Internet Safety

Forum for admin topics, member introductions and general non-hifi chitchat.
terrybooth
Posts: 4396
Joined: Wed Jul 11, 2012 6:49 pm
Location: West Yorkshire
Has thanked: 499 times
Been thanked: 246 times
Great Britain

Internet Safety

Unread post by terrybooth »

This post is prompted by the plight a friend of mine is in. There is an attack specifically targeting people with eBay accounts. The attacker gets hold of your eBay account (more on how that happens later), and signs you up for a load of legitimate eMail notifications - the effect of this is that you are spammed by eBay - the attacker then orders a pile of stuff - the idea being that the victim cannot spot the messages about this in the snow of spam. The attacker then attempts to cover his tracks by hiding all of the bought items.

So how is this possible?

Passwords are passed over the internet as a 'hash'. This obfuscates the password so it cannot be read but this isn't, strictly speaking, encryption.

Since the username for most internet sites is your eMail address, the attacker knows that your user account for, say, eBay is the same as the one you set up for freindlytimbersupplies.co.uk which is a local firm just down the road. However, the security on the local site is not good - the attacker collects email addresses and hashes from the site.

The attacker can then do a 'pass the hash' attack. He doesn't need to know your password because he has the 'hash' value of it which is what is used to log you on. The attacker fires these at eBay (or Amazon) to see if it lets him in. If it does, then, he's got your account. eBay doesn't tell you that you've just logged in (some other systems do just that). So the attacker can harvest 'good' eBay accounts which he can then use in the attack.

The other way that the 'hash' can be used is to look it up in what are called 'rainbow tables'. There are tables of cracked passwords together with their hash. Bingo, the attacker has your user name and password and will try that on all the 'eCommerce' sites to find the ones it works on.

So.
  • Do not use the same password for all the internet sites you log on to
  • At the minimum, use the 'remember password' facility in your web browser to remember passwords for you. But better, find a password manager - search 'password manager free', install it and use it. These will provide extra tools to help like telling you where you have used the same password, generating complex passwords, which passwords you have are weak, which websites have been compromised and such like
  • If you have to manually set a password, don't use a password which is based on a word, even if you use letter substitutions - password, password01, p@ssw0rd, p@$$word1 are the sorts of things the attacker will try first - after checking that the username and the password are not the same. Either use a random combination of upper and lower case letters, numbers and symbols or - if it is one you have to remember, use a phrase you will remember - juke joints jive with me is less easily cracked than $jI9sklu
Pioneer PL71/DL103/ Phono2/HiFiPi/P90SA/TIS/CubixPro

George Hincapie
Has thanked: 0
Been thanked: 0

Re: Internet Safety

Unread post by George Hincapie »

The rainbow tables aren't tables of cracked passwords, the rainbow tables are every possible combination of characters for a given key length. Otherwise, good post.

There is nothing wrong with using an e-mail address as a user name, but as regards passwords, I encourage you all to use Last Pass or a similar product. What it does is it generates complicated alphanumeric password strings (including special characters you can designate from the ASCII table) and it stores those passwords in a vault. It integrates with your web browser, so in use you open your browser, use the master password to open your Last Pass vault, then select your web links as normal. It automatically enters your user name and password and logs you in.

You will need to spend a little time re-visiting each site to change to the passwords that Last Pass generates for you, but it works brilliantly. I love it.

P.S. There is no excuse for poor password discipline

slinger
Posts: 9234
Joined: Wed Aug 22, 2012 4:30 pm
Location: The Garden of England
Has thanked: 4569 times
Been thanked: 3118 times
European Union

Re: Internet Safety

Unread post by slinger »

I don't have much to add to that other than to echo and underline what's already been said and add another vote for Last Pass. There is no such thing as too much internet security.
Amps - NVA P50, AP30, A40, Stanislav Palo Tube Headphone Amp BB 85
Speakers - Monitor Audio Silver RX2
Cables - NVA LS1+LS3, SSC, Gotham S/PDIF, IBRA Optical
Digital - NAD C516BEE, SONY ST-SDB900 DAB TUNER, TEAC UD-H01 DAC
Analogue - Pro-Ject Debut Carbon Esprit SB, Graham Slee Gram Amp 2 Phono
Cans - Grado SR80, ATH-M50X

Fretless
Posts: 9294
Joined: Wed Nov 12, 2014 12:15 pm
Location: Somewhere in Holland
Has thanked: 1488 times
Been thanked: 2281 times
Netherlands

Re: Internet Safety

Unread post by Fretless »

Thank you all for this - I'll be checking out Last Pass ASAP.

Upstairs:
Vinyl
Pro-Ject 1.2 + Grado Sig Jr + Cambridge Alva Duo
DigiVolumio PC + Kiss DP-500 + Sabaj A20d
NVA: P50sa - Cube2 - SSP - LS6+ Sabaj A10a (x2)
Downstairs:
Vinyl
Logic DM101 + Syrinx LE1 + Grado Sig MCX
DigiDenafrips Ares II + Volumio PC + Cambridge CXC
NVA: P50 - BMU+ Aiyima A07 MAX (x2) + Arcam One
HP: HifiBerry Digi+ PRO + Sabaj A10d
Office:
Allo DigiOne SIG + SMSL M300se + Douk G4 (x2)
Mission 760 + Monolith THX AAA 887
Headphones: German Maestro & AudioQuest

terrybooth
Posts: 4396
Joined: Wed Jul 11, 2012 6:49 pm
Location: West Yorkshire
Has thanked: 499 times
Been thanked: 246 times
Great Britain

Re: Internet Safety

Unread post by terrybooth »

Resurrecting this one.

Passwords - hated by everyone - the users because they are hard and the admins because they are basically insecure.

The reason they are hard is because the received wisdom is that you make them 'complicated' by adding mixed case, numbers, and special characters. However, that makes it hard for people, especially when you need to have a different password for every site you go on.

Current thinking about passwords is a bit mixed. On the one hand you have this Password strength and Cyberaware. And then you have the advice to use a password manager.

There are pros and cons. If you have a lot of passwords to look after, a password manager does that for you and it will usually generate long 'complex' passwords for you. Many sites enforce 'password complexity' and there is no consistency in the way they do it: some demand 'special characters', others don't; some allow spaces, others don't (a unix thing). Some impose quite a short upper limit. Office 365 won't let you have a password longer than 16 characters.

So, my approach is horses for courses - if I can use a password manager, I do and I set a long complex password generated by the password manager. Where I can't, I use a three or four word random phrase (and because it's an ingrained habit I use some letter substitutions and capitalisation). But mostly, where I can, I use two factor authentication. Google does it, Office 365 does it, Amazon does it, Yahoo does it. If you can do it, do it. You'll get a one-time token (usually a series of numbers) which is unique plus you will have had to register a device (typically a mobile phone - i.e. something you have, personal to you and only you) to do it.

An eight letter password based on a dictionary word or a common sequence (like on a keyboard) can be cracked easily by someone motivated to do it - doesn't need any skill because all the tools are on the internet. If you use one of these http://www.telegraph.co.uk/technology/2 ... led-using/, the hacker doesn't even need a tool, they just try the common ones first to see if it works.

While I'm at it, check your email. Plenty of tools on t'interweb to do it. Checktls will tell you if your eMail provider will encrypt eMail. Most do. But it has to match the capability of the receiver. Try checking a btinternet.com address - it can't encrypt, so, unless you deploy something else to encrypt messages, everything will flow across the internet as plain text. There are other tools too which will tell you if the mail address is protected from spoofing - a common form of attack.
Pioneer PL71/DL103/ Phono2/HiFiPi/P90SA/TIS/CubixPro
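The post above weighs a random-character password against a three or four word random phrase, and warns about dictionary words with letter substitutions. As an added example (not code from the thread), the Python below puts numbers on that comparison: it estimates the guessing entropy of a random character string versus a random word phrase, checks whether a candidate is really just a common word dressed up with substitutions, and generates a phrase from a word list. The word list, the common-password list and the alphabet size of 95 printable ASCII characters are constructed assumptions; real generators use a list of thousands of words.

```python
import math
import secrets

PRINTABLE_ASCII = 95  # assumed alphabet for a random-character password

# Constructed short list of base words that attackers try first; a real check
# would use a breached-password list with millions of entries.
COMMON_BASES = {"password", "qwerty", "letmein", "welcome", "admin"}

# Constructed tiny word list for phrase generation; a real list has thousands
# of words, and the entropy estimate below takes the list size as a parameter.
WORDLIST = ["juke", "joints", "jive", "with", "me", "copper", "lantern", "river"]

# Letter substitutions the post mentions, mapped back to the plain letter.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def char_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy for `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def phrase_entropy_bits(words: int, list_size: int = 7776) -> float:
    """Bits of entropy for `words` words drawn uniformly from a list of `list_size`
    (7776 is the size of a standard diceware list, assumed here)."""
    return words * math.log2(list_size)


def normalise(password: str) -> str:
    """Undo the tricks the post names: lower-case, strip trailing digits,
    reverse common letter substitutions."""
    lowered = password.lower().rstrip("0123456789")
    if not lowered:          # password was all digits, e.g. "123456"
        lowered = password.lower()
    return lowered.translate(LEET)


def is_common(password: str) -> bool:
    """True if the password is a common base word, possibly disguised."""
    return password.lower() in COMMON_BASES or normalise(password) in COMMON_BASES


def generate_passphrase(words: int, wordlist: list[str] = WORDLIST) -> str:
    """Pick `words` words uniformly at random with a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare(char_len: int, phrase_words: int) -> dict:
    """Summarise the two approaches the post contrasts."""
    return {
        "random_chars_bits": round(char_entropy_bits(char_len), 1),
        "phrase_bits": round(phrase_entropy_bits(phrase_words), 1),
    }


if __name__ == "__main__":
    print(compare(8, 4))   # ~52.6 bits vs ~51.7 bits: comparable strength
    for pw in ["p@$$word1", "password01", "p@ssw0rd", "juke joints jive with me"]:
        print(f"{pw!r}: common={is_common(pw)}")
    print("generated phrase:", generate_passphrase(4))
```

The estimate assumes the words or characters are chosen at random; a phrase you compose yourself, or a word with substitutions, has far less entropy than the formula suggests, which is why the check in `is_common` matters more than the arithmetic.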
