OPLIN 4cast #357: Can words still protect us?

Wednesday, October 23rd, 2013

Over the past couple of months, Dan Goodin wrote two articles in Ars Technica about password and passphrase protection that have been widely quoted in the tech media. (We link to the longer one of them below.) The articles were prompted by the release of a new version of Hashcat, a password cracking program that can now recover passwords up to 55 characters long. Because software like this keeps making password cracking easier, it is common to see recommendations that users instead use a passphrase – a long series of words that is easier to remember than a single complex password. But if passphrases are too easy, they may not be any better protection than passwords.

  • How the Bible and YouTube are fueling the next frontier of password cracking (Ars Technica/Dan Goodin)  “As awareness has grown about the growing insecurity of passwords that were presumed strong only a few years ago, many people have turned to passphrases, often pulled from what they believe are overlooked songs, books, or other sources. The idea is to generate a long passcode that contains upper- and lower-case letters and possibly punctuation that’s nonetheless easy to remember. This turns out to be largely an exercise in futility. As is the case with passwords, the same thing that makes passphrases easy to remember makes them susceptible to easy cracking.”
  • Books and Youtube are supplying password crackers with billions of passphrases (Tested/Wesley Fenlon)  “And now crackers have discovered that resources like the Bible, Wikipedia, and the Gutenberg archive provide millions of phrases that people may use for passwords, believing that they’re long enough to be secure or unknown enough to be unguessable. ‘Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1’ from H.P. Lovecraft is a prime example. No computer could bruteforce such a complex password string, but no computer will have to – once that phrase is in a dictionary, it’s easy to crack.”
  • Is it truly, finally, sadly, game over for passwords? (Neal O’Farrell)  “A passphrase should not simply be a statement or saying that you read somewhere or remembered from childhood. Because if it’s been used before, chances are it’s already in a dictionary and could be guessed. A real passphrase is supposed to be something about you and your life that is unlikely to be on the internet and guessable by a hacker. And taking it one step forward, and one very crucial step, you don’t use the exact passphrase but only selected elements.”
  • Password cracker cracks 55 character passwords (Infosecurity)  “What the new version of hashcat demonstrates is that size is no longer as important as it used to be – it’s what the user does with the characters that matters. Length is still important; but rather than just a combination of words or phrases, it should be a mix of characters, numbers and punctuation symbols.”

Hashcat fact:
Hashcat claims to be the world’s “fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker.” It’s also free.
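The articles above all make the same point: a passphrase copied from a published source is only as strong as the wordlist it ends up in. The defensive counterpart is to refuse such phrases at the moment a user chooses them. The following is an added example (not code from the articles, from Hashcat, or from OPLIN) of a passphrase policy check that normalizes a candidate the way a cracker's rule engine would (case, accents, punctuation, trailing digits, simple letter-for-digit substitutions) and rejects it if it matches a known phrase. The `KNOWN_PHRASES` list, the `MIN_LENGTH` value and the normalization rules are assumptions for illustration; a real deployment would load the list from the same public corpora the articles name and from previously leaked password sets.

```python
import re
import unicodedata

# Constructed sample of phrases a cracker's wordlist would contain.
# In practice this is built from scripture, lyrics, Wikipedia, Project
# Gutenberg and leaked passwords; these four entries are illustrative only.
KNOWN_PHRASES = [
    "In the beginning God created the heaven and the earth",
    "To be or not to be that is the question",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "We're no strangers to love, you know the rules and so do I",
]

MIN_LENGTH = 20      # assumed policy value, not from the articles
MIN_MATCH = 12       # assumed: shortest normalized fragment worth matching

# Letter-for-digit substitutions that wordlist rule engines undo routinely.
_LEET = str.maketrans("0134578@$", "oieastbas")


def normalize(text: str) -> str:
    """Reduce a candidate to the form a rule engine would try anyway:
    strip accents, lowercase, drop a trailing run of digits/punctuation
    (the 'fhtagn1' pattern), fold leetspeak, then keep only letters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower()
    text = re.sub(r"[^a-z]+$", "", text)   # trailing '1', '!!', etc.
    text = text.translate(_LEET)
    return re.sub(r"[^a-z]", "", text)


_KNOWN = {normalize(p) for p in KNOWN_PHRASES}


def check_passphrase(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects short candidates and anything
    whose normalized form equals, contains, or is contained in a known
    phrase (substring matches only above MIN_MATCH letters)."""
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    norm = normalize(candidate)
    if not norm:
        return False, "no alphabetic content"
    for phrase in _KNOWN:
        if norm == phrase:
            return False, "matches a published phrase"
        if len(norm) >= MIN_MATCH and (norm in phrase or phrase in norm):
            return False, "contains or extends a published phrase"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the first three reproduce the articles' theme,
    # the last is an unpublished phrase and passes.
    for pw in [
        "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
        "To be, or not to be: THAT is the question!!",
        "To be or not to be!!",
        "purple stapler hums beneath the fourteenth tuesday",
    ]:
        print(f"{pw!r}: {check_passphrase(pw)}")
```

The substring rule is what catches the "only selected elements" advice being applied too timidly: trimming a famous line to its first half still leaves a fragment the wordlist rules will reassemble. Length is checked on the raw input, not the normalized form, so punctuation and spacing still count toward the minimum.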

OPLIN 4cast #344: Basic protection

Wednesday, July 24th, 2013

There was an interesting posting on the codeinsecurity blog a little over a month ago, which we didn’t see until recently, called “The anti-virus age is over.” The author, Graham Sutherland, argues that anti-virus (AV) programs cannot keep up with all the new types of malware in circulation and should just be considered “…a filter for the most basic attacks.” We know a lot of libraries still depend primarily on AV software for protection, so it seemed like it might be worthwhile to look this week at some of those new types of malware mentioned by Mr. Sutherland. (We’ve put the names of the malware types in bold.)

  • What is a polymorphic virus? (wiseGEEK) “Human viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup of immunities, and when a computer virus has a similar trait, the results can be unpleasant for computer users. It can be difficult to mount an adequate defense against a polymorphic virus, even with excellent antivirus software which has been designed to attempt to detect such viruses.”
  • Advanced Persistent Threats: The new reality (Dark Reading/Michael Cobb)  “What is an APT? Though the term originally referred to nation-states engaging in cyber espionage, APT techniques are also being used by cybercriminals to steal data from businesses for financial gain. What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced. Unlike the majority of malware, which randomly infects any computer vulnerable to a given exploit, APTs target specific organizations with the purpose of stealing specific data or causing specific damage. The Conficker worm, for example, used many advanced techniques but did not target a particular organization. It infected millions of computers in more than 200 countries. In contrast, Stuxnet was designed to target a certain type, a certain brand and a certain model of control system.”
  • Advanced Persistent Threats get more advanced, persistent and threatening (The Register/John Leyden)  “Attackers are getting even smarter by coming up with sneakier ways to evade detection. For example, FireEye has uncovered examples of malware that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems since the malware doesn’t generate any activity. In addition, malware writers have also incorporated virtual machine detection as a means to frustrate security analysis of their wares and DLL files to improve persistence. By avoiding the more common .exe file type, attackers using DLL files stand a better chance of avoiding detection for longer.”
  • New course teaches techniques for detecting the most sophisticated malware in RAM only (Network World/Linda Musthaler) “The part of The Invisible Man is now being played by highly sophisticated malware that is memory-resident only. Because it only exists in RAM, the malware never gets written to disk, which is where you would normally look for most kinds of malware. It’s a real challenge to find the malware in RAM until you follow the subtle clues that indicate something is there that shouldn’t be there.”

Sandbox fact:
One article above mentions a “sandbox.” Anti-virus software can sometimes combat difficult malware by using a virtual environment (sandbox) on a computer to run and test code from untrusted sources before it is installed for actual use.

OPLIN 4cast #331: Two factors are better than one

Wednesday, April 24th, 2013

People who work with Internet security have for some time advocated the use of “two-factor authentication” instead of a simple password control over access to sensitive or private information. Nobody likes to make things harder than they need to be, however, so adoption of two-factor authentication has been fairly limited. But last week, that may have begun to change, as Microsoft announced that two-factor authentication will be available (though not necessarily required) for all Windows products and services.

  • Microsoft rolling out two-factor authentication across its product line (ZDNet/Mary Jo Foley) “Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams because the victim’s password would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors already have implemented two-factor authentication.”
  • Microsoft Account gets more secure (Official Microsoft Blog) “This release enables optional two-step verification for your entire Microsoft account. Two-step verification is when we ask you for two pieces of information anytime you access your account — for example, your password plus a code sent to a phone or email on file as security info. More than a year ago, we began bringing two-step verification for certain critical activities, like editing credit cards and subscriptions at commerce.microsoft.com and xbox.com, or accessing files on another one of your computers through SkyDrive.com. For these scenarios, two-step verification is required 100 percent of the time for everyone, given the sensitive nature of these tasks.”
  • Apple ID: Frequently asked questions about two-step verification for Apple ID (Apple Support) “Two-step verification simplifies and strengthens the security of your account. After you turn it on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key.”
  • AP Twitter hack sends stock market spinning (New York Magazine/Kevin Roose) “In my opinion, there is really only one lesson from this afternoon’s flash-crash: namely, Twitter needs multi-step authentication for verified and/or news-breaking accounts now. Twitter has gotten calls for stronger security measures for years, and it’s always been pretty reluctant to promise anything. (Last year, the company would say only, “We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure.”) But after today’s data point, it can’t wait any longer.”

Factor fact:
Good two-factor authentication combines a Knowledge Factor (something the user knows) with a Possession Factor (something the user has).

OPLIN 4cast #286: Responding to a breach

Wednesday, June 13th, 2012

Last week’s revelation that millions of LinkedIn passwords had been stolen was just the latest in a long line of data breach stories. While public libraries don’t store millions of passwords or credit card numbers, they do store a lot of patron data, and things as mundane as people’s street addresses are beginning to be considered sensitive information by some security experts. With luck, your library ILS vendor has not made the same mistake that LinkedIn made and stored sensitive user information with relatively weak encryption. But if the worst should happen and your library system gets hacked, what’s the best way to respond? Are there lessons to be learned from the misfortune of previous data breach victims?
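For a library that cannot see inside its ILS vendor’s code, the practical question behind “relatively weak encryption” is what strong password storage looks like so it can be asked about. The block below is an added example (not LinkedIn’s, any ILS vendor’s, or OPLIN’s code) contrasting the weak pattern, a single fast unsalted hash, with the recommended one, a per-user random salt and a deliberately slow key-derivation function, and including a small audit that an administrator with read access to a user table can run to detect the weak pattern from the outside: if two accounts with the same password share an identical stored value, no salt is in use. The iteration count and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed work factor; tune so one check costs tens of ms


def weak_store(password: str) -> str:
    """The weak pattern: one fast, unsalted hash. Identical passwords yield
    identical digests, and precomputed tables and GPU crackers apply directly."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user 16-byte random salt plus PBKDF2-HMAC-SHA256. The algorithm
    and work factor are stored with the digest so they can be raised later.
    Record format (assumed): pbkdf2_sha256$iterations$salt_hex$digest_hex"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_duplicate_digests(records: dict[str, str]) -> list[str]:
    """Defensive audit over {username: stored_value}. Returns stored values
    shared by more than one account. Any hit means the store is unsalted
    (or salts are being reused), which is the LinkedIn-style weakness."""
    counts = Counter(records.values())
    return sorted(v for v, n in counts.items() if n > 1)


if __name__ == "__main__":
    # Constructed user table: two patrons happened to pick the same password.
    common = "summer2012"
    weak_table = {"alice": weak_store(common), "bob": weak_store(common),
                  "carol": weak_store("library-card-4471")}
    strong_table = {u: strong_store(p) for u, p in
                    [("alice", common), ("bob", common), ("carol", "library-card-4471")]}
    print("weak store, shared digests:", audit_duplicate_digests(weak_table))
    print("strong store, shared digests:", audit_duplicate_digests(strong_table))
    print("strong verify (correct):", strong_verify(common, strong_table["alice"]))
    print("strong verify (wrong):  ", strong_verify("wrong", strong_table["alice"]))
```

The audit is deliberately crude, but it is the kind of check a library can ask its vendor to demonstrate: create two test accounts with the same password and confirm the stored values differ. The work factor is the other question worth asking, since a salt alone does nothing to slow down a cracker working through one account at a time.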

  • Dissecting LinkedIn’s response to the password breach (PC Magazine/Fahmida Y. Rashid)  “‘We are contacting all members we believe could potentially be affected, starting with those who we believe are at the greatest risk. We have already initiated the outreach,’ a LinkedIn spokesperson said in an email. She was unable to provide any other details. I was very concerned about LinkedIn’s focus on members at ‘greatest risk.’ How do they define this?”
  • Zappos data breach response a good idea or just panic mode? (Network World/Ellen Messmer)  “…online shoe and clothing retailer Zappos has taken assertive steps, including compelling customers to change passwords, plus temporarily foregoing 800-number phone service in an effort to redeploy customer-service representatives to respond to customer email.”
  • Heartland CEO on breach response (BankInfo Security/Tracy Kitten)  “…[Bob Carr, CEO of Heartland Payment Systems] says information sharing is key, especially among other payments processors. ‘Don’t minimize the impact,’ Carr says. ‘Share information. … The bad guys might be in somebody else’s system, so it is good for everyone to communicate.’ Although a great deal has changed since 2009, when Heartland’s breach was exposed, Carr says open communications, especially for publicly-traded companies, will pay dividends in the long run.”
  • Data breach response plans: Yours ready? (Information Week/Mathew J. Schwartz)  “Timing-wise, for example, don’t assume that immediately disclosing a breach should be the first step. ‘I’ve seen organizations that totally jumped the gun–We’ve got to do it– and they’ve notified, but have no response mechanism in place for the individuals who have been affected, so it’s adding insult to injury,’ Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. ‘We always tell our clients that if they’re going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back.’”

Breach facts:
The three breaches mentioned above affected: 6.5 million LinkedIn users; 24 million Zappos customers; and 130 million Heartland credit card accounts.
[And one more fact: OPLIN's plan for Security Incident Response is included in our overall Information Technology Security Management plan.]