I’m running out of Post-Its to write down my passwords

We all know to use non-dictionary, complex passwords for our email or online banking or online shopping accounts; whether we put that into practice is another issue. Even less in practice is, using a different password for each of our accounts; that is, never use the same password twice.

Why? The online gaming site that you logon to crush candy may not be as prudent in its security as the financial advisor site that is managing your 401K. The gaming site may store your password in cleartext in their database, or use a weak encryption algorithm. They may not be subject to regulations and policies that require them to have a regular vulnerability assessment. Using the same password for both sites will place either of your accounts vulnerable and at risk.

If a breach occurs and a site’s user data and passwords are unscrambled – as with 3.3 million users of a popular gaming site (article here) – then the hacker can try the discovered password on the user’s other accounts – email, bank, company site logon. And if the user uses the same password across the board, bingo.

You might think unlikely, improbable – how will the hacker know which website to try the discovered credentials? If the email harvested from the gaming site is myemailaddress@gmail.com, they could try the credentials to log into gmail. If the email is @mycompany.com, the hacker would look for a login portal into mycompany.com. The attacker could look for social media accounts registered with that email address. Or any other website that may have an account registered with that email address. The last estimate in 2017 is that there are over 300 million Amazon.com users. The attacker could try the discovered credentials on this popular site; if your favorite password is your birthdate – 12250000 – and you use it for all your logons, the attacker would be on an Amazon shopping spree as you read this blog.

This cross-site password use is not a security issue only through an online data breach; you may have misplaced your trust and shared your password, or entered your credentials on someone else’s computer that had a key logger or you accidentally saved your logon, or browsed the internet using an open wireless hotspot where someone was sniffing the traffic, or through any other instance that your password finds its way to the wrong eyes.

OK, so I need a different password for each different account that I have. I’m gonna need a bigger keyboard to stick all the Post-It notes with the passwords to every account I have underneath it. Or, maybe I could use a password manager.

A password manager is a database program that you can use to store information for each of your online accounts, website, username, password, security questions, etc. They are encrypted, requiring one master password to unlock its contents, all your saved passwords; “Ash nazg durbatulûk” – one ring to rule them all.

Remembering one long, strong, complex, impossible-to-brute-force-or-guess password, you can then gain access to all your other impossible to guess passwords. Almost all password managers also have a feature to generate random, complex passwords that you can use for each of your accounts.

There are many password managers out there, some commercial paid-for programs, some free open-source, with varying features. Some store your data in the cloud, some fill-in the login form automatically in the browser with your account credentials, some you can copy and paste the credentials from the program and the data in the clipboard is erased after a specified time period… You should choose a password manager that is both secure and usable.

Secure in that the encryption used to store the saved credentials and data is impossible to crack. Research what level of encryption your organization requires data to be stored with. When using the password manager, is the data self contained or is it exposed or available for use to other programs, and how. Does the password manager program run in secure memory space or written to a pagefile or swap memory that can be dumped by an attacker.

The password manager should be usable so that the user will be more likely to use it on a daily basis. If it slows down the user too much, it will be ignored and old habits die hard, the user will revert to poor password use behaviors.

An example real-world use of a password manager: Desktop and mobile versions of an open-source password manager can be installed on the Mac, Windows, Linux, Android and iOS operating systems with the one database file containing the credentials data saved in a cloud service. The user can access, view and edit the credentials from any of the devices with the installed program.

Password managers can be an an essential tool in securing your credentials. Do your research; research specifications, read reviews, compare functionality and usability. Also look up which managers have had bugs or vulnerabilities, how quick were the patches released, how was the vendor’s response to the flaws.

Using the same password for even only 2 websites should be a no-no. And forget trying to remember unique passwords to over 20 online accounts (recent research found the average US user has 130 online accounts). Plus, many sites force you to change passwords (rightfully so) on a regular basis. What is my current password to xyz.com that I last logged on 18 months ago?

Password managers can help you use a unique, strong password for each account. A data breach at one website (which seems to be reported on a weekly basis now) should not force you to change your password for any other websites. But protect that ONE master password. It is the one ring that rules them all.

Resources:
https://expandedramblings.com/index.php/amazon-statistics/
https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

Password Breach Mining is a Major Threat on the Horizon

Just a quick note today to get you thinking about a very big issue that is just over the security horizon.

As machine learning capabilities grow rapidly and mass storage pricing drops to close to zero, we will see a collision that will easily benefit common criminals. That is, they will begin to apply machine learning correlation and prediction capabilities to breach data – particularly passwords, in my opinion.

Millions of passwords are often breached at a time these days. Compiling these stolen password is quite easy, and with each added set, the idea of tracking and tracing individual users and their password selection patterns becomes trivial. Learning systems could be used to turn that raw data into insights about particular user patterns. For example, if a user continually creates passwords based on a season and a number (ex: Summer16) and several breaches show that same pattern as being associated with that particular user (ex: Summer16 on one site, Autumn12 on another and so on…) then the criminals can use prediction algorithms to create a custom dictionary to target that user. The dictionary set will be concise and is likely to be highly effective.

Hopefully, we have been teaching users not to use the same password in multiple locations – but a quick review of breach data sets show that these patterns are common. I believe they may well become the next evolution of bad password choices.

Now might be the time to add this to your awareness programs. Talk to users about password randomization, password vaults and the impacts that machine learning and AI are likely to have on crime. If we can change user behavior today, we may be able to prevent the breaches of tomorrow!

Telnet Passwords Used In Brute Force Attacks

Just a quick post today, but I wanted to give you some insight into the Telnet scans we have been seeing lately. Here are the passwords that have been used to target logins on port 23 on one of our HITME sensors in the United States. This particular system emulates a login, and the probes appear to be automated. We saw no evidence of any manual probes on this sensor in the last month that targeted telnet.

The passwords used in brute force attacks on telnet (used against the usual root/admin/etc users…): 

default
1234
220
428
436
Admin
D-Link
admin
cobr4
dreambox
echo
enable
home-modem
l
password
private
public
root
sh
user

Keep a careful eye on any systems with Telnet exposed to the Internet. They are a common attraction point to attackers.

Oracle CSO Online Interview

My interview with CSO Online became available over the weekend. It discusses vendor trust and information security implications of the issues with password security in the Oracle database. You can read more about it here. Thanks to CSO Online for thinking of us and including us in the article.

Hooray! An Open-Source Password Analyzer Tool!

 

 

 

 

 

 

 

I’m one of the resident “Password Hawks” in our office. Our techs consistently tell people to create stronger passwords because it is still one of the most common ways a hacker is able to infiltrate a network.

However, we live in an age where it’s not just hackers who are trying to steal an organization’s data. There are also a variety of malcontents who simply want to hack into someone’s account in order to embarrass them, confirm something negative about them, or be a nuisance by sending spam.

This is why it is important to create a strong password; one that will not be easily cracked.

Enter password analyzer tools. Sophos’ “Naked Security” blog posted a great article today about the often misleading security policies of popular online social sites. Developer Cameron Morris discovered that if he followed one social site’s policy, he actually created a more easily “crackable” password than the one they deemed weak.

About three years ago, developer Cameron Morris had a personal epiphany about passwords, he recently told ZDNet’s John Fontana: The time it takes to crack a password is the only true measure of its worth.

Read the rest of the article here.

There is a free analyzer you can use and I strongly suggest you test the strength of your passwords with it.

Passfault Analyzer

Also, Morris created a tool for administrators that would allow them to configure a password policy based on the time to crack, the possible technology that an attacker might be using (from an everyday computer on up to a $180,000 password attacker), and the password protection technology in use (from Microsoft Windows System security on up to 100,000 rounds of the cryptographic hash function SHA-1/).

OWASP Password Creation Slide-Tool

This is one of the best articles I’ve read on password security, plus it has tools for both the end-user and the administrator. Test them out yourself to see if you have a password that can resist a hacker! 

As for me, I think I need to do a little more strengthening…

Have a great Memorial Day weekend (for our U.S. readers) and stay safe out there!

Twitter Hack! 5 Ways to Avoid Being the Victim of a Phishing Attack

Twitter is downplaying a security breach that exposed tens of thousands of user emails and passwords.

The leaked information, comprising 58,978 username and password combinations, appeared Monday on Pastebin. While Twitter said that it’s investigating the breach, it’s also downplayed the supposed size and severity of the data dump.

“We are currently looking into the situation,” said spokeswoman Rachel Bremer via email. “It’s worth noting that, so far, we’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended, and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other).”

Information Week Security article

Whenever you read about such breaches, it is always a good idea to change your password, especially if you’ve not changed it for some time.

The compromised Twitter accounts could have been the result of phishing attacks. A phishing attack is when an attacker acquires personal information by duping the user into revealing it through manipulating their emotions.

Remember how one of your wiser friends told you it’s never a good idea to make a big decision while you’re overly-emotional? The same stands true for avoiding phishing attacks.

Here are some ways to stay safe:

  1. Do not give out your financial information ever through an email appeal. I hope we all know now that you haven’t won the Nigerian lottery or that some prince or princess is willing to give you part of their inheritance if only you’ll keep their money in your bank account. Emails of this nature prey upon people who would love to “win” money or worse, may lose money in their account unless they give out their account information. Never give out your personal information. Instead, call your bank to verify that they need the information. You could also have some fun with the hackers like I did.
  2. Don’t call any phone number or visit a website that is linked in the email. There’s a good chance it will connect you directly to the attacker. Look at the URL associated with the link. Does it contain words, letters, or numbers that seem odd? It’s likely an attempt to masquerade as an organization’s true website address, so don’t click it. You can see the URL by hovering over it or highlighting it with your mouse. Again, if you think it may be a legitimate request for information, verify it by contacting your financial institution directly.
  3. Never fill out forms in an email that asks for personal information. Most organizations like PayPal notify their customers but do not ask for personal information to be placed into forms. Again, verify, verify, verify.
  4. Regularly check your online banking accounts. Don’t allow months to go by before checking in. By frequently monitoring your account, you’ll be able to immediately see suspicious activity.
  5. Patch it! When that annoying “Software Updates Available Now” window pops up, don’t ignore it. (I’m talking mainly to myself, now.) Click to install. Patches fix vulnerabilities and many attackers will jump on the opportunity to hit an un-patched machine. If you’re in doubt about whether your browser system is up-to-date, check by clicking your browser’s info link or your system’s and click “Software Update” or “Check for updates.” (In Firefox, it’s in the “Tools” section.)

Finally, you can report phishing attacks to the following organizations:

  • The Federal Trade Commission at spam@uce.gov.
  • Forward the email to the “abuse” email address to the company that is being spoofed (i.e. “abuse@XYZcompany.com” or “spam@XYZcompany.com”). Make sure to forward the complete email message with the original email header.
  • Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: http://www.ic3.gov/default.aspx There is an excellent selection of tips on the FBI site to help you avoid fraud, so make sure to check it out.

The key to avoid becoming a victim is to stay alert, stay suspicious, and stay on top of changing your passwords.

Stay safe!

Disagreement on Password Vault Software Findings

Recently, some researchers have been working on comparing password vault software products and have justifiably found some issues. However, many of the vendors are quickly moving to remediate the identified issues, many of which were simply improper use of proprietary cryptography schemes.

I agree that proprietary crypto is a bad thing, but I find fault with articles such as this one where the researchers suggest that using the built in iOS functions are safer than using a password vault tool.

Regardless of OS, platform or device, I fail to see how depending on simple OS embedded tools versus OS embedded tools, plus the additional layers of whatever mechanisms a password vault adds, reduces risk to the user. It would seem that the additional layers of control (regardless of their specific vulnerability to nuanced attacks against each control surface), would still add overall security for the user and complexity for the attacker to manage in a compromise.
 
I would love to see a model on this scenario where the additional controls reduce the overall security of the data. I could be wrong (it happens), but in the models I have run, they all point to the idea that even a flawed password vault wrapped in the OS controls are stronger and safer than the bare OS controls alone.
 
In the meantime, while the vendors work on patching their password vaults and embracing common crypto mechanisms, I’ll continue to use my password vault as is, wrapped in the additional layers of OS controls and added detection mechanisms my systems enjoy. I would suggest you and your organization’s users continue to do the same.

All Your Creds Are Belong To Us? How To Harden Your Passwords and Protect Your ‘Base.’

In an article published some time ago, a project led by a computer science professor at Columbia University had done some preliminary scanning of some of the largest Internet Service Providers (ISPs) in North America, Europe, and Asia and uncovered thousands of embedded devices susceptible to attack, thanks to default credentials and remote administration panels being available to the Internet.

This is amazing to us here at MSI. It is astounding that such a number of people (and possibly organizations) who don’t take into account the security implications of not changing these credentials on outward facing devices, exists! This goes beyond patching systems and having strong password policies. It’s highly unlikely you’re developing strong passwords internally if you’re not even changing what attackers know is true externally.

The fact that these devices are available is quite scary. It becomes trivial for an attacker to take over control of what is likely the only gateway in a residential network. The average user has little need to access these devices on a regular basis, so hardening the password and recording it on paper or even using a password vault like TrueCrypt is a good option for reducing the threat level. More importantly, how many home users need outside access to their gateway?

This all goes back to the common theme of being an easy target. If you let attackers see you as the low hanging fruit, you’re just asking to become a statistic. This is the digital equivalent to walking down a dangerous street at night with your head down, shoulders slumped, avoiding eye contact, and having hundred dollar bills popping out of your pockets! We can’t make it easy for them. It’s important that we make them think twice about attacking us- and simple things like changing default passwords or patching our machines (automatic updates, anyone?) allow us to take advantage of that 80% result with only 20% effort!

How to Avoid Falling For Social Engineering Attacks

I am one of the “end-users” in our organization. I’m not a tech, but over the years have had my eyes opened regarding information security and ways I can safeguard my own private data. My favorite tool is a password vault, which helps tremendously as I belong to dozens of sites. Quite frankly, I can’t remember what I had for dinner yesterday much less recall all the different passwords needed to access all those sites. So a password vault is incredibly helpful.

But what really fascinated me was the discovery of social engineering. Social engineering is when someone uses deceptive methods in order to get you to release confidential information. Sometimes it’s almost obvious, sometimes it’s sneaky. But on most occasions, people don’t realize what’s happening until it’s too late.

I’ll give an example: One time I received several phone messages from my credit union. I was told there was an issue and to return the call. I called my credit union to discover that (surprise, surprise), there was no “issue” and they never called me. So when this shady outfit called me two days later, I was home and answered the phone. After the woman went through some type of script (needing my account number, natch), I blew up.

“For your information, I contacted my credit union and there IS no issue and no need to speak to me. How in the world do you sleep at night, deliberately trying to get people to give you confidential information so you can steal from them? You’ve got a helluva lotta nerve to keep calling!”  The woman was silent. I slammed the phone down. I never heard from them again.

The point of this colorful little story is that thieves and hackers are everywhere. With our information becoming more digitalized, we need to be on guard more than ever before and use the most powerful weapon we’ve got.

QUESTION EVERYTHING.

And follow some of these tips:

  1. If you receive an email from PayPal or a credit card company and they want to “verify” your account, check the URL. If a letter of the company’s name is off or it looks totally different, do NOT click on it. (You can see the URL usually by hovering your mouse over the link.)
  2. Never  click on a link in an email to a financial institution. If you are a member of this institution, call their customer service number. Have them check your account to see if indeed there was a need to contact you.
  3. Always check the identity of anyone who is calling you on the phone to ask for confidential information. Say you’re about to run out the door and get their name and phone number. Then call the organization they represent to verify that this person is legit.
  4. Check to make sure a site is secure before passing on confidential information. Usually this information is either available under a “Privacy” link or an icon (like a lock) is visible in the address bar.
  5. At your workplace, use the same approach. Be friendly, but wary in a good way. If you have a courier who needs to give their package directly to the recipient, casually ask a co-worker if they could accompany the courier to their destination and then ensure they leave promptly afterward. Use this method for any strangers who are visiting your organization such as repairmen, copier salespeople, or phone technicians.

Speaking of copiers, beware of “boiler-room” phone calls. These are attempts to gather information about your copier (i.e., serial number, make and model of copier) so the unscrupulous company can ship expensive supplies to a company and then bill you, as though it was a purchase initiated by your company. These types are scumballs in my book. After I learned what they did, I’d have a bit of fun with them before hanging up. Now I don’t have the patience for it. I just hang up.

You have to be sharper than ever to see through a social engineering attack. The challenge is to retain that sharpness while in the midst of multiple tasks. Most of the time, the attacker will take advantage of a busy receptionist, a chaotic office, or a tired staff when they try their dastardly deed. (Ever notice you hardly get these attempts early in the morning, when you’re awake and alert? And how many happen close to quitting time on a Friday?)

Just a few thoughts to keep you sane and safe. Confound the social engineering attacks so you won’t be the one confounded! Good luck!

All Your Data Are Belong To Us!

My last post discussed some tactics for realizing what’s happening under the hood of our browsers when we’re surfing the web, and hopefully generated some thoughts for novice and intermediate users who want to browse the Internet safely. This week, we’re going to look a step beyond that and focus on steps to protect our passwords and data from unwanted visitors.

Passwords are the bane of every system administrator’s existence. Policies are created to secure organizations, but when enforced they cause people to have trouble coming up with (and keeping track of) the multitude of passwords necessary. As a result, people commonly use the same passwords in multiple places. This makes it easier on us as users because we can remember puppy123 a lot easier than we can those passwords that attackers can’t or don’t guess. Doing so also makes it easier on attackers to find a foot hold, and what’s worse is that if they are able to brute force your Yahoo! email account then they now have the password to your online banking, paypal, or insurance company login as well.

Hopefully some of you are thinking to yourselves “Is this guy telling me I shouldn’t be using the same password for everything?” If you are, you get a gold star and you’re half-way toward a solution. For those of you who are not, either you have mastered the password problem or still don’t care- in which case I’ll see you when our Incident Response Team is called to clean up the mess.

To solve this problem, find your favorite password manager (Google will help with this), or use what our team uses- KeePass. This is a fast, light, secure password manager that allows users to sort and store all their passwords under one master password. This enables you to use puppies123 to access your other passwords, which can be copied and pasted so you have no need to memorize those long, complex passwords. KeePass also includes a password generator. This tool lets users decide how long and what characters will make up their passwords. So you’re able to tailor passwords to meet any policy needs (whitespace, special characters, caps, etc) and not have to think about creating something different than the last password created- the tool handles this for you.

In addition to password composition, this tool lets you decide when and if the password should expire so you can force yourself to change this on a regular basis- this is an invaluable feature that helps minimize damage if and when a breach DOES occur. Once passwords are created, they are saved into a database file that is encrypted- so if your computer is lost, stolen, or breeched in some other manner, the attacker will have a harder time getting to your protected password data. There are many of these solutions available for varying price ranges, but I highly recommend KeePass as a free solution that has worked really well for me for quite some time. It’s amazing how nice it is to not have to remember passwords any longer!

Okay, so our passwords are now safe, what about the rest of our files? Local hard drive storage is a great convenience that allows us to save files to our hard drive at will. The downside to this is that upon breaking into our PC an attacker has access to any file within their permission scope, which means a root user can access ALL files on a compromised file system! While full disk encryption is still gaining popularity, “On the fly encryption” products are making their mark by offering strog and flexible encryption tools that create encrypted containers for data that can be accessed when given the appropriate password.

I have used the tool TrueCrypt for years and it has proven to be invaluable in this arena! TrueCrypt allows users to create containers of any size which becomes an encrypted drive that can be accessed once unlocked. After being locked, it is highly unlikely that an attacker will successfully break the encryption to decipher the data, so if you’re using a strong password, your data is as “safe” as it can be. This tool is one of the best out there in that it offers on the fly and total disk encryption, as well as allowing for encryption of individual disk partitions including the partition where Windows is installed (along with pre-boot authentication), and even allows these containers to be hidden at will.

Wow, we’ve gone through a lot together! You’re managing passwords, protecting stored data, learning what’s going on when your browsing the web, and becoming a human intrusion detection/prevention system by recognizing anomalies that occur in regular online activities! Visit next time as I explorer updates with you to round out this series on basic user guidelines.