How exposed are your passwords, and therefore your business?

June 8th, 2016

A password of “brett1” would take 54 milliseconds to crack, “brett123” a minute and “brett2016” only 42 minutes.

Password scams are real; here is a real-life example.

Every IT technician gets the call at some time…

A good friend of 10 years called me after his wife had been the victim of a telephone scam. A Telstra customer, she received a call from “Telstra” saying their PC was infected – a pretty standard scam to those of us involved in digital security.

The result was that the scammer had locked the PC using Windows’ own SYSKEY security utility.

My friend dropped off his PC and install disks. The scammers had cleared his restore points, so there was no way of restoring the PC to the state it was in before the social engineering attack.

I found a password-cracking program – a legitimate tool intended to help people who have forgotten their passwords or have been scammed.

The utility was free for passwords up to 5 or 6 characters in length. A few seconds later the password, 4123, was cracked. Actually, it was probably less than 2 seconds.

I immediately thought of how easily some of the passwords I’d seen used in the workplace could be cracked with this program by even the most unskilled attacker.

Passwords are one of the biggest problems in digital security at the moment. Several companies are making moves to reduce or eliminate them, but until other methods are simple, reliable and easy enough for widespread implementation, we are stuck with the old passwords.

In the past few years I’ve seen some terribly concerning passwords – a three-letter word (all lower case), simple names, Password1 and so on. Some of the worst offenders have been company directors and financial managers, who thereby put their entire business at risk.

Whenever somebody wants access to your bank account, personal information, identity and so on, they will start with your less secure accounts. The jackpot for them is the account that your other accounts use for verification, such as an email account.

Here are some tips on how to pick a secure password:

  1. Passwords in 2016 really should be 16 characters or more in length, with triple complexity – that is, three of the following four: lower-case letters, upper-case letters, numbers and punctuation.
  2. Avoid repetition, dictionary words, phone numbers, any part of the corresponding username or account name, and simple number or letter sequences.

Brute-force attacks start with “rainbow tables” – passwords ordered by popularity, compiled from lists stolen from other sources. These lists often include “Password1”, “qwerty”, “asdfjkl;”, “Sarah”, “abc123” and even common phrases such as “let me in”.

The trick is to find methods that give a password enough complexity that a brute-force attack is not worth the effort, without making it too hard to live with.

One suggested method is using the first letter from a favourite phrase.

An example I saw several years ago used the line from Gone with the Wind, “Frankly my dear I don’t give a damn”, turned into the password “Fmdidgad”. The “How secure is my password” site at http://howsecureismypassword.net gives it 22 minutes to survive a brute-force attack.

Adding numbers and punctuation – “Fmdidgad12#%” – takes that to 34 thousand years!

CNET suggests the same method is very effective when made more complex and longer: a password of 15 characters can take 16 billion years to crack. However, the Holy Grail of passwords is something simple to remember, something you can increment a few times before starting a new password model, and of course something terribly difficult to guess or brute-force.

Here are a few suggestions:

  1. Break the password into two or three segments. The most random segment could be shared by all employees in a department or small business. If each user’s password starts with “$#8! ” and is followed by another 6 characters of their own, it becomes hard to crack. “big1dog” is evaluated as a two-second crack, but “$#8! big1dog” is rated at 11,000 years of brute force.
    Employees keep the second segment of the password secret, providing local security.
  2. Include a letter or number. A good password can be incremented by a letter or number, so the password above could become “$#8! big1dogA” and then “$#8! big1dogB”. Don’t do this too often, or you risk an old password being discovered and the new one being deduced from the simple pattern used.
  3. Utilise password programs. Password managers such as KeePass are another method: a completely random string can be saved for each account, and the user needs to remember only a single strong master password.
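As an added example (not code from the original post), the rules above turned into a small Python checker: the 16-character and three-class tip, the popular-password list the post describes, the username, dictionary-word and sequence checks, and the warning in suggestion 2 about passwords that differ only in a trailing character. It also includes a keyspace-based crack-time estimate in the spirit of the howsecureismypassword figures. The popular-password and dictionary lists are constructed stand-ins, and the estimate assumes a billion guesses per second, so its absolute numbers will not match the figures quoted above; only the comparison between passwords is meaningful.

```python
import string

# Constructed stand-ins: the post's popular passwords plus a tiny word list;
# a real check would load a large breached-password list instead.
COMMON_PASSWORDS = {"password1", "qwerty", "asdfjkl;", "sarah", "abc123", "let me in"}
DICTIONARY_WORDS = {"password", "big", "dog", "dear", "frankly"}
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "punct": string.punctuation + " "}

def classes_present(pw):
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def has_sequence(pw, run=4):
    """True if `run` consecutive characters repeat or step by one (aaaa, abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        seg = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if len(steps) == 1 and steps <= {-1, 0, 1}:
            return True
    return False

def check_password(pw, username="", previous=None):
    """Return the rules the password breaks; an empty list means it passes."""
    low = pw.lower()
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    if len(classes_present(pw)) < 3:
        problems.append("fewer than three character classes")
    if low in COMMON_PASSWORDS:
        problems.append("appears in popular-password list")
    if any(word in low for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")
    if has_sequence(pw):
        problems.append("contains a repeated or sequential run")
    # The increment trick (...dogA -> ...dogB) is the first thing anyone holding
    # the old password would try, so flag a change confined to the last character.
    if previous and len(previous) == len(pw) and previous[:-1] == pw[:-1]:
        problems.append("differs from the previous password only in the last character")
    return problems

def brute_force_seconds(pw, guesses_per_second=1e9):
    """Average-case exhaustive search: the alphabet implied by the classes present,
    raised to the length, halved. The absolute value depends entirely on the assumed
    guess rate, so use it to compare passwords rather than as a prediction."""
    alphabet = sum(len(CLASSES[name]) for name in classes_present(pw))
    return alphabet ** len(pw) / 2 / guesses_per_second
```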

For more help on password security, visit the following websites or have a chat to us today!

https://howsecureismypassword.net/
http://www.cnet.com/how-to/how-to-master-the-art-of-passwords/
http://www.cnet.com/how-to/the-guide-to-password-security-and-why-you-should-care/

September 23rd, 2015

Diamond’s RansomBlocker


Today the rate of internet security risks is the highest it has ever been, and it is still rising. Ransomware variants such as ‘Crypto’ have been in the spotlight for several years now, and we continue to see cunning new variants of ransomware every day. Each variant is more advanced and more intelligent in its behaviour than the last, often able to remain completely invisible until it’s too late.

In response to these threats, and in line with our commitment to always look for new and innovative ways to make our customers’ lives safer, we’ve focused our development efforts on designing a highly advanced solution that further enhances our customers’ IT security.

Introducing RansomBlocker.

RansomBlocker is like a bullet-proof vest for your business’s important documents, protecting them against ransomware and cyber criminals. It’s an innovative solution designed by our expert development architects that detects the presence of ransomware on a system, isolates the infection to prevent it spreading across the network, and then raises an alarm to our advanced monitoring systems that ransomware has been detected.

While ransomware is always evolving, RansomBlocker uses real-time threat intelligence to correlate suspicious behaviours and activities that often go undetected by anti-virus protection. This essentially gives us a head start against a malicious attack.

RansomBlocker has recently been rolled out to all of our Diamond Managed Service customers, and we’ve already detected and prevented the spread of several serious ransomware infections. While RansomBlocker may not be completely foolproof, it adds another layer of defence that your business needs in today’s threat landscape. If you’re not a Diamond customer, we strongly suggest talking to your current IT provider about what ransomware protection they’re providing your business.

RansomBlocker is always alert and ready to protect your business’s sensitive data. It is innovative protection for today’s businesses against tomorrow’s threats.

If you’d like some further information on RansomBlocker call us today!