Sony password analysis

The upside of big data breaches involving passwords is that it gives us Security Pros an understanding of what users are actually doing when they're selecting their passwords. The cynic in me thinks that we can spend time trying to educate employees, family, friends and neighbours into using strong passwords and changing them frequently - and they'll nod and smile and agree it is important...and then go back to using 'abc123' on their Internet banking.
I've blogged before on past analysis into exposed passwords, and now with the recent Sony breach Troy Hunt has posted an analysis of 37,000 of the exposed Sony passwords. Does it contain anything groundbreaking? It's a good bit of analysis that pretty much confirms what my inner cynic suspected - half of the passwords had only one character type (with 90% of these being lowercase only) and 45% of the passwords were numbers only. Only 4% of the passwords analyzed were what is commonly considered 'strong' passwords.

One of the nice things Troy did with his analysis was compare the uniqueness of the passwords across the different Sony databases exposed - a luxury one usually doesn't have when examining breached passwords - 92% of passwords were identical for the 2,000 accounts that had the same email address. Troy even managed to cross reference these accounts against the Gawker data breach and found that, of the 88 accounts common to both, 67% were the same.
Oh and '123456' and 'password' were once again in the top few passwords used.
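As an added illustration of the kind of analysis described above (this is not Troy's code or data), the following Python script classifies a constructed sample of passwords by character class, counts the 'strong' ones, and checks password reuse for accounts that appear in two dumps; the sample rows and the 8-character/three-class strength rule are assumptions made here.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample "breach dumps" of (email, password) rows from two
# hypothetical databases. Made-up values, not data from any real breach.
DB_A = [("a@example.com", "123456"), ("b@example.com", "password"),
        ("c@example.com", "Tr0ub4dor&3"), ("d@example.com", "letmein"),
        ("e@example.com", "000000"), ("f@example.com", "Summer2011!")]
DB_B = [("a@example.com", "123456"), ("b@example.com", "password1"),
        ("c@example.com", "Tr0ub4dor&3"), ("g@example.com", "qwerty")]

CLASSES = {"lower": re.compile(r"[a-z]"), "upper": re.compile(r"[A-Z]"),
           "digit": re.compile(r"[0-9]"), "symbol": re.compile(r"[^A-Za-z0-9]")}

def char_classes(pw: str) -> List[str]:
    """Names of the character classes that appear in the password."""
    return [name for name, rx in CLASSES.items() if rx.search(pw)]

def is_strong(pw: str) -> bool:
    """Assumed rule: 'strong' means 8+ characters drawing on 3+ classes."""
    return len(pw) >= 8 and len(char_classes(pw)) >= 3

def composition_stats(passwords: List[str]) -> Dict[str, float]:
    """Percentages mirroring the categories quoted from the analysis."""
    n = len(passwords)
    one_class = [p for p in passwords if len(char_classes(p)) == 1]
    lower_only = [p for p in one_class if char_classes(p) == ["lower"]]
    digits_only = [p for p in passwords if char_classes(p) == ["digit"]]
    return {
        "one_class_pct": 100.0 * len(one_class) / n,
        "lower_only_of_one_class_pct":
            100.0 * len(lower_only) / len(one_class) if one_class else 0.0,
        "digits_only_pct": 100.0 * len(digits_only) / n,
        "strong_pct": 100.0 * sum(is_strong(p) for p in passwords) / n,
    }

def reuse_across_dumps(a, b) -> Tuple[int, int]:
    """(accounts present in both dumps, how many reused the same password)."""
    pw_a = dict(a)
    common = [(email, pw) for email, pw in b if email in pw_a]
    same = sum(1 for email, pw in common if pw_a[email] == pw)
    return len(common), same

def top_passwords(passwords: List[str], k: int = 3):
    """Most frequently chosen passwords, e.g. the '123456' / 'password' crowd."""
    return Counter(passwords).most_common(k)

if __name__ == "__main__":
    print(composition_stats([pw for _, pw in DB_A]))
    print(reuse_across_dumps(DB_A, DB_B), top_passwords([pw for _, pw in DB_A + DB_B]))
```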

In other Sony-related news - did Sony really sack a bunch of Security staff just before the data breach? That adds a new wrinkle to this most newsworthy of all breaches this year. I haven't seen it suggested, but could a disgruntled ex-employee have played a part?

Intrusion Mitigation

The Defence Signals Directorate (DSD) in Australia has released a document called "Strategies to Mitigate Targeted Cyber Intrusions" [pdf] that lists the top 35 recommended intrusion mitigations, ranked by effectiveness, user resistance and cost. It's an interesting little 2-pager that is worth reviewing. There was a version released in 2010 as well [pdf].

Fake Apple Store

A whole new level of phishing...even the employees are fooled!

Lazy Auditors?

SC Magazine has an article entitled "Lazy auditors lay Australia's security bare" that extensively quotes fellow CSU alumnus Craig Wright. Good article, but the blame can hardly be left solely at the feet of the auditors. Networking equipment is routinely forgotten when audits, vulnerability assessments or even risk assessments are conducted. The focus is often on the database server or the client workstation and commonly overlooks the equipment that allows these devices to communicate. Networking equipment is often hidden away in comms cupboards or deemed 'too risky' to patch or update.

The auditors can however take more blame for the whole 'checkbox compliance' attitude - I know I've sat through audits from major auditors that were little more than a joke, conducted by (often junior) auditors who had little idea of the meaning of the questions they were asking. If this is combined with management that are happy to see a box checked rather than try and understand the details (such as the scope and depth of the audit, the experience of the auditor, the real gaps and risks, etc.) - in a fashion most would never do for a financial audit - then the problem is multiplied.

Does your organization's patch policy include these often forgotten items such as its networking equipment? Have your auditors assessed them? Do they even know what they are or how these devices (if not properly managed) are a risk to the organization?

Hacker or Hackee

Two recent events have thrown the real potential impact of 'hacking' into a different light. The first was the attack on Australian domain name registrar and hosting provider Distribute.IT, who were attacked back in March by hackers who thoroughly trashed servers and destroyed data. Customers suffered an extended outage and much of the lost data proved unrecoverable (we'll leave any arguments about good data backup practices for the time being). The attack was so malicious and targeted that insider or disgruntled ex-employee involvement is suspected. The attack was so devastating that Distribute.IT was sold for a song, effectively closing the doors for the original business entity. This is one of the few examples I can recall of a company being forced out of business because of a hacking attack - something that certainly didn't occur to TJ Maxx, Sony or RSA - despite any financial loss and reputational damage.

The other event is interesting because it offers the opposite perspective. Rupert Murdoch has closed the 'News of the World' tabloid newspaper in the UK in the wake of a hacking scandal - but this time the company weren't the victims but the perpetrators of the attacks, hacking into voicemail message systems in order to get the latest scoop to feed the insatiable appetite of Joe Public for more juicy gossip.
Despite the outrage, 'no tech hacking' - such as dumpster diving or social engineering (known as 'blagging') - has long been a staple of tabloid journalists - posing as hospital staff to photograph celebrity operations or even going undercover as a staff member at Buckingham Palace. Somehow the latest antics have crossed a line (from the gutter to the sewer, as a former British PM remarked) that has resulted in the closure of the News of the World (the self-proclaimed 'world's greatest newspaper') after 168 years.

Two wildly different hacking events, same outcome: out of business...

More data loss

The Sydney Morning Herald has this story today about the loss (apparently on a USB stick) of the blueprints for the new headquarters of the German foreign intelligence service. What hope do we have?

Blue Coat Mid-year Security Report

Blue Coat security have released their mid-year security report [pdf].
From the report:

The majority of web threats are now delivered from trusted and popular web sites that have been hacked for use by cybercrime. For this reason, reputation defenses become less effective...

... Search engine poisoning (SEP) ranks as the number one web threat delivery method at this point in the year. To be more specific, image searches have passed text searches and are now the top vector for malware delivery....

...From a user agent perspective, some Mac users are searching for pirated goods and images and falling into known malware delivery vectors. While exploit kits today focus on Windows users, many Mac users have their noses pressed against the glass of cybercrime. When cybercrime’s focus switches to the Mac, these users will be lined up like lambs....
It's short, but worth a read.

Perhaps it's the ex-Fine Arts student in me, but I'm always interested in data visualization, especially that which is able to describe complex data ideas in an easy-to-digest fashion. I came across this article on some unusual resume ideas which fits into that category.

I also picked up this book recently, so hopefully it will also offer some more interesting ideas on how to visually present security (and other complex) topics.

Edit: I also just came across this book, which looks like it might be worth picking up. In the same series the book Beautiful Security was very good, and Richard assures me that Beautiful Code was also well worth a read.

Passwords, Passcodes, PINs

I recently came across an interesting article about PIN codes on iOS devices where an app developer pulled the login PIN numbers for his app to do some statistical analysis.

His findings are far from encouraging - or surprising - with (you guessed it!) '1234' taking the top spot, followed by '0000' (seriously...why bother with a passcode at all?).

This is pretty much in line with what I've blogged before about passwords. Of course if Mrs Shepherd-Barron hadn't gotten her way, the most popular PIN would probably match the most popular password...'123456'!

On passwords, a developer has taken all the recently exposed accounts and provided a nice web interface to allow you to see if your password may have been exposed. If you're worried, run your login ID through the checker and see. The site doesn't ask for passwords, but considering many site usernames are email addresses - use it at your own risk!

On better Security news, the DSD (an Australian Government three-letter Agency) has released a preliminary guide to hardening iOS [pdf]. A more in-depth guide is expected in September 2011.
