Archive for the ‘Passwords’ Category

A home router or wireless access point can add a layer of protection to your computer. But if you haven’t changed the default administrator password on it, the router can become the weak point. Hackers have recently developed tricks to attack your router automatically, just because your browser loaded a malicious page. It might not even be the site you meant to visit: the attack can be carried in one of the ads on the page.

In this attack, the malicious page contains small bits of script that make your browser try to log in to the router using the default password. The default password is the one the manufacturer set before the router shipped. It’s usually something like “admin”, “password”, “1234” or sometimes blank, and it is printed in the user manual (which is also available online). An online search for “default password list” turned up over 60,000 sites sharing this information, most of them hacker sites.

In a variation, some local hackers will try the same default password against your wireless router as they drive through your neighborhood.

Once the script has logged in to the router, it changes the router’s configuration. It may open a port so the hacker can come back later and attack the computers behind the router through it. The more common attack is to change the router’s DNS settings so that it gives your computer false directions: when you type in your bank’s web address, the compromised router sends your request to a fraudulent site designed to look and feel like your bank’s website. Read this CSOonline article for more.

If you haven’t changed the default password, do it today! Follow the router manufacturer’s instructions to change the password. Make sure you pick a strong password when you change it.

In the time it takes you to read this entry, two hackers will try to get into your computer.

The Hollywood stereotype of a hacker is a technically savvy individual trying to get into a specific target computer – the spy breaching a military computer, the disgruntled employee vandalizing his former employer’s systems or the kid cracking a university system for bragging rights. In fact, most attacks today are automated: simple scripts that try common usernames and passwords against vast numbers of computers chosen more or less at random.

According to a University of Maryland study, computers connected to the internet are attacked on average 2,244 times a day. That’s an attack every 39 seconds.

Researchers in this study set up four computers with weak security and internet access, then recorded what happened as each machine was attacked. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords trying to break into a computer.

The most commonly guessed usernames were root, admin, test, guest, info, adm, mysql, user, administrator and oracle. The most common password-guessing technique was to use variations of the username: about 43 percent of all attempts simply re-entered the username, and the username followed by 123 was the second most-tried choice. Other common passwords included blank (that is, no password at all), 123456, password, passwd, 123, test, asdf, qwerty and variations on the date (such as January07).
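The pattern the researchers recorded is easy to spot in your own logs. The following is an added example, not code from the original post or from the Maryland study: it parses a handful of constructed sshd log lines (made up for this example, using documentation IP ranges), counts failed logins per source address, checks the usernames tried against the study’s top-ten list, and flags the worst case, a successful login from an address that had just been running a dictionary attack. The threshold of five failures is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (not real data): a dictionary script
# from 203.0.113.5 cycling through usernames from the study, one mistyped
# login from a legitimate user, and a later successful login from the
# scanning host, which is the case you most want to see.
SAMPLE_LOG = """\
Jan  7 03:14:01 web1 sshd[4102]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan  7 03:14:03 web1 sshd[4104]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan  7 03:14:05 web1 sshd[4106]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Jan  7 03:14:07 web1 sshd[4108]: Failed password for invalid user guest from 203.0.113.5 port 51240 ssh2
Jan  7 03:14:09 web1 sshd[4110]: Failed password for invalid user oracle from 203.0.113.5 port 51242 ssh2
Jan  7 03:14:11 web1 sshd[4112]: Failed password for invalid user mysql from 203.0.113.5 port 51244 ssh2
Jan  7 03:15:30 web1 sshd[4120]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan  7 03:15:41 web1 sshd[4122]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jan  7 03:16:02 web1 sshd[4130]: Accepted password for root from 203.0.113.5 port 51250 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted password for [invalid user] X from IP" line.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# The ten usernames the study reported as most commonly guessed.
STUDY_USERNAMES = {"root", "admin", "test", "guest", "info", "adm",
                   "mysql", "user", "administrator", "oracle"}


def parse(log_text):
    """Yield (result, user, ip) for every login line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyze(log_text, failure_threshold=5):
    """Aggregate login attempts per source IP and flag dictionary attacks.

    An address is called a dictionary attack when it has at least
    failure_threshold failures spread over at least three usernames
    (a legitimate user mistyping one password does not look like that).
    """
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for result, user, ip in parse(log_text):
        entry = per_ip[ip]
        if result == "Failed":
            entry["failed"] += 1
            entry["users"].add(user)
        else:
            entry["accepted"].append(user)

    findings = {}
    for ip, e in per_ip.items():
        is_dict = e["failed"] >= failure_threshold and len(e["users"]) >= 3
        findings[ip] = {
            "dictionary_attack": is_dict,
            "failed": e["failed"],
            "distinct_users": len(e["users"]),
            # how many of the usernames tried are on the study's top-ten list
            "study_username_hits": len(e["users"] & STUDY_USERNAMES),
            # a success from a scanning host means a guess worked: investigate now
            "success_after_attack": is_dict and bool(e["accepted"]),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

On a real system you would feed this the output of your auth log rather than the constructed sample, and act on `success_after_attack` first: that host has already been broken into.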

Once hackers gain access to a computer, they set up back doors so they can easily regain access later and turn the machine into part of their botnet, which they then use directly or lease to other hackers to send out spam, attack yet more computers, run distributed denial of service attacks, etc.

Never use the kinds of usernames and passwords identified in this research. If your computer came with a default administrator or guest account, change the account name immediately.

Always choose longer, less obvious passwords with combinations of upper and lowercase letters and numbers that are not easy targets for dictionary attacks. If your system can handle it, whole sentences make very strong passwords that are still easy to remember and to type.

Resolve to pick stronger passwords for the New Year.

A surprising number of people still think that January07 is a good password. Admittedly, it does pass the Microsoft password-complexity rules: it has an upper-case letter, several lower-case letters and two numbers. The problem is that it’s an English word with the capital letter at the front and the numbers at the end. English speakers have a natural tendency to follow this pattern. We know it, and the hackers know it too; cracking tools try exactly these variations first. That password can be cracked in under 30 seconds.
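Complexity rules of the “one capital, some digits” kind cannot tell January07 from a good password, but a checker that knows the patterns above can. The following is an added example, not code from the original post: it rejects the choices the Maryland study found (the username itself, the username with digits appended, a short list of common passwords) and the capitalised-word-plus-digits and month-plus-year shapes, while letting a sentence through. The common-password list and the 12-character minimum are small, arbitrary choices for this example; a real policy would load a much larger list.

```python
import re

# Constructed short list of the weak passwords mentioned in these posts.
# A real deployment would load a list of millions of breached passwords.
COMMON_PASSWORDS = {"", "123456", "password", "passwd", "123", "test",
                    "asdf", "qwerty", "admin", "1234"}

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# One capital letter, lower-case word, digits at the end: the January07 shape.
WORD_THEN_DIGITS = re.compile(r"^[A-Z][a-z]{2,}\d{1,4}$")
MONTH_THEN_DIGITS = re.compile(r"^(" + "|".join(MONTHS) + r")\d{0,4}$")


def weaknesses(password, username=""):
    """Return the list of reasons a password is weak; an empty list means it passed."""
    reasons = []
    lower = password.lower()
    user = username.lower()

    if lower in COMMON_PASSWORDS:
        reasons.append("common password")

    if user:
        if lower == user:
            reasons.append("password equals username")
        elif re.fullmatch(re.escape(user) + r"\d{1,4}", lower):
            reasons.append("username followed by digits")
        elif len(user) >= 3 and user in lower:
            reasons.append("contains username")

    if WORD_THEN_DIGITS.match(password):
        reasons.append("capitalised word with digits appended")
    if MONTH_THEN_DIGITS.match(lower):
        reasons.append("month name, with or without a year")

    # A sentence (contains spaces) is accepted on length grounds; anything
    # else must be at least 12 characters (arbitrary minimum for the example).
    if " " not in password.strip() and len(password) < 12:
        reasons.append("shorter than 12 characters and not a passphrase")

    return reasons


def is_acceptable(password, username=""):
    return not weaknesses(password, username)


if __name__ == "__main__":
    for pw, user in [("January07", "bob"), ("admin123", "admin"),
                     ("qwerty", "alice"), ("One, two, buckle my shoe.", "alice")]:
        print(repr(pw), "->", weaknesses(pw, user) or "OK")
```

The check is deliberately case-insensitive for the username tests: the study's 43 percent of attempts that re-entered the username do not care about case either.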

Pick whole sentences for your password. A whole sentence (including spaces and punctuation) makes a very strong password that is easy to remember and to type. Windows accepts any key on the keyboard in your password (and some that aren’t on your keyboard) and allows it to be up to 127 characters long. You only need a 4 or 5 word sentence to make a very strong passphrase. I particularly like sentences from children’s counting books.

For systems with limits on password length or allowable characters (like mainframe accounts), you can keep your passwords in sync by using rules to transform your sentence into a shorter code. For example, you could start with the number of words in the sentence, then take the second and last letters of each word, capitalizing every third letter. As long as you follow the same rules each time, you can consistently convert your easy-to-remember passphrase into a strong, random-looking password.
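The transformation rule above, worked through in code as an added example (not part of the original post). Two details the rule leaves open are fixed here as assumptions: punctuation is ignored and apostrophes dropped, a one-letter word contributes its single letter for both the second and the last position, and “every third letter” counts only the letters, not the leading word count. The nursery-rhyme sentences are the example’s own choice.

```python
import re


def derive_code(sentence, capitalize_every=3):
    """Turn a memorable sentence into a short password.

    Rule from the post: the number of words, then the second and last
    letter of each word, capitalising every third letter.  Assumptions
    made here: punctuation ignored, apostrophes dropped, a one-letter
    word supplies its only letter twice, and the capitalisation count
    covers the letters only, not the leading digit(s).
    """
    raw = re.findall(r"[A-Za-z']+", sentence)
    words = [w.replace("'", "").lower() for w in raw]
    words = [w for w in words if w]          # drop anything that was only apostrophes
    if not words:
        raise ValueError("sentence contains no words")

    letters = []
    for w in words:
        second = w[1] if len(w) > 1 else w[0]
        letters.append(second)
        letters.append(w[-1])

    out = []
    for i, ch in enumerate(letters, start=1):
        out.append(ch.upper() if i % capitalize_every == 0 else ch)

    return str(len(words)) + "".join(out)


if __name__ == "__main__":
    for s in ("One, two, buckle my shoe.", "Three, four, knock at the door."):
        print(repr(s), "->", derive_code(s))
```

Because the function is deterministic, you never need to store the derived code: re-running it on the remembered sentence always yields the same value. The output length is roughly twice the word count, so a five-word sentence fits comfortably within an eight- to ten-character limit; if a system also forbids digits in the first position, you would move the word count to the end, and apply that change consistently everywhere.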

Remember – your password is the key to all of your electronic defenses. Keep it safe, never share it and pick passwords strong enough that they cannot be easily cracked.

If you have your internet browser set to store your usernames and passwords, disable it immediately.

A vulnerability was just discovered in both Microsoft’s Internet Explorer and Mozilla’s Firefox browsers which allows a hacker to place a fake login form on a page of a site you use, for example inside a forum post or blog comment. When your browser auto-fills your saved username and password into that form, the data is passed off to the hacker.

This vulnerability has been named a "reverse cross-site request" vulnerability by its discoverer, Robert Chapin. It has been found on at least one MySpace.com page and is a risk to any user who goes to forum or blog websites.

So far, there is no known fix except to disable the password fill-in feature.

  • In Microsoft Internet Explorer, use the menu to go to Tools/Internet Options. On the Content tab, select AutoComplete and make sure that "Usernames and passwords on forms" is not checked. (If the entire line is grayed out or "ghosted", you are okay.) You might want to click the "Clear Passwords" button while you’re here just in case there were some in history.
  • In Firefox, use the menu to go to Tools/Options. On the Security tab, make sure that "Remember passwords for sites" is not checked. Click on the "Show Passwords" button to remove any that have been saved previously.

For years, security professionals said "Never write down your password." In many situations, that’s still good advice: anything you write down can be lost or stolen. But when you have dozens of passwords, PINs and other security codes – some work-related, many personal, some static, some changing regularly, some simple, some complex, some used daily, others that go weeks between uses – it’s hard not to. If you cannot memorize your passwords and must write them down, here are some ways to do it at reduced risk.

  • Don’t store your passwords on your computer. It doesn’t matter how well you hide the file, hackers know how to search the contents of your computer to find likely password files.
  • Don’t record the complete password. Write down just enough to remind yourself of the rest of it.
  • Keep the password hints with you at all times. Your wallet is a good place. Don’t leave the list in your desk or under your keyboard. Hackers and thieves know where to look.
  • If you have a PDA or BlackBerry, use a secure, approved password vault on the device. These applications use strong encryption, unlocked by a single master password, to protect your password list.
  • If the list is out of your control even briefly, change your passwords promptly to maintain their security.