Monday, February 25, 2013

Movie / Beautiful Creatures 2013

I loved this movie, which seems to be solidly written, directed, acted, produced, and shot, with a great cast. It's a teen romantic comedy in which the girl is like a member of the "Addams Family" (the 'Caster clan), and the boy is your normal red-blooded American kid -- the reverse of the Twilight series, in which the boy is the vampire.

In a small Southern town, the boy (Ethan) longs to escape to the big city, and his deceased mother has instilled in him a love of Beat literature, giving him some intellectual depth. A new girl (Lena) shows up at school, with a troubled past. She's a niece of old man Ravenwood, who lives in a decrepit mansion, and is reputed to be in league with the Devil. The Bible-belting Christians are fervently praying to be saved from him, and want her kicked out of school. Ethan has been dreaming of her, and makes a huge effort to befriend her, leading him into a supernatural romance and numerous weird encounters with her magical family.

Her 16th birthday is coming up in 79 days, on 12-21-12 (coincidentally the End of the Mayan Calendar, although this is never mentioned), at which point her soul will be claimed by either the Light or the Dark. And this is an even bigger deal because her shift will supposedly set the trend for the "New Age" to come.

A bunch of plot lines ensue, involving numerous Southern motifs, a Civil War battle reenactment [of a Confederate victory], supposed events around the battle, an ancestral curse, Voodoo, alligator filled lagoons, nutty Christians, the secret lineage of her magical family, and numerous attempts by its Dark and Light members to influence her decision. All of which the boy Ethan is dragged through.

Yet it retains its teen comedy flavor throughout. It's rated PG-13 for "violence, scary images and some sexual material." However it's mostly just smooching, and the young woman is never exploited. The end sets up a potential sequel, if anyone gets motivated to write one.

Monday, February 18, 2013

Choosing Good Passwords in 2013

Greetings,

Now that we are living in the Cyber War Era, you are a combatant too. Yet while you are armed only with a pitchfork or a sharp stake (your lowly password), there are a number of things you can do to increase your combat-readiness.

Let me say this right off: Stop using short, complex passwords, which no longer work, and switch to much longer ones (at least 10-12 characters) that are more like ungrammatical phrases with misspellings, and start varying your userids.

Here's what's going on. Crooks, hacktivists, and spies (foreign and domestic) are continually trying to break into websites you've signed up to, and are regularly succeeding, because all software has bugs, which can sometimes be exploited, plus website owners often misconfigure their settings, allowing break-ins to occur.

Once inside, the first thing they steal is the password file, which they can either keep secret or else publicly post on the Internet for anyone to download. Worst case this will be unencrypted, allowing anyone to immediately login as you; or it may be one-way hashed, affording some privacy; or best case it is salted (by adding some variable known characters to make it longer) and then one-way hashed.

However, even with salt, a dump of one-way password hashes seems to act like a magnet, drawing hackers to try to break them, which they do by taking the relevant hashing function and inserting all possible passwords till they find one that hashes to the same value as yours. Bingo, they now have your password. And if you've been using the same userid and password on multiple sites, presto, they can sign in as you on those other sites as well.
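The three storage cases above (plaintext, bare hash, salted hash), shown from the website owner's side as an added example that is not part of the original post. The user names, passwords and "known password" list are constructed; the salted form uses a per-user random salt with PBKDF2, so two users with the same password get different stored values and a precomputed table of bare hashes no longer matches anything.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to pick the same password.
USERS = {"alice": "Port27Wine", "bob": "Port27Wine"}

# Constructed stand-in for a list of previously disclosed passwords.
KNOWN_PASSWORDS = ["password", "123456", "Port27Wine", "letmein"]


def unsalted_hash(password: str) -> str:
    """Bare one-way hash: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def store(password: str) -> dict:
    """What a well-run site keeps: the salt and the salted hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    candidate = salted_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def precomputed_table(known: list) -> dict:
    """Lookup table digest -> password for bare hashes of known passwords
    (a rainbow table is a space-saving variant of this same idea)."""
    return {unsalted_hash(p): p for p in known}


def demo() -> dict:
    table = precomputed_table(KNOWN_PASSWORDS)
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: store(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],   # True
        "salted_identical": salted["alice"]["hash"] == salted["bob"]["hash"],  # False
        "unsalted_lookup": table.get(unsalted["alice"]),             # recovered
        "salted_lookup": table.get(salted["alice"]["hash"]),         # None
        "verify_ok": verify("Port27Wine", salted["alice"]),
        "verify_wrong": verify("Port27Wlne", salted["alice"]),
    }
```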

This is bad, but what can you do? Learn how password cracking works and defend yourself by making your passwords harder to break.

If some crook has your userid and the hash of your password, there are 3 main things they can try. First is simply look up the hash in a giant pre-computed "rainbow table" of all possible hashes. This has already been done for all Windows® passwords up to 8 characters, including random ones. Thus a random 8-character password is now worthless, since a crook can just look it up in a few seconds.

Second, if there's no table, they can try to break it. The random 8-letter password that former CIA Chief David Petraeus shared with his mistress, which she used on multiple websites, including one that was hacked, was broken in about 16 hours, once someone got the idea to target it. [A head slapping breach of national security.] However by making it longer, say 10, 12, 14, 16 characters, it starts taking months or years rather than hours.

Third, they can try all other known passwords that have ever been disclosed as being passwords, including from massive cleartext dumps of previously stolen passwords. Thus if you see a password somewhere, DON'T use it, since someone may have already copied it into his or her dictionary of known passwords to try.

Because they are just stuffing all possible combinations into a hash function, the attackers do not see ANY of your password until they enter ALL of it exactly. Hence, a long goofy password is much better than a short random one. The longer passwords we recommend need not be painfully random, only hard to guess and never before seen.

The latest innovation for 2013 is grammar-aware password cracking. Knowing that people are now using multi-word phrases, crooks and "security researchers" have developed tools that try to build long passwords to test by combining words into phrases, such as "thelazydog." Thus if you combine some words in a way that follows normal grammar, they'll find that too.

So here's what I suggest, which should work for another 1-2 years:
  • Use a different password for each account, especially important ones.
  • Make all passwords at least 10 characters long, and 12-14 for high value accounts.
  • Don't reuse a password you've seen anywhere before, let alone a dictionary word.
  • Add in some capital letters and numbers, and maybe a special character.
  • Avoid using a grammatical phrase. 
  • Learn the basics of Leet Speak and start doing number-letter substitutions, such as zero for O.
  • Don't use the same userid on all sites; devise a range of userids.
  • Keep a note of when each password was last changed, and change it at least annually.
Some websites are still stuck in the past, and some of their pointless restrictions include:
  • Max of 8 characters (some reject over 8, others silently take only the first 8!)
  • No numbers or special characters
  • Must include capitals, numbers, AND special -- overly hard to type, and unnecessary
If you hit any of these, send a message to the website owner telling them to get up to speed in the Cyber War Era, and start allowing longer, free-form passwords up to 20 characters ASAP!
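The checklist above, turned into a small rule checker as an added example (not code from the original post). The breach list and the mini dictionary are constructed; the breach list deliberately includes the sample passwords the post shows later and tells the reader not to copy, so they are rejected as "seen before". The phrase check flags a password that splits entirely into dictionary words, which approximates the "no dictionary word, no grammatical phrase" rules.

```python
import re

# Constructed stand-in for a dump of previously disclosed passwords,
# plus the example formats shown in this post (which must not be reused).
KNOWN_PASSWORDS = {"password", "123456", "qwerty", "Port27Wine",
                   "ZoneX357Date", "G!!earth.bread", "Two0ldHou5es"}

# Constructed mini dictionary used to detect "words glued together" phrases.
DICTIONARY = {"the", "lazy", "dog", "quick", "brown", "fox", "red", "house"}


def is_word_phrase(password: str) -> bool:
    """True if the whole password splits into dictionary words, e.g. 'thelazydog'."""
    s = password.lower()
    # ok[i] is True when s[:i] can be split into dictionary words
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in DICTIONARY for j in range(i))
    return ok[len(s)]


def check_password(password: str, high_value: bool = False,
                   known=KNOWN_PASSWORDS) -> list:
    """Return the names of the post's rules the password fails; [] means it passes."""
    failures = []
    minimum = 12 if high_value else 10          # 10 normally, 12-14 for high value
    if len(password) < minimum:
        failures.append(f"length<{minimum}")
    if password in known:                         # never reuse a seen password
        failures.append("seen_before")
    if not re.search(r"[A-Z]", password):         # some capitals
        failures.append("no_capital")
    if not re.search(r"[0-9]", password):         # some numbers
        failures.append("no_number")
    if is_word_phrase(password):                  # dictionary word / plain phrase
        failures.append("dictionary_phrase")
    return failures
```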

So how does all this work together? Let's say your name is John F. Jones. Create multiple user names such as jfj0nes, jjon3s, jjone5, jf-jones, jayeffjay, jay.jo, and so on. In some cases, like if security is turned off by mistake, or if certain other security holes occur, an attacker can login with your userid alone.

When asked to create a new password, grab a pen and paper and write it down first, before typing it in, so you don't forget it.

Select some unrelated or only vaguely related words, capitalize them, and put some numbers between them, to get up to 10-12 letters, such as Port27Wine [10 do not use], ZoneX357Date [12 do not use], or G!!earth.bread [14 do not use]. Or consider a fractured phrase like Two0ldHou5es [12 do not use].

These are long, never before seen, and ungrammatical, yet not overly hard to remember or type. Don't copy my formats above (which I must now change), inviting crooks to target them. Design your own unique formats for combining multiple words and numbers. One source of memorable non-dictionary words is clever license plates; just be sure to add more characters to them.

If you live alone, there's little risk in keeping a paper list of logins, of which you may have hundreds, as long as the data file is not accessible by electronic means. Keep your master file under PGP encryption on a separate machine that rarely accesses the Internet. Then if you're hacked, the file is encrypted, and if you lose the data, you still have the paper, and can scan or retype them, rather than being locked out. Keep the paper in a safe place. For high value logins, never enter or save them into any electronic file; write them on 3x5 cards and stash them. I do not recommend password safes, because local malware could sniff your safe's password when you enter it, and then steal ALL your passwords.

If someone might steal your paper list, protect it by creating a secret PIN, which you do not write down anywhere, such as 1502, and secretly add it to every password, or maybe prefix them all with !2, so the paper list won't work unless the thief also guesses your additional PIN.

Your resulting password file, which has an unrelated file name, and stays encrypted when you're not editing or printing it, looks like this:
  • Name of website or URL
  • Email address you used to register with them
  • Userid, for this site, if not your email address
  • Password (per above guidelines, minus any secret PIN)
  • Month and year password was created or last changed
And don't shred your marked-up paper document until you're sure the new file is saved properly, or you'll spend weeks trying to guess or reset all the new passwords you just lost.

You're still at the mercy of individual website owners, who may scrimp on security and leave your password in the clear or unsalted, as well as malware infecting your PC that can steal your password while you're typing it, but otherwise, if you follow the above guidelines, hopefully your password hash will be one of the ones "left over," that the attackers were unable to crack.

And if you hear that some website you use was compromised, don't wait to be notified to change your password. Hop on and change it right away, to shorten the crooks' potential window of time to use or crack your password.

Happy and Safe Web Surfing!

Frank W. Sudia has worked in information security since 1993, once formed an information security company, has 14 issued patents relating to online security, and has recently done cybersecurity consulting for a major NY bank.

Saturday, February 09, 2013

The Granddaughter’s Tale

A friend of mine told me this story from her childhood. She grew up in Oklahoma, but her ancestors were from Mississippi, the Deep South. In fact I dated her cousin, also from Mississippi, a true Southern Belle of French descent with a rich accent. She never spoke of these personalities, but must have known them well.

My friend, let’s call her Caroline, was visiting her relatives in Mississippi as a child. Their grandfather had died in the Great Influenza in 1918, and their grandmother had remarried a full-blooded Cherokee Indian, whom everyone referred to as Paw-Paw.

Of course when Caroline was a little girl, Paw-Paw was an older man, from a bygone era. A man of few words, he rarely if ever spoke. It happened to be July 4th, and everyone else had gone out, leaving the two of them alone. Paw-Paw decided to do something for her. He was going to drive her into town.

Caroline waited out in front of the house (which I picture as a big white house with pillars) for what seemed like an eternity. At least a half an hour later, Paw-Paw came around front with a carriage and a team of horses, which he had been harnessing up and getting ready.

Without saying a word, they rode into town in the horse drawn carriage. Because it was a holiday, she was worried that everything might be closed. And she was right. Each place they visited was closed. Store owners were taking the day off, and getting ready for the fireworks, much later on that evening.

Despite all these disappointments, Paw-Paw remained silent. Then they turned around, still in silence, and rode back out to the house.

I’m not sure why Caroline told me this story, but it must have left an impression on her. The warm summer day, the carriage ride, the string of disappointments, the silent old Indian, must have all combined to produce an indelible childhood memory.

It had an impact on me as well, so I decided to share it with you.