Do not use simple passwords and do not use the same password in more than one place

I found an article on Help Net Security about the kind of passwords people use. The article can be found here.

Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism.

In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.

Key findings of the study include:

  • The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.
  • Recommendations for users and administrators for choosing strong passwords.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Imperva’s CTO Amichai Shulman.

The report identifies the most commonly used passwords:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.

“The problem has changed very little over the past 20 years,” explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security.”

The complete report is available here.

There are two important lessons learnt from this:

1. Do not use simple-to-guess passwords.

2. Do not use the same password in multiple places.

If you do not follow these guidelines, and someone guesses your password, you are pretty much out of luck as they will be able to access all the accounts and sites that this password works with.

I always recommend building passwords along the following guidelines:

  • length between 8 and 12 characters, mixing alphanumeric and non-alphanumeric characters
  • contains at least one upper-case letter
  • contains at least one non-alphanumeric character
  • is not a derivation of a word, e.g. “t3stt3stt3st”, “password1”
  • is built from a sentence: pick a letter from each word of that sentence, replace some letters with numbers, and add at least one non-alphanumeric character.

An example of constructing a secure password (do NOT use the password below):

“This will be a cool password nobody will ever crack”

=> “Twb4cPWDnw3c!”
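To make the guidelines above and the study’s “trivial password” findings concrete, here is an added Python example; it is not code from this post. It contains a checker that flags each listed weakness (length, missing upper-case or non-alphanumeric character, leet-disguised or repeated dictionary words, consecutive digits or adjacent keyboard keys) and a mechanical version of the sentence recipe. The tiny word list, the leet table and the keyboard rows are constructed stand-ins for a real dictionary; the recipe function takes the first letter of every word and swaps a/e/i/o/s for digits, so its output differs from the hand-made password above, which also abbreviated “password” to “PWD”.

```python
import string

# Constructed toy word list standing in for a real dictionary (assumption).
COMMON_WORDS = {"password", "test", "princess", "iloveyou", "rockyou", "abc", "love"}

# Leet substitutions: forward map used by the recipe, reverse map used by the checker.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "@": "a", "$": "s"})

# Rows of a US keyboard, used to spot runs of adjacent keys such as "qwerty" (assumption).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LEN, MAX_LEN = 8, 12


def has_char_sequence(pw, run=3):
    """True if pw contains `run` characters that ascend or descend by one
    code point each ("123", "abc", "cba")."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_run(pw, run=3):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False


def is_word_derivation(pw):
    """True if pw is a dictionary word once surrounding digits/punctuation are
    stripped and leet substitutions are undone ("password1", "P@ssw0rd!"),
    or such a word repeated ("t3stt3stt3st")."""
    core = pw.lower().strip(string.digits + string.punctuation).translate(UNLEET)
    if not core:
        return False
    for word in COMMON_WORDS:
        if core == word or (len(word) >= 3 and core.replace(word, "") == ""):
            return True
    return False


def check_password(pw):
    """Return the list of guideline violations; an empty list means pw passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length")
    if not any(c.isupper() for c in pw):
        problems.append("uppercase")
    if not any(c.isdigit() for c in pw):  # the recipe's "replace letters with numbers" step
        problems.append("digit")
    if not any(c not in string.ascii_letters + string.digits for c in pw):
        problems.append("symbol")
    if is_word_derivation(pw):
        problems.append("word-derivation")
    if has_char_sequence(pw) or has_keyboard_run(pw):
        problems.append("trivial-sequence")
    return problems


def build_from_sentence(sentence, suffix="!"):
    """Mechanical version of the post's recipe: first letter of each word (case kept),
    leet-swap a/e/i/o/s, then append a non-alphanumeric suffix."""
    initials = [w[0] for w in sentence.split() if w[0].isalpha()]
    swapped = "".join(LEET.get(c.lower(), c) for c in initials)
    return swapped + suffix


if __name__ == "__main__":
    candidate = build_from_sentence("This will be a cool password nobody will ever crack")
    print(candidate, check_password(candidate))
    for weak in ("123456", "password1", "t3stt3stt3st", "Xqwerty9!"):
        print(weak, check_password(weak))
```

The checker returns labels rather than a yes/no so it can be dropped into a sign-up form and tell the user which rule was broken; with a real dictionary and keyboard layouts for other locales in place of the constructed tables it covers the patterns the Imperva study singles out.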

Follow the guidelines above, and you will never be hacked because of a weak password.


Adobe fixes critical holes in Shockwave

Adobe quietly released a HIGHLY CRITICAL update to Shockwave on Tuesday. Exploiting these vulnerabilities enables an attacker to inject code and – shock – take over your system. Yes, you need to update your Shockwave installation ASAP. And yeah, you even have to uninstall your old version first!

Adobe advisory is here:

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided below.

[…]

Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606.

Download Patches from here: http://get.adobe.com/shockwave/.

How to secure your Smartphone (Blackberry, iPhone, Windows Mobile-based phones)

Considering that more and more people use Smartphones like Blackberries and iPhones, mobile security becomes more and more of an issue. You have an anti-virus scanner on your laptop? A firewall? You keep it up to date with the latest patches? That is awesome; I commend you for it. But what about your phone that you use to access your e-mail? How do you protect your Smartphone from getting hacked?

This is the first part of a series on how to secure your Smartphones. Credits to PCMag.

BlackBerry (System 4.5 and higher)

Go to Options, then Security Options, then:

  1. Password-protect start-up. Under General Settings, set Password to Enabled. You may also want to change other settings here, such as the number of password attempts allowed before the device is locked, and whether the device should automatically lock on holstering. Commit your changes by pressing the Back button (the half-circle arrow) and enter your new password when prompted. Choose a password you’ll remember and that will be quick and easy to type using the device’s keypad. Confirm that password, then exit to the main menu. Lock your phone by pressing and holding the * button to confirm that it has been password-protected.
  2. Encrypt data. Scroll past General Settings to Content Protection, and enable it. Under Strength, you can select Strong (80 bits), Stronger (128 bits), or Strongest (256 bits). I recommend using Stronger for faster encryption/decryption or Strongest for the most security. Selecting Yes for Include Address Book will keep your contacts secure but also result in disabling caller ID when the phone is locked. Circle-arrow back out, then create an encryption key by randomly moving the trackball and typing characters. A good practice is to regenerate an encryption key every two to four weeks: Under Security Options | General Settings, click on any service, then click Regenerate encryption key.
  3. Secure passwords. Please don’t fall into the trap of saving usernames and passwords in your mobile device’s browser. Anyone who finds your device and unlocks it then has access to all of your online accounts. Instead, use the Password Keeper utility to store and encrypt this info.
  4. Lock down Bluetooth. By default, Bluetooth is on. In addition to wasting your battery, this leaves you open to Bluetooth-based attacks. From the Home screen, go to Set Up Bluetooth. When prompted to Add Device select Cancel. Press the Menu button, then select Options. Set Discoverable to No, so other devices can’t find your BlackBerry, and set Security to High—or if the Bluetooth devices you use with your BlackBerry support it, set Security to High + Encryption to encrypt Bluetooth data transmissions. From the following checklist, enable only those services you think you are going to use with Bluetooth—most commonly headset and hands-free. Exit and save.
  5. Clear memory. Also under Security Options, memory clearing can delete sensitive data, such as unencrypted e-mail messages and username, password, and other certificate-related info, from memory. You can set the BlackBerry to clear memory under certain circumstances—for example, when you holster your BlackBerry or lock it.

Smartphone (Windows Mobile 6)

  1. Password protect start-up. Go to Start | Settings | Lock and configure a password. Check the box next to Prompt if the device is unused for and then select a time period from the drop-down box, something in the 5-to-30-minute range. You can set your password to be a simple four-digit PIN or a strong alphanumeric string and then enter your password in the boxes below. You can also set a hint, but remember that this can be read by anyone with physical access to your phone. At this point, it would help to go to Settings | Today, click the Items tab and check the box next to Device Lock to provide a quick locking option on your Home screen.
  2. Encrypt data. Under Settings | Security | Encryption, check the box that says Encrypt files placed on the storage card, then click OK. A storage card can actually contain both encrypted and nonencrypted data, but encrypted data can be read only from the device in which it was encrypted and written, or from a Windows PC using ActiveSync and Windows Mobile Device Center. There’s also a big gotcha lurking: If you have to perform a hard reset of your device or update the ROM, you will lose the encryption key stored on the device, and with it, access to your data. Companies can push encryption policies to Windows Mobile devices using Exchange Server 2007.
  3. Secure passwords. This requires a third-party solution, such as KeePass or some other eWallet type of encrypted password manager.
  4. Lock down Bluetooth. Go to Start | Settings, then the Connections tab, then Bluetooth. On the Mode tab you can enable or disable Bluetooth and make your device visible; Off and Not visible are the more secure settings. Scroll all the way right to the Security tab and check the box to require authentication for data beaming.
  5. Clear the memory and cache. In Internet Explorer, go to Menu | Tools | Options; in the Memory tab you can set a history retention time in days or clear the history manually. Click the Delete Files button to clear the Web cache. Navigate to the Security tab and click the Clear Cookies button.

iPhone

Unfortunately, you won’t find a list item called “Encrypt data” below. At this point, there doesn’t seem to be any encryption available for iPhones.

  1. Enable Passcode Lock and Auto-Lock. Click the main iPhone Settings icon, then click the General tab and select Auto-Lock. Select the time period you want, then exit out to the Home screen. Once Auto-Lock locks the phone, Passcode Lock will require a four-digit PIN to unlock it. Click the iPhone Settings icon, then General, then Passcode Lock. From there enable Turn Passcode On. Enter your passcode. Tap Require Passcode and then choose “immediately.”
  2. Secure passwords. There’s no native way to do this, so you’ll have to use a third-party password manager.
  3. Lock down Bluetooth. It’s great that Bluetooth is off by default on iPhones, but you should also set yours to require an eight-character PIN for connections with Macs. Turn on Bluetooth only when you need it.
  4. Clear the memory and cache. Back on the Passcode Lock screen, you can disable SMS Preview while the device is in its locked state, and also turn on the Erase Data function. This will wipe the iPhone clean after ten failed passcode attempts. You can clear cookies, browser cache, and history from the Settings menu in Safari.

This should get you started.

Patch your Adobe Reader ASAP or get hacked like Google did!

Go to http://www.adobe.com/support/security/bulletins/apsb10-02.html and get your latest patch.

The hackers who tried to steal source code from dozens of companies used an exploit in Adobe Reader to get it done.

From Wired:

A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.

The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to the companies and were in many cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to an attack that targeted other companies last July, the company said.

A spokeswoman for iDefense wouldn’t name any of the other companies that were targeted in the recent attack, except Adobe.

Adobe acknowledged on Tuesday in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

The company didn’t say whether it was a victim of the same attack that struck Google. But Adobe’s announcement came just minutes after Google revealed that it had been the victim of a “highly sophisticated” hack attack originating in China in December.

Neither Google nor Adobe provided details about how the hacks occurred. Google said only that the hackers were able to steal unspecified intellectual property from it and had focused their attack on obtaining access to the Gmail accounts of human rights activists who were involved in China rights issues.

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

The hackers gained access to the company networks by sending targeted e-mails to employees, which contained a malicious PDF attachment. The malicious code exploited a zero-day vulnerability in Adobe’s Reader application.

Don’t get hacked! Patch now.

Adobe fixes out, addressing vulnerabilities that lead to system compromise

Update your Adobe Reader, Acrobat etc. installations. Adobe released 30 (!) security vulnerability fixes last week. Exploits are in the wild, using some of these vulnerabilities to ‘take control over the affected system’.

Details are here.

How to secure your Windows machine.

A recent statistic I read stated that over 70% (SEVENTY PERCENT) of new infections come from surfing to legitimate sites that are infected. A recent case was the New York Times (full story here):

Here’s a front-page story the New York Times (NYT) would rather not be running: The paper is warning readers to be aware of bogus ads running on its Web site. The paper says “some readers” have seen unauthorized pop-up ads promoting antivirus software on NYTimes.com, and warns visitors who see the ad not to click on it but to restart their browsers instead. While the Times doesn’t spell this out, the newspaper has likely had its site hijacked by a “malware” scammer who is trying to trick visitors into installing pernicious software onto their hard drives.

Thus, to get infected, it is enough to simply visit the legitimate web sites you always use. You no longer have to browse to any questionable content to get compromised.

In light of this, lots of people have been asking me what, in my opinion, it takes to reliably secure a Windows machine and protect it from the threats that are out there – viruses, worms, trojans, etc.

I recommend setting up multiple layers of defense on a Windows machine. The items below are listed in order of importance, highest first.

1. Keep your Windows machine current with the latest patches.
Ensure that Windows Update is turned on and configured to automatically download and install patches. If you put your machine into standby mode instead of turning it off every day, pay attention to whether patches need to be installed and the machine needs to be rebooted. I encounter a lot of installations that never get turned off, where the patches never get installed (although they are downloaded and ready to go).

2. Install an Anti-virus scanner.
This can be one of the big names out there: AVG (free), Norton, Trend Micro, McAfee. Get one of their package offerings that include phishing protection, link scanning, encrypted password storage. DO NOT BELIEVE that this is the only thing you need. Although they want to make you think that this is all you ever need, it is not true. Even the best AV scanners cannot keep up with the ever-changing strains of viruses that are out there (strains change hundreds or even thousands of times a day), therefore you need to have multiple layers of scanners to get a higher rate of protection.

Make sure that the ‘auto-protect’ features are turned on, i.e. the AV scanner runs ‘resident’ in memory. That means that live protection is turned on and viruses do not make it through.

IMPORTANT: YOU STILL NEED TO DO WEEKLY FULL SYSTEM SCANS.

Some people believe that they can leave auto-protect on but never scan their systems. The caveat with this is that auto-protect may miss a new strain of a virus and let it through. Even after the signatures get updated, auto-protect does not go back and detect the file that already slipped past it.

A full scan run after the update may then find it, so you need to make sure you actually run these scans.

Product-wise, I have been using Norton Internet Security for a long time, but I will let the license expire and try out a different AV scanner next year. Norton has disappointed me recently with the failure rate it has, i.e. viruses that do not get caught by it. Ideally, you use at least 2 different virus scanners, but this may get costly if you are looking to purchase solutions.

I am currently trying out the new Microsoft Security Essentials ‘AV and Malware’ scanner that was released on 9/30/09. I believe that AV and Malware protection should be free and included in an Operating System, but the MS AV scanner still may need some tuning to be comparable to any paid solution.

3. Install a separate Malware scanner. This is important.

You NEED to have a backup scanner to whatever AV solution you are using. This increases the rate of detection and reduces your total exposure significantly.

I recommend Malwarebytes’ Anti-Malware for this. It has worked well for me. There is a freeware and a commercial version for it. The major difference between the freeware and the paid version is that in the free version you have to run manual scans and it does not run in the background protecting you from new threats. I recommend you spend the $25 and purchase it. It is worth it. The interface is simple and structured in a no-nonsense kind of way, focusing on scanning, updating its database and showing you results of the last scans.

If you do not want to shell out the money to buy the full version, I recommend you use the Windows Task Scheduler to run this software daily to update the database and at least weekly to do a full scan of your system. It supports command-line arguments. Shoot me an email at info (AT) gansec.com if you want to have instructions on how to do that.

4. Install Secunia Personal Software Inspector (PSI) to keep your applications up to date

Install Secunia PSI to keep your third party applications (Adobe PDF Reader, Flash Player, Shockwave, Real Audio Player, any other stuff you use besides Microsoft Software) current. It scans your system and matches it up with an always current database of new versions for the applications you use. It is an extremely handy tool that you will not want to miss once you get used to it. You would not believe how many third party applications can severely compromise your system security if exploits are used against vulnerabilities that they have (example). Secunia PSI is Freeware.
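As an added illustration of what a tool like Secunia PSI does, and of why the Shockwave and Flash advisories in the posts above hinge on exact version numbers, here is a Python example; it is neither Secunia’s nor Adobe’s code. It compares an installed version against the first fixed version numerically, which matters because comparing version strings lexically sorts “11.5.10.0” before “11.5.6.606”. The inventory dictionary is constructed; the Shockwave pair 11.5.2.602 / 11.5.6.606 comes from the advisory quoted above, and the “Example Player” and “Unknown Tool” entries are placeholders.

```python
import re


def parse_version(text):
    """Split '11.5.2.602' into (11, 5, 2, 602) so that comparison is numeric.
    Comparing the raw strings is wrong: '11.5.10.0' sorts before '11.5.6.606'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_older(installed, fixed):
    """True when `installed` is strictly older than `fixed`. Missing trailing
    components count as zero, so '9.1' equals '9.1.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# First fixed version per product. The Shockwave entry is taken from the Adobe
# advisory quoted in the post above; "Example Player" is a placeholder.
FIXED_VERSIONS = {
    "Adobe Shockwave Player": "11.5.6.606",
    "Example Player": "2.4.0",
}

# Constructed inventory standing in for what a scanner would read off the machine.
INSTALLED = {
    "Adobe Shockwave Player": "11.5.2.602",
    "Example Player": "2.10.1",
    "Unknown Tool": "1.0",
}


def audit(installed, fixed):
    """Map each installed product to 'outdated', 'current' or 'unknown'
    (unknown = no fixed-version entry, so the product cannot be judged)."""
    report = {}
    for product, version in installed.items():
        if product not in fixed:
            report[product] = "unknown"
        elif is_older(version, fixed[product]):
            report[product] = "outdated"
        else:
            report[product] = "current"
    return report


if __name__ == "__main__":
    for product, status in audit(INSTALLED, FIXED_VERSIONS).items():
        print(f"{product:25} {INSTALLED[product]:12} {status}")
```

The “unknown” status is deliberate: a product that is not in the fixed-version table should be reported rather than silently treated as current, which is the same reason the post says you want an always-current database behind the scanner.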

5. Install a firewall on your Windows machine.

This usually comes with Windows (Windows Firewall) or with one of the ‘Internet Suites’ of the commercial AV vendors. This is to block annoying connection attempts, Malware that tries to communicate outbound across other ports than your standard web port (80), potential inbound hacking attempts. Make sure it is enabled. When you first enable a firewall you may have to permit standard ports (e.g. outbound Web for iexplore.exe, firefox.exe, etc), but this will settle down after the initial turn-up. Yes, it is extra work, but you need to invest it.

6. Keep backups.

Keep backups of your Windows installation. You can burn the data to DVDs or use an external storage solution. If you would like to look into external storage (especially important if you own a small business), I recommend Netgear’s ReadyNAS storage solution: about $1K for a fully redundant 1 terabyte of storage. It is extremely trivial to set up (it takes about 10 minutes from the time you turn it on until it is configured and ready for backups). Data will not be lost on this one.

These are 6 simple steps to get going on Windows Security. It takes some work to get there, but believe me, it beats the ‘man, my system is lost because of infections, I lost my documents, my bank account information got stolen and people write checks in my name via my Online-Banking access‘ by far.

– Sven Olensky.

Vulnerability in Adobe Reader and Flash Player – remote break-ins possible

Be careful when you use Flash Player to watch videos on the Internet or in your E-mail; also don’t open PDF files from unknown sources. There is currently an exploit in the wild that makes use of a new vulnerability, which essentially can result in an attacker taking over your system. There is currently no patch for this; Adobe is working hard to get one out next week. Until then, be cautious!

See the details on Adobe’s site: 
http://www.adobe.com/support/security/advisories/apsa09-03.html

[…] A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.
[…]
We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009 […] Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date.