
Protect your passwords

13.11.15

A point of vulnerability

TalkTalk, Experian and Ashley Madison are high-profile victims of cyber crime, but hackers target individuals directly too. One major area of vulnerability is the reliance for security on a simple collection of letters, numbers and symbols: the password.

Those in the know use the phrase “password cracking” to describe the penetration of a computer, network or system to unlock a resource that has been locked with a password. People using password cracking are sometimes defined as being in one of two groups, hackers or attackers.

A hacker is any person with an inherent interest in computer technology. Hackers are not necessarily people who want to do harm, just people who want to ‘beat a system’. They have been known to gain access to a website simply to post a picture of a cat, but in gaining access they may damage an individual or organisation by, for instance, making confidential data visible.

Attackers, on the other hand, gain access to cause damage. Attackers range from disgruntled employees trying to get revenge on a former company, to students simply trying to exploit large organisations with their computer systems, to criminals attempting to gain financially by accessing confidential data or through blackmail.

Whether they are hackers or attackers, the initial attention is on finding a vulnerability in the computer system they are targeting, corporate or domestic. And the most vulnerable point is the password.

So how do the attackers attack?

There are many ways of attacking a network including:

1. Bin (or dumpster) diving – literally going through the rubbish to find possible information that could be a password.

2. Finding a Post-It note on a monitor or underneath a keyboard.

3. Looking at Social Media profiles for details like birth dates, schools, children’s names that are often used in log-in processes.

4. Contacting an IT or customer service department, using relevant facts gained from the above, to fool staff into providing extra details or password resets.

5. Direct contact via email or phone asking people for details or getting them to log on to a site (a dummy site) which means they expose their details.

6. A “dictionary attack” where a dictionary file of common words is loaded into a password cracking application, such as PRTK or LC4. The applications then attempt multiple logins at very high speed, exploiting the fact that most common passwords are simplistic.

7. A “hybrid attack” combining the dictionary attack with the use of numbers to simulate common password set-up.

8. A “brute force attack”, which abandons the subtlety of the dictionary to target a massive number of short passwords.

What can you do to prevent password attacks?

1. Shred office paper waste and consider doing the same for official documents, receipts etc. at home.

2. Check that passwords or ancillary information are not displayed anywhere.

3. Change passwords frequently.  At work change passwords when employees leave.

4. Use difficult-to-guess passwords – at least 8 characters including numbers, symbols, uppercase and lowercase characters.

5. Consider using free password generator software such as LastPass.

6. Don’t use the same password for multiple accounts.

7. Enable two step verification where offered on websites.

8. Be aware that there are people out there who want your passwords and never give details away to callers, email contacts or on social media sites…ever.

9. Use dummy accounts rather than administrator accounts for computer systems and websites.
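
The composition rule in item 4 does not by itself stop the dictionary and hybrid attacks described earlier: “Password1!” satisfies it. The Python check below is an added example, not part of the original post; the wordlist, substitution table and function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); a real deployment would load a
# large list of common and breached passwords.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "football"}

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_composition_rule(pw):
    """Item 4: 8+ characters with a digit, a symbol, upper and lower case."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(not c.isalnum() for c in pw))


def dictionary_core(pw):
    """Return the common word the password is built on, or None."""
    # Strip digits and symbols from both ends (the "hybrid" decoration).
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw).lower()
    for candidate in (core, core.translate(LEET)):
        if candidate in COMMON_WORDS:
            return candidate
    return None


def check_password(pw):
    """Return a list of problems; an empty list means the password passed."""
    problems = []
    if not meets_composition_rule(pw):
        problems.append("fails composition rule")
    word = dictionary_core(pw)
    if word:
        problems.append(f"built on common word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["Password1!", "P@ssw0rd2015", "dragon", "vR7#qL2m!xTz"]:
        print(pw, "->", check_password(pw) or "ok")
```

Running it shows that the first two samples pass the composition rule yet are still flagged as dictionary-based, which is why a wordlist check belongs alongside the length and character rules.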

Disklabs has an experienced team of consultants who can advise you on improving your digital security.  We also run one of the UK’s leading digital forensics laboratories that can help you track down the perpetrators of malicious password attacks and bring them to justice.

Call us today on +44(0)1827 50000 or use our contact form to discuss your digital security requirements.

 
