Results 1 to 14 of 14
  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    Hey you, cyber thief: Get off of my Cloud!




    IN THE WILD

    Hey you, cyber thief: Get off of my Cloud!

    By Robert Vamosi

    Recent exploits show that Cloud services can easily be attacked and often lead to crippling secondary attacks as well. Here's how to protect yourself.

    The full text of this column is posted at windowssecrets.com/in-the-wild/hey-you-cyber-thief-get-off-my-cloud/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by Tracey Capen; 2012-08-22 at 19:22.

  2. #2
    New Lounger
    Join Date
    Dec 2009
    Location
    lesotho
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    The problem with Google´s 2-way authentication is if you work in different countries and swap your sim card. Bye bye to your Google account... because you cannot be reached on your number. Also, try and explain this conundrum to a Live Human Being at Google... Good luck!

  3. #3
    New Lounger
    Join Date
    Sep 2011
    Location
    Las Vegas, NV
    Posts
    8
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Key Scrambler

    Very good article. I have been using a key scrambler for some time now to hopefully prevent someone from monitoring key strokes should a piece of malware get on my system that can read keystrokes. I have never read any comments on or articles that describe how effective a key scrambler really is. Any comments would be appreciated.

    Thanks for your great articles.

  4. #4
    Star Lounger
    Join Date
    Dec 2009
    Location
    Sydney, Australia
    Posts
    73
    Thanks
    6
    Thanked 6 Times in 6 Posts
    I still don't get it. Apart from Office passwords, where you can use a brute force attack, how is anyone going to crack my 10 digit password from a 96 character set. Totally impossible, unless they steal it from Linkedin or someone, then it doesn't matter if it is 30 characters. For sites, like tech blogs that no-one would want to hack and I wouldn't care if they did, I often use and 8 digit password from the 36 character set.

  5. #5
    New Lounger
    Join Date
    Mar 2010
    Location
    Vancouver, BC
    Posts
    3
    Thanks
    1
    Thanked 0 Times in 0 Posts
    This is a typical security article:
    1. Present a hacking incident that actually didn't involve guessing or cracking passwords AT ALL.
    2. Proceed to the stress the need for strong passwords.

    This hacker wouldn't care if your password was 200 characters long, he just requested a password reset via companies' lax policies.

    Also, you need to run John the Ripper on the computer you're hacking or he has to have access to the encrypted password files. If the hacker has that kind of access, he probably doesn't need the password anyway! You're not going to be able to use John the Ripper to crack a web account password.

  6. #6
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by franky5 View Post
    Very good article. I have been using a key scrambler for some time now to hopefully prevent someone from monitoring key strokes should a piece of malware get on my system that can read keystrokes. I have never read any comments on or articles that describe how effective a key scrambler really is. Any comments would be appreciated.

    Thanks for your great articles.
    Modern keyloggers intercept keystrokes earlier in the process than any key scrambler can protect you. These Apps or browser plugins are totally useless from a security standpoint. And they do not provide two-factor authentication.
    -- Bob Primak --

  7. #7
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by clarkg888 View Post
    This is a typical security article:
    1. Present a hacking incident that actually didn't involve guessing or cracking passwords AT ALL.
    2. Proceed to the stress the need for strong passwords.

    This hacker wouldn't care if your password was 200 characters long, he just requested a password reset via companies' lax policies.

    Also, you need to run John the Ripper on the computer you're hacking or he has to have access to the encrypted password files. If the hacker has that kind of access, he probably doesn't need the password anyway! You're not going to be able to use John the Ripper to crack a web account password.
    Yep, that's a valid observation. My Yahoo email account contacts were hijacked by a spambot twice in one month, in spite of my effort to change my login password. Yahoo said I must have a virus on my computer. That was the end of that support call!

    John the Ripper may also be capable of cracking passwords transmitted through a browser. If any signals are intercepted (Man in the Middle), John the Ripper can be used on the intercepted data. Amazingly, not all Internet logins are encrypted or SSL prtoected. Windows Secrets Lounge logins are not encrypted.
    Last edited by bobprimak; 2012-08-27 at 04:01. Reason: clarify my point
    -- Bob Primak --

  8. #8
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by jonrichco View Post
    I still don't get it. Apart from Office passwords, where you can use a brute force attack, how is anyone going to crack my 10 digit password from a 96 character set. Totally impossible, unless they steal it from Linkedin or someone, then it doesn't matter if it is 30 characters. For sites, like tech blogs that no-one would want to hack and I wouldn't care if they did, I often use and 8 digit password from the 36 character set.
    You clearly did not read the article.
    -- Bob Primak --

  9. #9
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by boymalawi View Post
    The problem with Google´s 2-way authentication is if you work in different countries and swap your sim card. Bye bye to your Google account... because you cannot be reached on your number. Also, try and explain this conundrum to a Live Human Being at Google... Good luck!
    Poor me! I don't even own a smartphone or tablet. (Seriously, I really don't own either type of device.)
    -- Bob Primak --

  10. #10
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Sacramento, CA, USA
    Posts
    116
    Thanks
    7
    Thanked 4 Times in 4 Posts
    I recommend this article: http://arstechnica.com/security/2012...der-assault/4/ Explains how lots of sites using common but poor encryption schemes can have their passwords tried at billions of combinations per second on a single desktop computer. You have no control over what any site uses so if that site is compromised your short password is going to be cracked. Very interesting graph showing how adding just a character or two to your random password is immensely helpful to ward off brute force attacks. Here's the last paragraph:
    The whole password-cracking scene has changed drastically in the last couple years," said Weir, the Florida State University post-doctoral student. "You can look online and you can generally find passwords for just about everyone at some point. I've found my own username and passwords on several different sites. If you think every single website you have an account on is secure and has never been hacked, you're a much more optimistic person than I am.
    Last edited by buggsy2; 2012-08-25 at 00:16.

  11. #11
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Sacramento, CA, USA
    Posts
    116
    Thanks
    7
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by boymalawi View Post
    The problem with Google´s 2-way authentication is if you work in different countries and swap your sim card. Bye bye to your Google account... because you cannot be reached on your number. Also, try and explain this conundrum to a Live Human Being at Google... Good luck!
    Bzzzt. Google offers a second way of getting the 6-digit number, via an SMS to another phone or maybe an email.

  12. #12
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    4,746
    Thanks
    171
    Thanked 649 Times in 572 Posts
    Quote Originally Posted by bobprimak View Post
    Modern keyloggers intercept keystrokes earlier in the process than any key scrambler can protect you. These Apps or browser plugins are totally useless from a security standpoint.
    How can you possibly know that ANY key scrambler can't intercept earlier in the process than any keylogger?

    As powerful as Elite Keylogger 5 is, I am glad to give everyone a confirmation that Elite Keylogger still captures the scrambled encrypted keystrokes by KeyScrambler Premium, protecting the sensitive information such as your password from being stolen. You can view the video below as a proof.
    Protection against Elite Keylogger 5


    Quote Originally Posted by bobprimak View Post
    And they do not provide two-factor authentication.
    Totally irrelevant.


    Quote Originally Posted by bobprimak View Post
    John the Ripper may also be capable of cracking passwords online.
    How?


    Quote Originally Posted by bobprimak View Post
    You clearly did not read the article.
    It's clear to me that he did. What's your point?


    Bruce

  13. #13
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts

    Originally Posted by bobprimak
    Modern keyloggers intercept keystrokes earlier in the process than any key scrambler can protect you. These Apps or browser plugins are totally useless from a security standpoint.

    How can you possibly know that ANY key scrambler can't intercept earlier in the process than any keylogger?

    As powerful as Elite Keylogger 5 is, I am glad to give everyone a confirmation that Elite Keylogger still captures the scrambled encrypted keystrokes byKeyScrambler Premium, protecting the sensitive information such as your password from being stolen. You can view the video below as a proof.
    Protection against Elite Keylogger 5

    Originally Posted by bobprimak
    And they do not provide two-factor authentication.

    Totally irrelevant.

    Originally Posted by bobprimak
    John the Ripper may also be capable of cracking passwords online.



    How?
    Originally Posted by bobprimak
    You clearly did not read the article.





    It's clear to me that he did. What's your point?


    Bruce
    Wrong on all points. Elite Keylogger 5 is not the most sophisticated keylogger out there. It isn't even malicious, but is a commercial product designed to let employers monitor employee computer and network use. And your comments get farther and farther off the mark from there. Some aren't even valid points worth responding to.


    The fact that key scramblers do not provide two-factor authentication is very relevant, as this exact point about login security (the need for two-factor authentication ) was directly addressed in the article. No amount of scrambling will offer the benefits of two-factor authentication.


    That key scramblers are not effective enough is well known. Key scramblers offer poor security, if any at all. For an example of the limitations of Keyscrambler, check out this thread at Wilders Security Forums, especially Post#51-Post#57 (Post #56 says it most clearly):
    _____________________________
    KS was not able to block anything in the banking malware test done by MRG, against malware like Zeus that is able to capture what you sent in your browser (of course KS is not designed to block that but still is a way to steal passwords), anyway as you can see in the raymon test is able to pass any real time capture software/malware.
    I just want to make you sure about the limitations of KS, it's protects against "real time" capture, if the capture is not done on "real time" it will not protect
    _____________________________


    What I'm saying about this is that key scrambling is no longer effective when using banking sites or other places where secure logins and password security are of greatest importance.


    The jonrichco comment "how is anyone going to crack my 10 digit password from a 96 character set" is dangerously outdated and naive. The article says enough to make it clear that this is not the current state of the art of password cracking. jonricho must not have read the article to still insist on something which the article debunks directly.


    One more point about John the Ripper and transmitted data. If poorly encrypted or unencrypted data are intercepted by a Man in the Middle, the data are available on the interceptor's computer for his/her use. This includes running a cracking program. Perhaps not specifically John the Ripper, but something at least as effective.


    Any other wise-cracks you would care to offer, Bruce? I thought this was a serious tech discussion.
    Last edited by bobprimak; 2012-08-27 at 04:08.
    -- Bob Primak --

  14. #14
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    In reading about keyloggers and how they work, I was amazed to find that they actually inject themselves inside the operating system kernel. That's an area which in 64-bit Windows is supposed to be off-limits to third-party software. How do they avoid triggering major system instability or deactivating Windows? How do they bypass Patch Guard and other system kernel lockout technologies? How do they avoid interfering with system kernel Windows Updates and Service Pack installations?


    ANYWAY...


    This whole side-issue of the effectiveness of Keyscrambler and similar evasion techniques ignores an important security consideration. Unless you know that your employer has compelled you to keep a keylogger on your personal computer, you have acquired any keylogger as a malicious payload which was downloaded and installed without your permission.


    This means that if you are trying to live with a malicious keylogger, you almost certainly have other malicious software on your computer. If this is the case, you really need to address the issue of detecting and removing malicious software from your computer. Just living with malicious software is simply not an option. You need to revise your security strategy.


    This is the real security danger in relying on evasion after infection, instead of preventing infections in the first place, or absent that, detecting and removing unwanted programs once they have become embedded into your operating system or legitimate programs. It is simply not accceptable to allow your computer to remain infected, by keyloggers or anything else malicious.


    By the way, passwords are much more likely to be stolen directly out of a browser or browser extension, than to be acquired through the installation of a malicious keylogger. While Firefox 14 has pretty good saved password security, Internet Explorer 9 and Chrome 21 are not so good about saved password security, according to this recent article. Among password managers, there are also security issues. For example, LastPass has had recent security breaches, including the one mentioned in this article. The Zeus family of banking Trojan Horses do not behave the way keyloggers do, and these malicious programs have been very effective at stealing banking passwords recently. Alureon is another example of a malicious program which is not a keylogger but has stolen passwords and data and gone undetected on many personal computers until it did interfere with MS Updates and Service Pack installations. Again, Keyscrambler does not protect against anything which happens at the browser level, according to the Wilders Security Forums post I have already cited in this thread. Nor does Keyscrambler effectively evade Alureon and similar infections operating inside the Windows system kernel.

    Finally, REMEMBER: If your underlying password is weak, reused or is not changed regularly, nothing can mask this weakness.

    False security is worse than no security at all.
    Last edited by bobprimak; 2012-08-27 at 04:11.
    -- Bob Primak --

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •