Tagged: Browser

Simplifying Password Complexity

T y p e w r i t e r ⏎Let’s be honest. Passwords are a pain. We all know that it’s important to have different passwords for different places and we all know that they need to be fairly complex. We also know that remembering numerous passwords, especially strong passwords, can be a challenge. So what’s the best strategy?

In this article, I’ll talk about how to create memorable (but strong) passwords and suggest a tool that will make constructing and remembering strong passwords easier.

In general, the strength of a password depends on two factors: length and complexity. Although there’s some disagreement, length is more important than complexity. (For a humorous illustration of password complexity, read the XKCD comic at http://xkcd.com/936/)

Increased complexity makes it more difficult to create a password that you can remember.  The idea of a long complex password may be overwhelming. However, increasing password length alone can result in a password that’s memorable and stronger. Because of the way Windows stores some passwords, the “magic number” is 15 characters or more. A traditional complex password of 15 characters might look like this: “qV0m$$#owc2h0X5”. I don’t know about you, but there’s no way I’m going to remember a password like that. You COULD write it down and store it securely, but it’s not the easiest password to enter on a keyboard, and storing passwords in a browser or in a desktop application is insecure.

Here are a couple of strategies for strong passwords.

Strategy One: Use Passphrases

Because length is more important than complexity, using a passphrase, even if it’s relative simple, provides a sufficiently strong password.

For example, you may have heard of the Bulwer-Lytton Fiction Contest (bulwer-lytton.com). Bulwer-Lytton was a novelist whose opening sentence, “It was a dark and stormy night,” was immortalized in a Charles Schulz Peanuts cartoon where Snoopy was typing a novel. With a few modifications, that phrase makes a pretty strong password: “ItwasaDark2&StormyNight” That’s a 23-character passphrase that most of us could remember. If you need to change the password, you could do it by incrementing the number. I recommend choosing the first line of a book or song and turning that into a passphrase.

Strategy Two: Use a Password Safe/Vault

You’ll find that you may need quite a few different passwords. Creating different passphrases is a great way to create strong passwords, but you would still need to remember quite a few different ones. A good way to manage multiple passwords is by using a password safe or vault. A password safe stores multiple passwords and may be configured to prompt you with the needed password when you visit a password-protected website. You may want to use a password safe called LastPass. LastPass provides browser plugins for multiple browsers and there’s a version that will work with smartphones. LastPass will generate one of those long complex impossible-to-remember passwords on command and store that password for you. You should protect your password safe with a long passphrase constructed as described above. LastPass is just one example of good password safes. Other popular password safes include Password Gorilla, KeePass, and RoboForm.

A strong password is a key component in protecting information and unauthorized access. I hope you find these recommendations helpful.

This article was submitted for publication in the RIT IACA Quaestor Newsletter.

Enhanced by Zemanta
Advertisements

Updated: Choosing the Safest Browser, Part One

Swim safe!

This post provides an update to last year’s Choosing the Safest Browser post. Let’s take a look at what’s changed since June 2010.

Browsers

Last year, we looked at the following browsers to discuss which would be the safest:

Number of Vulnerabilities

How do you decide which browser is the safest? One way is to look at the vulnerabilities that were disclosed for each one. Attackers may exploit these vulnerabilities to place malicious code onto your computer.

In Spring 2010, my Cyber Self Defense class ranked the browsers in the order below according to which ones they thought had the most vulnerabilities:

  1. Internet Explorer
  2. Safari
  3. Opera
  4. Firefox
  5. Chrome

According to the  Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:

  1. Firefox
  2. Internet Explorer
  3. Safari
  4. Opera
  5. Chrome

The class was really surprised by this ranking.

June 2011

Let’s see how the rankings look from the Symantec 2010 Internet Threat Report. Here’s the 2010 list of browsers and number of vulnerabilities:

  1. Google Chrome–191 vulnerabilities
  2. Apple Safari–119
  3. Mozilla Firefox–100
  4. Microsoft Internet Explorer–59
  5. Opera–31

I was surprised by this order. Ranking browsers by vulnerabilities reported, Chrome appears to be the worst and Opera the best. (In the 2008 report, Chrome had the fewest vulnerabilities!)

Average Time to Fix a Vulnerability

Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?

In the 2010 report, Internet Explorer had an average patch time of 4 days. Opera, Safari, and Chrome were each one day or less. (In the 2008 report, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.)

Patch time alone doesn’t appear to be a factor when choosing the worst browser.

Safe browsing is important because the majority of attacks are web-based, peaking at  almost 40 million per day in September 2010.

Does Your Browser Choice Really Matter?

In my opinion, not so much. Internet Explorer vulnerabilities are targeted more because it’s the biggest target. However, all of the browsers mentioned have vulnerabilities and all are patched relatively quickly. Many attacks actually target applications such as Adobe Flash, QuickTime, and the like. Malicious PDFs have also become a huge problem in the last year. What matters are safe practices!

Enhanced by Zemanta

Choosing the Safest Browser, Part 2

Safe Practices

Check your Browser Security Settings

How can you tell how secure your web browser may be? Scanit’s Browser Security Test checks your browser security settings and provides a report explaining the vulnerabilities, the potential impacts, and how to correct them.

Use Security Software

Your security software should include an antivirus, anti-spyware, and a firewall.

Update Regularly

Keep your browser and applications up to date. If you’re prompted for an update, accept it.

Use Strong Passwords

Use a strong complex password or passphrase. Consider using a password vault such as LastPass to generate and store your passwords.

Install Browser Tools/Add-ons

Current browsers all provide some protection against phishing. There are also browser tools that you’ll find helpful.

  • The Netcraft Toolbar is a browser plug-in available for Firefox. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.
  • The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. The Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.
  • WoT (Web of Trust) provides color-coded ratings of the safety and reputation of websites.

Limited Account Privileges

Limiting account privileges (WindowsXP) provides simple but effective protection when working online. Limited accounts allow you to do most daily activities but do not allow you to install software (only accounts with administrative privileges can install software on the computer).

Many attacks take advantage of administrative privileges to install malware on your computer. If you’re using a limited account, attackers and malicious websites will not be able to install malware. (This is less of an issue with Windows 7 and Mac OS X because they ask you to confirm software changes.)

Threats have doubled since 2009 and the threat vectors have increased. Vigilance is even more important.

One thing hasn’t changed. The key to safe browsing is not which browser you choose. It’s following safe practices.

Please comment on the post and let us know some safe practices you recommend.

Enhanced by Zemanta

Avoiding Phishing

phishing

What’s the easiest way to break into a computer account?

Cracking the password? Putting a trojan on the computer? Hacking? Unfortunately, it’s simply tricking you into giving up your password through a technique known as phishing.

Computers have vulnerabilities that can be exploited by attackers using different types of malware. However, your attacker is as likely to come after you through “social engineering” as they are through malware. Just as our computers have vulnerabilities, we too are susceptible to attack!

Social Engineering Attacks

Social engineering attacks are attempts to trick you into revealing private information. Successful attacks may result in identity theft and loss of funds. Social engineering attacks take a number of different forms, including phishing attempts, work at home scams, and Nigerian 419 schemes. Attackers often take advantage of current events, such as the tsunami that hit Japan.

Phishing

This article deals with one type of online scam—phishing attempts. Phishing is a common technique in identity theft. We’ve all received phishing emails or instant messages that appear to link to a legitimate site. These emails and web sites are designed to capture personal information, such as bank account passwords, social security numbers and credit card numbers. Losses to phishing attempts are estimated to be as high as $500M every year.

How Phishing Works

  1. Phishers send out millions of emails disguised as official correspondence from a financial institution, e-tailer, ISP, etc.
  2. You receive the phishing attempt in your email.
  3. After opening the email, you click on the link to access your financial account.
  4. Clicking on the link takes you to a web site that looks just like a legitimate site.
  5. At this point, you enter your account and password information, which is captured by the person who sent out the phishing attempt.

Phishing emails used to be easy to recognize because of their poor spelling and grammar. Now, phishing emails are often indistinguishable from official correspondence. Anyone can put together a phishing attack using resources (or kits) purchased on the Internet.

Practice Safe Computing

Safe computing practices are the best defense against phishing. Here are a few safety tips:

  • Never click on links directly from an email. Type the address into the address bar or go to the institution’s web site and navigate to the correct location.
  • Use File/Properties to find out which website you’re really on. You can check the properties from the file menu or by right-clicking on the web page and selecting Properties.
  • Look for the proper symbol to indicate you’re on a secure web site. Secure web sites use a technique called SSL (Secure Socket Layer) that ensures the connection between you and the web site is private. This is indicated by “https://” instead of “http://” at the beginning of the address AND by a padlock icon which must be found either at the right end of the address bar or in the bottom right-hand corner of your browser window. A padlock appearing anywhere else on the page does not represent a secure site.

Browser Helpers and other Software Solutions

Although avoiding phishing attempts is typically a matter of following safe practices, there are a number of browser helpers available to help warn you of suspicious web sites. Browser helpers normally work as another toolbar in your browser. Use one or more for your protection:

  • The Netcraft Toolbar displays information about a web site including whether it is a new site (typical of phishing) and which country hosts it. If you’re visiting a United States banking site and the Netcraft Toolbar displays a Russian flag, you’re probably at a phishing site. The Netcraft Toolbar also works like a neighborhood watch community, blocking access to member-reported phishing sites.
  • McAfee Site Advisor adds icons to your search results indicating the relative safety of sites you’re visiting.
  • Internet Explorer and Firefox also provide limited protection by denying access to many known phishing sites. Firefox and Chrome integrate Google Safe Browsing technology.
Enhanced by Zemanta

Higher Ed, Where’s the Mobile Content?

In general, the pace of change far exceeds the ability of any large organization to adapt and adopt, be it a professional organization, an educational institution, or many companies. Mobile content is a good example. Although we’ve know that the rate of adoption is high, in a recent Chronicle of Higher Education Wired blog posting,  Kelly Truong stated that a research study at Ball State University found that about 90% of students were using their smartphones to access the internet.

At the Rochester Institute of Technology, we’re seeing some movement towards providing mobile content, including online coursework. The E. Philip Saunders College of Business has also designed a smartphone app for their students.

Do you use a smartphone to access the internet? Are you happy with the experience? Are any of your companies/colleges, etc. designing web pages for mobile users? Are you designing coursework for mobile users? Developing any corporate apps for iPhone, Android, Blackberry, etc.?

Enhanced by Zemanta

Choosing the Safest Browser

There’s always discussion among techies about which internet browser is better. Most of them end up bashing Internet Explorer. Does it really matter which browser you use?

Maybe, but not for the reasons you might think. Here’s a list of the five most common browsers, in no particular order:

  • Opera
  • Firefox
  • Safari
  • Internet Explorer
  • Google Chrome

Which of these browsers is the safest? The one with the fewest number of reported vulnerabilities? I asked my Cyber Self Defense class last quarter to guess which browser had the most vulnerabilities.

Here’s the order they came up with:

  1. Internet Explorer
  2. Safari
  3. Opera
  4. Firefox
  5. Chrome

According to the  Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:

  1. Firefox
  2. Internet Explorer
  3. Safari
  4. Opera
  5. Chrome

Is this the order you expected? Did you think that Internet Explorer would have the highest number? If we go strictly by number of vulnerabilities reported, Google Chrome would be the safest browser to use and Firefox the worst.

Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?

Again, the class assumed the worst browser would be Internet Explorer. However, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.

Internet Explorer is attacked the most. Why? Because it’s used by the most people and provides a higher ROI for cyber criminals. Because it’s attacked the most, it MAY be safer to use a different browser. However,  safer Internet browsing has as much to do with safe practice as it does browser choice. If you browse unsafe sites, you’re more likely to be attacked.

Here’s what we’re telling students, faculty, and staff at the Rochester Institute of Technology about safer internet browsing.

Browser Security

How can you tell how secure your web browser may be? Scanit’s Browser Security Test checks your browser security settings and provides a report explaining the vulnerabilities, the potential impacts, and how to correct them.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

 

Anti-Phishing Tools

Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing.

The Netcraft Toolbar is a browser plug-in available for Internet Explorer and Firefox. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.

The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. The Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.

 

Limited Account Privileges

Limiting account privileges provides simple but effective protection when working online. Limited accounts allow you to do most daily activities but do not allow you to install software (only accounts with administrative privileges can install software on the computer).

Many attacks take advantage of administrative privileges to install malware on your computer. If you’re using a limited account, attackers and malicious websites will not be able to install malware. (This is less of an issue with Windows 7 and Mac OS X because they ask you to confirm software changes.)

Ben

Postscript: I’ve included links below to my 6/30/11 posts updating this article.

Enhanced by Zemanta