STE WILLIAMS

Windows XP folks: At least GOOGLE still loves you … UNTIL 2015


Updated: In a rather shrewd move, Google has said it will provide Chrome updates for Windows XP users for at least a year after Microsoft stops supporting the elderly OS next April.

“We recognize that hundreds of millions of users, including a good chunk of current Chrome users, still rely on XP,” said Mark Larson, superintendent of public safety (yes, really) at Google Chrome in a blog post.


“Moreover, many organizations still run dozens or even hundreds of applications on XP and may have trouble migrating. Our goal is to support Chrome for XP users during this transition process. Most importantly, Chrome on XP will still be automatically updated with the latest security fixes to protect against malware and phishing attacks.”

Of course, running Chrome on an out-of-date Windows XP box does nothing to protect the operating system itself or the other applications installed on it. In August Redmond warned that once XP support ends, every Patch Tuesday rollout for newer Windows versions risks pointing attackers at flaws that remain unfixed in XP.

Microsoft has told its resellers that the shift from XP is a “$12bn opportunity” for them to upgrade to Windows 7 or 8, but there are going to be a lot of holdouts.

According to research from Gartner, 15 per cent of midsize and large enterprises will still have Windows XP running on at least 10 per cent of their PCs by the time Redmond cuts off vital support, and a lot of consumers around the world show no signs of abandoning the OS.

Google may think its show of largesse will help it grow Chrome’s audience still further, but the firm’s not telling El Reg. The Chocolate Factory may also be betting that when XP users finally get sick of their 2001-era machines they’ll consider a Chrome OS device as a replacement.

Aside from the ludicrously high-priced Chrome Pixel, Chrome OS systems inhabit the lowest end of the cost scale for laptops, and Google has made security a big selling point of such systems. Getting XP users used to the Chrome interface might rub off on them, and Google could maybe snaffle a bit of that $12bn upgrade market for itself. ®

Update

“Third parties may provide ongoing support for their applications, but it’s important to recognize that support will not address fixes and security patches in the core Windows kernel so new vulnerabilities can still be exploited even though applications might be updated,” Microsoft told El Reg in an emailed statement.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/16/google_extends_chrome_support_for_windows_xp_users_into_2015/

COFFEE AND DANISH HELL: National ID system cockup forces insecure Java on Danes


A bungled IT upgrade has downed Denmark’s universal NemID login system, forcing people to stay on an insecure version of Java if they want to carry out online banking, check their insurance, or retrieve tax return information.

Problems with NemID were first reported on Tuesday, and on Thursday the NATS IT consultancy behind the system said Danes wouldn’t be able to use both the latest patched version of Java and NemID until Friday.


NemID is a single login for services ranging from private banking and email to insurance and local council services. It consists of a user ID, a password, and a code card that supplies a one-time key.

The system was developed through a collaboration between the state and the banking sector, and reaches into “hundreds” of bank and public IT systems. And, to the no-doubt dismay of Reg readers, it relies on Java.

Java 7 Update 45 was released on Tuesday, bringing with it a whopping 51 security bug fixes for the still widely used platform.

A dozen of these vulnerabilities merited the most severe CVSSv2 score of 10, meaning they could be used “to take full control over the attacked machine over the network without requiring authentication.”

So, the Danes are faced with a conundrum: upgrade and lose access to critical public and private online services, or don’t upgrade and keep their computers open to some potentially very serious security flaws.

Citizens who have already upgraded to Java 7 Update 45 are advised to uninstall Java completely and then reinstall Java 7 Update 40, accepting the older build’s known holes as the price of getting back into their public services.

The fault here doesn’t lie with Oracle, but with the integrator NATS, which seems to have bungled support for the new patch. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/java_causes_problems_denmark/

New Study: Half Of Federal Agency Security Breaches Caused By Lack Of User Compliance

Alexandria, Va., October 15, 2013 – MeriTalk, a public-private partnership focused on improving the outcomes of government IT, today announced the results of its new report, “Cyber Security Experience: Cyber Security Pros from Mars; Users from Mercury.” The study, underwritten by Akamai Technologies, Inc., compares what cyber security professionals report about their agency’s security with what end users – Federal workers – actually experience. According to the report, agencies often fail to take the user experience into account when deploying cyber security solutions. As a direct result, end users often circumvent security measures and open their agencies up to data theft, data loss, and denial-of-service attacks.

Federal agencies regularly battle very real cyber threats including international cyber attacks, denial-of-service attacks, hackers, and data theft. However, few Federal cyber security professionals feel completely prepared for these threats – 74% say they are not prepared for an international cyber attack, 74% say they are not prepared to support secure access for mobile devices, 70% are not prepared for a denial-of-service attack, and 70% are not prepared to secure cloud computing environments. Prepared or not, these cyber attacks show no signs of slowing – half of cyber security professionals say their agency is likely to be the victim of a denial-of-service attack in the next 12 months.

As a result of the numerous cyber threats, cyber security professionals are focused on keeping data secure but fail to prioritize the user experience. Seventy-four percent of cyber security professionals say their top priority is preventing data theft followed by ensuring a thorough web security strategy (56 percent), maintaining and upgrading security systems (55 percent), deploying the most up-to-date cyber security protocols (54 percent), and mitigating denial-of-service attacks (53 percent). Ensuring a user-friendly experience across all security applications comes in last on cyber security professionals’ list of priorities with only 40% reporting it as a top concern.

As security measures become less user friendly, they also become less effective. Cyber security professionals estimate that almost half (49 percent) of all agency security breaches are caused by a lack of user compliance. These breaches are frequent, with half of cyber security professionals reporting they witness a breach of their agency’s security policies at least once a week. According to cyber security professionals, the most challenging end user applications to secure are email, external websites, and the internet from agency workstations. These are the same tools that more than 80% of end users rely on daily.

Not only do end users experience challenges with the applications they use daily, many of the activities they must perform as part of their daily work also cause frustration. The activities that cyber security professionals say are the most likely to cause a security breach are the same activities where end users run into the most frustrating security measures. The top areas for cyber security professionals’ concern and end users’ frustration are surfing the internet, downloading files, accessing networks, and transferring files.

“More security rules, more security tasks, and more security delays have done little to drive more user buy-in for cyber security,” said Tom Ruff, vice president public sector, Akamai. “Without question, Federal cyber security pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security.”

End users say cyber security measures hinder their productivity and as a result admit to breaking protocol. Sixty-six percent of end users believe the security protocols at their agency are burdensome and time-consuming. Sixty-nine percent say at least some portion of their work takes longer than it should due to security measures. Nearly one in five end users can recall an instance where they were unable to complete a work assignment on time because of a security measure. As a result, 31% of end users say they use some kind of security work around at least once a week.

Despite frustrations, end users and cyber security professionals agree that cyber security should be a top priority for Federal agencies. Ninety-five percent of cyber security professionals and end users agree that the deployment of cyber security measures is an absolute necessity to protect agencies from cyber threats such as data loss, data theft, and denial-of-service attacks. Almost all (98 percent) say keeping agency networks and data secure is everyone’s responsibility.

“Cyber Security Experience: Cyber Security Pros from Mars; Users from Mercury” is based on an online survey of 100 cyber professionals and 100 end users in August 2013. The report has a margin of error of +/- 9.78 percent at a 95% confidence level. To download the full study, please visit http://www.meritalk.com/cybersecurityexperience.

About MeriTalk

The voice of tomorrow’s government today, MeriTalk is a public-private partnership focused on improving the outcomes of government IT. Focusing on government’s hot-button issues, MeriTalk hosts Big Data Exchange, Cloud Computing Exchange, Cyber Security Exchange, and Data Center Exchange – platforms dedicated to supporting public-private dialogue and collaboration. MeriTalk connects with an audience of 85,000 government community contacts. For more information, visit www.meritalk.com or follow us on Twitter, @meritalk. MeriTalk is a 300Brand organization.

Article source: http://www.darkreading.com/government-vertical/new-study-half-of-federal-agency-securit/240162773

With Shared Power Comes Shared Responsibility

It’s National Cyber Security Awareness Month, and the official theme for the month is “Our Shared Responsibility.” A bit trite, perhaps, but it’s a message that is all too often lacking when security professionals communicate with users in their organizations. If you’ve ever felt that IT or the security group is public enemy number one in your workplace, it may be time to rework your trainings, presentations, and emails to integrate the shared responsibility message.

Suppose, for example, that you’re delivering training to users on how to avoid malware. The classic curriculum goes something like this: What is malware? What are the types of malware? Where does malware come from? What should you do to prevent infection?

Now think about this training from the standpoint of the user. Most likely, she has been forced to attend a training for a topic of little interest to her. She then has to sit through a dry presentation about malware, ending with a laundry list of things she’s supposed to do to make things better for the company and the IT department. She has gained nothing from the training, and additional responsibility has been placed on her shoulders. No wonder she finds security annoying!

Here’s a different approach, which puts shared responsibility front and center, while offering a more compelling experience for the user at the same time. Suppose you structure the talk as a walkthrough of a real or simulated malware attack. During or after the walkthrough, you briefly explain the things IT is doing to prevent each stage of the attack (e.g., we’ve installed web filtering to try to block drive-by downloads) and where you need users to help out by doing their part (e.g., avoiding opening of unknown files).

What is the user’s experience this time? Her annoyance with having to attend the training is offset by seeing something new and interesting — a real world attack! Instead of feeling lectured to about what is expected of her, she is shown how her actions can help contribute to a broader set of security controls. And she may even find the occasional warning from the web filtering system less annoying now that she’s seen how it can be useful in preventing a type of attack that has been vividly implanted in her mind.

We humans are social animals. It’s no wonder that we respond better to “we’re all in this together” than to “do it because I said so.” National Cyber Security Awareness Month ends on Halloween, but “Our Shared Responsibility” should remain a permanent theme in your infosec communication and training strategy.

I recently delivered a Malware 101 webinar to members of the Center for Internet Security. The hour-long presentation, now available on YouTube, is geared toward a non-technical audience. The presentation walks through a real attack, shows how selected security tools (not brand specific) can help defend against malware, and explores some reasons that malware still exists despite the best efforts of the security community. Along the way, it defines common terms and explains basic concepts. Feel free to show it to your users (supplemented, of course, by what you’re doing to protect them and how they can help) and/or take inspiration from it when creating your own lessons.

Article source: http://www.darkreading.com/sophoslabs-insights/with-shared-power-comes-shared-responsib/240162767

DDoS Attack Used ‘Headless’ Browsers In 150-Hour Siege

“Headless” browsers pummeled a trading platform’s website this past week in a rare form of distributed denial-of-service (DDoS) attack that lasted for 150 hours.

The attack employed some 180,000 IP addresses — and as of today continues to rebound in smaller pockets — according to cloud-based DDoS mitigation service provider Incapsula, which discovered and mitigated the massive attack for its customer.

The company declined to name the targeted organization, only saying it was a trading platform and that the attackers were likely motivated for competitive reasons. “The order of magnitude was significant,” says Marc Gaffan, co-founder of Incapsula. “No one has 180,000 IPs at their disposal unless it’s an amalgamation of separate botnets they are using interchangeably. This was a sophisticated and thought-out process.”

DDoS attacks increasingly have moved up the stack to the application layer, mainly for more targeted purposes, such as disrupting transactions or access to databases, for instance. According to new data from Arbor Networks, DDoS attacks in general are getting more powerful but their duration is declining: the average DDoS attack size thus far is 2.64 Gbps for the year, an increase of 78 percent from 2012, and some 87 percent of attacks last less than one hour.

That makes the recent headless browser attack even more unusual, given that its duration was so long. “That’s pretty long. Obviously, someone was upset at them,” says Marc Eisenbarth, manager of research for Arbor.

[DDoS attack sizes are rising even as the duration of the attacks grows shorter, according to Arbor Networks. See DDoS Attacks Grow Shorter But Pack More Punch.]

The attack also was unusual in that it employed a version of the PhantomJS headless browser toolkit, which is a Web app developer’s tool for testing and simulating user browsing of an application. “This was the first time we saw this technology in a DDoS attack,” Gaffan says. “It mimics human behavior so effectively that it’s a challenge for mitigation services to deal with.”

PhantomJS is basically a test tool that drives a bare-bones or “headless” browser – no buttons, address bar, etc. – through an API so programmers can test-run and automate their apps. “They can do a load test to websites simulating browser behavior and run JavaScript and accept cookies,” for example, Gaffan says.

Arbor’s Eisenbarth says he rarely sees PhantomJS being abused the way Incapsula has described this DDoS attack on its customer. “We don’t see PhantomJS as much. What we do see are attackers creating hidden IE [Internet Explorer] browsers that actually are full-function browsers and are even more sophisticated at bypassing detection mechanisms,” Eisenbarth says.

The attackers also employed some 861 different variants of the headless browser, and were generating some 700 million hits per day on the targeted website, according to Incapsula. “It’s really an evasion technique. We try to catch what they are doing, and they try to evade us,” Gaffan says. “Our job is to filter out the good guys [legitimate visitors] and let them pass … the site still needs to operate. And then keep the bad traffic out.”

Dan Holden, director of security research at Arbor Networks, says these Layer 7 DDoS attacks take more effort to execute. “There’s got to be something financial” motivating the attackers here, he says. “These are more common when you’ve got very focused and targeted attacks.”

Incapsula’s Gaffan says application-layer DDoS attacks are becoming more popular, and often accompany network-layer attacks. “That leaves you scrambling on all fronts,” he says. “An application-layer attack is easier to perpetrate because it requires less resources, but you need expertise” to pull it off, he says.

The victim organization’s business in the end suffered little impact since Incapsula was able to mitigate the attack, he says. But the DDoS hasn’t disappeared yet, either: “It started last week, and to some extent, it’s still ongoing,” Gaffan says. “There’s an ongoing process [by the attackers] of updating and changing” the headless browsers in the attack, he says.
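The two controls a mitigation service leans on against a headless-browser flood are the ones Gaffan describes: make the client prove it can run JavaScript and hold a cookie, then rate-limit the clients that pass. The following is an added example written for this page, not Incapsula’s code: the server-side half of a JS challenge (an HMAC-signed cookie bound to the client IP and an expiry) plus a per-IP sliding-window counter, run over constructed access-log lines. The log format, IP addresses, user-agent strings, key and thresholds are all assumptions. Note the third client: it ran the challenge, exactly as PhantomJS can, so only the rate layer catches it.

```python
"""Server-side triage for a Layer 7 flood: a signed JavaScript-challenge cookie
plus a per-IP sliding-window rate check.

Added example for illustration; not Incapsula's code. The log format, the IP
addresses, the user-agent strings, the secret key and the thresholds are all
constructed for this demo.
"""
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-key-rotate-me"   # assumption: a server-side key


def issue_challenge(ip, now, ttl=600):
    """Cookie a client earns by executing the JS challenge: expiry plus a MAC
    bound to the client IP, so one solved challenge cannot be shared across
    a botnet."""
    exp = int(now) + ttl
    mac = hmac.new(SECRET, f"{ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_challenge(cookie, ip, now):
    """True only for an unexpired cookie whose MAC matches this IP."""
    try:
        exp_text, mac = cookie.split(".", 1)
        exp = int(exp_text)
    except (AttributeError, ValueError):
        return False
    if exp < now:
        return False
    expected = hmac.new(SECRET, f"{ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class RateTracker:
    """Counts requests per IP inside a sliding window of `window` seconds."""

    def __init__(self, window=10.0):
        self.window = window
        self.hits = defaultdict(deque)

    def record(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def parse_line(line):
    """Constructed log format: <ts> <ip> "<user-agent>" <challenge-cookie or ->"""
    ts, ip, rest = line.split(" ", 2)
    ua, cookie = rest.rsplit(" ", 1)
    return float(ts), ip, ua.strip('"'), (None if cookie == "-" else cookie)


SEVERITY = {"allow": 0, "challenge": 1, "block": 2}


def triage(lines, now, window=10.0, limit=30):
    """Return {ip: verdict}. A client without a valid cookie is served the JS
    challenge; a client that passed it (PhantomJS can) but exceeds `limit`
    requests per `window` seconds is blocked. The worst verdict per IP wins."""
    tracker = RateTracker(window)
    verdicts = {}
    for line in lines:
        ts, ip, _ua, cookie = parse_line(line)
        rate = tracker.record(ip, ts)
        if not verify_challenge(cookie, ip, now):
            verdict = "challenge"
        elif rate > limit:
            verdict = "block"
        else:
            verdict = "allow"
        if SEVERITY[verdict] >= SEVERITY.get(verdicts.get(ip), -1):
            verdicts[ip] = verdict
    return verdicts


def sample_lines(now):
    """Constructed traffic: one human, one headless client that never ran the
    challenge, one headless client that did but hammers the site."""
    human = issue_challenge("203.0.113.5", now)
    bot = issue_challenge("192.0.2.9", now)
    lines = [f'{now - 8 + i} 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1)" {human}'
             for i in range(3)]
    lines += [f'{now - 5 + i * 0.1} 198.51.100.7 "Mozilla/5.0 PhantomJS/1.9.2" -'
              for i in range(20)]
    lines += [f'{now - 4 + i * 0.1} 192.0.2.9 "Mozilla/5.0 PhantomJS/1.9.{i % 5}" {bot}'
              for i in range(40)]
    return lines


if __name__ == "__main__":
    import time
    now = time.time()
    for ip, verdict in triage(sample_lines(now), now).items():
        print(f"{ip:15} {verdict}")
```

Binding the MAC to the client IP is what stops a botnet from solving the challenge once and replaying the cookie from 180,000 addresses; the rate layer is what handles clients that solve it honestly but too often.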


Article source: http://www.darkreading.com/attacks-breaches/ddos-attack-used-headless-browsers-in-15/240162777

Universities Schooled By Malware: Higher Ed Networks 300 Percent More Infected

That universities suffer more malware infections than enterprises and government agencies should come as no surprise, but new data shows that they are a whopping 300 percent more likely to house malware in their networks than networks in the commercial or public sector.

Research from OpenDNS’s Umbrella Security Labs found that colleges and universities in the U.S. and Europe are that much more infected than the business or government space, based on data gathered from OpenDNS’s network of 50 million users worldwide.

“That [percentage] was somewhat of a surprise to us,” says Dan Hubbard, CTO of OpenDNS and head of Umbrella Security Labs. “You always hear about universities being more open than regular corporations and organizations, but these numbers were a little higher than we expected.”

Higher-education networks also are targeted most by the so-called EXPIRO malware, a file-infecting family that’s been around since around 2010. According to OpenDNS, EXPIRO typically infects local, removable and network drives and installs malicious extensions for Chrome and Firefox. It steals stored certificates and passwords from IE, Microsoft Outlook and FTP client FileZilla.

Infected machines are redirected to a malicious URL, the malware can steal online banking credentials and other information, and it can also disable Windows security on the infected machine.

So why is EXPIRO the BMOC, big malware on campus? “It’s hard to tell what they are after. There are multiple variants of EXPIRO,” Hubbard says. It can be used to steal usernames and passwords and Web history, for instance, he says. “That user information is wrapped in a DLL and is sent back to a CC [command and control] in an encrypted file,” says Hubbard, who notes that EXPIRO has been spotted using exploit kits such as Blackhole.

EXPIRO is typically spread via infected websites, either in drive-by attacks or via a URL lure in a phishing email. The infected website typically hosts a Java or Adobe PDF exploit; once the malware it drops is installed, it steals user and system information.

The big problem on university campus networks, of course, is that they by nature are open and IT doesn’t manage each student’s client device. “These are unmanaged networks for the most part,” Hubbard says. Even so, universities can establish basic security best practices to minimize infections, he says.

OpenDNS recommends that colleges alert their users of new spearphishing campaigns targeting their institution, and that they employ predictive analysis to prevent waterholing or malvertising attacks. OpenDNS also suggests using DNS-based enforcement to stop infected machines from communicating to botnet operators over non-Web connections.
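“DNS-based enforcement” in the last recommendation means answering an infected host’s lookups for known-bad names with a sinkhole address, so its command-and-control traffic never reaches the botnet operator whatever protocol it uses. The following is an added example for this page, not OpenDNS’s code: a minimal resolver front end that parses a DNS query from the wire, walks the queried name up through its parent zones against a blocklist, and for a match returns a forged A record pointing at the sinkhole. The blocklist names and the sinkhole address (taken from the TEST-NET-1 range) are constructed; wiring it to a UDP socket and forwarding unmatched queries upstream is left to the deployment.

```python
"""DNS-based enforcement: answer queries for known-bad names with a sinkhole
address instead of the real one, so an infected host's C&C lookups (Web or
otherwise) never resolve.

Added example, not OpenDNS's code. The blocklist entries and the sinkhole
address are constructed for this demo.
"""
import socket
import struct

SINKHOLE_IP = "192.0.2.1"                                  # assumption: your sinkhole listener
BLOCKLIST = {"evil-c2.example", "malvertising.example"}    # constructed


def is_blocked(name, blocklist):
    """Match the name and every parent zone, so x.y.evil-c2.example is caught."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(msg, offset):
    """Read a wire-format name, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_query(msg):
    """Return (id, qname, qtype, qclass, offset past the question section)."""
    ident, _flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ident, name, qtype, qclass, off + 4


def build_query(name, qtype=1, ident=0x1234):
    """A standard recursive query for `name` (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def sinkhole_response(query, ip, ttl=60):
    """Echo the question and answer it with a single A record for the sinkhole."""
    ident, _name, _qtype, _qclass, qend = parse_query(query)
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + rr


def resolve(query, blocklist=BLOCKLIST, sinkhole_ip=SINKHOLE_IP):
    """("sinkhole", bytes) for A lookups of blocked names, ("empty", bytes) for
    other record types of blocked names, ("forward", None) for everything else."""
    ident, name, qtype, qclass, qend = parse_query(query)
    if qclass != 1 or not is_blocked(name, blocklist):
        return "forward", None
    if qtype == 1:
        return "sinkhole", sinkhole_response(query, sinkhole_ip)
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 0, 0, 0)   # NOERROR, no answers
    return "empty", header + query[12:qend]


if __name__ == "__main__":
    for qname in ("www.evil-c2.example", "cdn.example.net"):
        kind, resp = resolve(build_query(qname))
        print(qname, "->", kind, resp.hex() if resp else "")
```

Keeping the sinkhole on an address you control, rather than returning NXDOMAIN, is what lets you log which hosts on campus are still trying to phone home.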


Article source: http://www.darkreading.com/attacks-breaches/universities-schooled-by-malware-higher/240162781

Onapsis Supports SAP HANA

Cambridge, MA USA – October 16, 2013 – Onapsis Inc., the leading provider of solutions to audit and mitigate threats targeting ERP platforms, today announced new functionality in its flagship product, Onapsis X1. This enhancement will extend support to organizations running SAP’s HANA in-memory database. Recognizing the importance of security, SAP provides its customers with a SAP HANA Security Guide furnishing details and recommendations for the implementation of SAP HANA with guidelines for network, communications and data storage security across the lifecycle of their HANA deployment. Through new Onapsis X1 HANA functionality, Audit, Information Security and SAP professionals will be able to verify that their organization’s HANA implementations meet criteria recommended by SAP, as well as to identify and mitigate additional cyber-threats targeting this platform.

Mariano Nunez, CEO of Onapsis, said “At Onapsis, our goal is to enable organizations to protect their SAP business processes and information. HANA is one of SAP’s fastest-growing platforms and I am excited that Onapsis continues to prove itself as the industry leader by providing the first SAP-certified solution to ensure our customers’ HANA implementations are protected as well. Furthermore, through this new Onapsis X1 release, our global partners can immediately offer HANA security expertise to their SAP customers.”

Available in November, the new Onapsis X1 HANA capabilities enable organizations to confirm that they are implementing and maintaining HANA securely. The product enables them to perform automated checks against SAP’s published security guidelines, as well as automate regular audits for the proper implementation of SAP Security Notes. Additionally, Onapsis X1 will add to its security assessment capabilities by performing security audits of HANA implementations, identifying vulnerabilities, and providing detailed mitigation information.

Onapsis provides unique solutions to protect ERP systems against cyber-attacks. The company’s flagship product, Onapsis X1, is the industry’s first comprehensive SAP-certified solution for the automated application security assessment of SAP systems. Backed by frequent updates from the Onapsis Research Labs, Onapsis X1 detects insecure SAP ABAP and Java configurations, missing SAP Security Notes and patches, dangerous user authorizations, insecure interfaces between SAP systems, and threats affecting SAP Mobile and HANA platforms. By following Onapsis X1’s detailed mitigation procedures, customers can decrease business fraud risks, enforce compliance requirements, and ensure the continuous operation of their business-critical processes.

About Onapsis

Onapsis Inc. is the leading provider of solutions to audit and mitigate threats targeting ERP platforms. At the heart of the company, the Onapsis Research Labs is composed of world-renowned experts with a proven track-record in the ERP and SAP security fields. Through its innovative software solutions, global customers can secure SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud. More information at www.onapsis.com. Follow us on Twitter: @Onapsis

Article source: http://www.darkreading.com/management/onapsis-supports-sap-hana/240162803

How mystery DDoSers tried to take down Bitcoin exchange with 100Gbps crapflood


Exclusive: Web security firm Incapsula helped a Chinese Bitcoin trader to weather a ferocious denial-of-service attack last month when the volume of inbound traffic to the site peaked at 100Gbps.

The attack against BTC China, a platform where both Bitcoin and Chinese yuan are traded, lasted nine hours and is one of the fiercest on record. But unlike the even bigger 300Gbps attack against Spamhaus back in March, no amplification techniques were used in the assault against BTC China.

Incapsula previously disclosed the appearance of the 24 September attack, but only revealed the nature of the assault and named the intended victim during an interview with El Reg on Wednesday.

The attack against BTC China took the form of a SYN flood rather than the DNS amplification-style attack thrown against Spamhaus or more modern application-layer attacks. The attacker balanced the assault between small, high frequency SYN packets, and large, low-frequency SYN packets.

The exchange is currently the third largest in the world.

DNS reflection attacks involve sending DNS servers a query whose answer is large (an ANY lookup for a well-populated zone, for instance), with the source address of the request forged so that the reply goes to the intended victim. Only open resolvers – DNS servers that answer queries from anyone – will respond to such spoofed requests, but there are more than enough of them around to make the tactic viable. The attacker’s requests are only a fraction of the size of the responses, which is where the amplification comes from.

The tactic is more sophisticated than the old school “caveman with a club” SYN flood attacks thrown against BTCChina.

The circumstances of the BTC China attack mean that the unknown assailants had a huge amount of bandwidth at their disposal. “This amount of fire power isn’t cheap, or readily available, signifying a big step up in resources pulled together to launch this type of attack,” according to Incapsula.

Incapsula co-founder Marc Gaffan told El Reg that the attack was most likely powered by a network of compromised servers rather than zombie PCs. Commandeering insecure WordPress installations and the like as a resource for DDoS attacks has become a fairly widespread hacker tactic over recent months.

It’s unusual for a 20+ Gigabit attack to last for anything more than an hour. The assault against BTC China was the longest 50+ Gigabit attack Incapsula has ever faced down. “This was a progressive attack,” Gaffan told El Reg. “The attackers either ran out of resources or money. It’s also possible they gave up after they realised they were not making headway.”

Gaffan added that the BTC China attack was “fairly sophisticated”, at least by the standards of old school SYN flood attacks. “The attackers didn’t just use one big cannon,” he said.

Bobby Lee, chief exec of BTC China, told El Reg that the DDoS attack was the first the exchange has faced in two years of operation. He said the effect of the assault was to slow down legitimate access to its site – users complained of patchy access or site unavailability during the attack in a Reddit thread here. Lee added that he had no idea who might have been behind the attack or what their purpose was.

“The attackers were out to disrupt things,” he said. “We don’t have a suspicion they were out to cause a [more general] Bitcoin crash.”

Lee also said that he thought it unlikely that the attack on BTC China was part of a wider campaign by hackers hoping to undermine confidence in the currency by attacking Bitcoin exchanges. Cybercrooks launched DDoS attacks on other exchanges during the summer in a bid to trigger a panic-driven sell-off of the volatile currency. The tactic allowed them to buy Bitcoins when the price dipped and sell at a profit once confidence in the market returned.

Although the attack against BTC China was rare in both its magnitude and duration, the increased availability of bandwidth means the scale of attacks is growing all the time, according to Incapsula.

“Even if your network provider has enough bandwidth to keep your site up, DDoS attacks not only suffocate your resources, but your neighbours as well. If you’re too noisy, you may be evicted (dropped by your service provider),” it warns.

Rival DDoS mitigation firm Arbor Networks separately published an attack trends study on Wednesday showing that the average volume of traffic in DDoS attacks in the year to date stands at 2.64 Gbps, up 78 per cent from 2012. There’s been a fourfold-plus (350 per cent) growth in the number of attacks hitting more than 20Gbps so far this year, as compared to the whole of 2012.

The largest monitored and verified attack size increased significantly to 191Gbps – an August assault against a mystery target not named by Arbor. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/bitcoin_exchange_ddos_flood/

Ubisoft’s Watch Dogs muzzled by delays


Spooks working at one of Europe’s largest defence contractors have warned that the delayed Ubisoft game Watch Dogs could create a whole new generation of hackers.

Cyber-security experts at Thales, a French multinational defence firm, are nervous that kids will be “turned on” to hacking by the new game. However, they may have been given a brief reprieve, because its release has now been delayed, sparking consternation across the internet.


Watch Dogs is an open world stealth game which allows the player to hack various computer systems in a city and reconfigure machines to do their bidding.

However, Kevin Wood, cyber centre technical lead at Thales, told The Reg that his staff were terrified by the possibility that hacking was about to go mainstream.

He said: “The tagline of this game is ‘hacking is our weapon’. You can buy it for £40 and then hack the infrastructure of a city state to achieve your aims.

“It will raise awareness of hacking. I’m not saying players will leave the game able to breach serious defences, but it’s a game, so hacking might become a game too.”

Wood was speaking at the launch of Thales’ (which rhymes with chalice) new Cyber Integration and Innovation Centre, in a building staff have dubbed “The Hanging Gardens of Basingstoke”.

Cyber warriors based in this London satellite town have built up a malware zoo made up of more than 6,000 pieces of malicious software. They will use these caged monsters to test clients’ system security by simulating cyber attacks.

Staff at this £2m centre have no doubt that the threat they face is growing every day.

Sam Keayes, vice president for security and consulting at Thales UK, added: “We are worried about the democratisation of hacking more generally, particularly as the number of tools that are freely downloadable, useable and configurable is growing. The industrialisation of these tools and the coming online of hacking games means that you increase the pool of people who are interested in hacking.”

Shares in Ubisoft slumped by 26 per cent after it announced that the release of Watch Dogs had been delayed. It was due to be released at the same time as the new Playstation 4. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/17/thales_says_ubisoft_makes_hacking_look_cool/

User-Selected Passwords Still Getting Cracked

The case against passwords has never been stronger.

While easily-guessed passwords have made media headlines, today’s password cracking systems can make short work of passwords, even those created using seemingly complex mnemonic devices. Current cracking techniques, fueled by cheap parallel computation using off-the-shelf graphic processors, can guess trillions of combinations every hour.

The hashed password list stolen from global intelligence service Stratfor’s website, for example, contained more than 630,000 passwords randomly generated by the site and consisting of eight alphanumeric characters. Cracking efforts took less than 24 hours to completely recover that portion of the 815,000 hashes in the stolen file, in part because the company had not added a random per-password value, known as a “salt,” to the hashing process, says Steve Thomas, president of PwnedList, a subsidiary of InfoArmor that tracks compromised accounts.

“It has never been easier,” Thomas says. “Being able to do 23 billion password possibilities every second … when you get a dump of hashes, you can very quickly get most, or maybe even all, cracked in a number of hours.”

Over the past half decade, three factors have fueled a renaissance in password cracking. Password-recovery programs have gained immense computational power by offloading the intensive calculations of dictionary-based and brute-force guessing to off-the-shelf graphics processors; users continue to rely on the same mnemonics to create passwords that seem secure while being easily memorized; and the insecurity of websites–from LinkedIn to Stratfor and from RockYou to Sony–has given researchers real-world lists of millions of hashes from which to uncover the systems that people use to create their passwords.

The result is that, at the same time that the power of cracking programs has skyrocketed, researchers are smarter at guessing the ways that users might create passwords, whittling down the lists of possible passwords. By creating better word lists and more intelligent methods of mangling real words and phrases, hackers and researchers can make an untenable computational problem much more feasible, Olga Koksharova, spokeswoman for password-recovery firm ElcomSoft, said in an e-mail interview.

“Smart guessing is relevant when passwords are not totally random but when there was used some technique to create a password,” she says. “In case of totally random passwords only brute-force attack can help and that is when speed” becomes most important.

[A Black Hat talk discusses shortcomings of the latest technical evolution of hashing passwords for safe storage in databases and proposes a competition to design something better. See Moving Away From Rash Hashing Decisions.]

Yet, password crackers have garnered a speed boost as well. Using a single computer with a single graphics card, the oclHashcat-plus program, for example, can check anywhere from hundreds of thousands to tens of billions of combinations each second, depending on which hashing algorithm was used to hash the entries in the password file.

“The technology that is used is graphics cards, because they are really good at doing parallel calculations,” Robert Graham, CEO of security consultancy Errata Security, said in an e-mail interview. “The current top-of-the-line video card, the Radeon 7970, can do over a billion guesses per second for several popular hashing algorithms.”
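To put the figures above side by side, here is an added Python example (not part of the Dark Reading article or of any product it mentions). It uses the article's own numbers: eight alphanumeric characters, roughly 630,000 unsalted Stratfor records, and the 23 billion guesses per second quoted by Thomas. The assumptions are that that rate applies to a fast unsalted hash (SHA-1 stands in for it here), and that the PBKDF2 salt length and 100,000-iteration count are constructed parameters for illustration rather than any site's real settings.

```python
"""Cost of cracking an unsalted password file, worked from the figures quoted above.

Added example, not from the article. Assumed: the 23 billion guesses/second
figure applies to an unsalted fast hash (SHA-1 is the stand-in here); the
PBKDF2 parameters are a constructed illustration, not any site's settings.
"""
import hashlib
import hmac
import os
from typing import Optional

ALNUM = 62                # upper and lower case letters plus digits
STRATFOR_LEN = 8          # eight alphanumeric characters, per the article
RATE_FAST = 23e9          # guesses per second quoted by PwnedList's Thomas
STRATFOR_RECORDS = 630_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float,
                     cost_per_guess: float = 1.0) -> float:
    """Worst-case hours to test the whole keyspace against every stored record.

    cost_per_guess is how many underlying hash computations one candidate
    costs compared with a single fast unsalted hash (see work_factor).
    """
    return keyspace(alphabet_size, length) * cost_per_guess / guesses_per_second / 3600


def work_factor(n_records: int, salted: bool, iterations: int = 1) -> int:
    """Hash computations needed to test ONE candidate against ALL stolen records.

    Unsalted: hash the candidate once and look it up in the set of stolen
    hashes, so every account is tested for the price of one hash.
    Salted: each record carries its own salt, so the candidate must be hashed
    separately per record, and a stretched KDF multiplies that by its
    iteration count. The salt alone does not slow an attack on one chosen
    account; it removes the amortisation across accounts and defeats
    precomputed tables. The iteration count is what slows each guess.
    """
    return iterations * (n_records if salted else 1)


def store_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, identical for every user with the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password: str, iterations: int = 100_000,
                 salt: Optional[bytes] = None) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 stretching (constructed parameters)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # Worst case for the 8-character alphanumeric Stratfor passwords at the quoted rate.
    print(f"keyspace: {keyspace(ALNUM, STRATFOR_LEN):,}")
    print(f"unsalted fast hash: {hours_to_exhaust(ALNUM, STRATFOR_LEN, RATE_FAST):.1f} h to exhaust")
    # Same file with per-record salt and 100k iterations: the per-candidate cost balloons.
    wf = work_factor(STRATFOR_RECORDS, salted=True, iterations=100_000)
    print(f"salted + stretched: {hours_to_exhaust(ALNUM, STRATFOR_LEN, RATE_FAST, wf):.3g} h")
    # Two users with the same (constructed) password: identical unsalted hashes,
    # distinct salted records, so one cracked hash no longer exposes both accounts.
    a, b = store_salted("example-pw"), store_salted("example-pw")
    print(store_unsalted("example-pw") == store_unsalted("example-pw"), a["hash"] != b["hash"])
    print(verify_salted("example-pw", a), verify_salted("wrong", a))
```

Run as a script it prints the 218 trillion-entry keyspace and the roughly 2.6 hours an unsalted file of that shape survives at the quoted rate, which is consistent with the "less than 24 hours" reported for Stratfor; the salted and stretched line shows why a site that stores passwords properly turns the same file into a very different proposition.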

Yet, whether the advances in cracking pose a danger to users is another question. While some attacks rely on guessing a small number of passwords, such as attacks on WordPress and Joomla earlier this year, hackers generally do not spend the time doing offline cracking of passwords, Elcomsoft’s Koksharova says. Instead, they use social engineering techniques to gain access to victims’ accounts.

Still, users can take a few easy steps to get the most security out of passwords, and foil any catastrophic hack. Users should not just use word combinations or phrases with some letters replaced with numbers or symbols; researchers and hackers attempt to attack those types of passwords first.

Choosing an extremely secure password is less important than most people think, Errata Security’s Graham says. The most important sites, such as banks and e-mail providers, have rarely had their password files stolen, so it’s typically more important for users to ensure that they do not use the same password on different sites.

“For each site you really care about protecting, make sure it’s unique, and not shared with any other website,” he says. “Otherwise, when those lesser websites get hacked, and those passwords get stolen, hackers will be able to break into your important accounts.”

Using a password manager may be the best approach, because it produces randomized passwords while minimizing reuse. In the end, most passwords just need to defend against a few guesses per second, not a billion, according to Graham.
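The advice above, that word-plus-substitution passwords are the first thing crackers try, is the kind of thing a site can check at sign-up. The following added Python example (not from the article, and not any real product's code) undoes common substitutions and strips the digits or symbols that mangling rules tack on, then looks the result up in a dictionary. The substitution table and the nine-word dictionary are constructed for the example; a real deployment would load a full cracking wordlist.

```python
"""Rejecting the password shapes the article says crackers try first.

Added example, not from the article. The wordlist is a constructed toy and
the LEET table is illustrative; a real check loads a full cracking dictionary.
"""
import itertools
import re
from typing import Optional, Set, Tuple

# Substitutions that mangling rules commonly apply; ambiguous symbols list every
# letter they are used to stand in for (constructed table).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l"}

# Constructed toy dictionary standing in for a real wordlist.
WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey",
            "sunshine", "football", "qwerty", "baseball"}


def unleet_variants(password: str, limit: int = 256) -> Set[str]:
    """All lowercase readings of `password` with substitutions undone.

    Each position keeps its original character and adds the letters it may
    stand for, so "p4ss" yields both "p4ss" and "pass". `limit` bounds the
    combinatorial blow-up on long, symbol-heavy inputs.
    """
    choices = [c + LEET.get(c, "") for c in password.lower()]
    variants: Set[str] = set()
    for combo in itertools.product(*choices):
        variants.add("".join(combo))
        if len(variants) >= limit:
            break
    return variants


def core_word(candidate: str) -> str:
    """Strip digits and punctuation that rules prepend or append (e.g. 'dragon2013')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate)


def mangled_base_word(password: str, wordlist: Set[str] = WORDLIST) -> Optional[str]:
    """Return the dictionary word a password is built from, or None if no rule matches."""
    for variant in unleet_variants(password):
        core = core_word(variant)
        if core in wordlist:
            return core
    return None


def check_policy(password: str) -> Tuple[bool, str]:
    """Accept only passwords that are not a mangled dictionary word."""
    base = mangled_base_word(password)
    if base is not None:
        return False, f"looks like '{base}' with substitutions or a suffix; crackers try these first"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: three mangled words, one passphrase, one random string.
    for pw in ["P@ssw0rd!", "Dr4g0n2013", "l3tm31n",
               "correct horse battery staple", "xq7Vb#9mzL"]:
        print(f"{pw!r:32} -> {check_policy(pw)}")
```

The check deliberately keeps the original character at every position as well as its letter readings, so a password whose digits are genuinely random is not mis-read as a word, while "P@ssw0rd!" and "Dr4g0n2013" are caught as "password" and "dragon". It says nothing about reuse across sites, which only the user (or a password manager, as Graham suggests) can control.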

Article source: http://www.darkreading.com/advanced-threats/user-selected-passwords-still-getting-cr/240162756