What technologies compromise security/privacy and why

Summary and examples

If anyone can gain frequent access to where a password is stored it can be compromised because they can try many times. As at Oct 2007 (IMHO) the very weakest technologies are: e-mail, Wireless routers and PCs plus any mobile technologies such as 'phones, PDAs, Laptops etc.. That is only my opinion (IMhO) - hackers and their specialist counterparts are in thousands of constant battles on a global basis to tip the balance and there are constantly new winners and losers.

At one extreme:

• Alphanumerics less then 15 characters long - very simple and when run from a hard drive rather than a CD will take less than five minutes. See http://en.wikipedia.org/wiki/LM_hash for a brief description of how bad it is. If that fails...
• Alphanumeric and specials - total less than 15 characters. Depending upon the hacker's PC, Hard Drive space and investment in hacking tools/Databases this would take between an hour and overnight.

If the latter fails they will simply use an Internet service to crack the password for less than 20 dollars if your PC is an attractive target.

The critical factor here is that a PC can try (tens of) thousands of times per second which means that they can use brute force to try every possible combination of increasingly large character sets.

At the other extreme:

Particularly if you have used your account name as an address (very, very bad idea!) that means that anyone who has that address will be able to easily find out how to login ONLINE - i.e. they can take over your e-mail REMOTELY! in terms of a web page at which to try various passwords.

Because each ISP will hopefully have rules about password attempts the hacker may use his PC to automatically try one (password) per minute but in that same minute might try that same password on 1,000 other e-mail addresses that he has access to from the millions available on a CD for 30 dollars. As the speed is so much slower the hacker is much more likely to use dictionary-based guesses with the obvious transpositions of numbers and letters that users assume will make such guesses more difficult. Once a hacker can login to your mail as you then he or she can of course not only see your existing e-mails and what companies you already have relationships with but also they can initiate new interactions and take the small chance that you will access your mail at 2-5am when they can delete any traces without you ever seeing them!

Bear in mind that if an ISP is compromised or your have used a password on a low-grade web site then it is likely that the fate of your password is sealed with the predictability of the former example - i.e. simply a question of when and not if your password can be known.

The range of technologies that are either seriously at risk and/or CREATE RISKs

Expanding the list above (see summary) with the basic aspects of risk:

• e-mail is the classic example of being at risk and creating risk. As my example above demonstrates - anyone with a simple password that is a name or just a common word is severely at risk - especially if their account name is used as an address. The excrutiating double-whammy about e-mail is that so many web sites use it as a means of verifying your identity! That isn't just a problem with existing accounts you may have with retailers but one day you may start receiving bills from twenty more! This is the reason that banks rarely use e-mail for any purpose other than marketing.
• Wireless routers are unfortuately almost as bad! and a double whammy too! Their problems are (at least) twofold:
  1. There is a method of attack which can be launched by simply browsing a web site that is malicious and if the router's login username and password have not been changed from the supplier's defaults then it can be hacked to allow it to be remotely managed after which it is 'game over' for anyone who uses a PC via that router!
  2. Many routers are still set up to use an old method of securing the transmission of your data between PCs and the router even though they MAY be capable of better. If you use the old protocol (or worse still have no protection!) then someone can become part of your local network within 2-3 minutes if they have a laptop with some very basic and available hardware and software.

  The problem with the latter isn't just a problem with stealing bandwidth but they can also elevate themselves to the #1 above and with the same consequences for anyone that uses that router! For anyone wanting to understand why it is 'game over' then consider the fact that almost all router installations give it the job of translating web site addresses to actual Internet numbers (IP addresses). So www.barclays.co.uk et. al.may not be who you think they are! possibly worse - how about downloading your updates to XP from microsoft.com! See Wireless security WPA not WEP for more details about the problem and possible solutions.

• PCs also have immediate double-whammy status because they are the centre of so much of what we do online and if yours is compromised then your problems could even be worse than the router scenario above! The good news is that there are well-established tools and techniques to avoid the problem but the bad news is that they often rely on YOU to actually:
  1. Initiate in a competent manner - maybe employ a professional
  2. Regularly maintain, service and perhaps renew any tools/products
  3. Above all to be vigilant and KNOW enough when a risk is too high to be taken and what and when makes a difference.

  So although someone with physical access to your PC is extremely dangerous (as in the example a long way above) anyone who has Windows XP with Service Pack 2 and all subsequent fixes plus quality firewall and antivirus programs that are also up to date are USUALLY safe! The exceptions - i.e. at higher risk are at least any of the following:

  1. PC has been setup for remote desktop which is very different from remote assistance! Remote desktop doesn't need you to initiate the take-over of the PC!!!
  2. Any user of the PC uses Peer to Peer technolgies such as any flavour of 'Messaging' (e.g. MSN messenger) or file sharing for songs or videos

  One final thought regarding PCs - bear in mind that if your's was stolen or you upgraded your PC and allowed the old hard drive to leave your possession without being profesionally wiped then just consider the problems you could have in either scenario!

• Mobile technologies such as 'phones, PDAs etc. will always give some 'pretence' of security despite them being almost unanimously incapable of anything of substance. Devices that rely on a managed service for most of their operations (such as a mobile 'phone) can easily have those services witheld but the physical devices and of the data that you have stored on them should be regarded as 'freely available' within a few hours or at least days of such a device being stolen.

What are the consequences of your password(s) being compromised?

For most people the highest risk items are those that I highlight above as being a 'double whammy' because of the impact as described. By far the greatest risk is that of escalation through your hierarchy of assets with the most likely and highest prize being your financial dealings with investment companies, banks, building societies et. al.. see How to manage passwords on the topic of keeping your passwords in zones of trust which you keep very much isolated.

That's all for now folks... more when I get time... Brian R

Why low-medium quality web sites and technologies pose so much risk!

The wider aspects of password management are truly expansive because of the constant fight between those that want to secure them versus those that want to crack them and the ever-changing techology as well as the fact that the scenarios of use can be totally different. Computers have to store their own 'key' against which they can check that the password you provide provides a match.

The very weakest approach is that the key that they store IS the password! - e.g. 'beckham99' is stored as-is. This method is in use today but only by very low-medium grade web sites and technologies, however this IS still a BIG EXPOSURE because if anyone uses the same or even very similar password with these sites or technologies as they do with any that have resources at risk then that is a nightmare waiting to happen because all PCs, web servers and even 'quality computers' have some exposure to the copying of their databases of passwords being copied - note that they don't need to be stolen to cause immense damage - just a minute with a memory stick is sufficient!

Unless you are certain to the contrary, the only safe assumptions that you can make are:

1. It is possible for an attacker to copy the database of passwords from any system that your use - PC, web site, 'phone, PDA etc.
2. Apart from the most competent and trusted companies you cannot be sure that the storage of passwords is adequately encrypted - anyone wanting to understand the nuances of the word 'adequate' should read below.

The points above are the primary basis for the adoption of levels which you must keep very, very distinct in terms of the password algorithm and the secrets that go into the password. See http://en.wikipedia.org/wiki/Password_strength for more background information. From that page you will also learn of the advanced techniques that are close to 'unstoppable' in certain scenarios - a hardware key logger in an Internet café for instance.

Encrypted passwords - mathematically uncrackable aren't they?

The basic problem is that if the rewards for hackers are high enough then they will be funded by 'serious' criminals to make cracking possible. The case of XP passwords is a good example - billions of PCs run XP and it has a fundamental flaw that XP doesn't add anything unique to a password (lmhash) before encrypting it with a well known algorithm.

Hackers have spent weeks creating what are called 'Rainbow tables' which are then used to reverse-engineer any alphanumeric XP password (in lmhash) less than 15 characters long in a matter of minutes and worse still it is freely downloadable in a form that can be burnt to a bootable CD which makes it ideal for any PC that you can physically access.

However, on the more serious side if there can be one - the method is really only limited by the size of the tables so criminals or even 'kids' can download the 43GB needed to crack passwords which have the full range of characters from a keyboard with success rates claimed to be 99.9%! To quote:
"If you want to buy my complete set of tables (30 tables, 60Gb !) for 100USD (New price!)"
More modern (than XP lm) encryption methods - are they any better?

Again the drivers are resources, risk and reward because the techniques are now well established. If you restrict yourself to lowercase letters and numbers in a password then the 'industry standard' MD5 encryption alogrithm was crackable for an 8 character password in less than 40 minutes as of October 2005! All that was needed was a 36GB table - not very big even then!

That means that by now (2007) there will be PCs 'out there' with many thousands of GB (mine currently has just 1500) capable of cracking any 'standard' MD5 encrypted database with key lengths of 10-12 for lowercase+numeric and maybe uppercase too for 8 character passwords.

Is this a problem that I need to worry about? you may ask. Unfortunately yes because for the past 4-5 years MD5 has been used at huge numbers of web sites 'as-is' and therefore there is a plethora of encrypted data which is now crackable with relative ease!

Again this is part of the justification for 'levels' of password trust - most banks will have been well-aware of the future problems of MD5 and similar technologies and planned ahead so their data when stored on a hard drive will not be a 'standard' MD5 because at the very minimum they will have introduced something unique to their site / business to the password - adding what is referred to as 'salt' or 'seed' and therefore nullifying the use of generic Rainbow tables. Even better methods to 'harden' password strength as you can see at: http://en.wikipedia.org/wiki/Key_strengthening may well be used at these financial sites BUT the problem is that across all of the web, I doubt that 5% of web sites that store user names and passwords do anything to harden passwords and they will be a plain, unsalted MD5 hash. Hence if you use the same password on multiple sites then you are exposing all of them to compromise, even those that you regard as trustworthy and competent because you ARE the weakest link as that game show says.

So the risk here does not stem from the banks themselves but with the 'ordinary' web sites that are probably regarded by most people as being trustworthy and competent - unfortunately the latter will not be true for a huge number of companies that do business on the Web and therefore YOUR password at their site may become compromised.

Tools you COULD use to see how weak your systems are

The most popular tool by far for 'amateurs' is Cain and Abel, documented at: http://www.oxid.it/ca_um/ because it is free, downloadable and well packaged. If you take a look at what that can do then you have to assume that there are other people and projects that can do a lot, lot more and that is pretty scary.

Links and other information last validated on 27th October 2007. Please use the Contact us page to suggest any additions or revisions. Windows XP Remote Assistance now provides in-work training and assistance, as and when needed to more than a dozen customers

What's Hot

Site Offers: