Password awareness


Wow, my selections on topics about Google were on fire this morning with stories about the new extension designed to keep your access to accounts safe.

Password Checkup is an extension for Google Chrome designed to:

Wherever you sign-in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert. Please reset your password. If you use the same username and password for any other accounts, please reset your password there as well.

Like many people, I have supposedly had my credentials taken in a breach somewhere along the line. This was determined from this website.

It was a wakeup call to me that all these warnings about not using the same password all the time actually made sense. I’m now far more cautious and use very unique passwords everywhere along with two-factor authentication wherever possible. I’ve switched to a password manager on my computer to make difficult and unique passwords possible. I’m still not necessarily feeling 100% secure and, until something comes along to make things more secure, will probably never feel that way. I don’t think it’s necessarily a bad idea either.

I do a spring cleaning periodically and close down accounts that I created on the spur of the moment and then kind of forgot about. Having had an employer who had a payroll data breach makes the possibilities of problems very real. I think I’ve become a better user as a result.

The irony of using a plugin and browser from a company that relies on personal information isn’t lost on me either.

When was the last time you did a personal security checkup? Would you use a utility like this one? According to the extension site, 568 people are currently using it. Will you be 569?


Good Passwords


Check out the following page.

http://www.cbsnews.com/8301-205_162-57539366/the-25-most-common-passwords-of-2012/

This will take you to the 25 most commonly used online passwords in 2012.  Are you using any of them?  Hmm?

@bgrasley and I still marvel that “monkey” is still on the list!  I do know some people who have used those in the past.  It’s always a piece of good advice to tell them to change it to something more difficult to guess.

Why is it important?  Well, your password is the only thing that keeps hackers from your accounts, and ultimately your privacy and your money.  Biometrics may be on the horizon but we’re not there yet.  A person who guesses your password is, in effect, you online and is able to do things that you can.  Knowing how to protect an account is an important skill that all students should acquire.  I’d start by taking a list of popular ones and realize the damage that can be done.  I just noticed recently a well known individual from MIT end up being hacked on Facebook.  In this case, the hacker posted some information about a weight loss program.  Not good.  Having that password allows you to do all sorts of things.  Consider the following…

The name of the hacked person is hidden to protect them, and the actual URL, which is probably the destination for some phishing website, has been overwritten with red to hide it.

Intel has a great utility website to give you an idea as to just how strong your password is.  It’s located at:

http://www.intel.com/content/www/us/en/security/passwordwin.html

and it’s worth spending some time at.  Note the warning that your password doesn’t actually leave your computer but it’s a good idea not to use any real password anyway.  Maybe something close would give you a good enough idea of how good your password is.  So, how good is “monkey”?

Not good!  That advice is good for anything that’s found in a dictionary.

The nice thing to pass along to students is the information that Intel provides under the results.  It’s a really good summary of some of the ways to make your password difficult to guess.

The website is well worth the bookmark and a great idea to have students test potential passwords whenever new accounts are created.  Surely, you’re not about to use the same password on every site, are you?  Are they?

So, how do you generate a good password?  Well, one way is to use this website.

http://strongpasswordgenerator.com/

(I’d add a character or two to the suggestions that it generates just to be sure…)

I generated one.

How good is it?

I think I’d be a great deal more comfortable with that security.  You just then need to find some way to remember it!  Contemporary browsers have the ability to remember passwords.  (Just make sure that you have a secondary control over the passwords in case someone sits down at your computer!)  Or, addons like LastPass do a terrific job.

Just don’t write your passwords down on paper!
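The two checks described above (is the password on a common list or in a dictionary, and how large is the search space) plus a random generator, as an added Python example that is not part of the original post. The word lists are small constructed samples, the 60/80-bit cut-offs are assumptions, and the function names are hypothetical.

```python
import math
import secrets
import string

# Constructed sample lists; "monkey" is the entry the post singles out.
COMMON = {"password", "123456", "12345678", "qwerty", "abc123", "monkey"}
DICTIONARY = {"monkey", "dragon", "baseball", "sunshine", "coffee"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def search_space_bits(password):
    """Brute-force upper bound: length * log2(size of the character pool used)."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password):
    """Return 'weak', 'fair' or 'strong' (60/80-bit cut-offs are assumptions)."""
    lowered = password.lower()
    # Strip trailing digits/symbols so "Monkey1!" still counts as a dictionary word.
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON or core in DICTIONARY:
        return "weak"
    bits = search_space_bits(password)
    if bits < 60:
        return "weak"
    return "strong" if bits >= 80 else "fair"


def generate(length=20):
    """Random password from the OS CSPRNG with every character class present."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in candidate) for c in CLASSES):
            return candidate


if __name__ == "__main__":
    for pw in ("monkey", "Monkey1!", "aB3dE6gH9jK2", generate()):
        print(f"{assess(pw):6} {search_space_bits(pw):6.1f} bits  {pw!r}")
```

The bit count is only an upper bound: it assumes every character was chosen at random, which is why the list and dictionary checks run first.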

 

Determining What Calls Home


I’ve done some thinking about computer security and privacy over the past while.  It’s been precipitated by conversations with Gust Mees.  It’s good thinking.

We’re all in the same boat.  Just think of the number of times you’ve clicked the checkbox beside this.

  • My team of lawyers and I have read and studied your terms and conditions and we’re cool with agreeing to your rules and the fact that you’ll be accessing some of my private information on this device.  

I know that you’ve done it because you’re using a computer with an operating system and a web browser so you’ve already done the above twice.  (Unless, of course, you’re using someone else’s computer and they’ve already given permission on your behalf.)

This morning’s reading led me to a free application called “Permissions Explorer”.  Of course, my lawyers and I looked through the individual applications as they were being installed but once installed, they’ve got a little out of mind.

I installed it this morning and liked its legal terms –

“/* No permission required to use this app, no ads. Does only what you want it to do */”

So, I decided to put it through its paces.  I was quite impressed with its completeness.

Upon first launch, a menu indicates just what areas of privacy/security it will investigate.


Ever curious, I decided to work my way through them.  For example, what 61 applications do I have that have access to my contacts?


As I looked through them, I can see why.  After all, FirstClass and Gmail are the two email systems that I use on a daily basis.  It only makes sense that they have access to my contacts.  It was through exploring the rest of the applications that I became intrigued and really immersed in the exercise.

The next step is to ascertain what resources the applications have permission to use.


Interesting!  I’ve got 66 ways to vibrate this device.

Look at the number that have access to the internet.  They will all have their purpose – Internet browsers, of course.  Email clients, for sure.  FourSquare?  That’s how you’ll know that I’m walking the dog at the Navy Yard.  It’s interesting to go through the list and  wonder about some of the less obvious ones.

There were a few surprises in the exercise but, for the most part, the results made a great deal of sense.  I’d really like to lay my hands on similar applications for all the major devices.

In the classroom, I think that they could be used very successfully to generate an awareness and a discussion about how students are connected and just what that means.

It would even be an enlightening exercise to generate a report and then look at all the applications that are on school or home provided computers and classify them as “necessary”, “unnecessary”, or “I wonder why”.

It might even generate more interest in looking at the legal terms and conditions the next time you install an application or sign up for a web service.

Learn Computer Security in a Week!


That’s the claim from Gust Mees who has devoted a great deal of effort putting together an online course for those desiring to know more about what they can do to keep their computer safe and their online browsing experiences happy.

On his blog, Gust has put together a week’s worth of activities that will take you to the secure side of computing.  Each day has a number of activities pointing you to some of the best of the web in terms of security.  If your computer is not sporting best of breed software, then you need to take a run through his activities.

Gust has selected great Windows and Macintosh software titles as part of his course.  Even if you’re using another product, it’s worth the time to check out the opposition; the more you read and understand about computer security, the better off you’ll be.

Gust is also a curator of related resources.  Check the top of his page for security stories in both English and French.  He’s always tucking away the best of what he reads.

If that’s not enough, check out his Scoopit! resources for collections dealing with security and education.  He curates nice collections there.  In fact, we’ve been known to share each other’s scoops at times!

You can follow Gust on Twitter at @knolinfos


 

Dangers in Public Browsing


I think that we’ve all heard about the dangers of connecting to open networks.  It’s the stuff that spy stories thrive on.  You’re at your local coffee store doing some internet activity and a bad guy attaches to the same network and steals your identity.  After all, you’re both sharing the same wireless connection.  Futuristic, eh?

Not any more.

If you have the Firefox browser and an appropriate add-on, you can do it yourself.  A great deal has been written about the Firesheep add-on lately.  It’s reportedly a proof of concept utility that Mozilla allows to be downloaded and installed to hijack http connections.  Once installed, the curious can monitor the connection for logins and passwords so that you might assume someone else’s account.

In this day and age, I think many of us are quite comfortable with online banking or shopping.  We’ve all been trained to “look for the lock” or whatever the equivalent is for your browser.  That is a visual that you have a secure connection with the other end for the purposes of doing these sorts of things.  You may notice that increasingly more websites are using the same technology for just regular use.  If you head to the Mozilla web presence, it’s all presented securely for you.  So, what’s the issue?

Check out this story.  Watch the CBC report here.

Increasingly, we’re using social networking sites that do require a logon and a password.  The issue becomes one of security.  Is the connection secure or is your logon/password combination open to anyone who happens to be listening?  An article that I read yesterday from the Digital Report Card provides a nice summary of some popular services like Facebook, Twitter, Gmail, Hotmail, Yahoo! Mail, etc.  The report card is an eye opener and the descriptions about SSL and hijacking are important reads for anyone who wants to go online and use these services.  You need to open the link above and read the article, focussing on your own online habits.

Thankfully, the online services involved are responding.  Here’s a report on Facebook’s concerns.  The claim of over 500,000 downloads is kind of scary.  Especially, if one of the downloaders enjoys the same coffee as I do.

What can you do about it?  FireShepherd (and a tip of the hat to the humour of programmers) is a utility designed to jam Firesheep with random data to make it useless.  But, a better solution is to be aware of the type of connection that you’re making with these services.  More and more of them are offering secure options which you should always opt for.  To help the cause, the Electronic Frontier Foundation offers its own solution – an add-on called HTTPS Everywhere which should take the guessing out of the process and force a secure solution when you access the services thereby protecting your credentials.  There is a startup switch that you can apply to Google Chrome to force https connections as well.  That’s been around for a while.

It’s not just coffee shops that you should be concerned about these things happening.  How about a school network where you invite guests to attach?  Not necessarily related, but this report from London should give some pause for thought. Can we ensure that everyone who is attaching to the network is playing nice?  How about a hotel with complimentary internet access?  How about a conference centre like you’d find at an ISTE Conference?

Do we take our online sessions seriously enough?

Stay ahead of the bad guys


It’s a shame but the number of people who would attack your computer and compromise your data is on the rise.  Is it healthy to be paranoid?  After all, what are the chances that someone is going to exploit a weakness in your computer?

It would be difficult to arrive at a figure, but all that it would take is one exploit to attack you and you and your information could be toast.  Or, worse than that, your identity stolen.

How do you stay on top of things?

There’s the common knowledge that you need to patch your operating system, patch all of your applications, run anti-virus, run anti-spyware, …

How do you know where to start?  How do you know if and when your applications need patching or attention?

For me, it’s Secunia, a Danish security firm.  This firm stays on top of rumours, announcements, and does their own research about the status of software packages.  Yes, there are advantages to having automatic updates turned on.  But, do you have them all turned on?  What about software that doesn’t auto-update?  What if your software hasn’t polled to get the latest patch as you download that attachment that arrived by email?  (btw, shame on you…)

Secunia offers an email subscription service.  As soon as they know of it, you will be notified by email.  If you are fascinated by this whole area of computing as am I, check out the Secunia blog.

This will keep you on top of the breaking security stories, and most importantly, keep your computer and your data safe.
