Archive for January 30, 2010

Password Insecurity

The massive Rockyou.com breach reveals the weakness of the password. The Rockyou.com breach provided an opportunity to evaluate the true strength of passwords as a security mechanism. California-based security firm Imperva analyzed the stolen cache of 32 million passwords and the results are not pretty. According to researchers, most passwords are eight or fewer characters and nearly 30% of passwords were six characters or less. They also found that nearly 50% of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), and 20 percent are from a pool of 5,000 passwords. The ten most common passwords used were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

“The problem has changed very little over the past 20 years,” explained Imperva’s CTO Amichai Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security.” It’s important to point out that the same password, “123456”, also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published in October 2009 by Acunetix (link removed at the request of Acunetix).

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Shulman in a press release.

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy-to-crack passwords like ‘123456’,” said Shulman.

The rest of the passwords rated by popularity:

(Image: Imperva chart of passwords ranked by popularity)

Some of the lessons that firms can learn from the Imperva research are:

1) Most users choose short passwords that lack a mix of lower-case, upper-case and numeric characters, or trivial dictionary words that any decent brute-forcing/password-recovery application can find in a matter of minutes. A hacker will typically take 17 minutes to gain access to 1000 accounts.

2) Strong password algorithms must be coupled with longer passwords that contain a mix of letters, numbers, and, where possible, punctuation.

3) Firms should emulate Twitter’s “banned passwords” list consisting of 370 passwords that are not allowed to be used.

The analysis proves that most people don’t care enough about their own online security to give more than a fleeting thought to choosing the password that secures access to their accounts. This research shows why firms must take proactive actions to manage their users’ choices in passwords.

PASSWORD RELATED SECURITY BEST PRACTICES:

• All passwords are to be treated as sensitive, confidential corporate information.
• Don’t use the same password for corporate accounts and non-corporate accounts (e.g., Facebook, Twitter, personal ISP account, etc.).
• If someone demands a password, call someone in the Information Security Department.
• Change passwords at least once every four months.
• Do not use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
• If an account or password is suspected to have been compromised, report the incident and change all passwords.

Strong password characteristics:
• At least eight (8) alpha-numeric characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored online.

Password “don’ts”:
• Don’t reveal a password over the phone to ANYONE
• Don’t reveal a password in an email message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., “my family name”)
• Don’t reveal a password on questionnaires or security forms
• Don’t share a password with family members
• Don’t reveal a password to co-workers while on vacation

OTHER PASSWORD-RELATED SECURITY BEST PRACTICES:
• Account Lockout: all systems should be set to “lock out” a user after a maximum of 5 incorrect passwords or failed login attempts
• Lockout Duration: all systems should have a minimum “lockout” time of five (5) minutes
• Password History: systems should be configured to require a password that is different from the last ten (10) passwords
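The character-class rules, the banned-list idea borrowed from Twitter, and the ten-password history rule above can be enforced in a single policy check. The following Python is an added example, not code from this post, Imperva or Twitter: its denylist is seeded with the ten RockYou passwords quoted earlier, its dictionary is a constructed five-word stand-in for a real word list, and it compares history entries by plain SHA-256 purely to stay self-contained (a real system would compare against the salted, slow hashes it already stores). It also catches keyboard and digit sequences, the “adjacent keyboard keys” and “consecutive digits” patterns Imperva called out, and it shows why the class rules alone are not enough: a password like “Password1!” satisfies every character rule but still fails the dictionary check.

```python
"""Password-policy checker.

Added example: this is not code from the Bach Seat post, Imperva or Twitter.
It encodes the post's strong-password characteristics, a denylist in the
spirit of Twitter's banned-passwords list (seeded with the ten RockYou
passwords quoted above), and the ten-password history rule. The denylist,
dictionary and sample candidates are constructed for illustration.
"""
import hashlib
import re
from collections import deque

MIN_LENGTH = 8          # "at least eight (8) alpha-numeric characters"
HISTORY_DEPTH = 10      # "different from the last ten (10) passwords"
SPECIALS = set("~!@#$%^&*()-=+?[]{}")   # the non-alphanumeric set in the post

# Constructed denylist: the post's ten most common RockYou passwords.
# Compared case-insensitively; a real deployment loads a far larger list.
BANNED = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Constructed stand-in for a real dictionary/slang word list.
DICTIONARY = {"password", "welcome", "summer", "sunshine", "baseball"}

# Keyboard rows used to catch "adjacent keyboard keys" and "consecutive digits".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_sequential(pw, run=4):
    """True if pw contains `run` adjacent keyboard/digit characters, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def hash_for_history(pw):
    """Digest stored in the history list.

    Plain SHA-256 is used only so the example stays self-contained; a real
    system compares against the salted, slow hashes it already stores."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


class PasswordHistory:
    """Keeps the digests of the last HISTORY_DEPTH passwords for one account."""

    def __init__(self):
        self._digests = deque(maxlen=HISTORY_DEPTH)

    def contains(self, pw):
        return hash_for_history(pw) in self._digests

    def record(self, pw):
        self._digests.append(hash_for_history(pw))


def check_password(pw, history=None):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case character")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case character")
    if not any(c in SPECIALS for c in pw):
        problems.append("no non-alphanumeric character")
    if pw.lower() in BANNED:
        problems.append("on the banned-password list")
    if is_sequential(pw):
        problems.append("contains a keyboard or digit sequence")
    # Strip digits and punctuation so "Password1!" is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core and core in DICTIONARY:
        problems.append("based on a dictionary word")
    if history is not None and history.contains(pw):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the post's #1 password, a rule-satisfying
    # dictionary derivative, and one that passes every check.
    for candidate in ("123456", "Password1!", "Tr0ub4dor&3"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The checker reports every violated rule rather than stopping at the first, which is what a user-facing password-change form needs; the history object is per account, and because it is a bounded deque the eleventh change silently lets the oldest password become eligible again, exactly the “last ten” semantics the practice above describes.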

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Privacy Day 2010

Data Privacy Day is January 28, 2010. Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information, according to its sponsors. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask: who is collecting all of this, what are they doing with it, and with whom are they sharing it?

For its part, Google (GOOG) has released a video highlighting the ways it uses some of that personal data it collects about you to make your life easier and then explains that you can opt-out of some of Google’s data collection policies.

Microsoft (MSFT) has released the results of a study on data privacy. According to the Microsoft survey, the results illustrate how we, as a society, are still grappling with the intersection of privacy and online life. For example, 63 percent of consumers surveyed are concerned that online reputation might affect their personal and/or professional life, yet less than half even consider their reputations when they post online content.

Finally, fewer than 15% of consumers in any of the countries surveyed believe that information found online would have an impact on their getting a job. The Microsoft study found 70% of surveyed HR professionals in the U.S. have rejected a candidate based on online reputation information. Reputation can also have a positive effect: in the United States, 86% of HR professionals stated that a positive online reputation influences the candidate’s application to some extent, and almost half stated that it does so to a great extent.

For its part, the Electronic Frontier Foundation (EFF) has published “The E-Book Buyer’s Guide to Privacy,” which outlines six elements of e-book readers’ privacy policies.

The EFF surveyed the policies and found that Google Books and Amazon Kindle will monitor what you’re reading. The EFF also found that all the e-book readers will keep track of book searches and book purchases. With the Kindle, Nook, and Reader, information collected on your book selections, searches, and purchases is shared outside the company without your consent. The good news is that the free, open-source FBReader (for Windows/Linux) does not collect data on your book selections or searches.

These privacy issues are important for citizens and businesses. Firms have to consider whether they are complying with laws and regulations requiring consumer privacy protections. They know that customers have to trust their technologies and services before they will use and pay for them.

SPAM Decline?

PC World chronicles how analysts at the California-based security company FireEye executed a plan to shut down the Mega-D botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. In order to shut down this threat, Atif Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.

According to the article, the botnet’s command infrastructure was its weak point. The Mega-D malware infecting PCs was directed from online command and control (C&C) servers throughout the world. The researchers found that if the bots could be separated from their controllers, the undirected bots would sit idle on the PCs, not delivering their malware. Mushtaq found that every Mega-D bot had been assigned a list of other destinations to try if it couldn’t reach its primary command server, so taking down Mega-D would need a carefully coordinated attack.

To set up the coordinated attack, the FireEye team first contacted the Internet Service Providers (ISPs) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with one in Turkey and another in Israel. The FireEye team received cooperation from the U.S.-based ISPs but not the overseas ISPs. Mushtaq’s team took down the U.S.-based C&C servers.

Since the ISPs in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted the domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. This cut off the botnet’s pool of domain names that bots would use to reach the Mega-D-affiliated C&C servers at the overseas ISPs.

As the last step, PC World says that FireEye and the registrars worked to claim the spare domain names that Mega-D’s controllers had listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log the efforts of Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.

MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. After FireEye’s action, Mega-D’s share of Internet spam fell to less than 0.1 percent, MessageLabs says.

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. And other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks, in the PC World article. “The question is, will it have a long-term impact?”

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful. Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

Rb-

The Daily Average SPAM Received (DASR) index reached an all-time low in December 2009. The DASR for December 2009 was 29.4. The trend was on the decline since its all-time high in May 2008 of 77.5, but this seems different.

The impact of the FireEye operation seems longer lasting. The DASR stayed down through December and into the New Year. The month-to-date DASR index for January 2010 is a paltry 15.

Even after the McColo takedown in November 2008, the DASR never reached this low a level. Hopefully, spammers have seen the error in their ways, repented, and found something else to do, but more likely they have reloaded with new ammo as they exploit social networks, Adobe, IE, and Google.

Zeus Raids School

A New York school district was the victim of an apparent Zeus trojan attack which appears to have netted nearly $500,000. InformationWeek is reporting that the FBI and the New York State Police Cyber Crime and Critical Infrastructure Unit are investigating an attempt last month to steal about $3.8 million from the Duanesburg Central School District near Schenectady, New York.

According to the January 6 article, online thieves made a series of unauthorized funds transfers from the school district’s NBT Bank account to an overseas bank between December 18 and 22, 2009. The third transfer during this period was flagged as abnormal activity by the bank, which began blocking pending transactions after the school district confirmed the transfers had not been authorized. Working with foreign banks, NBT Bank recovered about $2.5 million of the $3 million stolen during the four-day period, but two earlier unauthorized transactions were then discovered.

“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered,” wrote Superintendent Christine Crowley in a letter on Monday to district parents and community members. “However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds.”

The district website says, “At this time, we do not have any more information on how this happened and do not expect to have any more information to share until the investigation concludes.”

Security researchers at Trusteer point out in a recent DarkReading article that Zeus is detected only 23 percent of the time by up-to-date anti-virus applications. The massive Zbot botnet is made up of 3.6 million PCs in the U.S., according to Damballa data. The malware steals users’ online financial credentials and moves them to a remote server; it can also inject HTML into pages rendered by the victim’s browser to display its own content mimicking, for instance, a bank’s Web page.

“Zeus’ infection rate is higher than that of any other financial Trojan. We are seeing actual fraud linked to Zeus — accounts being compromised, [and] money transferred from accounts of customers infected with Zeus,” Mickey Boodaei, founder and CEO of Trusteer, told DarkReading. “When we investigate some of our banking customers’ [machines infected by it], we find evidence of abuse on the computer, so we know this crime ring is very active and dangerous.”

The security blog says that organizations can’t control the transmission vectors, which are increasingly social networking and/or webmail applications. Given the high degree of user trust and huge user populations, malware developers have been targeting social networks aggressively (webmail is a well-established transmission vector). Some of the threats come in the form of social network-specific threats (e.g., koobface, fbaction), but many times they’re re-using existing or older threats delivered in a new, hybrid way – exploiting the trust associated with social networks – which has given threats like Zeus a huge boost. If you can’t control the transmission vector, it’s much harder to manage the threat…especially when users click first, and think later.

AT&T Asks to Drop POTS

eWeek is reporting that, in order to extend broadband access to all Americans, AT&T has told the FCC that it needs to get out of the land-line business. AT&T wants to exit the land-line business so it can focus its funds on broadband and IP-based communications. The 32-page filing was submitted in response to an FCC request for comment on the transition from circuit-switched to all-IP networks.

AT&T called Congress’ 100 percent broadband goal “auspicious,” writing, “Broadband is dramatically changing the way Americans live, work, obtain health care and interact with the government. Congress and the Commission have rightly made universal broadband access a core national priority.” AT&T said this goal would be within reach if the resources of the FCC and its stakeholders were put toward developing and executing a strategy that included an “orderly transition away from, and retirement of, the PSTN.”

AT&T wants to shut down its analog PSTN

AT&T has asked the FCC to create a timetable that would allow the company to shut down its analog public switched telephone network (PSTN) so more investment would flow to its IP-based initiatives. “That transition is underway already,” AT&T wrote to the FCC in the Dec. 21, 2009 communication. “With each passing day, more and more communications services migrate to broadband and IP-based services, leaving the public switched telephone network (PSTN) and plain-old telephone service (POTS) as relics of a bygone era.” AT&T also said that less than 20 percent of Americans rely exclusively on POTS for voice service, while 25 percent of households have abandoned POTS. It noted that some 700,000 lines are being turned off each month.

The telecommunications giant argues that having to maintain and invest in two networks, broadband and the PSTN, means Congress’ goal “will not be met in a timely or efficient manner.” The company said that while 90 percent of Americans have access to broadband services, reaching the last 10 percent would require an investment of about $350 billion. “Due to technological advances, changes in consumer preference, and market forces, the question is when, not if, POTS service and the PSTN over which it is provided will become obsolete,” AT&T wrote to the FCC.

AT&T outlined steps for shutting down the PSTN and wants the FCC to swiftly follow them.

rb-

Some of the issues that AT&T’s plan raises are life-safety issues. A POTS line maintains a dial tone and the ability to make and receive calls during catastrophes and emergencies. When large catastrophes strike, there can be no power for days, or even weeks in some areas. No power means no broadband Internet, which means VoIP phone services don’t work. No power to cell towers means no bars on your cell signal and no wireless service.

The ability to place 911 calls will also be an issue under an all-IP system. With a POTS land-line, it is easy to match a phone number with a physical address, but with broadband VoIP, the 911 operators can’t tell where the call originates.

Most importantly, as DSLReports points out, AT&T’s objective is to move all broadband regulation to the more easily lobbied federal level, revamp the Universal Service Fund so it works more in AT&T’s favor, and extract whatever other regulatory perks it can squeeze out of the FCC.
