How can Internet security be stepped up?

TOPICS: Browser, Security

The state of Internet security is now the worst it has ever been, with botnets attacking Macs (which was almost unheard of before last week), password thefts, and eBay and Twitter scams, through to identity theft and the data theft which breached the Pentagon.

One of the main reasons why security is being breached is not necessarily down to exploiting weaknesses in the system through attacking firewalls; instead, it is the exploitation of humans and human nature.

Passwords are the main issue here, with profanities and the names of spouses and siblings being used to secure computers. Whilst I don't (thankfully) have a Wikipedia page, Sarah Palin, the vice-presidential candidate, had her email account hacked into using data from the site.

Biometrics is one of the ways used to secure computers, because fingerprints are more unique to people than passwords are. You can't generate a fingerprint or iris details using a computer, whereas you can with a password.

I spoke to Dr. Guy Bunker, chief scientist at Symantec, about security, biometrics and passwords.

My Hotmail account was hacked into last week and spam messages sent as a result. How secure is a standard username and password?

Usernames and passwords are not that secure; they can be made more secure in several ways. Usernames, especially, should not be a person's name. A number is better (e.g. employee ID) but a mixture of numbers and letters is better still.

Are passwords on their way out, due to the increase of dictionary and brute force attacks?

Passwords, again, not names. Longer passwords are better and a mix of numbers, letters and punctuation is best. 10+ characters is (obviously) better than the standard eight. Education on what makes a good password is essential; however, some draconian policies can make it tough for individuals to find one that works.

Replacing numbers with characters and vice-versa, e.g. p4ssw0rd, is well known and most password crackers try these - so don't rely on that as your way to create a strong password.

If passwords are not secure, then how can existing systems be made secure using the legacy password approach?

An additional factor is useful in that case. For example, picking out characters at random from a pass phrase (a key-logger will not get all the characters in one go, and it's different every time, so even if they have the username and password they won't get access). The other factor is often a hardware key or flash drive, which are also good.

But consumers don't want to carry lots of them around with them. There are a number of solutions which use the mobile phone as the third factor - which also works well, provided you have your phone of course!

Biometrics are very secure, but transmitting the inputted fingerprint across the web could still be an issue. How is this being solved?

Biometrics are also useful - but the data should be transformed algorithmically before use, else you will need to get new thumbs if it is compromised.

Universities can be a major target for theft of data and suchlike; should biometrics be the primary source of authentication for user accounts and internal web services?

Relying solely on biometrics is not good. While chopping someone's thumbs off is unlikely (except in films), the back end database could be hacked and someone else's fingerprint could replace yours... and then they would, as far as the system knows, be you!

As an aside, chip and PIN makes it easy to impersonate someone. All you need is their four-digit PIN and then the cashpoint and traders 'know' it's you. They don't look at 'you', just that the PIN was entered OK!

What are your thoughts? Are your usernames and passwords secure enough? Have your employers or universities put in more secure measures to reduce hacking and industrial espionage? Are biometrics the way forwards or, if anything, a step back by trivialising security? TalkBack and share your thoughts.
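
The interview's points that substitutions such as p4ssw0rd are tried by password crackers, and that 10+ characters with mixed character types are better, can be enforced when a password is set. The sketch below is an added example, not code from the article or from Symantec; the blocklist, the substitution table and the function names are constructed for illustration.

```python
import itertools
import string

# Constructed sample blocklist; a real check would load a large list of
# common and breached passwords.
BLOCKLIST = {"password", "letmein", "dragon", "monkey", "sarah"}

# Assumed table of well-known swaps (the "p4ssw0rd" trick from the interview).
LEET = {"4": "a", "@": "a", "3": "e", "1": "il", "!": "i",
        "0": "o", "5": "s", "$": "s", "7": "t"}

MIN_LENGTH = 10  # the interview's "10+ characters"
PADDING = string.digits + string.punctuation


def deleet_variants(password, limit=4096):
    """Yield lower-cased readings of the password with swaps undone.

    Each swapped character may stand for a letter or for itself, so every
    combination is tried, capped at `limit` to bound the work.
    """
    options = [LEET.get(ch, "") + ch for ch in password.lower()]
    yield from ("".join(c) for c in
                itertools.islice(itertools.product(*options), limit))


def screen_password(password):
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_all = (any(c.isalpha() for c in password)
               and any(c.isdigit() for c in password)
               and any(c in string.punctuation for c in password))
    if not has_all:
        problems.append("needs letters, numbers and punctuation")
    for variant in deleet_variants(password):
        core = variant.strip(PADDING)  # drop leading/trailing digits and symbols
        if core in BLOCKLIST:
            problems.append("common word behind substitutions: " + core)
            break
    return problems


if __name__ == "__main__":
    for sample in ("p4ssw0rd", "P4ssw0rd!2024", "tidal;Quartz9-lantern"):
        print(sample, "->", screen_password(sample) or "accepted")
```

The second sample passes the length and character-mix rules and is still rejected, which is the case the interview warns about.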


Talkback

12 comments
  • A better password strategy...

    Use a mix of symbols that are found in computer math.

    1/3!=func(x);

    One divided by 3 not equal to function(x) is both long enough and filled with punctuation and filled with characters and numbers.

    1.3/X==4589();

    One point 3 divided by X equals 4589(); is long enough and can be your pin number. The problem with passwords is that nobody can remember them and the best solution is to move to passwords that are math function based but nonsense functions like the above.
    progon
    • RE: A better password strategy

      3/95.2*3+7/sin(y+8)*cos(xy)==sin(xy*xz*yz)/cos(x^2y^2*x^2z^2*y^2z^2)

      :D


      ^o^
      Grayson Peddie
      • RE: RE: A better password strategy

        I love it, but getting someone to remember it will be a different thing!

        Sheeple like things simple.
        fatman65535
  • Make the penalties SEVER.

    Hack a system, no you don't get a nice job, you go to prison for a decade or two. Take the "fun" out of it.
    No_Ax_to_Grind
    • SEVER works

      ...punishment fits the crime.
      computer_chick
      • RE: SEVER works

        Yes, especially when it is

        SEVER the head.

        No more life of crime. (And no more life!)
        fatman65535
  • ... or even severe (nt)

    ...
    BanjoPaterson
  • RE: How can Internet security be stepped up?

    Eliminating windows would be a good start.
    ator1940
    • Would it?

      I've already said in the article, it's not so much to do with the breaking in of a computer via exploits and worms, it's easier to break passwords. Didn't you read or are you a Linux fanboy?
      zwhittaker
  • RE: How can Internet security be stepped up?

    Use image based verification.
    Initially the user supplies a set number of their most memorable images (250x250 pixels approx.) to the server verifier database. When logging in, one of these images is shown with many other users' images as one HTML page (say 36 images total displayed). The user clicks on their memorable image. The image pixel information and user name make an encryption key seed number that is used to verify the user.
    Agnostic_OS
  • RE: How can Internet security be stepped up?

    The information on passwords is fairly intuitive but a good reminder. It's been suggested by those wiser than I that just getting people to use worthy passwords would help significantly. I learned a lot about passwords in relation to digital security here: http://www.justaskgemalto.com/en/search/node/password. It expands on what the gentleman discussed above.
    Steve KTG
  • RE: How can Internet security be stepped up?

    End users only have permission to use the net if they use it intelligently... traffic would surely go down

    Cut countries connection to the net if they do not stop psycho cyber criminals!!! Bye Bye Putin
    bricur@...