AMERICA

AMERICA
ONE NATION UNDER GOD!

Wednesday, September 2, 2009

Information Security Specialist

After a lifetime of distrust, a career in the military and a bachelors degree in computer science security is my current profession. I have spent my life trying to find my way around the rules. Couple that with my love of computers and my intense curiosity and you have a hacker waiting for a place to happen. The old saying goes "it takes a thief to catch a thief". Exchange the word "thief" with the word "hacker" and you understand why I am successful. I am not now or ever was a thief or a criminal computer hacker. I knew I could get into systems. But I never felt a need to prove my skills. It doesn't take an Einstein to be a hacker. It might help. But it is really a way of living. Pushing the envelope. Looking for ways around the rules, without breaking them. Loop-holes in the system. The best way to never get caught breaking in; is to never break-in. It just takes an incredible amount of self confidence. Something the Lord filled me with.
For 10 years I was a security expert for a large Southern California city. I was responsible for protecting a computer network of immense proportions. It covered a metropolitan area 372.1 Sq. miles(963.6 Km2) in geographical size. With 10,000 users and literally thousands of servers and more printers than anyone could count. During that time we only suffered one breach of security. And it was an insider job. Our perimeter was under constant probing and entry attempts. 1.7 million per day, on average. I would watch intrusion attempts from places like, South Korea, France, Germany, The peoples Republic of China and various universities located in ther USA. It got to the point where I could guess the source location, just by the sequence of intrusion methods attempted. So I have felt a need to help others know what I know. And today's lesson is "PASSWORDS"
Every one has a password. Some good. Some not so much. Hacker groups will try everything to gain your password. Brute force guessing, Dictionary, lexicons, and rainbow file comparators. The list goes on forever. The single most recognized hacker is Kevin Mitnick. A little known fact is that Kevin had no real computer hacking skills. He was, what we call in the business, a Social Engineer. He would call the CEO's Secretary and pretend to be someone in the It department that needed the bosses password to fix a problem that the boss had called in about. He knew the boss was out of the office because his/her email was set to auto reply that the CEO was on vacation. How did he find out the CEO's email address? Good question. It shows you are paying attention. The CEO's address was posted along with a phone number on the corporate web-site. If the admin assistant protested, he would just make a subtle threat saying "Well you tell the boss why he/she can't read their email while out of state." This was all he ever needed. You don't need any computer hacking skills if you know the password.
So, How do you make a password the can't be cracked, guessed or brute forced and still easy to remember? Easy! Don't use a pass-WORD. Use pass-PHRASE. For example; pick your favorite biblepassage. Mine is the 23rd Psalm. But you can't use the whole psalm. it won't fit. Pick a part of it. "Shadowofdeath". (Since I have posted this on the Internet I highly recommend not using this exact phrase). This is an easy to remember, hard to crack, but still easy to guess password. Now lets make it impenetrable. Change a vowel to a number! lets change the "o" for "0". That's change the oh's for zero's. Shadowofdeath, becomes Shad0w0fdeath. If you want to be trickier, change all of the vowels. Shadowofdeath, now becomes Sh@d0w0fd3@th.
Easy to remember. Impossible to crack. And completely unguessable. But if you tell it to anyone even your assistant, it is not "YOUR" passphrase anymore. change it every 90 days just to be sure, and compliant with most corporate security policies (Yes, I said comply with the rules). And when you change it you may have to find a new favorite bible verse. And reading the bible, for any reason, is a good thing.
.

10 comments:

Heart2Heart said...

Kurt,

After working as a corporate trainer in a communications company, one of the top three, we had to train the importance of guarding your passwords. We even had videos similar to what you described here as to how easy it is to get them. You just have to have a way with words.

I love your ideas for suggestions and even how to change it subtly while still keeping it intact.

This is vitally important especially in this age where people are doing all their online banking from home.

I would also recommend if you are using a wireless network, you make sure that it is locked as well. You just never know who is parked on your block using your network server.

Love and Hugs ~ Kat

Amber said...

Good info. Thanks

KrippledWarrior said...

Kat, Thanks for the input. I enjoy knowing I'm not alone in the security war. But explaining the mechanics of Triple DES encryption, adhoc networking and radio telemetry may be a little advanced for this forum. So I will warn "If you don't know how to secure a wireless network! Don't install one. Or find someone who does."
Fight the good fight KAT.

Amber, The pleasure is all mine.
KW

SusanD said...

Hey KW, Mandatory PW change here is 90 days. The rules are: must be at least 8 characters with 1 capital letter, 1 number, and one "special" character, i.e., #@$%&*!

I like your pass-phrase much better. These rules can be incorporated and it will definitely be easier to remember.

Blessings, SusanD

AmyK. said...

That is excellent information...now I feel the need to go change all my passwords.

I do hate the fact that I have to have so many of them. I love getting locked out of something because I can't remember my password du jour....sucks!!

Kelly Combs said...

very good information. You are a brainiac! That is a compliment. :-)

My ADHD Me said...

"the mechanics of Triple DES encryption, adhoc networking and radio telemetry...." You MUST be talking to me.

I am 98.352% computer illiterate. Luckily, my 13 year old is like a little computer genius and has been since he was about 8 or 9 years old. Of course that also makes it difficult for me as I have to watch him almost constantly while he is on the computer. He showed me (as he laughed) how easy it was to get around all those parental blocks etc. At least he let me know.

Says he's going to be a hacker for the FBI when he grows up, (I think he used a more technical term). That's ok as long as he is hacking FOR the FBI and not into it!

The password thing is a great idea. I suppose one should have different passwords for different things too, eh? I guess I'll go start changing mine right now. It's probably been about 7 or 8 years.

OK, I'm off....bet you already knew that!

Edie said...

ADHD-Jo's opening comment made me LOL!

Are you reading my mind? I was going to ask you about the Information Security Specialist. lol.

I love your password idea. I have a system that I use so that I don't have to use the same password everywhere but if I forget a password, I can *guess* it because of the system. Something like this but probably not quite as good.

Interestingly, I have security on my mind too. Am planning to do a couple of posts on internet and email security due to running across a blog that is a scam. (http://thatssogod.blogspot.com)

Next to you I am not even a novice. If you have any advice or thoughts on the subject, I'm all ears.

Anonymous said...

Hi there,

This is a message for the webmaster/admin here at krippledwarrior.blogspot.com.

May I use part of the information from your post above if I provide a backlink back to this website?

Thanks,
Peter

KrippledWarrior said...

You have permission to use the info on this post.