Archive for the ‘Human Factor’ Category

123 Out Goes… Your Password

Friday, January 22nd, 2010

About a month ago, a SQL Injection flaw was found in the database of RockYou.com, a website dealing with social networking applications. The Tech Herald reports that 32.6 million passwords were exposed and posted online due to the flaw. The complete examination of the passwords from the list showed that the passwords in question are not only short as RockYou.com allows creating 5-character-passwords but also alphanumeric only.

A half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456”, followed by “12345”, “123456789”, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567”, “12345678”, and “abc123″ to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time some websites block special characters and do not allow users to choose them for passwords making user accounts vulnerable to malicious attacks.

As a part of problem solution, the Tech Herald sees sites enforcing users a hard rule of character length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.

Related articles and publications:

A list of passwords used by the Conficker Worm Daniel V. Klein, ”Foiling the Cracker”: A Survey of, and Improvements to, Password Security,” 1990.

Password masking: myths and truths

Tuesday, July 7th, 2009

Password masking: myths and truthsEver heard of password masking problem? To be honest, I have not – until I’ve read the Stop Password Masking article by Jakob Nielsen (somewhere referred to as "usability guru"), followed by a lot of other publications, blog posts and comments (see ‘em all); so-called security guru Bruce Schneier wrote even two essays on that. 

Well, that reminded me of a very funny stupid CAPSoff Campaign

In brief, here is the "problem": for years (I think starting from Windows 3.0 released almost 20 years ago), the passwords are being masked as you type them (in most programs what have any kind of password protection, and an operating system itself), i.e. replaced with asterisks or black circles. What for? To prevent the password from being read by someone who stands behind you.

(more…)

Home and Corporate Wireless Security

Monday, June 8th, 2009

Securing home Wi-Fi remains uncertain when it comes to law. Some urge users are not liable when they use default security settings and it is manufacturer who is guilty when/if wireless network was ‘successfully’ abused. Others put whole responsibility on users. This is practically a question to law and usually its resolution depends on lawyers’ skills to gather and manipulate the details. Your security encompasses not only security against the law when you happen to fall a victim to an intruder, but also protection against that very intruder. In the long run, it’s up to you whether to endeavor to prove your innocence or take measures to build a reliable fence.

If we turn to corporate wireless security, this fence is a must, as it is public data and corporate confidential information that are at risk. Unfortunately, AirTight study shows that 57% of surveyed companies from 6 US districts and London still have to sort out their priorities in terms of data security. In my opinion, if protecting home wireless network can be a dark horse requiring scrupulous examination, nonexistence of corporate wireless security should have relevant decision in court.

Surely, I couldn’t leave this message without mentioning our newest product for Wireless Security Audit, so if you care and use passwords for Wi-Fi protection, use this tool regularly not to allow strangers to poke their nose into your network.

Password Usage Behavior Survey Announced

Wednesday, June 3rd, 2009

ElcomSoft is launching a survey intended to collect more information on how people handle their passwords, which remain a major way for user authentication. Whether you are ElcomSoft customer or haven’t seriously thought about password security, we hope you will answer our questions.

The questionnaire is well designed and if you have no time you can simply tick the matching answers which are prepared for your convenience. If you have a special experience to share or lots of thoughts on passwords, please take a while and use empty spaces provided for your own answers.

The survey is set to run for several weeks in order to cover more people, for we understand that summer is the best season for vacations. After the survey is completed and results calculated, we will release a full report with facts and figures. We tried to put sensible questions in the belief that results’ analysis will help us find out which questions should be better and more deeply highlighted in our articles, whitepapers, as well as in our blog.

This is the first our empirical research and we hope you will find it interesting and enjoyable. You definitely have your own opinion on passwords, and as you understand this survey is a perfect way for you to share that opinion. So what do you think? Be frank and open, take the questionnaire, and help us let others know about it.

 

Officers of Indian Customs To Be Punished For Password Breach

Wednesday, June 3rd, 2009

The Central Board of Excise and Customs of India claimed that compromised passwords are the biggest threat to system security. Despite elaborate instructions on passwords, which all employees are supposed to follow, “instances of password compromise continue to recur with unfailing regularity”, an unnamed official says.

Sharing of passwords was identified as one of the main reasons of unauthorized access and information leakage. According to CBEC representative, officers who share their passwords with others should “be regarded as being in collusion in the fraud that results”. To prevent insecure use of passwords CBEC plans to introduce a set of measures, including disciplinary action and even dismissal from the Government service.   

Penalty threat may not be the most effective solution. In case of password breach, complex countermeasures are required, and regular password audit is a significant part of it. If it is required that users change their passwords every 30 days, then system administrators have to perform password audits with the same regularity. There is a lot of both free and commercial auditing tools that allow to check password security.

Source: Business Line

Using Passwords Online

Monday, June 1st, 2009

 Today’s technologies allow staying online practically 24 hrs a day, periodically falling into a sleeping mode. The Internet became easily accessible and numerous devices can connect us to the web from everywhere, and every time when we surf the web we are being registered, at least via IP address of our devices. 

I bet it was more than once that you had to fill out a sort of name-company-position-email-telephone-whatever form when registering or subscribing to something. Do you think about preserving privacy of your information when leaving such data on someone’s website? (more…)

Adobe PDF security

Friday, May 22nd, 2009

Wow, Adobe rethinks PDF security. Curious why? Because of vulnerabilities in Abobe Reader (and so zero-day exploits), of course. From the article:

According to Finnish security company F-Secure, patching 48.9% of all targeted attacks conducted this year involved a malicious PDF file attached to a legitimate-looking e-mail, a huge change from 2008, when PDFs made up just 28.6% of targeted attacks.

But security model of PDF encryption/protection is not going to change, [un]fortunately. (more…)

Secret Questions Are Vulnerable To Guessing Attacks, Study Says

Wednesday, May 20th, 2009

Although it is widely known that authentication via ‘secret’ questions is not secure, now we finally have statistical evidence to prove it. Microsoft Research and Carnegie Mellon University have conducted a study that measures how guessable answers to ‘secret’ questions are. The researchers looked at the questions used by AOL, Google, Microsoft, and Yahoo! in order to authenticate users who need to reset their forgotten passwords. The ability of users to memorize their answers was also questioned. (more…)

Too much security won’t spoil the router, will it make it better?

Monday, May 18th, 2009

A number of D-link routers are now equipped with captcha feature. Sounds interesting. 

Chief technology officer in D-link says: "We are excited to be the first in the market to implement captcha into our routers, providing yet another layer of security to our customers".

No doubt, captcha is a wonderful spam filter for mails and a reliable obstacle to unauthorized access in the web, but is it as good for routers as for the web? (more…)

Week of Scams

Friday, May 15th, 2009

This week has witnessed several scams involving social sites. On Tuesday Twitter users posted answers to their online security questions for everyone to see. On Wednesday Twitter account of the New York Times was hacked, and on Thursday we witnessed a phishing attack on Facebook. (more…)