Tag Archives: passwords

Password Security: How to Defeat Credential Stuffing

Troy Hunt, operator of the well-known ‘Have I Been Pwned’ service, is providing a massive list of compromised passwords to help organizations provide better security for users.

The issue Hunt is addressing is a common hacker tactic called ‘credential stuffing.’ Hackers take lists of compromised account credentials and replay them against a separate website or service to unlock accounts there. For example, a compromised social media login is used to try to access the same user’s email account.

This tactic has become increasingly successful with the recent mega breaches at MySpace, LinkedIn, etc. Just ask cybersecurity company FireEye…

FireEye Cybersecurity Analyst Hacked

A group of attackers calling themselves 31337 targeted FireEye, a well-known cybersecurity company and owner of Mandiant. The group used credential stuffing tactics to hack into personal online accounts of Adi Peretz, a senior threat intelligence analyst of Mandiant’s consulting services unit.

From there, they found and released three corporate documents from those accounts on Pastebin – a 32 MB file labeled “Mandiant Leak: Op. #LeakTheAnalyst.” FireEye’s investigation also found Peretz’s LinkedIn account defaced along with compromised Hotmail and OneDrive accounts.

Peretz was just one of the tens of millions of other victims who had their login credentials breached over the past few years, including in the LinkedIn breach last year.

The breach of this analyst’s account illustrates the potential dangers of credential stuffing, even for a company solely focused on cybersecurity.

Employees are often found using personal accounts for work-related activities. This activity extends an organization’s cyber risk to the personal security practices of employees outside of the work environment.

Pwned Passwords

To help remedy this problem, Troy Hunt launched a service called Pwned Passwords. The service provides SHA-1 hashes for the 320 million passwords collected by Hunt from previous data breaches.

NIST recently released updated guidance regarding passwords and authentication practices. One new recommendation was that user-provided passwords be checked against those from previous data breaches.

Organizations and online service providers can download the list of password hashes and use it in their online systems to boost their users’ password security. According to the Pwned Passwords web page, the list can be integrated to verify whether a password has previously appeared in a data breach. Systems can then warn users, or even block the password outright.

Hunt’s original post noting the service highlights several use cases and actions where the list could be valuable: registration, password change, login, and others.
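As an added illustration (not code from Hunt’s service or from this post), here is how a registration, password-change or login flow could consult a local copy of the hash list in Python. The sample list and the per-context warn/block policy are constructed for this example; the real file has hundreds of millions of lines.

```python
import bisect
import hashlib

# Constructed stand-in for the downloadable Pwned Passwords file: one
# SHA-1 hash per line. Only a handful of well-known weak passwords are
# included here so the example runs offline.
SAMPLE_HASH_FILE = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["123456", "password", "linkedin", "qwerty", "letmein"]
) + "\n"

# Where the list is consulted and what happens on a hit, following the use
# cases in Hunt's post (policy values are this example's own assumption).
POLICY = {"registration": "block", "password_change": "block", "login": "warn"}


def load_hash_list(text):
    """Parse the list into a sorted list of uppercase hex SHA-1 digests.

    A sorted list plus binary search keeps lookups O(log n) without the
    memory overhead of a Python set over hundreds of millions of entries.
    Blank lines are skipped and an optional trailing ':count' field (used
    by later releases of the list) is dropped so either layout loads.
    """
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            hashes.add(line.split(":", 1)[0].upper())
    return sorted(hashes)


def sha1_hex(password):
    """SHA-1 of the password bytes as uppercase hex, matching the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pwned(password, sorted_hashes):
    """True if the password's SHA-1 appears in the sorted breach list."""
    digest = sha1_hex(password)
    i = bisect.bisect_left(sorted_hashes, digest)
    return i < len(sorted_hashes) and sorted_hashes[i] == digest


def check_password(password, sorted_hashes, context):
    """Apply the breached-password check at one point in the account flow.

    Returns 'ok', 'warn' (accept but tell the user to change it) or
    'block' (reject the password) according to POLICY for the context.
    """
    if context not in POLICY:
        raise ValueError("unknown context: %r" % context)
    if not is_pwned(password, sorted_hashes):
        return "ok"
    return POLICY[context]


if __name__ == "__main__":
    breached = load_hash_list(SAMPLE_HASH_FILE)
    for ctx, pw in [("registration", "password"), ("login", "linkedin"),
                    ("password_change", "correct horse battery staple")]:
        print(ctx, repr(pw), "->", check_password(pw, breached, ctx))
```

The comparison is on the hash, so "Password" and "password" are different entries; the check does not replace length and complexity rules, it sits beside them.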

The Pwned Passwords service could provide organizations with a valuable tool to help boost their authentication practices.

Mega-Breaches are the New Trend

Millions of account usernames and passwords were leaked in the past month. What are the chances yours were in the list?

The news has been littered with data leaks from some household names – LinkedIn, MySpace, Twitter, to name a few. Apparently, a seller going by the name “peace_of_mind” is low on funds and is selling these large troves of data that were compiled years ago.

Here’s a quick synopsis of each data leak:

LinkedIn

The story is that LinkedIn was hacked in June 2012. The data being sold includes information for 165 million accounts. In response, LinkedIn is resetting all passwords that haven’t been changed since 2012.

LinkedIn was using SHA-1 to hash the passwords. Basically, they were using a hashing algorithm with weaknesses that have been known for over a decade.

The bundle of data from the LinkedIn breach is selling for 2 bitcoin ($1,100) on the dark web.

The fun game of “Guess that Password” shows us that the top three passwords obtained in the data dump were “123456”, “linkedin”, and “password”.

MySpace

When was the last time you thought about MySpace? That was so 10 years ago… literally.

The MySpace data dump involves the information for a whopping 360 million accounts, and is being touted by some as the largest data breach of all time.

Accounts created on MySpace’s old platform, prior to July 2013, were compromised. The early indication is the breach occurred in late 2008 or early 2009.

Passwords on MySpace’s old platform were also hashed with SHA-1 and reflect the poor security practices of old.

The trove of information from the MySpace breach is selling for 6 bitcoin ($3,200) on the dark web.

Twitter

The Twitter incident is the most recent to take over the headlines. Apparently, a database of 33 million accounts is being sold for 10 bitcoin ($6,000).

This case is a little different, as it doesn’t look like Twitter itself is the cause of the incident. Experts are pointing to the users’ own machines as the point of compromise. The information was acquired starting at the beginning of last year: browsers infected with malware sent hackers the login credentials as users entered them on the Twitter site.

Key Takeaways

These are all part of a recent pattern of large breaches from several years ago being uncovered. The breaches all seem to be from an era where security measures – especially with stored passwords – were not as strong.

The common response is “Why would old login information be valuable? I haven’t even logged into MySpace in 10 years. Let hackers have that account.”

The value in the information being sold applies to account takeover in other areas – e.g. email accounts, bank accounts, etc. Many people reuse the same login information for multiple sites, and the data from these breaches could give access to those more sensitive accounts.

The number of people who haven’t updated their passwords since these breaches several years ago, or who still use the same passwords for their email accounts, is probably high. Others, like Facebook, Netflix, and Reddit, are taking a proactive approach and resetting passwords to mitigate the risk of users’ accounts being hacked.

Security 101:

The safe strategy is to just change passwords for any accounts you don’t want hacked. And if you haven’t changed your password since these hacks years ago – shame on you. Stop reading and go change your password.

The other best practice to note is don’t use the same password across multiple accounts. We know this gets harped on a lot, but when users complain about their accounts being hacked, it needs to be repeated.

***Note: Spammers will probably be keen on the volume of available email addresses released from these data breaches. If you’re still using the same email from several years ago, you might see an uptick in the emails sitting in your spam or junk folder.

Top 25 Worst Passwords of 2015

Every year, SplashData releases a list of the most popular passwords discovered in data breaches over the past year. Once again, the worst passwords that topped the list were… drum roll please… “123456” and “password.”

Sports were popular choices with “football” and “baseball” making the list. Also, with all the hype around the new movie, “starwars” made its way onto the list this year. Security experts are beating a dead horse when trying to preach password best practices. Having a strong, unique password for every account is without a doubt a pain.

Various companies, including Google, Yahoo, and Apple, have been exploring different ways to eliminate the need for a password to authenticate a user. Google and Yahoo have implemented techniques that allow users to authenticate themselves using their mobile phones. And Apple’s iPhones have become well known for their fingerprint scanners that unlock the device. However, each of these methods has its own set of flaws – from lost mobile devices to replicated fingerprints.

Two-factor authentication seems like the best method at the moment. Usually, that requires users to type in their password along with a one-time code that is sent to their phone.

So without further ado, here is the list of the 25 most popular passwords in 2015:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars

HTTPS Bicycle Attack Can Reveal Sensitive Data

What is the HTTPS Bicycle Attack?

The HTTPS Bicycle Attack can discover the length of sensitive data, such as a user’s passwords. This attack forces security professionals to once again consider the notion of password security. Something as simple as knowing the length of a password can narrow down the range of possibilities and make brute force attacks much more targeted and effective.

HTTPS is an encrypted protocol for secure communication over a computer network which is widely used on the Internet. Recently, security researcher Guido Vranken published a paper detailing a new attack method on TLS/SSL-encrypted traffic, allowing attackers to extract some information from HTTPS data streams.

Best Practices

To protect against HTTPS Bicycle Attacks, it’s recommended that webmasters turn off support for TLS stream ciphers, always use the latest version of the TLS protocol (currently 1.2), and add padding to any sensitive data sent via HTTPS to mask its actual length. Implementing and enforcing strong password policies and taking advantage of two-factor authentication are becoming a necessary foundation for an information security program.
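An added example, not from Vranken’s paper or this post, of the padding recommendation: the password field is sent at a fixed size, so the encrypted record length no longer tracks the password length. The TLS record overhead constant is a constructed assumption used only to model record sizes; no real TLS is involved.

```python
import base64
import json

# Constructed model, not a TLS implementation: under a stream cipher the
# record is the plaintext length plus a constant header/MAC overhead, so
# any variation in record size comes straight from the plaintext.
TLS_STREAM_OVERHEAD = 5 + 20   # assumed: 5-byte record header + 20-byte HMAC
PADDED_FIELD_LEN = 128         # fixed on-the-wire size of the password field


def login_body_plain(username, password):
    """A login POST body as usually sent; its size tracks len(password)."""
    return json.dumps({"user": username, "pass": password}).encode("utf-8")


def pad_secret(secret, size=PADDED_FIELD_LEN):
    """Encode a secret as '<len>:<base64>' and space-pad it to a fixed size.

    Base64 keeps the field ASCII with nothing JSON would escape, so one
    character is always one byte on the wire. Secrets that do not fit are
    rejected instead of overflowing the field (which would leak again).
    """
    b64 = base64.urlsafe_b64encode(secret.encode("utf-8")).decode("ascii")
    body = "%d:%s" % (len(b64), b64)
    if len(body) > size:
        raise ValueError("secret too long for the fixed-size field")
    return body + " " * (size - len(body))


def unpad_secret(field):
    """Reverse pad_secret; the length prefix makes stripping unambiguous."""
    length, _, rest = field.partition(":")
    return base64.urlsafe_b64decode(rest[: int(length)]).decode("utf-8")


def login_body_padded(username, password):
    """Same form, but the password travels in a fixed-size padded field."""
    return json.dumps({"user": username, "pass": pad_secret(password)}).encode("utf-8")


def stream_cipher_record_len(body):
    """Modelled TLS record length for a stream cipher (no block padding)."""
    return len(body) + TLS_STREAM_OVERHEAD


def length_leaks(body_builder, username, candidate_passwords):
    """True if different passwords give different record lengths, i.e. an
    observer of the encrypted traffic could tell them apart by size."""
    sizes = {stream_cipher_record_len(body_builder(username, p))
             for p in candidate_passwords}
    return len(sizes) > 1


if __name__ == "__main__":
    tries = ["hunter2", "correct horse battery staple", "pässwörd"]
    print("plain field leaks length:", length_leaks(login_body_plain, "alice", tries))
    print("padded field leaks length:", length_leaks(login_body_padded, "alice", tries))
```

Padding only hides the length within the fixed field size, so the size must be chosen above the longest password the site accepts.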

Wifatch Malware Improves Security?

Symantec has reported on an interesting piece of malware that aims to increase the security of the devices it infects. The name of this malware is Linux.Wifatch, and it has been infecting Internet of Things (IoT) devices since 2014. The Wifatch network has infected more than 300,000 devices so far.

Attackers have found IoT devices particularly useful and have taken advantage of the common weaknesses that many still ship with – out-of-date software and default passwords. IoT devices become very useful to attackers once they have control over the device. Many times the attacker will use a botnet – a collection of infected devices – to launch Distributed Denial of Service attacks on larger servers or networks.

The average user is usually oblivious to their device being infected. As in the DDoS example, there are many instances in which the attacker isn’t looking to hurt the device or steal information from it. They simply utilize its functionality in the background for larger attacks. And because of the stealthy nature of the attack, attackers can maintain their control of the device for long periods of time without being detected.

What does Linux.Wifatch do?

So how does Linux.Wifatch compare to the other malware in the wild infecting countless devices? Wifatch infects the device much like other remote access malware using common vulnerabilities. But that’s where Wifatch starts to differ from other malicious software.

Wifatch starts to distribute threat updates to the infected device. It seeks out and removes existing malware on the device. If successful, Wifatch will leave behind a warning message that encourages the user to change the passwords for the device and update the firmware. Wifatch also configures the device to reboot automatically on a regular basis to reset the device to a clean state and get rid of any active malware.

The hackers’ original plan was to quietly secure devices with poor security hygiene behind the scenes. Being hidden allowed the hackers to stay off the radars of other malware authors they are trying to protect against. The device users are usually unaware their routers are being used to attack other hosts on the Internet.

The hackers released part of the code for the Wifatch malware and made it free to use under the General Public License. The goal is to get people to take security more seriously and adopt better security practices on their devices.

Best Practices:

The team behind Linux.Wifatch responded to questions by saying that they don’t use any elaborate backdoors or zero-day exploits to hack into devices. Instead they rely on telnet and other simple protocols, then try several trivial passwords – like password – or default passwords to gain access. In effect, the team is only infecting devices that aren’t protected at all in the first place.

It seems like the goal of Linux.Wifatch is to get users adopting security best practices with their devices. So with that in mind, the best way to protect against malware – like Linux.Wifatch and other malicious software – is to stay current with any updates and change default or weak passwords.

How Security Experts Stay Safe Online

With the many security “best practices” floating around for online activity, it can be daunting to recognize which practices are actually most effective at increasing your security. The Google Online Security Blog published an article based on two surveys that compare the top security practices of security experts and non-experts. The surveys asked both groups what actions they take to maximize safety online.

The good news is that all of the top practices mentioned make a user more secure. It’s refreshing to see proper password management show up on both lists. Experts rely more on password managers that protect and store a user’s passwords in one place. The reason non-experts use password managers less frequently seems to be a lack of education about the benefits of the tool.

The key difference lies in the non-experts’ reliance on antivirus programs and the experts’ reliance on software updates. Antivirus programs have benefits, but also leave gaps for malware that hasn’t yet been detected in the wild. On the other hand, software updates are the “seatbelts of online security, they make you safer, period.”

Take note of the experts’ top security practices and how you can implement them into your organization’s online activities.

You can find the full research paper here.

Ten Easy Ways To Protect Yourself Online

The Oxford Club recently published an article that eloquently reiterates 10 of the easiest ways for Internet users to best protect themselves.

  1. Use Strong Passwords. The longer and more complex a password is, the better. Use a combination of letters, numbers, uppercase, lowercase and special characters. This blog has good recommendations for creating strong passwords.
  2. Change Passwords. Regularly change passwords on your accounts to keep out any unauthorized access.
  3. Use Different Passwords for Each Site. If all of your passwords are uniform across your online accounts, and an attacker gets the password for any one of them, then they can compromise the rest of your accounts.
  4. Ensure Social Sites are Secure. Check privacy settings on your social media accounts. Don’t publicly post sensitive information, like your phone number, or accept random friend requests. Social engineering scams are increasingly moving to the social media sphere.
  5. Update. Update your critical applications regularly. Attackers often take advantage of old, well-known vulnerabilities in common applications like Adobe products or browsers like Internet Explorer.
  6. Secure Wireless Networks. Don’t leave your wireless networks open or with default credentials. This opens the door for attackers to snoop for sensitive information going out to the Internet – credit card numbers, Social Security numbers, etc.
  7. Click Carefully. If in doubt, don’t click. Don’t click on any attachments or links that you are not expecting or that are not from a trusted source. This is the traditional approach for attackers to install malware on your devices.
  8. Use One Card. Only use one credit card online for purchases. If your information is compromised, you will know which card number is breached.
  9. Anti-Virus Software. This is the first layer of defense against malware that might be trying to compromise the network via your device.
  10. Guard Information like Your Wallet. Phishing is the most prevalent way attackers gain access to your information. Always be on alert and don’t reveal any sensitive or personal information to unknown sources.

Warning – Change Default Passwords for Webcams

The dangers that come with weak passwords were shown again last month with the launch of a website that hosts live webcam feeds across the world. As reported by the UK Information Commissioner’s Office (ICO), the Russian website provided live streams from webcams which had no password protection, or used default passwords.

“The footage is being collected from security cameras used by businesses and members of the public, ranging from CCTV networks used to keep large premises secure, down to built-in cameras on baby monitors,” said Simon Rice, ICO group technology officer.

Key Takeaways: some preventative measures:

  • Change default passwords, or set a new password
  • Disable remote access (if it’s not needed) in the device’s security settings

LinkedIn’s Proposed Breach Settlement Pays Premium Users

According to a report in MediaPost, social networking service LinkedIn has agreed to pay $1.25 million to settle a class-action lawsuit stemming from a 2012 data breach in which hackers accessed and posted 6.4 million users’ passwords online. The proposed settlement calls for LinkedIn to pay up to $50 to qualifying users who purchased premium memberships. If approved, the settlement will resolve a class-action lawsuit brought by Virginia resident Khalilah Gilmore-Wright, a paid LinkedIn subscriber. Wright alleged that she wouldn’t have purchased a premium LinkedIn membership if she had known the company used “obsolete” security measures.

LinkedIn’s paid users can submit a claim if they declare that they read the privacy policy and were influenced by the company’s statements about security. Lawyers for Wright estimate 20,000 to 50,000 subscribers will qualify for payments from the settlement fund.