Language Selection

English French German Italian Portuguese Spanish

Voluntary Disclosure Is the Threat to Password Security

Filed under
Security

Computers can remember complex bits of data effortlessly, but people routinely fumble that task. Naturally, one of the big trends in computing security is making users memorize complex passwords -- then regularly wipe those from their memory in favor of equally obscure replacements.

To judge from the stern advice handed out by banks, Internet providers and information technology departments -- often, I suspect, after prodding by accounting departments and liability lawyers who don't want to be blamed for a security breach -- computer security hinges almost entirely on you choosing a string of letters, numbers and symbols in an order that has no correlation to any word or phrase that has ever been spoken or written in English or any other language.

That's fiction. First, while avoiding obvious passwords still constitutes a common-sense defense, that won't stop most password theft attempts these days. Second, forcing people to choose the most obscure passwords possible, then choose new ones every few months, is more likely to grease the skids for a successful compromise of those users' accounts.

This is because passwords aren't stolen in ways you might expect; a bad guy doesn't sit down in front of your computer and start typing in guess after guess until he succeeds. In the real world, accounts are usually cracked in two ways -- only one of which can be slowed or stopped by the use of a sufficiently inscrutable password.

One is to get access to the computer that stores users' login info. If the master password file stored on that machine is encrypted -- it should be, but sometimes is not -- the attacker then runs a password-cracking program to break that encoding. Otherwise, he or she can read the file as-is.

The other method relies on someone surrendering a password voluntarily. For example, an attacker can hide a program on a victim's computer to record each tap of the keyboard -- often by exploiting an old, long-since-patched vulnerability in Windows or by hiding the "keystroke logger" in a tempting download.

Or the attacker can just ask nicely for the password -- what's called "social engineering." The victims can be technical staff at a bank or an Internet provider who get a call from somebody claiming to be a colleague elsewhere in the company. Or the victims can be individual users who receive "phishing" e-mails imploring them to verify their account information by clicking on a link to a phony Web site done up to appear like that of a trusted institution.

The quality of a password matters only against the first type of attack -- the brute-force, code-breaking assault, which will hit pay dirt more quickly if stored passwords appear in dictionaries.

That's why security experts tell password creators to avoid using real words or names, even when altered by substituting letters with similar-looking numbers or symbols (for example, replacing "i" with "!" or "1"). One common suggestion is to use words only as ingredients -- say, by combining the first letters of names of friends or titles of favorite books.
But if an attacker employs keystroke logging or social engineering, it doesn't matter whether your password is "password" or "92nkkcx-j1!" Even the most inscrutable login offers no defense against those tactics -- which are what most attackers seem to employ these days.

"If you go back 10 years ago, password cracking was the way to do things," said Marty Lindner, a senior member of the technical staff at the CERT Coordination Center, the network-security center founded at Carnegie Mellon University in 1988. Now, however, he said that phishing and other social engineering attacks are "far more prevalent, far more devastating than anything else."

Granted, getting actual numbers on how people's accounts were broken into is difficult -- few institutions want to discuss how some teenage hacker managed to own them. But there's no arguing that phishing and spyware attacks are only getting worse, and understandably so; why should an Internet con artist waste time mastering password-cracking routines when there are smoother roads into the bank vault?

And yet too many companies seem content to rely on password Puritanism as their response. Sometimes it's just silly -- for example, when some newspaper sites force readers to choose passwords with at least one number.

But more often, it's self-defeating. When users are pushed to remember too-obscure passwords, they'll start writing them down on Post-It notes stuck to a monitor or (worse yet) start reusing passwords among multiple high-value accounts. Worst of all is the policy of some companies and financial institutions to require users to change passwords every 30 or 90 days.

Not only do those periods still offer more than enough time for a minimally competent hacker to swipe an account login, the regular changing of passwords can easily soften up people for social engineering attacks.

Think of what happens every time a user must change a password -- or inevitably forgets the login of the month or the quarter: They'll have to go to a Web page or call up a help desk to get the password reset. That interaction represents a regularly scheduled opportunity for an attacker to try to step in and impersonate either party.

A few weeks ago, confronted by an obscure Web-mail login subject to one of these inane password-expiration rules, I called the support number listed on that site to have my password reset. (No, I won't name the firm involved). I expected to have the new login e-mailed to me -- but instead the helpful fellow on the other end of the line just read it to me over the phone, making no attempt to verify my identity.

If I'd been interested in stealing access to somebody else's account, I could have had a lot of fun. Instead, I could only wonder why we keep wasting our time with these illusory measures.
There are real problems with network security these days. But treating customers as if they were reprogrammable robots won't solve any of them.

By Rob Pegoraro.

More in Tux Machines

Fedora: Fedora + Plasma + Unity, Design Interns, and New ISO Build

  • Fedora + Plasma + Unity = Nice looks?
    Hybrid things aren't usually the best option around. Like hybrid cars, for example. Technically, when you marry concepts, you change the energy state, and while this could make sense in that you blend the best of several worlds, when this is done in a forced manner over a short period of time rather than eons of evolution, you end with the worst bits as the product of your mutation. I read about the United theme for Plasma a few months ago, and given that I've spent a fair deal of time fiddling with themes and icons and fonts and making different desktop environments look prettier than their defaults, I was intrigued. So I decided to see whether the notion of having Plasma look like Unity is a sane option. Let us.  Fedora + Plasma + Unity = Nice looks? [...] What is thy point, Vanessa, the astute among you may ask? Well, I have nothing against United or its creators, but I did come to the conclusion that too much tweaking is worse than no tweaking, if this statement makes sense. I like the notion of trying to overcome the inherent problems in each desktop through the use of themes and extensions. After all, I've been doing that profusely for the past few months. But it gets undone when you cross the desktop environment space. Making Gnome better yes. Making Plasma better, absolutely. Unity as an overlay for Plasma, well tricky. There's too much disparity for you to be able to hide the underlying workflow mechanisms and UI philosophies. Then, every little inconsistency glares. You notice things you do not expect, and you get angry because there are certain things you do expect. Some transformations work quite well because they build on the foundations, e.g. various Gnome panels or Macbuntu. But Plasma has its own special charm and flow and making it into a weird version of Unity, which itself is a weird version of Gnome misses the bigger picture. And so, if you're asking me, Plasma and Unity are two separate worlds, best enjoyed in isolation. United is an interesting notion, but it also signifies the upper limit for my own wild ideas and tweaking. Yes, you can make it work, then again, it means taking away from the beauty and style of what these two desktops do, and that's not the purpose of my pimping guides. So we shall stop here, and explore other colors and shapes. Have fun, little penguins.
  • Fedora Design Interns 2017
    Here’s an update on internships. Older post linked to here. Quick recap: there’s been 2 long-term interns for Fedora design team since February, and one short-term guy, who came for 2 weeks at the beginning of June. Guys have been doing an amazing job, I can’t stress enough how happy I am to have them around.
  • F26-20170815 Updated ISOs released

today's howtos

Security: Hardware Back Doors, Microsoft Windows, Kronos

  • Hiding malware in boobytrapped replacement screens would undetectably compromise your mobile device
     

    On the one hand, if you let an untrusted stranger install hardware in your electronic device, you're opening yourself up to all kinds of potential mischief; on the other hand, an estimated one in five smartphones has a cracked screen and the easiest, most efficient and cheapest way to get that fixed is to go to your corner repair-shop.  

  • How hackers {sic} are targeting the shipping industry [iophk: "Microsoft TCO"]
     

    Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number.  

  • Locky ransomware is back from the dead with two new strains [iophk: "Windows TCO"]
     

    What hasn't changed, though, is the method of distribution.Rather than rifling through the trove of spilt US National Security Agency exploits, as the groups behind WannaCry and NotPetya did, Locky is distributed via phishing emails containing malicious Microsoft Office files or zipped attachments containing a malicious script.

  • Connected cars could have an airbag problem
     

    "It's not the car manufacturers' fault, and it's not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works," added Trend.

    [...] To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles."

  • Code chunk in Kronos malware used long before MalwareTech published it
    A chunk of code found in the Kronos bank-fraud malware originated more than six years before security researcher Marcus Hutchins is accused of developing the underlying code, a fellow security researcher said Friday. The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes, by no means proves or disproves federal prosecutors' allegations that Hutchins wrote Kronos code and played a role in the sale of the malware. It does, however, clarify speculation over a Tweet from January 2015, in which MalwareTech—the online handle Hutchins used—complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.
  • Secret chips in replacement parts can completely hijack your phone’s security
    People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

Ubuntu: Themes and Icons, MAAS, Podcast and More

  • Some interesting Ubuntu themes and icons
    Well, I guess there isn't much to say. If you like the stock looks, ignore this article. If you find the defaults not colorful or fun enough, or you just plain like tweaking, then you might want to consider some of the stuff I've outlined here. My taste is subjective, of course, but then, I aim for simple, clean designs and pleasing art work. Overall, you have a plenty of good options here. More icons than themes. Vimix or Arc seem like neat choices for the latter, and among the sea of icons, Moka, Numix and Uniform seem to do a great job. And of course, Macbuntu. I wish there were more monochrome or accented icons, but that's something I still haven't found. Anyhow, I hope you like this silly little piece. If you have suggestions, please send them, just remember my aesthetics criteria - simplicity of installation, clean lines, no gradients, no bugs. That would be all for today, fellas.
  • 7 of the Best Icon Themes for Ubuntu
    On a hunt to find the best icon themes for Ubuntu? Well, you’ve come to the right post place! In this post we will show you some of the best icon themes for Ubuntu, ranging from modern, flat icon sets, to a circular icon pack carrying a colourful twist. Oh, and as this article is constantly updated you don’t need to fret about any of the links or information being out of date. Feel free to bookmark this list for future reference, or share it on social media.
  • MAAS Development Summary – August 18th, 2017
  • S10E24 – Fierce Hurried Start
  • conjure-up dev summary: aws native integration, vsphere <3, and ADDONS