I was having lunch with my buddy Nick the other day talking about this blog. Now Nick isn’t in my target audience – he’s an excellent programmer, very aware of security threats and I’m sure he’s running a great hardware firewall at home.
The thing that caught his attention the most was something I discussed a while back in Mmmm, I love hunny – user IDs are being stolen via rootkits (software that your antivirus program can’t detect) and are then sold to middlemen, who resell them to the people who actually carry out the attacks.
The part where it really gets interesting – MOST people don’t create strong username/password combinations to begin with, THEN they re-use that same combination on every site they visit!
So – let’s just say I’m running a really simple rootkit (one I can buy for about $75) that’ll tell me all the websites you visit. If any of them (like y! mail) is running non-secure – I can easily nab your username/password. Then, referencing my handy dandy list of all your websites, I can try out each one to see where it works! Once I log in as you, I’ll change the mailing address, or see if I can get money out – or in a worst-case scenario, I’ll sell your good stocks to buy the penny stocks I’m holding, then I’ll sell out of my account when the time is right! (pump and dump, baby)
It gets better – most people I talk to don’t ever change their passwords. Never. Or if they do, they store them in a file called passwords.txt on their C drive. Not good. Even better are the folks who put them on a sticky note and leave it on their screen 24x7. (Uh, other people might just read that!)
Whaddya do? There are a lot of good solutions in this area – RoboForm is interesting, Password Safe looks really good – but so far I’m using another piece of open source software called KeePass. Install it on a USB stick and carry your passwords with you. Even better, have it generate new, incredibly complex and unique passwords for you, and you’ll never have to worry about remembering them!
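As an added illustration (not from the original post and not KeePass code), here is a small Python script that does the two things the post argues for: it flags any password reused across sites in a constructed sample vault, then replaces each reused one with a fresh, unique random password the way a password manager’s generator would. The site names and passwords below are made up.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault of (site, password) pairs; not real credentials.
SAMPLE_VAULT = [
    ("mail.example", "Summer2009!"),
    ("bank.example", "Summer2009!"),
    ("broker.example", "Summer2009!"),
    ("forum.example", "hunny-pot-42"),
]

# Printable ASCII without whitespace: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused(vault):
    """Return {password: [sites]} for every password used on more than one site.

    This is the attacker's "handy dandy list" turned around: if a password
    shows up here, one leaked login unlocks every site in its list.
    """
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length=20, alphabet=ALPHABET):
    """Draw a password from the OS CSPRNG via secrets (never the random module)."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def rotate_reused(vault, length=20):
    """Return a copy of the vault with every reused password replaced by a unique one."""
    reused = find_reused(vault)
    rotated = []
    for site, password in vault:
        if password in reused:
            password = generate_password(length)  # each site gets its own value
        rotated.append((site, password))
    return rotated
```

Run `find_reused` on the rotated vault afterwards; an empty result means no two sites share a password.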
I’m still experimenting in this area – if you’re interested in more, email me!