Experts agree that it’s long past time for companies to stop relying on traditional passwords. They should switch to more secure access methods like multi-factor authentication (MFA), biometrics, and single sign-on (SSO) systems. According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords.
First, let’s talk about password hacking techniques. The story is different when the target is a company, an individual, or the general public, but the end result is usually the same. The hacker wins.
Breaking passwords from hashed password files
If all a company’s passwords are cracked at once, it’s usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.
A hash scrambles a password one way, so it cannot be unscrambled again. To check whether a password is valid, the login system hashes the password the user enters and compares the result to the hash already on file. Even so, these hashed files, including salted ones, are no longer very secure.
Attackers who get their hands on a hashed password file use something called “rainbow tables” to decipher the hashes using simple searches. They can also buy special-built hardware designed for password cracking, rent space from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.
Attackers who aren’t password-cracking experts themselves can outsource. “I can rent these services for a couple of hours, couple of days, or a couple of weeks — and usually that comes with support, as well,” Contos says. “You see a lot of specialization in this space.”
As a result, the time it takes to break hashed passwords, even ones previously thought of as secure, is no longer measured in millions of years. “Based on my experience of how people create passwords, you’ll usually crack 80 to 90 percent in less than 24 hours,” he says. “Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks.”
This is especially true of any password that is created by humans, instead of randomly generated by computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it’s no replacement for strong MFA.
Stolen hash files are particularly vulnerable because all the work is done on the attacker’s computer. There’s no need to send a trial password to a website or application to see if it works.
“We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms,” says Justin Angel, security researcher at Coalfire Labs. “It isn’t uncommon for us to recover thousands of passwords overnight using this approach.”
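The hashing scheme the section describes, written out as an added defender-side example (not code from the article or from any of the vendors quoted). It stores each password under a random per-user salt with a deliberately slow key-derivation function and verifies with a constant-time comparison, and it shows, next to that, why an unsalted fast hash is exactly what a precomputed table or a GPU rig is built for: two users with the same password get the same digest. The iteration count is an assumed value for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumed values for illustration; tune the
# iteration count to your hardware and raise it over time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt_b64>$<hash_b64>.

    A fresh random salt is drawn per call, so identical passwords produce
    different records and a table precomputed for one salt is useless for another.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and work factor; compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def unsalted_fast_hash(password: str) -> str:
    """The weak pattern the article warns about: fast, unsalted, and identical
    for every user who picked the same password. Shown for contrast only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
    print("same password, two salted records differ:",
          hash_password("hunter2") != hash_password("hunter2"))
    print("same password, unsalted digests collide:",
          unsalted_fast_hash("hunter2") == unsalted_fast_hash("hunter2"))
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login; `hmac.compare_digest` keeps the verification from leaking how many bytes matched.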
Botnets enable mass-market attacks
For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use.
According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. “Past breaches of companies like Yahoo have created massive databases that criminals can use,” he says.
Often, those passwords stay valid for a long time. “Even post-breach, many users will not change their already breached password,” says Roman Blachman, CTO at Preempt Security.
Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lock-outs, or other security measures. So, they start with a giant list of known email addresses and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. “They try logging into every single one of the email addresses with the most common password,” he says. “So each account only gets one failure.”
They wait a couple of days and then try each of those email addresses with the next most common password. “They can use their botnet of a million compromised computers, so the target website doesn’t see all the attempts coming in from a single source, either,” he added.
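The pattern Cottrell describes is why per-account lockout alone misses this attack: every account fails only once. A detector has to look across accounts instead. Below is an added example (not the article's code or any vendor's product) that buckets failed logins into fixed time windows and flags a window where many distinct accounts each fail once or twice, separately from the classic single-account burst that lockouts already catch. The log format, field names, and thresholds are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 UTC> auth=OK|FAIL user=<account> src=<address>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
EPOCH = datetime(1970, 1, 1)

# Constructed sample log (not from the article): six accounts each fail exactly
# once from six different addresses within a few minutes (spray), and later one
# account fails four times from one address (brute force). One success is mixed in.
SAMPLE_LOG = """\
2017-10-20T03:00:01Z auth=FAIL user=alice@example.com src=198.51.100.11
2017-10-20T03:00:40Z auth=FAIL user=bob@example.com src=203.0.113.5
2017-10-20T03:01:15Z auth=OK user=carol@example.com src=192.0.2.9
2017-10-20T03:01:52Z auth=FAIL user=dave@example.com src=198.51.100.42
2017-10-20T03:02:30Z auth=FAIL user=erin@example.com src=203.0.113.77
2017-10-20T03:03:08Z auth=FAIL user=frank@example.com src=192.0.2.150
2017-10-20T03:04:44Z auth=FAIL user=grace@example.com src=198.51.100.200
2017-10-20T05:10:00Z auth=FAIL user=bob@example.com src=203.0.113.5
2017-10-20T05:10:03Z auth=FAIL user=bob@example.com src=203.0.113.5
2017-10-20T05:10:06Z auth=FAIL user=bob@example.com src=203.0.113.5
2017-10-20T05:10:09Z auth=FAIL user=bob@example.com src=203.0.113.5
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def detect_auth_anomalies(log_text, window=timedelta(minutes=10),
                          spray_min_accounts=5, spray_max_per_account=2,
                          brute_min_failures=3):
    """Flag two shapes of failed-login activity per window.

    spray:       many distinct accounts failing, none of them more than a couple
                 of times (the one-guess-per-account pattern from the article).
    brute_force: one account failing repeatedly (what lockouts already catch).
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            buckets[bucket_start(ev["ts"], window)].append(ev)

    alerts = []
    for start in sorted(buckets):
        events = buckets[start]
        per_user = Counter(e["user"] for e in events)
        sources = {e["src"] for e in events}
        if len(per_user) >= spray_min_accounts and max(per_user.values()) <= spray_max_per_account:
            alerts.append({"kind": "spray", "window_start": start,
                           "accounts": len(per_user), "sources": len(sources)})
        for user, n in per_user.items():
            if n >= brute_min_failures:
                alerts.append({"kind": "brute_force", "window_start": start,
                               "user": user, "failures": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_LOG):
        print(alert)
```

The `sources` count in a spray alert is the signal that the attempts are coming from a botnet rather than one address; a rule keyed on source address alone would never fire on it. The windows here are fixed buckets for simplicity; a production detector would use a sliding window so a spray straddling a boundary is not split in two.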
The industry is beginning to address the problem. The use of third-party authentication services like LinkedIn, Facebook, or Google helps reduce the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well as with financial services sites and major retailers.
Standards setting bodies are stepping up, as well, says James Bettke, security researcher at SecureWorks. In June, NIST released a set of updated Digital Identity Guidelines that specifically address the issue. “It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords,” he says. “Password fatigue causes users to reuse passwords and recycle predictable patterns.”
The FIDO alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. “Static passwords are not safe nor are they secure,” he says.
In addition to the standards, there are also new “frictionless” technologies such as behavioral biometrics and facial recognition that can help improve security on consumer websites and mobile apps.
Is your password already stolen?
To target an individual, attackers check if that user’s credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. “The LinkedIn breach a few years back is a good example,” says Gary Weiss, senior vice president and general manager for security, analytics, and discovery at OpenText Corp. “Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media.”
The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That’s too many passwords to remember, so most people use just one or two passwords, with some simple variations. That’s a problem.
“There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected,” says Emmanuel Schalit, CEO at Dashlane Inc. “This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.” (You can see if your password-protected accounts have been compromised at have I been pwned?.)
Once any one site is hacked and that password stolen, it can be leveraged to access other accounts. If the hackers can get into their user’s email account, they will use that to reset the user’s password everywhere else. “You might have a very good password on your bank or investment account, but if your gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you,” Cottrell says. “There’s a number of high profile people who have been taken down by password reset attacks.”
If they find a site or an internal enterprise application that doesn’t limit login attempts, they will also try to brute-force the password by using lists of common passwords, dictionary lookup tables, and password cracking tools like John the Ripper, Hashcat, or Mimikatz.
Commercial services are available in the criminal underground that use more sophisticated algorithms to crack passwords. These services have been greatly helped by the continued leaks of password files, says Abbas Haider Ali, CTO at xMatters, Inc.
Anything a human being can think of — replacing letters with symbols, using tricky abbreviations or keyboard patterns or unusual names from science fiction novels — someone else has already thought of. “It doesn’t matter how smart you are, human-generated passwords are completely pointless,” he says.
The password-cracker apps and tools have become very sophisticated over the years, says Ntrepid’s Cottrell. “But humans haven’t gotten much better at picking passwords,” he says.
For a high-value target, the attackers will also research them to find information that can help them answer security recovery questions. User accounts are typically just email addresses, he added, and corporate email addresses in particular are very easy to guess because they are standardized.
How to check the strength of your password
Most websites do a very poor job of telling users whether their chosen password is strong or not. They are usually several years out of date, and look for things like a length of at least eight characters, a mix of upper- and lowercase letters, and symbols and numbers.
Third-party sites will gauge the strength of your password, but users should be careful about which sites they use. “The worst thing in the world to do is go to a random website and type in a password to have it test it,” says Cottrell.
But if you’re curious about how long a password would take to crack, one website you can try is Dashlane’s HowSecureIsMyPassword.net. Another site that measures password strength, checking for dictionary words, leet-speak, and common patterns, is the Entropy Testing Meter by software engineer Aaron Toponce. He recommends choosing a password with at least 70 bits of entropy. Again, he recommends not typing your actual passwords into the site.
For most users — and for the websites and applications they log into — this creates a problem. How are users expected to come up with a unique password for each site that is long enough to be secure, change it every three months, and still remember all of them?
“A rule of thumb is, if you can remember it, it isn’t a good password,” says Cottrell. “Certainly, if you can remember more than one or two of them, it isn’t a good password — it’s always a couple of words and the name of the website.”
Instead, he says, use a randomly generated password of the longest length the website allows and store them using a secure password management system. “I have more than 1,000 passwords in my password vault, and they’re almost all over 20 characters,” he says.
Then, for the master password for the vault, he uses a long passphrase. “It should not be a quote, or something from any book, but still memorable to you,” he says. “My recommendation for memorability is that it should be extraordinarily obscene — which also makes it less likely that you’ll go and tell anyone. If you’ve got a 30-character phrase, that’s effectively impossible to brute force. The combinatorics just explode.”
For individual passwords for websites or applications, 20 characters is a reasonable length, according to Cyril Leclerc, Dashlane’s head of security — but only if they’re random. “Crackers will be able to crack a human-generated password of 20 characters,” he says, “but not for a randomly generated password. Even if someone had computers from the future with unlimited power, the hacker would potentially only be able to crack a single password, and only after spending an astronomical amount of time on the task.”
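The numbers in these last paragraphs (Toponce's 70-bit threshold, Cottrell's longest-length-the-site-allows vault entries, Leclerc's 20 random characters) all come from one calculation: a password chosen uniformly from an alphabet of N symbols has log2(N) bits of entropy per symbol. The added example below (not from the article or from Dashlane) generates passwords and passphrases with a cryptographic random source and reports their entropy, and it goes one step further than the text by computing the shortest length that clears a chosen threshold for a given alphabet. The word list is a constructed stand-in; the 7776-word figure used for comparison is the size of a standard Diceware list.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols (space excluded).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list for the demo; a real list such as Diceware has 7776 words.
TOY_WORDS = ["anchor", "basalt", "cobalt", "dune", "ember", "fjord", "gable", "heron"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret of `length` symbols drawn uniformly from `alphabet_size` choices."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size: int, threshold_bits: float = 70.0) -> int:
    """Smallest length whose uniform-random entropy reaches the threshold."""
    return math.ceil(threshold_bits / math.log2(alphabet_size))


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password using the OS CSPRNG (never `random.choice`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=TOY_WORDS, count: int = 6, sep: str = "-") -> str:
    """Random passphrase; its entropy is count * log2(len(words)), regardless of word length."""
    return sep.join(secrets.choice(words) for _ in range(count))


def meets_threshold(alphabet_size: int, length: int, threshold_bits: float = 70.0) -> bool:
    return entropy_bits(alphabet_size, length) >= threshold_bits


if __name__ == "__main__":
    pw = random_password()
    print("random 20-char password:", pw, "->", round(entropy_bits(len(PRINTABLE), 20), 1), "bits")
    print("shortest printable-ASCII length for 70 bits:", min_length_for(len(PRINTABLE)))
    print("shortest lowercase-only length for 70 bits:", min_length_for(26))
    print("6 words from a 7776-word list:", round(entropy_bits(7776, 6), 1), "bits")
    pp = random_passphrase()
    print("toy passphrase:", pp, "->", round(entropy_bits(len(TOY_WORDS), 6), 1),
          "bits (the toy list is far too small to be safe)")
```

Two things the output makes concrete: a human-chosen 20-character password does not get these numbers, because the calculation assumes every symbol is chosen uniformly, which is exactly what Leclerc says crackers exploit; and a passphrase's strength depends on the size of the list it was drawn from, not on how long the words are, which is why the toy eight-word list scores only a few bits per word.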
The post How #hackers crack #passwords and why you can’t #stop them appeared first on National Cyber Security Ventures.
Most (54%) cybersecurity professionals believe the threat landscape is evolving faster than they can respond, with a lack of preparation and strategic thinking endemic, according to RedSeal.
The network resilience vendor polled 600 IT and security decision makers in the UK and US to compile its RedSeal Resilience Report 2017.
It revealed that most respondents feel they are under-resourced (54%), can’t react quickly enough when an incident strikes (55%) and can’t access insight to prioritize incident response (79%).
Just 20% said they’re extremely confident their organization will be able to function as normal in the event of a breach or attack.
What’s more, there seems to be a dangerous disconnect between perceived strengths and reality.
Some 40% of respondents claimed ‘detection’ is their strongest capability, stating it takes an average of just six hours to spot an incident.
However, this flies in the face of many other industry reports, compiled by the likes of Mandiant (99 days) and Trustwave (49 days).
RedSeal also claimed that only a quarter of respondents test their cybersecurity incident response annually, with many saying it’s too resource intensive (29%), outside their budget (27%) or takes too long (26%).
“Their data networks are dynamic. This dynamic nature creates a risk,” RedSeal CEO Ray Rothrock told Infosecurity.
“Given that they report in our research that they last created a map of their entire network on average nine months ago, there’s no way to know precisely if their most valuable assets are accessible to bad actors at the present time. The lag in knowing what the network looks like and where data lives is a crucial factor in being ready for the inevitable.”
The report also revealed that compliance rather than strategy is driving IT security planning for the vast majority (97%) of organizations.
“On the cyber front, digital resilience — the ability to contain the bad guys when they’re inside your network, and protect high value assets like customer data and content from exfiltration — will protect your networks and your vital financial assets,” concluded Rothrock.
“So, it’s important to know your network inside out. Know what is important to your business and your customers, where it is, and make sure it’s secure. Operational resilience means not only being ready, but having a plan and procedures and then rehearsing that action plan.”
The post Cybersecurity #Pros Can’t Keep #Pace with #Threat #Landscape appeared first on National Cyber Security Ventures.
As a bona fide cryptocurrency skeptic, I’m of two minds on Bitcoin and other cryptos. One, I don’t think we know enough about them to invest in them as if they were stocks and bonds. The transparency isn’t there.
But I also think that the tide of technology and investors isn’t going to be stopped any time soon.
Regulators, of course, are concerned about cryptos. Vehicles are started up every day to invest and speculate in them. According to the Financial Times, the U.K.’s Financial Conduct Authority is eyeing new trading platforms that allow you to bet on crypto movements with as much as 30:1 leverage on derivative contracts linked to Bitcoin.
Where is this all going? As Bitcoin prices blow past $6,000 a share, millions of investors want a piece of the action. Yet there are far too many questions to answer before cryptos become mainstream investments.
In an insightful piece by Karen Webster of pymnts.com, she poses the kinds of questions all investors should be asking:
— Will Bitcoin Actually Replace Traditional Currencies? “No one believes in the merits of a global cryptocurrency, except bitcoin zealots.
The notion that central banks will give up monetary control of their fiat currencies for a global cryptocurrency, especially bitcoin, is just not happening, so we should stop talking about it. Even economists who never agree on anything, agree on that.
Besides, a currency that swings between $1,000 and $5,000 over the course of two years, and between $3,000 and $5,000 in the course of a few weeks, isn’t exactly a good basis for operating a strong and stable foundation for a global financial system.”
— Is Bitcoin A Legitimate Exchange Of Value? “Bitcoin has only two proven use cases after eight years: criminal activity and speculation.
I honestly don’t understand why this continues to be dismissed in the face of mountains of evidence to the contrary. In the eight years since bitcoin has been a currency, transaction volume in the support of legitimate commerce is virtually nil.”
— Is Bitcoin Really Free? “Bitcoin is anything but free. Miners now expect a fee for their work and won’t process transactions for which they are not paid.
That means that those costs are passed down the ecosystem to end users. There’s no such thing as a free lunch, even in the land of bitcoin.”
— Is Bitcoin Immune From Hacking And Fraud? “The rising value of bitcoin has made exchanges prime targets for hacking, and thus has made hacks there quite lucrative.
The Mt. Gox hack netted $500 million, Bitfinex $72 million, Bitcoinica $460,000, Bitfloor $250,000 and Bitstamp $5.2 million. South Korea’s Bithumb hack last summer — the exchange that serves 75 percent of the South Korean market for bitcoin — resulted in tens of millions of dollars lost for the 30,000 customers affected. Even the wallets that store bitcoin are vulnerable.
The FBI reports that some $28 million in losses were reported to them in 2016, triple what they saw in 2015. But that’s only what’s reported.
It’s hard to imagine a money launderer or terrorist emailing the FBI to let them know they were hacked and lost money. That means that no one actually knows how much money has been lost to hacking, but the anonymity and irrevocability associated with bitcoin transactions means that the money lost is also irrecoverable.”
— Is It Too Soon For Crypto Derivatives And Margin Trading? With futures contracts on T-bills and corn, you know exactly what you’re buying. The markets are backed up by regulated exchanges that have been around for 100 years or more.
But with Bitcoin, are you buying bits of computer code or somebody’s wildly irrational idea of what those bits and bytes are worth?
“There’s a lot of interest from active traders and investors,” Claus Nielsen, head of markets at Denmark’s Saxo Bank, which has no immediate plans to offer crypto-CFDs, told The Financial Times.
“But this is not a liquid trading product yet. It’s premature, and not professional, to offer margin trading on cryptocurrencies to the retail segment yet.”
It was only two months ago that the WannaCry ransomware attack hit global computers, creating headlines that warned everyone to update their computers and avoid risky online behaviour. Anyone, and that included companies, who failed to do so was at risk of losing any data stored on their computers. Panic…
Justice Dept. officials say that details of a hacking tool used to access a terrorist’s iPhone should not be released because it may still be “useful” to federal investigators. The government is fighting a case against three news organizations, including …
The post FBI says it can’t release iPhone hacking tool because it might still be useful appeared first on National Cyber Security Ventures.
The post Official: Ky. schools can’t use Aikido to restrain students – Education Week appeared first on Parent Security Online.