FROM THE EDITORS AT CYBERSECURITY VENTURES
PasswordNews.com — sponsored by Thycotic — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy security issues with passwords ranging from stolen credentials to purchasing stolen passwords on the black market.
Weak passwords result in major breaches
LinkedIn and Tor made the headlines, but no one suffered damage on the scale of Yahoo in 2016, except, maybe, the Internet of Things.
Menlo Park, Calif. – Jan. 3, 2017
Of the millions of users connected to the internet, few are not suffering from security fatigue. The constant reminders to change passwords have many ignoring password security altogether.
Yahoo continued to make the headlines as more details of their massive breach came to light. The fear of password reuse across multiple sites and platforms had many companies urging their customers to err on the side of caution and change their passwords.
Given that passwords are one of the weakest links in security, researchers are exploring the viability of biometrics and other technologies to help protect user accounts. A new report from Cybersecurity Ventures and Thycotic concludes that passwords are here to stay, and that the world will need to protect 300 billion passwords by 2020.
Dec. 29. Given that security experts say some of the best hackers are able to break two-thirds of all passwords, it’s recommended that people change their passwords often and use complex phrases like “Rov3rWENT2Mark3t.”
Dec. 29. Changing passwords is one of the easiest baseline steps internet users can take to work toward stronger cybersecurity in 2017.
Dec. 23. Multi-factor authentication, biometrics, training, and other controls that go beyond passwords can help protect enterprise data, given that most users rarely change their passwords and frequently reuse them across personal and business accounts.
Dec. 22. Yahoo’s massive breach might be the harbinger of the password’s passing. Experian predicts the death of the password in the aftermath of the breach, which will likely continue to have implications for years to come.
Dec. 22. Groupon cites stolen login credentials as the cause of fraudulent logins and purchases, underscoring that password reuse makes accounts vulnerable even when the site itself has not been hacked.
Dec. 19. MD5 has long been known to be unsuitable for storing passwords (it is a fast digest with no salt or work factor of its own), yet the security team at Yahoo struggled to get approval for the tools they needed, which likely contributed to the largest data breach on record.
Dec. 19. The online learning site Lynda.com (owned by LinkedIn) suffered a breach in which hackers gained access to 9.5 million accounts, despite the company’s use of PBKDF2 to hash the passwords. A slow, salted hash like PBKDF2 raises the cost of offline guessing but does not rescue weak or reused passwords, which is why a reset is still warranted after such a breach.
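The difference between the two items above, as an added example that is not code from Yahoo, Lynda.com or this report: the same rule-based dictionary attack is run against a constructed set of accounts stored first as unsalted MD5 and then as salted PBKDF2-HMAC-SHA256. The wordlist, the mangling rules, the user records and the deliberately low iteration count are all assumptions made for the demonstration. It shows that weak passwords fall in both stores, that the unsalted store is cracked with one hash per guess for all users at once (and reveals which users share a password before any guessing starts), and that PBKDF2 multiplies the attacker's work by the number of users and iterations.

```python
"""Rule-based dictionary attack: unsalted MD5 versus salted PBKDF2.

Added example, not Yahoo's or Lynda.com's code. Accounts, wordlist,
mangling rules and the iteration count are constructed for the demo.
"""
import hashlib
import hmac
import itertools
import os
import time

# Assumed work factor, kept low so the demo runs in seconds; production uses far more.
ITERATIONS = 1_000

# Constructed base wordlist (includes the words the Dec. 9 survey found most common).
WORDLIST = ["password", "love", "star", "girl", "angel", "rover", "market"]

# Substitutions and suffixes that rule-based crackers try first.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2016", "2017"]

# Constructed sample accounts; alice and eve share a password on purpose.
USERS = {
    "alice": "p@ssw0rd",
    "bob": "Angel123",
    "carol": "Rov3rWENT2Mark3t",
    "dave": "love2017",
    "eve": "p@ssw0rd",
}


def mangle(word):
    """Yield every candidate a small rule set derives from one base word: each
    subset of leet substitutions, three case forms, and common suffixes."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*choices):
        variant = "".join(combo)
        for cased in (variant, variant.capitalize(), variant.upper()):
            for suffix in SUFFIXES:
                yield cased + suffix


def md5_unsalted(password):
    """Legacy storage: one fast, unsalted digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password, salt, iterations=ITERATIONS):
    """Salted, iterated derivation: each guess costs `iterations` HMACs per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_stores(users):
    """The same accounts stored two ways: unsalted MD5 and salted PBKDF2."""
    md5_store = {u: md5_unsalted(p) for u, p in users.items()}
    pbkdf2_store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        pbkdf2_store[u] = (salt, pbkdf2_salted(p, salt))
    return md5_store, pbkdf2_store


def crack_md5(store, candidates):
    """Unsalted: one digest per candidate is checked against every user at once."""
    by_digest = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, []).append(user)
    cracked, hashes = {}, 0
    for cand in candidates:
        hashes += 1
        for user in by_digest.get(md5_unsalted(cand), []):
            cracked[user] = cand
    return cracked, hashes


def crack_pbkdf2(store, candidates):
    """Salted: every candidate is re-derived per user with that user's salt,
    so cost scales with users x candidates x iterations."""
    cracked, derivations = {}, 0
    for user, (salt, digest) in store.items():
        for cand in candidates:
            derivations += 1
            if hmac.compare_digest(pbkdf2_salted(cand, salt), digest):
                cracked[user] = cand
                break
    return cracked, derivations


def run_attack(users=USERS):
    """Run the same attack against both stores and report what fell and at what cost."""
    md5_store, pbkdf2_store = build_stores(users)
    candidates = sorted({c for w in WORDLIST for c in mangle(w)})
    t0 = time.perf_counter()
    md5_cracked, md5_ops = crack_md5(md5_store, candidates)
    t1 = time.perf_counter()
    pbkdf2_cracked, pbkdf2_ops = crack_pbkdf2(pbkdf2_store, candidates)
    t2 = time.perf_counter()
    return {
        "candidates": len(candidates),
        "md5_cracked": md5_cracked, "md5_ops": md5_ops, "md5_seconds": t1 - t0,
        "pbkdf2_cracked": pbkdf2_cracked, "pbkdf2_ops": pbkdf2_ops,
        "pbkdf2_seconds": t2 - t1,
        # identical unsalted digests expose shared passwords with no cracking at all
        "shared_md5_digest": md5_store["alice"] == md5_store["eve"],
    }


if __name__ == "__main__":
    r = run_attack()
    for store in ("md5", "pbkdf2"):
        print(f"{store}: cracked {sorted(r[store + '_cracked'])} with "
              f"{r[store + '_ops']} hash operations in {r[store + '_seconds']:.2f}s")
```

The passphrase account survives both stores only because it is not a mangled dictionary word; the other four fall either way, which is the point of the reset advice above. Raise `ITERATIONS` to see the PBKDF2 time grow linearly while the MD5 time stays flat.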
Dec. 15. Time Magazine reported on everything users need to know about the Yahoo breach, noting that the accounts of nearly 150,000 government employees were hacked, potentially posing a risk to national security.
Dec. 15. An unauthorized third party, believed to be state-sponsored, forged cookies and impersonated users at Yahoo, meaning accounts could be accessed without a password at all. As more information comes to light about the enormous attack, the scarred company struggles to change its security procedures.
Dec. 13. Password manager LastPass now offers cross-device syncing for free, encouraging wider use of password management and making it an accessible security option for internet users.
Dec. 13. Survey reveals that adults use (and reuse) simple-to-remember passwords because the fear of forgetting a password outweighs the fear of being hacked.
Dec. 12. Fast food giant KFC warns members of its Colonel’s Club to change their passwords after an attack targeted 30 of its 1.2 million members.
Dec. 9. Research into 50,000 compromised email addresses and passwords reveals that 42 percent of those who used their username as their password had their accounts hacked, and that the most commonly used passwords include the words ‘love’, ‘star’, ‘girl’, and ‘angel’.
Dec. 8. Biometrics may not be the most secure solution to the password problem. Hackers can still steal a fingerprint or replicate a digital version, and unlike a password, a compromised fingerprint cannot be changed.
Dec. 6. The Commission on Enhancing National Cybersecurity warned President Obama that passwords make committing cybercrime easy for black hats. TLS technology was offered as a possible solution.
Dec. 5. Turns out the attack on TalkTalk’s broadband routers was a bit more extensive than originally suspected, and customers are once again urged to change their passwords.
Nov. 30. Hackers gambled on the U.K. National Lottery’s security and won big, gaining access to 226,500 of its 9.5 million registered players’ accounts.
Nov. 23. Deliveroo denied that its site had been compromised, blaming credential reuse from other hacked sites like LinkedIn for fraudsters gaining access to customer accounts. The finger-pointing emphasizes the urgent need to change both passwords and user behavior.
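What the Groupon and Deliveroo items describe is credential stuffing: leaked username/password pairs from one breach replayed against another site. As an added example that is not code from either company, the detection below runs over a constructed login log (the line format, the TEST-NET addresses, the sample events and the thresholds are all assumptions). It separates the stuffing signature (one source trying many different accounts, mostly failing, with the occasional success that marks a takeover) from a user mistyping their own password and from a brute-force run against a single account, and it returns the accounts that need a forced reset.

```python
"""Flag credential stuffing in a login log and list the accounts to reset.

Added example, not Deliveroo's or Groupon's code. Log format, sample lines
and thresholds are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt (TEST-NET addresses). Three behaviours:
#   198.51.100.20  one user mistyping their own password, then succeeding
#   203.0.113.7    eight different accounts in 21 seconds, two of them succeed
#   198.51.100.55  one account hammered repeatedly (brute force, not stuffing)
SAMPLE_LOG = """\
2016-11-22T10:00:01Z ip=198.51.100.20 user=alice result=FAIL
2016-11-22T10:00:09Z ip=198.51.100.20 user=alice result=FAIL
2016-11-22T10:00:20Z ip=198.51.100.20 user=alice result=OK
2016-11-22T10:15:00Z ip=203.0.113.7 user=alice result=FAIL
2016-11-22T10:15:03Z ip=203.0.113.7 user=bob result=OK
2016-11-22T10:15:06Z ip=203.0.113.7 user=carol result=FAIL
2016-11-22T10:15:09Z ip=203.0.113.7 user=dave result=OK
2016-11-22T10:15:12Z ip=203.0.113.7 user=erin result=FAIL
2016-11-22T10:15:15Z ip=203.0.113.7 user=frank result=FAIL
2016-11-22T10:15:18Z ip=203.0.113.7 user=grace result=FAIL
2016-11-22T10:15:21Z ip=203.0.113.7 user=heidi result=FAIL
2016-11-22T10:30:00Z ip=198.51.100.55 user=carol result=FAIL
2016-11-22T10:30:02Z ip=198.51.100.55 user=carol result=FAIL
2016-11-22T10:30:04Z ip=198.51.100.55 user=carol result=FAIL
2016-11-22T10:30:06Z ip=198.51.100.55 user=carol result=FAIL
2016-11-22T10:30:08Z ip=198.51.100.55 user=carol result=FAIL
2016-11-22T10:30:10Z ip=198.51.100.55 user=carol result=FAIL
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(lines):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5,
                    min_fail_ratio=0.5):
    """Sliding window per source IP. An IP is flagged when, within `window`, it has
    tried at least `min_users` distinct accounts and most attempts failed. A single
    account failing repeatedly never trips this rule: that is brute force against
    one user and needs its own detection. Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        recent = deque()
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {e["user"] for e in recent}
            fails = sum(e["result"] == "FAIL" for e in recent)
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                alerts[ip] = {
                    "attempts": len(recent),
                    "distinct_users": len(users),
                    "failures": fails,
                    # successes from a stuffing source are the accounts taken over
                    "compromised": sorted(e["user"] for e in recent
                                          if e["result"] == "OK"),
                }
    return alerts


def accounts_to_reset(alerts):
    """Union of accounts that any flagged source logged into successfully."""
    return sorted({u for a in alerts.values() for u in a["compromised"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG.splitlines()))
    for ip, a in found.items():
        print(f"{ip}: {a['distinct_users']} accounts, {a['failures']}/{a['attempts']} "
              f"failed, took over {a['compromised']}")
    print("force reset:", accounts_to_reset(found))
```

Real stuffing traffic is spread across many source addresses and uses far more attempts per window, so a production rule would key on additional fields (user agent, ASN, device fingerprint) and use lower failure ratios; the structure stays the same. The successes from a flagged source are the important output: those are the accounts whose owners reused a password that was already in someone else's dump.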
Nov. 22. Despite concerns over the pitfalls of biometric technologies, Visa partners with BioConnect, betting that biometric authentication can be made to work well on the right platform.
Nov. 22. Default passwords were one of many security concerns discussed at a meeting of the Subcommittee on Commerce, Manufacturing, and Trade.
Nov. 20. Changing default passwords on IoT devices through the mobile app or web page provided with the device will help to secure wireless devices at home and in the office.
Nov. 17. Massive DDoS attacks by the Mirai botnet, which recruited IoT devices by logging in with their default passwords, prompted two government agencies to share guidance on how to approach IoT security.
Nov. 16. Security experts question the ethics of companies that pay criminals on the black market for stolen passwords, arguing instead that, with a little more effort, the same information can be found by cross-referencing public data dumps.
Nov. 14. The WindTalker system analyses WiFi radio signals, which a user’s finger movements on a touchscreen disturb in measurable ways; researchers say this makes it possible to infer passwords and other private information as the user types them.
Nov. 11. Facebook buys stolen passwords on the black market, which the company says helps keep its 1.79 billion user accounts safe by checking them against credentials stolen from multiple platforms.
Nov. 10. Using Tor and a password manager are just two of the ways security researchers recommend protecting your private information from government surveillance.
Nov. 8. By exploiting weaknesses in how passwords are reset, a 29-year-old hacked into more than 1,000 email accounts at two US universities.
Nov. 8. In the aftermath of Mirai, experts look back and question what could have been done differently, identifying hard-coded passwords in IoT devices as one of the eleven key takeaways.
Nov. 7. As they look ahead at the long lasting effects that could result from Mirai’s botnet, the FDA issues guidelines for manufacturers of internet connected devices.
Nov. 4. Serpent ransomware, a new version of the PayDOS batch-file ransomware, ships with a hard-coded unlock password and distributes batch files that rename files rather than encrypting them.
Nov. 2. LastPass boosts its service offerings, allowing users free multi-device access.
Oct. 29. Falling victim to a phishing email that a Clinton campaign IT official had mistakenly described as legitimate, John Podesta clicked on a fraudulent link, giving hackers access to his account.
Oct. 27. Presenting a brain challenge for their customers, a Thai restaurant in San Antonio, Texas posts a complicated math equation for those who want to use their free WiFi. The answer to the problem is the password.
Oct. 21. Wanted for stealing 117 million passwords in the LinkedIn hack, Yevgeniy Aleksandrovich Nikulin, a 29-year-old Russian, was arrested in Prague and indicted by a grand jury in connection with the hacking of three different websites.
Oct. 16. Lack of security in IoT devices prompts European Commission to draft new requirements that will enhance the security of those devices, including those with default passwords and those with passwords that can easily be bypassed.
Oct. 14. Changing passwords is seen as an overwhelming task by computer users who suffer from ‘security fatigue’. Unfortunately, failing to follow best password practices leaves those users more vulnerable.
Oct. 14. An overwhelming majority of the 200 IT decision makers surveyed by SecureAuth Corporation believe that passwords will be non-existent in five years.
Oct. 14. Select Netflix customers received different versions of an alert advising them that their email and password might have been leaked as the result of a breach at another organization.
Oct. 11. As a fun test of user awareness around password security, the Financial Times offers a quiz for readers to test their knowledge. It turns out that “pAsswOrd” is 4,000 times stronger than “p@ssw0rd”: the familiar character substitutions are among the first rules a cracker applies to a dictionary word, while unpredictable capitalisation is not.
Oct. 8. To mitigate security risks, Amazon issued an email alert telling users that their password had been changed after a list of compromised credentials was published online.
Oct. 7. Researchers at the University of Washington hope that sending passwords from a device through the human body via low-frequency signals might be the security technique of the future.
Oct. 5. Password manager applications, including Dashlane, Keeper, 1Password, and LastPass, are good ways to increase password security on personal devices.
Oct. 5. Pay-by-selfie rolls out for some Mastercard holders across Europe who can now use facial recognition biometrics instead of a password to complete payment transactions.
Oct. 3. The Mirai botnet that knocked Brian Krebs offline with the largest DDoS attack on record was largely successful thanks to these 61 default passwords.
Oct. 2. Wombat Security CTO offers tips for password hygiene and recommends using a password manager application and two factor authentication to keep passwords in order.
– Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.
© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.