Tag Archive for Hack

Why Are We Still Using Bad Passwords

123456 is the worst password of 2023. Users have chosen 123456 on more than 23 million breached accounts, even though it takes less than a second to crack. NordPass, which sponsors the annual report, says the popularity of 123456 has made it the #1 cracked password in 3 of the last 5 years. In 2019, 12345 (of "Spaceballs" fame) overtook it, and "password" did the same in 2022.

Only 2 of 2023's top 25 passwords would resist an attacker for more than 10 seconds. The 17th most common password, "admin123", holds out for a whole 11 seconds. The most secure password in the top 25, "Pass@123", lasts 5 minutes.

NordPass 25 worst passwords, 2019 - 2023

Rank  2019          2020          2021          2022          2023
01    12345         123456        123456        password      123456
02    123456        123456789     123456789     123456        admin
03    123456789     picture1      12345         123456789     12345678
04    test1         password      qwerty        guest         123456789
05    password      12345678      password      qwerty        1234
06    12345678      111111        12345678      12345678      12345
07    zinch         123123        111111        111111        password
08    g_czechout    12345         123123        12345         123
09    adst          1234567890    1234567890    col123456     Aa12345
10    qwerty        senha         1234567       123123        1234567890
11    1234567890    1234567       qwerty123     1234567       1234567
12    1234567       qwerty        000000        1234          123123
13    Aa123456.     abc123        1q2w3e        1234567890    111111
14    iloveyou      Million2      aa12345678    000000        Password
15    1234          000000        abc123        555555        12345678910
16    abc123        1234          password1     666666        000000
17    111111        iloveyou      1234          123321        admin123
18    123123        aaron431      qwertyuiop    654321        1111
19    dubsmash      password1     123321        7777777       P@ssw0rd
20    test1         qqww1122      password123   123           root
21    princess      123           1q2w3e4r5t    D1lakiss      654321
22    qwertyuiop    ompop         iloveyou      777777        qwerty
23    sunshine      123321        654321        110jp110jp    Pass@123
24    BvtTest123    654321        666666        1111          112233
25    11111         qwertyuiop    987654321     987654321     102030

Source: NordPass

How can I keep my passwords safe?

Your password should have at least 12 characters

A longer password is better: every extra character multiplies the number of combinations an attacker has to try. Some sites require a minimum length, but as a general rule a password of at least 12 characters is a safe bet.

Use numbers, symbols, uppercase and lowercase letters

The more variety, the better. Mix numbers, symbols, capital and lowercase letters, and make the result as random as possible. For example, a password like 'S#w%i&n(g967' is far harder to crack than 'swing967.'

Avoid dictionary words

Avoid using any single word as a password. A common dictionary word such as 'dog' or 'banana' is one lucky guess away, and even 'freeride', which combines two dictionary words, is too simple: cracking tools try word combinations as well.

Don’t use substitutions

Avoid replacing letters with look-alike digits or symbols; it does not strengthen your password. Writing 'lucky' as '1ucky' is too obvious, because the 1 and the letter L look alike and cracking tools try these substitutions automatically.

Choose a passkey over a password

Whenever possible, opt for passkeys instead of passwords. A passkey is a cryptographic key pair: the private key stays on your device and the site only ever sees a signature, so there is no shared secret to phish or to lose in a breach. Amazon, Apple, Google, and Microsoft increasingly support passkeys as a safer alternative.
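To see how those tips play out against the order a cracker actually works in, here is an added example (my own Python, not anything from the NordPass report). It checks a candidate the way a cracking tool would: exact hits on a common-password list first, then dictionary words with trailing digits dropped and look-alike substitutions reversed, then length, and only then an exhaustive search. The common-password set, the word list, the substitution table and the 1e10 guesses-per-second rate are assumptions chosen for the demonstration.

```python
import re

# Constructed sample data (assumption): a few entries from the page's 2023
# top-25 list and a toy word list. A real check would use a full breach
# corpus and a full dictionary; the logic is the same.
COMMON_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "1234", "12345", "password",
    "123", "qwerty", "admin123", "P@ssw0rd", "Pass@123", "root", "654321",
}
DICTIONARY = {
    "dog", "banana", "free", "ride", "lucky", "swing", "pass", "word",
    "password", "admin", "root", "love", "you",
}

# Reverse of the usual letter/symbol swaps, so "1ucky" maps back to "lucky".
# (Assumption: one mapping per symbol; "1" could also stand for "i".)
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive search has to cover for pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to reach pw by exhaustive search (half the keyspace).
    1e10 guesses/s is an assumed GPU rate against a fast hash, not a page figure."""
    return charset_size(pw) ** len(pw) / 2 / guesses_per_second


def split_into_words(s: str):
    """Tile s with dictionary words ("freeride" -> ["free", "ride"]) or return None."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in DICTIONARY:
                best[end] = best[start] + [s[start:end]]
                break
    return best[len(s)]


def assess(pw: str) -> dict:
    """Classify pw in the order a cracker would try it: exact common-list hit,
    dictionary words (trailing digits dropped, leet reversed), length, and
    only then exhaustive search."""
    stem = re.sub(r"\d+$", "", pw)          # "swing967" -> "swing"
    base = stem.translate(UNLEET).lower()   # "1ucky" -> "lucky"
    words = split_into_words(base) if base else None
    if pw in COMMON_PASSWORDS:
        verdict = "common-list"
    elif words:
        verdict = "dictionary" if base == stem.lower() else "leet-dictionary"
    elif len(pw) < 12:
        verdict = "too-short"
    else:
        verdict = "ok"
    return {
        "password": pw,
        "verdict": verdict,
        "words": words,
        "charset": charset_size(pw),
        "brute_force_seconds": brute_force_seconds(pw),
    }


if __name__ == "__main__":
    for candidate in ["123456", "freeride", "1ucky", "swing967",
                      "Pa$$w0rd", "S#w%i&n(g967"]:
        r = assess(candidate)
        print(f"{candidate:16} {r['verdict']:16} {r['brute_force_seconds']:.3g} s")
```

Run it and 'swing967' falls to the dictionary pass in a handful of guesses, and even its brute-force estimate is only a couple of minutes; 'S#w%i&n(g967' survives every pass. Swap the toy sets for a full breach corpus and word list before relying on it.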

rb-

NordPass' findings deserve some caution because the methodology is unclear. The press release says only that the passwords were "compiled in partnership with independent researchers specializing in researching cybersecurity incidents. They evaluated a 4.3TB database extracted from various publicly available sources…"

Some trends in NordPass's data look suspicious. Every recognizable word in the top 25 is English, quite a feat given the more than 24 billion credentials breached since 2016. Most of the rest are numeric strings or runs of adjacent keys on a QWERTY keyboard. Despite these issues, the report makes for interesting geek reading.

Ralph Bach has been in IT for a while and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me on Facebook. Email the Bach Seat here.

GoDaddy WordPress Sites Hacked?

GoDaddy (GDDY), the world's largest domain name registrar, disclosed that it had been hacked. According to reports on Monday (11/22/2021), an unknown attacker gained unauthorized access to the system used to provision the company's Managed WordPress sites. The breach affects up to 1.2 million GoDaddy Managed WordPress customers, and that figure does not include the visitors and customers of the affected sites.

The company posted: "We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers' data very seriously and never want to let them down."

GoDaddy resellers also compromised

On Tuesday (11/23/2021), GoDaddy confirmed that some of their resellers were also compromised in the attack. If you purchased your WordPress domains from

Assume your WordPress site has been compromised.

According to the report the Scottsdale, AZ-based firm filed with the SEC, the attacker got in with a compromised password on September 6, 2021, and was not discovered until November 17, 2021, when the access was revoked. That gave the attacker more than two months to establish persistence, so anyone using GoDaddy's Managed WordPress product should assume compromise until they can confirm otherwise.

What happened at GoDaddy?

Several sites report that GoDaddy stored sFTP (SSH File Transfer Protocol) credentials in a form from which the plaintext passwords could be retrieved, rather than storing salted hashes or offering public-key authentication, which is industry best practice. That choice gave the attacker direct access to the passwords with no cracking required. From the SEC filing: "For active customers, sFTP and database usernames and passwords were exposed."

What did the attacker have access to?

The SEC filing indicates that the attacker had access to:

  • User email addresses,
  • Customer numbers,
  • Original WordPress Admin password that was set at the time of provisioning,
  • SSL private key and
  • sFTP and database usernames and passwords.

What could an attacker do with this info?

The attacker had unrestricted access to these systems for over two months. In that time they could have:

  • Taken over sites by uploading malware or adding a malicious administrative user, which gives them persistence and control even after the passwords are changed.
  • Read sensitive information, including website customer PII (personally identifiable information) stored in the affected sites' databases.
  • Used the exposed SSL private key to set up a man-in-the-middle (MITM) attack that decrypts traffic between a site visitor and an affected site.
  • Used the exposed email addresses and customer numbers for targeted phishing.

How to resecure your GoDaddy host WordPress site

GoDaddy should be notifying affected customers. In the meantime, experts recommend that all Managed WordPress users assume they have been breached and take the following actions:

  1. If you run an e-commerce site or store PII (personally identifiable information) and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach.
  2. Change all of your WordPress passwords, and the sFTP and database passwords the filing says were exposed.
  3. Force a password reset for your WordPress users or customers.
  4. Change any reused passwords and advise your users or customers to do so.
  5. Enable 2-factor authentication wherever possible.
  6. Check your site for unauthorized administrator accounts.
  7. Scan your site for malware with a security scanner.
  8. Check your site's filesystem, including wp-content/plugins and wp-content/mu-plugins, for unexpected plugins or plugins that do not appear in the Plugins menu.
  9. Be on the lookout for suspicious emails.
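Steps 6 to 8 are a triage procedure, and the filesystem half of it can be scripted. The following is an added example (mine, not GoDaddy's or any security vendor's tool) that walks a WordPress tree and flags what those steps look for: plugins not in the owner's own inventory, plugin directories with no "Plugin Name:" header (which WordPress therefore never lists in the Plugins menu), anything under wp-content/mu-plugins (loaded on every request and not deactivatable from the menu), PHP files under wp-content/uploads, and common injection patterns. The sample site it builds is constructed for the demo, and the pattern list is an assumption to be tuned for your own code base.

```python
import re
import tempfile
from pathlib import Path

# Patterns that often appear in injected PHP. A hit is a lead for manual
# review, not proof of compromise (assumption: tune for your own code base).
SUSPICIOUS = re.compile(
    rb"\b(?:eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(|"
    rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[",
    re.IGNORECASE,
)
# WordPress lists a plugin in the Plugins menu only if some top-level PHP
# file carries a "Plugin Name:" header.
PLUGIN_HEADER = re.compile(rb"^\s*\*?\s*Plugin Name:\s*\S", re.MULTILINE)


def has_plugin_header(entry: Path) -> bool:
    files = entry.glob("*.php") if entry.is_dir() else [entry]
    return any(PLUGIN_HEADER.search(f.read_bytes()[:8192]) for f in files)


def triage(wp_root: Path, inventory: set) -> list:
    """Return (relative path, reason) findings for a WordPress tree.
    inventory: plugin slugs the site owner knows they installed."""
    findings = []
    content = wp_root / "wp-content"
    plugins = content / "plugins"
    if plugins.is_dir():
        for entry in sorted(plugins.iterdir()):
            if entry.name == "index.php":
                continue
            slug = entry.stem if entry.is_file() else entry.name
            rel = entry.relative_to(wp_root).as_posix()
            if slug not in inventory:
                findings.append((rel, "plugin not in owner's inventory"))
            if not has_plugin_header(entry):
                findings.append((rel, "no Plugin Name header: invisible in Plugins menu"))
    mu = content / "mu-plugins"
    if mu.is_dir():
        for php in sorted(mu.rglob("*.php")):
            if php.name != "index.php":
                findings.append((php.relative_to(wp_root).as_posix(),
                                 "must-use plugin: auto-loaded, not deactivatable from the menu"))
    uploads = content / "uploads"
    if uploads.is_dir():
        for php in sorted(uploads.rglob("*.php")):
            findings.append((php.relative_to(wp_root).as_posix(), "PHP file under uploads"))
    for php in sorted(content.rglob("*.php")):
        m = SUSPICIOUS.search(php.read_bytes())
        if m:
            findings.append((php.relative_to(wp_root).as_posix(),
                             "suspicious code: " + m.group(0).decode("ascii", "replace")))
    return findings


def build_sample_site() -> Path:
    """Constructed WordPress tree for the demo: one legitimate plugin, one
    header-less dropper, one mu-plugin backdoor, one PHP file in uploads."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    files = {
        "wp-content/plugins/akismet/akismet.php":
            b"<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n",
        "wp-content/plugins/wp-helper/cache.php":
            b"<?php eval(base64_decode($_POST['c']));\n",
        "wp-content/mu-plugins/loader.php":
            b"<?php add_action('init', function () { include '/tmp/x'; });\n",
        "wp-content/uploads/2021/11/image.php":
            b"<?php system($_GET['cmd']);\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, reason in triage(site, {"akismet"}):
        print(f"{path}: {reason}")
```

Every hit is a lead for manual review, not proof; a legitimate caching plugin can match eval( too. Checking for unauthorized administrator accounts (step 6) needs the database rather than the filesystem, so it is not covered here.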

rb-

These GoDaddy breaches are likely to have far-reaching consequences. GoDaddy's Managed WordPress offering is a significant slice of the WordPress ecosystem, and the impact reaches site owners and their customers. The SEC filing says "up to 1.2 million active and inactive Managed WordPress customers" were affected; the customers of those sites are most likely affected as well, which makes the number of people involved much larger.


Stay safe out there!


Fix Your Dongle – Today

If you use a Logitech (LOGI) wireless mouse, keyboard or other device, fix your dongle! Unless you have updated its firmware, the Logitech wireless dongle (officially the Unifying Receiver) is vulnerable to an issue discovered in 2016 as well as to newly discovered vulnerabilities. Download and install the latest firmware update to protect against them.

Mousejack attack

Affected Logitech wireless devices are vulnerable to an attack called "Mousejack" (CVE-2016-10761), first reported in 2016 by IoT security firm Bastille Networks, Inc. Mousejack works by sending malicious radio packets to the Unifying receiver of an unsuspecting user. Logitech only partially fixed the hole (CERT VU#981271) in 2016. Mousejack abuses the vulnerable Unifying receiver to intercept and inject unencrypted packets from a range of about 100 meters.

Incomplete fix

Logitech did not recall the Unifying Receiver back in 2016 when Mousejack appeared. Four new vulnerabilities were discovered in 2019, all building on the incomplete 2016 fix. Logitech will fix only two of the four; the others will remain unpatched. The four are CVE-2019-13052, CVE-2019-13053, CVE-2019-13054 and CVE-2019-13055.

Logitech will not fix the holes identified in CVE-2019-13052 or CVE-2019-13053, both of which affect all Logitech Unifying devices. A Logitech representative told The Verge:

Logitech evaluated the risk to businesses and to consumers and did not initiate a recall of products or components already in the market and supply chain.

Logitech plans to patch CVE-2019-13054 (which affects the Logitech R500 and Logitech SPOTLIGHT) and CVE-2019-13055, which affects all encrypted Unifying devices with keyboard capabilities.

All Logitech USB dongles

Marcus Mengs, the researcher who discovered these vulnerabilities, told ZDNet that they affect all Logitech USB dongles that use the company's proprietary "Unifying" 2.4 GHz radio technology to communicate with wireless devices.

Unifying is Logitech's standard dongle radio technology and has shipped with a wide range of Logitech wireless gear since 2009. The dongles usually come with the company's wireless keyboards, mice, presentation clickers, trackballs, and more. The flaws let an attacker within radio range:

  • Sniff keyboard traffic,
  • Inject keystrokes (even into dongles not paired with a wireless keyboard),
  • Take over the computer the dongle is plugged into,
  • Steal the encryption key shared between the dongle and its paired device, and
  • Bypass a "key blacklist" designed to stop the paired device from injecting keystrokes.

Source: Bastille Networks

Techsupportalert.com reports that many vulnerable dongles are still on the market, even though Logitech has started shipping updated dongles with mice and keyboards and as stand-alone receivers.

Hard to find firmware update

Not long after the discovery, Techsupportalert.com says, Logitech issued a firmware update, but it was hard to find on the support site and not widely known. If you did not update the firmware then (most of us did not know about it), now is an excellent time.

Even if you installed the Logitech drivers and configuration app that came with the device, you are not protected. The firmware update is not included; it must be downloaded and installed separately.

Give Logitech credit: its firmware can be updated, whereas other manufacturers' wireless dongles cannot. That includes products from Microsoft, Dell (DELL), HP (HPQ), and Lenovo (LNVGY). In fact, any receiver built on the same Nordic Semiconductor or Texas Instruments (TXN) chips and firmware is vulnerable. Nordic's nRF chips are a common choice in wireless keyboards, mice, and presentation tools, and turn up in many non-Bluetooth wireless input devices.

If you use a wireless device from Logitech or the Lenovo 500 series, Bastille recommends updating your firmware. Any other non-Bluetooth wireless devices should be disconnected; contact your vendor and ask which models are not vulnerable before replacing your current gear.

Lenovo’s announcement is here.

Logitech’s announcement is here.

Here are the direct download links to the Logitech Unifying Receiver firmware update for PC, Mac, and the gaming mouse:

  • Logitech PC firmware update (zip)
  • Logitech Mac firmware update (zip)
  • Logitech G900 gaming mouse firmware update (zip)

rb-

You probably have an affected device somewhere in your environment; Logitech has sold well over a billion mice. You can recognize a Unifying receiver by the orange star printed on one side of the dongle.

If you have any extra Logitech wireless dongles around (I have several) you may want to update them.

You should also check back with Logitech support to see whether the additional fixes promised for August 2019 are forthcoming.


Doomba

A fitting way to close out 2018 is to celebrate the 25th anniversary of the classic first-person shooter "Doom." Doom tells the story of a base operated by the Union Aerospace Corporation on the Martian moon Phobos. The base is overrun by demons from Hell after its top-secret teleportation experiments go awry. A detachment of space marines is sent to investigate, and all but one are slaughtered. It is up to the player to fight through the horde of demons on Phobos and, eventually, Hell itself, to prevent a massive invasion of Earth.

Like the last space marine, Doom is a survivor. As Motherboard explained, Doom runs on so many devices because id Software wanted it to: the company released Doom's source code to the public in 1997 for reuse. Doom has since been modified to run in ASCII and on platforms including ATMs and printers.

The latest Doom hack comes from developer Rich Whitehouse. He exploited the fact that Roomba robot vacuums map your house as they sweep. iRobot CEO Colin Angle swears he will totally never sell maps of your home to advertisers. Whatever the CEO's assurances, Mr. Whitehouse demonstrates that these maps can be exported: he uses them to build Doomba, a tool that converts Roomba maps into Doom levels. Mr. Whitehouse told Digital Trends:

There’s a lot going on under the hood, though. The Roomba is broadcasting a position and angle across the network in roughly one second intervals, as well as a bunch of other data. I write the relevant data out to a .noeroomba file as it comes in. When you go to load that .noeroomba file [into my own tool] Noesis, that’s when the magic happens.


What is SS7?

Updated 10/25/2018: The NYT is reporting that China and Russia are spying on Trump via his unsecured iPhone. The NYT says that through intercepted calls, likely obtained via SS7, the Chinese have pieced together a list of the people with whom Mr. Trump regularly speaks, in hopes of using them to influence the president, officials said. Among those on the list are Stephen A. Schwarzman, the Blackstone Group CEO, and Steve Wynn, the former Las Vegas casino magnate.

A number of outlets speculate that the Chinese are using the known SS7 flaws to spy on the president's iPhone. I have written about the problems with SS7 several times since 2016, and now the chickens have come home to roost.

Trump recently bragged that he gave the North Korean dictator his personal cell number. If true, he has created a major national security exposure. Karsten Nohl, chief scientist at Security Research Labs, who researches cell network attacks, told Wired, "Absolutely that is a problem." He says hackers can abuse flaws in Signaling System 7 to listen in on someone's phone calls, intercept their text messages, and track their location.

If North Korean intelligence isn't already tracking Trump's phones through malware, a direct phone number could give them a way in. SS7 attacks give hackers relatively easy access to calls, texts, and location data. Wired points out that North Korea has proven itself willing to hack and manipulate systems around the world for financial or intelligence gain; it was responsible for both the 2014 hack of Sony and the 2017 WannaCry ransomware outbreak, and SS7 hacking is likely no exception.

The telecom industry and the U.S. government have done very little to plug the SS7 hole. Senator Ron Wyden, a Democrat from Oregon and a senior member of the Senate Select Committee on Intelligence, has been tracking the SS7 issue for several years. He has sent letters to FCC Chairman Ajit Pai asking for answers on SS7 security and details about how many network providers have been breached through SS7. Mr. Wyden wrote, "I've spent the past year fighting to reveal what a terrible job the telephone companies and FCC are doing at protecting Americans from being spied on, tracked, or scammed."

Attackers used SS7 to get customer data

Mr. Wyden said a big-name mobile network had told him that malicious attackers are believed to have used SS7 to obtain US customer data. DHS confirmed reports of "nefarious" actors leveraging SS7 to spy on American citizens by targeting their calls, text messages, and other information.

So what is SS7?

The Signaling System 7 (SS7) network is fundamental to cell phone operation, but its security design relies entirely on trust. The protocol does not authenticate messages: anyone with access to SS7 can send a routing message, and the network will act on it. As operators open the SS7 network to third-party access, its vulnerabilities are being exposed and attacked, first by governments and now by criminals.

SS7 dates from 1975, and over 800 telecommunications companies around the world use it to make their networks interoperate. SearchNetworking.com defines Signaling System 7 (SS7) as an international telecommunications standard that describes how network elements in a public switched telephone network (PSTN) exchange information over a digital signaling network.

SS7 control messages

SS7 control messages carry routing, congestion, and authentication information:

  • Routing: how do I send a call to 313-555-1234?
  • Congestion: what to do if the route to a network point is crowded.
  • Authentication: confirms that the caller is a valid subscriber and lets call setup continue.

SearchNetworking explains that SS7 consists of a set of reserved or dedicated channels known as signaling links, and of three kinds of signaling points:

  • Service Switching Points (SSPs) originate or terminate a call and communicate with SCPs to determine how to route a call or to set up and manage a special feature.
  • Signal Transfer Points (STPs) are packet switches that route traffic on the SS7 network.
  • Service Control Points (SCPs) are the databases that SSPs query for routing and service information. SCPs and STPs are usually mated so that service continues if one of them fails.

SS7 out-of-band signaling (control) information travels on a separate, dedicated 56 or 64 kbit/s channel rather than in the same channel as the telephone call. Historically, signaling for a telephone call used the same voice circuit the call traveled on. With SS7, calls can be set up more efficiently, and special services such as call forwarding and wireless roaming are easier to add and manage. SS7 is used for:

  • Setting up and managing the connection for a call,
  • Tearing down the connection when the call is complete
  • Billing,
  • Managing features such as:
    • call forwarding,
    • calling party name and number display,
    • three-way calling,
    • Toll-free (800 and 888) and toll (900) calls
    • 911 emergency service calls in the US, and,
    • Other Intelligent Network (IN) services.
  • Wireless as well as wireline call service including:
    • Mobile telephone subscriber authentication,
    • Personal communication service (PCS) and,
    • Roaming,
    • SMS messages.

Within SS7, SMS messages travel on the same channels and infrastructure that SS7 uses to control the core of the telephone network.

When an SMS message is sent from an SMS-capable cell phone, the message is handled no differently than a normal call setup: it moves from the cell phone to a base station to a Mobile Switching Center (MSC).

From the mobile switching center, the SMS message moves inside the SS7 network to the Short Message Service Center (SMSC), a standard part of the network. The SMSC queries the Home Location Register (HLR) to find out where the recipient is and whether the handset is switched on to receive the message. If not, the SMSC stores the message until it can be delivered.

Mobile Switching Center (MSC) — The MSC is the equivalent of the local switch inside the mobile network. It provides very similar services to a switch, but uses virtual circuits over radio channels instead of physical voice circuits. One variation on the MSC is the Gateway Mobile Switching Center (GMSC), which routes calls into and out of the network and has no phones locally registered.

Visitor Location Register (VLR) — The VLR is the database attached to an MSC that keeps track of all the phones currently “registered” to it, informing other nodes of status changes, and checking authentication information.

Short Message Service Center (SMSC) — The SMSC is the clearinghouse for SMS messages on an SS7 network and provides store-and-forward services.

Home Location Register (HLR) — HLR is a core database that keeps track of subscribers. It contains information on the current account status and provides authorization information for billing. When a call or SMS is trying to reach a subscriber, this is the node that is queried to find out where in the network that subscriber actually is.

[Figure: SS7 architecture]

rb-

Mr. Nohl told Motherboard that SS7 is "probably the weakest link in our digital protection chain." CTIA, the wireless industry's lobbying arm, denies there is a problem with SS7: it told DHS that the SS7 flaws are "perceived shortcomings" and that talking about SS7 attacks is "unhelpful." CTIA, practicing security through obscurity, claimed that discussing the issues may help hackers.

This is a mess. Contact your senator and representative in D.C. and tell them to support Senator Wyden's efforts to force the FCC to deal with the SS7 flaws.
