Sunday, January 27, 2013

Will your digital life survive the Password Apocalypse?



It all started in 1964 with a guy who called himself Captain Crunch, after the cereal that gave him an invaluable toy boatswain’s whistle.
As a US Air Force airman based in Alaska, John Draper discovered that the whistle emitted its sound at the same pitch used by AT&T exchange systems for dialling, and that by using it correctly he could get himself and his comrades free long-distance calls. Years later he and other counterculture followers created a “Blue box” that could generate enough multi-frequency tones to allow them access to the AT&T system.
They called it “phone phreaking”. But the idea caught on and was later dubbed “hacking” or “cracking” – gaining unauthorized access to systems using a variety of methods to various ends.
Passwords have been around for millennia in security contexts for the obvious reasons, so when computer networks were created it was a no-brainer that passwords would have to be used along with logins.
But, little by little, various methods have been used by hackers to break them. One of the originals was invented by Captain Crunch and his merry band. 
“Social engineering” was basically calling up a company pretending to be the proper user and using enough of that person’s details to convince the firm that you are them and thereby gain access to their account and/or reset the password etc.
It’s one of the techniques still used today by hackers and detailed in Mat Honan’s excellent article on the weakness of the password system in the January issue of Wired UK.
Long story short, passwords are vulnerable because they have to be easy enough for us to remember and the reset systems need to allow us to do that without too many hurdles. But their ease is their greatest vulnerability.
So how do you ensure that you don’t end up having all your accounts cracked by hackers, as happened to him? Here are the key password take-aways from his article:
DON’T

  • Reuse passwords for several accounts
  • Use a single dictionary word – or at least use more than one in a phrase
  • Use standard number substitutions – e.g. 1 for l – cracking tools have these built in
  • Use a short password – they’re quickly crackable

DO

  • Enable two-factor authentication when it’s offered – this allows the system to send you a text to confirm it’s really you if you log in from an unusual location.
  • Give bogus answers to the standard security questions – it’s like a secondary password as many of the answers to standard questions will be accessible online – you may have chatted about your first school/pet etc on Facebook and parental details are on public record.
  • Use a unique, secure email address for password recovery – if a hacker knows which account your password reset goes to, that’s a line of attack for them. So set up a special email account you don’t use for regular communications and ensure you don’t create a username linked to your name.
  • Scrub your online presence – Sites like 123 people allow you to remove your info from databases.
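
The DON'T list above can be turned into a check that a site or password manager runs when a password is chosen. This is an added example, not code from the original post or the Wired article; the word list, the 12-character minimum and the function names are assumptions made for illustration.

```python
import re

# Constructed sample word list. A real checker would load a full dictionary
# plus lists of passwords known from breaches.
WORDS = {"password", "letmein", "dragon", "monkey", "football"}

# Standard substitutions (1 for l, 0 for o, ...) that cracking tools undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed threshold for this example


def check(password, used_elsewhere=()):
    """Return the DON'T rules a candidate password breaks, as short labels."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("short")
    if password in used_elsewhere:
        findings.append("reused")

    lower = password.lower()
    # Trailing digits and symbols ("2013!", "1") are a common decoration, so
    # test the password both as typed and with that suffix removed.
    stripped = re.sub(r"[^a-z]+$", "", lower)
    if lower in WORDS or stripped in WORDS:
        findings.append("dictionary")
    elif lower.translate(LEET) in WORDS or stripped.translate(LEET) in WORDS:
        # Undoing the substitutions reveals a single dictionary word.
        findings.append("substitution")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    existing = ["correct horse battery staple"]
    for candidate in ("football", "P4ssw0rd1", "Dragon2013!",
                      "correct horse battery staple", "tulip anvil ocean fern"):
        print(f"{candidate!r}: {check(candidate, existing) or 'ok'}")
```

A phrase made of several words passes the dictionary test here, matching the "more than one in a phrase" advice, but is still flagged if it is already in use on another account.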
If, like me, you have all sorts of accounts all over the place, Mat’s article will have been a real eye-opener and the tips vital for ensuring you survive any future Password Apocalypse.

6 comments:

jimbo said...

Really interesting stuff Alan...

Unknown said...

Thanks Jim!

Unknown said...

Hi Alan

Great advice, thanks

What sites though for online presence in UK/EU rather than US - ie Spokeo and White Pages?

Steve

Unknown said...

Hi Steve. Sorry to say I'm not aware of any (probably should have researched that a bit more before posting!), but will have a look and let you know if I find any.

Unknown said...

Updated with UK site which offers similar service to Spokeo.com and Whitepages.com, which were the ones quoted in the original Wired article.
Thanks for pointing that out Steve!

Reverse Phone Lookup said...

If the Internet brought benefits, it undoubtedly also brought problems in its wake. Frankly leave alone your passwords on www, one now has to worry about the vulnerability of phones too, particularly cell phones.