Friday, December 30, 2011

Creating Passwords Using Seed Mapping

Rod Coleman

Passwords are a pain.

Security requirements are becoming more complex just as we need more passwords for new apps, challenging our ability to remember them all.

Here are the requirements for a reasonably secure password:
1. Contain at least 8 characters.
2. Contain upper case letters.
3. Contain lower case letters.
4. Contain numbers.
5. Contain special characters.
6. Appear to be random.
7. Be different for each application.
8. Be easy to remember.

Unfortunately the first seven requirements make the last almost impossible.  Many just give up and use personal information or ordinary dictionary words, which are easily cracked.  Yes, there are software tools to help out, but they mostly add cost, complexity and management.

Fortunately there's a simple trick I've been using for years, and it's good enough to defeat the dictionary and personal-information guessing that catches most people.  Plus, it costs nothing at all to use.  The trick is, don't REMEMBER your passwords - DERIVE them.  Here's a simple example using a two phase algorithm - seed selection, then keyboard mapping.  It turns a predictable seed into a password that looks random, and the only thing you have to remember is the method.

Start with a seed that's in front of you as you log on to the site - for instance, Microsoft.  A simple seed would be the first four letters, "micr".  There.  You're halfway done.

Now simply expand this seed onto the keyboard in a visually consistent way.  Let's use the two keys directly above each seed key for this example.  "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$", yielding the password "Ju8*de4$".  No, don't try to memorize this mess - just watch your fingers as they move.

See the pattern?  The visual pattern is the trick.  This password meets all the standard criteria, yet you don't have to memorize it - just look at the name, then map it visually with your personal method.

Notice I capitalized the first character, and had to shift to get the "*" and "$" because "i" and "r" sit on the top letter row, so two keys up runs off the number row.  That's one way of including special characters and caps.  If you don't want special characters, wrap around to the bottom row of the keyboard instead.

The beauty is, memory was not a factor.  It's simply visual.  It's best to not even think about what keys you're hitting - just hit the two above your seed character.  I honestly have no idea what my passwords are, I just know the pattern that produces them.

It's easy once you define a method.  For the above approach:
Gmail would produce "T5juq18*"
Yahoo would produce "6^q1y69("
FaceBook would produce "R4q1de3#"
(Note that the Yahoo password has no upper case letter: its first key is a digit, so there was nothing to capitalize.  A capitalization rule that depends on the first key being a letter will sometimes miss requirement 2.)

Again, no memorizing.  OK, go ahead and use my example method if you like.  It's better than using your dog's name.  And you won't need to read any further.  But remember, you'll have the same passwords as every other person who reads this blog and uses the same sites, and anyone who knows the method can derive your password for any site from its name alone.

Or...  You can quickly customize.

Just invent your own method (algorithm).  There are literally millions of ways of doing it.  Here are a few aspects to keep in mind while you think about it:

First, the seed.  It should be at least four characters, which gives 26^4 = 456,976 possible seeds - nearly half a million distinct passwords, provided each seed letter maps to a different key sequence.  Two characters give only 676 - not enough.  A three character seed (17,576) is on the border.  And I don't suggest using more than a seven character seed, because you'll either be creating very long passwords or have poor distribution in the mapping phase, as described below.

Since the objective here is to leave the mob behind, it's best to mix up your seed a bit.  How about a backward flip - "iamg" for Gmail.  Or better yet, replace the "g" with your dog's middle initial.  Or yours.  It doesn't matter much, as long as the method is easy to remember.  Personalizing with an initial or two also makes your passwords differ from those of other people using the same method on the same sites.  After all, Microsoft or Hotmail will be a common starting point for many.

How about taking every other letter, then stepping back?  Gmail could become "gami".  Or ignore the first letter and get "mial".  You get the idea - there are a lot of ways of doing this, so make yours unique.  I've only discussed a couple of aspects of seed generation as examples.  It's best to come up with something I haven't even talked about.  Just be consistent, so your method is easy to use.

Now as to the keyboard mapping phase.  Our first example was OK, but did you notice how "q1" occurred in all three of the last examples?  That's because each seed contained the letter "a", a common letter, and the same seed letter always maps to the same two keys.  Also, these simple examples only have a fair distribution over the key map.  To look random, the output needs to spread across the whole keyboard, just as a good pseudo-random generator spreads across its range.  The keyboard makes a decent output alphabet, as long as you span it well.  For instance, "mmiiccrr" for Microsoft stays close to (and IS) your seed.  That's poor distribution.

In contrast, an expansion of three or four keys going up will always capture a number, and usually a special character.  Or if you go down instead, then wrap back up to the number row, it's almost as good (but with few or no special characters).  Three up always gives a number, and gives a special character whenever the seed letter sits on the top or home letter row.  That is how you control how many and what types of characters end up in your password.

There are obviously lots of ways of getting similarly distributed results.  Go up for the first seed character, down for the second, capitalize the third and shift the fourth to possibly add a special character.  Or expand the first seed character once, the second twice, the third three times, etc.  You choose - that's the beauty.  No one but you knows your method, and that secrecy is what the whole scheme rests on.

Or ignore the first character, then go right one and three up.  Or one up, two left.  Or skip a couple.  The objective of distribution is to break up patterns of common letters (a, i, e) by applying different directions to different seed positions.  This key map phase is where you can really express your unique nature.  Try diagonals.  Or leaps.  There is no right or wrong method; some are just better than others.  Scramble your seed.  Scramble your map.  But in a way that's visual to you.
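To make the two phases concrete, here is an added Python illustration of seed selection, keyboard mapping and the requirements check from the list at the top of the post.  It is an added example, not code from the original post, and it generalises the "two keys above" method to any per-position list of moves, so the up-then-down and right-one-three-up variants are illustrations, not Rod's methods.  It assumes a ten-column US QWERTY grid with punctuation keys filling out the short rows, that a move above the number row gives that key's shifted symbol (or wraps to the bottom row when overflow="wrap"), and that the first derived character is capitalised, as in the examples above.

```python
import string
from itertools import product

# Ten-column US QWERTY grid (assumption: punctuation keys fill out the short
# rows so every column exists in every row).  Row 0 is the number row.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
SHIFTED_NUMBER_ROW = "!@#$%^&*()"     # the key "above" the number row, shifted
KEY_POS = {key: (r, c) for r, row in enumerate(ROWS) for c, key in enumerate(row)}

# A mapping method is a list of move-lists, one per seed position (cycled when
# the seed is longer).  Each move is (rows_up, cols_right) relative to the seed
# key, so [(1, 0), (2, 0)] is the post's "two keys above".  The other methods
# are illustrative variants, not from the post.
TWO_UP = [[(1, 0), (2, 0)]]
THREE_UP = [[(1, 0), (2, 0), (3, 0)]]
UP_THEN_DOWN = [[(1, 0), (2, 0)], [(-1, 0), (-2, 0)]]   # alternate per position
RIGHT_ONE_THREE_UP = [[(1, 1), (2, 1), (3, 1)]]


def map_key(key, rows_up, cols_right, overflow="shift"):
    """Return the key `rows_up` rows above and `cols_right` columns right of `key`.

    overflow="shift": one row above the number row gives its shifted symbol
    (the post's "*" and "$"); anything further up, or below the bottom row,
    wraps around the grid.  overflow="wrap": always wrap, no shifted symbols.
    """
    r, c = KEY_POS[key]
    r -= rows_up
    c = (c + cols_right) % 10
    if r == -1 and overflow == "shift":
        return SHIFTED_NUMBER_ROW[c]
    return ROWS[r % len(ROWS)][c]


def derive(seed, method=TWO_UP, overflow="shift", capitalize_first=True):
    """Phase 2: expand every seed key through the method's moves."""
    keys = [ch for ch in seed.lower() if ch in KEY_POS]   # ignore non-grid chars
    out = []
    for i, key in enumerate(keys):
        for rows_up, cols_right in method[i % len(method)]:
            out.append(map_key(key, rows_up, cols_right, overflow))
    pw = "".join(out)
    if capitalize_first and pw:
        pw = pw[0].upper() + pw[1:]     # no effect when the first key is a digit
    return pw


# Phase 1: seed selectors (letters of the site name only, lower-cased).
def seed_first(site, n=4):
    letters = [ch for ch in site.lower() if ch in string.ascii_lowercase]
    return "".join(letters[:n])


def seed_reversed(site, n=4):          # the post's backward flip: "iamg" for Gmail
    return seed_first(site, n)[::-1]


def seed_skip_first(site, n=4):        # drop the first letter: "mail" for Gmail
    return seed_first(site, n + 1)[1:]


def site_password(site, seed_fn=seed_first, **kw):
    """Both phases together: site name -> seed -> password."""
    return derive(seed_fn(site), **kw)


def meets_policy(pw, min_len=8):
    """Requirements 1-5 from the list at the top of the post."""
    return (len(pw) >= min_len
            and any(ch.isupper() for ch in pw)
            and any(ch.islower() for ch in pw)
            and any(ch.isdigit() for ch in pw)
            and any(not ch.isalnum() for ch in pw))


def distinct_passwords(seed_len, **kw):
    """How many different passwords an n-letter seed can produce (26**n at best)."""
    seeds = ("".join(s) for s in product(string.ascii_lowercase, repeat=seed_len))
    return len({derive(seed, **kw) for seed in seeds})


if __name__ == "__main__":
    for site in ("Microsoft", "Gmail", "Yahoo", "FaceBook"):
        pw = site_password(site)
        print(f"{site:10} {seed_first(site)} -> {pw}  policy ok: {meets_policy(pw)}")
    print("Gmail, up then down:", site_password("Gmail", method=UP_THEN_DOWN))
    print("Microsoft, three up:", site_password("Microsoft", method=THREE_UP))
    print("two-letter seeds give", distinct_passwords(2), "distinct passwords")
```

Run as-is, the four site names reproduce "Ju8*de4$", "T5juq18*", "6^q1y69(" and "R4q1de3#", distinct_passwords(2) returns the 676 from the seed discussion above, and meets_policy checks requirements 1 to 5 for each result.  Note that derive is a fixed function of the site name: the method, not any password, is the secret.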

One challenge you'll face is sites that require you to change passwords every few months.  An easy (if less secure) solution is simply to add a number, starting with 1, to the end (or beginning).  Increment the number each time you have to change passwords.  If you forget where you are, a few tries will get it, and you'll have plenty of time before you have to use 1 again.  Or add the last digit of the year to your seed and shift it after June 30th.  Do what works for you.

It's a good idea to have a backup method for when you encounter other conflicts (such as sites that don't allow special characters).  If your password doesn't work, try your simpler method B.

Also, don't use your method for any password you have to share with anyone else, or they might guess your trick and put all your other passwords at risk.  This is another good reason for a more simple method B or C for shared passwords.

Finally, don't make your method TOO complex.  There's a point of diminishing return.  Other means of capture, such as a camera or someone watching your fingers, or plain social engineering, will make a "perfect" method irrelevant anyway.  Video cameras are common and getting smaller, so even a perfect password can be stolen.  If you're still concerned, add a second factor such as an iris scan.  But for most, pseudo-random is good enough.  And FAR better than your dog's name.

By the way, Seed Mapping is just one approach that happens to give a fairly good result.  There are many other methods.  Be creative.

Now go change all your passwords so you can burn that cheat-sheet in your desk drawer.

And let me know how Seed Mapping works for you.

Rod Coleman
General Manager
Sierra Computer Group

Tuesday, December 13, 2011

Zero Access Infection

Recently I encountered a threat that infected a client's computer.  The client noticed that their antivirus program intervened and requested a reboot of the computer to finish the remediation.  Upon rebooting, the user was unable to log on.  Worse yet, she had no mouse or keyboard.  Fearing the worst, the user pushed the power button to shut down the computer, which responded normally and gracefully shut down.  Next she tried to get into Safe Mode by pressing F8.  Windows booted into Safe Mode, but again there was no keyboard or mouse input, it seemed.

I was able to verify the customer's complaint.  Only I noted that the system was still alive and I was able to PING it, which to me meant that it was still working.  I remotely accessed the machine's registry and enabled remote access to the machine.  When attempting to connect remotely, I discovered I did not have the local administrator account password.  After rebooting the computer with a bootable password recovery CD, I recovered the four-letter local administrator password in only 9 seconds.

Using the recovered password I was able to remotely connect to the computer and determine that the installed and updated antivirus software had clobbered the Windows XP PS/2 driver (i8042prt.sys), used for both PS/2 keyboard and PS/2 mouse input.

I booted from the Windows XP CD and, using the Recovery Console, manually replaced the i8042prt.sys driver; however, I was still unable to get the system to use a PS/2 keyboard or mouse.  I found an unused USB keyboard and began to work on the system, running some additional virus removal tools.  One of the tools identified an infection known as Zero Access.  After the tool completed the removal steps, the system still did not work with the PS/2 keyboard and mouse, but did work with the USB keyboard.

I decided to run a repair install of Windows to correct the issue.  The repair install soon reached the point in the setup process where it booted from the hard drive, and disturbingly, again I had no PS/2 mouse and no PS/2 keyboard access.  After a little research, and on a hunch, I aborted the repair install (knowing that it would resume upon reboot) and tried a decidedly different tactic.

Most of the variants of the Zero Access rootkit will infect the Master Boot Record of the hard drive, which causes the machine to load part of the rootkit while the machine is still vulnerable and unprotected from viruses.  I booted the Windows Recovery Console from the CD and had Windows replace the MBR and boot sector.

Next I crossed my fingers and let Windows reboot.  Windows setup then continued the repair install and, voila, I had access via the PS/2 keyboard and PS/2 mouse again and the machine was fully remediated.

The client was upset that the antivirus program had disabled their computer, when they should have realized this was a fortunate circuit breaker.  Their real concern should have been that their system and all their activity were almost exposed to some unknown source.  Without the antivirus program disabling this computer, every single input to the computer would have been collected and redirected...and probably not for the forces of good.

Remain vigilant.

Dave Hendricks
System Engineer
Sierra Computer Group

Thursday, October 27, 2011

Big Brother or Big Sister? - Improving Employee Productivity

Improving employee productivity

The internet can be a big employee time waster.  About once or twice a month I get a call from a business owner asking how they can either monitor their employees' computer usage or prevent them from wasting time on various web sites.  Monitoring and content filtering software are available to do this, but using these solutions should be weighed against your corporate culture.  The costs and benefits of monitoring and managing internet access can be huge, but the problem can also be managed using a human approach, with a combination of coaching and leading.

I call content management software the Big Brother approach, after the line "Big Brother is watching you" from George Orwell's book 1984.  Many small business owners like the idea of being able to view their employees' desktops, but it can lead to employee resentment and lost productivity when implemented without their buy-in.

An alternative is the "Big Sister" approach, which means creating a culture of trust by sitting down with employees and educating them about the conditions or time frames in which they're free to use the internet for personal things.  The Big Sister approach can work well for small groups of professionals.  Either way, you should also have a written "acceptable use policy" to cover inappropriate computer use, for things like porn and sending jokes that are sexist, racist or could be misinterpreted.  The Big Brother approach is often needed for schools, large organizations, or those subject to regulatory restrictions like HIPAA.  Big Brother is also needed for anyone with a serious need to protect corporate assets.

One of the solutions we use when employee monitoring is needed is Spector 360, a software package that costs about $115 "per seat".  Multiply this by the number of employees, and figure about an hour of labor per workstation to get the software set up, and you'll have a good idea of the cost.  The software can be installed in stealth mode, invisible to the user, who is unaware that it is on his machine.  This is generally legal when the machines are owned by the business, but we recommend having employees sign an acceptable use document stating that monitoring may be done.  This investment will pay for itself by allowing the manager to centrally monitor and even manage computer use from his desk.  Regular or periodic screen shots can be taken of the employees' screens, allowing for playback like a security camera Digital Video Recorder (DVR).  Logs can be created and reports produced to answer questions like which employees spend the most time surfing web sites, who is spending time on what sites, who uses chat or anonymous email, and much more.  Other, less expensive packages are also available to install on "problem" machines on a case by case basis.

Tools like this can significantly increase productivity, allow investigation into violations of acceptable use policies, and protect against data theft (studies show 1 in 5 employees will print or copy company data in the days leading up to their resignation).  In one high school the software was configured to create and email reports automatically any time inappropriate words were used.  This included, for example, swear words inside .doc files or in any software on 700 desktops across the school.  Administrators were able to discipline students, and word got around, greatly reducing problems.

Content filtering is another class of productivity tool.  Filters limit access to the websites needed for business.  We often implement this using a SonicWall router, but many other products are available depending on the needs of the client.  The content filter allows us to either create a whitelist of sites that are OK to use, or blacklist specific sites that aren't.  While effective, this technique sometimes produces employee frustration when they have previously had free access.  In some cases a new site is needed for legitimate business use and yet can't be accessed until someone with the password has added it to the whitelist.  The difficulties associated with aggressive filtering came to light when I implemented it in my own house to protect our children.  My teenage daughter came to me complaining that she couldn't access her favorite swimsuit shopping site.  This shopping site was lumped into one of the unacceptable use categories, probably because of the pictures of scantily clad swimsuit models.  I found myself slowly whitelisting sites, and then unblocking whole categories (e.g. shopping, photography).  After 6 months of frustration (for both me and the children) we ended up taking the "Big Sister" approach with our kids.  We basically said "OK, if you go to bad places then we're shutting the whole thing down".  At least with the content filtering I was able to set a schedule that automatically shut down internet usage at 10pm each night.  This helped reduce late nights of online gaming.

A third and incredibly important business productivity tool we use is the spam filter.  I'm constantly amazed at the number of small business owners who suffer silently with hundreds of spam messages each day.  Multiply the minutes you spend reading and deleting spam by the number of employees you have, and you'll realize that the free spam filters (which don't work well or integrate well with Outlook) are not cost effective.  Like anti-virus software, no spam filter is perfect, but along with regularly unsubscribing from unwanted newsletters, it can control most of the volume.  Spam filters run about $2-$5 per person per month, but pay for themselves quickly.  The goal is to receive as little spam as possible without false positives (rejecting customer email that you want to receive).

Each of these three productivity enhancement techniques (monitoring, website blocking, and spam filtering) can help control wasted employee time.  To the list we should probably add workstation backup, anti-virus, and anti-spyware tools.  The average virus slows a machine down for weeks, causes 8-14 hours of actual down time, and costs another 4 hours of IT staff time to fix.  The hard cost of these tools is arguably less than the soft costs associated with lost productivity.  Just make sure employees understand the reason for any changes in their access.

Darren McBride is CEO of Sierra Computer Group, a Reno based IT and Network Consulting firm

Friday, September 23, 2011

A False Sense of Flight Security

The last 50 years have seen the emergence of passwords (or pass-numbers) to protect access to everything from your front door to your computer.  Cyberlore has many examples of how poorly we apply this technology, and much of it is true.  There are so many ways these security systems can fail, many of which are social and have nothing to do with technology.  Stories of passwords left as default, written in convenient places and based on common personal information are often true, and DO put the user at risk.  Even when you use a random password, there are social ways to fail.

Earlier this week in a meeting, I was logging into Windows as one of our techs watched me type, and he noted, "At least you don't use a simple password".  He could tell that from my finger movements.  It's part of what our techs do for our clients, and it reminded me of something that happened years ago as I waited at an airport gate for my next flight.

It had been a long day and I was tired of reading.  I also happened to be facing the jet-way access door, but a little off to the side.  It was getting close to boarding time, and a flight attendant walked up to the door.  Before she could enter, she had to key in a pass-code on the five buttons of the door knob.  OK, I admit it - I was bored.  I couldn't help but notice the pattern of movement her fingers made just before she turned the knob and went through the door.

A few minutes later another attendant did the same thing, verifying the code for me, or at least the required finger movement.  I laughed to myself at how easy it had been to visually crack this important security system, but didn't realize what was to happen next.  I'm still laughing even today.  Here's why:

A couple of minutes later the pilot arrived (or co-pilot - at least he had a scrambled-egg hat).  Anyway, he keyed in his code.  I immediately noticed it was different and wondered if there were multiple valid codes.  But then the door didn't open.  He tried again - no luck.  I smiled to myself.  After a third time he swore quietly.  They had either changed the code, or he simply didn't remember it correctly.

You may have already figured out what happened next.  Yep.  I took pity on him, walked up, entered the code, and let him on the plane.  After all, I wanted to go home without delay.  The look on his face reflected the irony of the situation, but he didn't say anything.  I just smiled and sat back down.

The point is, your security can fail in many ways.  Keep an open mind.  Cover as many bases as you can, but don't expect any technology to be perfect.  Just good enough.

Rod Coleman
General Manager
Sierra Computer Group

Tuesday, July 19, 2011

Tuesday, June 28, 2011

How Google's Panda Update Changed SEO Best Practices Forever

SEO is not just a moving target, it's a whole new ball game.  If you manage a website, these 11 minutes may be the best investment you make today.

On the upside, our Google searches may begin to improve again.  It seems like the content farms have been winning lately.  If their theories are correct, we should see this Panda dance over the next few months.

How Google's Panda Update Changed SEO Best Practices Forever

Saturday, February 19, 2011

IPv6 Transition

IPv4 to IPv6

It's not likely to be critical for your installation today, but sooner or later it WILL be a factor in your IT plan.

Here is one of the best overviews I've seen on the topic so far:

Ask Ars: How should my organization approach the IPv6 transition?

And if you think you can simply ignore the topic:

Why the IPv4 to IPv6 transition will be ugly

Let us know if you want help with an IPv6 transition plan.

Thursday, February 17, 2011

How Far Into the Cloud?

More and more technical services and applications are becoming available in the cloud.  But which ones are prudent to use for a small or medium size business?

Every technical solution has its drawbacks.  Servers in the closet have to be maintained, backed up and refreshed, but they are physically and logically under your own control, and usually the best choice for business critical applications.

But what about those web-apps that have broad public exposure?  Or the ones that need to scale in an instant? Are these not candidates for living in the cloud in some form?  In some cases, yes.  Here's an excellent article that can help you evaluate the alternatives:

The ABCs of virtual private servers, Part 1: Why go virtual?

Thursday, January 20, 2011

5 Signs Your Marketing is Outdated

Each business is different, but EVERY business should at the very least have a web page - it's like being in the Yellow Pages 20 years ago.

And if you have a web page, can you remember what it looks like?  Here's a link to a great review of web marketing practices by Robyn Freye:

5 Signs Your Marketing is Outdated