Avoid getting hacked with these 3 steps

So far I don't think I have touched on one of my favorite topics, information security, and I believe that this will be what I tell you about today 🙂 I hope that after this short article you have a better idea of what can help you keep better control of your risks and how to mitigate many of them at the same time.

Risks everywhere

It is inevitable: in this year alone, more than 15000 vulnerabilities have already been discovered and officially assigned an identifier. How do I know? Because part of my job is to check CVEs for the programs we use in Gentoo to see if we are running vulnerable software; that way we can update it and ensure that everyone in the distribution has secure systems.

CVE

Common Vulnerabilities and Exposures, for its acronym in English, are the unique identifiers assigned to each known vulnerability. I can say with great joy that several Gentoo developers work for the good of humanity, researching and publishing their findings so that they can be corrected and fixed. One of the last cases that I had the pleasure of reading about was optionsbleed, a vulnerability that affected Apache servers worldwide. Why do I say that I am proud of this? Because they do the world good: keeping vulnerabilities secret only benefits a few, and the consequences can be catastrophic depending on the target.

CNA

CNAs are the entities in charge of requesting and/or assigning CVEs. For example, Microsoft has its own CNA, in charge of grouping its vulnerabilities, fixing them, and assigning each one a CVE so that it is recorded.

Types of measures

Let's start by clarifying that no system is or will be 100% secure, and as a fairly common saying goes:

The only 100% secure computer is one that is locked in a vault, disconnected from the internet and turned off.

Because it is true: the risks will always be there, known or unknown, and it is only a matter of time. So, faced with a risk, we can do the following:

Mitigate it

Mitigating a risk is nothing more than reducing it (NOT eliminating it). This is quite an important and crucial point, both at the business and personal level: nobody wants to be "hacked", but to tell the truth, the weakest point in the chain is not the equipment, nor the program, not even the process; it is the human.

We all have the habit of blaming others, whether people or things, but in computer security the responsibility is and always will be the human's. It may not be you directly, but if you do not follow the right path you will be part of the problem. Later I will give you a little trick to stay a little more secure 😉

Transfer it

This is a well-known principle; think of it like a bank. When you need to take care of your money (I mean physically), the safest thing is to leave it with someone who is able to safeguard it much better than you can. You don't need your own vault (although that would be much better) to take care of things; you only need someone (whom you trust) who can keep it safer than you can.

Accept it

But when the first and second don't apply, that's where the really important question comes in: how much is this resource / data / etc. worth to me? If the answer is "a lot", then you should think about the first two. But if the answer is "not that much", maybe you just have to accept the risk.

You have to face it: not everything can be mitigated, and some things that could be mitigated would cost so many resources that it would be practically impossible to apply a real solution without changing a lot and investing a lot of time and money. But if you analyze what you are trying to protect, and it does not fit in the first or second step, then simply handle it in the third step as best you can: do not give it more value than it has, and do not mix it with things that really do have value.

Keep up to date

This is a truth that escapes hundreds of people and businesses. Computer security is not about passing your audit 3 times a year and expecting nothing to happen in the other 350 days. And this is true for many system administrators. I was finally able to certify myself as LFCS (I leave it to you to find out where I did it 🙂) and this is a critical point during the course. Keeping your equipment and its programs up to date is vital, crucial, to avoid most risks. Sure, many here will tell me "but the program we use does not work in the next version", or something similar; the truth is that your program is a time bomb if it does not work in the latest version. And that brings us back to the previous section: can you mitigate it? can you transfer it? can you accept it? ...

Truth be told, just to keep in mind: statistically, 75% of computer security attacks originate from within. This may be because you have unsuspecting or malicious users in the company, or because your security processes have not made it difficult for an attacker to break into your premises or networks. And more than 90% of attacks are caused by outdated software, not by zero-day vulnerabilities.

Think like a machine, not like a human

This will be a little advice that I leave you from here on:

Think like machines

For those who do not understand, here is an example.


I introduce you to John. Among security lovers it is one of the best starting points when you enter the world of ethical hacking. John gets along wonderfully with our friend crunch. Basically, John takes a list that is handed to him and starts testing the combinations one by one until he finds the one that matches the password he is looking for.

Crunch is a generator of combinations. This means that you can tell crunch that you want a password that is 6 characters long, containing upper and lower case letters, and crunch will start producing them one by one ... something like:

aaaaaa,aaaaab,aaaaac,aaaaad,....

And you wonder how long it takes to go through the whole list ... it doesn't take more than a few minutes. For those who were left with their mouths open, let me explain. As we discussed earlier, the weakest link in the chain is the human and their way of thinking. For a computer it is not difficult to try combinations; it is something extremely repetitive, and over the years processors have become so powerful that it does not take more than a second to make a thousand attempts, or even more.

But now the good part: the previous example is with human thinking; now we go for machine thinking:

If we tell crunch to generate passwords with just 8 characters, under the same requirements as before, we have gone from minutes to hours. And guess what happens if we tell it to use more than 10: they become days. For more than 12 we are already in months, in addition to the fact that the list would be of a size that could not be stored on a normal computer. If we get to 20 we are talking about something a computer will not be able to decipher in hundreds of years (with current processors, of course). This has its mathematical explanation, but for reasons of space I am not going to go into it here; for the most curious, it has a lot to do with permutations and combinations. To be more exact, with the fact that for each letter that we add to the length we have almost 50 possibilities, so we will have something like:

20^50 possible combinations for our last password. Enter that number into your calculator to see how many possibilities there are with a key length of 20 symbols.

How can I think like a machine?

It is not easy; more than one person will tell me that thinking up a password of 20 letters in a row is hard, especially with the old notion that passwords are key words. But let's look at an example:

dXfwHd

This is difficult for a human to remember, but extremely easy for a machine.

caballoconpatasdehormiga

This, on the other hand, is extremely easy for a human to remember (even funny) but it's hell for crunch. And now more than one of you will tell me: but isn't it also advisable to change passwords regularly? Yes, it is recommended, so now we can kill two birds with one stone. Suppose this month I am reading Don Quixote de la Mancha, volume I. In my password I will put something like:

ElQuijoteDeLaMancha1

20 symbols, something quite difficult to discover without knowing me, and the best thing is that when you finish the book (assuming you read constantly 🙂) you will know that you must change your password, perhaps to:

ElQuijoteDeLaMancha2

This is progress 🙂 and it will surely help you keep your passwords safe and at the same time remind you to finish your book.
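To put numbers on the argument above (the crunch search space at each length, and the three example passwords), here is an added example; it is not part of the original article and not code from crunch or John the Ripper. It computes the size of the search space as alphabet size raised to the password length, the general formula behind the "almost 50 possibilities per letter" remark, and the worst-case time to exhaust that space at an assumed guess rate. The rate of one billion guesses per second is an assumption chosen for illustration (real rates depend on the hash algorithm and hardware and vary by orders of magnitude), and the character-class sizes are the standard ASCII counts.

```python
import math

# Assumed guess rate for the illustration only; real rates depend entirely on
# the hash algorithm and the hardware and vary by orders of magnitude.
GUESSES_PER_SECOND = 1_000_000_000

# The three passwords discussed in the article.
ARTICLE_EXAMPLES = ["dXfwHd", "caballoconpatasdehormiga", "ElQuijoteDeLaMancha1"]


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that contains every
    character of the password, i.e. the alphabet a crunch-style enumerator
    would have to be configured with to ever produce it."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly this length: every position is
    independent, so the count is alphabet ** length."""
    return alphabet ** length


def worst_case_seconds(alphabet: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate if the correct one happens to be last."""
    return keyspace(alphabet, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def audit(password: str, rate: float = GUESSES_PER_SECOND) -> dict:
    """Summarise how large a brute-force search the password forces."""
    alphabet = alphabet_size(password)
    space = keyspace(alphabet, len(password))
    return {
        "password": password,
        "alphabet": alphabet,
        "length": len(password),
        "keyspace": space,
        "bits": round(math.log2(space), 1),
        "worst_case": human_time(space / rate),
    }


if __name__ == "__main__":
    # Growth of the search space with length, as in the article's crunch
    # example (upper and lower case letters, alphabet of 52).
    for length in (6, 8, 10, 12, 20):
        print(f"52^{length:<2} = {keyspace(52, length):>40,}  "
              f"worst case {human_time(worst_case_seconds(52, length))}")
    print()
    for pw in ARTICLE_EXAMPLES:
        r = audit(pw)
        print(f"{r['password']:<26} alphabet={r['alphabet']:<3} "
              f"length={r['length']:<3} bits={r['bits']:<6} "
              f"worst case {r['worst_case']}")
```

Run it as a script to see the table; the useful comparison is the "bits" column, since each extra character multiplies the search space by the alphabet size, while adding a few symbols to the alphabet of a short password barely moves it.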

What I have written is enough, and although I would love to be able to talk about many more security issues, we will leave it for another time 🙂 Greetings



  1.   Penguin said

    Very interesting!!
    I hope you can upload tutorials on hardening on Linux, it would be wonderful.
    Regards!

    1.    ChrisADR said

      Hello 🙂 well, could you give me some time, but I also share a resource that I find extremely interesting 🙂

      https://wiki.gentoo.org/wiki/Security_Handbook

      This one is not translated into Spanish 🙁 but if someone dares to give a hand with that and help it would be great 🙂

      regards

  2.   XoX said

    Very interesting, but in my point of view brute force attacks are becoming obsolete, and the generation of passwords such as "ElQuijoteDeLaMancha1" does not seem like a viable solution either, because with a little social engineering it is possible to find passwords of this type; it is only a matter of superficially investigating the person and she will reveal it to us, either on her social networks, to her acquaintances or at work; it is part of human nature.

    In my point of view, the best solution is to use a password manager, because it is safer to use a 100-digit password than a 20-digit one; in addition there is the advantage that, by only knowing the master password, it is not possible to reveal even one of the generated passwords, because they are not known.

    This is my password manager; it is open source and, by emulating a keyboard, it is immune to keyloggers.

    https://www.themooltipass.com

    1.    ChrisADR said

      Well, I don't pretend to give a totally safe solution (remembering that nothing is 100% impenetrable) in just 1500 words 🙂 (I don't want to write more than that unless it is absolutely necessary), but just as you say that 100 is better than 20, well, 20 is definitely better than 8 🙂 and well, as we said at the beginning, the weakest link is the man, so that is where the attention is always going to be. I know several "social engineers" who don't know much about technology, but only enough to do security consulting work. Much more difficult is to find true hackers who find flaws in programs (the well-known zero-day).
      If we talk about "better" solutions we are already entering a topic for people with expertise in the field, and I am sharing with any type of user 🙂 but if you like we can talk about "better" solutions at another time. And thanks for the link; sure, it has its pros and cons, but it would not do much for a password manager either, you would be surprised by the ease and eagerness with which they attack them, after all ... a single victory implies many keys revealed.
      regards

  3.   Anassis said

    Interesting article, ChrisADR. As a Linux system administrator, this is a good reminder not to get caught up in not giving it the utmost importance required today to keep passwords up to date and with the security required by today's times. Even this is an article that would be very helpful to ordinary people who think that a password is not the cause of 90% of headaches. I would like to see more articles on computer security and how to maintain the highest possible security within our beloved operating system. I believe that there is always something more to learn beyond the knowledge that one acquires through courses and trainings.
    Beyond that I always consult this blog to find out about a new program for Gnu Linux to get my hands on it.

    Regards!

  4.   Dani said

    Could you explain a bit in detail, with numbers and quantities, why "DonQuijoteDeLaMancha1" ("DonQuijote de La Mancha" does not exist ;p) is safer than "• M¡ ¢ 0nt®a $ 3Ñ @ •"?
    I don't know anything about combinatorial math, but I'm still not convinced by the often-repeated idea that a long password with a simple character set is better than a shorter one with a much larger character set. Is the number of possible combinations really greater just using Latin letters and numbers than using all UTF-8?

    Greetings.

    1.    ChrisADR said

      Hello Dani, let's go in parts to make it clear ... have you ever had one of those suitcases with number combinations as a lock? Let's see the following case ... assuming they reach nine we have something like:

      | 10 | | 10 | | 10 |

      Each one has ten possibilities, so if you want to know the number of possible combinations, you just have to do a simple multiplication, 10³ to be exact, or 1000.

      The ASCII table contains 255 essential characters, of which we normally use numbers, lower case, upper case and some punctuation marks. Suppose that now we are going to have a 6-digit password with approximately 70 options (uppercase, lowercase, numbers and some symbols).

      | 70 | | 70 | | 70 | | 70 | | 70 | | 70 |

      As you can imagine, that's a pretty big number, 117 649 000 000 to be exact. And those are all the possible combinations that exist for a 6 digit key space. Now we are going to reduce the spectrum of possibilities much more; let's say that we are only going to use 45 (lowercase, numbers and the occasional symbol perhaps) but with a much longer password, let's say maybe 20 digits (like the one in the example).

      | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 | | 45 |

      The number of possibilities becomes… 1 159 445 329 576 199 417 209 625 244 140 625… I don't know how to count that number, but for me it is a bit longer :), but we are going to reduce it even more, we will only use numbers 0 to 9, and let's see what happens to the quantity

      | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 | | 10 |

      With this simple rule you can come up with a staggering 100 000 000 000 000 000 000 combinations :). This is because each digit added to the equation increases the number of possibilities exponentially, while adding possibilities within a single box increases it linearly.

      But now we go to what is "best" for us humans.

      How long does it take you to write “• M¡ ¢ 0nt®a $ 3Ñ @ •” in practical terms? Let's assume for a second that you have to write it down every day, because you don't like saving it to the computer. This becomes tedious work if you have to do hand contractions in unusual ways. Much faster (in my point of view) is to write words that you can write naturally, since another important factor is to change the keys regularly.

      And last but not least ... it depends a lot on the mood of the person who developed your system, application or program whether you can calmly use ALL the UTF-8 characters; in some cases it may even disable the use of the account, because the application "converts" some of your password and makes it unusable ... So maybe it's better to play it safe with the characters that you always know are available.

      Hope this helps with doubts 🙂 Greetings
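The lock-wheel model in the reply above, carried through in code as an added example (it is not the commenter's code): the number of settings is the product of the options on each wheel, and a password is the same lock with one identical wheel per character. The example goes slightly beyond the reply by also measuring what each of the two ways of growing the key space buys you (one more position versus one more symbol per position) and by computing the length a small alphabet needs to match a larger one. The three configurations from the reply (70 options x 6 positions, 45 x 20, 10 x 20) are used as constructed sample input.

```python
from math import prod, log2


def lock_settings(wheel_sizes) -> int:
    """A lock with one wheel per position: settings = product of the options
    on each wheel (three wheels of 0-9 give 10 * 10 * 10 = 1000)."""
    return prod(wheel_sizes)


def keyspace(alphabet: int, length: int) -> int:
    """A password is the same lock with `length` identical wheels."""
    return lock_settings([alphabet] * length)


def gain_from_one_more_position(alphabet: int, length: int) -> float:
    """Multiplier on the key space from appending one character (always the
    alphabet size, regardless of the current length)."""
    return keyspace(alphabet, length + 1) / keyspace(alphabet, length)


def gain_from_one_more_symbol(alphabet: int, length: int) -> float:
    """Multiplier on the key space from allowing one extra symbol per position
    while keeping the length fixed: ((alphabet + 1) / alphabet) ** length."""
    return keyspace(alphabet + 1, length) / keyspace(alphabet, length)


def length_to_match(alphabet: int, target_space: int) -> int:
    """Shortest length at which `alphabet` reaches at least `target_space`."""
    length = 1
    while keyspace(alphabet, length) < target_space:
        length += 1
    return length


# Constructed sample input: the three configurations from the reply.
CONFIGS = {
    "70 options, 6 positions": (70, 6),
    "45 options, 20 positions": (45, 20),
    "10 options, 20 positions": (10, 20),
}

if __name__ == "__main__":
    print(f"suitcase lock (10, 10, 10): {lock_settings([10, 10, 10]):,}")
    for label, (alphabet, length) in CONFIGS.items():
        space = keyspace(alphabet, length)
        print(f"{label}: {space:,} ({log2(space):.1f} bits)")
        print(f"   one more position multiplies by "
              f"{gain_from_one_more_position(alphabet, length):.2f}, "
              f"one more symbol by "
              f"{gain_from_one_more_symbol(alphabet, length):.2f}")
    big = keyspace(45, 20)
    print(f"digits only need length {length_to_match(10, big)} to match 45^20; "
          f"70 symbols need length {length_to_match(70, big)}")
```

The design choice worth noting is that the two gain functions isolate the reply's claim: at a length of 20, one more position multiplies the space by the full alphabet size, while one more symbol per position multiplies it by only about 1.5, which is why length dominates once it is already large.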