IT Outsourcing - Percento

Archive for April, 2010

How I’d Hack Your Weak Passwords

Thursday, April 29th, 2010


If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site by trying candidate username and password combinations for your account, one after another, until one works. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

[Table (image in the original post): estimated time to generate every possible password combination, by password length and character set]

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (e.g. m0d3ltf0rd, from “model T Ford”)
  2. Randomly throw in capital letters (e.g. Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fall to a simple word-list (dictionary) attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.
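As an added example that is not part of the original post, the following Python script reproduces the arithmetic behind the time estimates above and turns the tips in this list into a checker. It assumes an attacker rate of one million guesses per second (the rate that turns 26^8 lowercase combinations into the post’s 2.4 days and 95^8 printable-ASCII combinations into its 2.1 centuries); the word lists, the sample “personal facts”, the look-alike substitution table and the function names (`weak_reasons`, `assess`) are the example’s own, constructed for the demo.

```python
"""Password keyspace calculator and weak-pattern checker.

Added example, not code from the original post. Assumes an attacker who
can try one million guesses per second: that rate turns 26^8 lowercase
combinations into the post's "2.4 days" and 95^8 printable-ASCII
combinations into its "2.1 centuries".
"""
import string

GUESSES_PER_SECOND = 1_000_000   # assumption derived from the post's figures
PRINTABLE_ASCII = 95             # 26 lower + 26 upper + 10 digits + 33 symbols/space

# Character classes used to size the alphabet a password actually draws on.
CHARACTER_CLASSES = (
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("digits", set(string.digits)),
    ("symbols", set(string.punctuation + " ")),
)

# Constructed for the demo: the post's top-10 guesses, plus sample personal
# facts (pet, city, team, partner) and a tiny stand-in for a dictionary.
COMMON_PASSWORDS = {"123", "1234", "123456", "password", "god", "letmein",
                    "money", "love"}
SAMPLE_PERSONAL_FACTS = {"fluffy", "houston", "texans", "jessica"}
SAMPLE_DICTIONARY = {"model", "ford", "summer", "dragon", "monkey"}

# Undo the look-alike substitutions from tips 1 and 2 (constructed subset).
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def alphabet_size(password):
    """Sum of the sizes of the character classes the password uses.

    This is the attacker-friendly view; an attacker who does not know which
    classes were used must search all 95 printable characters.
    """
    return sum(len(chars) for _, chars in CHARACTER_CLASSES
               if any(c in chars for c in password))


def seconds_to_exhaust(length, alphabet, rate=GUESSES_PER_SECOND):
    """Time to try every string of `length` characters over `alphabet`."""
    return alphabet ** length / rate


def human_duration(seconds):
    """Render a duration in the units the post uses (days, centuries, ...)."""
    units = (("centuries", 3_155_760_000), ("years", 31_557_600),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def weak_reasons(password, personal_facts=SAMPLE_PERSONAL_FACTS,
                 dictionary=SAMPLE_DICTIONARY):
    """Apply the post's guessing list: return why a password is guessable."""
    lowered = password.lower()
    # Drop the trailing 0/1 people append, then undo l33t substitutions.
    core = lowered.rstrip(string.digits).translate(LEET_TABLE)
    reasons = []
    if lowered in COMMON_PASSWORDS:
        reasons.append("one of the top-10 guesses")
    if core in personal_facts:
        reasons.append("a name, team or place an attacker can look up")
    if core in dictionary:
        reasons.append("a dictionary word, even with substitutions")
    if lowered.isdigit():
        reasons.append("digits only (looks like a date, SSN or 1234 pattern)")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


def assess(password):
    """Combine the guessability check with the exhaustive-search estimate."""
    alphabet = alphabet_size(password)
    seconds = seconds_to_exhaust(len(password), alphabet)
    return {"alphabet": alphabet, "exhaustive_search": human_duration(seconds),
            "reasons": weak_reasons(password)}


if __name__ == "__main__":
    # The length-versus-character-set table the post's image showed.
    print("length  lowercase only   all 95 printable")
    for length in range(6, 11):
        print(f"{length:>6}  {human_duration(seconds_to_exhaust(length, 26)):>15}"
              f"   {human_duration(seconds_to_exhaust(length, PRINTABLE_ASCII)):>16}")
    for sample in ("fluffy1", "password", "dr4g0n", "19850412", "Mod3lTF0rd"):
        print(sample, assess(sample))
```

Running it prints the length-versus-character-set table and then assesses five constructed samples. The guessability check runs before the arithmetic on purpose: as the top-10 list shows, a password built from a name, a date or a dictionary word falls to a short guess list long before the size of the keyspace matters, so the exhaustive-search figure is only meaningful for a password that passes `weak_reasons` with no findings.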

By request I also created a short RoboForm Demonstration video. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

Source

Facebook Beefs up Site Against Hackers

Wednesday, April 28th, 2010

Facebook is employing aggressive legal means in combination with technical measures in order to stop hackers from abusing its social-networking site, according to its chief security officer, Max Kelly.

The company is constantly under fire from hackers trying to spam its 400 million registered users, harvest their data or run other scams.

Facebook’s security team started off with just a few people, said Kelly, who began working at Facebook in 2005 after a stint as a computer forensic analyst for the U.S. Federal Bureau of Investigation. He gave a keynote presentation at the Black Hat security conference on Tuesday.

Now, as many as 10 percent of Facebook’s 1,200 employees are involved in security-related functions for the site, Kelly said. Its core security team consists of 20 people, a site integrity team of around 15 people and 200 others that are part of a user operations team that monitors illegal activity.

With the right data, it is relatively easy to identify where the attacks are coming from, even if a specific individual can’t be identified. If an attack is under way, it’s important to understand the person’s motivation, Kelly said.

“We diligently go after attackers on this site,” Kelly said. “We want to know what people are attacking us and why.”

Facebook has integrated its security incident response team with its law enforcement team, which allows both groups to use some of the same tools in order to respond to a security incident, Kelly said.

On the technical side, Facebook has automated systems that detect when someone is using the site in a way that is different from the normal user. Those systems can then employ countermeasures, such as limiting the number of messages a user can send, employing CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) and disabling accounts, Kelly said.

Facebook’s security team tends to worry less about vulnerabilities, focusing instead on the actual attacks, Kelly said. That lets Facebook concentrate on the individuals behind the attacks and on frustrating them.

The site is also rewarding individuals who responsibly disclose security problems by giving them credit on its security page. “If it’s a really good hack, we’ll probably end up hiring you,” Kelly said.

Facebook has pursued a variety of criminal and civil penalties against those who abuse the site, using laws such as the U.S. CAN-SPAM act, which levies penalties of as much as $100 per spam message, Kelly said. Facebook has “dozens” of lawsuits in the works, he said.

The company has had some notable successes with this strategy.

In November 2008, it was awarded one of the largest judgments ever, winning statutory damages of US$1.3 billion (later reduced to $873 million). That suit charged Adam Guerbuez of Canada, Atlantis Blue Capital and 25 other unnamed people for falsely obtaining login information for Facebook users and then sending spam to those users’ friends. Although the individuals charged are in Canada, Facebook could still pursue the money. Even if it doesn’t, the judgement still has an impact, Kelly said.

“It means that any asset that goes through the United States, we have a claim,” Kelly said. “It makes the cost of doing business in the U.S. much more prohibitive.”

Source

Lost iPhone prototype spurs police probe

Tuesday, April 27th, 2010


Silicon Valley police are investigating what appears to be a lost Apple iPhone prototype purchased by a gadget blog, a transaction that may have violated criminal laws, a law enforcement official told CNET on Friday.

Apple has spoken to local police about the incident and the investigation is believed to be headed by a computer crime task force led by the Santa Clara County district attorney’s office, the source said. Apple’s Cupertino headquarters is in Santa Clara County, about 40 miles south of San Francisco.

Editors at Gizmodo.com, part of Gawker Media’s blog network, said in an article posted Monday that they paid $5,000 for what they believed to be a prototype of an impending iPhone 4G. The story said the phone was accidentally left at a bar in Redwood City, Calif., last month by an Apple software engineer and found by someone who contacted Gizmodo, which had previously indicated it was willing to pay significant sums for unreleased Apple products.

The purpose of an investigation is to determine whether sufficient evidence exists to file criminal charges. Spokesmen for Santa Clara County and San Mateo County–home to the Redwood City bar–declined to comment. Representatives for Apple and Gawker Media did not immediately respond to interview requests.

CNET has not been able to confirm whether the investigation is targeting Gizmodo.com, its source who reportedly found the iPhone in a bar, or both. Apple acknowledged that the lost device is their property and asked for its return; Gizmodo has since said that it has returned the device.

Late Friday, Bloomberg reported that it spoke to Gaby Darbyshire, Gawker’s chief operating officer, and she said that law enforcement officials had not spoken with anyone at the company. The wire service also reported that a San Mateo County prosecutor would not confirm an investigation but said that, “if there is a case that is investigated and able to be submitted for prosecution, it will be handled by this office.”

The tale of a lost iPhone may sound trivial, but Apple goes to great lengths to protect the secrecy of its products, and the company has not been afraid to take aggressive legal measures in the past. It filed a lawsuit against a Mac enthusiast Web site, for instance, to unearth information about a leak. A state appeals court ruled in favor of the Web sites.

Apple argued in that case that information published about unreleased products causes it significant harm. “If these trade secrets are revealed, competitors can anticipate and counter Apple’s business strategy, and Apple loses control over the timing and publicity for its product launches,” Apple wrote in a brief.

Under a California law dating back to 1872, any person who finds lost property and knows who the owner is likely to be but “appropriates such property to his own use” is guilty of theft. If the value of the property exceeds $400, more serious charges of grand theft can be filed. In addition, a second state law says that any person who knowingly receives property that has been obtained illegally can be imprisoned for up to one year.

Any prosecution would be complicated because of the First Amendment’s guarantee of freedom of the press: the U.S. Supreme Court ruled in 2001 that confidential information leaked to a news organization could be legally broadcast, although that case did not deal with physical property and the radio station did not pay its source.

The computer crime task force is called REACT, which stands for Rapid Enforcement Allied Computer Team, and was established in 1997 with a goal of working closely with Bay Area technology companies. In the past, for instance, Apple has contacted REACT to report an employee who sold over $100,000 worth of computers on eBay. REACT also has investigated denial-of-service attacks targeting local firms.

Source

1.5 Million Stolen Facebook IDs up for Sale

Monday, April 26th, 2010

A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.

Researchers at VeriSign’s iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

IDefense doesn’t know if Kirllos’ accounts are legitimate, and Facebook didn’t respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from US$25 to $45 per 1,000 accounts, depending on the number of contacts each user has.

To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard.

Hackers have been selling stolen social-networking credentials for a while — VeriSign has seen a brisk trade in names and passwords for Russia’s VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account’s owner is trapped in a foreign country and needs money to get home.

In another, they send Web links that lead to malicious software, telling friends that it’s a hilarious or sensationalistic video.

“People will follow it because they believe it was a friend that told them to go to this link,” said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. “There’s just a plethora of things that people can do if they can trick people into installing their software,” he said.

Kirllos’ Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account — Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts.

Source

Your Next Computer May Know How You Feel

Wednesday, April 21st, 2010

UT Dallas computer scientist Yang Liu has received a three-year, $350,000 grant from the highly competitive Air Force Office of Scientific Research’s Young Investigator Research Program to explore emotion recognition and modeling in speech processing.

“The next-generation human-computer interaction interfaces will be more human-centered and socially intelligent,” Liu said. “They’ll have the ability to detect changes in the user’s affective behavior and thus initiate interactions accordingly. Automatic recognition of emotion plays an important role in developing future intelligent systems.”

Emotion is associated with various physical indicators, including facial expression, posture, tone of voice, word usage and movement. Liu and a team of graduate students will focus primarily on emotion recognition and modeling in speech.

They’ll study features such as pitch, intonation patterns and word usage and then associate those with emotions such as anger, sadness, happiness, surprise and frustration. Other efforts to gauge emotion from speech have achieved an accuracy rate of 60 to 80 percent. Liu hopes to improve upon those numbers.

“Automatic recognition of emotions with high accuracy still remains an elusive goal,” she said.

But her research adds a cultural component.

“We’re interested in studying the cross-lingual aspects of emotion in English and other languages, such as Chinese,” Liu said. “This way we can look for the influence of culture and language in emotions.”

She’s doing the research in collaboration with several other UT Dallas faculty who are working in similar areas.

The research could drive a virtually unlimited range of applications. A tutoring system, for example, could detect frustration or boredom in a student – a sure sign the student is not learning and a different approach is needed – perhaps triggering the application to slow down the lesson or load a different one. An interactive voice-response system that detects anger or frustration in a customer might transfer that person to a human operator. An emotion component could be added to a polygraph or lie-detector system used by law enforcement. And such technology could assist in non-pharmacological treatment of social anxiety disorders.

Liu first became interested in speech and language processing as an electrical engineering undergrad at Tsinghua University in Beijing. She joined UT Dallas in 2005 as an assistant professor in the Erik Jonsson School of Engineering and Computer Science after completing postdoctoral work at the International Computer Science Institute (where she also conducted most of her PhD research) in Berkeley, Calif. She received her PhD in electrical and computer engineering from Purdue University in 2004. Her other research interests include speech summarization of meetings, spoken dialogue systems, natural language processing, and machine learning and data mining.

Source

Expected Web Trends of 2010

Tuesday, April 20th, 2010

Beryl Zyskind, an authoritative internet watchdog agency, concluded its 2009 internet report by suggesting that e-commerce, digital TV, and mobile search engines are on the rise while technologies like P2P, VoIP, and selling music online are at a record low.

Based on the Dept. of Commerce’s Quarterly E-Commerce Sales report, online retail e-commerce rose to $32.4 billion – which accounts for 3.6% of all US sales during the second quarter of 2009.

According to Zyskind’s report, websites like eBay.com, Faljo.com, and Amazon are expected to increase their sales margins by as much as 18% in 2010. “Going to Walmart or Target often costs more than just money. It costs time and honestly, you’re never really sure if you got the best deal for your money,” says Didi Ehrlich, an international marketing consultant, explaining that “the consumer’s ability to locate, access, and compare products in real-time to get the best possible deal is what makes these ecommerce sites so lucrative.”

In 1995, 0.04% of the world’s population connected to the internet. Today, over 26.5% of the world is connected online, that is, 1.8 billion people. Additional research cited by the Zyskind report refers to online user behavior. The report cites a recent survey of 7,000 university students conducted at the University of Reading concluding that over 82% of the students watch TV/movies/video via the internet for an average of 7 hours per week. At least 78% of the students claim they had visited Youtube.com, and 42% of the students have used digital TV software to access international TV channels via the web.

Mobile internet usage was also covered in the report. In 2006, Globalist reported there were over 2.4 billion active cellular phones worldwide. According to Zyskind, by the end of 2010, that number will have doubled to 4.5 billion cellphones. “Today, there are more cellphones on earth than computers and TVs put together – which has opened up a vacuum of marketing potential,” says SEO expert Daniel Cohen, who suggests, “we should all be on the lookout for wifi search engines.”

Editorial Note: Google’s first-page results for the queries “Mobile Search Engine” and “Wifi Search Engine” currently reveal Frompo.com to be the only relevant result for cellular search engine technology. For lack of additional competition, Frompo could potentially compete as a legitimate mainstream alternative.

Source

Report: Google tablet on the way

Wednesday, April 14th, 2010

For all you iPad fanboys or haters out there, The New York Times is reporting a Google tablet that uses Android is imminent.

Via Wired:

Google is almost ready to start selling its own tablet. The device, according to the New York Times, will be “an e-reader that would function like a computer.” So close is it that Eric Schmidt, CEO at Google, was describing it to friends at “a recent party in Los Angeles.”

A Google tablet wouldn’t be the only other tablet released this year besides Jobs’ god machine. The companies planning 2010 releases include Hewlett-Packard, Microsoft and Nokia. There’s also the German-made WePad, by Neofonie, which will also run on Android and Linux. It apparently will feature Flash, Adobe Air and JavaScript (plus a Web cam), unlike the iPad.

And all this development can only mean one thing: Consumers will benefit.

Via the NYT:

For consumers, it could all be good, as more companies offer their version of the slate, a new breed of consumer electronics, in a design free-for-all. The products, which will generally cost less than $600, provide different, and in some cases unusual, features that reflect the companies’ visions of what matters most to people.

“We’re living in extremely exciting times right now,” said Olli-Pekka Kallasvuo, the chief executive of Nokia. “It’s quite challenging to define what industry we are in because everything is changing.”

Source

Percento Technologies is retained by Law Firm!

Tuesday, April 13th, 2010

Percento Technologies is happy to announce that we have been retained by another Houston based law firm! The firm has additional offices in Dallas and San Antonio.

The firm retained Percento Technologies for assistance in updating their computers and network. Additionally, a large custom programming project for new software that they hope to take to market this year is being discussed with the Percento Team.

For more information on Percento’s service areas, please visit www.PercentoTech.com

Apple launches ad system for mobile devices in race with Google

Friday, April 9th, 2010

In a direct attack on Silicon Valley rival Google Inc., Apple Inc. unveiled its new mobile advertising system Thursday and promised to deliver a new generation of compelling interactive ads to its devices.

Chief Executive Steve Jobs announced Apple’s iAd advertising network as one of a raft of features coming later this year to its iPhone, iPad and iPod Touch line.

By building an advertising system into its products, Jobs said, Apple is hoping to tap into a nascent but potentially lucrative market: the growing number of consumers who are picking up a cellphone when they want to access the Internet.

Analysts predict that within five years, more users will access the Internet from mobile devices than personal computers, which could translate into billions of dollars in sales of phones, software and services.

Spending on mobile advertising in the U.S. last year was about $416 million, and it is expected to climb to more than $1.5 billion by 2013, according to research firm EMarketer. Online advertising generated $24 billion last year, the firm said.

That has led to Apple and Google racing against one another to build competing mobile advertising platforms. Their goal is simple: Whether people are reading on computer tablets at home, talking on cellphones in the car or listening to music players while walking down the street, advertisers can always reach them.

What such marketing campaigns will look like, or how they will let people interact with media-rich ads, is still in the early stages. At Apple headquarters in Cupertino, Calif., Jobs showed some examples of what was possible with ads for the upcoming “Toy Story” movie, Nike Air sneakers and Target: The ads more closely resembled small, touchable multimedia games than traditional static Web ads.

Even before the launch of iAd, Apple had a substantial head start in the mobile marketplace: The company sold more than 85 million iPhones and iPod Touch players in the last three years. That success has attracted an army of software developers, who have built 185,000 applications for Apple’s hand-held devices.

Users have performed 4 billion application downloads since the earliest became available in 2008, Jobs said.

“Search is not happening on phones,” Jobs said, in a direct jab at Google.

“People are using apps, and this is where the opportunity is to deliver advertising.”

US court rules against FCC on ‘net neutrality’

Tuesday, April 6th, 2010

WASHINGTON (AP) — A federal appeals court has ruled that the Federal Communications Commission lacks the authority to require broadband providers to give equal treatment to all Internet traffic flowing over their networks.

Tuesday’s ruling by the U.S. Court of Appeals for the District of Columbia is a big victory for Comcast Corp., the nation’s largest cable company. It had challenged the FCC’s authority to impose so-called “net neutrality” obligations.

It marks a serious setback for the FCC, which needs authority to regulate the Internet in order to push ahead with key parts of its massive national broadband plan.

Source