OPLIN 4cast #357: Can words still protect us?

Wednesday, October 23rd, 2013

Over the past couple of months, Dan Goodin wrote two articles in Ars Technica about password and passphrase protection that have been widely quoted in the tech media. (We link to the longer one of them below.) The articles were prompted by the release of a new version of Hashcat, a password cracking program that can now recover passwords up to 55 characters long. Because software like this keeps making password cracking easier, it is common to see recommendations that users instead use a passphrase – a long series of words that is easier to remember than a single complex password. But if passphrases are too easy, they may not be any better protection than passwords.

  • How the Bible and YouTube are fueling the next frontier of password cracking (Ars Technica/Dan Goodin)  “As awareness has grown about the growing insecurity of passwords that were presumed strong only a few years ago, many people have turned to passphrases, often pulled from what they believe are overlooked songs, books, or other sources. The idea is to generate a long passcode that contains upper- and lower-case letters and possibly punctuation that’s nonetheless easy to remember. This turns out to be largely an exercise in futility. As is the case with passwords, the same thing that makes passphrases easy to remember makes them susceptible to easy cracking.”
  • Books and Youtube are supplying password crackers with billions of passphrases (Tested/Wesley Fenlon)  “And now crackers have discovered that resources like the Bible, Wikipedia, and the Gutenberg archive provide millions of phrases that people may use for passwords, believing that they’re long enough to be secure or unknown enough to be unguessable. ‘Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1’ from H.P. Lovecraft is a prime example. No computer could bruteforce such a complex password string, but no computer will have to – once that phrase is in a dictionary, it’s easy to crack.”
  • Is it truly, finally, sadly, game over for passwords? (Neal O’Farrell)  “A passphrase should not simply be a statement or saying that you read somewhere or remembered from childhood. Because if it’s been used before, chances are it’s already in a dictionary and could be guessed. A real passphrase is supposed to be something about you and your life that is unlikely to be on the internet and guessable by a hacker. And taking it one step forward, and one very crucial step, you don’t use the exact passphrase but only selected elements.”
  • Password cracker cracks 55 character passwords (Infosecurity)  “What the new version of hashcat demonstrates is that size is no longer as important as it used to be – it’s what the user does with the characters that matters. Length is still important; but rather than just a combination of words or phrases, it should be a mix of characters, numbers and punctuation symbols.”
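The cracking model described above (a phrase lifted from a well-known text, plus a cheap tweak such as a trailing digit) can be turned into a defensive screening step that rejects such passphrases at enrollment and contrasts them with randomly chosen words. The Python below is an added example, not code from OPLIN or from the articles quoted; the phrase list, the 1,000-variant rule-set size, the 10-million-line corpus figure and the 7,776-word list size are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed stand-in for the phrase sources the articles describe (Bible
# verses, Wikipedia sentences, lyrics, Project Gutenberg text). A real
# screening list would hold millions of lines; these are illustrative only.
KNOWN_PHRASES = [
    "In the beginning God created the heaven and the earth.",
    "To be, or not to be, that is the question.",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "All your base are belong to us",
    "The quick brown fox jumps over the lazy dog",
]

# Assumed size of the cheap "mangling" rule set (capitalise a word, append a
# digit or symbol, swap punctuation) that crackers apply to each base phrase.
ASSUMED_MANGLE_VARIANTS = 1000

_PUNCT = str.maketrans("", "", string.punctuation)
_TRAILING_MANGLE = re.compile(r"[0-9!@#$%^&*]+$")


def normalize(phrase: str) -> str:
    """Reduce a phrase to its skeleton: ASCII apostrophes, trailing digits or
    symbols removed, lower case, no punctuation, single spaces. A candidate
    whose skeleton matches a known line is only one cheap rule away from it."""
    phrase = phrase.replace("\u2019", "'")
    phrase = _TRAILING_MANGLE.sub("", phrase)
    phrase = phrase.lower().translate(_PUNCT)
    return " ".join(phrase.split())


def build_index(phrases) -> set:
    """Skeleton set, so each lookup is a single hash probe."""
    return {normalize(p) for p in phrases}


def is_known_phrase(candidate: str, index: set) -> bool:
    return normalize(candidate) in index


def corpus_entropy_bits(corpus_size: int, mangle_variants: int = 1) -> float:
    """Work factor (bits) when the phrase was lifted from a corpus of
    `corpus_size` lines and each line is tried with `mangle_variants` rules."""
    return math.log2(corpus_size * mangle_variants)


def random_words_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy (bits) of `words` words chosen uniformly and independently from
    a list of `wordlist_size` entries (the Diceware model)."""
    return words * math.log2(wordlist_size)


def assess(candidate: str, index: set, corpus_size: int) -> dict:
    """Screening verdict for one candidate passphrase."""
    known = is_known_phrase(candidate, index)
    bits = corpus_entropy_bits(corpus_size, ASSUMED_MANGLE_VARIANTS) if known else None
    return {"known_phrase": known, "approx_bits_if_known": bits}


if __name__ == "__main__":
    idx = build_index(KNOWN_PHRASES)
    # The Lovecraft example from the Tested article, with its trailing "1".
    lovecraft = "Ph\u2019nglui mglw\u2019nafh Cthulhu R\u2019lyeh wgah\u2019nagl fhtagn1"
    print(assess(lovecraft, idx, corpus_size=10_000_000))
    print(assess("library boiler tuesday marmalade", idx, corpus_size=10_000_000))
    print("6 random Diceware words:", random_words_entropy_bits(6, 7776), "bits")
```

A quote from a ten-million-line corpus with a thousand mangling rules is worth about 33 bits of work, while six words drawn at random from a 7,776-word list give about 77 bits.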

Hashcat fact:
Hashcat claims to be the world’s “fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker.” It’s also free.

OPLIN 4cast #344: Basic protection

Wednesday, July 24th, 2013

There was an interesting posting on the codeinsecurity blog a little over a month ago, which we didn’t see until recently, called “The anti-virus age is over.” The author, Graham Sutherland, argues that anti-virus (AV) programs cannot keep up with all the new types of malware in circulation and should just be considered “…a filter for the most basic attacks.” We know a lot of libraries still depend primarily on AV software for protection, so it seemed like it might be worthwhile to look this week at some of those new types of malware mentioned by Mr. Sutherland. (We’ve put the names of the malware types in bold.)

  • What is a polymorphic virus? (wiseGEEK) “Human viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup of immunities, and when a computer virus has a similar trait, the results can be unpleasant for computer users. It can be difficult to mount an adequate defense against a polymorphic virus, even with excellent antivirus software which has been designed to attempt to detect such viruses.”
  • Advanced Persistent Threats: The new reality (Dark Reading/Michael Cobb)  “What is an APT? Though the term originally referred to nation-states engaging in cyber espionage, APT techniques are also being used by cybercriminals to steal data from businesses for financial gain. What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced. Unlike the majority of malware, which randomly infects any computer vulnerable to a given exploit, APTs target specific organizations with the purpose of stealing specific data or causing specific damage. The Conficker worm, for example, used many advanced techniques but did not target a particular organization. It infected millions of computers in more than 200 countries. In contrast, Stuxnet was designed to target a certain type, a certain brand and a certain model of control system.”
  • Advanced Persistent Threats get more advanced, persistent and threatening (The Register/John Leyden)  “Attackers are getting even smarter by coming up with sneakier ways to evade detection. For example, FireEye has uncovered examples of malware that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems since the malware doesn’t generate any activity. In addition, malware writers have also incorporated virtual machine detection as a means to frustrate security analysis of their wares and DLL files to improve persistence. By avoiding the more common .exe file type, attackers using DLL files stand a better chance of avoiding detection for longer.”
  • New course teaches techniques for detecting the most sophisticated malware in RAM only (Network World/Linda Musthaler) “The part of The Invisible Man is now being played by highly sophisticated malware that is memory-resident only. Because it only exists in RAM, the malware never gets written to disk, which is where you would normally look for most kinds of malware. It’s a real challenge to find the malware in RAM until you follow the subtle clues that indicate something is there that shouldn’t be there.”

Sandbox fact:
One article above mentions a “sandbox.” Anti-virus software can sometimes combat difficult malware by using a virtual environment (sandbox) on a computer to run and test code from untrusted sources before it is installed for actual use.

OPLIN 4cast #331: Two factors are better than one

Wednesday, April 24th, 2013

People who work with Internet security have for some time advocated the use of “two-factor authentication” instead of a simple password control over access to sensitive or private information. Nobody likes to make things harder than we think they need to be, however, so adoption of two-factor authentication has been fairly limited. But last week, that may have begun to change, as Microsoft announced that two-factor authentication will be available (though not necessarily required) for all Windows products and services.

  • Microsoft rolling out two-factor authentication across its product line (ZDNet/Mary Jo Foley) “Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams because the victim’s password would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors already have implemented two-factor authentication.”
  • Microsoft Account gets more secure (Official Microsoft Blog) “This release enables optional two-step verification for your entire Microsoft account. Two-step verification is when we ask you for two pieces of information anytime you access your account — for example, your password plus a code sent to a phone or email on file as security info. More than a year ago, we began bringing two-step verification for certain critical activities, like editing credit cards and subscriptions at commerce.microsoft.com and xbox.com, or accessing files on another one of your computers through SkyDrive.com. For these scenarios, two-step verification is required 100 percent of the time for everyone, given the sensitive nature of these tasks.”
  • Apple ID: Frequently asked questions about two-step verification for Apple ID (Apple Support) “Two-step verification simplifies and strengthens the security of your account. After you turn it on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key.”
  • AP Twitter hack sends stock market spinning (New York Magazine/Kevin Roose) “In my opinion, there is really only one lesson from this afternoon’s flash-crash: namely, Twitter needs multi-step authentication for verified and/or news-breaking accounts now. Twitter has gotten calls for stronger security measures for years, and it’s always been pretty reluctant to promise anything. (Last year, the company would say only, “We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure.”) But after today’s data point, it can’t wait any longer.”

Factor fact:
Good two-factor authentication combines a Knowledge Factor (something the user knows) with a Possession Factor (something the user has).

OPLIN 4Cast #286: Responding to a breach

Wednesday, June 13th, 2012

Last week’s revelation that millions of LinkedIn passwords had been stolen was just the latest in a long line of data breach stories. While public libraries don’t store millions of passwords or credit card numbers, they do store a lot of patron data, and things as mundane as people’s street addresses are beginning to be considered sensitive information by some security experts. With luck, your library ILS vendor has not made the same mistake that LinkedIn made and stored sensitive user information with relatively weak encryption. But if the worst should happen and your library system gets hacked, what’s the best way to respond? Are there lessons to be learned from the misfortune of previous data breach victims?

  • Dissecting LinkedIn’s response to the password breach (PC Magazine/Fahmida Y. Rashid)  “‘We are contacting all members we believe could potentially be affected, starting with those who we believe are at the greatest risk. We have already initiated the outreach,’ a LinkedIn spokesperson said in an email. She was unable to provide any other details. I was very concerned about LinkedIn’s focus on members at ‘greatest risk.’ How do they define this?”
  • Zappos data breach response a good idea or just panic mode? (Network World/Ellen Messmer)  “…online shoe and clothing retailer Zappos has taken assertive steps, including compelling customers to change passwords, plus temporarily foregoing 800-number phone service in an effort to redeploy customer-service representatives to respond to customer email.”
  • Heartland CEO on breach response (BankInfo Security/Tracy Kitten)  “…[Bob Carr, CEO of Heartland Payment Systems] says information sharing is key, especially among other payments processors. ‘Don’t minimize the impact,’ Carr says. ‘Share information. … The bad guys might be in somebody else’s system, so it is good for everyone to communicate.’ Although a great deal has changed since 2009, when Heartland’s breach was exposed, Carr says open communications, especially for publicly-traded companies, will pay dividends in the long run.”
  • Data breach response plans: Yours ready? (Information Week/Mathew J. Schwartz)  “Timing-wise, for example, don’t assume that immediately disclosing a breach should be the first step. ‘I’ve seen organizations that totally jumped the gun–We’ve got to do it– and they’ve notified, but have no response mechanism in place for the individuals who have been affected, so it’s adding insult to injury,’ Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. ‘We always tell our clients that if they’re going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back.’”

Breach facts:
The three breaches mentioned above affected: 6.5 million LinkedIn users; 24 million Zappos customers; and 130 million Heartland credit card accounts.
[And one more fact: OPLIN's plan for Security Incident Response is included in our overall Information Technology Security Management plan.]

OPLIN 4Cast #265: Innovations in cyber crime

Wednesday, January 18th, 2012

Malicious attacks on websites continue to make the news. Whether it’s Anonymous exposing a whole country’s control and data systems or hackers stealing huge amounts of data last weekend from Zappos, the pace of malicious activity on the web has certainly not slowed down. While these big-news attacks generally use rather traditional hacking methods, the nasty people on the web have also been busy developing new attack vectors, and you might want to be aware of them.

  • Developer sneaks fake apps into Android market (SecurityNewsDaily/Matt Liebowitz)  “Behind their innocent facade, the cloned apps hid a secret weapon – they compromised customers’ smartphones by using them to send premium-rate text messages to the tune of about $20. ‘The texts are notifications that the user has been charged around $5, but you end up getting 3-4 of them in one shot,’ DroidGamers wrote. ‘A free download just became a $20 purchase.’”
  • Hackers spread malware via children’s gaming websites (BBC News)  “‘I believe that children’s computers are more vulnerable to attacks because they are usually in worse shape – in other words the owners are less likely to have the latest security updates installed,’ said Mr Vlcek [AVAST Software chief technical officer]. ‘The child may also be less suspicious that something wrong is happening than an adult would be.’”
  • Cyber-criminals target mobile devices with QR codes (SecurityWeek/Brian Prince)  “‘This is the first time we have seen a QR code used in an active spam campaign,’ Patrik Runald, senior manager of security research at Websense, told SecurityWeek. ‘Because QR codes are the ultimate URL obfuscator, with the right social lure, QR codes can become increasingly more successful in driving users to websites hosting malware targeting the mobile device.’”
  • Security flaw in printers could expose businesses to hackers (Huffington Post/Janean Chun)  “Keith Moore, HP’s chief technologist, also disagrees that the threat of security breaches through printer hacking could already be widespread. Moore points out that the researchers didn’t use passwords on the printers they tested and adds that no consumers have reported similar incidents. ‘There has been no data at all that any of this has been exploited. So we’re looking at the theoretic possibility, in a lab, to see if that can ever occur in a real world situation.’”

Cyber attack fact:
This sobering 11-minute video of a TED talk by Ralph Langner reminds us that cyber attacks may not always come from criminals.

OPLIN 4Cast #258: DoS’d for the holidays

Wednesday, November 30th, 2011

Late in the afternoon on Black Friday, the oplin.org website was hit by an apparent Denial of Service (DoS) attack. DoS and DDoS (Distributed Denial of Service) attacks overwhelm a website with so many requests for connections that the webserver is too busy with this “junk” traffic to respond to legitimate traffic. As a result, it looked like the OPLIN website, and all the services that run on the same server – like the 4cast – were offline for a couple of hours until we stopped the attack. Why was oplin.org targeted? Good question, since it’s a pretty innocuous website, but certainly the timing of the attack suggests that we may have been an innocent victim of a general increase in DoS attacks that happens around the holidays.

  • E-commerce, retail websites alert for DDoS attacks this holiday season (eWEEK/Fahmida Y. Rashid)  “DDoS attacks increased by 30 percent in 2010, and the number is expected to be higher in 2011, according to Gartner estimates. The attacks have also been escalating in size and complexity in 2011, according to Paul Sop, chief technology officer at Prolexic. Attackers generally are throwing more packets, using more bandwidth and targeting the application layer, Sop said. E-commerce businesses aren’t the only ones that have to worry about DDoS attacks during this holiday season, as hospitality, gaming and shipping services should also be on high alert for DDoS attacks, Sop said.”
  • Corero advises retailers of risks associated with DDoS attacks during holiday shopping season (BusinessWire)  “DDoS attacks bring victim websites to a crawl or halt, using network flooding techniques that have been in use for more than a decade, and more recently, insidious application-layer attacks which are very difficult to detect. Online commerce depends on sites that are responsive and always available. Frustrated customers will quickly abandon an unresponsive site and go to another.”
  • Firewalls can’t keep up with DDoS attacks (PCWorld/John E. Dunn)  “The survey of 1000 medium and large organizations in ten countries found that up to 45 percent of respondents experience such attacks on a regular basis, a mixture of application and network-layer incursions. About half rated denial of service attacks as highly effective with 79 percent saying they still relied on firewalls to deflect them despite 42 percent finding that such devices were ineffective against conventional attacks at the network layer.”
  • Happy holidays: 5 ways to use DoS testing to thwart cyber extortion (BreakingPoint/Pam O’Neal)  “…online businesses still fear these threats, with little confidence in the DoS mitigation and security measures put in place to protect them. This is especially true for Internet retailers, the latest victims of hacker-extortionists. Internet retailers have a small window to ‘get it right’ when it comes to hardening their resiliency to DoS or DDoS attacks. And the post-Thanksgiving Cyber Monday is part of that small window.”

Method fact:
Kaspersky Labs reports that the “HTTP flood” method, which simply sends a huge number of HTTP requests to the targeted site over a short period of time, accounted for 88.9% of all DDoS attacks in the second quarter of 2011.
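Because an HTTP flood is just many requests from a source in a short time, the first detection step is a sliding-window count per client in the web server’s access log. The Python below is an added example, not OPLIN’s code; the log lines are constructed (RFC 5737 documentation addresses, invented timestamps) and the 50-requests-per-10-seconds threshold is an assumption a real deployment would tune to its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, path) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]


def peak_rates(lines, window=timedelta(seconds=10)):
    """Peak number of requests per client IP within any `window`.

    Lines are consumed in file order (the server appends chronologically);
    for each request, entries older than `window` are dropped and the largest
    count seen for that IP is recorded.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_floods(lines, threshold=50, window=timedelta(seconds=10)):
    """Client IPs whose peak rate within `window` reaches `threshold` requests."""
    return sorted(ip for ip, n in peak_rates(lines, window).items() if n >= threshold)


def constructed_sample(flood_ip="203.0.113.7", flood_requests=300):
    """Synthetic log: two normal visitors plus one HTTP-flood source.

    Constructed data: documentation addresses and invented timestamps around
    the Black Friday afternoon the post mentions.
    """
    tz = timezone(timedelta(hours=-5))
    start = datetime(2011, 11, 25, 16, 2, 0, tzinfo=tz)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

    def line(ip, offset_s, path):
        ts = (start + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return fmt.format(ip=ip, ts=ts, path=path)

    lines = []
    for i in range(20):  # normal browsing: a request every few seconds
        lines.append(line("198.51.100.9", i * 4, "/page%d" % i))
        lines.append(line("192.0.2.33", i * 5 + 1, "/catalog"))
    for i in range(flood_requests):  # flood: all hits on "/" within ~6 seconds
        lines.append(line(flood_ip, 30 + i * 0.02, "/"))
    lines.sort(key=lambda l: parse_line(l)[1])  # chronological, like a real file
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    print(peak_rates(sample))
    print("flood sources:", flag_floods(sample))
```

A distributed flood spreads the same request volume over many addresses, so a per-IP count alone misses it; the same window logic applied to the total request rate against the site’s normal baseline is the complementary check.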

OPLIN 4Cast #204: Locking down WiFi

Wednesday, November 17th, 2010

Up until now, many public libraries have not been too concerned with the security of their public wireless networks. Libraries, after all, are open to the public, so why shouldn’t their networks be “open,” too? Does it really matter if a neighbor might “steal” some of the library’s bandwidth? But about a week before Halloween, the Firesheep extension for the Firefox web browser rattled the WiFi world. Suddenly, it became ludicrously easy to use open WiFi library networks to steal patrons’ usernames and passwords to unsecured websites like Facebook and Twitter. Suddenly, there’s a really good reason to lock down the library WiFi.

  • Firesheep in wolves’ clothing: extension lets you hack into Twitter, Facebook accounts easily (TechCrunch/Evelyn Rusli)  “Developer Eric Butler has exposed the soft underbelly of the web with his new Firefox extension, Firesheep, which will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies. As Butler explains in his post, ‘As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed’ in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user’s site with their credentials.”
  • Protection from FireSheep (ReadWriteWeb/Audrey Watters)  “Since Firesheep was released, there have been a number of countermeasures developed, ostensibly to warn if not protect users from potential side-jacking. Blacksheep, released earlier this week by Zscaler, generates ‘fake traffic’ then monitors the network to see if Firesheep is active. But Blacksheep warns you that it is, then what? Other than shutting off your notebook and perhaps relocating to a different cafe with free Wi-Fi, what are your options?”
  • Free WiFi should use “free” password (Ars Technica/Jacqui Cheng)  “…businesses that offer free WiFi to customers—such as Starbucks or hotels—are still putting everyone at risk of being sniffed and hacked by leaving their networks open. If those businesses were to simply lock their networks down (WPA2, of course) with the password of ‘free,’ then customers’ information would be much more secure and the world would be a happier place.”
  • Password doesn’t shear Firesheep (BoingBoing/Glenn Fleishman)  “Thus, you could defeat Firesheep today by assigning a shared key to a Wi-Fi network until the point at which some clever person simply grafts aircrack-ng into Firesheep to create an automated way to deauth clients, snatch their keys, and then perform the normal sheepshearing operations to grab tokens. [...] The way around this is to use 802.1X, port-based access control, which uses a complicated system of allowing a client to connect to a network through a single port with just enough access to provide credentials.”
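Firesheep works because the session cookies it captures are sent in the clear; the web-side fix is to serve the site over HTTPS and mark session cookies Secure (and HttpOnly), which a simple audit of Set-Cookie headers can verify. The Python below is an added example, not code from OPLIN, Firesheep or any article above; both HTTP responses are constructed and the session-cookie name heuristic is an assumption.

```python
# Constructed responses: the first is the kind of site Firesheep could harvest
# (plain HTTP, session cookie without Secure or HttpOnly); the second is the
# hardened form (HSTS, session cookie flagged Secure and HttpOnly).
INSECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Assumed heuristic: cookie names containing these fragments carry a login.
SESSION_HINTS = ("sess", "auth", "token", "login")


def parse_headers(raw: str):
    """Split a raw response into its status line and (name, value) pairs.
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value: str):
    """Return (cookie_name, {attribute_lower: value or True}) for one Set-Cookie."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(raw: str) -> dict:
    """Flag session cookies that an open-Wi-Fi sniffer could capture or reuse."""
    _, headers = parse_headers(raw)
    hsts = any(n == "strict-transport-security" for n, _ in headers)
    cookie_findings = {}
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if not looks_like_session(name):
            continue  # a theme preference leaking is not a hijacked login
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure flag: browser sends it over plain http://")
        if "httponly" not in attrs:
            problems.append("no HttpOnly flag: readable by injected page scripts")
        if problems:
            cookie_findings[name] = problems
    return {"hsts": hsts, "cookie_findings": cookie_findings}


if __name__ == "__main__":
    print("insecure:", audit(INSECURE_RESPONSE))
    print("hardened:", audit(HARDENED_RESPONSE))
```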

OPLIN Fact:
89% (645) of all Ohio public library buildings offer free public WiFi.

OPLIN 4Cast #202: The Business of Bots

Wednesday, November 3rd, 2010

Now that we’ve left Cybersecurity Awareness Month behind us (October, but you might not have seen it on your calendar) as well as the barrage of robot calls that always precedes an election, it seems like a good time to catch up on the news from the world of botnets, the pesky tools of cyber criminals that can take control of public PCs and turn them into bot zombies under the control of nasty people. We’re not trying to give you a post-Halloween scare—if you keep your security software up to date you should be OK—we just thought it’s interesting how similar the criminal botnet business is to many other online business ventures.

  • The rise of the small botnet (Security Week/Ram Mohan) “Today, would-be criminals can choose to buy the latest version of kits such as ZeuS, or even ready-made botnets, for as little as $2,500, which is not a large sum when you consider that the potential rewards could quickly add up to tens or even hundreds of thousands of dollars. Cracked versions of such tools are sometimes made available for free, which has caused some toolkit developers to add DRM protections to their software. Indeed, this industry has even taken advantage of the ease and scalability of cloud-based business models allowing customers to ‘rent’ their fully hosted botnet solutions for as little as $60 a day.”
  • Botnet for sale business going strong (eWeek/Brian Prince) “In the cyber-underground, botnet victims are a form of currency, Gunter Ollmann, vice president of research at Damballa, told eWEEK. A particular management tool may cost $500 to purchase but could be traded for 4,000 bot victims in the U.K., for example. The hurdles to building a botnet are so low now ‘any man and his dog can get started in this business,’ he said.”
  • The “Iranian Cyber Army” strikes back (Seculert Research Lab) “There are numerous different exploit kits being sold in underground forums among cyber criminals. Competition in this crowded and lucrative market is driving authors to create exploit kits with sleek and sexy user interfaces, so the product will be more attractive to potential customers.”
  • Japan has national botnet warriors (Ars Technica/Matthew Lasar) “Cyber Clean does the usual good stuff, trying to raise public awareness about the dangers of bots. [...] But the Cyber Clean operation goes a massive step further than public education. It searches for bot-infected PCs, then engages in a series of ‘attention rousing activities’ to get the user to realize that her computer has been hijacked.”

Japan fact:
The .jp (Japan) Internet domain is one of the world’s safest domains, ranking only behind .edu and .travel for lack of threats from malware, browser exploits, spam, aggressive pop-ups, and suspicious affiliations.

OPLIN 4Cast #146: Your security is our security.

Wednesday, September 30th, 2009

You have heard it before, you will hear it again…security, security, security.

Day after day we warn users that without good security, 1.) their e-mail accounts are dangerously exposed to hackers, 2.) their networks are vulnerable to outside attacks and 3.) the OPLIN network can be compromised.

All three of these instances happened this week, causing OPLIN staff to scramble to reduce the amount of damage. This is a big deal.

Historically, when someone gets hacked on the OPLIN network, the reason for the compromise isn’t to steal your identity or use your computer to tap into some top-secret government agency. We get hacked because someone wants to steal an e-mail account for sending out spam.

Thousands of people are impacted when one user e-mail ID is compromised or one library server isn’t protected. OPLIN IPs get blocked by folks like Google, Yahoo! and Time-Warner, and it takes time to get removed from their blocked lists. In the meantime, all OPLIN mail is backlogged and we block your offending IP as per the OPLIN Good Neighbor policy.

This week, the security breaches could have been easily averted. Do not assume that someone else is taking care of your computer and e-mail security. Ask! Make sure you are receiving at least weekly Microsoft updates and daily anti-virus updates. Use a strong password on your e-mail account. Be proactive and, when possible, take personal responsibility for your machine.

Here are some articles about the severity of malware and ways to protect your account and the OPLIN network.

OPLIN 4Cast #143: New hardware, Secure & social, Sentiment analysis, Photos

Thursday, September 10th, 2009

1. New hardware on the horizon

2. Be secure AND social

3. Sentiment analysis

4. Photos