
Friday, March 28, 2014

Over 50% of Android Users Don't Use Passwords, Pins or Meaningful Swipes

An ad hoc survey conducted by Google's anti-abuse research lead Elie Bursztein has shown that over half of Android users don't lock their phones in any meaningful way. 

After polling 1,500 users, he discovered that 52 percent of those users "open" their device with a simple slide or gesture, 25.5 percent have opted to lock their phones by drawing a pattern on a grid, and 15.1 percent are using a PIN.


Only 3.3 percent have opted for using a password, 2.3 percent for the option where the phone can recognize their face, and 1.8 percent are using other, third-party forms of authentication...

...no security is perfect. Both lock patterns and PIN codes can be vulnerable to smudge attacks, as a 2010 USENIX paper illustrates. So whether you use a PIN or a pattern you should change it from time to time. You might also want to go to your phone's options screen and disable the display of the pattern so people can't "shoulder-surf" it. (more)

Thursday, January 16, 2014

Kevin's Security Tip of the Day

With all the data breaches in the news recently, you may wonder if your information was plundered. Find out at Have I Been Pwned? Mine has. :(

If so, it's time to scurry around and change your on-line passwords.

Need help?
Password generators.
Password managers.
Password strength testers.

Make sure your new passwords are not on this list...
The Top 500 Worst Passwords of All Time


How to Create Easy to Remember Secure Passwords...
You can create a memorable, secure password starting with a simple phrase. We call these "passphrases". For example, let's use a quote from Ogden Nash:

"Happiness is having a scratch for every itch."

If we use the first letter of each word, and substitute 4 for "for", we get:

Hihas4ei

This is a reasonably strong password but we can improve it a bit by adding some special characters:

#Hihas4ei:


Associating Web Sites...
We can use our new password on several different websites by adding a suffix with a mnemonic link to a particular site. Let's use the first letter and the next two consonants in the site name.

Just to add a bit more randomness we'll alternate upper-case and lower-case, and if the first character in the site name is a vowel we'll start with upper-case. To mix things up a bit more we'll use the same rule to decide whether to add the site mnemonic to the left side or the right side.
#Hihas4ei:AmZ    for Amazon
fBk#Hihas4ei:    for Facebook
#Hihas4ei:YtB    for YouTube

(more)
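The derivation rules above, written out as an added example (this is not code from the original post). The function names, the treatment of Y as a vowel, and the reading that vowel-initial site names take the mnemonic on the right while all others take it on the left are my assumptions, chosen so that the Amazon and YouTube examples come out exactly as the post shows them. The post's Facebook mnemonic fBk does not follow the stated rule literally (the next two consonants after F are c and b), so this code yields fCb for that site.

```python
import re

VOWELS = set("aeiouy")        # assumption: Y is treated as a vowel (needed for the YouTube example)
SUBSTITUTIONS = {"for": "4"}  # whole words replaced by a digit, as the post does with "for"


def passphrase_to_base(phrase):
    """First letter of each word, with the listed whole-word substitutions applied."""
    words = re.findall(r"[A-Za-z']+", phrase)
    if not words:
        raise ValueError("phrase contains no words")
    return "".join(SUBSTITUTIONS.get(w.lower(), w[0]) for w in words)


def decorate(base, prefix="#", suffix=":"):
    """Wrap the base in the special characters the post adds."""
    return f"{prefix}{base}{suffix}"


def site_mnemonic(site):
    """First letter of the site name plus its next two consonants, in alternating case.
    Vowel-initial names start upper-case; all others start lower-case."""
    letters = [c for c in site.lower() if c.isalpha()]
    if not letters:
        raise ValueError("site name contains no letters")
    first = letters[0]
    chars = [first] + [c for c in letters[1:] if c not in VOWELS][:2]
    upper_first = first in VOWELS
    # even positions follow the starting case, odd positions take the opposite case
    return "".join(c.upper() if (i % 2 == 0) == upper_first else c
                   for i, c in enumerate(chars))


def site_password(decorated_base, site):
    """Attach the mnemonic on the right for vowel-initial sites and on the left otherwise
    (my reading of the post's 'same rule' for placement; an assumption)."""
    mnemonic = site_mnemonic(site)
    if mnemonic[0].lower() in VOWELS:
        return decorated_base + mnemonic
    return mnemonic + decorated_base


if __name__ == "__main__":
    base = decorate(passphrase_to_base("Happiness is having a scratch for every itch."))
    print(base)
    for site in ("Amazon", "Facebook", "YouTube"):
        print(f"{site_password(base, site):20} for {site}")
```

Because every site password shares one base, the scheme only holds up as long as no single one of them is exposed; the password managers linked above avoid that shared dependency by giving each site an unrelated secret.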

Saturday, November 2, 2013

High School Football Spying?!?! - Four Destrehan Coaches Accused

LA - Five people, including four Destrehan High School assistant football coaches, were booked with unauthorized use of intellectual property Wednesday after they allegedly used a leaked computer password to get a sneak peek at the game plan of their upcoming opponent, South Lafourche. 

Others could still be charged, said Brennan Matherne, public information officer for the Lafourche Parish Sheriff’s Office...

The criminal charges are the latest fallout stemming from an incident in which the coaches allegedly used computers to spy on South Lafourche’s football practices last week.

The scandal already has resulted in a forfeit for Destrehan and sanctions for the coaches involved. (more)

Wednesday, October 23, 2013

Citing "Terrifying" Surveillance Tactics, Yet Another U.S. Privacy Service Shuts Down

Yet another American Internet privacy service has bitten the dust, prompted by fears about broad government surveillance demands.

San Francisco-based CryptoSeal, a provider of virtual private networks that can be used to browse the Internet anonymously, has closed its doors to users of its private VPN service. 

In a statement posted online, CryptoSeal announced that a key factor in the closure was the government’s recently revealed attempt to force email provider Lavabit to turn over its private encryption keys. Lavabit shut down in August as part of an effort to resist a surveillance demand believed to involve NSA whistle-blower Edward Snowden, who was a Lavabit customer. Lavabit was ordered to turn over its master encryption keys in a way that could have potentially compromised thousands of users’ private data. (more)

Tuesday, August 6, 2013

Windows Phones Susceptible to Password Theft When Connecting to Rogue Wi-Fi

Smartphones running Microsoft's Windows Phone operating system are vulnerable to attacks that can extract the user credentials needed to log in to sensitive corporate networks, the company warned Monday...

"An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim's encrypted domain credentials," the Microsoft advisory warned. "An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials." (more)

Turn on the certificate requirement before connecting to WPA2 networks. Now.

Monday, July 29, 2013

ISPs Grossed as Feds Net Passwords

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused. (more)

Thursday, June 13, 2013

Top 10 iPhone Passwords

Time to change your password.
1. “1234”
2. “0000”
3. “2580”
4. “1111”
5. “5555”
6. “5683”
7. “0852”
8. “2222”
9. “1212”
10. “1998”
(more)


Oh, Number 6, it spells LOVE.


Wednesday, February 20, 2013

Yet Another Teleconference Eavesdrop (with recommendations)

Alaska’s largest statewide commercial fishing trade association announced (it will) request Alaska authorities to investigate what they say was unauthorized eavesdropping of their United Fishermen of Alaska private teleconference by the Kenai River Sportfishing Association's office.

According to UFA Interim President Bruce Wallace, on January 17, 2013 the United Fishermen of Alaska, representing 34 member organizations, held a private teleconference. 

In addition to 25 UFA Board members, UFA alleges an individual or individuals at the offices of the Kenai River Sportfishing Association (KRSA) was also on the line during the private teleconference.

This allegation was later confirmed by the teleconference vendor, who provided a phone log, which included a phone number registered to the Kenai River Sportfishing Association (KRSA) office. KRSA is not affiliated with UFA in any way. (more) (REAL Spy Fishing)


A reminder to our clients, and a free sample for potential clients...

Murray's Teleconferencing Checklist

Passcodes...
     • Change all current passcodes, now.
     • Prohibit employees from mass e-mailing or posting passcodes.
 

Switch to a conference call system with accountability features...
     • each participant is given a unique passcode,
     • the passcode is changed for each new conference call,
     • only the pre-authorized number of callers may be admitted,
     • and a record of all call participants is available to the call leader.
 

Thursday, January 17, 2013

Man Sends His Computer Security Token to China...

...so he can outsource his job!

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.
 

Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities...

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and check for a new Detective Mittens video. (more)

Tuesday, January 8, 2013

Computer Anti-Virus King Becomes a Spy?!?! ...you decide.

Remember John McAfee? ...the man who, just weeks ago, went on the run from Belize after his neighbor was found murdered, claiming that the police wanted to kill him and frame him for the murder. 

He fled to Guatemala,...arrived in the US shortly after, and now he's pecking out his tell-all tale via his blog, where he describes himself as the head of his own private spy operation.

According to the post he... purchased 75 laptops, loaded them with “invisible keystroke logging software,” packaged them back up so none would be the wiser, and gave them away to those in positions of power: law enforcement, government employees, etc. The software then sent McAfee text files of what was typed, and he soon had access to a variety of social media and email accounts.

Soon after, he amassed 23 women and six men whom he calls his operatives; eight of the women, he said, were so accomplished at their missions that they ended up living with him...


Of course, it’s important to remember some things: McAfee is known to be involved in drugs, even having had his place in Belize raided at one point on suspicion of meth manufacturing. (more)

Friday, July 13, 2012

Security Alert for Yahoo Voice users.

Hackers posted what appear to be login credentials for more than 453,000 user accounts that they said they retrieved in plaintext from an unidentified service on Yahoo. 

To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts, more than 2,700 database table or column names, and 298 MySQL variables, all of which they claim to have obtained in the exploit. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," a brief note at the end of the dump stated. (more)

Check here to see if you are on the list. Use your browser's search tool. If so, it's time to change your password... at every place you use it. ~ Kevin

Friday, May 18, 2012

Password Evaluation Program Will Surprise You

Think your password is effective? You might just want to test it and think again.

Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. 

When setting a password, Passfault examines the password, looking for common patterns. Passfault then measures the strength of the patterns and combinations of patterns. The end result is a more academic and accurate measurement of password strength. (more) (test your password)

You might think a password like 123!@#qweQWE would provide excellent protection. Wrongo. It can be cracked in a day according to Passfault. Why? Because it contains a readily identifiable pattern of keystrokes. Now try something easy to remember like ToBeOrNotToBe. Surprised? Thought so. ~Kevin
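A toy pattern-aware estimator, added here as an example of the kind of analysis the post describes. It is not Passfault's code and its numbers are not Passfault's: it segments a password into keyboard runs, dictionary words, repeats of the previous segment and leftover characters, charges each segment roughly what a pattern-aware cracker would pay for it, and converts the total into a crack-time estimate. The word list, the blocklist entries (a few taken from the common-password list further down this page) and the rate of 10^10 guesses per second are constructed assumptions; a real tool loads full lists.

```python
import math
import re

# Constructed sample data (assumptions): a few entries from this page's common-password
# list and a tiny word list. A real estimator loads full lists.
COMMON_PASSWORDS = {"123456", "password", "12345678", "1234", "qwerty",
                    "letmein", "trustno1", "abc123"}
DICTIONARY = {"to", "be", "or", "not", "love", "happiness", "secret", "hello", "please"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "!@#$%^&*()"]
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate used for the time estimate


def keyboard_run(s, i):
    """Length of the longest run along one keyboard row starting at s[i]
    (either direction, case-insensitive); 0 if shorter than 3 keys."""
    best, c = 0, s[i].lower()
    for row in KEYBOARD_ROWS:
        if c not in row:
            continue
        pos = row.index(c)
        for step in (1, -1):
            n = 1
            while (i + n < len(s) and 0 <= pos + step * n < len(row)
                   and s[i + n].lower() == row[pos + step * n]):
                n += 1
            best = max(best, n)
    return best if best >= 3 else 0


def dictionary_word(s, i):
    """Length of the longest DICTIONARY word starting at s[i]; 0 if none."""
    for n in range(len(s) - i, 1, -1):
        if s[i:i + n].lower() in DICTIONARY:
            return n
    return 0


def repeat_of_previous(s, i, tokens):
    """Length if s[i:] starts with a case-insensitive copy of the previous token
    (this is what catches qwe followed by QWE); 0 otherwise."""
    if not tokens:
        return 0
    prev = tokens[-1][1]
    return len(prev) if s[i:i + len(prev)].lower() == prev.lower() else 0


def charset_bits(s):
    """Bits per character for a blind brute-force search over the classes present."""
    size = 0
    if re.search(r"[a-z]", s): size += 26
    if re.search(r"[A-Z]", s): size += 26
    if re.search(r"[0-9]", s): size += 10
    if re.search(r"[^A-Za-z0-9]", s): size += 33
    return math.log2(size) if size else 0.0


def tokenize(pw):
    """Greedy left-to-right segmentation into (kind, text) tokens."""
    tokens, i = [], 0
    while i < len(pw):
        for kind, n in (("repeat", repeat_of_previous(pw, i, tokens)),
                        ("keyboard", keyboard_run(pw, i)),
                        ("word", dictionary_word(pw, i))):
            if n:
                break
        else:
            kind, n = "char", 1
        tokens.append((kind, pw[i:i + n]))
        i += n
    return tokens


def estimate_bits(pw):
    """Guess-work in bits, charging each token what a pattern-aware cracker pays for it."""
    if pw.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))  # found by a list lookup, not a search
    keys = sum(len(r) for r in KEYBOARD_ROWS)
    per_char = charset_bits(pw)
    bits = 0.0
    for kind, text in tokenize(pw):
        if kind == "keyboard":   # choose a start key, a direction and a run length
            bits += math.log2(keys * 2) + math.log2(len(text))
        elif kind == "word":     # choose a word and a capitalisation
            bits += math.log2(len(DICTIONARY)) + 1
        elif kind == "repeat":   # same as before, possibly with the case flipped
            bits += 1
        else:                    # nothing better than brute force for this character
            bits += per_char
    return bits


def crack_seconds(pw):
    """Expected time to hit the password at the assumed rate (half the search space)."""
    return 2 ** estimate_bits(pw) / 2 / GUESSES_PER_SECOND


if __name__ == "__main__":
    for pw in ("123!@#qweQWE", "ToBeOrNotToBe", "password", "k7$Qz2!mWp"):
        kinds = " ".join(f"{k}:{t}" for k, t in tokenize(pw))
        print(f"{pw:15} {estimate_bits(pw):5.1f} bits  ~{crack_seconds(pw):.3g} s   [{kinds}]")
```

Run as a script it shows why the two passwords Kevin mentions land in the same low bracket: 123!@#qweQWE collapses into three keyboard runs plus a repeat, and ToBeOrNotToBe into six dictionary words, while a random ten-character string of mixed classes is charged full brute-force cost for every character.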

Friday, March 16, 2012

Two Simple Tips to Prevent Snooping on Your Lost Cell Phone

Anyone who loses their mobile phone should expect the data to be accessed by the person who finds it, and business data is no exception, according to a study released this week by security firm Symantec.

In its Smartphone Honey Stick Project, Symantec "lost" 10 phones in each of five cities, leaving them on top of newspaper boxes, in food courts, and even the ladies' restroom of a Chinese restaurant. In all but one instance, people who found the phones accessed the devices, with 83 percent of people accessing one or more of the four business applications, including two human resources files, corporate email, and a remote administration tool. More than 4 out of 10 people even accessed the banking application on the device.

...two simple security measures can protect the data on devices... 
• While complex passcodes are best, using even a simple four-digit code would protect the devices from casual access.
• Installing a remote management tool to remotely track the device can help to quickly recover a lost phone. Most device management tools also allow users to remotely delete the data on the device, a hedge against a more tech-savvy data thief. (more)

Saturday, February 11, 2012

14 Counterespionage Tips for Your Next China Trip

via The New York Times...
When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film.

He leaves his cellphone(1) and laptop(2) at home and instead brings “loaner” devices(3), which he erases(4) before he leaves the United States and wipes clean the minute he returns(5). In China, he disables Bluetooth(6) and Wi-Fi(7), never lets his phone out of his sight(8) and, in meetings, not only turns off his phone(9) but also removes the battery(10), for fear his microphone could be turned on remotely. 

He connects to the Internet only through an encrypted(11), password-protected(12) channel, and copies and pastes his password from a USB thumb drive(13). He never types in a password directly(14), because, he said, “the Chinese are very good at installing key-logging software on your laptop.” 

What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia... (more)

Monday, November 28, 2011

7 Things You Should Know About Online Passwords

1. You need different passwords for each site.
2. Longer passwords are harder to hack.
3. You shouldn’t use a word from the dictionary.
4. Humans tend to choose passwords with personal meanings.
5. Passwords need to be changed regularly.
6. There are guidelines for creating strong ones.
7. Password managers can help you keep track of them all.

Monday, September 5, 2011

Are Your Passwords Sardonic Humor Fodder? II

After reading the original post about easy to guess passwords, another BB Irregular checked in with this excellent password tip.  

Brilliant, David. 
Thank you!
Via Randall Munroe at xkcd.com.

Thursday, August 25, 2011

Are Your Passwords Sardonic Humor Fodder?

Look for yours in The Top 100 Most Common Passwords list...
123456
password
12345678
1234
puxxy
12345
dragon
qwerty
696969
mustang
letmein
baseball
master
michael
football
shadow
monkey
abc123
pass
fxxkme
6969
jordan
harley
ranger
iwantu
jennifer
hunter
fxxk
2000
test
batman
trustno1
thomas
tigger
robert
access
love
buster
1234567
soccer
hockey
killer
george
sexy
andrew
charlie
superman
axxhole
fxxkyou
dallas
jessica
panties
pepper
1111
austin
william
daniel
golfer
summer
heather
hammer
yankees
joshua
maggie
biteme
enter
ashley
thunder
cowboy
silver
richard
fxxker
orange
merlin
michelle
corvette
bigdog
cheese
matthew
121212
patrick
martin
freedom
ginger
blxxjob
nicole
sparky
yellow
camaro
secret
dick
falcon
taylor
111111
131313
123123
bitch
hello
scooter
please
*xx - edited for email spam filters

Sunday, July 24, 2011

Having Trouble Keeping Track of the Phone Hacking Scandal?

The Telegraph key pounds it out.


Below is a list of the alleged victims of phone hacking. This includes public figures, celebrities and others who have accused News International newspapers of hacking, those who are currently bringing legal action and those who brought successful cases in the courts.

Alleged victims
Milly Dowler
Parents of Holly Wells and Jessica Chapman
Families of servicemen and women killed in Iraq and Afghanistan
Relatives of victims and victims of 7/7 bombings
Clarence Mitchell, spokesman for Madeleine McCann’s family
Colin Stagg, accused of Rachel Nickell murder
Elle Macpherson, model
Wayne Rooney, footballer
Hugh Grant, actor
Prince of Wales and Duchess of Cornwall
Simon Hughes, Liberal Democrat deputy leader
Helen Asprey, former royal aide
Michael Mansfield, barrister who represented Mohamed Al Fayed at the Princess Diana inquest
Jamie Lowther-Pinkerton, private secretary to Princes William and Harry
Peter Mandelson, former Labour minister
David Davis, former shadow Home Secretary
Andrew Neil, BBC presenter
Boris Johnson, London Mayor
Sir Ian Blair, former Metropolitan Police commissioner
Paddy Harverson, Prince of Wales’ communication secretary
Vanessa Feltz, presenter
Lembit Opik, former Liberal Democrat MP
Cousin of Jean Charles de Menezes, Brazilian man shot dead by police
Paul O'Grady, presenter and comedian
John Yates, former Metropolitan Police assistant commissioner
David Cook, former Metropolitan Police detective chief superintendent

Seeking legal action
Steve Coogan, actor and comedian
Sky Andrew, former Olympian
Nicola Phillips, assistant to Max Clifford
Andy Gray, broadcaster
Paul Gascoigne, footballer
Sienna Miller, actress
John Prescott, former Labour Deputy Prime Minister
Brian Paddick, former Metropolitan Police assistant commissioner
Brendan Montague, freelance journalist
Chris Bryant, Labour MP
Jude Law, actor
Ryan Giggs, footballer
Chris Tarrant, presenter
Leslie Ash and Lee Chapman, actress and former footballer
Kelly Hoppen, stepmother of Sienna Miller
Kieren Fallon, jockey
George Galloway, former MP

Successful cases
Max Clifford, publicist
Gordon Taylor, chief executive of Professional Footballers’ Association
Jo Armstrong, legal advisor to Gordon Taylor
Tessa Jowell, former culture secretary (offered settlement)
David Mills, lawyer and ex-husband of Tessa Jowell (offered settlement)
Joan Hammell, former aide to John Prescott (offered settlement)

The Number 1 Spybusters Tip that would have saved most of these people from being hacked...
Make sure your voice mail and cell phone both have decent secret passwords. 

Don't want to see your name on a list like this someday?