90% of passwords can be cracked in seconds

More than 90% of user-generated passwords can be made vulnerable to hacking in a matter of seconds, according to new research from Deloitte.

The consulting firm's Canadian Technology, Media & Telecommunications (TMT) Predictions 2013 report covers a range of technology predictions, including the outlook for subscription TV services and 4K televisions, but the vulnerabilities in today’s password practices top the list of things to consider in 2013.

The problem, researchers said, is that everything that we thought to be true must be reconsidered given advances in technology.

“Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust,” said Duncan Stewart, a director of research for the report. “But these can be easily cracked with the emergence of advanced hardware and software.”

For instance, a machine running readily available virtualization software and high-powered graphics processing units can crack any eight-character password in about five hours, he noted.

But as ever, human behavior gets in the way of being safe: specifically, the inability to remember multiple unique 24-character password strings. The limits of most humans’ ability to remember complex credentials mean there is a tendency toward password re-use, which also puts password security at risk. If a hacker cracks even an innocuous account, like a grocery store loyalty card, the credentials are likely to have been used elsewhere, like for online banking. Once a hacker has a password, he or she can potentially have the keys to the cyberkingdom, given most consumers’ behavior.

“Moving to longer passwords or to truly random passwords is unlikely to work, since people just won't use them,” Stewart said.

However, all hope is not lost: Multifactor authentication schemes using tokens, cellphones, credit cards and more are likely solutions. That means that having additional passwords sent through SMS to a phone, a requirement for fingerprints and other biometrics, or even 'tap and go' credit cards may be the norm in the future, he concluded.

Report: U.S. Power Utilities Infected by Malware from USB Drives

BOSTON: A computer virus attacked a turbine control system at a US power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant offline for three weeks, according to a report posted on a US government website.

The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.

It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.

DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.

In addition to not identifying the plants, a DHS spokesman declined to say where they are located.

Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran's nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.

Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are "air gapped," or cut off from the public Internet.

"This is yet another stark reminder that even if a true 'air gap' is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur," he said.

Aging systems

Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have "auto run" features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB drive is plugged into the system unless operators change that setting, Clarke said.

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which helps protect critical US infrastructure, described the incident in a quarterly newsletter that was accessed via its website on Wednesday.

The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as "sophisticated" viruses on workstations that were critical to the operations of a power generation facility.

The report did not say who the agency believed was behind the sophisticated virus or if it was capable of sabotage. DHS uses the term "sophisticated" to describe a wide variety of malicious software that is designed to do things besides commit routine cyber crimes. They include viruses capable of espionage and sabotage.

A DHS spokesman could not immediately be reached to comment on the report.

The Department of Homeland Security almost never identifies critical infrastructure operators that are hit by viruses, or even their locations, but it does provide statistics.

It said ICS-CERT responded to 198 cyber incidents reported by energy companies, public water districts and other infrastructure facilities in the fiscal year ending September 30, 2012.

Attacks against the energy sector represented 41 per cent of the total number of incidents in fiscal 2012. According to the report, ICS-CERT helped 23 oil and natural gas sector organizations after they were hit by a targeted spear-phishing campaign - when emails with malicious content are specifically targeted at their employees.

Most advanced espionage platforms ever discovered

The Red October malware that infected hundreds of computer networks in diplomatic, governmental, and scientific research organizations around the world was one of the most advanced espionage platforms ever discovered, researchers with antivirus provider Kaspersky Lab have concluded.

Its operators had more than 1,000 modules at their disposal, allowing them to craft highly advanced infections that were tailored to the unique configurations of infected machines and the profiles of those who used them. Most of the tasks the components carried out—including extracting e-mail passwords and cryptographically hashed account credentials, downloading files from available FTP servers, and collecting browsing history from Chrome, Firefox, Internet Explorer, and Opera—were one-time events. They relied on dynamic link library code that was received from an attacker server, executed in memory, and then immediately discarded. That plan of attack helps explain why the malware remained undetected by antivirus programs for more than five years.

The malware was also capable of using more traditional Windows EXE files to carry out persistent tasks when necessary. One example was modules that waited for an iPhone, Nokia smartphone, or USB drive to be connected to an infected computer. There were also extensions for the Microsoft Word and Adobe Reader programs that watched for specially crafted documents. When they arrived in e-mail, the modules immediately reinstalled the main malware component, ensuring attackers could regain control of a machine in the event that it had been partially disinfected.

The details are contained in 140 pages of technical analysis that concludes Red October dwarfs most other advanced espionage operations, including the Aurora campaign that targeted Google and three dozen other companies three years ago, or the Night Dragon attacks that penetrated energy companies in 2011. The breathtaking breadth of the malware comes into sharp focus, thanks to the unprecedented level of technical detail.

"According to our knowledge, never before in the history of ITSec has a cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration," Kaspersky researchers wrote.

Many malware analyses suffer from the researchers' lack of access to the victim data or to a large base of the attack code.

"To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months," the report continued. "This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attacks."

Enter Sputnik

Malware in the Red October campaign belongs to a code family Kaspersky has dubbed Sputnik. It infects computers using booby-trapped Microsoft Word and Excel documents, which appear to have exploited vulnerabilities Microsoft had already patched at the time they compromised the computers. With more than 1,000 separate modules to catalog, Kaspersky researchers have broken them into 10 categories. They include:

  • Recon: Short for reconnaissance, these modules are used during the first stage of an attack, immediately after a computer has been infected. They collect general information about the target system so operators can understand how valuable it is and decide what other modules they want to install. These modules also collect browsing history, stored passwords, and FTP client settings using the one-time task method described earlier.
  • Password: Modules in this category extract credentials from an array of programs, including from the secure temporary folder of Microsoft Outlook, and Mail.ru Agent, a popular free application available from Mail.ru. Modules also collect Windows account hashes, apparently for offline cracking.
  • E-mail: Specific modules extract messages and data stored locally by clients such as Outlook and Thunderbird, as well as from remote POP3 or IMAP mail servers. They're capable of dumping message headers and bodies, in addition to attachments with pre-defined file-name extensions.
  • USB Drive: Steals files from drives attached over USB connections. Modules have the ability to collect files with pre-defined extensions, sizes, or dates. They can also use a file-system parser to recognize, restore, and copy deleted Microsoft Office files.
  • Keyboard: Records keystrokes, grabs text entered into password fields, and makes screen captures.
  • Persistence: Contains installers and payload code for Word and Reader plugins used to regain control of previously compromised computers that may have been partially disinfected.
  • Spreading: Scans for hosts on a local network, and then infects them using previously extracted credentials or attacks that exploit unpatched vulnerabilities. One module in this group can use SNMP commands to dump Cisco network router configuration data.
  • Mobile: Dumps valuable information from attached smartphones, including contacts, calendars, SMS and e-mail messages. Some modules can check to see if a device is jailbroken.
  • Exfiltration: Transfers data stored on local hard drives and available FTP servers and remote network shares to command servers controlled by the attackers. Unlike the Recon modules above, these modules run repeatedly.
  • USB Infection: Copies execution logs and other data files related to the current malware family from USB drives. This is the only one of the categories for which Kaspersky has not been able to retrieve modules.

It's interesting to contrast the sophistication of the Sputnik malware, and the work that went into its engineering, with the rudimentary exploits used to spread it. The exploits discovered so far in the campaign came in e-mails that contained Word and Excel documents that exploited vulnerabilities which in some cases had been patched years earlier. Some of the attack code appears to have been developed by hackers in China and was also used against Tibetan activists and others. It is possible that attackers used additional exploits that have yet to be unearthed.

Holding a candle to Flame

As advanced as Red October's Sputnik family of malware is, it still doesn't outshine Flame, the surveillance and espionage malware that Kaspersky discovered targeting Iran. Among the features that make Flame stand out was its ability to hijack Microsoft's Windows Update mechanism so it could spread from machine to machine over an infected network. To pull off the feat, Flame achieved what's believed to be the only in-the-wild cryptographic collision attack, using a technique that required the expertise of world-class cryptographers.

"In my opinion, Flame is the queen mother of advanced attack methodology," Kaspersky Lab Senior Security Researcher Kurt Baumgartner told Ars. "For example, the complexity and uniqueness of the 'God-mode cheat' used for the Windows Update MiTM replication methods were not challenged by the Red October exploit code re-use."

Still, he said, Red October's "deep level of detail when interacting with and penetrating an environment is new." Further, command and control infrastructure used to coordinate the Red October operation was more developed than the one used by Flame, despite comprising fewer registered domains.

The pitfalls of advertising such ridiculous beliefs

The Web Infrastructure of Westboro Church Continues Getting Attacked...

The hacktivist collective Anonymous, hacker Cosmo The God, and the botmaster known as The Jester, have continued their press against Westboro Baptist Church (WBC), after the group said it would picket the funerals of people killed at the Sandy Hook Elementary School in Newtown, Conn.

Westboro Baptist Church, an independent group that self-identifies as a church, is known for picketing the funerals of members of the armed services who have been killed in action in Iraq and Afghanistan.

On Wednesday, 15-year-old Cosmo The God, who's a member of Underground Nazi Hacktivist Group (UG Nazi), apparently took over the Twitter account of Fred Phelps Jr., who's the son of Westboro leader Fred Phelps Sr. The compromised Twitter page header was changed to read "Ooooooooops!" and bear the name of Cosmo. On Wednesday, multiple tweets began listing the names of the people killed at Sandy Hook Elementary School. The hijacked Twitter account remained active until Thursday morning, at which point it was suspended by Twitter.

Suggesting that the real Cosmo was behind the exploit, a Wednesday tweet from the hacked Twitter account was retweeted by the Cosmo The God Twitter feed, making it the first account activity there since a June 28 post announcing that "me and Josh were arrested early monday morning." Interestingly, the retweet was later missing, which may have been due to Twitter suspending the account of Fred Phelps Jr.

The takeover of Phelps' Twitter account was a repeat of Cosmo's apparent takeover of Westboro spokeswoman Shirley Phelps-Roper's "Dear Shirley" Twitter feed earlier in the week. Cosmo reportedly accomplished the takeover by exploiting a vulnerability in Twitter's trouble-ticket system, which allowed him to close requests from account owners before Twitter had responded to them.

Members of Westboro have yet to publicly respond to the recent Anonymous, Cosmo, or Jester attacks.

Earlier this week, Anonymous released personal details about the group's members, including social security numbers and dates of birth, via Pastebin as well as multiple Twitter channels, including @LulzExecutive and @Shm00pLOL, both of which have since been suspended by Twitter. Anonymous also filed for a death certificate in the name of Phelps-Roper, to prevent her from using her social security number. Anonymous members also have been publishing the phone numbers of hotels in Connecticut where members of the group are staying, and urging people to phone the hotel operators and request that they refuse to do business with Westboro.

Under the banner of #OpWBC -- as well as #OpWestBor -- on Twitter, members of Anonymous also have vowed to dismantle Westboro using every available means. To that end, members of the group have been urging people to sign a White House petition calling for Westboro to be labeled as a "hate group" and to have its tax-exempt church status revoked by the IRS. As of Tuesday, the petition had received more than 227,000 signatures, far in excess of the 25,000 needed to trigger an official response from the White House.

This week, approximately 10 of the 19 websites operated by Westboro also appear to have been disrupted by a hacker and distributed denial-of-service (DDoS) botmaster known as The Jester. He previously has provided assistance to Anonymous when it sought to knock websites offline. According to a Wednesday post to the Jester's Twitter feed: "I'm not trying to violate #WBC's civil rights. I'm just making best use of mine. And I'm non-violent. They hate that."

One reason it had been difficult for Anonymous participants to disrupt the Westboro websites on their own was that Westboro had contracted with DDoS and threat mitigation provider Black Lotus Communications to keep its websites online. But after that fact came to light, Black Lotus announced on Wednesday that it would donate all revenue it has received from Westboro to charity, and began soliciting recommendations for which charities it should choose.

On Twitter, numerous people began lauding Black Lotus for dropping its support for Westboro, and making recommendations for where the money should go.

"We have received overwhelming support for donations to be given to various groups supporting the Newtown community, veterans groups like the Wounded Warrior Project, and LGBT groups like The Trevor Project," Jeffrey Lyon, Black Lotus Communications president, told Wikinews. The company's Twitter channel also called out United Way of Connecticut's Sandy Hook fund as a potential recipient.

Reached by email, Lyon confirmed that the money would be donated to charity, although his company has yet to make a formal announcement. He also confirmed that Westboro would remain a customer, at least for now. "As a security firm, it is our duty to defend our clients even in those cases where we disagree with their actions," he said. "WBC is non-violent and has not put anyone's lives at risk so our supposed authority to terminate the account under terms of service, as suggested by the protesters, is extremely weak. At that point the only option if we chose to cease our relationship would be non-renewal of service at end of term."

He said those facts had been relayed to protesters. "I reached out to @YourAnonNews and asked what they felt the best course of action would be given these facts," said Lyon. "They agreed to ask their supporters if our idea of gifting all ongoing WBC revenue to charity would be a positive outcome and the vast majority agreed."

Furthermore, noting that "the revenue we receive from WBC is very minimal," Lyon said the company would make its own, out-of-pocket donations, beginning with $2,000 to the United Way's Sandy Hook School Support Fund. He said the company planned to make an official announcement later this week.

Free Antivirus v. Commercial Antivirus

It’s often the case when I set out and write a news feature that I typically end up with far more copy than space allotted in our print edition. My most recent feature on Windows 8 security is no exception. Thank goodness for this blog, and its ability to serve as a venue for all those unused bits.

Below is content I had planned as a sidebar to accompany the story, but space being at a premium, I grudgingly gave it the axe. The content, however, still has some value.

As I researched initial reactions to Windows 8 security, one of the questions I asked everyone interviewed was whether the new Windows Defender security suite that comes pre-installed on Windows 8 machines would spell the end of stand-alone commercial anti-virus. After all, why would someone pay for something when they can get a similar tool for free? The question seems entirely appropriate given our recent coverage on anti-virus market share, which shows Microsoft’s free Security Essentials gobbling up some of the competition. Here is what some of the experts I interviewed said about the topic…

Killing it Softly?

Aryeh Goretsky, a researcher with security firm ESET, recently wrote a white paper evaluating the new security features of Windows 8. The new operating system will come with the pre-installed Windows Defender security suite, which has led some to predict the demise of commercial anti-virus offerings. It’s a prediction we have heard many times, Goretsky reminds us.

“Windows Defender as included with Windows 8 is a good product and does, in fact, provide a decent level of protection, especially when compared against other free anti-malware programs. However,” he added, “Windows Defender does not contain many of the advanced features of paid-for solutions… As with other free anti-malware programs, support options for Windows Defender are limited.” Perhaps we shouldn’t be surprised by Goretsky’s assessment because, after all, he does his research on behalf of one of the world’s largest security firms – one that happens to offer commercial anti-virus products.

IEEE’s Kevin Curran says the beginning of the end for commercial AV came some time ago, with the introduction of Microsoft’s free Security Essentials. “Microsoft realized that they had to take control of security themselves,” he offers up in analysis. PC manufacturers’ channel deals with commercial providers, Curran noted, mean they will continue to ship pre-installed AV on machines, with less tech-savvy people continuing to purchase and renew these products. “I feel sorry for these people,” he admitted, adding that there are plenty of effective, free offerings available. Curran stated there will always be a market for commercial AV because of this, “but I wouldn’t buy shares in an anti-virus company,” he said jokingly.

Forensic analyst Paul Henry admitted that he’s been using Microsoft’s free anti-malware tools for some time. “And as bad as the catch rate is on signature-based AV, I just abandoned the commercial stuff and went to [Microsoft’s free version] myself, even in my own forensics lab. I’ve been pretty happy with it.”

“We can stop asking consumers to go out and buy anti-virus – it’s just built in,” remarked Stephen Sprague of Wave Systems. “You have a solution that’s in the box.”

Sprague doesn’t see legacy AV providers disappearing anytime soon, reflecting on the fact that most of these companies have diversified their security portfolios. “But I haven’t used third-party anti-virus for a couple of years – I use the Microsoft stuff and it seems to work really well without performance impacts,” he opined.

The Wave Systems CEO said it’s too soon to tell if Windows Defender is the death knell of stand-alone commercial AV, but he believes it could be quite possible: “Hopefully we will look back ten years from now and say, ‘you used to buy software that did that?’”

By Drew Amorosi

Hacking-as-a-service offers access to business systems via Remote Desktop (RDP)

Call it a hacking-as-a-service (HaaS): a group renting network server access for a variety of Fortune 500 companies, including Cisco Systems, is taking advantage of weak passwords to offer logins for cheap. Despite its discovery three weeks ago, the service still appears to be going strong, at last count renting access to nearly 17,000 computers worldwide.

First discovered at the end of last month by security researcher Brian Krebs, the service, dubbed Dedicatexpress, can be used to carry out a variety of ills: email scams, phishing schemes, ransomware campaigns and, of course, more advanced information-gathering initiatives aimed at stealing corporate secrets. Krebs said that almost 300,000 compromised systems have passed through this service since its inception in early 2010.

“Pitching its wares with the slogan, ‘The whole world in one service,’ Dedicatexpress.com advertises hacked RDP servers on several cybercrime forums,” Krebs wrote in his blog. In other words, all of the corporate logins are tied to servers inside company networks that have been legitimately enabled with the Windows Remote Desktop Protocol (RDP) functionality for outside access, but which have been given weak password/user name combos.

Further, it enables targeting. “Though it is not marketed this way, the service allows users to search for hacked RDP servers by entering an Internet address range, an option that comes in handy if you are looking for computers inside of specific organizations,” he said.

Using a list of the IP address ranges assigned to Fortune 500 companies, Krebs did not have to go far in searching the available hacks to find a compromised machine, available for just a few bucks.

“The [Cisco] machine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55,” Krebs noted. “You’ll never guess the credentials assigned to this box: Username: Cisco, password: Cisco.”

Access to Dedicatexpress is granted to new “customers” who contact the service’s owner via instant message and pay a $20 registration fee via WebMoney, a virtual currency. Pricing for access to a corporate server varies according to relative hacking horsepower, as it were, of what’s being sold: processor speed, number of processor cores, download and upload speeds, and the length of time that the hacked RDP server has been continuously available online.

The service, despite Krebs’ alert, is still going strong, according to a BBC report. The moral? Despite the huge security risk these login details and accounts represent, privileged access points are all too often inadequately secured with weak or default passwords, leaving networks vulnerable to attack. So, HaaS offerings are unlikely to fade back into the dark cloud from whence they came.

“The existence of illegal cybercrime services such as ‘Dedicatexpress’ should come as little surprise,” said Matt Middleton-Leal, regional director, UK & Ireland at Cyber-Ark, in an email to Infosecurity. “Cybercriminals have long targeted login details and privileged passwords as an ideal way into a corporate network and to access critical information or cause havoc once inside. Privileged access points include administrative accounts, services and application accounts and enable ‘privileged’ users to log on to a network anonymously, with blanket access to an organization’s critical systems and Intellectual Property, as well as other sensitive data.”
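The defender-side counterpart to the weak-credential problem described above is spotting the password guessing that stocks a service like this. The following is an added example, not code from the article or from Krebs: it scans Windows Security log records (4625 failed logon, 4624 successful logon, LogonType 10 = RDP) for bursts of failures from one source address and escalates when a success follows the burst. The flattened one-line record format, the sample addresses and the account names are constructed for the example.

```python
"""Flag password guessing against RDP from Windows Security event records.

Counts failed RemoteInteractive (LogonType 10) logons per source address inside a
sliding window and escalates when a success follows a burst from the same address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). Field names mirror the Windows
# Security log: 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2013-01-16T09:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2013-01-16T09:00:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2013-01-16T09:00:05 EventID=4625 LogonType=10 TargetUser=cisco SourceIP=203.0.113.7
2013-01-16T09:00:06 EventID=4625 LogonType=10 TargetUser=cisco SourceIP=203.0.113.7
2013-01-16T09:00:08 EventID=4625 LogonType=10 TargetUser=cisco SourceIP=203.0.113.7
2013-01-16T09:00:09 EventID=4624 LogonType=10 TargetUser=cisco SourceIP=203.0.113.7
2013-01-16T09:15:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2013-01-16T09:16:10 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2013-01-16T09:20:00 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse flattened records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts keyed by source IP.

    An address with at least `threshold` failed RDP logons inside `window` is
    flagged as 'guessing'. A later successful RDP logon from that address
    escalates the alert to 'compromised' and records the account that got in.
    A lone typo followed by a success (198.51.100.4 above) is not flagged.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)] of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        ip = ev["ip"]
        if ev["eid"] == 4625:
            recent = [f for f in failures[ip] if ev["ts"] - f[0] <= window]
            recent.append((ev["ts"], ev["user"]))
            failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    ip, {"severity": "guessing", "failures": 0, "users_tried": set()})
                alert["failures"] = max(alert["failures"], len(recent))
                alert["users_tried"].update(u for _, u in recent)
        elif ev["eid"] == 4624 and ip in alerts:
            alerts[ip]["severity"] = "compromised"
            alerts[ip]["account"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

On a real host the same records come from the Security log (Event Viewer or `wevtutil`) rather than the flattened text used here.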
