100 Worst Passwords of 2017

SplashData, which makes password management software, releases an annual list of the most common passwords found in breach dumps.

They built the 2017 list by collecting five million passwords leaked in breaches and counting how often each one appeared.

The top password this year is, again, 123456.

The number two password is, yes, password.

Number three is 12345678.

You can read the article for the rest of them, but it doesn't get better as you go down the list. Number 11 is admin; number 14 is login. Number 16 is starwars.

After all of the articles that talk about selecting good passwords, 123456 is still number one.

Hopefully those compromised passwords did not include access to your bank account, but I wouldn’t even bet on that.

PLEASE, choose good passwords, do not reuse a password across web sites, use a password manager, and turn on two-factor authentication wherever a site offers it.

The part about not reusing passwords is the toughest because we have so many of them. That is why a password manager matters: it generates and stores a different random password for every site, so you only have to remember one, the long one that unlocks the manager itself.
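As an added example (not from the original post or from SplashData), here is the check a site should run before accepting a new password: fold the candidate into the forms people use to dress up a banned word ("Password1!", "P@$$w0rd", "Starwars2017"), then look each form up in a compromised-password list. The lookup is indexed by the first five hex characters of the SHA-1 the way the public breach-checking APIs do, so the same code works against a remote range service without ever sending the password. The deny list here is a constructed handful of entries from the 2017 list, standing in for a full breach corpus; the leet substitutions and the 12-character minimum are assumptions.

```python
import hashlib
import re
from typing import Dict, Iterator, Optional, Set, Tuple

# Constructed sample: a few entries from SplashData's 2017 list, an illustration
# only. A real deployment loads a full breach corpus here.
COMPROMISED = ["123456", "password", "12345678", "qwerty", "admin", "login", "starwars"]

# Substitutions people use to "strengthen" a banned word (assumed set). Applied
# in a single pass so "p@$$w0rd" folds back to "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "!": "i", "4": "a"})


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_index(passwords) -> Dict[str, Set[str]]:
    """Index a compromised list the way the k-anonymity range scheme does:
    key = first 5 hex chars of the SHA-1, value = the remaining 35 chars."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def candidates(password: str) -> Iterator[str]:
    """Yield every form of the password a deny list should also match:
    case-folded, trailing digits/punctuation stripped, leading punctuation
    stripped, and leet-decoded."""
    base = password.lower()
    seen: Set[str] = set()
    for form in (
        base,
        re.sub(r"[\d\W_]+$", "", base),                    # "password1!" -> "password"
        re.sub(r"^[\W_]+", "", base),                      # "!password"  -> "password"
        base.translate(LEET),                              # "p@$$w0rd"   -> "password"
        re.sub(r"[\d\W_]+$", "", base.translate(LEET)),    # "p@ssw0rd99" -> "password"
    ):
        if form and form not in seen:
            seen.add(form)
            yield form


def find_compromised(password: str, index: Dict[str, Set[str]]) -> Optional[str]:
    """Return the deny-list form the password folds to, or None.
    Only h[:5] would leave the client if `index` were a remote range service."""
    for form in candidates(password):
        h = sha1_hex(form)
        if h[5:] in index.get(h[:5], ()):
            return form
    return None


def check_password(password: str, index: Optional[Dict[str, Set[str]]] = None,
                   min_len: int = 12) -> Tuple[bool, str]:
    """Policy: reject anything that folds to a known-compromised password,
    then enforce a minimum length. Returns (accepted, reason)."""
    if index is None:
        index = build_index(COMPROMISED)
    hit = find_compromised(password, index)
    if hit is not None:
        return False, f"matches compromised password '{hit}'"
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["123456", "Password1!", "P@$$w0rd", "Starwars2017",
               "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```

The folding step is what makes a deny list worth having: a list that only matches exact strings lets "Password1!" through, and that is exactly the password people pick once "password" is refused.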

Information for this post came from PC Magazine.

To Russia With Love

No, this is not a new Bond movie; it is, instead, an example of one of the many weaknesses of an Internet that was never designed to withstand malicious attackers.

I will try to make this as non-technical as I can, but it will be a bit technical, so please stay with me.

Larger Internet users, whether businesses or Internet providers, often have multiple connections to the Internet so that customers and partners can continue to reach them even if one connection goes down. Some companies have 3, 4 or more. Somehow, these companies need to tell the other companies and Internet providers on the 'net how to reach them: which connection to use for which of their internal networks.

Out of this problem, and literally on a couple of sheets of paper, Kirk Lougheed of Cisco and Yakov Rekhter of IBM designed BGP, the Border Gateway Protocol.

That was 1989, and back then nobody built security into it.

Here is how BGP works. The Internet is a collection of networks called autonomous systems (ASes), each identified by a number. When an AS wants the rest of the Internet to reach a block of IP addresses (a prefix) through it, it "announces" that prefix to its neighbors, who pass it on to theirs, and so on. Routers prefer the most specific prefix they hear about, so an announcement for a smaller block wins over the legitimate announcement for the larger block that contains it.

Unfortunately, the core of the protocol has not changed much since 1989, and it still has no built-in way to check that the AS announcing a prefix is actually entitled to it. (RPKI, an add-on that lets address holders publish signed statements of which AS may originate their prefixes, exists, but it only helps where networks validate against it, and in 2017 most do not.)

What this means is that ANYONE with a BGP session can announce a route for anyone's addresses. Announcements happen non-stop, every day, and without validation you simply hope they are done right.

We have seen many instances of BGP announcements that are very suspicious; earlier this month we had another one.

On December 11/12, for a three-minute window, about 80 prefixes were hijacked; then, for about two hours, 40 prefixes; and finally, at the end of the event, about 80 prefixes again for a couple of minutes.

Surprisingly, or not, the hijacked routes all pointed to Russia. BGP has no authentication, but every announcement does carry the AS number of the network that originated it and the path it traveled, and the originating AS here belonged to a Russian provider. That is how we know where the announcements came from (an AS number can be forged, so "came from" is an inference rather than proof, but a strong one).

There are two reasons why Russia might do this. One is to siphon off a lot of traffic and then try to decrypt or analyze it. Most traffic to these sites is protected by TLS, so a passive tap yields mainly metadata (who talked to whom, when, and how much) rather than content, but that is valuable in its own right.

The other reason would be to take down a large part of the Internet.  If the malicious user takes in all this data but does not put it back out on the Internet, then all of the traffic destined for these affected sites gets “black holed”, which means that all of their traffic goes into the digital trashcan.

The sites affected by this attack were Google, Facebook, Apple, Microsoft and a few others.  Likely not a coincidence.

Lets assume that this was just a test.  You route the traffic through Russia but put it back out on the Internet and maybe no one is any the wiser.

Then, when you want to create chaos, you route the traffic through Russia but put ZERO traffic back out. The sites you attack are totally down. Hopefully, relatively quickly, the sites can respond: the usual countermeasure is to announce even more specific prefixes so routers prefer the legitimate route again, and to get upstream providers to filter the bogus announcement. But then the attackers can re-announce their routes.

It would be a mess.

And don't count on the Internet gurus to close this security "hole" any time soon. The fixes exist on paper: RPKI lets an address holder publish a signed record of which AS may originate a prefix, and BGPsec, standardized this year, signs the path itself. The hard part is deployment, because both only help when the networks along the way validate, and getting everyone in the world who runs BGP, literally, to turn that on is a many-year effort. It would probably take a decade.

This is why companies closely monitor the BGP announcements that touch their address space: the ones they make themselves, and the ones other people make for their prefixes without authorization.
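As an added example (not from the original post or from Ars Technica), here is the monitoring check in code: route origin validation with RFC 6811 semantics, run over a feed of announcements, flagging anything inside your own address space that is not valid. Both hijack shapes from the story show up: a stranger's AS originating your prefix, and a more-specific prefix that no authorization covers. The prefixes and AS numbers are documentation ranges (RFC 5737, RFC 3849, RFC 5398) constructed for the example, not the real event's; the ROA data structure mirrors what an RPKI validator hands a router, but the feed here is an in-memory list rather than a live BGP session.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` says AS `origin_as`
    may originate it, and any sub-prefix no longer than `max_len` bits."""
    prefix: str
    max_len: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int  # rightmost AS in the AS_PATH


def _covers(container: str, prefix: str) -> bool:
    a, b = ipaddress.ip_network(container), ipaddress.ip_network(prefix)
    return a.version == b.version and b.subnet_of(a)


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """Route Origin Validation (RFC 6811):
    'valid'     some covering ROA authorizes this origin at this length;
    'invalid'   ROAs cover the prefix but none authorize it (wrong AS, or
                more specific than max_len allows);
    'not-found' no ROA covers the prefix, so nothing can be said."""
    length = ipaddress.ip_network(ann.prefix).prefixlen
    covered = False
    for roa in roas:
        if not _covers(roa.prefix, ann.prefix):
            continue
        covered = True
        if roa.origin_as == ann.origin_as and length <= roa.max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def monitor(feed: Iterable[Announcement], roas: Iterable[ROA],
            my_prefixes: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Alert on every announcement inside my address space that is not valid.
    A foreign origin or an unauthorized more-specific is the hijack signature;
    'not-found' on my own space means I have not signed a ROA for it yet."""
    roas = list(roas)
    my_prefixes = list(my_prefixes)
    alerts = []
    for ann in feed:
        if not any(_covers(mine, ann.prefix) for mine in my_prefixes):
            continue
        status = validate(ann, roas)
        if status != "valid":
            alerts.append((ann.prefix, ann.origin_as, status))
    return alerts


# Constructed sample data: documentation address ranges and AS numbers only.
MY_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    # 198.51.100.0/24 deliberately has no ROA: much address space is still unsigned.
]
FEED = [
    Announcement("203.0.113.0/24", 64496),   # our own announcement, fine
    Announcement("203.0.113.0/25", 64496),   # ours, but longer than max_len permits
    Announcement("203.0.113.0/25", 64511),   # stranger announcing a more-specific
    Announcement("198.51.100.0/24", 64511),  # stranger on our unsigned space
    Announcement("2001:db8:1::/48", 64496),  # allowed by max_len 48
    Announcement("192.0.2.0/24", 64500),     # not our space, ignored
]

if __name__ == "__main__":
    for alert in monitor(FEED, ROAS, MY_PREFIXES):
        print("ALERT prefix=%s origin=AS%d status=%s" % alert)
```

The 198.51.100.0/24 alert is the one to notice: with no ROA, a validating router sees "not-found" and accepts the stranger's route just as readily as yours, so monitoring catches it but nothing on the wire stops it. Signing a ROA turns that case into "invalid".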

Information for this post came from Ars Technica.


Reaper Botnet – A Scary Possibility

The Mirai botnet infected a couple hundred thousand Internet of Things devices last year by logging in over Telnet with a list of factory default usernames and passwords; any device whose default had not been changed was taken over. That botnet then took down Dyn, a major managed DNS provider. When Dyn went down, so did Dyn's customers, like Amazon and Netflix, because nobody could resolve their names.

What would happen if a new botnet network that was 10 times the size of Mirai appeared – what could that do to the Internet?

Well, that new botnet is here. It is called Reaper (also known as IoTroop). Check Point estimated it had already reached over a million organizations, ten times Mirai's peak, though later counts of actively infected devices came in well below that figure.

What makes Reaper different from Mirai is that instead of guessing default passwords, Reaper exploits known vulnerabilities in IoT devices (routers, IP cameras, DVRs) and looks for devices that have not been patched.
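An IoT worm that exploits web-interface bugs has to find its targets first, and that search is visible: one device on your network starts opening connections to the web ports of many of its neighbors in a short time. The following is an added example (not from the original post or from Wired) of that detection run over flow records: it keeps a sliding time window per source and flags any source that talks to more distinct destinations on device-admin ports than a normal client would. The flow lines are constructed for the example, the set of watched ports is an assumption (the ports Reaper actually probes are not stated on this page), and the window and threshold are starting values to tune against your own traffic.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Ports where embedded web interfaces usually live (assumed list for the demo).
WATCH_PORTS = {80, 81, 8080, 8081, 8443}

# Constructed flow records: "timestamp src dst dport". 192.0.2.77 walks the
# neighbourhood the way a worm does; 192.0.2.10 is a laptop browsing normally.
SAMPLE_FLOWS = """\
2017-10-20T10:00:00 192.0.2.77 192.0.2.2 80
2017-10-20T10:00:01 192.0.2.77 192.0.2.3 8080
2017-10-20T10:00:02 192.0.2.77 192.0.2.4 80
2017-10-20T10:00:03 192.0.2.77 192.0.2.5 8080
2017-10-20T10:00:04 192.0.2.77 192.0.2.6 80
2017-10-20T10:00:05 192.0.2.77 192.0.2.7 81
2017-10-20T10:00:06 192.0.2.77 192.0.2.8 80
2017-10-20T10:00:07 192.0.2.77 192.0.2.9 8080
2017-10-20T10:00:08 192.0.2.77 192.0.2.10 80
2017-10-20T10:00:09 192.0.2.77 192.0.2.11 8081
2017-10-20T10:00:10 192.0.2.77 192.0.2.12 80
2017-10-20T10:00:11 192.0.2.77 192.0.2.13 8080
2017-10-20T10:00:05 192.0.2.10 198.51.100.5 443
2017-10-20T10:00:06 192.0.2.10 192.0.2.20 80
2017-10-20T10:00:30 192.0.2.10 203.0.113.9 8080
2017-10-20T10:05:00 192.0.2.77 192.0.2.50 80
"""

Flow = Tuple[datetime, str, str, int]  # (timestamp, src, dst, dport)


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_scanners(flows: List[Flow], window_s: int = 60,
                  threshold: int = 8) -> Dict[str, int]:
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct hosts on WATCH_PORTS within any `window_s`
    second window. Sliding window per source, so an old burst does not keep
    inflating the count forever."""
    by_src: Dict[str, List[Flow]] = {}
    for flow in flows:
        if flow[3] in WATCH_PORTS:
            by_src.setdefault(flow[1], []).append(flow)

    flagged: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort(key=lambda f: f[0])
        in_window: Counter = Counter()   # dst -> hits inside the current window
        start = 0
        peak = 0
        for ts, _, dst, _ in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event fits the window.
            while (ts - events[start][0]).total_seconds() > window_s:
                old = events[start][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible scanner {src}: {count} distinct web-port targets in a window")
```

Counting distinct destinations rather than raw connections is deliberate: a browser hammering one site opens many connections to a single host, while a worm opens one connection each to many hosts.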

When was the last time you patched your dishwasher or webcam?  If you are like most people, you have never patched your IoT devices.  If you have not patched them then they could become part of this new botnet.

To make it harder to take down, it uses a mesh network of control servers.  Take one down and another takes over.

Right now Reaper is not doing anything malicious.  That doesn’t mean that it won’t do something next week or next month.

The experts seem to think that Reaper is an experiment.   The author wants to see if the idea works.   It seems to me that this experiment is working!

So what happens if the people in charge of Reaper decide to go on the attack?  The size of the Reaper network is currently limited by the fact that this version of the software exploits only 9 vulnerabilities.  What happens to the size of the network if it exploits 30?  Or 50?  That could make a million infected devices look small.

The software has the ability to automatically update itself, so if the owners of the network wanted to, they could update the software to look for more vulnerabilities and more potentially infected devices.

Given that the U.S. is very dependent on Internet for our businesses and personal lives, if an attack were to take it down, the ripple effect could be very large.

But we really don’t know what the botnet controller has in mind.

It likely is not good, however.

Information for this post came from Wired.

Microsoft Pre-Installs Password Manager That Can Compromise Your Passwords

UPDATE:  What do you do if you are a company whose software is buggy and who is outed by a well-respected journalist, Ars Technica's Dan Goodin?

One approach would be to apologize.

Keeper Software’s idea is to sue the journalist for false and misleading statements.

The alternative would be to sue the researcher, Tavis Ormandy, who found the bug.  Unfortunately for Keeper, Tavis works for Google, and suing Google likely would not turn out well, so they sued a much smaller target, Ars Technica.

Keeper says that the defamation came from Dan’s comment that the bug was 16 months old.

Hopefully Keeper’s suit gets thrown out of court very quickly, but even if it does, it will still cost Ars a bunch to defend themselves.

Whether this is a bit of PR genius or a PR disaster remains to be seen.  (Ars has covered the suit.)

Security is a never ending task.

For some reason, Microsoft decided to pre-install a third party password manager on the Win 10 Anniversary Update (version 1607).

Unfortunately, the version of Keeper that Microsoft was distributing has a "slight" problem: a critical flaw in its browser extension.  According to Ormandy's report, the extension injects its own privileged user interface into web pages, and a malicious page can use that interface to pull any stored password out of the vault, which amounts to a complete compromise of the passwords you entrusted to the software.

On top of it, Microsoft doesn’t ask users if they want to install the Keeper software- it just installs it.  I assume that Keeper is paying Microsoft to install it.

The flaw is essentially the same one that Tavis Ormandy of Google's Project Zero found in Keeper in August 2016, 16 months earlier.

How Microsoft managed to distribute a version of the software that still had this bug is unknown, but it points to a supply chain problem.  Microsoft should have known that Keeper had a critical flaw a year ago and checked that the version it was shipping had it fixed.  New bugs are expected, but a bug that was fixed a year ago should not still be in the build being distributed.

The good news is that Keeper has created a patch for this version of the software and it is being distributed.

If you never opened the software, never enabled its browser extension and never saved any passwords in it, you were safe even with this bug, if that is any consolation.

Bottom line, USERS need to be responsible for the software they use.  The challenge is that many users probably figured this was an app that Microsoft developed.  After all, they didn't ask for it; they didn't download it; Microsoft never told them a third-party app was being silently installed.  It just appeared.

Thank you Google Project Zero!

Information for this post came from Hacker News.

Researchers Find Directv Security Hole No One is Patching

Researchers tried to do this the right way with no luck so now they are seeing if bad publicity will get the job done.

AT&T DirecTV's Genie system creates a private wireless network to carry video, audio and the user interface between the wireless client boxes hanging off the backs of your TVs and the DVR they talk to.

According to researchers, the bug is trivial to exploit and will go undetected.

The wireless video bridge, as it is called, runs a web server, and when the researcher checked it out he discovered that the web server does not require any login.  After all, the only thing that should be talking to it is a Genie client unit.

Worse yet, the web server does no input validation on what it receives, so if you send it crafted data you can own the box as ROOT, Linux's all-powerful superuser account.

The good news is that this wireless bridge is not exposed to the Internet, but if someone compromised a PC on your home network, it would be trivial to pivot from that PC to the DirecTV box.
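The write-up says only "no login" and "no input validation"; it does not name the bug class. The commonest way an unvalidated parameter becomes root on an embedded Linux web server is OS command injection, where the handler builds a shell command out of the request, and that is what the added example below assumes (it is an illustration of the pattern, not the bridge's actual code). It shows the vulnerable handler beside a hardened one and adds the authentication check the bridge lacked. `echo` stands in for whatever network utility such a handler would really run, so the demo is harmless and runs anywhere with /bin/sh; the parameter name, the token scheme and the host allow-list are assumptions.

```python
import re
import subprocess
from typing import Dict, Optional, Set, Tuple

# Hostnames and IPv4 literals only: letters, digits, dots, hyphens. Anything a
# shell treats specially (; | & $ ` quotes, whitespace, newlines) is rejected.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def ping_vulnerable(target: str) -> str:
    """The pattern described in the article: a request parameter spliced
    straight into a shell command line. A value like "x; id" runs `id` as
    whatever user the web server runs as, root on many embedded boxes."""
    proc = subprocess.run(f"echo pinging {target}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def ping_hardened(target: str) -> str:
    """Allow-list the parameter, then hand it to the program as its own argv
    element so no shell ever parses it. Both halves matter: argv alone stops
    this injection, but the allow-list also blocks option-style values such
    as "-c999999" that the utility itself would misinterpret."""
    if not HOST_RE.fullmatch(target):
        raise ValueError("invalid host")
    proc = subprocess.run(["echo", "pinging", target],
                          capture_output=True, text=True)
    return proc.stdout


def handle_request(params: Dict[str, str], token: Optional[str],
                   valid_tokens: Set[str]) -> Tuple[int, str]:
    """The two checks the bridge skipped, in the order a handler should apply
    them: is the caller allowed in at all, and is the input sane.
    Returns (HTTP status, body)."""
    if token is None or token not in valid_tokens:
        return 401, "authentication required"
    try:
        return 200, ping_hardened(params.get("host", ""))
    except ValueError as exc:
        return 400, str(exc)


if __name__ == "__main__":
    payload = "192.0.2.1; echo INJECTED"
    print(ping_vulnerable(payload), end="")   # second output line proves the injected command ran
    print(handle_request({"host": payload}, "t0k3n", {"t0k3n"}))   # (400, 'invalid host')
    print(handle_request({"host": "192.0.2.1"}, None, {"t0k3n"}))  # (401, ...)
```

Note that the fix is not "escape the semicolon": the hardened version never constructs a command string at all, so there is nothing to escape.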

The first attack that the researchers considered is a Mirai botnet like attack where a couple of thousand AT&T Directv boxes are used to attack the Internet and take down Google or Microsoft or whomever.  Definitely possible.

The researchers notified AT&T six months ago and AT&T has gone completely dark, so they are publishing the bug.  Maybe the fear of being on the front page of every newspaper in the country, now that every attacker who reads the write-up knows how to break in, will get AT&T off the dime.

From a user's perspective, there are only a couple of things you can do, and #1 is to completely isolate your AT&T devices from the rest of your network: put them on their own VLAN or on your router's guest network, with no route to your PCs and no way for a PC to reach the bridge's web server.

Information for this post came from The Register.


Russian Hacker Admits to Hacking DNC Last Year

A Russian hacker has confessed in court to hacking the DNC during last year’s election.  The Russian web site that is reporting this has not been friendly to Putin, so there are lots of dimensions to this conversation.

The web site says that Konstantin Kozlovsky stated that he was doing this on the direction of Russian state intelligence organizations.

Kozlovsky was arrested last year as part of the Lurk gang, accused of hacking Russian banks to the tune of $50 million.  He is currently being detained, and the admission came at a pre-trial hearing regarding his detention.

He said that he reported to an FSB officer, the FSB being one of Russia's spy organizations.  The intention, according to Kozlovsky, was to manipulate the U.S. election process.

The FSB officer he named is himself in prison, charged with treason for allegedly passing information to U.S. intelligence agencies.  Is this part of the source for the U.S. intelligence community's determination that Russia hacked our election last year?  Don't know.

Suffice it to say that this will make some interesting fodder for all of the Russia investigations going on in Washington.

It is not clear to me what Kozlovsky has to gain either by admitting he did it or by confessing to something he didn't do.

*IF* Putin had admitted that he orchestrated the attack and was looking for a fall guy, then lying about it under coercion might make sense, but in this case the confession makes Putin a liar and our President, well, duped by Putin.  Based on that, none of this makes any sense.

Neither Putin nor Trump has said anything about this testimony, so at this point all there is to do is stand to the side and watch the fight.

Information for this post came from Fortune.