DANGER! All your passwords belong to us..

[ShyWriter]

.
All your passwords belong to us

 

Summary: Password hacks and new cracker tools surfaced this week to reinforce passwords are indeed sitting ducks. Will anything be done about it?

 

By John Fontana for Identity Matters |
August 29, 2013 -- 21:03 GMT (14:03 PDT)

I think I detected a discernible sigh of relief this week from billions of Internet users with 56-character passwords.

 

I could be wrong. Likely I am.

 

People try all sorts of crazy things to manage passwords, but 55 character strings are not anywhere near the top of the list.

 

This week has been another example of the hacker blitz on passwords; leading off with the password-cracker program oclHashcat-plus, which was infused with upgrades that allow it to break passwords as long as 55 characters. 

 

Talk about bringing down barriers to entry. Perhaps the last of our defenses are gone. And by the way, oclHashcat-plus is a free download if you're looking for a cheap and sinister hobby.
 

I've argued for a while now that it's the infrastructure that needs to change more so than the tired password system. Users need to understand the value of their personal data and they need to take steps to protect it. Why? Because the bad guys are actively after it.

 

It was a phished password that brought down the New York Times this week. But it wasn't a password that belonged to someone at the newspaper. The password was spear phished out of an Australian DNS registrar by the Syrian Electronic Army and used to poison DNS records and direct traffic away from nytimes.com.

 

Security firm Sophos reported an attack going on this week trying to get Gmail users to click on a Google Docs link in order to see a "secure document" from their banking institution.

 

Not to pick only on Google users, the page said it would accept Google credentials, as well as, Yahoo, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account.

 

The ultimate target was passwords.

 

Also this week, a new mobile Trojan is creating havoc for online mobile banking customers who use two-factor authentication. Called Perkele, it infects your PC or laptop along with your mobile device to steal two-factor passcodes sent to the mobile devices.

Victims are being duped by text message or email to open malicious links or attacked via drive-by downloads. Versafe, which discovered Perkele, told the Bankinfo Security web site that "banking institutions have to build security into their mobile and online banking platforms that goes beyond authenticating the user."

 

What do hackers do with stolen passwords. Those pilfered in large chunks are used, among other ways, to update rainbow tables, which progressively makes it easier to crack additional stolen passwords.

 

Once the passwords are cracked, email addresses coupled with stolen passwords are the two ingredients in spear phishing attacks (see: New York Times). In addition, those email/password combinations are loaded into a program and run against other websites. Ones where end-users may have reused the password.

 

This lingering password problem has been a tough issue to fix, especially given that the weak link in the chain, end-users, are reluctant to change their behavior, and the fact hackers  are becoming more sophisticated. 

 

Two-factor authentication has been dominating the news as a solution, but Perkele begins to show its vulnerabilities. What else can be done? Where do researchers, vendors and others begin to look for answers?

 

/Steve

[AdvancedSetup]

These are dictionary attacks, not brute force attacks.  Though in time even that probably won't matter but for now as long as its not in a dictionary and the attacker doesn't have access to the hash then much of this is just scare tactics.

[ShyWriter]

These are dictionary attacks, not brute force attacks.  Though in time even that probably won't matter but for now as long as its not in a dictionary and the attacker doesn't have access to the hash then much of this is just scare tactics.

 

Most hackers (at least the password hacker kind) build custom dictionaries that far exceed normal the normal dictionaries used in dictionary attacks. I ran across an article a month or so ago that I should have published here. Three "password crackers" did a VERY remarkable job on a password file that was encrypted and included all numbers, letters (U&L-case), all punctuation marks and special symbols as well as the umlauts and other special accent markings. The password file was even "salted" and still hacked.. If I can run across it again I will post it. 

 

Steve

[AdvancedSetup]

Yes but those are often due to the specific file hash being attacked.  Just saying that these type of articles are more so for creating panic than anything else.