Computer Security: the value of your password

Of course, your passwords have a value to you as they allow you to access your computer and your Facebook page, to buy on Amazon, to create a Twitter feed, and to use a multitude of computing services provided by CERN. But have you ever thought of their value to the malicious people of this world? 


With your account password, I can take over your computer. I can install software allowing me to enable your microphone and listen to your communications and what is happening around you as long as your computer is turned on. I can take regular screenshots and monitor you while you work. With that, I can try to determine your working habits, your online behaviour, the way you write e-mails… Useful, if I want to impersonate you believably (e.g. to attack CERN and the systems you are working on at CERN). What’s more, with access to your computer, I can install a keylogger to record your every keystroke – including when you type all your other passwords: Amazon, Paypal, Facebook, Twitter. Of course, with those passwords, I can go on a nice shopping spree with your money…

So, what is the value of your password to those malicious people? A few bucks? A bit more or a bit less, depending on the type of account. There are black market websites where they can buy and sell account names and passwords in bulk. Think of what an attacker could do with your CERN password. For example, they could access your mailbox and send spam to people all over the world, which could earn them some money if people respond. By sending phishing emails, they can harvest even more passwords. They could access CERN’s software repositories or our online journal library; downloading them in bulk and selling them on the black market would definitely create revenue – at CERN’s expense!

They could access your computer and manipulate your work: if you work in finance, the attackers might try to siphon money out of CERN. If you have access to computing resources, the attackers might misuse them, for example by running denial-of-service attacks against third-party web services and extorting their owners, or by running computing jobs to mine Bitcoin or crack hashed password files. If you have access to control systems, targeted attackers might even misuse your privileges to grind your system to a halt…

So, is your password already on sale? Hopefully not. Just follow a few simple steps to keep your password yours – both at home and at CERN: keep your PCs and laptops up to date and run antivirus software. Do not install software downloaded from dubious sites. Browse responsibly – stop and think before you click. Make use of browser extensions and plugins that can help you. Keep your password to yourself: do not share it and do not type it into webpages you are not sure of. Do not use the same password for multiple sites, so that one stolen password does not unlock all your accounts. And finally, make your password long and complex: for example, you could use the title and artist of a song you like (“Money4Nothing---DireStraits”), a mathematical formula (“DeltaX*DeltaP>=h/4pi”), or a poem (“3quarksforMusterMark!”). Pick your own, though: now that these three are printed here, they are in the attackers' dictionaries too. Recall what is at stake: lose your password and you are digitally naked…
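The two pieces of advice above that can be checked mechanically are "is it already on sale?" and "is it long and complex?". The following is an added example, written for this page and not code from the CERN Computer Security Team, that applies both checks to the article's own sample passwords. It assumes a small, constructed list of leaked passwords standing in for a black-market dump, a 12-character minimum length and a 60-bit brute-force threshold (all three are assumptions, not CERN policy). The brute-force figure is deliberately an upper bound: it counts every string of the same length and alphabet, which is why a well-known song title alone is still rejected via the leaked list even though its length and character mix look fine.

```python
import hashlib
import math
import string

# Constructed stand-in for a black-market credential dump (assumption: a real
# dump holds millions of entries). Only SHA-1 digests are kept, so the check
# can be made without storing the plaintexts alongside the code.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("123456", "password", "cern2013", "Money4Nothing", "qwerty")
}

MIN_LENGTH = 12   # assumption: local policy minimum, not CERN's
MIN_BITS = 60.0   # assumption: brute-force resistance threshold


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if any(ord(c) > 127 for c in pw):
        size += 100  # crude allowance for accented or other non-ASCII characters
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on strength: bits needed to enumerate every string of the
    same length over the same alphabet. Dictionary attacks do far better than
    this against song titles and quotes, which is why is_leaked() also exists."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def is_leaked(pw: str) -> bool:
    """True if the password's SHA-1 digest appears in the constructed dump."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest() in LEAKED_SHA1


def assess(pw: str) -> dict:
    """Apply the article's advice: not already on sale, long, and complex."""
    bits = brute_force_bits(pw)
    reasons = []
    if is_leaked(pw):
        reasons.append("already circulating in a leaked password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if bits < MIN_BITS:
        reasons.append(f"only {bits:.0f} bits of brute-force resistance")
    return {"bits": round(bits, 1), "acceptable": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("password", "cern2013", "Money4Nothing",
                      "Money4Nothing---DireStraits", "DeltaX*DeltaP>=h/4pi",
                      "3quarksforMusterMark!"):
        print(f"{candidate!r}: {assess(candidate)}")
```

Running it shows the point of the article's examples: "Money4Nothing" on its own passes the length and character-class tests but fails because it is in the (constructed) leaked list, while "Money4Nothing---DireStraits" adds enough length and a second dictionary word to pass both checks. In practice the leaked-list lookup would be done against a real breach corpus, and a memorised phrase should never be one that has appeared in print.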


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report


Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team