Tag Archive for Passwords

More Server Admin Passwords Exposed

I just wrote about the hole in IPMI, and now researchers are reporting more problems. Help Net Security writes that over 30,000 servers with the Super Micro WPCM450 line of chips on their motherboards have baseboard management controllers (BMCs) that offer up administrator passwords to anyone who knows where to look. Zachary Wikholm, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net, warns that BMCs, which collect information on the health of the hardware and software, do not protect this critical information. Mr. Wikholm wrote:

“You can quite literally download the BMC password file from any UPnP-enabled Super Micro motherboard running IPMI on a public interface.”

The article explains that this confidential information is available because Super Micro stored the password file in plain text. The file can be downloaded by simply connecting to port 49152. The researcher added that many more critical files can be accessed by the public:

“All the contents of the /nv/ directory are accessible via browser, including the server.pem file, the wsman admin password and the netconfig files.”

Help Net Security confirms that Super Micro no longer uses the WPCM450 chips, but a scan of the Internet using Shodan, a specialized search engine for finding embedded systems, indicated 31,964 affected systems were online. The company has also offered a fix for this vulnerability, which requires administrators to re-flash their systems with the new IPMI BIOS. This workaround is not available to all servers, especially in 24×7 shops.

Mr. Wikholm has stepped in and devised a temporary fix for those who don’t want to risk re-flashing the server IPMI BIOS. The fix centers on killing the UPnP processes on the BMC. The drawback of the fix is that it lasts only until the system is disconnected or rebooted.

The existence and the exploitation potential of the flaw was confirmed by SANS ISC handler Tony Carothers: “One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word.”

rb-

Fortunately, Super Micro no longer sells this chipset, but there are still over 30K of these time-bombs out there waiting to explode on some poor sysadmin. Hopefully checking out the IPMI BMC is now part of a standard device hardening policy. If not, it should be.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Ellen Spoofs Password Infomercial

Graham Cluley at Sophos’s Naked Security Blog recently blogged about a crazy password infomercial and day-time TV talk show host Ellen DeGeneres’ reaction to the late-night advert. The infomercial that caught the talk show host’s attention proves that you can always rely on late-night TV to try to sell you anything.

Ellen DeGeneres recently focused some attention on a product that claimed to solve a computer security problem experienced by many inner-webs users – how to remember your passwords. Here’s the link to the video about the “Internet Password Minder”:

As one of the customers featured in the infomercial breathlessly explains:

"I don't have to worry anymore about security or identity theft... I now have all my passwords in one place. It's great"

Apparently, this is not a put-up by the “Ellen” show. As Ellen amusingly asks, wouldn’t it be cheaper to save money and write all your passwords on a $5 bill? You could even keep the (patent-pending – don’t steal the idea!) $5 bill password minder in your wallet if you liked – much more convenient than the book-sized Internet Password Minder!

Sophos offers a video explaining how to generate a tough, hard-to-crack password that is still easy to remember. If you can’t remember your passwords and have difficulty juggling different passwords for different websites, then Sophos recommends password management software like KeePass, 1Password or LastPass. I have covered the password issue many, many, many times before.

Mr. Cluley pointed to a comment on Ellen’s website from someone who claims to be the woman in the infomercial who no longer worries about identity theft.

rb-

I don’t watch The Ellen Show (I work during the day), but I know my mom does so a hat-tip to Ellen for raising awareness of password security issues with her large TV audience in an amusing way.

Those of us charged with keeping our clients and parents safe from the cyber-malcontents on the Intertubes need all the help we can get, even if it is from as unlikely a source as Ellen DeGeneres. Maybe now mom will stop asking me to change all of the passwords to something easier.

Do you think that Ellen’s spoof of the password infomercial helps the cyber-security cause?




25 Most-Used Passwords Revealed

Rachel King at ZDNet’s Zero Day writes that the recent data breaches at LinkedIn, Last.fm, and eHarmony have put passwords back in the spotlight. Unfortunately, many people still rely on “password” to secure their digital identity. Antivirus software provider ESET noted some recent work by IT security consultant Mark Burnett, who has compiled a list of the “top 500 worst (aka most common) passwords” based on a variety of methods he has detailed on his blog. The entire list is available here (ZIP).

25 Worst passwords

Rank  2012        2011
  1   password    password
  2   123456      123456
  3   12345678    12345678
  4   1234        qwerty
  5   qwerty      abc123
  6   12345       monkey
  7   dragon      1234567
  8   pussy       letmein
  9   baseball    trustno1
 10   football    dragon
 11   letmein     baseball
 12   monkey      111111
 13   696969      iloveyou
 14   abc123      master
 15   mustang     sunshine
 16   michael     ashley
 17   shadow      bailey
 18   master      passw0rd
 19   jennifer    shadow
 20   111111      123123
 21   2000        654321
 22   jordan      superman
 23   superman    qazwsx
 24   harley      michael
 25   1234567     football

2012 data from xato.net and 2011 data from SplashData.com

rb-

Approximately two-thirds of the worst passwords stayed the same between 2011 and 2012. Are your users’ passwords on this list? If so, it’s safe to say you should consider a password change policy to force them into using a stronger password.

I have written about passwords since at least 2010 – here, here, and here. When will they listen?



First Computer Passwords Useless

Robert McMillan at Wired dug through the annals of tech and recently confirmed that passwords have been a pain in the tuckus for a millennium. But who’s to blame? Who invented the computer password?

The origin of the password is shrouded in the mist of history like the invention of the wheel or the story of the doorknob, according to Wired. Roman soldiers memorized spoken passwords to gain access to camps. Shakespeare kicks off Hamlet with a password exchange, but where did the first computer password show up? Wired asks.

Computer passwords probably arrived at the Massachusetts Institute of Technology in the mid-1960s. Wired says nearly all the computer historians they contacted said that the first password must have come from MIT’s Compatible Time-Sharing System. In geek circles, it’s famous. CTSS pioneered many of the building blocks of computing as we know it today: things like e-mail, virtual machines, instant messaging, and file sharing.

Fernando Corbató, who worked on CTSS back in the mid-1960s, is a little reluctant to take credit. “Surely there must be some antecedents for this mechanism,” he told Wired, before questioning whether CTSS was beaten to the punch in 1960 by IBM’s (IBM) Sabre ticketing system. When Wired contacted IBM, Big Blue said it wasn’t sure.

According to Mr. Corbató, even though the MIT computer hackers were breaking new ground with much of what they did, passwords were pretty much a no-brainer. “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files,” he told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”

Back in the ’60s, there were other options, according to Fred Schneider, a computer science professor at Cornell University. The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example.

But in the early days of computing, passwords were surely smaller and easier to store than the alternative, Professor Schneider says. A knowledge-based system “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.”

The irony is that CTSS may also have been the first system to experience a data breach. The article recounts that in 1966, a software bug jumbled up the system’s welcome message and its master password file so that anyone who logged in had access to the entire list of CTSS passwords.

The story goes that an MIT Ph.D. researcher, Allan Scherr, was looking for a way to bump up his usage time on CTSS. He received four hours per week, but it wasn’t nearly enough time to run the simulations he’d designed for the new computer system. So he simply printed out all the passwords stored on the system.

“There was a way to request files to be printed offline by submitting a punched card,” he wrote. “Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”

To spread the guilt around, Mr. Scherr then handed the passwords over to other users. One of them — J.C.R. Licklider — promptly started logging into the account of the computer lab’s director, Robert Fano, and leaving “taunting messages” behind.



Detroit Safest Online City Again

Norton, the anti-virus arm of Symantec (SYMC), teamed up with research firm Sperling’s BestPlaces to rank US cities based on a number of cybercrime risks, and they found Detroit the safest online city for 2012. I wrote about Detroit’s 2011 ranking here.

Bert Sperling, lead researcher for the analysis, said, “By looking at data from consumer lifestyle habits as well as cybercrime data provided by Symantec, … we’re able to provide a holistic view of the various factors that put a person at potential risk.”

The Huff Post reports that the study looked at the prevalence of Internet use in addition to the types of risks users face online. Consumer statistics include the number of PCs, use of smartphones, the use of social networks, e-commerce, and accessing potentially unsecured Wi-Fi hotspots. BestPlaces also looked at the following cybercrime data: bot-infected computers located within a specific city, attempted malware infections, spamming IP addresses found within a specific city, and web attacks originating within a specific city.

Symantec says Detroit had low scores in the number of Wi-Fi hotspots, potentially risky online consumer behavior, and PC expenditures. Other low-ranked cities include Tulsa and El Paso.

Users are at most risk for cybercrime in the following cities:

1. Washington
2. Seattle
3. San Francisco
4. Atlanta
5. Boston

“With the explosion of smartphones, tablets, and laptops in recent years, and the rise of apps and social networking sites, our online and offline lives are blending together in ways that we’ve never before experienced,” said Marian Merritt, Norton Internet Safety Advocate. “…this analysis highlights the potentially risky factors we face each time we go online. By taking a few simple precautions now, people can make sure they stay protected against online threats.”

Greg Donewar, manager of the National White Collar Crime Center, told Huff Post, “… over the past year, we’ve seen a considerable increase in cybercrime attacks, and whether a person lives in the riskiest online city or the safest, consumers everywhere need to be aware of the inherent dangers of online activity.”

rb-

Forbes says that cyber-crime is a $37 billion crime that affects 1 in 25 Americans. Take these steps to protect yourself online:

Create better passwords. Avoid passwords like password, 123456, qwerty, abc123, or monkey; these are the most common passwords (I have been writing about weak passwords since 2010). Forbes says your first line of protection against cybercrime is to make sure all of your passwords follow these rules of thumb:

  • At least eight characters
  • A mix of these four types of characters: upper case letters, lower case letters, numbers, and special characters
  • Not a name, slang word, or any word in the dictionary
  • Don’t keep the same password; change it every six months
  • Have uniquely different passwords (not just slight variations of the same password) for every account and site
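As an added example (not code from the Forbes article or from this post), here is a Python checker that applies the five rules of thumb above and also rejects anything on the 25 worst passwords list reproduced earlier on this page. The small DICTIONARY word list and the two-edit threshold for what counts as a “slight variation” of the previous password are my assumptions.

```python
import string

# The 2012 (xato.net) and 2011 (SplashData) top-25 lists reproduced earlier on this page.
WORST_PASSWORDS = {
    "password", "123456", "12345678", "1234", "qwerty", "12345", "dragon", "pussy",
    "baseball", "football", "letmein", "monkey", "696969", "abc123", "mustang",
    "michael", "shadow", "master", "jennifer", "111111", "2000", "jordan", "superman",
    "harley", "1234567", "trustno1", "iloveyou", "sunshine", "ashley", "bailey",
    "passw0rd", "123123", "654321", "qazwsx",
}

# Constructed stand-in for a real word/name list; a deployment would load a full dictionary.
DICTIONARY = {"summer", "welcome", "secret", "detroit", "robert"}

# Assumed threshold: a new password within two edits of the old one is a "slight variation".
MAX_SIMILAR_EDITS = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate, previous=None):
    """Return the list of rules the candidate violates; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    has_all_classes = all((
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ))
    if not has_all_classes:
        problems.append("missing one of: upper case, lower case, number, special character")
    if lowered in WORST_PASSWORDS:
        problems.append("on the most-common-passwords list")
    # "Welcome1!" satisfies the character-class rule but is still a dictionary word with padding.
    if lowered.strip(string.digits + string.punctuation) in DICTIONARY:
        problems.append("a name or dictionary word")
    if previous is not None and levenshtein(lowered, previous.lower()) <= MAX_SIMILAR_EDITS:
        problems.append("only a slight variation of the previous password")
    return problems
```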

Monitor your financial accounts. If you shop online, use online banking, or have any personal or financial information available online, you are at risk of finance-related crimes like identity theft and fraud which Huff Post says costs the average victim $631 in out-of-pocket costs. Forbes says that one of the easiest ways to protect yourself is to monitor your credit to detect any red flags early. They recommend users set up spending limit alerts on credit cards and checking accounts to keep tabs on your balances. Automatically monitoring for suspicious activity and fraudulent accounts helps catch costly identity theft and fraud immediately.

Lock down your smartphone. If you use your smartphone to shop, spend, socialize, and surf, your phone’s sensitive information essentially becomes a one-stop shop for cybercriminals. Forbes says if stolen or exposed to thieves, your smartphone can compromise your personal and financial information anytime and anywhere. Here’s a quick five-minute checklist from Forbes on how to properly secure your mobile phone:

  • Password-protect your phone with a complex and unique password, and set your phone so it auto-locks and never saves any passwords.
  • Enable a service with remote tracking. You can also set your phone to automatically wipe your data if your phone password is inputted incorrectly several times.
  • Turn Bluetooth off if you’re not using it. Thieves can pair their Bluetooth device with yours and hack personal information.
  • Be careful on public Wi-Fi networks where thieves can remotely access your data undetected. Only connect your phone to secure networks.
  • Before downloading any apps to your phone, always do a quick search to make sure they come from a legitimate site or publisher. Check user reviews on sites like appWatchdog for complaints.

Related articles
  • Why you should password-protect your smartphone (ctv.ca)
