Thread: The need for security.....

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Posts
    193

    The need for security.....

    Hi everybody,

    Here is an opinion on why everybody really needs security, based on my own research. I know this has probably been debated here to death, but once in a while we guys should bring that discussion on board and should discuss it to failure. So here are some security vulnerabilities and how you can increase the chances of making yourself safe. Please do tell me how you feel.


    The Need for Security

    Objectives
    -type of information and data sought by hackers.
    -several ways that hackers can break into your system(s)
    -some basic steps to prevent them breaking in


    So why do we need all this security?

    Well, you don’t, if you don’t connect to any network and your computer is locked in the safe and you lost the keys. But that is not the case here. Your computer security is as important to you as your computer and the important data inside it. As we started to share data and information, operating systems became more complicated and added more information-sharing tools. You can pay your bills online; you can do your income tax, shop online, keep your important business transactions and so on. As you do these things, you are transferring personal information across the Internet, information that can possibly allow someone else to borrow your financial and personal secrets, or even steal your identity. So do you get the picture of what will happen if someone is getting all the information you are putting through your computer?

    Hacker’s attraction:

    What attracts a hacker? It is a question which can only be answered by a hacker. But I will try here to list some common motives.

    Passwords and Account logins: Stealing your passwords and logins is like stealing your keys. Once a hacker has your keys, they can do whatever they want inside your system. This is often just the first step in a larger plan. There are programs available on the market that you can officially buy and use to crack any account password. And yes, that includes Yahoo Messenger, AOL Messenger, MSN Messenger, ICQ accounts, AT&T NetMeeting… and so on.
    (We will talk about some safeguards later.)

    Credit Card Numbers: Everyone needs money, and these numbers are like cash to a hacker. Once you lose your credit card or become a victim of identity theft, your account can be emptied and you get to fix the damage.

    Identification Information: All of us have heard about identity theft, where someone steals not only your credit card numbers, but also your social security, driver’s license, and bank account numbers. With this information, attackers can open new bank accounts, and new loans can be received without your knowledge. Some years down the road you will end up with a lot of damage, and the hacker is gone by that time with the money.

    It is true that the risk that someone is stealing your personal information is low, but it is not a myth. The newspapers are full of these kinds of thefts, and clearly some criminals are successful for a while. If you are careful with your vitals, your risks are limited.

    Businesses and corporations face similar risks, with one significant difference: most hackers might want to hack into a large corporation because of some personal issues, or in order to get competitive information, or just to cause trouble. The list is huge, but here are some of the common information targets favored by hackers:

    Customer Information: Again, credit card numbers highly attract attackers, and customers’ buying habits are extremely valuable to competitors. Some targets can be big shopping malls and grocery stores. Hackers will also sell this data to a competitor, or embarrass the company by making this information public. Some of these companies maintain more personal information than you imagine.

    Source Code: Remember the hack of Microsoft in 2000; someone stole the whole source code of Windows 2000. So this could be a very profitable theft too: a hacker can sell that source code to a competitor for a big amount of money, or the hacker can just keep it to him/herself and design a whole new operating system to counter Microsoft’s new OS, and make a lot of money by selling that newly invented OS.

    Freebies: Hackers are looking for ways to get free Internet access. If they can hack into a company’s dial-up connection, they will use it as a free utility, and then of course they will not stop there, but all the damage done by them to others will be blamed on the company whose system was used by the hacker.

    Some basic steps to prevent them breaking in:

    1) Never open any email attachment, even if it is .PDF or .txt, because by default Windows hides the last extension of any file. For example, you get an email which says "hey, here is the e-book you requested", and you see the file name is ebook.pdf or ebook.txt. This is not true, because it can actually be ebook.pdf.exe or ebook.txt.exe: by default the exe part is hidden in Windows, and you are now opening a document which is in reality a Trojan. There are programs available over the net which can join two files together and can easily attach a Trojan to any important document or file.
    2) Always update your virus definitions, every day, because what if a virus is written tonight and then sent to you? By the very nature of antivirus, it only detects viruses which are known to it. Other than that, a newly written virus is just another program running on your machine like any other. It won’t pick it up. Always update your virus definitions every day or every other day. Some leave their updates on automatic every two weeks. This is the worst thing you can do about updates.
    3) Firewall: this is a very important tool you possess. Just installing a firewall will not ease your tension; learn how to configure it. I will cover some more points about firewalls in my next article. Most firewalls come with a basic tutorial or help documents; please read them. You will learn more than you know about your firewall now. It will help you to close open ports without getting disconnected and will increase your security.
    4) Change your passwords every day, and there is nothing wrong in writing them down on a Post-it, but then put them in some secure place like your safe. You can find password generator software on the market for free. A dictionary word, your own name, any of your friends’ names, your car license plate number, your birthday or anything related to you can be the worst choice, because a hacker will look here first. The idea of changing your password every day is based on my own research: LC4 sometimes takes a whole day to crack a password, so if you don’t change it every day and the attacker is using l0pht, you are done with your security.
    5) This may not be the scene all the time, but your hard drive could fail and all of your data would be gone. For that case, please have some backup plans. Keep your data backed up. Just in case.
    6) If you are not using some programs on your computer, please disable them or uninstall them. If you are not sharing any files, folders or printers, please disable those features.
    7) A lot of Windows NT workstations connected to a LAN are configured so that you can get in by simply typing administrator as the user and leaving the password section blank, and it will let you log in. Make sure this is not the case for you.

  2. #2
    G'day \/IP3R, you say
    Never open any email attachment, even if it is .PDF or .txt, because by default Windows hides the last extension of any file
    Can't you
    1. Open any folder and select Folder Options from the View menu (in Windows 98) or from the Tools menu (in Windows Me and later).
    2. Click the View tab.
    3. Remove the tick beside 'Hide file extensions for known file types'.
    Also
    While you're at it, in the 'Hidden files and folders' section, click 'Show hidden files and folders', then click OK.
    Wouldn't this solve the problem? If I am wrong
    feel free to correct me. cheers....TidaLphasE23............
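
Added example (not part of any post in this thread): a Python sketch of the attachment check discussed in posts #1 and #2. For each attachment it reports the real name, the name a viewer shows when the last known extension is hidden, and a verdict. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumed, non-exhaustive lists; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".txt", ".doc", ".jpg", ".zip"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def shown_when_hidden(filename):
    """Name displayed when the last extension of a known type is hidden."""
    path = PureWindowsPath(filename)
    return path.stem if path.suffix.lower() in KNOWN_EXTS else path.name


def classify(filename):
    """Return 'ok', 'executable' or 'double-extension' for one file name."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # An executable whose visible name still ends in a document extension.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        return "double-extension"
    return "executable"


def audit_message(msg):
    """List (real name, displayed name, verdict) for every attachment."""
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        report.append((name, shown_when_hidden(name), classify(name)))
    return report


def build_sample():
    """Constructed sample mail with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["Subject"] = "here is your e-book"
    msg.set_content("Constructed sample message.")
    for name in ("ebook.pdf.exe", "ebook.txt", "setup.exe", "notes.v2.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for real, shown, verdict in audit_message(build_sample()):
        print(f"{real:16} shown as {shown:12} -> {verdict}")
```

The check works on the name carried in the message, so it gives the same answer whether or not 'Hide file extensions for known file types' is ticked on the reader's machine.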

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    It is true that the risk that someone is stealing your personal information is low, but it is not a myth. The newspapers are full of these kinds of thefts, and clearly some criminals are successful for a while. If you are careful with your vitals, your risks are limited.
    ummm....the risk is certainly not low. Personal Identity theft is one of the biggest crimes going around.

    The U.S. Federal Trade Commission says that identity theft is its number one source of consumer complaints - 42 percent of all complaints, in 2001.


    "Every 79 seconds, a thief steals someone's identity, opens accounts in the victim's name and goes on a buying spree."

    -CBSnews.com, 1/25/2001

    Change your passwords every day, and there is nothing wrong in writing them down on a Post-it, but then put them in some secure place like your safe.
    I don't agree with this for a few reasons. Granted, this might just be my OCD and paranoia talking, but I think in a large corporation, changing passwords every day would be an administrative nightmare. Your best bet would be to use SecurID or one-time passwords if security is that tight. I do recommend changing passwords frequently (every 30 days or so), but every day is a bit too much, that is if you are manually changing passwords and not using some sort of token or the like.

    Writing them down.....I never write any of my passwords down...I have root access into many systems all over the world, many routers and switches and other devices as well. I remember all the passwords and IP addresses. (Writing IP addresses down is alright, but definitely not passwords.) Let's say you write the password down on a piece of paper, you tear that paper off the pad, fold it up and put it in your safe. I happen to be sitting near you and see you write the password on that pad. When you're away..I take a pencil and lightly shade the area where you wrote....you'll be able to faintly see what the password was.

    Granted..it's sort of a long and maybe even over-paranoid hypothesis, but I was thinking outside of the box
    t.e.k.n.o.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    Re: The need for security.....

    Originally posted here by \/IP3R
    Stealing your passwords and logins is like stealing your keys. Once a hacker has your keys, they can do whatever they want inside your system.
    Ignoring the fact here, that quite a lot of attacks involve bypassing these passwords.

    This is often just the first step in a larger plan.
    Well, sometimes maybe, but probably not usually.

    There are programs available on the market that you can officially buy and use to crack any account password.
    Now that's just scare-mongering. And totally untrue.

    Credit Card Numbers: Everyone needs money, and these numbers are like cash to a hacker.
    Even though you can only generally get stuff delivered to your own address these days?

    Source Code: Remember the hack of Microsoft in 2000; someone stole the whole source code of Windows 2000. So this could be a very profitable theft too: a hacker can sell that source code to a competitor for a big amount of money...
    Despite the fact that nobody would want to buy it.

    or the hacker can just keep it to him/herself and design a whole new operating system to counter Microsoft’s new OS, and make a lot of money by selling that newly invented OS.
    But if it was ever shown to be based on stolen code, selling it would be illegal.

    1) Never open any email attachment, even if it is .PDF or .txt, because by default Windows hides the last extension of any file. For example...
    How about using a sensible email client instead; examine attachments before using the default action.
    2) Always update your virus definitions, every day
    Ignoring the fact that it is feasible for a worm to spread in 15 minutes.

    4) Change your passwords every day
    Ridiculous.

    7) A lot of Windows NT workstations connected to a LAN are configured so that you can get in by simply typing administrator as the user and leaving the password section blank...
    A sensible network policy and regular vulnerability scans should detect this. If you do leave it like this, you are an idiot.

    Your essay was full of dubious assumptions, not very accurate, not very well researched, incomplete and had poor grammar.

    Slarty

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Posts
    193
    Ya, you are one of those known security experts who happen to land here on AntiOnline, lol, where else?
    Now that's just scare-mongering. And totally untrue.
    You sound like you never used JTR or l0pht; you might be a senior member here, but you are still a newbie. Now go ahead and press that neg neg. I didn't ask how my grammar was, as you are perfect. Why open your mouth if you don't know **** about cracking passwords? Tell me something, if you will: how would you locate the key of a password you are about to install from CD-ROM when you have lost the key numbers? Don't tell me you will look at Google or call tech support. How would you locate it on that very CD you are holding in your hand?

  6. #6
    Hi there. Just wanted to add a few more reasons for minding your security. This was written by some intelligent guy (yea, yea, it was me)

    in this thread here

    A lot of people claim that they have nothing worth protecting, but what about their e-mail? Sure, some people may not send their credit card codes or something like that by mail, but they may send a mail to a friend saying that they will be away for the weekend. If the wrong person reads this, he knows that the house will be empty for a few days, which will give him plenty of time to break in and steal what he wants without risking that someone walks in on him.
    Someone might keep some important files from work on his/her home PC and maybe, just maybe, that information can be sold to another company in the same line of work, causing the first company a great loss of income.
    And, let’s not forget those private pics of the little missus you took the night before...
    And one more thing. Let's not stare ourselves blind on all the fancy technical solutions. The biggest threat to your company's security is the staff of that very company. Between 70 and 80% of all security incidents are caused by the employees, may it be based on curiosity, bad intent or just plain ignorance. The best way to get around this is to educate your staff in security issues and get them to be interested in security.
    Why not hold a contest where you, as a network admin, try to crack the network passwords using some common program like John the Ripper or whatever you like? Tell the employees about this and make the first prize a bottle of whisky that goes to the person whose password takes the longest time to crack.
    Make your employees understand the great risks of low security and the great costs that may result if you ignore the dangers.
    For home users it's not all that different. Try to keep up to date with security; don't get sloppy with protecting your home system. You don't have to spend 5 hours a day reading your internet logs, just try to learn more about strange things happening on your system. I'm sure your sys admin or someone else from your work can tell you more about security if you just ask them.

    Ooh, and Slarty, if my grammar is somehow unsatisfactory it's because English isn't my native language.
    Nobody's perfect, but I'm damn close...

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Not a bad overall explanation. There can be more interpretations to this, but I think it's good to see how the mindset of one individual can perceive the possibilities and ramifications of hacking.

    Some things may have been questionable. And I am a stickler for not changing a password that often. Let's say you're the CSO and you implement a new security policy requiring users to change passwords every day. Your IT dept. would be flooded with lost passwords. But you are 100% right about LC4 by l0pht: I brute forced some passwords I thought would take a long time, and it was done in less than a day on a dual Xeon machine. My recommendation on the password issue is to require passwords at least 8 characters in length that have no form of dictionary word and that must include upper, lower and digit. If you extended this to 12 chars or random numbers and letters, LC4 would take about a year.


    Good luck with the new school.

    Oh, and once again thanks Slarty for doing his best to put down people who are trying to bring in an educated topic that the community can participate in. Oh, and you can neg me too, I'm sure I made typos.
    That which does not kill me makes me stronger -- Friedrich Nietzsche
