Verizon has released its 2014 Data Breach Report, which classifies incidents into 9 attack patterns, each with its own section broken down by industry. The 60-page report provides some interesting and well-illustrated statistics; for example, servers are still the primary target because actors know that is where the data is likely to be. It isn't really a surprise, then, that the findings "plainly show that attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade."[3]

The report can be downloaded here.

[1] http://www.verizonenterprise.com/DBIR/2014/
[2] http://www.verizonenterprise.com/DBIR/gfx/chart.png
[3] http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I recently had the opportunity to look at a sample of key-logged passwords collected from compromised machines over a period of 4 years. I wanted to share some of the takeaways, since I'm not comfortable sharing too many of the details.

From a collection of website credentials stolen by key-logger software I observed three common, trivially predictable patterns. The first was use of the term "password" slightly modified, for example Pa55w0rd, PaSsW0rd, etc. The second was the use of a name followed by a 1, for example elizabeth1. The surprise pattern, and the most common in the sample I got to look at, involved the name of the site with 123 tacked on the end, for example isc123.

From a collection of remote-access passwords (shell, RDP, etc.) the usual suspects were admin/administrator (in various languages: administrador, administrateur), various permutations of "password," and sequential digits of varying lengths (e.g. 1234, like your suitcase).

In these samples, the source was a plain-text exposure, so it really didn't matter how complex or secure the passwords were, since they were captured in the clear. However, this gives us insight into how much effort is required to extract passwords when hashed credentials are exposed. It also explains why brute-forcing remote-access credentials is still profitable.

  • As a user, you should avoid using these quick, throwaway passwords.
  • As a website owner, you should not allow passwords ending in 1 or 123; that's a pretty simple filter to implement.
  • As a network owner, you should be brute-forcing your own access credentials using a short hit-list.
  • As an ISC Handler, you should practice what you preach.
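As an added example (not part of the diary), here is a Python filter that rejects the patterns described above: leet-speak "password" variants, a name followed by 1, the site name with 123 tacked on, sequential digits, and a short hit-list of remote-access defaults that a network owner could also use to audit their own credentials. The hit-list contents and the sample credentials are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed hit-list of the remote-access defaults the diary mentions
# (admin/administrator in several languages plus "password" permutations).
REMOTE_ACCESS_HITLIST = {
    "admin", "administrator", "administrador", "administrateur",
    "root", "password", "pa55w0rd", "passw0rd", "p@ssword",
}

# Undo the digit/symbol-for-letter substitutions seen in Pa55w0rd and PaSsW0rd.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lowercase and strip leet substitutions so Pa55w0rd becomes password."""
    return pw.lower().translate(LEET)


def weak_pattern(password: str, site_name: str = "") -> Optional[str]:
    """Return the trivially predictable pattern a password matches, or None."""
    norm = normalize(password)
    if password.endswith("123"):                  # isc123, and anything else ending in 123
        return "ends-with-123"
    if re.fullmatch(r"[A-Za-z]+1", password):     # elizabeth1: a name followed by a 1
        return "name-plus-1"
    if "password" in norm:                        # Pa55w0rd, PaSsW0rd, MyP@ssword
        return "password-variant"
    if site_name and norm.startswith(site_name.lower()):
        return "site-name"                        # the site's own name as the prefix
    if password.isdigit() and len(password) >= 3 and password in "0123456789" * 2:
        return "sequential-digits"                # 1234, like your suitcase
    if norm in REMOTE_ACCESS_HITLIST:             # also catches 4dmin -> admin
        return "default-credential"
    return None


def audit(credentials: List[Tuple[str, str]], site_name: str = "") -> List[Tuple[str, str, str]]:
    """Run the filter over (username, password) pairs and return the weak ones."""
    hits = []
    for user, pw in credentials:
        pattern = weak_pattern(pw, site_name)
        if pattern:
            hits.append((user, pw, pattern))
    return hits


if __name__ == "__main__":
    # Constructed sample; none of these are real credentials.
    sample = [("bob", "isc123"), ("eve", "elizabeth1"), ("ops", "Pa55w0rd"),
              ("svc", "1234"), ("adm", "administrateur"), ("alice", "Tr0ub4dor&3")]
    for user, pw, pattern in audit(sample, site_name="isc"):
        print(f"{user}: '{pw}' rejected ({pattern})")
```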


Infosec survey points to rise in attacks on IT infrastructure
HP conducted a survey at Infosec this week, to judge how those present felt about IT security in general – and the message is that the majority are seeing an increase in malicious activity targeting their servers. Across 150 attendees which HP talked ...

Facebook's Anonymous Login is designed to create scarcity in the user data market, which increases the value of that data, and forces more small companies to get that data through Facebook's ad network, rather than from the users directly.
A recent White House report on big data wonders aloud about the capability of sensors and smart meters to turn homes into fish tanks, completely transparent to marketers, police -- and criminals.