Sunday, March 27, 2016

Provoking Patches

Welcome to my Week 2 blog post!

Last week we discussed passwords, whose importance is often overlooked.  This week, I want to take a look at something that we are all probably doing, but might not know why: patches.

Security patches are written and distributed by software vendors to correct a previously unknown vulnerability.  These vulnerabilities are discovered using a method called fuzzing.  At a VERY basic level, fuzzing is inputting unexpected data into a program, and watching how it reacts.  For example:

Enter a number between 1 and 10:

Now, a typical user would enter a number between 1 and 10, but a fuzzer might enter a 'q', just to see what happens.  If the software is coded correctly, the response would look something like this:

Invalid input, enter a number between 1 and 10:

However, if the software isn't written to validate input, you might see this:



The Blue Screen of Death is something we've all dealt with at some point, and it is the result of improperly coded software.  The reaction we have when this happens is usually one of frustration and anger, but we accept it and reboot.

What if the result is something more malicious, like administrative (root), or even SYSTEM access?  Now, the fuzzer just discovered a way to gain permissions that a standard user should never have.
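An added example (not from the original post) of the fuzzing idea above: a tiny harness feeds the "Enter a number between 1 and 10" prompt with a 'q' and other unexpected input, and records which parser crashes instead of answering "Invalid input". The parser names and the fuzz corpus are constructed for this illustration.

```python
# Added example: a minimal fuzz harness for the "number between 1 and 10" prompt.
# The naive parser trusts the user; the safe parser validates first.

INVALID_MSG = "Invalid input, enter a number between 1 and 10:"


def parse_choice_naive(raw):
    """Trusts the input: int() raises on 'q', '', '3.5', superscripts, etc."""
    return int(raw)


def parse_choice_safe(raw):
    """Validates before converting, so bad input gets a message, never a crash."""
    text = raw.strip()
    # isdecimal() (not isdigit()) because '\u00b2' is a 'digit' that int() rejects
    if not text.isdecimal():
        return INVALID_MSG
    value = int(text)
    if not 1 <= value <= 10:
        return INVALID_MSG
    return value


# Constructed fuzz corpus: the happy path plus the junk a fuzzer would try:
# letters, empty string, out-of-range, negative, float, padding, huge, Unicode.
FUZZ_INPUTS = ["7", "q", "", "0", "11", "-3", "3.5", " 5 ", "9" * 500,
               "\u0661", "\u00b2"]


def fuzz(parser, inputs=FUZZ_INPUTS):
    """Run every input through parser; return {input: exception name} for crashes."""
    crashes = {}
    for sample in inputs:
        try:
            parser(sample)
        except Exception as exc:  # a fuzzer logs any uncaught exception as a finding
            crashes[sample] = type(exc).__name__
    return crashes


if __name__ == "__main__":
    print("naive parser crashed on:", fuzz(parse_choice_naive))
    print("safe parser crashed on:", fuzz(parse_choice_safe))
```

The naive parser also silently accepts 0 and 11, which is a logic bug the crash list does not show; range checks are part of validation too.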

If the fuzzer who discovered the vulnerability wears a White Hat, they report it to the software developer who then starts creating the patch to correct the vulnerability.

Now that the patch has been written, it's ready for distribution.  While you're working on your system, you get this notification:


I know when I see this, my inner procrastinator wants to click the 'X'.  However, knowing what it might fix, I click on it, run the installer, and hope I don't need to reboot.

Security patches are distributed by the software vendor who created the software.  You should only download and install patches from them, and not from a third party.  Any vendor (Microsoft, Adobe, Apple, etc.) should periodically send notice of patches.  To help protect your system, set it to automatically download and install the patches.  If you choose not to do this, you will need to make sure you check for updates at least weekly.  Do this for all of your software to ensure maximum protection.

Patches, and now you know...

Thanks for reading!

Here are a few references:
https://www.owasp.org/index.php/Fuzzing
https://www.cert.org/vulnerability-analysis/research/discovery.cfm?
https://en.wikipedia.org/wiki/Blue_Screen_of_Death
https://en.wikipedia.org/wiki/White_hat_(computer_security)
https://en.wikipedia.org/wiki/Grey_hat
https://en.wikipedia.org/wiki/Black_hat
https://social.technet.microsoft.com/Forums/en-US/6259994a-80e9-4e2c-9fa8-4df6b614d641/no-windows-update-notifications?forum=W8ITProPreRel



Sunday, March 20, 2016

Pesky Passwords

Since this blog is in support of my MS in Cybersecurity program, I thought the perfect way to start it off would be to talk about something each of us has, but might neglect: passwords.

If you're reading this, chances are you have an account with a password that you created...hopefully none of these look familiar:

- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567

These are the 10 most popular passwords in 2015. If you are using any one of these (or the other 15 of the top 25), pay special attention to the next three words: CHANGE YOUR PASSWORD!

Creating a password that is easy to remember and also complex enough to avoid being cracked is easier than you think. We need to establish some guidelines before we get started:

1. Length - your password should be at least 8 characters, but I recommend 12 or more
2. Character variance - use a mix of upper and lower case letters, numbers, and special characters
3. Avoid keyboard walks - this is a password that looks like this: qwertyuiop OR 1qw23er45ty6
4. Avoid dictionary words - at least avoid them as they appear in the dictionary

All set? Let's get started! One easy method is to pull a quote or lyric from your favorite movie or song...because I'm a nerd, let's use Star Wars - May the Force be with you.

Right away, we have 20 characters, excluding the spaces, which looks like this - MaytheForcebewithyou

We already have a couple different upper and lower case letters, so let's add some numbers and special characters. Since we will be swapping out some of our letters, we need to look at other characters that look like them. Here are a few that look similar:
I = 1
i = !
s = 5
E = 3
B = %
b = & (okay, the 'B's' might be a stretch but they work, right?)

Alright, time for the numbers!
MaytheForcebewithyou turns into Mayth3Forc3b3withy0u

Let's add some crazy special characters!
Mayth3Forc3b3withy0u turns into M@yth3Forc3&3w!thy0u

Right now, it's pretty good. But we're breaking the 4th guideline. One more change.
M@yth3Forc3&3w!thy0u turns into M@yth3Forc3&3w!t#y0u

The last change probably isn't necessary, since it would take a desktop computer 425 quintillion years to crack either way. But, you get the idea.
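An added example (not from the original post) that turns the four guidelines above into a checker and runs it on the phrase at each step of the walkthrough. The keyboard rows and the tiny dictionary are constructed for this illustration; a real check would load a full wordlist, and this walk detector only catches straight runs along one row, not interleaved walks like 1qw23er45ty6.

```python
# Added example: check a candidate against the four guidelines from the post.
import string

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
WALK_LEN = 4  # four adjacent keys in a row, either direction, counts as a walk
# Constructed mini dictionary; stands in for a real wordlist.
DICTIONARY = {"password", "football", "force", "with", "star", "wars", "letmein"}


def has_keyboard_walk(pw):
    """True if pw contains WALK_LEN consecutive keys from a keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - WALK_LEN + 1):
                if seq[i:i + WALK_LEN] in low:
                    return True
    return False


def has_dictionary_word(pw):
    """True if any dictionary word appears verbatim (case-insensitive) in pw."""
    low = pw.lower()
    return any(word in low for word in DICTIONARY)


def check_guidelines(pw, min_len=12):
    """Return {guideline: passed} for the post's four rules (12+ chars recommended)."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return {
        "length": len(pw) >= min_len,
        "character_variance": all(classes),
        "no_keyboard_walk": not has_keyboard_walk(pw),
        "no_dictionary_word": not has_dictionary_word(pw),
    }


if __name__ == "__main__":
    for step in ["qwertyuiop", "MaytheForcebewithyou",
                 "Mayth3Forc3b3withy0u", "M@yth3Forc3&3w!thy0u"]:
        print(step, check_guidelines(step))
```

Note that the substitution step already removes "force" and "with" as dictionary words, which is why the final h-to-# change adds little.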

In addition to creating a good password, don't use the same password for everything.  Use a variety of passwords for your accounts.  Otherwise, if one password is compromised, the same key will open all doors.

One final thought.  You should change your password periodically.  Every 90 days is a good baseline, just make sure you create something hard to guess each time.

About Me

My name is Nick, and I have worked as a system administrator and security operator for the past 16 years in the US Air Force.  I have a variety of certifications from GIAC, CompTIA, and LPI.  This blog is part of the curriculum for my MS in Cybersecurity program at Bellevue University.  Also, this is my first blogging experience, so I'll gladly take any constructive criticism to make it better.