Personal Internet Security System or "PISS" doesn't exist. It's a mindset that comes from knowledge. Stop looking for someone else's and handle your own. You have an antivirus? Firewall? Great! But the real threat comes from YOU, the user. That takes knowledge. I attached briefing slides for the typical user with minimal IT knowledge. Sometimes we all need a reminder that we are the ones who are the greatest threat to our networks. It's not nation states or other actors; we are the ones who inadvertently let them walk in.
2. ERROR!
THE SYSTEM DOESN'T EXIST!!!
Change your mindset.
You are the only protection for yourself on the Internet.
3. What is a Password?
Definition: a sequence of characters required for access to a computer system. It is stored on systems as a hash (often loosely called an "encrypted hash") rather than in plain text, to prevent unauthorized access.
Password = Encrypted Hash Stored
Example: Fluffy = 3d5ddc7000ad649a950c279fd559147c
4. 3d5ddc7000ad649a950c279fd559147c
A906449d5769fa7361d7ecc6aa3f6d28 == 123abc
E10adc3949ba59abbe56e057f20f883e == 123456
8bd7a1153a88761ad9d37e2f2394c947 == Love
3d5ddc7000ad649a950c279fd559147c == Fluffy
4ad6c928711328d1cf0167bc87079a14 == Hate
a870ca58701c25b7f210a4964f31ceae == airforce
5b9ea0931b3da1aa543ed41a03cacbd2 == Hairy
31ba6d3619a6d70c983151afa0764de4 == Military
How do password crackers work?
JTR (John the Ripper): Password List -> Target Password Hash. Every entry in the list is hashed the same way the system hashes passwords and compared with the target hash; a match reveals the password.
-- Password lists can be 10TB or greater!!!
-- Usually common passwords and words
-- Lists can be made for specific hobbies, careers, religion, etc.
-- More than one list can be run with JTR
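As an added example (not part of the slides), the Python script below shows what the hash == word list on this slide really is: the digests are unsalted MD5 hashes (e10adc3949ba59abbe56e057f20f883e is the MD5 of 123456), so a cracker only needs a table of word -> hash built once from a password list. It then shows why a salted, deliberately slow hash (PBKDF2 here) defeats that table: the same weak password produces a different stored value every time and each guess costs far more than one MD5 call. The wordlist is constructed from the words on the slide plus a few common passwords; `WORDLIST`, `build_lookup_table`, `lookup`, `pbkdf2_hash` and `verify_pbkdf2` are this example's own names.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed wordlist: the words from the slide plus a few common passwords.
# A real cracking list has millions of entries; the mechanism is the same.
WORDLIST = ["123abc", "123456", "Love", "Fluffy", "Hate", "airforce",
            "Hairy", "Military", "password", "letmein", "qwerty"]


def md5_hex(password: str) -> str:
    """Plain, unsalted MD5 of a password, as in the slide's hash == word pairs."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> word for every entry in the list.

    This is the weakness of fast, unsalted hashes: the table is built once and
    then answers any stored hash that happens to be a listed word.
    """
    return {md5_hex(w): w for w in words}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Return the word behind a stored MD5 hash if it is in the table."""
    return table.get(stored_hash.lower())


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).

    A random per-user salt means no precomputed table applies, and the
    iteration count makes each guess far more expensive than one MD5 call.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                  iterations: int = 200_000) -> bool:
    """Check a login attempt against the stored salt + digest in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # One hash copied from the slide, one computed here; the lookup is instant.
    for stored in ("E10adc3949ba59abbe56e057f20f883e", md5_hex("Fluffy")):
        print(stored, "==", lookup(stored, table))
    salt, digest = pbkdf2_hash("123456")
    # Same weak password, but the stored value is no longer in any table.
    print("salted digest found in MD5 table:", lookup(digest.hex(), table))
    print("login with correct password:", verify_pbkdf2("123456", salt, digest))
```

The salted hash does not make "123456" a good password; a cracker can still guess it directly. What it removes is the one-time table, so every stored password has to be attacked separately and slowly, which is exactly the cost the table on the next slide is about.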
5. Types of Passwords
The table below is calculated by assuming 1,000,000 encryption operations per second (or password guesses); this is a plausible number for a desktop PC in early 2007. Every 18 months the average PC will double its processing power, which would increase password guesses per second. The speed of PC-based password guessing will increase 100% every decade.
# of chars | lowercase letters | lowercase letters and digits | mixed case letters | single case letters with digits, symbols and punctuation | all the displayable ASCII characters, including mixed case letters
3 | 0.02 seconds | 0.047 seconds | 0.14 seconds | 0.33 seconds | 0.86 seconds
4 | 0.46 seconds | 1.68 seconds | 7.31 seconds | 22.7 seconds | 1.36 minutes
5 | 11.9 seconds | 1.01 minutes | 6.34 minutes | 26.1 minutes | 2.15 hours
6 | 5.15 minutes | 36.3 minutes | 5.59 hours | 1.25 days | 8.51 days
7 | 2.23 hours | 21.8 hours | 11.9 days | 2.83 months | 2.21 years
8 | 2.42 days | 1.07 months | 1.70 years | 16.3 years | 2.10 centuries
9 | 2.07 months | 3.22 years | 88.2 years | 1.12 millennia | 20 millennia
10 | 4.48 years | 1.16 centuries | 4.58 millennia | 77.6 millennia | 1,899 millennia
11 | 1.16 centuries | 4.17 millennia | 238 millennia | 5,352 millennia | 180,365 millennia
12 | 3.03 millennia | 150 millennia | 12,395 millennia | 369,303 millennia | 17,184,705 millennia
13 | 78.7 millennia | 5,410 millennia | 644,521 millennia | 25,481,886 millennia | 1,627,797,068 millennia
14 | 2,046 millennia | 194,728 millennia | 33,515,076 millennia | 1,758,250,151 millennia | 154,640,721,434 millennia
Is your Password Crack-able?
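To show where the figures in the table come from, here is an added Python example (not from the slides) that rebuilds it from first principles: the keyspace is charset_size ** length, and the worst-case time is that count divided by the guess rate. The slide does not state the size of each character set; the sizes 26, 36, 52, 69 and 95 used here are inferred from its figures (for example 26^3 / 1,000,000 = 0.018 s, and 95^4 / 1,000,000 = 81.5 s = 1.36 minutes). `CHARSETS`, `seconds_to_exhaust`, `human_time`, `rate_after_years` and `crack_time_table` are this example's own names; `rate_after_years` goes beyond the table and applies the slide's 18-month doubling assumption to show how the same password weakens over time.

```python
# Character-set sizes behind each column of the slide's table. The slide does
# not state them; they are inferred here from its figures (assumption).
CHARSETS = {
    "lowercase letters": 26,
    "lowercase letters and digits": 36,
    "mixed case letters": 52,
    "single case letters, digits, symbols and punctuation": 69,
    "all displayable ASCII characters": 95,
}

GUESSES_PER_SECOND = 1_000_000  # the slide's early-2007 desktop assumption

# Unit sizes in seconds. 365-day years reproduce the slide's rounding
# (e.g. 1,899 millennia for 10 ASCII characters).
_UNITS = [
    ("millennia", 1000 * 365 * 86400),
    ("centuries", 100 * 365 * 86400),
    ("years", 365 * 86400),
    ("months", 365 * 86400 / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Format like the slide: three significant figures and the largest fitting unit."""
    for name, size in _UNITS:
        if seconds >= size:
            value = seconds / size
            return f"{value:,.0f} {name}" if value >= 1000 else f"{value:#.3g} {name}"
    return f"{seconds:#.3g} seconds"


def rate_after_years(years: float, base_rate: float = GUESSES_PER_SECOND,
                     doubling_months: float = 18) -> float:
    """Guess rate after `years`, if speed doubles every `doubling_months` (slide's assumption)."""
    return base_rate * 2 ** (years * 12 / doubling_months)


def crack_time_table(lengths=range(3, 15)) -> list:
    """Rebuild the slide's table as rows of [length, time per character set...]."""
    rows = []
    for n in lengths:
        rows.append([n] + [human_time(seconds_to_exhaust(size, n)) for size in CHARSETS.values()])
    return rows


if __name__ == "__main__":
    print("chars | " + " | ".join(CHARSETS))
    for row in crack_time_table():
        print(" | ".join(str(cell) for cell in row))
    # The same 8-character mixed-case password a decade after 2007,
    # at the 18-month doubling rate: roughly 100x faster to exhaust.
    print(human_time(seconds_to_exhaust(52, 8, rate_after_years(10))))
```

Two things the rebuilt table makes visible: each extra character multiplies the time by the charset size, while widening the charset only multiplies it by the ratio of the set sizes, so length is the cheaper way to buy time; and the "centuries" in the right-hand columns assume a brute-force search, which is irrelevant if the password is a dictionary word that a wordlist finds in the first few million guesses.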
6. · Don't use passwords that are based on personal information that can be easily accessed or guessed (SSN, phone, name, job).
· Don't use words that can be found in any dictionary of any language. Password crackers use dictionary words to crack your passwords. It doesn't matter if you use "P@ssword" or "passw0rd": crackers try those substitutions too.
· Develop a mnemonic for remembering complex passwords (e.g. a keyboard pattern).
· Use both lowercase and capital letters.
· Use a combination of letters, numbers, and special characters.
· Use passphrases when you can, e.g. a sentence from your favorite book.
· Do NOT use 'password hints' at all. Example: "The color of Bart Simpson's hair". Umm... really?
· Use 10 or more characters for passwords.
· Use different passwords on different systems. If the hacker gets one, they'll have it all.
Keep in mind that if a hacker gets your username, they are already halfway into your account.
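The rules on this slide can be turned into a checker that a user (or a sign-up form) runs before accepting a password. The Python below is an added example, not from the slides: it implements the concrete rules above (length 10+, mixed case, numbers, special characters, no dictionary word, no personal information) and, for the dictionary rule, first undoes the common letter-for-symbol substitutions so that "P@ssword" and "passw0rd" are caught as the word "password". The dictionary and the personal details are constructed and tiny; a real checker would load a full wordlist. `check_password`, `normalize`, `DICTIONARY` and `MIN_LENGTH` are this example's own names, and the passphrase advice is not modelled.

```python
import re
import string
from typing import Iterable, List

# Constructed mini dictionary; a real checker would load a full wordlist
# (the slides note that cracking lists run to 10TB or more).
DICTIONARY = {"password", "fluffy", "love", "hate", "airforce", "military",
              "hairy", "welcome", "dragon", "letmein"}

# Common letter-for-symbol substitutions that crackers undo, so that
# "P@ssword" and "passw0rd" are still the word "password".
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 10  # the slide's "10 or more characters"


def normalize(password: str) -> str:
    """Lowercase the password and undo leet substitutions."""
    return password.lower().translate(_LEET)


def _letters(text: str) -> str:
    return re.sub(r"[^a-z]", "", text)


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the slide's rules that the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both lowercase and capital letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")

    lowered = password.lower()
    normalized = normalize(password)
    # Check the letters of both the raw and the de-leeted form, so that
    # "Fluffy123!" (raw) and "P@ssword" (normalized) are both caught.
    for form in {_letters(lowered), _letters(normalized)}:
        if form in DICTIONARY:
            problems.append(f"dictionary word: {form!r}")
            break
    for item in personal_info:
        if item and (item.lower() in lowered or item.lower() in normalized):
            problems.append(f"contains personal information: {item!r}")
    return problems


if __name__ == "__main__":
    # Constructed personal details that could be found or guessed about a user.
    me = ["Bart", "555-0100", "1985"]
    for candidate in ["P@ssword", "passw0rd", "Fluffy123!", "Bart1985#xyz", "Kq7#mVw2!pLz"]:
        result = check_password(candidate, me)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Passing the checker means the password is not trivially weak, not that it is strong; the table on the previous slide still applies, and reusing a passing password on several systems breaks the last rule above just the same.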
7. Why secure your home network?
-- Crackers will 'pivot' through your network, placing all blame on you
-- Crackers use the easiest targets: those without security updates and with weak passwords
-- Crackers work with stolen credentials, usernames, passwords. How do you think they get them? They use yours.
-- Crackers are funded by your bank account.
"Cracker"
Definition: Criminal Hacker. A person who illegally gains access to, and sometimes tampers with, information in a computer system.
8. How do Crackers get in?...
...very easily...
...if you're not protected.
9. To explain how to protect yourself, you need to learn 'what' to protect. Within one internet connection, there are 65,635 transmission ports to send and receive different services on your computer. Think of it like 65,635 straws inside of one large pipe. This is how you can send and receive email as you simultaneously surf the web and listen to online music. Listed below are some of the common standard ports:
Service | Transmission Port
Internet Explorer/Firefox/HTTP/HTML/unsecure web surfing | 80
Internet Explorer/Firefox/HTTPS/HTML/secure web surfing | 443
Download Email/Post Office Protocol 3 (POP3) | 110
Send Email/Simple Mail Transfer Protocol (SMTP) | 25
Music streaming/Pandora | 5000 or 6000
Network File Sharing | 139 and 445
So how do you protect yourself?
10. So how do you protect yourself?
Typical Firewall Setup
Definition: a firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules, and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.
-- Most commercial home routers have a standard built-in firewall included. However, it may not be turned on and may require the user to activate it.
11. WIFI Security: Why you should never use WEP
This is my WIFI with WEP security. I broke into it after 5 mins of setup time and 30 seconds to crack the WEP key. There are YouTube videos on how to crack WEP that are open to the public.
Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA). Sometimes used for malicious activity. Open WIFI and WEP encryption are the top targets.
12. Do's and Don'ts for Private Networks
Do's
-- Use a firewall or router for your private network.
-- Only open ports in the firewall if absolutely needed (e.g. if running your own website or public service from home). Be sure you know what you are doing with this. If unsure, block everything.
-- Install antivirus on all computers within your private network. This is free through the DoD Home-Use Program.
-- Only go to trusted websites. Usually .com, .mil, .gov, .org. This is usually a 'judgment call'.
-- Install operating system security updates at least once a week. These close vulnerabilities that can allow a Cracker remote access to your computer, either with a virus or directly, sometimes even with an active firewall installed.
-- Use WPA or WPA2 for WIFI security with a complex 10+ character password. Never use WEP security or an open WIFI, since these can be an open door for "wardrivers", which will allow them to use your network for malicious activity. This can place all blame on you if your ISP happens to audit your network traffic.
-- Be aware that some multiplayer games and internet software have little or no security and can open your network to Crackers.
Don'ts
-- Never go to websites that are vectors for viruses like porn sites, hacker sites, crack sites, game sites and file sharing programs. Most infected websites will install viruses and Trojans straight from the webpage itself. Installs will be invisible to the user. Antivirus software doesn't catch everything. Some viruses use "zero-day" exploits, which are exploits that are currently unknown to antivirus companies. If it seems 'dark' in nature, then it's probably a vector for viruses.
-- Stop using your Windows built-in administrator account to log in. Disable login privileges on this account. Enable a user account on Windows computers with limited install privileges and only invoke the admin account when installing software. This will allow the user to know if software is being installed without approval. This can stop most viruses and Trojans from being installed.
-- Never activate remote access to your router from the Internet. Why would you? This is just dumb.
Bottom line: If you are not sure, don't do it.
14. Review:
Personal Internet Security System doesn’t exist!
Password Etiquette
Private Network Security
Use WPA2 Only!
Google Hacking