Archive for the 'Computer Security' Category

PIN/Password Analysis Shows That We’re Predictable

Tuesday, August 6th, 2013

The author of the linked article accumulated a database of hacked PINs and numeric passwords, then analyzed it to see what patterns emerged. Here are some of the highlights:

  • 20% of all PINs use just five different numbers: 1234, 1111, 0000, 1212, and 7777.
  • The fourth most popular seven-digit password is 8675309. (Wait for it…)
  • Using a year in the form 19XX is a bad idea.
  • The least used PIN is 8068.
  • Including 007, 420, and 69 may seem like a neat idea, but they turn out to be quite common.
  • Numbers made from drawing lines or patterns on the keypad are also popular.

Link: http://www.datagenetics.com/…
(via Kim Komando)
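The patterns listed above can be turned into a check that rejects predictable PINs when a user picks one. The following is an added example, not code from the linked article; the keypad layout, the rule names, and the generalization from 1111/0000/7777 to any repeated digit are assumptions, and only straight keypad lines are detected, not other shapes.

```python
# Added example: flag PINs matching the predictable patterns listed above.
# Keypad layout and rule names are assumptions of this sketch.
KEYPAD = {d: divmod(i, 3) for i, d in enumerate("123456789")}
KEYPAD["0"] = (3, 1)  # 0 sits under the 8 on a phone-style keypad

TOP_PINS = {"1234", "1111", "0000", "1212", "7777"}  # the five from the post
COMMON_NUMBERS = {"8675309"}                         # popular seven-digit password
COMMON_FRAGMENTS = ("007", "420", "69")              # fragments named in the post


def is_keypad_line(pin):
    """True if the digits trace a straight, evenly spaced line on the keypad."""
    if len(pin) < 3:
        return False
    pts = [KEYPAD[d] for d in pin]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])}
    # One distinct non-zero step means every move had the same direction and length.
    return len(steps) == 1 and steps != {(0, 0)}


def pin_weaknesses(pin):
    """Return the list of reasons a numeric PIN is predictable (empty if none)."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must contain only the digits 0-9")
    reasons = []
    if pin in TOP_PINS or pin in COMMON_NUMBERS:
        reasons.append("top-list")
    if len(set(pin)) == 1:
        reasons.append("repeated-digit")
    if len(pin) == 4 and pin.startswith("19"):
        reasons.append("year-19XX")
    if any(fragment in pin for fragment in COMMON_FRAGMENTS):
        reasons.append("common-fragment")
    if is_keypad_line(pin):
        reasons.append("keypad-line")
    return reasons
```

A PIN-change form would call `pin_weaknesses()` and refuse any PIN for which the returned list is not empty.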

An Astounding Number of Vulnerable Internet Devices

Saturday, April 6th, 2013

A computer researcher wanted to map all 3.6 billion of the Internet’s usable IPv4 addresses, to see which ones are actually being used and to determine where the devices are physically located. This would be quite a task for a single computer, so he created a botnet with 420,000 zombie devices to do the task for him. What I find most interesting, however, is how he managed to compromise those devices. He simply tried to connect to each one with the following four username/password combinations:

  • admin/admin
  • root/root
  • admin/(blank)
  • root/(blank)

No kidding. That’s all it took.

For the more technically minded, the paper says that “the vast majority of all unprotected devices are consumer routers or set-top boxes.” So just for kicks, I telneted to my router and found that the admin/admin combination worked. Fortunately it’s configured such that remote telnet is disabled—so I was not part of this experiment. The paper goes on to say that the 420,000 number is for the devices they turned into zombies, and that the actual number of vulnerable machines is about four times that many.

Link #1: http://www.techrepublic.com/…

Link #2 (research paper): http://internetcensus2012.bitbucket.org/…

Hackers Take Over Emergency Alert System and Warn of Zombie Attack

Monday, February 18th, 2013

The United States recently replaced its old telephone-based Emergency Alert System with a web-based one. And of course this opened the system to hackers, who broke in and broadcast an alert about zombies rising from the grave (“Local authorities in your area have reported the bodies of the dead are rising from their graves and attacking the living.”). Various television and radio stations in California, Michigan, Montana, and New Mexico actually broadcast the alert. It appears the main problem was that those stations didn’t change the default password for the new system. Oops.

Link: http://www.thespec.com/…
(via Bureau 42)

Computer Security Terms Explained

Thursday, February 14th, 2013

Ever wondered about the difference between a virus, a trojan, and a worm? And just what is a drive-by download? And if my computer is a zombie, will it try to eat my brain? Kim Komando uses everyday language to explain these terms and more, in the linked article.

Link: http://www.komando.com/…

Security Alert: Disable Universal Plug and Play Now

Saturday, February 2nd, 2013

There are multiple security issues with Universal Plug and Play (UPnP) implementations, some of which have been known for years. (For those who aren’t familiar with UPnP, it’s a protocol that makes it easier to set up network devices. For example, it allows a PC to seamlessly connect with a new network printer.) Security researchers at Rapid7 performed tests to determine just how many Internet-connected systems were vulnerable, and the results were staggering—they found 81 million unique IP addresses that had at least one of the vulnerabilities, which comes out to about 40-50 million devices.

The vulnerabilities allow hackers to either crash the device or run arbitrary code. At first this may not seem like a big issue—I mean, who really cares if someone manages to hack your network scanner? But then if you think about it, what if they make copies of everything you scan and send them to a central server in Russia? Or what if your printer is hacked and they start printing spam? Or if they just decide to see how many devices they can bring down across the world?

You may be wondering, what does this mean for people like you and me? Most home users can safely ignore UPnP vulnerabilities on every network device except the Internet router/modem, provided the router’s firewall is enabled. But you will need to lock down the router. I was able to access my Actiontec router and quickly disable UPnP in the advanced settings. If you don’t know how to do this, I suggest contacting your ISP for help, or, if you purchased the router from a store, contact the manufacturer.

This web page will test your router and determine if it’s vulnerable. There’s also a free Windows program, ScanNow, that will check your local network to see which devices are affected. If you find one, the best thing to do is check the manufacturer’s website for firmware updates, although this may not fix the problem.

The linked white paper has technical details, as well as links to documents that list every vulnerable device. (These links are on the last page.)

Link #1: http://arstechnica.com/…

Link #2 (white paper): https://community.rapid7.com/…

Major Java 7 Vulnerability in the Wild – Update Now

Saturday, January 19th, 2013

A little over a week ago, word spread on the Internet that a previously unknown security flaw in the Java browser plugin was being “massively exploited in the wild”. The bug allows an attacker to execute arbitrary commands on a vulnerable system. It exists in all versions of Java 7 through update 10, which was the latest release as of a week ago. Based on the widespread use of Java (installed on more than 1 billion PCs) many organizations, including the US government, recommended disabling Java in the browser, or uninstalling Java completely.

The real problem was not that a flaw was found, but that it was already in the wild and had infected a significant number of machines.

Oracle released an emergency patch within three days of the announcement: Java 7 Update 11. If you’ve not already done so, you should update your Java software—this can be done via the Java Control Panel, or via www.java.com. Developers who use the JDK can go to the Java download page to get the latest version. If you don’t know which version(s) of Java you have installed, this page will tell you.

Note that even with the update from Oracle, US-CERT still recommends disabling Java in browsers, to “defend against … future Java vulnerabilities.” Apparently optimism is not in their vocabulary.

Link #1 (announcement of flaw): http://arstechnica.com/…

Link #2 (announcement of update): http://arstechnica.com/…

Link #3 (govt advisory): http://www.us-cert.gov/…

Link #4 (oracle advisory): http://www.oracle.com/…

Beware of Malicious QR Codes

Saturday, January 5th, 2013

QR codes are those black and white squares that you can scan with your smartphone to go directly to an associated website. They’ve become popular enough to attract the attention of spammers and malicious hackers, who are including codes in spam emails. They’re also placing QR code stickers in areas with a high amount of foot traffic (think airports and tourist sites) in the hopes that people will scan them. And even worse, they’re putting the stickers on top of regular QR codes—so it seems legitimate, but you end up going to a malicious website. According to the linked article, the only safeguard is to “download and install a QR reader that checks the website’s reputation, and then offers them the option of taking them there or not.”

Link: http://www.net-security.org/…
(via Slashdot)

Another Step Toward the End of the Password

Friday, December 28th, 2012

Using custom software and a computer cluster of 25 graphics cards, password-cracking expert Jeremi Gosney has created a system capable of guessing 350 billion Windows passwords per second. According to the article, it takes 5½ hours to “brute force every possible eight-character [Windows] password containing upper- and lower-case letters, digits, and symbols.” This development reinforces the message of this xkcd comic, that long passwords are much harder to crack than shorter but more complicated ones. Note also that an easy way to create long but memorable passwords is to use a passphrase.

Link: http://arstechnica.com/…

Why Hosting a Tor Server is a Bad Idea

Tuesday, December 25th, 2012

Tor is a computer network that allows people to transmit information anonymously. It is free for anyone to use. The network comprises a large number of servers (called relays) hosted by volunteers. The benefits seem to be good at first glance. Tor allows dissidents in politically oppressive regimes to anonymously get information out to the world at large. Companies and governments can use it to transmit sensitive communications. Journalists can safely connect with whistleblowers. Or it can be used by people who simply value their privacy. Anyone can configure the Tor software to make their computer into a Tor network relay. It’s quite easy for people like you and me to help promote these good causes.

The problem, however, is that criminals also use Tor—including terrorists and child pornographers. And if you’re hosting a Tor server/relay that transferred illegal material, the police can and will come after you. The linked articles give two such cases.

Link #1: http://arstechnica.com/…

Link #2: http://arstechnica.com/…

What We’ve Learned About Voting Machines Since the 2000 Election

Sunday, November 4th, 2012

With the election coming up on Tuesday, the linked article discusses the changes made in the wake of the problems with the 2000 presidential election. To summarize: computerized voting machines are actually worse than the paper ballots that failed so dramatically in 2000.

Link: http://arstechnica.com/…

Don’t Use That Fingerprint Reader on Your Laptop

Sunday, September 9th, 2012

Biometric identification systems such as fingerprint readers, retina scanners, etc. are supposed to make it harder for people to hack your computer. But in the case of the UPEK Protector Suite, the opposite is true. This is due to insecure programming practices that make it trivial for someone to learn your Windows password. See the linked article for more information.

Link: http://blog.crackpassword.com…
(via Ars Technica)

If You Lose Internet Access Next Monday, Here’s Why

Thursday, July 5th, 2012

The DNSChanger trojan infected hundreds of thousands of computers worldwide and changed their DNS server settings to point to rogue servers. (Your DNS setting tells your computer where to go to look up the address for a name such as www.chadsnews.com. Without one, you’re effectively shut off from the Internet.) The FBI shut down the source of the malware but realized that turning off those rogue servers would have severe effects for those who were infected—they would lose Internet access. So as a stopgap measure, the FBI set up real DNS servers to replace the malicious ones. This Monday (July 9th), however, the FBI is going to permanently turn off those servers.

The FBI has a webpage with instructions on how to determine if your computer is infected. I suggest taking a few minutes now to verify that your DNS is okay. If you’re infected, and even if you’re not, this might be a good time to consider using OpenDNS as your DNS provider.

Link #1 (PDF): http://www.fbi.gov/…

Link #2: http://www.kvue.com/…
(via Kim Komando)