August 29, 2014

Cambridge University Study Says That Multi Word Passphrases Not As Secure As You Might Think

(LiveHacking.Com) – It is conventional wisdom that the more complex a password is then the harder it is for hackers to crack. This had led online users to start using multi-word passphrases (rather than single-word passwords) for account authentication. Multi-word passphrases are easier to remember than completely random password strings and have the supposed added advantage that they are just as secure. However research from the Computer Laboratory at the University of Cambridge suggests that this might not be the case. Although mult-word passphrases could be as secure as random password strings, it is important to evaluate actual user choices for password not theoretical passphrase possibilities.

The research paper, by Joseph Bonneau and Ekaterina Shutova, studied data taken from the now-defunct Amazon PayPhrase system (which was only availbale in the US) to learn how people choose passphrases in general. The pair then set about trying to guess the passphrases using a dictionary attack based on movie titles, sports team names, and other types of proper nouns taken from Wikipedia. Using this method the researchers cracked about 8,000 phrases.

Apply some clever mathematics and the results shows that passphrases provide the equivalent of 20 bit security against an attacker trying to compromise 1% of available accounts. Normal passwords provide under 10 bits when using the same maths, so clearly passphrases are better, but not enough to make online dictionary attacks impractical unless proper rate-limiting is used by the online service.

Some clear trends emerged—people strongly prefer phrases which are either a single modified noun (“operation room”) or a single modified verb (“send immediately”). These phrases are perhaps easier to remember than phrases which include a verb and a noun and are therefore closer to a complete sentence. Within these categories, users don’t stray too far from choosing two-word phrases the way they’re actually produced in natural language. That is, phrases like “young man” which come up often in speech are proportionately more likely to be chosen than rare phrases like “young table.”

20 Percent of Fortune 100 Companies Were Hit by the RSA Attackers

(LiveHacking.Com) - Brian Krebs, who was until just a couple of years ago a reported for The Washington Post, has revealed that over 760 other companies have been hit by the same attackers which targeted RSA earlier this year.

In his blog post, Brian says that “more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.”

Brian does, however, give some caveats:

  1. Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit.
  2. It is not clear how many systems in each of these companies or networks were compromised.
  3. Some of these organizations (there are several antivirus firms mentioned  below) may be represented because they  intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.
The most interesting name on the list include:
  • The Alabama Supercomputer Network
  • Cisco Systems
  • eBay
  • The European Space Agency
  • Facebook,
  • Google
  • IBM
  • Intel Corp
  • the Internal Revenue Service (IRS)
  • MIT
  • Motorola Inc.
  • Northrop Grumman
  • Novell
  • PriceWaterhouseCoopers
  • Research in Motion (RIM) Ltd.
  • Seagate Technology
  • VMWare

Missing Dots in Email Addresses Allows Security Researchers to Catch 120,000 Messages

(LiveHacking.Com) - Security researchers have captured thousands of emails by buying domains for commonly mistyped email addresses. Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages. These emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

According to researchers Peter Kim and Garret Gee of the Godai Group around 30% of the top 500 companies in the US were vulnerable to this data leak.

The problem arises because of the way some organisations set up their email systems. Most companies use a single domain for all email, but some use subdomains. So rather than just user@bank.com the company has set up us.bank.com for its USA employees and uk.bank.com for its UK employees and so on.

By buying domains like usbank.com and ukbank.com the researchers where able to catch emails addressed to user@us.bank.com but due to a typing error were sent to user@usbank.com (without the dot after ‘us’).

Rather than getting an email back reporting the mistyped address, the email in fact went to the researchers. From there the email was forwarded to the correct address but with a bogus reply address so that the researchers could capture all the replies as well. This is what is known as a man-in-the-middle attack, or more specifically for email a man-in-the-mailbox attack.

Writing on the blog of security firm Sophos, Mark Stockley said: “It’s striking that the researchers managed to capture so much information by focusing on just one common mistake. A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos.”

Cybercrime Bigger Than Global Black Market in Marijuana, Cocaine and Heroin combined

(LiveHacking.Com) - The new Norton Cybercrime Report has put the cost of cyber crime to the world’s economy at $388bn annually, a figure that is greater than the combined global market for marijuana, cocaine and heroin ($288bn). Another startling statistic is that cybercrime costs are more than 100 times the annual expenditure of UNICEF ($3.65 billion).

The report, which was compiled using data from 24 countries, says that 431m adults experienced cybercrime in the last year. That is more than a million victims every day or 14 adults every second.

In terms of viruses and malware, the report notes that:

  • 4 in 10 adults surveyed do not have an up-to-date security software suite to protect their personal information online
  • 54% of online adults have experienced viruses or malware on their computers
  • 6 in 10 users of free AV software reported viruses and malware attacks
With regards to protection against viruses and malware, the report says that inadequate security software exposes people unnecessarily to the dangers of computer viruses and malware. With many failing to do the single easiest thing to prevent cyberattacks – i.e. install a full security suite – adults globally are going online, for considerable amounts of time, unprotected against the most common types of cybercrime.
And it is this last part which possibly reveals the true nature of the report. Although I don’t doubt the facts and figures, highlighting things like “6 in 10 users of free AV software reported viruses and malware attacks” and that the “single easiest thing to prevent cyberattacks” is to “install a full security suite” reminds us that this report is published by Norton/Symantec who want to sell you their security software.

The Return of Master Boot Record (MBR) Malware

(LiveHacking.Com) - According to the August 2011 Symantec Intelligence Report, Master Boot Record (MBR) malware is making a comeback. The report, which combines research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report, reveals that there were as many new boot time malware (MBR) threats in the first seven months of 2011 as there were in the previous three years.

The master boot record (MBR) is the first sector of a hard drive that is used by a PC to hold the partition table and to bootstrap its operating system. The contents of the MBR are read and executed by the BIOS during bootup before the operating system itself is loaded.

“MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair usually executed by highly skilled individuals,” said Paul Wood, senior intelligence analyst, Symantec.cloud.

Other highlights of the report include:

Pump and dump: Spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit.

Spam: In August 2011, the global ratio of spam in email traffic declined to 75.9 percent (1 in 1.32 emails); a decrease of 1.9 percentage points when compared with July 2011.

Phishing: In August, phishing email activity increased by 0.01 percentage points since July 2011; one in 319.3 emails (0.313 percent) comprised some form of phishing attack.

E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 203.3 emails (0.49 percent) in August, an increase of 0.14 percentage points since July 2011.

Web-based Malware Threats: In August, Symantec Intelligence identified an average of 3,441 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; a decrease of 49.4 percent since July 2011.

Endpoint Threats: The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 15.8 percent of all malicious software blocked by endpoint protection technology in August.

You can also get more information by reading the SlideShare Presentation: August 2011 Symantec Intelligence Report

 

 

Theoretical Weaknesses in AES Discovered

(LiveHacking.Com) - The Advanced Encryption Standard (AES) encryption algorithm used by the U.S. government has been the subject of much research since it was adopted in 2001. The latest research by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger has discovered a way to reduce the number of keys needed to perform a brute force attack by more than a factor of 3.

The research has shown that by using a method of attack known as Biclique Cryptanalysis the effective key lengths of 128, 192 and 256 bits are reduced to 126, 190 and 254 bits. According to the authors, as this attack is of high computational complexity, it does not threaten the practical use of AES in any way.

To break a cipher by brute force requires that every key combination is tested to see if it successfully unlocks the encrypted data. For a 128 bit key this means that there are 2128 possible keys. If a computer could test 1,000,000,000 keys per second it would take 10,000,000 quadrillion years to break the code.

The new attack against AES reduces a 128 bit key to effectively a 126 bit key. This means the same data could now be decrypted in just 2,690,000 quadrillion years!

Even if the key could be reduced to just 264 key possibilities it would still take about 500 years to decipher the data.

However, in 2002 a distributed network of some 300,000 computers all over the world, known as distributed.net, was able to find a 64-bit RC5 key using brute force attack in just under 5 years.

It was estimated that this network of computers had a throughput of over 30 teraFLOPS (30,000,000,000,000). This was in the age of single core 1.3Ghz Pentium 4 CPUs and limited access to GPUs for deciphering.

A modern super-computer can compute at 2 petaFLOPS. Although this is a measure of its raw computing power, for illustration we can imagine that it can test keys at 2 petaFLOPS (which it can’t). That means it could break a 128 bit key in 5 quadrillion years. Or a 126 key in only one quadrillion years. However, such a computer can break a 64 bit key in just 2.5 hours.

To quote the U.S. National Security Agency, “Attacks always get better; they never get worse.”

What this new research means is that it is possible to reduce the effectiveness of AES. Further research will most likely yield other weaknesses. If the keys can be reduced even further then the time needed to break them will also reduce.

Adobe Flash Player Responsible for 7 of Top 10 Vulnerabilities

(LiveHacking.Com) - Kaspersky Lab has published its malware report for the second quarter of 2011 and it has found that seven of the current top ten vulnerabilities are in Adobe Flash Player and the other three in Java. This means that for the first time Microsoft products have disappeared from this list. Kaspersky put this down to “improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.”

According to the report, navigating the web remains the riskiest activity on the Internet, with malicious URLs that serve exploit kits, bots, ransomware Trojans, etc. being the most frequently detected objects online.

In terms of geography, every second computer in India was at risk of local infection at least once in the past three months.

“Over the last few years, India has been growing steadily more attractive to cybercriminals as the number of computers in the country increases steadily. Other factors that attract the cybercriminals include a low overall level of computer literacy and the prevalence of pirated software that is never updated,” explains Yury Namestnikov, Senior Virus Analyst at Kaspersky Lab. “Botnet controllers see India as a place with millions of unprotected and un-patched computers which can remain active on zombie networks for extended periods of time.”

Whereas the five safest countries in terms of the level of local infections are: Japan, Germany, Denmark, Luxembourg and Switzerland.

The report also warns users about fake antivirus programs. During the second quarter of 2011, the number of fake antivirus programs detected globally by Kaspersky Lab began to increase: the number of users whose computers blocked attempts to install counterfeit software increased 300 per cent in just three months.

Windows XP is Petri Dish For Rootkit Infections

(LiveHacking.Com) – A six month study, by the AVAST Virus Lab, has found that 74% of rootkit infections originated from Windows XP machines, compared to 17% for Vista and only 12% from Windows 7 machines.

Window XP is the most common PC operating system with around 49% of avast! antivirus users running it compared to the 38% with Windows 7 and the 13% with Vista.

And the problem seems to be that there are a large number of pirate copies of XP which don’t run automatic updates as they can’t be validated by the Windows Genuine Advantage validation process. This leaves the out-of-date and upatched OS open to all kinds of attack, even old ones long patch by Microsoft.

“Because of the way they attack – and stay concealed – deep in the operation system, rootkits are a perfect weapon for stealing private data” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher.

Cybercriminals are continuing to fine-tune their attack strategy with the Master Boot Record (MBR) remaining their favorite target for even the newest TDL4 rootkit variants.
The study found that rootkits infecting via the MBR were responsible for over 62% all rootkit infections. Driver infections made up only 27% of the total. The clear leader in rootkit infection were the Alureon(TDL4/TDL3) family, responsible for 74% of infections.

Experts from AVAST Software will be attending the upcoming Blackhat events in Las Vegas on August 3-7, 2011.

US Government Warns (Again) that Stuxnet Variants Could Target Critical US Systems

(LiveHacking.Com) – It was this time last year that the world first heard about Stuxnet, the computer worm that launched the first successful cyberattack on infrastructure facilities – namely Iran’s nuclear programme. In a US House of Representatives committee hearing, Roberta Stempfley and Sean P. McGurk from the DHS’s Office of Cyber Security and Communications revealed that the US Government is concerned that cyber-terrorists could use variants of Stuxnet to attack other installations that use programmable control systems.

Their comments echo testimony given in March of this year to a Homeland Security House Subcommittee by Deputy Under Secretary Philip Reitinger.

According to both testimonies (which are word for word the same) “copies of the Stuxnet code, in various different iterations, have been publicly available for some time now.” As a result “the Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems.”

ICS-CERT and the NCCIC remain vigilant and continue analysis and mitigation efforts of any derivative malware.

Top 10 Passcodes to Avoid Using on Your iPhone

Daniel Amitay, the developer of Big Brother Camera Security, added some code his app to anonymously record common user passcodes and the results are quite interesting. The app collected 204,508 passcodes and Daniel discovered that 10 common passcodes were used in over 15% of the cases. This means that you have a greater than 1 in 10 chance of breaking into someones cell phone by just trying the ten most common passcodes listed below.

  1. 1234 – 8,884 uses or 4.34%
  2. 0000 – 5, 246 or 2.5%
  3. 2580 – 4,753
  4. 1111 – 3,262
  5. 5555 – 1,774
  6. 5683 – 1,425
  7. 0852 – 1,221
  8. 2222 – 1,139
  9. 1212 – 944
  10. 1998 – 822

As expected, 1234 is the most common passcode and the other passcodes follow typical formulas, such as four identical digits (0000,1111,5555,2222) or moving in a line up or down the pad (2580 & 0852). 5683 isn’t instantly clear, but if you look carefully at the letters on the numbers you will see it spells “love”.

In 2010 Imperva released a study analyzing 32 million passwords and found that the 10 most commonly used passwords for computers and Internet accounts were:

  • 123456
  • 12345
  • 123456789
  • Password
  • iloveyou
  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123