octreeblog

As if information security isn’t hard enough already to deter the cyber-criminal – hell bent on stealing our critical data, our bank and credit card details, our intellectual property and client information – it seems that to encourage users to apply some degree of complexity (or should that read common sense?) to their password selection is a whole different ball game altogether, despite the warnings.

A study to find the top 25 leaked passwords of 2012 has revealed too many people are still using “password”, “123456″ and “12345678″ for their login credentials. The table was compiled from plain-text passwords and weak unsalted password hashes lifted from compromised databases and dumped online by Anonymous hacktivists and other miscreants. The new entries in this year’s list of common passwords are “welcome”, “jesus”, “ninja”, “mustang” and “password1″.

This year the dataset was boosted by several high-profile password security breaches at major websites including Yahoo!, LinkedIn, eHarmony and Last.fm.

Here’s the table of the top 25 most common leaked web passwords, with the change in position from last year in brackets:

1. password (unchanged)
2. 123456 (unchanged)
3. 12345678 (unchanged)
4. abc123 (up one)
5. qwerty (down one)
6. monkey (unchanged)
7. letmein (up one)
8. dragon (up two)
9. 111111 (up three)
10. baseball (up one)
11. iloveyou (up two)
12. trustno1 (down three)
13. 1234567 (down six)
14. sunshine (up one)
15. master (down one)
16. 123123 (up four)
17. welcome (new entry!)
18. shadow (up one)
19. ashley (down three)
20. football (up five)
21. jesus (new entry!)
22. michael (up two)
23. ninja (new entry!)
24. mustang (new entry!)
25. password1 (new entry!)

The roundup, produced by password app biz SplashData, put “123456″ in the number two slot for 2012; the same sequence was used by 37 per cent of all user accounts at the Anonymous-hacked Greek finance ministry.

This really is the first rung of the security ladder to climb. So what is a secure password? Opinions vary, however at least choose a word or phrase hard to guess but easy to remember. Here’s Bruce Schneier’s advice (and he knows a thing or two about security) so why not follow it?

• DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven’t visited in long time. Don’t reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.

• DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward.

• No matter how much you may trust your friends or colleagues, you can’t trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.

• DON’T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don’t use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.

• DON’T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.

• DON’T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.

• DON’T use the “remember me” or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.

• DON’T enter passwords on a computer you don’t control — such as a friend’s computer — because you don’t know what spyware or keyloggers might be on that machine.

• DON’T access password-protected accounts over open Wi-Fi networks — or any other network you don’t trust — unless the site is secured via https. Use a VPN if you travel a lot. (See Ian “Gizmo” Richards’ Dec. 11, 2008, Best Software column, “Connect safely over open Wi-Fi networks,” for Wi-Fi security tips.)

• DON’T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.

Still, some people haven’t caught on to that yet. Kaspersky Labs lists six of the worst ideas for creating passwords.

• Simple, successive: It might be easy for you to remember ‘123456,’ or ‘qwerty,’ but guess what: Anyone who has ever seen a keyboard will be in your email in about 30 seconds. Making your password the same as, or related to, your login is also a serious mistake. Remember, when it comes to creating passwords, simplicity is bad, and complexity is your friend.

• The name of a loved one: You might love your mom to pieces, but using her name as the key to all things dear to you is easy pickings for an attacker. Your favorite niece’s name or your dog’s name isn’t any better, especially when that information might be posted on your Facebook page for all to see.

• Getting cute: Yes, the goal of a password is to keep people out. But using that theme as your password – ‘password,’ ‘keepout,’ ‘letmein,’ ‘stayaway’ – will have exactly the opposite result of what you’re looking for.

• Cool words: Some words are cool and easy to remember. That also means that they aren’t just always on the tip of your tongue – they’re on the tip of hackers’ tongues too. Stay away from words like ‘dragon,’ ‘mustang’ and ‘ninja.’

• Sports!: Everybody loves sports, right? Well, hackers do too. If you’re inclined to pick your favorite sport as your password – don’t. Words like ‘football,’ ‘baseball,’ or ‘soccer’ aren’t worth the digital pixels that created them.

• Simple fixes: Taking passwords that are simple and adding the slightest of curveballs won’t work either. Just because you added a numeral or an exclamation mark – ‘passw0rd,’ ‘basebalL’ ‘mother!’ – to your easily decodable entry key doesn’t mean your accounts are secure. They aren’t. It’s important to mix lower case letters, upper case letters, numerals and special characters into your password, but don’t be predictable about it.

What you can do: Develop complex passwords with a mix of lower and upper case letters, numbers and special characters and ensure you use a different password for each site, according to Dmitry Bestuzhev, a Kaspersky Lab researcher. “Remember, you can’t stop your service provider being hacked, but you can avoid a bigger disaster when all of your accounts get compromised at once just because you used the same password,” he said.

Take heed, and Happy New Year!

I wanted to share with you an article I came across recently written by a fellow Certified Security Professional, Corey Nachreiner of Watchguard, which was published in the UK’s Business Computing World. It reinforces everything I have been saying to small business owners, particularly those in the professional industries who have an awful lot more to lose than a few sales records. I’m pretty certain I don’t need to remind all of you of the potential penalties for Data Protection breaches (up to £500,000), as well as unlimited penalties imposed by your regulatory body. Yet few organisations seem to take these threats seriously. I had an accountant recently argue that most of the research carried out into threats, vulnerabilities and breach disclosure is pure hype and should not be heeded. I told him I let someone else do my books…………………

Anyway, I hope the sensible majority of you take note.

All too often SMEs plan their IT security under the misconception that their networks and data are already pretty safe because they don’t have anything that would interest cyber attackers. Surely, organized criminals or “hackivists” are going to be far more interested in going for the big targets that we read about in the news all the time such as Sony, HMRC, Subway and the University of Cambridge?

But the truth is that in recent years, cyber attackers have increased their focus on compromising small and medium enterprises (SMEs). A recent PwC report on security breaches showed that 76% of small businesses in the UK suffered a breach last year, with the average cost of their worst incident coming in at £15-30k.

There are two main classes of attack. First, the automated opportunistic attack, where a wide net is cast using mass emails, automated SQL injection, or automated network attacks to trap any victim. Everyone is the target of this attack – it’s just a numbers game. The second are specifically targeted attacks where a single organization or group of organizations is targeted, such as a group of companies in the same vertical market or public sector departments.

These attacks will usually consist of very targeted ‘spear-phishing’ emails attempting to lure victims to a malware site. What SMEs don’t realize is that attackers have been opportunistically going after them for years, but now they are increasingly targeting them more specifically.

It is clear that SMEs have been victims of the first type of attack for years now, whether they know it or not. Bot herders use automated techniques to try to ‘zombie-fy’ as many Internet connected victims as possible, without caring who they are, and they often end up infecting hundreds of small businesses this way. They then use these bot-infected SME machines as a stepping stone to gain control of the network and its sensitive, often valuable, data.

In its 2011 Data Breach Report, Verizon noted that although the number of stolen records may have dropped in 2011, the number of breeches actually increased over 5-fold, suggesting that the attacks were affecting smaller organizations.

However, it is the more recent increase in targeted attacks on SMEs that is even more concerning. Recently, my company has seen an increase in more targeted phishing emails that focus on very specific SME organizations. For instance, one recent email appeared to come from ADP, a company that helps SME manage payroll, among other things.

This spear-phishing email was designed to target accounting and HR people, with the aim of gaining access to payroll systems. Other research organizations and experts are also seeing the rise in targeted attacks against SMEs. Recently, Symantec released its latest Security Intelligence Report for 2012, which confirmed that targeted attacks against SMEs doubled during the first half of the year.

Why target SMEs?

There are a number of reasons why attackers might want to focus on SMEs. Certainly, in general an SME will have weaker defences than a larger organization. This is in a large part due to the fact most SMEs still don’t think attackers target them, despite evidence to the contrary. A study done by The Hanford found that 85% of small business owners think a data breach is unlikely; thus they often don’t implement simple security controls. In the last few years, larger enterprises have been hammered with some big and very public breaches, and as a result, have beefed up their defences, making SMEs a much easier target.

An attack on an SME may even be just the gateway to bigger targets. Small and large businesses will often have many partners and these partners in turn will also have partnerships and connections with other, perhaps even smaller, companies. Attackers know they may not be able to storm the well-protected “castle,” but if they can get into one of the “guard’s” houses, they can use that to sneak in through a backdoor, metaphorically speaking.

SME breaches are also likely to pose less risk to the attacker. If you try to attack and steal millions from Google, you will quickly get onto the authority’s radar. However, if you attack small, lesser-known businesses and only steal a few thousand at a time, it may not even get reported. If you use automation to repeat this small theft many times, you can still make millions.

Finally, SMEs will still have very valuable information including customer financial data or commercially sensitive IP information. Don’t think anonymity protects you. If you are a small business, you are still a target.

New generation of phishing

SMEs need to be aware that the most common attacks impacting small businesses at the moment are well-crafted and targeted spear-phishing campaigns, which link to drive-by download sites. These targeted phishing campaigns have three things going for them:

• They are well-crafted compared to malicious emails of the past. They often look very legitimate and don’t have all the spelling and grammar mistakes old phishing emails had. Sometimes they will even inject HTML content from the company they are masquerading, to make them look very legitimate
• They target a very specific group or individual. By writing them specifically for a certain target at the organisation, that individual is more likely to interact with the message
• They contain a web link rather than an attachment. While even small business employees realize they should be careful with email attachments, many users still don’t realize that attackers can hijack your computer from a malicious website. They feel safe clicking web links in emails, making this far more effective than having an attachment.

Protection for the SME

There is no silver bullet to keep safe from cyber-attacks, but defence is not as hard or as expensive as some SMEs assume. The only real way to protect yourself is to implement ‘Defence in Depth.’ This is the act of layering multiple security controls together to give the enterprise the best chance of protecting itself from the many types of attacks hackers leverage.

Unfortunately, today’s threat is very much blended; the hook may arrive via email, IM, or a social network, but the true attack may happen over the web. Then, the follow-up attacks in your network may happen over a number of network services. So you need different security controls like a next-generation firewall, IPS, antivirus, reputational services, and so on, to protect yourself from various aspects of these attacks.

Don’t let your small size lure you into a false sense of security. Instead, leverage today’s technology to implement many layers of defence, and keep yourself out of tomorrow’s cyber-attack headlines. 

I am always interested to hear what precautionary measures you guys are putting in place. Security does not need to cost the earth, and convenience is no excuse for poor security.

Once again a public sector organisation has fallen foul of the Information Commissioner and received a hefty monetary penalty for Data Protection Act breaches.

The UK regulator has fined Greater Manchester Police after officers were found to be regularly using unencrypted memory sticks to store personal data. The poor data security practices came to the ICO’s attention following the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which also had no password protection, contained details of more than a thousand people with links to serious crime investigations. Despite similar security breaches in the past, the police force had not put restrictions on downloading information and staff were not sufficiently trained in data protection. The police force paid £120,000 because it took advantage of an early payment discount.

The reason for my post today is not to castigate the Chief Constable of Greater Manchester Police for ineffective security policy – that ignominy has already been suffered – but to highlight the dangers to every organisation, large or small, who may have to comply with the Data Protection Act, and the risks of negligence. Ask yourself if you hold a Data Protection license, and why.

If you are the data controller – defined in section 1 of the Act as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed” – you can be held liable should you suffer a data breach which potentially exposes personally identifiable information (PII). This can also be defined as “information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual”. That liability can extend to £500,000.

You need to review your policies and procedures – are they really adequate? You also need to consider whether or not you have taken the necessary technological measures to protect that data. Portable devices including laptops and memory sticks have to be encrypted.  Ignorance is no excuse – if the Data Controller “knew or ought to have known there was a risk of the contravention occurring, or that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention” the penalties are significant, and possibly threatening to the future of the business.

This is not just a big business or public sector legislature. It applies to all of us, potentially.

Don’t get caught out. It doesn’t cost the earth to protect yourself, or the interests of innocent others.