PC PORTAL

hackers

April 2, 2019 By PC Portal

Password-less future moves closer as Google takes FIDO2 for a walk

For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point.

At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name, because people still need to authenticate to their devices using a PIN or a biometric identifier like a fingerprint. It’s more accurate to say FIDO2 authentication, but, not surprisingly, the term ‘password-less’ seems to have caught the imagination.

Wired reported that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, using the same FIDO2 standard. One caveat: Microsoft’s option requires the Edge browser on the Windows 10 1809 build. So, the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.

It’s not what you know

I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave the way for users to authenticate primarily using ‘something they have’ – the phone – rather than ‘something they know’ – the password. While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in the case of a password. Only a public key is exchanged between the user and the website.”

From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in the past few years are because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The Have I Been Pwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.

“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes an onerous task of remembering passwords away from individuals,” she said.

Don’t try to cache me

Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, it will need to put in place measures in the form of education, process and technology to ensure the secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour, like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha.

That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”

The credential conundrum

The security industry has struggled with the problem of access and authentication for years. It hasn’t helped matters by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action: people choose a really simple password, or one that barely changes from the one they’d been using before.

For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.

Poor password advice

Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.
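The ‘Password1’ problem from the previous section is easy to see in code. The following is an added example written for this page in Node.js, not code from the post or from NIST: it puts the older complexity rule as the post describes it beside a check in the spirit of the revised guidance, which judges length and whether a value is already known-bad rather than which character classes it contains. The blocklist and the sample passwords are constructed for the example; the eight-character minimum and the comparison against a list of common or compromised passwords follow NIST Special Publication 800-63B, while the trailing-digit normalisation is this example’s own choice.

```javascript
// Added example, not from the original post: the complexity rule the post
// describes beside a check in the spirit of NIST's revised guidance.

// Older advice as the post describes it: at least seven characters, including
// numbers, capital letters or special characters.
function meetsLegacyComplexity(password) {
  const longEnough = password.length >= 7;
  const hasDigit = /[0-9]/.test(password);
  const hasUpper = /[A-Z]/.test(password);
  const hasSpecial = /[!@#$%^&*()_+\-=[\]{};':"\\|,.<>\/?]/.test(password);
  return longEnough && (hasDigit || hasUpper || hasSpecial);
}

// Constructed stand-in for a common/compromised-password list. A real
// deployment would use a far larger corpus (the post names Have I Been Pwned
// as one source of breached passwords); these entries are illustrative only.
const BLOCKLIST = new Set([
  'password', 'password1', 'password123', 'qwerty', '123456',
  'letmein', 'welcome', 'welcome1',
]);

// Revised-guidance check: minimum length plus a blocklist comparison, with no
// composition rule. The 8-character minimum and the blocklist idea are from
// NIST SP 800-63B; stripping a trailing digit or '!' before the lookup is our
// own addition to catch the most common tweaks to a blocked word.
function meetsModernGuidance(password, blocklist = BLOCKLIST) {
  if (password.length < 8) return false;
  const normalised = password.toLowerCase();
  if (blocklist.has(normalised)) return false;
  const stripped = normalised.replace(/[0-9!]+$/, '');
  if (stripped && blocklist.has(stripped)) return false;
  return true;
}

function evaluate(password) {
  return {
    password,
    legacy: meetsLegacyComplexity(password),
    modern: meetsModernGuidance(password),
  };
}

// Constructed samples, including the post's own 'Password1'.
const SAMPLES = ['Password1', 'Welcome1!', 'Maple7Harbour', 'blue kettle orbits quietly'];

console.table(SAMPLES.map(evaluate));
// 'Password1' and 'Welcome1!' pass the legacy rule but fail the modern check;
// the four-word passphrase fails the legacy rule and passes the modern one.
```

The passphrase row is the one to notice: under the composition rule it is rejected for having no digit or capital, while under the revised approach its length carries it, which is exactly the mismatch Burr was pointing at.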

As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.

Until your organisation implements password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password, along with two-factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because using the same phrase over and over again puts them at risk if attackers compromise any one of those sites. Once attackers get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!

The post Password-less future moves closer as Google takes FIDO2 for a walk appeared first on BH Consulting.

Filed Under: Data Protection and Privacy, hackers, IT Security, Security Tools, Tools Tagged With: InfoSec, Security, Security Awareness, syndicated

May 10, 2018 By PC Portal

Security newsround: May 2018

We round up reporting and research from across the web about the latest security news and developments. This month: police success against cyber villains, the value of personal data, IoT security, a new ransomware strain, a new security framework and Gmail goes for 2FA.

Law’s long arm collars cyber crooks

Police forces scored three big wins against various cybercrime operations recently. In late April, authorities took down WebStresser.org, one of the world’s most popular marketplaces for launching DDoS attacks. Reuters reported that WebStresser was behind attacks on seven of Britain’s largest banks last November. The service is also alleged to have been responsible for four million attacks since 2015 against governments, police services, and businesses.

The Dutch Politie and the UK’s National Crime Agency led ‘Operation Power Off’, supported by Europol and a dozen other law enforcement agencies. They arrested alleged WebStresser administrators in four countries, seized infrastructure, and took unspecified “further measures” against some of its top users.

Before police pulled the plug, WebStresser had amassed 136,000 registered users. Threatpost aptly described WebStresser as a “criminal fantasy dream site”. It reported that there are 6.5 million DDoS attacks per year on average, earning attackers $13 million in revenue.

In separate operations, a coalition of eight countries led by Belgium took down propaganda broadcasting infrastructure of the Islamic State. Authorities targeted web assets of Amaq News Agency, an online media outlet which authorities called “the main mouthpiece of IS”. The same action also took down other IS-branded media outlets.

Completing the hat-trick, cybercrime teams from Dutch police seized the Anon-IB forum in an investigation relating to criminal offences. Vice Motherboard described Anon-IB as “possibly the most infamous site focused on revenge porn – explicit or intimate images of people shared without their consent”.

We’re always pleased to see law enforcement prevail in the fight against cybercrime. BH Consulting has been a partner of Europol for years. In 2013, our CEO Brian Honan was appointed as a special advisor on internet security to Europol’s CyberCrime Centre (EC3).

What’s your data worth?

If data is the new oil, there’s no shortage of ways that criminals can refine it for profit. As this post from Dark Reading makes clear, stolen data has many purposes that security teams need to know about. Crimes range from stolen IP to filing fraudulent tax rebates to schemes for stealing money, Steve Zurier wrote. Once hackers hold an inventory of stolen data, they package up and sell personal information such as names, addresses, phone numbers, and email addresses. They usually sell this data in bulk to maximise their profits. The more recent the records, the more value they fetch on the black market, Zurier said.

The question of what our data is worth in the digital economy is especially resonant and relevant in light of the recent Facebook/Cambridge Analytica scandal. Not to mention a certain four-letter privacy regulation. In Medium, Rik Ferguson of Trend Micro wrote a thoughtful post that considers the value of our personal information in the online economy. Data, he wrote, “unlike oil … is not burned up when used, but can be sold and resold, mined and reused”.

There’s plenty to chew on for privacy and security professionals. Rik wrote: “Our data is cataloged and combined with the traces we leave behind in the physical world, correlated and mined to reach conclusions far beyond those we might perhaps be comfortable with publicising, and then sold as a commodity or a subscription-based service to any interested party. It is an industry based on our ignorance and our nonchalance.”

Securing all the things

ENISA has developed a free interactive tool based on its baseline security recommendations for the Internet of Things. This lets anyone working on IoT projects search and identify good practices. The tool is available to download here, and this page also includes a help guide. It’s based on the agency’s original study on IoT security which it published last year. The new tool is timely, as criminals have apparently begun exploiting IoT as another way to profit from cryptocurrency mining. Trend Micro researchers identified malware that hijacks the processing power of IoT devices and smartphones to mine for cryptocurrency. As Lesley Carhart of Dragos jokingly tweeted: “Your router and your IOT thermostat should really beep like your smoke detector when it’s missing a critical security patch.”

Prepare for a summer of SamSam?

Researchers are warning of criminals taking a new approach to ransomware infections. Sophos analysed the SamSam variant and found criminals carefully choose target organisations. They then launch thousands of copies of SamSam onto that organisation’s computers all at once. Once the infection has hit, the criminals offer victims a volume discount to clean all machines. This differs from the usual spam-like scattergun approach to ransomware of sending one malware copy to multiple possible targets. “The cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP)”, the researchers wrote. Here’s ThreatPost’s writeup of the research. Sophos’ own blog describes the findings, and here’s a link to the technical paper.
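The second entry point Sophos names, password guessing against exposed RDP, leaves a recognisable trace in Windows security logs. The following is an added example written for this page in Node.js, not code from the post or from Sophos: it reads failed-logon records, keeps only remote-interactive (RDP) failures, and flags any source address with many failures inside a short window. The log lines are constructed in a simplified one-line-per-event format rather than a real Windows export; event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive) are the genuine Windows values, while the field names are this example’s own.

```javascript
// Added example, not from the original post: flag a source address that racks
// up many failed RDP logons in a short window, the pattern password guessing
// against an exposed Remote Desktop service leaves in the security log.

// Constructed sample export. The one-line format and field names are our own
// simplification; 4625 = failed logon, 4624 = successful logon, logon type 10 =
// RemoteInteractive (RDP), logon type 2 = interactive at the console.
const SAMPLE_EVENTS = [
  '2018-04-30T02:10:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7',
  '2018-04-30T02:10:04Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7',
  '2018-04-30T02:10:07Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7',
  '2018-04-30T02:10:09Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7',
  '2018-04-30T02:10:12Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7',
  '2018-04-30T02:10:15Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7',
  '2018-04-30T02:11:30Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20',
  '2018-04-30T02:25:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20',
  '2018-04-30T02:25:10Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20',
  '2018-04-30T02:30:00Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1',
];

const EVENT_RE = /^(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)$/;

// Parse one record; returns null for lines that do not match the format.
function parseEvent(line) {
  const m = EVENT_RE.exec(line);
  if (!m) return null;
  return {
    time: Date.parse(m[1]),
    eventId: Number(m[2]),
    logonType: Number(m[3]),
    user: m[4],
    source: m[5],
  };
}

// Sliding window per source address: alert when at least `threshold` failed
// RDP logons fall inside any `windowSeconds` span. Successful logons, local
// console failures and unparseable lines are ignored.
function detectRdpBruteForce(lines, { threshold = 5, windowSeconds = 60 } = {}) {
  const bySource = new Map();
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev || ev.eventId !== 4625 || ev.logonType !== 10) continue;
    if (!bySource.has(ev.source)) bySource.set(ev.source, []);
    bySource.get(ev.source).push(ev);
  }

  const alerts = [];
  for (const [source, events] of bySource) {
    events.sort((a, b) => a.time - b.time);
    let best = { count: 0, start: 0, end: 0 };
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Advance the window start until the span fits inside windowSeconds.
      while (events[end].time - events[start].time > windowSeconds * 1000) start++;
      const count = end - start + 1;
      if (count > best.count) best = { count, start, end };
    }
    if (best.count >= threshold) {
      const slice = events.slice(best.start, best.end + 1);
      alerts.push({
        source,
        failures: best.count,
        users: [...new Set(slice.map((e) => e.user))],
        firstSeen: new Date(slice[0].time).toISOString(),
        lastSeen: new Date(slice[slice.length - 1].time).toISOString(),
      });
    }
  }
  return alerts;
}

console.log(detectRdpBruteForce(SAMPLE_EVENTS));
// expected: one alert for 203.0.113.7 with 6 failures across 4 usernames
```

The threshold and window are deliberately parameters: a busy jump host will need looser values than a server that should see no RDP logons from the internet at all, and the spread of usernames per source is as telling as the count, since a single user mistyping a password does not cycle through ‘administrator’, ‘admin’ and ‘backup’.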

Guidelines in the NIST

The US National Institute of Standards and Technology (NIST) has released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. This updates the original version 1.0, which proved popular on its release in February 2014. Version 1.1’s updated guidelines cover authentication and identity, cybersecurity risk self-assessment, supply chain security management, and vulnerability disclosure. NIST programme manager Matt Barrett said the framework is flexible enough to meet an individual organisation’s business or mission needs. It applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things. Later this year, NIST will release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity. NIST’s press release is here and the framework is available free in PDF at this link.

Google beefs up Gmail security

Two-factor authentication got a shot in the arm after Google added this security feature for its Gmail app last month. Also called two-step verification, this sends a prompt to a user’s phone when they access their Gmail account on another computer. Naked Security said this is more secure than sending an SMS code to the phone, which can be vulnerable to fraud. It also pointed out that ease of use will encourage more people to use it, as take-up of 2FA to date has been low. Why does this matter? Here’s how many Gmail users there are in the world: 1.2 billion, to be exact. Google has more details on its blog. If you or your users still prefer passwords, here’s our advice from last year on how to choose better ones.


The post Security newsround: May 2018 appeared first on BH Consulting.

Filed Under: Cloud Security, Computer Viruses, Cyber Crime, Data Protection and Privacy, ENISA, hackers, IT Security, Security newsround, Standards Tagged With: ransomware, Security, syndicated, Uncategorized


Copyright © 2019 · PC PORTAL