Browsing by tag: Stop
How #hackers crack #passwords and why you can’t #stop them

Source: National Cyber Security – Produced By Gregory Evans

Experts agree that it’s long past time for companies to stop relying on traditional passwords. They should switch to more secure access methods like multi-factor authentication (MFA), biometrics, and single sign-on (SSO) systems. According to the 2017 Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords.

First, let’s talk about password hacking techniques. The story is different when the target is a company, an individual, or the general public, but the end result is usually the same. The hacker wins.

Breaking passwords from hashed password files

If all a company’s passwords are cracked at once, it’s usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.

Hashing is one-way: a hash cannot be unscrambled back into the password. To check a login, the system hashes whatever the user typed and compares the result with the hash on file, so the plaintext never has to be recovered. That is exactly why stolen hash files fall so easily. The attacker does not reverse anything either; he hashes guesses and compares, and against a fast, general-purpose hash such as MD5, SHA-1 or NTLM a single GPU tests billions of guesses a second. Salting does not change that arithmetic, which is why hashed files, salted ones included, no longer protect the weak passwords most people choose.

If the stolen file is unsalted, attackers can skip the hashing altogether and use precomputed “rainbow tables,” recovering each hash with a simple lookup. A per-user salt defeats those tables, but it only forces the attacker to guess against each hash separately; what actually slows him down is a deliberately expensive password hash such as bcrypt, scrypt or Argon2, which cuts the guess rate by orders of magnitude. For the raw computation, attackers can buy purpose-built password-cracking hardware, rent GPU instances from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.

Attackers who aren’t password-cracking experts themselves can outsource. “I can rent these services for a couple of hours, couple of days, or a couple of weeks — and usually that comes with support, as well,” Contos says. “You see a lot of specialization in this space.”

As a result, the time it takes to break hashed passwords, even ones previously thought of as secure, is no longer measured in millions of years. “Based on my experience of how people create passwords, you’ll usually crack 80 to 90 percent in less than 24 hours,” he says. “Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks.”

This is especially true of any password that is created by humans, instead of randomly generated by computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it’s no replacement for strong MFA.

Stolen hash files are particularly vulnerable because all the work is done on the attacker’s computer. There’s no need to send a trial password to a website or application to see if it works.

“We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms,” says Justin Angel, security researcher at Coalfire Labs. “It isn’t uncommon for us to recover thousands of passwords overnight using this approach.”
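The mechanics described in this section, as an added example that is not part of the original article: a small Python script (standard library only) that builds a constructed three-user password file three ways, unsalted SHA-1, salted SHA-1 and salted PBKDF2, and runs a constructed six-entry “most common passwords” list against each. The wordlist, the account names and passwords, and the PBKDF2 round count are assumptions for illustration; the random password given to the third user is there to show what the wordlist does not find.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for the "most common passwords" lists
# crackers try first; real ones (rockyou.txt and friends) run to millions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2017!", "dragon"]

# Constructed accounts: two human-chosen passwords and one random one.
USERS = {"alice": "Summer2017!", "bob": "letmein", "carol": "Kq7#vR9!pL2wX"}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the slow hash


def unsalted_sha1(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def salted_sha1(pw: str, salt: bytes) -> str:
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def pbkdf2(pw: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> str:
    # A deliberately slow, salted hash; bcrypt/scrypt/Argon2 serve the same purpose.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def verify(stored: str, candidate: str, salt: bytes) -> bool:
    """What the login system does: hash the attempt and compare, never reverse."""
    return hmac.compare_digest(stored, pbkdf2(candidate, salt))


def make_unsalted_file() -> dict:
    return {u: unsalted_sha1(p) for u, p in USERS.items()}


def make_salted_file(hash_fn) -> dict:
    out = {}
    for u, p in USERS.items():
        salt = os.urandom(16)  # unique per user
        out[u] = (salt, hash_fn(p, salt))
    return out


def rainbow_like_table(words) -> dict:
    """Precompute hash -> plaintext once; reusable against every unsalted file."""
    return {unsalted_sha1(w): w for w in words}


def crack_unsalted(hash_file: dict, table: dict) -> dict:
    # One dictionary lookup per stored hash; no hashing at crack time at all.
    return {u: table[h] for u, h in hash_file.items() if h in table}


def crack_salted(hash_file: dict, words, hash_fn) -> tuple:
    """Salt kills the precomputed table, so every hash gets its own guessing loop.
    Returns (recovered, number_of_hash_computations)."""
    found, work = {}, 0
    for u, (salt, h) in hash_file.items():
        for w in words:
            work += 1
            if hmac.compare_digest(hash_fn(w, salt), h):
                found[u] = w
                break
    return found, work


def cost_ratio(n: int = 5) -> float:
    """How much more each guess costs against PBKDF2 than against plain SHA-1."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(n):
        salted_sha1(str(i), salt)
    fast = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for i in range(n):
        pbkdf2(str(i), salt)
    return (time.perf_counter() - t0) / fast


if __name__ == "__main__":
    table = rainbow_like_table(WORDLIST)
    print("unsalted, table lookup:", crack_unsalted(make_unsalted_file(), table))
    found, work = crack_salted(make_salted_file(salted_sha1), WORDLIST, salted_sha1)
    print("salted SHA-1:", found, "after", work, "hashes")
    found, work = crack_salted(make_salted_file(pbkdf2), WORDLIST, pbkdf2)
    print("salted PBKDF2:", found, "after", work, "hashes, each ~%.0fx slower" % cost_ratio())
```

The salted runs recover exactly the same two accounts as the table lookup and need the same fifteen guesses; the salt changed nothing about which passwords fall. What changes with PBKDF2 is the price of each guess, and that price, multiplied across a real wordlist and rule set, is the only lever the defender has once the file is gone.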

Botnets enable mass-market attacks

For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites (now called credential stuffing) and lists of passwords that people commonly use (password spraying).

According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. “Past breaches of companies like Yahoo have created massive databases that criminals can use,” he says.

Often, those passwords stay valid for a long time. “Even post-breach, many users will not change their already breached password,” says Roman Blachman, CTO at Preempt Security.

Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lock-outs, or other security measures. So they start with a giant list of known email addresses and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. “They try logging into every single one of the email addresses with the most common password,” he says. “So each account only gets one failure.”

They wait a couple of days and then try each of those email addresses with the next most common password. “They can use their botnet of a million compromised computers, so the target website doesn’t see all the attempts coming in from a single source, either,” he adds. Both controls the site is relying on, the per-account failure counter and the per-source rate limit, stay below threshold; the attack is only visible when failures are counted across accounts.
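The spraying pattern Cottrell describes, as an added detection example that is not from the article: a Python script run over a constructed authentication log (the log format, account names and addresses are invented for the example). It shows why a per-account failure counter never fires against a spray and what a cross-account check looks like instead.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (format assumed for this example): eight accounts
# each fail once from a different source inside three minutes, then one real user
# fat-fingers a password twice before getting in.
SAMPLE_LOG = """\
2017-10-02 09:00:01 FAIL user=alice src=203.0.113.10
2017-10-02 09:00:14 FAIL user=bob src=198.51.100.7
2017-10-02 09:00:29 FAIL user=carol src=192.0.2.45
2017-10-02 09:00:43 OK user=dave src=10.1.1.5
2017-10-02 09:01:02 FAIL user=erin src=203.0.113.88
2017-10-02 09:01:17 FAIL user=frank src=198.51.100.200
2017-10-02 09:01:33 FAIL user=grace src=192.0.2.9
2017-10-02 09:01:50 FAIL user=heidi src=203.0.113.3
2017-10-02 09:02:05 FAIL user=ivan src=198.51.100.77
2017-10-02 09:30:10 FAIL user=dave src=10.1.1.5
2017-10-02 09:30:25 FAIL user=dave src=10.1.1.5
2017-10-02 09:30:41 OK user=dave src=10.1.1.5
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparsable lines are dropped, not guessed at
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def per_account_lockout(events: list, threshold: int = 5) -> dict:
    """The classic control: count failures per account. A spray never trips it."""
    fails = Counter(e["user"] for e in events if not e["ok"])
    return {u: n for u, n in fails.items() if n >= threshold}


def detect_spray(events: list, window: timedelta = timedelta(minutes=10),
                 min_accounts: int = 5, max_per_account: int = 2) -> list:
    """Look across accounts instead of within one: many distinct accounts failing,
    each only once or twice, inside one window is the spray signature."""
    buckets = defaultdict(list)
    for e in events:
        if e["ok"]:
            continue
        midnight = e["ts"].replace(hour=0, minute=0, second=0, microsecond=0)
        start = e["ts"] - ((e["ts"] - midnight) % window)  # fixed-size bucket
        buckets[start].append(e)
    alerts = []
    for start in sorted(buckets):
        fails = buckets[start]
        per_user = Counter(e["user"] for e in fails)
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            alerts.append({
                "window_start": start.strftime("%Y-%m-%d %H:%M"),
                "accounts": len(per_user),
                "sources": len({e["ip"] for e in fails}),
                "failures": len(fails),
            })
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("accounts a 5-strike lockout would catch:", per_account_lockout(events))
    for a in detect_spray(events):
        print("spray suspected:", a)
```

The lockout check returns nothing, because no account failed more than twice; the cross-account check flags the 09:00 window with eight accounts and eight sources for eight failures. The distinct-source count is what separates a botnet spray from one noisy scanner. Because the attacker in the article waits days between passwords, the window has to be sized to a full round of his list, and in production the thresholds should come from a baseline of normal failed-login volume rather than from the constants used here.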

The industry is beginning to address the problem. Logging in through a third-party identity provider such as LinkedIn, Facebook, or Google reduces the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well as with financial services sites and major retailers.

Standards-setting bodies are stepping up, as well, says James Bettke, security researcher at SecureWorks. In June 2017, NIST released its updated Digital Identity Guidelines (Special Publication 800-63-3, with the password rules in 800-63B), which specifically address the issue: the new guidance drops mandatory composition rules and periodic expiry and instead asks verifiers to screen new passwords against lists of known-breached and commonly used values. “It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords,” he says. “Password fatigue causes users to reuse passwords and recycle predictable patterns.”

The FIDO alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. “Static passwords are not safe nor are they secure,” he says.

In addition to the standards, there are also new “frictionless” technologies such as behavioral biometrics and facial recognition that can help improve security on consumer websites and mobile apps.

Is your password already stolen?

To target an individual, attackers check if that user’s credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. “The LinkedIn breach a few years back is a good example,” says Gary Weiss, senior vice president and general manager for security, analytics, and discovery at OpenText Corp. “Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media.”

The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That’s too many passwords to remember, so most people use just one or two passwords, with some simple variations. That’s a problem.

“There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected,” says Emmanuel Schalit, CEO at Dashlane Inc. “This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.” (You can see if your password-protected accounts have been compromised at Have I Been Pwned.)

Once any one site is hacked and that password stolen, it can be leveraged to access other accounts. If the hackers can get into the user’s email account, they will use it to reset the user’s password everywhere else. “You might have a very good password on your bank or investment account, but if your gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you,” Cottrell says. “There’s a number of high profile people who have been taken down by password reset attacks.”

If they find a site or an internal enterprise application that doesn’t limit login attempts, they will also try to brute-force the password online, using lists of common passwords and dictionary lookups. Offline, against stolen hashes, the standard tools are John the Ripper and Hashcat. Mimikatz belongs in a different category: it pulls plaintext credentials and password hashes out of Windows memory rather than cracking them, and an NTLM hash it recovers can often be replayed directly without ever being cracked.

Commercial services are available in the criminal underground that use more sophisticated algorithms to crack passwords. These services have been greatly helped by the continued leaks of password files, says Abbas Haider Ali, CTO at xMatters, Inc.

Anything a human being can think of — replacing letters with symbols, using tricky abbreviations or keyboard patterns or unusual names from science fiction novels — someone else has already thought of. “It doesn’t matter how smart you are, human-generated passwords are completely pointless,” he says.

The password-cracker apps and tools have become very sophisticated over the years, says Ntrepid’s Cottrell. “But humans haven’t gotten much better at picking passwords,” he says.

For a high-value target, attackers will also research the person to find information that helps them answer account-recovery questions. User names are typically just email addresses, he adds, and corporate email addresses in particular are easy to guess because they follow a standard pattern.

How to check the strength of your password

Most websites do a very poor job of telling users whether their chosen password is strong. Their strength meters are usually several years out of date and check only for things like a length of at least eight characters, a mix of upper- and lowercase letters, and symbols and numbers.

Third-party sites will gauge the strength of your password, but users should be careful about which sites they use. “The worst thing in the world to do is go to a random website and type in a password to have it test it,” says Cottrell.

But if you’re curious about how long a password would take to crack, one website you can try is Dashlane’s HowSecureIsMyPassword.net. Another site that measures password strength, checking for dictionary words, leet-speak, and common patterns, is the Entropy Testing Meter by software engineer Aaron Toponce. He recommends choosing a password with at least 70 bits of entropy, and he, too, says not to type your actual passwords into the site.

For most users, and for the websites and applications they log into, this creates a problem. How are users expected to come up with a unique password for each site, long enough to be secure (and, on sites that still demand it, changed every three months), and still remember them all?

“A rule of thumb is, if you can remember it, it isn’t a good password,” says Cottrell. “Certainly, if you can remember more than one or two of them, it isn’t a good password — it’s always a couple of words and the name of the website.”

Instead, he says, use a randomly generated password of the longest length the website allows and store them using a secure password management system. “I have more than 1,000 passwords in my password vault, and they’re almost all over 20 characters,” he says.

Then, for the master password for the vault, he uses a long passphrase. “It should not be a quote, or something from any book, but still memorable to you,” he says. “My recommendation for memorability is that it should be extraordinarily obscene — which also make it less likely that you’ll go and tell anyone. If you’ve got a 30-character phrase, that’s effectively impossible to brute force. The combinatorics just explode.”

For individual passwords for websites or applications, 20 characters is a reasonable length, according to Cyril Leclerc, Dashlane’s head of security — but only if they’re random. “Crackers will be able to crack a human-generated password of 20 characters,” he says, “but not for a randomly generated password. Even if someone had computers from the future with unlimited power, the hacker would potentially only be able to crack a single password, and only after spending an astronomical amount of time on the task.”
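The entropy arithmetic behind Toponce’s 70-bit threshold and the length advice from Cottrell and Leclerc, as an added Python example that is not from the article: it generates passwords with the operating system’s CSPRNG, computes their entropy, and estimates expected cracking time at two assumed guess rates (a multi-GPU rig against a fast unsalted hash, and the same rig against a slow password hash). The guess rates, the 50,000-word dictionary size used for the human pattern, and the 16-word toy list are assumptions for illustration.

```python
import math
import secrets
import string

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII

# Constructed toy wordlist; a real diceware list has 7776 words (12.9 bits each).
TOY_WORDS = ["amber", "basil", "cobalt", "delta", "ember", "fjord", "gamma", "harbor",
             "indigo", "juniper", "kelp", "lumen", "marble", "nickel", "orbit", "pixel"]

# Guess rates are assumptions for illustration: a multi-GPU rig against a fast
# unsalted hash versus the same rig against a deliberately slow hash.
RATE_FAST_HASH = 1e11
RATE_SLOW_HASH = 1e5


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: every symbol is an independent choice."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    # secrets, not random: the latter is predictable from its internal state.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 6, words=TOY_WORDS) -> str:
    return " ".join(secrets.choice(words) for _ in range(n_words))


def pattern_bits(dictionary_size: int = 50_000, digits: int = 4, symbols: int = 32) -> float:
    """Rough entropy of the human favourite 'Word2017!' shape: one dictionary word,
    a few digits, one symbol. A cracker's rule set enumerates exactly this space."""
    return math.log2(dictionary_size * 10 ** digits * symbols)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    # On average half the space is searched before the hit.
    return 2 ** (bits - 1) / guesses_per_second


def human_time(seconds: float) -> str:
    year = 365.25 * 86400
    if seconds >= year:
        return f"{seconds / year:.3g} years"
    if seconds >= 86400:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds:.3g} s"


if __name__ == "__main__":
    rows = (
        ("human 'Word2017!' pattern", pattern_bits()),
        ("8 random chars, 94 symbols", entropy_bits(8, 94)),
        ("20 random chars, 94 symbols", entropy_bits(20, 94)),
        ("6 words, 16-word toy list", entropy_bits(6, len(TOY_WORDS))),
        ("6 words, 7776-word diceware list", entropy_bits(6, 7776)),
    )
    for label, bits in rows:
        fast = human_time(expected_crack_seconds(bits, RATE_FAST_HASH))
        slow = human_time(expected_crack_seconds(bits, RATE_SLOW_HASH))
        print(f"{label:34s} {bits:6.1f} bits   fast hash: {fast:>14s}   slow hash: {slow:>14s}")
    print("example password  :", random_password())
    print("example passphrase:", passphrase())
```

Two things the table makes concrete. The “Word2017!” shape that feels strong to its owner is about 34 bits and falls in well under a second against a fast hash, which is the point Ali and Cottrell make about human-generated passwords. And a passphrase is only as strong as the list it is drawn from: six words from the toy list give 24 bits, six from a 7776-word list give 77, above Toponce’s threshold, and Cottrell’s 30-character obscene phrase is strong only if it is not a quotation a cracker’s corpus already contains.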

The post How #hackers crack #passwords and why you can’t #stop them appeared first on National Cyber Security Ventures.

FIREWALLS DON’T STOP HACKERS. AI MIGHT.

The cybersecurity industry has always had a fortress mentality: Firewall the perimeter! Harden the system! But that mindset has failed—miserably, as each new headline-generating hack reminds us. Even if you do patch all your software, the way Equifax didn’t, or you randomize all your passwords, the way most of us…

The post FIREWALLS DON’T STOP HACKERS. AI MIGHT. appeared first on National Cyber Security Ventures.

Stop treating users as the enemy when it comes to cybersecurity

What are the biggest roadblocks to better cybersecurity? If you look at the major cybersecurity conferences, the usual presentation topics are risk assessment, encryption, zero-day exploits, and insider threats. But there’s no shortage of technical and human challenges to cybersecurity; often these factors are competing against each other for time…

The post Stop treating users as the enemy when it comes to cybersecurity appeared first on National Cyber Security Ventures.

Is cybersecurity enough to stop modern-day hackers?

After a global cyberattack hit millions of computers in more than 150 countries, there’s high demand for cybersecurity, and questions over whether there is any defense against modern hackers. It’s a wake up call for world leaders and security experts – the ransomware attack that seized millions of computers and impacted thousands of companies. In the aftermath of the chaos, …

The post Is cybersecurity enough to stop modern-day hackers? appeared first on National Cyber Security Ventures.

Trucker Personals Becomes Leading Online Dating Stop For Truck Drivers Across The Country

Not that truckers have time for traditional dating. They spend most of their waking hours on the road, and saying that dating is difficult for them would be a huge understatement. …

The post Trucker Personals Becomes Leading Online Dating Stop For Truck Drivers Across The Country appeared first on Become007.com.

Texas officer’s warning to bullies: ‘Stop it or I’ll see you in court’

KAUFMAN, Texas — A Kaufman County constable, disgusted by student bullies, issued a warning to them and their parents on Facebook: Stop it or I’ll see you in court. The constable …

The post Texas officer’s warning to bullies: ‘Stop it or I’ll see you in court’ appeared first on Become007.com.

Kids more likely to stop bullies when parents tell them to

Children are more likely to step in when they see bullying at school if their parents have told them to get involved than if they have been taught it is better to stay out of it, a recent U.S. study suggests.

About one in 10 children are victims of bullying, and many anti-bullying programs focus on getting bystanders to intervene, researchers note in the Journal of Clinical Child and Adolescent Psychology. While earlier research has linked certain parenting practices to higher odds that children will be victims or perpetrators of bullying, less is known about how parents influence what children do as bystanders.

The post Kids more likely to stop bullies when parents tell them to appeared first on Parent Security Online.

Katy ISD didn’t stop teacher sex abuse until parents intervened, lawsuit claims

A lawsuit claims that Katy Independent School District knew about an improper relationship between a teacher and a student and did nothing to intervene until the girl’s parents forced the district to act.

The victim in the case filed the suit via a law firm, claiming “intentional infliction of emotional distress.”

The lawsuit was filed nearly a year after Robert Milton, 42, an art teacher at the school, was arrested after he was accused of having an improper relationship with a female student.

According to court documents, the relationship began while Milton was still employed at the school and before the female student graduated in June 2015.

The post Katy ISD didn’t stop teacher sex abuse until parents intervened, lawsuit claims appeared first on Parent Security Online.

I’m Addicted To Online Dating & I Don’t Know How To Stop

Online dating hasn’t been taboo in at least a decade; in fact, it’s now a necessity if you’re looking for love. It seems like everyone is on either Tinder, Bumble, OkCupid, Plenty of Fish, or eHarmony (or all of the above), including me. While I’ve never actually met anyone online that I ended up dating long-term, that hasn’t stopped me from becoming downright obsessed with looking. 1. I LOVE THE RUSH OF MATCHING WITH SOMEONE NEW. …

The post I’m Addicted To Online Dating & I Don’t Know How To Stop appeared first on Dating Scams 101.

Stop Everything And Watch This Baby Running Off With A Recording Phone

It’s one thing to have your cell phone stolen; it’s another to have it done by a laughing baby.

An endearing YouTube video captured a wobbly-legged bandit leading a frantic, giggle-filled chase while running through a home with the recording phone pointed at the baby’s hysterical face.

At one point the baby stumbles and nearly loses the prized possession before getting back up with a smile and taking off again. Trailing close behind is the baby’s presumed mom who can’t help but laugh along.

The post Stop Everything And Watch This Baby Running Off With A Recording Phone appeared first on Parent Security Online.
