From the recent hacker activities, it is obvious that there is a greater
level of insecurity in the online world now. Black hats (hackers who specialise
in unauthorized and malicious online activity) are focused on collecting
passwords and instead of breaking computer security system or brute-forcing pass
phrases, they use a variety of easier techniques to source credentials. Too many
of us use the same login details for several different websites. The reason
behind this is very simple. With so many different authentications needed for
accessing various different sites, it's easier to remember just the one password
rather than a whole bank of them. Here, we will look at some alternative methods
for creating and managing passwords, but first let's look at why this is a
problem.
How cyber criminals lure you?
There are a number of methods that cyber criminals use to trick or encourage
us to give up sensitive information, and these include setting up fake mailing
lists, bogus forums, and phony social network sites to harvest login details.
The main concern with this stems from the fact that most people use the same
username and password pair for different sites. Once the hacker secures a route
into your sensitive information, he has a good chance of signing in to sites
like social networks, email accounts or online bank accounts, with the same user
name and password.
Direct Hit! |
Applies To: Everyone |
Because of this, we've seen fake sites set up to act as a legitimate user
forum or Web 2.0 site, which require a user to be registered before making a
post. When the user registers, the hacker immediately gains access to all the
necessary information needed for the next stage in their attack -the user name
and the matching password.The cyber criminal can collect other information like
the IP address the user originated from, his email address, gender, age and so
on. From the email address alone, a hacker can guess the mail server and
potentially access it with the given password. One obvious purpose for this is
to harvest the address book which can be used in a spam campaign or to spread
malware. Access to your emails may also give the hacker other personal
information since a great deal of data is often stored in email form including
online bills (proof of address), banking habits and shopping history. Even
further, this bad guy could try to use the same credentials on well-known sites
like Facebook, and in the worst case scenario, he can log in to online banks in
order to steal money directly.
There is nothing new about this type of fraud. Similar techniques have been
used for the last decade for stealing credit card numbers. There is a difference
between bank cards and passwords; we cannot change the number on the plastic
card, but we could use a unique password for each site.The real question is, is
it actually our fault if someone gains an advantage because of our laziness?
The above illustration clearly shows the risk we take when signing up to a
new site. 'So what?', you might ask, I never visit malicious sites. Here is
another scenario then. You regularly visit a site for years and are confident
that the company behind the site is legitimate. Unfortunately many websites
store passwords in an unencrypted form. An attacker therefore has a chance to
steal your password even if they do not know anything about you. Only a few
months ago, the social network site RockYou was compromised and over 32 million
user accounts were stolen as they were stored in clear text. These passwords
could be used on other sites as well, thanks to the bad habit we have of using
the same password. Towards the end of last year, the Websense Security Labs
highlighted phishing data which showed that many users are still using
passwords basic enough to guess or discover in a reasonable amount of time.
Lately, we've seen quite a few mass injection attacks on websites by
attackers coming in through the front door with passwords in hand. You might
wonder how attackers gained the passwords of these ftp/scp/ssh accounts. There
are a number of possibilities, but to mention a few: an employee in web
administration visited a malicious website and became infected with malware,
which then monitored their keystrokes and captured their password; an employee
surfed the web in an unsecured Wi-Fi network; an employee's personal web account
password was guessed, or their secret question was guessed by googling for
personal information.
10 rules for safer passwords
|
Once access was gained to their account, attackers found more sensitive
information that allowed them access to corporate network machines or data.
Providing the answer to a secret question has always been thought to be the
ultimate test in order to prove your identity and change your password. But
unfortunately this is not the case. Hotmail, for example, has various secret
questions from which the user chooses: Mother's birthplace, Best childhood
friend, etc.
Search engines have allowed attackers to find information about individuals
like never before. The more public a profile you keep on a social networking
site, the easier it is to obtain answers to most, if not all 'secret' questions.
As we all know, an attacker with enough time, patience, and resources will
eventually find a way in to a target.
The secrets to a good password
There are many methods out there advising you how to generate a secure
password for yourself. Some of them are fun to apply, like picking cartoon
characters and mixing them together, or taking all the first letters of each
word from a sentence that you can remember. Nice, but are these really secure?
To answer to this question we need to raise a couple of other questions: did
not we just mention that we must use individual keys for every single site we
sign in to? Have not we said that we should change passwords every so often on
each of these sites? Then how can we remember tens or hundreds of these cartoon
figures or sentences?
One possible solution is to use password patterns. This means that we use
basically the same pass phrase for every single site, but we insert some
alteration into it each time. For example, if the secret word is "MyP@ssw0rd",
we could use "MyP@ssG00glew0rd" and "MyP@ ssYah00w0rd" for Google and Yahoo
respectively. It looks different, it's easy to remember, and it seems to solve
the problem of using the same passwords on different sites. However, it is quite
easy to guess the static and dynamic part of the password, so it does not really
harden the authentication.
We need to look for another way of generating secure passwords and also
something that is possible to remember in the future. There are solutions
available for generating and storing our credentials. If you search for the
phrase "password manager" on the Internet, you will see a huge selection tools
All you need then is to remember one master pass phrase that allows you to
access the rest of your passwords. There are things we all know are common
sense, yet we still break most of the fundamental rules. But that doesn't mean
we shouldn't attempt as users and administrators to abide by the basic rules to
keep ourselves and our companies safe online. Black hats are focused on
developing techniques to source your credentials - don't make it too easy for
them by virtually giving them away.
Carl Leonard, Senior Research Manager, Websense Security Labs