Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Cyber News Rundown: WeChat Ransomware

Touch ID Used to Scam Apple Users

Two apps were recently removed from the Apple App Store after several users reported being charged large sums of money after installing the app and scanning their fingerprint. Both apps were fitness-related and had users scan their fingerprint immediately so they could monitor calories or track fitness progress. But the apps launched a payment confirmation pop-up with the user’s finger still on the device to charge any card on file for the account. Luckily, the apps were only available for a brief period before being removed and refunds issued.

Signet Jewelers Expose Customer Order Data

Signet Jewelers, the parent company for Kay and Jared jewelers, was informed last month by an independent researcher of a critical flaw in their online sites. By simply altering the hyperlink for an order confirmation email, the researcher was able to view another individual’s order, including personal payment and shipping information. While Signet resolved the issue for future orders, it took additional weeks to remedy the flaw for past orders.

WeChat Ransomware Hits over 100k Chinese Computers

In the five days since December began, a new ransomware variant dubbed WeChat Ransom has been spreading quickly across China. With over 100,000 computers currently infected and thousands more succumbing each day, WeChat has made a significant mark. Though it demands a ransom of only roughly $16 USD, the variant quickly begins encrypting the local environment and attempts to steal login credentials for several China-based online services. Fortunately, Tencent banned the QR code being used to send ransom payments and disabled the account tied to it.

Nearly 100 Million Users Compromised in Quora Breach

Servers containing sensitive information for nearly 100 million Quora.com users were recently compromised by unknown hackers. In addition to personal information about users, any posts or messages sent over the service were also breached. While informing affected users of the leak, Quora stated that all password data they store was fully encrypted using bcrypt, which makes it considerably more expensive and time-consuming for the hackers to break the algorithms and obtain the data.

Marriott Hotels Breach Leaves Half a Billion Users Vulnerable

In one of the largest data breaches to date, Marriott International is under fire for exposing the personal data of nearly 500 million individuals. A class-action lawsuit has been filed against the hotel chain. For many victims, their names, home addresses, and even passport information was available on an unsecured server for nearly four years after the company merged with Starwood, whose reservation systems were already compromised.

Cyber News Rundown: USPS Exposes Personal Data

USPS Website Leaves Personal Data Available to Anyone

Within the last week, the U.S. Postal Service (USPS) has been working to resolve a vulnerability that allowed any authenticated user to view and modify the personal information of any of the other 60 million users. Fortunately, USPS was quick to fix the vulnerability before any detectable alterations were made, which could have included changes to social security numbers, addresses, and even live tracking information on deliveries.

Amazon Exposes Customer Data

Many Amazon shoppers recently received an email informing them that their personal information was released, though the announcement was light on details. To make matters worse, Amazon’s only response was that the issue has been fixed. It did not mention what the actual issue was or what may have caused it. Official Amazon forums have been bombarded with concerned customers in advance of the approaching holiday season.

IRS Audit Reveals Fraud Protection Failure

It was revealed during a recent audit of the IRS that victims of at least 89 unique data breaches received no fraud protection for their tax filings. The number of affected victims is just over 11,000, some of whom have already fallen victim to tax filing fraud for either their 2016 or 2017 tax return. IRS staff have made promises to include the missing breaches in their tracking systems as quickly as possible and to begin assisting the victims of these incidents.

Atrium Health Breach Involves 2.65 Million Patients

The names and other sensitive personal information have been compromised for over 2.65 million patients of Atrium Health after a third-party provider experienced a data breach. Over the course of a week in late September, several servers belonging to AccuDoc were illegitimately accessed, though none of the data was downloaded. Fortunately, the servers didn’t contain payment or personal medical records and Atrium Health was informed just 2 days after the incident was discovered.

New Jersey Police Computers Hit with Ransomware

Since Thanksgiving Day, the computer systems for one New Jersey police force have been taken completely offline after experiencing a ransomware attack. Computer and email systems normally used by office administrators were also shut down as a precaution. It’s possible that the attack originated from one of the two official devices that have been missing for several months following the previous mayor’s abrupt passing.

Cyber News Rundown: Infowars Hacked by Card Skimmers

Infowars Online Site Compromised by Magecart Attack

Earlier this week, a security researcher found payment card-stealing scripts running on the Infowars online site. The scripts managed to stay active for nearly 24 hours. At least 1,600 users of the site may have been affected during this period, though many were returning customers who wouldn’t have had to re-enter their payment information into the compromised forms. As of writing, the malicious scripts being used by Magecart are active on nearly 100 other online stores, with almost 20% getting re-infected within a two-week period.

Scammers Syphon €19 Million From French Film Company

A lawsuit recently revealed that savvy scammers successfully took nearly €19 million through a series of unauthorized transfers from a spoofed personal email address of the company’s CEO. After requesting additional information from the scammers, who continued to provide highly-detailed documents suggesting their legitimacy, several payments were transferred from the company’s main cash pool with promises of a quick payback from the scammers.

Chinese Headmaster Caught Cryptomining on School’s Systems

The headmaster of a Chinese school was fired after staff discovered an excessively high power bill previously written off as a faulty HVAC system was actually caused by several cryptomining rigs running off the school’s electricity. The headmaster brought the mining machines into the school in mid-2017 and evaded blame for the excess power consumption until the physical proof was discovered. While it appears no other harm was done, cryptomining software can be dangerous, as you can never be sure nothing else is bundled with it.

New Botnet Exploits Unpatched Bug in Over 100,000 Devices

Researchers have been monitoring a relatively new botnet that is currently controlling over 100,000 devices, including 116 device types from multiple manufacturers. By taking advantage of well-known bugs in Universal Plug and Play (UPnP), hackers can quickly take control of a device and begin monitoring traffic from outside of the network.

Cathay Pacific Airlines Cyberattack Occurred Over Several Months

After originally claiming a data breach had taken place last month, affecting 9.4 million customers, new findings have shown the attacks have been happening regularly since March. Even though local laws didn’t require the company to notify authorities regarding a data breach, it is still surprising that it has taken almost nine months to determine what data had been exposed and what hadn’t.

Cyber News Rundown: HSBC Data Breach

Data Breach Nabs HSBC Account Info

HSBC has been monitoring unauthorized access that occurred over a ten-day period on their customers’ online accounts. During this time, attackers used credentials that were likely part of prior breaches to access numerous accounts. HSBC worked quickly to disable online access to any accounts that showed suspicious activity. The bank also began notifying potential victims of the incident and has taken additional steps to secure its online access points.

Latest Chrome Iteration Cracks Down on Annoyances

With the rollout of Google’s Chrome 71, the company is looking to enhance the user experience by blocking all advertisements on sites that have continued to allow the hosting of offensive material. Chrome 71 will also be more efficient at blocking phishing attacks and misleading pop-up notifications that may redirect users. Fortunately, sites that are flagged can check their status and are given 30 days to correct for offending content.

University Shuts Down Network Over Cryptomining

A Canadian university was forced to shut down its entire network after IT staff discovered a cryptocurrency miner operating illicitly on several university systems. While they are still unsure who installed the cryptominer, they have removed the software from the systems and brought the remainder of the networks back online. Along with slowly restoring the remaining services taken offline, the university also forced a password change for all current users.

Cardless ATMs Lead to Rise in Phishing Attacks

Several arrests in Ohio have recently revealed a new scam that leverages SMS phishing attacks to withdraw money from ATMs that don’t require the use of a bank card. By sending a victim’s smartphone an SMS message containing a link to “unlock” their accounts, they are redirected to a phony site that steals their credentials. The scam has netted the attackers nearly $68,000 over a two-week period.

Twitter Bitcoin Scammers Take Over Verified Accounts

Even as Twitter-based Bitcoin scams have slowed, a new Elon Musk spoof account has popped up with the usual offer to multiply any amount of Bitcoin received and return the inflated amount. This scammer may have the benefit of taking over a verified account, but modifications to the profile name and obvious spelling errors reveal it’s clearly not legitimate, though it does raise questions regarding the verification system’s security.

Password Constraints and Their Unintended Security Consequences

You’re probably familiar with some of the most common requirements for creating passwords. A mix of upper and lowercase letters is a simple example. These are known as password constraints. They’re rules for how you must construct a password. If your password must be at least eight characters long, contain lower case, uppercase, numbers and symbol characters, then you have one length, and four character set constraints.

Password constraints eliminate a number of both good and bad passwords. I had never heard anyone ask “how many potential passwords, good and bad, are eliminated?” And so I began searching for the answer. The results were surprising. If you want to know the precise number of possible 8-character passwords there are if all of the character sets must be used, then the equation looks something like this.

A serious limitation of this approach is that it tells you nothing about the effects of each constraint alone or relative to other constraints. (I’m also not sure if there were supposed to be four consecutive ∑s or if the mathematician was stuttering.)

We choose to use a Monte Carlo simulation to analyze the mathematical impact of the various combinations of constraints. A Monte Carlo simulation uses a statistical analysis approach that provides a close approximation of the answer, while also providing the flexibility to quickly and easily measure the impact of each constraint and combination of constraints.

A look at minimum length limits

To start, let’s look at the impact of an eight-character length constraint alone. 26 uppercase letters + 26 lowercase letters + 10 numerals + 33 symbols = 95 characters. For a length of 8 characters, we have 95^8 possible passwords.

If a password must be at least 8 characters long, then there are also about 70.6 trillion otherwise viable passwords you are not allowed to use (95 + 95^2 + 95^3 + 95^4 + 95^5 + 95^6 + 95^7). That’s a good thing. It means you can’t use 95 one-character passwords, 9,025 two-character passwords, and so on. Almost 70 trillion of those passwords you cannot use are seven characters long. This is a great and wholly intended effect of a password length constraint.

The problem with a lack of constraints is that people will use a very small set of all possible passwords, which invariably includes passwords that are incredibly easy to guess. In an analysis of over one million leaked passwords, it was found that 30.8 percent of passwords eight to 11 characters long contained only lowercase letters, and 43.9 percent contained only lowercase letters and numbers. In fact, to perform a primitive brute force attack against an eight-character password containing only lowercase letters, it’s only necessary to try about 209 billion character combinations (26^8). That does not take a computer very long to crack. And, as we know from analyzing large numbers of passwords, it’s likely to contain one of the most popular ten thousand passwords.

To beef up security, we begin to add character constraints. But, in doing so, we decrease the number of possible passwords, both good and bad.

Just by requiring both uppercase and lowercase letters, more than 15 percent of all possible 8-character combinations have been eliminated as possible passwords. This means that “1QV5#T&|” cannot be a password because it contains no lowercase letters. Compared to “Darnrats”, which meets the constraint requirements, “1QV5#T&|” is a fantastic password. But you cannot use it. Superior passwords that cannot be used are acceptable collateral damage in the battle for better security. “Corndogs” is acceptable, but “fruit&veggies” is not. This clearly is not a battle for lower cholesterol.

As constraints pile up, possibilities shrink

If a password must be exactly eight characters long and contain at least one lower case letter, at least one uppercase letter and at least one symbol, we are getting close to one-in-five combinations of 8 characters that are not allowable as passwords. Still, the effect of constraints on 12 and 16 character passwords is negligible. But that is all about to change… you can count on it.

Are you required to use a password that is at least eight characters long and has lowercase and uppercase letters, numbers and symbols? Just requiring a number to be part of a password removes over 40 percent of 8-character combinations from the pool of possible passwords. Even though you can use lowercase and uppercase letters, and you can use symbols, if one of the characters in your password must be a number then there are far fewer great passwords that you can use. If a 16-character password must have a number, then 13 times more potential passwords have become illegal as a result of that one constraint than the combined constraints of lowercase and uppercase letters and symbols caused. More than one in four combinations of 12 characters can no longer become passwords either.

You might have noticed that there is little effect on the longer passwords. Frequently there is also very little value in imposing constraints on long passwords. This is because each additional character in a password grows the pool of passwords exponentially. There are 6.5 million times as many combinations of 16-character passwords using only lowercase letters than there are of eight-character passwords using all four character sets. That means that “toodlesmypoodles” is going to be a whole lot harder to crack than “I81B@gle”.

Long and simple is better than short and hard

People tend to be very predictable. There are more symbols than there are characters in any other character set. Theoretically that means that symbols are going to do the most to make a password strong, but 80 percent of the time it is going to be one of the top five most frequently used symbols, and 95 percent of the time it will be one of the top 10 most frequently used symbols.

Analysis of two million compromised passwords showed that about one in 14 passwords start with the number one; of those that started with the number one, 75 percent ended with a number as well.

The use of birthdays and names, for example, makes it much easier to quickly crack many passwords.

Password strength: It’s length, not complexity that matters

As covered above, all four character sets (95 characters) in an eight character password allow for about 6.634 quadrillion different password possibilities. But a 16 character password with only lowercase letters has about 43.8 sextillion possible passwords. That means that there are well over 6.5 million times more possible passwords for 16 consecutive lowercase letters than for any combination of eight characters regardless of how complex the password is.

My great password is “cats and hippos are friends!”, but I can’t use it because of constraints – and because I just told you what it is.

For years password experts have been advocating for the use of simple passphrases over complex passwords because they are stronger and simpler to remember. I’d like to throw a bit of gasoline on to the fire and tell you: those 95^8 combinations of characters are only half that many when you tell me I have to use uppercase, lowercase, numbers, and symbols.
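The counting argument in this article (the 95^8 pool, the share of combinations that a lowercase/uppercase/digit/symbol constraint removes, and the Monte Carlo approach mentioned earlier) can be checked directly. The following script is an added example written for this page, not the author’s own simulation code. It computes the exact eliminated fraction with inclusion-exclusion over the required character classes and compares it against a Monte Carlo estimate; the only assumption beyond the text is which 33 characters make up the “symbol” class (here the 32 ASCII punctuation characters plus the space).

```python
import random
import string
from fractions import Fraction
from itertools import combinations

# Character classes as described on the page: 26 + 26 + 10 + 33 = 95.
# Assumption: the 33 "symbols" are ASCII punctuation plus the space character.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}
ALPHABET = "".join(CLASSES.values())
assert len(ALPHABET) == 95


def allowed_count(length, required):
    """Exact number of strings of the given length over the 95-character
    alphabet that contain at least one character from every required class.

    Inclusion-exclusion: for each subset of required classes that is
    *excluded*, count strings over the remaining characters, with the sign
    alternating by subset size."""
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = 95 - sum(len(CLASSES[c]) for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def eliminated_fraction(length, required):
    """Exact share of all 95**length strings that the constraints rule out."""
    return 1 - Fraction(allowed_count(length, required), 95 ** length)


def monte_carlo_eliminated(length, required, trials=100_000, seed=1):
    """Estimate the same share by drawing uniformly random strings and
    rejecting those that miss any required class."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(trials):
        pw = rng.choices(ALPHABET, k=length)
        if not all(any(ch in CLASSES[c] for ch in pw) for c in required):
            rejected += 1
    return rejected / trials


def constraint_ratio_16(required_a=("digit",), required_b=("lower", "upper", "symbol")):
    """How many times more 16-character strings one constraint set removes
    than another (the article compares a digit requirement with the combined
    lower/upper/symbol requirement)."""
    return float(eliminated_fraction(16, required_a) / eliminated_fraction(16, required_b))


if __name__ == "__main__":
    cases = [
        (8, ["lower", "upper"]),
        (8, ["lower", "upper", "symbol"]),
        (8, ["digit"]),
        (8, ["lower", "upper", "digit", "symbol"]),
        (12, ["lower", "upper", "digit", "symbol"]),
        (16, ["lower", "upper", "digit", "symbol"]),
    ]
    for length, req in cases:
        exact = float(eliminated_fraction(length, req))
        est = monte_carlo_eliminated(length, req)
        print(f"len={length:2d} require={'+'.join(req):26s} "
              f"exact={exact:6.1%} monte_carlo={est:6.1%}")
    print(f"16-char: digit rule removes {constraint_ratio_16():.1f}x more than lower+upper+symbol")
```

Running it reproduces the article’s figures: the lowercase+uppercase rule removes about 15.3% of 8-character strings, adding a symbol requirement brings that to about 18.5%, a digit requirement alone removes about 41%, and all four together remove roughly 54%; at 16 characters the digit rule removes about 13 times as much as the other three rules combined. The Monte Carlo column lands within a few tenths of a percent of the exact value, which is what makes the simulation approach good enough for comparing constraint combinations quickly.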

Cyber News Rundown: DemonBot Rising

DemonBot Botnet Gaining Traction

DemonBot, while not the most sophisticated botnet discovered to date, has seen a significant rise in usage over the last week. With the ability to take control of Hadoop cloud frameworks, DemonBot has been using the platform to carry out DDoS attacks across the globe. By exploiting Hadoop’s resource management functionality, the infection can quickly spread itself and allows for remote code execution on affected servers.

Cyber Attack Leaves Pakistani Bank Under Scrutiny

Bank Islami, one of the largest banks in Pakistan, announced that an unusual attack had occurred involving local cards used far outside of the country’s borders. While the bank was quick to return the funds removed from customers’ accounts, the remainder of the malicious transactions processed internationally have left the bank on the hook for nearly $6 million in phony withdrawals, mainly in the US and Brazil. Unfortunately, due to a lack of information regarding the malicious transactions, several other top banks in the country were forced to temporarily restrict international purchases to protect their own clients.

UK Industrial Credentials for Sale

Researchers recently discovered the credentials for over 600,000 individuals, all closely tied to construction or building firms, available for sale on the dark web. Presently it appears that the credentials were all compromised during breaches of third-party services into which users had entered their corporate email addresses, rather than breaches specific to the industry group. Fortunately, it appears there haven’t been any related breaches thus far, though this type of data could lead to additional sensitive information being stolen.

Ransomware Demands RDP Access to Encrypted System

A new ransomware variant has been making an unusual request from its victims: allowing remote desktop access in order to decrypt their files. Dubbed CommonRansom, due to the appended extension on the encrypted files, the variant also demands a 0.1 Bitcoin payment before making the request for administrator credentials to the victim’s computer. Even though this variant isn’t widespread, it does appear to be using a similar Bitcoin wallet as other infections, as 65 Bitcoins were recently sent from the designated wallet.

USGS Auditors Find Porn-related Malware on Government Network

Following a recent audit of the US Geological Survey, agency inspectors discovered Russian malware circulating the internal network and were able to trace it back to one employee who had visited over 9,000 pornographic websites from his government-issued computer. The employee was also found to be

Cyber News Rundown: Medicare Data Breach

Data Breach Affects Centers for Medicare & Medicaid Services

The Centers for Medicare & Medicaid Services (CMS) announced last week they had discovered malicious activity within their direct enrollment pathway, which connects patients and healthcare brokers. At least 75,000 individuals were affected. The pathway has since been disabled to prevent further exposure. Until the pathway is fixed, hopefully within a week, CMS is contacting affected patients and offering them credit protection services.

Ransomware Disables City’s Computer Systems

City officials in West Haven, Connecticut finally gave in to ransom demands following a cyberattack against their systems. The attack began early Tuesday morning and disabled 23 individual servers before a decision was made to pay a ransom in hopes of the return of their data. While it is still unclear if the systems were fully restored, the town was lucky to receive a relatively small ransom request ($2,000) given the significant amount of data stolen.

User Data Exposed on Adult Sites

A string of eight adult sites, all owned by the same individual, fell victim to hackers who took advantage of poor security to expose records for up to 1.2 million individuals. While not as large as similar adult-related breaches, it still presents questions as to why proper security measures aren’t put in place on these sites proactively. The owner of the sites has since taken them down and replaced them with messages warning users to update their passwords and take extra security precautions.

McAfee Tech Support Scam on the Rise

A new browser-based tech support scam has been spotted recently that warns users their McAfee subscription has run out and needs to be renewed. Rather than redirect victims through an affiliate link to the real McAfee site, though, this latest scam directly prompts the user to input payment card information and other personal data into a small pop-up window. To top it off, once payment info is entered, an additional pop-up appears that suggests contacting support to help install your new software and eventually falsely claiming payment wasn’t successful and users must re-purchase the software.

Iowa City Shuts Down After Ransomware Attack

The city of Muscatine, Iowa is working to determine how several of their main computer systems, both within city hall and its library, were infiltrated by ransomware that’s knocked them offline. Officials have announced that no information was stolen and the city does not maintain any payment records, so citizens shouldn’t be worried. The city’s emergency services were also unaffected and continue to operate as normal.

Cyber News Rundown: Voter Records for Sale

2018 Voter Records for Sale

As the United States midterm elections draw closer, concern surrounding voter information is on the rise, and for good reason. Records for nearly 35 million registered voters from 19 different states were found for sale on a hacker forum, with prices ranging from $500 to $12,500, depending on the state. Unfortunately, a crowdfunding campaign has begun on the forums to purchase each database and post them publicly, with 2 states already being published.

County Water Utility Struck by Ransomware

Just a week after Hurricane Florence hit land in North Carolina, a coastline county’s water utilities fell victim to a ransomware attack. Effectively shutting down all services during a time when they are working on emergency operations left the local water authority with limited capabilities until they began the lengthy process of restoring everything from backup files. By choosing to ignore the ransom and restore manually, the utility service has taken on a more time and resource consuming task, as they continue operating without any of their online systems.

PS4 Exploit Causes System Crash

A new exploit has been discovered that allows attackers to send a malicious message to other PlayStations that will effectively render the console unusable. The message itself doesn’t even need to be opened to cause considerable damage, resulting in most users performing a factory reset to return everything to normal. While some users have been successful in deleting the message from the mobile app before it causes any harm, others still had to rebuild the system’s database.

iPhone Passcode Bypass Still Active

Days after Apple released a patch for iOS 12.0 that shut down a passcode bypass method, the same researcher was able to find yet another way to access the phone illicitly. By using a combination of Siri and the VoiceOver feature, anyone with physical access to the device could obtain pictures and other data with ease. To make matters worse, the latest bypass also gives attackers the ability to send files to other devices and view them in full resolution, rather than minimized like the previous bypass allowed.

Massive Phishing Campaign Targets Iceland

Over the weekend, thousands of emails were sent out to the relatively small population of Iceland, most of which claimed to be from the local police and threatened judicial action if they did not comply. The email then linked victims to a nearly perfect replica of the official Icelandic Police website and requested their social security number. The attack itself was focused on gaining bank details and further compromising already infected computers for more information.

Cyber News Rundown: Windows 10 Update Deletes Files

Latest Windows 10 Update Removes User Files

Microsoft recently pulled its latest update, version 1809, after several users complained about personal files being deleted. While some users were able to use third-party software to retrieve deleted files, users whose files went missing from the Documents folder are having a much trickier time without restoring from backups. Since hearing of the issue, Microsoft has paused the automatic update until they can find a resolution.

Magecart Campaign Continues Its Spread

Following the attacks on British Airways and Ticketmaster, Magecart skimmer techniques have been discovered on Shopper Approved, a collective of several online stores. Fortunately, the company was able to identify the altered JavaScript code and contact affected vendors. The malicious code itself was targeted at the checkout pages for the affected stores with specific URL keywords, leaving the remainder of the thousands of online retailers unaware anything had occurred.

Vulnerabilities Found in Millions of Chinese Electronics

A new wave of vulnerabilities has been spotted in nearly 9 million devices made by Chinese-based Xiongmai, leaving them susceptible to attack. Serious issues include default admin passwords without a prompt to immediately change them, no encryption when connecting to their cloud servers, and a lack of authorization checks when searching for updates. Many of these devices were known to be compromised during the Mirai botnet attacks, though the access points used for that have since been patched.

FCC To Block Illegal Spam Calls

Most people have received at least one unwelcome call on their mobile phone from a robotic auto-dialer. Now the attorneys general from 35 states are coming together in hopes the FCC can do something about those annoying calls. These types of spam calls seem to have increased in volume in recent years, even after the 2017 Call Blocking Order aimed at stopping them, forcing customers to block calls themselves. With an estimated 40 billion robocalls this year alone, it’s no surprise so many states are interested in putting a stop to this nuisance.

Google+ Goes Out on Low Note

After constantly struggling with low adoption, Google’s response to more popular social media platforms like Facebook has officially reached the end of its life. Several months ago an API bug was spotted that allowed unauthorized access to thousands of Google+ user accounts. The bug was patched but remained undisclosed until recently. With new GDPR regulations on breach disclosure, even the possibility of low volumes of affected clients could still be trouble for Google.

Cyber News Rundown: Botnet Targets Brazil’s Banks

Brazilian Bank Traffic Rerouted by Massive Botnet

A botnet containing more than 100,000 routers and other devices was recently spotted hijacking traffic destined for several Brazilian banks. The hijacking victims are then sent to one of at least 50 confirmed phishing sites that will attempt to steal any information the user will provide. Backing this ever-growing botnet is a small collection of tools used to brute-force weak passwords and continue to search for other devices with poor security.

Cyber Attack Shuts Down Canadian Restaurants

A major Canadian restaurant chain announced several of their restaurant brands had suffered a ransomware attack that affected nearly 1,400 stores in recent days. While many of the IT systems were quickly taken offline to prevent further spread of the infection, customers were met with non-functioning payment systems or just closed doors. Fortunately, the company keeps regular backups and was able to restore their systems without paying a ransom.

High-Profile Instagram Accounts Being Hacked

Several high-profile Instagram accounts were hacked and held hostage recently, with some accounts being deleted even after a payment was sent. Though many victims have contacted Instagram multiple times regarding access to their accounts, some were sent automated responses while others regained control of their accounts without hearing from the company.

Google Chrome Cracks Down on Extensions

With dozens of new extensions being added to Google’s Chrome Web Store every day, it has become increasingly difficult for Google to police for malicious apps. That’s why the release of Chrome 70 will bring the ability for users to restrict browser extensions to a single site and limit the permissions an extension has over the pages viewed. Additionally, Chrome has implemented 2-step verification for all developer accounts to curb the volume of hacked apps made available.

Port of San Diego Hit by Ransomware

It was revealed last week that the Port of San Diego, which controls over 34 miles of coastline, suffered a ransomware attack that temporarily knocked out their computer systems. Fortunately, most routine port operations remained able to function normally while systems were offline. There is still no information on whether the ransom has been paid or how the infection occurred.

Cyber News Rundown: Firefox Vulnerable to DoS Attack

Firefox Vulnerability Leads to Crash

A new denial-of-service (DoS) attack has been created with the ability to cause desktop versions of the browser Firefox to freeze or crash. Upon visiting sites where the malicious script is present, the user’s browser forces download requests for a massive junk file that can cause the IPC channel for the browser to crash. Luckily, the researcher who created the attack method has contacted Mozilla about the issue, and there’s hope for a swift resolution.

Kodi Media Player Used to Spread Malware

Nearly 5,000 computers were recently compromised with cryptomining malware that was silently distributed either through malicious builds of the Kodi media player or through third-party add-ons used to enhance the player. Most of the infected computers were found to be mining for Monero and have already mined around $6,700 since the beginning of the campaign. When obtaining these types of add-ons, it’s best to visit official repositories rather than third parties, as they tend to be more discerning about the content they host.

Online Fashion Retailer Breached

SHEIN has revealed a data breach from June that they themselves only discovered within the last month. Nearly 6.5 million customers could be affected, as the systems storing login credentials were compromised in the attack, the company stated in a recent press release. Fortunately for those customers, the company says they do not store payment data so a simple password change should be sufficient to protect their clients.

Scottish Brewery Hit by Ransomware

After publishing a job opening to their own site, Arran Brewery was able to successfully fill the needed position. Unfortunately for the Scottish brewery, attackers posted that listing on several international recruiting sites and received dozens of applications including documents embedded with ransomware, resulting in the company being locked out of crucial systems and a ransom demand of two Bitcoins. Arran Brewery opted to restore their systems from offsite backups rather than pay the ransom, but lost up to three months of data due to outdated backups.

DoorDash Customers Complain About Hacked Accounts

Several dozen people have contacted DoorDash regarding fraudulent orders placed on their accounts. DoorDash was confident it was not to blame for the breach, instead blaming “credential stuffing,” a tactic where attackers try using previous breach data from other sites in the hope that the same password was used in multiple places. The company says it has no plans to implement further security measures such as two-factor authentication.

Unsecure RDP Connections are a Widespread Security Failure

While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP) connections becoming the favorite port of entry for ransomware campaigns.

RDP connections first gained popularity as attack vectors back in 2016, and early success has translated into further adoption by cybercriminals. The SamSam ransomware group has made millions of dollars by exploiting the RDP attack vector, earning the group headlines when they shut down government sectors of Atlanta and Colorado, along with the medical testing giant LabCorp this year.

Think of unsecure RDP like the thermal exhaust port on the Death Star—an unfortunate security gap that can quickly lead to catastrophe if properly exploited. Organizations are inadequately setting up remote desktop solutions, leaving their environment wide open for criminals to penetrate with brute force tools. Cybercriminals can easily find and target these organizations by scanning for open RDP connections using engines like Shodan. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.

Once a criminal has desktop access to a corporate computer or server, it’s essentially game over from a security standpoint. An attacker with access can then easily disable endpoint protection or leverage exploits to verify their malicious payloads will execute. There are a variety of payload options available to the criminal for extracting profit from the victim as well.

Common RDP-enabled threats

Ransomware is the most obvious choice, since its business model is proven and allows the perpetrator to “case the joint” by browsing all data on system or shared drives to determine how valuable it is and, by extension, how large a ransom can be requested.

Cryptominers are another, more recently emerging payload option that criminals deliver via the RDP attack vector. When criminals breach a system, they can see all hardware installed and, if substantial CPU and GPU hardware are available, they can use it to mine cryptocurrencies such as Monero. This often leads to instant profitability that doesn’t require any payment action from the victim, and can therefore go undetected indefinitely.


Solving the RDP Problem

The underlying problem that opens up RDP to exploitation is poor education. If more IT professionals were aware of this attack vector (and the severity of damage it could lead to), the proper precautions could be followed to secure the gap. Beyond the tips mentioned in my tweet above, one of the best solutions we recommend is simply restricting RDP to a whitelisted IP range.

However, the reality is that too many IT departments are leaving default ports open, maintaining lax password policies, or not training their employees on how to avoid phishing attacks that could compromise their system’s credentials. Security awareness education should be paramount as employees are often the weakest link, but can also be a powerful defense in preventing your organization from compromise.
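The two failures described above, brute forcing against exposed RDP and logons from addresses that were never whitelisted, both leave traces in the Windows Security log. The following is an added example (not code from the original post) that audits constructed log records for both; Event IDs 4624/4625 and LogonType 10 are real Windows values, while the records and the allowlisted VPN range are assumed placeholders.

```python
# Added example, not from the original post: audit constructed Windows Security
# records for RDP brute forcing and for RDP logons from outside an allowlist.
# Event IDs 4624 (success) / 4625 (failure) with LogonType 10 mean RDP logons.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

RDP_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]  # assumed VPN pool (placeholder)

# Constructed records: (timestamp, event_id, logon_type, user, source_ip)
SAMPLE_EVENTS = [
    ("2018-09-25T02:14:01", 4625, 10, "administrator", "198.51.100.23"),
    ("2018-09-25T02:14:03", 4625, 10, "admin", "198.51.100.23"),
    ("2018-09-25T02:14:05", 4625, 10, "administrator", "198.51.100.23"),
    ("2018-09-25T02:14:07", 4625, 10, "backup", "198.51.100.23"),
    ("2018-09-25T02:14:09", 4625, 10, "administrator", "198.51.100.23"),
    ("2018-09-25T02:14:40", 4624, 10, "administrator", "198.51.100.23"),
    ("2018-09-25T08:00:12", 4624, 10, "jsmith", "10.20.4.17"),
    ("2018-09-25T08:05:30", 4625, 2, "jsmith", "10.20.4.17"),  # local, not RDP
]

def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RDP_ALLOWLIST)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed RDP logons inside `window`."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, _user, ip in events:
        if event_id == 4625 and logon_type == 10:
            failures[ip].append(datetime.fromisoformat(ts))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def find_unapproved_rdp_logons(events):
    """Successful RDP logons (4624, type 10) from outside the allowlist."""
    return {(user, ip) for _ts, eid, lt, user, ip in events
            if eid == 4624 and lt == 10 and not is_allowlisted(ip)}

if __name__ == "__main__":
    print("brute force sources:", find_rdp_bruteforce(SAMPLE_EVENTS))
    print("unapproved RDP logons:", find_unapproved_rdp_logons(SAMPLE_EVENTS))
```

The second check is the audit counterpart of the whitelisting advice: a firewall that only admits the allowlisted range should make its result empty.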

You can learn more about the benefits of security awareness training in IT security here.