
Tag: password

A password is a word or string of characters used for user authentication, to prove identity or access approval in order to gain access to a resource (for example, an access code is a type of password). It is meant to be kept secret from those who are not allowed access.

The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The terms passcode and passkey are sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required categories (e.g. upper and lower case, numbers, and special characters), prohibited elements (e.g. own name, date of birth, address, telephone number). Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.

It's all too easy to neglect data security, especially for a small business. While bigger organizations have IT departments, service contracts, and enterprise hardware, smaller companies frequently rely on consumer software, which lacks the same sort of always-on security functionality. But that doesn’t mean that your data is unimportant, or that it has to be at risk. Encryption is a great way...
Lulzsec hacker group handed jail sentences LulzSec hacker Jake Davis: 'The internet is a world devoid of empathy' British hackers who were behind a series of high profile cyber-attacks in 2011 have been sentenced. The four men, Ryan Cleary, Jake Davis, Mustafa al-Bassam and Ryan Ackroyd, were part of the Lulzsec hacking group. Cleary was jailed for 32 months, Davis for two years...
Advanced persistent threat (APT) is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual...
Does your password go up to 11? Probably not. But one day it could.
Love it or hate it, Windows 8 is the bellwether for PCs. Where Microsoft goes, PCs follow. And now Microsoft is making a grab for the mobile market, too. The latest version of Windows is designed with touchscreens in mind, and one bright side of that evolution is the addition of features that make Windows more intuitive and easier to use...
Passwords.

They're the bane of any IT security guru's existence. Picking a good one, making them easy to remember, forgetting them, resetting them, storing them correctly, and now, it appears, deciding whether to mask them. It's not a new issue. Well-known information security advocate Bruce Schneier argued back in 2009 that there's not much point in showing asterisks or bullets in place of a user's password — masking it — while they enter it, as anyone who's close enough to read over the user's shoulder can simply look at the keyboard. It's a classic case of security negatively impacting usability, and Schneier argued at the time that it really isn't worth it, since the user is typically alone in their office, anyway. That seems to be the justification for why the latest beta release of Fedora no longer masks passwords as you type. When starting an installation of Fedora 19 Beta TC2, administrators are asked to set a root password, but the password isn't masked until the focus is taken away from the field.

This gives the administrator the convenience of checking that they're typing the password in correctly, but it does raise concerns, considering it's the root password for the system.

(Image: Screenshot by Michael Lee/ZDNet)

The issue was filed on Red Hat's Bugzilla instance as a bug, but was initially dismissed by Chris Lumens, one of the developers on the Anaconda installer for Fedora.

He wrote that it was "working exactly as it is intended", and brings about other benefits, such as solving keyboard layout-related problems — an issue that is particularly taxing during an install stage. The installation process also allows administrators to create an additional local user account, and to add that account to the machine's list of administrators. But creating such an account has the same mask effects, and, strangely enough, includes a complexity "meter" that is missing when setting the root password.

(Image: Screenshot by Michael Lee/ZDNet)

Even stranger is that once administrators go through the installation process and actually get Fedora up and running, login passwords are masked when typed, anyway.

The exception to this is changing a user password in the GNOME graphical user interface — but, even then, the default action is to mask the password unless the "Show password" option is checked. And that is one of the ways that installation password masking — especially for the root password — should have been done.

Other alternatives could include masking everything but the most recently typed character, or doing what Microsoft recently did in Windows 8: including a button next to logins that shows the unmasked password for as long as the user holds it down. This is another instance of an assumption being made that the user wants convenience over security, when the proper thing to do is put in place a reasonable level of security and let the user downgrade as necessary. Users can always choose to reveal their password if they know that no one else is in the room, but if the lowest security options are implemented by default, it's too late.

After all, the people responsible for designing security mechanisms don't know exactly the environment users are in, and can't always offer advice that will apply to everyone. Does this mean that gurus like Schneier are mistaken, then? I guess it's telling that Schneier himself later admitted that he probably was. Is password masking necessary? Or should it be considered too inconvenient to enable by default? Have your say in the comments.
The Inventors of Tokenless® Authentication. SecurEnvoy is the trusted global leader of tokenless® two-factor authentication. As the pioneers of mobile phone based tokenless® authentication, SecurEnvoy leads the way with ground breaking solutions that others aspire to. Our innovative approach to the tokenless® market now sees thousands of users benefitting from our solutions all over the world. With users deployed across five continents,...
There's an old adage that on the internet, nobody knows you're a dog. It's been previously used to demonstrate that it's hard, if not impossible at times, to determine whether someone really is who they say they are — be it man, woman, or dog — but it equally applies to hackers. Although offline, it's easy enough to connect with someone's day-to-day personality, it doesn't offer any insight into who they are and how they act online. Let's face it, as much as Hollywood might lead us to believe that hackers gain their street cred from hacking via sophisticated 3D-modelled file systems, or that two people typing on one keyboard doubles a computer's hacking abilities, the more boring reality is that it's mostly done by typing commands into a terminal shell (and I don't mean "access security"). Just as image is everything for some people offline, so too is it online. It's why sites like Zone-H exist, showcasing what websites online attackers have defaced.

And just like in the offline world, many will take credit for others' work, make up successful attacks, or twist simple attacks into what seem like nobler causes. Which is what may have happened with the Commonwealth Bank of Australia (CBA) recently.

A hacking group going by the name LatinHackTeamReborn, presumably trading off the name of the former LatinHackTeam group, claimed to have breached CBA's UK site. It posted the alleged email addresses, hashed passwords, and names of users on the site, stating that it made its attack by "rerouting after attacking the firewall", and that it was "striking back after what you did to us". The only problem is, it's not CBA's data. "We have done a thorough investigation, and we can confirm that no Commonwealth Bank systems have been hacked and no customer data has been compromised.

The CBA customer information is safe and secure," a spokesperson for the bank told us. It's clear from the leaked data that it's not banking information. CBA uses numerical codes for its online banking system, not email addresses, and the passwords, while hashed, were done using MD5 with no salt.

If such a method of securing passwords was used on a live banking system, it would certainly raise eyebrows, but CBA denies that it belongs to it. But the email addresses do appear to be valid, and, worryingly, of a UK and Australian nature. It's not unheard of for a hacked organisation to lie to the media, and for the information to actually be from a lesser-known and not mission-critical system (we might as well throw "developed by a third party" in here as well). But, digging deeper, I'd be more inclined to trust CBA's word. That's not just because of the damage to its reputation should it be proved that it lied, but because it would really mean trusting a hacker group that only created its Twitter account a few hours prior to the attack, which for some reason decided to include the #stopglobalwarning (yes, warning) hashtag in its attack, and opted for the cryptic, Hollywood-esque method of "rerouting" after attacking a firewall. Wherever this data came from, it didn't happen by picking different routes. It most likely resulted from improper access to a database, probably by using SQL injection. And what has CBA got to do with whatever happened to LatinHackTeam anyway? Nothing, as far as I can tell. It's a bank — and hackers breaking into banks is a sure-fire way to improve your image and gain credibility. Which is probably why the hacking group also claimed to have attacked the Bank of Israel. That would be a significant feat itself; only the email addresses, hashed passwords, and organisations named have nothing to do with the Bank of Israel.

They are actually from leaks posted by others, on previously compromised websites; in this case, the Ontario Imported Wine-Spirit-Beer Association. It runs its site off WordPress, which, if not maintained to the current version, is an easy target for even the most novice attackers, thanks to the wealth of information freely available online. Most of the time, impersonators are going to get away with it because there are few consequences for being named and shamed, and fewer who have the time or inclination to do it ("Bank not hacked" is not a headline, after all).

Even when it does happen, this is the internet, where creating a new alter ego is as simple as a few clicks, and a teenager, or an industry veteran, can be born again as a political greenie against global warning, a freedom fighter, a North Korean official, or perhaps all of them at once. It's true that on the internet, nobody knows if you're a dog, but also, most times nobody knows you're really a dog pretending to be some sort of bank-robbing hacker.
There are some government agencies that most would expect to have a fair grasp of security, even for those systems that are not core to their operations. That's what we thought of the Australian Tax Office's Publication Ordering System, but sadly, we were proven wrong. University student Dan Farrall discovered that his government's communications headquarters (GCHQ) careers site has been sending back passwords in complete plain text.

For those of us outside of the UK, GCHQ is one of Britain's intelligence agencies, dealing primarily with signals intelligence and charged with "safeguarding Britain's electronic communications and digital space". It works with the nation's security service and secret intelligence service, MI5 and MI6, and is thought of as the counterpart to the US National Security Agency or Australia's Defence Signals Directorate. As Farrall pointed out on his blog, apart from the harm to its reputation, the sort of information that would be held within these systems would be significant. We double-checked Farrall's claim and confirmed that the passwords were in fact being sent in plain text, and while we were at it, we started an application for a malware reverse engineer.

Password recovery email. (Image: Screenshot by Michael Lee/ZDNet)

Aside from the usual residential information, the application required passport numbers, reasons for wanting to apply, the relevant skills for the position being applied for, education history, and qualifications. I imagine that such information would be especially interesting to foreign nations that would like to narrow down and possibly turn tomorrow's government penetration testers, or tap those that work on discovering and patching vulnerabilities for the UK government. Farrall claimed to have contacted GCHQ about the issue at the end of February, but received no response. GCHQ responded to ZDNet's queries about the issue, stating that "the current applicant tracking system used by GCHQ is a legacy system" and that it is already in the process of replacing it. Although the main issue with plain text passwords lies with the entire username and password database being unprotected and accessible in the event of a breach, GCHQ appeared to believe that the problem was simply a matter of passwords being sent over email. It told ZDNet that "only the very small percentage of applicants (who need their accounts reset) are sent a new password.

This comes with clear instructions of how to protect their data." From the email in the screenshot above, these clear instructions involve not writing down the password or giving it to anyone else. Updated on 27 March, 2012 at 10.45am AEDST: Included response from GCHQ.
There are so many sites that store passwords in the clear that normally when I come across one, I make a mental note to never trust it with anything too important, or to find a similar service that actually does care about security. However, as Alex North has recently discovered, when it's your own government's taxation office, and it somehow believes that it's following best practice, a seething ball of rage slowly works its way up from my spleen. The Australian Taxation Office (ATO) has been storing passwords in plain text. I don't need to tell you why that's a bad idea. We've already seen how disastrous it can be when companies only store unsalted hashes of passwords — the Australian Broadcasting Corporation (ABC) joined LinkedIn on that honour roll recently. North found out by requesting his password from the ATO's Publications Ordering Service, shortened, perhaps appropriately, to POS.

This is where I'd normally shake my head, but walk on by.

There are hundreds, if not thousands, of companies that have little clue as to how bad this practice can be, so much so that a name-and-shame site called Plain Text Offenders exists. But the remarkable thing about North's finding is that he went one step further, made a complaint, and received a reply from the ATO's "technical area". The ATO's response was that the process it follows is one of the most commonly adopted methods of password recovery, and is safe because the recovered password is only sent to the user's registered email address. I sure hope not.

There are plenty of sites that do the wrong thing, but the majority of responsible sites I've seen tend to do the right thing and require a time-sensitive confirmation link. It's not perfect, considering that email is typically not a secure medium, but done right, the confirmation link expires when used or after a period of time, unlike the password.

Although North didn't go digging any further, I figured I would — and I found that the problems get even worse, although the ATO's "technical area" has some idea of basic security concepts. Take poor password generation, for example: it has a script that will check if your password is one in a blacklist of common passwords. However, that entire dictionary is checked client side in a script, and is hardly comprehensive. In fact, some of the other password complexity requirements mean that a lot of the words in the blacklist don't even qualify.

Part of the POS password ban list. (Image: Screenshot by Michael Lee/ZDNet)

My dodgy password of "Password1", for instance, made the cut. But given that all of this checking happens on the user/attacker's own computer, there's nothing to stop them from hijacking the JavaScript and skipping the checks. That's not the only place that client-side verification occurs. Attempt to log in with the wrong credentials enough times, and another JavaScript function will kick in, disabling the login form for 3 seconds. Someone at least knows that attackers can and do brute force systems, but hasn't figured out that it doesn't happen by entering usernames and passwords manually. This happens on the two other sites set up for businesses and tax agents, although the tax agent site redirects users to a page telling them that they've been locked out of the site for 24 hours. That would be a crude but effective measure, only it doesn't actually lock anyone out. In fact, the tax agent site doesn't even prompt for a password, only a tax agent number (TAN).
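The "time-sensitive confirmation link" the article contrasts with emailing the stored password, as an added illustration (not the ATO's, POS's or any vendor's code): the service stores only a hash of a random token, and the token is rejected after first use or after an assumed 15-minute lifetime. The `ResetTokenStore` class, `TOKEN_TTL` and the injectable clock are constructed here for the example.

```python
import hashlib
import secrets
import time

# Constructed example of a reset flow that never needs the user's password.
# Only sha256(token) is retained, so a leaked reset table holds nothing that
# can be presented to the service; the emailed token itself is single-use.
TOKEN_TTL = 15 * 60  # assumed lifetime in seconds (not from the article)


class ResetTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested offline
        self._pending = {}       # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        # The lookup key is a hash of a 256-bit random value, so an attacker
        # cannot search the table without already holding the token.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a reset token for user_id and return the value to email.
        The database never stores the token itself, only its fingerprint."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL
        self._pending[self._fingerprint(token)] = (user_id, expires_at)
        return token

    def redeem(self, token: str):
        """Return the user_id the token belongs to, or None if it is unknown,
        already used, or expired. The token is consumed on the first attempt
        either way, so a replayed or late link can never succeed."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id
```

On a successful `redeem` the application would prompt for a new password and hash it; the old password is never read or sent anywhere.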

And with a number of them freely Google-able, one could probably log in under someone else's account, passwords be damned. But, as North pointed out sarcastically, big deal. POS is a government service, so anyone can order free documents. In fact, anyone can sign up, order a bunch of documents and have them sent to various addresses if they really wanted to.

The whole system is flawed, not just the password requirement. We put our own query to the ATO, and it confirmed that its POS site stores passwords in plain text, but it also highlighted that the system is an external application hosted and managed by its "publication warehouse supplier". That means, at least, that it's separate to more sensitive information, as it is "unable to access taxpayer information or their details" and "there are no financial or bank account details stored on POS". It also acknowledged that as "with any online ordering system, if a person was so inclined, they could place orders to another address. In addition to our ongoing consideration of security developments, we monitor requests to identify out of the ordinary activity, which may include repeat or 'over the limit' requests". The difference between "any online ordering system" and POS, however, is that most people have to pay for the product.

There is (thankfully) no payment mechanism in place for POS, as the ATO funds the printing and delivery of the products. But who funds the ATO? Taxpayers, ultimately. As for entering TANs, the government is able to help attackers out there, too. Unlike Tax File Numbers (TFNs), which taxpayers are not meant to share, TANs are publicly available information that can be looked up on the Tax Practitioners Board. The ATO told us that with this information, an attacker would be able to "view the requester's contact details and past and current orders of ATO material", which admittedly isn't ground-breaking information to have, but it leaves me wondering what the point of a login system was in the first place. Nevertheless, the ATO told us, "security is important to us; while we feel this represents a low risk overall and operates completely separate to ATO systems, we are working with our supplier to address best-practice security measures, including improvements that can be made to this system for the future." Hopefully, this will be sooner rather than later. But judging from the ATO's response, it may not be in a rush.

After all, it told us that "POS has not been compromised once in it[s] years of operation". The point is not about not being breached; it's about what you do when you have been.

In the ATO's case, it will lose all of its passwords, many of which are probably being used on other sites.

The only thing it will be able to do for its users is send an apologetic email, shoving the responsibility to them to clean up the mess. If you look at Evernote, which I am using as an example because it suffered a breach over the weekend, it has done (most of) the right things. Passwords were hashed and salted, which means that unlike just hashing, which simply obfuscates poor passwords, they are close to impossible to get the plain text from. Upon learning of a breach, it instituted a password reset on its users, just in case. While it arguably could have done a better job at informing its users that it had actually reset their passwords, it checked all the right boxes when it came to ensuring that passwords are being responsibly stored. The best part about it? Most don't even pay Evernote for this.
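The difference between the unsalted MD5 seen in the CBA hoax dump and the "hashed and salted" storage credited to Evernote, as an added illustration that is not the code of either organisation: unsalted hashing gives every user with the same password the same record, so one precomputed table serves a whole dump, while a per-user random salt defeats that. PBKDF2-HMAC-SHA256 with an assumed 200,000 rounds stands in for "hashed and salted"; the wordlist and sample dump are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed example; not Evernote's or CBA's implementation.


def md5_unsalted(password: str) -> str:
    """The scheme in the hoax dump: same password, same digest, every time."""
    return hashlib.md5(password.encode()).hexdigest()


def common_password_hits(hashes, wordlist):
    """Why unsalted hashes 'simply obfuscate poor passwords': a table built
    once from a short wordlist recovers every matching user in the dump,
    with one MD5 per candidate word regardless of how many users there are."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def hash_password(password: str, salt=None) -> str:
    """Stored form: 'pbkdf2$rounds$salt$digest'. A fresh random salt per user
    means identical passwords produce different records, so no shared table
    applies and each guess must be recomputed per user at full cost."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)
```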

Rootkits (Symantec)

Computer security has become a hot topic for the news industry. Hardly a week passes without some new threat or data breach making headlines. Increased media coverage of these attacks reflects the growing need for everyone to be educated about secure computing, not just system administrators and security professionals. As with news in general, the more sensational or frightening the security...
Malware, hackers, spam, identity thieves and more – which antivirus package should you invest in to prevent them playing havoc with your life? We test 10 of the best antivirus apps available. Antivirus isn't something you can do without any more, and if you think you can't be infected, chances are there's a virus writer somewhere ready and willing...