
Malware called Gooligan breached the security of more than 1 million Google accounts, initially spreading through “tens of fake apps”, according to security firm Check Point.

Gooligan potentially affects devices using older (but still common) versions of Android, including Jelly Bean, KitKat and Lollipop. The majority of such devices (57 per cent) are in Asia, with 9 per cent in Europe.

Check Point added that the campaign is attacking 13,000 additional devices each day.

The firm found that every day Gooligan installs at least 30,000 apps fraudulently on breached devices, totalling more than 2 million apps since it began.

According to Adrian Ludwig, director of Android security at Google, the tech giant has investigated the case and found no evidence of user data access.

He said Google is working to strengthen the Android ecosystem security and recommends users update their devices to ones that support newer Android software.

Google is also working with the internet service providers that provide infrastructure used to host and control the malware.

“Taking down this infrastructure has disrupted the existing malware, and will slow the future efforts,” Ludwig said.

How it works

Gooligan roots infected devices and steals authentication tokens that can be used to access data from services including Google Play, Gmail, Google Photos, and Google Docs.

It uses Google credentials to generate fraudulent installs of other apps.

Check Point explained that it found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores, which are an “attractive alternative” to Google Play because many of their apps are free, or offer free versions of paid apps.

However, the security of these stores and the apps they sell isn’t always verified. Gooligan-infected apps can also be installed through phishing scams, where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

Source : https://www.mobileworldlive.com


From W-2 scams to WordPress vulnerabilities, ransomware, business email compromises, DDoS attacks and allegations of a hacked presidential election -- 2016's been a hell of a year in cybersecurity, and it's not over yet.

There's no reason to believe 2017 will be any better. If anything, it could be even worse as cybercriminals continue to push social engineering, find new ways to deliver malware, crack vulnerable databases and leverage mobile technology to find ways to get inside corporate defenses and target individuals.

We asked two leading cybersecurity experts, Matt Dircks, CEO of secure access software company Bomgar and Scott Millis, CTO at secure device management and mobile security company Cyber adAPT, what to expect in 2017.

1. Passwords 'grow up'

The recent DDoS attack that wreaked havoc on a huge portion of the internet on Oct. 21 was at least partly enabled by unchanged default passwords on IoT devices, which hackers were able to exploit, says Dircks. Don't think you're immune; how many of your users have simple, common or outdated passwords? In 2017, Dircks says, better password management services will gain traction as businesses understand how vulnerable they are.

"I used to do a party trick where I'd go to someone's house and hack their router. There are so many purpose-built, 'dumb' devices out there like the routers used to facilitate the DDoS attack a few months ago, that it's making hackers' jobs easy," Dircks says.

Cybersecurity professionals will struggle to protect critical infrastructure, connected systems and remotely accessed systems and devices while weak password practices remain the norm, but it's not just external threats that are a problem.

Mitigating insider threats can also be accomplished through better password management, he says. The best way to do so is to implement a solution that securely stores passwords that remain unknown to users, and then regularly validates and rotates those passwords to ensure safety and security, he says.

"What we're talking about is credential vaults. In an ideal world, a user would never actually know what their password was -- it would be automatically populated by the vault, and rotated and changed every week. Look -- hackers are intrinsically lazy, and they have time on their side. If you make it harder for them, they'll go elsewhere rather than invest the energy to chip away," Dircks says.

2. Privilege gains power

Hackers want high-level access, which they get through targeting the credentials of privileged users like IT professionals, CEOs and vendors, Dircks says. And while organizations have applied security to the systems, applications and data that are most critical to their business, these preventative measures simply aren't enough anymore. In 2017, he says, savvy organizations will finally get serious about protecting not just systems, but privileged users by identifying them, monitoring their access and closing off access to what they don't need.

"We've had some clients who say, 'Well, I just stick my users or outside vendors on the VPN and they're fine,' but they have no idea what they are actually accessing! With privilege management, think of it like an elevator bank, where depending on your role, you can only get to certain floors. It really limits what you can do, especially if you're malicious. Even if I do have a valid password, if my privilege lets me access floors one and seven, but I try to go to six, then the system will block me and notify someone," Dircks says.

Addressing this issue, too, will require organizations willing to provide extensive education and training on the potential dangers involved, especially in an increasingly mobile workforce where many individuals would rather sacrifice privacy and personal data for access, and believe their security will be taken care of by third-party service providers and application creators, he says.

"Especially in the last few generations of digital natives, people are more than willing to give up their personal information and data for access to apps, connectivity, information -- this can easily be exploited. And they are willing to trust that these app developers, these providers, will make sure they're safe and secure. That's dangerous. Combine the cybersecurity skills gap, talent shortage, mobile workforce, app-centric environment, more sophisticated hacking and it's a perfect storm. We think it's just going to get worse before it gets better," Dircks says.

3. The security blame game will heat up

"When we talk to our clients, one trend we're seeing that is really horrifying is that they don't even say 'if' an attack occurs anymore, they say 'when.' It's like, at this point they are just throwing up their hands and saying, 'Well, I'm gonna get hit, how bad is it going to be?' and that, to me, is just terrifying," Dircks says.

The IoT and increasing reliance on security solution providers means companies may not be able to easily account for ownership or origin once a breach happens, he says. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected to internal systems that can't yet be patched? A number of IoT devices are often overlooked because they fall outside of IT's traditional purview, but that means exposure to threats.

"With the integration of IoT, automation and the cloud, no one seems entirely sure who's actually responsible for maintaining security of all these various pieces: the IoT device manufacturer? The security services provider? The internal IT department? Individual users? You're only as secure as the least-secure device or relationship," Dircks says.

When a breach occurs, even with layers of security, the question of who "owns" it and who had or has power to do something about it will create intense reactions and finger-pointing, he says.

Companies can head off this blame game by ensuring open communication between IT and business leadership to understand the potential threats, options for security and safety and the challenges and constraints that exist within the organization, Dircks says.

"Part of the problem is that, as a CSO, a CISO or even a CIO -- anyone with security responsibility -- you're either invisible, if you're doing your job right, or you're on the hot seat. If you come up with great policies, procedures and security measures, then you often leave those to IT to operationalize. But if those fail because you didn't understand the business needs, the budgets, the requirements, then you're not really helping," he says.

4. Ransomware will spin out of control

Since January 1, 2016, Symantec's Security Response group has seen an average of more than 4,000 ransomware attacks per day: a 300 percent increase over 2015, according to its 2016 Internet Security Threat Report.

Most organizations rely on low-overhead prevention techniques, such as firewall and antivirus solutions or intrusion prevention to mitigate threats like these, says Cyber adAPT's Scott Millis. However, these tools are insufficient, and breach data shows that detection and incident response must be improved.

And as attackers continue to use social engineering and social networks to target sensitive roles or individuals within an organization to get to data, the need for comprehensive security education becomes even more critical, he says.

"If security policies and technologies don't take these vectors into account, ransomware will continue to seep in. There's also the issue of detection. Some attackers can reside within a company's environments for months, often moving laterally within environments, and silos between network, edge, endpoint and data security systems and processes can restrict an organization's ability to prevent, detect and respond to advanced attacks," Millis says.

Finally, new attack surfaces -- for example, IaaS, SaaS and IoT -- are still so new that organizations haven't yet figured out the best way to secure them, he says.

5. Dwell times will see no significant improvement

Dwell time, or the interval between a successful attack and its discovery by the victim, will see zero significant improvement in 2017, Millis says. In some extreme cases, dwell times can reach as high as two years and can cost a company millions per breach.

"Why so long? In my view, this is annoyingly simple -- there's little or no focus on true attack activity detection. At the advent of the 'malware era', companies, vendors and individuals were rightly concerned about 'keeping out the bad guys', and a whole industry grew quickly to focus on two basic themes: 'Defense-in-depth', which I view as layering prevention tactics in-line to make penetration from the outside more difficult; and 'Malware identification', which manifested itself as an arms race towards 100-percent-reliable identification of malware," Millis says.

While response technologies and remediation capabilities improved, and victims were able to isolate and repair damage very quickly, these technologies didn't help reduce dwell time unless response teams stumbled upon something malicious or randomly discovered an anomaly, Millis says.

Nowadays, security pros are using network device log files to search for clues as to whether an attack has been attempted or has succeeded, but storing and sorting through the massive amounts of data needed for this approach is costly and inefficient, Millis says.

"The need for huge data stores and massive analytics engines drove the new security information and event management (SIEM) industry. While SIEM is a great after-the-fact forensics tool for investigators, it still isn't effective in identifying attacks in progress. What we -- and some other companies -- are doing now is developing products that focus on analyzing raw network traffic to identify attack indicators. Finding attackers as soon as possible after they have beaten the edge or device prevention gauntlet, or circumvented it entirely as an innocent or malicious insider, will dramatically shorten dwell time," he says.

6. Mobile will continue to rise as a point of entry

At least one, if not more, major enterprise breaches will be attributed to mobile devices in 2017, Millis predicts. A Ponemon Institute report found that for an enterprise, the economic risk of mobile data breaches can be as high as $26.4 million and 67 percent of organizations surveyed reported having had a data breach as a result of employees using their mobile devices to access the company's sensitive and confidential information.

People and their mobile devices are now moving around way too much, and much too fast, for old-fashioned cybersecurity strategies to be effective, Millis says. Add to that an increasing sense of entitlement by users with regards to the devices they choose to use, and you have a situation ripe for exploitation.

"Many users feel they can protect their privacy while having secure, uninterrupted access to business and personal services. And still many people subscribe to the view it is not they who are accountable for security breaches; if they can work around 'security' to improve their user experiences, they will. CISOs, CIOs and CEOs view this as a complex challenge to the implementation of their enterprise security strategies, and one that won't be solved by having email and calendar data delivered over SSL to a single, approved OS," Millis says.

Mobile payments, too, will become a liability. MasterCard's 'selfie pay' and Intel's True Key are just the tip of the iceberg, he says. Individuals should understand that they need to treat their biometric data just as carefully as they do other financial and personal data; again, that comes down to education and training, he says.

"Wouldn't it be nice if public Wi-Fi access providers were required to put up the internet allegory to the warnings on cigarette packs? Something like, 'Warning: This public access connection is not secure and information you send and receive while connected may possibly be viewed, collected and subsequently used by criminals to steal your assets, identity or private information,'" Millis says.

7. Internet of threats?

IoT vulnerabilities and attacks will rise and will increase the need for standardization for various security measures -- hackers at this year's Def Con found 47 new vulnerabilities affecting 23 devices from 21 manufacturers.

And, of course, in October 2016 the massive DDoS attack on major global websites including Twitter, Netflix, Reddit and the UK government's sites was reportedly powered by the Mirai botnet, made up of insecure IoT devices.

"A lot of attention is focused on 'smart devices' as proof of IoT's growing influence. The reality is a connected device doesn't make it a smart device. The 'things' that are being connected often 'fire-and-forget' in their simplicity, or are built-in features and tools we may not even know are there -- like the routers used in the Mirai botnet. This leads to a mindset of ignoring these 'dumb' devices without paying attention to the fact that these devices, while inherently 'dumb', are connected to the biggest party-line ever made: the internet," says Bomgar's Matt Dircks.

This isn't just a problem for smaller consumer devices, or even for connected homes and cars. Dircks isn't even particularly focused on the possibility of another DDoS attack. What's more troubling is the potential for an attack on large, widespread infrastructure systems like the power grid, or even avionics or railway systems, he says.

"I'm not worried about things like, if my connected showerhead turns on hot or cold. I think there's a fairly significant chance we'll see a major hack on power grids or on transportation systems like rail in 2017. This is the 'dumb' IoT that's still out there -- the technology from the 1950s and 1960s that's powering these critical infrastructure systems that is almost totally unsecured," he says.

This is a perception problem; the general public doesn't tend to see these systems as being similar to the IoT devices they use with increasing frequency -- even mobile phones can fall into that category, says Millis.

"Like smart-phones before them, IoT devices are assumed to be new, separate, and not subject to the same limits, as older technology, but think about it. It's nonsense: Smartphones are the most plentiful internet device around. IoT is the next hyper-jump in scale. Some organizations are wisely ahead of the curve a little bit this time, trying to head off the same security issues that mobile devices are facing now. So far, activity here has all come down to prevention yet again, but we believe every device and/or connection can be compromised. Shortening dwell time and securing IoT depends on being able to tell when that inevitably happens, as quickly as possible and with the highest level of confidence," Millis says.

Source : http://www.cio.com.au/

Author : Sharon Florentine


Looming behind the excitement at SC16 around new digital enterprise strategies is the growing menace of cyber-attacks. But in spite of these worries, the state of cybersecurity readiness at too many companies is woefully inadequate. 

That’s the finding of Bob Sorensen, research vice president, HPC Group, at industry watcher IDC delivered at the analyst group’s annual HPC Update breakfast at SC16 this week in Salt Lake City. Sorensen’s message: If your company has the characteristics of a cybersecurity “worst practitioner” (which tends to be among public utilities, hospitals and universities – manufacturers are generally “middle of the pack”), the time to adopt new cybersecurity strategies is now.

IDC conducted a study of cybersecurity at 62 large industries in the U.S. and Europe across the financial services, technology, manufacturing, retail, hospital and academic sectors. Here are excerpts of his comments:

The State of Cybersecurity

The key concerns that came out in our study: Most US companies are underprepared to deal with cybersecurity threats. Even though there are lots of good best practices, they’re only being conducted by a small number of leading-edge firms. On average, firms are not availing themselves of what’s readily available, and that’s a cause for concern.

Detecting a breach can take up to two years. That’s really a disturbing concept, that someone could be nosing around corporate data that’s not only unprotected, not just to steal data, but to change it. Data integrity is a concern, the idea that the data you’re using to make critical decisions in research or business process environments may not be the right data, it may have been changed for nefarious reasons. It’s one of the silent concerns.


The Big Fear: Reputation Damage

One of the things we found with the Target breach, a very public intrusion, is that Target really didn’t take a huge financial hit on the actual intrusion itself. There was insurance in place, there was pushing off losses to the finance companies that Target deals with.

What we found, what really scares companies, isn’t the loss of dollars, it’s the loss of reputation, which brings with it a future loss of income that you simply cannot determine. Companies…can buy insurance for a particular hit, that’s a known quantity, but what they can’t do is figure out how that affects their line of business down the line. Which speaks in some sense to the idea that there’s probably a lot of cyber-attacks we’re not finding out about simply because it benefits these companies greatly to keep attacks under wraps as long as possible.

Malware Manners

We heard this time and again: malware people are conducting themselves in a very proper and organized manner. The thinking with a lot of them is…they don’t charge too much because they don’t want to kill the goose that laid the golden egg. (Malware practitioners think of it as) a very refined, respectable business to be in. You come in and say: ‘Give us some money and we’ll go away.’ You give them money and they do go away because if they don’t, no one’s going to give them more money. And if they ask for too much money there are going to be problems. So right now it’s a very genteel world out there for malware.

Conflicting Priorities: Security and Access

IDC's Bob Sorensen


There’s a major tradeoff between security and easy access (to the network and to data). It’s something every business has to deal with. We asked questions about balancing security and processes, and the underlying goal is: ‘We have to do both, we can’t sacrifice our business plan for our cybersecurity.’ We found time and again even among the best practitioners in data security: Job 1 is conducting business, and that process is king. This is handed down from the board of directors of the company, and then they tell cybersecurity teams, ‘Make us secure under this realm.’

Proliferating Points of Attack

Heterogeneity is a problem: the idea of ‘bring your own device,’ multiple operating systems, clouds. There are lots and lots of end points out there, lots of way to enter a network, and these are things cybersecurity folks are definitely worried about.

We talked to the cybersecurity chief at Nike; he said he has 59 (network) access points to worry about every day because he has to make sure everyone who gets on the Nike website, who wants to look at the new and latest sneaker, has access, can order, can conduct business. That’s his job, and he has to work within those confines.

There is increasing access from the network edges. The one I would point out is suppliers. Supply chain issues I think are really interesting. More and more large industrial companies are increasingly tied electronically to their supply chain, and that is a real vulnerability….

Worst Practices: Wait and See

A lot of the worst practitioners really just buy insurance…. The worst practitioners time after time said, ‘We have the best tools, life has got to be good.’ The story we like to repeat: the companies that seem to be most sanguine with their cybersecurity infrastructure say: ‘We’ve never been hit before so we must be doing something right.’ They weren’t terribly forward looking when it came to actually making sure they were more secure….

Everybody (in the survey) had data breach plans, but… a lot of them were not IT-related. The thinking wasn’t to gather up forensics and figure out how to plug holes. It was how to deal with the publicity aspect, the legal aspects, the privacy concerns, the possibility of getting sued. This surprised us….

Best Practices: People vs. People

One thing we found is that the best practitioners see this as a people vs people battle. This is not a tool war where as long as you have the best software, as long as you roll out the patches when you’re supposed to, then life is good. It’s really about finding, hiring and retaining the best people to go after the people who are trying to get at you.

Best Practices: Be Proactive

An interesting concept that we see is that proactive cybersecurity teams think in terms of educating the user base within their companies. They’re not just sitting back and making sure the patches are installed and making sure everyone changes their password every six months. It’s really more about reaching out…to the individual people within firms and making sure they understand their roles.

For example, one company closely watches social media. And they look for key events that they think could trigger a phishing attack. When it became known that Prince had died, they sent out an email to their entire company saying there’s a good chance you’re going to get an email in the next 24 hours asking if you want to see the Prince tribute video. So the idea is to proactively get employees to be aware of what their responsibilities are.

Another story we heard is about companies buying stolen credit card numbers. Not because they want to get involved in law enforcement but because it’s cheaper to buy stolen credit card numbers and put them in your database. So if someone tries to buy something with a stolen number you can kick them out. It’s an interesting, proactive way to do this.

So the good cybersecurity team isn’t waiting for problems, it’s going after solving them before they happen.


Data Scientists and Cybersecurity

Most companies aren’t using Big Data (for cybersecurity purposes) in the sense that we in the HPC community think about Big Data… When we asked companies why they weren’t using Big Data, they said they can’t find Big Data scientists who know how to do cybersecurity.

And when we went to companies that have lines of business that use smart data scientists, they said, ‘Yeah, they’re over there contributing to the bottom line of the company. We can’t bring them over to cybersecurity, they’re going to stay over there making money for the company.’

Virtual Cybersecurity Data Science

What I see in the future is really where HPC comes into play here. The goal for a lot of cybersecurity teams is real-time intrusion detection. They want to have a dashboard that tells them something odd has happened in the network. And a lot of folks think that deep learning – the idea that you have a system that monitors the steady state of the network and rises to the attention of humans where something has gone awry.

We’re going to see more efforts for high powered systems and deep learning to do real-time monitoring…almost as a way to get companies out of having to find data scientists. This might be an ultimate method toward dealing with cybersecurity… It’s something the HPC world is going to be involved in much more going forward.

Author: Doug Black

Source: https://www.hpcwire.com


Choosing and managing passwords is the fundamental security measure within the client’s control. Even if the application and its server are impenetrable, that means absolutely nothing if your password can be cracked by an average Joe.

You would think that all security conscious people would know how to protect themselves, but I frequently see cases like this:

CaliConnect’s Private PGP Key & Account Password Was “asshole209”

Twitter – Launched & Hacked in 2 Hours (Password was: 123123123…)

Cantina Marketplace PWND: Admin Password was: “Password1” ?!

This tutorial explains how passwords are cracked even when the server and client side are protected. The effectiveness of these methods depends heavily on the attacker’s processing power, which we’ll analyze after the attack methods.

If you just want to know the easy way to stay safe, jump to ‘Easy way to manage strong passwords’.

Brute Force Attack

A brute-force attack is a technique of enumerating all possible password candidates and checking each one. It is not an elegant attack method, but sometimes it’s all that’s needed. This attack is feasible only against very weak passwords.

Dictionary Attack

A dictionary attack is a variant of the brute-force attack in which the attacker gathers all available information about the targeted password(s) and creates a ‘dictionary’. The dictionary is a customized list of password candidates, typically starting with a list of the most common passwords, followed by frequently used dictionary words and some combinations of them. Next, the dictionary often contains all those words with common prefixes and suffixes, such as numbers and punctuation signs.

Dictionary attacks are relatively easy to defeat by choosing a password that is not a simple variant of a word found in any dictionary. Many password cracking tools have built-in dictionaries. This page gathers information on the most popular tools, their dictionaries and collections of leaked passwords for analysis in one place.
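The defensive counterpart of the mutation rules described above is a check that refuses any password a dictionary attack would reach. Below is an added Python example (not part of the original tutorial) that undoes the common mutations the text mentions, stripping leading and trailing digits or punctuation and reversing letter-for-symbol substitutions, and then tests whether what remains is a common word or a doubled one. The word list, the substitution tables and the 12-character minimum are constructed for the example; a deployed check would load a real leaked-password list.

```python
import re

# Constructed mini-dictionary of common passwords and words (assumption: a
# deployed check would load a full leaked-password list instead).
COMMON_WORDS = {
    "password", "pass", "qwerty", "letmein", "welcome", "dragon",
    "monkey", "football", "admin", "secret",
}

# Symbol-for-letter substitutions that mutation rules typically apply.
# "1" is ambiguous (l or i), so both readings are tried.
_LEET_TABLES = [
    str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                   "7": "t", "@": "a", "$": "s", "!": "i"}),
    str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                   "7": "t", "@": "a", "$": "s", "!": "i"}),
]

# Leading/trailing runs of digits, punctuation and underscores are the
# "common prefixes and suffixes" the text mentions; keep what lies between.
_AFFIXES = re.compile(r"^[\W\d_]*(.*?)[\W\d_]*$", re.DOTALL)


def core_words(candidate: str) -> set[str]:
    """Reduce a candidate to the dictionary words an attacker's mutation
    rules would have started from: strip affixes, lower-case, undo leet."""
    stripped = _AFFIXES.match(candidate).group(1).lower()
    return {stripped.translate(table) for table in _LEET_TABLES}


def is_dictionary_variant(candidate: str, words: set[str] = COMMON_WORDS) -> bool:
    """True if the candidate is a listed word, an affix/leet mutation of one,
    or a doubled word such as 'qwertyqwerty'."""
    for core in core_words(candidate):
        if core in words:
            return True
        half = len(core) // 2
        if half and core[:half] == core[half:] and core[:half] in words:
            return True
    return False


def check_password(candidate: str, min_len: int = 12) -> tuple[bool, str]:
    """Policy check: minimum length first, then reject anything a dictionary
    attack would reach. Returns (accepted, reason)."""
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    if is_dictionary_variant(candidate):
        return False, "variant of a common password or dictionary word"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample inputs, including the tutorial's own strong example
    for pw in ["Password1", "P@ssw0rd!!2016", "qwertyqwerty99", "fQnT1d0c{E}+p[;"]:
        print(f"{pw!r}: {check_password(pw)}")
```

Note that the normalisation is only as good as the word list behind it: "pass" is in the constructed list so that "pass1234" is rejected, and a real deployment would test against the same leaked-password collections the cracking tools ship with.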

fQnT1d0c{E}+p[;

Rainbow Tables

This attack is used when the attacker has obtained the password database. It’s worth mentioning here because the complexity of your password will protect you even if the server is compromised. From the protection standpoint, it’s enough to know that a strong password will do the trick here as well.

Skip this part if you just want to secure yourself without bothering with hashing, rainbow tables and salting.

Databases don’t contain plaintext passwords, but password hashes. A hash is the output of a one-way, deliberately time-consuming function that obfuscates its input. When you enter your password, the server calculates the hash of the entered value and compares it to the one stored in the database to confirm it.

Very simple hash function example: take number 4 as the input: square it (16), take natural log (2.7725), multiply by pi (8.7103) and take factorial (gamma function) -> 189843.119. Now ask your friend how is 189843.119 related to 4. Chances are, no one can figure it out.

Password hashes often look like this one: qiyh4XPJGsOZ2MEAyLkfWqeQ

So, when an attacker compromises the password database he won’t be able to figure out your password (or will he? Read on). Here’s where the rainbow table comes in – it’s a pre-computed table of passwords and their hashes. The attacker then compares the rainbow table hashes to those in the database. If the hashes match, the password is discovered. Here’s a short example:

This is what we can find in a database:

User            Password (stored hash)
RegularUser1    HgkHJgKHgKhKGhjfhgKvkGjKG
Administrator   qiyh4XPJGsOZ2MEAyLkfWqeQ

Let’s try to find this hash in the rainbow table:

Password    Hash
password    asdh4DFGsOZ2MEAyLkfWqES
qwerty      qi8H8R7OM4xMfdMPuRAZxlY
pass1234    GsOZ2MEAM4xPuRAZxlqiyAFiy
passw0rd    qiyh4XPJGsOZ2MEAyLkfWqeQ
abcdefgh    nKv3LvrdAVtOcE5EcsGIpYBtniN

The Administrator’s hash matches the entry for passw0rd.
That’s why some servers ‘salt’ the hash by adding a random value into the equation: the attacker can’t just download a finished rainbow table, he needs to create a custom one for that salt, and that requires a lot of time because hash functions are time-consuming. If a different salt is used for each password, the attacker needs to create a custom table for each password, which is not feasible. The salt is stored next to the password; it’s no secret, since its whole purpose is to make the attacker’s computer do a lot of ‘work’.

There’s only so much the server side can do for you; it’s up to you to choose a strong password. If the attacker targets you specifically, he may create a rainbow table for your salt. It’s up to you to have a password that will not be in his table.
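To show concretely what the salt buys, here is an added Python example, not taken from the original tutorial, that builds a small precomputed hash-to-password table (a plain dictionary standing in for a real rainbow table, which compresses the same idea with hash chains), applies it to an unsalted database dump the way the matching above works, and then shows that the same table finds nothing against records stored with a per-user random salt and a slow derivation (PBKDF2 from the standard library). The candidate list, user names and passwords are constructed for the example, and the iteration count is an assumption rather than a figure from the page.

```python
import hashlib
import hmac
import os

# Constructed guess list standing in for an attacker's precomputed table
# (assumption); a real table holds millions of candidates.
CANDIDATES = ["password", "qwerty", "pass1234", "passw0rd", "abcdefgh"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the storage scheme the example database above uses."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; reusable against every unsalted
    database, which is exactly why unsalted storage is weak."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(stored_hash: str, table: dict):
    """Recover the password if its hash is in the table, else None."""
    return table.get(stored_hash)


def table_attack(stored_hashes: dict, table: dict) -> dict:
    """Apply the precomputed table to a dump of user -> stored hash."""
    return {user: lookup(h, table) for user, h in stored_hashes.items()}


# Defender side: per-user random salt plus a deliberately slow derivation.
PBKDF2_ITERATIONS = 100_000  # assumption for the example, tune to your hardware


def make_record(password: str, salt: bytes = None) -> dict:
    """Store salt, iteration count and derived key; the salt need not be secret."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    # constructed unsalted dump: identical passwords give identical hashes
    unsalted_db = {"RegularUser1": unsalted_hash("hunter2-but-longer"),
                   "Administrator": unsalted_hash("passw0rd")}
    print("unsalted:", table_attack(unsalted_db, table))   # Administrator recovered
    # same users, salted and stretched: the table no longer applies
    salted_db = {"RegularUser1": make_record("hunter2-but-longer"),
                 "Administrator": make_record("passw0rd")}
    print("salted:  ", table_attack({u: r["hash"] for u, r in salted_db.items()}, table))
    print("login ok:", verify("passw0rd", salted_db["Administrator"]))
```

Two things the code makes visible: the salted record for the same weak password differs every time it is created, so a table built for one user is useless against the next, and verification still works because the salt is kept beside the hash. The salt does not rescue "passw0rd" from a targeted guess, which is the point the text makes next.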

I’m surprised how many sensitive web services allow weak passwords.

Practical analysis of these attacks

The times analyzed represent offline attack speed; online attacks are much slower than this, but it makes sense to choose a password strong enough for offline attacks, because that is the maximum speed and the extra strength is only a few characters away.

Password complexity depends on two characteristics: length and the number of different characters. For example, if you use an 8-digit password (only numbers – 10 characters): _ _ _ _ _ _ _ _ each field can contain 10 different characters, so there are 10*10*10*10*10*10*10*10 = 10^8 possible combinations. If the attacker has a Pentium 4D 3.2 GHz processor he can try 2 million passwords per second. That means the password can be broken in 10^8 / (2*10^6) = 50 seconds.

Formula for the number of combinations the attacker needs to try:

A^B, where: A – number of different possible characters

B – password length

If the password length is unknown, the attacker will usually try only the shortest ones. Let’s say he wants to try all 8, 9 and 10 character long passwords; the number of combinations is then A^8 + A^9 + A^10.

Exponential growth

Luckily for us, password complexity rises exponentially when length increases. In the example above (only 10 digits) each extra character adds 10 times more possible combinations.

Here’s a table for passwords that contain only lower-case letters from English alphabet and digits – 36 different characters (Combinations = 36 ^ length):

Length (B)   Combinations (36^B)           Individual capability   5000x individual
1            34                            < 1 second              < 1 second
2            1 296                         < 1 second              < 1 second
3            46 656                        < 1 second              < 1 second
4            1 679 616                     < 1 second              < 1 second
5            60 466 176                    30 seconds              < 1 second
6            2 176 782 336                 18 minutes              1 second
7            78 364 164 096                10 hours                55 seconds
8            2 821 109 907 456             16 days                 33 minutes
9            101 559 956 668 416           1 year                  20 hours
10           3 656 158 440 062 976         60 years                30 days
11           131 621 703 842 267 136       2140 years              3 years
12           4 738 381 338 321 616 896     77025 years             110 years


[Figure: X axis – password length for the 36-character set (letters and numbers); Y axis – days to crack]


Blue – Time in the first case was an experiment with the previously mentioned Pentium 4D 3.2 GHz processor, affordable processing power for an individual.

Red – Time in the second case represents someone who can use 5 000 such processors.

We can see length 12 is the sweet spot; it’s even safer if we expand the character set to uppercase and lowercase letters, numbers and punctuation signs. The number of possible characters is then 126:

Length (B) | Combinations (126^B)        | Individual capability | 5000x individual
1          | 126                         | < 1 second            | < 1 second
2          | 15 876                      | < 1 second            | < 1 second
3          | 2 000 376                   | 1 second              | < 1 second
4          | 252 047 376                 | 2 minutes             | < 1 second
5          | 31 757 969 376              | 4 hours               | 22 seconds
6          | 4 001 504 141 376           | 23 days               | 47 minutes
7          | 504 189 521 813 376         | 8 years               | 4 days
8          | 63 527 879 748 485 376      | 1 032 years           | 2 years
9          | 8 004 512 848 309 157 376   | 130 000+ years        | 184 years


[Figure: X axis – password length for the 126-character set; Y axis – days to crack]


Blue – Time in the first case was an experiment with the previously mentioned Pentium 4D 3.2 GHz processor, affordable processing power for an individual.

Red – Time in the second case represents someone who can use 5 000 such processors.
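The figures in the two tables above, recomputed directly from the A^B formula as an added example (Python; not code from the original article). The guess rates and character-set sizes are the article’s; the 365-day year and the truncation to whole units are my assumptions. Not every time column in the tables agrees with a direct computation, so being able to recompute a row is useful.

```python
# Added example (not from the original article): keyspace size and offline
# brute-force time for the character sets discussed above.
from math import log2

RATE_INDIVIDUAL = 2_000_000              # guesses/second, one Pentium 4D (article's figure)
RATE_CLUSTER = RATE_INDIVIDUAL * 5_000   # 5 000 such processors (article's second column)

CHARSET_ALNUM_LOWER = 36   # a-z plus 0-9
CHARSET_FULL = 126         # upper, lower, digits and punctuation (article's figure)

SECONDS_PER_YEAR = 365 * 24 * 3600       # assumption: 365-day year


def combinations(charset_size: int, length: int) -> int:
    """A^B: candidate passwords of exactly `length` characters from `charset_size` symbols."""
    return charset_size ** length


def combinations_up_to(charset_size: int, min_len: int, max_len: int) -> int:
    """Sum of A^B for B in [min_len, max_len]: an attacker who tries every length in the range."""
    return sum(charset_size ** b for b in range(min_len, max_len + 1))


def seconds_to_crack(charset_size: int, length: int, rate: int) -> float:
    """Worst-case time to exhaust the whole keyspace at `rate` guesses per second."""
    return combinations(charset_size, length) / rate


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: B * log2(A)."""
    return length * log2(charset_size)


def human_time(seconds: float) -> str:
    """Express a duration in its largest whole unit, in the style of the tables above."""
    if seconds < 1:
        return "< 1 second"
    units = (("year", SECONDS_PER_YEAR), ("day", 86_400), ("hour", 3_600),
             ("minute", 60), ("second", 1))
    for name, size in units:
        if seconds >= size:
            count = int(seconds // size)   # truncate, as the tables appear to do
            return f"{count} {name}{'s' if count != 1 else ''}"
    return "< 1 second"


def table_row(charset_size: int, length: int) -> dict:
    """One row: combinations, the two time columns, and the equivalent entropy."""
    return {
        "length": length,
        "combinations": combinations(charset_size, length),
        "individual": human_time(seconds_to_crack(charset_size, length, RATE_INDIVIDUAL)),
        "cluster": human_time(seconds_to_crack(charset_size, length, RATE_CLUSTER)),
        "bits": round(entropy_bits(charset_size, length), 1),
    }


if __name__ == "__main__":
    # Print both tables from the article plus an entropy column.
    for charset in (CHARSET_ALNUM_LOWER, CHARSET_FULL):
        print(f"charset size {charset}")
        for length in range(1, 13):
            r = table_row(charset, length)
            print(f"  {r['length']:2d}  {r['combinations']:>25,}  "
                  f"{r['individual']:>14}  {r['cluster']:>14}  {r['bits']:5.1f} bits")
```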

Conclusion

Using only lowercase or only uppercase letters and numbers, you need an 11-character long password.

If you’re using both lowercase and uppercase letters, numbers and punctuation signs, you need an 8-character long password.

Neither should be predictable enough to be part of a dictionary attack list. I would recommend using a 12-character long password and a wide charset.

Easy way to Manage Strong Passwords

A different password should be used for each sensitive account, because attackers often check all your accounts with a password they have compromised.

A password should be at least 12 characters long and include an uppercase and a lowercase letter, a number and a punctuation sign. You can easily meet those requirements by rambling on the keyboard, but such passwords would be difficult to remember.

Password Manager

A password manager allows the user to use hundreds of different passwords while only having to remember a single one: the password that opens the encrypted password database. Needless to say, this single password should be strong and well-protected (not recorded anywhere).

Most password managers can automatically create strong passwords using a cryptographically secure random password generator, and can also calculate the entropy of the generated password. A good password manager will provide resistance against attacks such as key logging, clipboard logging and various other memory spying techniques.

To generate one strong password that’s easy to remember you can use a great source of entropy: your mind. Think of a sentence or two, something like: ‘any sentence will do the trick, Just Make Sure It’s Over 12 Words’. The password would be: aswdtt,JMSIO12W (the first letter of each word). You can remember the sentence easily and recreate the password later. Ideally, the sentence would include a sign and a number.

There are many similar tricks out there if you don’t like this one.

Pattern

So you don’t like installing a manager? Think of a good pattern that will not be obvious. An example would be: pick 2 numbers, 6 and 7, and surround your password with 67 on one side and shift+6 = &, shift+7 = / on the other. Also, uppercase the 6th and 7th letters. If your password right now is password -> 67passwORd&/ is easy to remember and strong. The word can be something you can remember for each site, but stay away from obvious choices like the domain name.

Avoid common letter-number substitutions like o – 0, I – 1. Here’s the same link once again; I highly recommend taking a look at the common dictionaries and tools attackers may try to use against you.

Source:  deepdotweb.com

Categorized in News & Politics

One responsibility Facebook has to its users is to ensure that your account is not easily hackable. This means building security systems, but there is always a problem: the most vulnerable point of any online system is the user who does not take proper care of their own information.

This usually comes in the form of insecure and reused passwords. Then, no matter whether the company built Fort Knox, if someone has your email address and the password is "123456", your only chance of not being hacked is to have two-step authentication enabled. Face it: if your password really is "123456", you probably also have not activated the second verification step.

However, Facebook has taken a very unorthodox approach to dealing with this problem. Alex Stamos, chief security officer at the company, told CNET today that the company negotiates directly with cybercriminals on the deep web to buy databases of passwords stolen by hackers.

The fact is that these stolen databases end up revealing a lot about human behavior on the Internet. By analyzing a huge number of passwords, you can see patterns of which ones are most recurrent, and therefore most fragile. In a dump of 1 million passwords, imagine how many "123456" will show up. Suddenly, you can see that many people are using the password "kittens", and it has become dangerous.

By purchasing these stolen databases, Facebook can do this analysis and compare it with its own (encrypted, it is true) password database. Stamos reveals that by doing this work, which is quite heavy for company computers, the social network was able to alert tens of millions of users that their passwords were not safe.

The executive explains that Facebook has the tools to offer more security to users, such as the aforementioned two-step authentication. It is the person’s prerogative to use these tools or not, but the company says it is its responsibility to take care of those who choose not to activate the features.

Source:  olhardigital.uol.com.br

Categorized in Science & Tech

Over the past few years, there have been a lot of changes affecting the key technologies that power the internet.

HTML is the dominant web language, and its new version, HTML5, provides impressive enhancements for new web applications.

However, when this fifth version of HTML was released back in 2014 and became really popular with web and app developers, the issues surrounding its internet security risks also took hold.

Just like every new technology, HTML5 is bound to have defects and pitfalls. Internet security experts and commentators had predicted this long before its release.

HTML5 AND ITS IMPORTANCE

HTML5 is the 5th revision of the HTML standard developed by W3C. While it was approved as a standard in October 2014, its adoption began several years earlier.

This language mainly describes the contents and appearance of web pages. Due to its many new features, it makes web pages more interactive and dynamic.

These features include messaging enhancements, new parsing rules to enhance flexibility, elimination of redundant attributes and native multimedia support.

W3C developed HTML5 mainly to address the compatibility issues with the previous HTML version.

The main reasons why this version has become so popular are the near-elimination of browser plugins, reduced web development time and mobile friendliness.

HTML5 is also supported by all the major browser vendors, including Google, Apple, Opera, Microsoft, and Firefox.

THE INTERNET SECURITY RISKS ASSOCIATED WITH HTML5

As HTML5, approved as a standard in 2014, becomes more popular among developers, it introduces new internet security threats due to its new features and attributes.

HTML5 has been adopted on a very large scale, with a large percentage of browsers supporting it, and mobile applications are now based on this language.

It is therefore important for developers and users to know about the internet security risks involved in order to be able to tackle them.

The security problems that affected the older version are still present.

More importantly, the new features in HTML5 present further internet security issues.

Below are some of the attacks made possible by HTML5.

1. CROSS ORIGIN RESOURCE SHARING (CORS ATTACK)

Cross-Origin Resource Sharing (CORS) is a feature that allows a resource to gain access to data from domains outside its own.

Using this feature, web pages can load resources including scripts, CSS style sheets, and images from different domains.

As such, a remote cyber attacker can inject code into web pages.

An API called XMLHttpRequest makes this possible. Basically, this is an API that facilitates the transfer of data between a server and a client.

Before the introduction of HTML5, a site could not make direct requests to another site using this API.

Now, cross-site HTTP requests can be made, provided the requested site grants permission.

This is the point where a vulnerability can be exploited. Access is granted through the following header in the responses: Access-Control-Allow-Origin.

If a website has defined this header wrongly or based on a wrong assumption, access control can easily be bypassed.

A similar threat called Cross-Site Request Forgery (CSRF) was present in HTML4. However, with HTML5 this is possible without user interaction.
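The header mistake described above, shown as an added example (Python; not code from the original article): the weak patterns of reflecting any Origin or matching on a domain suffix, beside an exact-match allowlist. The allowlist and hostnames are constructed placeholders.

```python
# Added example (not from the original article): deciding the value of the
# Access-Control-Allow-Origin response header from an explicit allowlist
# instead of reflecting or loosely matching the request's Origin header.
from urllib.parse import urlsplit

# Constructed allowlist; an application would list the origins it really serves.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def reflect_any_origin(request_origin: str) -> dict:
    """Weak pattern: echo whatever Origin arrived. Combined with credentials,
    this lets any page a logged-in user visits read authenticated responses."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def suffix_match(request_origin: str, company_domain: str = "example.com") -> bool:
    """Wrong assumption: 'ends with our domain' also accepts evilexample.com."""
    return request_origin.endswith(company_domain)


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS) -> dict:
    """Return CORS headers only for an exact, normalized allowlist match.
    Otherwise return no CORS headers at all, so the browser blocks the read."""
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    # A browser Origin is scheme + host[:port] only: reject 'null', plain http,
    # userinfo, paths, queries and fragments rather than trying to clean them.
    if parts.scheme != "https" or not parts.netloc or "@" in parts.netloc:
        return {}
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must not serve one origin's allow header to another.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://app.example.com.evil.net",
                   "http://app.example.com", "null", None):
        print(origin, "->", cors_headers(origin))
```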


2. HTML5 TAG ABUSE

The new attributes and tags introduced by HTML5 present an internet security threat in the form of cross-site scripting attacks. XSS attacks, where attackers run malicious scripts through unencoded or unvalidated user inputs, have been around for a while.

Developers often avoid them by filtering user inputs, which basically means not allowing users to input certain character sequences.

Some of the new attributes and tags in HTML5 can be employed to run scripts by bypassing input filters. With HTML5, any object can associate itself with any form regardless of its position on the web page.

This can be exploited for malicious purposes. Attackers can also modify web page forms using HTML5 attributes such as formaction, formenctype, formmethod, formtarget and formnovalidate.

3. LOCAL STORAGE

Prior to HTML5, browser data was stored through web cookies. The local storage feature in HTML5 was developed to improve internet security and enable storage of more web data.

It allows browsers to store and delete data based on name-value pairs. The good news is that it is origin-specific, meaning sites from different origins cannot access each other’s local storage.


Unfortunately, it is vulnerable to the aforementioned XSS attacks.

When XSS flaws result from developer errors, they can allow the execution of JavaScript code that reads the locally stored values.

Attackers can also redirect target site requests to different sites using DNS cache poisoning.

There are other internet security issues with HTML5 including Cross Document Messaging, Offline Web Applications, and the middleware framework.

Most of these internet security problems fall into the hands of web developers.

As such, they can be mitigated by safe coding practices, regular code testing, education on the possible internet security threats, data sanitization and access restriction for untrusted code.

Source:  darkwebnews.com

Categorized in Science & Tech

The iPhone 7 is already out on the market and many think it may be Apple’s best iPhone yet, with only one flaw: there is no support for one-handed typing.

The mere fact that iPhones are already following the smartphone trend of increasing display sizes means that Apple should also work on making texting or typing important documents on the devices easier for its consumers.

While there has been no official announcement yet, it seems as though Apple was actually working on a one-handed keyboard, and an IT expert recently discovered it hidden in the iOS code.

iPhone 7 Worst Features

Since it was launched last month, the iPhone 7 received a lot of attention especially during the beginning of the rapid descent of the Samsung Galaxy Note 7 (RIP).

While there are those who loved the new iPhone and dubbed it the best in Apple’s infamous smartphone line, there are those who gave bad reviews if only because of a couple missed expectations.

One of the worst and probably the most cited bad features of the iPhone 7 is the lack of a headphone jack. In fact, it has been repeatedly mocked and compared with competing devices such as Google’s Pixel, so much that some people might actually be convinced to switch sides.

Others criticize the device’s lack of improvements in terms of display resolution even as its screen size increased.

While Apple devices had a reputation for clear displays a couple of years ago, it seems like the Cupertino-based company has neglected that part of its flagship device to the point that competitors are beginning to take the title from it.

Finally, another bad thing about having a supersized Apple phone is the lack of one-hand typing support.

Just imagine, corporate employees and professionals opt for iPhone because of its sleek and elegant look only to discover it will make their work even more difficult as they will need to use both hands only to send messages or type in a couple of sentences on their phones. What a bummer, right?

Apple’s Secret One-Handed Keyboard

Fortunately, Steve Troughton-Smith, a game developer and IT expert, recently shared a discovery that could probably change all that.

In a Tweet, Troughton-Smith explained that Apple has actually been secretly working on one-handed typing support but has evidently left it to rot, hidden in the code, since it launched iOS 8 in 2014.

At the time, Apple may have decided it was the right time to develop the feature, as iPhones were beginning to increase to sizes that cannot be handled with one hand, with the iPhone 6 as proof of that point.

What is mind-boggling about this is why Apple decided to keep the keyboard buried in the code and not make it official, which means iPhone users cannot use it.

That is, unless they decide to jailbreak their devices with the following activation tweak on the code.

Microsoft’s WordFlow

Of course, iPhone users also have the option to download Microsoft’s one-handed keyboard app WordFlow, which is exclusively available for iPhone users.

According to the Wall Street Journal, this app has features that allow users to use their photos as the background image of their keyboards and curve their smart keypad to make one-hand typing a whole lot easier as WordFlow can lock on either left or right depending on the user’s preference.

Source : inquisitr

Categorized in Internet Privacy

Thanks to fake Gmail sign-in pages, hackers were able to dupe John Podesta and the entire Clinton campaign.

According to Naked Security, a technique known as spear phishing was used to hack into John Podesta’s and the entire Clinton campaign’s accounts. This hacking technique involves using fake Gmail sign-in pages and security alerts to trick the owner of the email into revealing his or her password to the person attempting to hack into the Gmail account.

The Smoking Gun reports that when it came to John Podesta’s Gmail account, he received an email alert telling him that someone was trying to access his account from an unusual location. Basically, the email he received was asking him to change his password to secure his account.

With this hacking technique, John and the entire Clinton campaign were duped into believing the fake security alert and using the fake Gmail sign-in pages to give their login information directly to the hacker. From there, the hackers were able to log in to the Gmail accounts of anyone who used the fake Gmail sign-in page and do whatever they wanted with the account.

Townhall reports that government officials using their private emails in order to avoid their emails becoming public record has become a very common occurrence. The hacking of Hillary Clinton and John Podesta’s private Gmail accounts put these two in the spotlight, but a former top State Department official acknowledges the fact that this is something nearly every government official does in order to avoid their conversations being a matter of public record.

Townhall goes on to report that the former State Department official claims that if something had been done to stop government officials from using their private email accounts for work-related matters, the hacking issues wouldn’t have been a problem to begin with.

Nashville Chatter reports the same group of Russian hackers that was believed to have developed the fake Gmail sign-in pages and security alerts that hacked the Clinton campaign is responsible for a recent Microsoft bug as well. Microsoft was given a grace period of a week before Google’s Threat Analysis group made a public announcement about the vulnerability that was exposing people to malware attacks.

Terry Myerson, the executive VP of Microsoft Windows, claims a sophisticated group of hackers was exploiting a Microsoft bug. This group of hackers has since been identified as the same group who caused the DNC and Clinton campaign data breaches. Microsoft is currently working on fixing the bug, but Terry Myerson is urging Windows users to upgrade their operating systems to Windows 10 in order to protect their devices from this potential threat.

Microsoft is currently working with Adobe and Google in order to create security patches to protect the lower levels of Windows. There are several versions of the security patches currently being tested. These patches will be released on November 7 for Windows users.

Do you find it embarrassing that government officials were hacked by nothing more than fake Gmail sign-in pages and security alerts? More importantly, do you think government officials should be able to use their private Gmail accounts in order to avoid their conversations becoming public record? Share your answers to these two questions in the comments section below.

Source : inquisitr

Categorized in Internet Privacy

Watch out for weak in-house code, data in the cloud and the Internet of things 

Forward-looking IT security pros need to better address known risks, monitor closely the value of shadow IT devices and solve the inherent weaknesses introduced by the internet of things, Gartner says.

The consulting firm has taken a look at five key areas of security concern that businesses face this year and issued predictions on and recommendations about protecting networks and data from threats that will likely arise in each.

The areas are threat and vulnerability management, application and data security, network and mobile security, identity and access management, and Internet of Things security. Gartner’s findings were revealed at its recent Security and Risk Management Summit by analyst Earl Perkins.

One overriding recommendation is that businesses must be aware that delaying security measures in an effort to avoid disrupting business can be a false economy.

He recommends that security pros should make decisions about protecting networks and resources based on the range of risks that known weaknesses represent to the business and its goals. Rather than thinking about their role purely as protecting, they should look at it as facilitating successful business outcomes. 

Here are the predictions and recommendations:

Threat and vulnerability management

Prediction: “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”

With attackers looking for vulnerabilities in applications as well as exploitable configurations, it’s important for businesses to patch vulnerabilities in a timely fashion. If they don’t, they stand to lose money through damage to systems and theft of data.

Prediction: “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.”

An area of growing concern is the introduction of new technologies by business units without vetting by the security team, Perkins says. Avoiding that review and the fact that many of these technologies are new and still contain vulnerabilities makes them susceptible to attacks.

Application and data security

Prediction: “By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.”

Data security governance will be promoted by insurance companies that will set cyber premiums based on whether businesses have these programs in place. 

Prediction: “By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.”

Here Perkins looks to maturing technology called runtime application self-protection (RASP) as a way to avoid vulnerabilities in applications that might result from problems overlooked due to the rapid pace at which DevOps teams work. RASP does its work rapidly and accurately to provide protection against vulnerabilities that might be exploited, he says.

Network and Mobile Security

Prediction: “By 2020, 80% of new deals for cloud-based cloud-access security brokers (CASB) will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.”

Vendors of traditional network security products such as firewalls, SWGs and WAFs want to be in on their customers protecting their SaaS applications, which is effectively accomplished via CASBs, he says. Businesses should evaluate whether CASB services are warranted based on their plans for application deployment, and should consider offers by their current vendors of these traditional technologies, he says.

Identity and Access Management

Prediction: “By 2019, 40% of identity as a service (IDaaS) implementations will replace on-premises IAM implementations, up from 10% today.”

This increase in use of IDaaS will in part stem from the difficulty and expense of running on-premises IAM infrastructure, and the growing use of other something-as-a-service offerings will make the decision more comfortable. The ongoing introduction of more and more Web and mobile applications will create a natural opportunity for the transition from in-house IAM to IDaaS, he says. 

Prediction: “By 2019, use of passwords and tokens in medium-risk use cases will drop 55%, due to the introduction of recognition technologies.”

With the cost and accuracy of biometrics improving, they become a good option for continuous authentication. In combination with user- and entity-behavior analysis, this technology can make a difference when applied to cases that call for a medium level of trust, Perkins says.

Security for the internet of things (IoT)

Prediction: “Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.”

IoT devices are still being made without much consideration being given to security, and yet some are located in networks so that, if exploited, they could expose networks to harm and data to breaches, Perkins says. Businesses need a framework for determining the risks each IoT device type represents and the appropriate controls for dealing with them.

Prediction: “By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.”

Since security pros won’t be able to determine the importance that IoT devices represent to the organization, the business unit that uses them should determine what risk they represent. Security pros should set aside 5% to 10% of IT security spending for monitoring and protecting these devices as needed, he says.

Source  : http://www.networkworld.com/article/3088084/security/gartner-s-top-10-security-predictions.html

Categorized in Internet Privacy

ONE OF THE most important laws protecting online speech is also one of the worst. You’ve probably heard of it. In 1998, President Bill Clinton passed the Digital Millennium Copyright Act, or DMCA. It’s the law that, for example, makes it all too easy for companies to have embarrassing content removed from sites like YouTube by issuing bogus takedown requests, claiming that the content violates their copyright—no presumption of innocence required. But the DMCA also contains one incredibly important section: the so-called safe harbor provision. Thanks to safe harbor, companies can’t be held liable for copyright violations committed by their users, so long as the companies take reasonable steps to ensure that repeat offenders are banned from their services. Post a pirated copy of Ghostbusters to YouTube via your Comcast Internet connection? That’s on you, the DMCA says, not on YouTube or Comcast.


Companies fearing they’ll lose their safe harbor might start policing the content posted by their users.

But after a recent court decision, that safe harbor doesn’t look so safe anymore.

Last week a federal judge ruled that cable Internet provider Cox Communications must pay $25 million in damages to BMG Rights Management, which controls the rights to the music of some of the world’s most popular artists. The court found that Cox was liable for the alleged copyright infringement carried out by its customers, safe harbor or not. The decision might not rattle the giants of the Internet business, like Comcast, Verizon, Google and Facebook–at least not yet. But it could be bad news for smaller companies that can’t afford such costly legal battles. And if companies start fearing they’ll lose their safe harbor, they might have to start more carefully policing the content posted by their users.

Turning Off Notifications

It’s hard to overstate the importance of the DMCA’s safe harbor provision to the growth of the early Internet. Had providers and platforms faced liability for what users published, far fewer social networks and web hosts would have existed because of the legal risk. Those that did exist would have had to carefully screen what users posted to ensure no copyright violations were taking place. In short, the DMCA, for all its problems, enabled the explosion of online speech over the past two decades.

But that explosion has not been kind to some businesses, such as the music industry, which has seen its margins erode since the 1990s due to peer-to-peer file sharing. To fight back, BMG in 2011 hired a company called Rightscorp to monitor file sharing networks and catch people illegally sharing music that belonged to BMG. Whenever Rightscorp believed it had detected a copyright violation, it would forward notifications to the offending user’s Internet provider. The twist was that Rightscorp added a bit of language to its letters offering to settle the copyright dispute if the user was willing to pay a fee of around $20 to $30 per infraction. Cox refused to forward these letters on to its users because it believed the settlement offers were misleading, arguing the notifications of infringement were not in and of themselves proof that a user had actually broken the law.

Rightscorp refused to alter the language of the letters, so Cox refused to process any further notifications from the company. In 2014, BMG sued Cox.

Last year, US District Court Judge Liam O’Grady found that by refusing to process Rightscorp’s requests, Cox had failed to live up to its responsibilities under the safe harbor provision, and therefore was not eligible for its protections. A jury found Cox liable for $25 million in damages. Cox filed for a new trial but O’Grady denied the request last week, allowing the previous decision to stand.

Just a Pipe

While the decision does not set a binding precedent, some open Internet advocates worry the decision could embolden copyright holders to sue smaller companies. A company like Google can afford expensive lawyers. It can invest in multi-million-dollar digital rights management software to keep offending content off its sites. But smaller ISPs or web sites can’t. “If safe harbor is for anyone, it’s for Internet service providers that do nothing but carry information from sites to specific homes,” says Charles Duan, staff attorney at Public Knowledge.

Safe harbor issues aside, BMG’s argument also depends on the idea that users should be denied Internet access because of the mere accusation of copyright infringement, even if the accuser has never proven in court that those users had actually broken the law.

“It doesn’t take into account all the things people use the Internet for,” says Mitch Stolz, a staff attorney with the Electronic Frontier Foundation. “People use it for their jobs, to interact with government. The circumstances in which it’s reasonable to cut someone off are narrower now than 20 years ago.”

However flawed it is, the DMCA enables online speech to flourish. But if the BMG case does become a precedent, online service providers of all types will have to crack down on their users—even if no one has proven in court that those users committed a crime. If you don’t like what someone has to say, you could accuse them of copyright violations and not only have a video banned from YouTube, but have that person kicked off the Internet entirely. That’s not a future in which the Internet flourishes.

Source : http://www.wired.com/2016/08/internets-safe-harbor-just-got-little-less-safe/

Categorized in Internet Privacy