Saturday, April 26, 2014

Netiquette - Passwords, An Essential Part of Your Email Netiquette IQ


I have stated many times in this blog and in my book, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email", that a security policy with strong password protection is essential to good Netiquette. You can equate it to protecting someone or something in your care. The article below is a good refresher for anyone thinking through their password policy.
================================================


Practical IT: Passwords 101 for businesses
From Sophos

by Ross McKerchar on August 17, 2012
===============================================
The human element is often referred to as the weakest link in a secure system. Time and time again studies have demonstrated that we are not good at choosing passwords, nor can we keep them secret.
It’s tempting to give up on passwords entirely. Assuming your users' passwords are always compromised is certainly a sensible starting point. Ensuring that high-value, high-risk assets are protected by more than just a password is no longer just strongly recommended, it’s essential.
Despite this, regular initiatives to shore up password strength are unlikely to be wasted time. Maybe your finance app is well protected but you allow users remote access to a password-protected web-based email portal. If so, don’t underestimate the value of an email account to an attacker. Even a low privileged employee’s account is a great place to learn more about a company and launch a plausible social engineering attack.
Similarly, authenticated staff-only apps are rarely tested as well as the public ones. Once an attacker has a foot in the door, privilege escalation is often trivial. That low-value, password-protected web app could be used as the entry point for a larger, more serious compromise.
The starting point
It isn’t a password policy, nor is it user education. As one of the most visible, user-impacting aspects of information security, passwords are something everyone has an opinion on. The starting point is to don your hard hat, get your facts right and set aside a good chunk of time to handle the inevitable debate. Don’t expect people to thank you either – you’re not going to be very popular for a while.
Hopefully you’ve already got a base password policy for your organisation so it’s probably wise to review it. If you don't have a policy, prepare one.
This is where the contention starts. Understand that commonly-argued points regarding length, complexity, forced changes, etc. do generally have some merit. The tricky part is balancing them.
The balancing act
Sure, enforcing very long passwords will cause people to write them down but allowing 3 letter passwords will clearly make them easily guessable.
Likewise, users hate forced changes, but never expiring corporate passwords is a risky approach unless you are very confident they will never be compromised. Be it a phishing attack, a simple mistake (can you honestly say you’ve never typed your password into the wrong window?) or an attacker sniffing the network for weak hashes, there are lots of ways for passwords to end up in the wrong hands. For more in this area, Bruce Schneier’s advice is a good read.
Complexity controls (requiring numbers, punctuation, mIxEd cAsE, etc.) are another perennial discussion point. They have problems, as famously highlighted on xkcd. Humans are also great at gaming them. I guarantee that given any realistic complexity policy you’ll easily be able to create a weak password which passes. But without complexity controls, how do you protect against a trivial dictionary attack? You’ll need to weigh up the risk versus reward for your organisation.
Testing passwords
Although controversial, a solid way of cutting through the debate and assessing which passwords are weak in the real-world is to test them with a controlled attack on the hashes. But make sure you have appropriate authorisation to do this! Performing the test safely and securely can be tricky so it might be a good idea to include it as part of a pentest from a trusted firm. As an added precaution, as soon as the list is generated take steps to keep the cracked password list separate from the associated usernames.
The great thing about this approach is that it will likely use the same common tools and techniques that an actual attacker would employ. Theoretically debating strategies for improving password entropy is one thing, but the reality is an attack will likely involve one of a few known tools. If one of those tools, out of the box, employs a strategy that trivially cracks a password hash, then it’s unequivocally and demonstrably weak.
It’s worth noting that given enough time you’ll crack every password; limiting the time spent on an attack ensures you’ll get most value from the result by focusing on worst cases. Telling someone with a password of” that they need to change it isn’t going to help anyone!
After conducting this exercise, you’ll likely spot some clear recurring problems with passwords which will really help you with a policy tailored towards your organisation. Every organisation is different so it’s important to do this yourself.
That said, an almost guaranteed finding is that password length is the most important factor. If you enforce one thing, it should be this.
Just as important as the actual policy are the associated guidelines. Include links to sensible strategies like Graham’s, below, and provide some examples of bad passwords based on known user behaviour (obviously anonymously and only after they’ve been changed).
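The two practical points above, that complexity rules are easily gamed while length matters most, and that the results of an authorised cracking test should be reported with the recovered passwords kept apart from usernames, can be tied together in a small audit-report helper. The following is an added example written for this post; it is not code from Sophos, from the original article or from the Netiquette IQ blog. The policy thresholds (a 12-character minimum, passphrases of 20 or more characters exempt from the complexity rule), the tiny wordlist, the sample findings and the pepper are all constructed for illustration.

```python
import hashlib
import hmac
import math
import re
from collections import Counter

# Constructed stand-in for the wordlist a cracking tool ships with.
COMMON_WORDS = {"password", "welcome", "summer", "monkey", "letmein", "qwerty", "company"}

# Substitutions users make to satisfy complexity rules without changing the word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12          # hypothetical policy minimum
PASSPHRASE_LENGTH = 20   # hypothetical: passphrases this long skip the complexity rule

def passes_complexity(pw):
    """The common 'three of four character classes' rule."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw))
    return sum(1 for c in classes if c) >= 3

def normalised_core(pw):
    """Undo the decorations bolted onto a word (leading/trailing digits or
    punctuation, leetspeak, case) so that 'P@ssw0rd1' collapses to 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.translate(LEET).lower()

def brute_force_bits(pw):
    """Search space in bits for an attacker who knows which character classes were used;
    shows why length outweighs complexity."""
    size = sum(n for pat, n in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
               if re.search(pat, pw))
    return len(pw) * math.log2(size) if size else 0.0

def weaknesses(pw):
    """Labels describing why a recovered password is weak; empty if nothing obvious."""
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("too_short")
    core = normalised_core(pw)
    if core in COMMON_WORDS:
        found.append("dictionary_word")
    if not passes_complexity(pw):
        if len(pw) < PASSPHRASE_LENGTH:
            found.append("fails_complexity")
    elif core in COMMON_WORDS or re.fullmatch(r"[A-Z]?[a-z]+[0-9]{1,4}[^A-Za-z0-9]{0,2}", pw):
        # Passed the complexity rule, yet it is one word plus the usual suffix.
        found.append("complexity_gamed")
    return found

def pseudonym(user, pepper):
    """Keyed hash of the username; the pepper is stored apart from the report so the
    cracked-password list cannot be joined back to identities without it."""
    return hmac.new(pepper, user.encode(), hashlib.sha256).hexdigest()[:16]

def audit(findings, pepper):
    """findings: (username, recovered_password) pairs from the authorised test.
    Returns (category counts with no identities, pseudonym -> categories)."""
    summary = Counter()
    flagged = {}
    for user, pw in findings:
        labels = weaknesses(pw)
        if labels:
            summary.update(labels)
            flagged[pseudonym(user, pepper)] = sorted(labels)
    return summary, flagged

# Constructed sample findings and pepper; not real accounts or passwords.
SAMPLE_FINDINGS = [
    ("alice", "P@ssw0rd1"),
    ("bob", "Summer2014!"),
    ("carol", "correct horse battery staple"),
    ("dave", "qwerty"),
    ("erin", "Tr0ub4dor&3"),
]
SAMPLE_PEPPER = b"constructed-audit-pepper-keep-separately"

def run_sample():
    return audit(SAMPLE_FINDINGS, SAMPLE_PEPPER)

if __name__ == "__main__":
    summary, flagged = run_sample()
    print("weakness counts:", dict(summary))
    for uid, labels in flagged.items():
        print(uid, labels)
    for _, pw in SAMPLE_FINDINGS:
        print(f"{len(pw):2d} chars -> {brute_force_bits(pw):5.1f} bits")
```

The summary counter is what goes into the policy discussion (how many passwords were short, dictionary words, or gamed the complexity rule) and contains no names; the flagged map is keyed by a pseudonym so the "who needs to change their password" list can be handled separately from the cleartext list. The sample also shows that the long, lowercase passphrase fails the naive complexity rule yet offers far more brute-force resistance than the short, "complex" entries.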
============================================
 In addition to this blog, I have authored the premiere book on Netiquette, " Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
 www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ, Rider University and PSG of Mercer County, NJ.

 Great Reasons for Purchasing Netiquette IQ
·         Get more email opens.  Improve 100% or more.
·         Receive more responses, interviews, appointments, prospects and sales.
·         Be better understood.
·         Eliminate indecision.
·         Avoid being spammed 100% or more.
·         Have recipient finish reading your email content. 
·         Save time by reducing questions.
·         Increase your level of clarity.
·         Improve your time management with your email.
·        Have quick access to a wealth of relevant email information.
Enjoy most of what you need for email in a single book.
===========================================
Netiquette IQ Quote of The Day - Internet Neutrality - Via Netiquette IQ



Internet Neutrality is in a dangerous position. For those who espouse its principles and benefits, this is the best time to lend it support. As the structure of the Internet infrastructure evolves, control of resources, providers and regulations is being consolidated in fewer and fewer entities. The negative consequences are potentially quite profound.



"Net neutrality is a concept that the tech industry rallies around, but it is hypocrisy."
Dave Winer
============================================

Friday, April 25, 2014

Netiquette - More Bad News For All Nations - Internet Neutrality Being Dismantled


There have been several posts on this blog regarding Internet Neutrality and the dangers of having this practice rescinded, which the United States Federal Courts recently ruled Internet Service Providers may legally do. As the article below states, it appears this situation will soon become de facto. Watch this blog for more developments.
FCC planning new Internet rules that will gut Net Neutrality. Get ready to pay more for the stuff you love online.
 Xeni Jardin at 4:31 pm Wed, Apr 23, 2014 Boingboing.net
 The Wall Street Journal was first to report that The Federal Communications Commission will propose new open Internet rules this Thursday that will allow content companies to pay Internet service providers "for special access to consumers."
Under the new rules, service providers may not block or discriminate against specific websites, but they can charge certain sites or services for preferential traffic treatment if the ISPs' discrimination is "commercially reasonable."
Bye-bye, Net Neutrality, and the internet as we know it. Hello, greater connectivity gap between rich and poor in America.
For what it's worth: The FCC's current Chairman, Tom Wheeler, previously worked as a VC and lobbyist for the cable and wireless industry.
The FCC Commissioners' email addresses, to which concerned citizens might send concerned email: Tom.Wheeler@fcc.gov Mignon.Clyburn@fcc.gov Jessica.Rosenworcel@fcc.gov Ajit.Pai@fcc.gov Mike.O'Rielly@fcc.gov. The FCC's main telephone line is 1-888-225-5322. More contact information and postal mail address here.
The new rules, according to the people briefed on them, will allow a company like Comcast or Verizon to negotiate separately with each content company – like Netflix, Amazon, Disney or Google – and charge different companies different amounts for priority service. That, of course, could increase costs for content companies, which would then have an incentive to pass on those costs to consumers as part of their subscription prices.
Proponents of net neutrality have feared that such a framework would empower large, wealthy companies and prevent small start-ups, which might otherwise be the next Twitter or Facebook, for example, from gaining any traction in the market.
From Mashable, confirmation:
In a statement issued to Mashable, the FCC said the draft rules would propose "that broadband providers would be required to offer a baseline level of service to their subscribers, along with the ability to enter into individual negotiations with content providers." The draft, written by FCC chair Tom Wheeler and his staff, will be circulated within the FCC on Thursday, and the commissioners will vote on a final proposal on May 15.
Michael Weinberg at Public Knowledge:
The FCC is inviting ISPs to pick winners and losers online. The very essence of a "commercial reasonableness" standard is discrimination. And the core of net neutrality is non discrimination. This is not net neutrality. This standard allows ISPs to impose a new price of entry for innovation on the Internet. When the Commission used a commercial reasonableness standard for wireless data roaming, it explicitly found that it may be commercially reasonable for a broadband ISP to charge an edge provider higher rates because its service is competitively threatening. 