Archive for RB

| May 26, 2016
Comments Off on Lessons From the LinkedIn Data Breach

Lessons From the LinkedIn Data Breach

Lessons From the LinkedIn Data BreachReaders of the Bach Seat know that passwords suck and that people are awful at picking passwords. The Business Insider offers more proof. According to a recent article, the 2012 LinkedIn data breach exposed a whopping 167 million accounts that were compromised, including 117 million passwords.

The article says the passwords were hashed or encrypted so they can’t be read, but researchers at LeakedSource have been able to decrypt them. Their findings should be no surprise to Bach Seat followers. The results show just how much the same passwords get used over and over (and over and over and over and over) again.

Most often used passwords

92% of the top leaked LinkedIn passwords were identified as the top 25 most often used passwords in 2011 or 2012. Nearly half of the passwords listed were the most commonly used password in 2011, 2012, or 2013. The top 5 bad passwords were used to “secure” over 1.2 million accounts.

PasswordsThe LeakedSource data says the most popular password for LinkedIn in 2012 was 123456. That password was used by more than 750,000 accounts. Data the Bach Seat has collected says that 123456 has been the top 1 or 2 passwords every year used since 2011.

The remarkably unstealthy password ’linkedin’ is the second most used password on these breached LinkedIn accounts with 172,523 users. That is just so wrong on so many levels.

The password ‘password’ is number three with 144,458 hacked LinkedIn users relying on it to secure their professional profile. Our historical data says that ‘password’ has swapped the top ranking with ‘123456’ since 2011.

password is ‘password’12345678’ is the fourth most popular bad LinkedIn password with 94,214 users according to LeakedSource. This password has been a consistent #3 in my data.

The data for the top 49 passwords is below. You can search for your user name here  Fix your passwords.

RankPasswordFrequencyNotes
1123456753,305#2 in 2012
2linkedin172,523
3password144,458#1 In 2012
412345678994,314#6 in 2012
51234567863,769#3 in 2012
611111157,210#12 in 2011
7123456749,652#7 in 2011
8sunshine39,118#15 in 2011
9qwerty37,538#4 in 2011
1065432133,854#21 in 2011
1100000032,490#25 in 2013
12password130,981#21 in 2013
13abc12330,398#5 in 2011
14charlie28,049
15linked25,334
16maggie23,892
17michael23,075#16 in 2012
1866666622,888
19princess22,122#22 in 2013
2012312321,826#11 in 2013
21iloveyou20,251#9 in 2013
22123456789019,575#13 in 2013
23Linkedin119,441
24daniel19,184
25bailey18,805#17 in 2011
26welcome18,504
27buster18,395
28Passw0rd18,208#18 in 2011
29baseball17,858#9 in 2012
30shadow17,781#17 in 2011
3112121217,134
32hannah17,040
33monkey16,958#6 in 2011
34thomas16,789
35summer16,652
36george16,620
37harley16,275
3822222216,165
39jessica16,088
40GINGER16,040
41michelle16,024
42abcdef15,938
43sophie15,884
44jordan15,839#22 in 2012
45freedom15,793
4655555515,664
47tigger15,658
48joshua15,628
49pepper15,610

rb-

The advice remains the same as I wrote about in 2010.

Strong passwords characteristics:
• At least eight (8) alpha-numeric characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character* (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored online.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| May 8, 2016
Comments Off on Wearables – Growing Enterprise Risk

Wearables – Growing Enterprise Risk

Wearables - Growing Enterprise RiskMarket research firm Tractica predicts that the high levels of interest will drive worldwide shipments of wearable computing devices for enterprise and industrial from 2.3 million in 2015 to 66.4 million units by 2021 and could reach 75.4 billion by 2025. This means there will be a total of 171.9 million wearables in the wild by 2021.

The report at FierceMobileIT cites a large number of trials or deployments with a diverse set of wearables across a variety of industry sectors for the growth.  Tractica research director Aditya Kaul explained the prediction,

diverse set of wearablesIn the past year, the enterprise and industrial wearables market has moved into an implementation phase, with the focus shifting from public announcements to the hard work that needs to be done behind the scenes to get wearables rolled out at commercial scale.

Tractica noted a range of new IoT use cases are emerging for workplace wearables. The new uses are focused on application markets like; retail, manufacturing, healthcare, corporate wellness, warehousing and logistics, workplace authentication and security, and field services.Estiamted wearbable device shipments

The market research firm believes the primary wearable device categories will be; smartwatches, fitness trackers, body sensors, and smartglasses, There will also be other niche categories that will play a role for specialized use cases.

Internet of ThingsThe report does concede that in terms of unit volumes and revenue, enterprise and industrial wearables are still a very small part of the IoT overall market. Wearable’s share of the total market will grow over time, according to Tractica.

Wearables proliferation does not bode well for IoT or enterprise security. A recent survey of 440 IT pros by IT networking company Spiceworks found that enterprise wearables are most likely to be the cause of a data breach out of all Internet of Things devices connected to a workplace network.

IoT most likely to be source of a security threatAccording to FierceMobileIT, the survey found that 53% of IT pros believe wearables are the least secure of all IoT devices. Overall, 90% of those surveyed think IoT makes workplace security more difficult. Spiceworks also found that only one in three of those surveyed are preparing for the tidal wave of these devices.

IoT security threatThe number of companies allowing wearables on the network has jumped from 13% in 2014 to 24% in the current Spiceworks survey. That’s a significant jump, and especially worrisome for the two-thirds of organizations putting off a proper security protocol. 41% of those surveyed said that their organizations have a separate network for connected devices, 39% allow them on the corporate network and 11% don’t allow IoT in any capacity.

Enterprise IoT devices aren’t the only reason IT pros should worry, as Andrew Hay, CISO of DataGravity, told FierceMobileIT at the RSA conference this year. Workers are bringing consumer-grade IoT devices into enterprise environments, too. In other words, IT pros don’t have a choice at this point but to seriously consider security measures for IoT.

rb-

I first covered IoT security holes in 2011. In 2014, I wrote about HP research which found on average 25 security flaws per device tested. If these stats are right, there will be almost 4.3 billion security flaws in the wild.

Some of the security flaws HP pinpointed in wearables during 2015 included:

  • Mobile interfaces lack two-factor authentication or the ability to lock out accounts after login failed attempts.
  • Watch communications to be easily intercepted.
    • Firmware is transmitted without encryption.
    • Half of the tested devices lacked the ability to add a screen lock, which could hinder access if lost or stolen.
    •40% were still vulnerable to the POODLE attack, allow the use of weak ciphers, or still used SSL v2. Transport encryption is critical because personal information is being moved to multiple locations in the cloud.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
| May 1, 2016
Comments Off on How Much Cash Do Tech Firms Stash Overseas

How Much Cash Do Tech Firms Stash Overseas

How Much Cash Do Tech Firms Stash OverseasA new report (PDF) from charity Oxfam says American companies stash a significant part of their cash overseas to take advantage of more favorable tax laws in other countries. They claim that tech companies take particular advantage of this practice, also known as “tax havens.” Oxfam which is crusading to get the U.S. government to crack down on this practice says tax havens costs the United States more than $100 billion a year in lost tax revenue.

Tech firms are hoarding nearly $500 Billion overseasThe Business Insider brought us this Statista chart, based on the Oxfam report. Tech firms are hoarding nearly $500 Billion in cash overseas. The chart shows how much money major US tech companies have stashed overseas, and how many subsidiaries they have set up in countries that Oxfam defines as tax havens, “which can be characterized by secrecy, low- or zero-tax rates, and the almost complete lack of disclosure of any relevant business information.

U.S. tech firms with most cash held overseas

While tech is the most prominent sector on Oxfam’s list, the article claims tech is not alone — large companies in other sectors like General Electric ($119 billion), Pfizer ($74 billion), Merck ($60 billion), and Exxon Mobile ($51 billion) also have lots of cash stashed overseas.

There’s nothing illegal about this practice. But Oxfam believes it contributes to income inequality. They are urging U.S. lawmakers to make it harder for companies to use international tax laws to their advantage in this way.

money stashed overseasOverseas tax havens have been the focus of recent revelations about tax scams by wealthy people, based on the leak of the “Panama Papers,” documents from a single Panama-based law firm, Mossack Fonseca, involving 214,000 offshore shell companies. The firm’s clients included 29 billionaires and 140 top politicians worldwide, among them a dozen heads of government.

rb-

This list looks a lot like the one for the top lobbying spender firms. I wrote about the tech titans lobbying efforts just a couple of weeks ago here.

RankFirmCash $ held off shoreLobbying rankLobbying $ spending
1Apple181.1B104.5M
2Microsoft108.3B78.5M
3IBM61.4B114.6M
4Cisco52.7B142.7M
5Alphabet/Google47.4B116.6M
6HP42.9B
7Oracle38.0B134.5M
Related articles
  • Obama urges Congress to take action on corporate tax reform (bnn.ca)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , ,
| April 23, 2016
Comments Off on Prince – Internet Pioneer

Prince – Internet Pioneer

PPrince - Internet Pioneerrince‘s musical legacy is uncontested. TMZ summarized his career. Prince became an international superstar in 1982 after his breakthrough album “1999.” He went on to churn out a ton of hits — and racking up 7 Grammy’s in the process. He also performed at the Super Bowl in 2007, in one of the greatest live performances of all time.

Prince sold more than 100 million records during his career … and won the Academy Award for Best Original Song Score for Purple Rain in 1985. He penned hits for other artists like Nothing Compares 2 U for Sinéad O’Connor, the Bangles’ Manic Monday, Chaka Khan’s I Feel For You, and Stevie Nicks’sStand Back.”

In addition to his musical legacy, Prince was also an unheralded pioneer in the digital music world according to Twice. The article details five ways Prince helped shape the online music world.

Prince embraced the Internet before most

Prince‘s “Crystal Ball” album, a three-CD set he put out in 1998, was initially only available over the phone and via Internet pre-orders, making it one of the first-ever e-commerce music launches. The author recalls that those who ordered the album online got a fourth disc of previously unreleased acoustic material, “The Truth,” and a fifth disc of instrumental music by his New Power Generation Orchestra.

He helped invent e-commerce.

Prince helped invent e-commercePrince launched his own NPG Music Club to sell select albums exclusively online according to Twice. He even won a Webby Lifetime Achievement Award in 2006, identifying him as an e-commerce pioneer.

Prince was an early Internet troll

After record label Warner decided to take him on over money and creative control of his music in the early ’90s, Prince took to the Internet to fight back. The author writes that he made a number of appearances with the word “Slave” written on his face. When Warner fought back, informing him it even owned the name Prince, he changed his name to an unpronounceable symbol, forcing the world to ID him as “the Artist Formerly Known as Prince.”

One of the first to give his music away

Prince was one of the first artists to give his music awayIn 2007, Prince released “Planet Earth” and played an unprecedented 21 nights at the brand new O2 Arena in London. While in London, Princehatched a deal with The Mail to give the album for free to the newspaper’s 2 million readers. The blog points out that Prince neglected to tell record label Columbia of the deal. Columbia’s parent company, Sony, pulled the album’s release in the U.K.

Prince blazed an online path for other artists

Eventually, Prince shut down his NPG Music Club and launched LOtUSFLOW3R, which not only sold his music but tickets to his shows as well, outside the monopolies of the record companies and Ticketmaster. His early attempts to sell online and his fights with the traditional music powers left a big impression on British band Radiohead, then between major label contracts. Instead of settling on a new record label, the band released its album “In Rainbows” exclusively online, and allowed consumers to “pay what you like” for it, garnering a ton of mainstream press.

R.I.P. Prince, superstar musician, and Internet pioneer.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| April 18, 2016
Comments Off on Schools Face RansomWare Risk

Schools Face RansomWare Risk

More than 2,000 machines at K12 schools are infected with a backdoor in unpatched versions of JBoss that could be used at any moment to install ransomware such as Samsam. TargetTech defines ransomware as malware designed for data kidnapping, an exploit in which the attacker encrypts the victim’s data and demands payment in Bitcoins for the decryption key.

JBossRansomware has typically been spread through drive-by downloads or spam emails with malicious attachments. One of the latest victims of Samsam was MedStar Health, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area.

PCWorld reports that the Cisco (CSCO) Talos threat-intelligence organization, announced that roughly 3.2 million machines worldwide are at risk. The article says that many of those already infected run Follett’s Destiny library-management software, used by K12 schools worldwide. According to Cisco, Follett responded quickly to the vulnerability,” Follett identified the issue and immediately took actions to address and close the vulnerability”.

BitcoinIn a presser, Follett offers patches for systems running version 9.0 to 13.5 of its software and says it will help remove any backdoors. The author states that Follett technical support staff will reach out to customers found to have suspicious files on their systems. Follett even offers SNORT detection rules on the presser page.

Snort is a highly regarded open-source, freeware network monitoring tool that detects attack methods, including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes. When suspicious behavior is detected, Snort sends a real-time alert to Syslog, a separate ‘alerts’ file, or to a pop-up window.

JBoss the vulnerable underlying system is described as an open-source Red Hat product that serves as an application server written in Java that can host business components developed in Java. Essentially, JBOSS is an open source implementation of J2EE that relies on the Enterprise JavaBeans specification for functionality.

PCWorld reports that compromised JBoss servers typically contain more than one Web shell. Talos advises that it is important to check the contents of a server’s jobs status page. “This implies that many of these systems have been compromised several times by different actors,” the company said.

BackupWeb shells are scripts that indicate an attacker has already compromised a server and can remotely control it. The list of those associated with this exploit is listed in Talos’s blog post.

Companies that find a Web shell installed should begin by removing external access to the server, Talos said in the article. The security firm recommends quick action.

Ideally, you would also re-image the system and install updated versions of the software … If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.

rb-

I have worked with a number of customers on their library automation projects. The cost of these systems is as usual in the data. There is a great deal of time and effort that goes into creating the proper MARC records, especially for books that are out of print and kiddie books. If these files get locked up by ransomware, the system is useless and expensive to replace.

K12 schools are notoriously cheap, but the advice is the same as always,

  1. Keep your software UP TO DATE
  2. Use a real virus scanner on your servers and administrative stations
  3. Back-Up – Back-Up – Back-Up – With a good backup, you can just blow the machine away, re-install and restore the data. and be back in business.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »