<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PC Pro blog &#187; Security</title>
	<atom:link href="http://www.pcpro.co.uk/blogs/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.pcpro.co.uk/blogs</link>
	<description>Blogging in the real world</description>
	<lastBuildDate>Wed, 08 Feb 2012 16:54:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>No wonder people are confused by security&#8230;</title>
		<link>http://www.pcpro.co.uk/blogs/2011/11/02/no-wonder-people-are-confused-by-security/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/11/02/no-wonder-people-are-confused-by-security/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 09:30:47 +0000</pubDate>
		<dc:creator>Nicole Kobie</dc:creator>
				<category><![CDATA[Newsdesk]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=45061</guid>
		<description><![CDATA[
The Met Police can feel justifiably proud of themselves, with an investigation leading to the jailing for many years of a pair of criminals who attacked computers with malware to steal £3 million from UK bank accounts.
Excellent news; high-fives to everyone involved. However, the force&#8217;s communications team slightly tarnished the win with some rather confusing [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/11/securityblue.jpg"><img class="aligncenter size-large wp-image-45076" title="securityblue" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/11/securityblue-462x346.jpg" alt="securityblue" width="462" height="346" /></a></p>
<p>The Met Police can feel justifiably proud of themselves, with an investigation leading to the jailing for many years of a pair of criminals who attacked computers with malware to steal £3 million from UK bank accounts.</p>
<p>Excellent news; high-fives to everyone involved. However, the force&#8217;s communications team slightly tarnished the win with some rather confusing advice on internet security.</p>
<p><span id="more-45061"></span></p>
<p>It&#8217;s easy to forget that online security can be confusing for people who don&#8217;t spend all day reading about it. Odd jargon such as phishing and trojans, and shrill warnings from security firms don&#8217;t help matters, so the Met&#8217;s Police Central E-Crime Unit (PCeU) &#8212; the UK&#8217;s experts on such matters &#8212; has offered some tips to help.</p>
<p>Some of the advice is perfectly fine: keep OSes up to date, use antivirus software, consider installing a firewall, and think before you download.</p>
<p>Other tips it offered are rather confusing &#8212; and gathered bewildered laughs from the <em>PC Pro </em>team.</p>
<p>The PCeU statement advises:</p>
<p><em>&#8220;Disconnect your computer from the internet when you&#8217;re not using it.&#8221;</em></p>
<p>This one raised some eyebrows. By all means switch the PC off when you&#8217;re not using it, but disconnecting it from the internet seems a little extreme. Of course, the best way to avoid infection is to leave your PC in the box, but we&#8217;re not going to do that (it makes it hard to type).</p>
<p><em>&#8220;Run full disk scans periodically, which will help prevent malicious programs from reaching your computer.&#8221;</em></p>
<p>Err&#8230; what? How does scanning the computer prevent malware from reaching your computer? Doesn&#8217;t that mean it&#8217;s there already?</p>
<p><em>&#8220;Avoid opening attachments or following links in emails and on websites.&#8221;</em></p>
<p>It&#8217;s certainly good advice to not download attachments from unknown senders or click shortened links from untrusted sources, but if we never clicked a link again, Sir Tim Berners-Lee&#8217;s web would be rendered rather useless.</p>
<p>While the finer points of online security are complicated, keeping yourself generally safe on the web is common sense. But it&#8217;s hard enough to sift through the hyperbole coming out of some security firms and even the Government, without adding confusing advice from the experts at the PCeU to the mix, too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/11/02/no-wonder-people-are-confused-by-security/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Are security breaches really bad PR?</title>
		<link>http://www.pcpro.co.uk/blogs/2011/06/20/are-security-breaches-really-bad-pr/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/06/20/are-security-breaches-really-bad-pr/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 13:32:24 +0000</pubDate>
		<dc:creator>Nicole Kobie</dc:creator>
				<category><![CDATA[Newsdesk]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=38845</guid>
		<description><![CDATA[
There&#8217;s a general belief in the security industry that being hacked is bad for business: it makes your firm look careless and will cost you customers.
I&#8217;ve always wondered if that&#8217;s true. Will Sony lose gamers&#8217; hearts because it lost their password details? Will Citi Group, Sega, or any other recent target go out of business [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Capture.JPG"><img class="aligncenter size-large wp-image-38863" title="Beautiful (Vain) People" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Capture-462x346.jpg" alt="Beautiful (Vain) People" width="462" height="346" /></a></p>
<p>There&#8217;s a general belief in the security industry that being hacked is bad for business: it makes your firm look careless and will cost you customers.</p>
<p>I&#8217;ve always wondered if that&#8217;s true. Will Sony lose gamers&#8217; hearts because it lost their password details? Will Citi Group, Sega, or any other recent target go out of business over a hack? Or is the PR fallout from a breach not actually as bad as the security industry says?</p>
<p><span id="more-38845"></span></p>
<p>One website stands accused of purposefully testing that theory. Beautiful People is a dating website that &#8212; as the name suggests &#8212; only lets beautiful people join (although I&#8217;ve always wondered why attractive people need dating help from an algorithm?). The site filters out the &#8220;ugly&#8221; people &#8212; that would be us normal people &#8212; via a Hot or Not style voting system.</p>
<p>Today, Beautiful People announced it had been hit by a virus, which it dubbed the &#8220;Shrek Virus&#8221;, that had allowed ugly/normal people to slip through the vanity filter; it has booted those 30,000 would-be daters, refunding those who had paid to sign up.</p>
<p>&#8220;It was initially thought to be one of the 5.5 million BeautifulPeople.com rejects, but further investigations point to a former employee who placed the virus before leaving the team in May,&#8221; the <a href="http://en.prnasia.com/pr/2011/06/20/110596511.shtml">press release</a> says, actually referring to would-be customers as &#8220;rejects&#8221;. &#8220;Despite wreaking havoc with the application process, member privacy and security was never breached.&#8221;</p>
<p>And that&#8217;s all rather convenient, notes Sophos security researcher Graham Cluley. &#8220;It&#8217;s a fantastic piece of chicanery, of course, designed to boost awareness of the dating website, get them many thousands of pounds of free publicity with little risk of damage to their reputation,&#8221; he says in a <a href="http://nakedsecurity.sophos.com/2011/06/20/beautifulpeople-dupes-mediashrek-virus-media-stunt/">blog post</a>.</p>
<p>&#8220;So, lots of publicity for the website but nothing for current or future members to worry about then. How convenient!&#8221; he adds, noting the site&#8217;s PR firm has previously used somewhat similar tactics. (Of course, as <a href="http://www.theregister.co.uk/2011/06/20/ugly_people/">The Register points out</a>, Cluley&#8217;s job is to get press coverage for Sophos, so &#8220;we&#8217;re in danger of being sucked into a conspiracy feedback loop&#8221;. And to pre-empt the inevitable comments: I realise I&#8217;ve fallen for it and have handed coverage to both.)</p>
<p><strong>Real hack? </strong></p>
<p>Beautiful People&#8217;s PR assures us the hack is real, but as the investigation is ongoing, not many details are available. Perhaps more worrying than a maybe/maybe-not hack is that the site&#8217;s spokeswoman sent me photos of some of the so-called &#8220;rejects&#8221; for publication (I&#8217;m not that mean).</p>
<p>Asked whether that might be a privacy issue, she assured me the applicants had signed away the rights to their photos, and the site could use them as they saw fit. Yes: if you apply for Beautiful People, they might use you as an example of a reject &#8212; now <em>that </em>truly is ugly.</p>
<p>We&#8217;d like to find anyone rejected by the site during this virus-induced purge, just to prove it actually happened. We promise not to laugh at your failure to join the ranks of the Beautiful People; one look at our column mugshots should confirm that looks have never been that important to <em>PC Pro</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/06/20/are-security-breaches-really-bad-pr/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>What LulzSec logins reveal about bookworms</title>
		<link>http://www.pcpro.co.uk/blogs/2011/06/16/what-lulzsec-logins-reveal-about-bookworms/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/06/16/what-lulzsec-logins-reveal-about-bookworms/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 16:35:27 +0000</pubDate>
		<dc:creator>Darien Graham-Smith</dc:creator>
				<category><![CDATA[Random]]></category>
		<category><![CDATA[ajcuivd289]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[lulzsec]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=38632</guid>
		<description><![CDATA[Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. But don’t panic: I’ve been through the list and I can confirm that none of my details have been compromised. So far.
Not everyone has been so lucky, though. As I write this, unscrupulous voyeurs around the globe are sifting through these compromised [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Lulz.png"><img class="alignleft size-full wp-image-38659" title="Lulz" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Lulz.png" alt="Lulz" width="213" height="227" /></a>Today <a href="http://www.pcpro.co.uk/news/368122/lulzsec-hackers-leak-62-000-email-logins">the hacking group LulzSec posted 62,000 hacked email usernames and passwords</a> online. But don’t panic: I’ve been through the list and I can confirm that none of my details have been compromised. So far.</p>
<p>Not everyone has been so lucky, though. As I write this, unscrupulous voyeurs around the globe are sifting through these compromised email accounts looking for… well, whatever they can find. We’ve heard of people finding login details for social-networking sites, online-dating services and even porn sites.</p>
<p>Here at <em>PC Pro </em>we can’t condone such behaviour, fascinating though it would doubtless be to gain such an insight into a stranger’s private life. Happily, the email addresses and passwords themselves are quite revealing.</p>
<p><strong><span id="more-38632"></span>Where the passwords came from</strong></p>
<p>LulzSec hasn’t said where these credentials came from – in fact, it’s explicitly said they’re “random assortments from a collection.” But the email domains to which the passwords grant access break down as follows:</p>
<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/PieChart.png"><img class="aligncenter size-full wp-image-38635" title="PieChart" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/PieChart.png" alt="PieChart" width="462" height="296" /></a></p>
<p>Nothing too shocking there, except an unexpected skew towards Brazil. More revealing, perhaps, are the usernames and passwords that people have chosen for themselves.</p>
<p><strong>Email usernames</strong></p>
<p>Email accounts must be unique within their domain, so there&#8217;s not much repetition. And, unsurprisingly, many people seem to use some variation of their real name: the addresses contain hundreds of Johns, Roberts and Marys (and just as many Diegos and Felipes).</p>
<p>But many more fanciful terms also come up repeatedly in the LulzSec archive. Of 62,000 leaked addresses, 29 include the word “goddess”, while 37 users identify as some sort of “vamp” or &#8220;vampire&#8221;. Sixty-two call themselves either a prince or princess, while 68 call themselves king and a whopping 85 go by queens.</p>
<p>On a similar theme, 77 users have the word “dragon” in their email address, while 127 go with “bear”. Closer to home, 135 of the email addresses include the term “sex”, and 204 of them refer to “love”. Over 300 referred, in some way or other, to &#8220;lady&#8221;.</p>
<p>Surprisingly, though, the most popular term I could find was “book”, featuring in 326 different usernames.</p>
<p>Why is that? <a href="http://twitter.com/#!/mikkohypponen">Mikko Hyppönen of F-Secure theorised on his Twitter feed</a> that many of these credentials must have come from a community for aspiring authors. And when we look at the passwords that people have chosen for themselves, that seems a very plausible surmise.</p>
<p><strong>Bookish passwords</strong></p>
<p>Of the 62,000 passwords released by LulzSec, the most-used is “123456”, which comes up 568 times. The next most common password is “123456789”, with 184 occurrences. So far so predictable, and the next hit – “password”, at 133 occurrences – is no more surprising.</p>
<p>The next most common password, however, is “romance”, at 88 occurrences (tying with the rather more prosaic “102030”). After that, with 67 occurrences, is “mystery”.</p>
<p>The theme continues: skipping over some more variations on the numeric theme, other popular passwords include “shadow” (62), “bookworm” (54), “reader” (52), “reading” (47), “booklover” (33) and “library” (26). It all points in a clear direction; and if you’re still doubtful, perhaps the smoking gun is the fact that 30 people have chosen “writerspace” as their password.</p>
<p><strong>What have we learnt?</strong></p>
<p>Clearly, this is a back-of-an-envelope breakdown of a mixed mass of unverified data. But for all that, it gives a fascinating glimpse of some other people’s lives. And it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they&#8217;re visiting.</p>
<p>If you’d like to study the leaked information further – but don’t want to get involved in dodgy downloads – I&#8217;ve put together <a href="http://video.cloudfront.pcpro.co.uk/pcpro/indepth/203/passwords.txt">a stripped list of the passwords</a>. I’ve removed the usernames and domains so this data can’t be used for nefarious purposes, but you can still carry out whatever analysis you like, and I&#8217;m sure there are plenty more interesting patterns to tease out (I&#8217;ve noticed a distinct Disney theme, for example). I’d be delighted to hear your findings.</p>
<p>Also, I’d be very happy to hear if anyone can explain why the seventh most common password in the data file – apparently shared by 62 users – is “ajcuivd289”.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/06/16/what-lulzsec-logins-reveal-about-bookworms/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
		</item>
		<item>
		<title>Microsoft wakes up to cold-caller scam – what took it so long?</title>
		<link>http://www.pcpro.co.uk/blogs/2011/06/16/microsoft-wakes-up-to-cold-caller-scam-%e2%80%93-what-took-it-so-long/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/06/16/microsoft-wakes-up-to-cold-caller-scam-%e2%80%93-what-took-it-so-long/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 11:47:38 +0000</pubDate>
		<dc:creator>Barry Collins</dc:creator>
				<category><![CDATA[Newsdesk]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[Mac Defender]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[rogue]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[support scam]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=38602</guid>
		<description><![CDATA[
A Microsoft press release that landed in my inbox this morning has left me fuming. “Microsoft Survey Warns of Emerging Internet Phone Scam” reads the headline.
The “emerging” phone scam it’s referring to? The swindle that sees conmen cold-calling computer owners, telling them they’ve got a virus on their PC, fleecing them for hundreds of pounds [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Asleep-at-computer.jpg"><img class="aligncenter size-large wp-image-38608" title="Asleep at computer" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Asleep-at-computer-462x346.jpg" alt="Asleep at computer" width="462" height="346" /></a></p>
<p>A Microsoft press release that landed in my inbox this morning has left me fuming. “Microsoft Survey Warns of Emerging Internet Phone Scam” reads the headline.</p>
<p>The “emerging” phone scam it’s referring to? The swindle that sees conmen cold-calling computer owners, telling them they’ve got a virus on their PC, fleecing them for hundreds of pounds to remotely “repair” non-existent problems and installing God knows what on their PC in the process. The very same <a title="Pensioner targeted by fake virus security scam" href="http://www.pcpro.co.uk/news/security/356833/pensioner-targeted-by-fake-virus-phone-scam" target="_self">phone scam that <em>PC Pro </em>was the first publication to uncover in March 2010</a>.</p>
<p>Why it has taken Microsoft 16 months to wake up to this problem is bewildering. Especially as we alerted Microsoft’s press office to the fact that these con artists were often pretending to be Microsoft and splashing Windows-style logos all over their websites when we broke the story last March.</p>
<p><span id="more-38602"></span>In the meantime, it’s clear that thousands of people have been cheated. Microsoft’s own survey finds that “79% of people deceived in this way suffered some sort of financial loss”. The details are even more galling:</p>
<p>* 17% of victims had money taken from their accounts</p>
<p>* 19% reported compromised passwords</p>
<p>* 17% were victims of identity fraud</p>
<p>* 53% suffered subsequent computer problems</p>
<p>* The average amount of money stolen was £543</p>
<p>* The average cost of repairing damage caused to computers was £1,073 — rising to $4,800 (£2,977) in the US</p>
<p>* Only two thirds of the people defrauded were able to recover the stolen money (presumably from their credit-card company), and even then, only an average of 42% of the stolen funds</p>
<p>Only now is Microsoft publicising the scam – and conveniently reminding users that Microsoft’s own security software would prevent the installation of malicious software. If it had pulled its finger out and warned people of this 16 months ago, many thousands more people might not have been left with a large credit-card bill, a ruined credit history and a broken PC.</p>
<p>When we asked Microsoft why it had taken so long to warn people of this rip-off, a spokesman replied:</p>
<p><em>“Microsoft had been aware of these phone scams but wanted to look into the breadth that they have spread, especially among English speaking countries.”</em></p>
<p>A statement that, to my mind, borders on dereliction of duty. You don’t spend 16 months sitting on your hands waiting for nice pretty patterns to emerge on Excel spreadsheets before you warn people of an expensive con trick; you do it as soon as humanly possible.</p>
<p>Furthermore, we asked Microsoft – which spends countless millions pursuing small scale pirates selling knocked-off copies of Windows on market stalls – what it’s done about shutting down these rogue “repairmen”, who are often trading under the Microsoft name.</p>
<p><em>“Microsoft is investigating the cases reported to us by customers and we will consider legal action where appropriate, as we have in other online scareware cases to date.  We continue to encourage consumers to exercise caution from scams and follow the guidance found at <a title="Microsoft Safety &amp; Security Center" href="http://www.microsoft.com/security/online-privacy/msname.aspx" target="_blank">The Microsoft Safety &amp; Security Center</a>.&#8221;</em></p>
<p>Which is PR speak for “not a lot”.</p>
<p>Microsoft has made great strides in improving the security of Windows in recent years, which is partly why these new “social engineering” scams have emerged. But as with Apple’s sluggish (although relatively lightning fast) response to the similar <a title="Apple finally acknowledges Mac Defender malware" href="http://www.pcpro.co.uk/news/security/367597/apple-finally-acknowledges-mac-defender-malware" target="_self">Mac Defender scam</a>, these companies have to do more than defend their operating systems: they have to defend the people using them too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/06/16/microsoft-wakes-up-to-cold-caller-scam-%e2%80%93-what-took-it-so-long/feed/</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
		<item>
		<title>How a cheap graphics card could crack your password in under a second</title>
		<link>http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/#comments</comments>
		<pubDate>Wed, 01 Jun 2011 08:47:34 +0000</pubDate>
		<dc:creator>Jon Honeyball</dc:creator>
				<category><![CDATA[Random]]></category>
		<category><![CDATA[AMD]]></category>
		<category><![CDATA[GPUs]]></category>
		<category><![CDATA[graphics cards]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=38233</guid>
		<description><![CDATA[
I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Graphics-Cards.jpg"><img class="aligncenter size-large wp-image-38239" title="Graphics Cards" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/Graphics-Cards-462x346.jpg" alt="Graphics Cards" width="462" height="346" /></a></p>
<p>I was pointed in the direction of a blog posting talking about the use of <a title="GPU Password cracking " href="http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/" target="_blank">GPU processors to launch brute-force attacks on passwords</a>. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly do-able on your desktop computer.</p>
<p>In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under <a title="PC Pro A List" href="http://www.pcpro.co.uk/alist/value-graphics-card" target="_self">Value Graphics Card</a>), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called &#8220;Cain &amp; Abel&#8221;.</p>
<p>The results are startling. Working against NTLM login passwords, a password of &#8220;fjR8n&#8221; can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.</p>
<p><span id="more-38233"></span></p>
<p>Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.</p>
<p>Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren&#8217;t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.</p>
<p>He then went on to add in mixed symbols to create &#8220;F6&amp;B is&#8221; (there is a space in there). CPU will take 75 days, GPU will take 7 hours.</p>
<p>What does this tell us? Well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.</p>
<p>Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like &#8220;Barry1943Manilow&#8221; where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using &#8220;fR4; $sYu 29 @QwmQz&#8221; without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years.</p>
<p>A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.</p>
<p>All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention. Nor has Microsoft, frankly, who should be having a whole raft of alternative, hardened solutions in place ready for its business customers to roll out.</p>
<p>What are the solutions? To be honest, I’m not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it’s clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/feed/</wfw:commentRss>
		<slash:comments>64</slash:comments>
		</item>
		<item>
		<title>Why Android owners shouldn&#8217;t worry about Metro&#8217;s front page splash</title>
		<link>http://www.pcpro.co.uk/blogs/2011/05/18/why-android-owners-shouldnt-worry-about-metros-front-page-splash/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/05/18/why-android-owners-shouldnt-worry-about-metros-front-page-splash/#comments</comments>
		<pubDate>Wed, 18 May 2011 10:15:01 +0000</pubDate>
		<dc:creator>Mike Jennings</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Newsdesk]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Wi-Fi]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=37915</guid>
		<description><![CDATA[
Today’s Metro has a spectacularly sensationalist headline (that&#8217;s now been changed on the website) screaming from its front page: “Android phones ‘all leak secrets’”. That’s potentially worrying if, like me, you’re an avid Android user – after all, if I wanted my phone to be less private than Jordan’s holiday, I would have bought an [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/metro-2.jpg"><img class="alignleft size-large wp-image-37933" title="Metro" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/metro-2-462x393.jpg" alt="Metro" width="462" height="393" /></a></p>
<p>Today’s Metro has a spectacularly sensationalist headline (<a title="Metro's Android story" href="http://www.metro.co.uk/tech/863613-android-phones-almost-all-vulnerable-to-hackers" target="_blank">that&#8217;s now been changed on the website</a>) screaming from its front page: “Android phones ‘all leak secrets’”. That’s potentially worrying if, like me, you’re an avid Android user – after all, if I wanted my phone to be less private than Jordan’s holiday, <a title="Apple iPhone location tracking" href="http://www.google.co.uk/url?sa=t&amp;source=web&amp;cd=2&amp;ved=0CCEQFjAB&amp;url=http%3A%2F%2Fwww.pcpro.co.uk%2Fnews%2Fsecurity%2F367048%2Fapple-snooping-plot-thickens-iphone-tracker-was-patented&amp;ei=-5TTTcryFsSo8QPMidHnCg&amp;usg=AFQjCNHbQ2RGGfkCn9goROx3SffmD43ZlQ" target="_blank">I would have bought an iPhone</a> (only joking Apple lawyers).</p>
<p>According to Metro, “almost all” Android phones are vulnerable to a problem that allows “criminals to steal users’ personal information”. That’s done, theoretically, by hackers using unsecured Wi-Fi networks to gain access to the data contained within your phone’s Calendar and Contacts applications,<a title="Ulm University research" href="http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html" target="_blank"> according to researchers at Ulm University, in Germany</a>.<span id="more-37915"></span></p>
<p>In fact, the chance of your phone leaking all of your secrets is marginal at best: you’d have to connect to an unsecured Wi-Fi network, and anyone with the slightest bit of techy common sense knows that connecting to unsecured networks is a big mistake on any device.</p>
<p>The long and short of it is far simpler and less dangerous than Metro’s sensationalist headline makes out. Any device that connects to an unsecured network is vulnerable; indeed, if you hook up your laptop to an unsecured connection then you’re potentially opening yourself up to losing far more than your calendar and contacts – bank details, for instance, or vital passwords.</p>
<p>Typically, Metro buries another major caveat towards the end of its story: that Google has already fixed the issue in Android 2.3.4, which is <a title="Google Android 2.3.4 update" href="http://www.google.co.uk/url?sa=t&amp;source=web&amp;cd=2&amp;ved=0CCkQFjAB&amp;url=http%3A%2F%2Fwww.engadget.com%2F2011%2F05%2F03%2Fnexus-one-gets-android-2-3-4-over-the-air-but-no-gtalk-video-ca%2F&amp;ei=jJXTTZ2rLNGq8AP0wvnmCg&amp;usg=AFQjCNGM8OG4jPGbAjllslW7YtSJGvkMiQ" target="_blank">currently being released</a> for the <a title="Google Nexus One" href="http://www.pcpro.co.uk/blogs/2010/01/29/google-nexus-one-first-look-review/" target="_blank">Google Nexus One</a> and <a title="Google Nexus S" href="http://www.pcpro.co.uk/reviews/smartphones/363895/google-nexus-s" target="_blank">Nexus S</a> &#8211; and will surely be rolled out across a whole swathe of other devices.</p>
<p>There&#8217;s no doubt security is important, but this issue is marginal; numerous devices will soon have this gap plugged by updates and, in any case, it only affects Android users if they decide to risk connecting to an unsecured Wi-Fi network. Metro’s making a mountain out of a molehill and, if you’re an Android user with the slightest bit of common sense, it shouldn’t worry you one jot.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/05/18/why-android-owners-shouldnt-worry-about-metros-front-page-splash/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>Where hacked Sony went wrong, and Lastpass got it right</title>
		<link>http://www.pcpro.co.uk/blogs/2011/05/06/where-hacked-sony-went-wrong-and-lastpass-got-it-right/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/05/06/where-hacked-sony-went-wrong-and-lastpass-got-it-right/#comments</comments>
		<pubDate>Fri, 06 May 2011 11:28:09 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[sony]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=37357</guid>
		<description><![CDATA[
Unless you have been living in Osama Bin Laden&#8217;s old cave, you can&#8217;t have failed to notice that Sony is having a bad time of it right now.
First the PlayStation Network is hacked and customer data compromised, and then we discover that the Sony Online Entertainment network has suffered the same fate. There has been [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/Dollar-mouth.jpg"><img class="aligncenter size-large wp-image-37366" title="Dollar mouth" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/Dollar-mouth-462x347.jpg" alt="Dollar mouth" width="462" height="347" /></a></p>
<p>Unless you have been living in Osama Bin Laden&#8217;s old cave, you can&#8217;t have failed to notice that Sony is having a bad time of it right now.</p>
<p>First the PlayStation Network is hacked and customer data compromised, and then we discover that the Sony Online Entertainment network has suffered the same fate. There has been plenty written, including some excellent editorial here at <em>PC Pro</em>, covering the what and why of the breach, so there is little point me going over that again.</p>
<p>I&#8217;m more interested in how Sony responded after discovering the breach. Did the gaming giant get it right regarding disclosure in this case? Is the Pope a belly dancer?</p>
<p><span id="more-37357"></span></p>
<p>It was bad enough that Sony took so long to inform customers of the PlayStation Network breach: a week is one heck of a long time. Yet that&#8217;s how long it took Sony, one of the biggest entertainment outfits on the planet, to confirm what data had been compromised and get around to informing customers that they might be at risk.</p>
<p>Ross Brewer, a director at log analysis firm LogRhythm, shares my surprise, stating &#8220;compromised user accounts were discovered as early as 17 April&#8230; yet it has taken seven days to warn users that they are now at increased risk of email, telephone, and postal mail scams, as well as credit-card fraud&#8221;.</p>
<p>Simply not good enough, Sony. Yes, you need to get your facts straight before going public, but a week when your customers were at potential risk of credit-card fraud and you did nothing? As William Beer, a director in PwC’s information security practice, points out &#8220;the period after a breach is time-critical in terms of communicating with consumers, regulators and protecting reputation&#8221; &#8211; especially when consumer trust is being tested by the amount of personal information they are expected to divulge and entrust to gain the benefits of an online service. Even the EU Justice Commissioner Viviane Reding has said that seven days &#8220;is much too long&#8221;.</p>
<p>But that&#8217;s not the half of it. It turns out that the Sony Online Entertainment network, which serves PC gamers and saw a further 24.6 million customer details compromised to add to the 50 million on the PlayStation Network itself, was actually hacked first. Sony knew about the hack, but didn&#8217;t believe any customer data had been compromised so kept quiet. Big mistake, as it turns out. The reputation of Sony will, in my never humble opinion, have been hurt much more by the creeping revelations of consumer data exposure than the short-term harm of warning customers to be on guard, just in case.</p>
<p><strong>Lastpass sets the example</strong></p>
<p>If Sony wants to know what it should have done, then look no further than the emerging story of a potential hack attack at the Lastpass password management service. The company &#8220;noticed an issue&#8221; yesterday, when its logs revealed a network traffic anomaly on a non-critical machine. Upon investigation, having been unable to identify the root cause and having spotted some matching activity in outbound traffic, it concluded there was the potential for a hacker to have breached the database and transferred email addresses, the server salt and their salted password hashes.</p>
<p>Rather than keep mum through fear of reputational harm, Lastpass immediately informed its users and put in place a procedure to force them to change their master passwords. &#8220;The potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data&#8221; a Lastpass spokesperson said. &#8220;Unfortunately not everyone picks a master password that&#8217;s immune to brute forcing&#8221;.</p>
<p>As well as forcing the password change, Lastpass required the request to come from a known IP or with an email validation for additional security. &#8220;We realise this may be an overreaction and we apologise for the disruption this will cause&#8221; the spokesperson said &#8220;but we&#8217;d rather be paranoid and slightly inconvenience you than to be even more sorry later&#8221;.</p>
<p>Now that may sound like commercial suicide when you consider that this is a security outfit offering a password vault service admitting that it may have been compromised. I beg to differ: this is a security company taking its responsibilities seriously (although if a breach has taken place, then some difficult questions need to be asked). Disclosing quickly and honestly maintains the trust relationship with its customers.</p>
<p>Are you listening Sony?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/05/06/where-hacked-sony-went-wrong-and-lastpass-got-it-right/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>The nightmare of Patch Tuesday for small businesses</title>
		<link>http://www.pcpro.co.uk/blogs/2011/04/21/the-nightmare-of-patch-tuesday-for-small-businesses/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/04/21/the-nightmare-of-patch-tuesday-for-small-businesses/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 09:04:50 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Online business]]></category>
		<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Patch Tuesday]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[small business]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=37036</guid>
		<description><![CDATA[
More and more businesses are dreading that Tuesday every month when Microsoft release a bunch of security patches and updates.
Patch Tuesday should be a thing to look forward to, of course, seeing as it&#8217;s when the latest round of application and operating system vulnerabilities get a nice big sticking plaster to protect your systems and [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Windows-Update-1.jpg"><img class="aligncenter size-large wp-image-37054" title="Windows Update" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Windows-Update-1-462x346.jpg" alt="Windows Update" width="462" height="346" /></a></p>
<p>More and more businesses are dreading that Tuesday every month when Microsoft release a bunch of security patches and updates.</p>
<p>Patch Tuesday should be a thing to look forward to, of course, seeing as it&#8217;s when the latest round of application and operating system vulnerabilities get a nice big sticking plaster to protect your systems and data from exploit. The trouble is that when, as with the latest Patch Tuesday, there are no fewer than 17 security bulletins (nine rated as critical) covering a whopping 64 vulnerabilities &#8211;  many of the patches requiring a full system restart &#8211; it all starts to become something of an IT management nightmare. Especially for the smaller business where there isn&#8217;t an IT manager or even an IT department to handle such things.</p>
<p>The vast majority of smaller businesses that I talk to are not IT savvy; they get by and rely upon the systems and software they are supplied to do their job. They don&#8217;t switch browser to Firefox or Chrome, they run Internet Explorer because that&#8217;s what everyone else uses and it came with the box. What&#8217;s more, they often run an older version of Internet Explorer as they apply the &#8220;if it ain&#8217;t broke&#8221; rule. Wrongly in the case of older versions of IE, of course, which are broken from a security perspective.</p>
<p><span id="more-37036"></span></p>
<p>The latest Patch Tuesday updates included one (security bulletin MS11-018, which was rated critical and covered IE6, IE7 and IE8) which protects them from a vulnerability that can compromise the browser as soon as it visits a malicious site. It&#8217;s vital if a business is using one of those versions of Internet Explorer that they apply the patch, yet it&#8217;s bundled in with all the others and likely to be lost in an all or nothing approach to updating.</p>
<p>Many small businesses opt for the nothing approach, at least in the short term, as installing and rebooting eats into either work or leisure time. Many will have been advised to turn off automatic updating to prevent such interruptions to their business processes and will simply ignore the warnings about updates altogether.</p>
<p>For consumers these mammoth updates are a nuisance, but nothing more. If they want to minimise disruption they can simply schedule the update to take place while they sleep. Small businesses are not in such a position; they have to supervise the process to ensure there are no hiccups. Those businesses without specialist IT support are in a Catch-22 situation: they have to understand the vulnerabilities as they apply to their particular needs and prioritise the patching process accordingly, but they don&#8217;t so they can&#8217;t. Then there&#8217;s the problem of compatibility testing, especially if the business uses custom applications that could be impacted by the patching.</p>
<p>Security patching of critical vulnerabilities is vital to safeguard your business data, but unplanned patching can interrupt business processes and potentially break custom applications. Surely it would be better if Microsoft rolled out patches individually, on demand, as they became available, rather than storing them up and releasing them in a flood like this? Surely it would be better if the reasons for patching and implications of not patching were explained better to the end users rather than pointing to the somewhat jargonised security bulletins?</p>
<p>So, if you are a small business, how do you deal with Patch Tuesday?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/04/21/the-nightmare-of-patch-tuesday-for-small-businesses/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Waiting for the Epsilon email attacks to start</title>
		<link>http://www.pcpro.co.uk/blogs/2011/04/14/waiting-for-the-epsilon-email-attacks-to-start/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/04/14/waiting-for-the-epsilon-email-attacks-to-start/#comments</comments>
		<pubDate>Thu, 14 Apr 2011 09:59:45 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Epsilon]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=36769</guid>
		<description><![CDATA[
You&#8217;ve already doubtless noticed that email marketing outfit Epsilon has fallen victim to a data security breach. US-based Epsilon, a third-party marketing company that sends out emails to customer addresses supplied by well known businesses all over the world, admitted on 30 March that its email database had been hacked.
While only customer names and email [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Hazard-symbols.jpg"><img class="aligncenter size-large wp-image-36784" title="Hazard symbols" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Hazard-symbols-462x346.jpg" alt="Hazard symbols" width="462" height="346" /></a></p>
<p>You&#8217;ve already doubtless noticed that email marketing outfit Epsilon has fallen victim to a data security breach. US-based Epsilon, a third-party marketing company that sends out emails to customer addresses supplied by well known businesses all over the world, admitted on 30 March that its email database had been hacked.</p>
<p>While only customer names and email addresses were compromised, and then only concerning around 2% (or 50 companies in total) of Epsilon&#8217;s client base, the &#8216;your email address has been compromised&#8217; warnings have been rolling in thick and fast: Hilton Worldwide, Mothercare, Capital One, Barclaycard and Marks and Spencer to name but a few.</p>
<p>But while the security breach itself is serious, it&#8217;s tempting to think that the fallout won&#8217;t be. After all, what can someone do with your email address and name? The truth is that I expect the Epsilon email attacks to start coming thick and fast, just as soon as lists of names and email addresses tied to specific retailers and businesses have been compiled and sold on the underground criminal market.</p>
<p><span id="more-36769"></span>Think about it:  getting a generic spam or scam email that isn&#8217;t highly targeted (warning you about a bank security issue with a bank you&#8217;re not a customer of, for example) is supremely easy to spot and dismiss. When an email arrives that not only names you personally, but connects you with a company that you do business with, then the plausibility factor increases incredibly and your defences immediately lower.</p>
<p>Spam will probably be the first point of attack, but expect to see an increase in phishing emails and malicious links. And it&#8217;s the latter that is worrying me the most, especially given the results of an investigation by security outfit <a href="http://www.trusteer.com" target="_blank">Trusteer</a> into just how easily people will click &#8216;believable&#8217; links in socially engineered emails, despite the best efforts of those in the security business to educate them otherwise.</p>
<p>Trusteer set up an experiment to prove that a carefully crafted attack will fool the majority of educated users, and the results are rather shocking. Using a LinkedIn account set up for the experiment, 100 users were chosen who were known to the company (friends, family, associates) and known to be security savvy. These users were even warned, and asked for permission, to take part in a security experiment but not given any information about what, why or when. You would expect them to have been extra vigilant under such circumstances. An email was sent stating that one of their connections has a new job, complete with a big button for viewing the new job title that actually led to a different website.</p>
<p>The results? No fewer than 41 subjects reached the &#8216;fake&#8217; landing page within a day, 52 within 48 hours, and 68 people clicked on the potentially dodgy link within a week. Of the 32 who didn&#8217;t click, 16 said they hadn&#8217;t got the email, seven didn&#8217;t read LinkedIn updates anyway and the remaining nine weren&#8217;t interested enough in the person concerned to click.</p>
<p>So, if you&#8217;ve got one of those warning emails from a company you&#8217;ve done business with, be extra vigilant over the coming weeks with regards to your email.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/04/14/waiting-for-the-epsilon-email-attacks-to-start/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Eclipse Antivirus: one product we definitely do not recommend</title>
		<link>http://www.pcpro.co.uk/blogs/2011/04/11/eclipse-antivirus-one-product-we-definitely-do-not-recommend/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/04/11/eclipse-antivirus-one-product-we-definitely-do-not-recommend/#comments</comments>
		<pubDate>Mon, 11 Apr 2011 11:48:31 +0000</pubDate>
		<dc:creator>Barry Collins</dc:creator>
				<category><![CDATA[Software]]></category>
		<category><![CDATA[con]]></category>
		<category><![CDATA[Eclipse Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security software]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=36661</guid>
		<description><![CDATA[
To judge by its website, Eclipse Antivirus must be an astonishing piece of security software. Not only has it won awards from most of the British tech press, it’s won three from PC Pro alone – including a slot on our A List. The feat is even more impressive given we’ve never heard of it.
This [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Eclipse-Antivirus.jpg"><img class="aligncenter size-large wp-image-36664" title="Eclipse Antivirus" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Eclipse-Antivirus-461x346.jpg" alt="Eclipse Antivirus" width="461" height="346" /></a></p>
<p>To judge by its website, <a title="Eclipse Antivirus" href="http://www.eclipseantivirus.com/index.html" target="_blank" rel="nofollow">Eclipse Antivirus</a> must be an astonishing piece of security software. Not only has it won awards from most of the British tech press, it’s won three from <em>PC Pro </em>alone – including a slot on our A List. The feat is even more impressive given we’ve never heard of it.</p>
<p>This is, it seems, yet another attempt to con people into using fake antivirus software. Last year, we were the <a title="Pensioner targeted by fake virus scam" href="http://www.pcpro.co.uk/news/security/356833/pensioner-targeted-by-fake-virus-phone-scam" target="_self">first to report on a scam that saw conmen ring unwitting victims</a>, telling them they have a virus on their PC and then convincing them to part with their credit-card details to  install remote access software to “remove” it.</p>
<p><span id="more-36661"></span></p>
<p>This apparent con bears many of the same hallmarks: a convincing-looking website, the use of Microsoft-style security logos and a string of “customer testimonials” proclaiming how brilliant the software is.</p>
<p>It also boasts many of the “outright con” warning signs, including no postal address, no telephone numbers and a checkout that looks like it was built by the work experience kid.</p>
<p>We’ll do our best to track down the perpetrators and get them to remove our logos, although given the website is registered to an address in Kiev, we’re not holding out much hope. We&#8217;ll also report it to Google, Microsoft and the security companies, in the hope of getting it removed from search engines and added to security blacklists.</p>
<p>In the meantime, please make sure you don’t give these people your money.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/04/11/eclipse-antivirus-one-product-we-definitely-do-not-recommend/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
	</channel>
</rss>

