Passwords – Worst Practices

A recent report showed that in an analysis of 32 million passwords, 5 of the top 10 passwords were a sequence of numbers from 1 to 9 (i.e., “123456”, “12345”, “123456789”, etc.). Furthermore, studies showed that nearly half of all passwords are considered “weak” or “trivial” by most password systems (in other words, easy to guess or crack). Considering that many people use the same password for everything (email, subscriptions, banking, bills, etc.), the key point here is to make sure your passwords are as strong as possible, to protect your data.

Among the interesting recommendations from the report:

  • Passwords should contain at least eight characters. While this seems like a no-brainer, the analysis of the 32 million passwords showed that 50% were seven characters or less, and 30% were six characters or less! Shorter passwords are much easier to crack: computers are fast enough that a hacker could “brute force” a short password in just a few minutes.
  • Passwords should not be a name, a slang word, or any word in the dictionary. Also, they should not include any part of your name or your e-mail address. This is a variation on the point above: every word in the dictionary fits into a relatively small file that a hacker could run your password against. These “dictionary attacks” would be the first plan of attack when trying to crack your password. And while using two words combined into one password is a good start, the hacker dictionaries have already taken that into account, literally including all word combinations in the English language up to fourteen characters!
  • Passwords should contain a mix of four different character types: upper case letters, lower case letters, numbers, and special characters (symbols or punctuation). This is the best advice I can give: any password that appears to be gibberish will be nearly impossible to crack. And just like locking your car or setting your house alarm, you want your password to be such a deterrent that it would take too long for a hacker to bother. Think about it: if a hacker used just a list of the top passwords, they could compromise 1000 user accounts in only 17 minutes! So don’t be the “low hanging fruit” by choosing a simple password.
  • If there is only one letter or special character, it should not be either the first or last character in the password. This is more of a “human” tendency than a computer one: studies have shown that when people use a single special character, they usually put it either first or last. It’s just a tendency, but recent password-cracking programs take that into account. So if you just mix it up a bit, it’ll take longer to crack your password… if ever!!
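As an added example (my own code, not from the report or the original post), here is a small checker that applies the four rules above and estimates the keyspace a brute-force search would have to cover; the word list and the name/e-mail inputs are constructed placeholders.

```python
import re
import string

# Constructed stand-in for a cracker's word list; a real checker would load a
# full dictionary file (this list is an assumption, not from the report).
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "baseball",
                "sunshine", "football", "letmein", "qwerty"}
SPECIALS = set(string.punctuation)  # 32 printable ASCII symbols


def charset_size(pw):
    """Size of the smallest standard alphabet covering pw: the base a
    brute-force search has to enumerate for every position."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return size


def brute_force_guesses(pw):
    """Worst-case guesses for an exhaustive search of pw's keyspace."""
    return charset_size(pw) ** len(pw)


def check_password(pw, name="", email=""):
    """Apply the four rules from the post; return the names of rules that fail."""
    failed = []
    low = pw.lower()
    if len(pw) < 8:                                   # rule 1: length
        failed.append("length")
    letters = re.sub(r"[^a-z]", "", low)              # rule 2: words / personal data
    personal = (name + " " + email.split("@")[0]).lower()
    fragments = [t for t in re.split(r"[\s._-]+", personal) if len(t) >= 3]
    if letters in COMMON_WORDS or any(f in low for f in fragments):
        failed.append("dictionary/personal")
    if charset_size(pw) < 62 + len(SPECIALS):         # rule 3: all four types
        failed.append("mix")
    for kind in (str.isalpha, SPECIALS.__contains__): # rule 4: lone char at an end
        idx = [i for i, c in enumerate(pw) if kind(c)]
        if len(idx) == 1 and idx[0] in (0, len(pw) - 1):
            failed.append("edge")
            break
    return failed
```

The keyspace numbers make the first bullet concrete: a six-digit PIN has a million possibilities, while an eight-character password drawn from all four types has 94^8, roughly six quadrillion.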

There are more recommendations from this report (and my own personal advice), which will be coming in a future post. In the meantime, go change your passwords!!!

Politics & Law: Police want backdoor to Web users' private data

Here is an interesting article suggesting that government cybercrime investigators are pushing for the creation of a national Web interface so internet wiretap requests can be sent and received electronically. While this certainly would make my job a lot easier, I believe the privacy that we would give up in this scenario far outweighs the potential crimes that may be prevented or solved.

Take a look and decide for yourself.

Security Usually Fails at the Human Level

I was just reading an article about how easily a reporter could enter some large buildings in downtown Orlando. While this particular article is a bit “fluffy”, it does raise an important issue: security usually fails at the human level, not the technical level. For example, most major “hacks” are the result of social engineering or some oversight.

I am reminded of a former employer of mine many years ago: all employees had keycards, but most of the time if I was carrying a large box or something, someone would always open the door from the inside and hold it for me. These people had no idea who I was, or whether I even needed to enter those buildings.

So even if you have an “impenetrable” system set up, if you have inept people in charge of security then you always run the risk of a breach.

Facebook Records Every Click You Make

Here’s an interesting article about the information that is stored about you on Facebook:

Conversations About the Internet #5: Anonymous Facebook Employee

In essence, not only does Facebook record every click you make and every photo you view, but (sometimes) Facebook employees will view your private profiles, and (rarely) even manipulate your profile data! A sobering thought, but yet another reason to balance your right of privacy vs. your need for security. Facebook actually has some good security preferences, so go use them!!! :)

Also interesting that Facebook has over 220 million users and is holding over a trillion photos… whoa!!!

How private are your text messages?

How private are your text messages? Looks like the Supreme Court is going to decide…

http://www.cnn.com/2009/CRIME/12/14/scotus.messaging/index.html

Up in the Air

I had the pleasure of seeing the film “Up in the Air” last night (very good film, by the way) and it got me thinking about how companies need to follow the proper procedures when laying off employees. That’s where I come in… :)

Earlier this year I was working on a Computer Forensics case for a large corporation that was laying off a big group of employees. Because of the size of the group (over 700) they decided to lay off everyone at once instead of in face-to-face meetings. They herded people into the lunch room to explain the situation and severance packages, and some people immediately got up during the meeting and went back to their cubicles, presumably to pack their belongings. However, many of these “early departers” were also found to be copying lots of company confidential data to CDs and USB flash drives. Based on the registry data on the hard drive and the timestamps of the user’s folder, I was able to determine what files were copied at the last minute, and HR was able to pursue the proper actions with the laid-off employees.

DC3 Digital Forensics Challenge

Hi everybody. I just wanted to announce that my team “Barely Legal” recently finished First Place in the Civilian category (5th overall) at the 2009 DC3 Digital Forensics Challenge. This competition, conducted by the US Department of Defense Cyber Crime Center, had over 1150 entries from 49 states and 30 countries, and is one of the major tests of the digital forensics community for investigative skills, tools, techniques and methodologies. This is our second Top 10 finish in the past two years (last year we finished 2nd Civilian, 6th overall) so we are very proud of our continued improvement in this global competition.

This year’s challenge presented a fictional scenario re-creating what an actual examiner might face in a Digital Forensics Lab. It included sections on Image Analysis, Suspicious Software, File Signatures, Hashing Metadata, Steganography (Data Hiding), File Encryption, File Headers, Password Recovery, Registry Analysis, Log File Recovery, and more. For information on the actual competition, go to http://www.dc3.mil/2009_challenge

I’d like to thank my teammates Mark Liphardt and Kevin Cohen for their support and teamwork throughout the competition, and we look forward to “winning it all” next year! :) And feel free to call and/or email if you have any questions about the competition (or would like to peek at our answer sheet).

Woman surgically alters fingertips to beat security

Just goes to show that even the best biometric data can be fooled.

Woman alters fingerprints to fool scanners

New Product Release from Sony

Very hilarious, and (unfortunately) not too far from the truth!

New product release from Sony

Happy Data Privacy Day!

Today is International Data Privacy Day. There’s a website at Intel which tells you all about it (including the Top 5 Teen Privacy Tips), so definitely check it out. Of course, being in the Computer Forensics business I know all about the digital traces you leave behind, so in order to keep my job I want all of you to post your Social Security numbers online and change your passwords to 1234. :)

I’m kidding of course, but for today just take a moment to think about all the things that could be “shored up” a bit in your digital life. Change/rotate your passwords, remove any incriminating photos from your MySpace/Facebook page, or just pay attention to all the things that could be tracked online and try to make them private somehow. You wouldn’t live in a bad neighborhood and leave your door unlocked and open all night, would you?