CounterMeasures - A Security Blog � password

It’s International Change Your Password Day!

Rik Ferguson — Wed, 01 Feb 2012 14:01:41 +0000

under Creative Commons from Arenamontanus' Flickr

Treat your password like your toothbrush, don’t let anyone else use it and change it every six months. (Clifford Stoll)

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals may well already have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple process to achieving this.

First, what NOT to do

- Do not use a word from a dictionary

- Do not use names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

- Do not use the same password for multiple different purposes.

- Do not share you passwords with anyone else, ever.

Brute forcing tools use dictionary attacks and hybrid dictionary attacks (where dictionary words are automatically modified using the common number/special character substitutions). So it is not sufficient to take a dictionary word and just change a few letters to numbers (Password into P455w0rd! for example) these sorts of password can be cracked in a matter of minutes

Here’s how you do it.

1- Think of a phrase you can easily remember, for example:

“Mötley Crüe and Adam and the Ants were the soundtrack of my youth.”

2- Take the initial letter of each of those words:

MCAAATAWTSOMY

This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !£$&+ for example, let’s change cases first:

MCaAatAwtSomY

Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY

As a special point of interest, a great character to include in passwords (if you have a UK keyboard) is the £ symbol, as it is overlooked by many of the mainstream password brute forcing tools, so maybe we could end up with:

Mc+A&tAwTs0mY£

Now you have a secure password, you need to devise a way to differentiate it for each site you use. For example you could put the first and last letters of the web site name at the beginning and end of your complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember!

Guess, I’d better go and change my passwords…

The mystery of the “hacked” Facebook accounts

Rik Ferguson — Wed, 19 Oct 2011 14:30:36 +0000

After a day of investigation it seems that “Team SwaStika” may be attempting to take credit for compromising account details that they really had nothing to do with.

The two lists of hacked accounts (Part 1 and Part 2) have both been circulated online before the Pastebin posts were made by Team SwaStika. The list entitled Part 1 appears to have been doing the rounds on various underground forums for the better part of a year. The second list entitled Part 2 by Team SwaStika is much more recent. The first evidence I can find of the accounts listed in Part 2 is only 19 days old.

A list with content exactly matching this second Pastebin post by Team SwaStika was uploaded to a compromised website by the better known group of hackers Group Hp-Hack. Group Hp-Hack is a Saudi Arabian hacker group that has previously gained notoriety in August of this year for defacing the websites of Joomla Canada and ethicalhackingcourses.com (which remains defaced to this day).

The html list of alleged Facebook logins uploaded to a compromised web server was created in Microsoft Word and has a creation date of 1st October 2011 but was posted with the claim (in Arabic) that the list only represents 10% of the 7 million accounts that were breached by Group Hp-Hack.

Group Hp-Hack defacement

I have informed the owners of the compromised server and advised them to remove the content and once again passed this information to Facebook’s security team

Over 10,000 Facebook account details hacked and published

Rik Ferguson — Tue, 18 Oct 2011 12:02:51 +0000

An update to this investigation is available here.
_____________________________________________________________________________________________________
A hacking group calling themselves “Team Swastika” have published what they claim to be the usernames and passwords for over ten thousand Facebook accounts on Pastebin, an online service for sharing large quantities of text data online. It should be noted that the PR agency for Facebook in the UK gave me the following statement, “This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of e-mail and password combinations that are not associated with any live Facebook accounts“.

Team Swastika are a new arrival on the hacking scene, having announced their “launch” only six days ago. although they have only one tweet to their name they have already caused concern by publishing database tables and user credentials stolen from the websites of the Indian Embassy in Nepal and the Government of Bhutan, apparently by SQL injection attack.

This latest publication of what they claim to be more than ten thousand Facebook user credentials is without context and with no indication of the means by which they were stolen. The posts themselves have already been removed by Pastebin but I managed to get a look at them before this happened…

Stolen credentials for Facebook accounts

The compromised user accounts come from all over the globe, and a quick glance through the list of associated passwords shows that the majority of affected users are not using complex passwords, with many being simply a derivation of the user name, a favourite football club or a short numerical password.

The ongoing effect of such a large scale compromise can be disastrous for affected users, particularly if the password is shared for multiple accounts. It can lead to compromise of the victim’s email account which can act as the skeleton key for many other online services, as any password reset procedure will normally pass through the account owner’s email inbox for verification. regaining control of a compromised account can be a costly and time consuming process, as this recent victim explains.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to achieve this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

I have not verified if the credentials as posted are legitimate, for reasons of privacy, but have passed the full list of affected accounts on to Facebook security so that they can warn and protect their users.

Sony (not) hacked

Rik Ferguson — Wed, 12 Oct 2011 13:45:25 +0000

Enter your password

News reports today are characterising an attack against the Sony PlayStation Network (PSN) and Sony Entertainment Online (SOE) as “another hack” or “Sony hacked again“. However, according to a blog post from Sony’s SVP and Chief Information Security Officer, that simply isn’t the case.

The attack against PSN accounts belonging to Sony subscribers went like this… Person or persons unknown, built or obtained a database of username and password pairs which they attempted to use to log into the PSN and SOE. The “overwhelming majority” of access attempts using these pairs of credentials failed, in fact less than 0.1% were successful. For this reason Sony suspect that the credentials used were not stolen from Sony directly, either now or in past intrusions. The database in question was most probably email and password pairs that have been obtained elsewhere but were being used in a brute force attack against Sony, in the knowledge that users have the unfortunate habit of reusing passwords across multiple services.

When Sony detected this irregular activity against its servers it immediately locked out all of the affected accounts and is informing the affected users that they need to change their passwords. Only a small fraction of that 0.1% showed evidence of irregular activity before Sony locked them down, meaning that the damage was successfully contained.

In reality this story should not be characterised as a failure over at Sony, but rather a success. Through their own monitoring systems they detected anomalous behaviour, acted quickly to contain the damage and locked out the accounts affected. They are also obliging the affected users to change their service passwords to better secure themselves in the future. Of course given the past intrusion at Sony, there is every possibility that the data does relate to that stolen from Sony earlier but also indicates that the mass password reset policy it instituted after the event served to render the majority of that data unusable.

After all it is not, as Sony have learned to their cost, whether you get attacked that is important, it’s how you deal with it. The lesson for Sony customers is not that Sony hasn’t learned lessons, it is rather that we as users still have some important lessons to learn.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

3 steps to protect yourself from Facejacking

Rik Ferguson — Thu, 26 May 2011 10:16:35 +0000

It’s sometimes difficult to believe but our social networking accounts have become, in many cases, a part of our lives which we entrust with a wealth of sensitive information and personal correspondence. Social media is rapidly overtaking email and instant messaging as the preferred communication medium of a generation, our personal and professional lives coexist within a single inbox that holds in some cases not just our messages but also our more frivolous chats.

I still vividly remember the day when I discovered that my brother had found and read my diary, he marked a star on every page where I had called my girlfriend so he could tell mum how long I had spent on the phone. My anger at the violation of a place to which I had committed my deepest teenage angst was of course incandescent, not to mention I got a phone ban… (I still have the diary, so there’ll be no denying this story, bro).

Anyway, as you can tell, the anger still simmers, it led me to consider today that not only is the social network replacing email and instant messaging, in many ways it is also replacing our diaries or journals. My own Facebook represents a much more complete log of my thoughts and activities than I ever managed to commit to a diary (Samuel Pepys I was not) and I am sure that the more committed facebookers out there post a lot more often than I.

So, what am I here to tell you? How to put the strongest possible lock on your Web 2.0 diary, keep out prying eyes and avoid whatever kinds of bans parents are dishing out these days.

Facebook have built in some great features to stop even a person who has your password from accessing your account, this stuff isn’t new, it’s just underused and under-publicised. If you regularly log in from the same device or devices, you can train Facebook to recognise those machines. You can ensure that if someone tries to log in from an unrecognised device that you are notified immediately (if you’re logged in). You can even make that person enter a code that will be sent as an SMS to your registered mobile phone. So unless the snooper has direct access to your personal computer or your mobile phone, they won’t be facejacking (or the less salubrious term, fraping) you, and if they do have that kind of access, well, your problems might be bigger than just Facebook.

So here’s how:

1 – Log into Facebook and in the top right drop-down Account menu select “Account Settings“.

2 – In the Settings screen that appears, click the Edit link next to “Account Security“.

Make the following changes:

a - Tick the box to enable secure browsing, this will ensure that your communication with Facebook is always encrypted where possible and guard and password stealing tools like Firesheep.

b – Under Login notifications, select whether you would like an email or SMS notification when an unrecognised device tries to access your account.

c – Under Login approvals tick the box to have a security code sent to your mobile device, and you’re all set. Even if someone knows your password, they still won’t be able to login without the security code.

70 million customers affected by the Sony breach

Rik Ferguson — Wed, 27 Apr 2011 07:28:18 +0000

The most recent update update from Sony unfortunately confirms the worst fears of many. Between April 17th and 19th an “unauthorised person” gained access to the personal information of Sony’s more than 70 million customers. The information confirmed stolen is as follows:

– Name
– Address
– Email address
– date of birth
– PlayStation Network/QRiocity login name and password and online ID

Information “possibly obtained”:
– Billing address
– Purchase history
– PlayStation Network/Qriocity password security question responses
– all above data for any dependent accounts (your children’s sub-accounts)

Although there is no evidence at this time that payment card information has been accessed, Sony are “unable to rule out this possibility” and are advising their customers accordingly.

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Aside from this, given the nature of the warning from Sony keep aeather eye on your bank statements for any unauthorised activity.

A new twist on Facebook phishing

Rik Ferguson — Tue, 09 Nov 2010 17:31:54 +0000

Facebook users have alerted me to some worrying looking unsolicited direct messages they have been receiving today.

Facebook Phishing Message

The messages, which purport to come from “FB Customer Care” warn that the unsuspecting victim is due to be “disconnected from our server due to several violations”. The nature of the violations is unspecified, but helpfully the scam artists (for that is indeed what they are) do offer a link where you can “Confirm your identity”

If a user is concerned enough to click the link in the message they will be taken to a replica of the Facebook website claiming to represent Facebook Security. As you can see from the screen grab below, it’s not just about Facebook credentials. These enterprising fraudsters are also after your date of birth and email credentials too!

Facebook phishing site

I have already alerted the incident handlers at Facebook about these scam mesages and now I’ve alerted you. If you’re using Trend Micro we are already blocking access to the related phishing sites.

Facebook beefs up account security

Rik Ferguson — Wed, 13 Oct 2010 08:49:49 +0000

In a very welcome blog post last night, Facebook announced a range of new security measures aimed at reducing the level of account hijacking on the world’s biggest social network.

Used under creative commons from Arenamonatus Flickr photostream

The headline feature is the introduction of one-time passwords on demand. So, if you want to log in to your Facebook account from a less-secure computer, for example a shared PC in a library or airport, then you will no longer need to use your standard Facebook password. Instead Facebook will send you an SMS containing a password that can only be used once and must be used within 20 minutes of being received. If you want to take advantage of this feature when it becomes available in your region, you’ll need to make sure you have a mobile phone number registered on your Facebook account, look in the Account menu top right, click Account Settings and check the Mobile tab.

Other features announced include the ability to see which computers, in which locations are currently logged into your Facebook account. So if you did leave that computer in Helsinki airport accidentally logged into your account, and the walk back is a little too far, you can remotely end that session averting the possibility of unauthorised account access (also maybe you’ll be able to tell if your mum is reading your private messages).

Finally Facebook have also undertaken to regularly prompt users to keep their security information up to date, so that in the event of a hijacked account the matter can be more quickly and easily resolved and legitimate, secure access to the account restored.

Regular prompting is good, don’t wait for Facebook to prompt you though, visit this page to update your information now (you can also add a mobile phone number here).

Kudos to the folk over at Facebook for taking account security seriously, good job.

Safer Social Networking

Rik Ferguson — Thu, 02 Sep 2010 11:12:28 +0000

I was asked recently for a few tips on how to look after yourself online, particularly with regard to social networking. I know many of the people who read this blog are regular users of Facebook & Twitter, so I wanted to share those tips here. It’s by no means an exhaustive list and I didn’t quite make to the catchy “10 top tips” but hopefully there are a few things here that you may not have previously considered.

Image from Philo Nordlund's Flickr stream under creative commons

1 – Familiarise yourself with both the privacy settings and the security policy of any social and professional networking sites you use. If you’re not happy with them, stop using the site.

2 – When you create your profile consider each piece of information that you share and whether if it is necessary or even relevant to that site. Do you need to share telephone numbers for example, maybe if your mail or direct messages come direct to your phone that is enough. Think practically don’t complete a form just because it is in front of you.

3 – When you share content, chat, mail or comment on other people’s posts or profiles never consider your communication to be personal or private. Even if you have made full use of the privacy settings available to you, you cannot be sure your content won’t be copy/pasted, downloaded or otherwise shared more widely without your knowledge.

4 – Most sites offer a means to reset your password should you forget it. This is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

5 – Do not use a single password for multiple different sites, that way if one is compromised you don’t have to worry about the others. Create complex passwords using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your complex password. (Tip: the character £ does not feature in some automated tools for brute forcing passwords so it can be a good one to use. To get that character on a non UK keyboard, hold down the Alt key and tap 0163).

6 – If you receive a friend request from someone you don’t know or recognise, contact them directly before you make the decision to add them to your circle of trust. Ask how they know you, and check they are legitimate. It’s not only your own privacy you are protecting, it’s also that of all your friends.

7 – Consider sorting your friends into groups, in many cases this will allow you to share specific content with specific groups only.

8 – Try to minimise the number of third party apps and services that you install or allow to access your account, learn how to remove or disallow them and get rid of any that you no longer use. Don’t forget even on Twitter once you authorise a service to access your account, that permission remains unless you manually remove it and it also persists through password changes.

9 – Don’t click links in messages or wall posts, even links sent to you by friends without checking first if the person intended to send it to you. The few moments it takes to check could save you from falling for a phishing scam or worse, infecting your computer. You could also be doing your friend a favour if you are letting them know their account is compromised and sending out links.

Belgian pump and dump botnet

Rik Ferguson — Fri, 18 Jun 2010 16:16:36 +0000

According to a report in Belgian newspaper De Tijd, malware has been used to compromise the online portfolios of Belgian investors. The botnet was then used to influence stock prices, making the criminals more than 100,000 Euros. The investigation has remained secret until today.

Image from rednuht's Flickr photostream under Creative Commons

The federal prosecutor and the computer crimes unit of the national police in Belgium were looking into events that took place in 2007. Between April and May 2007 criminals infected the PCs of customers of the the banks Dexia, KBC and Argenta with a bot (the exact nature of the bot is unspecified) which stole the usernames and passwords for online share trading platforms.

The article goes on to detail what appears to be a highly targeted, custom written attack that was able to automate stock trades across the botnet

“With a push of a button the botmaster instructs all the computers to buy or sell the same shares at the same time.“

Of course the criminals behind the enterprise went on to profit from the sharp changes in stock price of the penny stocks that were being manipulated by buying and selling their own shares at exactly the right moments in classic pump-and-dump tactics.

Hein Lannoy from the Belgian Banking, Finance and Insurance Commission (CBFA) is quoted as stating, “After the hack in July 2007 no further similar incidents occurred in the country“. He goes on to say “In April 2009 we sent a circular regarding an improvement in the security standards of our financial institutions. Belgian online banking services are now very heavily protected. We have no jurisdiction to impose our standards on foreign banks in our country.”

However from conversations with a local journalist today it seems that many Belgian banks (in fact most banks globally) are still only offering classical two-factor authentication aimed at authenticating the user rather than the transaction. While this kind of technology would certainly thwart this bot in its current form it is not impossible to defeat. As I have previously blogged banking malware has already evolved to the stage where it can overcome multiple factor user authentication.

With this in mind it is vital that any improvment in online banking security should verify individual transactions rather than simply authenticate the user. The authentication token itself must be capable of accepting direct input relating to the content or the value of the transaction. This can then be verified by both parties and cannot be modified by the malicious “man in the browser”.

Belgian law enforcement are now working with their international counterparts to pursue the offenders.