Latest Updates
Things about Passwords you never knew. Number 3 will SHOCK you!
Posted by Rubin Bennett on 06 April 2017 11:32 AM
Passwords:  You hate them.  We hate them.  We make you choose strong ones, and then we make you change them.  You get frustrated.  We get frustrated.  We all agree that passwords, and managing them, suck.

There's an XKCD that we often quote:
https://xkcd.com/936/

It talks about the importance of entropy in passwords, and how what we think of as 'best practice' for passwords, isn't.

In the past year or so, we've done some experimenting around passwords, and as a result of our experimentation, we've adapted the approach in the XKCD comic slightly.

We love passphrases, but the problem with dictionary-word-only passwords is that password cracking tools keep getting better: hashcat and John the Ripper take word lists and lists of common phrases and apply combinator and substitution rules to them at enormous speed. (Rainbow tables, by contrast, only help an attacker against unsalted hashes and aren't the real threat to a passphrase.) It's a constant cat-and-mouse game.

Here's our current best practice for passwords that are strong and easy to remember. Use a phrase you'll remember, and do some simple letter substitutions. Sprinkle in some special characters (see the footnote about those!). Length trumps complexity; complexity is just a tool to push your phrase off the lists of common phrases, like "The quick brown fox jumps over the lazy dog", that crackers try first. Here's an example:
"this is my super secret email account"
According to KeePass, that has 96 bits of entropy.  Pretty good! But let's make it more secure.
"This is my super secret email account."
OK, we're up to 105 bits now, and we didn't make it appreciably harder to remember at all.
Now, if you use *consistent* substitutions, it makes it slightly harder to remember, but significantly more secure.
"!Th1s 1s my sup3r s3cr3t 3mail 4cc0unt."

We're now up to 138 bits of entropy according to KeePass. At one guess per second (the comic assumes a thousand), exhausting 2^138 candidates takes 2^138 / 31,536,000 seconds in a year ≈ 1.1 × 10^34 years, which equates to, roughly, a very long time. Even at the trillion or so guesses per second a multi-GPU rig reaches against a fast unsalted hash like NTLM or MD5, that is still on the order of 10^22 years: effectively uncrackable by today's standards, provided the estimate is honest (see the footnote on what KeePass is and isn't counting).

Here's what makes the above so hard for crackers: computers are very good at matching strings, but the number of possibilities grows exponentially with length. Each additional character multiplies the candidate count by the size of the character set (it doesn't square it), so a long password is exponentially harder to brute-force than a shorter one. Crackers don't brute-force passphrases, though: tools like hashcat take word lists and phrase lists and apply rules (capitalise the first letter, swap e for 3, append a full stop) to every entry, which is why a very common phrase, or a phrase of only two or three words, is weak no matter how it's decorated. Special characters in unexpected places cut down on those rules' success; they're a useful extra rather than the main defence. Pick enough words that you chose for no reason other than that you'll remember them, and you're golden.
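To make the two attacker models concrete, here is an added example (not code from the post, and not KeePass' estimator) that scores the post's own passphrase against an attacker who knows it is a sentence of dictionary words dressed up with the substitutions the post uses. The word-list size of 2048, the tiny prefix/suffix sets and the guess rates are assumptions chosen for illustration; the substitution rules are the ones the post applies.

```python
import math
from itertools import product

# Assumed size of the word list an attacker draws phrases from. The XKCD comic
# scores "correct horse battery staple" as 4 words from about 2**11 = 2048.
WORDLIST_SIZE = 2048

# The letter-for-digit swaps used in the post's example. Cracking tools ship
# rule files that try exactly these, so they cost the attacker very little.
LEET_RULES = {"i": "1", "e": "3", "a": "4", "o": "0"}

SECONDS_PER_YEAR = 31_536_000


def leet_variants(phrase, rules=LEET_RULES):
    """Every way of swapping some, all or none of the substitutable letters.
    Each substitutable position doubles the count, so a phrase with k such
    letters has 2**k variants; only 2**len(rules) of them apply each rule
    consistently, which is why 'consistent' substitution adds so little."""
    choices = [(c, rules[c]) if c in rules else (c,) for c in phrase]
    return {"".join(p) for p in product(*choices)}


def dressed_variants(phrase, rules=LEET_RULES,
                     prefixes=("", "!"), suffixes=("", ".", "!")):
    """What a rule-based cracker tries for ONE known base phrase: leet swaps
    times capitalise-the-first-letter times a few leading/trailing marks.
    The prefix and suffix sets are assumptions, kept tiny on purpose."""
    out = set()
    for base in (phrase, phrase[0].upper() + phrase[1:]):
        for body in leet_variants(base, rules):
            for pre, suf in product(prefixes, suffixes):
                out.add(pre + body + suf)
    return out


def phrase_model_bits(phrase, wordlist_size=WORDLIST_SIZE):
    """Entropy against an attacker who knows the password is a sentence of
    dictionary words dressed up with the rules above: bits for choosing the
    words plus bits for choosing the decoration."""
    n_words = len(phrase.split())
    return n_words * math.log2(wordlist_size) + math.log2(len(dressed_variants(phrase)))


def years_to_crack(bits, guesses_per_second):
    """Years to exhaust 2**bits candidates at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    base = "this is my super secret email account"
    target = "!Th1s 1s my sup3r s3cr3t 3mail 4cc0unt."   # the post's example
    pool = dressed_variants(base)
    print(f"rule-based variants of the base phrase: {len(pool)} "
          f"({math.log2(len(pool)):.1f} bits); post's password in pool: {target in pool}")
    bits = phrase_model_bits(base)
    print(f"word-list model for the same password: {bits:.1f} bits (KeePass said 138)")
    for label, rate in (("one guess per second", 1), ("assumed GPU rig, 10**12 per second", 1e12)):
        print(f"  {label}: 138 bits -> {years_to_crack(138, rate):.3g} years; "
              f"word-list model -> {years_to_crack(bits, rate):.3g} years")
```

Run as a script, it reports that the post's dressed-up password is one of 12,288 variants of its base sentence (about 13.6 bits of decoration on top of 77 bits for seven words, roughly 91 bits in all rather than 138), and that even so, at an assumed 10^12 guesses per second, the search still takes tens of millions of years. The margin comes almost entirely from the number of words, which is the post's point; the decoration is worth having but is not where the strength lives.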

Unless your password is stored in clear text, with reversible encryption, or as a fast unsalted hash somewhere (LinkedIn's 2012 breach leaked unsalted SHA-1 hashes, and attackers cracked a large share of them). In the clear-text case your entropy counts for nothing at all, and that brings us to our last words of advice for password management and security:

1. NEVER use the same password in multiple places.
2. Use a password manager. KeePass is free, Open Source, and cross platform.  It rocks.
3. Change your password whenever a site you use announces a breach, and at least occasionally on websites where you don't have any way to know how passwords are being stored.
4. Did we say NEVER use the same password in multiple places?

A footnote about the entropy measures in KeePass: they're imperfect, much like anything that humans are responsible for.  By KeePass' measure, "correct horse battery staple" has 99 bits of entropy, where Randall (the author and artist behind XKCD) only gave it 44 bits.  The two figures disagree because they assume different attackers: KeePass scores the characters, while Randall scores it as four words drawn from a list of about 2,048, and an attacker who knows you built a sentence from dictionary words gets to guess words, not characters.  Which estimator is 'right' therefore depends on the attacker you're planning for, and in my opinion the scores are really only useful as comparisons made with the same tool.  So don't compare Randall's 44 bits to KeePass' 99 bits; they're two yardsticks laid against the same passphrase.  It is useful to compare KeePass' 99 bits to its 138 for the dressed-up phrase, and there's a real increase there, though a smaller one than the numbers suggest: consistent substitutions, a capital first letter and a trailing full stop are exactly the rules cracking tools apply to every candidate.  And if you're really nerdy, we can argue about the effectiveness of case changes and other nuances of randomness somewhere else :)

A word about special characters:  We've decided that referring to the @ sign as the 'commercial at' is boooooring.  And no one can agree whether the # is a pound, number sign, or hash.  So we came up with a new nomenclature for them:  @ is a capital 2.  # is a capital 3.  Etc.  We may or may not have actually invented this convention, but since we've never heard anyone else use it we're going to take credit for it anyway!





Nifty 19th annual Open House and Customer Appreciation day!
Posted by Rubin Bennett on 06 September 2016 03:57 PM


Open House Flyer

It's that time of year again, we hope we'll see you here at the nerd-plex!

September 14th, 2016 from 1:00PM - 4:00PM!





Happy Sysadmin day (July 29th)!
Posted by Rubin Bennett on 29 July 2016 10:29 AM

Obligatory IT Crowd reference

Today is the 17th annual System Administrator Appreciation Day (the first one was held in 2000)!

We have an amazing team of engineers here who do their absolute best every day to ensure that your systems and networks are running smoothly and just get the heck out of the way so you all can do what you do.  I know that I'm unbelievably appreciative of our team and the work they do.

One of the paradoxes of I.T. work is that when everything is running smoothly, our customers wonder what we do all day.  And perversely, when things go wrong our customers wonder... what we do all day.

So today we'll peel back the veil of secrecy around I.T. and admit that several years ago we actually programmed robots to do our work, and most days we sit around the office eating pizza and drinking beer, with the occasional coffee or Frisbee break in the hangar (can't be outside too much or people will catch on!).

If only...

The reality is that our jobs are interesting, demanding, and occasionally deeply frustrating.  We manage ever more complex systems and networks, and our users have more and more complex requirements from a technological perspective.  We spend enormous effort on staying current on our skills, anticipating what's coming, and ensuring that we're consistently delivering the absolute best quality support and customer service that we possibly can.  And while we're human and by definition imperfect, we do a pretty darn good job overall.

So, as a team of nerds and sysadmins, we demand cake.  And Ice Cream.  And gifts, and words of gratitude. But mostly gifts.


Further reading if you're so inclined (No links to Amazon wishlists, we promise!)
http://sysadminday.com
http://www.theregister.co.uk/2016/07/29/happy_sysadmin_day/
https://en.wikipedia.org/wiki/System_Administrator_Appreciation_Day

Lastly, the photo above is a screenshot from the BBC sitcom 'The IT Crowd', which is required watching if you have any contact with nerds:
https://en.wikipedia.org/wiki/The_IT_Crowd




Trouble with Microsoft update KB3161608 for Windows 7 and Server 2008
Posted by Rubin Bennett on 27 June 2016 09:57 AM

Hi folks

We've had a handful of reports of issues with a recent patch (released last week).  It's a Windows 7 and Windows Server 2008 "optional" rollup that includes among other things a fix for the Poodle vulnerability. It's causing issues with Outlook when used with certain mail server software and has also caused issues with credit card processing software.  Removing a patch for a known vulnerability is usually a Bad Idea and we tend to be very reluctant to do it.  However, there have been a handful of sites where the business impact of the update created a critical stoppage, and removing the update was warranted as a temporary fix as we work with outside vendors to update their TLS and SSL handling routines.

If you're experiencing issues like the ones described above, please contact the team.  If you're under our Perception managed services program, we can automatically remove and decline that patch from all of your systems in a matter of minutes, and functionality will be restored.

If you have any questions, please get in touch!
Rubin & the rbTech team


Sources:

Technet KB article describing the update: https://support.microsoft.com/en-us/kb/3161608

Microsoft support forums thread about the issues: http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/problems-with-kb-3161608-and-kb-3161639/2cd5ffb3-c203-4080-872f-73de1a96e080

Issues with vSphere inventory service: http://www.techezone.com/question/kb3161608-kb3161639-breaks-vsphere-client-inventory-search-2/


Further reading:

Poodle vulnerability CERT posting: https://www.us-cert.gov/ncas/alerts/TA14-290A

Google results about Poodle: https://www.google.com/?q=poodle%20vulnerability





"Locky" Virus making the rounds
Posted by Rubin Bennett on 18 March 2016 10:01 AM

It's a new year, and there's a new virus that's making the rounds.

If you receive email, often purporting to be from yourself or someone within your company, that contains invoices as either attachments (usually .zip files) or links to a Dropbox URL, be very suspicious. 'Locky' is a relatively new ransomware family in the same mould as CryptoLocker: it encrypts your data with keys that only the attackers hold, so the files cannot be decrypted without them. It encrypts local data and also data on network shares the infected computer can reach, including shares that aren't mapped as drive letters. Once the files are encrypted, the only recourse is to restore them from a backup after the infected computer has been cleaned up, so make sure your backups aren't sitting on a share that an infected machine can write to.


We're seeing a significant uptick in the number of infections, and awareness is the most important way to prevent yourself from becoming the next victim. Infections are easy to prevent by being cautious with email: treat any message carrying a .zip attachment or a link to a file-sharing site with suspicion, especially an unexpected 'invoice', and check with the sender by phone or in person before opening it.
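As an added example (not code from the post or from rbTech), here is a small Python triage script that applies the indicators described above to raw messages: a From address that is the recipient's own, a From address in our domain but a Return-Path handed in from outside, a .zip attachment, and a Dropbox link in the body. The organisation domain example.com, the sender addresses and the two sample messages are constructed for the demonstration; the "archive" is a few placeholder bytes, not a real file.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own mail domain. Mail that claims to come
# from here but was handed in by an outside server is the "from yourself"
# lure the post describes.
OUR_DOMAIN = "example.com"
ARCHIVE_SUFFIXES = (".zip",)
SHARE_LINK = re.compile(r"https?://(?:www\.)?dropbox\.com/\S+", re.IGNORECASE)


def address_of(header_value):
    """'Jane Doe <jane@example.com>' -> 'jane@example.com' (lower-cased)."""
    return parseaddr(str(header_value or ""))[1].lower()


def domain_of(addr):
    return addr.rpartition("@")[2]


def triage(raw_message):
    """Return the list of reasons a message looks like a Locky-style lure.
    An empty list means none of the post's indicators fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []

    sender = address_of(msg.get("From"))
    recipient = address_of(msg.get("To"))
    return_path = address_of(msg.get("Return-Path"))

    if sender and sender == recipient:
        reasons.append("From address is the recipient's own address")
    if (domain_of(sender) == OUR_DOMAIN and return_path
            and domain_of(return_path) != OUR_DOMAIN):
        reasons.append(f"From claims {OUR_DOMAIN} but Return-Path is {domain_of(return_path)}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_SUFFIXES):
            reasons.append(f"archive attachment {name}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in SHARE_LINK.findall(text):
        reasons.append(f"file-sharing link {url}")

    return reasons


def build_sample(from_addr, to_addr, return_path, subject, body, zip_name=None):
    """Assemble a constructed test message; the 'archive' is placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Return-Path"] = return_path
    msg["Subject"] = subject
    msg.set_content(body)
    if zip_name:
        msg.add_attachment(b"PK\x03\x04 placeholder, not a real archive",
                           maintype="application", subtype="zip", filename=zip_name)
    return msg.as_string()


# Constructed samples, not captured mail.
LURE = build_sample(
    "Jane Doe <jane@example.com>", "jane@example.com", "<bounce@mail-blast.invalid>",
    "Invoice 4471 - payment overdue",
    "Please review the attached invoice or download it here:\n"
    "https://www.dropbox.com/s/x9q7/invoice_4471.zip?dl=1\n",
    zip_name="invoice_4471.zip")

BENIGN = build_sample(
    "Pat Vendor <pat@supplier.invalid>", "jane@example.com", "<pat@supplier.invalid>",
    "Meeting notes", "Notes from Tuesday are in the shared folder on our server.\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

Run as a script, the lure trips all four indicators and the benign vendor mail trips none. The Return-Path check is the one worth keeping in a real mail filter: a message that says it is from your own domain but arrived via someone else's server is suspicious regardless of what it carries.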


If you have any questions, comments, or concerns, please don't hesitate to contact
your tech team here at the office!

Thanks as always for making rbTech your trusted I.T. provider!

Sincerely,

The rbTech team
rbTechnologies, LLC

References:
http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/