
Password Security

BSides Bolivia · 2021 · 51:41 · 26 views · Published 2021-12 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
Vladimir Urquiola Mamani. Conference date: 29/12/2021, 22:00 hrs (Bolivia). From the Electronic Engineering program of the Universidad Mayor de San Andrés, specializing in telecommunications. He also has knowledge of ethical hacking, network design and implementation, databases, languages such as Java and Python, operating systems such as Linux and Windows, structured cabling, fiber optic & GPON installations, information security, and technical-level knowledge of business administration, with certifications from entities such as AXIOM (USA), EDUCATION IT (Russia/Ecuador), CERT-In (India), CISA (USA), HACKING BOLIVIA (Bolivia), among others. Conference: PASSWORD SECURITY
Transcript [en]

...network design and implementation, databases, languages like Java and Python, operating systems like Linux and Windows, structured cabling, knowledge of fiber optic and GPON installations. I also have knowledge of computer security and technical knowledge of business administration. I have several certifications from entities like AXIOM from the United States, Education IT, which is from Russia and Ecuador, CERT-In from India, CISA from the United States and Hacking Bolivia from my country, Bolivia, among others. The conference I'm going to give today is about password security, and we're going to talk about the security that passwords should have. How do you generate secure passwords? What security measures should be taken into account? We all know that generic passwords

or default passwords such as 1 through 6, 1 through 9, or ABC1234, or even the email itself as a password, are really terrible. Today we are going to touch on this topic: the bad practices we have when generating a password, the dangers that arise from being vulnerable, I mean what can happen in the event that an intruder, an attacker, a computer hacker, a cyber-criminal obtains the password. Then we will talk about what measures we can take so that our passwords are not vulnerable, and what recommendations should be followed when creating passwords. So, what happens when they manage to obtain your passwords? We are going to talk about three levels: the personal level, the corporate level

and the governmental level. What can happen? Let's explain it at the personal level. What can happen when a person obtains your password? An actor who manages to obtain your password, for example from a social network where you have your personal data, can impersonate your identity. They can send messages to your friends and try to bully them. They can also perform social engineering with your identity and obtain information from your contacts. And this can be very serious for a person, because it can even happen that people see it badly or treat it as a scam, so their reputation will go down. But let's go a little further. What if the password they get is that of your personal email? We

live in an era in which email has become a tool to, for example, open accounts at banks. If an attacker obtains this information, he will already know which banks you operate with, because nobody else can know which banks you are registered with or have your accounts at. He can see what notifications arrive from the bank, what transactions were made at the bank; he can even see pages where it is linked, such as access to games or access to education platforms, among several things that the attacker can see. So, when you see these examples, you can think that the password is the key, that it not only opens a door, but opens a world of possibilities,

sorry, a world of things that you can have. Any information about you is considered your data, and any information that you may have in those places is an advantage for cyber criminals or attackers. At a corporate level, the actor can damage the reputation of the company; he can send phishing messages; he can exploit his identity to carry out social engineering or scams. He can also obtain the data of the clients, suppliers, products, or the bank accounts that are managed within the organization. Therefore, once a person is vulnerable within an organization, it is dangerous and creates the risk of suffering losses. At the government level, here we can talk about hackers and cyber terrorists or cyber attackers. One of these attackers can

harm the safety and well-being of citizens. For example, in this time of pandemic, and today is December 29, 2021, imagine that an actor manages to enter the Ministry of Health's servers and can access the configuration of the COVID certificates. In this transition, in this world that is being affected by COVID, they are now asking for a vaccination card to travel, to enter certain places and to move around; technically some freedoms have been limited because some people do not have a vaccination card. But for those who do have a vaccination card, these attackers can generate discomfort. How? They can give away the database, or they can modify it to their liking so that there is confusion among people, and this can generate discomfort in

people and insecurity within them, because we know that not only does the vaccination certificate certify that you are vaccinated, but there is also personal data linked to that information, what blood type you have or what your ID number is, very sensitive information that can be stolen by them. What these people always go after is people's well-being. Even within web pages, hackers can put the famous "hacked by" or a defacement on the pages, and that also generates a bit of discomfort among the people who browse government pages. So these are the things that can happen if, let's say, passwords become vulnerable. But well, now we are going to see more examples of how these actors perform these types

of attacks. As we can see here, these are the consequences of a security breach: reputation is ruined, there is vandalism, there is theft, loss of income, property damage. All these things listed here can be the consequences of your security being violated. Your reputation is ruined in the case that the criminal wants to do social engineering or a scam in your name. Vandalism: they can do several things with it. One that I know of is that they can subscribe you to things that you are not interested in, or they can get things that you are not interested in. Robbery: this is more related to fraud, because they can steal your identity and ask for

your family's money. Loss of income in a company due to the breach of your clients' data. Because imagine this: if you know which suppliers or which clients company X works with, this information becomes valuable for the attacker, and this information can be sold to another company in the same sector, telling them, you know what, I have the clients who are with that company and I can sell it to you at this price. And you can offer them better things, because they offer you this, they offer you that product that has this advantage, or they offer you this thing. Things like that. And obviously the customers will go to whoever offers them something cheaper and better. So

that is reflected in income loss. Damaged intellectual property: sometimes cyber criminals are also looking for the novelties of the products. For example, if product X has an improvement that is an advantage over the competitors, they can sell that information and tell them, you know what, that product is having an X advantage, see how you can improve on it, and sell this information for a certain amount of money. So what cyber criminals are looking for, as we have seen on the previous slide, is to get money, to get profits, to get benefits that can help them. How do attackers get passwords? And we are going to talk at this point about three ways in which

the attackers get passwords. One is social engineering, then scareware, and the man in the middle, the MITM. Let's start by talking about social engineering. Social engineering is an access attack that tries to manipulate people into performing actions or divulging confidential information. This is done through three types of social engineering attacks, as we can see: pretexting, tailgating and something for something. Pretexting refers to the attacker calling a person and lying to them in an attempt to gain access to their privileged data. An example of this could be me. Well, I'll give you two examples. As an attacker, I can call a person who I know works at company X, and I can tell him: "Hey, you know, I

need you to give me your account number, the bank you are with and your ID card to deposit the money I owe you. Send it to me urgently or I won't pay you." And one, out of fear, out of the rush, does not think about it and gives this information because it is urgent; that is, not being paid already generates a very great susceptibility in oneself, right? Another one they can use is the one where your boss calls you: "I'm your boss, I need access to your computer through remote control or a server, give me the passwords so we can go in and see. If you don't give it to me now, I'll send you a memorandum for not fulfilling

your duties and I'll fire you." Well, in that case, what do you do? I mean, out of fear or intimidation, they can get to know that, but this information is known through social engineering. So, by seeing what behavior the person has, if they answer the phone quickly or if they answer messages quickly. And the social engineer doing this task, it is not a task from one day to the next, it is a constant task of observing how the person behaves in the face of certain circumstances, in the face of certain factors, and it is an attack that they have been carrying out for a long time, above all in this time of

pandemic, because many of us have been shut in. And it is easy to attack people who are afraid for their job or don't know what to do, what they have, or what they are going to get from that information. Or, browsing in certain places, they are prone to clicking everywhere, and they don't know what they are clicking on at the end of the day. They don't know where the pages are redirecting them, if there is something they are downloading, and well, things like that. Now let's talk about tailgating. This happens when an attacker quickly follows an authorized person into a secure place. For example, and this is seen in information security, imagine

a room where you have the servers of a company, where you only have a door with a key, like in the movies, right? One opens the door, the authorized person enters, and people enter from behind, with their computers, with network cables, to access the servers directly. That would happen if, let's say, physical security is not applied in the place, if you do not have security cameras, if you do not have biometric or password access; this can be applied in this type of place. Something for something, the quid pro quo, which is in Latin. That is when an attacker requests personal information from a party in exchange for something, for example, a gift. At this point we can cover who is

prone to being breached, to being attacked by this type of social engineering attack. Something very common, that has been seen a lot in this time, has been online players, gamers. For example, today's games, and we have to be very honest, are mostly pay to win. You pay and you win. With this you get, I mean, pay to win, with this you get the latest improvements, not for free, but fast: the best skins, advantages over your opponents, and things like that that are attractive to gamers. In that sense, we can see that they are good targets, because imagine that in an ad, or in an electronic ad, when they know that you are playing game X, they put to you:

"receive this amount of money to buy this improvement or this skin" or "get 10 dollars for your games on Google Play"; you just have to watch ads or comment on a video, and one says, "oh yeah, so I have that video, I can watch the ad, I can watch the video, I have time, it's 10 minutes, 15 minutes, an hour for 10 dollars or for what I consider I need from the game, I'm going to do it," and you click on it, they ask you to download some things, and in the end, let's say, to get your reward they ask you to log in. You log in, but most people

use one email for everything: for Facebook, for their games, for the bank. So, usually people are not used to using different email accounts for different things, or different passwords. So they are prone to being attacked by this attack, they are prone to this vulnerability. Because of the ambition that drives them, because of the need, they just put their data in and they are already vulnerable. It may be that some are more cautious and say, "I'll put another email, maybe I won't put anything." And maybe the recommendation is that if you get a link that asks you for something or tells you that you are going to win something, remember, nothing is free in this life, nothing is free. What you are selling them is your information,

information that is valuable. In the world of cybersecurity, any type of information, whatever it is, is gold for the attacker. Also in this type of attack, students are prone to be attacked, or those who are looking for certain information that, I don't know, there is not much documentation on. For example, let's say we are looking for some information that the teacher has left us, at any level, whether it is master's or doctoral, and we don't find that information, and we find it in hidden links, that is, in the search engine, we are already on the tenth page of Google results, and we have just found something about that topic that they have asked us for. And already, this one

asks me to log in, or "I'm going to give you all my cookies". "It's something reasonable for something I need, urgently." So the cyber attacker takes advantage of this type of vulnerability, that out of need, that is, because you want something and you need it urgently, you either log in with your account or with an email, and they learn your email and the password that you use for everything, or you give something in return, like personal information: I mean, log in and give us your ID, give us your birth certificate, personal information, in exchange for more of the information you need. Now let's talk about scareware.

Scareware is a type of malware that is designed to persuade the user to perform specific actions based on fear. Scare, from fear, right? Scareware forges a pop-up window that resembles the system dialog windows, as we can see here in the image, with the objective that you perform actions, that you are forced to perform actions: that you download this application so that everything goes back to normal, download this antivirus, or download this program so that your computer stops being slow and gets faster, because they have supposedly detected this problem. In reality, what happens in this situation is that the software has not performed any action; it has simply forged the pop-up window and is asking you to download software that may have malware inside

it. So if you accept downloading this type of executable file, you are already accepting the risk of what they are going to do to you, of how they are going to harm you. What types of malware can infect your device through this type of attack? We have the rootkit, spyware, virus, or Trojan. The rootkit, more than anything else, is one of the most dangerous malware. Well, they are all dangerous, but the rootkit in this case is very dangerous because it can modify the operating system to generate backdoors. This can generate problems because it can open ports on your computer that are not open to the network in order to exploit it. Spyware is generally bundled

with legitimate software, and this malware is designed to track the user's activity. The virus is malicious code that is added to executable files, and the Trojan, the most well-known malware, executes malicious operations under the appearance of a legitimate, desired operation. So these are the types of malware that can infect you if you fall for the scareware. And the man in the middle technique. This is a more invasive technique. You need to be inside the victim's network to carry out this type of attack. If it can be done, it can be done. It allows the attacker to take control of a device, in this case a modem, a router, without the

knowledge of the user. With this level of access, he can intercept and capture information about the user before transmitting it to the network, to its destination. The attackers who use this type of attack to steal information use it to steal financial information. There are many malware techniques to provide these man-in-the-middle capabilities, as they are called in English, to the attackers. For obvious reasons, we are not going to name any here. Now, what can I do, I mean, how can I see whether I'm infected? Let's say I didn't know about this topic and today I have the knowledge and I want to know what indicators I can have to know that my computer or my

device has been compromised. We can see that there is a... The symptoms of malware are: there is an increase in CPU usage. You can see this in the task manager of your computer. A decrease in your computer's speed: your computer becomes slower or doesn't start as it did before. The computer freezes or fails frequently. There is a decrease in web browsing speed. There are inexplicable problems with the network connection. Files are modified or deleted. There is a loss of files or programs, or there is a presence, sorry, of unknown files, programs or desktop icons, that is, you have never seen them. Unknown processes are executed, which you can also see

in the Windows task manager. The programs close or reconfigure themselves. Emails are sent without the knowledge or without the consent of the user. So, these types of situations can be generated by not having a safe password, by having your data vulnerable. What can you do? What measures can we take to avoid creating an insecure password? Well, if you are one of those people who at work or at home has passwords stuck on little papers, on stickers, on your desk, on the wall or on your computer, don't do it anymore and destroy those papers; don't throw them in the trash, destroy them. Don't keep the

default credentials. If, let's say, you log in to place X and they give you a default password, change that password, change it immediately. You should always use unique passwords for each online account. We will talk about that later, because I know it is tedious to figure out how to store them, because we are all already in the online world, right? We have educational platforms, our own courses, our social networks, which are no longer limited only to Facebook: some have Twitch, others have other types of entertainment sites, which ask you to log in, and for each of those networks you have you need to have a password. Replace the passwords at least twice a year. We are already ending

2021 and it would be good to do it now. We are going to talk about the rules for generating safe passwords. We are going to base ourselves on the recommendations given by the National Institute of Standards and Technology of the United States, NIST, which says this; if you want you can go to the NIST page, these recommendations are there. The recommended length is from 8 to 64 characters, that is, it cannot be less than 8 or greater than 64. The types of characters: non-standard characters, like emoticons, are allowed when possible, that is, some pages allow us to put emoticons in the password, little

hearts, happy faces. Construction: long passphrases are recommended, and they should not coincide with the entries in the prohibited password dictionary. What do you mean by dictionary? In the world of cybersecurity, when they do a pentest, they do reconnaissance, or they do a technique called user compilation or user enumeration. It is seen what type of people may be in company X, and the type of logins they have is verified, that is, of authentications. For example, let's say we know that Juan Perez works at company X, so we take Juan Perez. Possible emails or possible logins or possible credentials: jperez, juan.perez and all those that are derived. And within those files that are generated, default passwords are also generated,

since there is a huge dictionary of default passwords; there are about 10,000 passwords, if I remember correctly, inside that dictionary. And they test them one by one, using pentesting techniques, to see if any user of that company has a default password. Reset: that is, this point is required only if the password is compromised or forgotten. I mean, I don't recommend resetting passwords, but changing them. Multi-factor enabled in all applications, except the least sensitive ones. I mean, it refers here at this point to the fact that multi-factor must be in place for each login you have, if two-factor authentication is allowed, because there are accounts that you may have that do not allow two-factor authentication. So, within those common passwords, for

example, the passwords that you should not use are these, right? All these passwords that are here have been breached. You can check this on iHub.net to see if they have been breached. You can even check on that page whether your password, or the password you are going to use, has been breached or has been used somewhere. There are also several password checkers. Kaspersky has its own to check passwords and see the weakness or strength of each one. And these are passwords that can be used, that is, they are examples of strong passwords. There we can see acceptable, good and better levels. What recommendations can we give? As I said a few minutes ago, there are several passwords to remember, and it is

very tedious to remember all the passwords that one generates, and we know that using a single password is not recommended for your security. You can use password managers and use a strong master password for this. How do password managers work? Imagine a box, a little box with a key, with one of those very good locks, the ones that have four tumblers and all that, and inside are your passwords. So when you require a password for Facebook, Udemy, Platzi, Google itself, it only requires having the key to that box, opening it and looking for the password you need; this is how password managers work. Using temporary emails like JobMate, or having a HoneyPort email that doesn't have your personal data, I think is a

good alternative in case you find yourself with some login that needs your authentication, that they are demanding, right? I mean, you create a temporary email, with the name you like, or if you want you can put the default name. I'll show you an example when I finish this. And that temporary email is an email that, and Yahoo, which you can use since you don't need to put a lot of personal data; you can even put a false name. But the point is that you use that email to do that kind of thing, to link it to places that you are not going to enter very often, or places where they can send you subscriptions or ask you to subscribe. It is important to have an email for that.

Use two-factor authentication. This is very important because your password can be compromised. The attacker can have your password, but with two-factor authentication he will require one more step to be able to access your email or the data he wants to obtain. There are several ways, there are several kinds of two-factor authentication. One is through SMS. Another is, let's say, through verification from another email to which you are also linked. Prioritize the information of your accounts where you have personal information. Here it is referred to at this point that the email that you use for your bank, for your social networks and for everything that can have personal information, put more emphasis on it, that is, instead of changing the password twice

a year, change it three or four times and get into the habit of doing it. And you have to remember that no matter how strong your password is, the possibility of an attack is always latent. The site where you have placed your password can be vulnerable, Google can be vulnerable, the same browser in which you save your password can be vulnerable. And that's why it's also recommended to always keep the browser updated or use uncommon browsers. For example, there are tools that allow you to download the entire history of your browser. If an attacker manages to log in to your machine, he can see the pages that have been visited, the session cookies, the saved passwords, everything you have stored,

but only from common browsers like Google, Firefox, the old Internet Explorer; but with less common browsers like Vivaldi, Yandex, the new Microsoft browser, they are browsers that attackers do not have techniques to access, or their history. So, to continue with this presentation, we are going to put into practice that part about the password manager. To do this I'm going to enter, I'm going to stop sharing here. This is LastPass, it's a password manager. That's the login part. I'm going to put the link on the screen in the chat so that you can enter. We need an email, and in this case
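The NIST-style rules the speaker lists (8 to 64 characters with emoticons allowed, long passphrases, nothing that matches the prohibited password dictionary, and nothing an attacker could derive from user enumeration such as jperez or juan.perez) can be turned into a checker. This is an added Python example, not code from the talk, from NIST or from any password manager; the blocklist is a constructed stand-in for a real breached-password list, and the way name and service variants are generated is this example's own assumption.

```python
import unicodedata

# Constructed stand-in for the "prohibited password dictionary" the talk mentions;
# a real breached/common-password list runs to many thousands of entries.
BLOCKLIST = {
    "123456", "123456789", "abc1234", "password", "qwerty", "contraseña",
    "letmein", "welcome1", "admin123", "bolivia",
}

MIN_LEN, MAX_LEN = 8, 64   # NIST SP 800-63B: at least 8, accept at least 64


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalization (NIST recommends this before hashing),
    so the same passphrase typed with composed/decomposed accents compares equal."""
    return unicodedata.normalize("NFKC", password)


def password_length(password: str) -> int:
    """Length in Unicode code points: an emoji or an accented letter counts as one
    character, so passphrases with little hearts and happy faces are measured fairly."""
    return len(normalize(password))


def context_words(full_name: str = "", service: str = "") -> set[str]:
    """Login-style variants an attacker would enumerate for a user, following the
    talk's example (Juan Perez -> jperez, juan.perez, ...), plus the service name.
    Which variants to generate is an assumption of this example."""
    parts = full_name.casefold().split()
    words = set(parts)
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        words.update({first[0] + last, f"{first}.{last}", first + last, f"{first}_{last}"})
    if service:
        words.add(service.casefold())
    return {w for w in words if len(w) >= 3}   # skip initials and short tokens


def evaluate_password(password: str, full_name: str = "", service: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is acceptable.
    No composition quotas (uppercase/digit/symbol) are enforced, in line with NIST."""
    pw = normalize(password)
    folded = pw.casefold()
    reasons = []
    n = len(pw)
    if n < MIN_LEN:
        reasons.append(f"too short: {n} characters, minimum is {MIN_LEN}")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} characters, maximum is {MAX_LEN}")
    if folded in BLOCKLIST:
        reasons.append("appears in the prohibited password dictionary")
    else:
        # The most common "tweak" of a dictionary word is a trailing digit or symbol;
        # strip that suffix and consult the dictionary again.
        stripped = folded.rstrip("0123456789!@#$%*.?")
        if stripped and stripped in BLOCKLIST:
            reasons.append(f"is the dictionary password {stripped!r} with a suffix")
    for word in sorted(context_words(full_name, service)):
        if word in folded:
            reasons.append(f"contains the enumerable context word {word!r}")
            break
    if n and len(set(folded)) <= 2:
        reasons.append("repetitive: only one or two distinct characters")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: two from the talk's "never use" list, one enumerable
    # login with a year appended, and one long passphrase with an emoji.
    for candidate in ("123456", "password1", "jperez2021", "Cielo azul sobre La Paz ❤️"):
        verdict = evaluate_password(candidate, full_name="Juan Perez", service="banco")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```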
