Wednesday, December 13, 2017
Home Tags Brute Force

Tag: Brute Force

Being enthusiastic shoppers just like many other people around the world, at Kaspersky Lab we are, however paranoid enough to look at any Internet of Things (IoT)-device with some concern, even when the price is favorable.
So we randomly took several different connected devices and reviewed their security set up.
According to KSN data, Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.
The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs,which may allow an attacker to recover the RSA private key corresponding to an RSA public key generated by this library.

This vulnerability is often cited asROCAin the media.
Attackers leveraged popular cloud service platforms to conduct persistent - and stealthy - login attempts on corporate Office 365 accounts.
Two words: Sweet 2FA Comment  Just under 90 Parliamentary email accounts were compromised by a brute force attack on the parliamentary network over the weekend.

And there is a long-established technology which can normally see off this kind of attack.…
Brute force attack on weak passwords, cracked <90 email accounts The Parliament of the United Kingdom has admitted it experienced a “sustained and determined cyber attackrdquo; over the weekend and says <90 email accounts have been compromised as a result.…
Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks.
In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.
A researcher claims that almost 200,000 shoddily made IP cameras could be an easy target for attackers looking to spy, brute force them or steal their credentials.
Google's vast cloud computing infrastructure was harnessed to demonstrate that it is possible to crack the Secure Hash Algorithm-1 cryptographic function through a brute force computational methods.
In other words, crypto ransomware is a fine tuned, user friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned.
Let me check my Rolodex... T for Travel Agent ... Legacy travel booking systems disclose travellers’ private information, security researchers warn. Travel bookings worldwide are maintained in a handful of Global Distributed Systems (GDS) built around mainframe computers linked to the web but without adequate security controls, say the researchers. “The systems have since been interwoven with web services, but still lack several web security best practices,” according to researchers from German security firm Security Research Labs. The three largest travel booking systems - Amadeus, Sabre, and Travelport - administer more than 90 per cent of flight reservations as well as numerous hotel, car, and other travel bookings. All three systems use a booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) to access and change travellers’ information. This authenticator is printed on boarding passes and luggage tags. The firm claims anybody able to find or take a photo of the pass or tag can theoretically access the traveller’s information – including email address and phone number – through the GDS or an airline’s website. Traveller information is also at risk of hacking because authentication strings can be vulnerable to brute-force attacks, say the researchers. Two of the three main GDSes assign booking codes sequentially, further shrinking the search space needed for a brute force attack. Airlines and GDS systems fail to block IP addresses after a large number of unsuccessful booking attempts, claims the firm. “Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” the researchers conclude. Obtaining a booking code opens the door to all manner of abuse, the researchers claim. The booking overview typically contains contact information such as phone number, email, postal address, travel dates and preferences, and often passport information. Worse yet, most airlines allow flight changes - some even cancellations for a voucher - potentially allowing hackers to steal flight credits and travel for free. By changing the frequent flyer information in the booking, a fraudster can steal miles without taking any flights. Lastly, knowing details of a booking that has just been made – which is possible in GDSes that use sequential booking codes – creates a launchpad for hackers to target travellers for social engineering, asking for their payment info or frequent traveller credentials, claims the firm. El Reg invited Amadeus, Sabre, and Travelport to comment on the research. In a statement, Amadeus said it was reviewing the findings. Amadeus is assessing the findings of the research on travel industry security, and we have upgraded security to our own properties. We give the security of customer systems and data the highest priority and our systems and processes are under continuous review. We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems. Travelport offered a generic statement (below) saying that it takes security seriously without commenting on the specifics of Security Research Labs’ research. Cyber security and the privacy of customer data are critical priorities for Travelport and an area in which we invest extensively in and lead in. As such, we make ongoing investments in our own systems, and also engage with the various industry bodies we participate in, to implement any changes recommended in support of the general digital travel booking ecosystem. In recognition of our focus in this area, earlier this year, we were the first GDS to be certified for ISO 27001 compliance, an industry standard acknowledging our commitment to responsibly manage both our data and that of our customers worldwide. We’ve yet to hear back from Sabre. “Global booking systems have pioneered many technologies including cloud computing,” the researchers conclude. “Now is the time to add security best practices that other cloud users have long taken for granted.” “In the short-term, all websites that allow access to traveller records should require proper brute-force protection in the form of CAPTCHAs and retry limits per IP address,” they add. Details of the research were presented at the 33C3 conference last week, in a talk entitled Where in the World Is Carmen Sandiego?: Becoming a secret travel agent (slide deck, pdf). A 60-minute video of the presentation can be found here. ® Sponsored: Customer Identity and Access Management
Whether quantum computing is 10 years away or is already here, it promises to make current encryption methods obsolete, so enterprises need to start laying the groundwork for new encryption methods. A quantum computer uses qubits instead of bits.

A bit can be a zero or a one, but a qubit can be both simultaneously, which is weird and hard to program, but once folks get it working, it has the potential to be significantly more powerful than any of today's computers. And it will make many of today's public key algorithms obsolete, said Kevin Curran, IEEE senior member and a professor at the University of Ulster, where he heads up the Ambient Intelligence Research Group. That includes today's most popular algorithms, he said.

For example, one common encryption method is based on the fact that it is extremely difficult to find the factors of very large numbers. "All of these problems can be solved on a powerful quantum computer," he said. He added that the problems are mostly like with public key systems, where the information is encoded and decoded by different people.
Symmetric algorithms, commonly used to encrypt local files and databases, don't have the same weaknesses and will survive a bit longer.

And increasing the length of the encryption keys will make those algorithms more secure. For public key encryption, such as that used for online communications and financial transactions, possible post-quantum alternatives include lattice-based, hash-based, and multivariate cryptographic algorithms as well as those that update today's Diffie-Hellman algorithm with supersingular elliptic curves. Google is already experimenting with some of these, Curran said. "Google is working with the Lattice-based public-key New Hope algorithm," he said. "They are deploying it in Chrome where a small fraction of connections between desktop Chrome and Google's servers will use a post-quantum key-exchange algorithm.

By adding a post-quantum algorithm on top of the existing one, they are able to experiment without affecting user security." Flexibility is key Some future-proof encryption algorithms have already been developed and are now being tested, but enterprises need to start checking now whether their systems, both those that they have developed themselves and those provided by vendors, are flexible enough to allow old, obsolete algorithms to be early replaced by new ones. Fortunately, according to Curran, there are already algorithms out there that seem to be workable replacements and that can run on existing computers. One company that is paying very close attention to this is Echoworx, which provides on-premises and cloud-based enterprise encryption software. Quantum computing will break all of today's commonly used encryption algorithms, said Sam Elsharif, vice president of software development at Echoworx.

Encryption that today's most sophisticated computer can break only after thousands of years of work will be beaten by a quantum computer in minutes. "This is obviously very troubling, since it's the core of our business," he said. "Echoworx will be in trouble -- but so will all of today's infrastructure." Since longer keys won't work for public key encryption and companies will need to replace their algorithms, the encryption technology needs to be modular. "It's called cryptographic agility," he said. "It means that you don't hard-wire encryption algorithms into your software, but make them more like pluggable modules.

This is how software should be designed, and this is what we do at Echoworx ." Once post-quantum algorithms have been tested and become standards, Echoworx will be able swap out the old ones with the new ones, he said. "You will still have a problem with old data," he said. "That data will either have to be destroyed or re-encrypted." Hardware-based encryption appliances will also need to be replaced if they can't be upgraded, he said. Don't worry, it's still a long way off How soon is this going to be needed? Not right away, some experts say. "The threat is real," said Elsharif. "The theory is proven, it's just a matter of engineering." But that engineering could take 10, 15 or 20 years, he said. Ulster University's Curran says that quantum computers need to have at least 500 qubits before they can start breaking current encryption, and the biggest current quantum computer has less than 15 qubits. "So there is no immediate worry," said Curran. However, research organizations should be working on the problem now, he said. "We may very well find that we do not actually need post-quantum cryptography but that risk is perhaps too large to take and if we do not conduct the research now, then we may lose years of critical research in this area." Meanwhile, there's no reason for an attacker to try to break encryption by brute force if they can simply hack into users' email accounts or use stolen credentials to access databases and key files. Companies still have lots of work to do on improving authentication, fixing bugs, and patching outdated, vulnerable software. "Many steps need to be taken to tighten up a company’s vulnerability footprint before even discussing encryption," said Justin Fier, director of cyber intelligence and analysis at Darktrace. In addition, when attackers are able to bypass encryption, they usually do it because the technology is not implemented correctly, or uses weak algorithms. "We still have not employed proper protection of our data using current cryptography, let alone a future form," he said. "Quantum computing is still very much theoretical," he added. "Additionally, even if a prototype had been designed, the sheer cost required to build and operate the device within the extreme temperature constraints would make it difficult to immediately enter the mainstream marketplace." No, go right ahead and panic Sure, the typical criminal gang might not have a quantum computer right now with which to do encryption. But that's not necessarily true for all attackers, Mike Stute, chief scientist at security firm Masergy Communications. There have already been public announcements from China about breakthroughs in both quantum computing and in unbreakable quantum communications. "It's probably safe to say that nation states are not on the first generation of the technology but are probably on the second," he said. There are even some signs that nation states are able to break encryption, Stute added.
It might not be a fast process, but it's usable. "They have to focus on what they really want," he said. "And bigger quantum computer will do more." That means that companies with particularly sensitive data might want to start looking at upgrading their encryption algorithms sooner rather than later. Plus, there are already some quantum computers already on the market, he added. The first commercial quantum computer was released by D-Wave Systems more than a year ago, and Google was one of its first customers. "Most everyone was skeptical, but they seem to have passed the test," said Stute. The D-Wave computer claims to have 1,000 qubits -- and the company has announced a 2,000-qubit computer that will be coming out in 2017. But they're talking about a different kind of qubit, Stute said.
It has a very limited set of uses, he said, unlike a general-purpose quantum computer like IBM's which would be well suited for cracking encryption. IBM's quantum computer has five qubits, and is commercially available. "You can pay them to do your calculations," he said. "I was able to do some testing, and it all seems on the up and up.
It's coming faster than we think." Related video: This story, "Prepare now for the quantum computing revolution in encryption" was originally published by CSO.