Tag Archive for Security

Password Insecurity

The massive Rockyou.com breach exposed just how weak the password is as a security mechanism. California-based security firm Imperva analyzed the stolen cache of 32 million passwords, and the results are not pretty. According to the researchers, most passwords were eight or fewer characters and nearly 30% were six characters or less. Nearly 50% of users chose names, slang, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), and 20% of all passwords came from a pool of just 5,000 distinct values. The ten most common passwords were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

“The problem has changed very little over the past 20 years,” explained Imperva’s CTO Amichai Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security.” It is worth pointing out that the same password, “123456”, also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published in October 2009 by Acunetix (link removed at the request of Acunetix).

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Shulman in a press release.

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.

The remaining passwords, ranked by popularity, appear in Imperva’s chart (Imperva passwords chart not reproduced here).

Some of the lessons that firms can draw from the Imperva research are:

1) Most users choose short passwords that lack a mix of lower-case, upper-case, and numeric characters, or use trivial dictionary words that any decent brute-forcing or password-recovery tool finds in a matter of minutes. By Imperva’s estimate, an attacker can gain access to 1,000 such accounts in about 17 minutes.

2) Strong password-hashing algorithms on the server side must be coupled with longer passwords that contain a mix of letters, numbers, and, where possible, punctuation.

3) Firms should emulate Twitter’s “banned passwords” list, a list of 370 passwords that users are not allowed to choose.

The analysis shows that most people give no more than a fleeting thought to the password that secures access to their accounts. That is why firms must take proactive steps to manage their users’ password choices rather than leaving them to chance.
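To make the categories in the Imperva numbers concrete, here is a small classifier, added here and not Imperva’s own tooling, that buckets a password list the way the study did (trivial patterns, names, dictionary words) and reports the length split, the weak-category share, and the top-ten share. The DICTIONARY and NAMES sets and the SAMPLE list are constructed stand-ins; against a real dump you would feed it the file one line at a time and a real wordlist.

```python
"""Bucket a leaked password list the way the Imperva RockYou study did.

Added example, not Imperva's tooling. DICTIONARY/NAMES are tiny constructed
stand-ins for real wordlists, and SAMPLE is a constructed dump.
"""
from collections import Counter

DICTIONARY = {"password", "princess", "iloveyou", "rockyou", "monkey", "sunshine"}
NAMES = {"jessica", "michael", "ashley", "daniel"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_trivial(pw):
    """Repeated character, consecutive digits/letters, or a run of adjacent keyboard keys."""
    p = pw.lower()
    if len(set(p)) == 1:                       # aaaaaa
        return True
    if p.isdigit() or p.isalpha():
        steps = {ord(b) - ord(a) for a, b in zip(p, p[1:])}
        if steps == {1} or steps == {-1}:      # 123456, 654321, abcdef
            return True
    if len(p) >= 4 and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS):
        return True                            # qwerty, zxcvbn
    return False


def classify(pw):
    """One of the study's buckets: trivial, name, dictionary, or other."""
    p = pw.lower()
    if is_trivial(p):
        return "trivial"
    if p in NAMES:
        return "name"
    if p in DICTIONARY:
        return "dictionary"
    return "other"


def analyze(passwords, top_n=10):
    """Length split, share of weak categories and the top-N share, as the article quotes."""
    total = len(passwords)
    cats = Counter(classify(p) for p in passwords)
    top = Counter(passwords).most_common(top_n)
    return {
        "total": total,
        "six_or_less_pct": 100.0 * sum(len(p) <= 6 for p in passwords) / total,
        "eight_or_less_pct": 100.0 * sum(len(p) <= 8 for p in passwords) / total,
        "categories": dict(cats),
        "weak_pct": 100.0 * (total - cats["other"]) / total,
        "top": top,
        "top_share_pct": 100.0 * sum(n for _, n in top) / total,
    }


# Constructed sample dump (20 entries); in practice, read the real file line by line.
SAMPLE = (["123456"] * 5 + ["12345"] * 3 + ["password"] * 2
          + ["princess", "jessica", "qwerty", "abc123", "Tr0ub4dor&3",
             "correcthorse", "12345678", "zxcvbn", "aaaaaa", "7h!sIsL0ng3r"])

if __name__ == "__main__":
    stats = analyze(SAMPLE)
    for key in ("total", "six_or_less_pct", "eight_or_less_pct", "weak_pct", "top_share_pct"):
        print(f"{key:>18}: {stats[key]}")
    for pw, n in stats["top"]:
        print(f"{n:>4}  {pw}")
```

The classifier is deliberately coarse: “abc123” lands in “other” because it is neither all-digit nor all-letter, which is exactly the kind of gap a real wordlist (or a rule-based cracker’s mangling rules) closes. The point of the exercise is the shape of the numbers: a handful of values covering most of the accounts, and short lengths dominating.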

PASSWORD RELATED SECURITY BEST PRACTICES:

• All passwords are to be treated as sensitive, confidential corporate information.
• Don’t use the same password for corporate accounts and non-corporate accounts (e.g., Facebook, Twitter, personal ISP account,  etc.).
• If someone demands a password, refer them to the Information Security Department.
• Change passwords at least once every four months.
• Do not use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
• If an account or password is suspected to have been compromised, report the incident and change all passwords.

Strong passwords characteristics:
• At least eight (8) characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored online.

Password “don’ts”:
• Don’t reveal a password over the phone to ANYONE
• Don’t reveal a password in an email message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., “my family name”)
• Don’t reveal a password on questionnaires or security forms
• Don’t share a password with family members
• Don’t reveal a password to co-workers while on vacation

OTHER PASSWORD-RELATED SECURITY BEST PRACTICES:
• Lockout threshold: all systems should be set to “lock out” a user after a maximum of five (5) incorrect passwords or failed login attempts
• Lockout duration: all systems should enforce a minimum “lockout” time of five (5) minutes
• Password History: systems should be configured to require a password that is different from the last ten (10) passwords
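The strong-password characteristics, the banned-list lesson from the Imperva section, and the lockout and history rules above fit together in one enforcement point. The following is an added example of such a policy check, not code from the original page; the banned list is the article’s top ten standing in for a Twitter-style 370-entry list, and the PBKDF2 iteration count is an illustrative assumption (a production system would use a tuned slow hash such as bcrypt, scrypt or Argon2).

```python
"""Enforce the password policy described above: complexity rules, a banned
list, personal-information screening, password history and account lockout.

Added example; not from the original page. BANNED is the article's top-ten
list standing in for a full banned-password list. Hashing parameters are
illustrative assumptions.
"""
import hashlib
import hmac
import os
import time

BANNED = {"123456", "12345", "123456789", "password", "iloveyou",
          "princess", "rockyou", "1234567", "12345678", "abc123"}
SPECIALS = set("~!@#$%^&*()-=+?[]{}")
MAX_FAILURES = 5           # lock out after five failed attempts
LOCKOUT_SECONDS = 5 * 60   # minimum lockout of five minutes
HISTORY_DEPTH = 10         # must differ from the last ten passwords
PBKDF2_ROUNDS = 20_000     # assumed; tune for your hardware


def check_complexity(pw, personal=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c in SPECIALS for c in pw):
        problems.append("no non-alphanumeric character")
    if pw.lower() in BANNED:
        problems.append("on the banned list")
    for item in personal:                      # user name, family names, etc.
        if len(item) >= 3 and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    return problems


def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Holds the salted hashes of the current and previous passwords plus lockout state."""

    def __init__(self, username, password, personal=()):
        self.username = username
        self.personal = tuple(personal)
        self.history = []          # (salt, hash) pairs, newest last
        self.failures = 0
        self.locked_until = 0.0
        self.set_password(password)

    def _matches_history(self, pw):
        return any(hmac.compare_digest(_hash(pw, salt), h)
                   for salt, h in self.history[-HISTORY_DEPTH:])

    def set_password(self, pw):
        problems = check_complexity(pw, (self.username, *self.personal))
        if self._matches_history(pw):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))

    def login(self, pw, now=None):
        """True on success; False for a wrong password or while the account is locked."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False
        salt, h = self.history[-1]
        if hmac.compare_digest(_hash(pw, salt), h):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return False
```

Two details matter in practice: the lockout clock is injectable (`now=`) so the five-minute rule can be tested without sleeping, and history comparison requires re-hashing the candidate against each stored salt, which is why the history depth is a cost knob and not just a policy number.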


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

SPAM Decline?

PC World chronicles how analysts at the California-based security company FireEye executed a plan to shut down the Mega-D botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. To shut down this threat, Atif Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.

According to the article, the botnet’s command infrastructure was its weak point. The Mega-D malware infecting PCs was directed from online command and control (C&C) servers around the world. The researchers found that if the bots could be separated from their controllers, the undirected bots would sit idle on the infected PCs instead of sending spam. Mushtaq also found that every Mega-D bot carried a list of fallback destinations to try if it could not reach its primary command server, so taking down Mega-D would require a carefully coordinated action against all of them at once.

To set up the coordinated action, the FireEye team first contacted the Internet Service Providers (ISPs) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with one in Turkey and another in Israel. The FireEye team received cooperation from the U.S.-based ISPs but not from the overseas ones, and with the U.S. providers’ help took down the U.S.-based C&C servers.

Since the ISPs in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted the domain-name registrars holding the records for the domain names Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names at nothing. This cut off the pool of domain names the bots would use to reach the C&C servers hosted at the overseas ISPs.

As the last step, PC World says, FireEye and the registrars worked to claim the spare fallback domain names that Mega-D’s controllers had listed in the bots’ programming, and pointed them at “sinkholes” (servers FireEye had set up to sit quietly and log the attempts of Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
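The size estimate comes from the sinkhole logs: every infected machine that falls through its fallback list eventually knocks on a domain the defenders now own. The following is an added illustration of that counting step, not FireEye’s tooling; the log format (ISO timestamp, source IP, the host name the bot asked for) and the log lines themselves are constructed, and the domain names are placeholders.

```python
"""Estimate botnet population from sinkhole check-in logs.

Added example, not FireEye's tooling. The log format and the lines in
SINKHOLE_LOG are constructed: "<ISO timestamp> <source IP> <requested host>".
"""
from collections import Counter, defaultdict
from datetime import datetime

SINKHOLE_LOG = """\
2009-11-06T00:01:12Z 203.0.113.10 fallback1.example
2009-11-06T00:01:15Z 203.0.113.11 fallback1.example
2009-11-06T00:02:40Z 198.51.100.7 fallback2.example
2009-11-06T06:02:41Z 203.0.113.10 fallback1.example
2009-11-06T12:03:02Z 203.0.113.10 fallback2.example
2009-11-07T00:00:59Z 203.0.113.11 fallback1.example
2009-11-07T00:10:00Z 192.0.2.25 fallback2.example
2009-11-07T03:44:17Z 198.51.100.7 fallback1.example
2009-11-07T09:00:00Z 192.0.2.25 fallback3.example
"""


def parse(log):
    """Yield (timestamp, source_ip, requested_host) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, host = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, host


def summarize(log):
    """Distinct bots overall, per day, newly seen per day, and hits per sinkholed name."""
    seen = set()
    per_day = defaultdict(set)
    per_host = Counter()
    first_seen = {}
    for ts, ip, host in parse(log):
        seen.add(ip)
        per_day[ts.date().isoformat()].add(ip)
        per_host[host] += 1
        first_seen.setdefault(ip, ts)
    new_per_day = Counter(ts.date().isoformat() for ts in first_seen.values())
    return {
        "distinct_ips": len(seen),
        "per_day": {d: len(ips) for d, ips in sorted(per_day.items())},
        "new_per_day": dict(new_per_day),
        "checkins_per_host": dict(per_host),
    }


def checkin_intervals(log):
    """Seconds between consecutive check-ins per IP; a steady cadence is a bot, not a curious human."""
    times = defaultdict(list)
    for ts, ip, _ in parse(log):
        times[ip].append(ts)
    return {ip: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for ip, t in times.items() if len(t) > 1}


if __name__ == "__main__":
    print(summarize(SINKHOLE_LOG))
    print(checkin_intervals(SINKHOLE_LOG))
```

A distinct-IP count is only an estimate of the bot population: machines behind one NAT gateway collapse into a single address, while a DHCP lease change makes one machine look like two. Watching how many addresses are new each day, and whether the check-in cadence is machine-regular, is how you tell when the count has stopped growing and when a sinkhole hit is a researcher’s scanner rather than a bot.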

MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” over the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. After FireEye’s action, Mega-D’s share of Internet spam fell to less than 0.1 percent, MessageLabs says.

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one, and other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks, in the PC World article. “The question is, will it have a long-term impact?”

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful. Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

Rb-

The Daily Average SPAM Received (DASR) index reached an all-time low in December 2009, at 29.4. The index had been trending down since its all-time high of 77.5 in May 2008, but this drop seems different.

The impact of the FireEye operation seems longer lasting. The DASR stayed down through December and into the New Year; the month-to-date DASR index for January 2010 is a paltry 15.

Even after the McColo takedown in November 2008, the DASR never reached this low a level. Hopefully, spammers have seen the error of their ways, repented, and found something else to do, but more likely they have reloaded with new ammunition and are exploiting social networks, Adobe, IE, and Google.


Zeus Raids School

A New York school district was the victim of an apparent Zeus trojan attack that appears to have netted the thieves nearly $500,000. InformationWeek reports that the FBI and the New York State Police Cyber Crime and Critical Infrastructure Unit are investigating an attempt last month to steal about $3.8 million from the Duanesburg Central School District near Schenectady, New York.

According to the January 6 article, online thieves made a series of unauthorized funds transfers from the school district’s NBT Bank account to an overseas bank between December 18 and 22, 2009. The bank flagged the third transfer in that period as abnormal activity and began blocking pending transactions once the school district confirmed the transfers had not been authorized. Working with foreign banks, NBT Bank recovered about $2.5 million of the $3 million moved during the four-day period; two earlier unauthorized transactions were then discovered as well.

“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered,” wrote Superintendent Christine Crowley in a letter on Monday to district parents and community members. “However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds.”

The district website says, “At this time, we do not have any more information on how this happened and do not expect to have any more information to share until the investigation concludes.”

Security researchers at Trusteer point out in a recent DarkReading article that Zeus is detected only 23 percent of the time by up-to-date anti-virus applications. The massive Zbot botnet is made up of 3.6 million PCs in the U.S., according to Damballa data. The malware steals users’ online banking credentials and sends them to a remote server; it can also inject HTML into pages rendered by the victim’s browser to display its own content mimicking, for instance, a bank’s Web page.

“Zeus’ infection rate is higher than that of any other financial Trojan. We are seeing actual fraud linked to Zeus — accounts being compromised, [and] money transferred from accounts of customers infected with Zeus,” Mickey Boodaei, founder and CEO of Trusteer, told DarkReading. “When we investigate some of our banking customers’ [machines infected by it], we find evidence of abuse on the computer, so we know this crime ring is very active and dangerous.”

The security blog also notes that organizations can’t control the transmission vectors, which are increasingly social networking and webmail applications. Given the high degree of user trust and the huge user populations, malware developers have been targeting social networks aggressively (webmail is a well-established transmission vector). Some of the threats are social-network-specific (e.g., Koobface, FBAction), but many times attackers re-use existing or older threats delivered in a new, hybrid way that exploits the trust associated with social networks, which has given threats like Zeus a huge boost. If you can’t control the transmission vector, it’s much harder to manage the threat, especially when users click first and think later.


Paper Based Data Breaches Growing

Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches are on the rise. Krebs cites statistics from the Identity Theft Resource Center (ITRC), a San Diego-based nonprofit, which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that was lost, stolen, inadvertently distributed, or improperly disposed of.

The ITRC logged 125 paper breaches among the 463 incidents it recorded in 2009. These breaches occurred across all sectors, with businesses accounting for the most, followed by the government sector.

“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”

Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

Experts say that paper data breach incidents come to light in large part because of the proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers and, in some cases, state authorities. Concerned about the mounting costs of complying with so many state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals would preempt state measures and would allow paper-based breaches to go unreported, because they require notification only when electronically stored data is lost or stolen and are largely silent on paper. Only Massachusetts and North Carolina currently require notification whether the breached data is in electronic or paper form.

rb-
When we talk to clients about information security, and not just information technology security, we ask them to consider that lost paper documents are just as damaging to a company’s reputation, should they get into the wrong hands, as electronic data stored in an Excel spreadsheet or database server. But data on paper is just another form of data that needs to be protected by information security policies.

Related articles
  • Identity theft and data breaches increased in 2010 (lexingtonlaw.com)

 


Botnets Attacking Servers

Web servers, FTP servers, and even SSL servers are becoming prime targets for botnets. They are targets “not as command and control servers,” says Mikko Hypponen, chief research officer at F-Secure, in a recent DarkReading article, “but in some cases to execute high-powered spam runs.”

Botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth, says Joe Stewart, director of malware research for SecureWorks. These bots are typically used as spamming engines: “The general purpose of these attacks is to send spam, either email spam or blog spamming,” Stewart told DarkReading. “The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out.”

Source of Web attacks

Marc Maiffret, chief security architect at FireEye, says he expects trusted and legitimate Websites to become the source of the majority of Web attacks in 2010. “I think that the focus there on servers is really again more to help more easily infect a larger number of desktops,” Maiffret says. “You can think of this SQL/Web-spread vector as the modernized version of what used to happen with email and such many years ago.”

“FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Hypponen. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for Biscom. “FTP is being used to transfer bot code to other machines, servers, and users,” Ho says. “If the FTP server is not secured properly and an FTP site has access to other parts of the system with vulnerabilities, the attacker can install [malware] at that location and infect and compromise that server.” Paul French, vice president of products and solutions marketing for Axway, laments: “FTP is pretty ubiquitous … The reality is that FTP has been around long enough for people to know the risks associated with it. But sometimes convenience outweighs good IT security [practices].”
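The stolen-credential pattern Ho describes leaves a recognizable trail in FTP server logs: one account used from several unrelated client addresses in a short window, followed by writes of web-executable content (HTML, JavaScript, .htaccess) into the document root. The following detection is an added example, not from the article or any product it names; the log format (timestamp, account, client IP, FTP command, path) and the lines themselves are constructed, and the thresholds are assumptions to tune for your environment.

```python
"""Hunt for stolen FTP credentials being used to plant drive-by-download code.

Added example, not from the article. FTP_LOG is a constructed transfer log:
"<ISO timestamp> <account> <client IP> <command> <path>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

FTP_LOG = """\
2010-01-12T08:00:01Z webadmin 203.0.113.5 LOGIN -
2010-01-12T08:00:30Z webadmin 203.0.113.5 STOR /htdocs/press/q4.pdf
2010-01-12T22:15:02Z webadmin 198.51.100.77 LOGIN -
2010-01-12T22:15:09Z webadmin 198.51.100.77 RETR /htdocs/index.html
2010-01-12T22:15:40Z webadmin 198.51.100.77 STOR /htdocs/index.html
2010-01-12T22:16:02Z webadmin 198.51.100.77 STOR /htdocs/js/jquery.min.js
2010-01-13T01:30:00Z webadmin 192.0.2.200 LOGIN -
2010-01-13T01:30:21Z webadmin 192.0.2.200 STOR /htdocs/.htaccess
2010-01-13T09:12:44Z marketing 203.0.113.9 LOGIN -
2010-01-13T09:13:10Z marketing 203.0.113.9 STOR /htdocs/press/banner.png
"""

MAX_IPS_PER_WINDOW = 2                       # assumed threshold
WINDOW = timedelta(hours=24)
WEB_CODE_SUFFIXES = (".php", ".js", ".html", ".htm", ".htaccess")


def parse(log):
    """Yield (timestamp, account, client_ip, command, path) per non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, ip, cmd, path = line.split(maxsplit=4)
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, cmd, path


def max_ips_in_window(events, window=WINDOW):
    """Largest number of distinct client IPs for one account inside any sliding window."""
    events = sorted(events)
    return max(len({ip for t, ip in events if start <= t < start + window})
               for start, _ in events)


def analyze(log):
    """Map account -> list of reasons it looks like a compromised credential."""
    logins = defaultdict(list)    # account -> [(ts, ip)]
    uploads = defaultdict(list)   # account -> [path] of web-executable writes
    for ts, user, ip, cmd, path in parse(log):
        if cmd == "LOGIN":
            logins[user].append((ts, ip))
        elif cmd == "STOR" and path.lower().endswith(WEB_CODE_SUFFIXES):
            uploads[user].append(path)
    findings = {}
    for user, events in logins.items():
        reasons = []
        spread = max_ips_in_window(events)
        if spread > MAX_IPS_PER_WINDOW:
            reasons.append(f"{spread} client IPs within 24h")
        if uploads[user]:
            reasons.append("wrote web code: " + ", ".join(uploads[user]))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in analyze(FTP_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Both rules are coarse on their own: a corporate NAT or VPN exit and a travelling webmaster also produce multi-address logins, and legitimate deployments write HTML and JavaScript all day. The combination, and especially an overwrite of an existing page (the RETR followed by STOR of index.html above) from an address that has never been seen for that account, is what earns a ticket. The underlying exposure is that FTP sends the credential in the clear, so the log only tells you the credential has already left the building.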

Botnets using SSL servers

“Another thing we’ve noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads,” according to Hypponen.

Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, DarkReading concludes.

 
