Friday, August 15, 2014

Go in, don't bother knocking

A password like 'N^a&$1NG' could be cracked in approximately 3.75 days using an AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack 'GoodLuckGuessingThisPassword' using the same GPU. Of course, not all passwords are broken by brute force.

It's your choice: complexity in exchange for password length, or a long phrase at the cost of exposure to social engineering attacks? Whatever you choose, if you do not have lockout mechanisms or 2FA, your users' passwords (or your own) will fall one after another. If it is this hard to keep hackers out, in corporate environments things are even more complicated. "Who needs a hacker?" when Password1 opens one out of three business doors, wonders Darren Pauli at The Register. The security firm Trustwave tested over 625,000 passwords and broke 92% of them within a month, most of them in the first few minutes. This time, the most common password was Password1, followed by hello123, password and welcome1.
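To make the length-versus-complexity trade-off and the value of a lockout policy concrete, here is an added worked example (not code from the original post or from any of the sources it cites). It estimates the brute-force keyspace of the two passwords quoted above and compares an offline guessing rate against what an online attacker can attempt under a lockout policy. The guessing rate of ten billion hashes per second, the 32-character symbol set, and the lockout parameters are assumptions chosen for illustration; they are not the figures behind the 3.75 days and 17.74 years quoted in the post.

```python
import string

# Character classes a brute-forcer must cover. The symbol set is assumed to be
# Python's 32 printable ASCII punctuation characters (an assumption, not a
# figure taken from the post).
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

SECONDS_PER_DAY = 24 * 60 * 60


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every class present.

    A brute-forcer that sees an uppercase letter, a digit and a symbol in the
    target must search the full 94-character alphabet, not just the characters
    that actually occur.
    """
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from the inferred alphabet."""
    return alphabet_size(password) ** len(password)


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Average time to find the password: half the keyspace at the given rate."""
    return keyspace(password) / 2 / guesses_per_second


def max_online_guesses_per_day(attempts_before_lock: int, lockout_minutes: int) -> int:
    """Upper bound on guesses an online attacker gets against one account per day
    when the account locks for `lockout_minutes` after `attempts_before_lock`
    failures. Assumes the attacker waits out every lockout and nothing else slows
    them down (a deliberately generous bound)."""
    lock_windows_per_day = (24 * 60) // lockout_minutes
    return attempts_before_lock * lock_windows_per_day


def online_crack_days(password: str, attempts_before_lock: int, lockout_minutes: int) -> float:
    """Average days to brute-force the password online under the lockout policy."""
    per_day = max_online_guesses_per_day(attempts_before_lock, lockout_minutes)
    return keyspace(password) / 2 / per_day


if __name__ == "__main__":
    OFFLINE_RATE = 1e10          # assumed offline GPU rate, guesses per second
    ATTEMPTS, LOCK_MIN = 5, 15   # assumed policy: 5 failures, then 15-minute lock
    for pw in ("N^a&$1NG", "GoodLuckGuessingThisPassword"):
        offline_days = expected_crack_seconds(pw, OFFLINE_RATE) / SECONDS_PER_DAY
        online_days = online_crack_days(pw, ATTEMPTS, LOCK_MIN)
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}")
        print(f"  offline at {OFFLINE_RATE:.0e}/s : {offline_days:.3g} days")
        print(f"  online, {ATTEMPTS} tries / {LOCK_MIN} min lock: {online_days:.3g} days")
```

The point the numbers make is the one the paragraph makes in prose: raising the alphabet from 52 to 94 characters multiplies the keyspace by less than two per character, while each extra character multiplies it by the whole alphabet, so length wins; and a lockout policy drops the attacker from billions of guesses per second to a few hundred per day, which is why even the weak eight-character password becomes impractical to guess online. The lockout bound also shows its own limit: it protects one account against a vertical attack, but says nothing about an attacker trying Password1 once against every account, which is the scenario the Trustwave figures describe.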

The truth is that anyone with a small budget and enough knowledge can take control of whatever they want. At least that is the conclusion Russia Today reached after reporting how a group of enthusiasts took control of a satellite from the 70s, decommissioned by NASA but perfectly functional. Their control room was an old McDonald's restaurant. From flipping burgers to commanding a machine 20,000 miles away: it seems like a symbol of Western civilization, doesn't it?

In the end, it is all about finding the way to open the door as quietly as possible. Hence the importance of finding vulnerabilities before the "bad guys" do and make a mess of them. On Chema Alonso's blog we found a rich overview of the many vulnerabilities collected by Spanish researcher Ruben Santamarta in every kind of device using satellite communications, especially military-oriented ones. The consequences of exploiting these flaws give you the willies.

Of course, if we talk about technology, passwords and vulnerabilities... let's imagine a scenario that may not be too far off: instant facial recognition through databases connected to Google Glass. A police officer could arrest a murder suspect thanks to this kind of device, which would be able to recognize the alleged criminal. So far so good, right? But what if a cyber crook matches your face against your public (or perhaps not so public) data and blackmails you in broad daylight? It may seem crazy, but there are already companies specializing in blocking facial recognition.

In any case, it is not crazy to believe that we are exposed in a thousand ways. An old threat thought extinct, the Gameover Zeus botnet, has risen from the ashes, according to Arbor Networks. Google, which is making significant efforts to lead the battle for security, has just announced that it is expanding its Safe Browsing service to curb threats beyond web pages: for example, malicious applications posing as legitimate ones that try to go online when nobody asked them to.

Beyond strong and long passwords, vulnerable communications, fascinating technology with a dark side, and possibly infected computers, an unavoidable commitment is to report and publicize the risks, to mitigate the consequences as far as possible. So we ask for your support, and we always thank you for spreading the word on these issues. Have a good weekend.
