More than 90% of passwords are vulnerable to hacks

May 2, 2013 – 7:18 PM

Even passwords considered “strong” by IT departments are often now vulnerable to hacking,  according to professional services firm Deloitte. In Deloitte’s Technology, Media and Telecommunications Predictions 2013, the firm predicts that 90% of user generated passwords will be vulnerable to hacking this year.

Deloitte says that the weakness inherent in current password systems could result in billions of dollars of losses, and damage to the reputation of companies compromised in attacks.

“This is due to factors such as password re-use, advances in hardware and software used to crack passwords, and non-random distribution of characters,” says Deloitte in its report. “As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication.”

Deloitte’s report says that advances in computer technology have made eight-character passwords easier to crack by “brute force” methods – and points to the use of “crowd hacking” as another threat.

But the main problem is users themselves, according to the report. Habits such as choosing simpler passwords for entry on mobile devices has meant that many passwords remain insecure.

Source:
http://www.welivesecurity.com/2013/05/02/more-than-90-of-passwords-are-vulnerable-to-hacks-warns-deloitte-even-strong-ones/

What’s in a Password?

April 30, 2013 – 5:12 AM

Nearly every week now we can read about a data breach case somewhere, where millions of user accounts and potential other sensitive data has been compromised. Most people are not even shocked by such news anymore, as it is starting to become humdrum.

One of the most common attacks used in such breaches is an SQL injection. This attack has ranked first place on OWASPs Top 10 faults in Web applications for many years. There are several well-known methods to prevent SQL injections, but unfortunately it is still often encountered in productive sites. Furthermore, mis-configured Web servers and vulnerabilities in remote management tools can allow attackers to gain access to systems and read potentially sensitive files.

There has long been a heated discussion about how best to store passwords and that discussion is still ongoing. Most people agree that storing passwords in clear text in a database is not a good idea. Although sadly it is still done in a lot of places, usually with the excuse of “no one has read access to the database, so what could possibly go wrong?” As history has repeatedly shown, this argument does not hold true for long.

As a user, you normally do not know how your passwords are stored on a service. One enlightening trick can be to use the password reset function. Some services will send you an email with your password in clear text, which obviously means that they store it in clear text to begin with. If in doubt, you can send the service an enquiry, but most will probably just assure you that they are using state of the art cryptography to protect your password, which does not tell you much.

But the keyword is correct, as most systems have started to use cryptographical one-way functions; so-called hash functions like MD5 or SHA1 are being used to store passwords. Note that these are not password functions, but rather functions that are normally used for creating message digests. By using them on the password and only storing the hash value, the problem of clear text passwords disappears. Unfortunately, attackers can create “rainbow tables”, with pre-computed pairs of passwords and corresponding hash values. With today’s cloud services, generating rainbow tables does not take too long and the combination values can easily be stored. Such a set up would allow a simple lookup to break all common passwords within seconds.

Source:
http://www.symantec.com/connect/blogs/what-s-password

Attack hitting Apache websites is invisible to the naked eye

April 29, 2013 – 5:20 PM

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.

“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on their with your standard tool sets and destroy the evidence.”

Linux/Cdorked.A leaves no traces of the hosts it has infected on hard drives. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren’t logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.

Source:
http://arstechnica.com/security/2013/04/admin-beware-attack-hitting-apache-websites-is-invisible-to-the-naked-eye/

Researchers investigate Adobe vulnerability that enables a PDF to be tracked

April 29, 2013 – 5:14 PM

Security firm McAfee said it has spotted a vulnerability in the latest version of Adobe Reader that would allow someone to track a PDF document.

The flaw, which is being exploited in the wild, affects all versions of Reader, including the most recent, 11.0.2. While the hole does not enable remote code execution – the most serious outcome a vulnerability can have – it can permit a sender “to see when and where the PDF is opened,” McAfee researcher Haifei Li wrote in a Friday blog post.

And researchers haven’t ruled out whether the flaw is being used as part of an advanced persistent threat (APT)-style attack.

“Is this a serious problem?” Li wrote. “No, we don’t want to overvalue the issue. However, we do consider this issue a security vulnerability. Considering this, we have reported the issue to Adobe and we are waiting for their confirmation and a future patch.”

Li said McAfee is aware of the issue being actively leveraged. It has spotted a number of PDF samples sent by an email tracking service provider. Researchers, however, are unsure if this was done with malicious intentions.

Source:
http://www.scmagazine.com/researchers-investigate-adobe-vulnerability-that-enables-a-pdf-to-be-tracked/article/291076/

VirusTotal now offers PCAP analysis

April 28, 2013 – 8:55 AM

VirusTotal is a greedy creature, one of its gluttonous wishes is to be able to understand and characterize all the races it encounters, it already understood the insurgent collective of Portable Executables, the greenish creatures known as Android APKs, the talkative PDF civilization, etc. as of today it also figures out PCAPs, a rare group of individuals obsessed with recording everything they see.

PCAP files contain network packet data created during a live network capture, often used for packet sniffing and analyzing data network characteristics. In the malware research field PCAPs are often used to:

  • Record malware network communication when executed in sandboxed environments.
  • Record honeyclient browser exploitation traces.
  • Log network activity seen by network appliances and IDS.
  • etc.

We have seen that many users send their PCAPs to VirusTotal, these PCAPs often contain HTTP flows whereby a trojan is downloaded, recording worm scanning sweeps, logging exploits being delivered to a honeymonkey, etc. We want to help those users submitting PCAPs to VirusTotal and improve their research, that is why we have introduced PCAP analysis.

Source:
http://blog.virustotal.com/2013/04/virustotal-pcap-analyzer.html