Tag Archive for Passwords

Open a New Galaxy Crack with a Pix

Followers of the Bach Seat know biometrics have limited value in replacing passwords. Despite the technical flaws, another round of biometric hype is running across the intertubes. The latest round is coming from Samsung (005930). Hoping to revive their brand, they are on the verge of releasing the Galaxy S8, which includes facial recognition software to unlock your brand new phone. CNet says this idea “sounds awesome.”

However, this awesome will lower the bar for your security. CNet reports that video blogger MarcianoTech demonstrated a pre-release Galaxy S8 being unlocked using just a photo (at the 1:09 mark). To their credit, Samsung has acknowledged that the Face Unlock feature is more for convenience than for security, and it cannot be used for mobile payments. Weak facial recognition software is a convenience for the user; it could also be very convenient for others, too.

The troubles with Face Unlock date back to 2011, when SlashGear reported that Google admitted the security system can be fooled by a picture of you rather than the real thing. CNet reports that a Carnegie Mellon University spin-off in Pittsburgh, PittPatt, developed that Face Unlock technology and was later acquired by Google (GOOG).

Just to make Face Unlock and similar facial recognition systems more dangerous, the Guardian reports that during recent testimony before Congress the FBI admitted that it stores about half of all adult Americans’ photographs in facial recognition databases that the FBI can access. About 80% of photos in the FBI’s network are non-criminal entries, including driver’s license pictures from 18 states, including Michigan (pdf), and passports.

The FBI first launched its advanced biometric database, Next Generation Identification, in 2010, augmenting the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.

States allowing FBI to search driver license pictures

 

“I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed that my photograph was going to be in a repository that could be searched by law enforcement across the country.” So anyone with a photo of you, or maybe even just access to your Facebook photos, could potentially access your phone.

rb-

There are two important reasons why biometrics don’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

People expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to conceal your eyes, face, or fingerprints from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto showed how easy this makes spoofing: Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes), but the bigger problem is that, unlike a password, once a biometric is compromised, it is compromised permanently. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft (MSFT) stepped up their biometrics game. CNet reports that the improved biometric security in Windows 10, Windows Hello, includes facial recognition software. Besides facial recognition, Windows Hello also supports fingerprint and iris recognition to secure your PC. For facial recognition, though, Microsoft has partnered with chipmaker Intel (INTC) and its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects, which Microsoft then uses to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. Founded in 2013, FIDO was set up to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

300 Billion Passwords

The death of the password has been predicted for years. Bill Gates predicted the death of the password at an RSA Security conference in 2004. In 2011, IBM (IBM) predicted that biometrics would replace passwords by 2016. In case you haven’t noticed, it is 2017 and passwords are still with us, and they suck. “It’s now years after those statements were made, and passwords are still in heavy use,” Joseph Carson, head of global strategic alliances at Thycotic Software, told CSO.

A new report (Reg. Req.) from cyber-security research firm Cybersecurity Ventures says that the number of passwords in use will grow from about 75 billion today to around 100 billion in 2020. And the number of passwords used by machines, such as IoT devices, will grow even faster, from around 15 billion in 2015 to around 200 billion in 2020, the report said. That is 300 billion passwords by 2020.

And these numbers don’t include one-time passwords, SSL encryption keys, and other short-term credentials said Thycotic’s Carson. Thycotic Software sponsored the report.

Mr. Carson told CSO the estimates come from worldwide statistics about the total number of computers, operating systems, servers, routers, and other technologies and applications that come with passwords or need users to create passwords to use them. He added, “Then there are the social media accounts, which have been growing significantly.”

The average user has over 25 passwords, he said. There’s no decline in the number of passwords; in fact, the opposite is the case. “We find that the growth is accelerating at a massive pace.” CSO observed that the use — and reuse — of all these passwords is creating an ever-growing attack surface of both human and machine-to-machine passwords. A record number of credential breaches were disclosed in 2016, Mr. Carson added — 3 billion, with 43% of people having had at least one password or credential stolen.

A report released by the Pew Research Center said that for U.S. adults, the number was even higher. According to a 2016 survey, 64% said that they had personally noticed or been notified of a data breach that affected their accounts or personal data.

According to Mr. Carson, the financial damages of the breaches will continue to increase as well. Thycotic and Cybersecurity Ventures predict potential damages from cyber-crime to reach $6 trillion by 2021.

rb-

Looks like passwords are here to stay. Followers of the Bach Seat know that passwords suck. I have covered a number of options to replace passwords. None of the biometric options have taken off as IBM had predicted.

Where biometric authentication is deployed, it’s been as an adjunct to passwords, not a replacement. Passwords are used to set up the initial trusted relationship, and as a fallback when the biometrics fail. Mr. Carson concludes, “The biometrics are used for ease of access to systems … Biometrics will never replace passwords.”


Your Bad Password Habits

Yet more proof that passwords suck. Kaspersky Lab has published new data that reinforce the fact that passwords suck. Kaspersky found that Internet users around the world have bad password habits. Most users have not mastered how to use passwords effectively to protect themselves online.

The Kaspersky research has shown that people are putting their online safety at risk by making bad password decisions and simple password mistakes that may have far-reaching consequences. The research outlined in Networks Asia unearthed three common bad password habits that are putting many Internet users at risk. Internet users:

Common bad password habits

  1. Use the same password for multiple accounts, meaning that if one password is leaked, several accounts can be hacked.
  2. Use weak passwords that are easy to crack.
  3. Store their passwords insecurely, defeating the point of having passwords at all.

Andrei Mochola, Head of Consumer Business at Kaspersky Lab, said, “Considering the amount of private and sensitive information that we store online today, people should be taking better care to protect themselves with effective password protection.”

Password research

  • 10% of people use the same password for all their online accounts. Should one password be leaked, these people are at risk of having every account hacked and exploited.
  • 18% have faced an account hacking attempt, but few have effective and cyber-savvy password security in place.
  • Only 30% of Internet users create new passwords for different online accounts.

Additionally, Kaspersky found that people are not creating passwords that are strong enough to protect them from hacking and extortion. Although users think their online banking (51%), email (39%), and online shopping accounts (37%) need strong passwords, only:

  • 47% use a combination of upper and lowercase letters in their passwords,
  • 64% use a mixture of letters and numbers.

Kaspersky’s Mochola observed, “This seems obvious, but many might not realize that they are falling into the trap of making simple password management mistakes. These mistakes, in turn, are effectively like leaving the front door open to emails, bank accounts, personal files, and more.”

Mistreating their passwords

According to the article, the study found that people’s bad password habits include sharing them with others and using insecure methods to remember them.

  • 28% have shared a password with a close family member.
  • 22% have admitted to writing their passwords down in a notepad to help remember them. Even if a password is strong, this leaves the user vulnerable because other people may see and use it.
  • 11% have shared a password with friends, making it possible for passwords to be unintentionally leaked.

Mr. Mochola described good password practices: “The best passwords cannot be found in the dictionary. They are long, with upper and lowercase letters, numbers, and punctuation marks. However, with people having so many online accounts today, it’s not easy to remember a secure password for everything. Using a password management solution can help people remember and generate strong passwords to minimize the risk of account hacking online.”
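One way to turn Mochola’s advice into a concrete check, as an added example that is not Kaspersky’s code or the Bach Seat’s: the Python below tests a password for length, the four character classes he names, and membership in a small constructed blocklist of dictionary passwords (after undoing common substitutions such as “@” for “a”), and gives a rough entropy estimate. The blocklist, the 12-character minimum and the substitution table are assumptions for illustration.

```python
import math
import string

# Constructed blocklist standing in for a real dictionary/breached-password list.
# It includes the four "worst" defaults called out elsewhere on this page.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "1234", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon", "football",
}

# Character classes from Mochola's description: upper, lower, digits, punctuation.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "punctuation": set(string.punctuation),
}

# Assumed substitution table for undoing common "leetspeak" tweaks (@->a, $->s, 0->o, 1->l, 3->e).
LEET = str.maketrans("@$013", "asole")


def candidate_forms(pw):
    """Forms of the password to look up in the blocklist: as typed (lowercased),
    with trailing digits/punctuation stripped, and with leet substitutions undone."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return {lowered, stripped, stripped.translate(LEET)}


def missing_classes(pw):
    """Names of the character classes the password does not use."""
    return [name for name, chars in CLASSES.items() if not any(c in chars for c in pw)]


def entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the alphabet pool actually used)."""
    absent = missing_classes(pw)
    pool = sum(len(chars) for name, chars in CLASSES.items() if name not in absent)
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def evaluate(pw, min_length=12):
    """Return (ok, problems) for a password against the practices described above."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = missing_classes(pw)
    if missing:
        problems.append("missing " + ", ".join(missing))
    if any(form in COMMON_PASSWORDS for form in candidate_forms(pw)):
        problems.append("is a dictionary password (possibly with substitutions)")
    return (not problems, problems)


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd1!", "correct-Horse-battery-7"):
        ok, problems = evaluate(pw)
        print(f"{pw!r}: {'OK' if ok else 'weak'} ({entropy_bits(pw)} bits) {problems}")
```

The substitution step matters: “P@ssw0rd1!” satisfies every character-class rule yet normalizes straight back to “password”, which is why class counting alone is a poor measure of strength and a blocklist check belongs alongside it.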

rb-

Great advice from Kaspersky, but as followers of the Bach Seat know, humans suck at passwords; they have the same bad password habits here.


Bad Passwords Crippled the Web

Followers of the Bach Seat know that passwords suck, and now default passwords really suck. In fact, default passwords seem to be a key part of the massive DDOS attack that disabled large parts of the Internet on October 21, 2016. The cyberattack targeted Internet traffic company Dyn, which provides DNS services for many high-profile sites. Some of the sites affected by the attack on Dyn included Amazon (AMZN), Business Insider, the New York Times, Reddit, and Twitter (TWTR).

Security researcher Brian Krebs, whose site, krebsonsecurity.com, was one of the first sites hit by a massive 620 GB/s DDoS attack, has reported that the Mirai botnet was at the center of the attack on his site. CIO.com reports ‘Mirai’ can break into a wide range of Internet of Things (IoT) devices, from CCTV cameras to DVRs to home networking equipment, turning them into ‘bots. CIO reports a single Chinese vendor, Hangzhou Xiongmai Technology, made many of the devices used in the Mirai attacks.

Level 3 Communications says there are nearly half a million Mirai-powered bots worldwide. To amass an IoT botnet, a Mirai bot herder scans a broad range of IP addresses, trying to login to devices using a list of default usernames and passwords that are baked into Mirai code, according to US-CERT. The Mirai zombie devices are largely security cameras, DVRs, and home routers. Mr. Krebs identified some of the specific devices.

Mirai Passwords

Username        Password        Function
admin           123456
root            123456          ACTi IP camera
admin           password
admin1          password
root            password
admin           12345
root            12345
guest           12345
admin           1234
root            1234
administrator   1234
888888          888888
666666          666666          Dahua IP camera
admin           (none)
admin           1111            Xerox printers, etc.
admin           1111111         Samsung IP camera
admin           54321
admin           7ujMko0admin    Dahua IP camera
admin           admin
admin           admin1234
admin           meinsm          Mobotix network camera
admin           pass
admin           smcadmin        SMC router
Administrator   admin
guest           guest
mother          fucker
root            (none)          Vivotek IP camera
root            00000000        Panasonic printers
root            1111
root            54321           Packet8 VoIP phone
root            666666          Dahua DVR
root            7ujMko0admin    Dahua IP camera
root            7ujMko0vizxv    Dahua IP camera
root            888888          Dahua DVR
root            admin           IPX-DDK network camera
root            anko            Anko Products DVR
root            default
root            dreambox        Dreambox TV receiver
root            hi3518          HiSilicon IP camera
root            ikwb            Toshiba network camera
root            juantech        Guangzhou Juan Optical
root            jvbzd           HiSilicon IP camera
root            klv123          HiSilicon IP camera
root            klv1234         HiSilicon IP camera
root            pass
root            realtek         Realtek router
root            root
root            system          IQinVision camera, etc.
root            user
root            vizxv           Dahua camera
root            xc3511          H.264 - Chinese DVR
root            xmhdipc         Shenzhen Anran security camera
root            zlxx.           EV ZLX two way speaker
root            Zte521          ZTE router
service         service
supervisor      supervisor      VideoIQ
support         support
tech            tech
ubnt            ubnt            Ubiquiti AirOS router
user            user

US-CERT says the purported author of Mirai claims to have 380,000 IoT devices under its control. Some estimate the botnet has generated DDoS attacks of greater than 1 Tbps.

When Mirai botnets are called upon to carry out DDoS attacks, they can draw on a range of tools including ACK, DNS, GRE, SYN, UDP and Simple Text Oriented Message Protocol (STOMP) floods, says Josh Shaul, vice president of web security for Akamai.
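Spotting the credential walk US-CERT describes from the defender’s side: the Python below is an added example, not code from the Bach Seat or from any of the vendors named above. It assumes a hypothetical telnet daemon or honeypot log format (constructed sample lines are embedded) and checks each login attempt against a subset of the default pairs in the table, reporting sources that cycle through several defaults and, more importantly, any login that succeeded with a factory credential, which means a device on your own network still needs its password changed.

```python
import re
from collections import defaultdict

# Subset of the default username/password pairs from the Mirai table above.
# "(none)" in the table is an empty password here; the full list is on the page.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("admin", "7ujMko0admin"),
    ("ubnt", "ubnt"), ("root", "Zte521"), ("root", "hi3518"), ("root", "anko"),
}

# Assumed (hypothetical) log format of a telnet daemon or honeypot:
#   <timestamp> telnetd: login src=<ip> user=<name> pass=<secret> result=<OK|FAIL>
LOG_RE = re.compile(
    r"src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>OK|FAIL)"
)

# Constructed sample log: one source walking the default list, one device that
# accepts a factory credential, and one ordinary user login with a typo first.
SAMPLE_LOG = """\
2016-10-21T11:59:58Z telnetd: login src=198.51.100.7 user=root pass=xc3511 result=FAIL
2016-10-21T11:59:59Z telnetd: login src=198.51.100.7 user=root pass=vizxv result=FAIL
2016-10-21T12:00:00Z telnetd: login src=198.51.100.7 user=admin pass=admin result=FAIL
2016-10-21T12:00:01Z telnetd: login src=198.51.100.7 user=root pass=888888 result=FAIL
2016-10-21T12:00:01Z telnetd: login src=198.51.100.7 user=root pass=Tr0ub4dor result=FAIL
2016-10-21T12:00:05Z telnetd: login src=203.0.113.9 user=root pass=xmhdipc result=OK
2016-10-21T12:00:09Z telnetd: login src=192.0.2.44 user=alice pass=wrong-one result=FAIL
2016-10-21T12:00:12Z telnetd: login src=192.0.2.44 user=alice pass=S3cret!!long result=OK
"""


def parse_attempts(text):
    """Yield (src, user, password, success) for every parseable login line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["user"], m["pw"], m["res"] == "OK"


def analyze(text, scanner_threshold=3):
    """
    Return two findings:
      scanners       - sources that tried at least `scanner_threshold` distinct
                       Mirai default pairs (the list walk US-CERT describes)
      default_logins - successful logins that used a default pair, i.e. a device
                       on this network still has its factory credentials
    """
    tried = defaultdict(set)
    default_logins = []
    for src, user, pw, ok in parse_attempts(text):
        pair = (user, pw)
        if pair in MIRAI_DEFAULTS:
            tried[src].add(pair)
            if ok:
                default_logins.append((src, user, pw))
    scanners = {src: sorted(pairs) for src, pairs in tried.items()
                if len(pairs) >= scanner_threshold}
    return {"scanners": scanners, "default_logins": default_logins}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, pairs in report["scanners"].items():
        print(f"Mirai-style credential scan from {src}: {len(pairs)} default pairs tried")
    for src, user, pw in report["default_logins"]:
        print(f"ALERT: default credential {user}/{pw} accepted from {src}; change it now")
```

The second finding is the actionable one: a scanner knocking on the door is background noise on any Internet-facing device, but a successful login with a factory credential is a device that is already a bot candidate and needs its password changed (or telnet disabled) before the next scan finds it.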

rb-

Followers of Bach Seat already know that many of the default passwords used by Mirai are among the worst and should have been changed already. They include:

  • Password
  • 123456
  • 12345
  • 1234

While reports say Chinese vendor XiongMai Technologies’ equipment was widely exploited, other notable tech firms are included. The Mirai zombie army includes equipment from Xerox (XRX), Toshiba (TOSBF), Samsung (005930), Panasonic (6752), and ZTE (763).

I wrote about security cameras being compromised as part of botnets back in July here.

 


2016’s Most Dangerous Online Celebrities

The 10th annual McAfee Top 100 Most Dangerous Celebrities to Search for Online Study, published by Intel Security, was recently released.  The yearly report uncovers which celebrities are the most dangerous to search for on the Intertube.  These dangerous celeb results can expose fans to viruses, malware, and identity theft while searching for the latest information on today’s pop culture stars.  Intel (INTC) used its McAfee site rating software to find the number of risky sites generated by searches on Google, Bing, and even beleaguered Yahoo.

“Consumers today remain fascinated with celebrity culture and go online to find the latest pop culture news,” said Gary Davis, chief consumer security evangelist at Intel Security.  “With this craving for real-time information, many search and click without considering potential security risks.  Cyber-criminals know this and take advantage of this behavior by attempting to lead them to unsafe sites loaded with malware.”

Most Dangerous Online Celebrities

This year’s most dangerous celebrity online is Amy Schumer.  The comic joins recent most dangerous celebrity online alumni Jimmy Kimmel, Jay Leno, and Emma Watson.  According to Intel Security, a search for the “Trainwreck” actress has a 16.1% likelihood of returning results that direct fans to sites with viruses and malware.

Justin Bieber is the second most dangerous online celebrity.  As for the “Sorry” singer, there’s a 15% chance that Beliebers could connect with a malicious website.

The rest of this year’s Top 10 list included:
3.  Carson Daly 13.4%
4.  Will Smith 13.4%
5.  Rihanna 13.3%
6.  Miley Cyrus 12.7%
7.  Chris Hardwick 12.6%
8.  Daniel Tosh  11.6%
9.  Selena Gomez 11.1%
10.  Kesha 11.1%

Intel says there are two big truths behind how cyber-criminals exploit celebrity fandom.  The first is that consumers want convenience.  As people rely less on cable and, instead, search for the content they want online, they’ll find many third-party sources for their favorite music or videos.

But unofficial sources are often dangerous.  Links can send users to unsafe sites, where sneaky tactics for stealing data and usernames are awaiting.  The popular torrent file format for downloading files allows cyber-criminals to sneak viruses onto devices.

Social media-obsessed culture

The second truth attackers are exploiting is the desire for gossip – now.  In today’s social media-obsessed culture, fans want real-time information about their favorite celebrities.  It isn’t uncommon for a celebrity to share a photo, post, or comment around the world in a matter of seconds.  Those posts often spark a wave of searches.  With all that traffic, cyber-criminals can trick fans into visiting a faux-gossip website infested with malware to steal passwords, credit card information, and more.  This method is particularly effective on social media channels, like Facebook, Twitter, and WhatsApp, where the standards for trust are low.

How to protect yourself

In addition to recommending anti-virus software, Intel, whose products include McAfee software, urges consumers to be skeptical when surfing the web.  But don’t worry.  No one is asking you to give up your celebrity infatuation; here are a few things you can do to make sure you’re entertained safely:

  • Watch media from trusted sources.  Are you looking for the latest episode of Amy Schumer’s TV show, Inside Amy Schumer?  Stick to the official source at comedycentral.com or well-known and trusted video streaming services like Hulu to ensure you aren’t clicking on anything malicious.
  • Be wary of searching for file downloads.  Of all the celebrity-related searches Intel conducted, “torrent” was the riskiest by far.  According to Intel, a search for ‘Amy Schumer Torrent’ results in a 33% chance of connecting to a malicious website.  Cybercriminals can use torrents to embed malware within authentic files, making it tricky to tell safe downloads from unsafe sources.  It’s best to avoid using torrents, especially when so many legitimate streaming options are available.
  • Keep your personal information private.  Cybercriminals are always looking for ways to steal your personal information.  If you receive a request to enter information like your credit card, email, home address, or social media log-in, Intel says you should not give it out thoughtlessly.  Research the request and ensure it’s not a phishing or scam attempt that could lead to identity theft.
  • Use security protection while browsing.  Many software products can scan web pages you’re browsing, alerting you to malicious websites and potential threats.  This can keep you safe as you study the latest gossip.

rb-

The stars are new, but the game is the same.  In addition to applying some critical thinking to your web browsing, the same advice from 2015, 2014, 2013, 2012, etc. stands…

Maybe I will get more hits after putting these pop names in here.

 
