Password News

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q1 2017

PasswordNews.com — sponsored by Thycotic — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy security issues with passwords ranging from stolen credentials to purchasing stolen passwords on the black market.

SECOND EDITION

Password hacks and stolen identities at the epicenter of security breaches

Solutions to password challenges might be the marriage of education and innovation.

Kacy Zurkus

Menlo Park, Calif. – Mar. 31, 2017

Passwords continue to be the bane of the security industry, with some even calling them its Achilles' heel. As new developments in biometrics aim to offer alternatives to the password, many local media outlets try to help consumers understand how to stay safe online.

Password management applications, once regarded as a trusted way to store and generate passwords, are proving that no software is impervious to attack.

PASSWORD DIARY

March

Mar. 30. A new report details the impact that cybercrime has had on higher education institutions, noting that hacktivists and scammers are sharing, selling, or simply giving away stolen .edu passwords and other account credentials.

Mar. 22. Amidst all the hype over claims that Apple’s iCloud had been hacked, experts suggest remaining calm and changing passwords.

Mar. 21. A flaw in a content script of the LastPass Chrome extension allowed attackers to read stored usernames and passwords and even execute commands on the user's computer.

Mar. 17. In the wake of the indictment of Russian hackers charged with hacking hundreds of millions of Yahoo accounts, many local and national news outlets offer tips on developing stronger passwords.

Mar. 15. A new biometric technology that reads a user's lip movements, which are very difficult to mimic, might offer a more secure alternative to passwords.

Mar. 13. A study attempts to understand changing attack surfaces and the effect social media will have on the growing number of compromised passwords.

Mar. 10. Many express concern over the proposal to collect passwords at US borders, a measure seen as antithetical to the first rule of online security: never share your passwords.

RELATED: 2016 BLACK HAT HACKER SURVEY: Hackers support data privacy but are still willing to crack your passwords for a price.

Mar. 10. Mulling over the conundrum of how to secure passwords raises the question of whether human beings should even know what their passwords are.

Mar. 9. During National Consumer Protection Week, local news sources provide helpful advice to help keep consumers safe online by creating secure passwords.

Mar. 8. The maker of the DoorBird IoT video intercom charges a steep fee for a password reset, and customers are not happy.

Mar. 7. Even if mobile devices have yet to cause security problems for the enterprise, this guide explains how to protect against mobile threats: encourage end users to avoid unsecured Wi-Fi, use strong passwords, and turn on two-factor authentication (2FA).

Mar. 6. Dark web vendor, SunTsu583, posted for sale one million Gmail and Yahoo account credentials, sourced from a variety of hacks going back to 2008.

Mar. 4. Tens of thousands of parents in the UK who recorded messages for their children on CloudPets smart toys had their personal details exposed from a database that was reachable over the internet without a password.

Mar. 4. Personal information from thousands of sites was compromised after a bug in Cloudflare's edge servers leaked fragments of memory, potentially including session data and other sensitive information, for months. Given the widespread use of the service and the lack of clarity over exactly which websites were affected, now is a good time to change those passwords, again.

Mar. 2. At least one security issue was found in each of the top nine password management applications available in the Google Play store.

Mar. 1. Music fans were able to rest at ease after news of a hack took center stage. Despite their website being compromised by hackers, Coachella’s promotion company, Goldenvoice, reported that no passwords or payment information was stolen.

Mar. 1. Devices that authenticate people by their unique physical traits are pitched as the next-generation technology that may finally solve the password problem.

February

Feb. 27. Disconcerting results of a Keeper Security Inc. survey reveal the frequency with which users both reuse and change their passwords.

Feb. 23. Passwords are deemed the heart of the security problem behind the escalation in breaches. Enterprises can take a combined approach to securing their assets, which should include limiting user access privileges and phasing out passwords.

Feb. 22. A nonprofit technology coalition, the Center for Democracy & Technology, argues that collecting passwords at borders puts travelers around the world at risk.

Feb. 16. Following best practices in security awareness is a safe bet that will keep end users from gambling on their password security. These tips could help the enterprise stay ahead of potential threats.

Feb. 15. Even though the Toys 'R' Us chain itself wasn't hacked, accounts in its member rewards program were compromised, most likely by attackers using passwords stolen from other sites (credential stuffing).

Feb. 12. An unnamed university fell victim to its own smart devices, including a vending machine, when a botnet spread across them by brute forcing default or weak passwords.

RELATED: FREE Guide: Top 5 Privileged Account Security Reports CISOs Live For

Feb. 10. Offering self defense tutorials for the digital world, this ‘how to’ guide walks readers through the process of setting up a password manager.

Feb. 8. A look at whether collecting passwords for social media sites as a requirement to enter the US makes any sense in the security world.

Feb. 6. A hacker at Central Michigan University stole usernames and passwords and used them to access employees' W-2 forms.

Feb. 3. Even though there is a lot of buzz around the exciting innovations in biometric technologies, some question whether fingerprints and voice recognition will be any safer when it comes to authentication.

Feb. 2. A flaw discovered in Schneider Electric's StruxureWare Data Center Expert software could give a remote attacker access to unencrypted passwords.

Feb. 2. Gamers learn the hard way that they need to take password security seriously after a hack of an Xbox piracy forum affects 2.5 million users.

Feb. 1. And the winner is... the University of Wisconsin's list of the worst passwords of 2016 names 25 horribly weak passwords. The number one spot went to '123456'.

Feb. 1. A new ‘smart router’ comes to market claiming to offer security without the use of a password to login.

January

Jan. 31. The state of Kentucky takes a big step forward in password protection by joining the National Cyber Security Alliance (NCSA) and urging citizens to create strong passwords.

Jan. 28. Indifference proves to yet again be the root of all evil, especially online. For those who think they can flout the warnings of password vulnerabilities, know that not caring is not an option.

Jan. 27. LeakedSource, a well known source for website breach data, goes dark after having sold access to billions of stolen passwords.

Jan. 26. Farewell to Gmail. Sean Spicer's accidental tweet, which looked suspiciously like a password, is a helpful reminder of the need to update some important security information.

Jan. 26. New biometrics technology using voice recognition instead of passwords claims to have seen a decline in fraud.

Jan. 25. The financial industry sees a potential resolution to the problem of offering customers interoperability with third-party apps without asking them to share their passwords.

Jan. 20. Students are suspected of stealing teachers' passwords and changing grades at the University of Iowa.

RELATED: New Report Finds 300 Billion Passwords Will Be at Risk By 2020

Jan. 20. The passwords that employees use at work are only as safe as those they would use in their personal lives, which doesn’t bode well for enterprise security.

Jan. 19. The transition of power at the White House was not impacted by the fact that many members of the incoming cabinet, including cybersecurity advisor Rudy Giuliani, have had their passwords exposed in past breaches.

Jan. 17. A vulnerability affecting the forums of both Clash of Clans and Clash Royale could give their members quite a headache, as third-party hackers are reportedly able to access user emails and hashed passwords.

Jan. 16. Using different languages and converting sentences to passphrases are just a couple of ways that users can create strong passwords.

Jan. 16. OWASP points out the antiquated security practices used by McDonald's, noting that cross-site scripting is not only bad in itself but also leaves users' passwords remotely exposed to attack.

Jan. 12. With only a third of internet users creating different passwords for multiple accounts, many are leaving the door to their digital identities wide open for attackers.

Jan. 6. For those who are tentative about trusting their browsers to store their passwords, know that some browsers have strengthened their security features, but few are without risks.

Jan. 5. Banks that offer the convenience of cardless ATM withdrawals aren’t necessarily accounting for the possibility that a criminal could use a stolen username and password to conduct a fraudulent transaction.

Jan. 5. Hoping that consumers will start the new year off by banging out some new passwords, this local Ohio station challenges people to test the strength of their password security.

Jan. 3. National Strategy for Trusted Identities in Cyberspace (NSTIC) is challenged with finding the best solution to the password problem, leaving them to determine whether fingerprints and iris scanning are more secure alternatives.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.


Q4 2016


FIRST EDITION

Weak passwords result in major breaches

LinkedIn and Tor made the headlines, but no one suffered damage the likes of Yahoo in 2016, except, maybe, the Internet of Things.

Kacy Zurkus

Menlo Park, Calif. – Jan. 3, 2017

Of the millions of users connected to the internet, few are free of security fatigue. The constant reminders to change passwords have many ignoring password security altogether.

Yahoo continued to make the headlines as more details of their massive breach came to light. The fear of password reuse across multiple sites and platforms had many companies urging their customers to err on the side of caution and change their passwords.

Given that passwords are one of the weakest links in security, researchers are exploring the viability of biometrics and other technologies to help protect user accounts. A new report from Cybersecurity Ventures and Thycotic finds that passwords are here to stay, and that the world will need to protect 300 billion passwords by 2020.

PASSWORD DIARY

December

Dec. 29. Given that security experts say some of the best hackers are able to break two thirds of all passwords, it’s recommended people change their passwords often and use complex phrases like “Rov3rWENT2Mark3t.”

Dec. 29. Changing passwords is one of the easiest baseline steps internet users can take to work toward stronger cybersecurity in 2017.

Dec. 23. Multi-factor authentication, biometrics, training, and other good security alternatives beyond passwords can work to protect enterprise data, given that most users don’t often change and frequently reuse their passwords across personal and business accounts.

Dec. 22. Yahoo's massive breach might have been the harbinger of the password's passing. Experian predicts the death of the password in the aftermath of the breach, which will likely continue to have implications for years to come.

Dec. 22. Groupon cites stolen login credentials as the cause for fraudulent logins and purchases, emphasizing the fact that password reuse makes accounts vulnerable even if the site itself has not been hacked.

Dec. 19. MD5 has long been known to be unsuitable for protecting passwords, yet the security team at Yahoo struggled to get approval for the tools they needed, which likely contributed to the largest data breach on record.

Dec. 19. The online learning site Lynda.com (owned by LinkedIn) suffered a breach in which hackers gained access to 9.5 million accounts, despite the company's use of PBKDF2 to hash its passwords.

Dec. 15. Time Magazine reported on everything users need to know about the Yahoo breach, citing that the accounts of nearly 150,000 government employees were hacked, potentially posing a risk to national security.


Dec. 15. An unauthorized third party, believed to be a state-sponsored actor, forged cookies and impersonated users at Yahoo. As more information comes to light about the enormous attack, the scarred company struggles to change its security procedures.

Dec. 13. Password management system provider, LastPass, offers cross-platform syncing as a free option on its tool, encouraging password management use in order to make security an accessible option for internet users.

Dec. 13. Survey reveals that adults use (and reuse) simple to remember passwords because the fear of forgetting a password outweighs the fear of being hacked.

Dec. 12. Fast food giant, KFC warns members of the Colonel’s Club that their passwords should be changed after an attack targeted 30 of its 1.2 million members.

Dec. 9. After researching 50,000 compromised emails and passwords, data reveals that 42 percent of those who used their username as their password had their accounts hacked, and that the most commonly used passwords include the words 'love', 'star', 'girl', and 'angel'.

Dec. 8. Biometrics may not be the most secure solution to the password problem. Hackers can still steal a fingerprint or replicate a digital version of it.

Dec. 6. The Commission on Enhancing National Cybersecurity warned President Obama that passwords make committing cybercrime easy for black hats. TLS technology was offered as a possible solution.

Dec. 5. Turns out the attack on TalkTalk’s broadband routers was a bit more extensive than originally suspected, and customers are once again urged to change their passwords.

November

Nov. 30. Hackers gambled on the U.K. National Lottery's security protocols and won big, gaining access to 226,500 of its 9.5 million registered player accounts.

Nov. 23. Deliveroo denied that its site had been compromised, blaming credential reuse from other hacked sites like LinkedIn for fraudsters gaining access to customer accounts. The finger pointing emphasizes the urgent need to change both passwords and user behavior.

Nov. 22. Despite concerns over the pitfalls of biometric technologies, Visa partners with BioConnect, betting that biometric authentication is viable when built on the right platform.

Nov. 22. Default passwords were one of many security concerns discussed at a hearing of the Subcommittee on Commerce, Manufacturing, and Trade.

Nov. 20. Changing default passwords on IoT devices through the mobile app or web page provided with the device will help to secure wireless devices at home and in the office.

Nov. 17. The massive DDoS attacks by the Mirai botnet, which spread by logging into IoT devices with factory-default passwords, prompted two government agencies to share guidance on how to approach IoT security.

Nov. 16. Security experts question the ethics of companies who pay criminals on the black market for stolen passwords, arguing instead that with a little more effort, the information can be found through cross-referencing data dumps.


Nov. 14. The WindTalker technique analyzes Wi-Fi radio signals (channel state information) to infer a victim's keystrokes, through which researchers say it is possible to recover passwords and other private information.

Nov. 11. Facebook says that buying stolen passwords on the black market helps keep its 1.79 billion user accounts safe: it checks the purchased credentials against its own users' accounts and prompts anyone affected to reset.
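The Dec. 19 entries above (Yahoo's unsalted MD5, Lynda.com's PBKDF2) and the Nov. 16 and Nov. 11 entries (cross-referencing dumps, checking bought credentials against live accounts) describe two sides of the same mechanism. The following Python is an added example, not code from the page or from any of the companies named. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt and 100,000 iterations, and every account and dump in it is constructed. It shows why unsalted hashes let an attacker match users across dumps without cracking anything, and how a site can scan a leaked plaintext dump against its own salted hashes to decide whom to force-reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256, a random
# 16-byte salt per user, 100,000 iterations. Tune the count to your hardware.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password still get different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def unsalted_md5(password: str) -> str:
    """The legacy scheme behind the Dec. 19 Yahoo entry: one fast, unsalted hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def cross_reference_unsalted(dump_a: Dict[str, str], dump_b: Dict[str, str]) -> List[str]:
    """Given two dumps of {email: unsalted_md5_hex} from different sites, return
    the emails whose hash is identical in both. Nothing is cracked: equal
    unsalted hashes mean equal passwords, so password reuse is visible for free."""
    return sorted(email for email, h in dump_a.items() if dump_b.get(email) == h)


def find_reused_credentials(user_store: Dict[str, Tuple[bytes, bytes]],
                            leaked_dump: List[Tuple[str, str]]) -> List[str]:
    """Flag accounts whose current password equals a plaintext entry in a
    third-party dump. Each leaked plaintext is re-hashed with that user's own
    salt, so the site never stores plaintext or weakens its own hashes."""
    flagged = []
    for email, leaked_pw in leaked_dump:
        record = user_store.get(email.lower())
        if record is not None and verify_password(leaked_pw, *record):
            flagged.append(email.lower())
    return sorted(flagged)


# Constructed sample data; none of these are real accounts or real dumps.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": hash_password("123456"),
    "bob@example.com": hash_password("123456"),           # same password as alice
    "carol@example.com": hash_password("Rov3rWENT2Mark3t"),
}
LEAKED_DUMP: List[Tuple[str, str]] = [
    ("alice@example.com", "123456"),      # reused here: must be reset
    ("carol@example.com", "hunter2"),     # different password on the other site
    ("dave@example.com", "qwerty"),       # not one of our users
]


def demo() -> List[str]:
    """Run the reuse scan over the constructed data."""
    return find_reused_credentials(USERS, LEAKED_DUMP)


if __name__ == "__main__":
    print("same MD5 for alice and bob:", unsalted_md5("123456") == unsalted_md5("123456"))
    print("same PBKDF2 digest for alice and bob:",
          USERS["alice@example.com"][1] == USERS["bob@example.com"][1])
    print("accounts to force-reset:", demo())
```

The scan only works when the dump contains plaintext (or passwords the buyer has already cracked); the cost of the scan is one PBKDF2 derivation per dump entry that matches one of your users, which is exactly the cost that makes PBKDF2 worth using in the first place.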

Nov. 10. Using Tor and a password manager are just two of the ways security researchers recommend protecting your private information from government surveillance.

Nov. 8. By exploiting weaknesses in how passwords are reset, a 29 year old hacked into more than 1,000 email accounts at two US universities.

Nov. 8. In the aftermath of Mirai, experts look back and question what could have been done differently, identifying hard-coded passwords in IoT devices as one of the eleven key takeaways.

Nov. 7. As they look ahead at the long lasting effects that could result from Mirai’s botnet, the FDA issues guidelines for manufacturers of internet connected devices.

Nov. 4. Serpent ransomware, a new variant of the batch-file ransomware PayDOS, renames files rather than encrypting them, and the password it demands to undo the damage is hard-coded in the script, so victims can recover without paying.

Nov. 2. LastPass boosts their service offerings, allowing users to have free multi-device access.

October

Oct. 29. Falling victim to a phishing email that a Clinton campaign IT official had mistakenly deemed legitimate, John Podesta clicked a fraudulent link that gave hackers access to his account.

Oct. 27. Presenting a brain challenge for their customers, a Thai restaurant in San Antonio, Texas posts a complicated math equation for those who want to use their free WiFi. The answer to the problem is the password.

Oct. 21. Wanted for stealing 117 million passwords in the LinkedIn hack, Yevgeniy Aleksandrovich Nikulin, a 29-year-old Russian was arrested in Prague and indicted by a grand jury in connection with the hacking of three different websites.

Oct. 16. Lack of security in IoT devices prompts European Commission to draft new requirements that will enhance the security of those devices, including those with default passwords and those with passwords that can easily be bypassed.

Oct. 14. Changing passwords seen as an overwhelming task for computer users who suffer from ‘security fatigue’. Unfortunately, the failure to adhere to best password practices leaves users more vulnerable.

Oct. 14. An overwhelming majority of the 200 IT decision makers surveyed by SecureAuth Corporation believe that passwords will be non-existent in five years.


Oct. 14. Select Netflix customers received different versions of an alert advising them that their email and password might have been leaked as the result of a breach at another organization.

Oct. 11. A fun test of user awareness around password security, the Financial Times offers a quiz for readers to test their knowledge. Turns out that “pAsswOrd” is 4,000 times stronger than “p@ssw0rd.”

Oct. 8. To mitigate security risks, Amazon issued an email alert telling users that their password had been changed after a list of compromised credentials was published online.

Oct. 7. Researchers at the University of Washington hope that sending passwords from a device through the human body via low-frequency signals might be the security technique of the future.  

Oct. 5. Password manager applications, including Dashlane, Keeper, 1Password, and LastPass, are good ways to increase password security on personal devices.

Oct. 5. Pay-by-selfie rolls out for some Mastercard holders across Europe who can now use  facial recognition biometrics instead of a password to complete payment transactions.

Oct. 3. The Mirai botnet, which knocked Brian Krebs' site offline in the largest DDoS attack on record at the time, owed much of its success to a list of just 61 default passwords.
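The Feb. 12 (university vending machines), Nov. 17 and Oct. 3 entries all describe the same pattern: a bot cycling through a short list of factory-default usernames and passwords on each device it finds until one works. The following Python is an added example, not from the page or from any Mirai analysis. It parses OpenSSH-style "Accepted/Failed password" log lines (the host, addresses and timestamps in the sample are constructed) and flags a source that fails against several different usernames inside a short window, plus any successful login from a source that was failing moments before. The thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# OpenSSH "Accepted/Failed password" lines; syslog format carries no year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Assumed thresholds (not from the page): 5 failures from one source inside
# 60 seconds is treated as a credential-list sweep.
WINDOW_SECONDS = 60
MAX_FAILURES = 5
LOG_YEAR = 2016  # supplied when parsing because the lines omit it

# Constructed sample log: host name, addresses and times are made up.
SAMPLE_LOG = """\
Oct 14 03:12:01 cam01 sshd[2101]: Failed password for root from 198.51.100.7 port 40211 ssh2
Oct 14 03:12:03 cam01 sshd[2102]: Failed password for admin from 198.51.100.7 port 40212 ssh2
Oct 14 03:12:05 cam01 sshd[2103]: Failed password for invalid user support from 198.51.100.7 port 40213 ssh2
Oct 14 03:12:06 cam01 sshd[2104]: Failed password for invalid user user from 198.51.100.7 port 40214 ssh2
Oct 14 03:12:08 cam01 sshd[2105]: Failed password for invalid user guest from 198.51.100.7 port 40215 ssh2
Oct 14 03:12:09 cam01 sshd[2106]: Failed password for root from 198.51.100.7 port 40216 ssh2
Oct 14 03:12:11 cam01 sshd[2107]: Accepted password for root from 198.51.100.7 port 40217 ssh2
Oct 14 03:15:40 cam01 sshd[2130]: Accepted password for ops from 192.0.2.10 port 51000 ssh2
Oct 14 03:20:00 cam01 sshd[2140]: Failed password for ops from 203.0.113.5 port 51010 ssh2
Oct 14 03:20:00 cam01 sshd[2140]: Received disconnect from 203.0.113.5 port 51010
""".splitlines()


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for Accepted/Failed password events, None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines: List[str]) -> List[Dict]:
    """Two detections, tracked per source address:
    - 'bruteforce': MAX_FAILURES or more failures inside WINDOW_SECONDS. The
      distinct usernames are reported because a Mirai-style bot walks a fixed
      credential list, so it fails across many accounts rather than one.
    - 'success_after_failures': an accepted login while failures are still in
      the window, i.e. the list found a working default."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)   # src -> [(ts, user)] failures inside the window
    alerted = set()
    findings = []
    for e in events:
        src = e["src"]
        recent[src] = [(t, u) for t, u in recent[src]
                       if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if e["result"] == "Failed":
            recent[src].append((e["ts"], e["user"]))
            if len(recent[src]) >= MAX_FAILURES and src not in alerted:
                alerted.add(src)
                findings.append({"type": "bruteforce", "src": src,
                                 "attempts": len(recent[src]),
                                 "users": sorted({u for _, u in recent[src]})})
        elif recent[src]:
            findings.append({"type": "success_after_failures", "src": src,
                             "user": e["user"], "prior_failures": len(recent[src])})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample the first finding fires at the fifth failure from 198.51.100.7 (five distinct usernames in eight seconds), and the second fires when the same source is then accepted as root; the lone failure from 203.0.113.5 never reaches the threshold. On a real device the "success_after_failures" event is the one to page on: it means a default credential on that host still works.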

Oct. 2. Wombat Security CTO offers tips for password hygiene and recommends using a password manager application and two factor authentication to keep passwords in order.


© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.