahrump, Nevada, as the ringleader of a group of 13 students who have been charged with conspiracy, theft, and computer intrusion. The article states that Coyner somehow obtained a password to the school’s grade system and, over the course of two semesters, offered to change grades in return for cash payments.

According to PC World, ten juveniles have also been arrested for having profited from Coyner’s offer to bump up their grades. It turns out that Coyner, somewhat foolishly, chose to make himself the one who profited most from his scheme. In fact, the 4.54 grade point average that made him the school’s salutatorian was the result of his own grade manipulation.

rb-

Looks like Coyner has gotten a head start on his dream of becoming a Wall Street hedge fund trader by facing criminal charges as a student insider threat at school.

Mommy Hacker

Time Magazine reports that a Pennsylvania woman faces six felony charges for hacking the computer system at her kids’ schools. Catherine Venusto, 45, hacked into the Northwestern Lehigh School District computer system and altered the grades of her two children, ABC News reports. Venusto had worked at the district as an administrative office secretary from 2008 through April 2011. A year before she quit, Venusto, of New Tripoli, PA, had been accused of being a hacker. She reportedly changed her daughter’s failing grade to a medical exception. And in February 2012, she was accused of changing her son’s 98 to a 99.

Third-degree felonies

Ms. Venusto was arraigned on three counts of unlawful use of a computer. She was also charged with three counts of computer trespassing and altering data. All six of those charges are third-degree felonies. Pennsylvania State Police say Venusto admitted changing the grades, saying she thought her actions were unethical but not illegal.

When ABCNews.com attempted to contact Ms. Venusto at her current job as an event coordinator at Lehigh University, a school employee said her employment ended Wednesday. Venusto’s lawyer, Thomas Carroll, declined to comment.

“I’m concerned on numerous levels,” said Jennifer Holman, Northwestern Lehigh School District’s assistant superintendent. “When we say systems, there were three different systems violated … There were 10 different users that at some point had their email violated.”

PA State police investigate the hacker

Ms. Holman told ABCNews.com that she first realized something was wrong when a teacher asked why superintendent Mary Ann Wright was in that teacher’s online grade book. Once Wright explained she had never been in the grade book, the investigation began. Administrators and state police looked for whoever had used Wright’s username and password without permission.

PA State Police discovered Venusto used Wright’s credentials 110 times to access the district’s online grading system, according to the District Attorney’s office. Venusto also allegedly accessed nine other faculty members’ email accounts without permission. She also accessed the human resources “H-drive” to view “thousands of files associated with district policy, contract information, employee reports, and personnel issues.”

Superintendent Wright released a statement in anticipation of Venusto’s arraignment.

“We deeply regret this incident and that this unauthorized access occurred, and we sincerely regret any inconvenience this may cause,” Wright wrote. “We are doing everything we can to prevent this from happening again, and new security procedures are in place to better assure that our systems are protected from such attempts.”

The court set bail at $30,000. Venusto will not have to pay the bail unless she fails to appear in court for her preliminary hearing. Venusto could face a maximum of 42 years in prison or a $90,000 fine, according to District Attorney’s office spokeswoman Debbie Garlicki, who said the maximum penalty on each count is seven years or a $15,000 fine.

rb-

The mommy hacker’s defense is “I thought it was immoral but not illegal.” I will mention in passing the declining parenting standards, which are creating a narcissistic and self-absorbed generation with no sense of what is right and wrong.

The administration and the IT department both bear the blame for this intrusion. Some easy-to-implement best practices could have shut the mommy hacker down sooner. They should have required regular password changes. They could have broken the bank and installed an intrusion prevention system.

Those of us who work in K-12 understand that security is only important after an incident.

Are You on the Pwnedlist?

Pwnedlist.com will tell you if your email has been compromised. The site checks emails against a collection of nearly 5 million possibly compromised accounts. Brian Krebs at Krebs on Security reports that a user can enter a username or email address into Pwnedlist.com’s search box, and it will check to see if the information was found in any suspicious public data dumps.

Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint, created Pwnedlist.com. Mr. Puzic said, “… I could create a site that would help the everyday user find if they were compromised.”

Pwnedlist.com currently allows users to search through nearly five million emails and usernames found online at sites like Pastebin. The site also often receives large caches of account data that people directly submit to its database. Mr. Puzic told Krebs on Security it is growing at a rate of about 40,000 new compromised accounts each week.

The researcher said information contained in these data donations often makes it simple to learn which organization lost the information. “Usually, somewhere in the dump files there’s a readme.txt file or there’s some type of header made by a hacker who caused the breach, and there’s an advertisement about who did the hack and which company was compromised,” Mr. Puzic said in the article. “Other times it’s really obvious because all the emails come from the same domain.”

DVLabs’ Puzic said in the article that Pwnedlist.com doesn’t store the username, email address, and password data itself; instead, it records a cryptographic hash of the information and then discards the plaintext data. According to the blog, a “hit” on any searched email or username only produces a binary “yes” or “no” answer about whether any hashes matching that data were found. It won’t return the associated password, nor does it offer any clues about where the data was leaked from.
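As an added example (not Pwnedlist’s own code), here is the shape of a lookup service that behaves as the article describes: it ingests a dump, keeps only hashes of the identifiers and passwords, records nothing about where the data came from, and answers a bare yes or no. The dump text, accounts and server key are constructed for the demonstration; keying the hash with HMAC is this example’s design choice, because an unkeyed hash of an email address can be confirmed offline by anyone who guesses the address.

```python
import hashlib
import hmac

# Constructed server-side secret. A plain SHA-256 of an email address is cheap
# to guess-and-confirm; keying the hash (HMAC) means a stolen copy of the index
# is useless without the key.
INDEX_KEY = b"constructed-demo-key-rotate-in-production"

# Constructed dump in the shape the article describes: a header left by whoever
# posted it, then identifier:password lines.
SAMPLE_DUMP = """\
# leaked from example.com -- greetz from nobody in particular
alice@example.com:letter22
Bob.Smith:hunter2
carol@example.org:Password
"""

def normalize_identifier(identifier):
    """Emails and usernames match case-insensitively and ignore stray whitespace."""
    return identifier.strip().lower()

def fingerprint(value):
    """Keyed SHA-256 digest of a string; this is all the index ever stores."""
    return hmac.new(INDEX_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()

def parse_dump(text):
    """Yield (identifier, password) pairs, skipping headers, comments and junk lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        identifier, sep, password = line.partition(":")
        if not sep or not identifier:
            continue
        yield identifier, password

class BreachIndex:
    """Holds only fingerprints, so a lookup can return yes or no and nothing more."""

    def __init__(self):
        self._identifiers = set()
        self._passwords = set()
        self.records_ingested = 0

    def ingest(self, dump_text):
        # Plaintext lives only for the duration of this loop. No source or dump
        # name is recorded, so the index cannot say where a hit came from.
        for identifier, password in parse_dump(dump_text):
            self._identifiers.add(fingerprint(normalize_identifier(identifier)))
            self._passwords.add(fingerprint(password))  # passwords stay case-sensitive
            self.records_ingested += 1

    def is_pwned(self, identifier):
        """The binary answer the article describes: was this identifier in any dump?"""
        return fingerprint(normalize_identifier(identifier)) in self._identifiers

    def password_seen(self, password):
        """Same yes/no check for a candidate password, which is never stored."""
        return fingerprint(password) in self._passwords

    def holds_only_hashes(self):
        """Sanity check: every stored entry is a 64-hex-digit digest, never plaintext."""
        entries = self._identifiers | self._passwords
        return all(len(e) == 64 and set(e) <= set("0123456789abcdef") for e in entries)

def build_index():
    """Build the index from the constructed dump."""
    index = BreachIndex()
    index.ingest(SAMPLE_DUMP)
    return index
```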

Advice from the Pwnedlist developers

If Pwnedlist says your email or user ID is in their database, they offer the following advice:

  1. “Don’t panic! Just because your email was found in an account dump does not mean it has been compromised.
  2. Immediately change any passwords that might be associated with listed email accounts.
  3. Go through all your accounts and create new passwords for each of them, just in case. Better safe than sorry.”

The two researchers plan to publish regular updates to their Twitter account (@pwnedlist) when new data dumps are discovered. Longer-term, Mr. Puzic told Krebs that he plans a longitudinal study on password security.

rb-

I have several email addresses, professional and personal, which thankfully Pwnedlist does not have in its databases. Follow password best practices and use an 8-character or longer password with at least one letter, number, and special character. Also, change your passwords regularly.

End-user password best practices:

  1. Passwords should be something you can remember but difficult for others to guess. That means avoid information anyone can pick up from Facebook.
  2. Use at least 8 characters. Some authentication systems will ask for more, but 8 well-chosen characters is usually enough.
  3. Mix letters, numbers, uppercase, lowercase, and even symbols when possible. 1GrdDC@82 is stronger than letter22.
  4. Avoid dictionary words. Many brute force attacks are designed to guess them. “Password” is not a good password.
  5. Use a unique password for each account. Your password at work should be different from your Facebook password.
  6. Do not share your password.
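The rules above, as an added example (not from the original post) of how a checker would apply them to the post’s own sample passwords. The word list is a constructed stand-in for the dictionaries that brute-force tools load, and the leet table, rule texts and helper names are this example’s; rule 6 is behaviour and cannot be checked in code.

```python
import hashlib
import re

# Constructed stand-in for the word lists that brute-force tools load (rule 4).
COMMON_WORDS = {"password", "letter", "welcome", "qwerty", "football", "dragon"}

# Substitutions a word-list attack undoes before comparing (p@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t"})

RULES = {
    1: "contains personal information others could look up",
    2: "shorter than 8 characters",
    3: "mixes fewer than three character classes",
    4: "is a dictionary word with trivial decoration",
    5: "reuses a password already used on another account",
}

def password_digest(pw):
    """Digest used to compare against earlier passwords without keeping plaintext."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def char_classes(pw):
    """How many of lowercase, uppercase, digits and symbols the password mixes (rule 3)."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])

def dictionary_core(pw):
    """Strip leading/trailing digits and symbols, undo leet substitutions, and return
    the underlying word if it is on the list (letter22 -> letter, P@ssw0rd1 -> password)."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    core = stripped.translate(LEET).lower()
    return core if core in COMMON_WORDS else None

def check_password(pw, personal_facts=(), existing_digests=frozenset()):
    """Return the numbers of the rules (as listed above) that the password violates.

    personal_facts: strings such as a pet's name or birth year (rule 1).
    existing_digests: password_digest() values of the user's other passwords (rule 5).
    Rule 6 (do not share your password) is behaviour and cannot be checked here.
    """
    problems = []
    lowered = pw.lower()
    if any(fact and fact.lower() in lowered for fact in personal_facts):
        problems.append(1)
    if len(pw) < 8:
        problems.append(2)
    if char_classes(pw) < 3:
        problems.append(3)
    if dictionary_core(pw) is not None:
        problems.append(4)
    if password_digest(pw) in existing_digests:
        problems.append(5)
    return problems

def explain(pw, **kwargs):
    """Human-readable verdict for one password."""
    problems = check_password(pw, **kwargs)
    if not problems:
        return f"{pw!r}: passes the listed rules"
    return f"{pw!r}: " + "; ".join(RULES[n] for n in problems)
```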

The Value of Stolen Credentials

The evolution of Web 2.0 services and the parallel world of cybercrime is driving up the value of stolen credentials, that is, the price criminals charge each other for stolen user login information. The price of a file of user credentials, aka a ‘dump’, depends on the Internet service(s) where they can be used, Amichai Shulman, CTO of Imperva, told Help Net Security.

Imperva CTO Shulman told Help Net Security, “Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters … there are reports of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application and the popularity of the account in question.”

The value of stolen credentials

This is illustrated by the ‘going rate’ of $1.50 for a Hotmail account and $80.00-plus for a Gmail account. As a service, Hotmail has fallen out of favor, while Gmail’s all-around flexibility means it is a central service for business users, Mr. Shulman said. The result is that Gmail credentials can also give access to a range of Google cloud services, including Google Docs and AdWords accounts. Mr. Shulman explained that Google Docs can contain valuable additional information on the legitimate owner. Furthermore, an AdWords account can allow criminals to manipulate existing and trusted search engine results.

It is a similar story with Twitter accounts; the immediacy of a social networking connection adds a further dimension, Mr. Shulman said. “Twitter accounts are so valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities,” he said. This happens because users reuse passwords on other sites, some of which turn out not to have been secure.

That’s the thing: as soon as any of the sites you log in to gets compromised, the email address or username and password associated with it can be tried by the bad guy on various other services. Since most people reuse passwords, there’s a high likelihood that they will gain access to your account. From there, who knows what kind of damage they might cause. If you’re lucky, you’ll notice something’s amiss. Twitter advised that people are continuing to use the same email address and password (or a variant) on multiple sites: “We strongly suggest that you use different passwords for each service you sign up for.”

Stolen online banking credentials

In a related article, Trusteer reports that most online banking customers reuse their login credentials on non-financial websites. Trusteer found that 73% of bank customers use their banking account passwords to access much less secure websites. They also found that 47% use both their online banking user ID and password to log in elsewhere on the Internet.

Cybercriminals are exploiting the widespread reuse of online banking credentials. These criminals have devised various methods to harvest login credentials from less secure sources, such as webmail and social network websites. Once acquired, these usernames and passwords are tested on financial services sites to commit fraud.

The report’s key findings include:

  • 73% of users share the passwords which they use for online banking, with at least one nonfinancial website.
  • 47% of users share both their user ID and password with at least one nonfinancial website.
  • When a bank allows users to choose their own user ID, 65% of users share this ID with nonfinancial websites.
  • When a bank chooses the user ID for its customers, 42% use the bank-issued user ID with at least one other website.

“Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords,” said Amit Klein, CTO of Trusteer and head of the company’s research organization. “Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites.”

“If this isn’t a wake-up call to anyone with multiple IDs that use the same password, I don’t know what is. Internet users – especially those with business accounts – need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials,” Shulman told Help Net Security.