How to secure your data, Rock Solid.  


-  You probably have a folder or a file somewhere containing sensitive data: passwords and login, few documents or scans of things that you want to keep private.

Keeping them accessible to all is not a safe solution, if your computer is gone AWOL, the “new” owner may have access to sensitive data.
If your Mac is protected by a Login password, please remember that it can be easily bypassed (Password reset via Unix command or by inserting the OS X CD )
Keeping your sensitive documents encrypted may prevent Id theft and protects you against unwanted access to files and folders on your Mac.

A solution to encrypt data in a very secure way is to create an Encrypted Disk Image
Encrypting just a file or a folder is not as safe as encrypting the whole image.
The “thief” will need to mount the entire disk to have access to it.
Here is How To, Step by Step

Go to "Applications" >>> "Utilities"

Select Disk Utility


- Select “New Image”
- Select your options
- Volume Name i.e MrWhite
- Select the size, i.e 100 Mb for documents should be plenty enough. Use more if you have pictures, scans or Videos.
- Select the encryption.
 I would suggest the 256-bit or 512-bit, the 128-bit is weaker
- Click Create 



Enter a password, or better, a Passphrase*.




UNCHECK “Remember password in my Keychain” otherwise, if the keychain is cracked you’ll be “SOL”
Please Note: If you forget this password you will not be able to retrieve it. If you have a tendency to forget them, use Keychain...
- Click "OK"

The Encrypted Disk image is now created. To access it, double click the Icon on your Desktop and enter your Passphrase.
The Disk will mount and you'll be able to use it as any disk or storage. Drag & drop your document, folders in it.

To close the Disk Image:
Either Log off
Right Click on the icon and choose "Eject"
or go to Finder, click on ⏏ and "Eject" disk

Passphrase

To generate a good Passphrase, use letters upper and lower case, add numbers and for the sake of yourself, use signs too. As a tip, you can hold the Shift key while typing a number. (1=! 2=@, etc )
If you have any doubts whatsoever why you need a strong and uncommon password, take a minute or two and read the very end of this post.
For the "Geek" of it, a password of 20 ch length, using upper & lower case, numbers and shift signs has 74 possibilities per character or 20^74 pos.
20 Ch length = 24,245,681,433,252,000 billions of billions possibilities. Enough to keep a someone busy for a very long time.

The Yahoo! / Msn / Google Password Heist. 
About 10 to 30,000 passwords, including email,  where put online, as a sample,  probably for someone to sell a much larger list. This list was "the proof" that they were valid.
it's estimated that the full list was well over 300,000 emails & passwords.
This heist was not made by "cracking the passwords, but simply by asking people. A Web page was promising that they could tell you who "blocked you" on MSN, you simply had to enter your email and... password.  Yes.. curiosity killed the cat! just like the famous "I love you" virus
The very interesting part, was in my eyes, the analysis of the passwords.
Often, people will use one for everything, including bank, credit cards, etc ...
The second interesting thing is, Passwords list exist , most used etc ...

I could not access the list on time, but the excellent Reusable Security Blog did
Here is his (Matt Weir) analysis about what you use

Total Passwords: 9,845 - This number excludes all the e-mail addresses that had blank passwords Average Password Length: 8.7 characters long
Percentage that contained an UPPERCASE letter: 7.2%
Percentage that contained a special, (aka !@#$), character: 5.2%
Percentage that contained a digit: 51.7%
Percentage that only contained lowercase letters: 43.3%
Percentage that only contained digits: 17.6%
Percentage the started with a digit, (aka '1password'): 25.0%
Percentage that ended with a digit, (aka 'password1'): 44.1%
Percentage that started with a special character: 0.5%   <<  Big hint here
Percentage that ended with a special character: 2.2%    <<  Here too ...
Percentage that started with an uppercase letter: 6.1%

Overall letter frequency analysis:
aeoi1r0ln2st9mc83765u4dbpghyvfkjAzEIOxRLwSNq.MTC_DB-UP*G@H/ZYF+VJK,\amp;amp;X!Q=W?'#")(%^][}< {`>
First character, letter frequency analysis:
a1mbc2sp0lterdjfgn3hi6k759vo48yAwMzBSCuqPLExJRTFDGNV*HOZYKI\W@/-+(.$U&?Q^[,#
Last character, letter frequency analysis:
aos01326e57849nrilydzmtuAhbO.gck*SxpfE@+LvjNRw_-I?/$q!ZX)YKH"UPMDCB#GF'&%}T,]\VJ(

As a repeat, the previous is from Matt Weir, from Reusable Security
So, it tells me that there are still a large number of people using password vulnerable to wordlist attacks.  Furthermore:
40% of users are using the same password for everything.
92.7% did not use an UPPERCASE
94.8% did not use a special character

And the best: Only contained digits: 17.6%
Average length 8.7 >> rounded to 9 Characters

For the 18% (of dummies) that only use digit:
Digit only = 10 possibility per Character
9Ch long = 10^9 = 1,000,000,000 possible combination
Realistic number of test before cracking: 50% (10^4.5)   Time to crack : 0,015 hour = Joke

For those 18%, Read this carefully:
"Neil O'Neil, a digital forensics investigator at secure payments firm The Logic Group, found that "123456" cropped up on the list 64 times. There were 18 uses of the second most popular password, "123456789",
Big surprise!!! Just like the ones mentioned in the 500 most used password.
the 500 most used passwords list is 4 or 5 yrs old, but it seems like it was brand new.

2005 list                     2009 list
password          123456 
12345678          123456789
1234              alejandra
pussy             111111 
12345             alejandro
dragon            tequiero
qwerty            12345678
696969            1234567
mustang           alberto




The snipet was probably listing a sampling from Spanish speaking account, but I'll really curious to see the full list

So, if I had to create a password list, guess what ..
First on the list would be 8 or 9 Ch long, all digit, then all lowercase, then adding a digit or 2 first, then adding a digit or 2 at last.
That list should cover about 80% of all passwords
That would be a big list of 7,518,774,324,736 possibilities, but it would cover 80% of the general public. Not bad.
So, GET A REAL PASSWORD! 

Update Nov 26, 2009
I just received an email from a (well educated) friend of mine.
The email had many known contacts in the "To" field, and was looking genuine. The body was "Is it you in this picture? You look like a goof!  Are you out of your mind?" and had link to a website.
Knowing the guy, it really looked like something he would send.






Just one thing ticked me: No signature. My friend normally use a signature with his name and contact.
Out of curiosity, I just did a quick Reverse IP Tracking, Result: Philadelphia.
Huh? the guy is in Boston.  Quick Google search and bam! This was an Attack site: 5 Browser exploits, Worms and keylogger
Grab the phone, and called him:
- Did you send me an email about me looking like a goof?
- Nope!
- Dude, I have bad news...
I explained to him the situation, and he told me that he had not been able to access his email all day long...
After 15 min explaining to him that his account had been hacked, he slipped out his password for me to try.
Guess what?  This well educated man was using a password ranked #10 in the most used password list.
The result was that it only took them few seconds to crack his account and that "they" accessed all previous emails, including the ones that you receive when you subscribe to a service, including bank, mortgage, etc.
Not only they were trying to scam his contact list too, but they had the time to dig deeper....
His bank called the next day: Are you trying to wire money to Ukraine?
What raised a red flag at the bank was that his password was changed on the bank website, and the money transfer was asked at 2:30 AM US time 
He spent a good portion of his day calling bank, mortgage company, and subscribing to a credit monitoring company.
He scanned his computer many times, but as of today, he does not sleep very tight at night and call his CC company once a day.
So, as a warning, for the third time:
Don't use a weak password, especially one listed as "most used"
Encrypt your sensitive data
If your Email system (Gmail, Yahoo, etc) is Webmail based, Delete & Erase sensitive Emails. Move them into the encrypted folder you have created.
Don't be a potential victim, do it now.  


Because it's raining and I am bored:
Why use a -serious- password

Let 's assume a cluster of 10,000 Macbook Pro, dual core etc, working all together for you (distributed work ):
A Mac Book Pro, on intensive use needs 263 Watt of power and generates 894 BTU/h output of heat
Cracking possibilities : up to 10,000,000 pswd /second/computer
If you do the math, you'll realize that cracking by brute force a 20 characters Full ASCII password will cost you up to 40 million dollars worth of electricity, create enough BTU to generate a heat wave the size of Texas and take you hundred of thousands of years.
You could hit the jackpot and find the pswd within minutes, but generally, it will take 50% of the maximum time possible to break a password.
This is the reason why Keyloggers, Phishing and Clickjacking were invented. That's were, in my opinion, where the real danger is ...




Leopard Password Reset OS X 10.5

This is not a Password Crack, it's a Login Password Reset. Leopard Only, Not Snow Leopard.

Login Password Reset:    - If you do not know what you are doing, don't do it ! -

At Boot, press and hold ⌘ + S (Command + S)
Wait few seconds, a command line will appear
Then type verbatim:
 fsck -fy
(wait, it will take few seconds)
mount -uw /
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
dscl . -passwd /Users/UserName newpassword


(The password is now reset, you can login)





0 comments:

Post a Comment

top