All posts by Ben Finke

How To Pick a Good Password

As a regular reader of this blog, you’ll know we’re sticklers for good passwords.  And if this is your first visit, welcome to the show!

To be completely honest, a username and password is actually not an ideal way to secure a system.  Usernames are almost always easily guessable, and passwords usually are too.  But, for a lot of systems, that is what we have, so it’s important to pick good strong passwords to protect your information.

Before we dive into good password rules, I’d like to look at how passwords get compromised in the first place, so you’ll know what we’re up against.

Generally speaking, there are 4 ways that your super secret password becomes, well, not so secret:

  1. Your password is really easy to guess
  2. One of the websites you use experiences a breach (and you use that password everywhere!)
  3. Someone is able to use a “Forgot My Password” function to reset your password
  4. You get tricked into telling someone your password

Easy to Guess?

Why did I use “password” as my password?!

Just about everyone knows that your password shouldn’t be obvious.  Hilariously bad examples exist like “password”, “123456”, and “password1” (you know, to make it complex).  I know I sound like the stuffy old security guy when I say that, but it’s not something I just think; I know that those passwords are used all the time.  How could I possibly know, you ask?  Well, lots and lots of websites suffer breaches every year, and lots of those websites do a really crummy job of taking care of your password, and then the attacker usually ends up posting them for everyone to see, so security nuts like me get to chart these things.  In 2013, “123456” was the MOST POPULAR password in use, followed by “password”.  Not kidding.

You also shouldn’t use your username as your password.  It sounds silly, but it happens.  Not too long ago we were performing a security audit on a web application, and one of the concerns the client had was over their ability to detect password guessing activity.  We scripted up some automated login actions, fed it a list of 2000 common usernames, and tried logging in with either “password” or the exact same word as the username.  To the client’s surprise (not ours) about 130 of the accounts used the same word for their username and their password.  Another 35 or so used “password”.  It took us about 30 minutes.  Seriously.  Don’t use your username as your password.

One of your favorite websites is breached! (Gasp!)

OK, so let’s say you’ve figured out a super awesome password.  It has numbers, capital letters, special characters, the works.  It’s 15 characters long, and no one would ever guess it.  Awesome, nice job.

So you take your super awesome password, and register on a site that sends you coupons for things like spray tans and dog spas (hey, no judgement here).

Also not good at protecting passwords, it turns out….

Turns out that the oddly orange, dog-loving entrepreneurs aren’t good at securing their website, and someone steals the user database and posts it for the world to see.  The usernames and the passwords are stored in cleartext, which means they look just like you type them.  It has your email address, and your password, right there, plain as day.  Your super awesome password is no longer secret, super, or awesome.  If you used this password on everything (Facebook, LinkedIn, your email account, your bank), it’s just a matter of time before someone bothers to try it.

Now let’s say that a few months later, another website you use suffers a breach, only they do something called hashing.  A hash is a one-way math function that takes in your password and spits out a string of numbers and letters.  Think of it like a meat grinder.  You put a steak in one end, and ground beef comes out the other side.

In this case, the “grinder” always spits out the same hash value when you enter the same password, so instead of storing your actual password, the site stores the hash and compares the hash of the password you just entered with the hash it has on file.  And just like a meat grinder, there is no way to reverse the process. (How many times have you seen someone put a steak back together from ground beef? Exactly.)

Attackers know this, and so have built enormous precomputed tables called Rainbow Tables: they take huge lists of potential passwords, run them through the same hashing function, and then compare the results against the hash values they just stole from the website.  There are some things a website can do to make that harder, but lots of websites just get to the hashing part and go no further.

Note: Not an actual rainbow table.

So the moral of this story is to use different passwords for different sites.  That way, if the above scenario unfolds, you only have one site to worry about, instead of your entire online identity.
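To make the hashing and rainbow-table discussion concrete, here is an added Python example (mine, not from the original post): a precomputed table recovers every common password in a leaked hash-only database with one lookup per user, while a random per-user salt plus a slow key-derivation function, one of the “things you can do to make that harder” the post alludes to, leaves that table with nothing to match. The email addresses, passwords, salts and the SHA-256/PBKDF2 choices are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed candidate list; the post names the first three as real favorites.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein", "abc123"]

def unsalted_hash(password: str) -> str:
    """Weak scheme: hash only. The same password gives the same hash everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once. A real rainbow table stores chains instead
    of every pair to save space, but the effect is the same: one lookup per hash."""
    return {unsalted_hash(p): p for p in candidates}

def match_stolen_hashes(stolen: dict, table: dict) -> dict:
    """Which users' passwords fall straight out of a leaked unsalted database."""
    return {user: table[h] for user, h in stolen.items() if h in table}

def users_sharing_a_hash(stolen: dict) -> int:
    """Identical hashes reveal shared passwords before any lookup; a site auditing
    its own unsalted database would see the same thing."""
    counts = Counter(stolen.values())
    return sum(n for n in counts.values() if n > 1)

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt defeats precomputed tables; the iteration count slows guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only what is needed to verify a later login: the salt and the hash."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "hash": salted_hash(password, salt)}

def verify(password: str, record: dict) -> bool:
    """Constant-time compare so response timing does not leak partial matches."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])

def demo() -> dict:
    # Constructed "stolen" user database from a site that only hashed.
    stolen = {
        "alice@example.com": unsalted_hash("123456"),
        "bob@example.com": unsalted_hash("password"),
        "carol@example.com": unsalted_hash("123456"),         # same hash as alice
        "dave@example.com": unsalted_hash("Wq7#vL2pz!Rm9xTd"),  # long, not in table
    }
    table = build_lookup_table(COMMON_PASSWORDS)
    # Hardened site storing the same password for two users. Fixed constructed
    # salts keep the demo reproducible; real code lets register() draw them.
    rec_a = register("123456", bytes.fromhex("00112233445566778899aabbccddeeff"))
    rec_c = register("123456", bytes.fromhex("ffeeddccbbaa99887766554433221100"))
    return {
        "recovered": match_stolen_hashes(stolen, table),
        "shared_hash_users": users_sharing_a_hash(stolen),
        "salted_hashes_differ": rec_a["hash"] != rec_c["hash"],
        "table_hits_salted": rec_a["hash"].hex() in table or rec_c["hash"].hex() in table,
        "login_ok": verify("123456", rec_a),
        "wrong_password_ok": verify("password", rec_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```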

Forgot your password?

You see these same questions every time you register on a site.  Mother’s maiden name?  City you were born in?  Maid of Honor at your wedding?  These are the questions you get asked when you want to reset your password.  And this is great: since you are now using separate passwords for all of your sites (right?), it’s possible that from time to time you may need assistance getting into one of them.

Some sites handle the password reset issue well, some not so much.  Most sites will ask you a question, then send you a temporary code to your registered email address, which is good.  Even if someone guesses the answer, they still need access to your email.  Other sites will ask a security question, then let you reset the password right there if you get the right answer.  Those are dangerous, so you need to make sure the answers to those questions can’t be discovered in 2 minutes of looking at your Facebook profile.

OK, let’s pick a good password!

Now that we’ve seen the different ways that passwords can be compromised, let’s look at what makes a good password.

We know it shouldn’t be easy to guess, so regular words are out.  And since the attackers can use those Rainbow Tables to compare possible passwords, we need to use a password that is pretty long and has lots of different characters in it.

Some rules to use:

  1. Make sure your password is at least 10 characters long
  2. Use capital and lower case letters
  3. Use a number (or several)
  4. Use some punctuation (!@#$%^&*)

If you follow the above rules, an attacker would need a rainbow table of roughly 100 petabytes to ensure they have your password hash in their table.  If you drop one of those rules, though, it shrinks fast.  Let’s say you only use letters and numbers.  That drops the rainbow table to 13 petabytes.  Still huge, but not nearly as huge as before.  Let’s say you use a shorter password, like 7 characters.  Even if you follow the other rules, we’re down to about 250 gigabytes, much more manageable.  Let’s not make it manageable.  Every additional character you put in your password makes it exponentially harder for the attacker.

Time to change your eBay password!

News reports coming out this morning indicate that eBay will be asking all of its 112 million users to reset their passwords on the site as soon as possible.  We highly recommend you do that, and use a good, hard-to-guess password that you don’t use anywhere else.

eBay is obviously an incredibly popular site, and emails about needing a password reset on eBay have long been a favorite ruse of email scammers.  Today’s email (which may or may not be caught in your spam filter) is actually legit (but you’re going to follow the rules for not getting phished, right?  Thought so.)

We’re still waiting on more details from eBay, but at this point it appears that attackers used stolen employee credentials to access the database containing all of the encrypted passwords for all eBay users sometime in February or March.  It appears at this point that no confidential information was contained within that database, but it does include usernames, email addresses, phone numbers, and addresses.

PayPal, a sister company of eBay, was not involved in this breach, and as of right now there is no indication that this breach has affected PayPal at all.

Although the passwords were encrypted, eBay (and others) believe that sufficient tools exist that the attackers may be able to reverse the encryption.  So, better safe than sorry.  Oh, and while you’re at it, you don’t use the same email and password to log in to Facebook, do you? Or Twitter?  And certainly not any of the financial institutions you do business with, right?  Good, just checking.  Because you shouldn’t use the same password for everything, right?  Right.  Good.  Glad we got that cleared up.

Now if you’ll excuse me, I have an eBay password to change.  And while I’m there, I may as well check on my bid on that Atari 7800.  It’s vintage!

Thanks for reading!  More updates as they become available!


2014 Verizon Data Breach Report – An overview


As information security professionals, we crave reliable information about our adversaries and their tactics.  As you can imagine, this kind of data can be difficult to get (for a variety of reasons), so we take full advantage of any good information we can obtain.  One of the great sources of information over the past few years is the annual Verizon Data Breach Investigations Report (DBIR).

The DBIR started out as Verizon Enterprise (the part of the division that was previously known as Cybertrust) publishing anonymous statistics on the cases they had investigated over the previous year.  Since they were only called in when it was already known that a security incident resulting in information loss had occurred, they were in a good position to describe the chain of events leading to a data breach and look for patterns there.

Over the years, a number of other groups have added their caseload to the study.  The DBIR team has continued to refine their approach, and are consistently looking to use a new perspective to see if patterns emerge from the data.  This year the report includes all security incidents, not just cases where data loss was confirmed. This helps to grow the sample size of cases.  The annual DBIR is one of the best insights we have into how the bad guys work, and something we always look forward to reading.

There are lots of great pieces in this year’s report, and a lot of it aligns with trends we have seen in the past year as well.  In this year’s DBIR, a fresh perspective revealed that 92% of all information security attacks can be described with 9 basic patterns. This proves that a) these attack patterns are successful across industry verticals and b) the vast majority of attacks don’t require an extraordinary level of sophistication.  Which is both good and bad news.

One of the more eye-opening data points within the report every year is the difference between how long the initial (successful) attack takes (usually measured in minutes) and how long discovery and containment take (usually measured in months!).  This year’s report doesn’t disappoint in this area.  To the charts!

2014 DBIR – Compromise versus Contain
A look back over the last 10 years… not getting much better. © Verizon

The above chart shows that the attackers have a much better ratio of successful attacks in less than a week than defenders do in just finding the evidence of the attack.  And the attackers are getting better.  Let’s look at one of the nine specific attack patterns highlighted in this year’s DBIR to see the gap between compromise and containment:

POS Infection – Compromise versus Contain
© Verizon

There were several publicized breaches involving retailers in 2013.  As you can see (from the mildly terrifying graph above) the attacker successfully compromises their target and exfiltrates data from the network in minutes.  The information security team responsible for defending these systems may not find out that they have a problem for weeks.  But how did they find out they had a problem?

© Verizon

Turns out that (for the POS attack vector) it’s always an external party that makes the discovery, usually because the data the attackers exfiltrated is for sale on the various marketplaces that traffic in such things.  While the overall trend isn’t quite that bad, it’s not great either:

© Verizon

As you can see, internal detection checks in as the source of detection in 20% of the cases over the last 10 years.

We’ve got to do better.  We can do better.  We’ve got two major places to improve: detection and response time.

It’s a (sad) fact of life in the information security field these days, but we know that prevention isn’t enough.  We’ve got to be able to detect and correct when our preventative defenses are breached.  We’ve got to build better segmentation into our networks, manage the configurations and patch levels of our systems, and ensure we provide our defenders time to look around and find potential problems.

Even with increased detection, how do we fix the response time gap?  The DBIR notes in a few places that the attacker speed is most likely an indication that the attack sequence has been heavily automated.  It’s time for the blue teamers to automate too.  And we’re not talking about scripts for specific tasks.  We’re talking about digital robots executing the same standard operating procedures your security analysts would use, only faster and at scale.

Over the next few weeks we’ll be following up with some of our strategies on both detection and automation.  Let’s make a dent in these numbers for next year!

Thanks for reading!

Cryptolocker – the latest addition to your “Most Annoying Things” list…

A few months ago I was at the airport, ready for my 6:50 am flight.  Yeah, that’s right.  6:50 AM.  In the morning.  I am going to be totally honest, I wasn’t even sure oxygen is out that early in the day, but evidently it is.  Anyway, arriving in the terminal mere moments before my flight, it occurs to me I have but a brief chance to obtain caffeine before wheels up.  Luckily, a Starbucks presented itself across the hallway.  Ducking inside, I order an iced coffee, to which the barista replies “We’re all out.”

Me: “Oh, are you having a problem with the ice machine?”

Barista: “Nope.”

Me: <Long Pause> “So…. are you out of coffee?”

Barista: “Nope, we have coffee.  We usually make a batch of coffee and cool it down, but we don’t have any right now.”

Full disclosure: I am not a physicist.  I have limited training in fluid thermodynamics.  I am not a barista.

Me: “Umm.  OK.  Can I have a regular coffee and a cup of ice then?”

Barista: “OK, here you go.” <Hands me a cup of hot coffee and a cup half full of ice.  I drain the hot coffee into the cup with ice and hand back the hot coffee cup>.

I walked away celebrating my victory over inside-the-box thinking.  And then I promptly spilled the coffee on my shirt.  Oh yeah, and my flight ended up delayed for two hours.

Why did I just bore everyone with that story?  To illustrate how annoying and aggravating today’s topic is.  I’d rather repeat the iced coffee saga every morning than deal with this other thing.

Hopefully you never have to deal with Cryptolocker.  It really is one of those don’t-even-wish-it-on-your-enemies kinds of things.  But at some point you or someone you know will.  So here we go:

Cryptolocker: A brief primer:

It can go by lots of names, but the most famous is Cryptolocker.  A member of the ransomware family of malware, Cryptolocker is installed on your computer like any other piece of malware, and then proceeds to encrypt all of the files on your computer.  Everything in your Documents folder, everything in your Pictures folder, and even files on network shares that your computer is connected to.  Then you get the message pop-up: You can have the key to decrypt your files… for a fee.

The malware itself isn’t actually that hard to remove.  The only problem is you are still left with all of your files encrypted.  Should you pony up the cash if this hits your computer?  While there are certainly stories of people trying this route and regaining access to their files, there are also plenty of stories of payment leading to no action on the bad guys’ part.  My suggestion is that you take some basic precautions that will allow you to survive an attack of this sort without having to deal with this decision at all.

An ounce of prevention…

True Story: Benjamin Franklin was actually referring to Cryptolocker – what a futurist!

When it comes to defending yourself, the very best thing you can do is follow some good practices before you ever have to deal with something like this.

A good backup routine is the single most important thing you can do to ensure your ability to survive any of these types of attacks.  The simplest way to do backups is to get an inexpensive USB hard drive and backup your important files once a week or so.  Don’t leave it connected all the time though!  In fact, if you have a fire safe, that would be a good place to keep it when not actively backing up your PC.

There are also an abundance of “cloud” backup solutions available, and the costs are dropping rapidly.  They have the added advantage of being offsite, available anywhere, and usually have some kind of automatic backup application that handles everything for you.  Even if Cryptolocker strikes, you can usually access the previous non-encrypted version of your files.

The basic rule of thumb for determining if your backups are sufficient is to answer the following question: If you had to replace your current computer with a new one and all you had was this backup, could you do it?  Would you have everything you needed, like documents, pictures, music, and email?

After backups, the best prevention is following the basic safe computing practices: Don’t open attachments in your email from people you don’t know, keep your computer up to date on patches, and run an up-to-date host protection suite (won’t catch everything, but will certainly catch the obvious stuff).

If you’re already infected with Cryptolocker

I hope you have good backups.  So far none of the white hat researchers who have tried have been successful in reverse engineering the malware to find a method to obtain the decryption key.  The only way to fix a computer infected with Cryptolocker is to do a complete reinstall of the operating system, and then bring back in your documents from a backup.  Much like my shirt with the giant coffee stain, an infected machine needs a fresh start before it will be useful again.

That’s it for this post.  Thanks for reading, and stay safe out there!

Attacks against Internet Explorer browsers – What to do if you still run Windows XP

[Updated April 30 @ 3 PM] Late Sunday evening Microsoft released details about an ongoing series of attacks against Internet Explorer browsers.  This is a serious vulnerability that enables an attacker to gain control of a target computer when the user simply browses to an infected website.

Microsoft has been researching this vulnerability with FireEye, one of EI’s antimalware partners, and has provided some information on the technical details of the attacks and some mitigation strategies while Microsoft works on a patch.

While this vulnerability affects virtually every version of Internet Explorer, the biggest concern is for those systems still running Windows XP, which reached End of Support status earlier this month, meaning no patches for security vulnerabilities are forthcoming.  So what can you do to protect yourself?

1. Use a different web browser.

While Internet Explorer 8 is the latest version that will run on Windows XP (newer versions of Windows currently run Internet Explorer version 11), the latest versions of both Google’s Chrome and Mozilla’s Firefox run just fine on Windows XP.  There may be some compatibility issues with internal applications, but it is safe to allow the use of the older Internet Explorer browser within the network as long as Firefox or Chrome is used for all Internet-based web browsing.

2. Install Microsoft’s EMET application

The Enhanced Mitigation Experience Toolkit from Microsoft provides a great deal of protection against vulnerabilities such as this one.  EMET installs like a regular application, and comes with a default profile to get you going.  The great thing about EMET is that you can apply this protection to any program on your computer, regardless of who wrote it.  A highly recommended install that will reduce your exposure to this and future vulnerabilities.

Microsoft’s EMET 4.1:

3. Your normal account should not be an administrator level account.

While we do not know if this particular vulnerability requires administrative rights on the target computer to be successful, we do know that the vast majority of attacks rely on the fact that almost everyone uses their computer with an account that has full administrative privileges.  In newer versions of Windows there are protection schemes in place like User Account Control to grant elevated rights when needed, and otherwise run at a normal user level.  But Windows XP does not have this feature, and for convenience most accounts are set up as administrators, and stay that way.  EI highly recommends that you modify your normal account to run as a regular user, and keep a separate admin account handy for installing and updating software.

4. Don’t click on links in email messages

In order for this attack to be successful, the attacker has to convince you to visit a page on which he or she has embedded the exploit code.  One of the most common ways to do this is through a “phishing” attack, where an email purporting to be from a friend, co-worker, or familiar company arrives asking you to visit a web page.  You should never click on such a link, since the true destination is often hidden and difficult to detect at first glance.  If you get a notice from your bank that they have an important message for you, open your browser and navigate there directly; do not use the link in the email.  And if you do receive a suspicious email message, please forward it on to your security team for further review.

Microsoft’s security advisory:

FireEye’s technical write-up of the vulnerability and attack methods:

[Update]: Microsoft has clarified some of the guidance that was issued earlier, focusing on the EMET tool and other workarounds in great detail: