Tag Archives: passwords

Top 5 Attack Vectors Report: Defend It Before You Hack It

Filed under Defense

Each year my team conducts hundreds of Penetration Tests in a wide variety of industries, ranging from Healthcare to Retail, Finance to Manufacturing, and many more. The team analyzed data collected from each of our penetration tests at SecureState since 2011 and found common themes in the methods of compromise utilized to break into organizations and compromise sensitive information. As a result, SecureState has issued a new report that expands on the attack vectors identified and suggests ways organizations can defend themselves against such attack vectors. SecureState’s 2014 Attack Vectors Report revealed the following Top 5 methods of compromise:

  1. Weak Passwords
  2. Web Management Consoles
  3. Missing Patches and System Misconfigurations
  4. Application Vulnerabilities
  5. Social Engineering

The full report is available for download on the SecureState website. I also presented a webinar (watch the replay here) with Defense team lead Robert Miller, expanding on the report’s findings and offering additional advice to organizations on how to defend against these attack vectors. I highly recommend you download this report to see where your organization stands in regards to these attack vectors.

What’s the bottom line?
The current mindset of many organizations is to only react after an attack or breach has already occurred. However, based on our findings and what the current onslaught of recent breaches has shown us, it’s clear that organizations face the same attacks month after month. Rather than be reactive, the defensive mindset needs to change to a proactive one. Consider focusing time, money and resources on your defensive controls before a penetration test occurs.

A penetration test should be your final step to ensure your defense can withstand an attack and to adjust your defenses if necessary. We’ve seen it time and time again where organizations only conduct an annual penetration test and expect that remediating tactical issues from the penetration test will improve their security posture. This needs to stop! Build and test your defensive controls first, then test to see how these controls hold up. Most of these controls are a mix of tactical and strategic, but reactively focused. By taking a proactive stance on defense, your organization will become much more secure and the time, money and resources spent will provide much more value to the business.

Defend it before you hack it.

Cross-posted from the SecureState Blog


Top 5 Security Settings for Apple iPhones and iPads

Filed under Apple, Mobile Security

Apple mobile devices are among the most popular gadgets today. In fact, Apple reports that 250 million iOS devices have been sold and 18 million apps downloaded. I often find that, while the popularity of these devices increases, many don’t understand the basic security features that Apple makes available to them. Some of you may not even realize that these features exist and how easy they are to use. Let’s walk through the top five security settings for these devices:

#1 – The Passcode
This is the most important security feature of your device. It’s also one of the least configured settings. While it may be a pain to “unlock” your device when you want to use it, it’s also your first line of defense if your device is ever lost or stolen. The key to the passcode is to ensure it’s complex and greater than 4 characters or digits. Never use simple passcodes like “1234” or your ATM PIN number. The two other settings that you need to set are to “Require Passcode Immediately” and set “Simple Passcode” to OFF. You can find these settings under the “Settings” icon then “Passcode Lock”.

#2 – Erase Data
The erase data functionality adds another layer of security to your device. This function will erase all data after 10 failed passcode attempts. What this means is that if someone steals your device and tries to brute force your passcode, if they enter it incorrectly, the device is erased and returned to the factory default settings. Turn “Erase Data” to ON in the Passcode Lock screen.

#3 – Find My iPhone/iPad
If you ever lose or misplace your iPhone or iPad, “Find My iPhone/iPad” is a very important feature to enable. Simply download the application on your device or access it through iCloud (icloud.com). If your device is iOS 4 or below you will need to use the “MobileMe” (me.com) feature instead of iCloud. Either way, you will need to login with your Apple ID to set it up. You can then send the device a message or alert, locate the device on Google Maps, remotely set a passcode, and remotely erase the device. This feature is invaluable if your device is lost or stolen.

#4 – Backup Encryption
One of the more obscure settings that many users don’t set is the “Encrypt Backup” setting, which is found in iTunes. This setting even applies to the new iCloud service in iOS 5. This setting ensures that the backup of your device is encrypted. It goes without saying, if you can access this backup, the data on your device can be accessed and harvested. For example, earlier last year there was a “feature” in which Geolocation data could be easily harvested from the backup file. This has since been remediated, but just think how much information could be harvested about you through an unencrypted backup file.

#5 – Keep iOS Updated
Making sure that you always have the latest version of Apple iOS on your device is important because Apple is always releasing security updates and implementing new security controls. Simply plug your device into iTunes and you will get prompted to update your phone to the latest version. As a side note, don’t Jailbreak your device! Jailbreaking makes many of the built-in security features useless and allows your device to be an easy target for data theft.

Ensuring that you have enabled and configured these security settings on your Apple iOS device is more important than ever. Devices like these are lost or stolen all the time and without taking the proper precautions, your data could be vulnerable. Having conducted Apple iOS device penetration testing assessments at SecureState for our clients, I can tell you how easy it is to break into these devices. It’s easy because the proper basic precautions were not taken. Take five minutes now and enable these settings; you’ll be glad you did.

Cross-posted from the SecureState Blog


Two New Social Media Security White Papers Released

Filed under Social Networks

My employer (SecureState) has released two white papers as part of our Social Media Security Awareness Month.  You can also download some cool wallpaper for this month created by Rob our graphic designer (see the picture on the right).  :-)

First is some research several of my colleagues and I worked on.  The paper is titled: “Profiling User Passwords on Social Networks”.  The paper discusses the password problem that we all know and love as well as how you can determine passwords by what individuals post on their profiles.  We dive into tools from Robin Wood, Mark Baggett and others that can be used to pull keywords from profiles and other sources to create wordlists.  These wordlists can be used for brute force attacks on user accounts.  Next, we look at password complexity of several popular social networks with some research around brute force controls that some of the social networks have implemented, or in some cases haven’t.  Lastly, we discuss some things that users of social networks can do when choosing passwords.  You can download my paper here.

The other paper released is titled: “Security Gaps in Social Media Websites for Children Open Door to Attackers Aiming To Prey On Children” by my colleague Scott White.  In his paper he looks at the security of social media websites specifically designed for children.  This is some very detailed research and sheds some light on how predators are using these sites to target children as well as some issues that are unique to these types of social media websites.  You can download Scott’s paper here.

Speaking of social media…I’ll be presenting “Social Impact: Risks and Rewards of Social Media” at the Information Security Summit this Friday at 10am.  I’ll have the slide deck posted shortly after the conference.


Another Twitter Scam: Twitviewer

Filed under Social Networks

One of the trending topics today on Twitter was “Twitviewer” because of a site called Twitviewer[d0t]net which asks visitors to enter in your Twitter user id and password to find out who is “stalking” you.  When you do, you get a sample of people on Twitter that are not even following you as stated in this Mashable post.  The app also sends out a tweet using your credentials stating: “Want to know whos stalking you on twitter!?: hxxp://TwitViewer[d0t]net”.  If you did fall victim to this you better change your password ASAP!  Check out the screenshot of the site before it was taken down…yeah, phishy indeed.

Who knows what the developers of this application were planning (malicious or others).  Regardless, you should never give a third party site (especially ones that look phishy like this one) your Twitter credentials.  In fact, I recommend you only use third party Twitter sites that use OAuth for authenticating you to Twitter.  That way you don’t have to give your credentials to the web site and worry about them being compromised.  Also, look to see what the purpose of the site is before you give the jewels away…if it’s a way to see who’s following you, enter credentials to get millions of followers, etc…then it’s probably a scam or just completely useless.

Think about this.  If the developer of a site like this wanted to they could easily use your captured Twitter credentials and start trying them on other social networks and/or web mail services.  They can then use these credentials for anything else they wanted.  Unfortunately, most users of these sites use the same password for everything.  Again, this is a reminder to use a password manager if you are one of those that use the same user id/password for everything.  See this article for more information on password managers and social media web sites.


Password Length and Complexity for Social Media Sites

Filed under Social Networks

July 1st was “Twittersec” day as coined by @hevnsnt over at I-Hacked.com to designate July 1st as change your Twitter password day. Why? Mostly because July is the “month of Twitter bugs” created by a security researcher in which he will announce a bug in a “3rd party Twitter application” everyday for the month of July to raise awareness on security issues with the Twitter API. Technically, this should be “month of 3rd party” Twitter bugs but whatever. Either way it will raise awareness about some of the security issues of Twitter and 3rd party applications.

ANYWAY, back to my point….I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything…not just social media sites. One problem though is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password like I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is the harder it is to crack so I suggest going as long as you can. Sad that there are these limitations on certain sites (blame the site developers) but if you set your random password generator to a very large number (I recommend at least 20 with a mix of everything you can throw at it including white spaces if the site will let you), it’s as good as you’re going to get.

Keep in mind, some applications even supported by the site (like the Facebook app for BlackBerry and iPhone) might not like passwords over a certain length or even certain special characters…you will know once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well…an iPhone version is being worked on. So here you go…max password lengths for the major social media sites:

Twitter
None. I tried a 500 character password with everything but white spaces and it worked.

Facebook
None. I tried a 1000 character password with everything but white spaces and it worked.

MySpace
10 characters! Wow…really bad. Now I know another reason MySpace sucks.

LinkedIn
16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password larger than 16 characters it will only use the first 16, you can actually see this when entering in a password. No user notification, no info about this in the ‘help’ section. Sneaky and evil.

YouTube
None. Your account is tied to your Google account so is kind of a pain to change…but I didn’t find any issues with length or complexity.

On another note…I wonder if Twitter and Facebook truncate the passwords at a certain length and don’t tell you? Not sure…but it would be interesting to find out. This is another bad design as they could easily just hash the entire password (which is a certain manageable length) and the hash is stored in the database not the large character password. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password because when you try to login with an overly complex password…you get denied! Then you enter the cycle of doom…resetting your password thinking you fat fingered that password to begin with over and over. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand since you would have to use these passwords on mobile devices and other integrated apps. However, there are no technical limitations of just hashing the passwords to a constant length…and we all know storing passwords in a database in clear text is never a good thing.
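The point about hashing to a constant length, and the silent 16-character truncation described for LinkedIn, as an added example (not code from the original post or from any of the sites named). The two store classes, the PBKDF2 parameters and the `find_truncation` self-check are assumptions of this sketch, meant for auditing your own authentication code.

```python
import hashlib
import hmac
import os

ROUNDS = 10_000  # assumed demo value so the check runs quickly; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash the entire password; the result is 32 bytes for any input length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


class FullLengthStore:
    """Keeps only a random salt and the hash of the whole password."""

    def __init__(self):
        self._db = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, hash_password(password, salt))


class TruncatingStore(FullLengthStore):
    """Models a backend that silently keeps only the first 16 characters."""
    LIMIT = 16

    def register(self, user: str, password: str) -> None:
        super().register(user, password[: self.LIMIT])

    def login(self, user: str, password: str) -> bool:
        return super().login(user, password[: self.LIMIT])


def find_truncation(store, length: int = 64):
    """Return the silent cut-off length, or None if all `length` characters count.

    Registers a throwaway account, then binary-searches for the shortest
    prefix that still logs in when every later character is replaced.
    A cut-off longer than `length` is not detected.
    """
    password = "".join(chr(ord("a") + i % 26) for i in range(length))
    store.register("probe", password)
    lo, hi = 1, length
    while lo < hi:
        mid = (lo + hi) // 2
        if store.login("probe", password[:mid] + "#" * (length - mid)):
            hi = mid       # the tail was ignored: the cut-off is at or below mid
        else:
            lo = mid + 1   # a changed character mattered: the cut-off is above mid
    return None if lo == length else lo
```

With truncation in place, any two passwords sharing their first 16 characters are interchangeable, which is why extra length from a password manager adds nothing on such a site.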

Shouldn’t these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let’s hope MySpace and LinkedIn get better at this real soon!


Are you using strong and unique passwords? You should!

Filed under Hacking

I have been following several stories of recent targeted attacks against a few high profile security professionals. Two that I was made aware of were pdp from GNUCITIZEN and Alan Shimel from StillSecure, After All These Years. pdp had his Gmail account compromised and his entire mailbox mirrored all over BitTorrent. Alan’s was far worse with his mailbox compromised, personal info released and his blog domain hijacked. Both pdp and Alan have returned to blogging after the attacks and I commend them for making such a quick comeback.

While these types of attacks are not new…it goes to show that this can happen to anyone, even high profile security professionals. Not much is known yet on how these attacks happened but I am willing to bet that common and/or weak passwords were part of the attacks in some way. Think about all the passwords you have…do you have the same one for everything? If you are a blogger or manage a web site think about the last time you changed the password you use for your domain registration (yeah..that was a long time ago right?)! Add to the fact that these passwords may not be very complex and you have a potentially dangerous situation.

Close to two years ago I started using a password manager and it has been one of the best things I have done to help sort out the password mess. Password managers are great…but you can still get lazy. We all have the lazy bug…especially with online forums and web sites. One idea that I learned to help combat this was to have a “throw away” password that you can easily remember (yet still somewhat complex) for things on the web that you wouldn’t care if they were compromised. Everything else…use the password manager and make sure you use a long (> 20 character) randomly generated password for each application. Keep in mind that 20 characters may be too long for certain web sites or applications. Case in point…LinkedIn has a limitation of 16 (I found this out the hard way). Sure, it’s a pain in the ass to use a password manager but in the end…it’s well worth the extra work.

So what password manager to use? I did a few posts a long time ago about two of them. However, over the years I have migrated everything over to KeePass and KeePassX (for OS X). Since I use multiple computers with different OS’s (and a Blackberry)…KeePass is the only one that I found that can be easily used on multiple platforms. There are also a TON of great plugins. Add to the fact that it’s free…it’s tough to find a more robust solution.

So yes, go for it! These targeted attacks should remind you that it’s a good time to change those passwords to something complex and unique. Don’t forget to use a password manager to help you out!
