Industry Intel

When it comes to digital security, little is as important as knowing how to create a strong password. An ideal password is easy enough to remember so that it doesn’t need to be written down, yet complex enough to prevent someone else from guessing it. For many, this is a challenging and even frustrating experience, a delicate balancing act. However, there are a few techniques that can help you to reliably create strong passwords. The first thing to know is what passwords you should NEVER use.

SplashData, an online security company who’s “SplashID” software allows you to securely store your passwords, has recently released a list of the Worst Passwords of 2015. This list was compiled from more than 2 million passwords that were publicly leaked during the last year:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx (first two columns of main keys on a standard keyboard)
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop (top row of keys on a standard keyboard)
23. solo
24. passw0rd
25. starwars

This is the fifth year that SplashData has released a Top 25 list, and many of the entries have been seen year after year. The passwords “123456” and “password” have been the top two entries since SplashData has started publishing an annual Top 25 list. However, due to the popularity of “Star Wars: The Force Awakens”, this is the first year that related passwords like “solo”, “princess”, and “starwars” have appeared on the list.

What we can take away from this list is that many people continue to put themselves at risk by using weak, easily guessed passwords. “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” Morgan Slain, CEO of SplashData, said in a statement.

“As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

So, what can you do to ensure that your passwords are strong?

• Avoid using full words and names. Hackers regularly use “dictionary attacks” to guess passwords, and any word or name that is commonly known is considered unsafe to use.
• Create passwords or passphrases of twelve characters or more with mixed types of characters. A password longer than 12 characters, if created with the appropriate complexity, will be nearly impossible to guess quickly.
• Use a different password for each website you log into. If someone is able to discover your password for one site, they will not be able to use that same password to log into another site with your information.
• Use a password manager such as LastPass or SplashID to organize and protect passwords, generate random passwords, and automatically log into websites. This is also a feature that is offered with some Webroot SecureAnywhere software packages.
• Test your password for complexity with a password checker, such as Password Meter.

To create a strong password, try using the “Letter/Number Substitution” technique, which generate seemingly random jumbles of letters and numbers that only you would remember. First, think of a phrase that you want to associate with the site or service you are setting up.

• Example: “testpassword” (DO NOT USE)

Next, substitute characters for some of the letters using numbers and special characters which resemble those letters.

• Example: “t3$9@S$w0rD” (DO NOT USE)

This example password is rated as 100% “Very Strong” using the Password Meter. By using this technique with even longer words in combination with numbers or special characters placed between the words, you can create passwords that will be nearly impossible to guess. With these tips in mind, you can ensure that your password won’t appear on next year’s list!

A lot happens in the security world, some big and some small, and many stories get lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot ThreatBrief, highlighting 5 major security news stories of the week.

Kiev Airport Cyber Attack

In recent weeks, Ukraine’s infrastructure has been under attack by Russian hacktivists, with Kiev’s main airport as the primary focus of the latest attack. It would seem that the BlackEnergy malware platform was in use, once again, to gain access to several computers on the airport’s network, including access to air traffic control systems. Ukrainian authorities are still unsure if the Russian government is involved, as this string of attacks comes at a volatile time for both countries.

Read More: http://www.reuters.com/article/us-ukraine-cybersecurity-malware-idUSKCN0UW0R0

British Banks Fighting Malware Improvements

With over a dozen British banks being targetted by the persistent banking trojan, known as Dridex, it’s latest update is capable of altering crucial DNS settings. By changing these settings, it directs the unknowing user to a fake banking website, which allows sensitive information to be gathered and sent off to a command-and-control server for verification. Dridex is most commonly transmitted using macro-enabled MS Office documents sent as attachments via email.

Read More: http://www.csoonline.com/article/3024323/security/dridex-banking-malware-adds-a-new-trick.html#tk.rss_news

Top US Cities Hit With Malware in 2015

In the past week, a study revealed the cities in the US that were the most common targets for malware attacks in 2015; the highest being Little Rock, Tampa, St. Louis, Orlando, and Denver. Each of the top five cities had rates over 650% of the national average, with Little Rock reaching 1,412% above. While it is unclear whether geographical location has any effect, the New England region was not present in the top 20 regions listed.

Read More: http://www.networkworld.com/article/3023432/malware-cybercrime/little-rock-tampa-and-st-louis-hardest-hit-by-malware-among-us-cities-study-finds.html

Encryption Still Major Issue for Companies

Encryption issues have plagued companies and customers alike for many years, and there are no signs of it slowing, as many companies still refuse to implement it on a widescale. This comes as no surprise as nearly two-thirds of companies only use encryption for “proprietary company data”, while most companies cite “employee data” as their reason for implementing encryption at all, it seems to be often pushed aside or forgotten.

Read More: https://nakedsecurity.sophos.com/2016/01/19/survey-shows-many-businesses-arent-encrypting-private-employee-data/

Apple Corrects Cookie Theft Bug

It was noted recently that a bug found in Apple’s iOS that allowed for unauthorized access to unencrypted website cookies has been resolved with the release of iOS 9.2.1. The bug itself could allow attackers to impersonate unsuspecting users on their commonly browsed sites, and allow for a malicious javascript payload to execute on subsequent site visits.

Read More: http://arstechnica.com/security/2016/01/ios-cookie-theft-bug-allowed-hackers-to-impersonate-users/

This week, we held our first BrightTALK webinar of 2016 (January 19th), talking about crypto-ransomware. I’ve got to admit I’m always overwhelmed at the numbers of people interested in this as a topic, and I called in help from one of our top threat researchers Tyler Moffitt to help me out with answering the more technical questions. In fact, Tyler and I double-handed the presentation as we’re both getting used to discussing the issues. It always helps when you have a real expert on hand, my background isn’t a coding one.

We tried as always to be terrifyingly truthful. At Webroot, we have had a lot of success with our next-generation behavioral approach of stopping customers from getting infected by all the variants of Crypto. Inevitably that leads to malware authors’ taking an interest in finding ways around our defenses, which admittedly has lead to a few very regrettable failures in stopping the infections) Right now though we are holding our own and, in fact, have been forced to innovate more to be even better at stopping this threat.

None-the-less, we do not believe we can stop every crypto threat, but we do believe we can protect against these attacks far faster and more effectively than other endpoint solutions. I might add no testing or results I’ve seen anywhere else or claims from expensive machine learning next generation vendors makes me believe anything different. There are a lot of Emperor’s new clothes out there, and as my namesake Hans Christian Andersen’s points out, “They haven’t got anything on!”

I’ve also done something I don’t normally do and that’s send out slides to those that requested them, if for a good reason. Which usually is to persuade a recalcitrant or unbelieving customer they need to spend some cash on protecting their only real asset, their irreplaceable data. I did mention a story I was told by a Webroot Partner in Australia about a friend (not a Client of his) who’d paid-up AUS $100,000 to get his server unencrypted after an attack, much what the FBI were forced to admit they often advise too.

These days if the crypto-ransomware has encrypted your files and unless you have other precautions in place, you are in trouble. Even paying up is not a guarantee. And this isn’t just for businesses but home consumers as well; this infection will and does target anyone with a connected PC.

The presentation which I am referring to above can be accessed here: https://www.brighttalk.com/webcast/8241/181075. This is a very logical approach when it comes to discussing what crypto-ransomware is; it’s history; its variants; some ways it avoids detection and probably most valuable what to do to protect yourself from having to pay extortion money for your own data.

On a more emotional level, I’d like to take the treasured programming from the malware authors of crypto-ransomware and delete it forever. I’m sure they’d agree with their own assertion that CryptoWall is not malicious. I agree it isn’t – it’s pure evil in a digital age.

A lot happens in the security world, some big and some small, and many stories get lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot ThreatBrief, highlighting 5 major security news stories of the week.

Fitbit Accounts Hacked

On Monday of this week, it was reported that dozens of Fitbit accounts had been accessed, with users information leaking to external sites. According to Fitbit, customer’s usernames, passwords, and location information were accessed, likely from customers reusing passwords for multiple website logins. Fitbit doesn’t currently use two-step authentication for account security, but that is likely to change in the coming months.

Read More: https://nakedsecurity.sophos.com/2016/01/11/fitbit-users-fall-victim-to-account-takeovers-dont-reuse-passwords/

Industrial Sized Vulnerabilities

Having devices connected to a network is always a risky proposition, especially when the devices in question are industrial motors; running power plants, water treatment plants, and other large infrastructure systems. Recently, a vulnerability was found that would allow unauthorized read and write access to the drives, thus allowing the motor speed to fluctuate or rise to unsafe levels.  The vulnerability has been found in several variable-frequency drives currently available on the market.

Read More: http://www.wired.com/2016/01/an-easy-way-for-hackers-to-remotely-burn-industrial-motors/

Japanese Banks Attacked

Recently, the Rovnix banking trojan, which has been quite prevalent in Europe, has bridged the language barrier and aimed itself at the Japanese banking system. The infection is commonly spread through email attachments, which contain the malicious payload in an otherwise unsuspecting email. Using web injection, Rovnix is capable of loading an imitation page of the targetted bank and allow users to login normally, while logging that information externally.

Read More: http://www.darkreading.com/vulnerabilities—threats/japanese-banks-targeted-with-new-rovnix-trojan/d/d-id/1323818?

Nissan Sites Hit with DDoS Attack

With the Detroit Auto Show taking place this week, it could only be coincidental that Nissan’s global and Japanese sites have been the main focus of a DDoS attack, in response to whale and dolphin hunting by Japanese hunters. Nissan appears to have been targetted, not due to their stance on hunting, but because they are a major Japanese corporation and the attack would bring national attention to the whaling issue.

Read More: http://www.bbc.com/news/technology-35306206

NSA Code Found in Juniper Software

In the last week, Juniper Networks have announced they will no longer be using a particular piece of code that may have been linked to the NSA, to allow monitoring of private network sessions. The code used a mathematical constant that was generated using Dual Elliptic Curve, which is not only untrusted, but was widely distributed via government contracted software kits.

Read More: http://www.businessinsider.com/r-juniper-networks-will-drop-code-tied-to-national-security-agency-2016-1

A lot happens in the security world, some big and some small, and many stories get lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot ThreatBrief, highlighting 5 major security news stories of the week.

Hackers Targeting Ukraine Energy Infrastructure

In the last week, several regions of Ukraine were subjected to electrical blackouts as the result of a malware attack. The malware package, dubbed BlackEnergy back in 2007 when it originally surfaced, has the capability to render machines unbootable, destroy critical systems, and create backdoors into the infected machine.

Read more: http://arstechnica.com/security/2016/01/first-known-hacker-caused-power-outage-signals-troubling-escalation/

Tax Season Security Risks

As tax season approaches, many people are finding themselves as victims of identity fraud. This remains prevalent as many are not as concerned about online security when using government sites and entering personal information. By creating fraudulent sites and using phishing emails disguised as tax information, identity theft is easier and more widespread than ever before.

Read more: http://www.net-security.org/secworld.php?id=19285

Comcast Security Not So Secure

Recently, third-party security vendor Rapid7, discovered a method of infiltrating the Xfinity security system by using a simple radio-jammer to disrupt the wireless signals used to determine if the home is secure or not. This gap in communication would be unnoticed as there is no indication to the homeowner that the “all clear” signal is no longer being received. Fortunately for Comcast customers, the issue is being reviewed and hopefully a solution is found.

Read more: http://arstechnica.com/security/2016/01/comcast-security-flaw-could-help-burglars-break-into-homes-undetected/

Javascript Ransomware on the Rise

At the start of this year, a new variant of RaaS began making headway into the market, labeled Ransom32. This iteration of ransomware comes packaged in a javascript application that allows anyone with a Bitcoin account to run their own Ransomware campaign and customize everything from level of computer lockdown to the amount of Bitcoins to be paid.

Read more: https://www.webroot.com/blog/2016/01/06/ransom32-raas-used-multiple-os/

Thai Police Forces Hacked

In response to the recent court decision regarding the deaths of two British tourists in Thailand, hacker group Anonymous targeted several police websites and took them offline. It is believed that the decision was made hastily and the men accused were charged and executed without solid evidence. An image displayed on many of the Thai police websites states, “Failed law. We want justice!”

Read more: http://news.softpedia.com/news/anonymous-hacks-14-thai-police-websites-to-protest-flawed-murder-investigation-498485.shtml

2015 has been the worst year so far for security breaches.  Although the state of online security reminds me of that scene in Office Space where Peter says that every day you see him is the worst day of his life, there’s a few things you can do to protect yourself against getting your data and online identity stolen.  If you’re looking for a New Year’s resolution that isn’t “I’m going to buy a gym membership and only go for a week”, try this list (it goes to 11!) on for size.

1. Change your passwords, just in case – chances are the password database of some online service that you use has been stolen sometime in 2015.  While most companies don’t store the actual password, they do store a password hash (fancy term for encryption, basically) that can sometimes be used to reverse engineer your password.  That can take some time on a powerful computer, so even though the breach might have happened 6 months ago and nobody’s hacked into your account yet, that doesn’t mean you are safe.  Change your passwords regularly, just like you change the batteries in your smoke detectors.
2. Use a password manager – every security boffin will tell you not to use the same password everywhere.  The problem with that is that we all probably have at least 3 dozen online accounts.  Remembering all those passwords, especially if you change them regularly, just isn’t feasible.  That’s where password managers come in.  Just remember one master password and the password manager software stores all the rest securely for you.  It also fills in your password automatically if you use their browser extension.  Don’t use the browser auto-fill for passwords, as those are usually not stored securely.
3. Use good passwords – don’t use a password that contains any personal information about yourself, such as your birthday, your dog’s name or your favorite flavor of Ben & Jerry’s ice cream.  Using that information makes it easier to break password hashes in the process mentioned in point 1.  Good passwords should be long and random (that’s what she said!).  If you do take the advice in point 2 and use a password manager, they typically offer a secure random password generator.  If not, you can use this website: https://strongpasswordgenerator.com/
4. Secure your WiFi – when you plugged in that new wireless router you got for Festivus, you probably didn’t realize that you had to change the password on it.  If you don’t then anyone you let on your wifi (or who breaks in) can log in to your router and do whatever they like.  While the wireless security might also be on by default, it doesn’t hurt to check and make sure it is using the strongest security setting, which is the WPA2 protocol.  To log into your router you generally have to look at the info on the bottom of the device to see how to login and what the default login and password are.  Typically you’ll put the IP address of the router into your browser to get started.  If the only association you have when I mention IP is a joke about a book called The Yellow River, then find the nerdy kid who lives on your street (the one wearing glasses and a Minecraft shirt) and offer them a $25 Gamestop gift card to come secure your router for you.  Remember to notify the kid’s parents first so they don’t think you’re kidnapping him or her.
5. Change your PIN to something unpredictable – analysis of debit card PINs shows that over a quarter of them are one of 20 common combinations such as 1234 or 0000.  If your PIN is one of the 20 on this list, then go change it right now to something that isn’t on the list.  Also, saying “PIN number” is redundant since PIN stands for “Personal identification number”, so stop saying that.
6. Freeze your credit – if you get your identity stolen you’ll eventually get it sorted out.  The problem is that will take hundreds of hours of your time, and you might not have access to your bank accounts until you get it cleared up.  Have you tried living without money lately?  It’s not a lot of fun.  If you want a story scarier than the Krampus movie, read this.  You can regularly check your credit reports for new accounts that you didn’t open, but an ounce of prevention is always best.  Call up the credit agencies and freeze your credit.  That way nobody, including you, can open new lines of credit without first unfreezing using a secure procedure.  It’ll also stop you from impulse buying a new Mustang that you can’t afford.  The FTC has a handy guide here.
7. Turn on two-factor authentication – two-factor authentication is one of the typical stupid names that techies come up with when naming technology.  It should be called something self-explanatory such as “confirm my identity”.  What it means is that when you log into an online service, they text you a passcode after you’ve logged in.  You have to type in the code they text to your phone to confirm it’s really you.  This makes sure that you not only know the password but also have access to your own phone.  Two ways of identifying you – that’s what the phrase “two-factor authentication” means in plain English.   It’s unlikely that a thief will be able to steal your password and your phone at the same time, which is why this makes things more secure.  Good banks and credit unions will have this enabled by default.  Some of your online services or banks might not have it turned on by default, which is dumb of them.  If that’s the case, go into the settings and turn it on, or call them and ask them to turn it on for you.  If your bank or credit union doesn’t offer 2FA (to make the phrase two-factor authentication even more obtuse) then it’s time to switch banking institutions.
8. Enable a PIN on your phone – yes it’s annoying.  If it bothers you that much, get a phone with a fingerprint reader.  If you don’t, then whoever finds your phone after you leave it in the bar at 3am will have your entire life at their fingertips.  They can reset all your passwords because they have access to your email.  Then they can clean out your bank accounts and leave you with something worse than a hangover the next morning.
9. Don’t believe anyone who contacts you – you know that guy who comes up to you at the gas station with an empty gas can and a story about a lost wallet?  He’s a con man.  Same goes for the person who calls you pretending to be Microsoft or the email pretending to be from Paypal.  If someone initiates contact with you then chances are they aren’t who they say they are.  If someone calls saying they are from your bank, from the IT department or from Microsoft and starts asking you for credit card numbers, passwords, or to remote into your computer, then hang up on them.  The only legitimate call you’ll get from your bank is when their security department calls you in the middle of your holiday shopping spree to verify that you are the one who made those rash purchases.  In those cases they’ll tell you what transactions were made with your card and ask you to confirm it was you and not a thief who stole your credit card details.
10. Update all your software – most hackers breaking into online systems use known vulnerabilities that have already been patched.  They look for computers that haven’t been updated to the latest patches.  Run Windows Update to update your operating system and also update any other software you use regularly.  That software will generally have a menu option to check for updates under the Help or About drop-down menu.  Well-written software will check for updates automatically.  A lot of software is not well written.
11. Don’t open email attachments – especially from people you don’t know.  Even if the email looks like it is from someone you know, it could be that their email account was hacked.  If they didn’t tell you previously to expect an email with an attachment, then don’t open it.  If you get a suspicious email from a friend or family member, call them up and ask them if they really sent it and why they attached a word document that it’s really, really important that you open right now.  Most likely they’ll have no idea what email you are talking about.  For a list of other common online and email scams, check out this page.

Wouldn’t it be nice if technology could be used to make all of the above something you don’t have to think about?  Maybe in about 20 years this will be the case.  In the meantime, it makes sense to spend a few hours protecting yourself now so that you don’t have to spend 100 hours on the phone with banks and creditors sorting out the mess when your identity gets stolen.  Stay safe in 2016!

https://www.youtube.com/watch?v=KOO5S4vxi0o