The Era of Cyber-crime – Don’t Fall Victim

There has been an increase in cyber-attacks on high profile companies recently – JP Morgan Chase, Target and Home Depot as well as breaches in online services such as iCloud, Dropbox and Snapchat.

A cyber-attack is any offensive action, carried out by an individual or an entire organisation, that targets computer information systems.

With each new attack it becomes clearer that no company is immune and that preparation is key to mitigating the risk. That preparation must start with a commitment at the very top of the company: with a top-down approach and directors who are actively engaged, companies stand a greater chance of protecting their shareholders’ interests in cyberspace.

The companies that are most often targeted are financial institutions, healthcare organisations, major retailers and online/cloud storage services.

The most recent attacks used methods that are:

  • Sophisticated – exploiting weak points, planting backdoors for remote control and using advanced malware.
  • Social – targeting specific people with social engineering, then stealing and using their valid credentials.
  • Stealthy – carried out as a series of low-profile moves that standard security tooling does not flag, or that are buried among the thousands of log events collected daily.


Worst passwords you can use

Reports recently surfaced that roughly 6.5 million LinkedIn password hashes had been stolen. LinkedIn confirmed that some of its members’ passwords were compromised and asked the affected members to change them.

The news emerged after a file containing about 6.5 million unique hashed passwords was posted on an online forum. The hashes were unsalted SHA-1, so every member who chose the same password had the same hash, and one guess could be checked against the whole file at once.

According to reports, around 200,000 of these hashes had already been cracked, meaning the attackers held the plaintext passwords and could use them to log in to those members’ accounts.

A site called LeakedIn.org was set up where users could check whether their LinkedIn password was among the compromised ones. The service computes the SHA-1 hash of the password you enter and looks it up in the leaked hash list, reporting whether your hash was present (and whether it had already been cracked). Before typing a password you still use into any such checker, confirm that it hashes the value locally in your browser rather than sending the plaintext to a server; if in doubt, change the password first and check the old one.

One of the negative effects of the LinkedIn security breach, explains web expert Chris Shiflett, is that the growing list of hundreds of thousands of cracked passwords will be used to seed rainbow tables that can be used to crack future password leaks in SHA-1 hash format.

A SHA-1 hash cannot be reversed, but a candidate password can be hashed and compared against the list in microseconds. An attacker who holds the hash file therefore does not need to reverse anything: every dictionary word, every previously cracked password and every short string is hashed and looked up, and each hit is a plaintext that opens an account. That is why choosing a strong password matters.

Your password must be one that no such guess will reach: absent from any leaked password list or dictionary, and long enough that brute force is impractical.

A good starting point is to make sure it is not among the most used (and hence worst) passwords.

SplashData, a provider of password management applications, provided a list of the “25 Worst Passwords of 2011”.

  • password
  • 123456
  • 12345678
  • qwerty
  • abc123
  • monkey
  • 1234567
  • letmein
  • trustno1
  • dragon
  • baseball
  • 111111
  • iloveyou
  • master
  • sunshine
  • ashley
  • bailey
  • passw0rd
  • shadow
  • 123123
  • 654321
  • superman
  • qazwsx
  • michael
  • football
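The guessing attack described above, run against a constructed hash file built from the 25 passwords just listed plus one passphrase. This is an added example, not code from the page or from any LinkedIn tooling: the "leaked" hashes are generated here from the list (they are not real LinkedIn hashes), the attacker's wordlist is that same public list, and the salted PBKDF2 comparison at the end is the editor's illustration of what a site should store instead of unsalted SHA-1.

```python
"""Added example: why an unsalted SHA-1 hash list falls to dictionary guessing.

Constructed data only. The hashes are generated here from the worst-25 list
on this page plus one passphrase; nothing is taken from the real leak.
"""
import hashlib
import os

# The SplashData "25 Worst Passwords of 2011" as listed on this page.
WORST_25 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "1234567", "letmein", "trustno1", "dragon", "baseball", "111111",
    "iloveyou", "master", "sunshine", "ashley", "bailey", "passw0rd",
    "shadow", "123123", "654321", "superman", "qazwsx", "michael",
    "football",
]

# A passphrase in the style SplashData recommends further down the page.
PASSPHRASE = "eat cake at 8!"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password: the format the leaked file used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_leaked_file(passwords):
    """Constructed stand-in for the leaked file: one unsalted hash per account."""
    return [sha1_hex(p) for p in passwords]


def crack_unsalted(leaked_hashes, wordlist):
    """Dictionary attack: hash each guess once and look it up in the leak.

    One SHA-1 per guess covers every account in the file, because identical
    passwords produce identical unsalted hashes. Returns {hash: plaintext}.
    """
    targets = set(leaked_hashes)
    return {sha1_hex(g): g for g in wordlist if sha1_hex(g) in targets}


def leakedin_style_check(password, leaked_hashes):
    """What a "was my password leaked?" service does: hash, then a membership test."""
    return sha1_hex(password) in set(leaked_hashes)


def salted_slow_hash(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a per-user salt (editor's illustration of a sane store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def demo():
    # Constructed "user base": 25 accounts with the worst passwords, one with a passphrase.
    leaked = build_leaked_file(WORST_25 + [PASSPHRASE])

    # Attacker's wordlist is the public worst-25 list: every weak account falls,
    # the passphrase survives because it appears in no such list.
    cracked = crack_unsalted(leaked, WORST_25)

    # Same password, two users, each with a random salt: the stored values differ,
    # so a precomputed table (or one cracked account) says nothing about the other.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    salted_differs = salted_slow_hash("password", salt_a) != salted_slow_hash("password", salt_b)

    return {
        "accounts": len(leaked),
        "cracked": len(cracked),
        "passphrase_cracked": sha1_hex(PASSPHRASE) in cracked,
        "check_hit_for_password": leakedin_style_check("password", leaked),
        "check_hit_for_unlisted": leakedin_style_check("not in the constructed leak", leaked),
        "salted_same_password_differs": salted_differs,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted run needs only 25 SHA-1 computations to recover 25 of the 26 constructed accounts; the same wordlist against the salted PBKDF2 store would have to be re-run per account, 200,000 iterations per guess, which is the cost difference the passage is pointing at.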

SplashData offers these tips for making passwords more secure:

Use passwords of eight characters or more with mixed types of characters. One way to create longer, more secure passwords that are still easy to remember is to join short words with spaces or other separating characters, for example “eat cake at 8!” or “car_park_city?”.

Avoid using the same username/password combination on multiple websites. Reusing the password from an entertainment site for e-mail, social networking or financial services is especially risky: whoever compromises the weakest site can try the same credentials everywhere else. Use a different password for each new website or service you sign up for.

Having trouble remembering all those different passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites.

The Digital Dangers of LinkedIn

While South Africans are obsessed with physical safety, the hacking of LinkedIn has shown how oblivious we are to cyber crime, writes Thalia Randall.

Wednesday saw a major victory for the online hacking community: six million encrypted passwords were successfully “stolen” from LinkedIn and published on a Russian website, along with an open invitation for hackers to decrypt the data.

The experience left many of South Africa’s 1.6 million LinkedIn users scurrying for virtual “cover”, as they changed their passwords to pre-empt a personal security breach.

According to Panda Security country manager Jeremy Matthews, it also highlighted something about South African internet users: a naive “carelessness” about our security measures online.

“As South Africans, we’re very conscious of physical security and traditional crime. But [what we don’t realise] is that there is as much danger in the online world as there is in the physical one,” he said.

National oblivion, he stated, happens because South Africans are not “conscious” of our “shift from the physical to the digital”.

This leads to a naivete that makes us more vulnerable to virtual attack, he said.

The weakest link

And public vulnerability is a hacker’s biggest opportunity.

Illustrative of this is the second wave of online-intruder-opportunism that saw hundreds complaining on Twitter on Thursday. Fake emails bearing the LinkedIn logo invited users to enter their new password after clicking on a link.

Unaware that LinkedIn’s Vicente Silveira has indicated that “there will not be any links” in the authentic directive email from the company, many users unwittingly provided their new passwords to further would-be invaders.

But according to Matthews, the problems stemming from this “would not have been so bad if people had better passwords”.

“People need to learn the necessity of password management. Digital security is part technology, part management,” he said.

Robert Fall, a web application developer in Cape Town, explained the knock-on effect of poor password management.

“If someone has used the same password on another account, the intruder would now be able to gain access to both,” he said.

“People may say ‘if someone gets access to this silly little blog, I don’t really care’. But what they don’t realise is that if someone accesses that blog, then they know your email address, and then they could re-set the password to your internet banking,” added one of Fall’s colleagues.

“Basically everything you have online is linked to your email address. Once hackers have access to that, your entire online personality is at risk.”

How to up our virtual ante

According to Fall, one way to avoid becoming an easy target is to use a “strong” password.

Strong passwords contain a combination of letters and digits, and are not related to anything personal about the user.

“If you posted the name of your dog on Facebook, and also put it as a password question on Gmail, you are at risk,” he said, explaining how easy it is to unwittingly link a password with personal details that are publicly available.

Another way, he said, is to have separate passwords for each account – thus limiting the damage to only one account if a hacker ever did invade.

For Matthews, the public must realise that “just because you have an anti-virus or a firewall installed, it doesn’t mean you are safe. What we need is human firewalls!” he said. Part of Matthews’ suggested “human fire-walling” is making sure that users do not share passwords or discuss sensitive information within earshot of others.

In spite of his belief that people are far more aware of security risks today than they were a year ago, Matthews said “we [still] need to up our game, both at a corporate level and a personal level.”

“As a South African, I might have electric fencing and security beams – and that’s all well and good – but I still need to be careful who I answer the door to,” he said.

(Source: Mail & Guardian)

VIEWPOINT: Social networking, passwords and privacy

By Luis Corrons, Director of PandaLabs

We have been warning for a long time about the issue of adding our personal information to any social network. I use them myself (Facebook, LinkedIn, etc.) and I’m surprised at the amount of personal information that my contacts have there, even more surprised given that more than 90% of my contacts work in security-related companies – yes, that means that my social life sucks, I know 😉

Social networks are also a good communication tool; just a few days ago we saw how the Queenstown police arrested a man thanks to Facebook. But things are not black or white, and when mankind is involved you can also see the dark side. In September 2008 there were news reports about terrorists using Facebook to kidnap Israeli soldiers.

But we don’t need to go that far. There is another major issue: people are lazy. We don’t want complex passwords that we can’t remember, nor a different password for each application, so people just choose an easy-to-remember password, or create passwords from some of their own personal information: their birthday, wife’s or husband’s name, hometown, etc. Last week four people were arrested for blackmailing the Spanish singer David Bisbal. Basically they had got into his mail account and used the information stored there. The head of the gang, a psychologist, was able to figure out his password after studying all the personal information about the singer that could be obtained from the Internet.

We do not usually have that kind of information about ourselves available to our friends, but we have it on Facebook and similar networks. It is only visible to our friends (we should redefine the word “friend” in a social-network environment, but I won’t talk about that here). I have not tried (and won’t) to figure out my friends’ passwords, but I could do it and I’m sure it would work in many cases. And what happens if one of our friends’ accounts gets hacked is that whoever did it will have access to all of his friends’ info… scary, at least.

So please, just follow some basic recommendations:

• Use common sense.
• Restrict viewing of your details to trusted persons.
• Don’t publish your full birth date.
• Don’t reveal your e-mail, phone number or postal address.
• Ignore unsolicited requests to be friends or group membership from unknown people.
• Use different passwords, and change them periodically.

Finally, you can take a look at this list of the Top 500 worst passwords of all time, taken from the book Perfect Passwords (Mark Burnett, 2005). I miss some passwords in this list, such as “guest”, “admin” or “backup”, but it is useful for knowing which ones you shouldn’t choose.