Some of it may be hype. But no matter if 500 million, 1.5 billion or even 3.5 billion passwords have been lost, as yesterday's report by Hold Security states, given all the password leaks we have had over the last couple of years it is pretty fair to assume that at least one of your passwords has been compromised at some point. [1] Yes, we have talked about this many times, but sadly it doesn't seem to get old. So what next? Passwords have certainly been shown to "not work" to authenticate users. But being cheap, they are still used by most websites (including this one, but we do offer a 2-factor option). For web sites:
For users:
That's at least what I can come up with while sipping on my first cup of coffee for the day.

[1] http://www.holdsecurity.com/news/cybervor-breach/

Johannes, ISC Handler, Aug 6th 2014
If the issue is SQL injection grabbing usernames and passwords (or password hashes):
Website owners need to use better password hashing. Too many sites use one round of MD5 (no, really, they do). Users need unique passwords per website, so if one website stores plain text or uses weak hashing then other sites aren't compromised. Users need a password complex enough that an aggressive dictionary attack won't try it (estimates vary from 11 to 12 random characters, but 16 should be fine). This means that even if they can steal the password hash, they can't reasonably get the password to log in from the hash. With SQL injection they may be able to reset passwords they can't guess, but then all bets are off, and nothing the user can do will necessarily help (they might even be able to disable 2FA on the account record at that point if 2FA is not mandatory). Probably everyone needs to do more security testing, but most sites taking money should have routine testing that might detect some SQL injection issues due to PCI compliance requirements.
Anonymous, Aug 6th 2014
I call bull. An unknown group who, around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie.
These guys don't even have a name, and don't release any details about the hack, not even website names. This sounds like a group that's trying to establish cred or is just outright trolling.
Darron Wyke, Aug 6th 2014
Is there a bank or credit card company that implements two-factor authentication? None of mine does.
Perhaps there is a regulation or something that makes it easier for banks to stay with whatever they have than implement a two-factor option? The "it ain't broke" rule? My preference is to tell banks, credit card companies, and other finance organizations that they may NOT use the word "secure" or its synonyms on their web site anywhere at any time unless they offer a standards-based two factor authentication method. They can continue doing business without using the word secure if they want, or they can implement two-factor. Anyone know how to get banks to take this seriously? |
Terry, Aug 6th 2014
For web sites the questions to ask should be:
- Do you really, really need the users to log in? E.g. most blogs on the net manage just fine without needing the user to log in, so why would the ISC site need users to log in just to leave a comment?
- Do you really, really need to give the user a password? Either the user uses a trivial/standard password, which should be avoided/discouraged, or the user will probably have forgotten their password when trying to log in again and will therefore need to use a password recovery mechanism. Therefore it makes no sense to give (or allow the user to choose) a password. Let the user enter a mail address and send a login link (the one that would otherwise have been in the recovery mail). (If the user starts on a desktop but checks mail on a mobile device, the desktop should be offered to be logged in.)
Anonymous, Aug 6th 2014
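The "send a login link instead of a password" flow from the comment above, as an added example that is not part of the original post or of the ISC site's code. The class name, the 15 minute lifetime, the hypothetical `https://example.invalid/login` URL and the injectable clock are all assumptions made for the example. The security-relevant choice it shows is that only a SHA-256 hash of each token is stored, so a dump of the table (the SQL injection case discussed elsewhere in this thread) does not hand the attacker live login links, and that each link is single-use and expires.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a login link


class LoginLinkStore:
    """Issues and redeems single-use, expiring login links (example code).

    The random token is only ever sent to the user; the table holds its
    hash, so a leaked table cannot be replayed as a set of valid links.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # token_hash -> {"email", "expires", "origin_session"}
        self._pending: Dict[str, dict] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Lookup key only; the token is 256 bits of randomness, so a plain
        # hash (no salt, no work factor) is enough here, unlike for passwords.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, origin_session: str) -> str:
        """Create a link for `email`; remember which browser session asked for it."""
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = {
            "email": email,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "origin_session": origin_session,
        }
        # Hypothetical URL; in practice this goes into the e-mail body.
        return f"https://example.invalid/login?token={token}"

    def redeem(self, token: str) -> Optional[dict]:
        """Consume the token. Returns who to log in, or None if invalid/expired/used."""
        entry = self._pending.pop(self._hash(token), None)  # pop => single use
        if entry is None or self._clock() > entry["expires"]:
            return None
        # Returning the originating session lets the app log in the desktop
        # that requested the link even when the link is opened on a phone.
        return {"email": entry["email"], "login_session": entry["origin_session"]}


if __name__ == "__main__":
    store = LoginLinkStore()
    link = store.issue("user@example.invalid", "desktop-session-1")
    print("mail this:", link)
    tok = link.split("token=", 1)[1]
    print("first redeem :", store.redeem(tok))
    print("second redeem:", store.redeem(tok))  # None: already used
```

One caveat the commenter's desktop/mobile convenience introduces: if the desktop session that requested the link is logged in automatically when the link is clicked elsewhere, anyone can type a victim's address on their own machine and wait for the victim to click. The page the link opens should therefore ask the clicking user to confirm before the originating session is upgraded, or simply log in only the device that clicked.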
What I find odd about this breach is the number of domains (>400k) and close to a billion passwords. Your reference to the Target breach as an example: >40 million in one "swipe". If this is true, then I would say they breached a domain registrar company at some level. If that is the case, then "Houston, we have a problem".
As one poster stated, there is as yet no confirmed data on major sites, just a vacuum. Read nothing on Krebs (who was on top of the Target breach), nothing on FierceITSecurity (good article on Heartbleed and Backoff) and other sites I visit. I am scratching, but no "odor" is coming up...
ICI2Eye, Aug 6th 2014
About password hashing, the most critical thing most site owners forget to do is strong salting. For each one of your users, and preferably each time you generate or update a password, you want to create a long, unique, random salt string. And then yes, do use strong hashing, preferably sha512.
These guys have good write-ups and frameworks for password hashing: http://www.openwall.com/phpass/
ChrisHolland, Aug 6th 2014
Quoting Darron Wyke: "I call bull. An unknown group, who around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie."

You can always question each individual report of a potential breach. There is little doubt that for every password loss that has been peppered through the news, there were 100 that we never learned about. Possibly the site that was compromised didn't even learn about it yet. So it's a great idea to assume at least one of your passwords was already lost.

Stronger hashing could help, but it's not entirely a solution, either; store your passwords using bcrypt and a high work factor, or PBKDF2 and lots of rounds, and then: encrypt your hashes with a key stored in a different system, e.g. load the decrypt key into RAM from a file on a special NFS mount which must be disconnected during boot, before the server can connect to the internet. Make your "authentication service" a separate program running on a separate server which sanity-checks inputs from your frontend server sent in simple ASCII; don't consume the user SQL database directly with SQL code on the frontend server.
Mysid, Aug 6th 2014
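The three storage points raised in this thread (the unsalted single-round MD5 that the first commenter complains about, ChrisHolland's per-user random salt, and Mysid's slow hash plus a key held on another system), as one added example. This is example code, not the ISC site's or any commenter's own; the `PEPPER_KEY` constant stands in for a key that in practice is loaded from outside the database, the iteration count is an assumption to be tuned per machine, and a keyed HMAC over the derived key is used as the stand-in for the "encrypt your hashes" step Mysid describes. The weak scheme is kept alongside so the difference is visible: two users with the same password get the same MD5 and a wordlist recovers it in microseconds, while the salted PBKDF2 records differ and each guess costs a full derivation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Assumed secret that lives outside the user database (separate host, HSM,
# or a file only readable at boot) so a SQL injection dump does not include it.
PEPPER_KEY = b"example-pepper-key-loaded-from-another-system"

# Assumed work factor; pick the largest value that keeps a login ~100 ms.
PBKDF2_ITERATIONS = 600_000


def weak_md5_record(password: str) -> str:
    """What the thread warns about: one round of MD5, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak_md5(md5_hex: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack on the weak scheme: one cheap hash per guess."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == md5_hex:
            return guess
    return None


def strong_record(password: str) -> Dict[str, object]:
    """Per-user random salt + PBKDF2-HMAC-SHA256 + keyed 'pepper' over the result."""
    salt = secrets.token_bytes(16)                      # unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Stand-in for "encrypt the hash with a key stored elsewhere": without
    # PEPPER_KEY an offline attacker cannot even test guesses against `tag`.
    tag = hmac.new(PEPPER_KEY, dk, "sha256").digest()
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "tag": tag.hex()}


def verify_strong(record: Dict[str, object], password: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(record["iterations"]))
    tag = hmac.new(PEPPER_KEY, dk, "sha256").digest()
    return hmac.compare_digest(tag, bytes.fromhex(str(record["tag"])))


if __name__ == "__main__":
    wordlist = ["letmein", "qwerty", "password1"]       # constructed sample list
    h = weak_md5_record("password1")
    print("weak md5 of 'password1' recovered as:", crack_weak_md5(h, wordlist))
    print("two users, same password, same md5:", h == weak_md5_record("password1"))

    r1, r2 = strong_record("password1"), strong_record("password1")
    print("two users, same password, same tag :", r1["tag"] == r2["tag"])
    print("verify correct:", verify_strong(r1, "password1"), "wrong:", verify_strong(r1, "password2"))
```

The pepper does not replace the slow hash: if the key leaks along with the table, the attacker is back to brute-forcing PBKDF2, which is why the work factor still matters. Storing the iteration count in each record lets you raise it over time and re-hash users on their next successful login.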
Quoting Terry: "Is there a bank or credit card company that implements two-factor authentication? None of mine does."

It's irrelevant, at least in the US. Banks (and many companies) only care about compliance and peer performance. If everyone is doing the same thing and it meets "government standards", even if it's poor, you will not be found negligent. And that is all that matters. The feds do not require that banks have two-factor authentication, just "multi-factor", and the two are not the same. Requiring two passwords is not compliant, but requiring one password and device fingerprinting meets the multi-factor requirement even though the device fingerprint is effectively a non-changing password.
Anonymous, Aug 6th 2014
In other words, to get banks to use real two-factor authentication, including at least one non-reusable password, there must be a change in bank regulations. So who can get the regulators to fix that?
Terry, Aug 6th 2014
I see Krebs has now acknowledged the breach.
https://krebsonsecurity.com/ Still no data though, but given they want you to register to see where you stand, time to spin up the proxy and encrypted email to see if we are on the list. If so, with these numbers, even though I have a separate password with complex strings, and they have breached all 6, it does not matter, does it?
ICI2Eye, Aug 6th 2014
I think the news story is pure hysterical hype (just like the recycled USB vuln tripe of two days before), but the underlying issue is still in scope for an ISC Diary entry. My small-ish regional bank uses a form of two-factor authentication. After typing username and password, an automated dialer calls a phone number already on record with a random-ish PIN that is required to complete the process. Yes, it's crude, and I can think of several possible ways to beat it, depending on whether and how the system exposes the PIN and/or the phone number, but at least it uses a second channel.

Regarding steps that must be taken by web sites, you skipped the most rudimentary one. There are still any number of sites I log into (including some surprisingly prominent names) that allow a low maximum number (as few as 6) of password characters, allow only 2 character types, or commit both cardinal sins. There might actually be benefit to relaxing some of the traditional "best practice" rules. For example, I regard the restrictions on similar passwords or time factors on reuse to be failed and futile attempts to substitute control over less important aspects of user behavior for control of more important aspects. Such attempts just annoy the user and result in greater efforts to circumvent policy.
ICI2Eye, Aug 6th 2014
Some banks offer it, some do not (yet).
Excellent and updated lists of both banking and non-banking sites and their two factor authentication status:
http://twofactorauth.org/
http://evanhahn.com/2fa/
flink, Aug 7th 2014
Quoting ICI2Eye: "I see Krebs is now acknowledged the breach."

Registered... no response to access the list... From another security site: Of course, today Google said it was going to INCREASE the crypto on sites and their spiders. Gee, thanks Google. Once again, from where I sit, the more pieces of the pie they get into, the less they care about the ingredients for it.

The use of botnets by cybercriminals to steal credentials is on the rise, Gaffan tells FierceITSecurity. A disturbing 61.5 percent of all web traffic now comes from bots, and botnet activity has soared 240 percent in the last year, according to Incapsula data. Search engine bots are being used by cybercriminals to carry out web attacks. "Criminals are disguising themselves as Googlebot, so you presume it's a legitimate search of your site to index it. But it turns out the attackers are posing as Googlebot, and they are using this as a technique to get into sites. Web masters are terrified of blocking Googlebot because their rankings will plummet," Gaffan says. Once the attackers get into sites, they launch SQL injection attacks, cross-site scripting attacks, or insert malware through backdoors. They can then carry out distributed denial of service (DDoS) attacks, send spam, steal content and engage in other nefarious activities. The report about the Russian crime syndicate "looks a lot like that, where thieves are increasingly automating their attacks using bots," Gaffan says. Incapsula recently conducted a study that found around 4 percent of bots using the Googlebot's user agent, or ID, are fake. A whopping 66 percent of fake Googlebots are used to carry out DDoS attacks. Attackers will go after "anybody and everybody ... The thing about using bots is the whole thing is automated, so they don't care who they're going after," Gaffan concludes.
ICI2Eye, Aug 7th 2014