Fueled by automation, the adoption of DevOps processes and more, the role of the developer has become increasingly important and widespread for enterprises going through digital transformation. Developers need access to privileged credentials in order to access key developer tools like Kubernetes or Jenkins admin console. These credentials can be saved locally, making developers’ workstations — whether they are Macs or PCs — high-value targets for hackers.
These workstations are often vulnerable to something as simple as a phishing email, which attackers can use as an entry point to get access to the developer’s credentials. Because of these vulnerabilities, developers’ workstations are extremely important to secure. However, developers are famous for prizing speed above all else — and seeing security as little more than a speed bump. So how to ensure that developers take security seriously?
Securing privileged access through the principle of least privilege needs to be a top security priority. It is no secret that no-one should have full-time admin rights. But, what does that mean for developers?
Security teams face a difficult dilemma. They need to better secure developer workstations while still providing them the elevated permissions and privileges—and freedom—they need to get their job done. And they need to do all that without impacting velocity.
I recently encountered this comment on the Stackoverflow forum:
“There is almost no legitimate operational reason for restricting admin access to local PCs for staff that need it to do their job.”
Is that true?
Developers, DevOps and other engineers all perform administrative tasks as part of their job responsibilities, so they also have “full control” of their environment. Furthermore, because of the work developers do, there are extra challenges involved in hardening and restraining their workstations regardless of whether they are using Windows or macOS.
Developers install and uninstall software, drivers and system updates. They change operating system internals and use debugging programs on a regular basis. Without full control, developers often can’t do their jobs.
However, developers have access to source code, API keys and other shared secrets – usually more access than the standard user. Compromising a developer is a quick way for attackers to gain immediate elevated access to the most essential, mission-critical information an organization has. Consequently, developers have the kind of access that attackers want, which makes them the type of user who needs the highest levels of protection – whether they like it or not.
Want to take over a company or cause reputational damage quickly? Compromise a developer endpoint.
There are even specific types of attacks designed to target developers. For instance, “watering hole” attacks where cyber attackers will compromise common, popular developer web sites known to be good places to share code and get help troubleshooting programming issues. For example, four of the largest software developer companies in the world were compromised during a single cyber attack campaign that placed a zero-day Java exploit on an iOS developer web site.
Rights and Responsibilities
One way to deal with developers’ requests for full admin rights would be to provide them with virtual machines dedicated to programming, which could be perfectly patched and thoroughly hardened. This is doable with the right amount of monitoring and alerting, antimalware and IPS.
However, a workaround like this has a huge management overhead. It requires more budget, additional machines and another user to manage those machines. It’s not a comfortable situation for the IT team or the developer – and let’s not forget the cost of such a solution.
Additionally, while using their development tools, developers consume a lot of computer resources (e.g. generating millions of temporary files during code compilation). This leaves the security team with the job of ensuring that no significant performance impact occurs while implementing endpoint security products – not an easy task.
Conventional attempts to counter this typically require system administrators or security staff to perform manual inspections and craft security policies in response. As application complexity and development velocity increase, it becomes impractical to determine least privilege ahead of time manually. Furthermore, a central policy gatekeeper won’t scale efficiently and is likely to negatively impact delivery velocity.
Cutting the Gordian Knot
There has to be a better way to balance the needs of the developer with security concerns. Organizations need to be able to remove administrative privileges from developers without preventing them from doing their jobs, reducing velocity or overburdening security teams.
CyberArk Endpoint Privilege Manager can overcome these obstacles, allowing organizations to remove privileged credential rights on Windows workstations, Windows servers and macOS. It provides privileged access management (PAM), allowing enterprises to easily remove local Admin users – including developers. For instance, CyberArk Endpoint Privilege Manager can elevate specific applications used by the developer on a day-to-day basis or provide just-in-time user elevation for a specified time while recording and logging all user activity.
In addition, since developers may save credentials to their development environments, Endpoint Privilege Manager protects those repositories from credential theft while allowing trusted applications to use the credential stores.
Another key feature for the developer use case is the set of out-of-the-box predefined policies for different developer tools like Visual Studio, Eclipse, Git and others.
Final Thought – The Developer Resistance
Each new security-driven restriction impacts the developer productivity throughout the entire software development process. Consequently, developers may fight the rules and restrictions necessary to maintain a strong security posture. What makes Endpoint Privilege Manager any different?
Endpoint Privilege Manager minimizes interference in the developer workflow. Developers – and other users – don’t need to go through the extra step of involving an administrator when they need access to certain applications. For a predefined, approved set of applications, users can seamlessly gain access through an automated process.
Furthermore, Endpoint Privilege Manager allows users to elevate privileges to access these approved applications while continuing to access other, unapproved applications as non-privileged users. This means that developers can continue to access the majority of the applications they use on a daily basis without having to slow down – without losing out on the benefits of application security.
Developers are like builders constructing a house on an empty lot. They need to be armed with the best tools to do their best work. If you give them old equipment, they will spend more time working around it than actually building. Endpoint Privilege Manager lets developers do what they do best – without interrupting their workflow with compliance and security requirements – so that they can write code faster.
Developers don’t need to be the last hold out for administrator rights within an organization. Learn how this is possible today.
The post Secure Developer Workstations Without Slowing Them Down appeared first on CyberArk.
*** This is a Security Bloggers Network syndicated blog from CyberArk authored by Vadim Sedletsky. Read the original post at: https://www.cyberark.com/blog/secure-developer-workstations-without-slowing-them-down/
Apple iPhone users are being warned to check their devices against a list of malicious apps disclosed in a new report. The exposure of such dangers on Google’s Play Store has become a theme this year, with apps laced with adware, subscription fraud and worse exposed and removed. Now Apple is taking its turn in the spotlight. A new report from the research team at Wandera claims that 17 apps from one developer load a malicious clicker trojan module on an iOS device.
Apple says that the apps in question have been removed from the App Store, and upon examination did not contain the trojan malware as claimed. Instead, the apps were removed for including code that enabled the artificial click-through of ads. A spokesperson for Apple confirmed the removal of the apps and that the App Store’s protective tools have been updated to detect similar apps in the future.
According to Wandera, the trojan focused on ad fraud, but also sent data from the infected device to an external command and control server. Wandera told me that an even more worrying element of the malware, one not included in the write-up, is a set of devious techniques to evade detection. The malware triggered only when loaded with an active SIM and left running for two days. We have seen this before on Android—an attempt to hide from security researchers in lab conditions.
“We were amazed with this one,” Wandera VP Michael Covington told me ahead of the report’s release. “We’ve seen a couple of issues creep into the Apple App Store over the last few months—and it always seems to be the network element.” In his view, Apple misses the runtime element of an app’s behaviour when scanned before approval. “They don’t have a deep threat research expertise,” he explained, “but to find malicious network traffic, you have to watch live apps and see how they perform.”
When I talked with Wandera ahead of the report being released, they provided links and said the apps were still available to install. Apple has since confirmed their removal. The fact they gained access to the store remains a concern. Wandera says it discovered the malicious apps when its monitoring platform detected network traffic back to the external C&C server. “That forced us to work backwards,” Covington told me, “we found one of those apps, and from there we found the developer and then the other indicators of compromise that led to the other apps.”
Each of the apps contain the “malicious” clicker trojan module. “Malicious,” Covington claimed, because the module can do more than just generate fraudulent ads. “It could potentially steal information, or open a backdoor,” he said. “Any time I see an app opening a connection to the outside, I think we may have more than just bad ads, we have some malicious functionality that’s being introduced.”
All of the apps will “carry out ad fraud-related tasks in the background,” the report claims, “such as continuously opening web pages or clicking links without any user interaction.” The module generated revenue for the operators “on a pay-per-click basis by inflating website traffic.” The evasive behaviour, which is not in the report, points to a level of sophistication beyond simple ad fraud. To design malware specifically to outwit a security research lab is a level beyond.
Covington takes the view that an outside connection means a high risk of data compromise—at least to some extent. The malware sends device and location information, some user data as well potentially. The apps are not games. “One managed contacts, another travel information, another had access to accelerometer and location—even without special permissions for the camera or microphone, the apps likely accessed contacts and location, with privacy implications.”
For its part, Apple disputes that any such compromise took place here—there was no danger beyond isolated click fraud, it says, emphasising that the company patrols the App Store to identify and remove any apps that represent a danger to users.
Any C&C server clearly represents some form of risk, though—an external link opens a door to further threats. “Certain information about the device and the user is used to determine what ads to deliver,” Covington said. “But we have seen C&C servers deliver other types of commands—to change configurations or trigger phishing attacks, to deliver legitimate-looking login pages to steal credentials. Or to deliver malicious payloads to bulk up apps or install others. Once you open a connection to the outside, bad things can happen.”
In this instance, Wandera says it has seen performance degradation, battery drain, heavy bandwidth use—one ad runs a video stream for more than five minutes, others contain large images. The same C&C server was disclosed by Dr. Web as part of an Android malware campaign. Dr. Web reported that the server could target ads, load websites, alter the configuration of devices, fraudulently subscribe users to premium content. None of these additional issues have been claimed for the iOS malware.
The developer is AppAspect Technologies, based in India, an operator with apps for both iOS and Android. Wandera says it examined the Android apps: none currently contains the clicker trojan module, but they once did; they were pulled from the store, the module was removed and the apps were republished. Perhaps the heat being turned up on the Play Store forced a retreat? Perhaps the operator turned its focus to iOS, where there is less expectation of such compromises? Covington thinks this is a real possibility.
Apple has confirmed that the apps have been removed, and the good news is that deleting the apps solves any problems; no remnants are left behind. “There is no access to special frameworks that might have left something behind,” Covington explained.
For Apple, in light of other security challenges in recent months, including a targeted WhatsApp hack, the Chinese malware attack on the Uighurs and new jailbreak options, this is an awkward story. The fast removal of the apps is to be applauded, as is the enhancement of protective tools, but the fact that harmful apps found their way onto the store obviously remains a worry.
Here is the list of infected apps:
- RTO Vehicle Information
- EMI Calculator & Loan Planner
- File Manager – Documents
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores
- Daily Fitness – Yoga Poses
- FM Radio PRO – Internet Radio
- My Train Info – IRCTC & PNR (not listed under developer profile)
- Around Me Place Finder
- Easy Contacts Backup Manager
- Ramadan Times 2019 Pro
- Restaurant Finder – Find Food
- BMI Calculator PRO – BMR Calc
- Dual Accounts Pro
- Video Editor – Mute Video
- Islamic World PRO – Qibla
- Smart Video Compressor
Updated later on October 24 with feedback from Apple, including confirmation of removal of the apps.
The post #deepweb | These 17 ‘Trojan’ Apps May Be On Your Device—Delete Them Now appeared first on National Cyber Security.
Imagine the havoc wreaked on your company’s servers if they were infected by a distributed denial of service (DDoS) bot that is bundled with a ransomware payload, or the damage to your brand if a phishing attack targeting your users and customers resulted in the theft of personal information.
Whatever the kind of cyberattack, there can be serious consequences for the company. It could be forced to pay big money to rescue its systems from the clutches of cybercriminals, lose the trust and confidence of customers and users, and even be liable to pay fines and penalties for failing to comply with data privacy laws such as the EU’s Global Data Protection Regulation (GDPR).
As the size and variety of cyberattacks continue to expand, many organizations struggle to focus their efforts on what matters most to their unique business. Here are some of today’s top global cybersecurity challenges and how companies can overcome them to strengthen their cyber defense:
Managing both content security and performance
Customer data is one of your company’s most important assets and is a significant investment for your business. When there’s a breach, you’ll lose customer trust because they’ll start to worry about other vulnerabilities in your network.
To protect against such an attack, companies must ensure their security solutions and software are always up to date. However, with so many types of new attacks cropping up every day, it’s best to use a comprehensive, cloud-based suite vs. a one-off solution. Doing so will help protect your business against new and emerging threats and allow you to employ preventive mitigation measures without adding latency to the delivery experience.
Safeguarding against DDoS attacks
A DDoS attack is one in which a network of zombie computers sabotages a specific website or server by artificially boosting the volume of traffic, causing it to shut down. Such attacks cause businesses to lose millions in revenue.
Another reason for DDoS to be a growing concern is the frequency and sophistication of attacks along with their duration and size, which has increased over the past few years.
To protect yourself against the financial and reputational damages caused by such an attack, you could use a product that can proactively intercept and mitigate a DDoS attack.
This provides much faster scrubbing performance since traffic isn’t moved off your Content Delivery Network (CDN), the network of proxy servers and data centers that distributes your data, for cleaning.
Limelight Network’s solution is effective because when it detects an attack, it passes the traffic to one of several globally distributed scrubbing centers to filter it before passing it back to your origin.
Protecting web applications
As a business, the idea behind launching a web application is usually to improve the customer experience. However, unless you protect your web applications appropriately, they’ll just expose you and your customer to unwarranted cyberthreats.
According to Limelight Networks, retail and financial sectors in Southeast Asia suffered the most from web app attacks. Over the past year alone, there has been a significant increase in attack incidents, with websites containing consumer data being the target of 60 percent of attacks.
To combat such threats effectively, business leaders are now turning to cloud-based security solutions instead of on-premise equipment.
A Web Application Firewall (WAF) secures your web apps by inserting its nodes between the origin servers and the CDN, which does the heavy work of content caching, web acceleration and delivery of static content.
Web app attacks are dynamic, so if your WAF only accepts traffic from your CDN, it can minimize the performance impact of WAF protection and lock down IP traffic.
When a new vulnerability is identified, a new security rule should be created and pushed to all WAF nodes. Doing so makes the solution so secure that it can even close “zero-day” attacks prior to app vendor patches being deployed.
You should also make sure your chosen security solution offers protection against malicious bots. They’re the ones that crawl the internet looking for vulnerabilities for cyberattacks.
Staying ahead of the curve
If you’re a business that aims to empower customers through your digital presence, you’ll need to implement (and update) cybersecurity measures at your organization immediately.
Failing to do so puts a lot at risk on your business – including your reputation and the future prospects of your company.
Implementing a cybersecurity solution created and backed by a company such as Limelight Networks, for example, helps you secure your business on all fronts.
The company’s DDoS Attack Interceptor combines a global CDN with in-network detection and attack mitigation to facilitate situation-aware detection and mitigation via on-network scrubbing centers.
Its CDN protection offers several features such as geo-fencing, IP whitelisting and blacklisting, which help you fend off even the most seasoned cybercriminals. The same is also true for its DDoS protection and WAF solution, both of which give you the best-in-class cyber protection.
The company’s scalable cloud-based architecture also allows you to reduce the total cost of protection by leveraging its massive global private infrastructure.
Limelight Networks also boasts world-class features such as a dedicated global network, proactive, intelligent threat detection using behavior-based analysis, and cloud-based scrubbing of traffic – which reassures even the most concerned consumer. Act now, because hackers won’t spare your systems while you’re still wondering what to do next.
The post Top #global #cybersecurity #challenges and #how to #overcome #them appeared first on National Cyber Security Ventures.
A woman said her email account was hacked. She told the Lee County Sheriff’s Office that she is now being threatened by an unknown suspect with her own photographs.
The woman believed the person found her email address on Facebook.
“Revenge porn is a form of harassment. It’s a form of abuse,” Elizete Velado said. Velado is an attorney at Goldberg and Noone in Downtown Fort Myers.
Velado’s firm is not involved with this particular case. However, she told 4 In Your Corner revenge porn has been a problem for years.
“It’s really important for people to remember it’s not the victim’s fault when someone breaks into their computer,” Velado said. “Breaking into your computer is like breaking into your home,” she added.
The victim told investigators she was bombarded with messages. The unknown person wanted her to pay up. She told the deputy that the person would post the nude pictures of her.
Hackers like the one in this case have stayed slightly ahead of the laws.
“It’s very difficult for the law to keep up with emerging technology and sexual cyber stalking takes many forms,” Velado added.
Florida has laws against sexual cyber stalking. It allows victims to get compensated.
Arrests are few and far between because hackers hide behind IP addresses and proxy servers.
Velado hopes future laws will bring about justice.
“It’s great that we finally got national attention on this. It is an issue that needs to be dealt with. The people that are doing this need to be held accountable,” Velado said.
The woman in this case plans to press charges if and when the suspect is found. She submitted screenshots of the messages to investigators.
The post Hacker gets #woman’s #nude pics, #threatens to #post them #online appeared first on National Cyber Security Ventures.
When news broke last week of a hacking attack on Baltimore’s 911 system, Chad Howard felt a rush of nightmarish memories.
Howard, the information technology manager for Henry County, Tennessee, faced a similar intrusion in June 2016, in one of the country’s first so-called ransomware attacks on a 911 call center. The hackers shut down the center’s computerized dispatch system and demanded more than $2,000 in bitcoin to turn it back on. Refusing payment, Howard’s staff tracked emergency calls with pencil and paper for three days as the system was rebuilt.
“It basically brought us to our knees,” Howard recalled.
Nearly two years later, the March 25 ransomware attack on Baltimore served as another reminder that America’s emergency-response networks remain dangerously vulnerable to criminals bent on crippling the country’s critical infrastructure – either for money, or something more nefarious.
There have been 184 cyberattacks on public safety agencies and local governments in the past 24 months, according to a compilation of publicly reported incidents by the cybersecurity firm SecuLore Solutions. That includes Atlanta, which fell victim to a ransomware attack a couple days before the one on Baltimore, scrambling the operations of many agencies, but not the 911 system.
911 centers have been directly or indirectly attacked in 42 of the 184 cases on SecuLore’s list, the company says. Two dozen involved ransomware attacks, in which hackers use a virus to remotely seize control of a computer system and hold it hostage for payment.
Most of the other attacks involve “denial of service,” in which centers are immobilized by a flood of automated bogus calls. One of the first occurred in October 2016, when Meetkumar Desai, then 18, of Arizona, distributed a computer bug on Twitter that overwhelmed 911 centers in 12 states. The motivations for such attacks are often less about the money than doing damage — sometimes as a form of protest, as when the “hacktivist” group Anonymous took down Baltimore’s city website after the death of Freddie Gray while in police custody, experts say. Desai reportedly told authorities he meant his attack more as a prank.
“911 is the perfect [target] because it can’t afford to be down,” said Tim Lorello, SecuLore’s president and CEO.
This is how 911 works: When someone dials for help – typically from a mobile phone – the call gets routed from a cell tower to a 911 center, where a “telecommunicator” answers the phone and gathers basic information. The telecommunicator enters that information into a computer-aided dispatch system, where a dispatcher picks it up and coordinates a response from firefighters, police officers or ambulances.
This 911 system relies on redundancy, meaning that call centers that are taken out of service by a hacking attack can work around the disruption by shutting down the computer-aided dispatch system and sharing information person-to-person, or by sending calls to a nearby center. But depending on the type of attack and a 911 center’s resources, those disruptions can make it more difficult for people to reach someone in case of an emergency. A July 2017 investigation by Scripps News on the vulnerabilities of 911 systems noted the case of a 6-month-old Dallas boy who died after his babysitter’s 911 calls were delayed during an apparent denial-of-service attack.
J.J. Guy, chief technology officer at the cybersecurity firm Jask, said that the spread of ransomware attacks on public safety agencies and other key government operations shows the potential for cyberterrorists to target the country’s critical infrastructure.
Last month, the Department of Homeland Security outlined in a report how Russian hackers have gained access to American power plants. The hackers did not cause service interruptions, but the fact that they could gain access at all is troubling to security experts.
“To date, if you don’t have credit cards or lots of personal information, attackers had little motivation and thus you were mostly safe,” Guy said in an email. “This will change those dynamics. Manufacturing, logistics, etc — any field with an operations mindset that loses money when ‘the line is down’ will be targeted.”
The attack on Baltimore was discovered March 25, after a morning breach of its computer-aided dispatch system, officials said. The city’s cybersecurity unit took the system down, forcing support staff to pass 911 calls to dispatchers using paper rather than electronically. Call-center operations returned to normal early the next day, officials said. Investigators later determined that the intrusion was an attempted ransomware attack, but “no ransom was demanded or paid,” city spokesman James Bentley said. He declined to explain further, saying that “could compromise the investigation.”
Most ransomware cases end similarly, with governments refusing to pay hackers, choosing instead to switch to a more primitive version of 911 services while they rebuild their systems. Governments have caved at times, however, although officials decline to say much about those incidents, out of concern that it will encourage more attacks.
Another problem with the current 911 system is that it doesn’t accommodate the ways people communicate in the modern world – through texts, photos, videos, etc. That is why the 911 industry is pushing telecommunication companies and state and local governments to adopt what it calls Next Generation 911, which allows callers to send data through approved telecommunications carriers and internet service providers (while still taking calls from landlines).
Adoption of Next Generation 911 has been slow and costly, said Brian Fontes, CEO of the National Emergency Number Association, or NENA. A tiny fraction of America is on Next Generation 911; the short list includes Maine and Vermont, with Indiana, Washington state’s King County and part of Texas getting close, Fontes said.
The Next Generation 911 systems will have advanced security baked into their foundations, including the ability to instantly identify suspicious activity, immediately shut down in response to intrusions, and simultaneously move incoming calls to other centers in a way that is undetectable to someone dialing for help, officials say.
But the increased connectivity also opens the modern systems to new potential modes of attack, experts say. No matter how sophisticated a defense, all it takes is one overlooked vulnerability to let hackers in, experts say.
That makes it essential to develop sophisticated defense systems run by in-house cybersecurity teams, they say.
In Baltimore’s case, the ransomware attack was discovered and repelled by Baltimore City Information Technology, which maintains defenses across the local government. It determined that the hackers had found access after a technician troubleshooting the computer-aided dispatch system made a change to a firewall and mistakenly left an opening, the city’s chief information officer, Frank Johnson, said in a statement. The FBI is now helping the city investigate.
Howard, in Tennessee, knows how his attacker obtained access to the 911 center — by finding a weak password left by a deceased former system administrator. The FBI told him it looked as if the attack came from Russia. But he still isn’t sure.
Howard cleaned and rebuilt his system, but struggles to maintain patches for his outdated CAD system. “It’s been a nightmare,” he said.
No one has been caught or prosecuted in the Tennessee or Baltimore attack.
The post Hackers have #taken down #dozens of #911 #centers. Why is it so #hard to stop #them? appeared first on National Cyber Security Ventures.
Experts agree that it’s long past time for companies to stop relying on traditional passwords. They should switch to more secure access methods like multi-factor authentication (MFA), biometrics, and single sign-on (SSO) systems. According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords.
First, let’s talk about password hacking techniques. The story is different when the target is a company, an individual, or the general public, but the end result is usually the same. The hacker wins.
Breaking passwords from hashed password files
If all a company’s passwords are cracked at once, it’s usually because a password file was stolen. Some companies have lists of plain-text passwords, while security-conscious enterprises generally keep their password files in hashed form. Hashed files are used to protect passwords for domain controllers, enterprise authentication platforms like LDAP and Active Directory, and many other systems, says Brian Contos, CISO at Verodin, Inc.
These hashes, including salted hashes, are no longer very secure. A hash scrambles a password one-way, so it can’t be unscrambled back into the password. To check whether a password is valid, the login system hashes the password the user enters and compares the result to the hash already on file.
Attackers who get their hands on a hashed password file use something called “rainbow tables” to decipher the hashes using simple searches. They can also buy special-built hardware designed for password cracking, rent space from public cloud providers like Amazon or Microsoft, or build or rent botnets to do the processing.
Attackers who aren’t password-cracking experts themselves can outsource. “I can rent these services for a couple of hours, couple of days, or a couple of weeks — and usually that comes with support, as well,” Contos says. “You see a lot of specialization in this space.”
As a result, the time it takes to break hashed passwords, even ones previously thought of as secure, is no longer millions of years. “Based on my experience of how people create passwords, you’ll usually crack 80 to 90 percent in less than 24 hours,” he says. “Given enough time and resources, you can crack any password. The difference is whether it takes hours, days, or weeks.”
This is especially true of any password that is created by humans, instead of randomly generated by computer. A longer password, such as a passphrase, is good practice when users need something they can remember, he says, but it’s no replacement for strong MFA.
Stolen hash files are particularly vulnerable because all the work is done on the attacker’s computer. There’s no need to send a trial password to a website or application to see if it works.
“We at Coalfire Labs prefer Hashcat and have a dedicated cracking machine supplemented with multiple graphics processing units that are used to crunch those password lists through the cryptographic hashing algorithms,” says Justin Angel, security researcher at Coalfire Labs. “It isn’t uncommon for us to recover thousands of passwords overnight using this approach.”
Botnets enable mass-market attacks
For attacks against large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use.
According to Philip Lieberman, president at Lieberman Software Corp., these lists are available for free, or at low cost, and include login information on about 40 percent of all internet users. “Past breaches of companies like Yahoo have created massive databases that criminals can use,” he says.
Often, those passwords stay valid for a long time. “Even post-breach, many users will not change their already breached password,” says Roman Blachman, CTO at Preempt Security.
Say, for example, a hacker wants to get into bank accounts. Logging into the same account several times will trigger alerts, lock-outs, or other security measures. So, they start with a giant list of known email addresses and then grab a list of the most common passwords that people use, says Lance Cottrell, chief scientist at Ntrepid Corp. “They try logging into every single one of the email addresses with the most common password,” he says. “So each account only gets one failure.”
They wait a couple of days and then try each of those email addresses with the next most common password. “They can use their botnet of a million compromised computers, so the target website doesn’t see all the attempts coming in from a single source, either,” he added.
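Defenders can still spot the round-robin pattern described above from authentication logs alone: many accounts each failing once, from many source addresses, inside one window, in contrast to one account failing repeatedly. The Python below is an added example, not part of the article; the log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
EPOCH = datetime(1970, 1, 1)

def parse(lines):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]

def detect(lines, window=timedelta(hours=1), min_users=5, min_srcs=3, bf_limit=10):
    """'spray': many accounts fail exactly once from several sources (one failure
    each evades lockout). 'brute_force': one account fails bf_limit+ times."""
    buckets = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "FAIL":
            buckets[(ts - EPOCH) // window].append((user, src))
    alerts = []
    for key in sorted(buckets):
        start = (EPOCH + key * window).isoformat()
        per_user, srcs = defaultdict(int), set()
        for user, src in buckets[key]:
            per_user[user] += 1
            srcs.add(src)
        single = sum(1 for n in per_user.values() if n == 1)
        if single >= min_users and len(srcs) >= min_srcs:
            alerts.append({"window": start, "kind": "spray", "accounts": single, "sources": len(srcs)})
        for user, n in per_user.items():
            if n >= bf_limit:
                alerts.append({"window": start, "kind": "brute_force", "user": user, "failures": n})
    return alerts

# Constructed sample: one spray round (six accounts, one failure each, four source
# addresses) and, two hours later, a brute-force run against a single account.
SPRAY = [("alice", "203.0.113.10"), ("bob", "203.0.113.11"), ("carol", "198.51.100.5"),
         ("dave", "203.0.113.10"), ("erin", "192.0.2.44"), ("frank", "198.51.100.5")]
SAMPLE = [f"2017-10-02T03:{7 * i:02d}:05Z FAIL user={u}@example.com src={s}"
          for i, (u, s) in enumerate(SPRAY)]
SAMPLE.append("2017-10-02T03:20:00Z OK user=alice@example.com src=203.0.113.99")
SAMPLE += [f"2017-10-02T05:00:{i:02d}Z FAIL user=bob@example.com src=198.51.100.7"
           for i in range(12)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned to the site's normal failure rate.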
The industry is beginning to address the problem. The use of third-party authentication services like LinkedIn, Facebook, or Google helps reduce the number of passwords that users have to remember. Two-factor authentication (2FA) is becoming common with the major cloud vendors as well as with financial services sites and major retailers.
Standards-setting bodies are stepping up, as well, says James Bettke, security researcher at SecureWorks. In June, NIST released a set of updated Digital Identity Guidelines that specifically address the issue. “It acknowledges that password complexity requirements and periodic resets actually lead to weaker passwords,” he says. “Password fatigue causes users to reuse passwords and recycle predictable patterns.”
The FIDO alliance is also working to promote strong authentication standards, says Michael Magrath, director of global regulations and standards at VASCO Data Security. “Static passwords are not safe nor are they secure,” he says.
In addition to the standards, there are also new “frictionless” technologies such as behavioral biometrics and facial recognition that can help improve security on consumer websites and mobile apps.
Is your password already stolen?
To target an individual, attackers check if that user’s credentials have already been stolen from other sites on the likely chance that the same password, or a similar password, was used. “The LinkedIn breach a few years back is a good example,” says Gary Weiss, senior vice president and general manager for security, analytics, and discovery at OpenText Corp. “Hackers nabbed Mark Zuckerberg’s LinkedIn password and were able to access other platforms because he apparently re-used it across other social media.”
The average person has 150 accounts that require passwords, according to research from Dashlane, a company that offers a password management tool. That’s too many passwords to remember, so most people use just one or two passwords, with some simple variations. That’s a problem.
“There is a common misconception asserting that if you have one very complicated password, you can use it everywhere and remain protected,” says Emmanuel Schalit, CEO at Dashlane Inc. “This is categorically false. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.” (You can see if your password-protected accounts have been compromised at have I been pwned?.)
Once any one site is hacked and that password stolen, it can be leveraged to access other accounts. If the hackers can get into the user’s email account, they will use that to reset the user’s password everywhere else. “You might have a very good password on your bank or investment account, but if your gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you,” Cottrell says. “There’s a number of high profile people who have been taken down by password reset attacks.”
If they find a site or an internal enterprise application that doesn’t limit login attempts, they will also try to brute-force the password by using lists of common passwords, dictionary lookup tables, and password cracking tools like John the Ripper, Hashcat, or Mimikatz.
Commercial services are available in the criminal underground that use more sophisticated algorithms to crack passwords. These services have been greatly helped by the continued leaks of password files, says Abbas Haider Ali, CTO at xMatters, Inc.
Anything a human being can think of — replacing letters with symbols, using tricky abbreviations or keyboard patterns or unusual names from science fiction novels — someone else has already thought of. “It doesn’t matter how smart you are, human-generated passwords are completely pointless,” he says.
The password-cracker apps and tools have become very sophisticated over the years, says Ntrepid’s Cottrell. “But humans haven’t gotten much better at picking passwords,” he says.
For a high-value target, the attackers will also research them to find information that can help them answer security recovery questions. User accounts are typically just email addresses, he added, and corporate email addresses in particular are very easy to guess because they are standardized.
How to check the strength of your password
Most websites do a very poor job of telling users whether their chosen password is strong or not. They are usually several years out of date, and look for things like a length of at least eight characters, a mix of upper- and lowercase letters, and symbols and numbers.
Third-party sites will gauge the strength of your password, but users should be careful about which sites they use. “The worst thing in the world to do is go to a random website and type in a password to have it test it,” says Cottrell.
But if you’re curious about how long a password would take to crack, one website you can try is Dashlane’s HowSecureIsMyPassword.net. Another site that measures password strength, checking for dictionary words, leet-speak, and common patterns, is the Entropy Testing Meter by software engineer Aaron Toponce. He recommends choosing a password with at least 70 bits of entropy. Again, he recommends not typing your actual passwords into the site.
For most users — and for the websites and applications they log into — this creates a problem. How are users expected to come up with unique passwords for each site, and change them every three months, long enough to be secure, and still remember them?
“A rule of thumb is, if you can remember it, it isn’t a good password,” says Cottrell. “Certainly, if you can remember more than one or two of them, it isn’t a good password — it’s always a couple of words and the name of the website.”
Instead, he says, use randomly generated passwords of the longest length the website allows and store them using a secure password management system. “I have more than 1,000 passwords in my password vault, and they’re almost all over 20 characters,” he says.
Then, for the master password for the vault, he uses a long passphrase. “It should not be a quote, or something from any book, but still memorable to you,” he says. “My recommendation for memorability is that it should be extraordinarily obscene — which also makes it less likely that you’ll go and tell anyone. If you’ve got a 30-character phrase, that’s effectively impossible to brute force. The combinatorics just explode.”
For individual passwords for websites or applications, 20 characters is a reasonable length, according to Cyril Leclerc, Dashlane’s head of security — but only if they’re random. “Crackers will be able to crack a human-generated password of 20 characters,” he says, “but not for a randomly generated password. Even if someone had computers from the future with unlimited power, the hacker would potentially only be able to crack a single password, and only after spending an astronomical amount of time on the task.”
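The gap between a site's character-class meter and a pattern-aware meter of the kind Toponce describes (dictionary words, leet-speak, appended numbers) can be seen in a small estimator. The Python below is an added example, not code from the article, Dashlane or Toponce; the word list, the leet map and the per-tweak bit charges are assumptions for illustration, while the 70-bit threshold is the one the article quotes.

```python
import math
import re

# Constructed mini-dictionary for this example; a real meter uses wordlists of
# millions of entries, so the dictionary branch below is only illustrative.
WORDS = {"password", "dragon", "summer", "welcome", "monkey", "letmein", "hello"}
LEET = str.maketrans("@4$5013", "aassole")  # undo common letter-for-symbol swaps
SYMBOLS = 33   # printable ASCII symbols
MIN_BITS = 70  # threshold recommended in the article

def charset_bits(pw):
    """Naive estimate used by most site meters: length * log2(pool), where the
    pool is the union of character classes the password happens to use."""
    pool = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
                                      (r"[^a-zA-Z0-9]", SYMBOLS)) if re.search(pat, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def estimate_bits(pw):
    """Pattern-aware estimate: split off a trailing number and symbol, undo case and
    leet-speak in the core, and if the core is a dictionary word charge only
    log2(dictionary size) plus about one bit per tweak the user applied."""
    if not pw:
        return 0.0
    core, digits, syms = re.fullmatch(r"(.+?)(\d{0,4})([^a-zA-Z\d]{0,2})", pw, re.S).groups()
    plain = core.lower().translate(LEET)
    if plain not in WORDS:
        return charset_bits(pw)   # no known pattern: fall back to the naive figure
    bits = math.log2(len(WORDS))
    bits += sum(1 for a, b in zip(core.lower(), plain) if a != b)  # leet substitutions
    bits += sum(1 for c in core if c.isupper())                     # capitalisation
    bits += len(digits) * math.log2(10)                             # appended digits
    bits += len(syms) * math.log2(SYMBOLS)                          # appended symbols
    return bits

def strong_enough(pw):
    return estimate_bits(pw) >= MIN_BITS

if __name__ == "__main__":
    for pw in ("P@ssw0rd2017!", "Welcome1", "xK9#mQ2vL7$pR4wZ8nB1"):
        print(f"{pw!r}: naive {charset_bits(pw):.0f} bits, pattern-aware {estimate_bits(pw):.0f} bits")
```

A 13-character "P@ssw0rd2017!" scores about 85 bits on the naive meter but roughly 24 bits once the dictionary word and its tweaks are recognised, while the 20-character random string clears 130 bits on either measure.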
The post How #hackers crack #passwords and why you can’t #stop them appeared first on National Cyber Security Ventures.
Avast solutions help users control who can access their webcam to prevent unwanted spying.
In October, we conducted an online survey around webcam security awareness and found that 61% of Americans are concerned hackers could spy on them through their computer’s camera.
They have every reason to be concerned.
Tools that can hack a computer’s webcam are available on the regular web, as well as the darknet, in some cases even for free. Although many computers come with a light that indicates the webcam has been activated, tools can circumvent the light from being triggered.
The survey reveals that Americans are more aware that hackers can spy on them without activating their webcam’s indicator light compared to the global results. Globally, two in every five (40%) respondents are unaware of the threat, while two-thirds of Americans claim they know of the possibility.
Many people, like former FBI Director, James Comey, and Facebook CEO, Mark Zuckerberg, cover their webcam to prevent unwanted spies from watching them. However, despite concerns being high, only 52 percent of Americans have physically covered up their computer’s webcam.
Covering webcams is a good start, but can be an inconvenience if you frequently need to use your webcam. We at Avast understand this inconvenience, which is why we give our users complete control over who can use their camera, without having to physically cover it up. – Ondrej Vlcek, CTO of Avast
Avast’s new feature, Avast Webcam Shield, which comes with Avast Premier, ends webcam spying for good by blocking malware and untrusted apps from hijacking webcams. Furthermore, users have the option of forcing all apps to ask their permission before they can access the computer’s webcam. The same feature is offered in AVG Internet Security, under a different name, Webcam Protection.
The post Three out of five #Americans concerned #hackers could #spy on them via their #webcam appeared first on National Cyber Security Ventures.
Hackers are a lot like the rest of us, a new study by Israeli cybersecurity firm Imperva shows. Just as some honest computer users are quick to respond to phishing messages – email scams designed to steal personal information – so do hackers respond to documents and files with titles…
The post Israeli firm hacks the hackers, and has advice how to beat them appeared first on National Cyber Security Ventures.
There are many reasons behind why hackers target websites. Years ago, hackers did it out of sheer vanity. To prove that they can hack websites, to boost their egos. But as technology improved, so have the reasons for hacking. In this blog, let’s try to understand why hackers target websites and…
The post Why do Hackers Hack Websites? And How do You Protect Yourself From them? appeared first on National Cyber Security Ventures.
Source: National Cyber Security – Produced By Gregory Evans
Barely a month passes in 2017 without some kind of IT failure hitting the headlines, but the hacks, leaks and breaches that make the news may represent just the tip of the iceberg. An investigation by the i newspaper has revealed that public bodies such as […]