Tag Archives: Password

Data breach in South Korea hits 27 million – half the population

A data breach of staggering proportions has hit South Korea – involving 27 million people and 220 million private records – and affecting 70% of the population between the ages of 15 and 65, according to Forbes.

Sixteen hackers were arrested for the attack, which targeted registration pages and passwords for six online gaming sites – with the aim of selling game currency. South Korea has a strong online gaming culture, and people of all ages indulge in the hobby.

South Korean authorities said that the gang had stolen 220 million items of personally identifying information, with the goal of breaking into online game accounts. A 24-year-old man, surname Kim, bought these records from a Chinese hacker he met in another online game in 2011, according to the Korea JoonGang Daily.

Data breach hit 70% of adults

According to police, Kim received the 220 million personal information items, from a data breach of unknown origin, from a Chinese hacker he met in an online game in 2011. The data covered 27 million people and included names, resident registration numbers, account names and passwords.

Kim and his associates are thought to have used a hacking tool known as an “extractor” to log in to accounts and steal virtual currency and items to sell – earning in the process 400 million won ($390,919).

The Register reports that, “Kim bagged almost $400,000 by hacking six online games using the details and gave the Chinese cracker a $130,000 cut. The buyer used the creds to steal items from gaming accounts and sold off to other players.”

Hacking tool known as ‘extractor’

Police estimate that secondary damages from the data breach cost at least $2m.

When Kim’s gang could not break into accounts, they bought yet more personal information including identity cards from a cellphone retailer in Daegu, and then changed passwords to gain access.

Kim is also accused of having sold his hoard of personally identifying information to mortgage fraudsters and illegal gambling advertisers.


The post Data breach in South Korea hits 27 million – half the population appeared first on We Live Security.

PIN number: Police want codes on ALL devices

Police hope to work with leading mobile phone manufacturers such as Samsung to build in the requirement for a password or PIN number as a default into new handsets, with the British police unit responsible for phone theft wanting to “target-harden” phones.

Currently, up to 60% of phones have no form of password protection, said the National Mobile Phone Crime Unit. This not only makes it easier to resell the gadgets, but hands over personal data – including, potentially, GPS data showing the locations of homes, as well as passwords and banking details, according to The Register’s report.

DCI Bob Mahoney of the NMPCU said, “We are trying to get [PIN number systems and other codes] to be set as a default on new phones, so that when you purchase it you will physically have to switch the password off, rather than switch it on.”

The NMPCU said in a statement to Motherboard that PIN-protected phones were less valuable to thieves.

PIN number: Less valuable to thieves

“We have been talking to the industry and government. This is one of the main ideas among a range of measures we are trying to push to protect personal data. All of the industry has been engaged at all levels – and government too.”

“We have intelligence that shows a phone with personal information is worth more than other mobiles, because the thief can sell it on to anyone who can make use of that info,” the DCI said.

“On an unlocked phone, you can find a person’s home address, home telephone number, their partner’s details, diary, Facebook and Twitter account. This allows thieves to know when a target is not going to be at home or perhaps use their details to set up banking loans. They could destroy a person’s life.”

‘This can destroy lives’

We Live Security has written a guide to securing mobile devices (including tips such as ensuring screen time-outs are lowered before a PIN number is required so a thief is less likely to get access to an ‘unguarded’ handset).

PR efforts from major phone companies tend to focus on novel protection methods such as biometrics, but Get Safe Online, a government organization focused on cyber safety, said that passwords, when rolled out widely, were an effective measure. “Fingerprint recognition offers a degree of safety, but there is still no substitute for a well-devised and protected password or PIN.”

Techradar said that Samsung had been in discussion with government. Mahoney said the discussions had been underway for two years and the “idea was gaining traction.”

Mahoney said, “If you have to get into the phone to switch something on, our research indicates people are less likely to do it. The industry are very supportive.”

The post PIN number: Police want codes on ALL devices appeared first on We Live Security.

Banking security – new apps ‘know’ your touch

Everyone hates passwords – even the guy who invented them – but some bank app users in the Nordic region are experiencing a taste of a future where they might not be necessary.

Password theft – on a massive scale – has become a near-weekly happening, and biometrics have their own disadvantages – such as inaccurate scanners which won’t work when wet, as well as hacks with latex fingerprints and other such gizmos.

But customers at Danske Bank have been trialling a new “behavioral” form of identification, according to Forbes magazine. Rather than simply identifying a customer by a PIN, the app tracks the pressure and speed with which they type it in.

Banking security: Touch too much?

The theory is that even if a PIN is weak, or stolen, the thief cannot mimic the distinctive pattern of pressure the user types theirs in with.

“Eventually mobile security may no longer hinge on whether a password is long enough, but on how well the device knows the user,” ComputerWorld comments.

“We’re monitoring the small stuff,” says Neil Costigan, founder of Behaviosec. “The flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?”

‘How well the device knows you’

As a security solution, it’s low-cost (it uses sensors already present in the phone) and demands nothing of the customer. The trial has been such a success that multiple banks in Sweden, Norway and Denmark will use similar apps shortly. The app scored 99.7% session accuracy.

“Multilayered security can be achieved by combining the three pillars: something you have (i.e., the phone as a token), something you know (like your PIN), and something you are which is your physical or behavioral metrics,” says Behaviosec.

At present, Behaviosec’s technology can pick up a ‘false’ user within 20 to 60 seconds. The company said it could also have wider applications such as preventing children accessing inappropriate content on tablets.

The start-up is now investigating further behavioral tracking – such as monitoring the way in which a user picks up a smart device, using the gyroscope.

Our own daily routines could even be used as “passwords”, some researchers believe. Google’s “predictive” Google Now system already offers Android users reminders to go to work (by monitoring their movements by GPS), and to go home. Could such data be used as a “password”?

“Most people are creatures of habit – a person goes to work in the morning, perhaps with a stop at the coffee shop, but almost always using the same route. Once at work, she might remain in the general vicinity of her office building until lunch time. In the afternoon, perhaps she calls home and picks up her child from school,” says Markus Jakobsson of the Palo Alto Research Centre.

Jakobsson analyzed several techniques for identifying users via smartphone use, and found GPS to be the most reliable.

Jakobsson claims that by combining techniques, it’s possible to lock out up to 95% of adversaries, even, “an informed stranger, who is aware of the existence of implicit authentication and tries to game it.”

The post Banking security – new apps ‘know’ your touch appeared first on We Live Security.

Twitter hacked – Cricket legend ‘Beefy’ Botham exposed

One of England’s greatest-ever cricketers, Sir Ian Botham, appeared to have had his official Twitter hacked yesterday as an obscene picture unexpectedly appeared on the sportsman’s feed, according to the Evening Standard.

The single post was accompanied by the message, “What are you thinking…. xx”. Botham was rapidly warned by friend and Welsh football pundit Robbie Savage that he had had his Twitter hacked: “Mate I think you’ve been hacked.”

Botham rapidly regained control of the account, and Tweeted, “I would like to thank the hacker….I’ve just got 500 hits in 20 mins !!”

Twitter hacked: ‘Beefy’

In his column in the Daily Mirror newspaper, ‘Beefy’ said, “For those of you on Twitter who may have seen a distasteful photo from my account yesterday, let me assure you it was the result of someone hacking into it. I’ve played a few jokes in my time, but this was pathetic.”

“My old mate and fellow Mirror columnist Robbie Savage was straight on to me to change my password – which I’ve done. I’ve also asked the boffins in the Sky tech department to see how I can stop it happening again.”

Veteran security writer and researcher Graham Cluley wrote, “Let’s hope that Sir Ian Botham has now properly secured his Twitter account and other social media assets more effectively. It would be terrible if future hacks would cause his fans to boycott his future tweets.

The only silver lining is that Ian Botham is now trending on Twitter.”

More followers after picture

Botham too saw the silver lining to the hack, saying, “If some keyboard warrior has nothing better to do than post silly pictures, more fool them. The only impact it has had on me bizarrely is to give me more followers – strange.”

A We Live Security guide to how and why passwords can be hacked – and how to stop it – can be found here.

The post Twitter hacked – Cricket legend ‘Beefy’ Botham exposed appeared first on We Live Security.

Russian PM has his Twitter account hacked, announces “I resign”

There may be red faces in Red Square, after Russian prime minister Dmitry Medvedev had his Twitter account hacked.

The Russian-language account @MedvedevRussia, which has more than 2.5 million followers, was compromised on Thursday by hackers who posted messages suggesting Medvedev was immediately resigning, and making criticisms of Russia’s president Vladimir Putin.

The hackers tweeted out a resignation message from the Russian PM

“I resign. I am ashamed for the actions of the government. I’m sorry.”

If such an announcement were genuine, of course, it would make headlines and raise eyebrows around the world.

But when the hackers followed up by posting messages on the account proposing the banning of electricity, and that the Russian PM would now pursue a career as a professional freelance photographer, it should have become obvious to everyone that Medvedev was no longer in control of his social media account.

According to media reports, the Twitter account was under the control of hackers for approximately 40 minutes yesterday before control was wrestled back by the PM’s office.

The only silver lining is that whoever hacked the account did not take advantage of the situation to direct some of Medvedev’s 2.5 million followers to websites which might have contained malware designed to infect their computers.

A hacker calling themselves Shaltay Boltay (“Humpty Dumpty”) has claimed responsibility for the hack. Besides the attack on Medvedev’s Twitter account, Shaltay Boltay has also in the past published internal Kremlin documents and leaked private emails from government officials.

Shaltay Boltay's Twitter account

Shaltay Boltay, who describes him or herself as a member of Anonymous on their Twitter profile, posted a message claiming that they had also managed to compromise the Gmail account and three iPhones belonging to the Russian prime minister. However, whether that is true or not is open to question.

In all likelihood, a busy chap like Dmitry Medvedev isn’t running his Twitter account on his own. Chances are that he has staff in his office who assist him with his social media presence.

And there lies the problem.

Although Twitter has introduced extra levels of protection like two-factor authentication to better protect accounts from being hijacked, it doesn’t have good systems in place that work well when more than one person is accessing and posting from a Twitter account.

It would only have taken Medvedev, or one of his staff, to have been careless with their passwords once, or to have used an easy-to-guess password, or to have used the same password elsewhere on the web, for the hackers to have found the weak point necessary to break in and seize control.

Remember – you should always be careful with your passwords. Choose passwords wisely, make sure that they are hard to crack, hard to guess and that you are not using them anywhere else online.

If you find it hard to remember your passwords (which would be understandable if you are following the advice above) use a password management program which can remember them for you, and store them securely behind one master password that you *will* remember.

And once you’re following a strong password policy, ensure that you are always careful where you are entering your passwords, that you never enter them on a third-party site that could be phishing for your credentials, and be sure not to share passwords with friends or colleagues unsafely.

The post Russian PM has his Twitter account hacked, announces “I resign” appeared first on We Live Security.

‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords

Biometrics such as fingerprints or eye-scans are touted as a replacement for the passwords and PINs we all know and hate – and Intel’s new smartphone earbuds could be the most discreet way of authenticating a user ever.

The earbuds, designed with SMS Audio, harvest heart-rate information using optics inside the ear – monitoring blood pulses and eliminating “noise” according to Business Insider.

The SMS Audio Fitness buds are built for fitness fans, but Intel plans further applications – and is vocal in its opposition to passwords. Other gadgets, such as the Bionym bracelet, already use heart-rate as an identifier: it’s more unique than fingerprints, and the SMS Audio buds could be a step towards a wearable “password” you can almost forget.

“A built-in optical sensor that continuously measures heart rate during intense exercise, states of relaxation and every moment in between – while dynamically removing noise signals caused by body motion and ambient light,” says Intel in a statement.

In the past month, We Live Security reported five major database leaks, usually of passwords.

Passwords: Let there be light?

Gizmodo reports that biometric devices have so far failed to gain widespread acceptance in part because of their bulk – whereas the SMS Audio devices charge themselves using motion, removing the need for extra batteries or chargers.

“In the wearable space, we see a lot of hype. I don’t think the market is ever going to be that big if all we have are just square cellphones taped to your wrist,” says Mike Bell, General Manager of Intel’s New Devices Group.

There are competitors which use the reading – but the Bionym bracelet relies on being charged, unlike Intel’s, which communicates directly with smartphones via the audio jack.

“It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym chief executive Martin said. “The modern research into practical systems goes back about 10 years or so. What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and turn them into a biometric template.”

For you, no charge

ESET Senior Research Fellow David Harley discusses the advantages of biometric systems in a We Live Security blog post, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

Intel said, “The complexity of keeping digital identities safe grows as mobile applications and devices become a more important part of our daily lives. Intel’s intent is to intensify our efforts dedicated to making the digital world more secure, and staying ahead of threats to private information on mobile and wearable devices.”

TechCrunch reports that “additional application support” will be added. Intel is reaching out to developers to make apps: “Intel has created an SDK called the Intel IQ Software Kits for any companies that want to use the features that Intel developed while building the circuitry inside the BioSport.”


The post ‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords appeared first on We Live Security.

2FA – are big banks failing America?

The Target breach caused real damage to millions of American card users – but big financial institutions are doing little to remedy security issues, according to the New York Times.

A report found that two-factor security was STILL not on offer at major banks such as Citibank, Capital One and for AmEx cards, when it came to online banking. Many other banks require customers to opt in.

The reason, the NYT claims, is cost – for the banks: “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

2FA: Big savings – for banks

The opinion piece, a plea for increased adoption of two-factor authentication systems, has ignited debate.

Computer World discusses whether there are any “silver bullets” for a world where passwords are stolen in industrial quantities. Some attacks, such as a recent attempt against PayPal, have tried to bypass these systems – but they are still another hurdle for gangs to clear.

The below ESET video explains what two-factor is.

Two-factor systems are far more secure than passwords – many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if a 2FA system had been in place. Even if a hacker places malware on a PC and steals a password, they are still locked out.

2FA: Why are banks failing us?

Information Week says that 2FA systems are a key part of ensuring corporate security: “Passwords are the Achilles heel of any network. Around 80% of all domain compromises carried out by our Penetration Testing team come from either a weak password being set, or a password being reused somewhere. Any company that takes its security seriously should protect privileged accounts with strong two-factor authentication (2FA).”

A recent report found that two-thirds of companies who allowed ‘working from home’ failed to provide secure access to company networks, putting private corporate information at risk.

Two-factor systems can help small businesses by allowing home working – and cutting overheads such as office space.

Bank attacks – safety tips

Both Information Age and Computer World suggested further measures – with Computer World suggesting Google Chromebooks as ideal for banking.

“Like private browsing, guest mode erases all traces of your browsing activity when you’re done, but in addition, it also starts you off with a clean slate. That is, when you logon as a Guest there are no cookies, favorites or browsing history to be discovered, stolen or manipulated,” the magazine writes.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

Many sites – including Twitter, Gmail and Dropbox – offer two-factor systems already, free, although you have to enable them yourself – it’s usually found under Settings or Privacy, and most sites walk you through the process.

It’s worth doing so if you keep any private information in such accounts – and particularly if you store sensitive business information.

Two-factor authentication makes it far more difficult – although not impossible – for cybercriminals to break into accounts on sites such as Twitter and Dropbox. At present, though, the system is “opt-in” – you have to go to settings, and add your authentication method manually.


The post 2FA – are big banks failing America? appeared first on We Live Security.