Search Results

Keyword: ‘linked in’

Third-party

July 1, 2012 Leave a comment

This section contains third-party documents published in the public interest (usually in support of a particular blog, linked in parenthesis)

WhistleBlowing Statement (short form)
(More accusations for Barclays to answer)

The eBay hack, the loss of 140 million records, and the PR fiasco

May 23, 2014 1 comment
Ebay – hacked on Wednesday

There are two functions to PR: the first is to shout the good news from the hilltops, while the second is to bury the bad. When bad news hits, PR says very little.

Bad news has hit eBay. It admitted Wednesday that it had been hacked – but it gives very little information. This is a mistake: it means that people will comb through the words it used, looking for clues as to what actually happened. The result is conjecture; but what follows is the conjecture of some very clever security people.

Three things leap out from the eBay statement. The first is the repeated use of the word ‘encrypted’, with no mention of hashing for the passwords. The second is the duration of the breach – it occurred in February/March, but was only discovered a couple of weeks ago. And the third is the mention of the database – not part of, nor a geographical region, but the (whole?) database. So what can we surmise from all this?

Ian Pratt, co-founder of Bromium

Firstly, were the passwords encrypted or hashed? It makes a difference. The implication from the statement is that they were encrypted. Most security experts believe that this would be a mistake – passwords should be hashed and salted. In fact, Ian Pratt, co-founder of Bromium, goes so far as to suggest, “It would be rather unusual to encrypt passwords rather than hash them; it’s probably just lack of precision in the statement.”

But that’s what we said about the Adobe breach – and it turned out that the passwords were indeed encrypted rather than hashed. The opinion among the experts I talked to is fairly evenly balanced – while eBay’s semantics suggest they used encryption, many experts find it hard to believe. “This heavily implies that the passwords were not hashed,” said Chris Oakley, principal security consultant at Nettitude. “eBay’s report suggests that the passwords were encrypted rather than hashed,” added Brendan Rizzo, Technical Director EMEA for Voltage Security. Sati Bains, COO of Sestus, said, “Yes… it appears from the comment that they did [encrypt rather than hash].”

Jon French, security analyst at AppRiver

“Encryption and hashing are often confused with each other,” explains Jon French, a security analyst at AppRiver. “But from the sounds of the [eBay’s] press release, it seems they were using some sort of encryption.”

Andrey Dulkin, senior director of cyber innovation at CyberArk, is in no doubt. “Indeed, from the eBay statements we understand that the passwords were encrypted, rather than hashed. The fact that the statements repeatedly use the words ‘encrypted’ and ‘decrypted’ supports this interpretation.”

It is, of course, possible that eBay is simply not differentiating between the two processes, since most of its customers will not understand the difference. “The public understand the word ‘encrypted’ more than hashed – so encrypt is frequently used in place of hashed. But it is believed they were hashed,” suggests Guy Bunker, spokesperson for the Jericho Forum and a cyber security expert at Clearswift.

Ilia Kolochenko, founder and CEO of High-Tech Bridge

Ilia Kolochenko, founder and CEO of High-Tech Bridge (HTB), doesn’t believe we can tell from eBay’s comments. “The difference isn’t easily understood by users. Even the spokesperson might not be aware. It’s quite possible that the company simply didn’t want to introduce the complexity of describing the technicalities of hashing and salting in a brief announcement.”

What’s the difference, and why does it matter?
The primary operational difference is that encryption can be reversed: the original plaintext can be retrieved from the ciphertext by anyone holding the encryption key. Hashed outputs cannot be mathematically returned to the original plaintext.

In practice, an entire database of passwords would be encrypted under a single encryption key. If hashing was used instead, each individual password would ideally have a random value added to it (a ‘salt’) before hashing, and each result would be hashed separately. “This salt,” explains Voltage’s Rizzo, “is a way to make sure that the hash of a particular password cannot be compared to the known hash of that same password by the attacker through the use of rainbow tables.”

This means that if an encrypted database is stolen, only one key needs to be found to unlock every password in the database. If the passwords are hashed, every single password needs to be cracked individually.

“The advantages to hashing,” Nick Piagentini, senior solutions architect at CloudPassage, told me, “are one, there is no need to manage sensitive encryption keys; two, hashing processes have less overhead to run than encryption processes; and three, there is no need to reconstruct the password data from the hash. Encryption would only be used if there was a need to get the original password back.”
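
To make that difference concrete, here is an added example in Python. It is not code from the original post and says nothing about how eBay actually stored anything. It builds the same three constructed accounts two ways: encrypted under a single key, where the keystream comes from HMAC-SHA256 run in counter mode purely so the block runs on the standard library (it stands in for a real cipher such as AES-CTR); and salted-and-hashed, where no key exists and every record has to be guessed separately against a wordlist. The account names, passwords and wordlist are all made up.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real breach): three accounts with weak passwords.
ACCOUNTS = {
    "alice@example.com": "password",
    "bob@example.com": "123456",
    "carol@example.com": "dragon",
}

# Constructed attacker wordlist; real ones run to billions of entries.
WORDLIST = ["letmein", "qwerty", "123456", "password", "dragon", "baseball"]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a keystream.

    Stands in for a real cipher (e.g. AES-CTR) so that the example needs only the
    standard library. What matters here is that it is reversible with the key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_store(accounts: dict, key: bytes) -> dict:
    """Reversible storage: every record is encrypted under the SAME key."""
    store = {}
    for user, password in accounts.items():
        nonce = os.urandom(16)
        plaintext = password.encode()
        store[user] = (nonce, _xor(plaintext, _keystream(key, nonce, len(plaintext))))
    return store


def decrypt_all(store: dict, key: bytes) -> dict:
    """Whoever holds the key recovers every password in a single pass."""
    return {
        user: _xor(ciphertext, _keystream(key, nonce, len(ciphertext))).decode(errors="replace")
        for user, (nonce, ciphertext) in store.items()
    }


def hash_store(accounts: dict) -> dict:
    """One-way storage: a fresh random salt per record, then hash(salt || password).

    Two users with the same password get different stored values, so a stolen
    database cannot be matched against a precomputed table."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.sha256(salt + password.encode()).digest())
    return store


def crack_hash_store(store: dict, wordlist: list) -> tuple:
    """There is no key to find: each record must be guessed on its own.

    Returns (recovered passwords, number of hash computations spent)."""
    recovered, work = {}, 0
    for user, (salt, digest) in store.items():
        for guess in wordlist:
            work += 1
            if hashlib.sha256(salt + guess.encode()).digest() == digest:
                recovered[user] = guess
                break
    return recovered, work


def demo() -> tuple:
    """Run both models over the same accounts; returns what each attacker gets back."""
    key = os.urandom(32)
    with_key = decrypt_all(encrypt_store(ACCOUNTS, key), key)
    recovered, work = crack_hash_store(hash_store(ACCOUNTS), WORDLIST)
    return with_key, recovered, work


if __name__ == "__main__":
    with_key, recovered, work = demo()
    print("encrypted, key known:", with_key)
    print("hashed, wordlist only:", recovered, "after", work, "guesses")
```

The work counter is the point. With the key, 145 million encrypted records cost one pass; without it, each salted hash costs a separate run through the wordlist, and a deliberately slow, iterated hash of the kind discussed in the update later in this piece multiplies that cost again.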

Could the hackers have the encryption key?
This is the 64 million dollar question (and is only relevant if the passwords were encrypted). We don’t know, and we may never know. But it is certainly possible. There are two possibilities: it could have been cracked or it could have been stolen.

Reuters spoke to eBay spokeswoman Amanda Miller:

She said the hackers gained access to 145 million records of which they copied “a large part”. Those records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.
Hackers raid eBay in historic breach, access 145 million records

eBay says the database was compromised some time around late February or early March; but wasn’t discovered until about two weeks ago. What we don’t know is whether the compromise was still in active use by the hackers, what else they did during the two months they were undetected, or whether they left something unwelcome behind. Frankly, I find it hard to believe that having gained access without being discovered the hackers did not have a good look round.

Chris Oakley, principal security consultant at Nettitude

(Incidentally, it is worth pointing out at this point another comment from HTB’s Kolochenko. Basically, eBay’s statement that financial details were safely stored on a separate server is pretty meaningless. “The two servers would have to communicate,” he explained. “The hackers could have installed some malware to listen to the communication between the servers, and sniffed the plaintext traveling between them.”)

So could they have found the encryption key? Opinion is divided. “This is a primary argument for using hashing over encryption for password storage,” comments Nettitude’s Oakley; “an attacker who is able to compromise the database may also be in a position to obtain the encryption key(s).” (Incidentally, a salt is not a secret in the way a key is: it is normally stored next to each hash and must be assumed known to whoever stole the database. Its job is to defeat precomputed rainbow tables, and a known salt still does that. What a salt does not do is slow down a dictionary attack on an individual user’s hash; that depends on the site having used a deliberately slow, iterated hash function rather than a fast one.)

On the other hand, “I would hope they [eBay] didn’t ‘tape the key to the door of the safe’”, comments Trey Ford, global security strategist at Rapid7. “eBay and PayPal have solid security teams, and go through regular third-party assessments. I refuse to believe they would handle encryption key materials that poorly.”

Trey Ford, global security strategist at Rapid7

And yet they left the users’ email addresses and other personal information unencrypted. If they were using encryption seriously, they would have used a hardware security module (HSM) to house the keys, and would have encrypted everything. “They do not seem to be very confident about their encryption system,” comments Sebastian Munoz, CEO of REALSEC, “when they are suggesting that their customers reset passwords. If efficiently encrypted, using specific certified hardware, there would be no need to reset the passwords, since protection is guaranteed. When you use a Hardware Security Module (HSM) and not a simple and insecure encryption-by-software process, there is no way that hackers can gain access to the encryption keys.”

Munoz further suspects that software-based encryption was used, since only the passwords were encrypted: software encryption costs performance, so cost arguments come into play.

Sebastian Munoz, CEO of REALSEC

So, given the duration of the breach and the probable lack of an HSM, it is perfectly possible that the hackers also found the encryption key – and if this is the case, they now have access to the greater part of 145 million passwords, along with ‘email address, physical address, phone number and date of birth’.

If they did not find the key, would they be able to crack it? Again, opinion is divided – it all depends upon what encryption algorithm was used. Older encryption algorithms might be susceptible to a ‘known plaintext’ attack (see Wikipedia for details). Getting the necessary plaintext would be no problem: the most popular passwords are remarkably consistent, so a simple analysis with something like DigiNinja’s Pipal on an existing cracked database would provide a fair sampling of plaintext.

Dr Guy Bunker, spokesperson for the Jericho Forum and a cyber security expert at Clearswift

“However,” notes Bromium’s Ian Pratt, “assuming any kind of modern encryption (e.g. AES-128) was used then a known plaintext attack should not be feasible to recover the key and hence reveal other passwords.”

“Another approach,” suggested Clearswift’s Bunker, “is to ‘inject’ known passwords (either the hash or the encrypted version) into the database. This would create the equivalent of denial of service for the individual but would allow the attacker free reign over the account.”

The problem is we simply do not know what has happened. eBay’s attempts to downplay the incident are simply leading to conjecture.

UPDATE
While writing this report, Rapid7’s Trey Ford noticed adverts for the sale of eBay’s stolen database beginning to appear on Pastebin. “There has now been a posting on pastebin claiming to offer ‘145 312 663 unique records’ relating to the eBay breach,” he told me by email. We don’t know if they’re genuine, “it’s possible that a criminal has just spotted an opportunity to cash in on the attack with some other credentials dump they have.”

An analysis of the sample provided is inconclusive – the records are possibly genuine but not certainly genuine. But Ford had a look at the sample:

The sample that has been shared indicates that cracking the passwords will take considerable time. This is nothing like what we saw when LinkedIn was breached and the stolen credentials were quickly cracked due to only SHA-1 hashing being used for storage. In contrast, this credentials set is using PBKDF2 (Password-Based Key Derivation Function 2) SHA-256 hashes, which means they employ a strong hash function and also intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations. The method used can be regarded as the state-of-the-art way to store passwords on web applications. Again though, we don’t know that these are credentials taken from the eBay breach, and no details have come from eBay on how they secure passwords.

This would fit in with eBay’s apparent confidence that the passwords cannot be cracked. However, Reuters spoke to eBay about the sample, and

eBay’s [spokesperson Amanda] Miller said the information was not authentic.
U.S. states probe eBay cyber attack as customers complain

AppRiver’s Jon French also noticed the Pastebin offer. He told me by email,

I’ll be wary of anything like this until I see people saying they see their own names (or if I end up seeing mine). Eventually if the Pastebin offer is legit, someone will post the file for free somewhere or some security company that buys it will verify authenticity.

His colleague, Troy Gill, a senior security analyst at AppRiver also suggested something that serious criminals will be well aware of: “There is always the remote possibility that this is a honey pot set by authorities to lure in would be buyers.”

Summary
eBay is taking the standard route for crisis management: say nothing. This is hugely disrespectful to its customers, who need and have a right to know everything possible. But eBay is also making a mistake in trying to downplay the effect of the stolen data. It says it has “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information.” This is meant to make its customers feel better – the danger is that it might.

What eBay isn’t saying is that the unencrypted personal data also stolen (email address, physical address, phone number and date of birth) is a phisher’s wet dream. Armed with that information, criminals will be able to concoct very compelling emails and cold calls. This is likely to happen on a vast scale and very soon. eBay might feel confident about its own business, but the data it has lost puts millions of individuals and other companies in danger.

“When companies like eBay keep silent about the details,” commented High-Tech Bridge’s Kolochenko, “I would tend to expect the worst.” It is perhaps worth remembering the Adobe incident, which started off with a breach of a couple of million and slowly escalated into one of the worst breaches in history.

Categories: All, Security Issues

The threat of the petroruble

March 30, 2014 Leave a comment

Little snowballs at the top of a hill start so small — but if left to roll unfettered, over time they can grow large enough to flatten anything in their path. Putin has pushed a little snowball off the top of the hill.

One bank in Russia has decoupled itself from the dollar. It started with US sanctions over Crimea; but it has allowed Putin to enforce all trading via the Rossiya bank to be conducted in rubles — from consumables to oil. Did I say oil? I’m afraid I did — and this could be the beginnings of the petroruble.

It is the petrodollar that has kept the US — which consistently spends more than it earns — afloat for years. So long as the world’s oil is traded in dollars and world demand for dollars is maintained for that purpose, then the US can simply keep printing more money to pay for whatever it wants. Without that demand, the US economy would be in serious trouble.

So serious, in fact, that when Iraq (with the second largest oil reserves in the world) threatened to stop trading its oil in dollars and start using the Euro, the Bush response was to invade Iraq and impose a more friendly regime.

Russia, like Iraq, is an energy country.

The petroleum industry in Russia is one of the largest in the world. Russia has the largest reserves, and is the largest exporter, of natural gas. It has the second largest coal reserves, the eighth largest oil reserves, and is the largest producer of oil.
Wikipedia

If the rest of Russia follows the Rossiya bank and switches all energy trades to rubles, then that’s a serious issue for America. If other oil-producing countries aligned with Russia (for example, Iran and Venezuela) also dump the dollar for the ruble for oil trades, it escalates beyond serious. It could be catastrophic.

Let us all hope that the US response to the threat of Russia abandoning the dollar is not the same response it had for Iraq’s threat to abandon the dollar.

Categories: All, Politics

Dear Mum — I’ve been mugged… help me

March 1, 2014 1 comment

I got an email this morning from a friend, a world-renowned security expert, and — dare I say it — an ex-detective.

He was in trouble. In Ukraine. He’d been mugged and lost his money. His passport had been impounded by his hotel, and he was stuck. Could I help?

Well, even Google can recognise a London Scam (Dear Mum, I’ve been mugged in London — please send money); although I personally haven’t seen one for a couple of years now.

But the interesting thing here is that the scammer used the correct email address: a.person@onewebmail.com. Closer inspection showed, however, that the reply address was slightly different: a.person@anotherwebmail.com.

So what we have is a scammer who had taken the trouble to find a relationship between two people and register an email address close to one of them. We can assume that the real a.person hasn’t been hacked and lost his contact list otherwise the scammer wouldn’t have needed the separate reply-to address. So the question is, how did the scammer tie the two of us together?

Finding my email is not a problem — as a journalist I hardly keep it secret. I would expect the real a.person to be more circumspect, however. And then there’s the relationship. I guess LinkedIn and Twitter serve a few more functions than most of us realise…
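
One check that catches this variety of scam automatically, as an added Python example (not code from the original post): parse the message headers and flag a Reply-To address that does not appear in From, with a second, separate finding for the exact trick above, where the local part matches and only the domain differs. The sample message is constructed, using the placeholder addresses from the post.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed message modelled on the scam above, using the post's placeholder addresses.
SAMPLE = """\
From: A Person <a.person@onewebmail.com>
Reply-To: A Person <a.person@anotherwebmail.com>
To: journalist@example.com
Subject: Urgent - stuck in Ukraine

I've been mugged and lost my money. Can you help?
"""


def _addresses(msg, header: str) -> list:
    """All addresses in a header, lower-cased, with display names stripped."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def reply_to_findings(raw: str) -> list:
    """Reasons the message looks like a reply-to hijack; empty if nothing is wrong.

    A Reply-To that points somewhere other than the sender is not always malicious
    (mailing lists do it), which is why the look-alike case gets its own finding."""
    msg = message_from_string(raw)
    from_addrs = _addresses(msg, "From")
    findings = []
    for reply in _addresses(msg, "Reply-To"):
        if reply in from_addrs:
            continue
        findings.append(f"Reply-To {reply} is not the From address {from_addrs}")
        reply_local, _, reply_domain = reply.partition("@")
        for sender in from_addrs:
            sender_local, _, sender_domain = sender.partition("@")
            if reply_local == sender_local and reply_domain != sender_domain:
                findings.append(
                    f"look-alike: same local part '{reply_local}' on {sender_domain} (From) "
                    f"and {reply_domain} (Reply-To)"
                )
    return findings


if __name__ == "__main__":
    for finding in reply_to_findings(SAMPLE):
        print(finding)
```

The look-alike finding is the one worth alerting on: a legitimate From with a Reply-To that reuses the same name at a different webmail provider is exactly the pattern of a scammer who knows the relationship but does not control the real mailbox.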

Categories: All, Security Issues

To hash or to encrypt — that is the question

December 12, 2013 Leave a comment

Can somebody explain this to me, please? I don’t understand.

In LinkedIn’s data breach, customer passwords were stolen because they had been hashed instead of encrypted.

It’s from the Vormetric blog under the title Breach Blog Roll posted today. My understanding is that it refers to the 2012 LinkedIn breach that resulted in the theft of more than 6 million user passwords. Again, my understanding is that the passwords were hashed but not salted.

What I don’t understand, however, is how being hashed rather than encrypted was the cause of their theft.

Help? Anyone?

UPDATE
For the record, the best response I’ve had so far came via Twitter:

Kurt Wismer operates the excellent 'anti-virus rants' blog

‘anti-virus rants’ is here.

Categories: All, Security Issues

Password theory is good – password practice is poor

November 25, 2013 Leave a comment

There’s nothing wrong with passwords. At least there’s nothing wrong with the theory of passwords.

You have a locked room. The only way into the room is through a single door. The only way through the door is with a single key. You have the only key. What’s wrong with that?

Throughout this article we’ll talk about locked rooms and keys. The locked rooms are your accounts, mostly on the internet; and they contain your valuable personal data. The keys are your passwords to those accounts. You should have a separate key for each locked room. If you have a single key for multiple rooms and you lose that key or it is stolen, the finder can get into all of your rooms.

So, just like any key to any room, we have a responsibility to keep it or them safe if we want to keep our property safe. We need to make sure they cannot be guessed; that we do not leave them lying around for others to find; that we make it as difficult as possible for hackers to steal them directly from our desktop computers (anti-virus, firewalls and above all else, common sense); and that we do not make copies and use the same key for multiple rooms (we need a different key for every different room).

The problem is that we hear about new password thefts almost every day. Some of them happen because of earlier password thefts. As soon as your password is stolen, you are no longer the only person who can get into your locked room. Any person who has your password, the key to your locked room, can steal all of your personal, private and valuable information. Here’s a selection of thefts, basically just what I can remember – there’s many, many more – from this year alone:

Adobe 150,000,000 https://kevtownsend.wordpress.com/2013/11/14/adobe-you-really-cocked-up-on-this-one/
Apple 275,000 http://www.theguardian.com/technology/2013/jul/22/apple-developer-site-hacked
Cupid Media 42,000,000 http://www.infosecurity-magazine.com/view/35767/42-million-passwords-compromised-as-hackers-aim-at-cupid-online-dating/
Drupal 1,000,000 http://www.infosecurity-magazine.com/view/32697/drupal-hit-by-massive-data-breach
Evernote 50,000,000 http://www.infosecurity-magazine.com/view/31023/evernote-hacked-50-million-passwords-reset
Living Social 50,000,000 http://www.infosecurity-magazine.com/view/32087/50-million-livingsocial-passwords-stolen
LoyaltyBuild 1,500,000 http://www.infosecurity-magazine.com/view/35604/irish-data-center-breach-hits-15-million-european-consumers
MacRumors 860,000 http://www.infosecurity-magazine.com/view/35592/macrumors-breached-860k-passwords-potentially-compromised/
Morningstar 182,000 http://www.infosecurity-magazine.com/view/33348/morningstar-provides-some-information-about-breach
Nintendo 24,000 http://www.infosecurity-magazine.com/view/33342/thousands-of-club-nintendo-accounts-compromised
Racing Post unknown http://www.infosecurity-magazine.com/view/35814/racing-post-breached-users-passwords-stolen/
Scribd c300,000 http://www.nbcnews.com/technology/scribd-hack-exposes-thousands-users-1B9239618
Twitter 250,000 http://www.wired.co.uk/news/archive/2013-02/02/twitter-hacked
UbiSoft up to 58,000,000 http://www.infosecurity-magazine.com/view/33248/ubisoft-maker-of-assassins-creed-and-ghost-recon-breached
Ubuntu 1,800,000 http://www.infosecurity-magazine.com/view/33556/ubuntu-forum-hacked-18-million-accounts-compromised
vBulletin 900,000 http://www.infosecurity-magazine.com/view/35718/is-there-a-vbulletin-zeroday-out-there/
Yahoo 450,000 http://www.infosecurity-magazine.com/view/26976/yahoo-confirms-what-everyone-already-knew-about-password-breach

Criminals get passwords either by knowing them (because they are given them, or they are insufficiently hidden), or they guess them. In the first case they use social-engineering psychology to persuade the user to hand them over (more information on social engineering here, and spear-phishing here), or they find them unhidden by the user. In the latter case they guess the most common passwords, or use automated dictionaries to try every possibility until the right password (key) for a known account (locked room) is found.

Most websites include a limit on the number of failed access attempts allowed within a predetermined period. This means multiple attempts to guess the right password while online are almost certain to fail. That is why criminals steal password databases from websites – so that they can try millions of automated guesses offline without being interrupted. The purpose is still to find the key to gain entry to your locked room, and to steal everything of value within it.

But there’s an easy solution: use complex passwords that cannot be manually guessed, and electronically hide them so that automated guessing still won’t work.

There are two methods for ‘electronically hiding’ text: encryption and hashing. Encryption involves converting text into an apparently meaningless jumble of characters in a manner that can only be unjumbled with the secret decryption key, which is either the same as the encrypting key (symmetric encryption) or different from it (asymmetric encryption). Encryption, by definition, comes with the ability to decrypt – the ability to return the jumble back to the original text. Hashing is different. Hashing is one-way only. Hashing converts the original text into a meaningless jumble that cannot be de-hashed back to the original.

Hashing is the right solution for websites to hide their users’ passwords. It means that even the website doesn’t need to know the password, only the hash, which they cannot return to the original password key. With this method passwords need never and should never be stored by websites.

When you create a new account you are asked to provide a password. That password is hashed, paired with your user ID (often, but not necessarily, your email address), associated with your account, and stored. Whenever you want to access your account, you again enter your password. It is hashed again. If your user ID and the new hash result match with something stored, you are allowed access to the associated account.

Hint: if you forget your password, distrust a website that is able to send you your old password by email – it shouldn’t have your password. The ‘correct’ procedure is to guide you to a place where you can create a new password.
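
The account-creation and login steps just described, as an added Python example (not code from the original article, nor any real site’s implementation; it also serves the hashing-versus-encryption discussion in the eBay piece above). It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count, the stored record format and the in-memory user table are choices made for this example. It shows the two things a practitioner would add: a constant-time comparison of the hashes, and a ‘forgot password’ path that sets a new password because the old one cannot be recovered.

```python
import base64
import hashlib
import hmac
import os

# Parameters chosen for this example, not taken from any real service.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16

_users = {}  # constructed in-memory "database": email -> stored record string


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt and return the string to store.

    Everything needed to verify later is in the record; the password is not."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def check_record(record: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    # compare_digest does not stop at the first differing byte, so response
    # timing does not leak how much of the hash matched.
    return hmac.compare_digest(actual, expected)


# Used when the account does not exist, so a login attempt takes the same time either way.
_DUMMY_RECORD = make_record("placeholder")


def register(email: str, password: str, iterations: int = ITERATIONS) -> None:
    """Store only the hash; the site never needs the password again."""
    _users[email] = make_record(password, iterations)


def stored_record(email: str):
    return _users.get(email)


def login(email: str, password: str) -> bool:
    record = _users.get(email)
    if record is None:
        check_record(_DUMMY_RECORD, password)
        return False
    if not check_record(record, password):
        return False
    # Login is the only moment the site sees the plaintext, so it is the place to
    # re-hash records that were made with an older, lower iteration count.
    if int(record.split("$")[1]) < ITERATIONS:
        _users[email] = make_record(password)
    return True


def reset_password(email: str, new_password: str) -> bool:
    """'Forgot password': the old one cannot be recovered from the hash, so set a new one."""
    if email not in _users:
        return False
    _users[email] = make_record(new_password)
    return True
```

The record format carries the algorithm and iteration count with each hash, which is what lets the work factor be raised later without a mass reset: old records keep verifying, and are upgraded the next time their owner logs in.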

So, the effective use of passwords is a partnership. Users need to create good passwords and keep them safe, while internet companies need to store them safely and securely. It is my contention that, done properly, this will be enough.

Alternatives to the simple password
Before we go too far on the strengths and weaknesses of passwords, we should mention the alternatives.

Passwords are designed to provide user authentication – to prove that Joe Smith really is not just any Joe Smith, but the right Joe Smith. In security terms, authentication is often described by the number of factors it uses – with the implication and a degree of validity that the more factors used, the more secure the authentication. (Personally, I do not believe that is necessarily true.) ‘Factors’ in this sense are things you know (like a password), things you have (like a token), things you are (like a biometric), and so on. The two most commonly used additional factors today are soft tokens and biometrics.

Soft token 2FA
An example of the most commonly used two-factor user authentication is the separate token sent out-of-band to the user’s mobile phone. This is a one-off code. Now you could say that ‘the thing that is owned’ is the separate code, or the phone that it is received on. Either way, the user now requires something he knows (password) and something he owns (phone/token).

I have two problems with this. Firstly, whenever you introduce complexity into security, you also introduce weakness – the phone and the communication sending it can both be attacked separately. The second issue is that this complexity makes it harder to use – and users do not want any more difficulty. If 2FA is an option, most users opt to ignore it. That in itself is not an issue, because we’re back where we started. But the fact that there **is** a 2FA option can mean that users take less care, whether they opt for 2FA or not, simply because it is clear that the vendor is taking more care. There is a danger that 2FA can cause a false sense of security.

Biometric authentication
Biometrics is getting a lot of publicity. Governments use facial biometrics for surveillance and passports; law enforcement uses fingerprints for criminal recognition; and Apple uses finger scans for opening the new iPhone.

I have three concerns. Firstly, nearly all biometrics can be forged. It took researchers just days to break through Apple’s iPhone finger scan. Secondly, what do you do if your biometric is compromised? If your password is compromised, you create or request a new password. What do you do if your iris, or your voice, or your thumbprint is compromised? And thirdly, it’s that old false sense of security – people using biometrics tend to think they are more secure than they actually are.

My contention, which I shall try to demonstrate below, is that passwords – used correctly – are adequate on their own. All we have to do is use them correctly.

Creating secure passwords and keeping them safe
Criminals get into locked rooms by guessing the password key.

When Gawker was breached in 2010, researchers found that the ten most popular passwords were

  1. 123456
  2. password
  3. 12345678
  4. lifehack [LifeHacker is a Gawker publication]
  5. qwerty
  6. abc123
  7. 111111
  8. monkey
  9. consumer
  10. 12345

When LinkedIn was breached in 2012, researchers discovered that the ten most popular passwords were:

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football

How long do you think it would take to guess passwords like these?

Of course, if the passwords are all held in a single database without any form of electronic jumbling, then a password thief doesn’t need to guess anything because he’s got them written down in front of him. So the websites store the passwords ‘hashed’.

Now the criminals have to start guessing. To help this process, they use computers and specialized precomputed dictionaries called rainbow tables. In effect, a rainbow table is a long list of hash outputs together with the original input text that produced each one (strictly, it stores chains of hash-and-reduce steps rather than every pair, which is what lets it cover billions of candidates in manageable space, but the effect is the same: the hashing is done once, in advance, and reused against every stolen database).

Stolen password hashes are then simply compared to the rainbow tables. If the hash output is found, then the password is known – that is, the password has been cracked.

So when you consider a new password, you should also consider how they are cracked with rainbow tables. Any word that appears in a dictionary will be in the tables. Any number up to at least 999,999,999 will be in the tables. All conceivable combinations of letters up to a certain length, and all conceivable combination of letters and numbers up to a certain length, will appear in the tables. In short, if you use a password made up of any combination of letters and numbers up to, say, seven characters, and that password is stolen, you should consider it already cracked and available to the criminals.

This will include some of the commonly recommended methods for coming up with passwords – such as initial letters from quotations. “into the valley of death rode the six hundred” could provide ‘itvodrt600’. That looks like a strong password – but you should assume that it’s in a rainbow table somewhere.

The way to avoid rainbow tables is to use a very long password that mixes uppercase, lowercase, numbers, special characters and punctuation marks. The problem then becomes one of usability – passwords that are difficult to guess are even more difficult to remember.
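
Here, as an added example that is not part of the original article, is the attack described above run in Python against a constructed stolen database: first stored as unsalted SHA-1 (the LinkedIn case), then as salted, iterated PBKDF2-SHA256 (the scheme Trey Ford identified in the sample discussed in the eBay piece above). The wordlist, usernames and passwords are made up, and the ‘table’ is a plain digest-to-word dictionary, which captures what matters about a rainbow table here: all the hashing happens once, before the theft.

```python
import hashlib
import os

# Constructed attacker wordlist; real ones hold billions of entries, including
# the quotation-initials trick from the text.
WORDLIST = ["123456", "password", "12345678", "qwerty", "dragon", "baseball", "itvodrt600", "letmein"]

# Constructed stolen user database: username -> plaintext chosen by the user.
USERS = {"alice": "password", "bob": "dragon", "carol": "itvodrt600"}


def build_table(wordlist: list) -> dict:
    """One-time precomputation: digest -> word. Built before any database is stolen."""
    return {hashlib.sha1(word.encode()).hexdigest(): word for word in wordlist}


def unsalted_sha1_store(users: dict) -> dict:
    """How LinkedIn stored passwords in 2012: a bare SHA-1 of the password."""
    return {user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in users.items()}


def crack_with_table(store: dict, table: dict) -> dict:
    """Each stolen hash is a dictionary lookup: no hashing happens at attack time,
    and every user who chose the same password falls at once."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def pbkdf2_store(users: dict, iterations: int) -> dict:
    """Salted, iterated storage: user -> (salt, iterations, digest)."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return store


def crack_pbkdf2(store: dict, wordlist: list) -> tuple:
    """No table applies: the salt differs per user, so every guess is hashed afresh
    with that user's salt and iteration count.

    Returns (recovered, PBKDF2 runs performed, underlying hash iterations performed)."""
    recovered, runs, iterations_done = {}, 0, 0
    for user, (salt, iterations, digest) in store.items():
        for guess in wordlist:
            runs += 1
            iterations_done += iterations
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations) == digest:
                recovered[user] = guess
                break
    return recovered, runs, iterations_done


def compare(users: dict, wordlist: list, iterations: int) -> dict:
    """Attack the same users under both schemes and report the cost of each."""
    table = build_table(wordlist)
    fast = crack_with_table(unsalted_sha1_store(users), table)
    slow, runs, iterations_done = crack_pbkdf2(pbkdf2_store(users, iterations), wordlist)
    return {
        "sha1_recovered": fast,
        "sha1_hashes_at_attack_time": 0,
        "pbkdf2_recovered": slow,
        "pbkdf2_runs": runs,
        "pbkdf2_hash_iterations": iterations_done,
    }


if __name__ == "__main__":
    for key, value in compare(USERS, WORDLIST, 100_000).items():
        print(key, value)
```

Both schemes give up these three weak passwords, because they are in the wordlist; the difference is cost. Against unsalted SHA-1 the attacker pays nothing per stolen hash, and ‘itvodrt600’ is cracked as easily as ‘password’. Against salted PBKDF2 every guess for every user costs the full iteration count, which is what turns a 145-million-record dump from an afternoon’s work into something that takes, in Ford’s words, considerable time. A genuinely long random password stays out of the wordlist altogether and is recovered by neither.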

The best way to produce, store locally and safely, and use strong passwords is to use a reputable and recommended password manager. I’m not going to recommend any myself – you must research that on your own. But the one I use generates passwords for me such as

%wc;I’,;Gp*CfQr9FUFpZYm|

I consider that to be reasonably secure against most tables.

The responsibility of the website
The fact remains that if the vendor doesn’t keep passwords hashed, then it really doesn’t matter how complex I make them.

So if it is incumbent on me to generate strong passwords, then it is equally incumbent on the website to store them securely. That means hashing them.

Actually, it means more than that. It means using a strong hashing algorithm (not all are equally good); it means using a slow algorithm (some were designed for speed when computers were slow, with the unintended consequence of making cracking faster and therefore easier); and the hashes should be salted. Salting combines a random value, different for every user, with the password before it is hashed. The salt is stored alongside the hash and is not a secret; its job is to make precomputed rainbow tables useless and to force the attacker to crack each user’s hash separately, even where two users chose the same password. It does not make a weak password strong – that remains the user’s job.

This is standard best-practice. Unfortunately, too many websites do not conform to best practice. In the last few weeks we have heard:

  • Adobe did not hash its passwords; it encrypted them (better than nothing, but not as good as hashing). It also stored users’ password hints next to the encrypted passwords in plain text – making it, in some cases, obvious what the password was.
  • LoyaltyBuild stored users’ credit card numbers unencrypted and with the cards’ CVV numbers.
  • Cupid Media stored its users’ passwords in plaintext.

What is the point of coming up with a long, complicated, unguessable password if the website just hands it to the criminals on a plate?

Conclusions and recommendations
For password access to locked rooms to work, passwords need to be strong (from the user) and hashed and salted by the website. Clearly that frequently doesn’t happen; and that’s why we have rampant identity theft.

Since it doesn’t happen voluntarily, we need a new code of practice backed by regulation if necessary. Much of it will fall on the website; but that’s a small price to pay for a secure and trusted internet.

Firstly, websites should require a minimum strength password from their users – so strong, in fact, that it becomes easier to use a password manager than to try to make them up.

Secondly, users must learn not to reuse the same password on multiple sites. Security audits must confirm this as part of staff awareness training, and schoolchildren need it to be taught in schools.

Thirdly, websites must be required, by law if necessary, to make it clear how they protect their users. Inadequate password security could then be shunned by users and ridiculed by professionals.

With these three basic developments, password-protected access will do the job it was designed to do: locked rooms will stay locked, personal and private.

Categories: All, Security Issues

Targeted attacks: what they are, why they succeed, and how to stop them

February 17, 2013

Cyber attacks on the internet fall into two basic categories: random and targeted. Random attacks are by far the most prevalent, mainly because they are easy to do and can be largely automated. They don’t seek high value targets, they just seek a high volume of targets. Spam, scam and phishing campaigns are typical examples.

Targeted attacks are aimed at a specific person, or company, or organization. The targets are high value targets. “There are numerous motives,” explains David Emm, a senior security researcher at Kaspersky Lab. “These include theft of confidential data, cyber-espionage, political or social protest, and sabotage.” Cyberwarfare, an emotive term that is nevertheless accurate, is a clear example of targeted attacks: destructive malware like Stuxnet and Wiper should not cause collateral damage, but should affect only the prime target.

(Denial of service attacks against specific companies or services are an example of automated targeted attacks that are not part of this discussion.)

A targeted attack will usually involve one or more highly skilled cybercriminals. It will frequently, although not necessarily, be an advanced persistent threat attack, or APT. There are many definitions of ‘APT’, but it is essentially a targeted attack by a competent and determined adversary willing to take as long as necessary to achieve his purpose. It is very difficult to defend against an APT attack.

The initial breach
Key to any attack is the initial breach. A study by Trend Micro in November 2012 demonstrated that 91% of all APT attacks unfold from an initial successful email-based spear-phishing attack; and that 94% of those spear-phishing emails carried a malicious attachment. Clearly, the best way to combat a targeted APT attack is to understand and mitigate spear-phishing before the hackers get into the network.

Email spear-phishing is the use of personalised emails sent to an individual or small group of related individuals, engineered to persuade the recipient to open an attachment or click a link. It is part of what Trend Micro terms the ‘pre-infiltration’ phase of a targeted attack.

First the attacker researches, or profiles, the target. This is relatively simple: Facebook, LinkedIn, Twitter and a simple Google search – reinforced by the personal data scattered on the targets’ website – will combine to provide a detailed personal picture. From this the spear-phishing email is constructed. The content might be fashioned around an individual’s personal interests or a subject that will appeal to all of the target group (an internal salary review, perhaps), the source will be forged and malware disguised and attached. The hackers will have tested the malware against as many anti-virus products as possible, and selected something with the greatest chance of remaining undetected.

High profile APT breaches
The result is surprisingly successful, with Google and RSA among the highest profile victims. “In the attack against RSA,” explains Scott Gréaux, a vice president at the PhishMe company, “the spear-phishers sent two different phishing emails to a group of employees over the course of several days. The subject line read ‘2011 Recruitment Plan’. One person’s curiosity duped him into opening the message and…” the rest is history.

In May the Élysée Palace was breached, and in October it emerged that the South Carolina Department of Revenue had been breached with millions of social security details and hundreds of thousands of bank card details stolen. All of these victims were initially breached by targeted spear-phishing.

Evolution of the attack
Once a malicious attachment is clicked, malware will enter the system and the post-infiltration phase begins. It is likely to start with the installation of a remote administration trojan (commonly called a RAT) that will open a covert channel to the attacker. This allows the attacker to roam at will around the network – which he will do, but slowly and stealthily, gaining intelligence on the network infrastructure. He will learn what is stored where, and perhaps more importantly, how he can steal and exfiltrate information without being discovered.

During this process, the hacker will likely find the keys to the front door – legitimate log-on credentials. “As detailed by a report on the South Carolina hack,” explained Amichai Shulman, co-founder and CTO at Imperva, “the attackers grabbed remote access credentials to obtain a simple, standard channel of access into the organization. Using standard tools they explored the inside of the network looking for sensitive data and sent it out using standard file sharing services.” The longer the attackers can remain undetected, the more data they can steal.

Defending against targeted attacks
But all of this raises one major question: how can companies defend themselves against targeted attacks? It might appear as if traditional security is failing, but remember that we only hear about the few that get through, not the unknown number that are stopped. It’s not that companies need different security; they need additional security tailored to these new threats. One emerging technology is anomaly detection from big data analysis. The theory is that all of the organization’s data is monitored on a continuous basis. From this, a baseline of ‘normal’ activity is developed and anything subsequently anomalous to that baseline is highlighted – it could be the activity of an intruder.
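As an added example (not the post’s own code, nor any vendor’s product) of the baseline idea above, applied to the exfiltration over file-sharing services described earlier: a per-user baseline of daily outbound bytes is built from the first days of constructed log lines, and a later day far above it is flagged. The log format, users, dates and sizes are all constructed for this example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log (not from the post): one line per outbound file-share
# transfer, with date, user and byte count.  Users, dates and sizes are made up.
SAMPLE_LOG = """\
2013-02-04 user=alice bytes=180000
2013-02-05 user=alice bytes=210000
2013-02-06 user=alice bytes=195000
2013-02-07 user=alice bytes=205000
2013-02-08 user=alice bytes=190000
2013-02-11 user=alice bytes=2200000
2013-02-11 user=alice bytes=2000000
2013-02-04 user=bob bytes=50000
2013-02-05 user=bob bytes=52000
2013-02-06 user=bob bytes=48000
2013-02-07 user=bob bytes=51000
2013-02-08 user=bob bytes=49000
2013-02-11 user=bob bytes=53000
this line is malformed and must not crash the detector
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) bytes=(\d+)$")

def daily_totals(log):
    """user -> {date -> bytes sent out that day}, summing several transfers."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped, not fatal
            date, user, nbytes = m.groups()
            totals[user][date] += int(nbytes)
    return totals

def flag_anomalies(totals, baseline_days=5, k=3.0):
    """Per user: the first `baseline_days` days define 'normal' (mean and spread);
    any later day above mean + k*spread is returned as (user, date, bytes)."""
    flagged = []
    for user, days in totals.items():
        ordered = sorted(days.items())  # ISO dates sort chronologically
        base = [b for _, b in ordered[:baseline_days]]
        if len(base) < 2:
            continue  # not enough history to call anything normal
        mean = statistics.mean(base)
        spread = max(statistics.pstdev(base), 0.1 * mean)  # floor: flat baseline must not flag jitter
        for date, nbytes in ordered[baseline_days:]:
            if nbytes > mean + k * spread:
                flagged.append((user, date, nbytes))
    return flagged
```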

The fact remains, however, that prevention is always better than cure. With 91% of such attacks starting from a spear-phishing email, defence against spear-phishing has to be a priority. While there are security products that will help, the bottom line here is user education. “Organizations must pay attention to the human factor in security,” says Kaspersky’s Emm. “Users need to learn how to recognize phishing, and to stop over-sharing personal information online.” Above all, he says, “It’s important to remember that security is not unlike housework – it’s only meaningful if you repeat the process at regular intervals.”

See also:
Security awareness is taught, not bought
Spear-phishing is the single biggest threat to cyber security today
A new security paradigm for the zero-day advanced persistent threat

Categories: All, Security Issues

Did my plan to beat the recession work?

January 5, 2013

On 15 December I shamelessly asked people to retweet a post: Re-Tweet this post – it’s part of my plan to beat the recession. The underlying purpose was to see if I could manipulate my social Klout score and qualify for a business loan. I couldn’t.

The post got 15 tweets, 3 LinkedIn shares, 2 G+ shares and 5 Facebook likes – and I thank everyone who responded.

Sharing the post…

During this period my Klout score rose to its highest ever: 49 – possibly enough to get me an interview for a job as a janitor in a business under administration; but not enough to fool the money men.

Highest score ever!

Since that time the score has resumed its downward trend, suggesting my natural social score is around 45 (much better than when I opened my Klout account with a score of 30 – at which time Thomas Power of the ecademy social/business network accurately described me as a ‘social muppet’). (Incidentally, ecademy was bought by Lyndon Wood last July and is now, even as I write this, morphing into SunZu – The Art of Business.)

69% of my Klout score comes from my engagement with Twitter. Less than 2% comes from Google+, and the rest from LinkedIn. Nothing comes from Facebook because I do nothing with Facebook.

Source of my social standing

So what can I conclude from this experiment? Well, the simple fact is that my score increased by about two points. The implication, then, is that if I were a more naturally social animal, cultivated Facebook and other networks and told everyone what I had for breakfast despite being hung over from last night’s debauchery (which I would have interrupted every two minutes to explain what base I had reached), then I could rapidly become a better business bet. But I would have to maintain this engagement over an extended, possibly continuous, period. Or, as Mary Branscombe said when she kindly commented on the original request:

Tweet from Mary Branscombe

What a strange world, this world of ours.

Categories: All

Anonymous and the ‘threat’ against Akamai and Josh Corman

October 11, 2012

TechWeekEurope published an article yesterday about a panel discussion on Anonymous at RSA 2012. Although the discussion seems to have included some very rational comments from a number of panelists, the article unsurprisingly headlined on some of the more extreme views voiced by Josh Corman – suggesting for example that within the collective “the common attribute is angst.”

Anonymous was not amused. They gave me an ‘official’ (if anything within Anonymous can be official) response, which I used in an article in Infosecurity Magazine here. One thing I left out was the last two sentences: “Anonymous is forever mutating, like a virus responding to its host’s new defences. Today’s mutation will be based on finding out about Josh Corman and the real motivation behind his article, was it just to raise PR for his firm, is it linked to a gov contract etc.”

There is a threat here that I didn’t want to include in a news story.

Anonymous subsequently published the full source of its statement here; so the threat was revealed anyway. It seems that it is being taken seriously. An online chat between Tom Brewster of TechWeekEurope and ATeamAnon went thus:

[The log has been withdrawn at the request of one of the participants. It showed a conversation between the author of the TechWeekEurope article and Anonymous. The journalist was attempting to stop any issue between Anonymous and Josh Corman from escalating. Anonymous indicated that feelings were strong and growing. Updated 08:40, 12 October 2012]

What we don’t know is whether this angst/rage will focus into a coordinated action against Akamai, or whether it will evolve into disjointed small-scale anger from individual groups. That’s why I didn’t report it. But time will tell.

Categories: All, Politics, Security Issues