Tips for Your Account’s Safety – Part II
Heya, it’s me again! Instead of Tuesday, I’m posting today. Here are more tips for you, as I promised, motivated by the new book, “Hacker’s Biggest Secret: Zero-Knowledge Password” by Th0R and Zoiz, and inspired by. I’m changing the title to this, because we aren’t focusing on password choosing anymore. Let’s do this workout; this time I’m going to be more specific. Let’s start!
1. Delete your passwords notification e-mails from your inbox.
You know what, when you register an account, the site sends you an e-mail with the password or an activation link. OK, so you have followed my (and Zoiz and Th0R’s) advice and set a different password for each of your accounts. But if one of your e-mail accounts gets hacked, whether by social engineering or by brute force, don’t let the cracker learn your other passwords from it. Anticipate this by deleting those e-mails. Memorize the passwords, then delete the files once you have nailed them into your head. This is also what is dangerous about using password-remembering programs. Don’t use paper either; it’s worse. Even if you have shredded it, putting it back together is as easy as pie, like a little kid’s puzzle, even easier. And this is what Kevin Mitnick is good at.
Here are my tips for another case: if you really, still, can’t remember all your passwords. First, if your main password is x9x3f16 you may want to use it as a suffix, so you get x9x3f16tyaho0, x9x3f16t6m41l, and that sort of thing, just to minimize what you have to remember. It means this x9x3f16 password is for my Yahoo account (yaho0), and so on. Second, you may do this: prepare lots of password reminders. Say you have 10 pw reminders; pw reminder no. 1 contains the password to open pw reminder no. 2, pw reminder no. 2 has the password for pw reminder no. 3, and so on, until pw reminder no. 9 has the password for pw reminder no. 1. And, I don’t know how, but if you combine and arrange all the passwords of your pw reminders, the result is the password for pw reminder no. 10, which contains all your passwords. You can also use more pw reminders. Still, this will only keep the cracker busy. I still do not recommend this.
2. Beware of your password: never use a password whose phrase could be recorded by a crawler.
This also covers your personal information posted on the Internet. Don’t use a password a crawler could find. Don’t use a password whose phrase is known by others, like your ex-girlfriend’s name followed by 666, for example Annameé666.
3. Watch your hands.
If there is a saying “Watch your mouth”, then in IT those words are only useful if you use your computer’s speech recognition. Don’t be a fool; keep your mind on what you type. Don’t let your password be exposed because of your own carelessness; you will pay dearly for it, I assure you. Your mouth is your tiger, your hands are your claws. So, just use SMS (just joking, this isn’t an intermezzo nor an ad by Telkomsel). As for your password, once again: watch your hands.
4. Change your password(s) periodically.
It may minimize the damage if you fall for a phishing attack. That’s if you know it happened. But what if you don’t? And there are other reasons, maybe hundreds. I truly recommend this. Microsoft sets a good example. In Windows, there is a feature to set the password to expire in 30 days and to warn you 14 days beforehand that you must change it (or something like that). In the Windows Live service, it’s 72 days. This is like the A-check and C-check for airplanes. But you don’t have to wait a month to change your password(s). Every 2 weeks is recommended. Go extreme and change it every 3 days.
5. Password length is important, make it long enough.
After I heard there is a rainbow table that can crack the MD5 of a 14-character phrase, where previously I recommended at least 8, I now increase it to a minimum of 12, and the safe range is 15-17 characters. 18 isn’t safe for your head if you’re remembering so many passwords. Go on, protest to Friendster and boleh-hacking for limiting the password length.
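Tips 2 and 5 together amount to a password policy: long enough, and not built on a phrase (name, service name, nickname) that someone else can find, even when it is dressed up with a digit suffix like 666 or leet spelling like yaho0. The checker below is an added example written for this post, not code from the author or from Th0R and Zoiz’s book; the known-phrase list and the sample passwords are constructed. It also shows the practitioner’s side of the rainbow-table remark: a precomputed table only works against an unsalted hash such as plain MD5, so a site that hashes with a per-user salt (PBKDF2-HMAC-SHA256 here) makes the table worthless regardless of how many characters it covers.

```python
import hashlib
import math
import os
import re
import unicodedata
from typing import List, Optional, Tuple

# Constructed sample of phrases a crawler could tie to this user: names, service
# names, nicknames. A real list would come from the user's own public profile.
KNOWN_PHRASES = ["anna", "annamee", "yahoo", "gmail", "telkomsel"]

MIN_LEN = 12        # the post's new minimum
SAFE_LEN = 15       # start of the post's "safe" range (15-17)
MAX_MEMORABLE = 17  # beyond this the post says it is "not safe for your head"

# Common leet substitutions, undone before matching so "yaho0" still matches "yahoo".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Fold a password down to the bare phrase it is built on: drop accents,
    lower-case, undo leet, and strip a '666'-style digit/symbol suffix or prefix."""
    folded = "".join(c for c in unicodedata.normalize("NFKD", pw) if not unicodedata.combining(c))
    core = folded.lower().translate(LEET)
    core = re.sub(r"[^a-z]+$", "", core)
    return re.sub(r"^[^a-z]+", "", core)


def check_password(pw: str) -> List[str]:
    """Return the list of policy findings for pw; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LEN:
        findings.append(f"too short ({len(pw)} chars, minimum {MIN_LEN})")
    core = normalize(pw)
    for phrase in KNOWN_PHRASES:
        p = normalize(phrase)
        if p and p in core:
            findings.append(f"built on a phrase others can find: {phrase!r}")
            break
    return findings


def length_label(pw: str) -> str:
    """Classify a length against the post's 12 / 15-17 / 18+ thresholds."""
    n = len(pw)
    if n < MIN_LEN:
        return "below minimum"
    if n < SAFE_LEN:
        return "minimum"
    if n <= MAX_MEMORABLE:
        return "safe"
    return "safe but hard to remember"


def keyspace_bits(length: int, alphabet_size: int = 62) -> float:
    """Bits of search space for a random password of this length (62 = upper +
    lower + digits). A rainbow table has to cover this to be complete."""
    return length * math.log2(alphabet_size)


def hash_password(pw: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The random per-user salt is
    what defeats a precomputed table: the same password hashes differently per user."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, rounds)


if __name__ == "__main__":
    for candidate in ["Annameé666", "x9x3f16tyaho0", "correct horse staple 42!"]:
        print(f"{candidate!r}: {length_label(candidate)}; {check_password(candidate) or 'no findings'}")
    for n in (8, 12, 14, 15, 17):
        print(f"{n} chars over 62 symbols: {keyspace_bits(n):.1f} bits")
    salt_a, h_a = hash_password("x9x3f16tyaho0")
    salt_b, h_b = hash_password("x9x3f16tyaho0")
    print("same password, different salts, equal digests?", h_a == h_b)
```

Note that the checker also flags x9x3f16tyaho0 from tip 1, since after undoing the leet spelling it contains “yahoo”; that matches the post’s own verdict that the shared-suffix scheme is only there to keep a cracker busy.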
6. Use Process Explorer (procexp) and Process Monitor (procmon) made by Sysinternals.
These are better than Microsoft’s Windows Task Manager. procexp has a tree view of the processes and is more detailed than taskmgr, and it shows you an icon for each application, which makes it easier to identify suspicious processes: malware, that is, viruses, trojan horses, adware, worms, and keyloggers.
7. Watch out for binded keyloggers.
Don’t accept programs from untrusted sources. A keylogger may be attached to them. Much warez has had malware stuck to it. Say, a Flash 9.02 setup from phazeddl, but bound with a keylogger, as demonstrated in S’to’s book with the Fearless Keylogger.
8. Eyes on the address bar and the source code page.
It may help you avoid phishing, as I posted on my blog, and as Th0R and Idoenk wrote in the book Friendster Hacking, or on HackingForte.
9. Use NoScript plugin for Firefox or just disable JavaScript.
Just to avoid malicious scripts. For example, back then D-Cracker on IF, a.k.a. Putra Langit on SATE, once wrote a Friendster phishing page tutorial. At the end, he provided a fake 404 error page containing a VBScript that installs his virus on your computer. And what if it isn’t a virus but a keylogger, just like Th0R did in his new book? So just beware, OK?
10. Beware of CSRF.
CSRF, or sometimes XSRF (by analogy with XSS), is an old technique but still dangerous enough. No, really dangerous. A CSRF demo on HackingForte can log you out of gmail.com. And another demo here: http://th0r.info/?p=15. I don’t have much idea how to avoid this kind of attack, but yes, again, the NoScript plugin is, I think, the best way to mute the scripts on several sites. Well, one sort of CSRF attack done by an attacker can change someone’s password; last night Th0R demonstrated the result to me. Haha, can’t wait for his 4th book. About Web 2.0 Security? http://en.wikipedia.org/wiki/CSRF has good references at the bottom.
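The password-change CSRF the post describes works because the browser attaches the victim’s session cookie to any request, whichever page sent it, while the attacking page cannot read anything from the victim’s session. The defence therefore belongs on the server, not in a browser plugin: the site embeds a secret token in its own form and refuses a state-changing request that does not carry it back. The example below is added here and is not code from the post, from HackingForte or from Th0R’s demo; the `Session` class, the site name example.invalid and the `forged_form()` helper are constructed for the demonstration. It puts the unprotected handler beside the protected one so the difference is visible.

```python
import hmac
import secrets
from typing import Dict, Optional

SITE = "https://example.invalid"  # constructed: our own origin


class Session:
    """Server-side session, looked up from the browser's cookie (constructed for
    the demo). The CSRF token lives here and is only ever written into pages this
    site serves, so a page on another origin never learns it."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password
        self.csrf_token = secrets.token_urlsafe(32)


def render_change_password_form(session: Session) -> str:
    """The form our own site serves; the token rides along as a hidden field."""
    return (
        '<form method="POST" action="/change_password">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="password" name="new_password"><button>Change</button></form>'
    )


def change_password_unprotected(session: Session, form: Dict[str, str]) -> int:
    """Vulnerable handler: it trusts the cookie alone, so any page the victim
    visits can submit this form on the victim's behalf."""
    session.password = form["new_password"]
    return 200


def change_password_protected(session: Session, form: Dict[str, str],
                              origin: Optional[str] = None) -> int:
    """Hardened handler: the request must carry the token only our own page could
    have embedded (compared in constant time), and if the browser sent an Origin
    header it must be ours. The token is rotated after every successful change."""
    if origin is not None and origin != SITE:
        return 403
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return 403
    session.password = form["new_password"]
    session.csrf_token = secrets.token_urlsafe(32)
    return 200


def forged_form() -> Dict[str, str]:
    """What a page on another site can make the victim's browser submit: the
    cookie is attached automatically, but the token is missing because the
    attacking page cannot read it."""
    return {"new_password": "attacker-chosen"}


if __name__ == "__main__":
    victim = Session("cl551c4g3163n", "old-secret")
    status = change_password_unprotected(victim, forged_form())
    print("unprotected, cross-site:", status, victim.password)

    victim = Session("cl551c4g3163n", "old-secret")
    status = change_password_protected(victim, forged_form(), origin="https://evil.invalid")
    print("protected, cross-site:", status, victim.password)

    page = render_change_password_form(victim)   # the legitimate page carries the token
    token = victim.csrf_token
    status = change_password_protected(victim, {"new_password": "new-secret", "csrf_token": token}, origin=SITE)
    print("protected, own form:", status, victim.password)
```

The Origin check is a second, independent layer: browsers send Origin on cross-site POSTs, so a request from another site fails before the token is even looked at, while older browsers that omit the header still have to present the token.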
That’s all for today: 10 tips for you. I’m going to look for more for next week. I hope your account will be safer.
Greetz and waves fly to:
- Th0R and Zoiz for the book
- SATE and HackingForte members
- Larvas in IndoForum.org
- Gastrote members
Cheers,
Cl551C4G3163n
Link to attach: http://gastrote.110mb.com/~cl4551c4g3163n/wordpress/?p=24
^ He really is active, isn’t he?