Naming Pets
Children are being warned that the name of their first pet should contain at least eight characters and a digit.
Entries Tagged "passwords"
Page 14 of 29
Attack Against Point-of-Sale Terminal
Clever attack:
When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it’s legit? In the past three months, Toronto and Peel police have discovered many that aren’t.
In what is the latest financial fraud, crooks are using distraction techniques to replace merchants’ machines with their own, police say. At the end of the day, they create another distraction to pull the switch again.
Using information inputted by customers, including PIN data, the criminals are reproducing credit cards at an alarming rate.
Presumably these hacked point-of-sale terminals look and function normally, and additionally save a copy of the credit card information.
Note that this attack works despite any customer-focused security, like chip-and-pin systems.
Israel Demanding Passwords at the Border
There have been a bunch of stories about employers demanding passwords to social networking sites, like Facebook, from prospective employees, and several states have passed laws prohibiting this practice.
This is the first story I’ve seen of a country doing this at its borders. The country is Israel, and they’re asking for passwords to e-mail accounts.
RuggedCom Inserts Backdoor into Its Products
All RuggedCom equipment comes with a built-in backdoor:
The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, “factory,” that was assigned by the vendor and can’t be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device.
This seems like a really bad idea.
No word from the company about whether they’re going to replace customer units.
EDITED TO ADD (5/11): RuggedCom’s response.
Al Qaeda Steganography
The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie.
Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence—more than 100 al Qaeda documents that included an inside track on some of the terror group’s most audacious plots and a road map for future operations.
Cybercrime as a Tragedy of the Commons
Two very interesting points in this essay on cybercrime. The first is that cybercrime isn’t as big a problem as conventional wisdom makes it out to be.
We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.
Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around.
The second is that exaggerating the effects of cybercrime is a direct result of how the estimates are generated.
For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors— or outright lies—cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.
Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.
[…]
A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
Password Security at Linode
Here’s something good:
We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of log in attempts from a given remote address, and automatic tarpitting of requests from attackers.
And this:
Some of you may have noticed a few changes to the Linode Manger over the past few weeks, most notably that accessing your “My Profile” and the “Account -> Users & Permissions” subtab now require password re-authentication.
The re-authentication is meant to protect your contact settings, password changes, and other preferences. The re-auth lasts for about 10 minutes, after which you’ll be asked to provide your password again on those sections of the Linode Manager.
It’s nice to see some companies implementing these sorts of security measures.
Law Enforcement Forensics Tools Against Smart Phones
Turns out the password can be easily bypassed:
XRY works by first jailbreaking the handset. According to Micro Systemation, no ‘backdoors’ created by Apple used, but instead it makes use of security flaws in the operating system the same way that regular jailbreakers do.
Once the iPhone has been jailbroken, the tool then goes on to ‘brute-force’ the passcode, trying every possible four digit combination until the correct password has been found. Given the limited number of possible combinations for a four-digit passcode—10,000, ranging from 0000 to 9999—this doesn’t take long.
Once the handset has been jailbroken and the passcode guessed, all the data on the handset, including call logs, messages, contacts, GPS data and even keystrokes, can be accessed and examined.
One of the morals is to use an eight-digit passcode.
EDITED TO ADD (4/13): This has been debunked. The 1Password blog has a fairly lengthy post discussing the details of the XRY tool.
The Security of Multi-Word Passphrases
Interesting research on the security of passphrases. From a blog post on the work:
We found about 8,000 phrases using a 20,000 phrase dictionary. Using a very rough estimate for the total number of phrases and some probability calculations, this produced an estimate that passphrase distribution provides only about 20 bits of security against an attacker trying to compromise 1% of available accounts. This is far better than passwords, which are usually under 10 bits by this same metric, but not high enough to make online guessing impractical without proper rate-limiting. Curiously, it’s close to estimates made using Kuo et al.’s published numbers on mnemonic phrases. It also shows that significant numbers of people will blatantly ignore security advice about choosing nonsense phrases and choose things like “Manchester United” or “Harry Potter.”
[…]
This led us to ask, if in the worst case users chose multi-word passphrases with a distribution identical to English speech, how secure would this be? Using the large Google n-gram corpus we can answer this question for phrases of up to 5 words. The results are discouraging: by our metrics, even 5-word phrases would be highly insecure against offline attacks, with fewer than 30 bits of work compromising over half of users. The returns appear to rapidly diminish as more words are required. This has potentially serious implications for applications like PGP private keys, which are often encrypted using a passphrase. Users are clearly more random in “passphrase English” than in actual English, but unless it’s dramatically more random the underlying natural language simply isn’t random enough.
Sidebar photo of Bruce Schneier by Joe MacInnis.