Headlines

The Password Problem

Washington Navy Yard On Lockdown After Reports Of Shooter

China Behind Massive Government Data Breach

New iCloud Hacking Tool Released

The Password Problem

Posted in: Security Awareness, Threats, Cybersecurity | Comments (0)

12/1/2014 by Holly Gilbert Stowell
Appears In December 2014 Print Issue of Security Management Magazine

The username and password have long been used to guard information, but cybersecurity breaches show just how vulnerable the paradigm is.

In September, attackers breached iCloud accounts belonging to celebrities such as Jennifer Lawrence and posted private photographs of the victims online. In August, news reports circulated of Russian hackers making off with 1.2 billion passwords from 420,000 websites. The Heartbleed virus, discovered in April, exposed private keys and passwords during user sessions. The list of breaches related to username and password theft goes on and on.

According to the 2014 Trustwave Global Security Report, two out of three security breaches in 2013 exploited weak or stolen passwords. Experts call for stronger, varied, and more complex passwords across different accounts, but others suggest doing away with the username password paradigm altogether.

“Usernames and passwords are basically broken from a security and a usability standpoint,” says Jeremy Grant, senior executive advisor for identity management at the National Institute of Standards and Technology (NIST). Grant is in charge of a federal program that is exploring new authentication concepts, called the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Grant says the rules for creating a strong password are too much for any one person to manage across dozens or even hundreds of accounts–using uppercase and lowercase letters, incorporating symbols, and not writing them down, just to name a few. He adds that attackers are increasingly sophisticated at stealing passwords and often use automated machines to crack credentials. “There are so many different ways to execute password-based attacks these days that the notion of such a thing as a ‘secure password’ in the year 2014 just doesn’t make sense,” he tells Security Management.

Instead, says Grant, steering people toward stronger forms of authentication that are more secure, more private, and easier to use is a key focus of the NSTIC program.

Established by a presidential initiative in April 2011, NSTIC was designed to address the problem of insecure credentials for online identification by working with the private sector to develop new standards for identity technology. The program seeks to create a marketplace of solutions for establishing one’s identity and gaining access to services without the traditional username and password, Grant says.

To work more closely with the private sector, NSTIC established the Identity Ecosystem Steering Group—industry professionals who have monthly meetings to talk about the program. Members include representatives from Citigroup, the American Civil Liberties Union, and LexisNexis.

Over the last three years, grants have been awarded to organizations that are trying different authentication methods, including biometrics, secure elements embedded in devices, and one-time-use passwords that are automatically downloaded from an app.

One such pilot program, being conducted by AARP, uses biometric authentication for an app within the company’s website. Another pilot is being conducted by ID.me, an organization that helps affinity groups, such as veterans, prove their identity online. This summer, ID.me worked with the theme park Sea World and the rock bands Kiss and Def Leppard, who all wanted to offer discounted or early ticket sales to veterans. Using grant money from NSTIC, the groups were able to ensure that all purchasers of discounted or early tickets truly were former military members. Grant says that eventually the Department of Veterans Affairs hopes to integrate the same technology within certain applications on its website.

Another pilot launching soon is with Inova Health System, the largest healthcare provider network in Northern Virginia. The company wants to offer patients the ability to access their electronic health records online, but as Grant puts it, the organization’s chief technology officer was “wise enough” to know that a username and password would not provide the necessary security. So Inova is working with the Virginia Department of Motor Vehicles to create a stronger credential that ties in with driver’s license registration. Those registered with the DMV would be able to authenticate themselves in a multistep process using a variety of secure credentials, including their driver’s license number. Grant says the Inova pilot shows potential because it’s “focused on letting citizens reuse the value” of what they went through to get a state-issued identification card.

In September, NSTIC announced the third round of pilot programs, which will award $3 million in grants. Though few details have been released, the official press release notes that the awardees, GSMA, Confym, and MorphoTrust USA, will focus on solutions that use mobile devices for authentication, minimize fraud-based loss, and improve access to state services.

Grant says the problem with online identity has less to do with building the right technology and more with addressing the overarching issues that technology doesn’t answer, such as privacy, liability, and usability. For example, how easy is the technology for consumers to use, and who is liable for a breach in the case of multiple businesses logging onto the same site? “What you’re really dealing with at the end of the day is a bunch of issues that make the technology a secondary barrier to overcome,” he notes.

He adds that NSTIC, as a government initiative, isn’t meant to be a silver bullet to solve the password problem overnight. “At the end of the day it’s a strategy,” Grant says. “It lays out a vision of what this marketplace should look like in a few years.”

Until this strategy is formulated, companies must make do with the current system. Experts advise that the best way to strengthen passwords is to make them only a part of the security solution. “Use multi-factor authentication,” advises Robert Twitchell, president and chief executive officer of Dispersive Technologies. He adds that it’s a good idea to avoid the use of public Wi-Fi hotspots to access your networks and recommends network segmentation. “Having everything the same enables a hacker to reuse techniques,” he notes.

Terrorists Finding Targets in Cyberspace

Since the 1990s, terrorist groups have used the Internet to spread their messages and gain new followers. Over time, they have only grown more sophisticated at leveraging this powerful tool. In the fall of this year, the Islamic State of Iraq and Syria (ISIS) used social media to recruit Western Muslim extremists; U.S. intelligence experts believe that at least a dozen Americans were recruited online and have joined their ranks. The group even hijacked hashtags of popular but unrelated topics on Twitter, such as an August earthquake in Northern California. Their strategy was to ensure that gruesome photos of dead American soldiers and other propaganda would pop up when people searched for “#napaquake.” This same terrorist group has posted videos of the beheadings of two American journalists and a British aid worker on YouTube to threaten and intimidate its enemies.

“They can hide in cyberspace,” said Gabriel Weimann, professor of communication at Haifa University in Israel, during a presentation at the Library of Congress in April. Weimann said terrorists can use the Internet “to reach huge audiences, especially young people…. There’s no way to block them, no way to censor them.”

Research points to the expansion of terrorism in cyberspace. The number of terrorist websites has grown dra- matically in the last decade and a half, up from 12 sites in 1998 to 9,800 sites in December 2013, according to the United States Institute of Peace.

By using the Internet, terrorists no longer need to bring recruits to one physical location. “They can actually go to virtual camps in cyberspace where they’ll find all the guidebooks, including how to prepare various poisons, how to hit planes, how to attack computer networks, how to damage a target with an explosive car, how to build a detonation device,” said Weimann. “It’s all online. They don’t need to go anywhere. They can sit at home and join the cause.”

Terrorism videos are also widely available online, and thousands of results can be found through a simple YouTube search. Hamas even launched its own versions of YouTube, including Aqsa Tube in 2009 and Pal Tube in 2011. These sites have the same look and feel as YouTube, but are strictly dedicated to the terrorists’ cause.

Weimann, who is a fellow at the Woodrow Wilson Center, pointed out that Google Earth, which offers satellite images of the world, has been leveraged to plan and execute attacks, as was the case in the 2008 Mumbai bombing attacks. In that massacre, carried out by Pakistani-based group Lashkar-e-Taiba, each of the terrorists had the distances, directions, and sites on their computers or smart devices so they could attack at the same time, knowing when and where to go.

In his presentation, Weimann also talked about the idea of narrowcasting, in which terrorists target groups based on age, education, demographic, and standard of living. “Instead of one message to all, they are moving now to a very specific and narrowcasting type of propaganda and recruitment online,” he said of the terrorists.

“One example, and perhaps the most alarming, is the targeting of children online,” said Weimann, who points out that children’s shows are often used to send the message of terrorism to a younger audience.

For example, Hamas aired an episode of Pioneers of Tomorrow on Al Asqa in May 2014, which featured a child who said she wanted to become a police officer so she could “shoot Jews.” A giant bumblebee is one of the show’s main characters.

“If you consider that your struggle is a long-term one, you are thinking about educating the next generation of terrorists,” noted Weimann.

Weimann said the lack of regulation on the Internet makes terrorism in cyberspace extremely hard to combat. However, maintaining an awareness of where the terrorists are online and who may be interacting with them is key to stopping them, and U.S. intelligence sources and others are doing this around the world.

There are also online campaigns to dissuade young people from joining the ranks of terror groups. One such video, which Weimann said is likely from a Saudi source, features a suicide bomber wreaking havoc on a busy town square. The name of the campaign is “Say No to Terrorism.”

The State Department’s Center for Strategic Counterterrorism Communication has been active lately in the fight against ISIS, posting lines such as “Think Again, Turn Away” to would-be extremist recruits on Twitter, Tumblr, YouTube, Facebook, and other social media sites.

“We may think of using the same platforms to appeal to the same targeted audiences with different narratives,” Weimann noted. “It is certainly one of the ways to counter terror issues on the Internet.”

H.M. DeBardeleben MSITM @ July 2, 2015

Washington Navy Yard On Lockdown After Reports Of Shooter

Posted in: Security Awareness | Comments (0)

7/2/2015 by Lilly Chapa
​​The Navy Yard in Washington, D.C. was put on lockdown this morning after calls came in around 7:30 a.m. of a shooter on the campus. The naval base is the site of a 2013 shooting that killed 12 employees. A massive police presence surrounded the area, although there has been no evidence of an active shooter. D.C. Fire officials reported that they have not had to transport any victims. ​The lockdown was still in effect as of 10:20 a.m., even after police confirmed that all Navy Yard employees had been accounted for. Police are continuing to investigate the area and have interviewed the employees who initially called emergency services.

Longtime Navy Yard employees compared this morning’s response to the 2013 shooting, according​​ to the Washington Post. ​Jennifer Bennett, who was shot during the incident two years ago, said the response this time around was more efficent. “They locked down the base. . . . They locked down the building,” she said. “They did everything right this time. Reaction was quick.”​​

H.M. DeBardeleben MSITM @ July 2, 2015

China Behind Massive Government Data Breach

Posted in: Security Awareness, Threats, Breaches & Leaks, Security Awareness, Threats, Cyber Attacks | Comments (0)

By Cory Bennett – 07/02/15 10:47 AM EDT
Indications the U.S. government believes China is behind the massive government data breach are piling up.

The FBI warned companies Wednesday night about malicious software that security experts have tied to Chinese hackers, The Daily Beast reported.

The message, known as a “flash” alert, provided technical details about the Sakula malware. It was apparently a resend of an identical memo sent out June 5, the day after the Obama administration first revealed the data breach at the Office of Personnel Management (OPM).
In the alert, the FBI said hackers had recently used Sakula to steal “sensitive business information and personally identifiable information,” which would include names, dates of birth, and Social Security numbers.

Such data, the alert said, was a “priority target” for the cyberattackers.

Sakula is the malware of choice for a prominent Chinese hacking group that has targeted many U.S. businesses. It’s also the malware that was behind the mammoth data breaches at health insurers Anthem and Premera Blue Cross.

Security firms had previously tied the cyberattacks on both health insurers to the crippling hacks at the OPM, which have likely exposed well over 18 million current and former government employees’ sensitive information.

But Wednesday’s memo is further evidence the government also thinks the incidents are linked. While the government has not publicly blamed China, Director of National Intelligence James Clapper has called China the “leading suspect” in the OPM breach.

It’s believed Chinese hackers were targeting the health insurers and the OPM as part of a cyber espionage scheme to build a comprehensive database on U.S. federal workers.

Sensitive information on government employees can be used to stage future cyberattacks, digitally imitate or blackmail officials, or even to recruit informants.

H.M. DeBardeleben MSITM @ July 2, 2015

New iCloud Hacking Tool Released

Posted in: Security Awareness, Threats, Hacks, Security Awareness, Security Awareness, Threats | Comments Off on New iCloud Hacking Tool Released

A new hacking tool called iDict has been made available online. iDict is designed to perform brute force dictionary attacks against Apple’s iCloud service.

Fortunately, iDict’s capabilities are limited by the size of the dictionary it uses to guess your password. So you’re really only in danger if your password is on the 500-word-long list included with the hacker tool.

The key takeaway here is that you should always use strong passwords. For those who don’t know a strong password:

  • Is at least eight characters long.

  • Does not contain your user name, real name, or company name.

  • Does not contain a complete word.

  • Is significantly different from previous passwords.

  • Contains characters from each of the following four categories:

 

Uppercase letters

A, B, C

Lowercase letters

a, b, c

Numbers

0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces

` ~ ! @ # $ % ^ & * ( ) _ – + = { } [ ] \ | : ; ” ‘ < > , . ? /

H.M. DeBardeleben MSITM @ January 3, 2015