Basic Rules of Working with Secret Information

October 28, 2009

Because free operating systems are designed with modern data-security concepts in mind, users should know that the main cause of most “cracking” and data-theft incidents is their own lack of attention, not bugs or errors in the software they use.

Let’s start with a familiar and well-known notion: the password. Entering a password performs user authentication, i.e. confirmation that the account is being used by its owner.

Users should know that operating systems are generally well secured against unauthorized use. That is why it is much easier for an attacker to obtain the user’s password somehow and log into the system pretending to be an authorized user. So instead of breaking security systems that grow ever more complex, attackers tend to use social engineering, manipulating users for the sole purpose of gathering the information they need.

Kevin Mitnick (former hacker, current security consultant) emphasizes that “it is much easier to trick someone into giving a password for a system than to spend the effort to hack into the system.” He argues that it was the single most effective method in his arsenal.

To prevent such situations, follow the recommendations below:

  1. Do not write your password on your PC’s monitor and do not attach sticky notes with passwords to it. Anyone can see them!
  2. Do not save your passwords in text files, unless you’re sure that those files cannot be read by someone else.
  3. Do not store corporate secret information in shared folders (such as Documents, Pictures, etc.) that can be accessed by anyone.
  4. Create strong passwords (at least 8 characters, digits and letters, mixed letter case). Attackers use software that enumerates all possible passwords until it finds the right one; this process is generally known as brute force. So the shorter and the more “typical” your password is, the faster it will be found (attackers use special dictionaries that include all frequently used passwords such as “12345”, “password”, “iloveyou”, and combinations of users’ last names, first names and birthdays). You can check the most common passwords and brute-force analytics here. Let’s discuss this point a little more.

    You should know that the weakest passwords are short, or are words, names, or derivations of words or names. If you simply change an “A” to a “4” or an “s” to a “$”, it won’t significantly increase the security of a password. Password crackers generally have customizable sets of rules that they use to try various permutations of supplied dictionary words and user information as candidate passwords.

    There are three main properties that define the security of a password: length, character set, and randomization. Strength in one of these properties can make up for weaknesses in the others (at least to a certain degree).

    If passwords are not limited to seven or eight characters, length is probably the easiest way to increase the security of a password. No doubt it is easier to choose a very long password than a very random one. Thus, a 40-character password that uses only lowercase letters and spaces will be extremely difficult to break. However, it’s not a great idea to pick a password from a popular text such as one of Shakespeare’s plays or sonnets.

    The characters used in a password have a major effect on its security, especially when the length of the password is limited. An eight-character password with lowercase letters and punctuation is over 800 times harder to break than a password of the same length with just lowercase letters. When considering the characters used in a password it is useful to break the character set into groups: uppercase and lowercase letters each account for 26 characters, digits account for only 10, and special characters account for 34. Strong passwords should have at least one character from each of three different groups.

    Although truly random passwords are hard to remember, they are very strong. It’s more practical to generate a password from a pattern that is meaningful only to you. For example, “NwtfcIuf2y” is meaningful only for me, because I know that it stands for “Nokia was the first cellphone I used for 2 years”. Remember that adding a number to a random password would make it even better.

    In addition, we recommend using password managers, which help you generate strong passwords and store them in encrypted form. As an example, you can check KeePass, which is available for various operating systems including Linux.

  5. Change your passwords on a regular basis. Software used to crack passwords tries to discover them using data captured on the network or taken from the system files of your operating system. Remember that attackers may try to discover your password for years if it is of great value to them. Though some may say that you need to change your passwords every week, there is no need to do so that often. For an ordinary user it is recommended to change passwords once every 90-120 days. Microsoft’s default policy is 42 days.
  6. Scan your computer for malware (in particular for software that records keystrokes) on a regular basis and take appropriate measures to prevent it from appearing (see the post “Choosing an Antivirus for Linux”).
  7. Do not open suspicious e-mails and do not run unknown programs.
  8. If you are really concerned about the security of your data, use multifactor authentication, which is now available to all Linux users and represents the most reliable and modern solution. In contrast to ordinary authentication, which is based only on the fact that you know the password, multifactor authentication combines several principles: “something you know” (a password or PIN code), “something you are” (biometric data – fingerprints and iris scans), and “something you have” (hardware keys). Hardware keys are protection devices plugged into a serial, parallel or, most commonly, USB port; they ensure that only authorized individuals access your sensitive information. With them you can significantly strengthen Virtual Private Network security for remote access, protect data on laptops and PCs, improve network access security, and simplify password management and protection. They include devices such as smart cards, USB authenticators and hybrid authenticators. Linux users can choose from a broad range of authentication devices from well-known manufacturers such as Aladdin, SafeNet (Rainbow) and Bestoken (information about other devices can be found on the website of the OpenCT project); there is even a solution that lets you use an ordinary USB flash drive for authentication.
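The following password-strength estimator is an added example, not code from the original post. It puts numbers on the three properties named in item 4 (length, character set, randomization) using the group sizes the text gives (26 + 26 + 10 + 34), reproduces the “over 800 times” comparison for eight-character passwords, and shows why swapping “A” for “4” or “s” for “$” gains nothing: the substitution table and the three-entry wordlist are constructed stand-ins for a cracker’s rule set and dictionary, and the `meets_article_rule` check encodes the rule from item 4 (at least 8 characters, letters and digits, both cases, not a dictionary word).

```python
"""Password strength estimator (added example, not the article's code)."""
import math
import string

# Group sizes as the article counts them: 26 + 26 + 10 + 34.
GROUP_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 34}

# Constructed sample of the substitutions cracking rule sets undo
# ("A" -> "4", "s" -> "$", ...); a real rule set is far larger.
LEET = str.maketrans({"4": "a", "@": "a", "$": "s", "5": "s",
                      "0": "o", "3": "e", "!": "i"})

# Constructed stand-in for a common-password dictionary; the entries are
# the three the article names.
COMMON_PASSWORDS = {"12345", "password", "iloveyou"}


def group_of(ch):
    """Map one character to one of the four groups the article distinguishes."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "special"


def alphabet_size(groups):
    return sum(GROUP_SIZES[g] for g in groups)


def keyspace(length, groups):
    """Worst-case number of candidates a brute-force search must try."""
    return alphabet_size(groups) ** length


def entropy_bits(password):
    """Bits of work for a brute-force search over the groups actually used."""
    if not password:
        return 0.0
    groups = {group_of(c) for c in password}
    return len(password) * math.log2(alphabet_size(groups))


def dictionary_forms(password):
    """Variants a rule-based cracker tries: lower-cased, de-leeted, and with a
    trailing number (a birth year, say) removed."""
    stripped = password.rstrip(string.digits)
    return {password.lower(), password.lower().translate(LEET),
            stripped.lower(), stripped.lower().translate(LEET)}


def in_dictionary(password, wordlist=COMMON_PASSWORDS):
    return any(form in wordlist for form in dictionary_forms(password))


def assess(password):
    groups = {group_of(c) for c in password}
    return {
        "length": len(password),
        "groups": sorted(groups),
        "bits": round(entropy_bits(password), 1),
        "dictionary_hit": in_dictionary(password),
        # Item 4's rule: >= 8 characters, letters and digits, both cases,
        # and not something a dictionary rule set produces.
        "meets_article_rule": (len(password) >= 8
                               and {"lower", "upper", "digit"} <= groups
                               and not in_dictionary(password)),
    }


if __name__ == "__main__":
    # Eight characters, lowercase + special vs lowercase only: ~804x.
    print(keyspace(8, {"lower", "special"}) / keyspace(8, {"lower"}))
    for pw in ["P@$$w0rd", "iloveyou1985", "NwtfcIuf2y",
               "forty lowercase letters and spaces is a lot"]:
        print(pw, assess(pw))
```

Note that `P@$$w0rd` satisfies the length and character-class rules yet normalizes straight back to “password”, which is the point of item 4’s second paragraph; length beats cleverness, as the 40-character lowercase example shows with well over 200 bits.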

Of course, all the above recommendations should be applied together as a system; otherwise they will hardly bring the result you want.

One of the most characteristic features of secret information is the strictly limited number of people who have access to it. To prevent outsiders from acquiring secret data you need:

  • to use the access-control capabilities provided by the operating system to separate users’ privileges
  • not to install or use unrelated services on workstations where secret information is stored or used. If the data is highly important, it is better to disconnect the workstation from the network and physically prevent anyone other than the intended users from using it.
  • to use data encryption facilities. This is the only way to protect data from administrators, who have unlimited access to the system. Note that there are many types of encryption, both for individual files (PGP, GnuPG) and for disk partitions (TrueCrypt). All of these programs provide an extremely high level of security while being free software.
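The first bullet above (and item 3 of the earlier list, about shared folders that anyone can read) is where most accidental exposure happens: files created under the usual `umask 022` come out group- and world-readable. The following is an added example, not code from the original post; it assumes a POSIX system, walks a directory of sensitive files, reports every path that grants group or other users any access, and then restricts the tree to its owner (0700 on directories, 0600 on files). The `demo()` scenario is constructed: a temporary “secrets” directory with one subfolder and one file.

```python
"""Find and fix group/world-accessible paths under a secrets directory
(added example, not the article's code; POSIX permissions assumed)."""
import os
import shutil
import stat
import tempfile


def others_can_access(path):
    """True if any read/write/execute bit is set for 'other' users."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)


def group_can_access(path):
    """True if any read/write/execute bit is set for the group."""
    return bool(os.stat(path).st_mode & stat.S_IRWXG)


def find_exposed(root):
    """Return every directory or file under root that is not owner-only."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if others_can_access(p) or group_can_access(p):
                exposed.append(p)
    return sorted(exposed)


def restrict_to_owner(root):
    """Set 0700 on directories and 0600 on files; return what is still exposed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, stat.S_IRWXU)               # rwx------
        for f in filenames:
            os.chmod(os.path.join(dirpath, f),
                     stat.S_IRUSR | stat.S_IWUSR)     # rw-------
    return find_exposed(root)


def demo():
    """Constructed scenario: a secrets tree created under the common 022 umask.
    Returns (exposed paths before, exposed paths after)."""
    old_umask = os.umask(0o022)
    root = tempfile.mkdtemp(prefix="secret-")        # mkdtemp itself uses 0700
    try:
        sub = os.path.join(root, "contracts")
        os.mkdir(sub)                                 # 0777 & ~022 = 0755
        with open(os.path.join(sub, "deal.txt"), "w") as fh:
            fh.write("constructed confidential content\n")   # 0666 & ~022 = 0644
        before = find_exposed(root)
        after = restrict_to_owner(root)
        return len(before), len(after)
    finally:
        os.umask(old_umask)
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())   # the subfolder and the file are exposed before, nothing after
```

Run `find_exposed("/path/to/secrets")` periodically as a check; the same idea covers the second bullet, since a workstation holding such data should have nothing else reading those paths. Permissions stop other local accounts, not the administrator, which is exactly why the third bullet adds encryption on top.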

One of the features of free software is that its source code is generally open to everyone. Some security experts consider the opportunity for attackers to scrutinize the algorithms of your OS a potential threat. More often, however, open access to the algorithms is considered an advantage, because security experts can analyze the code and satisfy themselves that it is secure enough, or inform the developers of any mistakes.

You should know that at the moment all widespread encryption algorithms, including those adopted as state standards, are published so that they can be studied and examined by experts and by anyone else interested in them.

Another great thing about open software is that users do not depend on vendors for security policy, updates, support and security patches. This allows them to prolong the life of the software indefinitely. Moreover, having full access to the specifications and the source code, even a small company can improve and adapt the software to its own needs.

That’s why we strongly recommend using open-source software for data security: it is well examined by experts and does not have loopholes that attackers can exploit. In addition, you should always check whether any vulnerabilities have been found in your OS and install updates.