Tag Archives: strong passwords

Does that make sense: Bitlocker for Desktop Computers?

13 January 2015

The answer is: It definitely makes sense.

Okay, this sounds strange because it’s not very likely that a desktop computer will be lost. But if your computer is stolen, the thief has full access to the data stored on the disk, even if he cannot log in to your system.

An attacker just has to boot Linux from a USB stick and mount the Windows hard disk into the Linux filesystem. This allows him to read everything stored on your computer: credit card statements, insurance policies, or scanned love letters.

But the worst is yet to come. The thief has access to your hashed Windows passwords. These are stored in the SAM (System Account Manager) database, the file C:\windows\system32\config\sam. The SAM is locked while Windows is running, but it can be read easily once the disk is mounted in a Linux system. Very strong passwords pay off in such a case…

Don’t Panic, and have a good day.

Sunset on rhine ferry Leverkusen, 11/28/2014

Sony-pocalypse – Sony hack exposes poor security practice

6 December 2014

In ‘Sony hack exposes poor security practices’ Warwick Ashford talks about the lessons learned from the latest Sony cyber attack.

‘According to the FBI, the malware comes wrapped in an executable “dropper” that installs itself as a Windows service.’

The big question is: How does a dropper get onto my computer? And why could a dropper start itself as a service? Under normal conditions, administrative privileges are required to start a service.

‘It also uses the command line of the Windows Management Interface (WMI) to spread to other computers on the network.’

This is definitely the most important piece of information. If you are somewhat familiar with Windows networks, you know that you can install services on another computer in your network only if you have administrative privileges on that computer.

In other words, the attackers got access to a domain administrator account, or to a service account that is installed on all computers in the network, including the servers.

All this sounds like phishing and weak passwords, flavored with a missing concept for privileged account management. It’s always the same old story…

If you would like to read more about the impressive technical details of the malware, see this report on Ars Technica.

Lütetsburg Park, 53°35'55.0"N 7°15'39.5"E

Have a good Weekend!

Review: Poor password practices put 60% of UK citizens at risk

4 December 2014

Poor password practices put 60% of UK citizens at risk.

Warwick Ashford’s report is really alarming. ‘More than six in 10 UK consumers put their data at risk by using a single password across multiple online accounts, a study has shown.’

But the worst is yet to come. They also use weak passwords: ‘Trustwave analysed more than 625,000 password hashes and found 54% were cracked in just a couple of minutes and 92% in 31 days.’

Passwords are definitely inappropriate for authentication in the age of cyber crime. The news of the past weeks shows that major players in the IT market like Twitter, Microsoft or Google have developed technologies to address this problem.

FIDO U2F Security Key

The FIDO U2F standard (FIDO = Fast Identity Online Alliance, U2F = Universal Second Factor) appears to be a quantum leap towards secure authentication on the world-wide web. Google has already integrated this standard into the Chrome browser. The second factor is established by a security key attached to a USB port.

Unfortunately it only comes into play after you have logged in to your computer, phone or tablet, and only in Chrome.

And that, in my opinion, is the crux of the matter. In a perfect world, I would like to log in to my computer with a PIN or fingerprint and the FIDO U2F security key attached to the device.

A central, globally available and trusted identification authority verifies my identity and creates my identity token, which is valid for the duration of my session.

All services like Google, Home Depot, Amazon, the city council or the tax office rely on this identity token. For reasons of security the identity must be checked again before critical transactions are carried out.

Sounds fantastic, doesn’t it?

Look forward to a world without passwords!

Windows 10 offers two-factor authentication out of the box – Thanks, Microsoft!

30 October 2014

Native support for Two Factor Authentication in Windows 10. This news saved my day!

This new security feature in Windows 10 might be the reason why IT groups start evaluating Windows 10 as soon as possible. Because with Two Factor Authentication all data breaches with root cause ‘theft of credentials’ will become impossible. Phishing attacks in the enterprise environment will become meaningless and the ‘strong password’ discussion obsolete from one day to the next.

But the best is yet to come: Two Factor Authentication will be available for all platforms. With Windows 10 you can use the same Two Factor Authentication method for your mobile devices as for your laptop or workstation. It’s really a pity that Windows 10 will not run on iDevices.

For details see Jim Alkove’s post ‘Windows 10: Security and Identity Protection for the Modern World’.

Hopefully, Microsoft will support Two Factor Authentication also for the Windows Home Editions.

Dropbox Hacked – Minimize your Attack Surface!

16 October 2014

I heard the news Tuesday evening at 10 o’clock: “Dropbox hacked. About 7 million usernames and passwords stolen.” I could hardly believe it. My first thought was: Why only 7 million credentials? Dropbox has 200+ million users. Why should someone be satisfied with 7 million credentials if he could have 200 million? Something seems to be very wrong with this story. Moreover, the quality of the data is very bad. Please check the Pastebin site for a sample.

And then the recantation: Dropbox announced that there was no data breach. “‘These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks, and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well,’ a Dropbox spokesman said in an email to Reuters.” For details see Hundreds of alleged Dropbox passwords leaked.

Since media interest is nearly zero today, the story is certainly true.

What really annoys me is how sloppily user credentials are treated by the ‘other services’. Data and log-in credentials were stolen from third-party apps, which are actually supposed to simplify daily life with Dropbox. For more details see the great report Snapchat And Dropbox Breaches Are Really Third-Party-App Breaches by Elise Hu from 14 October 2014.

Unfortunately these apps increase the complexity of our life and gadgets. Each app comes with its known and unknown vulnerabilities, which could be used by an attacker to get access to our private data. But the worst is yet to come: You are surrounded by friends with buggy gadgets, which will affect your life too when hijacked by an attacker.

To put it concisely: The more apps you use, the larger your attack surface and the higher the risk of a data breach.

How to solve this problem? Simplify! Focus on the really important apps and uninstall the others. Activate TFA and use strong passwords. And tell your friends to decrease their attack surface as well.

Don’t Panic!

It’s all about strong passwords, but what is a strong password?

11 October 2014

In his report ‘Apple security depends on users, hack shows’, Warwick Ashford talks about the latest Apple security issues:

‘However, the effectiveness of the controls Apple has put in place to keep passwords secure ultimately depends on the password users choose, said James Lyne, global head of research at Sophos.’

To put it concisely: It’s all about strong passwords.

But what is a strong Password?

There is lots of advice on how to build a strong password like ‘#Q7fr%78’. Unfortunately those passwords are really hard to remember and to type. Some days ago I watched a webinar about WordPress security where a different approach was presented.

It’s all about password length, because the number of combinations an attacker has to try in a brute force attack depends essentially on the length of the password:

Number of combinations = [Number of characters] to the power of [length of your password]

That’s just boring math. So let me show what this means with an example:

If you choose a password from lowercase letters ‘a..z’ only, the number of characters is 26. For a four character password like ‘abcd’ the number of combinations an attacker has to try is

26 to the power of 4 = 26 x 26 x 26 x 26 = 456976.

That takes about 0.2 milliseconds to crack on a desktop computer with an Intel I7 processor. Four characters are definitely too short!

For a 12 character password like ‘abcdefghijkl’ the number of combinations an attacker has to try is

26 to the power of 12 = 95428956661682200, and the time to crack is about 1.5 years.

The following table shows the cracking time in relation to the password length:

[Table: Password cracking time vs. length]

The yellow-marked cells show the one-year-time-to-crack for each character set. The one-year-time-to-crack is the password length at which an attacker with an Intel I7 based computer needs one year to find the combination with a brute force attack. For our plain character set the one-year-time-to-crack is 12.

With the character set ‘a..z A..Z0..9’ the one-year-time-to-crack is 10. With the complex character set ‘a..z A..Z0..9 _-%$§&/()#=?’ the one-year-time-to-crack is 9.

Even with the complex character set you should use at least 9 characters.

The result: It’s all about the password length! The influence of the character set is negligible. Even with the plain character set one can create hard-to-crack passwords.

I would recommend using at least 14 characters, even with the complex character set, just to be ready for faster CPUs and to anger the NSA!
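To make the arithmetic behind the table reproducible, here is a small script, added for this archive and not part of the original post, that computes the number of combinations, the worst-case time-to-crack and the one-year-time-to-crack length for the three character sets discussed above. It assumes a brute-force rate of 2 billion guesses per second (an assumption chosen to be consistent with the post’s 0.2 ms and 1.5 year figures) and counts the complex set as 74 characters (62 letters and digits plus the 12 special characters listed).

```python
# Brute-force sizing for the character sets discussed in the post.
# Added example; the guess rate and the character counts are assumptions.

# Assumed attacker speed: 2e9 guesses/s. This reproduces the post's figures:
# 26^4 guesses take ~0.23 ms and 26^12 guesses take ~1.5 years.
GUESSES_PER_SECOND = 2e9
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character sets from the post. The complex set is counted as
# 26 + 26 + 10 letters/digits + 12 specials (_-%$§&/()#=?) = 74 (assumption).
CHARSETS = {
    "plain a..z": 26,
    "a..z A..Z 0..9": 62,
    "complex a..z A..Z 0..9 _-%$§&/()#=?": 74,
}


def combinations(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to try."""
    return charset_size ** length


def crack_time_years(charset_size: int, length: int) -> float:
    """Worst-case time in years to try every combination at the assumed rate."""
    seconds = combinations(charset_size, length) / GUESSES_PER_SECOND
    return seconds / SECONDS_PER_YEAR


def one_year_length(charset_size: int) -> int:
    """Smallest password length whose full search takes at least one year."""
    length = 1
    while crack_time_years(charset_size, length) < 1.0:
        length += 1
    return length


def cracking_table(max_length: int = 14) -> list:
    """Rebuild the post's table: (length, {charset: years}) for each length."""
    return [
        (length, {name: crack_time_years(size, length) for name, size in CHARSETS.items()})
        for length in range(1, max_length + 1)
    ]


if __name__ == "__main__":
    for length, row in cracking_table():
        cells = "  ".join(f"{years:12.3e}" for years in row.values())
        print(f"{length:2d}  {cells}")
    for name, size in CHARSETS.items():
        print(f"one-year-time-to-crack for {name}: {one_year_length(size)} characters")
```

Run it to print the years-to-crack per length for all three sets and the one-year lengths (12, 10 and 9), and note how 14 plain lowercase characters already exceed a thousand years at this rate.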

How to build strong passwords?

My passwords are easy to build and remember. Start with 4 randomly selected words, in total more than 14 characters, like

‘Never use the word.’

This password is rated ‘Strong’ by the Microsoft password checker. Never use the first words of your favourite song or something you published on Facebook or elsewhere, because an attacker will do some social engineering and try these results first.

Strong is not enough, so write the first character of each word in capital letters and add a special character or two at both ends:

‘#Never Use The Word._‘

This version is rated ‘Best’.

If you are a masochist, hurt yourself and change the first vowel in each word to a number:

‘#N1ver 2he Th3 W4rd._‘

Isn’t this an easy to remember password? 😉


The JPMorgan Data Breach – How could it happen?

9 October 2014

Let’s start with the good news. In JPMorgan’s FORM 8-K report from 2 October 2014 we can read that it could have been a lot worse:

Only ‘User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.’

And ‘… there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.’

But what really confuses me is the statement ‘As of such date, the firm continues not to have seen any unusual customer fraud related to this incident.’

How can they be sure that it has stopped?

The big question in the JP Morgan case remains unanswered: How could it happen?

Currently neither the bank nor the FBI has given an official report about the details of the cyber-attack. But reading between the lines can help to gain a rough picture of what probably happened. I really like developing new conspiracy theories ;-).

On 2 October 2014, Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth reported in The New York Times: “Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. … By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.”

The CNET report ‘JPMorgan hackers altered, deleted bank records, says report’ from 28 August 2014 sheds some light on the matter: “This case, however, involved outsiders who targeted specific employees at JPMorgan Chase to gain access to their computers and the bank databases.”

This sounds to me a lot like a successful phishing attack. Incredible!

In his post ‘JPMorgan breach heightens data security doubts‘, Alex Veiga, AP Business Writer, reports on 3 October 2014: “In response to the data breach, the company has disabled compromised accounts and reset passwords of all its technology employees, Wexler said.”

Why should a company reset the passwords of all its technology employees? This only makes sense if they suspect that the passwords were compromised.

The phishing attack theory becomes much more credible!

But the most exciting statement can be read in the CNET report: “If hackers are capable of accomplishing this, it means they have spent a significant amount of time studying the [bank’s] records system before attempting any kind of serious manipulation,” he said. “It’s not impossible, however, if they were able to modify records using high-level credentials and do it in a way that was undetected.”

How can they be sure that it has stopped?

Webinar: WordPress Security Simplified — Six Easy Steps For a More Secure Website sponsored by Incapsula

15 September 2014

WordPress Security Simplified — Six Easy Steps For a More Secure Website sponsored by Incapsula.

I got this invitation some days ago. This webinar might be a good starting point to dive into the exciting world of application security.


Google confirms ‘five million’ customer data dump but denies breach

13 September 2014

Google confirms ‘five million’ customer data dump but denies breach – IT News from V3.co.uk.

The news about the Google hack this week was somewhat puzzling at first glance. Five million customer records stolen, but no attack on internal systems? It took me some time to understand this.

In my opinion, some hackers collected a large number of accounts from lots of companies, including some Google accounts. From my experience with phishing attacks, and the statements in several reports about the lousy data quality, this sounds quite plausible.

Some statements in the post ‘Cleaning up after password dumps’, published by Google’s Spam and Abuse Team on 10 September in its Online Security Blog, confirmed my impression:

It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

How could we avoid such data theft in the future?

From a technical point of view, only Two or Multiple Factor Authentication (MFA) can prevent such attacks. In the post Google denies breach after hackers leak millions of user logins, published on 11 September on Computerweekly.com, Yiannis Chrysanthou, security researcher in KPMG’s cyber security team, stated that MFA is the sole means to prevent misuse of stolen credentials.

The last statement in this post was very puzzling:

“Of course this extra security comes with increased investment – but the improved customer protection makes it viable and valuable,” said Chrysanthou.

What increased investment? For usage of Google 2 Step Verification? Or TFA in Apple’s iCloud Services or WordPress.com? There are no additional costs! The only drawback of MFA is a loss of comfort for the users of these services. But the gains in security are invaluable. I would be very pleased if Amazon, eBay, and Microsoft would add TFA to their services as soon as possible.

When it comes to the implementation of MFA inside companies, we definitely talk about increased investment. Adding MFA to an Active Directory that serves tens of thousands of internal users, or to a service for external customers, will result in an additional investment and higher operating costs. But with TFA the eBay data breach earlier this year would have been prevented. As would the Code Spaces collapse.

The big question is as always: What is the total loss of turnover created by a data breach compared to the total costs of implementing TFA?

Can Code Spaces tell us?

NMH survival strategy

26 July 2014

Business people are quick in demanding the highest IT security standards, but when it comes to the implementation, the security measures should not have any impact on their daily business.

What impact is just about acceptable? The answer to this question depends on many factors. Moreover, there is no universally applicable answer to this question.

Last week this question came up in a discussion about the impact of protection measures on scientists. My answer was: Let’s try the NMH (No Medium High) impact approach.

No impact

Start with protection measures that have no impact on daily work. Many technical measures and a few organizational measures can be implemented in the background, in the best case without any downtime.

Present your approach and the measures to the business groups. Show that there is no impact on their daily work. I bet, everyone will welcome this approach. And, if it works, everyone will trust you and you will feel like a super hero.

Medium impact

In the next step, develop measures with low or medium impact on daily work. It is very important that this is done in close collaboration with the business groups. These measures are mostly organizational measures or small changes to the way of working, e.g. giving up USB sticks, encrypting emails when sensitive information is exchanged, or setting up a data handling policy.

Offer at least equal or better, easy-to-use alternatives. Agree with the business groups on the set of measures to be implemented, on the schedule and on the remaining risk. Make clear that the business groups have to cover the remaining risk! Implement the changes in close cooperation with the business groups.

High impact

Finally, discuss measures that have a high impact on the way of working, e.g. strong passwords, two factor authentication for systems which are used to access core business data, or the classification and tagging of data.

If there are legal requirements to implement those measures, that’s an easier job. Anyway, you have to make the advantages clear! Finally, the business groups have to agree on the set of measures which should be implemented. In the worst case, they accept the remaining risk and reject any proposals for high impact measures. If there are no legal requirements, that’s ok.

From my point of view with the NMH approach you will get a high level of security without infuriating the business groups too much!

Become a superhero!