Tag Archives: passwords

[ISN] Small-time security threats bigger concern

http://www.autonews.com/article/20150309/FINANCE_AND_INSURANCE/303099941/small-time-security-threats-bigger-concern
By David Barkholz
Automotive News
March 9, 2015

The biggest threats to a dealership’s data aren’t Russian hackers breaking through electronic firewalls or robots trying a thousand passwords on security codes until they finally crack into the system. It’s more likely the mundane stuff that will cause a breach that enables personal consumer data to slip out of the store, said Brad Miller, director of legal and regulatory affairs for the National Automobile Dealers Association.

Watch out, he said, for laptops that may contain sensitive files being stolen out of cars. A thumb drive that contains code capable of capturing passwords or data can be plugged into the laptop.

Also, software vendors long ago dropped by a dealership may retain active pass codes that enable data to be taken from the dealership, unbeknownst to store employees, Miller said. Or pirates may send dealership employees a “phishing” email hoping to fool one into giving out information or a password that opens the system to the thieves.

[…]


[ISN] Uber’s epic DB blunder is hardly an exception. GitHub is awash in passwords

http://arstechnica.com/security/2015/03/ubers-epic-db-blunder-is-hardly-an-exception-github-is-awash-in-passwords/
By Dan Goodin
Ars Technica
March 4, 2015

Recent revelations that Uber stored a sensitive database key on a publicly accessible GitHub page generated its share of amazement and outrage. Some Ars readers called for the immediate termination of the employees responsible or for the enactment of new legal penalties for similar blunders in the future. Left out of the discussion was a point Ars first tried to drive home more than two years ago. To wit, GitHub and other public code repositories are awash with personal credentials posted by tens of thousands, or possibly even millions, of people, some of whom work for extremely sensitive organizations.

A case in point is GitHub entries that appear to include everything needed to log into many Secure File Transfer Protocol accounts. One GitHub search revealed almost 269,000 entries like the one pictured above, showing the domain name or IP address, username, and password needed to log in to each account. Similar searches generated almost two million entries for WordPress accounts.

A quick scan of the results shows that many of them represent no security threat at all, since the password fields are blank or the credentials belong to non-existent accounts or accounts that are accessible only to users already connected to the local network. But a mind-numbingly large percentage of the results appear to provide credentials for accounts on production servers. Whether the percentage is 33, 25, or even 10, it’s way too high. It wouldn’t be surprising if many of the credentials offered shell accounts that ran with highly privileged administrator rights. To protect the careless, this post won’t reveal the specific search terms used, even though they are extremely easy for readers to figure out on their own or to find on Twitter, in blog posts, or in other venues.

[…]


[ISN] The tooth gnashing you hear is from Flash users installing a new 0day patch

http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/
By Dan Goodin
Ars Technica
Jan 26 2015

Adobe Systems is once again rolling out an emergency Flash update that patches a critical vulnerability under active attack to compromise the computers of unsuspecting users.

The latest Flash versions fix a remote code-execution bug that, as Ars reported last week, recently came under attack in the Angler exploit kit. Malware purveyors and other types of online crooks use such kits to seed compromised websites with attack code. Once people visit the sites with vulnerable computers, the booby-trapped pages surreptitiously exploit the vulnerabilities and install backdoors that can be used to log keystrokes, steal passwords, and install new pieces of malware at will.

An advisory Adobe published late last week warned that the bug resides in versions running on Windows, Macs, and Linux systems. So far, reports suggest that in-the-wild exploits are limited only to Windows systems. The vulnerability stems from a so-called use-after-free bug that allows attackers to corrupt the memory of affected computers. Trend Micro has additional technical details here.

“A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh,” the Adobe advisory stated. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.”

[…]


[ISN] Yes, 123456 is the most common password, but here’s why that’s misleading

http://arstechnica.com/security/2015/01/yes-123456-is-the-most-common-password-but-heres-why-thats-misleading/
By Mark Burnett
Ars Technica
Jan 22, 2015

I recently worked with SplashData to compile its 2014 Worst Passwords List, and yes, 123456 tops the list. In the data set of 3.3 million passwords I used for SplashData, almost 20,000 of those were in fact 123456. But how often do you genuinely see people using that, or the second most common password, password, in real life? Are people still really that careless with their passwords?

While 123456 is absolutely the most common password, that statistic is a bit misleading. Although 0.6 percent of all users on my list used it, it’s important to remember that 99.4 percent of the users on my list didn’t. What is noteworthy here is that while the top passwords are still the top passwords, the number of people using those passwords has dramatically decreased. In 2011, my analysis showed that 8.5 percent had the passwords password or 123456, but this year that number has gone down to less than one percent. This is huge.

The fact is that the top passwords are always going to be the top passwords, it’s just that the percentage of users actually using those will—at least we hope—continually get smaller. This year, for example, a hacker using the top 10 password list would statistically be able to guess 16 out of 1,000 passwords.

Getting a true picture of user passwords is surprisingly difficult. Even though password is #2 on the list, I don’t know if I have seen someone actually use that password for years. Part of the problem is how we collect and analyze password data. Because we typically can’t just go to some company and ask for all their user passwords, we have to go with the data that is available to us. And that data has problems.

[…]


[ISN] Cyber warfare: Capitol staffers aren’t ready

http://www.politico.com/story/2015/01/cyber-warfare-capitol-114383.html
By TAL KOPAN
Politico.com
1/19/15

Congressional staffers are the gateway to all lawmaking on the Hill, but they also may be unwittingly opening the door to hackers.

The Hill’s networks are under constant attack. In 2013 alone, the Senate Sergeant at Arms’ office said it investigated 500 potential examples of malicious software, some from sophisticated attackers and others from low-level scammers. And that’s just the serious cases — in a different measurement, the House IT security office said in 2012 it blocked 16.5 million “intrusion attempts” on its networks.

But the thousands of men and women who keep Congress running every day are committing the basic cybersecurity mistakes that attackers can exploit to do harm — like in the CENTCOM social media hack or crippling breach of Sony Pictures Entertainment.

POLITICO interviews with nearly a dozen current and former staffers, as well as congressional IT security staff, reveal a typical array of poor cyber habits. Most of the staffers interviewed had emailed security passwords to a colleague or to themselves for convenience. Plenty of offices stored a list of passwords for communal accounts like social media in a shared drive or Google doc. Most said they individually didn’t think about cybersecurity on a regular basis, despite each one working in an office that dealt with cyber or technology issues. Most kept their personal email open throughout the day. Some were able to download software from the Internet onto their computers. Few could remember any kind of IT security training, and if they did, it wasn’t taken seriously.

[…]


[ISN] Free tool automates phishing attacks for Wi-Fi passwords

http://www.csoonline.com/article/2863402/identity-access/free-tool-automates-phishing-attacks-for-wifi-passwords.html
By Lucian Constantin
IDG News Service
Jan 5, 2015

A new open-source tool can be used to launch phishing attacks against users of wireless networks in order to steal their Wi-Fi access keys.

Gaining access to a WPA-protected Wi-Fi network can be extremely valuable for attackers because it puts them behind the firewall, in what is generally a high-trust zone. This allows them to mount man-in-the-middle attacks against the network’s users to steal sensitive data and authentication cookies from unencrypted traffic.

A common method of breaking into wireless networks that use the WPA2 (Wi-Fi Protected Access II) security protocol is to set up a rogue access point that mimics the real one


[ISN] Morgan Stanley: An employee stole partial client data

http://www.cnbc.com/id/102292464
By Everett Rosenfeld, Jeff Cox, Mary Thompson
CNBC.com
Jan 5, 2015

Morgan Stanley said Monday that it terminated an employee for stealing wealth management data from up to 10 percent of its clients, or about 350,000 people.

The bank said there is thus far “no evidence of any economic loss” for its clients. Still, data for about 900 clients—including account names and numbers—were briefly posted online, the firm said.

Morgan Stanley is the second-largest wealth manager in the country and the sixth-largest holding company, with assets of $814.5 billion.

The company said the information did not include Social Security numbers or passwords.

“Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident,” the company said in a release.

[…]


[ISN] ICANN HACKED: Intruders poke around global DNS innards

http://www.theregister.co.uk/2014/12/17/icann_hacked_admin_access_to_zone_files/
By Kieren McCarthy
The Register
17 Dec 2014

Domain-name overseer ICANN has been hacked and its DNS zone database compromised, the organization has said.

Attackers sent staff spoofed emails appearing to come from icann.org. The organization notes it was a “spear phishing” attack, suggesting employees clicked on a link in the messages that took them to a bogus login page – into which staff typed their usernames and passwords, providing hackers with the keys to their work email accounts. No sign of two-factor authentication, then.

“The attack resulted in the compromise of the email credentials of several ICANN staff members,” ICANN’s statement on the matter reads, noting that the attack happened in late November and was discovered a week later.

With those details, the hackers then managed to access a number of systems within ICANN, including the Centralized Zone Data System (CZDS), the wiki pages of the Governmental Advisory Committee (GAC), the domain registration Whois portal, and the organization’s blog.

[…]
