Category Archives: Security

All blog posts relating to Security solutions and technologies.

How Can Utility Companies Navigate the Risks of Cyberspace?

The Internet is a hostile space for water utilities and their SCADA (Supervisory Control and Data Acquisition) systems. In a recent article, Global Water Intelligence Magazine spoke to a number of security experts, including T&VS, about how utilities should go about protecting themselves from malicious attacks.

The lessons from the Water utilities can equally apply to any industry where the increasing adoption of open internet protocols and wireless devices is forcing companies to evaluate their cyber security risk profile and strengthen their knowledge of cyber threats.

Mike Bartley
T&VS Founder and CEO

In the article Mike Bartley, CEO of T&VS, outlined that a good way to gauge a vendor's solutions is to check whether they at least adhere to the OWASP (Open Web Application Security Project) IoT Top 10 list of security vulnerabilities.

“I think if you’re looking at what is best practice then a lot of people can say OWASP is a good place to go to,” he said. “If they can say we’ve secured ourselves against the OWASP Top 10 that’s probably good practice but they should be able to demonstrate they have an ongoing assessment of the top 10 as well.”

Read the Full Article and the T&VS Security Solutions


Debenhams Flowers – Data breach hits 26,000 customers

Penetration Testing
Today saw Debenhams targeted as the latest victim of a cyber-attack. Up to 26,000 customers of its Flowers website have had their personal data compromised. Potentially crucial customer data was taken in the attack, including payment details, names and addresses. The attack targeted Ecomnova, a third-party e-commerce company. See the full BBC news story.

Every day there are new headlines of consumer data being misused or security concerns about data being hacked. The largest recent high-profile event was the data stolen from TalkTalk in 2016 by a 17-year-old boy who then tried to blackmail the organisation. 160,000 customer records were accessed. Estimates are that this event has cost TalkTalk, directly and indirectly, in the region of £60 million, before counting the ongoing brand damage. The list of other companies also targeted and brands affected includes household names such as Asda, Three Mobile, Tesco Bank, Morrisons, Moonpig, Sage and Wonga.


In just over a year's time, on 25 May 2018, the EU's General Data Protection Regulation (GDPR) will come into force; it is the most stringent and burdensome privacy mandate in the world. Don't assume it won't happen because of Brexit. It will happen, and doing nothing is likely to leave you with a huge fine. Companies that operate within the EU now need to take extra precautions to ensure the safety of their data, or face a fine of up to 4% of global turnover. You need to start preparing now to navigate the complexity involved in complying fully with the regulation.

GDPR is the biggest change in European data laws in the last 20 years. It is being implemented to ensure companies raise the bar on data protection and rebuild consumer trust. It will force companies to take a proactive view of their data policies and strategies. There must be accountability, responsibility, and the ability to demonstrate data privacy plans and implementations. The Information Commissioner's Office (ICO) will be enforcing it, and breaches will be severely punished.

Are you sure your systems are secure?

Let T&VS help ensure you are ready for 25 May 2018, guiding you through the challenging data privacy environment and compliance with the latest international regulations. Our team of data privacy experts will review where you have GDPR data stored and present recommendations on improvements. Find out about our Data Privacy Solutions

In parallel, our asureSECURE security team will analyse your infrastructure for potential weaknesses and provide assistance with ongoing security measures. If you would like to know more, please see our Security Solutions.

BBC Radio 4 Discuss Cyber Attacks by Freezers

BBC Radio 4 Today listeners were treated this morning (14/03/2017) to a discussion on how a freezer could potentially be used in cyber-attacks. The discussion was not about the new Doctor Who series, but a serious interview of Donald Toon, Director of Prosperity at the National Crime Agency, by a slightly perplexed John Humphrys. (Listen to the programme)

The interview was sparked by a new report on “The cyber threat to UK business”. The report's executive summary describes how the rise of internet-connected devices is giving attackers more opportunity to break into systems, leading to a significant and adaptable cyber threat to UK business; hence the discussion of internet-connected freezers. The past year has been punctuated by cyber-attacks on a scale and boldness not seen before, and the report gives a number of examples.

T&VS has been looking into this topic for several years and is already providing solutions to businesses around the world. For example:

  • Through Penetration Testing Services T&VS can try to attack your device to identify vulnerabilities. A report is written that explains how to fix the vulnerabilities, with re-testing advised. Click to see an Example Vulnerabilities Report.
  • Unfortunately, the security threat landscape is not static: new vulnerabilities and attacks are regularly discovered, so T&VS provides an ongoing Security Review of the threat landscape and recommends if and when your device and application software need updating.
  • T&VS also provides Enterprise Mobile Security software that can protect devices in the field, for example by locking down a device so that only certain features can be used and only an approved list of websites can be accessed.
  • In-house testing can be a bottleneck; the T&VS Crowdsourced Software Testing services offer access to 55,000 professional testers in 145 countries, capable of delivering 90 man-days of testing in 72 hours.
  • Finally, many businesses need to provide confidence to their B2B or B2C customers. T&VS can provide tailored Client Facing Security Reports or guidance on obtaining the appropriate certifications against the relevant standards.

The UK government is committed to making the UK a secure and resilient digital nation and T&VS is playing its part.

Just this week T&VS is presenting its wide range of cyber security products and services at Embedded World, and CEO Dr. Mike Bartley is presenting a talk on Securing the Internet of Things at the Cloud Security Expo at the London ExCeL Centre. T&VS is also attending the Future of Cyber Security Europe Conference to debate the stringent new General Data Protection Regulation (GDPR) legislation that all companies doing business in Europe will have to adhere to, and how it will affect UK business.

For additional information please Contact Us

Is IoT Really the New Wild West?

This weekend has seen many new headlines in the mainstream press regarding the recent botnet attack, creating more fear and further eroding consumer trust in IoT devices. Headlines such as:

  • “Do you want your shower to help Russian hackers?”
  • “IoT-enabled botnet launches record 1.5Tbps DDoS attack!”

Just why are IoT devices so vulnerable, and who is going to help fix the issues? Or is IoT really the new wild west?

Hijacking Internet Connected Devices

The botnet attack occurred because hackers were able to hijack a vast number of internet-connected devices (such as wifi routers and home cameras), which they then used to throw vast amounts of junk traffic at the DNS services operated by the US company Dyn. With the DNS service down, hundreds of very popular websites were inaccessible, including Netflix, Twitter, GitHub and AirBnB.

Why were IoT devices used in such an attack?

The reason is simple: most of the devices have very limited security measures, which meant the hackers could easily place their malware on them. A recent HP survey found that over 70 percent of the IoT devices and sensors examined were susceptible to one or more of the vulnerabilities in the OWASP Internet of Things Top 10. Over the last few years there have been many examples of security flaws in IoT devices, such as the very public case of Osram Lightify smart bulbs, which security experts found could enable hackers to breach home Wi-Fi networks. Nine flaws in the Home and Pro versions of Osram Lightify could let attackers gain access to the home Wi-Fi network and control the lights. Connected devices create an increased level of intrusion in our lives, generating new types and unprecedented quantities of data, which raises further the importance of quality and security in such products.

Who is at Fault for IoT Security Vulnerabilities?

Consumer trust in IoT is already low, but who is going to start addressing the issues? Is it the responsibility of the consumer who owns the device to ensure it has the latest security patches? Is it the networks that allow the attacks to occur and could block the traffic? Is it the manufacturers who produce the products, and should they be required to maintain updates for a set period?

The problem with IoT is that consumers won't fix it, as they demand cheap products, and manufacturers are meeting that demand by creating simple products, sometimes on a shoestring. The only real answer has to be increased regulation, but there is currently a myriad of competing standards all fighting for top spot. Whilst the industry waits for governments and IoT consortiums to start the regulation process, it has to be up to the IoT providers to ensure the quality and security of their products.

The Solution

They must ensure that products pass through a rigorous QA process and are verified against the latest security standards. There must also be consideration for ongoing maintenance of the products, ensuring they are regularly updated according to their criticality. Unless these issues are addressed, the only winners in the IoT wild west will be the hackers.

The T&VS IoT lab and certification process helps companies to ensure their products conform to the latest industry standards and QA and security testing best practices.

For more information see: T&VS IoT lab and certification

Find out more at the 52nd Test Management Forum

Mike Bartley
Founder & CEO, T&VS

Mike Bartley, CEO and Founder of T&VS, will expand on this discussion at the 52nd Test Management Forum taking place in London on Wednesday 26 October 2016. Join us there.

Update: Presentation Slides Now Available

Abstract of talk:

The Internet of Things (IoT, aka M2M) refers to an expanding network of interconnected internet-enabled devices. In the future everything will be connected; current thinking is that only 2% of items in the world are connected and there is still 98% to go! Estimates suggest that by 2020 there will be in the region of 50bn IoT devices, all talking with one another on a constant basis.

If you are a manufacturer, solution builder, or service provider, how will you ensure that your solution works, and will it stay connected to the different access points? IoT is going to drive the importance of interoperability between different markets, sectors and technologies. Customers today vote with their feet and are not loyal to poorly performing products. How will you test your product under varying network conditions? How will your device work in the wild?

In this talk we will discuss what is required of an “IoT device testing lab”: for example, conformance to all the standard protocols, connection with the standard network providers, and some basic security testing.

We will also discuss whether we should consider an “IoT Kitemark” to provide some level of assurance.

The great OWASP resource on application security testing

Declan O’Riordan, head of security testing, T&VS; Arulselvar Thomas, security expert, T&VS India

The reality is that applications written in .NET, PHP, Java and similar languages are insecure by design, insecure by default and insecure in deployment, because their entire security model is based on the assumption that no malicious code will be executed in their environment.

Insecure applications are a problem for nearly every business with an online presence, and the more complex and interconnected an IT infrastructure becomes, the harder it can be to secure the applications. More powerful web applications mean more complicated code, carrying a greater risk of coding flaws, which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious players bent on profiteering from data theft or gaining online notoriety. In this article I would like to highlight the different application security frameworks available from OWASP.

OWASP

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It has been a registered non-profit Organisation in Europe since June 2011.

Why OWASP?

OWASP draws together national and international legislation, standards, guidelines, committees, and industry codes of practice. All online application security materials and frameworks are thoroughly reviewed by OWASP's 30,000+ volunteers before being published under the OWASP brand, so anyone can learn important lessons on application security from OWASP documentation. OWASP currently has over 142 active information security projects, with new project applications being submitted every week.

Different OWASP security domains

An OWASP project is a collection of related tasks with a defined roadmap and team members. The OWASP Top 10 vulnerability list is an example of a project that is very popular with both developers and testers. Initially OWASP projects concentrated on application security, addressing 95% of security issues across platforms such as .NET, PHP and Java, and releasing free tools and security resources in these areas. Due to market demand OWASP has now also started addressing potential new security issues across domains such as smartphone technology, the Internet of Things (IoT) and SCADA security, amongst others.

OWASP core values

OWASP's Top 10 materials and best practice guidelines are aimed at both developers and security auditors, encouraging more open source products and projects to carry out effective security testing. This helps organisations and security researchers with cost-effective security testing. OWASP's core values are:

  • OPEN – Everything at OWASP is radically transparent, from OWASP finances to OWASP code.
  • INNOVATION – OWASP encourages and supports innovation and experiments for solutions to software security challenges.
  • GLOBAL – Anyone around the world is encouraged to participate in the OWASP community.
  • INTEGRITY – OWASP is an honest and truthful, vendor-neutral, global community.

OWASP guidelines

OWASP provides comprehensive documentation and guidelines for demonstrating application security across all domains, and addresses a large number of application security compliance controls. This should help developers and testers to better understand their application security and achieve certification where required. OWASP also relates its guidance to external security standards and regulations, providing a general application security framework that covers industry best practices such as:

  • BSIMM – The Building Security In Maturity Model
  • CMMI – Capability Maturity Model Integration
  • CLASP – Comprehensive, Lightweight Application Security Process
  • COBIT – Control Objectives for Information and Related Technology
  • COSO – The Committee of Sponsoring Organizations
  • ISF – Information Security Forum's Standard of Good Practice
  • ITIL – Information Technology Infrastructure Library
  • ISO/IEC 27001:2005 and ISO/IEC 27002:2005
  • HIPAA – Health Insurance Portability and Accountability Act
  • MS SDL – Microsoft Security Development Lifecycle
  • NIST Handbooks (e.g. the “800 Series”)
  • OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • OpenSAMM – Software Assurance Maturity Model
  • PCI DSS – Payment Card Industry Data Security Standard

Conclusion

OWASP provides awareness and guidelines for web application security. The experts at OWASP have concluded that security vulnerabilities represent a serious risk to agencies and companies that have exposed their business logic to the Internet. Web application security problems are as serious as network security problems, although they have traditionally received considerably less attention. Attackers have begun to focus on web application security problems and are actively developing tools and techniques for detecting and exploiting them. Developers and testers need to respond, and a great first step is to look at the OWASP Secure Coding Practices, the Testing Guide, the ASVS checklist and the OWASP Top 10 lists.

What you should do

  • Educate your developers about OWASP's application security framework.
  • Educate your functional testers to improve their test cases with respect to the basic OWASP security requirements.
  • Application owners should maintain awareness of the OWASP standards to reduce the risk of information security non-compliance.
  • Adopt OWASP best practices throughout the application development lifecycle.
  • Develop a culture where security is an ongoing process rather than a one-time implementation consideration.


Free white papers on how to start building and testing secure web applications

The purpose of these documents is to set out good practice for avoiding security vulnerabilities on any web application project. They include:

      – An explanation of web application security development and testing
      – Guidelines for developers and testers to reduce the top ten application security risks

Download your free white papers now

References

      – OWASP – https://www.owasp.org/
      – Wikipedia – http://en.wikipedia.org/wiki/OWASP
      – DenimGroup – http://www.denimgroup.com/blog/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html
      – Critical Watch – http://www.criticalwatch.com/assets/c-Owasp-to-Wasc-to-CWE-Mapping-Tech-Paper-0710131.pdf


Web Application Security: An Executive Briefing (London, 26 Feb.)

Due to unforeseen circumstances this event has had to be cancelled.

We are working to reschedule the event for later in the year and will post updates on our website. Our apologies to those already registered.

Declan’s recent talk at a similar event in Bristol is now Available for Download

Session Overview

If your company writes or uses software connected to the internet, this briefing will inform you of the security threats you face and your responsibilities in respect of those threats, and will give practical suggestions on how to discharge those responsibilities effectively.

  • Thursday 26 February 2015
  • 8:00am-9:30am (UK times) – Doors open at 7:30am
  • London, UK (Runway East, Old Street)
  • Register below to ensure your FREE place

About the Presenter

Declan O’Riordan is Head of Security Testing at T&VS and winner of the prestigious “Best Paper” and “Best Session” awards at the EuroSTAR 2014 conference on software testing. Declan has worked for both large and small companies and across a broad range of sectors, from insurance and banking to retail and government agencies. Declan is well known for speaking on IT security in general and application security in particular, and believes it is both possible and essential for project teams to have a working understanding of security.

Abstract

Internet security is an area that is not well understood, even by many of your IT staff. This is a golden age for hackers, with breaches increasing at a tremendous rate according to the latest Verizon report.

What are the realities of the Sony cyber attack?

Declan O’Riordan, head of security testing, T&VS

Cyber security became a big story over the Christmas period, in particular regarding two major problems at Sony. The second hack was a distributed denial of service attack by a group calling itself ‘LizardSquad’ on the Sony PlayStation and Xbox Live networks, which prevented millions of young (and some not-so-young) users from playing online computer games during the holiday season. There is a good article on the details of that attack written by investigative journalist Brian Krebs here.

The primary Sony hack had much greater political consequences. FBI director James Comey presented his firm conclusions at a Fordham Law School cybersecurity conference, saying that he has “very high confidence” in the FBI's attribution of the attack to North Korea. He named several of the sources of his evidence, including a “behavioural analysis unit” of FBI experts trained to psychologically analyse foes based on their writings and actions. He also said that the FBI compared the Sony attack with its own “red team” simulations to determine how the attack could have occurred. Perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Korea. The FBI story is covered by Wired here.

Unfortunately the confidence displayed by the US intelligence services is all very reminiscent of the Iraqi weapons of mass destruction that turned out to have no more credible a source than some bloke in the pub. What about the possibility that this attacker, who has shown the ability and willingness to bounce their connections all over the world, is simply bouncing their messages off the North Korean IP infrastructure? It's also quite possible that someone other than the real attacker joined the party and sent threatening messages as GOP (Guardians of Peace). Unlike tracking a missile trajectory to its source, attributing attacks in cyberspace is extremely hard; Thomas Rid and Ben Buchanan have written an article on this subject. It is much easier to launch cyber-attacks than to defend against them, and unless you are a government, retaliation is illegal.

There are many theories regarding not just the source of the Sony attack, but also the methods used to obtain and publish confidential emails. One entirely credible notion is that some Sony staff, including executives, had very weak passwords. I've written a T&VS article of my own to explain how hackers not only use weak passwords to start an attack, but also target the file storing all the user password hashes in the database, and how that can lead to a massive data breach. The article will provide you with an insight that few non-experts have, and help you understand whether your enterprise is getting it right (or not)!

Read Declan’s password article here.

Declan O’Riordan, Head of T&VS Security Testing, will be following up his prize-winning EuroSTAR conference paper with a live webinar of his presentation:

  • Webinar: ‘The What? Why? Who? How? Of Application Security’
  • 11 February 2015, 2:00pm – 3:00pm (GMT)
  • Register to attend this FREE webinar at TESTHuddle

In May this year Declan will also be speaking in the USA at STAR East and presenting two application security workshops for developers and testers in Brussels at Belgium Testing Days.

I can see your password from here!

Declan O’Riordan, head of security testing, T&VS

How to keep your business protected

I have no mind-reading abilities, but I'm going to make a prediction: the password you chose for your employer's corporate website probably requires eight characters or more, and must include three of the following four character types: upper case letters; lower case letters; numbers; special characters. Nothing unusual in that, but hackers know you probably selected a capital letter as the first character, followed by five lower-case letters, and ending in two digits, e.g. London15. If the minimum password length is nine characters, you'll probably add another lowercase letter at position seven, e.g. Bristol15. If instead you have to use all four character types, you'll likely add a special character at the end, e.g. Bristo1!.

This is because, instead of everyone making random individual choices, groups of people follow patterns of behaviour that result in predictable password topologies. Let's work through the consequences of those password topologies for cyber security and understand why 97% of LinkedIn passwords have been ‘cracked’.

Have you ever wondered what happens to your password after it has been created? It needs to be stored in a database for comparison with the password entered every time authentication is invoked for your account, for example when you log in. Some absolutely reckless organisations store and transmit those passwords ‘in the clear’ (i.e. unencrypted), which makes it incredibly easy for attackers to obtain access to every user account and cause massive damage. Since hackers make password files a priority target during a breach, every password should be ‘hashed’, i.e. converted by an algorithm (known as a cryptographic hash function) from plain text into a unique ‘hash digest’.

To authenticate a user, the password presented by the user is hashed using the same algorithm and compared with the stored hash. Hash algorithms are one-way functions: they turn any amount of data into a fixed-length ‘fingerprint’ that cannot be reversed. This means the original passwords cannot be retrieved if forgotten or lost; they have to be replaced with new ones.

If any part of the input changes, the resulting hash is totally different, as these SHA-256 digests show:

   hash(“hello”) = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
   hash(“hbllo”) = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
   hash(“waltz”) = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542
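The store-and-verify flow described above, as an added example (not code from the original article): it computes the SHA-256 digests quoted, keeps only digests in a constructed user store, and authenticates by re-hashing the candidate password and comparing in constant time. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac


def hash_password(password: str) -> str:
    """Plain SHA-256 of the password, as in the article's example digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# The "password file": username -> digest. Constructed sample accounts; the
# plaintext never needs to be stored once the digest has been computed.
USER_STORE = {
    "alice": hash_password("hello"),
    "bob": hash_password("waltz"),
}


def authenticate(store: dict, username: str, candidate: str) -> bool:
    """Re-hash the presented password and compare it with the stored digest."""
    stored = store.get(username)
    if stored is None:
        return False
    # compare_digest runs in constant time, so a wrong guess does not leak
    # how many leading characters of the digest already matched.
    return hmac.compare_digest(stored, hash_password(candidate))


def differing_hex_digits(digest_a: str, digest_b: str) -> int:
    """Number of positions where two 64-hex-digit digests differ (avalanche effect)."""
    return sum(1 for a, b in zip(digest_a, digest_b) if a != b)


if __name__ == "__main__":
    for word in ("hello", "hbllo", "waltz"):
        print(f'hash("{word}") = {hash_password(word)}')
    print("hello vs hbllo differ in",
          differing_hex_digits(hash_password("hello"), hash_password("hbllo")),
          "of 64 hex digits")
    print("alice/hello  ->", authenticate(USER_STORE, "alice", "hello"))
    print("alice/hbllo  ->", authenticate(USER_STORE, "alice", "hbllo"))
    print("carol/hello  ->", authenticate(USER_STORE, "carol", "hello"))
```

Changing one letter of the input changes almost every hex digit of the output, which is exactly why a digest is a usable fingerprint; note, though, that this is the unsalted, single-round hashing the article goes on to criticise, so two users with the same password get the same digest.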

There are several ways hackers can crack the security provided by hashed passwords:

  • Dictionary attacks: Using common passwords, phrases, words and other strings such as ‘leet speak’ (“hello” becomes “h3110”) to guess a password, hashing every word in the list and comparing the results to the hash values in the stolen password file once the breach is underway.
  • Brute-force attacks: Try every possible combination of characters up to a given length. These attacks are computationally expensive and inefficient, but will always find the password eventually. The best defences make searching through all possible strings take too long to be worthwhile.
  • Lookup tables: Pre-compute the hashes of candidate passwords and compare them with hundreds of genuine password hashes per second. Try it against your own password by hashing it here: http://www.hashemall.com/ then using a free hash cracker https://crackstation.net/
  • Reverse lookup tables: Create a lookup table that maps each password hash from the compromised user account database to the list of users who had that hash, since many users often have the same passwords. The attacker then hashes each password guess and uses the lookup table to get a list of users whose password was the attacker's guess.
  • Rainbow tables: Reduce the size of lookup tables so that more hashes can be stored in the same amount of space. This saves memory but reduces cracking speed.

You might think the odds of finding matches between guessed password hashes and a database of genuine password hashes would be very long, but the ‘birthday paradox’ proves that wrong. How many other people must be in the same room as you for the chance to be better than even that one of them shares your birthday? Answer = 253. How many people must be in the same room for the chance to be better than even that at least two of them share a birthday? Answer = 23.

In the first instance you are looking for someone with a specific birthday date that matches your own. In the second instance, you are looking for any two people who share the same birthday. There is a higher probability of finding two people who share a birthday than finding another person who shares your birthday. Hackers tend to look for any two matching password hashes (their guesses and any password database hash) rather than persistently trying to brute-force one particular hash value.
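The two birthday questions above, worked through as an added example (not from the original article): one function gives the chance that one of n other people shares a fixed birthday, the other the chance that any two of n people share some birthday, and a search finds the smallest group for which each chance passes one half. The `space` parameter is an assumption added here so the same arithmetic can be read with "days" replaced by "possible values".

```python
def prob_specific_match(n: int, space: int = 365) -> float:
    """Chance that at least one of n other people shares *your* birthday.

    Each of the n people misses with probability (space - 1) / space.
    """
    return 1.0 - ((space - 1) / space) ** n


def prob_any_match(n: int, space: int = 365) -> float:
    """Chance that at least two of n people share *some* birthday.

    Multiply the chances that each successive person avoids every
    birthday already taken, then take the complement.
    """
    all_distinct = 1.0
    for i in range(n):
        all_distinct *= (space - i) / space
    return 1.0 - all_distinct


def smallest_group(prob_fn, threshold: float = 0.5, space: int = 365) -> int:
    """Smallest n for which prob_fn(n) exceeds the threshold."""
    n = 1
    while prob_fn(n, space) <= threshold:
        n += 1
    return n


if __name__ == "__main__":
    print("someone shares YOUR birthday (> 50%):", smallest_group(prob_specific_match))
    print("ANY two share a birthday    (> 50%):", smallest_group(prob_any_match))
    # The same arithmetic with a larger space: the "any pair" threshold grows
    # roughly with the square root of the space, the "specific" one linearly.
    print("space=10,000: specific", smallest_group(prob_specific_match, space=10_000),
          "any", smallest_group(prob_any_match, space=10_000))
```

The gap between 253 and 23 is the cracker's advantage: a guess list compared against a whole table of stolen hashes is an "any pair" search, not a search for one specific value.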

A simple £2,000 password cracking tool with three high-end GPU (graphics) cards could crack all eight-character NTLM password hashes (NTLM is the Microsoft Windows NT LAN Manager authentication mechanism) in 3.7 days, all eight-character MD5 (a message-digest algorithm used as a cryptographic hash function) password hashes in 8 days, all eight-character SHA1 password hashes (as used by LinkedIn) in 24 days, and all eight-character SHA256 password hashes in 64 days. However, it would take 999999999 billion years to crack all eight-character scrypt password hashes (as recommended by OWASP, but used by zero internet accounts). Clearly we have options!

As length is added, the time to crack password hashes gets longer. The same tool that could crack all eight-character MD5 password hashes in 8 days would take 750 days to crack all nine-character MD5 password hashes, 188 years to crack all ten-character MD5 password hashes, and 17,000+ years to crack all 11-character MD5 password hashes.
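The "options" the previous two paragraphs point to are a per-user salt and a deliberately slow, key-stretching hash, which the article lists among its defences at the end. As an added example (not the article's code), this stores passwords with PBKDF2-HMAC-SHA256 from Python's standard library; the article recommends scrypt, which `hashlib.scrypt` provides on builds with OpenSSL 1.1 or later, and the structure below is the same. The iteration count and the sample passwords are constructed values.

```python
import hashlib
import hmac
import os

# Constructed setting: tune upward until one verification costs tens of
# milliseconds on your servers. Every extra iteration costs the cracker too.
ITERATIONS = 200_000
SALT_BYTES = 16


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Key-stretched hash: PBKDF2 runs HMAC-SHA256 `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """Build the stored record: random salt, iteration count and the derived hash."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": stretch(password, salt).hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = stretch(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(expected, actual)


def plain_sha256(password: str) -> str:
    """Unsalted single-round hash, for contrast only."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_same_hash(password: str) -> tuple:
    """Returns (plain hashes equal?, salted records equal?) for two users sharing a password."""
    plain_equal = plain_sha256(password) == plain_sha256(password)
    salted_equal = create_record(password)["hash"] == create_record(password)["hash"]
    return plain_equal, salted_equal


if __name__ == "__main__":
    record = create_record("London15")   # constructed sample password
    print("stored record:", record)
    print("correct password verifies:", verify(record, "London15"))
    print("wrong password verifies:  ", verify(record, "London16"))
    print("(plain equal, salted equal) for two users with the same password:",
          same_password_same_hash("London15"))
```

The salt defeats the lookup and reverse-lookup tables described earlier, because no two users share a digest and no table can be precomputed before the salt is known; the iteration count is what turns "8 days for every eight-character MD5 hash" into the timescales the article quotes for scrypt.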

Now remember those predictable password topologies I mentioned in the introduction? They really shorten the odds of a cracking tool finding a matching password hash after a site is compromised, because priority is given to the common topologies.

Generally, computer users have no clue what makes a password complex and therefore use simple, predictable passwords. Users typically pick the lowest common denominator that the policies will allow. Most Internet sites do not actually require users to choose complex passwords and are a decade behind enterprises on password policy, while those enterprise policies haven't changed for ten years. Password cracking, however, has progressed a great deal and makes mincemeat of many poorly defended password files.

One of the new methods is ‘password reuse’. For example, the LinkedIn domain administrator password of 11 random characters had been used on LinkedIn one year previously and had already been cracked. Hackers will reuse the passwords they have cracked previously, including the passwords you use on other sites they have cracked. Think about your Facebook, LinkedIn, Skype, Twitter and corporate passwords. How similar are they? Hackers probably already have at least one of them.

Another rule is password generation based on previous data. People stick to simple rules like putting a number at the end of the password.

In addition there is generation based upon the user base or source of a password leak (e.g. Link, Linked, Linkedin, LinkedIn).

Finally there are pattern-based (topology) attacks using selective brute force. Rather than testing all possible passwords, the attack targets specific subsets and tries all passwords that fit the pattern (topology). Since users gravitate towards certain topologies, a disproportionate number of passwords can be cracked by targeting those topologies.

In a sample of 263,888 password hashes at a Fortune 100 enterprise, 7,308 unique topologies were found. The top five patterns were used by 48% of all users, and the top 100 patterns by 85% of all users. Yet 99.9% of the passwords met the complexity requirements. Where U = uppercase letter, l = lowercase letter and d = digit, the most popular were:

       Ullllldd (8 char) 12.7% e.g. London15

       Ulllllldd (9 char) 12.7% e.g. Bristol15

       Ullldddd – 10.6% e.g. Pass2015

       Ulllllllldd – 7.3% e.g. Password15

       Ulllldddd – 5% e.g. Nicky2015

Armed with this insight, hackers are attacking password files and thousands of sites are suffering massive breaches. 630 sites using the MD5 hashing algorithm alone were compromised last year. Only about 1% of password hacks become public knowledge because most organizations prefer not to admit their customer data has been abused. We only know 97% of LinkedIn passwords are currently hacked because the password hashes were posted on a message board anonymously six months after they were obtained.

Many tools intended to rate password strength are very inaccurate because they ignore topologies. The password complexity meter ‘How secure is my password’ scored ‘Denver14’ as 15 hours, when actually it took researchers from KoreLogic less than two minutes to crack. However, the Kaspersky complexity meter rated ‘Denver14’ as three seconds to crack because it recognised the topology and is scripted to know how hackers and password crackers work.

We need better defences to frustrate password crackers. There are many, many defences that can be put in place to control the threat of password cracking, but everything associated with cryptography seems hard and is often poorly understood, even by the project teams implementing solutions.

Do get in touch if you’d like T&VS to provide hands-on advice for enforcing and evolving password complexity, black-listing the most common predictable topologies and dictionary words, limiting the number of users gravitating towards the same topologies, requiring a minimum topology change between old and new passwords, password rotation, password storage, hash formats, salts, using key stretching functions, and transferring our security knowledge into your project teams to make a long-term difference: http://www.testandverification.com/solutions/security/
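As an added example (not code from this post, KoreLogic or T&VS), the following Python computes the U/l/d topology used in the table above, reports how concentrated a password sample is in its top five topologies, and implements two of the defences just listed: a topology blacklist and a minimum topology change between old and new passwords. The sample passwords and the `BANNED_TOPOLOGIES` set are constructed from the figures quoted in the post.

```python
from collections import Counter
from typing import List, Optional

def topology(password: str) -> str:
    """Map each character to its class: U=uppercase, l=lowercase, d=digit, s=other."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("U")
        elif ch.islower():
            classes.append("l")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)

def topology_report(passwords):
    """Return (share of users on the top five topologies, all topologies by count)."""
    counts = Counter(topology(p) for p in passwords)
    ranked = counts.most_common()
    top5_share = sum(c for _, c in ranked[:5]) / max(len(passwords), 1)
    return top5_share, ranked

# The five most common topologies from the enterprise sample quoted above;
# a real deployment would generate this list from its own audit data.
BANNED_TOPOLOGIES = {"Ullllldd", "Ulllllldd", "Ullldddd", "Ullllllldd", "Ulllldddd"}

def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Policy check: reject blacklisted topologies and an unchanged topology on rotation."""
    problems = []
    t = topology(candidate)
    if t in BANNED_TOPOLOGIES:
        problems.append(f"topology {t} is on the blacklist")
    if previous is not None and topology(previous) == t:
        problems.append("new password keeps the old password's topology")
    return problems

# Constructed sample (not real credentials), mirroring the examples in the post.
SAMPLE = ["London15", "Bristol15", "Pass2015", "Password15", "Nicky2015",
          "Denver14", "Summer2015", "correct-horse-battery", "qwerty123"]

if __name__ == "__main__":
    share, ranked = topology_report(SAMPLE)
    print(f"top five topologies cover {share:.0%} of the sample: {ranked[:5]}")
    for pw, old in (("Denver14", None), ("Summer2016", "Winter2015")):
        print(pw, check_password(pw, old) or "ok")
```

Note that ‘Denver14’, which one strength meter rated at 15 hours, is rejected outright because it shares the single most common topology in the sample.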

Free white papers on how to start building and testing secure web applications.
The purpose of these documents is to set out good practice for avoiding security vulnerabilities on any Web Application project and they include:

       – An explanation of Web Application Security Development and Testing

       – Guidelines for developers and testers to reduce the top ten application security risks

Download your free white papers now.

Free briefing / webinar on Internet Security (20 January 2015).
If your company writes or uses software connected to the Internet this briefing will inform you of the security threats you face, your responsibilities in respect of those threats and practical suggestions on how to discharge those responsibilities.

Register for the briefing / webinar here.

Blog references:
OWASP: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
Adriancs & Taylor Hornby: Salted Password Hashing – Doing it Right
Shon Harris: All in one CISSP
KoreLogic research: https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies

Return on investment for hackers

Declan O’Riordan, head of security testing, T&VS
You’re a criminal. You want a good return on your investments. Actually I hope the former statement is false but expect the latter is probably true. When it comes to cyber-attacks there appear to be some methods that are far more likely to succeed than others. Let’s take a look at some figures revealed by Verizon.

In their sample of 63,437 incidents (i.e. events that adversely affect information assets), physical theft and loss of IT assets such as laptops accounted for 14% of all incidents. You might expect a corresponding 14% of breaches (i.e. confirmed data compromise) to be caused by physical theft and loss. Actually, the number of associated breaches is less than 1%, due to effective security measures such as user authentication and data encryption. Insider misuse is a common problem at 18% of all incidents, but again the number of successful breaches is considerably lower, at 8%. The lesson here for attackers is that some malicious actions provide a poor rate of return and are best left to opportunists.

[Figure: threat incidents versus breaches, Verizon data]

Which types of attack offer a good chance of success? It’s difficult to analyse how much preparation goes into a typical web application attack, since some are far more crafted than others and successful criminals tend to keep their trade secrets secret. One thing we can see is that while web application attacks amounted to a mere 6% of incidents, they led to a whopping 35% of all effective security breaches in the sample. That is by far the largest percentage for any type of threat. It is, unsurprisingly, a strong growth area for attacks.

Are there any threats that provide a better chance of breaching security? Yes, several. Both Point of Sale (POS) intrusions and card skimmers featured in less than 1% of incidents each but led to 14% and 9% of breaches. The greatest probability of success of all threat types comes from the most organized of malicious parties: cyber-espionage. Whereas amateurs and hacktivists might mess about with Denial of Service attacks (3% of intrusions, 0% of breaches), the hard-core cyber criminals work in well-organised project teams with clear objectives. Cyber-espionage accounts for 1% of incidents but 22% of breaches!

What lessons can honest parties learn from this? I would suggest we target our defence spending according to the current most serious threats. Clearly web applications need to be designed, developed and tested to be more secure. The security of POS and card payment systems leaves much to do, especially in securing devices, locking down hub-and-spoke retail domains, and reducing trust in systems with external access. As for cyber-espionage, the spies will be looking for weaknesses in every area, and that means a wholesale improvement in making people more aware, putting secure processes in place, and configuring the technology to do what the customer wants and not what the spy wants it to do!


Security should be built in, not added later…

By: Declan O’Riordan Head of Security Testing, T&VS


Prologue: It was the best of security, it was the worst of security and based on true events…

Project A had a team that learned how to design, code, and test security into their application from start to finish. The secure application provided all the functionality customers wanted, and none of the vulnerabilities hackers aim to exploit.

Project B hoped for the best. The designers assumed users would only submit data that could be trusted, and anyone using the system was a trusted user. The developers decided there was no point in trying to build self-defending applications – “because hackers will always get in anyway”…