passwords

SEARCH #ENGINE WITH #MILLIONS OF #HACKED DUTCH #PASSWORDS #ONLINE

A search engine showing 1.4 billion of leaked or hacked passwords, including those of some 3.3 million Dutch, is officially online. On Gotcha.pw Dutch people can now check whether their password was stolen by searching for their email address. If there is a leaked password associated with that email address, the site shows the first two characters of the password, NU.nl reports.

You can also search domain names on the site. In this way organizations can see which of their employees’ email addresses and passwords are on the street. Passwords from the National Coordinator for Counter-terrorism and Security, among others, can be found on the site, according to the newspaper. It is not clear whether these are old or current passwords.

The Gotcha.pw site administrator collected these passwords from previous data leaks and bundled them into a search engine. Such search engines have existed for some time. The Dutch police offer a similar service, and people can also use Have I Been Pwned to find out whether their password has been exposed.

The arrival of the Gotcha.pw search engine was announced with great fanfare last week – in a front page story on AD. The search engine was online briefly last Friday, but was taken down again. It initially showed the full hacked password, which is illegal. The administrator therefore adjusted the site to show only the first two letters of each password, according to NU.nl.

The post SEARCH #ENGINE WITH #MILLIONS OF #HACKED DUTCH #PASSWORDS #ONLINE appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

1.4 #billion #hacked #passwords leaked #online, now you’re at #risk

Source: National Cyber Security – Produced By Gregory Evans

Staying protected from cybercriminals is something everyone needs to stay on top of now that we’re living in a digital world. New data breaches, malware and phishing scams are popping up constantly.

Having sensitive information fall into the hands of criminals is the last thing that we need. You definitely don’t want your identity stolen or hackers having access to your bank accounts.

Unfortunately, a massive archive of stolen credentials was recently discovered online that could put you at risk.

Have your credentials been exposed?

Security researchers at 4iQ recently discovered a 41GB archive that contains more than 1.4 billion stolen user credentials. The credentials, including passwords, are unencrypted on the Dark Web.

The database includes email addresses, passwords and usernames. This isn’t actually a new data breach, it’s a collection of information that had been stolen in previous data breaches.

Researchers who discovered the file said, “While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials–the largest aggregate database found in the dark web to date.”

More than 250 previous data breaches contributed to this collection of stolen credentials. The stolen information was well organized, even indexed alphabetically by the criminal who put it together.

Anytime there is a massive data breach, there are steps that you need to take to make sure your information is secure. Keep reading for suggestions.

Change your password

Whenever you hear news of a data breach, it’s a good idea to change your account passwords. This is especially true if you use the same credentials for multiple websites, which is a bad idea.

If your credentials are stolen from a breach, criminals can test them on other sites to log into those accounts as well.

Keep an eye on your bank accounts 

You should already be frequently checking your bank statements, looking for suspicious activity. It’s even more critical when sensitive information has been exposed through a data breach.

If you see anything that seems strange, report it immediately. It’s the best way to keep your financial accounts safe.

Set up two-factor authentication 

Two-factor authentication, also known as two-step verification, means that to log into your account, you need two ways to prove you are who you say you are. This is an extra layer of security that will help keep your accounts safe.

Investigate your email address 

This is a critical step and it will only take a few seconds of your time. You need to find out if your credentials are part of any recent data breach. The best way to find out if you’re impacted is with the Have I Been Pwned website. 

It’s an easy-to-use site with a database of information that hackers and malicious programs have released publicly. It monitors hacker sites and collects new data every five to 10 minutes about the latest breaches. You can even set up alerts to be notified if your email address is impacted in the future.

Beware of phishing scams 

Scammers will try and piggyback on data breaches like this. They will create phishing emails, hoping to get victims to click on malicious links that could lead to more problems. You need to familiarize yourself with what phishing scams look like so you can avoid falling victim to one.

FROM WEBCAMS, SIGN-INS, TO ALEXA, DON’T MAKE THESE MISTAKES

When our PCs work normally, we sometimes take them for granted. We recklessly fill up our hard drives with data, download files, install applications and browse the web as we please. But of course, all it takes is one installation of a malicious application to ruin your PC and worse, have all your information stolen.


Cash #Converters is #HACKED: Cyber #criminals hold UK #customer #credit card numbers, addresses and #passwords to #ransom after major #security breach

Hackers who attacked the now defunct website of second hand goods store Cash Converters may have access to the account details of thousands of customers.

Usernames, passwords, delivery addresses and potentially partial credit card numbers are among the data believed to have been stolen.

The culprits are said to be holding the information to ransom while the firm works with law enforcement authorities to investigate the incident.

It is not known exactly how many customers were impacted in the hack or when it happened.

Cash Converters operates high street stores where customers can trade items like jewellery and electronics for money.

The affected website, which was put out of action in September 2017 and replaced with an updated version, lets people purchase these products online.

As well as cash trade ins, the company offers small financial loans to its customers.

The data breach is only believed to affect customers of the Perth-founded firm who are based in the UK.

In a breach notification email sent to customers, a Cash Converters spokesman said: ‘Please be reassured that, alongside the relevant authorities, we are investigating this as a matter of urgency and priority.

‘We are also actively implementing measures to ensure that this cannot happen again.

‘Although some details relating to the cybersecurity breach remain confidential while Cash Converters works with the relevant authorities, we will continue to provide as much detail as possible as it becomes available.

‘The current webshop site was independently and thoroughly security tested as part of its development process.

‘We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.

‘Our customers truly are at the heart of everything we do and we are both disappointed and saddened that you have been affected.

‘We apologise for this situation.’

Cash Converters reportedly received an email from hackers claiming to have gained access to the data.

They threatened to release the data if they were not paid, which means anyone who used the old site before September 22 could be at risk.

Customers have been advised to change their passwords and the firm has forced a reset for all UK webshop users.

Speaking about the breach, Jon Topper, CEO of UK webhosting firm The Scale Factory, said: ‘When migrating away from old solutions it’s important to bear in mind that old digital assets will still be running and available online until such time as they are fully decommissioned.

‘As a result they should still be treated as ‘live’, which means maintaining a good security posture around them, keeping up with patching and so forth.

‘In their customer notification, Cash Converters were quick to point out that the old site was operated by a third party, possibly intending to deflect responsibility for this breach.

‘This definitely won’t fly under General Data Protection Regulation regulations coming into force next year.

‘Companies running server infrastructure that handles customer data should be engaging with experts to review their security posture ahead of that, in order to avoid being slapped with a large fine.’


How #hackers crack #passwords and why you can’t #stop them

Experts agree that it’s long past time for companies to stop relying on traditional passwords. They should switch to more secure access methods like multi-factor authentication (MFA), biometrics, and single sign-on (SSO) systems. According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords.

First, let’s talk about password hacking techniques. The story is different when the target is a company, an individual, or the general public, but the end result is usually the same. The hacker wins.

Breaking passwords from hashed password files

If all a company’s passwords are cracked at once, it’s usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.

These hashes, including salted hashes, are no longer very secure. Hashes scramble passwords in such a way that they can’t be unscrambled again. To check if a password is valid, the login system scrambles the password a user enters and compares it to the previously hashed password already on file.

Attackers who get their hands on a hashed password file use something called “rainbow tables” to decipher the hashes using simple searches. They can also buy special-built hardware designed for password cracking, rent space from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.
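The two points above, how a login system verifies a password without ever storing it and why a per-password salt defeats a precomputed rainbow table, as an added Python example that is not code from the article or from any of the companies it quotes. PBKDF2-HMAC-SHA256, the record layout and the iteration count are assumptions of this example, not anything the article specifies.

```python
"""Salted, iterated password hashing and verification (added example)."""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed default, tune it for your own hardware.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-derive the digest with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password):
    """A fast, unsalted hash of the kind a precomputed (rainbow) table is built against."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def digests_for_two_users(password, salted, iterations=ITERATIONS):
    """Hash the same password for two users. Unsalted digests collide, so one table
    lookup answers for every user at once; salted digests differ per user."""
    if not salted:
        return unsalted_md5(password), unsalted_md5(password)
    first = hash_password(password, iterations=iterations).split("$")[3]
    second = hash_password(password, iterations=iterations).split("$")[3]
    return first, second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))  # False
    a, b = digests_for_two_users("123456", salted=False)
    print(a == b)  # True: identical, a single precomputed table covers everyone
    a, b = digests_for_two_users("123456", salted=True)
    print(a == b)  # False: the table would have to be rebuilt for each salt
```

The salt does not slow down guessing against a single stolen record; that is what the iteration count is for, and it is the reason the article's "hours, days, or weeks" estimate depends heavily on which hash the file used.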

Attackers who aren’t password-cracking experts themselves can outsource. “I can rent these services for a couple of hours, couple of days, or a couple of weeks — and usually that comes with support, as well,” Contos says. “You see a lot of specialization in this space.”

As a result, the time it takes to break hashed passwords, even ones previously thought of as secure, is no longer millions of years. “Based on my experience of how people create passwords, you’ll usually crack 80 to 90 percent in less than 24 hours,” he says. “Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks.”

This is especially true of any password that is created by humans, instead of randomly generated by computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it’s no replacement for strong MFA.

Stolen hash files are particularly vulnerable because all the work is done on the attacker’s computer. There’s no need to send a trial password to a website or application to see if it works.

“We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms,” says Justin Angel, security researcher at Coalfire Labs. “It isn’t uncommon for us to recover thousands of passwords overnight using this approach.”

Botnets enable mass-market attacks

For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use.

According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. “Past breaches of companies like Yahoo have created massive databases that criminals can use,” he says.

Often, those passwords stay valid for a long time. “Even post-breach, many users will not change their already breached password,” says Roman Blachman, CTO at Preempt Security.

Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lock-outs, or other security measures. So, they start with a giant list of known email addresses and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. “They try logging into every single one of the email addresses with the most common password,” he says. “So each account only gets one failure.”

They wait a couple of days and then try each of those email addresses with the next most common password. “They can use their botnet of a million compromised computers, so the target website doesn’t see all the attempts coming in from a single source, either,” he added.
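The one-password-per-account pattern Cottrell describes slips past per-account lockouts and per-source rate limits, so detection has to look at how failures spread across accounts and sources instead. The following Python is an added example, not code from the article or from any vendor it quotes: it flags an hourly window in which many distinct accounts each fail about once from many different addresses. The log format, the thresholds and every account, address and timestamp are constructed for the example.

```python
"""Flag low-and-slow password spraying in constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def constructed_log():
    """Build sample lines of the form 'timestamp account source_ip outcome'.
    Every account, address and time here is constructed, not real data."""
    lines = []
    nine = datetime(2017, 12, 11, 9, 0, 0)
    # 09:00 hour: 25 accounts, exactly one failure each, every attempt from a different
    # address. A per-account lockout and a per-IP rate limit both see nothing unusual.
    for i in range(25):
        ts = nine + timedelta(seconds=90 * i)
        lines.append(f"{ts.isoformat()} user{i:02d}@example.com 203.0.113.{i + 1} FAIL")
    # 11:00 hour: an ordinary hour with a typo, a successful retry, and one more typo.
    eleven = nine + timedelta(hours=2)
    lines += [
        f"{eleven.isoformat()} user03@example.com 198.51.100.9 FAIL",
        f"{(eleven + timedelta(seconds=20)).isoformat()} user03@example.com 198.51.100.9 OK",
        f"{(eleven + timedelta(minutes=5)).isoformat()} user17@example.com 198.51.100.23 FAIL",
    ]
    # 14:00 hour: 30 failures against one account from one address. That is the classic
    # brute force a lockout rule already catches, not a spray, so it must not be flagged.
    fourteen = nine + timedelta(hours=5)
    for i in range(30):
        ts = fourteen + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} user05@example.com 192.0.2.44 FAIL")
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, account, source_ip, outcome) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, outcome = line.split()
        yield datetime.fromisoformat(ts), account, source, outcome


def detect_spray(text, window=timedelta(hours=1), min_accounts=20,
                 max_fails_per_account=1.5, min_sources=10):
    """Return the windows in which failed logins are spread thinly: many distinct
    accounts, many distinct source addresses, and roughly one failure per account."""
    buckets = defaultdict(lambda: {"fails": 0, "accounts": set(), "sources": set()})
    for ts, account, source, outcome in parse_log(text):
        if outcome != "FAIL":
            continue
        index = int((ts - EPOCH).total_seconds() // window.total_seconds())
        start = EPOCH + index * window  # floor the timestamp to its window
        bucket = buckets[start]
        bucket["fails"] += 1
        bucket["accounts"].add(account)
        bucket["sources"].add(source)

    flagged = []
    for start in sorted(buckets):
        b = buckets[start]
        accounts, sources = len(b["accounts"]), len(b["sources"])
        if (accounts >= min_accounts
                and sources >= min_sources
                and b["fails"] / accounts <= max_fails_per_account):
            flagged.append({"window_start": start.isoformat(), "accounts": accounts,
                            "sources": sources, "fails": b["fails"]})
    return flagged


if __name__ == "__main__":
    for hit in detect_spray(constructed_log()):
        print(hit)  # only the 09:00 window: 25 accounts, 25 sources, 25 failures
```

Because the article's attacker waits days between passwords, the same counters also need to be compared across days: a second hour with the same broad, one-failure-per-account shape is the follow-up round.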

The industry is beginning to address the problem. The use of third-party authentication services like LinkedIn, Facebook, or Google helps reduce the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well as with financial services sites and major retailers.

Standards-setting bodies are stepping up, as well, says James Bettke, security researcher at SecureWorks. In June, NIST released a set of updated Digital Identity Guidelines that specifically address the issue. “It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords,” he says. “Password fatigue causes users to reuse passwords and recycle predictable patterns.”

The FIDO alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. “Static passwords are not safe nor are they secure,” he says.

In addition to the standards, there are also new “frictionless” technologies such as behavioral biometrics and facial recognition that can help improve security on consumer websites and mobile apps.

Is your password already stolen?

To target an individual, attackers check if that user’s credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. “The LinkedIn breach a few years back is a good example,” says Gary Weiss, senior vice president and general manager for security, analytics, and discovery at OpenText Corp. “Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media.”

The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That’s too many passwords to remember, so most people use just one or two passwords, with some simple variations. That’s a problem.

“There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected,” says Emmanuel Schalit, CEO at Dashlane Inc. “This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.” (You can see if your password-protected accounts have been compromised at Have I Been Pwned.)

Once any one site is hacked and that password stolen, it can be leveraged to access other accounts. If the hackers can get into the user’s email account, they will use it to reset the user’s password everywhere else. “You might have a very good password on your bank or investment account, but if your Gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you,” Cottrell says. “There’s a number of high profile people who have been taken down by password reset attacks.”

If they find a site or an internal enterprise application that doesn’t limit login attempts, they will also try to brute-force the password by using lists of common passwords, dictionary lookup tables, and password cracking tools like John the Ripper, Hashcat, or Mimikatz.

Commercial services are available in the criminal underground that use more sophisticated algorithms to crack passwords. These services have been greatly helped by the continued leaks of password files, says Abbas Haider Ali, CTO at xMatters, Inc.

Anything a human being can think of — replacing letters with symbols, using tricky abbreviations or keyboard patterns or unusual names from science fiction novels — someone else has already thought of. “It doesn’t matter how smart you are, human-generated passwords are completely pointless,” he says.

The password-cracker apps and tools have become very sophisticated over the years, says Ntrepid’s Cottrell. “But humans haven’t gotten much better at picking passwords,” he says.

For a high-value target, the attackers will also research them to find information that can help them answer security recovery questions. User accounts are typically just email addresses, he added, and corporate email addresses in particular are very easy to guess because they are standardized.

How to check the strength of your password

Most websites do a very poor job of telling users whether their chosen password is strong or not. They are usually several years out of date, and look for things like a length of at least eight characters, a mix of upper- and lowercase letters, and symbols and numbers.

Third-party sites will gauge the strength of your password, but users should be careful about which sites they use. “The worst thing in the world to do is go to a random website and type in a password to have it test it,” says Cottrell.

But if you’re curious about how long a password would take to crack, one website you can try is Dashlane’s HowSecureIsMyPassword.net. Another site that measures password strength, checking for dictionary words, leet-speak, and common patterns, is the Entropy Testing Meter by software engineer Aaron Toponce. He recommends choosing a password with at least 70 bits of entropy. Again, he recommends not typing your actual passwords into the site.

For most users — and for the websites and applications they log into — this creates a problem. How are users expected to come up with a unique password for each site that is long enough to be secure, change it every three months, and still remember them all?

“A rule of thumb is, if you can remember it, it isn’t a good password,” says Cottrell. “Certainly, if you can remember more than one or two of them, it isn’t a good password — it’s always a couple of words and the name of the website.”

Instead, he says, use a randomly generated password of the longest length the website allows and store them using a secure password management system. “I have more than 1,000 passwords in my password vault, and they’re almost all over 20 characters,” he says.

Then, for the master password for the vault, he uses a long passphrase. “It should not be a quote, or something from any book, but still memorable to you,” he says. “My recommendation for memorability is that it should be extraordinarily obscene — which also make it less likely that you’ll go and tell anyone. If you’ve got a 30-character phrase, that’s effectively impossible to brute force. The combinatorics just explode.”

For individual passwords for websites or applications, 20 characters is a reasonable length, according to Cyril Leclerc, Dashlane’s head of security — but only if they’re random. “Crackers will be able to crack a human-generated password of 20 characters,” he says, “but not for a randomly generated password. Even if someone had computers from the future with unlimited power, the hacker would potentially only be able to crack a single password, and only after spending an astronomical amount of time on the task.”


Hackers could gain access to passwords through USB sticks, cyber experts warn

Using a USB stick that’s been left lying around is something many, if not most, of us have done — probably without thinking twice about it. But cybersecurity experts are warning against the practice after showing hackers can access personal information through malicious USB sticks which then transmit that information…


Problem Passwords And Burgeoning Biometrics

Over the last 20 years identity has gone through a lot of change. Paper processes have evolved to electronic data, and consequently, paper documents are used less often in the verification process people have to go through when interacting with regulation and authority. This change has stemmed from organisations like…


Elaborate computer passwords don’t keep hackers away; Guideline creator says

Think your password is safe with all those special characters and symbols? You might want to think again. The man responsible for creating password security guidelines has gone back on his word. We do it all day every day; logging onto our computers, emails, apps, racking our brains to remember…


Study finds hackers could use brainwaves to steal passwords

Researchers at the University of Alabama at Birmingham suggest that brainwave-sensing headsets, also known as EEG or electroencephalograph headsets, need better security after a study reveals hackers could guess a user’s passwords by monitoring their brainwaves. EEG headsets are advertised as allowing users to use only their brains to control…


Ever re-use your passwords? You’re a hacker’s dream

With so much of life lived online, it can be hard to remember passwords for every app and platform you’re on, but re-using them is putting people at an ever-increasing risk of being hacked. The recent data breach of food and restaurant search engine Zomato saw hackers steal 17 million…


Passwords at centre of latest cyber security campaign

A new cyber security campaign has been launched to help improve the ‘password hygiene’ of the Brock community.

Brock ITS Services is reminding people to change their passwords regularly and to make them strong by including numbers, symbols and characters.

In order to keep information protected, passwords should never be shared or made visible.

Tips from ITS:

Pick a strong password that is difficult to guess and contains a mixture of letters, numbers and special characters. One method is to pick a memorable sentence to convert into a password. For instance, “The best university in the world is Brock University!” could be used as “TbuinwiBU!” by using the first letter of each word. An entire sentence can also be used with special characters in a pattern. For example, “My cat has furry feet” could be used as “My, cat,has,furry,feet!”
Use different passwords for different services.
Do not share your passwords or make them visible to anyone.
Change your password every four months.
Use a password management program or service.
