Robocalls are an annoying epidemic for both consumers and businesses. The Federal Communications Commission (FCC) cracked down on the scam callers, and creative, tech-savvy individuals are coming up with ways to block […]
From what used to be a purely technical concept created to make developers’ lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere – at homes and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing about the Internet of Things.
When dealing with APIs, security should not be an afterthought
In a world where digital information is one of the “crown jewels” of many modern businesses (and even the primary source of revenue for some), APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring or a multitude of other purposes.
As often happens in such scenarios, security quickly becomes an afterthought at best or, even worse, is seen as a nuisance and an obstacle on the road to success. The success of an API is measured by its adoption, and security mechanisms are seen as friction that limits this adoption. There are also several common misconceptions around the very notion of API security, notably the idea that existing security products like web application firewalls are perfectly capable of addressing API-related risks.
An integrated API security strategy is indispensable
Creating a well-planned strategy and reliable infrastructure to expose their business functionality securely to be consumed by partners, customers, and developers is a significant challenge that has to be addressed not just at the gateway level, but along the whole information chain from backend systems to endpoint applications. It is therefore obvious that point solutions addressing specific links in this chain are not viable in the long term.
Only by combining proactive application security measures for developers with continuous activity monitoring and deep API-specific threat analysis for operations teams, and smart, risk-based and actionable automation for security analysts, can one ensure consistent management, governance and security of corporate APIs and thus the continuity of the business processes depending on them.
Security challenges often remain underestimated
We have long recognized the API Economy as one of the most important current IT trends. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting the lightweight RESTful APIs that are commonly used today.
Unfortunately, many organizations tend to underestimate potential security challenges of opening up their APIs without a security strategy and infrastructure in place. Such popular emerging technologies as the Internet of Things or Software Defined Computing Infrastructure (SDCI), which rely significantly on API ecosystems, are also bringing new security challenges with them. New distributed application architectures like those based on microservices, are introducing their own share of technical and business problems as well.
KuppingerCole’s analysis is primarily looking at integrated API management platforms, but with a strong focus on security features either embedded directly into these solutions or provided by specialized third party tools closely integrated with them.
The API market has changed dramatically within just a few years
When we started following the API security market over 5 years ago, the industry was still in a rather early emerging stage, with most large vendors focusing primarily on operational capabilities, with very rudimentary threat protection functions built into API management platforms and dedicated API security solutions almost non-existent. In just a few years, the market has changed dramatically.
On one hand, the core API management capabilities are quickly becoming almost a commodity, with, for example, every cloud service provider offering at least some basic API gateway functionality built into their cloud platforms, utilizing their native identity management, monitoring, and analytics capabilities. Enterprise-focused API management vendors are therefore looking into expanding the coverage of their solutions to address new business, security or compliance challenges. Some more future-minded vendors no longer even consider API management a separate discipline within IT and offer their existing tools as part of larger enterprise integration platforms.
On the other hand, the growing awareness of the general public about API security challenges has dramatically increased the demand for specialized tools for securing existing APIs. This has led to the emergence of numerous security-focused startups, offering their innovative solutions, usually within a single area of the API security discipline.
Despite consolidation, there is no “one stop shop” for API security yet
Unfortunately, the field of API security is very broad and complicated, and very few (if any) vendors are currently capable of delivering a comprehensive security solution that could cover all required functional areas. Although the market is already showing signs of undergoing consolidation, with larger vendors acquiring these startups and incorporating their technologies into existing products, expecting to find a “one stop shop” for API security is still a bit premature.
Although the current state of API management and security market is radically different from the situation just a few years ago, and the overall developments are extremely positive, indicating growing demand for more universal and convenient tools and increasing quality of available solutions, it is yet to reach anything resembling the stage of maturity. Thus, it’s even more important for companies developing their API strategies to be aware of the current developments and to look for solutions that implement the required capabilities and integrate well with other existing tools and processes.
A hybrid deployment model is the only flexible and future-proof security option
Since most API management solutions are expected to provide management and protection for APIs regardless of where they are deployed – on-premises, in any cloud or within containerized or serverless environments – the very notion of the delivery model becomes complicated.
Most API management platforms are designed to be loosely coupled, flexible, scalable and environment-agnostic, with a goal to provide consistent functional coverage for all types of APIs and other services. While the gateway-based deployment model remains the most widespread, with API gateways deployed either closer to existing backends or to API consumers, modern application architectures may require alternative deployment scenarios like service meshes for microservices.
Dedicated API security solutions that rely on real-time monitoring and analytics may be deployed either in-line, intercepting API traffic or rely on out-of-band communications with API management platforms. However, management consoles, developer portals, analytics platforms and many other components are usually deployed in the cloud to enable a single pane of glass view across heterogeneous deployments. A growing number of additional capabilities are now being offered as Software-as-a-Service with consumption-based licensing.
In short, for a comprehensive API management and security architecture a hybrid deployment model is the only flexible and future-proof option. Still, for highly sensitive or regulated environments customers may opt for a fully on-premises deployment.
In our upcoming Leadership Compass on API Management and Security, we evaluate products according to multiple key functional areas of API management and security solutions. These include API Lifecycle Management core capabilities, flexibility of Deployment and Integration, developer engagement with Developer Portal and Tools, strength and flexibility of Identity and Access Control, API Vulnerability Management for proactive hardening of APIs, Real-time Security Intelligence for detecting ongoing attacks, Integrity and Threat Protection means for securing the data processed by APIs, and, last but not least, each solution’s Scalability and Performance.
Alexei Balaganski is lead analyst at KuppingerCole. Read more KuppingerCole blogs here.
Hacking should be taught in schools ‘like sport’ to stop children becoming criminals, says Lauri Love
Hacking and other cybersecurity skills should be taught in schools in a similar way to sports, said alleged hacker Lauri Love.
The activist, who won a legal battle in 2018 to block his extradition to the US over allegations that he hacked into computer networks including NASA, the Federal Reserve and the US Army, said schools in the UK need to be more sophisticated in the way they teach technical skills to students.
“We need to treat this a bit like we treat sport,” Mr Love said at an event in London run by cybersecurity business Redscan.
Mr Love said that students should be given a “structured, controlled environment” to learn cybersecurity skills in order to stop them engaging in criminal behaviour….
When news broke last week of a hacking attack on Baltimore’s 911 system, Chad Howard felt a rush of nightmarish memories.
Howard, the information technology manager for Henry County, Tennessee, faced a similar intrusion in June 2016, in one of the country’s first so-called ransomware attacks on a 911 call center. The hackers shut down the center’s computerized dispatch system and demanded more than $2,000 in bitcoin to turn it back on. Refusing payment, Howard’s staff tracked emergency calls with pencil and paper for three days as the system was rebuilt.
“It basically brought us to our knees,” Howard recalled.
Nearly two years later, the March 25 ransomware attack on Baltimore served as another reminder that America’s emergency-response networks remain dangerously vulnerable to criminals bent on crippling the country’s critical infrastructure ─ either for money, or something more nefarious.
There have been 184 cyberattacks on public safety agencies and local governments in the past 24 months, according to a compilation of publicly reported incidents by the cybersecurity firm SecuLore Solutions. That includes Atlanta, which fell victim to a ransomware attack a couple days before the one on Baltimore, scrambling the operations of many agencies, but not the 911 system.
911 centers have been directly or indirectly attacked in 42 of the 184 cases on SecuLore’s list, the company says. Two dozen involved ransomware attacks, in which hackers use a virus to remotely seize control of a computer system and hold it hostage for payment.
Most of the other attacks involve “denial of service,” in which centers are immobilized by a flood of automated bogus calls. One of the first occurred in October 2016, when Meetkumar Desai, then 18, of Arizona, distributed a computer bug on Twitter that overwhelmed 911 centers in 12 states. The motivations for such attacks are often less about the money than doing damage — sometimes as a form of protest, as when the “hacktivist” group Anonymous took down Baltimore’s city website after the death of Freddie Gray while in police custody, experts say. Desai reportedly told authorities he meant his attack more as a prank.
“911 is the perfect [target] because it can’t afford to be down,” said Tim Lorello, SecuLore’s president and CEO.
This is how 911 works: When someone dials for help ─ typically from a mobile phone ─ the call gets routed from a cell tower to a 911 center, where a “telecommunicator” answers the phone and gathers basic information. The telecommunicator enters that information into a computer-aided dispatch system, where a dispatcher picks it up and coordinates a response from firefighters, police officers or ambulances.
This 911 system relies on redundancy, meaning that call centers that are taken out of service by a hacking attack can work around the disruption by shutting down the computer-aided dispatch system and sharing information person-to-person, or by sending calls to a nearby center. But depending on the type of attack and a 911 center’s resources, those disruptions can make it more difficult for people to reach someone in case of an emergency. A July 2017 investigation by Scripps News on the vulnerabilities of 911 systems noted the case of a 6-month-old Dallas boy who died after his babysitter’s 911 calls were delayed during an apparent denial-of-service attack.
J.J. Guy, chief technology officer at the cybersecurity firm Jask, said that the spread of ransomware attacks on public safety agencies and other key government operations shows the potential for cyberterrorists to target the country’s critical infrastructure.
Last month, the Department of Homeland Security outlined in a report how Russian hackers have gained access to American power plants. The hackers did not cause service interruptions, but the fact that they could gain access at all is troubling to security experts.
“To date, if you don’t have credit cards or lots of personal information, attackers had little motivation and thus you were mostly safe,” Guy said in an email. “This will change those dynamics. Manufacturing, logistics, etc — any field with an operations mindset that loses money when ‘the line is down’ will be targeted.”
The attack on Baltimore was discovered March 25, after a morning breach of its computer-aided dispatch system, officials said. The city’s cybersecurity unit took the system down, forcing support staff to pass 911 calls to dispatchers using paper rather than electronically. Call-center operations returned to normal early the next day, officials said. Investigators later determined that the intrusion was an attempted ransomware attack, but “no ransom was demanded or paid,” city spokesman James Bentley said. He declined to explain further, saying that “could compromise the investigation.”
Most ransomware cases end similarly, with governments refusing to pay hackers, choosing instead to switch to a more primitive version of 911 services while they rebuild their systems. Governments have caved at times, however, although officials decline to say much about those incidents, out of concern that it will encourage more attacks.
Another problem with the current 911 system is that it doesn’t accommodate the ways people communicate in the modern world ─ through texts, photos, videos, etc. That is why the 911 industry is pushing telecommunication companies and state and local governments to adopt what it calls Next Generation 911, which allows callers to send data through approved telecommunications carriers and internet service providers (while still taking calls from landlines).
Adoption of Next Generation 911 has been slow and costly, said Brian Fontes, CEO of the National Emergency Number Association, or NENA. A tiny fraction of America is on Next Generation 911; the short list includes Maine and Vermont, with Indiana, Washington state’s King County and part of Texas getting close, Fontes said.
The Next Generation 911 systems will have advanced security baked into their foundations, including the ability to instantly identify suspicious activity, immediately shut down in response to intrusions, and simultaneously move incoming calls to other centers in a way that is undetectable to someone dialing for help, officials say.
But the increased connectivity also opens the modern systems to new potential modes of attack, experts say. No matter how sophisticated a defense, all it takes is one overlooked vulnerability to let hackers in, experts say.
That makes it essential to develop sophisticated defense systems run by in-house cybersecurity teams, they say.
In Baltimore’s case, the ransomware attack was discovered and repelled by Baltimore City Information Technology, which maintains defenses across the local government. It determined that the hackers had found access after a technician troubleshooting the computer-aided dispatch system made a change to a firewall and mistakenly left an opening, the city’s chief information officer, Frank Johnson, said in a statement. The FBI is now helping the city investigate.
Howard, in Tennessee, knows how his attacker obtained access to the 911 center — by finding a weak password left by a deceased former system administrator. The FBI told him it looked as if the attack came from Russia. But he still isn’t sure.
Howard cleaned and rebuilt his system, but struggles to maintain patches for his outdated CAD system. “It’s been a nightmare,” he said.
No one has been caught or prosecuted in the Tennessee or Baltimore attack.
The post “Hackers have taken down dozens of 911 centers. Why is it so hard to stop them?” appeared first on National Cyber Security Ventures.
Based on interviews with nearly 1,500 cybersecurity professionals over three years, Haystax Technology released a study that makes it clear that organizations are feeling the pressure from insider threats and are ramping up detection, prevention and remediation.
“One consistent message we heard in all of these interviews was that cybersecurity professionals don’t feel equipped to stop insider attacks, despite an increase in funding for things like better controls and training,” said Haystax CEO Bryan Ware. “I’m not surprised that so many are now using analytics, as they need actionable intelligence to proactively identify and defend against threats from both malicious insiders and negligent users.”
In 2017, 90 percent of organizations reported feeling vulnerable to insider attacks, up from 64 percent in 2015. Haystax predicts 99 percent of organizations will feel vulnerable this year as they struggle with excessive access privileges and an increasing number of devices with access to sensitive data.
Privileged users were cited as the biggest insider threat concern for 55 percent of organizations in 2017. Haystax predicts that 2018 will be the year when regular employees surpass trusted insiders as the greater risk.
Just 19 percent of organizations deployed user behavior analytics (UBA) solutions in 2016 to proactively monitor employee populations, a figure that jumped to nearly 30 percent last year.
Cyber threats have become so commoditised today that no organisation should assume they are invulnerable.
A perfect storm of highly motivated attackers, poor organisational security and expansive digital systems has led to breaches, data theft and service outages on an unprecedented scale. Yet these attacks can and should be caught much earlier in the kill chain. In many cases, organisations don’t even know they’ve been breached until a third party steps in.
In grading terms the cybersecurity efforts of Yahoo, TalkTalk, Equifax and many others would earn them an “F”. IT departments need to get the message and start following industry best practices. That means effective incident response, and ditching the cybersecurity car crash that is the username and password. With new EU regulations set to land next May, there’s no time to lose.
What will surprise and concern many looking at these big-name breaches is just how long it took the affected organisations to come clean to their customers. In Yahoo’s case, the firm was hit all the way back in 2013, yet it took until October this year to reveal the full extent of the breach: three billion accounts. Equifax has also come under heavy criticism for its response to a breach of 145.5m US and 700,000 UK customers it discovered in July. The attack went undetected for over two-and-a-half months and came as the result of a known software vulnerability that wasn’t patched up properly.
When it finally informed customers – over a month after it detected the breach and after senior execs had sold over $1.8 million in shares – things didn’t get any better. It directed victims desperate for more information to a separate domain – equifaxsecurity2017.com – which looked to many like a phishing domain and itself contained security vulnerabilities. The firm then compounded its problems by tweeting an incorrect link out several times.
Given the goldmine of personal and financial information Equifax was sitting on, this kind of shoddy incident response is inexcusable. That’s not even to mention the half-hearted apology issued by now departed CEO Richard Smith. But it’s by no means alone in its poor handling of the incident.
The Department of Health (DoH) has also recently been heavily criticised for its handling of the WannaCry ransomware incident, which caused thousands of cancelled operations and appointments in May. Although the DoH had developed a plan, it had not been tested at a local level. As a result, it wasn’t clear who should lead the response, and communications broke down because email was unavailable, the National Audit Office said.
It’s not a case of “if” but “when” your organisation is hit by a serious cyber attack: according to the government, almost half (46%) of UK firms have suffered an attack or breach in the past 12 months. That makes it essential to craft and test a comprehensive incident or breach response plan – involving representatives from all across the organisation: HR, legal, IT, finance and so on.
The first 24 hours following an attack are particularly crucial. Firms should be as transparent as possible with the details they have to hand and with how the incident impacts customers and employees. Senior management needs to take the lead here, and customers want to see evidence that steps are being put in place to prevent a similar incident happening again.
The weakest link
Let’s be clear about the cause of most of these incidents: password-based authentication systems. According to Verizon, 81% of hacking-related breaches are made possible by exploiting stolen or weak passwords. They can be phished, cracked and even guessed by attackers – giving them the virtual keys to walk through the cyber front door to your organisation. Privileged account passwords are even more dangerous in the wrong hands, helping attackers get straight to those customer databases and stores of sensitive IP.
In a recent survey of IT decision makers we conducted, 86% of those with sysadmin-level access rights said they used only basic username and password authentication to access IT systems. What’s more, over half (54%) said they rely on the same credential-based systems to access accounts when off-site. It’s more than a little concerning that only half of those surveyed admitted that the business user accounts in their organisations are “not very secure.” What will it take before these companies, who are supposed to be the bastions of consumer data, realise they are treading on thin ice by relying on frankly inadequate and insecure methods of security?
This isn’t just a theoretical problem. Even an organisation as cyber-savvy and well-resourced as Deloitte can be found wanting. A serious breach of client data in September came after an attacker compromised a global email server via an admin account protected by a single password. Even more recently, cryptocurrency miner Coinhive was hacked after hackers compromised an insecure password for a corporate Cloudflare account – allowing them to divert funds from the firm.
It all adds up to one thing: password-based systems are the weakest link in your cybersecurity chain. They should be replaced both internally and for customers, who are themselves exposed to a greater risk of fraud and financial loss which could ultimately come back to bite your brand.
A new approach
What’s the answer? Stronger authentication built on the three pillars of possession, knowledge and inherence: that is, something you have (like a smartphone); something you know (like a PIN); and something unique to you (like a fingerprint). This type of security method is much more robust and verifies that the person accessing the service is exactly who they say they are.
Passwords are simply no longer fit-for-purpose in our always-on, digital-centric world. There’s too much at stake in persisting with them and it’s time this stale method of authentication is shunned by all. If the cautionary tales listed above aren’t enough to persuade companies, then maybe fines of up to 4% of global annual turnover, or £17m, will. They’ll be handed out by regulators of the EU GDPR and the NIS Directive from May next year. The former will apply to any firm managing EU customer data while the latter covers providers of “essential services.” Both mandate strict best practice security requirements which will include multi-factor authentication and effective incident response.
The clock’s ticking.
The post “Cybersecurity shambles: Why a new approach is vital to stop breaches” appeared first on National Cyber Security Ventures.
Experts agree that it’s long past time for companies to stop relying on traditional passwords. They should switch to more secure access methods like multi-factor authentication (MFA), biometrics, and single sign-on (SSO) systems. According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords.
First, let’s talk about password hacking techniques. The story is different when the target is a company, an individual, or the general public, but the end result is usually the same. The hacker wins.
Breaking passwords from hashed password files
If all a company’s passwords are cracked at once, it’s usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.
These hashes, including salted hashes, are no longer very secure. Hashes scramble passwords in such a way that they can’t be unscrambled again. To check if a password is valid, the login system scrambles the password a user enters and compares it to the previously hashed password already on file.
Attackers who get their hands on a hashed password file use something called “rainbow tables” to decipher the hashes using simple searches. They can also buy special-built hardware designed for password cracking, rent space from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.
Attackers who aren’t password-cracking experts themselves can outsource. “I can rent these services for a couple of hours, couple of days, or a couple of weeks — and usually that comes with support, as well,” Contos says. “You see a lot of specialization in this space.”
As a result, the time it takes to break hashed passwords, even ones previously thought secure, is no longer measured in millions of years. “Based on my experience of how people create passwords, you’ll usually crack 80 to 90 percent in less than 24 hours,” he says. “Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks.”
This is especially true of any password that is created by humans, instead of randomly generated by computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it’s no replacement for strong MFA.
Stolen hash files are particularly vulnerable because all the work is done on the attacker’s computer. There’s no need to send a trial password to a website or application to see if it works.
“We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms,” says Justin Angel, security researcher at Coalfire Labs. “It isn’t uncommon for us to recover thousands of passwords overnight using this approach.”
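The two storage schemes the section contrasts, as an added illustration that is not part of the original article or any vendor’s code: an unsalted fast hash, which a precomputed lookup table reverses with a dictionary search and no hashing at attack time, beside a salted, iterated PBKDF2 record and the constant-time verifier a login system uses against it. The candidate password list is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for the "most common passwords" an attacker precomputes;
# real wordlists run to millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2017"]


def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256 with no salt: every user with the same password gets the same
    digest, so one table built once answers lookups against any stolen file."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """The precomputation behind a rainbow/lookup table: hash each candidate once,
    keyed by digest, so reversing a stolen hash is a dictionary lookup."""
    return {fast_unsalted_hash(p): p for p in candidates}


def reverse_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """The 'simple search' the article describes; returns None on a miss."""
    return table.get(stored_hash)


def hash_password(password: str, iterations: int = 310_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The random per-user salt makes a shared
    precomputed table useless (it would have to be rebuilt for every salt), and the
    iteration count makes each guess cost hundreds of thousands of hash operations
    instead of one. The record is self-describing so the verifier can re-derive."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """What the login system does: re-derive from the entered password and compare
    in constant time. The stored value is never 'unscrambled'."""
    algo, iterations, salt_hex, derived_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted sha256('qwerty') reversed to:", reverse_unsalted(fast_unsalted_hash("qwerty"), table))
    rec = hash_password("qwerty")
    print("salted record:", rec)
    print("verify('qwerty'):", verify_password("qwerty", rec))
```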
Botnets enable mass-market attacks
For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use.
According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. “Past breaches of companies like Yahoo have created massive databases that criminals can use,” he says.
Often, those passwords stay valid for a long time. “Even post-breach, many users will not change their already breached password,” says Roman Blachman, CTO at Preempt Security.
Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lock-outs, or other security measures. So, they start with a giant list of known email addresses and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. “They try logging into every single one of the email addresses with the most common password,” he says. “So each account only gets one failure.”
They wait a couple of days and then try each of those email addresses with the next most common password. “They can use their botnet of a million compromised computers, so the target website doesn’t see all the attempts coming in from a single source, either,” he added.
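The pattern Cottrell describes defeats per-account lockout counters by design, so detection has to count across accounts instead. As an added example (not from the article or any product), this detector runs over constructed authentication log lines (documentation IP ranges, a made-up `auth_failed`/`auth_success` format) and flags a window in which many distinct accounts each fail fewer times than the lockout threshold, from many distinct sources.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one failure per account from scattered sources on the 25th,
# the same sweep two days later with the next password, and in between a legitimate
# user (bob) mistyping twice before logging in. Addresses are RFC 5737 examples.
SAMPLE_LOG = """\
2018-03-25T02:00:01Z auth_failed user=alice src=203.0.113.4
2018-03-25T02:00:09Z auth_failed user=bob src=198.51.100.7
2018-03-25T02:00:15Z auth_failed user=carol src=192.0.2.33
2018-03-25T02:00:22Z auth_failed user=dave src=203.0.113.90
2018-03-25T02:00:30Z auth_failed user=erin src=198.51.100.120
2018-03-25T02:00:41Z auth_failed user=frank src=192.0.2.200
2018-03-26T09:12:00Z auth_failed user=bob src=198.51.100.7
2018-03-26T09:12:20Z auth_failed user=bob src=198.51.100.7
2018-03-26T09:12:45Z auth_success user=bob src=198.51.100.7
2018-03-27T03:10:02Z auth_failed user=alice src=192.0.2.77
2018-03-27T03:10:11Z auth_failed user=bob src=203.0.113.140
2018-03-27T03:10:19Z auth_failed user=carol src=198.51.100.51
2018-03-27T03:10:27Z auth_failed user=dave src=192.0.2.18
2018-03-27T03:10:36Z auth_failed user=erin src=203.0.113.222
2018-03-27T03:10:48Z auth_failed user=frank src=198.51.100.99
"""

LINE_RE = re.compile(r"^(\S+) auth_(failed|success) user=(\S+) src=(\S+)$")


def parse_events(text: str) -> List[Dict]:
    """Parse the constructed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "result": result, "user": user, "src": src})
    return events


def detect_password_spraying(events: List[Dict], window: timedelta = timedelta(minutes=30),
                             min_accounts: int = 5, lockout_threshold: int = 3) -> List[Dict]:
    """Per-account counters stay below the lockout threshold during a spray, so
    invert the view: within one window, how many distinct accounts failed, how many
    times each at most, and from how many sources. Windows are cut from the first
    failure forward, so a legitimate user's repeated failures never trip it alone."""
    failures = sorted((e for e in events if e["result"] == "failed"), key=lambda e: e["ts"])
    alerts = []
    i = 0
    while i < len(failures):
        end = failures[i]["ts"] + window
        j = i
        while j < len(failures) and failures[j]["ts"] < end:
            j += 1
        bucket = failures[i:j]
        per_user = Counter(e["user"] for e in bucket)
        worst = max(per_user.values())
        if len(per_user) >= min_accounts and worst < lockout_threshold:
            alerts.append({"window_start": failures[i]["ts"],
                           "accounts": len(per_user),
                           "sources": len({e["src"] for e in bucket}),
                           "max_failures_per_account": worst})
        i = j
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spraying(parse_events(SAMPLE_LOG)):
        print("possible password spraying:", alert)
```

Tune `window`, `min_accounts` and `lockout_threshold` to the site's own lockout policy; the useful signal is the combination of many accounts, few failures each, and many sources, not any one of them.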
The industry is beginning to address the problem. The use of third-party authentication services like LinkedIn, Facebook, or Google helps reduce the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well as with financial services sites and major retailers.
Standards setting bodies are stepping up, as well, says James Bettke, security researcher at SecureWorks. In June, NIST released a set of updated Digital Identity Guidelines that specifically address the issue. “It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords,” he says. “Password fatigue causes users to reuse passwords and recycle predictable patterns.”
The FIDO alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. “Static passwords are not safe nor are they secure,” he says.
In addition to the standards, there are also new “frictionless” technologies such as behavioral biometrics and facial recognition that can help improve security on consumer websites and mobile apps.
Is your password already stolen?
To target an individual, attackers check if that user’s credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. “The LinkedIn breach a few years back is a good example,” says Gary Weiss, senior vice president and general manager for security, analytics, and discovery at OpenText Corp. “Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media.”
The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That’s too many passwords to remember, so most people use just one or two passwords, with some simple variations. That’s a problem.
“There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected,” says Emmanuel Schalit, CEO at Dashlane Inc. “This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.” (You can see if your password-protected accounts have been compromised at Have I Been Pwned?.)
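A way to run the kind of breach check the article points at without handing the password itself to a third party, as an added Python example that is not from the article or from Have I Been Pwned: the service's range endpoint (https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>) accepts only a hash prefix and returns every leaked suffix that shares it, so the comparison happens on the client. The breach corpus, its counts and the sample candidate password below are constructed stand-ins; `fake_fetch_range` is a hypothetical hook that a real deployment would replace with an HTTP client.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range endpoint is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """5-character prefix that leaves the machine, 35-character suffix that never does."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for the service's corpus (password -> times seen in breaches).
# The counts are made up; they only serve to fabricate a plausible response body.
SAMPLE_LEAKED = {"password": 3_730_471, "letmein": 242_000, "qwerty123": 9_000}


def fake_fetch_range(prefix: str) -> str:
    """Build what GET /range/<prefix> would answer: one 'SUFFIX:COUNT' line per
    leaked hash that starts with `prefix`. Hypothetical hook; swap in an HTTP call."""
    lines = []
    for leaked, count in SAMPLE_LEAKED.items():
        digest = sha1_hex(leaked)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> dict[str, int]:
    """Map each returned suffix to its breach count; tolerate blank lines and
    zero-count padding entries."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How many times the password appeared in breaches (0 = not found).
    Only the 5-character prefix is ever passed to fetch_range."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    # "uj7!Gk2$qLm9Tz#w" is a constructed sample, not a recommended password.
    for candidate in ("password", "uj7!Gk2$qLm9Tz#w"):
        print(candidate, "->", breach_count(candidate))
```

The same prefix-only pattern is what a registration form should use server-side to reject passwords already present in breach corpora, which is the check the NIST guidelines quoted above call for instead of complexity rules.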
Once any one site is hacked and that password stolen, it can be leveraged to access other accounts. If the hackers can get into the user’s email account, they will use that to reset the user’s password everywhere else. “You might have a very good password on your bank or investment account, but if your Gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you,” Cottrell says. “There’s a number of high profile people who have been taken down by password reset attacks.”
If they find a site or an internal enterprise application that doesn’t limit login attempts, they will also try to brute-force the password by using lists of common passwords, dictionary lookup tables, and password cracking tools like John the Ripper, Hashcat, or Mimikatz.
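On the defending side, the countermeasure to the unlimited-attempts case above is to make each failed login cost something. The following is an added Python example, not code from the article or from any vendor quoted in it: a throttle that refuses a source address after a burst of failures within a sliding window, and applies an exponential delay per account rather than a hard lock, so that an attacker cannot lock a legitimate user out simply by failing on purpose. The attempt sequence, the addresses and the account names are constructed; `FakeClock` stands in for the real clock so the replay is deterministic.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-source burst blocking plus per-account exponential backoff.

    Call check() before verifying a credential, then record_failure() or
    record_success(). Accounts are delayed, not locked, so deliberate
    failures cannot deny a legitimate user access for long."""

    def __init__(self, max_source_failures=20, window=900.0, source_block=900.0,
                 base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.max_source_failures = max_source_failures
        self.window = window              # sliding window for counting source failures
        self.source_block = source_block  # how long a noisy source is refused
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                # injectable for deterministic replays
        self._source_failures = defaultdict(deque)  # source -> failure timestamps
        self._source_blocked_until = {}
        self._account_streak = defaultdict(int)     # account -> consecutive failures
        self._account_retry_after = {}

    def _prune(self, stamps, now):
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()

    def check(self, account, source):
        """Return (allowed, reason) without touching any counters."""
        now = self.clock()
        until = self._source_blocked_until.get(source)
        if until is not None and now < until:
            return False, "source blocked"
        retry = self._account_retry_after.get(account)
        if retry is not None and now < retry:
            return False, "account backoff"
        return True, "ok"

    def record_failure(self, account, source):
        now = self.clock()
        stamps = self._source_failures[source]
        stamps.append(now)
        self._prune(stamps, now)
        if len(stamps) >= self.max_source_failures:
            self._source_blocked_until[source] = now + self.source_block
        streak = self._account_streak[account] + 1
        self._account_streak[account] = streak
        delay = min(self.base_delay * 2 ** (streak - 1), self.max_delay)
        self._account_retry_after[account] = now + delay

    def record_success(self, account, source):
        self._account_streak.pop(account, None)
        self._account_retry_after.pop(account, None)


class FakeClock:
    """Stand-in clock so the replay below is reproducible."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed attempt log: (seconds, account, source address, credential valid?).
# 203.0.113.5 sprays one guess per account; alice later logs in from her own address.
SAMPLE_ATTEMPTS = [
    (0.0, "alice", "203.0.113.5", False),
    (1.0, "bob", "203.0.113.5", False),
    (2.0, "carol", "203.0.113.5", False),
    (3.0, "dave", "203.0.113.5", False),
    (4.0, "erin", "203.0.113.5", False),
    (5.0, "frank", "203.0.113.5", False),
    (10.0, "alice", "198.51.100.7", False),
    (11.0, "alice", "198.51.100.7", False),
    (13.0, "alice", "198.51.100.7", True),
    (14.0, "alice", "198.51.100.7", True),
]


def replay(attempts, max_source_failures=5):
    """Run an attempt sequence through the throttle; return the decision per attempt."""
    clock = FakeClock()
    throttle = LoginThrottle(max_source_failures=max_source_failures, clock=clock)
    decisions = []
    for t, account, source, valid in attempts:
        clock.now = t
        allowed, reason = throttle.check(account, source)
        decisions.append(reason)
        if not allowed:
            continue  # refused before the credential is even checked
        if valid:
            throttle.record_success(account, source)
        else:
            throttle.record_failure(account, source)
    return decisions


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", decision)
```

In the replay, the spraying address is refused on its sixth guess, while alice's own second failure only costs her a two-second wait and a correct password clears the backoff. In production the counters would live in a shared store and the refusal events would be the log lines a detection rule keys on.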
Commercial services are available in the criminal underground that use more sophisticated algorithms to crack passwords. These services have been greatly helped by the continued leaks of password files, says Abbas Haider Ali, CTO at xMatters, Inc.
Anything a human being can think of — replacing letters with symbols, using tricky abbreviations or keyboard patterns or unusual names from science fiction novels — someone else has already thought of. “It doesn’t matter how smart you are, human-generated passwords are completely pointless,” he says.
The password-cracker apps and tools have become very sophisticated over the years, says Ntrepid’s Cottrell. “But humans haven’t gotten much better at picking passwords,” he says.
For a high-value target, the attackers will also research the person to find information that helps them answer account-recovery security questions. Account user names are typically just email addresses, he added, and corporate email addresses in particular are very easy to guess because they follow a standard format.
How to check the strength of your password
Most websites do a very poor job of telling users whether their chosen password is strong or not. Their checks are usually several years out of date: they look for things like a length of at least eight characters, a mix of upper- and lowercase letters, and symbols and numbers.
Third-party sites will gauge the strength of your password, but users should be careful about which sites they use. “The worst thing in the world to do is go to a random website and type in a password to have it test it,” says Cottrell.
But if you’re curious about how long a password would take to crack, one website you can try is Dashlane’s HowSecureIsMyPassword.net. Another site that measures password strength, checking for dictionary words, leet-speak, and common patterns, is the Entropy Testing Meter by software engineer Aaron Toponce. He recommends choosing a password with at least 70 bits of entropy. Again, he recommends not typing your actual passwords into the site.
For most users — and for the websites and applications they log into — this creates a problem. How are users expected to come up with unique passwords for each site, and change them every three months, long enough to be secure, and still remember them?
“A rule of thumb is, if you can remember it, it isn’t a good password,” says Cottrell. “Certainly, if you can remember more than one or two of them, it isn’t a good password — it’s always a couple of words and the name of the website.”
Instead, he says, use a randomly generated password of the longest length the website allows and store them using a secure password management system. “I have more than 1,000 passwords in my password vault, and they’re almost all over 20 characters,” he says.
Then, for the master password for the vault, he uses a long passphrase. “It should not be a quote, or something from any book, but still memorable to you,” he says. “My recommendation for memorability is that it should be extraordinarily obscene — which also makes it less likely that you’ll go and tell anyone. If you’ve got a 30-character phrase, that’s effectively impossible to brute force. The combinatorics just explode.”
For individual passwords for websites or applications, 20 characters is a reasonable length, according to Cyril Leclerc, Dashlane’s head of security — but only if they’re random. “Crackers will be able to crack a human-generated password of 20 characters,” he says, “but not for a randomly generated password. Even if someone had computers from the future with unlimited power, the hacker would potentially only be able to crack a single password, and only after spending an astronomical amount of time on the task.”
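To put numbers on the 70-bit entropy threshold, the 20-character random password and the long passphrase discussed above, here is an added Python example that is not from the article, Dashlane or Ntrepid. It generates passwords with the `secrets` module (the OS CSPRNG; `random` is not suitable for this) and computes the entropy of a uniformly random string. The figures only hold for random choice: a human-chosen 20-character string is nowhere near 131 bits, which is the article's point. The sample word list and the guess rate of 10^12 per second are assumptions.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a diceware-style word list (real lists have ~7776 entries).
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel",
                "harbor", "iris", "juniper", "kelp", "lantern", "marble", "nectar",
                "orbit", "pebble"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string built by choosing `length` symbols uniformly and
    independently from `alphabet_size` options: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password of `length` symbols from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 6, sep: str = " ") -> str:
    """Uniformly random passphrase of `count` words drawn from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case years to try every candidate at the assumed offline guess
    rate against a fast hash; an attacker needs half that on average."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def meets_threshold(bits: float, minimum: float = 70.0) -> bool:
    """Apply the 70-bit recommendation quoted in the article."""
    return bits >= minimum


if __name__ == "__main__":
    for name, size, length in [("8 lowercase letters", 26, 8),
                               ("20 random printable characters", 94, 20),
                               ("6 words from a 7776-word list", 7776, 6)]:
        bits = entropy_bits(size, length)
        print(f"{name}: {bits:.1f} bits, {years_to_exhaust(bits):.2e} years to exhaust, "
              f"meets 70-bit bar: {meets_threshold(bits)}")
    print("sample password:", random_password())
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
```

Twenty random printable characters give about 131 bits; eight lowercase letters give under 38 bits, which at the assumed rate is exhausted in well under a second, while even the 70-bit bar needs decades at a trillion guesses per second. A vault master passphrase gets its strength the same way, from the number of words and the size of the list they are drawn from, not from the characters themselves.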
The post How #hackers crack #passwords and why you can’t #stop them appeared first on National Cyber Security Ventures.
The cybersecurity industry has always had a fortress mentality: Firewall the perimeter! Harden the system! But that mindset has failed—miserably, as each new headline-generating hack reminds us. Even if you do patch all your software, the way Equifax didn’t, or you randomize all your passwords, the way most of us…
What are the biggest roadblocks to better cybersecurity? If you look at the major cybersecurity conferences, the usual presentation topics are risk assessment, encryption, zero-day exploits, and insider threats. But there’s no shortage of technical and human challenges to cybersecurity; often these factors are competing against each other for time…
The post Stop treating users as the enemy when it comes to cybersecurity appeared first on National Cyber Security Ventures.
After a global cyberattack hit millions of computers in more than 150 countries, there’s high demand for cybersecurity, and questions over whether there is any defense against modern hackers. It’s a wake-up call for world leaders and security experts – the ransomware attack that seized millions of computers and impacted thousands of companies. In the aftermath of the chaos, …
The post Is cybersecurity enough to stop modern-day hackers? appeared first on National Cyber Security Ventures.