Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Last month the biggest security news in the mainstream press was about the password (hash) breaches at LinkedIn, eHarmony, and last.fm. Last week, it was a bunch of passwords that were leaked via a Yahoo! service. These passwords were for a particular Yahoo! service, but the e-mail addresses being used were for quite a few domains. There has been some discussion of whether, for example, the passwords for Google accounts were also exposed. The short answer is, if the user committed one of the cardinal sins of passwords and reused the same one for multiple accounts, then, yes, some Google (or other) passwords may also have been exposed. Having said all of that, that isn't primarily what I wanted to look at today. I also don't plan to spend too much time on the password policy (or lack thereof) or the fact that the passwords were apparently stored in the clear, both of which most security folks would probably agree are bad ideas.
The domains
First, I did a quick analysis of the domains. I should note that some of the e-mail addresses were clearly invalid (misspelled domains, etc.). There were a total of 35008 domains represented. The top 20 domains (after converting all to lower case) are shown in the table below.

137559 yahoo.com
106873 gmail.com
55148 hotmail.com
25521 aol.com
8536 comcast.net
6395 msn.com
5193 sbcglobal.net
4313 live.com
3029 verizon.net
2847 bellsouth.net
2260 cox.net
2133 yahoo.co.in
2077 ymail.com
2028 hotmail.co.uk
1943 earthlink.net
1828 yahoo.co.uk
1611 aim.com
1436 charter.net
1372 att.net
1146 mac.com

The passwords
I saw an interesting analysis of the eHarmony passwords by Mike Kelly at the Trustwave SpiderLabs blog and thought I'd do a similar analysis of the Yahoo! passwords (and I didn't even need to crack them myself, since the Yahoo! ones were posted in the clear). I pulled out my trusty install of pipal and went to work. As an aside, pipal is an interesting tool for those of you that haven't tried it. As I was preparing this diary, I noted that Mike says the Trustwave folks used PTJ, so I may have to take a look at that one, too.
The first thing to note is that of the 442,836 passwords, there were 342,508 unique passwords, so over 100,000 of them were duplicates.
Looking at the top 10 passwords and the top 10 base words, we note that some of the worst possible passwords are right there at the top of the list. 123456 and password are always among the first passwords that the bad guys guess because for some reason we haven't trained our users well enough to get them to stop using them. It is interesting to note that the base words in the eHarmony list seemed to be somewhat related to the purpose of the site (e.g., love, sex, luv, ...); I'm not sure what the significance of ninja, sunshine, or princess is in the list below.

Top 10 passwords

123456 = 1667 (0.38%)
password = 780 (0.18%)
welcome = 437 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Top 10 base words

password = 1374 (0.31%)
welcome = 535 (0.12%)
qwerty = 464 (0.1%)
monkey = 430 (0.1%)
jesus = 429 (0.1%)
love = 421 (0.1%)
money = 407 (0.09%)
freedom = 385 (0.09%)
ninja = 380 (0.09%)
sunshine = 367 (0.08%)

Next, I looked at the lengths of the passwords. They ranged from 1 (117 users) to 30 (2 users). Who thought allowing 1 character passwords was a good idea?

Password length (count ordered)

8 = 119135 (26.9%)
6 = 79629 (17.98%)
9 = 65964 (14.9%)
7 = 65611 (14.82%)
10 = 54760 (12.37%)
12 = 21730 (4.91%)
11 = 21220 (4.79%)
5 = 5325 (1.2%)
4 = 2749 (0.62%)
13 = 2658 (0.6%)

We security folks have long preached (and rightly so) the virtues of a complex password. By increasing the size of the alphabet and the length of the password, we increase the work the bad guys must do to guess or crack the passwords. We've gotten in the habit of telling users that a good password consists of [lower case, upper case, digits, special characters] (choose 3). Unfortunately, if that is all the guidance we give, users, being human and by nature somewhat lazy, will apply those rules in the easiest way.

First capital last symbol = 1259 (0.28%)
First capital last number = 17467 (3.94%)

On the other hand, if we don't enforce at least that much, users won't bother.

Only lowercase alpha = 146516 (33.09%)
Only uppercase alpha = 1778 (0.4%)
Only alpha = 148294 (33.49%)
Only numeric = 26081 (5.89%)

I thought it was also interesting looking at the passwords that contained a year:

Years (Top 10)

2008 = 1145 (0.26%)
2009 = 1052 (0.24%)
2007 = 765 (0.17%)
2000 = 617 (0.14%)
2006 = 572 (0.13%)
2005 = 496 (0.11%)
2004 = 424 (0.1%)
1987 = 413 (0.09%)
2001 = 404 (0.09%)
2002 = 404 (0.09%)

What is the significance of 1987 and why nothing more recent than 2009? When I analyzed some other passwords, I'd see either the current year, or the year the account was created, or the year the user was born. And finally, some statistics inspired by the Trustwave analysis:

Months (abbr.) = 10585 (2.39%)
Days of the week (abbr.) = 6769 (1.53%)
Containing any of the top 100 boys names of 2011 = 18504 (4.18%)
Containing any of the top 100 girls names of 2011 = 10899 (2.46%)
Containing any of the top 100 dog names of 2011 = 17941 (4.05%)
Containing any of the top 25 worst passwords of 2011 = 11124 (2.51%)
Containing any NFL team names = 1066 (0.24%)
Containing any NHL team names = 863 (0.19%)
Containing any MLB team names = 1285 (0.29%)



I wish I had their list of curse words to test. :)
Conclusions?
So, what conclusions can we draw from all of this? Well, the obvious is that without any direction, most users will not choose particularly strong passwords and the bad guys know this. What constitutes a good password? What constitutes a good password policy? Personally, I think the longer, the better and I actually recommend [lower case, upper case, digit, special character] (choose at least one of each). Hopefully none of these users were using the same password here as on their banking sites. What do you, our faithful readers, think?
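To make the kind of statistics quoted in this diary reproducible on any password list you are auditing (for example, the output of a cracking run against your own organization's hashes), here is an added Python script. It is not part of the diary and not pipal's code; it recomputes the same families of numbers (duplicates, top passwords, base words, length distribution, character-class profile, embedded years) and adds a check against the "at least one of each class" policy recommended above. Assumptions: the base-word rule is a simplification (strip leading and trailing non-letters, then lowercase), the "first capital last number/symbol" patterns are my reading of what pipal reports, the 12-character minimum is a placeholder since the diary gives no number, and the sample list is constructed, not taken from the leak.

```python
"""Password-list audit in the style of the pipal statistics quoted in the diary.

Added example; not pipal and not the diary author's code. The sample list is
constructed to exercise every category, and the rules below are assumptions.
"""
import re
from collections import Counter

# Constructed sample (not leaked data); one entry per category of interest.
SAMPLE_PASSWORDS = [
    "123456", "password", "password", "Welcome1", "Sunshine!",
    "ninja2008", "PRINCESS", "abc123", "qwerty", "p@ssw0rd",
    "monkey1987", "love2009", "Tr0ub4dor&3", "a", "Correct-Horse-42",
]

# A four-digit run starting 19xx or 20xx that is not part of a longer number.
YEAR_RE = re.compile(r"(?<!\d)(19\d\d|20\d\d)(?!\d)")
FIRST_CAP_LAST_NUM = re.compile(r"[A-Z].*[0-9]")            # assumption
FIRST_CAP_LAST_SYM = re.compile(r"[A-Z].*[^A-Za-z0-9]")     # assumption


def length_distribution(passwords):
    """(length, count) pairs, most common first: pipal's 'count ordered' view."""
    return Counter(len(p) for p in passwords).most_common()


def base_word(pw):
    """Simplified base word: drop leading/trailing non-letters, lowercase.
    Returns None for passwords with no letters at all (e.g. '123456')."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower() or None


def char_class_profile(pw):
    """Set of composition labels (as the diary reports them) for one password."""
    labels = set()
    if pw.isalpha():
        labels.add("only alpha")
        if pw.islower():
            labels.add("only lowercase alpha")
        if pw.isupper():
            labels.add("only uppercase alpha")
    if pw.isdigit():
        labels.add("only numeric")
    if FIRST_CAP_LAST_NUM.fullmatch(pw):
        labels.add("first capital last number")
    if FIRST_CAP_LAST_SYM.fullmatch(pw):
        labels.add("first capital last symbol")
    return labels


def year_counts(passwords):
    """How often each plausible year appears inside a password."""
    counts = Counter()
    for p in passwords:
        counts.update(YEAR_RE.findall(p))
    return counts


def meets_policy(pw, min_length=12):
    """Diary's recommendation: long, and at least one of each character class.
    min_length is a placeholder; the diary does not name a number."""
    has_each = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= min_length and all(has_each)


def pct(n, total):
    """Render a count the way the diary does: '1667 (0.38%)'."""
    return f"{n} ({100 * n / total:.2f}%)"


def audit(passwords):
    """Compute every statistic in one pass over the list."""
    profile = Counter()
    for p in passwords:
        profile.update(char_class_profile(p))
    bases = [b for b in (base_word(p) for p in passwords) if b]
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "top_passwords": Counter(passwords).most_common(3),
        "top_base_words": Counter(bases).most_common(3),
        "lengths": length_distribution(passwords),
        "profile": dict(profile),
        "years": year_counts(passwords).most_common(),
        "policy_compliant": sum(meets_policy(p) for p in passwords),
    }


if __name__ == "__main__":
    r = audit(SAMPLE_PASSWORDS)
    print(f"{r['total']} passwords, {r['unique']} unique")
    for label, n in sorted(r["profile"].items()):
        print(f"{label} = {pct(n, r['total'])}")
    for year, n in r["years"]:
        print(f"{year} = {pct(n, r['total'])}")
    print(f"policy compliant = {pct(r['policy_compliant'], r['total'])}")
```

Run it against a real list by replacing SAMPLE_PASSWORDS with one password per line read from a file; the percentage base is the full list, duplicates included, which is how the figures in the diary are expressed.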
---------------

Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu
The opinions expressed here are strictly those of the author and do not represent those of SANS, the Internet Storm Center, the author's spouse, kids, or pets.
 
The next version of Microsoft Office, unveiled on Monday, is a dramatic departure from the software that millions of users have come to know, built for the cloud and for touch-based computing and packed with features that make it more social and, Microsoft hopes, more intuitive to use than past releases.
 
Ask any Silicon Valley entrepreneur about their startup and they'll usually tell you the sky is the limit. For some, it's not just the limit but the goal. Combining advances in electronics and new sources of funding with the Valley's geeky, do-it-yourself culture, two teams are turning to the Internet to fund satellites and take project supporters along for the ride into space.
 
Marissa Mayer, a longtime Google executive, has been named the next CEO at Yahoo.
 
Richard Porter --- ISC Handler on Duty
 
Skype, a division of Microsoft, confirmed on Monday that a glitch in its software has led to instant messages being shared with unintended parties.
 
Intel is dishing out a total of US$29,000 in cash prizes to Android developers in an effort to encourage coders to write games for tablets and smartphones using Intel chips.
 
I happen to think my daughter is the most wonderful kid on the planet. Total strangers, however, may not agree. And instead of courting their dissent by posting videos of my child doing delightful things, I turn to a more private way of sharing videos with friends and family.
 
Nokia cut the price of the Lumia 900 smartphone in half, to $49.99, less than four months after the device went on sale at AT&T.
 
Microsoft CEO Steve Ballmer today unveiled the next version of Office as the company launched previews of the suite for consumers and businesses.
 
0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability
 

Anonymous Publishes 1000 Email Credentials From Top Five Multinational Oil ...
iDigitalTimes.com
Phase two of the cyber-attack occurred on July 13 and contained 26 emails, clear text passwords and 724 emails and hashed passwords according to Nova Info SEC Portal. There is no clear indication of the hashtag algorithm used in the second content ...
 
Fortifying its resources for the high-performance computing (HPC) market, Intel has purchased Whamcloud, a commercial purveyor of the open-source Lustre file system. Terms of the deal were not disclosed.
 
Sprint has become the first U.S. wireless carrier to offer an ultrabook, which is being sold with a 3G/4G mobile hotspot device at no added cost.
 
The beta version of Office 2013 gets a needed facelift and adds a host of useful features, but its cloud integration leaves something to be desired.
 
A teardown of the Nexus 7 tablet reveals Google is apt to break even on the $199, 8GB version of its tablet while earning a modest profit on the 16GB version, priced at $249.
 
The stakes for Microsoft, which will outline the next version of its profitable Office suite later today, are extremely high because that part of its business generates more revenue than any other, an analyst said today.
 
Advanced Micro Devices will detail its upcoming low-power CPU for tablets code-named Jaguar at the Hot Chips show in August, and share the stage with IBM, Oracle and Fujitsu, which will provide further insight into next-generation server processors.
 
Cisco has acquired Virtuata, a privately held developer of technology for securing virtual-machine data in multi-tenant data centers, the company said Monday.
 

4 Reasons Why IT Security Needs Risk Management
Dark Reading
Rather than sending infosec employees on wild goose chases to defend against the scariest sounding threats, risk management takes a dollars-and-cents approach that grounds IT back to the reality of what it is trying to do—protect the organization's ...

 
Symantec last week crippled a large number of Windows XP machines when it shipped customers a defective update to its antivirus software, the company acknowledged.
 
Graphics chip manufacturer Nvidia is investigating claims that hackers have compromised its online stores as part of a larger attack that affected several of its websites.
 
Aerospace and energy system components manufacturer Woodward is the latest company to see its profits hurt by costs associated with an ERP software project, according to an announcement it made.
 
Sprint launched its 4G LTE network in 15 cities, mainly in areas surrounding the major markets of Atlanta, Dallas, Houston, Kansas City and San Antonio.
 
Sony began sales today of unlocked versions of its Xperia NXT series of smartphones in the U.S., with prices ranging from $299.99 to $559.99.
 
WordPress Plugin 'Count Per Day' 3.1.1 Multiple Cross-site scripting vulnerabilities
 
MGB OpenSource Guestbook 0.6.9.1 Multiple security vulnerabilities
 
Blackboard Mobile Learn v3.0 - Persistent Web Vulnerability
 
CakePHP 2.x-2.2.0-RC2 XXE Injection
 
SMF Board v2.0.2 - Multiple Web Vulnerabilities
 
VamCart v0.9 CMS - Multiple Web Vulnerabilities
 
Event Calendar PHP 1.2 - Multiple Web Vulnerabilites
 
Google Chrome 19 metro_driver.dll mishandling
 

Posted by InfoSec News on Jul 16

http://www.nextgov.com/cybersecurity/2012/07/are-fbis-android-data-sharing-apps-hacker-proof/56773/

By Dawn Lim
Nextgov.com
July 13, 2012

The FBI plans to tap George Mason University scientists to perform tests
on the law enforcement agency's Android mobile applications to see if
they are hacker-proof, a notice of intent reveals.

The bureau will match funding provided by the military venture capital
arm, Defense Advanced Research...
 

Posted by InfoSec News on Jul 16

http://www.darkreading.com/security-monitoring/167901086/security/perimeter-security/240003734/black-hat-researcher-rethink-and-refine-your-ids.html

By Robert Lemos
Contributing Writer
Dark Reading
July 13, 2012

When a company finds out that an attacker has been in its network and
stealing data, it's rare that its intrusion detection system (IDS) is
the key to the discovery. More often, as shown by the 2012 Verizon Data
Breach...
 

Posted by InfoSec News on Jul 16

http://www.zdnet.com/indian-navy-plans-dedicated-cyberforce-7000000922/

By Ellyne Phneah
ZDNet
July 16, 2012

The Indian navy is planning to create a dedicated cyberforce specializing in
Information Technology to protect its networks from hackers' attacks.

According to the Economic Times on Friday, the navy will use these officers for
administering and managing these IT networks, and is moving toward connecting
all its war-fighting...
 

Posted by InfoSec News on Jul 16

http://arstechnica.com/security/2012/07/german-security-experts-find-major-flaw-in-credit-card-terminals/

By Cyrus Farivar
Ars Technica
July 13, 2012

Two German security researchers have said that they can easily crack credit
card readers made by VeriFone, one of the world’s top firms in payment
infrastructure. Just this week, the company won a $35 million contract to
provide payment terminals for all taxis in Washington, DC.

The...
 
I think it's fair to say that most of us have too much paper in our lives, whether it's business documents, receipts, financial statements, or (my personal weakness) keepsake scraps like menus and ticket stubs. Flatbed scanners are inexpensive, but for large jobs (and, heck, even small ones), the scanning process is tedious.
 
When I reviewed Nocs's $70 NS200 Aluminum ( Macworld rated 3.5 out of 5 mice ), I found that the Swedish company's penchant for minimalism had resulted in a clean, but somewhat generic, design and that the sound quality, while unobjectionable, wasn't particularly compelling, either. Nocs recently sent Macworld the company's new $100 NS400 Aluminum, which represents a step up in price and performance.
 
Editor's note: The following review is part of Macworld's GemFest 2012 series. Every weekday from mid June through mid August, the Macworld staff will use the Mac Gems blog to briefly cover a favorite free or low-cost program. Visit the Mac Gems homepage for a list of past Mac Gems.
 
The recent news that a simple hack makes it trivial to circumvent iOS's in-app purchasing mechanism raises the question of whether Apple is doing enough to help developers safely conduct transactions through the App Store.
 
Name: Allison Aden
 
China's Huawei Technologies wants to take a bigger bite out of the enterprise market with a wider range of storage products, months after the company completed an acquisition of its joint venture with U.S. firm Symantec.
 
Forgoing features for speed has its trade-offs as these NoSQL data store shortcomings show
 
When a former Mozilla employee knocked the company's accelerated release schedule as having "killed Firefox's reputation," he got more than he bargained for.
 
Increasing numbers of weather-related disasters -- violent storms, wildfires that have ravaged more than 2 million acres in the Rocky Mountains and drought conditions affecting some two-thirds of the United States -- should have IT executives scurrying to update disaster recovery plans.
 
The U.S. is once again home to the world's most powerful supercomputer, rebounding after it was knocked off the top of the list by China two years ago and Japan last year.
 
A competitor suddenly seems to know a lot about the customers of our manager's company. Did a former employee take sensitive data when he left?
 
The organizations that will prosper in the future are those led by people who have imagined a future they want to live in.
 
Microsoft, Apple and Google have long seen that their future is in the cloud. Now they see their present there as well.
 
Some highly successful IT professionals decide the CIO's life isn't for them, so they move on to seek fulfillment elsewhere, perhaps as consultants or entrepreneurs. Do such departures represent a natural progression in the careers of accomplished executives, or do they say something troubling about the working environment of enterprise IT?
 
Manufacturing employment has been a bright spot for the economy, but IT workers aren't benefiting, a new report finds.
 
At its Google I/O developers conference in San Francisco, Google touted the new prototype of its Google Glass computerized eyeglasses.
 
Twitter has issued its first report about the requests it has received from various governments for information about users.
 
A worldwide network of data centers played a key role in CERN's discovery of what may be the long-sought Higgs boson, or "God particle," thought to be part of the explanation for why matter has mass.
 
New software from Web security specialists Blue Coat Systems allows companies to restrict what employees can do on their cellphones while logged into the corporate Wi-Fi.
 