
06-01-2003, 01:00 PM
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
Is Your Data Secure?
I read an article today that just left me shaking my head. It was an article by Rob Pegoraro called No Passport Out of Password Prison and talks about how Microsoft's Passport won't save us from the plethora of passwords we now have for various online sites. Keep in mind the last time I read one of his articles I wrote a mini book on it. Something about his stuff just throws me off of the deep end sometimes. :roll: Based on that previous article, it is pretty clear Rob uses a Palm, which is fine. Whatever works for you best. Hey, I use a Symbian 60 Nokia 3650 cell phone and love every minute of it.

So how does Rob keep his data secure? "The second is to store your passwords someplace where you can look them up. That's what I did: After forgetting my bank-card PIN -- one of the most embarrassing forms of forgetfulness possible in the modern world -- I typed those digits, along with every other password I could remember, into a text file and encrypted it with the Pretty Good Privacy program. That's worked well for me . . . except when I've had to go home to log in to a site."
Huh? Come on. Sure that data is secure but in a text file? Use eWallet or a comparable product. I have over 280 cards in my personal eWallet file and a whole bunch more in my work eWallet file. 8O I couldn't imagine that in a text file, and the eWallet file is portable. I also work with people that have half of this lesson correct. They keep all of their data with them on their PDA... in a Notes/Memo application. AAARRRGGGHHHH! You might as well keep passwords on post-it notes around your monitor or write your PIN number on your ATM card.
Then there was this article that talked about professional hackers that hacked to gain sensitive data from corporate systems so they could turn around and blackmail the company. How sophisticated are these hackers? Not very. They don't have to be. They steal from morons, which is much easier to do. That is what I would do.
"The Russian hackers referenced in the Post articles [see articles here, here and here] said that the first thing they always tried when breaking into a computer system was to use the default passwords, and that most of the time they worked. After that, they tried known and proven vulnerabilities within Windows, and that worked the rest of the time. More obscure attacks were rarely needed, mainly because so many companies yielded to their first two tactics so easily." Double AAAARRRRGGGGHHH!!!!
All people need to do is be sensible. Keep passwords secure and throw some numbers and symbols in them so dictionary attacks don't work, keep them with you in an encrypted format and stay up to date on security fixes. Did you know that two of the most widespread security issues on the internet (Code Red and Slammer) exploited bugs that Microsoft had patched no less than 6 months before the attacks began? Oh, and do you run Microsoft's SQL Server? Is your default password for the "sa" account still blank? Just go shoot yourself now.
Personally, I keep my critical info in eWallet, encrypt the data with eWallet's 128 bit security, then lock that behind the Pocket PC's power-on security. Am I 100% safe? No, there is no such thing. However, the effort required to get at my data is too high for most thieves. Thieves are smarter than that. The guy behind me might just be a moron. Are you behind me?

06-01-2003, 03:55 PM
Swami
Join Date: May 2004
Posts: 4,396
Re: Is Your Data Secure?
Quote:
Originally Posted by Ed Hansberry
Huh? Come on. Sure that data is secure but in a text file? Use eWallet or a comparable product. I have over 280 cards in my personal eWallet file and a whole bunch more in my work eWallet file. 8O I couldn't imagine that in a text file, and the eWallet file is portable.
|
Maybe the reporter doesn't have as many passwords as you do. If it works for him, why criticize that? He has encrypted it, after all.
Quote:
Originally Posted by Ed Hansberry
I also work with people that have half of this lesson correct. They keep all of their data with them on their PDA... in a Notes/Memo application. AAARRRGGGHHHH! You might as well keep passwords on post-it notes around your monitor or write your PIN number on your ATM card.
|
Let's keep the exaggeration down to moderate levels :-) If your PDA is password protected, you're pretty safe. Sure, someone could take your PDA before the password timed out, but it's not like the data is as visible as the Post-It notes.
Let's assume somebody got ahold of your unlocked PDA. They'd still have to look through your files to find the passwords. While that's certainly possible, it's not really something I'd worry about.
For example, before I got eWallet, I used to have records for each credit card provider I had in Contacts. On the Notes page, I'd save the credit card numbers for that provider (as most providers want that number if you contact them). I never had a problem with that set up.
Steve

06-01-2003, 04:36 PM
Ponderer
Join Date: Dec 2002
Posts: 58
I tend to not put much in the way of valuable info on my Axim because I find most solutions, like encrypting a txt file, too cumbersome. I need a solution that is fast and nearly invisible so to speak or I won't end up using it.
Glisson

06-01-2003, 05:12 PM
Intellectual
Join Date: Feb 2003
Posts: 206
Re: Is Your Data Secure?
Quote:
Originally Posted by Ed Hansberry
Huh? Come on. Sure that data is secure but in a text file? Use eWallet or a comparable product. I have over 280 cards in my personal eWallet file and a whole bunch more in my work eWallet file. 8O I couldn't imagine that in a text file, and the eWallet file is portable. I also work with people that have half of this lesson correct. They keep all of their data with them on their PDA... in a Notes/Memo application. AAARRRGGGHHHH! You might as well keep passwords on post-it notes around your monitor or write your PIN number on your ATM card.
|
Text file in PGP is sure far more secure than eWallet RC4.
PGP is stronger than RC4.
Cracking RC4 is a sport on the net, last report is 56bits, but report on cracking PGP so far has been pretty scant. RC4 is basically broken.
http://www.cl.cam.ac.uk/users/rnc1/brute.html
Just because something is payware doesn't make it automagically better.

06-01-2003, 05:55 PM
Pupil
Join Date: Sep 2002
Posts: 38
TawnerX is absolutely correct. So far as I can see, the PPC programs use encryption algorithms that are easy on the programmer. And to make matters worse, most of them use "modified" or "similar to" algorithms that are probably worthless if faced with a serious cryptographic attack.
Of course, there may be little chance that your PPC will be the subject of a serious attack, because there's not enough value to attract a serious attacker. So the PPC programs might not have to do much more than keep out the amateurs and casual hackers.
PGP can be secure, depending on the key type and length that you select. Beyond that, even with a very good key, it might not be as secure as you think. Where did you store that private key -- on your laptop? Then at best the security is no better than the strength of your password. We have a serious security requirement where I work. We use PGP. We have restrictions on the type and length of keys. And we NEVER place private keys on laptops, PPCs, or any other device that leaves our very secure room in our very secure building (which is protected by locks, passcards, cameras, etc.) If somebody at work wants to use PGP with a laptop, they have to keep their private key on external media that stays in the secured room (CD, zip, floppy, etc.) Needless to say, our building also does not have WiFi, we have multiple levels of network security, etc. ad nauseam.
Security is available, but it is not easy and it is not convenient. You have to select the level of security to match the value of what you are protecting and the likelihood of attack. For many people, PPC programs with "modified RC4" encryption are probably fine.
BTW - PGP can encrypt databases and spreadsheets as well as flat files.

06-01-2003, 06:24 PM
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
Re: Is Your Data Secure?
Quote:
Originally Posted by Pony99CA
Maybe the reporter doesn't have as many passwords as you do. If it works for him, why criticize that? He has encrypted it, after all.
|
Well, it doesn't work. He said he didn't have his data with him.
As to the RC4/PGP comments, you guys are dead on. I know what I am doing isn't 100% secure, but it is secure enough that few would bother cracking it. Trust me, what they got out of my file wouldn't be worth their effort. :lol:
I'm just asking people to use a bit of common sense. If they did, cracks/hacks/DOS attacks would be much less frequent and effective.

06-01-2003, 07:16 PM
Pupil
Join Date: Nov 2002
Posts: 14
If you are someone who needs the data on your Pocket PC 100% secure, then you need to use software that fully encrypts the device and memory cards. There are products from PointSec, Movian, BeCrypt and New Media Security that offer this. The latter, New Media Security, is available in the UK from www.pocketpc-solutions.co.uk

06-01-2003, 07:24 PM
Intellectual
Join Date: Feb 2003
Posts: 206
Re: Is Your Data Secure?
Quote:
Originally Posted by Ed Hansberry
As to the RC4/PGP comments, you guys are dead on. I know what I am doing isn't 100% secure, but it is secure enough that few would bother cracking it. Trust me, what they got out of my file wouldn't be worth their effort. :lol:
|
At question is your opinion that textfile using PGP is less secure than payware eWallet using RC4.
You can say eWallet is more convenient and has a better looking interface, but you cannot say it's more secure or cheaper than properly implemented PGP.

06-01-2003, 07:43 PM
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
Re: Is Your Data Secure?
Quote:
Originally Posted by TawnerX
At question is your opinion that textfile using PGP is less secure than payware eWallet using RC4.
|
Please show me where I said that because I will correct it instantly. As I reread my post I think the two points were made:
1) The author of the article keeps his data in a text file. I said it was secure but was not convenient, a point he himself made.
Quote:
I typed those digits, along with every other password I could remember, into a text file and encrypted it with the Pretty Good Privacy program. That's worked well for me . . . except when I've had to go home to log in to a site.
|
2) Knowing he has a Palm, I simply suggested using a product that could be used on both the desktop and PDA that would also keep his data secure, yet be more convenient. I used eWallet as an example because I use it and I happen to know they have a Palm version. There are other excellent Pocket PC apps like Code Wallet and I am sure there are half a dozen PalmOS only variants.
Now, everyone throws 128bit RC4 encryption around as if you could crack it on your PC in a few hours. I know in January 1999, RC4-40 was cracked in 8 hrs. Since RC4-128 keys are approximately 309,485,009,821,345,068,724,781,056 times harder to crack, it would take 1 trillion X 1 trillion (that is 1,000,000,000,000^2) years using the same computing power. Computing power has probably risen by a factor of 10 to 20 since that time. So I still think my data is safe. Is it as secure as PGP? No. But whether it takes you 1 trillion years squared or 1 billion trillion years squared to crack it, I could care less. All my info will be worthless by then anyway.
If anyone has data to show these numbers are invalid and you could crack a 128bit RC4 key in a few hrs, days or weeks, please post links. And no links to the articles a few months ago whereby 128bit SSL was "cracked" by having internal access to the network and sniffers in place watching the SSL connection being established and getting the key that way. Thanks.
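Added example (not part of any post in this thread): the brute-force scaling argued above, worked from the thread's datapoint of a 40-bit RC4 key searched in 8 hours, and extended to the earlier point that a password-protected key is no stronger than its password. The function names, the speed-up factors and the sample password shapes are assumptions made for illustration.

```python
# Added example: brute-force cost scaling from the thread's own datapoint.
from math import log2

HOURS_PER_YEAR = 24 * 365.25

# Datapoint quoted in the thread: a 40-bit RC4 key searched in 8 hours (1999).
BASE_BITS = 40
BASE_HOURS = 8.0


def keyspace_ratio(bits, base_bits=BASE_BITS):
    """How many times larger a `bits`-bit keyspace is than the baseline."""
    return 2 ** (bits - base_bits)


def exhaustive_years(bits, speedup=1.0):
    """Years to sweep a `bits`-bit keyspace at `speedup` x the 1999 rate."""
    return BASE_HOURS * keyspace_ratio(bits) / speedup / HOURS_PER_YEAR


def password_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password (the best case)."""
    return length * log2(alphabet_size)


def effective_bits(key_bits, alphabet_size, length):
    """An attacker searches whichever space is smaller: keys or passwords."""
    return min(key_bits, password_bits(alphabet_size, length))


if __name__ == "__main__":
    print(f"2^88 = {keyspace_ratio(128):,}")
    for speedup in (1, 20):
        print(f"128-bit key, {speedup}x 1999 hardware: "
              f"{exhaustive_years(128, speedup):.2e} years")
    # Constructed password shapes, not taken from the thread.
    for label, alphabet, length in [("4-digit PIN", 10, 4),
                                    ("8 lowercase letters", 26, 8),
                                    ("10 printable ASCII", 94, 10)]:
        bits = effective_bits(128, alphabet, length)
        hours = exhaustive_years(bits) * HOURS_PER_YEAR
        print(f"{label}: {bits:.1f} effective bits, "
              f"{hours:.2e} hours at the 1999 rate")
```

The password rows assume the encryption key is derived from or unlocked by the password, which the thread does not state for any particular product.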

06-01-2003, 07:44 PM
Pupil
Join Date: Apr 2002
Posts: 26
Quote:
Originally Posted by Glisson
...I find most solutions, like encrypting a txt file, too cumbersome. I need a solution that is fast and nearly invisible so to speak or I won't end up using it.
|
Sentry 2020 (www.softwinter.com) does exactly that. I have been using it for a few years now. Works like a charm.