Technology Corner

Security: How much is it worth?

Should you encrypt the data on your computer's hard disk? How many passwords should you have? Is just a software firewall enough or do you need a hardware firewall, too? With increasing instances of identity theft (despite the decreasing rate of credit card fraud) lots of us are concerned about security. A former US counterintelligence agent who has asked that I not identify him any more specifically than that has some interesting thoughts on the issue.

Specifically, the question was “How secure is e-mail?” and most of us know that it's not very secure -- about like sending someone a postcard, because anyone who handles it can read it. In some ways, e-mail isn't that public; in other ways it's even more public. Because messages travel in packets and are part of the flood of data on the Internet, the casual observer will never see your message. On the other hand, someone who installs a packet sniffer that's tuned to look for specific data formats (16-digit numbers, for example) might find a lot.

The former agent mentioned his training in one craft required for the job: “During my counterintelligence days, I learned lock picking and related skills to go into places where I wasn't wanted. The first lesson was if you face a locked door, walk around and check for another unlocked door or window. Or if it's just a locked office, try lifting out the acoustic ceiling tile and see if you can climb over the wall through the attic.

“The computer document version of this is no matter how secure you make the e-mail, with encryption and passwords, if you have an unsecured version on your computer, or a printout on your desk or in the trash, or a password lying around -- well, you got bubkus for security. I once had to enter a room locked with a combination lock. A real, US government approved-for-classified lock that couldn't be easily opened (forget the magic gizmos in the movies). Instead of attacking the lock, I used a knife to jimmy open the office door of the guy responsible for the lock. Opened his unlocked desk drawer. First thing I saw was a piece of notepaper with three numbers on it. Guess what. Open sesame.

“A good idea before sinking into total paranoia (an occupational hazard for security workers) is to think about the threat to the information. Who wants it, how much is it worth to them, what efforts are they willing to take to get it, where would they have access to it. Understanding that can help you focus on what you need to do to protect the information while it's in your control.”

A point the agent doesn't mention is this: HOW VALUABLE IS THE DATA? If your computer is nothing more than a store house for music files, digital images, and games, security may not be as big a concern as if you use the computer to run a business and have account numbers, names, business plans, and such that you'd like to keep private.

“Related story: I bought a house in San Antonio. The back door into the garage was easy to open because the locking hardware was sloppily installed. I was fixing it and my neighbor wandered over to see what I was doing. I told him "I'm making it easier to break in to your house than mine." My threat analysis told me that my biggest concern was a low-level thief looking for a quick score of something portable to sell for drugs. So that's what I defended against. If someone really wanted to get in, they would, so I didn't worry about that.”

Protecting passwords

Your e-mail account requires a user ID and a password. So does your computer at the office. In fact, you may have several different user IDs and passwords at the office -- one set for each of several applications. If you do banking online, you'll have a user ID and password. Many websites require a user ID and password for all content or for premium content. And if you buy anything online, each store will want you to set up an account with a user ID and password. That's a lot to remember, and you already know that you shouldn't just write them down and stick them in your wallet. Using the same user ID and password for everything isn't good, either, because if one is compromised, they all are compromised.

 

Password strength

Passwords can be strong or weak. Any password that consists of a plain English word is weak because it can be determined by a simple "dictionary attack". Examples of weak passwords:

  • ElizabethKatie (two daughters' names)
  • Tangerine (a cat or a fruit)
  • ElephantBook (two unrelated words)

No matter how long a weak password is, it's still a weak password. Much stronger passwords can be developed by using two unrelated words, capitalization, and numerals. For example, here are some relatively strong passwords:

  • mEoW227FuzzBALL
  • Joe8Pizza
  • 800kr9v19w9r

The first is "meow" with odd capitalization, 227 might be your house number, and "fuzzball" could be a name you call your cat, again with unusual capitalization. Easy to remember, but hard to guess. Likewise Joe8Pizza (Joe ate pizza). And a little modified leet-speak gives us 800kr9v19w9r (book reviewer).

Any of these passwords would serve for all but the most demanding situations. The strongest passwords are hard to guess, but they're also (unfortunately) hard to remember. For example:

  • AW0^V8h5^X27N3kic#@
  • YJoli8!K3MA27XZEcp+
  • C4j##39w#n]2&r@k1wL

These 19-character passwords use upper and lower case, numbers, and symbols. The trouble with strong passwords such as these is that the user must write them down and that makes them weak passwords.
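To make the dictionary-attack point concrete, here is an added example (not from the column and not part of PINs) that estimates how much work an attacker who knows the dictionary trick faces. It splits a password into letter, digit and symbol runs, checks whether each letter run is a concatenation of dictionary words, and charges a whole word far less than its characters would cost by brute force, so a long password built from words scores low while the random 19-character ones keep their full charset strength. The word list and DICT_SIZE are constructed stand-ins for a real cracking dictionary.

```python
import math
import re

# Constructed miniature word list standing in for a cracker's dictionary;
# DICT_SIZE is an assumed size for the real list an attacker would use.
WORDS = {"elizabeth", "katie", "tangerine", "elephant", "book",
         "meow", "fuzzball", "joe", "pizza"}
DICT_SIZE = 100_000
SYMBOLS = 33  # printable ASCII characters that are neither letters nor digits

def segment(run, words=WORDS):
    """Split a lower-case letter run into dictionary words; None if impossible."""
    best = [None] * (len(run) + 1)   # best[i] = word split of run[:i]
    best[0] = []
    for i in range(1, len(run) + 1):
        for j in range(i):
            if best[j] is not None and run[j:i] in words:
                best[i] = best[j] + [run[j:i]]
                break
    return best[len(run)]

def charset_bits(pw):
    """Naive estimate: length times log2 of the alphabet actually used."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += SYMBOLS
    return len(pw) * math.log2(size) if size else 0.0

def dictionary_bits(pw):
    """Attacker-aware estimate: each dictionary word costs log2(DICT_SIZE) + 1
    (the +1 allows a capitalisation variant); digits and symbols are brute-forced
    per character. Returns None when some letter run is not made of words."""
    bits = 0.0
    for tok in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        if tok.isalpha():
            words = segment(tok.lower())
            if words is None:
                return None          # not a pure word password: no shortcut
            bits += len(words) * (math.log2(DICT_SIZE) + 1)
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += len(tok) * math.log2(SYMBOLS)
    return bits

def strength(pw):
    """Estimated attacker work in bits; the dictionary-aware figure wins when it applies."""
    naive, aware = charset_bits(pw), dictionary_bits(pw)
    return round(naive if aware is None else min(naive, aware), 1)
```

Run on the column's own examples, `strength` gives roughly 17.6 bits for Tangerine, 35.2 for ElephantBook, 38.5 for Joe8Pizza, 45.2 for mEoW227FuzzBALL and 124.8 for the first random 19-character password, which is why the "hard to remember" ones are in a different league.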

A co-worker found a neat solution and it's even free. PINs is a free open-source application from Mirek Wojtowicz that encrypts your user IDs and passwords, stores them, and makes them easy to use. For example, I can visit my favorite website -- www.MagicShazbat.com (don't try it; the site doesn't exist) -- and then use PINs to enter my user ID (SnarfleWiggins) and my password (VvD28^%69$015+Sf^_l) without having to type anything at all. This is particularly useful if you use strong passwords such as the one shown here.

PINs (Windows only) allows you to store any number of user IDs and passwords and encrypts them with 448-bit Blowfish encryption that may be crackable, but not by the average person. Government agencies with massive computing power may be able to decrypt the information.

PINs does not require installation and has no special DLL files that go into the system directory. This means you can copy both the application and the data file onto a floppy disk or a USB drive and safely carry it around. If you put the application and the data file on a USB drive, it means that you'll be able to gain access to your user IDs and passwords from any Windows computer with a USB port.


PINs allows you to create as many categories as you want for passwords and IDs. Mine run the gamut from bank and credit card IDs to memberships, travel information, stores, and the miscellaneous catch-all category. Pressing the + sign displays all of the records in the category.

Here I'm looking at the miscellaneous category. PINs displays the user ID and the URL (if there is one) but does not display the password until the user opens the specific record.

At the right is a record for the Mac OSX Hints website. Two interesting security features are present here:

First, the icon with 3 stars and a key to the right of the first password entry box is what PINs uses to generate a random password. You can specify the length of the password, what characters may be used, and how many passwords you want to choose from.

Second, the icon at the far right displays a character map so that the user can create a password by clicking characters from a table instead of typing. This is a feature for the true paranoid.

The data file (you can see a piece of it at the left) is all low-bit characters so it can easily be e-mailed without further encryption, but you could also use WinZip to create a password-protected file if you're at all concerned.

You might be wondering how PINs keeps prying eyes out of your file. It does this with a password. That password had better be a strong one.

And you'd better not forget what it is because, as the author says, "DON'T FORGET YOUR PINs PASSWORD!  I won't be able to recover it for you (nobody will...)"

Technology corner rating for PINs
10 CATS: It's strong. It's easy to use. It's secure. It's free. What else is there? Visit Mirek Wojtowicz's website and take home a copy.

Worms in your news, your earth-moving equipment, and your Chrysler

This was not a good week for companies that are still using Windows 2000 and that haven't managed to install all of Microsoft's critical patches. The ABC Evening News staff had to break out typewriters this week when their computers were attacked. The same was true at other networks. Chrysler lost an entire hour of productivity at more than a dozen assembly plants, idling some 50,000 workers.

Chrysler has patched the affected Windows 2000 systems, but remnants of the worm are still out there. Among the others severely affected by the outbreak: The New York Times, SBC Communications, and Cable News Network.

The flaw that allowed this mess to occur involves the Windows Plug and Play (PnP) service that allows the operating system to detect new hardware -- a new keyboard, mouse, or USB drive, for example. The operating system detects the device and loads the software drivers that are needed to use the hardware.

A buffer overflow in Plug and Play could allow a remote attacker to take complete control of Windows 2000 systems, installing their own programs and viewing, changing, or copying data from the computer's hard drive.

Microsoft issued a "critical" fix (MS05-039) and before the week was out code to exploit the flaw began to show up on websites frequented by those who write viruses and worms. By the weekend, the first of at least 19 variants of the worm started circulating.

Is there a lesson here?

I think so: IT departments should give patch deployment top priority. It's important to test patches to ensure that they don't break a mission-critical application, of course, but this testing should have the highest possible priority. As soon as the patch is cleared for installation, automated procedures should be used to distribute the patch.

Nerdly News

Mozilla creates for-profit division just as Firefox loses market share

Net Applications, which monitors some 40,000 websites, says that Firefox's market share has dropped a bit. Earlier in the year, Firefox was gaining about 1% per month and Microsoft's Internet Explorer was losing about an equivalent amount.

In June, Firefox hit 8.71%, but fell to 8.07% in July. Internet Explorer advanced to 87.2% in July from 86.56% during June. That's still significantly lower than the 95% or more that IE had commanded previously. The biggest gainer was Safari on the Mac -- increasing its market share to 2.13%.

According to Net Applications, the shares work out this way:

  • Internet Explorer 87.20%
  • Firefox 8.07%
  • Safari 2.13%
  • Netscape 1.50%
  • Opera 0.49%
  • Mozilla 0.52%
  • Other 0.09%

The (former) AOL employee who stole 92,000,000 names goes to prison

Jason Smathers, who used to work for AOL, will spend up to 15 months in prison for stealing a database of 92 million e-mail addresses and selling it to spammers.

AOL fired Smathers in 2004 after determining that he was the person who used another employee's ID to steal the names. He sold the 92,000,000 names for $28,000 (that's about 0.03 cents per name -- three hundredths of a cent for those who don't do math) and spammers delivered about 7,000,000,000 (7 billion) spams (that's about 76 spams per address if I got the decimals aligned properly).

A lawyer for Smathers characterized the theft as "dumb", "stupid", and "insane". Smathers at least did not attempt to slide by with an insanity plea.

In case you're wondering, the sentence works out to 1 second of prison time for every 142 stolen e-mail addresses.

Let us know what you think. Write to:
Bill Blinn --
Joe Bradley --