Tag Archive for Imperva

| March 20, 2012
One comment

Spyware Prevention 101

Spyware MalwareSpyware goes by many names, including adware, malware, crimeware, scumware and snoopware. No matter what you call it, spyware’s purpose is still the same: to steal your personal information (PII).

WebrootHelp Net Security says that once hackers have your personal information they can steal your identity, use your credit cards, siphon funds from your bank accounts and more. Simply put: it’s bad news and you want nothing to do with it.

The good news, according to the article, is that spyware prevention is possible and there are many ways to keep these dangerous programs at bay. In addition to installing the right software, users can practice these computer security tips from Broomfield, CO based Internet security firm Webroot:

  • Safe downloadsDownload software directly from the source. The article says a common way to get a spyware infection is to install free or pirated programs from file-sharing sites which have been booby-trapped with malware.
  • Set your browser security settings to “high” and protect yourself from “drive-by” downloads and automatic installations of unwanted programs.
  • Avoid questionable websites, such as those featuring adult material. They’re notorious for spreading spyware threats and causing users Firewallproblems.
  • Use a firewall.
  • Be suspicious of email and IM.
  • Don’t open attachments unless you know the sender and are expecting a file from them.
  • Delete messages you suspect are spam (don’t even open them).
  • Avoid clicking on links within messages.
  • PhishingDo not give personal information to unsolicited requests even if they seem legitimate.
  • If you receive a request for personal information from your bank or credit card company, contact that financial institution directly, but do not click on a link embedded in the email message.

rb-

Amichai Shulman – CTO, Imperva posted that the credentials to a Hotmail account is worth $1.50 and a Gmail account is worth over $80 to cybercriminals. Gmail is more valuable to the attacker because of the wide variety of other Gmail cloud services that can be accessed through Gmail credentials.

It is also likely that credentials used by a person for one application will most work on other applications as well. It is not uncommon for people to have the same username and password used for their Facebook account, their Twitter account, their Airline Frequent Flyer account or any application that uses their Gmail account as the application account name.

That’s why spyware is bad.

Related articles
Category: Security | Tags: , , , , , , , ,
| January 30, 2010
Comments Off

Password Insecurity

The massive Rockyou.com breach reveals the weakness of most passwords.  The Rockyou.com breach provided an opportunity to evaluate the true strength of passwords as a security mechanism. The  California-based security firm Imperva analyzed the stolen cache of 32 million passwords and the results are not pretty.  According to researchers, most passwords are eight or fewer characters and nearly 30% of passwords were six characters or less. They also found Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on) and 20 percent are from a pool of 5,000 passwords. The ten most common passwords used were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

“The problem has changed very little over the past 20 years,” explained Imperva’s CTO Amichai Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security. It’s important to point out that, the same password “123456” also topped a similar chart based on statistical analysis of 10,000 Hotmail passwords published (Link removed at the request of Acunetix) October, 2009 by Acunetix (Link removed at the request of Acunetix).

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Shulman in a press release.

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.

The rest of the passwords rated by popularity:

Some of the lessons that firms can lead from the Imperva research are: 1) Most users implement short passwords which lack a lower-capital-numeric characters mix or trivial dictionary words which every decent brute forcing/password recovery application can find in a matter of minutes.  A hacker will typically take 17 minutes to gain access to 1000 accounts. 2) Strong password algorithms must be coupled with longer passwords that contain a mix of letters, numbers, and, where possible, punctuation. 3) Firms should emulate the Twitter’sbanned passwords” list consisting of 370 passwords that are not allowed to be used. The analysis  proves that most people don’t care enough about their own online security to give more than a fleeting thought when choosing the password which secures access to their accounts.  This research shows why firms must take proactive actions to manage their users choices in passwords.

PASSWORD RELATED SECURITY BEST PRACTICES:

• All passwords are to be treated as sensitive, confidential corporate information.
• Don’t use the same password for corporate accounts and non-corporate accounts (e.g., Facebook, Twitter, personal ISP account,  etc.).
• If someone demands a password call someone in the Information Security Department.
• Change passwords at least once every four months.
• Do not use the “Remember Password” feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
• If an account or password is suspected to have been compromised, report the incident and change all passwords.

Strong passwords characteristics:
• At least eight (8) alpha-numeric characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character* (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored on-line.

Password  “dont’s”:
• Don’t reveal a password over the phone to ANYONE
• Don’t reveal a password in an email message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., “my family name”)
• Don’t reveal a password on questionnaires or security forms
• Don’t share a password with family members
• Don’t reveal a password to co-workers while on vacation

OTHER PASSWORD RELATED SECURITY BEST PRACTICES:
• Account Lockout: all systems should be set to “lock out” a user after a maximum of 5 incorrect password or failed login attempts
• Lockout Threshold: all systems should have a minimum “lock out” time of five (5) minutes
• Password History: systems should be configured to require a password that is different from the last ten (10) passwords

Related articles
Category: Security | Tags: , , , , ,
 

Switch to our mobile site