Zappos, Stratfor, Sony, Gawker; Got your attention? Good, now start using a password manager!

Troy Hunt explains why you really, really need to start using 1Password:

Another week, another major security incident with a significant website. So the news this time is that Zappos – those guys who sell shoes (among other things) – to folks in the US may have, uh, accidentally disclosed somewhere in the order of 24 million user accounts. Bugger.

Now of course at the root of this is inevitably yet more evildoers intent on breaking through website security for financial gain, activism or just plain old kicks. Regardless of the modus operandi of these incidents, the fact remains that a significant number of accounts have been exposed and there’s now the real possibility that usernames and passwords – perhaps your username and password – are going to be floating around the internet being seen by who knows how many people.


[From Zappos, Stratfor, Sony, Gawker; Got your attention? Good, now start using a password manager!]

5 website security lessons courtesy of Stratfor

Good advice from Troy Hunt — the hacking of Stratfor is a warning to all of us that we cannot assume that our username/password is safe at any site. If you reuse the same password you must assume that every site associated with that reuse will become public someday. Excerpt:

(…) Once you’ve been well and truly owned in Stratfor / Sony / Gawker style, that dirty laundry is going to become very, very public. Stratfor did a number of fundamentally stupid things in their website design and those practices are now on show for the world to see. Using MD5 as a hashing algorithm; bad form. No salts used; foolhardy. Storing credit cards in the clear; downright negligent.
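What those three lessons look like in code, as an added illustration that is not from Troy Hunt's post or from any of the sites named: the unsalted MD5 scheme the excerpt criticises beside a salted, deliberately slow PBKDF2 record, plus a check showing why a leaked unsalted table exposes every user who shares a password. The usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for the demonstration; not taken from any breach.
SAMPLE_USERS = {"alice": "letmein1", "bob": "letmein1", "carol": "Sunshine!7"}


def md5_unsalted(password: str) -> str:
    """The scheme the excerpt criticises: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256, stored together with its parameters."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_groups(stored: dict) -> list:
    """Group usernames whose stored values are identical.

    With unsalted MD5 this is exactly what a leaked table reveals: every user
    with the same password shares one hash, so one precomputed lookup cracks
    all of them at once. With a per-user salt no two records collide."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return sorted(users for users in by_value.values() if len(users) > 1)


def demo():
    """Build both kinds of credential table and report the shared-password groups."""
    md5_table = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_table = {u: pbkdf2_record(p, iterations=10_000) for u, p in SAMPLE_USERS.items()}
    return shared_password_groups(md5_table), shared_password_groups(pbkdf2_table)


if __name__ == "__main__":
    md5_groups, pbkdf2_groups = demo()
    print("unsalted MD5 reveals shared passwords:", md5_groups)
    print("salted PBKDF2 reveals shared passwords:", pbkdf2_groups)
```

The iteration count is the knob that makes guessing expensive; the salt is what stops a single precomputed table from being reused across users and across sites.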

Stealing ATM PINs with a Thermal Camera

Bruce Schneier says watch out! My first thought is that we need to spend 5 seconds doing a “hand print” on the keypad to warm all of the keys:

It’s easy:

Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn’t work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you think about your average ATM trip, that’s a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.

Paper here. More articles.

[From Stealing ATM PINs with a Thermal Camera]

Choosing Secure Passwords

The classic 2007 Bruce Schneier article offers a concise explanation of the methods used by modern password cracking software. You will see why the majority of “joe user” password constructions are easily cracked. And if you have exposed biographical information on the web (or on your computer) it is much more likely that the penetrators will crack your password.

My piece aside, there’s been a lot written on this topic over the years — both serious and humorous — but most of it seems to be based on anecdotal suggestions rather than actual analytic evidence. What follows is some serious advice.

…According to Eric Thompson of AccessData, a typical password consists of a root plus an appendage. A root isn’t necessarily a dictionary word, but it’s something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time).

So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like “letmein,” “password,” “123456” and so on. Then it tests them each with about 100 common suffix appendages: “1,” “4u,” “69,” “abc,” “!” and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.

Then, PRTK goes through a series of increasingly complex root dictionaries and appendage dictionaries. The root dictionaries include:

Common word dictionary: 5,000 entries

Names dictionary: 10,000 entries

Comprehensive dictionary: 100,000 entries

Phonetic pattern dictionary: 1/10,000 of an exhaustive character search

The phonetic pattern dictionary is interesting. It’s not really a dictionary; it’s a Markov-chain routine that generates pronounceable English-language strings of a given length. For example, PRTK can generate and test a dictionary of very pronounceable six-character strings, or just-barely pronounceable seven-character strings. They’re working on generation routines for other languages.

PRTK also runs a four-character-string exhaustive search. It runs the dictionaries with lowercase (the most common), initial uppercase (the second most common), all uppercase and final uppercase. It runs the dictionaries with common substitutions: “$” for “s,” “@” for “a,” “1” for “l” and so on. Anything that’s “leet speak” is included here, like “3” for “e.”

The appendage dictionaries include things like:

All two-digit combinations

All dates from 1900 to 2006

All three-digit combinations

All single symbols

All single digit, plus single symbol

All two-symbol combinations

Read the whole thing »
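As an added example, not Schneier's or AccessData's code, here is a password-policy check that models the root-plus-appendage pattern the excerpt describes, so a site can reject a proposed password that the first PRTK passes would recover. The dictionaries are tiny constructed stand-ins for PRTK's lists; the symbol set and the digit-then-symbol ordering of one appendage class are assumptions of this example.

```python
import itertools
import re

# Constructed, heavily abbreviated stand-ins for the dictionaries the excerpt
# describes (PRTK's real lists have about 1,000 roots and 100 suffixes).
COMMON_ROOTS = ["password", "letmein", "123456", "qwerty", "monkey",
                "dragon", "welcome", "football"]
COMMON_SUFFIXES = ["1", "4u", "69", "abc", "!", "123", "007"]
SYMBOLS = "!@#$%^&*?"  # assumed symbol alphabet for this example
# "Leet" substitutions from the excerpt, applied to all occurrences of a letter or none.
LEET = {"s": "$", "a": "@", "l": "1", "e": "3", "o": "0"}


def case_variants(root):
    """The four capitalisation patterns the excerpt lists."""
    yield root.lower()
    yield root[:1].upper() + root[1:].lower()
    yield root.upper()
    yield root[:-1].lower() + root[-1].upper()


def leet_variants(word):
    """Every combination of 'substitute all of this letter' choices."""
    present = [c for c in LEET if c in word]
    for k in range(len(present) + 1):
        for subset in itertools.combinations(present, k):
            variant = word
            for c in subset:
                variant = variant.replace(c, LEET[c])
            yield variant


def root_variant_set(roots):
    """Every root in every case pattern and every leet spelling."""
    return {lv for r in roots for cv in case_variants(r) for lv in leet_variants(cv)}


def is_appendage(a):
    """Membership in the appendage dictionaries the excerpt enumerates."""
    if a == "" or a in COMMON_SUFFIXES:
        return True
    if re.fullmatch(r"\d{2,3}", a):                             # all two- and three-digit strings
        return True
    if re.fullmatch(r"\d{4}", a) and 1900 <= int(a) <= 2006:    # all dates 1900 to 2006
        return True
    if len(a) == 1 and a in SYMBOLS:                            # single symbol
        return True
    if len(a) == 2 and a[0].isdigit() and a[1] in SYMBOLS:      # digit then symbol (assumed order)
        return True
    if len(a) == 2 and all(c in SYMBOLS for c in a):            # two symbols
        return True
    return False


def splits(password):
    """Candidate (root, appendage) splits: no appendage, or a suffix/prefix of 1-4 chars."""
    yield password, ""
    for n in range(1, 5):
        if n < len(password):
            yield password[:-n], password[-n:]   # suffix appendage (the common case)
            yield password[n:], password[:n]     # prefix appendage


def is_root_plus_appendage(password, variants=None):
    """True if the password is a dictionary root (in any tried spelling) plus an appendage."""
    variants = root_variant_set(COMMON_ROOTS) if variants is None else variants
    return any(is_appendage(app) and root in variants for root, app in splits(password))


if __name__ == "__main__":
    variants = root_variant_set(COMMON_ROOTS)
    for pw in ["Welcome2006", "p@$$w0rd!", "2006monkey", "MonKey", "correct horse battery staple"]:
        print(f"{pw!r}: {'weak (root+appendage)' if is_root_plus_appendage(pw, variants) else 'not matched'}")
```

Precompute the variant set once per process; the check itself is a handful of set lookups per candidate split, cheap enough to run on every registration or password change.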

Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum

This Freakonomics Quorum is really excellent, peppered with valuable links to other resources. Dubner assembled a competent panel of IT security pros, beginning with Bruce Schneier – our regular reliable source, who offers typically calming perspective. Let’s just highlight the comments of one expert (hint: incentives matter).

Henry Harrison is the technical director for cyber security at BAE Systems Detica, an information-security firm. Harrison supports Detica’s work across government and commercial customers and helps steer investments toward new cyber-security capabilities.

Let me restate what I think is being asked here. Why is there so much hacking being reported in the media of late? And is there actually more of it going on than there used to be?

Let’s work backwards. Over the longish term, there is definitely more of every sort of cyber-crime and cyber-espionage going on than there used to be. Twenty years ago, the world was only very loosely connected (in an electronic sense) and still at the very early stages of dependence on I.T. — so the returns to be had from hacking and other forms of nefarious electronic activity were relatively limited. Since then, the world’s interconnectedness has grown quite astonishingly, meaning there are much greater incentives for those who want to hack into both corporate and personal I.T. systems.

What’s more, the online environment presents very little in the way of disincentive for this sort of activity. There are numerous ways to obscure the source of an attack, meaning that it’s very difficult to work out who’s doing these things, and even if they do, not much likelihood that they’re going to do anything really painful in return. Of course, it’s not a completely deterrence-free zone: people do go to prison, and diplomatic pressure does get applied. But it’s really nothing comparable to the real world. I doubt we need any scientific studies to assess the relative adrenalin levels of someone hacking into a network compared with someone walking into a bank with a stocking over their head and a shotgun in their hand (though it would be an interesting comparison).

So: increased incentives and relatively few disincentives. Over the longer term then, there is (a lot) more hacking going on than there used to be.

Now to the first question. Definitely one of the factors that’s leading to more hacking being reported is that more of it is going on. But of course there’s a media cycle element to it as well. Because more is going on, cyber security in general is getting to be a bigger story; this means that hacking incidents get to be front-page news more often than they used to. They feed a developing storyline rather than being reported only as individual incidents. And this in turn means that for those whose motivation is publicity, incentives are strengthened.

It would be a mistake though to think that this sort of publicity-seeking behavior is sufficient on its own to sustain the media attention. I think the media is sticking with this story because of the much more significant trend underneath it, as demonstrated by rarer, but occasionally reported, incidents such as RSA, Google (“Aurora”) and the oil companies (“Night Dragon”) — and by significant new government spending around cyber security in the U.S., U.K., and many other countries.

On that front, we might just be beginning to see corporations open up a bit about reporting incidents that happen to them. But that really is at a very early stage. Through our work with customers, we run up against a much larger proportion of potentially high-profile incidents which have never been reported and probably never will be. There’s an awfully long way to go in terms of better disclosure and consequently more awareness of what’s really going on out there.

What’s perhaps more surprising to many people is that there are even more incidents that have never even been detected, let alone reported. When the motivation for an attacker is to gain publicity, obviously the incident ends up being “detected” — because the perpetrator reports it. But if the motivation is to steal confidential information — intellectual property, or sensitive commercial data — then the whole objective is not to be detected. Most companies simply aren’t looking for this sort of covert infiltration today, and in various cases when we have started to look for it inside a new customer’s network, we have fairly rapidly found evidence of intruders who have had access into the network for some time, completely undetected by the victim organization. Extrapolating from that to the majority of organizations who — today — are still not looking for these covert activities inside their networks, we can be fairly certain that there are a significant number of hacking incidents which are successful but completely undetected.

What will happen next? I suspect that the current media cycle has a while to run and that we will continue to see a large number of high-profile incidents where the motivation is to gain publicity. But I know more about security than I do about media, so I’d probably take that with a pinch of salt and pay more attention to my second prediction: that more and more organizations are going to start asking themselves whether they ought to be looking for evidence of the sort of covert data-stealing that’s currently going undetected. As more organizations find out that this sort of hacking is going on, they’ll start feeling the urgency to report the incidents because of the material impact they can have on the business.

Security: the scareware scams

MIT Technology Review has an excellent longish survey article on the plague of scareware. As just one example, I know that poisoned Google image-searches have snagged some very savvy computer users, leading to invasion by one of the rare Mac OS X threats (“Mac Defender”).

Not long after Prince William and Kate Middleton exchanged vows on April 29, a 1981 wedding portrait of the groom’s late mother, Princess Diana, appeared as one of the top three images for people typing the most popular search term on Google that morning: “royal wedding coverage.” But the link was a trip wire. Fraud artists had finagled a malicious website through Google’s algorithm. The link led to a hacked page on a Web comic book called, which redirected the browser to another site—one with a domain name from an obscure Australian island territory and hosted in Sweden. That site displayed a realistic-looking program called “XP Anti-Spyware” that issued bogus warnings—Your Computer Is Infected! A few clicks led to a purported solution, for $59.95: a download of a fix that didn’t actually exist.

Chalk up another success for what’s generally known as the “fake antivirus” scam. Federal investigators and security experts estimate that its various iterations have extracted at least $1 billion from victims in the past several years, and it has become the most visible manifestation of an overall rise in malicious software, or “malware,” distributed online (see charts below). The damage goes beyond the theft of cash: even if you don’t pull out your wallet, sometimes merely clicking on the bogus come-ons can deliver other forms of malware that may steal your passwords or conscript your computer into a remotely controlled gang called a botnet. Because it generally relies on fooling people into voluntarily installing malware—a strategy called a social-engineering attack—it can wind up infecting even well-maintained machines, both PCs and Macs. “As a human-level act of deception, it is just classically beautiful,” says David Clark, a research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory, who was the Internet’s chief protocol architect in the 1980s.

Read the whole thing »

Steve Gibson’s “password haystack”

Security guru Steve Gibson offers a clever passphrase evaluator page, including some general guidance on practical ways to create “real world useable” passwords.

Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered.

This is quite different from typical “password strength” evaluators, which examine entropy (how random the characters in your proposed string are).

We will be changing some passphrases based on Steve’s insights.

BTW, don’t forget that password crackers know how to build test phrases by combining dictionary words with white space. So a string of lower-case words separated by spaces is secure if it is a really long phrase (easy to do with Steve’s methodology). It’s a good idea to vary the whitespace too.

The relevant podcast is Security Now #303, which includes some useful commentary on Mac OS X security issues.
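An added example (not Steve Gibson's calculator) that puts numbers on the two points above: the haystack size for a given string, versus the far smaller space an attacker searches when combining dictionary words, and the difference a varied separator makes. The 33-symbol alphabet (32 ASCII punctuation characters plus space), the 100,000-word dictionary and the guess rates are assumptions of this example.

```python
import math
import string

# Character classes used for the haystack count (sizes are this example's assumptions).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}
# Assumed guess rates (guesses per second) for three attacker scenarios.
RATES = {
    "online, throttled": 1_000,
    "offline, fast hash": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}
SECONDS_PER_YEAR = 31_557_600


def alphabet_size(password):
    """Alphabet the attacker must assume: the union of classes present in the string."""
    return sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))


def haystack_size(password):
    """Gibson's haystack: every string up to this length over this alphabet."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def dictionary_search_size(word_count, dict_size=100_000, separator_choices=1):
    """Search space if the attacker instead combines dictionary words, as the post
    warns crackers do: D^k word choices times S^(k-1) separator choices."""
    return dict_size ** word_count * separator_choices ** max(word_count - 1, 0)


def shannon_bits(password):
    """Per-string character entropy, the quantity ordinary strength meters look at."""
    n = len(password)
    return -sum((password.count(c) / n) * math.log2(password.count(c) / n)
                for c in set(password))


def years_to_exhaust(size, rate):
    return size / rate / SECONDS_PER_YEAR


def compare(passphrase, dict_size=100_000, separator_choices=1):
    """Haystack view versus dictionary-combination view of the same passphrase."""
    hay = haystack_size(passphrase)
    dictionary = dictionary_search_size(len(passphrase.split()), dict_size, separator_choices)
    return {
        "haystack_log10": round(math.log10(hay), 1),
        "dictionary_log10": round(math.log10(dictionary), 1),
        "shannon_bits": round(shannon_bits(passphrase), 2),
        "haystack_years_massive_array": years_to_exhaust(hay, RATES["massive cracking array"]),
        "dictionary_years_massive_array": years_to_exhaust(dictionary, RATES["massive cracking array"]),
    }


if __name__ == "__main__":
    phrase = "correct horse battery staple"   # constructed sample passphrase
    for k, v in compare(phrase).items():
        print(f"{k:32s} {v:.3g}" if isinstance(v, float) else f"{k:32s} {v}")
    # The same four words with the separator varied between three choices:
    print("with 3 separator choices:", compare(phrase, separator_choices=3)["dictionary_log10"])
```

The haystack figure is the attacker's cost only when nothing smarter than exhaustive search applies; once the phrase is known to be dictionary words with spaces, the dictionary figure is the one that matters, and varying the separators buys a factor of S^(k-1), not a new order of magnitude per character.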

Aggressive Social Engineering Against Consumers

When there is so much money to be harvested, expect the mafia to put more and more effort into penetrating your computer. As I write, the spectrum of threats is mainly social engineering – tricking people into letting the criminal into their “house”.

Cyber criminals are getting aggressive with their social engineering tactics.

Val Christopherson said she received a telephone call last Tuesday from a man stating he was with an online security company who was receiving error messages from the computer at her Charleswood home.

“He said he wanted to fix my problem over the phone,” Christopherson said.

She said she was then convinced to go online to a remote access and support website called and allow him to connect her computer to his company’s system.

“That was my big mistake,” Christopherson said.

She said the scammers then tried to sell her anti-virus software they would install.

At that point, the 61-year-old Anglican minister became suspicious and eventually broke off the call before unplugging her computer.

Christopherson said she then had to hang up on the same scam artist again, after he quickly called back claiming to be the previous caller’s manager.

To stay alert to security issues you can subscribe to Bruce Schneier’s blog. He is one of the best in the field.

There are many examples of the creativity of the cyber criminals. One is that some branch of the crime enterprise is making it free to get into the cybercrime business – via a free download of the Blackhole exploit kit. The strategy is to enlist thousands more script kiddies, some of whom may succeed. These are like conscripts to their army, i.e., to their cybercrime ecosystem.

RSA Offers to replace authentication tokens

The RSA/Lockheed breach is very serious. Many security professionals thought the RSA authentication protocol using the SecurID token was bulletproof.

SecurID tokens have become a fixture of office life at thousands of corporations, used when employees log onto computers or sensitive software systems. The token is an essential piece of security, acting as an ever-changing password that flashes a series of six digits that should be virtually impossible to duplicate.

(…) In March EMC disclosed it had been hit by a sophisticated cyberattack on its SecurID products. It advised customers to beef up their own security, such as making sure no rogue programs had been installed on servers running RSA software. It also suggested users increase the length of employee “PIN” numbers used in tandem with the digits spit out by the RSA token.

As the company did a forensic analysis of the attack, it began to suspect the attacker was focused on defense contractors based on the sophistication of the attack and the profile of the hacker.

“Their modus operandi led us to believe this perpetrator was likely to attack defense secrets and related intellectual property,” Mr. Coviello said, of the intruders. The Lockheed infiltration received high-level attention in Washington, including from President Barack Obama, who was briefed on the incident.

Read the whole thing »