*Keeping secrets from web spies*
By Dan Simmons
Reporter, BBC Click Online

===== ===== ===== ===== ===== ===== =====

Picking a password is a tricky business. The temptation is to go for 
something that is easy to remember, like our partner's birthday, a pet's 
name, or a film star. The trouble is that, given just a few attempts, it 
is also pretty easy to crack.

"Hackers today will often use a dictionary style attack. This means they 
can very quickly use all of the words in the dictionary as well as 
common celebrity or sports names," explained McAfee security analyst 
Greg Day.

"For example, many people still use what they think is a smart technique 
of switching out some of those characters for numbers, for example 
changing an A into a 4. But that's a very commonly known technique."

"I think what worries us more these days is we use online communities, 
like MySpace or Bebo, to meet and chat with other people, and people are 
so willing to hand over this information - favourite film star, etc. As 
a password stealer I only need to chat to you for a few minutes and I 
can probably commonly guess your password."

The ideal password is used for one site only and mixes letters in both 
upper and lower case, numbers, and other characters. Something like 
this: EAJst9s74*$D!2. The problem is that it is just not easy to 
remember.
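The dictionary-style attack and the number-for-letter trick described above can be turned into a check a site runs before accepting a new password. The example below is added here and is not from the article or from McAfee; the word list is a constructed placeholder standing in for the dictionary and celebrity names an attacker's list would hold, and the substitution table is an assumption about which swaps such lists undo.

```python
import re

# Constructed placeholder for the dictionary, celebrity and sports names
# a dictionary-style attack tries; a real deployment would load a large list.
COMMON_WORDS = {
    "password", "letmein", "welcome", "football", "madonna", "beckham",
    "fluffy", "monkey", "summer",
}

# Number-for-letter swaps (A -> 4 and friends) that attack tools already undo.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalise(password: str) -> str:
    """Reverse the common substitutions and drop digits/punctuation at either end."""
    base = password.lower().translate(LEET_MAP)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", base)


def dictionary_hit(password: str) -> bool:
    """True if the password reduces to (or contains) a word an attacker's list would hold."""
    core = normalise(password)
    return core in COMMON_WORDS or any(w in core for w in COMMON_WORDS if len(w) >= 5)


def check_password(password: str) -> list[str]:
    """Return the problems found; an empty list means the password passes every check."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    if dictionary_hit(password):
        problems.append("based on a dictionary word or well-known name")
    return problems


if __name__ == "__main__":
    for candidate in ("P4ssw0rd", "M4d0nn4!99", "EAJst9s74*$D!2"):
        print(candidate, "->", check_password(candidate) or "ok")
```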

Password storage

In fact, with the average number of passwords estimated to be around 20 
per person, and that number growing at 20% each year, it is no wonder 
that many of us cannot keep track of the one we might need.

So if we are not to lapse into using the same password for all our 
accounts, we need a safe place to store them, somewhere we can access 
wherever we are.


One answer is to lock them up online. There are many choices available 
but a new service from BoxKnox is specifically designed to store 
passwords, offering encrypted storage, at no cost, while protecting 
anonymity.

You do not need to leave any personal details - just set a username and 
password. Of course this is a password you really do not want to forget.

But complicated passwords, securely stored, do not mean you are safe. To 
fully protect yourself you need to be aware of how hackers might try to 
gain access to your accounts.

"Nowadays it's become incredibly easy for anybody to set up and use 
something like a keylogger," said Mr Day.

"You can go and use internet search tools like Google and you'll find 
lots of free tools that allow you to listen in to someone else's PC."

Keyloggers record every keystroke we make and send it on to the hacker. 
And although they can be used for legitimate tracking - like checking 
what your children do online - they can be used to spy on anyone.

It took me five minutes to find and download one such program. I then 
got our security expert to see if he could find out what I'd been up to.

He very quickly established that I'd been to Hotmail, and could easily 
identify my username and password, date of birth, postcode.

"You'd be amazed," he said, "at what an attacker could do with that."

Criminal activity

Many keyloggers and spyware programs take screenshots of the sites you 
visit and can copy files from your PC.

These may include any passwords you have asked your computer to remember 
for you to speed up logging in. These are held as cookies on your machine.

Keyloggers are not illegal to own. It is how they are used which can be 
criminal.

(Picture: a Nordea branch sign. Nordea says it has refunded the affected 
account holders.)

Last month keylogging software found its way onto hundreds of PCs 
belonging to account holders at Sweden's largest bank, Nordea.

In the biggest heist of customer accounts on record, more than $1m 
(£513,000) was stolen.

The Metropolitan Police say thousands of customers in the UK have also 
been hit by this software.

So what can we do to protect ourselves? Firstly, a well configured and 
up-to-date anti-virus programme should pick up most of this type of 
spyware, especially if it tries to use our internet connection to send 
out information.

There are many to choose from, some of which are free. We were using 
McAfee's Security Suite 2006 but it failed to pick up the keylogger 
while we were offline.

It is not clear why, but its labs say the software would normally warn 
users they are being tracked.

Of course one way to beat keyloggers is to not touch the keyboard at all 
when logging in.

There are several USB devices you can use to automatically log on. We 
used the Codemeter USB device which holds all my login names and passwords.

It automatically detects when I need them and fills in the necessary 
boxes for me. I do not have to remember all my passwords which are 
encrypted on the key.

I just need to remember one master password to make it work - and I must 
make sure I do not leave the USB device behind.

And the security industry is starting to look at more pre-emptive ways 
to protect us - before any spyware can get in.

"The security industry has turned to a proactive approach," explained 
Yuval Ben-Itzhak, chief technology officer at security firm Finjan.

"We no longer need to wait for anti-virus updates in order to find out 
if something is bad. You can actually analyse it as you run the program, 
see what it is about to do, and make a decision based on that."

Finjan's internet-browser tool auditions, or dry-runs, the page links 
before we click on them to check for any nasty surprises.

It claims this live testing of links has never been beaten by hackers. 
It is making this software available to the public to download at no 
cost from next month.

Ditching passwords

But let us face it, most of us are simply too lazy to go the extra mile 
to protect ourselves, which is why some of the biggest names in banking 
want to ditch the traditional password altogether.

All of HSBC's customers in Hong Kong already use a token or fob 
system, which offers up a constantly changing number that forms part of 
their online password access.

It is being trialled by some banks in the UK, but may prove too 
expensive to roll out to millions of customers, some of whom may not 
want to use them.

An alternative being considered by HSBC and the Alliance and Leicester 
bank in the UK would have us run an application on our mobile phones 
generating a second pass code - again changing each time we log in.
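The token and phone-app schemes above both work by having the device and the bank derive the same short-lived code from a shared secret, so a code a keylogger captures is worthless once its window has passed. The example below is added here and is not the article's or HSBC's code; it assumes the standard HOTP/TOTP construction (RFC 4226 and RFC 6238), which the article does not say any of these banks use, and the secret is the RFC's published test key, not a real one.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second windows since the Unix epoch."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Bank-side check: accept the current window or one either side, never reuse a window."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_accepted = -1  # highest time window already spent on this account

    def verify(self, code: str, at: int) -> bool:
        now_step = at // self.step
        for candidate in (now_step - 1, now_step, now_step + 1):
            if candidate <= self.last_accepted:
                continue  # a code captured earlier and replayed is rejected
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test key; a real token holds a per-customer random secret.
    shared_secret = b"12345678901234567890"
    now = int(time.time())
    bank = OtpVerifier(shared_secret)
    code = totp(shared_secret, now)          # what the fob or phone app displays
    print("code", code, "accepted:", bank.verify(code, now))
    print("same code again:", bank.verify(code, now))  # replay fails
```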

If we can be persuaded to use them, the ever-changing password may be 
the key to keeping our secrets secret.

