Blog.Privatei.com.au

Network security is something big businesses spend big money on. It's something you hear about on the news, read about in the paper, and it's something your workplace worries about, but not something you need to worry about as an individual, right?

On Passwords...

What makes a good password? Firstly, it shouldn't be a word at all. When someone tries to crack a password, one of the standard methods is a 'dictionary' attack, which basically fires every word in the dictionary at a system to see which one works. If your password is a word, and it's in the dictionary, then you'll be hacked - it's that simple.

A random set of letters, numbers and symbols is the best password, and the longer it is, the better it will work. 200 or more characters arranged bit like like this is ideal; sMkms!Psw2uU3$zaaTAQa^rApnt_). For most people, however, a password like that is unusable. You'd have to write it down, save it in a file, or have an incredible memory to use it on a day-to-day basis. Writing it down or saving it defeats the whole purpose of it being so strong, so you might as well use something you can remember.

A usable alternative is to create a pass-phrase which has multiple words stitched together. Ideally you'd throw in a number or two and some punctuation as well. For example, something like browN.doG-bluE.birD is going to be difficult to crack, but not too hard to remember. The first letter or two of each word of a sentence can also be a good option. For example, "One Flew Over The Cookoo's Nest" could become onflovthcone.

Bare in mind that now that I've given these as examples, they will probably show up in the larger password dictionaries available for download and used by hackers all over the world, so don't use the examples I've given, be sure to invent your own.

Save This Password?
How many passwords have you used today? A moderate user might enter a dozen passwords into various websites in an hour or two of internet use.

Accessing secure sites such as online email, paid subscription services, social networking and financial sites, most browsers (eg. Internet Explorer, FireFox, Chrome and Safari) will offer to save your passwords for you. This is certainly more convenient than entering the username and password every time, especially if you have different details for different services and have trouble keeping track of them all.

The downside is that anyone who has access to your computer has these passwords in their hands. For the novice intruder, surfing their way to the target site using your machine may be enough to get them access to your information. When your browser is helpfully remembering your username and password for you, logging out is of limited value. For the better organised intruder, 15 seconds on your computer is plenty of time to strip out every username and password that you have conveniently stored and save them for later use.

The Same Password

It's not unusual for people to come up with a good secure passphrase, and then use it everywhere. You might have it on your email, use it at work to login to your computer, use it for facebook, and use it to encrypt an important document.

Let's say one of these locations is compromised. For example, your work network is hacked and your password is discovered. The issue you now face is that the offender who hacked your work network can now also access every other account you have, and not only do they have a head start, but can probably also do it faster than you can.

It may not be feasible to use a different passphrase everywhere, but there are half-solutions I'd recommend. Using several different passphrases for different purposes can be a workable method. For example, you might have a long, highly secure passphrase you use for internet banking and only in a few other places, then a second-tier passphrase, perhaps shorter and quicker to type, which you use for work purposes, and a third passphrase you use at home, on facebook, and for your personal email. If you need to create an account on a message board or some other site where you're worried might not be very secure, you could have another password you only use on things that really don't matter very much.

I always recommend you keep home and work separate; don't use the same password for your email at work as you do on facebook or on your personal email.

Can I borrow your computer for a minute?

Sounds harmless enough - would could he do in a minute? The answer, unfortunately, could be anything and everything. It takes seconds to harvest all your saved passwords, or to install a keylogger or a back-door into your system. The process can appear completely benign; a well crafted piece of software might look exactly like a word processor or an email client, but in the background could be doing 10 different things you don't want it to!

Your Wireless Network

Most people have a wireless ('WiFi') network at their home and/or workplace. Wifi offers a simple and cheap way to share internet access, printers and files within a fairly short distance.

There are a couple of open wireless networks near my office, though fewer than there once were. With the rise of the smartphone, and the common-enough feature where the phone helpfully offers to attach itself to any open wireless network it can see, most people have implemented some kind of security on their wifi network.

There are a number of ways to 'secure' your wifi. The old standard was to use 'WEP' encryption, and many people still use this today; in my own street there are over a dozen WEP-secured networks visible to me as I drive past with my phone tasked to 'listen' for them. All WEP networks, no matter how tricky or how long their password (or 'key') is, are basically open-access to me. WEP encryption is so insecure that I can literally crack it with software running on my phone. DO NOT think you're secure if you're running a WEP encrypted network.

Your MAC address is a bit like the licence plate on your car - it is a unique identifier for your wireless adapter; this could be a USB device hanging out the back of your machine, or a tiny chip build into the middle of it. Some people 'secure' their wireless network by configuring it to only allow certain MAC addresses to connect. This would be pretty secure, if it weren't so painfully easy to change your MAC address with a few keystrokes. There is even free software for smartphones which can do the same thing in seconds. So if your network is secured through only allowing a certain set of MAC addresses to connect, it's not really secure at all.

WPA, or WPA2 is a much more secure method for securing your network. If you have a home or work wireless connection, get into it and change it to WPA or WPA2 as soon as you can. Ideally, your passphrase should be long and random, and definitely not be single word or name. With a WPA network and a good passphrase, you can feel reasonably secure that your wifi won't be hacked directly.

Be wary of 'free wireless'. With less than $100 worth of equipment, unscrupulous characters can create a free wireless hotspot and allow anyone to connect and have internet access, and use this connection to tunnel into your computer to extract information, or simply to 'listen in' to your internet traffic, stealing passwords as you use them. Remember that if someone was to access your computer, even for a few seconds, any of your data, including the key to your own wifi network, can be extracted.

Location tracking, iPhone, android phone, various software. encrypt iphone backup

Documents with Passwords

The pervasive Microsoft Office, including the commonly used Word and Excel, includes a password protection option as a built-in feature. PDF documents can be password protected so that they can only be viewed by those in-the-know, and then placed on websites or intranets, making them available to everyone.

As much as it pains me to shatter your illusions of security, a Microsoft Word (or Excel, etc) password can be cracked in somewhere between 20 seconds and 10 minutes, depending on the method and the computing power applied, and a password-protected PDF is similarly insecure.

If you want to secure a document, use a third part encryption tool like truecrypt. As with any tool, your encryption is only as secure as your password, so a good passphrase is still important.

Lost or Stolen Computer

Most people don't encrypt their hard drive. If you use the built-in encryption that comes with your operating system, then it's only as safe as your password, which takes less than 5 minutes for a specialized tool to crack.

If you're serious about security, I recommend encrypting your whole hard drive with a tool like truecrypt. It will allow you to encrypt the entire disk, making it inaccessible to all but a professional hacker with a lot of equipment and lot of time on their hands.

Email Security

If you're using an online email provider like GMail, Hotmail or Yahoo, the server itself is pretty well secured. The most likely method for someone to get into your online email is to obtain your password. The easiest way to get someone's password is to ask them for it. This is the principle used in phishing attacks, where you are usually tricked into entering your username and password in an imitation site. When visiting your email site, you should get to the site directly rather than using a link provided in an email.

Another way your email may be accessed is by catching it during the transmission. For example, a packet sniffer may 'listen' to your network traffic and put all the pieces together to reconstruct an email as it passes through the network. One way to safeguard information during transmission is to encrypt it using PGP (or OpenPGP). A free software package like Thunderbird can be combined with a free OpenPGP plugin to give you secure encryption and decryption capabilities, right on your desktop. In this way, you're safe from losing data by sending email to the wrong address, or leaving email in your inbox and having someone else access it there

As long as your computer is secure, you use a secure passphrase, it isn't compromised by having been used somewhere else where it can be harvested, you're not tricked by a phishing attack, and your data isn't captured unencrypted en-route, your email should fairly secure.

The Bottom Line

As one of our services, we often perform Penetration Testing for clients. We crack their wifi, sniff their packets, phish their staff, decrypt protected documents, and as a part of that, as often as not, we harvest valuable information from staff computers.

One of the easiest ways into a secure corporate network is to penetrate the home network of a staff member first, so it should be remembered that when it comes to data security, securing your home is as important as securing your workplace.

Related Stories

Password cracking http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125

Browser fingerprinting http://panopticlick.eff.org/

SecurID Tokens breached http://www.net-security.org/secworld.php?id=11122

This information is provided for Private Investigators such as myself; not for lawyers, police or other law enforcement, so it will not cover warrants, emergency interception or other similar topics. As a professional investigator, these questions come up fairly often – Can I make a call to someone and record it? Can I record incoming calls? Can these calls be used as evidence? 

Relevant Legislation

There are two kinds of legislation which you'll need to understand when it comes to recording phone calls; telecommunications interception legislation (Commonwealth or ‘Federal’ law), and listening devices legislation (State law). You will need to understand both, and due to the latter, the resulting legality of call recording varies between states, even though telecommunications are generally a Commonwealth responsibility.

Telecommunications Interception Legislation

Under Section 7 of the Telecommunications (Interception and Access) Act 1979, you cannot lawfully intercept a communication passing over a telecommunications system. If that looks pretty clear, then you’ve probably not read much legislation in the past.

Breaking it down:  

1. Intercept includes listening to or recording, without the knowledge of the parties
2. A communication means a conversation or message and can include data, images, sound, video, speech, etc.
3. Passing over covers the time between when it is sent or transmitted at one end, and when it is accessible to the recipient at the other end.
   a) Accessible to the recipient means it has been delivered, or it is under the control of the recipient, or it has been received
4. A telecommunications system ... is one which transmits communications electrically, but not solely by radio. (Ie. a phone network, but not CB radio)

The first option should be apparent from point (1) above – if you have the knowledge of the parties, then this section does not apply to you, so (subject to Listening Devices legislation in your state) you can lawfully record the call. You should note that it doesn’t say anything about consent, but instead uses the word knowledge. 

Knowledge vs. Consent - What difference does it make?  

Knowledge and Consent are quite different things. In this case, once you tell the other party to the conversation that the call is being recorded, then under this legislation it lawfully can be – even if they say “no” or tell you to stop*. (*Check the Listening Devices legislation in your state, which may, in effect, overrule this.) In the case of interception, you’re not asking them for their permission or consent – you’re just making them aware of the recording – and this is what makes it lawful.

If you’ve ever tried having an open conversation with someone after you just told them it’s being recorded, you’ll realise that it either takes a while for them to forget, and so open up to you, or they don’t forget, they remain guarded, and you never get the whole story.

What if you don’t want them to know the call is being recorded?

From the breakdown of section 7 above, you can see this section only applies to interceptions passing over a telecommunications system. This is a key point, because if a phone conversation is recorded after it is accessible to the recipient, then it’s not passing over a telecommunications system, so it’s not covered by section 7.

Passing over? How does that help?

It's probably easiest to explain by using some examples of ways you might record a phone conversation:

• Using a speakerphone and making a recording in same room. As soon as the sound exits the speaker, it is available to you, and is therefore no longer passing over the telecommunications system, so it’s no longer covered by Section 7. 
• Using a software device on your own computer, a digital recording of the call is made within your computer. Once the call enters your computer it is under your control, so it is no longer passing over the telecommunications system. Even if you hear the sound slightly after the recording is made, it was under your control from the moment it entered your system, which was obviously before you recorded it. 
• Using recorder plugged into a phone such that the sound is diverted both to your ear and to the recorder – once the sound was under your control (after all, you had control enough control to divert it to your recorder), it's no longer passing over a telecommunication system.  

Note that these examples only apply when you're a party to the conversation (ie. when you are the intended recipient of the message which is being recorded) and do not apply if you are recording a call between other people which you're not a party to.

Why does my insurance company warn me that the call is being recorded?

Codes of practice (eg. Industry Guideline - Participant Monitoring of  Voice Communications) guide organisations such as phone and insurance companies to alert people before recording calls. They are even told to allow people to opt-out of call recording (effectively setting up implied consent), while the legislation clearly doesn't require this.

Listening Devices Laws

Beware: satisfying the federal legislative requirements so that you’re not ‘intercepting’ your own phone call could still leave you illegally recording it in your state.

Once you’re past the telecommunications interception legislation, you’re effectively in the same situation as someone recording a conversation on the street, or in a meeting room – you’re subject to relevant State and Territory based Listening Devices laws.

These laws vary from state to state:

• in some states when you’re a party to the conversation you can record it even without telling the other party (eg. Victoria) 
• in other states, parties to the conversation need to consent to the recording (eg. NSW) 

To check out your state and the rules which apply, you’ll need to check out this post:  Listening Devices Laws in Australia.

Victoria

You can't use an optical surveillance device to view or record a Private Activity. Whether the place is a 'public place' or a 'private place', or whether public or private property, is not relevant in Victoria.