Crimes at Cyber Headlines

Thursday, January 24, 2013

If You're Using 'Password1,' Change It. Now.

By Stacy Cowley | Wed, 31 Oct, 2012 8:01 AM EDT

The number one way hackers get into protected systems isn't through a fancy technical exploit. It's by guessing the password.

That's not too hard when the most common password used on business systems is "Password1."

There's a technical reason for Password1's popularity: It's got an upper-case letter, a number and nine characters. That satisfies the complexity rules for many systems, including the default settings for Microsoft's widely used Active Directory identity management software.

Security services firm Trustwave spotlighted the "Password1" problem in its recently released "2012 Global Security Report," which summarizes the firm's findings from nearly 2 million network vulnerability scans and 300 recent security breach investigations.

Around 5% of passwords involve a variation of the word "password," the company's researchers found. The runner-up, "welcome," turns up in more than 1%.

Easily guessable or entirely blank passwords were the most common vulnerability Trustwave's SpiderLabs unit found in its penetration tests last year on clients' systems. The firm set an assortment of widely available password-cracking tools loose on 2.5 million passwords, and successfully broke more than 200,000 of them.

Verizon came up with similar results in its 2012 Data Breach Investigations Report, one of the security industry's most comprehensive annual studies. The full report will be released in several months, but Verizon previewed some of its findings at this week's RSA conference in San Francisco.

Exploiting weak or guessable passwords was the top method attackers used to gain access last year. It played a role in 29% of the security breaches Verizon's response team investigated.


Verizon's scariest finding was that attackers are often inside victims' networks for months or years before they're discovered. Less than 20% of the intrusions Verizon studied were discovered within days, let alone hours.

Even scarier: Few companies discovered the breach on their own. More than two-thirds learned they'd been attacked only after an external party, such as a law-enforcement agency, notified them. Trustwave's findings were almost identical: Only 16% of the cases it investigated last year were internally detected.

So if your password is something guessable, what's the best way to make it more secure? Make it longer.

Adding complexity to your password -- swapping "password" for "p@S$w0rd" -- protects against so-called "dictionary" attacks, which automatically check against a list of standard words.

But attackers are increasingly using brute-force tools that simply cycle through all possible character combinations. Length is the only effective guard against those. A seven-character password has 70 trillion possible combinations; an eight-character password takes that to more than 6 quadrillion.

Even a few quadrillion options isn't a big deal for modern machines, though. Using a $1,500 computer built with off-the-shelf parts, it took Trustwave just 10 hours to harvest its 200,000 broken passwords.
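The numbers in the preceding paragraphs can be reproduced. The script below is an added example and is not part of the article or of Trustwave's or Verizon's reports; it assumes a 95-symbol printable-ASCII alphabet (which is what yields the "70 trillion" and "6 quadrillion" figures for seven and eight characters), an approximation of the default Active Directory complexity rule (minimum seven characters and three of four character classes), a constructed word list standing in for a dictionary-attack list, and a constructed guess rate. It shows why "Password1" and "p@S$w0rd" pass a complexity check yet both normalise back to a dictionary word, and how keyspace grows with length.

```python
import math
import re
from typing import Optional

# Assumption: the 95 printable ASCII characters are the alphabet behind the
# article's "70 trillion" (7 chars) and "6 quadrillion" (8 chars) figures.
PRINTABLE_ASCII = 95

# Constructed word list: stands in for the "list of standard words" a
# dictionary attack checks. A real policy would load a far larger list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}

# Common symbol-for-letter substitutions, undone before the dictionary lookup.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_default_complexity(pw: str) -> bool:
    """Approximate the default AD rule (assumption): at least 7 characters
    and at least three of lower, upper, digit, symbol."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= 7 and sum(classes) >= 3


def dictionary_base(pw: str) -> Optional[str]:
    """Return the dictionary word a password is a variant of, or None.
    Strips a trailing digit/symbol suffix ("Password1"), undoes leet
    substitutions ("p@S$w0rd"), then looks the remainder up."""
    core = re.sub(r"[^A-Za-z]+$", "", pw.lower())   # drop "1", "!", "123"
    core = core.translate(LEET_MAP)                   # p@s$w0rd -> password
    core = re.sub(r"[^a-z]", "", core)                # ignore remaining noise
    return core if core in COMMON_WORDS else None


def keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of candidates a brute-force search must cover at this length."""
    return alphabet_size ** length


def crack_hours(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust the keyspace at a given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 3600


def assess(pw: str) -> dict:
    """Policy-style summary: does the password pass the complexity rule,
    is it a dictionary variant, and how large is its brute-force keyspace?"""
    return {
        "complexity_ok": meets_default_complexity(pw),
        "dictionary_base": dictionary_base(pw),
        "keyspace": keyspace(len(pw)),
        "keyspace_bits": round(math.log2(keyspace(len(pw))), 1),
    }


if __name__ == "__main__":
    for candidate in ["Password1", "p@S$w0rd", "Welcome1!", "correct horse battery"]:
        print(candidate, assess(candidate))
    # Constructed guess rate (assumption): 1e9 guesses per second.
    for n in (7, 8, 12):
        print(f"{n} chars: {keyspace(n):.2e} candidates, "
              f"{crack_hours(n, PRINTABLE_ASCII, 1e9):.1f} h worst case at 1e9/s")
```

Two points the output makes concrete: a complexity rule that "Password1" satisfies is not a defence against a dictionary attack, since the check above maps it straight back to "password", and each extra character multiplies the brute-force keyspace by the alphabet size, which is why the article's advice is to make passwords longer rather than more ornate.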

"We've got to get ourselves using stuff larger than human memory capacity," independent security researcher Dan Kaminsky said during an RSA presentation on why passwords don't work.

He acknowledged that it's an uphill fight. Biometric authentication, smartcards, one-time key generators and other solutions can increase security, but at the cost of adding complexity.

"The fundamental win of the password over every other authentication technology is its utter simplicity on every device," Kaminsky said. "This is, of course, also their fundamental failing."


Saturday, November 6, 2010

Police chief warns of rise in cyber crime

Britain is facing a rising tide of online crime such as bank fraud committed by computer hackers, the country's most senior policeman has warned. 

By Alastair Jamieson

Sir Paul Stephenson, the Metropolitan Police Commissioner, said organised crime gangs were increasingly turning to the internet in pursuit of illegal profits.

Writing in the Sunday Telegraph, he said forces faced with a budget squeeze should not cut specialists tackling such complex crimes in order to maintain bobbies on the beat, adding: "Uniform officers alone will not keep the streets safe."

Sir Paul said it would be "fundamentally misguided" to scale back efforts against internet crime when the growth of online shopping and banking has made Britons more vulnerable than ever to electronic fraud.

He warned: "My investigators tell me the expertise available to law enforcement is thin, compared to the skills they suspect are at the disposal of cyber criminals."

The warning comes after 11 suspects were charged last week in London, and 37 in New York, at the culmination of the year-long Operation Trident Breach investigation involving the Met and the FBI. Detectives believe a global fraud ring stole $70 million (£44 million) from online bank accounts using the Zeus Trojan, malicious software spread by email which infected thousands of computers and gained access to passwords.

Five more suspects arrested in the Ukraine were said to be kingpins.

In a separate case, another major cyber fraud trial will begin next week.

Sir Paul said organised criminals were "waking up to the profits and uses of e-crime" as an easier way to extort larger sums of money, adding: "The modern Tony Soprano-style crime lord will have a cyber expert on hand."

Yet he disclosed that of the 385 officers in England and Wales dedicated to online work, 85 per cent are fighting people-trafficking and child pornography – leaving fewer than 60 to fight financial crimes such as bank fraud.

Police forces are braced to bear their share of public sector budget cuts, with the Police Federation saying that as many as 40,000 jobs might be axed across England and Wales over the next four years.

Warning against political pressure to maintain the number of uniformed officers, Sir Paul said specialists working on e-crimes were "unseen officers, as far as the public and some politicians are concerned".

"Some commentators argue that we should concentrate on uniformed policing and draw back from specialised work that could be done by others," he said.

"Leave cyber crime to the banks and retailers to sort out, the argument runs. It's a fundamentally misguided argument.

"If the debate about police cutbacks gets bogged down in arguments about 'uniforms before specialists' we will not serve the public well."

He added that online fraud caused "deep distress" to victims and "threatens the integrity of our modern economy".

The Met's e-crime unit cost £2.75 million to run last year, but online fraud generated an estimated £52 billion worldwide in 2007.

It is estimated that the global 'virtual task force' of which the Met is part prevented £21 in potential theft for every £1 spent on it.

Sir Paul said police were only tackling 11 per cent of the 6,000 organised crime groups in England and Wales "in an operationally meaningful way".