Monday, October 29, 2007

Security

Recently someone I know lost access to her Yahoo account; it was taken over by scammers in Nigeria, and various people (including me) got mails similar to the one described here.

I would hope that nobody who received the mail was fooled. Apart from obvious questions like what this person is doing in Nigeria, there is, as the above article says, "the troubling detail of why their knowledge of grammar and punctuation has forsaken them."

How do you lose access to your account? By someone stealing your password, obviously. How do they do that? There are various ways:


  • First of all, there are dictionary attacks. If you use an English word as your password, you can be sure your password is not safe. Even a straightforward combination of words and numbers, like "Hello123", is not safe.

  • Then, most webmail access is unencrypted, and it is hard for a newcomer to see how to encrypt. This is one of the many disgraceful aspects of how free webmail providers behave. With Google mail, you should go to https://mail.google.com/ (note the "s" at the end of the "http"; you'll also see it in bank gateways and the like.)

    What's wrong if it's unencrypted? Simply this: anyone sitting in your network, or administering a gateway between yours and the server's, can read it. Worse, if you're on an unencrypted wireless connection, or on a WEP-encrypted one (WEP is useless), anyone within range of your access point can read it.

  • There is cached data on your disks. If you throw away an old computer, or give it to the service centre, much compromising information may be readable.

  • Then there are phishing scams. Scammers routinely send out a mail along the lines of "Your hotmail account has administrative problems, please authenticate it here", and send you along to a fake site where you log in and they keep your password. Unfortunately, many people still fall for it.

  • Then there's the most insidious of all: keystroke loggers. These are trojans that sit on your computer and keep track of what you type. Getting one on your computer is as easy as visiting a spyware-infested site, if you use certain operating systems and web browsers that originate in Redmond, WA. So keep your computer clean (I'd say avoid Microsoft Windows totally if it's at all possible for you, and if you must use it, don't use Internet Explorer, and if you absolutely must use IE, disable ActiveX, and if you must use ActiveX, there's no hope left for you); and don't access important sites from cybercafes or computers you don't control.

So what does one do? A colleague pointed me to a very informative article by Bruce Schneier, on how to choose good passwords and keep them safe, which should be required reading for all computer users. He describes the capabilities of dictionary attacks and forensic tools, and how to bypass them.

You should not only choose a secure password, but a different secure password for each website you use: otherwise, if one is compromised, they all are. One problem is that many users can't remember one non-trivial password, let alone a unique one for each site. So here's a trick that I came across some years ago, I can't remember the source. The general idea is as follows, the details can be varied.


  • Choose a word or string that you will remember for sure. It need not be very complex. For example, "MyPassword".

  • Append to it the domain name of the site you are accessing, for example "MyPasswordmail.google.com".

  • Run the resulting string through a hashing program like md5sum. In this case, the output is "0017e27585c50866609a6d41a127555e -"

  • Use the first 8 characters of that output, in this case "0017e275", as your password.

As I said, many obvious variants are possible, and if you pick your own -- or even if you follow the above scheme entirely -- chances are essentially zero that your password will ever be guessed. The disadvantage is that you need access to the md5sum program to recover your password. But this is usually available already on linux and can be installed on windows and other platforms. So, if you follow the injunction above against using untrusted computers, it should not be a problem.

This protects against dictionary attacks; it may also protect to some extent against forensic analysis of a disk (since the password looks like random hex, not like an obvious password, it may be harder to find among all the other junk on your disk). And if you lose your password on one site, the other sites stay secure. But it will not protect against the other attacks mentioned above; you should still use secure HTTP, particularly when on wireless networks, should be vigilant against phishing attacks, and should not let spyware onto your computer.

Caveat emptor: I am not a security professional. If you're in a security-critical situation, don't go by the above; get professional advice.

1 comment:

Anonymous said...

For those who speak a language other than English, especially one with its own script, one way to avoid an dictionary attack is simply to use a non-English word.

Lately, with the proliferation of SMS, the romanization of Hindi has become commonplace and Roman-Hindi word databases may be available to spammers soon. But this might not be forthcoming soon for other Indian languages.