
WHETHER IT WAS a billion compromised Yahoo accounts or state-sponsored Russian hackers muscling in on the US election, this past year saw hacks of unprecedented scale and temerity. And if history is any guide, next year should yield more of the same.

It’s hard to know for certain what lies ahead, but some themes began to present themselves toward the end of 2016 that will almost certainly continue well into next year. And the more we can anticipate them, the better we can prepare. Here’s what we think 2017 will hold.

Consumer Drones Get Weaponized

Given how frequently the US has used massive flying robots to kill people, perhaps it’s no surprise that smaller drones are now turning deadly, too—this time in the hands of America’s enemies. In October the New York Times reported that in the first known case, US-allied Kurdish soldiers were killed by a small drone the size of a model airplane, rigged with explosives. As drones become smaller, cheaper, and more powerful, the next year will see that experiment widened into a full-blown tactic for guerrilla warfare and terrorism. What better way to deliver deadly ordnance across enemy lines or into secure zones of cities than with remote-controlled accuracy and off-the-shelf hardware that offers no easy way to trace the perpetrator? The US government is already buying drone-jamming hardware. But as with all IEDs, the arms race between flying consumer-grade bombs and the defenses against them will likely be a violent game of cat-and-mouse.

Another iPhone Encryption Clash

When the FBI earlier this year demanded that Apple write new software to help crack its own device—the iPhone 5c of dead San Bernardino terrorist Rizwan Farook—it fired the first shots in a new chapter of the decades-long war between law enforcement and encryption. And when it backed off that request, saying it had found its own technique to crack the phone, it only delayed any resolution. It’s only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again. In fact, in October the FBI revealed that another ISIS-linked terrorist, the man who stabbed ten people in a Minnesota mall, used an iPhone. Depending on what model iPhone it is, that locked device could spark Apple vs. FBI, round two, if the bureau is determined enough to access the terrorist’s data. (It took three months after the San Bernardino attack for the FBI’s conflict with Apple to become public, and that window hasn’t passed in the Minnesota case.) Sooner or later, expect another crypto clash.

Russian Hackers Run Amok

Two months have passed since the Office of the Director of National Intelligence and the Department of Homeland Security stated what most of the private sector cybersecurity world already believed: That the Kremlin hacked the American election, breaching the Democratic National Committee and Democratic Congressional Campaign Committee and spilling their guts to WikiLeaks. Since then, the White House has promised a response to put Russia back in check, but none has surfaced. And with less than a month until the inauguration of Putin’s preferred candidate—one who has buddied up to the Russian government at every opportunity and promised to weaken America’s NATO commitments—any deterrent effect of a retaliation would be temporary at best. In fact, the apparent success of Russia’s efforts—if, as CIA and FBI officials have now both told the Washington Post, Trump’s election was the hackers’ goal—will only embolden Russia’s digital intruders to try new targets and techniques. Expect them to replicate their influence operations ahead of elections next year in Germany, the Netherlands, and France, and potentially to even try new tricks like data sabotage or attacks on physical infrastructure.

A Growing Rift Between the President and the Intelligence Community

Though the US intelligence community—including the FBI, NSA, and CIA—has unanimously attributed multiple incidents of political hacking to Russian government-sponsored attackers, President-elect Donald Trump has remained skeptical. Furthermore, he has repeatedly cast doubt on digital forensics as an intelligence discipline, saying things like, “Once they hack, if you don’t catch them in the act you’re not going to catch them. They have no idea if it’s Russia or China or somebody.” Trump has also caused a stir by declining daily intelligence briefings. Beyond just the current situation with Russia, Trump’s casual dismissal of intelligence agency findings is creating an unprecedented dissonance between the Office of the President and the groups that bring it vital information about the world. Current and former members of the intelligence community told WIRED in mid-December that they find Trump’s attitude disturbing and deeply concerning. If the President-elect permanently adopts this posture, it could irrevocably hinder the role of intelligence agencies in government. President Obama, for one, says he is hopeful that the situation is temporary, since Trump has not yet felt the full responsibility of the presidency. “I think there is a sobering process when you walk into the Oval Office,” Obama said recently in a press conference. “There is just a whole different attitude and vibe when you’re not in power as when you are in power.” If Trump does eventually embrace the intelligence community more fully, the next question will be whether it can move on from what has already transpired.

DDoS Attacks Will Crash the Internet Again (And Again, And Again)

This was the year of Internet of Things botnets, in which malware infects inconspicuous devices like routers and DVRs and then coordinates them to overwhelm an online target with a glut of internet traffic, in what’s known as a distributed denial of service attack (DDoS). Botnets have traditionally been built with compromised PCs, but poor IoT security has made embedded devices an appealing next frontier for hackers, who have been building massive IoT botnets. The best-known example in 2016, called Mirai, was used this fall to attack and temporarily bring down individual websites, but was also turned on Internet Service Providers and internet-backbone companies, causing connectivity interruptions around the world. DDoS attacks are used by script kiddies and nation states alike, and as long as the pool of unsecured computing devices endlessly grows, a diverse array of attackers will have no disincentive from turning their DDoS cannons on internet infrastructure. And it’s not just internet connectivity itself. Hackers already used a DDoS attack to knock out central heating in some buildings in Finland in November. The versatility of DDoS attacks is precisely what makes them so dangerous. In 2017, they’ll be more prevalent than ever.

Ransomware Expands Its Targets

Ransomware attacks have become a billion-dollar business for cybercriminals and are on the rise for individuals and institutions alike. Attackers already use ransomware to extort money from hospitals and corporations that need to regain control of their systems quickly, and the more success attackers have, the more they are willing to invest in development of new techniques. A recent ransomware version called Popcorn Time, for example, was experimenting with offering victims an alternative to paying up—if they could successfully infect two other devices with the ransomware. And more innovation, plus more disruption, will come in 2017. Ransomware attacks on financial firms have already been rising, and attackers may be emboldened to take on large banks and central financial institutions. And IoT ransomware could crop up in 2017, too. It may not make sense for a surveillance camera, which might not even have an interface for users to pay the ransom, but could be effective for devices that sync with smartphones or tie in to a corporate network. Attackers could also demand money in exchange for ceasing an IoT botnet-driven DDoS attack. In other words, ransomware attacks are going to get bigger in every possible sense of the word.

Author: WIRED STAFF
Source: https://www.wired.com/2017/01/biggest-security-threats-coming-2017

Categorized in Internet Privacy

 

Why hack Android devices one at a time when you can infect local Wi-Fi access points with an Android Trojan and use DNS hijacking to hack every device connected to that network?

Researchers at Kaspersky Lab reported their encounter with a new type of Android malware, which they call "Trojan.AndroidOS.Switcher" and which is doing almost exactly that: Once it wakes up and determines it's on a targeted wireless network, the malware runs a brute force attack on the local Wi-Fi router password. If successful, the malware resets the default domain name system (DNS) servers to its own servers. From there, almost any kind of attack is possible on other devices or systems connected to that network.

"Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network," wrote Nikita Buchka, mobile malware analyst at Kaspersky, in a blog post. The new Android Trojan gains access to the router by a brute-force password-guessing attack on the router's admin web interface. "If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals -- such an attack is also known as DNS hijacking."

Because devices connected to a Wi-Fi network usually take their DNS server settings from the local router, this new Android Trojan can force devices connected through the router to point to rogue DNS servers under the control of the attacker. The result, Buchka wrote, is that "after gaining access to a router's DNS settings, one can control almost all the traffic in the network served by this router."

If successfully installed on a router, Buchka wrote, the Switcher malware can expose users to "a wide range of attacks" such as phishing schemes. "The main danger of such tampering with routers' [settings] is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked," he wrote. "Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will be used, so users and/or IT will not be alerted."

By setting the secondary DNS server to Google's DNS service, located at IP address 8.8.8.8, the attackers ensure that even if their own malicious DNS server is unavailable, users won't experience any outage.

Once in place on a user's Android device, Switcher checks for the local wireless network's basic service set identifier -- the MAC address of the local network's access point -- and reports it to the Trojan's command and control network before going to work on brute-forcing and reconfiguring the router. The malware also attempts to identify which internet service provider is being used so that it can reconfigure the router to use one of three rogue DNS servers, and then it runs the brute-force attack on the router's web interface for system administration.

The Kaspersky researchers reported two versions of the Android Trojan: One masquerading as a mobile client for the Chinese search engine Baidu, and the other a fake version of another popular Chinese app used to share Wi-Fi access information. Based on its analysis of input field names hardcoded in the malware, as well as the structure of HTML files the Android Trojan attempts to access, Kaspersky judged that Switcher affects only TP-LINK Wi-Fi routers.

The actor responsible for Switcher piggybacked its command and control system on top of a website it set up to promote its fake Wi-Fi access app; according to Kaspersky, the site also includes an infection counter for Switcher. Kaspersky reported that 1,280 Wi-Fi networks had been successfully infiltrated. Kaspersky recommended users check their DNS configurations to see if any of the rogue DNS servers (101.200.147.153, 112.33.13.11 and 120.76.249.59) have been configured. If a network has been infected, the attack can be mitigated by resetting the DNS server configuration and resetting the default router administration password; the attack can also be prevented by changing the default user ID and password for administering vulnerable routers.
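The check Kaspersky recommends above (look at the DNS servers a device has been handed and compare them against the three rogue resolvers) can be scripted. The following is an added example written for this page, not Kaspersky's tooling or anything from the Switcher report; it parses a resolv.conf-style listing (the constructed sample below is not a real capture), flags any of the rogue addresses the article names, and optionally flags any resolver outside an allowlist the operator supplies (the `expected` parameter is this example's own addition). A "hijacked" verdict means the device's DNS settings should be reset and the router's admin password changed, as the article advises.

```python
import ipaddress
import re

# The three rogue DNS servers Kaspersky attributes to Switcher (taken from the article).
SWITCHER_ROGUE_DNS = {
    "101.200.147.153",
    "112.33.13.11",
    "120.76.249.59",
}

# Constructed sample of what a device might report after a hijacked router
# handed out its DNS settings: rogue primary, Google's 8.8.8.8 as secondary.
SAMPLE_RESOLVER_CONFIG = """\
# constructed sample, not a real capture
nameserver 101.200.147.153
nameserver 8.8.8.8
search lan
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_nameservers(text):
    """Return the IPv4 nameserver addresses in resolv.conf-style text, in order.

    Comments are stripped, non-nameserver lines are ignored, and anything that
    merely looks like an address but is not a valid IPv4 address is dropped.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("nameserver"):
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                servers.append(str(ipaddress.IPv4Address(candidate)))
            except ipaddress.AddressValueError:
                continue  # e.g. an octet above 255; not a usable resolver
    return servers


def check_for_switcher(text, rogue=SWITCHER_ROGUE_DNS, expected=None):
    """Classify a resolver configuration.

    Verdicts:
      "hijacked"   - at least one configured resolver is a known rogue server;
      "unexpected" - an allowlist was given and a resolver falls outside it
                     (a generic drift check, hypothetical to this example);
      "clean"      - nothing matched.
    """
    servers = extract_nameservers(text)
    matched = [s for s in servers if s in rogue]
    if matched:
        verdict = "hijacked"
    elif expected is not None and any(s not in expected for s in servers):
        verdict = "unexpected"
    else:
        verdict = "clean"
    return {"servers": servers, "rogue_matched": matched, "verdict": verdict}


if __name__ == "__main__":
    result = check_for_switcher(SAMPLE_RESOLVER_CONFIG)
    print(result)  # the constructed sample is classified as hijacked
```

Note that the secondary 8.8.8.8 entry on its own is not evidence of anything, which is exactly why Buchka warns the hijack is hard to notice: only the primary resolver, or a comparison against the resolvers the router is supposed to hand out, reveals it.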

 

Author: Peter Loshin
Source: http://searchsecurity.techtarget.com/news/450410127/Switcher-Android-Trojan-targets-routers-with-rogue-DNS-servers

 

 

Categorized in Internet Privacy

What do you see as the major security threats in the coming 5-10 yrs as PC sales have declined and mobile nodes or IOT devices will explode? originally appeared on Quora – the knowledge sharing network where compelling questions are answered by people with unique insights.

Answer by Mikko Hypponen, CRO at F-Secure, on Quora:

Smartphones are actually much more secure than computers. They have fairly bad privacy problems, but from a security point of view, they are clearly superior to computers. This is mostly because of the app store model, as you can’t just run random programs.

We have seen security problems and malware on smartphones, but they are typically related to users sideloading apps from third party sources or rooting their devices by themselves.

IoT headaches have already started. One thing we are forecasting is that home IoT devices will more and more become “the way in”, or the weak link in the chain. Attackers might not be able to break into your home network via your computers, but they might be able to break in via your IoT coffee machine. And, one day we will see IoT ransomware. Imagine ransomware on your smart car: “Pay 2 Bitcoins if you want to pick up the kids from the daycare in time.”

Source : http://www.forbes.com/sites/quora/2016/12/27/the-internet-of-things-is-coming-and-its-bringing-security-headaches/#3d13bc17d468

Categorized in Internet of Things

2016 was the banner year for cyber security – and not in a good way. But what does 2017 have in store?

There is no denying that 2016 was a big year for cybercrime. From the Bank of Bangladesh/SWIFT heist in February to the Dyn DDoS attack a few weeks ago, there was plenty of proof that hackers are getting smarter and their innovation is on a growth trajectory.

If there is one good thing derived from these hacks, it is that they have made alarm bells ring loud and true for consumers and organisations alike. This is the starting point for five cyber security predictions for the year ahead.

1. Consumers will prioritise security when deciding which companies to do business with

Following high-profile data breaches in 2016, including Yahoo and Three Mobile, consumers are more anxious than ever about the downstream financial crime that follows a cyber attack.

As the realisation of what a criminal can achieve once they have taken our data sinks in, consumers are beginning to demand guarantees that their services providers are safe.

In 2017, a trend will emerge around customers wanting to understand more about the security of the organisations they do business with.

Just as companies promote ‘seals of approval’ for accomplishments like being ‘green’, promoting gender equality or having accident-free workplaces, customers will look for some sort of seal of assurance that the companies they do business with have a strong cybersecurity posture.

In fact, Ofcom has recently highlighted that broadband providers such as BT are worse at customer service than financial services providers and must do more to deliver a reliable internet connection.

2. Consumers will take ownership of their own cybersecurity

The great doorbell hack of 2016 kicked off the year with a loud ding-dong. Hackers have figured out that smart home devices, such as doorbells and refrigerators, are gateways to home Wi-Fi networks and email logins.

Similarly to how they developed new and more inventive scams to get hold of consumers’ data in the ‘90s, this is just the beginning of consumer-targeted cybercrime.

As people add more Internet of Things (IoT) devices to their smart homes and take more of their daily affairs online, the security of their online environment will become even more important.

In 2017, new services will emerge that allow consumers to evaluate their own cyber security as they work to protect their data and savings from criminals, and strive to take ownership of their cybersecurity.

3. Consumers and businesses will acknowledge the threat potential of IoT devices

Beyond hacked doorbells and refrigerators, certain IoT devices, like self-driving cars, can present serious security threats. Expect more attacks to follow, especially as it is currently easier for a hacker to create an IoT botnet to compromise a device than it is to phish for data in traditional ways. There is a serious lack of security features in the code developed for IoT devices which needs to be addressed.

Due to the risk some of these devices pose to human life, it should be no surprise to hear that the security of IoT coding will come under stricter scrutiny than ever before.

As IoT devices become widely used by businesses and individuals alike, people and organisations will make security considerations a priority in their decisions to use smart devices, not an afterthought.

4. Businesses will assess the cyber security of their own and partners’ networks

Led by the Office of the Comptroller of the Currency (OCC) directive requiring banks to manage risks – including cybersecurity risk – in their third-party relationships, companies in all industries will start paying a lot more attention to their business partners’ cybersecurity posture in 2017.

 

Most businesses have large and complex networks of partners, suppliers, vendors and other stakeholders with whom they exchange information on a regular basis. This means that the web of risk is incredibly wide, and a security breach in any link of the chain can expose the entire network.

Boardrooms across all industries have brought concerns about partner network security to the top of their agenda, so in 2017 we will see growth in the adoption of tools that assess risk across the entire network and bring a company’s security status to the forefront for partners, enterprises, and insurers.

5. Biometric security data may become the biggest security vulnerability of all

It started with the innovative Apple TouchID, developed to make it easier for consumers to unlock their phones. But, in 2016, we have seen biometric identification go mainstream – even three-year-old kids’ fingerprints are being captured when they visit Disney World.

Many believe that biometric security data is safer than digit-based passwords and, if used correctly, it may be so. However, in the wrong hands, biometric security data also has explosive potential.

In the aftermath of the compromise of 5.6 million US government military, civilian and contractor personnel fingerprints, Eva Velasquez, CEO of the Identity Theft Resource Center, explained that stolen fingerprints may be a big problem in the future.

This is especially the case if biometric technology is used to verify bank accounts, home security systems and even travel verifications.

Author:  Ben Rossi

Source:  http://www.information-age.com/5-cyber-security-predictions-2017-123463528

Categorized in Internet Privacy

NOT SO LONG ago, the internet represented a force for subversion, and WIRED’s list of the most dangerous people on the internet mostly consisted of rebellious individuals using the online world’s disruptive potential to take on the world’s power structures. But as the internet has entered every facet of our lives, and governments and political figures have learned to exploit it, the most dangerous people on the internet today often are the most powerful people.

A Russian dictator has evolved his tactics from suppressing internet dissent to using online media for strategic leaks and disinformation. A media mogul who rose to prominence on a wave of hateful bile now sits at the right hand of the president. And a man who a year ago was a reality television star and Twitter troll is now the leader of the free world.

Vladimir Putin

Since experts pinned the Democratic National Committee breach in July on two teams of hackers with Russian-state ties, the cybersecurity and US intelligence community’s consensus has only grown: Russia is using the internet to screw with America’s electoral politics. The Russian hack of the Democratic National Committee and the Democratic Congressional Campaign Committee, followed by the leak of those groups’ private communications, injected chaos and distraction into the Democratic party at a crucial moment in the electoral season, and may have even helped tip the scales for Trump.

Even before those Russian hackers’ handiwork came to light, Putin’s government was already hard at work poisoning political discourse online. Its armies of paid trolls have been busy injecting false stories into online discussion forums, attacking the Kremlin’s critics on Twitter and in the comments of news sites. Taken together, that hacking and trolling makes Putin’s government one of the world’s most malevolent forces for disinformation and disruption online. And if anything, recent events have only emboldened them.

Donald Trump

When WIRED compiled its list of the internet’s most dangerous people in 2015, we called Trump a “demagogue, more interested in inciting backward fears and playing to Americans’ worst prejudices than addressing global problems.” None of that has changed. Trump still hasn’t officially renounced his promises of a ban on Muslim immigration or apologized for calling Mexican immigrants rapists. Now, he’s weeks away from becoming President of the United States.

As President-elect, Trump has continued to act as the world’s most powerful internet troll, telling his 17.6 million Twitter followers that anyone who burns the American flag should be unconstitutionally imprisoned and have their citizenship revoked, and arguing, with no evidence, that millions of fraudulent votes were cast in an election that he won. Trump’s Twitter account telegraphs his apparent disregard for the Constitution, spreads disinformation on a massive scale, and has baselessly called America’s electoral process into question.

Steve Bannon

Before Steve Bannon joined Donald Trump’s campaign as CEO, he was already in Trump’s corner as the publisher of the righter-than-right wing news site Breitbart.com. During his tenure running that site, Breitbart published the racist, anti-Semitic and overtly misogynist content that made it the paper of record for the bigoted new political fringe known as the alt-right. Now, as the chief strategist for Trump’s transition team and coming presidency, he stands to bring that fascist agitprop perspective into the White House itself.

James Comey

In the weeks before November’s election, FBI Director James Comey cemented his already controversial reputation by revealing that his agents would continue the investigation into Hillary Clinton’s private email server, after previously setting it aside in July. He did not explain anything about what a newly found trove of emails entailed, or why they might be significant (they weren’t). That half-clue was all the Trump campaign and its surrogates needed to start a wildfire of speculation, and even to claim that Clinton would be imminently indicted (she wasn’t).

But even before Comey’s unwarranted insertion of the FBI into the most sensitive political moment of a tense election, the FBI head had led the federal government’s war on encryption to a dangerous standoff: demanding that Apple write code to help the bureau crack its own device, the locked iPhone 5c of San Bernardino killer Rizwan Farook. That six-week battle, which finally ended in the FBI finding its own method of breaking into the phone, showed Comey’s willingness to compromise Americans’ cybersecurity and privacy in the interests of surveillance, and put a lasting strain on Silicon Valley’s relationship with the FBI.

ISIS

The pseudo-religious apocalyptic cult known as the Islamic State may be losing money, resources, and ground on its home turf in Iraq and Syria. But its tendrils still extend throughout the web and social media. The group showed in 2016 that it can still reach lone, disaffected, and even mentally ill people to inspire tragic acts of violence. Even as its direct power crumbles, ISIS’s propaganda this year contributed to horrific massacres from the Bastille Day truck attack in Nice to the Pulse night club shootings in Orlando. And unlike the rest of the individuals on this list, ISIS’ danger comes from what social media extremism expert Humera Khan calls “the ISIS Borg collective.” The deaths of dozens of top ISIS commanders in 2016, in other words, hasn’t dulled the group’s message.

Milo Yiannopoulos

The Breitbart columnist Milo Yiannopoulos in 2016 illustrated everything that’s wrong with Twitter. Not simply his role as an “alt-right troll”—a polite term for a race-baiting, misogynistic, immoral fame-monger. Yiannopoulos graduated from awful ideas to actual targeted abuse, gleefully turning his hordes of followers on targets like actress and comedian Leslie Jones, who thanks to Yiannopoulos was drowned in so much nakedly racist, sexist abuse that she temporarily quit the site. Twitter eventually banned him, a decision Yiannopoulos lauded as only increasing his fame. And there are plenty more people who still espouse his ideas on the platform. But it will at least keep his vile statements confined to the darker corners of the internet, where they belong.

Recep Tayyip Erdoğan

For a brief moment this summer, the world feared that a military coup would topple Turkey’s elected president Recep Tayyip Erdoğan. Then it watched in horror as Erdoğan used that failed coup to justify an internet and media crackdown rarely, if ever, seen in modern democracies. More than a hundred Turkish journalists have since been jailed, and access has been intermittently throttled or cut to Twitter, Facebook, YouTube, and WhatsApp. In response to protests that have since embroiled the country, Erdoğan’s regime has at times cut off internet access entirely to millions of Turks, denying them both the means to assemble and spread dissident information, as well as basic services.

Julian Assange

Julian Assange proved in 2016 that even from the two-room de facto prison of London’s Ecuadorean embassy, it’s possible to upend the powers-that-be. In WikiLeaks’ most influential and controversial moves since it first rose to national attention in 2010, Assange masterminded the leaks of emails from the Democratic National Committee and the email account of Hillary Clinton campaign staffer John Podesta. Never mind that those leaks appeared to come not from internal whistleblowers but from external hackers, believed by US intelligence agencies to be on Russia’s payroll. Assange has denied that his source is Russian. But it’s a curious claim: WikiLeaks is designed to guarantee sources’ anonymity, so that even he can’t identify them. He also promises those sources he’ll “maximize the impact” of their leaks. And in this election, he kept his promise.

Peter Thiel

After supporting Donald Trump’s campaign financially and vocally, Peter Thiel ended this year as arguably the most influential person in Silicon Valley, literally sitting at the left hand of the president-elect in the tech industry’s meeting with him earlier this month. The intelligence contractor Palantir, which he co-founded, will no doubt rise with him, and its powers for privacy-piercing analysis could become more broadly applied within America’s intelligence and law enforcement agencies than ever before.

But we’ll leave all that for next year’s “most dangerous” list. Thiel’s real demonstration of his power in 2016 came in the form of Hulk Hogan’s lawsuit against Gawker, which the tech billionaire was revealed to have funded. The suit effectively wiped one of his personal enemies off the internet—which, as Thiel has calmly explained, was his goal. Given that win for censorship, his role on the Trump transition team, and Trump’s promise to “open up” libel laws, Gawker may just be the canary in the First Amendment coal mine.

Source : https://www.wired.com/2016/12/dangerous-people-internet-2016/

Categorized in News & Politics

No security posture is absolute. Rather than attempting only to prevent a security breach, organisations should implement strong plans for what to do when one takes place.

These days, data breaches are an all too common occurrence. Barely a week goes by without another high-profile attack taking place. With increasing legislation and regulatory requirements coming into play, these announcements are likely to become more prominent.

There’s much advice given about how to reduce the risk of an attack and the different preventative measures that organisations can put in place. However, with new technologies and routes of entry for attackers, preventive measures alone are not enough.

In order to ensure all bases are covered, organisations need to be prepared with a solid security incident response plan. When an incident occurs, it will ensure everyone knows exactly what to do to minimise the impact to their organisation.

Many organisations lack incident response plans for the same reason most people don’t get travel insurance before going on holiday, or check their tyre pressure before driving long distances.

Most people don’t think about these things until it’s too late. Developing and implementing a security incident response plan can be time consuming and often costly – two things most organisations do not have.

Without a response plan, incidents can escalate quickly and the impact can be severe. An incident response plan gives organisations a much better chance of isolating and controlling an incident in a timely and cost effective manner.

A recent incident response survey uncovered concerns by IT professionals about their organisation’s security incident response plans. A quarter of respondents were not confident in their organisation’s security response plan.

Despite this continued lack of confidence, respondents understood the significant impact of a breach upon their organisations, with reputational damage topping the list at 56%.

When asked why they thought an organisation would not have a response plan in place, lack of awareness within organisations came out on top with 38% of respondents highlighting this as an issue.

This was followed by a lack of resources (23%), lack of skills or expertise (18%), lack of budget (12%), other (9%) and lack of time (5%). Coming from IT professionals, the perceived lack of awareness when it comes to incident response plans is worrying.

So, the worst has happened and your organisation has suffered a security breach. What are the first things you need to do to ensure that your risk is minimised?

1. Triage

Don’t panic – it may be a natural reaction, but it doesn’t solve anything. Avoid the temptation to simply pull the plug or turn the machines off. Directly after a breach, things often seem worse than they are. Your main goal should be business continuity.

To do this, it’s important to establish the nature and extent of the incident. Is it something that has been seen before, such as a common anti-virus incident? If so, what steps need to be taken to control the impact of the incident?

It’s crucial to closely manage any communication about the security breach to customers and beyond. Many security breaches are broken by news outlets watching social media feeds.

Make sure you have a dedicated team in place for crisis communications and keep track of all customer interactions. This will help you better manage public relations following the incident.

2. Data analysis

Carefully analysing the data involved in the incident is crucial to understanding what actually happened. It may sound simple, but too many security breaches are misdiagnosed early on, resulting in incorrect remedial actions. For example, diagnosing a DDoS attack when a completely different failure has occurred, or preparing for a data corruption incident when it’s actually ransomware.

Understand what happened and how. If this is something that you don’t have the time or resources to manage in your organisation, call in cyber security experts to help you figure out what happened.

By assigning an expert to handle the incident, you can be sure the responsibility of incident management and coordination is taken care of, so that you can focus on getting your organisation back to its normal state of operation.

3. Communication

One of the biggest issues we see with incident response is a lack of internal communication – from board level down. Depending on the type of incident, it may be that communication with the rest of the organisation and external bodies such as third-party agencies, customers and regulatory authorities is necessary.

If that is the case, it’s important to ensure communication only occurs through the pre-planned and established channels.

Communication cannot just take place after the incident. It needs to be an on-going process throughout the organisation.

Regardless of their job function, when a security incident occurs, everyone needs to be fully trained and aware of their role and responsibilities.

Putting security incident playbooks in place for each department can be one way to keep staff aware of what they are and are not allowed to do in the wake of a breach.

As outlined in step one, taking charge of your communication channels is crucial. You should be the one to decide when and how news of the breach is disseminated to various parties. This will help minimise the impact of the incident and avoid fanning any flames.

4. Resolve and recover

Assuming the incident handler and the technical team assigned to the incident have control, you should be on the way to resolving the issue and heading towards recovery.

The road to recovery may involve rolling back disaster recovery (DR) applications, beginning to restore data from backups or simply closing the incident. Whatever the situation, the incident will not be properly resolved until all recovery actions are complete.

5. Lessons learned

Following an incident, organisations can be quick to fall back into routine. It’s important that you learn from every security incident to minimise the risk of it taking place in the future.

Ask yourself: what can we implement to better protect ourselves? If this happens again, have we done enough to minimise the risk and disruption? Does everyone know their role, and are they aware of the part they play in keeping the organisation secure?

Source : http://www.information-age.com/7-ways-cyber-attacks-will-evolve-2017-123463538/


APPLE EMERGED AS a guardian of user privacy this year after fighting FBI demands to help crack into San Bernardino shooter Syed Rizwan Farook’s iPhone. The company has gone to great lengths to secure customer data in recent years, by implementing better encryption for all phones and refusing to undermine that encryption.

But private information still escapes from Apple products under some circumstances. The latest involves the company’s online syncing service iCloud.

Russian digital forensics firm Elcomsoft has found that Apple’s mobile devices automatically send a user’s call history to the company’s servers if iCloud is enabled — but the data gets uploaded in many instances without user choice or notification.

“You only need to have iCloud itself enabled” for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft.

The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user’s iCloud account for up to four months, providing a boon to law enforcement who may not be able to obtain the data either from the user’s phone, if it’s encrypted with an unbreakable passcode, or from the carrier. Although large carriers in the U.S. retain call logs for a year or more, this may not be the case with carriers outside the US.

It’s not just regular call logs that get sent to Apple’s servers. FaceTime, which is used to make audio and video calls on iOS devices, also syncs call history to iCloud automatically, according to Elcomsoft. The company believes syncing of both regular calls and FaceTime call logs goes back to at least iOS 8.2, which Apple released in March 2015.

And beginning with Apple’s latest operating system, iOS 10, incoming missed calls that are made through third-party VoIP applications like Skype, WhatsApp, and Viber, and that use Apple CallKit to make the calls, also get logged to the cloud, Katalov said.

Because Apple possesses the keys to unlock iCloud accounts, U.S. law enforcement agencies can obtain direct access to the logs with a court order. But they still need a tool to extract and parse it.

Elcomsoft said it’s releasing an update to its Phone Breaker software tool today that can be used to extract the call histories from iCloud accounts, using the account holder’s credentials. Elcomsoft’s forensic tools are used by law enforcement, corporate security departments, and even consumers. The company also leases some of its extraction code to Cellebrite, the Israeli firm the FBI regularly uses to get into seized phones and iCloud data.

In some cases, Elcomsoft’s tool can help customers access iCloud even without account credentials, if they can obtain an authentication token for the account from the account holder’s computer, allowing them to get iCloud data without Apple’s help. The use of authentication tokens also bypasses two-factor authentication if the account holder has set this up to prevent a hacker from getting into their account, Elcomsoft notes on its website.

Apple’s collection of call logs potentially puts sensitive information at the disposal of people other than law enforcement and other Elcomsoft customers. Anyone else who might be able to obtain the user’s iCloud credentials, like hackers, could potentially get at it too. In 2014, more than 100 celebrities fell victim to a phishing attack that allowed a hacker to obtain their iCloud credentials and steal nude photos of them from their iCloud accounts. The perpetrator reportedly used Elcomsoft’s software to harvest the celebrity photos once the accounts were unlocked.

Generally, if someone were to attempt to download data in an iCloud account, the system would email a notification to the account owner. But Katalov said no notification occurs when someone downloads synced call logs from iCloud.

Apple acknowledged that the call logs are being synced and said it’s intentional.

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in an email. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

The syncing of iCloud call logs would not be the first time Apple has been found collecting data secretly. A few months ago, The Intercept reported about similar activity occurring with iMessage logs.

Chris Soghoian, chief technologist for the American Civil Liberties Union, said he’s not surprised that Apple is collecting the information.

“It’s arguably not even the worst thing about iCloud,” he told The Intercept. “The fact that iCloud backs up what would otherwise be end-to-end encrypted iMessages is far worse in my mind. There are other ways the government can obtain [call logs]. But without the backup of iMessages, there may be no other way for them to get those messages.”

Still, he said it’s further proof that “iCloud really is the Achilles heel of the privacy of the iPhone platform. The two biggest privacy problems associated with iCloud don’t have check boxes [for users to opt out], nor do they require that you opt in either.”

Jonathan Zdziarski, an iOS forensics expert and security researcher, said he doesn’t think Apple is doing anything nefarious in syncing the call logs. But he said that Apple needs to be clear to users that the data is being collected and stored in the cloud.

Authorized and Unauthorized iCloud Collection

iCloud is Apple’s cloud service that allows users to sync data across multiple Apple devices, including iPhones, iPads, iPods, and Macs. The iPhone menu corresponding to the service gives users the option of syncing mail, contacts, calendars, reminders, browser history, and notes and wallet data. But even though call logs are automatically getting synced as well, the menu does not list them among the items users can choose to sync. Because there’s no way to opt in to sync call logs, there is also no way to opt out — other than turning off iCloud completely, but this can cause other issues, like preventing apps from storing documents and data (such as WhatsApp backups) in the cloud.

“You can only disable uploading/syncing notes, contacts, calendars, and web history, but the calls are always there,” Katalov said. One way call logs will disappear from the cloud is if a user deletes a particular call record from the log on their device; then it will also get deleted from their iCloud account during the next automatic synchronization.

Katalov said they’re still researching the issue but it appears that in some cases the call logs sync almost instantly to iCloud, while other times it happens only after a few hours.

In addition to syncing data among their devices, users can also configure their iCloud account to automatically back up and store their data. Katalov said that call logs get sent to the cloud with these backups as well, but this is separate from the trafficking his company discovered: Even if users disable the backups, their call logs will still get synced to Apple’s servers.

“I would suggest Apple to add a simple option to disable call log syncing, as they do that for calendars and other things,” Katalov told The Intercept, though he acknowledges this would likely take some re-architecting on Apple’s part. Nonetheless, he says, “They should allow people to disable that if they want to.”

Even as Apple has increased the security of its mobile devices in recent years, the company has been moving more and more data to the cloud, where it is less protected. Although iCloud data is encrypted on Apple’s server, Apple retains the encryption keys in almost every instance and can therefore unlock the accounts and access data for its own purposes or for law enforcement.

“All of your [iCloud] data is encrypted with keys that are controlled by Apple, but the average user isn’t going to understand that,” Zdziarski said. “You and I are well aware that Apple can read any of your iCloud data when they want to.”

A report in the Financial Times nine months ago indicated Apple plans to re-architect iCloud to resolve this issue and better protect customer data, but that has yet to occur.

Apple discusses the privacy implications of iCloud collection on its website and does say that implementing backups will send to iCloud “nearly all data and settings stored on your device.” A 63-page white paper on the site discloses more clearly that call logs get uploaded to Apple servers when iCloud backups are enabled. But neither document mentions that the logs still get uploaded even if backups aren’t enabled.

Even in an online document about handling legal requests from law enforcement, Apple never mentions that call logs are available through iCloud. It says that it possesses subscriber information that customers provide, including name, physical address, email address, and telephone number. It also says it retains IP connection logs (for up to 30 days), email metadata (for up to 60 days), and content that the user chooses to upload, such as photos, email, documents, contacts, calendars, and bookmarks. The law enforcement document also says that Apple’s servers have iOS device backups, which may include photos and videos in the user’s camera roll, device settings, application data, iMessages, SMS and MMS messages, and voicemail.

The only time it mentions call logs is to say that iCloud stores call histories associated with FaceTime, but it says it maintains only FaceTime call invitation logs, which indicate when a subscriber has sent an invitation to someone to participate in a FaceTime call. Apple says the logs “do not indicate that any communication between users actually took place.” It also says it only retains these logs for “up to 30 days.”

But Elcomsoft said this is not true. Katalov said the FaceTime logs contain full information about the call, including the identification of both parties to the call and the call duration. He said his researchers also found that the FaceTime call logs were retained for as long as four months.

Early Clues From Frustrated Apple Customers

Some users are aware that their call logs are being synced to Apple’s servers, because a byproduct of the automatic syncing means that if they have the same Apple ID as someone with a different device — for example, spouses who have different phones but use the same Apple ID — they will see calls from one device getting synced automatically to the device of the other person who is using the same ID.

“It’s very irritating,” one user complained in a forum about the issue. “My wife and I both have iPhones, we are both on the same apple ID. When she gets a call my phone doesn’t ring but when she misses that call my phone shows a missed call icon on the phone app and when I go to the phone app it’s pretty clearly someone who wasn’t calling my phone. Any way to fix this so it stops?”

Another user expressed frustration at not knowing how to stop the syncing. “I use my phone for business and we have noticed in the last few days that all of the calls I make and receive are appearing in my wife’s iPhone recent call history? I have hunted high and low in settings on both phones but with no joy.”

There’s no indication, however, that these customers realized the full implications of their logs being synced — that the same data is being sent to and stored on Apple’s servers for months.

Apple isn’t the only company syncing call logs to the cloud. Android phones do it as well, and Windows 10 mobile devices also sync call logs by default with other Windows 10 devices that use the same Microsoft account. Katalov said there are too many Android smartphone versions to test, but his company’s research indicates that call log syncing occurs only with Android 6.x and newer versions. As with Apple devices, the only way for a user to disable the call history syncing is to disable syncing completely.

“In ‘pure’ [stock versions of] Android such as one installed on Nexus and Pixel devices, there is no way to select categories to sync,” Katalov said. “For some reason, that is only available on some third-party Android versions running on Sony, HTC, Samsung, etc.” The company already produces a tool for harvesting call logs associated with Android devices.

There’s little that subscribers can do to prevent law enforcement from obtaining their iCloud call logs. But to protect against hackers who might obtain their Apple ID from doing the same, they can use two-factor authentication. But Zdziarski said there’s another solution.

“The takeaway really is don’t ever use iCloud. I won’t use it myself until I can be in control of the encryption keys,” he said.

Source : https://theintercept.com


The Security preference pane allows you to control the security level of the user accounts on your Mac. In addition, the Security preference pane is where you configure your Mac's firewall, as well as turn data encryption on or off for your user account.

The Security preference pane is divided into three sections.

General: Controls password usage, specifically, whether passwords are required for certain activities. Controls automatic log-out of a user account. Lets you specify whether location-based services have access to your Mac's location data.

FileVault: Controls data encryption for your home folder, and all of your user data.

Firewall: Allows you to enable or disable your Mac's built-in firewall, as well as configure the various firewall settings.

Let's get started with configuring the security settings for your Mac.

Launch the Security Preference Pane

Click the System Preferences icon in the Dock or select 'System Preferences' from the Apple menu.

Click the Security icon in the Personal section of the System Preferences window.

Proceed to the next page to learn about the General configuration options.

2 Using the Mac Security Preference Pane - General Mac Security Settings


The Mac Security preference pane has three tabs along the top of the window. Select the General tab to get started with configuring your Mac's general security settings.

The General section of the Security preference pane controls a number of basic but important security settings for your Mac. In this guide, we will show you what each setting does, and how to make changes to the settings. You can then decide if you need the security enhancements available from the Security preference pane.

If you share your Mac with others, or your Mac is located in a place where others can easily gain access to it, you may wish to make some changes to these settings.

General Mac Security Settings

Before you can begin making changes, you must first authenticate your identity with your Mac.

Click the lock icon in the bottom left-hand corner of the Security preference pane.

You will be prompted for an administrator username and password. Provide the requested information, and then click OK.

The lock icon will change to an unlocked state. You're now ready to make any changes you wish.

Require password: If you place a check mark here, then you (or anyone who attempts to use your Mac) will be required to provide the password for the currently logged-in account in order to exit sleep or an active screen saver. This is a good basic security measure that can keep prying eyes from seeing what you're currently working on, or from accessing your user account data.

If you select this option, you can then use the dropdown menu to select a time interval before the password is required. I suggest selecting an interval long enough that you can exit a sleep or screen saver session that starts unexpectedly, without needing to provide a password. Five seconds or 1 minute are good choices.

Disable automatic login: This option requires users to authenticate their identity with their password any time they log on.

Require a password to unlock each System Preferences pane: With this option selected, users must provide their account ID and password any time they attempt to make a change to any secure system preference. Normally, the first authentication unlocks all secure system preferences.

Log out after xx minutes of inactivity: This option lets you select a set amount of idle time after which the currently logged-in account will be automatically logged out.

Use secure virtual memory: Selecting this option will force any RAM data written to your hard drive to be first encrypted. This applies to both virtual memory usage and Sleep mode, when the contents of RAM are written to your hard drive.

Disable Location Services: Selecting this option will prevent your Mac from providing location data to any application that requests the information.

Click the Reset Warnings button to remove location data already in use by applications.

Disable remote control infrared receiver: If your Mac is equipped with an IR receiver, this option will turn the receiver off, preventing any IR device from sending commands to your Mac.

3  Using the Mac Security Preference Pane - FileVault Settings


FileVault uses a 128-bit (AES-128) encryption scheme to protect your user data from prying eyes. Encrypting your home folder makes it nearly impossible for anyone to access any user data on your Mac without your account name and password.

FileVault can be very handy for those with portable Macs who are concerned about loss or theft. When FileVault is enabled, your home folder becomes an encrypted disk image that is mounted for access after you log in. When you log off, shut down, or sleep, the home folder image is unmounted and is no longer available.

When you first enable FileVault, you may find the encryption process can take a very long time. Your Mac is converting all of your home folder data into the encrypted disk image. Once the encryption process is complete, your Mac will encrypt and decrypt individual files as needed, on the fly. This results in only a very slight performance penalty, one that you will rarely notice except when accessing very large files.

To change FileVault's settings, select the FileVault tab in the Security Preferences pane.

Configuring FileVault

Before you can begin making changes, you must first authenticate your identity with your Mac.

Click the lock icon in the bottom left-hand corner of the Security preference pane.

You will be prompted for an administrator username and password. Provide the requested information, and then click OK.

The lock icon will change to an unlocked state. You're now ready to make any changes you wish.

Set Master Password: The master password is a fail-safe. It allows you to reset your user password in the event you forget your login information. However, if you forget both your user account password and the master password, you will not be able to access your user data.

Turn On FileVault: This will enable the FileVault encryption system for your user account. You will be asked for your account password and then given the following options:

Use secure erase: This option overwrites the data when you empty the trash. This ensures that the trashed data is not easily recoverable.

Use secure virtual memory: Selecting this option will force any RAM data written to your hard drive to be first encrypted.

When you turn FileVault on, you will be logged out while your Mac encrypts your home folder's data. This can take quite a while, depending on the size of your home folder.

Once the encryption process is complete, your Mac will display the login screen, where you can provide your account password to log in.

4  Using the Mac Security Preference Pane - Configuring Your Mac's Firewall


Your Mac includes a personal firewall you can use to block unwanted network or Internet connections. The Mac's firewall is based on a standard UNIX firewall called ipfw. This is a good, though basic, packet-filtering firewall. On top of this basic firewall Apple adds a socket-filtering system, also known as an application firewall. The application firewall makes it easier to configure the firewall settings: instead of needing to know which ports and protocols are necessary, you can simply specify which applications have the right to make incoming or outgoing connections.

To begin, select the Firewall tab in the Security preference pane.

Configuring the Mac's Firewall

Before you can begin making changes, you must first authenticate your identity with your Mac.

Click the lock icon in the bottom left-hand corner of the Security preference pane.

You will be prompted for an administrator username and password. Provide the requested information, and then click OK.

The lock icon will change to an unlocked state. You're now ready to make any changes you wish.

Start: This button will start the Mac's firewall. Once the firewall has been started, the Start button will change to a Stop button.

Advanced: Clicking this button will allow you to set the options for the Mac's firewall. The Advanced button is only enabled when the firewall is turned on.

Advanced Options

Block all incoming connections: Selecting this option will cause the firewall to prevent any incoming connections to non-essential services. Essential services as defined by Apple are:

Configd: Allows DHCP and other network configuration services to occur.

mDNSResponder: Allows the Bonjour protocol to function.

raccoon: Allows IPSec (Internet Protocol Security) to function.

If you choose to block all incoming connections, then most file, screen, and print sharing services will no longer function.

Automatically allow signed software to receive incoming connections: When selected, this option will automatically add securely signed software applications to the list of applications that are allowed to accept connections from an external network, including the Internet.

You can manually add applications to the firewall's application filter list using the plus (+) button. Likewise, you can remove applications from the list using the minus (-) button.

Enable stealth mode: When enabled, this setting will prevent your Mac from responding to traffic queries from the network. This will make your Mac appear to be non-existent on a network.
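As an added example, not part of the original article, the following shell script checks the same Advanced options from the command line using Apple's socketfilterfw utility. It assumes the tool's path shown below, assumes that each "--get..." status line contains the word "enabled" or "disabled", and must be run with administrator rights to query the live settings.

```shell
#!/bin/sh
# Audit the macOS application firewall settings described above.
# Added example; not the article's own instructions. Assumed tool path
# (override with FW=/path/to/socketfilterfw if it differs on your system).
FW="${FW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# classify_state: map one socketfilterfw status line to on/off/unknown.
# Assumption: the tool's output contains "enabled" or "disabled" in some
# letter case, e.g. "Firewall is enabled. (State = 1)", "Stealth mode disabled".
classify_state() {
  _line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$_line" in
    *disabled*) echo off ;;
    *enabled*)  echo on ;;
    *)          echo unknown ;;
  esac
}

# baseline_ok: given the states of the firewall (global), stealth mode,
# "block all" and "allow signed", return 0 when the firewall is running and
# stealth mode is on. Block-all and allow-signed are reported but left to
# local policy, since block-all disables file, screen and print sharing.
baseline_ok() {
  _global=$1; _stealth=$2
  [ "$_global" = on ] && [ "$_stealth" = on ]
}

# audit_firewall: query the live settings, print name=state lines, and
# return 1 if the baseline is not met (useful as a compliance check).
audit_firewall() {
  _global=$(classify_state "$("$FW" --getglobalstate 2>/dev/null | head -n 1)")
  _stealth=$(classify_state "$("$FW" --getstealthmode 2>/dev/null | head -n 1)")
  _blockall=$(classify_state "$("$FW" --getblockall 2>/dev/null | head -n 1)")
  _signed=$(classify_state "$("$FW" --getallowsigned 2>/dev/null | head -n 1)")
  echo "firewall=$_global"
  echo "stealth_mode=$_stealth"
  echo "block_all_incoming=$_blockall"
  echo "allow_signed_software=$_signed"
  if baseline_ok "$_global" "$_stealth" "$_blockall" "$_signed"; then
    echo "result=baseline met"
    return 0
  fi
  echo "result=baseline NOT met (enable the firewall and stealth mode)"
  return 1
}

# Only query the live system when the tool is actually present (macOS).
if [ -x "$FW" ]; then
  audit_firewall
fi
```

Running it on a Mac prints one line per setting and exits non-zero when the firewall or stealth mode is off, so it can be dropped into a login script or configuration check.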

Author:  Tom Nelson

Source:  https://www.lifewire.com


Looming behind the excitement at SC16 around new digital enterprise strategies is the growing menace of cyber-attacks. But in spite of these worries, the state of cybersecurity readiness at too many companies is woefully inadequate. 

That’s the finding of Bob Sorensen, research vice president, HPC Group, at industry watcher IDC delivered at the analyst group’s annual HPC Update breakfast at SC16 this week in Salt Lake City. Sorensen’s message: If your company has the characteristics of a cybersecurity “worst practitioner” (which tends to be among public utilities, hospitals and universities – manufacturers are generally “middle of the pack”), the time to adopt new cybersecurity strategies is now.

IDC conducted a study of cybersecurity at 62 large industries in the U.S. and Europe across the financial services, technology, manufacturing, retail, hospital and academic sectors. Here are excerpts of his comments:

The State of Cybersecurity

The key concerns that came out in our study: Most US companies are underprepared to deal with cybersecurity threats. Even though there are lots of good best practices, they’re only being conducted by a small number of leading-edge firms. On average, firms are not availing themselves of what’s readily available, and that’s a cause for concern.

Detecting a breach can take up to two years. That’s really a disturbing concept, that someone could be nosing around corporate data that’s not only unprotected, not just to steal data, but to change it. Data integrity is a concern, the idea that the data you’re using to make critical decisions in research or business process environments may not be the right data, it may have been changed for nefarious reasons. It’s one of the silent concerns.


The Big Fear: Reputation Damage

One of the things we found with the Target breach, a very public intrusion, is that Target really didn’t take a huge financial hit on the actual intrusion itself. There was insurance in place, there was pushing off losses to the finance companies that Target deals with.

What we found, what really scares companies, isn’t the loss of dollars, it’s the loss of reputation, which brings with it a future loss of income that you simply cannot determine. Companies…can buy insurance for a particular hit, that’s a known quantity, but what they can’t do is figure out how that affects their line of business down the line. Which speaks in some sense to the idea that there’s probably a lot of cyber-attacks we’re not finding out about simply because it benefits these companies greatly to keep attacks under wraps as long as possible.

Malware Manners

We heard this time and again: malware people are conducting themselves in a very proper and organized manner. The thinking with a lot of them is…they don’t charge too much because they don’t want to kill the goose that laid the golden egg. (Malware practitioners think of it as) a very refined, respectable business to be in. You come in and say: ‘Give us some money and we’ll go away.’ You give them money and they do go away because if they don’t, no one’s going to give them more money. And if they ask for too much money there are going to be problems. So right now it’s a very genteel world out there for malware.

Conflicting Priorities: Security and Access

IDC's Bob Sorensen


There’s a major tradeoff between security and easy access (to the network and to data). It’s something every business has to deal with. We asked questions about balancing security and processes, and the underlying goal is: ‘We have to do both, we can’t sacrifice our business plan for our cybersecurity.’ We found time and again even among the best practitioners in data security: Job 1 is conducting business, and that process is king. This is handed down from the board of directors of the company, and then they tell cybersecurity teams, ‘Make us secure under this realm.’

Proliferating Points of Attack

Heterogeneity is a problem: the idea of ‘bring your own device,’ multiple operating systems, clouds. There are lots and lots of end points out there, lots of ways to enter a network, and these are things cybersecurity folks are definitely worried about.

We talked to the cybersecurity chief at Nike, he said he has 59 (network) access points to worry about every day because he has to make sure everyone who gets on the Nike website, who wants to look at the new and latest sneaker, has access, can order, can conduct business. That’s his job, and he has to work within those confines.

There is increasing access from the network edges. The one I would point out is suppliers. Supply chain issues I think are really interesting. More and more large industrial companies are increasingly tied electronically to their supply chain, and that is a real vulnerability….

Worst Practices: Wait and See

A lot of the worst practitioners really just buy insurance…. The worst practitioners time after time said, ‘We have the best tools, life has got to be good.’ The story we like to repeat: the companies that seem to be most sanguine with their cybersecurity infrastructure say: ‘We’ve never been hit before so we must be doing something right.’ They weren’t terribly forward looking when it came to actually making sure they were more secure….

Everybody (in the survey) had data breach plans, but… a lot of them were not IT-related. The thinking wasn’t to gather up forensics and figure out how to plug holes. It was how to deal with the publicity aspect, the legal aspects, the privacy concerns, the possibility of getting sued. This surprised us….

Best Practices: People vs. People

One thing we found is that the best practitioners see this as a people vs people battle. This is not a tool war where as long as you have the best software, as long as you roll out the patches when you’re supposed to, then life is good. It’s really about finding, hiring and retaining the best people to go after the people who are trying to get at you.

Best Practices: Be Proactive

An interesting concept that we see is that proactive cybersecurity teams think in terms of educating the user base within their companies. They’re not just sitting back and making sure the patches are installed and making sure everyone changes their password every six months. It’s really more about reaching out…to the individual people within firms and making sure they understand their roles.

For example, one company closely watches social media. And they look for key events that they think could trigger a phishing attack. When it became known that Prince had died, they sent out an email to their entire company saying there’s a good chance you’re going to get an email in the next 24 hours asking if you want to see the Prince tribute video. So the idea is to proactively get employees to be aware of what their responsibilities are.

Another story we heard is about companies buying stolen credit card numbers. Not because they want to get involved in law enforcement but because it’s cheaper to buy stolen credit card numbers and put them in your database. So if someone tries to buy something with a stolen number you can kick them out. It’s an interesting, proactive way to do this.

So the good cybersecurity team isn’t waiting for problems, it’s going after solving them before they happen.


Data Scientists and Cybersecurity

Most companies aren’t using Big Data (for cybersecurity purposes) in the sense that we in the HPC community think about Big Data… When we asked companies why they weren’t using Big Data, they said they can’t find Big Data scientists who know how to do cybersecurity.

And when we went to companies that have lines of business that use smart data scientists, they said, ‘Yeah, they’re over there contributing to the bottom line of the company. We can’t bring them over to cybersecurity, they’re going to stay over there making money for the company.’

Virtual Cybersecurity Data Science

What I see in the future is really where HPC comes into play here. The goal for a lot of cybersecurity teams is real-time intrusion detection. They want to have a dashboard that tells them something odd has happened in the network. And a lot of folks think that deep learning – the idea that you have a system that monitors the steady state of the network and rises to the attention of humans where something has gone awry.

We’re going to see more efforts for high powered systems and deep learning to do real-time monitoring…almost as a way to get companies out of having to find data scientists. This might be an ultimate method toward dealing with cybersecurity… It’s something the HPC world is going to be involved in much more going forward.

Author:  Doug Black

Source:  https://www.hpcwire.com


Choosing and managing passwords is the fundamental security measure under the client’s control. Even if the application and its server are impenetrable, that means absolutely nothing if your password can be cracked by an average Joe.

You would think that all security-conscious people would know how to protect themselves, but I frequently see cases like these:

CaliConnect’s Private PGP Key & Account Password Was “asshole209”

Twitter – Launched & Hacked in 2 Hours (Password was: 123123123…)

Cantina Marketplace PWND: Admin Password was: “Password1” ?!

This tutorial explains the password cracking methods that still work when the server and client side are otherwise protected. The effectiveness of these methods depends heavily on the attacker’s processing power, which we analyze after the attack methods.

If you just want to know the easy way to be safe, jump to ‘Easy way to Manage Strong Passwords’.

Brute Force Attack

A brute-force attack is a technique of enumerating all possible password candidates and checking each one. It is not an elegant attack method, but sometimes it’s all that’s needed. This attack is feasible only against very weak (short) passwords.

Dictionary Attack

A dictionary attack is a variant of the brute-force attack in which the attacker gathers all available information about the targeted password(s) and builds a ‘dictionary’: a customized list of password candidates, typically starting with the most common passwords, then frequently used dictionary words and some combinations of them. Next, the dictionary usually contains all of those words with common prefixes and suffixes such as numbers and punctuation signs.

Dictionary attacks are relatively easy to defeat by choosing a password that is not a simple variant of a word found in any dictionary. Many password cracking tools have built-in dictionaries. This page collects information on the most popular tools, their dictionaries and collections of leaked passwords for analysis in one place.


Rainbow Tables

This attack is used when the attacker has obtained the password database. It’s worth mentioning here because the complexity of your password protects you even if the server is compromised. Protection-wise, it’s enough to know that a strong password does the trick here as well.

Skip this part if you just want to secure yourself without bothering with hashing, rainbow tables and salting.

Databases don’t store plaintext passwords but password hashes. A hash is the output of a (deliberately time-consuming) one-way function that scrambles the input so the original cannot be recovered from it. When you enter your password, the server calculates the hash of the entered value and compares it to the one stored in the database to confirm it.

A very simple hash-like function as an example: take the number 4 as input, square it (16), take the natural log (2.7725), multiply by pi (8.7103) and take the factorial (gamma function) -> 189843.119. Now ask a friend how 189843.119 is related to 4. Chances are, no one can figure it out.

Password hashes often look like this one: qiyh4XPJGsOZ2MEAyLkfWqeQ

So, when an attacker compromises the password database he won’t be able to read your password directly (or will he? read on). This is where the rainbow table comes in: it’s a pre-computed table of passwords and their hashes. The attacker compares the rainbow table hashes to those in the database; if a hash matches, the password is discovered. Here’s a short example:

This is what we can find in a database:

User            Password hash
RegularUser1    HgkHJgKHgKhKGhjfhgKvkGjKG
Administrator   qiyh4XPJGsOZ2MEAyLkfWqeQ

Let’s try to find the Administrator’s hash in the rainbow table:

Password    Hash
password    asdh4DFGsOZ2MEAyLkfWqES
qwerty      qi8H8R7OM4xMfdMPuRAZxlY
pass1234    GsOZ2MEAM4xPuRAZxlqiyAFiy
passw0rd    qiyh4XPJGsOZ2MEAyLkfWqeQ   <- matches the Administrator’s hash, so the password is passw0rd
abcdefgh    nKv3LvrdAVtOcE5EcsGIpYBtniN


That’s why some servers ‘salt’ the hash by adding a random value to the input, so the attacker can’t simply download a finished rainbow table; he has to build a custom one for that salt, which takes a lot of time because the hash function is time-consuming. If a different salt is used for each password, the attacker needs a custom table for each password, which is not feasible. The salt is stored next to the password hash; it is no secret, since its only job is to make the attacker’s computer do a lot of ‘work’.

There’s only so much the server side can do for you; it’s up to you to choose a strong password. If the attacker targets you specifically, he may build a rainbow table for your salt. It’s up to you to have a password that will not be in his table.

I’m surprised how many sensitive web services allow weak passwords.
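The lookup above and the effect of salting, as an added Python example that is not part of the original tutorial: SHA-256 stands in for the site’s hash function, the candidate list is constructed, and the functions show the reusable table cracking an unsalted database, the same table failing against a per-user salt, and the targeted per-salt table the paragraph above warns about.

```python
import hashlib
import os

# Constructed candidate list standing in for an attacker's dictionary
CANDIDATES = ["password", "qwerty", "pass1234", "passw0rd", "abcdefgh"]


def unsalted_hash(password: str) -> str:
    # SHA-256 stands in for the site's hash; a real site should use a slow, salted KDF
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is mixed into the input, so the same password hashes differently per user
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(candidates, salt: bytes = b"") -> dict:
    # Precomputed hash -> password mapping. With salt=b"" it is the reusable rainbow
    # table; with a specific salt it is the custom table an attacker must build per user.
    return {salted_hash(p, salt): p for p in candidates}


def crack_unsalted_db(table: dict, db: dict) -> dict:
    # db maps user -> hash; a hit means the password was in the candidate list
    return {user: table.get(h) for user, h in db.items()}


def crack_salted_db(table: dict, db: dict) -> dict:
    # db maps user -> (salt, hash). The stored hash covers salt+password, so the
    # unsalted table never matches, even when the password itself is in it.
    return {user: table.get(h) for user, (salt, h) in db.items()}


def crack_targeted(candidates, salt: bytes, stored_hash: str):
    # The targeted attack from the text: rebuild the table for this one salt
    return build_table(candidates, salt).get(stored_hash)


def register(password: str) -> tuple:
    # Server side: a random salt per user, stored next to the hash (it is not secret)
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored_hash: str) -> bool:
    # Server side: recompute with the stored salt and compare
    return salted_hash(password, salt) == stored_hash
```

The unsalted table recovers passw0rd, the salted lookup returns None, and the per-salt table recovers it again, which is the tutorial’s point: salting only buys time against a targeted attacker, and a password outside the candidate list is what actually protects you.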

Practical analysis of these attacks

The analyzed times represent offline attack speed. Online attacks are much slower than this, but it makes sense to aim for a password strong enough against offline attacks, because that is the maximum speed and it costs only a few extra characters.

Password complexity depends on two characteristics: length and the number of different characters. For example, an 8-digit password (only numbers, 10 possible characters): _ _ _ _ _ _ _ _ has 10 possible characters in each position, so there are 10*10*10*10*10*10*10*10 = 10^8 possible combinations. If the attacker has a Pentium 4D 3.2 GHz processor he can try 2 million passwords per second. That means the password can be broken in 10^8 / (2*10^6) = 50 seconds.

Formula for the number of combinations the attacker needs to try:

A^B, where: A – number of different possible characters

B – password length

If the password length is unknown, the attacker will usually try only the shortest ones first. Say he wants to try all passwords of 8, 9 and 10 characters; the number of combinations is A^8 + A^9 + A^10.

Exponential growth

Luckily for us, password complexity rises exponentially as length increases. In the example above (10 digits only) each extra character multiplies the number of possible combinations by 10.

Here’s a table for passwords that contain only lower-case letters from the English alphabet and digits – 36 different characters (Combinations = 36 ^ length):

Length (B)   Combinations (36^B)            Individual capability   5000x individual
1            36                             < 1 second              < 1 second
2            1 296                          < 1 second              < 1 second
3            46 656                         < 1 second              < 1 second
4            1 679 616                      < 1 second              < 1 second
5            60 466 176                     30 seconds              < 1 second
6            2 176 782 336                  18 minutes              1 second
7            78 364 164 096                 10 hours                55 seconds
8            2 821 109 907 456              16 days                 33 minutes
9            101 559 956 668 416            1 year                  20 hours
10           3 656 158 440 062 976          60 years                30 days
11           131 621 703 842 267 136        2140 years              3 years
12           4 738 381 338 321 616 896      77025 years             110 years


[Chart: days to crack (Y axis) against password length (X axis) for the 36-character set (letters and numbers). Blue: the first case, an experiment with the previously mentioned Pentium 4D 3.2 GHz processor, affordable processing power for an individual. Red: the second case, someone who can use 5 000 such processors.]
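The A^B formula and the crack-time table above, as an added Python example that is not part of the original tutorial. The guess rates are the page’s 2 million per second and 5 000 times that; times are truncated to the largest whole unit, the way the tables present them.

```python
RATE_INDIVIDUAL = 2_000_000              # guesses/second, the page's Pentium 4D 3.2 GHz figure
RATE_CLUSTER = 5000 * RATE_INDIVIDUAL    # the "5000x individual" column
UNITS = (("year", 365 * 86400), ("day", 86400), ("hour", 3600), ("minute", 60), ("second", 1))


def combinations(charset_size: int, length: int) -> int:
    # A^B: each of the B positions can hold any of the A characters
    return charset_size ** length


def keyspace_for_lengths(charset_size: int, lengths) -> int:
    # Unknown length: the attacker tries every length in the range, A^8 + A^9 + A^10 + ...
    return sum(combinations(charset_size, b) for b in lengths)


def seconds_to_crack(charset_size: int, length: int, rate: float) -> float:
    # Worst case for the attacker: the whole keyspace is enumerated
    return combinations(charset_size, length) / rate


def human(seconds: float) -> str:
    # Truncate to the largest whole unit, as the tutorial's tables do
    if seconds < 1:
        return "< 1 second"
    for unit, size in UNITS:
        if seconds >= size:
            n = int(seconds // size)
            return f"{n} {unit}" + ("" if n == 1 else "s")
    return "< 1 second"  # not reached; keeps the function total


def crack_table(charset_size: int, max_length: int) -> list:
    # Rows of (length, combinations, individual time, 5000x time)
    return [(b, combinations(charset_size, b),
             human(seconds_to_crack(charset_size, b, RATE_INDIVIDUAL)),
             human(seconds_to_crack(charset_size, b, RATE_CLUSTER)))
            for b in range(1, max_length + 1)]


if __name__ == "__main__":
    print(human(seconds_to_crack(10, 8, RATE_INDIVIDUAL)))   # the page's 8-digit example: 50 seconds
    for row in crack_table(36, 12):
        print(*row)
    for row in crack_table(126, 9):
        print(*row)
```

The individual-capability column reproduces the page’s figures (30 seconds, 18 minutes, 10 hours, 16 days for lengths 5 to 8 in the 36-character set); the 5000x column is simply the same keyspace divided by the larger rate.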

We can see that length 12 is a sweet spot, and it gets even safer if we expand the character set to uppercase and lowercase letters, numbers and punctuation signs. The number of possible characters is then 126:

Length (B)   Combinations (126^B)           Individual capability   5000x individual
1            126                            < 1 second              < 1 second
2            15 876                         < 1 second              < 1 second
3            2 000 376                      1 second                < 1 second
4            252 047 376                    2 minutes               < 1 second
5            31 757 969 376                 4 hours                 22 seconds
6            4 001 504 141 376              23 days                 47 minutes
7            504 189 521 813 376            8 years                 4 days
8            63 527 879 748 485 376         1 032 years             2 years
9            8 004 512 848 309 157 376      130 000+ years          184 years


[Chart: days to crack (Y axis) against password length (X axis) for the 126-character set. Blue: the first case, an experiment with the previously mentioned Pentium 4D 3.2 GHz processor, affordable processing power for an individual. Red: the second case, someone who can use 5 000 such processors.]

Conclusion

Using only lowercase or only uppercase letters plus numbers, you need an 11-character password.

If you’re using both lowercase and uppercase letters, numbers and punctuation signs, you need an 8-character password.

Neither should be predictable enough to appear in a dictionary attack list. I would recommend a 12-character password drawn from the wide character set.

Easy way to Manage Strong Passwords

A different password should be used for each sensitive account, because attackers often try a compromised password against all of your accounts.

A password should be at least 12 characters long and include an uppercase letter, a lowercase letter, a number and a punctuation sign. You can easily meet those requirements by rambling on the keyboard, but such passwords are difficult to remember.

Password Manager

A password manager lets the user have hundreds of different passwords while only having to remember a single one: the password that opens the encrypted password database. Needless to say, this single password should be strong and well protected (not recorded anywhere).

Most password managers can automatically create strong passwords using a cryptographically secure random password generator, and can calculate the entropy of the generated password. A good password manager also provides resistance against attacks such as keylogging, clipboard logging and various other memory-spying techniques.

To generate one strong password that’s easy to remember you can use a great source of entropy: your mind. Think of a sentence or two, something like: ‘any sentence will do the trick, Just Make Sure It’s Over 12 Words’. The password would be: aswdtt,JMSIO12W (the first letter of each word, keeping the punctuation and the number). You can remember the sentence easily and recreate the password later. Ideally, the sentence includes a punctuation sign and a number.

There are many similar tricks out there if you don’t like this one.

Pattern

So you don’t like installing a manager? Think of a good pattern that will not be obvious. An example would be: pick 2 numbers, 6 and 7, surround your password with 67 and with shift+6 = &, shift+7 = /, and also uppercase the 6th and 7th letters. If your password right now is password -> 67passwORd&/ is easy to remember and strong. The word can be something you can remember for each site, but stay away from obvious choices like the domain name.

Avoid common letter-number substitutions like o – 0, I – 1. Here’s the same link once again; I highly recommend taking a look at the common dictionaries and tools attackers may try to use against you.

Source:  deepdotweb.com
