An 11-year-old girl from New York has set up her own business selling cryptographically secure passwords, using a technique known as diceware.
The post 11-year-old sets up cryptographically secure password business appeared first on We Live Security.
Staying safe and protected online as an enterprise is growing in importance and recognition. We look at whether business security needs to be simpler?
The post Business security: Is simpler better? appeared first on We Live Security.
Speaking more than one language has, of course, many advantages. As strange as it might sound, creating safer passwords can be one of them.
The post Speaking another language might help you create a safer password appeared first on Avira Blog.
Photo via The Times UK
People create terrible passwords. As simple as this might sound it unfortunately remains news to millions — if not billions — of individuals who use the Internet. As proof, we’ll take a look at a selection of passwords that were revealed in the Ashley Madison leak.
Regardless of any shortcomings Ashley Madison had in terms of securing their perimeter against breaches, one thing that they did right (to the surprise of many security researchers and disappointment of many black hats) was encrypting their users’ passwords.
The leak contained a database of around 36 million usernames, with bcrypt-hashed passwords. There is no known way to crack all of these passwords before the heat death of the universe, especially assuming that some are truly random, but we can crack the worst ones.
Conveniently, the web is full of known-password lists that anyone can just download. The two we chose for this crack, which are widely available, are the so-called 500 worst passwords of all time (compiled in 2008) and the 14-million-strong password list from the rockyou hack.
It should be noted that we did not use the full list of 36 million password hashes from the Ashley Madison leak; we only used the first million. So, that may skew the results towards passwords created near the beginning of the site’s existence, rather than the end. Also, since the system used contains a 6-core CPU and two GTX 970 GPUs, we set the CPU to test the 500 worst list, and the GPUs to test the rockyou list. Because we’re SMRT, we used the same million for both the CPU and GPU cracks, which therefore produced redundant results in our output files. This has the side-effect of being less efficient overall, but allows us to make an apples-to-oranges comparison of the effectiveness of the two password lists, as well as the CPU vs GPU cracking speed.
Before we get into the results, let’s take a quick diversion to explain why this hack was so difficult and only revealed a small number of passwords.
If you know the answer to these questions, you may safely skip this section and move on to the juicy innards of the dissection. For those who stick around, we’ll try to keep it simple… no promises.
Encryption algorithms can be broken into two broad categories: reversible and irreversible. Both have their uses in different contexts. For example, a secure website, such as Google, wants to send you data, and wants you to see the data that it sends you. This would be a case for reversible encryption:
[ plain text ] -> (encryption black box) -> encrypted data -> (decryption black box) -> [ plain text ]
The other method is irreversible encryption, which looks more like this:
[ plain text ] -> (encryption black box) -> encrypted data
Notice that there’s no decryption — the encryption black box makes that impossible. This is how passwords are stored on a server administered by someone who cares about security.
At first glance, this seems a bit strange. “If my password is encrypted and you can’t reverse the encryption, how do you know if the password is correct?”, one might inquire. Great question! The secret sauce lies in the fact that the encryption black box will always produce the same output with the same input. So, if I have some plain text that is claiming to be the password, I can input that text into the black box, and if the encrypted data matches, then I know that the password is correct. Otherwise, the password is incorrect.
There are many irreversible encryption algorithms (the more formal word for “black box”), including but not limited to:
All of these algorithms take an input password and produce an encrypted output known as a “hash”. Hashes are stored in a database along with the user’s email or ID.
From the above list, md5 is the simplest and fastest algorithm. This speed makes it the worst choice of encryption algorithm for passwords, but nonetheless, it is still the most common. It’s still better than what an estimated 30% of websites do, which is store passwords in plaintext. So why is being fast bad for an encryption algorithm?
The problem lies in the way that passwords are “cracked”, meaning that given a hash, the process of determining what the input password is. Since the algorithm can’t be reversed, a hacker must guess what the password might be, run it through the encryption algorithm, and check the output. The faster the algorithm, the more guesses the attacker can make per second on each hash, and the more passwords can be cracked in a given amount of time with the available hardware.
To put the numbers in perspective, a common password cracking utility, hashcat, can do about 8.5 billion guesses per second on a GeForce GTX 970 (this is not the best card on the market, but we happen to have two available for use). This means that one card could take the top 100,000 words used in the English language and guess the entire list of words against each md5 password hash in a database of 85,000 hashes in a single second.
If you want to test every two-word combination of words from the top 100,000 (10 billion guesses per password hash), it would take 1.2 seconds per hash, or just over a day to test that same list of 85,000 hashes. And that’s assuming we have to try every possible combination on each password hash, which, given how common terrible passwords are, is likely not the case.
Enter bcrypt.
By design, bcrypt is slow. The same card that can test 8.5 billion hashes per second with md5 can test on the order of 50 per second with bcrypt. Not 50 million, or even 50 thousand. Just 50. For that same list of 85,000 passwords being tested against 100,000 common English words that took one second with md5, bcrypt would take over 50 years. This is why security experts unanimously agree that bcrypt is currently one of the best choices to use when storing password hashes.
But, even it only protects good passwords.
After about two weeks of runtime, the CPU found 17,217 passwords and the GPU found 9,777, for a total of 26,994; however, 25,393 were unique hashes, meaning that the CPU and GPU redundantly cracked 1,601 hashes. That’s a little bit of wasted compute time, but overall not bad. Of the 25,393 hashes cracked, there were only 1,064 unique passwords.
For reference, the top 20 most common passwords according to the 500-worst list are:
1:123456
2:password
3:12345678
4:1234
5:pussy
6:12345
7:dragon
8:qwerty
9:696969
10:mustang
11:letmein
12:baseball
13:master
14:michael
15:football
16:shadow
17:monkey
18:abc123
19:pass
20:fuckme
Below are the top 20 from the Ashley Madison list cracked so far, formatted as “rank: count password”:
1: 6495 123456
2: 3268 password
3: 2024 12345
4: 880 12345678
5: 768 qwerty
6: 453 pussy
7: 248 secret
8: 209 dragon
9: 201 welcome
10: 198 ginger
11: 173 sparky
12: 168 helpme
13: 164 blowjob
14: 152 nicole
15: 134 justin
16: 129 camaro
17: 120 johnson
18: 117 yamaha
19: 113 midnight
20: 103 chris
It’s important to note that this ranking is NOT the ranking of passwords used by the users of Ashley Madison at large. It is simply the ranking of passwords cracked so far from a subset of 1 million users of the site, which may also be the first (oldest) million. And by “so far”, we mean that the CPU crack is about 4.8% complete, and the GPU crack is about 0.0008% complete. The estimated completion time is so far in the future, hashcat is having a difficult time computing it, but it’s certainly on the order of decades or centuries.
Given those caveats, we can still make a few conclusions about the data with high confidence:
If you’re interested, here are the results of just the CPU crack so far using the 500-worst list:
1: 6495 123456
2: 3268 password
3: 1940 12345
4: 880 12345678
5: 716 qwerty
6: 454 pussy
7: 233 secret
8: 202 dragon
9: 201 welcome
10: 198 ginger
11: 173 sparky
12: 168 helpme
13: 164 blowjob
14: 152 nicole
15: 129 camaro
16: 128 justin
17: 120 johnson
18: 113 midnight
19: 110 yamaha
20: 103 chris
And just the GPU crack so far using the rockyou list:
1: 619 123456
2: 349 password
3: 279 12345
4: 116 qwerty
5: 103 123456789
6: 83 696969
7: 82 abc123
8: 82 12345678
9: 76 football
10: 73 baseball
11: 71 1234567
12: 70 fuckme
13: 69 ashley
14: 61 fuckyou
15: 58 asshole
16: 57 mustang
17: 52 superman
18: 50 111111
19: 47 password1
20: 47 hockey
This list is a little different from the list that another security researcher came up with using the same rockyou wordlist on the first 6 million passwords, but at least the top few are pretty consistent.
Outside of the top 20, there are some other interesting observations. Again, none of these are conclusive or precise, and even the order-of-magnitude may be off, but the sample size is at least large enough to see some trends:
There are at least 25 unique passwords with the word “love” in them:
78: 27 iloveyou
132: 18 lover
236: 11 lovers
237: 11 loverboy
266: 10 mylove
270: 10 loveme
304: 9 lovely
338: 8 onelove
454: 6 lovebug
522: 5 loveyou
606: 4 lovelove
723: 3 iloveu
828: 2 lover1
848: 2 iloveyou1
849: 2 iloveme
918: 1 truelove
969: 1 loveya
970: 1 loves
971: 1 loveme1
972: 1 lovehurts
973: 1 love123
974: 1 love12
985: 1 iloveyou2
987: 1 iloveu2
1038: 1 babylove
We’re not sure how sincere those 8+ people are who used “onelove”, or if those 27+ people using “iloveyou” are lying or using “you” as a plural, but we’re pretty sure those 2+ people who used “iloveme” were at least honest with their password. And “babylove” is a bit weird.
The passwords “fuckme” and “fuckyou” were both used by 60+ people, which in this test was about as common as “baseball” and “football”:
31: 76 football
33: 73 baseball
34: 70 fuckme
38: 61 fuckyou
76: 28 fuckoff
105: 21 basketball
217: 12 fuckyou1
241: 11 fuckyou2
274: 10 football1
308: 9 fucker
431: 6 softball
500: 5 snowball
547: 5 baller
The password “panther” was also pretty common, ranking about 40th. If you are unsure why that is, it’s the opposite of “cougar”, which did not appear on the list. It’s not hard to guess what a lot of the site’s men wanted, and what demographics they fell into. There were only 3 unique passwords that we found referencing large cat species, and the other two likely reference sports teams:
40: 59 panther
259: 10 tigers
337: 8 panthers
Tigger is plausibly the most popular Winnie the Pooh character among Ashley Madison users:
108: 20 tigger
158: 16 christopher
390: 7 rabbit
443: 6 poohbear
590: 4 piglet
658: 3 winnie
664: 3 tigger1
870: 2 eeyore
Kanga and Roo fans will be disappointed, and Gopher doesn’t really count anyway.
Only 3 unique superheroes that we found:
44: 52 superman
94: 24 batman
295: 9 spiderman
380: 7 superman1
But on the bright side, “superman” is about as popular as “boobs” and “asshole”.
There were 76+ unique all-numeric passwords found, with the top 20 being:
1: 6495 123456
3: 2010 12345
4: 880 12345678
21: 101 123456789
29: 81 696969
32: 74 1234
35: 70 1234567
47: 50 111111
58: 38 654321
68: 33 121212
75: 29 1234567890
83: 26 54321
84: 26 123123
85: 26 000000
90: 25 11111
96: 24 131313
113: 20 666666
126: 19 222222
162: 16 777777
163: 16 55555
The only surprising thing about this is that, given the site in question, why 696969 isn’t ranked higher. And no, 8675309 was not in the list (although someone probably did use it, we just hadn’t found it).
This string of words caught our eyes:
118: 19 newyork
119: 19 maggie
120: 19 jackass
121: 19 dallas
122: 19 cowboy
123: 19 cookie
We’re not going to read anything into that.
Or this:
127: 18 taylor
128: 18 stupid
129: 18 princess
130: 18 patrick
131: 18 mother
132: 18 lover
George Carlin’s Seven Dirty Words didn’t all make an appearance (yet), but the list included a few additional profanities:
6: 450 pussy
34: 70 fuckme
38: 61 fuckyou
42: 57 asshole
76: 28 fuckoff
120: 19 jackass
176: 15 bullshit
217: 12 fuckyou1
241: 11 fuckyou2
308: 9 fucker
680: 3 pussycat
871: 2 dick
The months were not evenly represented:
277: 10 december
339: 8 november
502: 5 september
550: 5 august
645: 4 april
721: 3 january
Nor were the States:
118: 19 newyork
134: 18 dakota
243: 11 florida
352: 8 georgia
363: 8 california
395: 7 mississippi
404: 7 hawaii
414: 7 carolina
659: 3 virginia
Searching for the word “star” brought up “starwars”, but not “startrek”:
97: 23 stars
227: 11 starwars
231: 11 rockstar
326: 8 superstar
Below are a few amusing passwords, in that multiple people used them:
186: 14 police
189: 14 justme
348: 8 internet
351: 8 google
366: 8 booger
403: 7 hotmail
497: 5 unicorn
548: 5 badgirl
549: 5 babyboy
592: 4 peewee
620: 4 gangsta
621: 4 friend
632: 4 creative
699: 3 loser
737: 3 disney
860: 2 genius
861: 2 gangster
Creative? Genius? Just you? I think not.
There is no excuse for using terrible passwords, considering that the usage of intelligent passwords plays a key role in keeping you safe from attacks and breaches. Even with one of the strongest password encryption algorithms out there, it was trivial to get a large list of weak passwords by checking known passwords against the list of hashes.
As citizens of the Internet, it’s up to us to choose strong passwords. We are responsible for our own security, and cannot trust anyone on the Internet to do it for us. Especially not a company whose mission is to promote cheating.
Are there any other trends you’d like us to look for in the recovered passwords list? Let us know by leaving a comment below! Do you have an Ashley Madison account? If so, are you worried that your password might be leaked? Leave your username and password in the comments and we’ll check for it! (Just kidding, please don’t do that.)
If you ever had an Ashley Madison account created before July 15th, 2015, then the hash was definitely leaked. The password may have been cracked already by us or someone else, especially if it was weak. If you haven’t already, go and change it. Even if it was strong, change it anyway. Here is a useful guide on how to create a strong password. Better yet, use a password manager, and only create one strong password that you must remember, and use randomly generated passwords for the rest.
Stay smart and be safe out there!
Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.
It’s important to ensure your child’s data and devices are secure at school and at home. Check out our to back to school digital security guide.
The post Make password into a story and more parental hacks appeared first on We Live Security.
via Wired
For those of you keeping track, you can add high-tech sniper rifles to the growing list of Things That Can be Hacked. The vulnerability that allowed two security researchers to break into the computer guidance system of a sniper rifle is the same that allows hackers to access baby monitors and home routers. Simply put, the default Wi-Fi password, which was locked by the manufacturer, allowed anyone within range to connect. The typical range is up to 150 feet (46 m) indoors and 300 feet (92 m) outdoors.
In advance of the Black Hat conference this month, security researchers Runa Sandvik and Michael Auger, have demonstrated that they can hack TrackingPoint precision-guided firearms.
The TrackingPoint rifles can make a sharpshooter out of a novice. This is thanks to the computer-aided sensors including gyroscopes and accelerometers which take into account all the factors that a sniper scout would look for; wind, speed of the target, distance, snipers orientation, ammunition caliber, even curvature of the earth.
I asked Steve Ashe, a veteran of Desert Storm and Desert Shield, who collaborated closely with the sniper team what he thought about such technology. “Trained scouts and snipers must master a set of physical and mental skills that is beyond the reach of most people. This type of rifle can never replace that. Besides being crack shooters, they are in excellent physical condition, able to do complicated calculations in their heads and have mastered field craft such as land navigation, stalking and range estimation.”
One of the features of the TrackingPoint rifle is the ability to video stream your shot and share the view from the scope to another device connected via Wi-Fi. It’s this connection to Wi-Fi that turned out to be the weak point. The gun’s network has a default password that cannot be changed.
Desert Storm veteran Steve Ashe with sniper rifle that can’t be hacked.
Sandvik and Auger told Wired magazine that they developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit its software. They demonstrated that making a change in one of the variables listed above could cause the rifle to miss its intended target, disable the scope’s computer making it a useless piece of weight, or prevent the gun from firing. The TrackingPoint rifle has a range of up to a mile.
“A trained sniper is constantly making adjustments for these things. Of course, one thing they are always looking for is to shot further with more knockdown power,” said Ashe.
The good news is that hackers cannot make the gun fire by itself – that still requires a real finger pulling the trigger.
I asked Steve if the possibility of analog hacks existed. “Snipers always have their guns, and they hold onto their ammunition. But they have to sleep.” He said that snipers press their own bullets so they would be sure of the weight, but it’s possible, albeit improbable, that someone could tamper with it. Another hack would be to shave the firing pin, but again, highly improbable.
Speculation about the implications of Sandvik’s and Auger’s hack are pretty obvious. With military and law enforcement applications, having a third party control the trajectory of your bullet or brick your gun could cause a mission to go awry. Graduates of the US Army Sniper School are expected to achieve 90% of their first round hits at 600 meters, so with those kind of statistics, the question becomes why do they even need it?
“The computer assisted sniper rifle, has not yet made its way into the military or law enforcement units, even though they are testing it. But you gotta understand, things move slowly in the military. The Marines haven’t updated their sniper rifles in 14 years. Doesn’t look like something like this will become a threat,” said Ashe.
Thankfully, only about 1,000 of the TrackingPoint firearms have been sold and the company is reportedly not shipping any rifles currently.
Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.
The advice comes as a response to users complaining in the Skype forum that they have been apparently receiving malicious links from friends.
This sort of attack, where attackers either gain access or can mimic an authentic account is known as spoofing and can be very successful due to the level of trust that people have in their own contacts.
If you think that you or someone you know has been a victim of spoofing, here are three things that you should you do.
Normally, spoofing or phishing emails will contain a link to a site. Don’t click on it, especially if it is a shortened link as seen in the Skype forum example. If you believe it could be genuine, hover over the link and your browser will reveal the final destination of the link.
As cyberattacks get ever more complicated and better disguised, it can become difficult to stay protected. That’s why it’s important to get the best possible antivirus solution that can help keep you safe not just from viruses and malware but additional tools like AVG’s LinkScanner technology can scan links and attachments to check whether they are safe even before you click on them.
Just as Microsoft advised on the Skype forums, if you believe you’ve been a victim of any kind of spoofing or account fraud, it’s important to change your password. If someone has access to your account you should put a stop to that as soon as possible.
Take a little time when developing your new password and make sure that it gives you as much protection as possible.
For help doing this, take a look at the graphic below that will help you create a strong, unique password in three simple steps.
The show revolves around Elliot who works as a cyber security engineer by day and is a vigilante hacker by night.
I watched the episode and then sat down with Avast security expert Pedram Amini, host of Avast’s new video podcast debuting next week, to find out if someone like you or me could be affected by the hacks that happened in the show.
In the second minute of the episode we see Elliot explaining to Rajid, owner of Ron’s Coffee, that he intercepted the café’s Wi-Fi network, which lead him to discover that Rajid ran a child pornography website.
Stefanie: How likely is it that someone can hack you while you’re using an open Wi-Fi hotspot?
Pedram: Anyone with a just a little technical knowledge can download free software online and observe people’s activities on open Wi-Fi. We went to San Francisco, New York, and Chicago for a Wi-Fi monitoring experiment and found that one-third of Wi-Fi networks are open, without password-protection. If you surf sites that are unprotected, meaning they use the HTTP protocol, while on open Wi-Fi, then anyone can see, for example, which Wikipedia articles you are reading, what you’re searching for on Bing, and even see what products you are browsing for on Amazon and eBay, if you do not log in to the site.
Stefanie: Wow! That’s a bit frightening… How can I protect myself then?
Pedram: You can stay safe while using any public Wi-Fi network by using a Virtual Private Network (VPN). A VPN creates a virtual shield and tunnels traffic to a proxy server. The proxy server protects your personal data, thus preventing hackers from accessing your files and other sensitive information stored on your device.
We actually found that more than half of Americans connect to free and open Wi-Fi networks and that of the 55% who do, 76% prefer networks that don’t require registration or a password to connect, yet only 6% use a VPN or proxy while connected to open Wi-Fi.
Fast forward to minute 10:55. We see Elliot with his therapist Krista, whom he hacked (hacking people is clearly his hobby 
).
Stefanie: Elliot says that hacking Krista was simple, because her password was her favorite artist and her birth year backwards. We know that you should always use a complex password, more than eight characters and that your password should include letters, numbers, and symbols, but do most people really have complex passwords? Could having simple passwords really put you at risk?
Pedram: Most people, unfortunately, do not have complex passwords. For example, we found that one-third of American’s router passwords contain their address, name, phone number, a significant date, and their child’s or pet’s name. Not only that, but last year we found that most hackers’ passwords were only 6 characters long and that the most frequently used word in their passwords was the word “hack”.
Having a simple password that is either a dictionary word or that is comprised of personal information can put you at risk
If you think about it, bits and pieces of our private lives are scattered on the Internet. Someone can easily do a quick Google search, check out some of your social media sites and with a little time and patience, they can figure out your simple password. Even worse, if you use the same password for multiple sites, you really make it easy for hackers to hack all of your accounts.
Moving forward to minute 25, Angela, Elliot’s friend and colleague, calls him for help because their client, E Corp, a multinational conglomerate, has been hit with a DDoS attack.
Stefanie: What is a DDoS attack? Can this affect the average computer user?
Pedram: DDoS stands for distributed denial of service attack and is used to make a service unavailable. In the end we discover that the attack on E Corp was actually based on rootkits that had subverted a variety of servers, but I’ll continue to describe a DDoS attack.
DDoS attacks are sent by two or more people, but more often by an army of bots AKA a botnet. These bots send so many requests to a server that the server becomes overloaded and cannot provide its service anymore. DDoS attacks target large businesses, so the average computer user does not become affected, unless the service they want to use is not available because it has been hit by a DDoS attack.
However, the average user can help facilitate a DDoS attack unknowingly. We researched home routers and found that millions are vulnerable. Routers are connected to the Internet 24/7 and can be easily exploited and used as a bot, which, as I explained, can be used in a DDoS attack. A famous example is the hack of the Sony Playstation Network and Xbox Live last Christmas – the hacker group claimed they used a router botnet for the attack.
To prevent this from happening, people should make sure their router firmware is always up-to-date and perform a router scan to check if their router is vulnerable or not.
In minute 55, Elliot tries to hack Krista’s new boyfriend, Michael. He calls Michael pretending to be a from his bank’s fraud department, confirming his address and asking him security questions to verify his account: what his favorite baseball team is, his pet’s name. Using the information he gathered combined with a dictionary brute force attack he attempts to get Michael’s password.
Stefanie: What is a brute force attack? Can this happen to the average user?
Pedram: A brute force attack is password guessing which systematically checks all possible passwords until the correct one is found. Think of it like a machine going through a huge dictionary of passwords that types each one into an account to unlock it.
Brute force was likely one of the techniques used in hacking the iCloud accounts which eventually lead to the nude celebrity pics from stars like Jennifer Lawrence and Kirsten Dunst being distributed over the Internet. This type of attack is not exclusively used against celebrities. Hackers can use brute force attacks to hack any user accounts, given they have account email addresses. Typically, they would target accounts that hold credit card or other financial information they can abuse for financial gain. This is why, again, it is vital you use strong passwords for all of your accounts.
Stefanie: Thank you for the chat Pedram. I look forward to discussing Mr. Robot’s next episode, Ones and zer0es with you next week!
You can watch MR. ROBOT on USA Network Wednesday nights 10/9 central.
Follow Avast on Facebook, Twitter and Google+ where we will keep you updated on the new Avast video podcast hosted by Pedram Amini.
A security researcher has highlighted an iOS bug that makes it easier for hackers to to steal iCloud passwords.
The post iOS bug leaves iCloud passwords vulnerable appeared first on We Live Security.
In the study by Telesign, web users had on average six passwords protecting 24 online accounts, another cause for concern. Using old or weak passwords across multiple sites can leave people vulnerable to attack.
Using the same password on multiple sites is one of the biggest mistakes that people can make in terms of Internet security. If a password for one account gets compromised then it can start a chain reaction that leaves other online accounts vulnerable to attack. With high profile data breaches regularly in the news, this is not as farfetched as it may sound.
There are three basic steps that we can all follow to help keep our online accounts safe:
Use a strong password
Creating a strong and memorable password doesn’t have to be difficult, we’ve outlined three easy steps in our password guide.
In the meantime, here are four common password mistakes to avoid.
Use a different password for each account
Here to explain why it’s always a good idea to use site-specific passwords, here is AVG Security Awareness Director Michael McKinnon:
Use Two-Factor authentication
Lastly, I suggest using two-factor authentication whenever it’s available. Two-factor authentication means that your password alone isn’t enough to access an account. Instead you’ll need a code sent to your phone or generated by an app to validate your identity.
Watch the video below to learn more:
