Welcome to the first part of Minimal Security. In this series of articles I'm going to give you some pointers on how to make your system more secure, and also hopefully show that it is not rocket science – it's just a matter of thinking one step ahead! So, let's get started!
Passwords – What are they?
A password is basically an authentication token, something that is used to identify you and give you access to something, for example your system, your e-mail, or your Internet banking web page. Normally this token consists of not only a password, but also a user name (or your e-mail address).
So, passwords are secure, right? Well, they can be. Passwords are mostly compromised because they are easy to guess or too simple, through social engineering, or through irresponsible users. For example, the password "fluffy", named after your dog, is probably not a good idea. Neither is your phone number, your girlfriend's name, your birth date, etcetera. I think you get the idea.
So what is a safe password then? Well, for the passwords I use, I tend to settle for no less than 10 characters. They also consist of both uppercase and lowercase letters as well as numbers, and contain no words that can be found in a dictionary. The easiest way to make the "fluffy" password a little bit more secure is to add something else to it, for example "fluf13fy". Your dog's name has now been split in two parts with a number added in the middle, and obviously it's not that easy to guess any more.
You can also use a third-party application to keep track of your user names and passwords, for example PasswordSafe, which is also able to generate random passwords for you. Your credentials are saved in an encrypted file protected by a master password, and in order to log in to, for example, a website you just enter your user name, double-click the entry in PasswordSafe, and paste the password into the password box. When you close PasswordSafe, the clipboard is automatically wiped.
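The two ideas above (a password rule set, and a manager that generates random passwords for you) can be put into a few lines of code. The following is an added example written for this article, not code from PasswordSafe or from the original post; the word list is a constructed stand-in for a real dictionary file, and the rules are exactly the ones stated above: at least 10 characters, upper- and lowercase letters, digits, and no dictionary word.

```python
import secrets
import string

# Policy from the article: at least 10 characters, upper- and lowercase letters,
# digits, and no word that can be found in a dictionary.
MIN_LENGTH = 10

# Constructed stand-in for a real word list; a real checker would load a full
# dictionary file (hundreds of thousands of words) instead.
DICTIONARY = {"fluffy", "password", "welcome", "summer", "dragon"}


def check_password(password, dictionary=DICTIONARY):
    """Return a list of reasons the password fails the rules.

    An empty list means the password passes every rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    lowered = password.lower()
    # Flag a dictionary word appearing whole inside the password ("fluffy",
    # "Fluffy2009"). Words shorter than four letters give too many false
    # positives, so they are skipped. Note that "fluf13fy" slips past this
    # check because the word has been split, which is the author's point.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word {word!r}")
            break
    return problems


def generate_password(length=14, alphabet=string.ascii_letters + string.digits):
    """Generate a random password the way a password manager does.

    secrets.choice draws from the operating system's CSPRNG (random.choice
    would not be suitable for secrets). The loop retries until the candidate
    passes check_password, so the result always satisfies the policy.
    """
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("fluffy", "fluf13fy", "Fluf13fy2009", "Fluffy2009ab"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("generated:", generate_password())
```

Running it shows the progression the article describes: "fluffy" fails four rules, "fluf13fy" is better but still too short and has no uppercase letter, and only a longer mixed-case variant passes. The generator is the part a manager like PasswordSafe does for you, so you never have to invent such a string yourself.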
Irresponsible users
I mentioned social engineering and irresponsible users earlier. These two go hand in hand, and both are actually related to the huge number of credit card and Internet banking frauds lately. Your password should never ever be shared with anyone else. The banks explicitly state this in their security information etcetera, and yet people still hand this information to "bank employees" over the phone in order to sort out some complication with their checking account. Here comes another part I mentioned: think one step ahead. The bank will never need your password. The bank runs the system. If they need to access your details, they can do so without your password.
The same goes for e-mails that appear to come from the bank, complete with the proper bank logotype etcetera, and include an attachment said to be "anti-virus software" or similar. You can be pretty certain that your bank will never ever send you an anti-virus program, or any other program for that matter, via e-mail.
It is just as irresponsible to hand your password over to your friend, your family etc. As a general rule of thumb, don’t give your password to anyone you would not trust with your keys and your wallet.
Saved Passwords
Saved passwords are excellent. I admit that I use them too. You know, that fancy box that pops up when you log on to a web site: "Would you like Firefox to remember this password?" It's an awesome feature, but these passwords are saved and made accessible to anybody using your computer, not only to you. The simple remedy to this problem is to enable the master password. In Firefox, this is done in the options dialog on the "Security" tab. Check the box "Use a master password", and use the button next to it to set the master password. The next time Firefox feels an urge to auto-fill a login box with your user name and password, it will prompt you for your master password (if you haven't entered it during the session, that is).
Your saved passwords are now available to you, and only you.
Security on your Workstation
All operating systems based on the Windows 2000/XP kernel have a pretty sophisticated security layer running under the hood. This security layer, or subsystem, validates every request made and ensures that you have access to the object or function requested. Your credentials are validated during login, and are then used every time a file is accessed or another file system or registry operation takes place.
It also offers the excellent ability to lock the workstation, either by hitting Ctrl-Alt-Delete and selecting "Lock Workstation" (for this to work, you have to disable "Fast user switching" in the control panel), by hitting Win-L (if you're using Windows Explorer as your shell) or by hitting Win-Space (if you're using bbLean). Screen savers can also be set to prompt you for your password before allowing access to your system after the screen saver has closed. This is an excellent feature to keep nosy people away from your system, protecting your sensitive data and making sure things are still the way you left them when you return.
If you are using NTFS as your file system, you can also encrypt your files to make sure that they are safe from curious eyes and nosy people. To protect a file or folder, right-click it and select "Properties". Then click "Advanced" on the first property page, and check the box next to "Encrypt". The file (or folder) is now a little bit more secure should your hard drive ever be lost or compromised.
You can also use virtual encrypted drives to protect your sensitive data; the best one I have found so far is TrueCrypt, which is also open source and 100% free. It works by creating a file of a specific size on your hard drive and then "mounting" this file as a virtual drive. You could for example create a 2 GB virtual drive as C:\myfiles.tc and have it appear as D: once the password has been properly entered. This file is in turn protected by strong encryption keyed from your password and, optionally, a key file (for example an image, an MP3 file, or just a random text file stored on your hard drive or on a USB memory stick).
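To show why the key file matters, here is an added example (not TrueCrypt's own code or format, and not from the original post) of the underlying idea: the password and the contents of the key file are combined into one encryption key, and a small check tag stored in the container header lets the mount routine tell a correct pair from a wrong one without storing the key. The scheme, constant names and the constructed key file are all illustrative assumptions; the building blocks (PBKDF2-HMAC-SHA256 and HMAC from the Python standard library) are real.

```python
import hashlib
import hmac
import os

# Illustrative scheme, not TrueCrypt's real header format: the password and the
# key file are mixed so that neither one alone can reproduce the key.
PBKDF2_ITERATIONS = 200_000        # slows down guessing of the password
KEY_LEN = 32                       # 256-bit key
CHECK_LABEL = b"container-header-check"  # constant message for the verifier tag


def derive_key(password: str, keyfile_bytes: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit key from a password and the contents of a key file.

    The key file is hashed first so its size does not matter (an MP3 works as
    well as a short text file); its digest is appended to the password before
    PBKDF2 stretching. A wrong password OR a wrong key file gives a completely
    different key.
    """
    keyfile_digest = hashlib.sha256(keyfile_bytes).digest()
    material = password.encode("utf-8") + keyfile_digest
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, KEY_LEN)


def create_header(password: str, keyfile_bytes: bytes) -> dict:
    """Return what the container header would store: a random salt and a check tag.

    The tag is an HMAC over a constant under the derived key, so it reveals
    nothing about the key but lets unlock() confirm the password/key file pair.
    """
    salt = os.urandom(16)
    key = derive_key(password, keyfile_bytes, salt)
    tag = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "tag": tag}


def unlock(header: dict, password: str, keyfile_bytes: bytes):
    """Return the key if the pair is correct, or None if the check tag does not match."""
    key = derive_key(password, keyfile_bytes, header["salt"])
    tag = hmac.new(key, CHECK_LABEL, "sha256").digest()
    # Constant-time comparison so the check itself does not leak anything.
    if hmac.compare_digest(tag, header["tag"]):
        return key
    return None


if __name__ == "__main__":
    keyfile = os.urandom(1024)  # constructed stand-in for the key file on a USB stick
    header = create_header("correct horse", keyfile)
    print("right pair:   ", unlock(header, "correct horse", keyfile) is not None)
    print("wrong password:", unlock(header, "wrong", keyfile) is not None)
    print("wrong key file:", unlock(header, "correct horse", os.urandom(1024)) is not None)
```

The point of the exercise is the last two lines of output: with a key file in use, someone who obtains the container and even the password still cannot open it without the file, and someone who copies the USB stick gets nothing without the password. The iteration count is what makes a lost container expensive to attack by guessing, which is why the password still has to be a good one.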
Virtual Identities
Wow. That's a fancy word for sure. What is a virtual identity then? Basically, a virtual identity is something that identifies you in the virtual world. Very often this is associated with your e-mail address or similar information, for example your Yahoo username "johndoe123", which has a corresponding e-mail address "johndoe123@yahoo.com". The same is true for MSN Messenger, where your virtual identity actually is your e-mail address.
Here in Sweden it has become more or less of a trend to have fancy web pages where you can win stuff, such as a plasma television or the latest cellphone, if you just recruit enough people to the website. Basically, the one who gets the most friends to sign up wins the grand prize.
Who wants to enter all their friends' e-mail addresses? Nobody. Instead they offer a box that allows the web page to sign in to your messenger account and automatically inform your friends of the ongoing competition. I am not 100% certain, but I am pretty sure that there are no grand prizes in the end. At least not for the users. The thing is that when you share your virtual identity like this, you are first and foremost sharing your password with a third party that you don't really trust. This is bad. But what's even worse is that you are also exposing your friends' virtual identities to the website. These sites mostly harvest e-mail addresses, which are then sold to spam networks, and what you end up with is not a fancy new big-screen television, but a flooded inbox. Once again, think one step ahead.
Summary
Security doesn't have to be hard. It just requires you to think a little extra, just like you do when you swipe your credit card in the store and are about to enter your PIN code. You won't pound in those magical 4 digits with someone looking over your shoulder, or into a terminal that looks like it's been glued together, with a clerk who looks more than a little suspicious. Yet most people think it's okay to recommend contests to their friends by giving up their user names and passwords. And honestly, isn't your IM password the same as the one for your e-mail? And for your computer?
Think one step further.