Posts tagged ‘Passwords’

How do you know my password?

I don’t plan to mention every security-related thing I see on TV, but this one made me chuckle.

On The Finder, a new show on Fox, Michael Clarke Duncan’s character finds another character logged into the computer as him. He asks in his booming voice, “How do you know my password?”

The answer: “you say it to yourself as you type it in.”

I’ve caught myself doing that a few times. The worst is when the password is a phrase from a song.

Cyber-Ark / Qualys Integration

Last year at about this time, Qualys and Cyber-Ark announced a new integration.   I implemented this last week.

Most companies have password policies requiring the expiration of passwords. Yet these policies hardly ever get applied to service and application accounts, only to user accounts. Many times these service passwords even predate the implementation of strong password requirements. This is one of the ways Cyber-Ark can help. In addition to being a strong vault to store your passwords, Cyber-Ark can manage your passwords in accordance with your password policy.

But what happens when Cyber-Ark can’t manage both sides of a password? For example, the vulnerability scanner Qualys can perform authenticated scans. I have a Qualys account on my Unix servers. But if I update the password on the Unix machines, I need to update it in Qualys as well. So it is just as likely the accounts will be set to never expire, and the password will never be changed.

Now with this integration, I give Qualys an account to access the Cyber-Ark vault. It can then check out the existing password and use it for the scan. Cyber-Ark is able to change the Unix account password, and Qualys always has access to the current password.

To perform the integration, I used info in the Cyber-Ark knowledge base and the Qualys online help. That and some preexisting knowledge of the products will get you 85% of the way there. My two issues were 1) not knowing how to label the folder correctly in the Qualys configuration for the safe, and 2) in Cyber-Ark, I accidentally removed the PAPI rights for the user. Read what is on the screen. Qualys’ error messages were helpful, but it was unfortunate I had to run a full scan to find out whether it worked. A test button would be helpful.

A few less static passwords is a victory I’m excited about, but I don’t imagine many others would feel the same way.

LastPass Network Anomaly

I was sidetracked by work this morning.   As a result everyone and their brother has beaten me to the LastPass blog post.   So let me be the millionth person to post “It is the last pass you’ll ever need, until we force you to change it.”  

LastPass monitors their network, saw an anomaly and in an abundance of caution chose to force a master password reset.   All these tweets “lastpass hacked” are a bit over the top.   Particularly amusing is the Schadenfreude directed at anyone who would store their passwords in the cloud.   How many of these people have actually evaluated the service and compared the risks/benefits to using a local application?

Is the cure worse than the disease? All day I’ve been unable to log into LastPass. Due to the high volume of traffic LastPass is logging people in under offline mode. I’m pretty sure that doesn’t work for me. I use a YubiKey and I don’t think that works with offline authentication. Fortunately I can get to my passwords on my iPhone, but my usage is still rather crippled.

Source: LastPass blog

Plaintext Password Storage

Today I received via snail mail my annual season ticket holder renewal for the Washington Capitals.   As also seems to be traditional, my PIN (really a password) was included on the invoice.   This makes it easier for people to renew online without having to get their password reset.  

Passwords provide authentication.   That is to say, they are used to prove who you are to the computer.   As such they should be kept secret lest someone else could perform actions as you.

Since the Caps can print my password on my paper invoice, they must have the password stored in clear text in their password file. If someone were to compromise their computers, either through hacking or internal misuse, they would have access to my password without any additional work. Storing passwords in plaintext or in an easily brute-forced hash indicates a lack of due care. In the past year there have been many incidents where online companies were compromised and the password database posted to the internet (Gawker, Plenty of Fish). Passwords should be stored securely by the web provider.

By writing down my password for me and putting it on the invoice, they have now exposed the password to anyone else opening my mail. I must protect this invoice like a password safe or destroy it. I normally keep these invoices around to watch the ticket cost skyrocket.

The main reason this is a security problem and not just bad form is user behavior. Users tend to have one password for most sites where they are not required to change the password. My email address is on the invoice. Want to place any bets on whether that password will get you into my mailbox? Once in the mailbox you can often find other passwords, or at worst be able to compromise other accounts by using password resets, which will probably send a one-time URL to that mailbox.

As a user, the best defense against this sort of thing is to use different passwords for every account. If nothing else, never set up an account to use the same password used with the email address associated with the account. Keeping track of these things is hard. That is why I use LastPass. It prompts you to save accounts as you use them. You can run a security test to see which accounts have duplicate passwords.

Even so, I would like to see the Washington Capitals commit to storing passwords securely so they can’t send passwords in clear text. If they don’t, I wouldn’t be surprised if in a few years the ticket renewal packages are electronic. Sending the password in plaintext via email would be that much worse.
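To make the "due care" point concrete, here is an added example (my own illustration, not code from the post or from any ticketing system) that puts the three storage choices side by side: a plaintext record like the one the invoice implies, an unsalted MD5 record that a precomputed table of common passwords recovers in one lookup, and a salted, deliberately slow PBKDF2 record from which nobody can print the password back. It also shows the invoice alternative: a random single-use renewal token whose hash is all the site keeps. The account, password and "common passwords" list are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential, as a site that prints PINs on invoices might hold it.
ACCOUNT = "alice@example.com"
PASSWORD = "GoCaps2011"

# 1. "Stored in clear text": anyone who reads the file (or the invoice) has the password.
PLAINTEXT_STORE = {ACCOUNT: PASSWORD}

# 2. An unsalted fast hash is only marginally better. Identical passwords hash identically,
#    so one precomputed table of popular passwords cracks every user at once.
UNSALTED_MD5_STORE = {ACCOUNT: hashlib.md5(PASSWORD.encode()).hexdigest()}
# Constructed stand-in for a precomputed lookup table of popular passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "GoCaps2011", "hockey"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def recover_from_unsalted_md5(digest_hex: str):
    """Return the password if its unsalted MD5 is in the precomputed table, else None."""
    return LOOKUP_TABLE.get(digest_hex)


# 3. Due care: a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256).
#    The site keeps only this record, so it cannot print the password on an invoice even if it wants to,
#    and a stolen database costs the attacker `iterations` hashes per guess per user.
def hash_password(password: str, iterations: int = 200_000) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised later without breaking old entries.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time comparison


# 4. The invoice alternative: mail a random single-use renewal token instead of the password and
#    store only its hash. An opened envelope then exposes one token, not the account's password.
def issue_reset_token():
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def redeem_reset_token(token: str, stored_hash: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), stored_hash)


if __name__ == "__main__":
    print("plaintext store leaks:", PLAINTEXT_STORE[ACCOUNT])
    print("unsalted MD5 recovered by lookup:", recover_from_unsalted_md5(UNSALTED_MD5_STORE[ACCOUNT]))
    record = hash_password(PASSWORD)
    print("salted record:", record)
    print("verify correct:", verify_password(PASSWORD, record))
    print("verify wrong:", verify_password("GoCaps2012", record))
    token, token_hash = issue_reset_token()
    print("token redeems:", redeem_reset_token(token, token_hash))
```

Two records for the same password differ because each gets a fresh salt, which is exactly what defeats the shared lookup table used against the MD5 store.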

Gawker Media Security Breach

Gawker Media has experienced a data confidentiality breach that has disclosed passwords on all Gawker Media sites including Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, and Deadspin.

If you have an account at a Gawker website, you should change the password immediately.   If you use the same password on other websites those passwords should be changed as well.

Be aware of phishing schemes pretending to be security announcements about this event. To change your password, use a known valid URL to visit the website, log into your account and change the password. Do not click on a URL in an email.

If a username/password combination used at Gawker were also used with your ISP webmail account, an attacker could then log into your mailbox to find additional passwords. An attacker could request a password reset, which would be mailed to that mailbox, allowing him/her to access more highly valued accounts.

Many of the compromised accounts belonged to Government employees. Employees are reminded that accounts are for business use. Personal accounts should be used when registering at shopping and other non-business websites.

From time to time, website account databases are compromised. You can protect yourself by using different passwords for each website. Password managers such as LastPass can be used so you don’t have to remember each password.

For more information on this Gawker breach, see the writeup in Forbes.

Webmail Account Compromises

A couple of my friends had their webmail accounts compromised and I got pharma spam from them over the weekend. One had a Hotmail account and another a Yahoo account. I’m not sure whether they should be mocked more for using accounts at those domains or for getting compromised.

Restoring Access
If this happens to you and you’re really fortunate, you’ll be able to log into your webmail account, change your passwords, and change the security questions used to reset the password.  

If you can’t gain access because the bad guy changed the passwords, try using the lost password button. If you can’t reclaim your account that way, you’re going to have to contact Google/Hotmail/Yahoo, whoever the website owner is. Good luck with that.

Cleaning Up
Review all your settings. In Google Mail check your filters and your mail forwarding. Mail from your bank could now be forwarded to the bad guy.

Maybe it’s paranoia talking, but I would search my mailbox for “password” to see whether any other accounts might have been learned by the bad guy because a plaintext password was sitting in the inbox.

Prevention
People always want to know how this happened to them.   Often they jump first to blaming their webmail provider.   While that’s possible, it’s not something you can really control.   It’s better to start looking at simpler explanations that you can do something about.

Was your computer hacked?   Did a keystroke logger gather your webmail credentials?   That is certainly possible.   And it doesn’t hurt to check out the computer.   I would have to wonder why the spammer would gain your credentials and then use another computer to send the spam.   Some webmail providers give full mail headers including the PC used to send the email.   For the spam I received I could see it wasn’t the same country as the sender.
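The header check described above can be done by hand, but it is easy to get the hop order backwards: mail servers prepend Received headers, so the earliest hop is the last one. Here is an added example (my own code, not part of the post) that extracts the originating address from a constructed spam message using Python's standard email parser. It prefers the X-Originating-IP header that some webmail providers add for the browser session, falls back to the earliest Received hop, and then flags the address when it is outside the networks the account owner normally uses. The message and the allow-list CIDRs are constructed sample data in documentation address ranges; the allow-list stands in for the country comparison the post describes, since no geolocation database is used here.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample message (documentation address ranges, not real hosts).
# The newest Received: header is at the top, so the earliest hop is the last one.
SAMPLE_RAW = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP id 4C2A1\n"
    "\tfor <me@recipient.example>; Sat, 16 Oct 2010 09:12:01 -0400\n"
    "Received: from webmail-frontend.example.net ([198.51.100.7])\n"
    "\tby mail.example.net with HTTP; Sat, 16 Oct 2010 09:11:58 -0400\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "From: friend@example.net\n"
    "To: me@recipient.example\n"
    "Subject: check this out\n"
    "\n"
    "buy cheap pills\n"
)

# Addresses in Received headers are conventionally written in square brackets.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: str) -> List[str]:
    """Return the bracketed IPv4 address of each Received: hop, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = IPV4_IN_BRACKETS.search(header)
        if match:
            hops.append(match.group(1))
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """Best guess at the client that sent the message.

    X-Originating-IP (when the provider adds it) names the browser that used the webmail
    session; otherwise fall back to the earliest Received: hop.
    """
    msg = message_from_string(raw)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        match = IPV4_IN_BRACKETS.search(xoip)
        if match:
            return match.group(1)
    hops = received_hops(raw)
    return hops[0] if hops else None


def outside_expected(ip: str, expected_cidrs: List[str]) -> bool:
    """True when the address is in none of the networks the account owner normally sends from."""
    addr = ip_address(ip)
    return not any(addr in ip_network(cidr) for cidr in expected_cidrs)


if __name__ == "__main__":
    # Constructed allow-list: the friend's home ISP and office ranges.
    usual_networks = ["192.0.2.0/24", "198.51.100.0/24"]
    print("hops, earliest first:", received_hops(SAMPLE_RAW))
    origin = originating_ip(SAMPLE_RAW)
    print("originating IP:", origin)
    print("unexpected origin:", outside_expected(origin, usual_networks))
```

Only the Received header added by your own provider can be trusted; anything below it was written by the sending side and can say whatever the sender likes, which is why the check stops at the earliest hop rather than believing the From address.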

Were you phished or tabnapped? Attackers manipulate victims into providing valid authentication credentials at fake sites. The best defense is to use bookmarks to avoid typos and to go directly to HTTPS sites where possible.

Did you use the account from an insecure computer or network? It’s so tempting to hop on an open access point at the coffee shop. It’s tempting to use the ‘guest kiosk’ at the hotel while on vacation. You don’t know the hygiene of that computer. You don’t know who is snooping on that coffee bar network.

Is your password really weak? I don’t think webmail providers would allow a lengthy brute-force attack without locking out the account. But if your password is incredibly bad, this could still be a cause.

Was your password used on another service? While blaming the host isn’t my first thought, hosts do get compromised every now and again. There are multiple account/password lists available from server compromises. If you’ve been on a system that was compromised and its password list stolen, and you reuse the same credentials, then you have a problem.

Unfortunately the causes for account compromise aren’t any clearer than the ways to get your mailbox back.   Hopefully this gives some food for thought.

Cyber-Ark Password Vault

We bought Cyber-Ark’s Enterprise Password Vault product last year to provide an enterprise-grade method of protecting passwords. Administrator passwords to corporate systems are essentially corporate assets, and it’s a big hassle when the password is forgotten or held hostage. (No hostage taking here, but I have seen issues caused by forgotten passwords.)

Passwords are often kept in text files or Excel files (hopefully encrypted). Most admins here are using a consumer-grade password safe installed on their local computer. This can have issues in cases of sudden staff turnover or when the passwords aren’t adequately backed up. For Disaster Recovery purposes passwords are stored in a safe in a sealed/signed envelope. There isn’t adequate access control and logging on the use of those passwords.

Cyber-Ark is extremely complicated to implement. It’s so complicated that you really need professional services. Since the product isn’t cheap to begin with, that seemed like an insult. I typically prefer products that are either straightforward enough to work without professional services, or products that once implemented during the evaluation are ready to go. I decided to bypass professional services. Unfortunately, for various reasons the virtual environment we had set up during the evaluation was deleted, so I had to start from scratch. Just over a year after buying the product, I ate crow and purchased four days of professional services. Even now, I find implementing Enterprise Password Vault so complicated that I won’t be getting everything I’d like out of the vault right away. And more $$$ for professional services may be needed.

There is a lot you can do with Cyber-Ark, but it’s better to start out slow. If I think it’s of interest, I’ll blog about what I’m doing as it moves from proof of concept to full implementation.

Cyber-Ark is really expensive and excessively complicated in my opinion.   However, the potential is there to do great things.   I’ve also enjoyed my dealings with sales (now gone from the company), the pre-sales engineer, and professional services.   I only hope I find support as cool when I end up having to work with them.

GPU Bruteforcing

My new computer from Puget Custom Computers arrived via FedEx on Wednesday. I am very happy with my computer and with the service provided by Puget. From my first visit to their website to the pictures they sent of my computer prior to shipping, I’d have to say they are first-class.

I purchased the new computer mainly to perform GPU brute-forcing. The Graphics Processing Unit on video cards can be used quite effectively for some operations. Right now I am using InsidePro’s Extreme GPU Bruteforcer to crack some NTLM hashes. It’s humming along at 1406 million passwords per second. I’m using 3 NVIDIA GeForce GTX 460 video cards. In the last computer I used for the same function I had a single GeForce 8800GT that only operated at 320 million passwords per second.

If my math is right, this means it would have taken about 8 days using my old computer to search the space of 8-character passwords consisting of uppers, lowers and numbers. With the new system it would take 1.8 days.
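The arithmetic behind those two figures is worth having as a reusable calculator, because it also answers the defender's question of what to do about a 4.4x faster cracker. Here is an added example (my own, not from the post or from InsidePro): it computes the keyspace for a character-set size and length, converts it to days at a given guess rate, and compares the post's 62-character, 8-position case with adding a ninth character or adding symbols. The charset sizes and the rates are the ones in the post; the symbol count of 33 (printable ASCII punctuation plus space) is my assumption for the comparison.

```python
# Character-class sizes. Uppers, lowers and numbers are the classes the post searched;
# "symbols" (33 = printable ASCII punctuation plus space) is assumed here for comparison.
CHARSETS = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}

SECONDS_PER_DAY = 86_400

# Guess rates quoted in the post (passwords per second).
OLD_RATE = 320_000_000      # single GeForce 8800GT
NEW_RATE = 1_406_000_000    # three GeForce GTX 460s


def charset_size(*classes: str) -> int:
    """Size of the alphabet built from the named character classes."""
    return sum(CHARSETS[c] for c in classes)


def keyspace(alphabet: int, length: int, all_shorter: bool = False) -> int:
    """Number of candidate passwords.

    With all_shorter=True the count covers lengths 1..length, which is what an incremental
    brute-force run actually walks through; the post's figures are for the exact length.
    """
    if all_shorter:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length


def days_to_exhaust(alphabet: int, length: int, guesses_per_second: float,
                    all_shorter: bool = False) -> float:
    """Worst-case time to try every candidate; on average a hit lands at about half of this."""
    return keyspace(alphabet, length, all_shorter) / guesses_per_second / SECONDS_PER_DAY


def speedup(old_rate: float, new_rate: float) -> float:
    return new_rate / old_rate


if __name__ == "__main__":
    mixed = charset_size("lower", "upper", "digits")          # 62
    with_symbols = charset_size("lower", "upper", "digits", "symbols")  # 95
    print(f"speedup: {speedup(OLD_RATE, NEW_RATE):.1f}x")
    print(f"62^8 on old box: {days_to_exhaust(mixed, 8, OLD_RATE):.1f} days")
    print(f"62^8 on new box: {days_to_exhaust(mixed, 8, NEW_RATE):.1f} days")
    # What the defender controls: the new box against one more character, or more classes.
    print(f"62^9 on new box: {days_to_exhaust(mixed, 9, NEW_RATE):.1f} days")
    print(f"95^8 on new box: {days_to_exhaust(with_symbols, 8, NEW_RATE):.1f} days")
```

The comparison at the end is the practical lesson: one extra character on the same 62-character alphabet multiplies the work by 62, while adding all 33 symbols to an 8-character password multiplies it by roughly 30, so length is the cheaper way to stay ahead of a hardware upgrade.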

Pet Cemetery

Olivia Walch: Pet Password

Thanks for Nothing Google

Yesterday I wrote about the importance of using good passwords because people are trying to brute-force your email and social networking accounts. Today I logged into Gmail and received a dire red-letter message: “your email has been accessed from the United States.”

Upon reviewing the Gmail account activity log, I see access to my account from United States (CA) (204.176.49.44). An IP whois wasn’t very helpful; it’s been registered to Verizon Business/MCI/UUNet. A Google search happened to include reverse DNS in the results, showing me that 204.176.49.44 resolves to host44.tivo.com. After verifying that host44.tivo.com also resolves to 204.176.49.44, I recalled using TiVo to watch some YouTube clips the other night. I used my Google account to log into YouTube from the TiVo. Mystery solved.

Apparently Google’s Gmail tripwire is catching all Google authentications. Either that, or the TiVo took my Google credentials and logged into Gmail as well as YouTube. The timestamp for the authentication doesn’t really line up with when I was watching YouTube. Makes me wonder if this is as innocent as I’d like to believe. Google really should differentiate between email access and authentications to other Google services.
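The two-step lookup done above (reverse DNS on the address, then forward DNS on the returned name to confirm it points back) is called forward-confirmed reverse DNS, and the second step is the one that matters: whoever controls the address block can put any name they like in the PTR record. Here is an added example (my own code, not part of the post) that performs the check with pluggable resolvers so it runs offline; the stub data reproduces the post's observation for 204.176.49.44 / host44.tivo.com and adds a constructed address whose PTR claims a name that does not resolve back to it. With no resolvers passed in, the function uses the system resolver via the socket module.

```python
import socket
from typing import Callable, Dict, List, Optional


def fcrdns_check(ip: str,
                 reverse: Optional[Callable[[str], str]] = None,
                 forward: Optional[Callable[[str], List[str]]] = None) -> Dict[str, object]:
    """Forward-confirmed reverse DNS for one address.

    Resolve ip to its PTR name, resolve that name back to addresses, and report whether ip is
    among them. A PTR alone proves nothing; only the round trip does.
    """
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        ptr = reverse(ip)
    except (OSError, KeyError):          # no PTR record (or, for the stubs, unknown address)
        return {"ip": ip, "ptr": None, "confirmed": False}
    try:
        addrs = forward(ptr)
    except (OSError, KeyError):          # PTR names a host that does not resolve
        addrs = []
    return {"ip": ip, "ptr": ptr, "confirmed": ip in addrs}


# Constructed stub resolvers so the check runs offline.
# The first entry is the address and name from the post; the second is a made-up address whose
# PTR claims a name whose A record points somewhere else entirely.
STUB_PTR = {
    "204.176.49.44": "host44.tivo.com",
    "192.0.2.99": "login.example.com",
}
STUB_A = {
    "host44.tivo.com": ["204.176.49.44"],
    "login.example.com": ["198.51.100.20"],
}


def stub_reverse(addr: str) -> str:
    return STUB_PTR[addr]


def stub_forward(name: str) -> List[str]:
    return STUB_A[name]


if __name__ == "__main__":
    for addr in ("204.176.49.44", "192.0.2.99", "203.0.113.1"):
        print(fcrdns_check(addr, stub_reverse, stub_forward))
```

A confirmed result tells you which organisation's host authenticated, which is what resolved the mystery here; it does not by itself say whether that host should have been holding the credential, which is the question the timestamp mismatch leaves open.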