CyberSecurity Institute – Page 72 – Security News Curated from across the world

Sweet Password Security Strategy: Honeywords

Posted on May 9, 2013December 30, 2021 by admini

“Sometimes administrators set up fake user accounts (“honeypot accounts”) so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password file then attempts to login,” they said.

Accordingly, they recommend adding multiple fake passwords to every user account and creating a system that allows only the valid password to work and that alerts administrators whenever someone attempts to use a honeyword. “This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password,” they said.

On the other hand, if numerous attempted logins are made using honeywords, or if honeyword login attempts are made to admin accounts, then it’s more likely that the password database has been stolen. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users’ passwords have been compromised. But that approach is insecure, and password-security experts have long recommended that businesses use built-for-purpose password hashing algorithms such as bcrypt, scrypt or PBKDF2, which if properly implemented are much more resistant to brute-force attacks.

That’s why an early warning system such as the use of honeywords might buy breached businesses valuable time to expire passwords after a successful attack, before attackers have time to put the stolen information to use.

Link: http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334

Stats confirm malware built at record rates

Posted on May 8, 2013December 30, 2021 by admini

PandaLabs said trojans are particularly effective because of their ability to take advantage of vulnerabilities in commonly deployed third-party software, such as Java or Adobe, and be served through compromised websites.

“This attack method allows hackers to infect thousands of computers in just a few minutes with the same trojan or different ones, as attackers have the ability to change the trojan they use based on multiple parameters, such as the victim’s location, the operating system used, etc.,” according to PandaLabs.

Link: http://www.scmagazine.com.au/News/342296,stats-confirm-malware-built-at-record-rates.aspx?utm_source=feed&utm_medium=rss&utm_campaign=SC+Magazine+All+Articles+feed

Few businesses appear ready to defend themselves from cybercrime, report findsFew Businesses Appea

Posted on May 8, 2013December 30, 2021 by admini

The study released Wednesday found that of the businesses surveyed, about 70 per cent had no procedure in place to deal with a successful hack and only 22 per cent actually looked to identify where they were most vulnerable.

There was even less awareness of the government’s cyber-security strategy, with about seven per cent of respondents aware of the document that was released in 2010, and about 12 per cent aware of the government’s cybercrime prevention campaigns.

Of the 520 businesses surveyed in the national study, 69 per cent reported some kind of digital attack against them in the previous 12 months, with one-quarter saying the attack had “considerable” effects on their business.

The telephone survey of 520 companies across Canada touched on companies in six industries — financial services, airlines and shipping, telecommunications, critical infrastructure, aerospace and defence, and retail — and companies with revenues from under $1 million up to more than $100 million.

Microsoft releases fix-it for Internet Explorer 8 vulnerability

Posted on May 8, 2013December 30, 2021 by admini

The vulnerability is described as a problem in the way IE “accesses an object in memory that has been deleted or has not been properly allocated.”

The company normally issues updates for its products on the second Tuesday of the month, but will issue an out-of-schedule patch if the problem is deemed serious enough.

The code redirected people to another infected page within the site, which then attempted to exploit the IE 8 vulnerability. AlienVault said the hacking campaign appeared similar to a known China-based one called “DeepPanda,” which installed remote-access trojans (RATs).

Link: http://www.computerworld.com/s/article/9239041/Microsoft_releases_fix_it_for_Internet_Explorer_8_vulnerability?source=CTWNLE_nlt_dailyam_2013-05-09

Highly critical vulnerability fixed in Nginx Web server software

Posted on May 8, 2013December 30, 2021 by admini

The development team behind the popular Nginx open-source Web server software released security updates on Tuesday to address a highly critical vulnerability that could be exploited by remote attackers to execute arbitrary code on susceptible servers. Identified as CVE-2013-2028, the vulnerability is a stack-based buffer overflow and was first introduced…

Anonymous May 7 Target List Includes 12 Large Credit Unions

Posted on May 7, 2013December 30, 2021 by admini

Other credit union sites listed on the OpUSA post on Pastebin include the $54 billion Navy FCU of Vienna, Va., the $27 billion State Employees’ Credit Union of Raleigh, N.C., the $12 billion Boeing Employees Credit Union of Tukwila, Wash., the $9.8 billion SchoolsFirst FCU of Santa Ana, Calif., the $8.2 billion The Golden 1 Credit Union of Sacramento, Calif., the $5.4 billion Suncoast Schools FCU of Tampa, Fla., the $5.6 billion American Airlines FCU of Fort Worth, Texas, the $8.3 billion Alliant Credit Union of Chicago, the $7.2 billion Security Service FCU of San Antonio, Texas, the $6.2 billion San Diego County Credit Union of San Diego and the $5.8 billion America First FCU of Riverdale, Utah. John Magill, CUNA executive vice president of governmental affairs, said during a Monday morning press call he has spoken to NCUA staff members about the attack, and they said the regulator is aware of the target list and has contacted the 12 credit unions.

Kevin Prince, chief technology officer at the Santa Ana, Calif.-based technology management firm Compushare, said the attack could be impactful, but added nobody knows how it could play out. Compushare has worked on an FBI task force for a long time combating Anonymous cyberattacks, and Prince said the bureau “is having a hard time doing anything about it.”

Prince, who was a guest on CUNA’s call, recently released a white paper that reassures small financial institutions they’re not likely targets, but nonetheless provides ways to prepare in case they are, or simply worry they may be.

Instead, Prince advised, credit unions should work with their internet service provider to stop the attack “upstream” before it gets to the credit union’s website or online banking service.

Because most credit unions don’t host their own online banking site, working instead with a third party provider or core processor, their prep time would be better spent reviewing third party due diligence than attempting to shore up their own connections, he said.

The white paper, titled “DDoS Attacks: How Real Are the Risks for Community Financial Institutions”, is available to be downloaded on Compushare’s website.

Link: http://www.cutimes.com/2013/05/06/anonymous-may-7-target-list-includes-12-large-cred?ref=hp