Here’s Why Your Password is Hackable

Over the past two decades, password rules have become more complicated and burdensome upon users. Users have coped with arbitrary, byzantine password rules by creating the most easily remembered passwords that comply with the rules, changing them when required in minor, predictable ways, and reusing compliant passwords on multiple online accounts. The results include lots of frustration and LESS security. Here’s how to do it right…

Everything You Know About Passwords is Wrong

A typical site now requires you to create a password at least 8 characters long that includes at least three or four types of characters: upper-case, lower-case, numeral, and special characters such as !, @, #, etc. In most cases, the resulting password is exactly 8 characters long, begins with an upper-case character, and ends with an exclamation point or the numeral “1.” Often it’s a recognizable name associated with the user, such as a child’s or pet’s name. If a password needs to be changed, it’s often only the last character that’s changed, and in a predictable fashion, i.e., “1” becomes “2,” “!” becomes “@,” etc.

Hackers know these official rules, and the de facto rules that users have created to comply with the least effort. They have hundreds of billions of stolen passwords from which to figure out the rules, and they incorporate the rules in password-cracking software to make it more efficient. They also have massive computing power that can try billions of possible passwords per hour. The upshot is that most passwords actually in use can be cracked in a matter of hours.

One solution to human predictability is password-generating software that produces longer, more random passwords, and password-management software that remembers what site a password goes with. These functions may be combined in one software package, such as Roboform, Dashlane or LastPass.

But many sites deliberately thwart the use of password managers, either by forcing users to enter usernames and passwords on two separate screens or by adding code that blocks auto-filling of passwords. Apparently, the admins of such sites think a password encrypted and stored on a hard drive is as insecure as one written on a Post-It Note.

Another solution to remembering strong passwords is mnemonic – a sentence that’s easily remembered because it makes grammatical sense, and which contains the characters of a password that can be extracted by applying a simple rule. For instance, a password might be the first letters of the sentence, “My horse knows how to use 2 pink staple guns.” In fact, that whole sentence would make a virtually impenetrable password, if the official rules allowed spaces.

This geeky cartoon from XKCD.com illustrates the difference between passwords as they are and as they could be, if sysadmins allowed it. Following the official rules results in a password that’s easily cracked in 3 days, while the phrase, “correct horse battery staple” takes 550 years, far longer than any hacker cares to spend.

What About Those Password Strength Meters?

Research has found that users will create stronger passwords if they receive feedback about password strength as they create a password. But so-called “strength meters” often measure only compliance with rules instead of statistical strength, according to researchers at Carnegie Mellon University. The CMU geeks have created a strength meter that uses a powerful neural network to calculate the true strength of a hypothetical password on the spot, and even explains what’s wrong with your password creation strategy. The rules they recommend are:

  • At least 12 characters per password
  • Capitalized and special characters in the middle of the password, not at ends
  • No names associated with pets or sports teams
  • No song lyrics
  • Avoid the word “love” in any language
  • Avoid patterns such as “123,” including keyboard patterns (“qwertyasdfg”)
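As an added, illustrative example (it is not code from the original post, from XKCD or from the CMU researchers), the following Python script ties the two passages above together: it reproduces the arithmetic behind the cartoon’s “3 days” versus “550 years” figures from XKCD’s own stated assumptions (roughly 28 bits of entropy for a rule-compliant “word plus substitutions plus digit or symbol” password, 44 bits for four words drawn from a 2048-word list, and an attacker making 1,000 guesses per second; those numbers are the cartoon’s, not this page’s), applies the “first letter of each word” mnemonic rule to the sample sentence, and turns the six recommendations just listed into simple heuristic checks. The checker is a stand-in for illustration only; the CMU meter itself is a neural network, not a fixed rule list, and the `blocked_words` parameter and the short list of spellings of “love” are assumptions of this example.

```python
import math

# Added example, not from the original page. XKCD's assumptions (not this page's):
# ~28 bits for a rule-compliant password, 2048-word list for the passphrase,
# and 1000 guesses per second (a throttled, online attack).
XKCD_RULE_PASSWORD_BITS = 28
XKCD_WORDLIST_SIZE = 2048
XKCD_GUESSES_PER_SECOND = 1000

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def mnemonic_password(sentence: str) -> str:
    """Apply the rule from the text: keep the first character of every word."""
    return "".join(word[0] for word in sentence.split())


def passphrase_bits(num_words: int, wordlist_size: int = XKCD_WORDLIST_SIZE) -> float:
    """Entropy of num_words words chosen uniformly at random from wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def crack_time_seconds(entropy_bits: float,
                       guesses_per_second: float = XKCD_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust a keyspace of 2**entropy_bits guesses."""
    return (2 ** entropy_bits) / guesses_per_second


def crack_time_days(entropy_bits: float,
                    guesses_per_second: float = XKCD_GUESSES_PER_SECOND) -> float:
    return crack_time_seconds(entropy_bits, guesses_per_second) / SECONDS_PER_DAY


def crack_time_years(entropy_bits: float,
                     guesses_per_second: float = XKCD_GUESSES_PER_SECOND) -> float:
    return crack_time_seconds(entropy_bits, guesses_per_second) / SECONDS_PER_YEAR


# Heuristic versions of the six listed rules (an illustration, not the CMU meter).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
LOVE_WORDS = ("love", "amor", "amour", "liebe")  # assumed short list; extend as needed
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def has_keyboard_pattern(password: str, run: int = 3) -> bool:
    """True if `run` consecutive characters are adjacent on a keyboard row in either
    direction; the digit row also catches runs such as 123 or 321."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(p) - run + 1):
                if p[i:i + run] in seq:
                    return True
    return False


def rule_violations(password: str, blocked_words=()) -> list:
    """Return the listed rules that `password` breaks. `blocked_words` is the
    caller's own list of pet names, team names and lyric fragments (assumed input)."""
    issues = []
    lower = password.lower()
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if password[:1].isupper() or password[-1:].isupper():
        issues.append("capital letter at an end")
    if password[:1] in SPECIAL or password[-1:] in SPECIAL:
        issues.append("special character at an end")
    if any(w.lower() in lower for w in blocked_words):
        issues.append("contains a name, team or lyric")
    if any(w in lower for w in LOVE_WORDS):
        issues.append("contains 'love'")
    if has_keyboard_pattern(password):
        issues.append("keyboard or digit pattern")
    return issues


if __name__ == "__main__":
    print(mnemonic_password("My horse knows how to use 2 pink staple guns."))
    print(f"rule-compliant password: {crack_time_days(XKCD_RULE_PASSWORD_BITS):.1f} days")
    print(f"four random words: {crack_time_years(passphrase_bits(4)):.0f} years")
    for pw in ("Summer2017!", "iloveyou123", "correct horse battery staple"):
        print(pw, "->", rule_violations(pw, blocked_words=("Fluffy", "Patriots")))
```

The guess rate is a parameter on purpose: the text notes that cracking rigs try billions of guesses per hour against stolen password hashes, and at such offline rates both figures shrink in proportion (the 44-bit passphrase still holds up far better than the 28-bit one, since every added bit doubles the attacker’s work). The keyboard-pattern check is deliberately crude and will flag some ordinary English trigrams; a real meter would weigh such hits rather than treat them as hard failures.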

I advise using a password generator/manager wherever possible. They’re getting better at circumventing the security-limiting roadblocks that some website owners think are important. If you prefer not to use password software, a memorable phrase is the next best thing. In the past, I’ve used the first sentence from the first paragraph of a certain page in an old book. For example, on page 67 of “The Autobiography of Benjamin Franklin,” I found the phrase “There are Croakers in every country.” It’s memorable, and it makes for a strong password. Or as mentioned above, you can apply a formula of your choosing to such a phrase.

What’s your password strategy? Do you use a password manager, a sticky note, or keep it in your head?

Have A Great Week

Deuce Marjeta and the ZI Team

Exciting Newness in the Works for Second Life from Linden Lab

So today, upon doing my daily email check, I noticed a new one from Second Life; it looks like some exciting changes are in the works for this new along with added support from our friends at Linden Lab.


Dear Second Life Residents,

It’s been an exciting summer at Linden Lab. Second Life celebrated its 14th anniversary, and shortly thereafter we also opened Sansar’s creator beta to the world. In addition, we are thrilled to announce a set of investments into Second Life and its communities that will include enhancements to our engineering support, customer support, billing systems and upgrades, and customer acquisition outreach. In all, we’ve budgeted many millions (USD, not L$…) in the coming year to make SL even better, and we’ll keep everyone up to date on improvements as they roll out (or sooner).

This summer’s milestones have given us all another opportunity to reflect on just how strong the Second Life community is, what an incredible history SL has had so far, and what an amazing future lies ahead for the virtual world and its Residents.

For more than 14 years, you’ve created memorable experiences, diverse communities, close relationships, thriving economies, engaging art, exciting events, and amazing creations of all kinds. You’ve made the world, and we’re proud to provide the platform and tools that help you to do so. We at Linden continue to be impressed by what we witness from Residents every day, and we want you to know that we share that commitment to and love for Second Life.
Here are a few of the things you can look forward to soon:

• We are hard at work upgrading all of the SL infrastructure and moving it to the cloud, which will bring a wealth of opportunities to Residents near and far, and allow us, among many other things, to make SL more performant for Residents across the world from us. It may also allow us to introduce new products with more flexible pricing.
• We’re working on several features to increase the value of Premium subscriptions. Most recently we gave Premium members priority access to near-full events, and shortly, we’ll be ready to unveil another bit of exciting news for subscribers.
• We’re building out a series of great extensions to Windlight (code name: EEP!), which will give value, flexibility, and new marketability to land, and will make Windlight settings tradeable assets.
• We have an extension to the animation system in the works (code name: Animesh) that will allow non-avatar objects to use more powerful and efficient skeletal animations the way avatars can today, and even more changes planned for creators and merchants later in the year.
• We’ve also got new experiences and events coming. An exciting new grid-wide gaming experience is coming soon! The team can’t wait to share the details with you in just a few days. Also in the works for this fall is an updated Halloween Haunted Tour, with new spooktacular events to celebrate. Not to mention, we’re turning 15 next year – SL15B, baby! That’s an incredible milestone and we are looking forward to collaborating with you to produce an amazing celebration.

Long live Second Life and long live the creative process in the amazing worlds that you’ve trail-blazed! Thank you for filling SL with your creations and communities all of these past 14+ years, and here’s to many, many more together.

Best,
Ebbe Linden, CEO & the Second Life Team

Arcade ~ September 2017 Is Almost HERE!

Arcade is just around the corner – you know what that means… save those Lindens and get that tier paid up in advance for the carnage your SL wallet is about to endure!

Here is your preview of what is available this quarterly round at The Arcade!

ABOUT THE EVENT (credit: The Arcade Event site)

The Arcade was founded in September of 2012 by Second Life residents Octagons Yazimoto, Katharine McGinnis, Emery Milneaux and Umberto Giano. Currently, the quarterly gacha event features 100 of the grid’s best designers and builders, each of whom offers a collection of high-quality prizes sold at random from gacha machines within The Arcade’s build.

Set in a seaside build that evokes the whimsical feel of the penny arcades of early 1900s Coney Island and Brighton Pier, The Arcade strives to present a nostalgic atmosphere that welcomes an audience seeking great gacha prizes, and continues to be a favorite destination for photographers and enthusiasts of vintage architecture.

With events planned in June, September, December and March, The Arcade features an eclectic mix of designers with proven quality. Content creators are invited because of their demonstrated commitment to the quality of their merchandise and unique perspectives as artists. The result is a well-rounded collection of must-have attire, goods and novelties to delight and enthrall shoppers. Guests will discover there’s something special for everyone at The Arcade.

Linden Lab TOS Updates Effective July 21st – 2017


On Tuesday, July 11th, Linden Lab issued an updated Terms of Service, which is due to come into effect on July 31st, 2017. As is the Lab’s usual practice, anyone logging in to one of the Lab’s services for the first time after the new Terms have come into force will be required to accept them. As such, a read through is advisable beforehand.

The summary of the changes indicates them to be:

  • A restructuring of the Terms to include terms and conditions that apply to all Linden Lab products, with separate product-specific references (such as Linden Dollar and LindeX for SL) now contained within product-specific policies. The new Second Life Terms and Conditions contains all the Second Life-specific references that were previously in the Terms of Service.
  • References to the Lab’s wholly owned subsidiaries, Tilia Inc. and Tilia Branch UK Ltd., have been added. These companies will be handling payment services on the Lab’s behalf under certain circumstances. I first wrote (albeit somewhat speculatively) about Tilia Inc in November 2015.
  • Minor text revisions to clarify that Linden Lab has discretion to undertake certain account actions.
  • An updated arbitration provision in accordance with applicable law.

In addition to the updated ToS there is a new Intellectual Property Infringement Notification Policy and a new Content Guidelines document; both of which also take effect from July 31st.

The first of these bullet points sees the most extensive changes to the ToS, with the removal of sections formerly specific to SL, and the replacement of Second Life-specific references (e.g. “inworld”) with more generic terms. These are all clearly part-and-parcel of adapting the ToS to encompass Sansar, and some of the amendments make for interesting reading – such as the definition of terms.

While the blog post refers to “the Second Life Terms and Conditions”, there is no actual link to such a document at present. There is a link to the Community Standards – which are still specific to Second Life. However, it is unclear if this is what is meant by “the Second Life Terms and Conditions” – and if so, they have not as yet been updated to reflect elements of the ToS specific to SL – such as the operation of “bots” or to Skill Gaming / for profit games of chance, Linden Dollars, the LindeX, etc. Nor are the ancillary policies to Second Life listed (e.g. the Machinima policy, Mainland Policy, etc.).

Excluding the changes specific to Second Life (i.e. the removal of references and clauses), the most extensive changes to the ToS can be found in the following sections:

  • 1.1 – updates to defined terms
  • 2.2 – licences granted, specifically the section on “Linden Content”
  • 3 Eligibility To Use the Service
  • 4.3 – payment service providers (including Tilia Branch in the UK)
  • 7 – Infringement Notifications – now dealt with via the Intellectual Property Infringement Notification Policy
  • 9.6 – Unsolicited Ideas and Materials Prohibited; No Confidential or Special Relationship with Linden Lab
  • 10.2 – Exceptions to Requirement to Arbitrate (dispute resolution).


New Family Orientated HUB Shopping & Activities Community – Introducing Bitty Bazaar

Bitty Bazaar is located on one of ZoHa Islands’ regions, “Marbella Bay”, and is a new, up-and-coming, family-orientated community full of vendors, activities, places to explore and visit, as well as club events, story times and classes for all. There is a creators lab for builders and creators to utilize as well. We spoke to owner Delilah Greyson (amoralie.triellis) about the event and this is what she had to say:

“Bitty Bazaar is a 24/7 collection of over 200 shops that cater to the kid community. While we’re not an event, we do host frequent festivities in our Kids Hangout and all around our sim! We opened our doors just a few weeks ago – on July 1st, 2017. We’ve been so excited to hear so many positive things about our little world.

The kid community is full of so many talented, awesome people that we wanted to create a place that brought us all together. There aren’t many dance clubs or hangouts like the adult community has – so we thought it was time to fix that. Our sim consists of 6 separate islands surrounding Town Square, which hold over 200 shops – all kid related! Not just kid creators are welcome, adult stores that have furniture or hair that kids can use are welcome to be a part of our collective.

Not just kids are allowed either – it’s a place for babies, kids, teens, and families to spend time together and meet others while finding new creators to love!”

6 Themed Locations Include: 

Bittipop Candy Shop, Bitty Carnival, Bitty Bay, BittyBrook Forest, IttyBitty Unicorn City and Bitty Beyond.

Creators Lab for Builders and Designers:

A space for creating and idea sharing, teaching, sharing and just building with people with like interests. So many people build alone on their platforms; why not be around people who do the same as you?

A Unique Shopping Hud Experience:

When you arrive at Bitty Bazaar (after July 1st, 2017) you can pick up a FREE shopping HUD. Over 200 designers, events, communities, and creators are waiting for you to discover them!

You’ll no doubt find many stores that you’ll want to visit. But instead of gathering an inventory full of LMs, you’ll simply click on their save box to save their LM to your Shopping HUD!

After you’re done browsing at Bitty Bazaar, you can begin teleporting to all of the places you saved. You can even shop while you’re at home! The Bitty Bazaar HUD has a full directory of shops that you can save straight from your HUD.

DoublePulsar: The Undetectable Backdoor

Second Life, as we know it, seems hard to hack, but it is becoming more evident that it is as much an open source of hacks and malware as just surfing the Interwebs. Our advice is: NEVER EVER click on links sent to you In World! Sure, your friends could send you a seemingly harmless link they found and just have to have you see it, and BAM! You are now paying a ransom to get your computer back. So folks, just DON’T!

While everyone was preoccupied with the Wannacry ransomware epidemic that began in mid-May, a bigger threat was secretly spreading through tens of thousands of computers. It locks up files and demands a ransom, too, but that’s just a smoke screen designed to distract victims from what this sneaky malware is really up to. Here’s what you need to know about DoublePulsar…

What is DoublePulsar?

There are lots of movies that deal with the theme of “lab experiment gone wrong.” In Jurassic Park, for example, the dinosaurs created by well-meaning scientists escape from the lab and wreak havoc on the outside world. A similar thing has recently happened, but in the digital world this time.   

The U.S. government’s premier spy agency created a program called DoublePulsar that enables undetectable infiltration of a target computer. Then someone stole DoublePulsar and a bunch of other NSA spying tools. A hacker group known as the Shadow Brokers posted the NSA tools online, and they were immediately exploited.

Before encrypting an infected computer’s data, this malware scans documents, email, browser histories, and other targets looking for login credentials. With credentials, hackers can infiltrate an entire enterprise network and work all sorts of mischief. Data can be stolen; operations disrupted; and computers turned into slaves to hackers’ other projects.


For consumers on home networks, being enslaved as part of a botnet is the most serious danger. Some bots are being used to launch spam campaigns. Others are being exploited to “mine” cryptocurrency like Bitcoin, creating wealth for hackers from the computing resources of others.

The galling thing about this malware is that it uses a sophisticated hacking tool developed by the National Security Agency (NSA). DoublePulsar allows malware to enter target systems undetected by 99% of commercial security software. The malware can be injected into the kernel, the heart of an operating system, where the malware will have the highest system privileges.

Conscientious consumers can protect themselves. Microsoft has issued two sets of Windows patches designed to ward off the stolen NSA hacking tools. But the NSA has not been forthcoming about all of the Windows vulnerabilities it has discovered, prompting Microsoft president Brad Smith to blast the NSA and other government agencies that don’t share knowledge that could improve everyone’s security.

Undetectable malware is on the rise. In mid-June, 2017, a new technique called “fileless malware” was used to infect the point-of-sale systems of several hundred restaurants. This type of malware is never written to a disk; it is injected into RAM and does its dirty work there. Most anti-malware software scans for “signatures” in executable files, and overlooks fileless malware.

In the past, only governments had sophisticated hacking tools like these. But now, Shadow Brokers is offering subscription access to NSA tools, and a user interface called Metasploit that makes child’s play of plotting and executing a global ransomware or credential-stealing attack. Anyone with a few hundred bucks can wreak global havoc.

The biggest fear among security experts is that DoublePulsar and other NSA tools have been used to compromise the computers that run critical infrastructure such as power grids, hospitals, railroad systems, traffic lights, and so on. Lives could be at risk.

The best that consumers can do is keep their systems up to date with security patches. I mentioned earlier that Microsoft has issued Windows patches designed to ward off the stolen NSA hacking tools. Those patches were released back in March. So it was failure to apply security patches in a timely manner that allowed WannaCry and DoublePulsar to attack and spread widely.

If you’re not already configured for automatic Windows updates, you really should be. Here’s how to do it:

In Windows 7, click the Start button and enter “windows update” in the search box. Open Windows Update from the search results list. In the left sidebar, select “change settings.” Under “Important updates,” select “Install automatically” from the drop-down menu. Pick a convenient time for Windows to install updates and restart your PC, if necessary. The default is 3:00 a.m.

Windows 10 installs updates automatically by default. To fine-tune Win 10 updates, enter “windows update settings” in the search box on the taskbar, and click on that phrase in the search results. Next, click the Advanced link, and check the box next to “Use my sign-in…”. This allows Windows 10 to complete the installation of updates that require a restart. When this option is checked, Win 10 will log you out, restart and install updates, then log you back in.

If you use Microsoft products such as Office, check the box that enables updating of those as well as Windows. The rest of the options should be left as they are unless you have a compelling reason to change them.

I’d like to thank Bob Rankin for sharing his expertise in computer security and how to stay safe.

Have a Happy And Safe 4th of July

Deuce Marjeta