Lazy passwords and MySpace

A post on the Guardian Technology Blog last week covered a breakdown by Bruce Schneier of "typical" MySpace passwords. Typical here is in the context of the 34,000 accounts that were phished from the social networking site – but are these representative?

From the analysis

The top 20 passwords are (in order):
password1, abc123, myspace1, password, blink182, qwerty1, fuckyou,
123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1,
princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.

Amazing – password has been overtaken by password1. Looking at the examples, at least some comfort might be taken from the fact that the most basic alphanumeric combinations are seeping through…

Update: regarding my naive final comment – MySpace requires a password at least 6 characters long, including a number/punctuation.
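To see how little the rule in the update buys on its own, here is an added example (not code from the original post or from MySpace): the "at least 6 characters including a number or punctuation" rule as the post describes it, run over the 20 phished passwords quoted above, beside a blocklist check that strips trailing digits so "password1" and "monkey1" are caught as variants of "password" and "monkey". The rule and the list come from the post; the normalisation logic and function names are this example's own.

```python
"""Password-policy rule versus blocklist check.

Added example, not part of the original post. The complexity rule models the
MySpace policy as described in the post's update (6+ characters, at least one
digit or punctuation character). The blocklist is the top-20 list quoted in the
post; how the two checks are combined is this example's own design.
"""
import string

# The top-20 phished MySpace passwords exactly as quoted in the post.
TOP20 = [
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "fuckyou", "123abc", "baseball1", "football1", "123456", "soccer",
    "monkey1", "liverpool1", "princess1", "jordan23", "slipknot1",
    "superman1", "iloveyou1", "monkey",
]

_DIGITS_AND_PUNCT = set(string.digits + string.punctuation)


def meets_myspace_rule(pw: str) -> bool:
    """The complexity rule from the post's update: 6+ chars, one digit/punctuation."""
    return len(pw) >= 6 and any(c in _DIGITS_AND_PUNCT for c in pw)


def normalize(pw: str) -> str:
    """Collapse trivial variants: lower-case and strip leading/trailing digits and
    punctuation, so 'Password1', 'PASSWORD!' and 'password' all become 'password'.
    A password made only of digits/punctuation (e.g. '123456') keeps its form."""
    base = pw.lower().strip(string.digits + string.punctuation)
    return base or pw.lower()


def is_blocklisted(pw: str, blocklist=TOP20) -> bool:
    """True if the password, after normalisation, matches a blocklisted base word."""
    blocked = {normalize(p) for p in blocklist}
    return normalize(pw) in blocked


def evaluate(pw: str) -> str:
    """Apply the complexity rule first, then the blocklist; return the verdict."""
    if not meets_myspace_rule(pw):
        return "reject: policy"
    if is_blocklisted(pw):
        return "reject: blocklisted"
    return "accept"


def top20_passing_rule() -> int:
    """How many of the 20 quoted passwords the complexity rule alone would accept."""
    return sum(meets_myspace_rule(p) for p in TOP20)


if __name__ == "__main__":
    print(f"{top20_passing_rule()} of {len(TOP20)} top-20 passwords satisfy the rule")
    for candidate in ("password1", "monkey", "Soccer2006!", "LiverPool99", "tr0ub4dor&3"):
        print(f"{candidate!r:16} -> {evaluate(candidate)}")
```

Running it shows that 16 of the 20 quoted passwords already satisfy the complexity rule; only the four with no digit at all ("password", "fuckyou", "soccer", "monkey") are stopped by it. A short blocklist with trailing-digit normalisation rejects every one of the 20 and their obvious "word plus year" variants, which is the check the rule cannot provide.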


People – not products – are most important to security

A surprise or not? The Register reports on a study carried out by IDC which found that the most important factors in security systems were

"management support of security policies; users following security policy; qualified security staff; software solutions and hardware solutions"

According to the study,

more than 40 percent of information security budgets is spent on personnel, education and training, up around 5 per cent on previous years. Information security risk management is seen as a particular training priority.

It is becoming apparent that many of the security consultancy companies are now beginning to focus more on services relating to risk management, in conjunction with the bread and butter of selling software and hardware kit.

The survey was sponsored by (ISC)2.

Call to action for Security Administrators

Bruce Schneier nicely summarises a recent McAfee study in Europe about employee attitudes to corporate IT resources:

  • One in five workers (21%) let family and friends use company laptops and PCs to access the Internet.
  • More than half (51%) connect their own devices or gadgets to their work PC.
  • A quarter of these do so every day.
  • Around 60% admit to storing personal content on their work PC.
  • One in ten confessed to downloading content at work they shouldn’t.
  • Two thirds (62%) admitted they have a very limited knowledge of IT Security.
  • More than half (51%) had no idea how to update the anti-virus protection on their company PC.
  • Five percent say they have accessed areas of their IT system they shouldn’t have.

I think the first one is the scariest, quickly followed by point 6 – 62% admitting they have limited knowledge of IT security. If I were a security administrator, this would concern me greatly. When you think about it though, the basic points which any employee using IT resources in an organisation should be aware of – anti-virus/OS updates and monitoring of internet usage – should be introduced at orientation or training days.

Employees should definitely not have the opportunity to say "I didn’t know about that" if something unexpected happens as a result of their tinkering or negligence.

Privacy for phone calls, privacy for medical consultations

Boing Boing recently wrote about Babble, a piece of hardware that can be used in open office situations where levels of privacy are useful. It plugs into your desk phone and can be configured in about 10 minutes. It takes samples of the user's voice and interweaves these with actual conversations that are taking place, to ensure that "nonsense" is all any would-be eavesdroppers can hear.

It’s currently retailing in the US for $395 – and sounds like a real possibility for cubicle farms or for offices where colleagues are constantly on the phone. Many readers will be familiar with the difficulty of attempting to concentrate on any task while nearby colleagues are constantly on the phone or, worse, having meetings.

For the cost though, this is definitely the type of product that you would actually like to sample or, better still, get first-hand accounts of how effective it actually is. A few Google searches for babble+audio+samples, and variations of it, didn’t find anything. Is anybody out there using this product and if so, how do you find it?

Most interesting from a health care perspective are the new versions that are currently in development. According to CNN, Sonare is already working on a newer incarnation of Babble exclusively for the hospital and pharmacy environments, so that patients and doctors exchanging sensitive information about a patient’s medical condition cannot be overheard. The new device would not have to be tethered to a telephone and would be able to mask more than one person’s voice at a time….

When I initially heard about this product, this was the basis on which I understood it to actually work. This version would be ripe for usage in a wide variety of situations.

Fact Checking and prospective employees

The RTE News website reports this evening that the Irish Government’s Chief Scientific Advisor – Barry McSweeney – is to take up a new appointment. A controversy arose last week when it became known that his doctorate had been awarded by an "unrecognised US institution".

As part of an ongoing project, I have been researching security policies in a healthcare environment. I came across this sample policy for the recruitment of staff that may have access to electronic patient records in a hospital environment. The first section in the sample policy is verification checks:

  • Character references
  • Confirmation of claimed academic and professional qualifications
  • Professional license validation
  • etc, etc.

Why is it that the first item in the check list is often the only one that is followed up?

Patient details on a USB drive

The HIPAA Advisory reports that a Hawaiian hospital has managed to mislay a data drive containing details of up to 130,000 patients.

What makes this case remarkable, and probably the first of its kind, is that the information was all contained on a bog-standard unencrypted USB drive.

Incidents like this are particularly damaging, but kudos to the hospital for informing those affected.

The piece is here.

What is your mother’s maiden name?

The title of this post is still one of the most common questions asked by banks and credit card companies when you ring for telephone support.

Bruce Schneier writes about the curse of the secret question. I thought I was the only one that typed in junk to these questions when prompted. Of course the paradox of this is succinctly pointed out by the author.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

…So all of the good work done by many sites in terms of password quality (minimum length, alphanumeric combination, etc.) is knackered by the details requested by such secret questions, which map so neatly onto family details, hobbies and personal characteristics.