Information Technology, Thank You Sir May I Have Another

So Secure You Are Insecure

Recently I had to change my password for a Jeep owners forum. It didn’t expire or anything like that, I simply couldn’t remember the one I had used. Well, they had “new rules.” Keep in mind this is a user forum for owners of both new and beater Jeeps to exchange info. The crawler sections talk endlessly about mods to their Jeeps and events. Those of us who tend to buy beater Jeeps talk about tricks to fix the aging rides and where to find reasonably priced parts or rare parts.

That “reasonably priced” thing is massively important. When I needed a new electric fan for a 1990 Wagoneer Ltd. I had, I found many of the “specialty” places wanting upwards of $400 for a drop-in replacement with shroud, but a few questions here and a bit more poking around on-line found a source selling a brand new fan with shroud for $35 + shipping.

User/owner forums generally don’t hold any credit card information. Yes, if you happen to use the same password for your on-line banking, whoever steals it might be able to log in and do damage, but first they would have to find your bank and then be lucky enough that you had actually opened an on-line account. Beyond that, all they could get is your name and general location . . . assuming there really are places like Full Size Jeep, NJ.

What do you think the “new rules” were for passwords?

  • Minimum of 12 characters
  • Must contain upper and lower case letters
  • Must use symbols
  • Must contain numbers

Oh, by the way, the _ is not considered a valid character, so a password like Your_Rules_Suck_A_Big_1 was invalid.
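As an added illustration, not code from the original post, here is a Python check that implements the four rules above plus the underscore rejection. The set of accepted symbols is an assumption, since the post only says that _ is refused. It shows the policy rejecting the post’s own example and a long word passphrase while accepting a short dictionary-word-plus-digits pattern.

```python
import string

# Policy reconstructed from the forum's "new rules" as the post lists them.
# ASSUMPTION: the post only says "_" is rejected, so the accepted symbol set
# is taken to be ASCII punctuation minus the underscore.
MIN_LENGTH = 12
ALLOWED_SYMBOLS = set(string.punctuation) - {"_"}
ALLOWED_CHARS = set(string.ascii_letters + string.digits) | ALLOWED_SYMBOLS


def policy_violations(password):
    """Return the names of the rules the password fails (empty list = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if not any(c.isupper() for c in password):
        violations.append("upper")
    if not any(c.islower() for c in password):
        violations.append("lower")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    # Only symbols from the accepted set count towards the "must use symbols" rule.
    if not any(c in ALLOWED_SYMBOLS for c in password):
        violations.append("symbol")
    # Any character outside letters, digits and accepted symbols ("_", space, ...)
    # makes the whole password invalid, exactly as the forum did with "_".
    if any(c not in ALLOWED_CHARS for c in password):
        violations.append("invalid_char")
    return violations


def is_accepted(password):
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample passwords: the post's example, a predictable pattern,
    # and a long all-lower-case passphrase.
    for pw in ("Your_Rules_Suck_A_Big_1", "Password123!", "correct horse battery staple"):
        print(f"{pw!r}: {'accepted' if is_accepted(pw) else policy_violations(pw)}")
```

Run as a script it prints which rule each sample trips; the underscore password fails only because of the symbol restriction, while the 12-character dictionary word with digits and a bang sails through.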

Far too many sites are adopting various onerous rules. Few, if any, of the sites have the same rules, so you cannot even use variations of one password. In the zeal to “become more secure,” sites have become even less secure. Admit it, every one of you keeps a list somewhere of the sites you use and the passwords for them, as well as both the security questions and the answers you provided. Why? Because if you actually log into more than one site it becomes physically impossible for the average person to remember all of it, especially when security question answers are case sensitive AND you have to enter your answers in password mode so you cannot see what you type.

Don’t you love those security questions? Who was your best friend in grammar school? Well, first off, it was never called grammar school for most of us. Second, you have to remember whether you called him Ken, Kenny, Kenneth or some other variation. Oh &^(*^( 3 characters was too short, but you didn’t remember that and they didn’t say “minimum of N characters” when you were typing your answer.

So, most of you have a list. If you still have only a home computer and no smart phone you might be secure enough to have that list on a sheet of paper in a desk drawer, but it is probably stuck to the side of your computer or the edge of your monitor. If you have a lot of sites it is also in a text or word processing document, so as soon as you get a Trojan Horse virus the bad people have it. Millennials with idiot phones are even worse off. They have it on the most insecure device ever made. Just walking through any place with free Wi-Fi, which their phone automatically connects to in order to save their overpriced data plan, exposes them to a multitude of sniffing and penetration software. Encryption doesn’t matter. Once the file is pulled it will be in an environment where a program can try endlessly to crack the encryption without fear of the file being wiped.

Encryption isn’t impervious. It is like that fire-resistant safe bolted to the concrete floor of your basement. It only buys you time when a person wants in. Anyone who has watched an episode of Storage Wars knows just how long it takes them to open a safe, so you really aren’t buying much time. Encryption buys you a bit more time, but time doesn’t matter if you don’t know someone has the file. If they want it badly enough, they will eventually get it.

Yes, I have worked with people and for entities which had “unhackable” encryption certified by various companies which certify such things. Even that is only a point-in-time certification. Why? Because the algorithm is not yet known. Eventually the algorithm will be known. The best you can hope for is that the pain of hacking through it exceeds the perceived value of the data within.

There are many different forms of encryption in use today. Some systems exchanging data over the Internet use randomly generated and exchanged one-time keys. Some use a different key for every packet. Most personal encryption uses single-pass encryption: one key, one algorithm and one pass through the data. I’m old enough to remember when 256-bit encryption was considered the pinnacle of security; now even 1024-bit is considered weak and 2048-bit is in use. Less than 2 years from now even this will be considered weak. If you want to read up a bit on people still championing 1024-bit you can do so here.

One thing most people overlook is the vast amount of computing power already stolen. Thanks to Microsoft, most people are leaving their computers on all of the time. They do this so updates can happen while they sleep. Sadly, if they are infected with a zombie bot type virus, this gives all of that idle computing power to bad people. Most of you remember hearing about Denial of Service (DoS) attacks some years ago. Huge farms of zombie bots were used without their owners’ knowledge to bring down a target. They still happen, they just don’t make the news often.

Criminal organizations intent on stealing information have instead moved their zombie bots into the world of encryption cracking. Pass out the right zombie bot via a porn or other site and you can have millions of computers around the world waiting for work within a few short months. They won’t be reliable, but the farm will be sizable. Now you simply have to have a zombie bot which is well behaved. Basically it needs to work like BOINC does. People sign up for BOINC projects to do good, but the code is open source, so someone can create their own perverse version which hides in the background, never using more than 20% of the computer and never transferring data during normal waking hours. Remember, most home firewalls are designed to keep others out, not keep you in.

So, they take these tasks which would take years on a super computer or university cluster, parcel a few hundred attempts out to each of their million-plus zombie bots, and wait for results to be transmitted back. If one result doesn’t come back within the chosen response time, they hand that batch to a machine which did report. These huge computing tasks which would take years on a super computer now take a few months or even just a few days, depending on the size of the farm and the luck of the choices in the early packets.

Now we get to the human nature part of things. Unless a site, like your bank, has a randomly generated rotating key which changes with each transmission, bad people now have a key for the site. They can apply that key to every packet to/from that site until the key changes.

I would not be surprised to learn that criminal organizations already have a list of the most often successful keys and that is what gets used in the first pass of attempts via the zombie bot farms. Were I not too scared to connect to “the dark Web” I would be willing to bet such a list probably exists in one corner or the other of it.

Did you ever wonder how it is “security” places were able to publish lists of the most commonly used passwords? I did. At some point it boils down to someone providing all of the passwords for their site. It won’t be long before password lists like the one you keep end up feeding sites like the one listing the most commonly used values.