News Articles

How many passwords do you have? According to a study done by the NTA Monitor in 2002 the average computer user has 21 different passworded accounts. Twenty-one! And that was before Facebook, Twitter, or any other social networking tool. I personally have well over 100 distinct account credentials on various websites and servers.

It’s no wonder that many users resort to picking easily guessed words, put passwords on sticky notes, or use the same password for every service out there. A recent study even indicates that IT security professionals are suffering from password fatigue.

Password Managers

One solution to password fatigue is using a password manager. Many operating systems, like OSX and Windows 7, even include built-in password management tools. My personal favorite is KeePass, an Open-Source manager that was developed for Windows but has been ported to OSX and Linux.

The main drawback with password managers is that they require extra effort to maintain. Every time you create a new account or change a password on an existing account you have to keep your password manager in sync. Over time it is easy to have the wrong password on file, or worse, not have the password you need on file.

Password Schemes

An alternative to password management tools is coming up with a consistent scheme for generating new passwords. The idea is that if you always use the same rule for generating passwords, you can reconstruct any password later from the rule alone. One scheme is to use a base password, then append something related to the service. For example, your base might be ‘asdf’. If you were creating an account on Yahoo you might use the password ‘asdfyahoo’ or ‘yahooasdf’.

The drawback with this approach is that each site has its own password guidelines. Some require alpha and numeric characters, some require a combination of upper case and lower case, and others require extended characters like ‘$’ or ‘&’. Coming up with a scheme that supports all the requirements is a challenge. And what about services that require your password to change regularly? Either you have to create multiple base passwords or multiple service keywords – and once you do that you are back to keeping track of individual passwords.

Choosing Memorable Passwords

A third option is picking passwords that are easy to remember. The challenge is in picking a password that is both easy to remember and secure. For example, while everyone can remember ‘password,’ it is not a very secure choice.

One trick is to pick a phrase that can be remembered such as ‘The fox jumped over the tall hedge’ and use the first or last characters from each word. So in our example phrase you might use the passwords ‘tfjotth’ or ‘exdrele.’

While this approach makes passwords easier to remember, you still should not use the same password for every service, so it makes sense to pick a few phrases that can be remembered and cycle through them.
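To make the tension between the two schemes concrete, here is an added example (written for this page, not code from the original post) that builds passwords the way the "base plus service" and "phrase acronym" schemes describe, then checks each result against a handful of site policy rules. The four policies are constructed for illustration and do not represent any real site's rules; the helper names are my own.

```python
"""Added example: generate scheme-based passwords and test them against
typical site password policies to see where each scheme falls short."""
import re
import string

# Constructed policies for illustration only; real sites' rules vary.
POLICIES = {
    "minimal": {"min_len": 6},
    "alnum":   {"min_len": 8, "need_digit": True},
    "mixed":   {"min_len": 8, "need_digit": True,
                "need_upper": True, "need_lower": True},
    "special": {"min_len": 10, "need_digit": True, "need_upper": True,
                "need_lower": True, "need_special": True},
}


def acronym_password(phrase, position="first"):
    """Take the first or last character of each word in a memorable phrase."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    if position == "first":
        return "".join(w[0] for w in words).lower()
    if position == "last":
        return "".join(w[-1] for w in words).lower()
    raise ValueError("position must be 'first' or 'last'")


def scheme_password(base, service, base_first=True):
    """Combine a base password with a service keyword, in either order."""
    return base + service if base_first else service + base


def policy_failures(password, policy):
    """Return the names of the policy rules the password does not satisfy."""
    failures = []
    if len(password) < policy.get("min_len", 0):
        failures.append("min_len")
    if policy.get("need_digit") and not any(c.isdigit() for c in password):
        failures.append("digit")
    if policy.get("need_upper") and not any(c.isupper() for c in password):
        failures.append("upper")
    if policy.get("need_lower") and not any(c.islower() for c in password):
        failures.append("lower")
    if policy.get("need_special") and not any(c in string.punctuation for c in password):
        failures.append("special")
    return failures


def evaluate(password):
    """Map each policy name to the rules this password fails (empty = accepted)."""
    return {name: policy_failures(password, pol) for name, pol in POLICIES.items()}


if __name__ == "__main__":
    phrase = "The fox jumped over the tall hedge"
    for pw in (scheme_password("asdf", "yahoo"),
               scheme_password("asdf", "yahoo", base_first=False),
               acronym_password(phrase),
               acronym_password(phrase, "last")):
        print(pw, evaluate(pw))
```

Running it shows the point the text makes: ‘asdfyahoo’ satisfies the minimal policy but fails any policy that wants a digit, an upper-case letter, or a symbol, and the seven-character acronym ‘tfjotth’ fails even an eight-character minimum, so a single rule cannot cover every site without extra per-site variation.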

How do you deal with the many passwords in your life?

There were some great articles on CIO.com this week relating to Data Security. Here they are plus a selection of the best IT Data Security articles in the last week:

  • Heartland CEO: QSAs Let Us Down
    In the review of what led to the Heartland credit card breach, Heartland’s CEO Robert Carr points to the PCI compliance auditors that passed the company before the breach – “PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”
  • Opinion: Heartland CEO Must Accept Responsibility
    A counter point to the previous article. Mike Rothman asserts that by attempting to blame the QSAs for the data breach they are learning nothing, and not addressing the root issue – “To be clear, you cannot outsource thinking. You cannot outsource security.”
  • 8 Dirty Secrets of the IT Security Industry
    Are IT Security vendors really interested in improving your network’s security? Joshua Corman from IBM’s Internet Security Systems division details 8 trends in the IT Security market that help undermine a network’s security.
  • Social Engineers’ 9 Favorite Pick-Up Lines
    Social Engineers leverage the trust people have in the familiar to gain access to facilities and networks. These 9 examples illustrate how easy it is for that trust to be abused. How many would you (or your employees) fall for?
  • Hackers have Social Networking sites in their crosshairs
    In a recent study by Breach Security, hackers are attacking Social Networking sites with increased frequency, accounting for 19% of online attacks in 2009.
  • Twitter used to control botnet
    It was a matter of time, but Jose Nazario of Arbor Networks discovered a botnet that used Twitter for its command and control infrastructure. While the account in question is obviously not a person, how long before a botnet writer creates an account that looks legitimate at first glance?

In an effort to help parents with the costs of sending their students back to school, Missouri has established this weekend as a Sales Tax Holiday. From 12:01 a.m. on Friday August 7th to midnight on Sunday the 9th, certain back to school items are deemed tax exempt.

Included in these tax exempt back to school items are personal computers and computer peripherals. To enhance this tax holiday, EPC is opening our warehouse to the public for a huge sale. All items will be at least 15% off of our already low prices in addition to the discount from the exempted tax.

On Saturday, August 8th, from 8am to 2pm only, customers can browse through the thousands of laptops, desktops, servers, printers and every other kind of computer-related hardware and peripherals that can be found in our warehouse – a space that is about the size of two football fields.

For more information about the Missouri Sales Tax Holiday stipulations, you can check out the Department of Revenue’s website.

The school district of Philadelphia is launching a probe into how one of their monitors was found in a landfill in Ghana. After the monitor was spotted in a PBS Frontline documentary and repeated inquiries were made by Technically Philly, the school district announced it would launch an investigation.

“The School District of Philadelphia does not encourage or condone the illegal dumping of any school district property anywhere in the world,” read the statement issued by the district. “As a result… [we are] currently investigating the source and disposal record of the equipment found in Ghana.”

The computer was one of many visible in the Frontline report and illustrates the ongoing problem of e-waste dumping into developing countries. Millions of tons of e-waste are dumped into the West African country, China, and others.

The school district has maintained a “green” policy regarding the disposal of electronic equipment since 2006, and is unsure if this is an isolated incident or just one example from the hundreds of pounds disposed by the district each year. The district had partnered with a recycling company that provided pickup and recycling services at no charge to the district.

This report illustrates the trouble many companies have in identifying responsible computer recyclers for their end-of-life hardware. You owe it to yourself to personally view a company’s recycling processes, and ask about their export policies. While you’re at it, ask if they are a Basel Action Network e-steward. The BAN e-steward pledge is for a zero-landfill, zero-export approach to recycling.

Technically Philly: School District of Philadelphia launches probe into its computer recycling program

This has been a week of crazy hacking announcements. CIO.com reports that Andrea Barisani and Daniele Bianco, a pair of researchers for network security consultancy Inverse Path, will demonstrate two new attacks that can be used to record keystrokes entered on a computer at the upcoming Black Hat USA 2009 conference.

The first requires access to a power outlet on the same circuit as the target computer. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical circuit. The bit streams the keyboard generates to indicate which keys have been struck create voltage fluctuations in the ground, they say. The attacker then filters out other ground signals and is left with the keystrokes entered.

The second attack points cheap lasers at shiny portions of a laptop, like its lid or even the surface of the table near the device and measures the vibration caused by hitting the various keys. The researchers claim that each key has a distinct vibration pattern and by knowing the language used by the typist, the keys entered can be determined. They found the attack works best when pointing at the lid of the laptop, either at a shiny logo or at a spot near the hinges.

The tools needed for the electrical outlet attack cost around $500 US; those for the laser attack cost around $100 US and took about a week to test. While the researchers admit that their tools are currently rudimentary, they feel that the minimal time commitment and the low cost of the tools illustrate the potential for expansion by a dedicated team or government entity.

CIO.com – How to Use Electrical Outlets and Cheap Lasers to Steal Data

It sounds like something out of a bad spy movie, but researchers at Saarland University have published a paper on a new hack targeted at those old trusty dot-matrix printers. These researchers discovered that by recording the sounds the printers made and running them through a speech-recognition algorithm, they were able to extract the words printed on the page. They were even successful in running their tests inside an actual doctor’s office – with permission of course, so this is not something that only works in the lab.

So what? No one still uses these dinosaurs, right? Not so fast: in a survey conducted by the same university, 30% of banks and 58.4% of doctors’ clinics still use them. In many cases, these devices were used to print out semi-sensitive information like receipts and prescription information.

And why do businesses still use dot-matrix printers? Well, for fairly standard reasons – they cost less than more modern printers, are very durable, and work with older hardware and computer systems. One company I talked to about this study said that it was cheaper to keep these old printers working than to upgrade the systems and software that utilized them.

After reading the paper, it seems the attack would have to be tailored to a particular model of printer, but even with that limitation, some interesting possibilities are available. Will the next Mission Impossible movie include a scene with Tom Cruise planting a recording device in a bank to get account numbers of his target? And what will we find out next, that the contents of a CRT or LCD can be replayed by measuring the radiation output? Oh wait….

Original study: How Printers Can Breach Our Privacy: Acoustic Side-Channel Attacks On Printers

Is a smartphone really that smart if providers put limits on how its data connection is used? Cellphone tethering, or using your cell phone to access internet services on your computer, is in the news because of recent actions by Apple, Palm, and Google.

Apple is releasing their new OS for their phones, dubbed iPhone 3.0, that includes tethering – unless you live in the US, because AT&T tethering support isn’t available yet. Earlier this spring, Google pulled all tethering apps from the Android app store at T-Mobile’s request. Palm has sent a polite cease and desist to the “Pre Dev Wiki” website asking for tethering instructions to be removed because they might upset Sprint, Palm’s exclusive service partner in the US. Given that tethering has been available on phones for several years now, why are cell providers suddenly so concerned? Are they worried that customers would cancel their land based internet connections in favor of cellular based ones? Or that tethering would cut into the USB data card market?

Be sure to take a moment to mark your calendar for a great “Before Hours” networking event on June 23rd, 2009 that we’ll be hosting from 7:30am to 9am. Read on below for more details and don’t forget to use the link below to RSVP with Frank Polston, our Vice President of Retail Services. We look forward to seeing you there!

Come shake some hands where smart business people come for their computer supplies and data security needs.

Enjoy Yellow-Tie networking with breakfast and coffee, and a back-store tour.

What could be better?

Hosted by: EPC, Inc. — http://www.epcusa.com

Host contact: Frank Polston — 636-443-1999 x1013, frank@epcusa.com

Date: Tuesday, June 23, 2009
Time: 7:30 to 9 a.m.
Location: EPC, Inc.
Address: 3941 Harry S. Truman Blvd., St. Charles, MO 63301

Cost: Free

Register now at: http://www.yellow-tie.org/events/stcharlesco/june2009handshakes

At a recent St. Charles Chamber of Commerce luncheon, EPC was awarded the 2009 Employer of the Year in the newly created Energy Efficient category. This award was mainly focused on our environmental commitment and our efforts to reduce energy consumption.
Presenting the award was St. Charles Mayor Patty York, who said in announcing the award, “EPC’s commitment to a clean environment by recycling paper, plastic and computer equipment, refurbishing components and avoiding landfills is excellent.” York added that EPC’s “involvement of your employees in state and national recycling organizations is commendable.”
In addition to the award, EPC was presented with 6 framed proclamations from the St. Charles City and County, the Missouri House and Senate, as well as the US House of Representatives.
President Dan Fuller accepted the award and commented on EPC’s 200+ employees, “While I had the pleasure of receiving the accolades for the award, this is much more about all of you and your commitment to EPC. Without a dedicated, hard working commitment by you none of these awards would be possible.”

I can remember the first time I saw a “large screen TV.”

It was a 36”, gigantic Magnavox CRT (Cathode Ray Tube) television that was in the Electronics department at my local Walmart and had our family name written all over it. As our first wedding anniversary eased into our crosshairs, along with my wife’s Walmart-based discount, we eventually pulled the trigger on our new, electronically-inclined family member and brought it home – heaved it home was probably more apt. Going from a 20 inch television to an epic 36” motherlode of black plastic and huge CRT tube was literally vision-changing in our house. Everything was more crisp. Colors POPPED out from our newly-cornered visual companion. Closed captions were like miniature billboards and life was good as we welcomed our tandem anniversary present and newfound family member home.

That was 1996.
