09/17/2018
Newbie2Security: Passwords
A reader recently asked: “Everyone is saying to create difficult to guess passwords and not reuse them, but it’s impossible to track different passwords for every site – much less complex ones for every single site. How do I make sure my passwords are good enough for security, but not forget them continuously?”
Well, passwords are a tough nut to crack these days. Since you’re not supposed to re-use a password for more than one application/website, and since passwords should be complex, you’re stuck with trying to remember dozens of complex passwords. Most people give up and re-use passwords or use simpler and easier-to-guess passwords, leaving them open to attack. There’s good news, though, so let’s talk about passwords:
Passwords should be:
1 – Difficult for an attacker to guess
2 – Easy for you to remember
3 – Never re-used
4 – Complex enough so that they can’t be brute-forced (i.e. resistant to attacks)
Brute-force password cracking is simply an attacker trying a series of different combinations of letters, numbers, and symbols in turn, in an attempt to hit upon your actual password. Most – but not all – applications and sites have some method in place to stop this from working: either by limiting the number of attempts at a password before the account becomes locked, or by progressively slowing down the time between attempts until the attack becomes too expensive to carry out.
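Both defenses described above, a hard lockout after a fixed number of failures and a delay that grows after each failure, can be combined in one small server-side check. The following Python is an added example written for this post, not code from the original; the limits (5 failures, 15-minute lockout, delays starting at one second and doubling) are illustrative values, and the clock is injectable so the behaviour can be shown without actually sleeping.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_FAILURES = 5        # lock the account after this many consecutive failures (illustrative)
LOCKOUT_SECONDS = 900   # lockout length (15 minutes) once the limit is reached (illustrative)
BASE_DELAY = 1.0        # delay after the first failure, doubled after each further one


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts
    not_before: float = 0.0  # earliest time another attempt will be evaluated
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account brute-force throttle: progressive delays, then a hard lockout."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, username: str, password_correct: bool) -> str:
        """Return 'ok', 'failed', 'too_soon' or 'locked' for one login attempt."""
        now = self.clock()
        st = self.accounts.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.not_before:
            # Progressive slowdown: the attempt is refused without being checked,
            # so a correct guess inside the delay window does not succeed either.
            return "too_soon"
        if password_correct:
            self.accounts[username] = AccountState()   # success clears the counters
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        # 1s, 2s, 4s, 8s ... between evaluated attempts
        st.not_before = now + BASE_DELAY * 2 ** (st.failures - 1)
        return "failed"


def demo() -> list:
    """Drive the throttle with a fake clock: five wrong guesses in a row on one account."""
    t = {"now": 0.0}
    throttle = LoginThrottle(clock=lambda: t["now"])
    results = []
    for _ in range(MAX_FAILURES):
        results.append(throttle.attempt("alice", password_correct=False))
        # advance the clock to the end of the enforced delay so the next attempt is evaluated
        t["now"] = throttle.accounts["alice"].not_before
    return results


if __name__ == "__main__":
    print(demo())  # ['failed', 'failed', 'failed', 'failed', 'locked']
```

Note that the refusal during the delay window is deliberate: if the server still checked the password and only slowed the response, an attacker running many connections in parallel would not be slowed at all. A real deployment also has to decide what to do about the obvious side effect, namely that anyone who knows a username can lock its legitimate owner out, which is why the lockout here is time-limited rather than permanent.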
Unfortunately, normal humans have a lot of trouble keeping track of dozens – if not hundreds – of very complex passwords. They might be able to manage 1, 2, and 4; but only at the expense of 3. If they do keep 3 as the primary goal they often run afoul of 1, 2, or 4.
The good news is that there are several ways that you can follow all four rules without losing track of any sites or losing your mind:
1 – Use a Password Manager: A password manager is simply a piece of software that lets you store your usernames and passwords for various sites and applications in a securely protected vault. This means you only have to remember one password (the one that unlocks the vault) instead of all the passwords for your sites and apps. You do need to be sure the password manager vendor is reputable and has a good security track record, but otherwise you set it up, keep it updated, and never have to worry about forgetting passwords. Even better, most will generate strong passwords on demand, allowing you to have unique passwords for every site and app without having to think them up yourself. 1Password and LastPass are two examples of well-established password managers that work across PC, Mac, and mobile; they are also easy to use and work no matter which browser you use. They’re not free (at least for the full feature set you should be using), but they’re reasonably priced and worth every penny.
2 – Use a Pass Phrase Instead: Who says a password has to only be one word? Complex passwords can just as easily be phrases or sentences if the site doesn’t limit how many characters you can use. How about “ThisIsMySecureGooglePassword!” for your Google account? It’s the right length, has upper and lowercase letters, has a special character, etc. It can also be modified for each site – and those modifications can be hard to guess if you change which word gets modified in a way you’ll remember.
NOTE: Do not, and I really can’t stress this enough – do NOT use that particular sentence. Now that it’s posted to a blog that’s online, it is public information and will get added to databases that attackers use to guess passwords. PLEASE think up a passphrase or sentence of your own.
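The two points above, that a passphrase can satisfy the usual length and character-class rules, and that a passphrase published anywhere is no longer secret, can both be checked mechanically. The Python below is an added example written for this post, not code from the original or from any password manager mentioned in it. It generates a random word-based passphrase with the `secrets` module (the right source of randomness for credentials), estimates its strength in bits, applies the post's rule of thumb for complexity, and rejects anything on a list of publicly posted phrases. The word list is a constructed 24-word toy; a real list such as Diceware has 7776 entries, and the strength estimate shows why that difference matters.

```python
import math
import re
import secrets
from typing import Iterable, Sequence

# Constructed toy word list; real lists (e.g. Diceware) have thousands of entries.
TOY_WORDLIST: Sequence[str] = (
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yogurt",
)

# Anything posted publicly is fair game for attackers' guess lists; the post's own
# example sentence goes on the reject list for exactly that reason.
PUBLISHED_EXAMPLES = {"ThisIsMySecureGooglePassword!"}


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Strength of a passphrase made of word_count uniformly random words."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 6, wordlist: Sequence[str] = TOY_WORDLIST,
                        sep: str = "-") -> str:
    """Pick words with secrets.choice, never random.choice, for anything used as a credential."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """The post's rule of thumb: long enough, upper and lower case, and a special character."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_publicly_known(pw: str, known: Iterable[str] = PUBLISHED_EXAMPLES) -> bool:
    return pw in set(known)


def acceptable(pw: str) -> bool:
    """Complexity rules are necessary but not sufficient; a published phrase fails regardless."""
    return meets_complexity(pw) and not is_publicly_known(pw)


if __name__ == "__main__":
    print(acceptable("ThisIsMySecureGooglePassword!"))          # False: passes complexity, but public
    print(round(passphrase_entropy_bits(6, len(TOY_WORDLIST)), 1))  # 27.5 bits from the toy list
    print(round(passphrase_entropy_bits(6, 7776), 1))               # 77.5 bits from a Diceware-size list
    print(generate_passphrase(6))
```

The entropy figures are the useful part: six words from the toy list give about 27.5 bits, which is weak, while the same six words from a 7776-word list give about 77.5 bits. The strength comes from the size of the list and the randomness of the choice, not from how long the result looks.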
3 – Never Use Public Information: Your maiden name, mother’s maiden name, zip code, pet’s name, kids’ names, etc. are all public information and should never be used in a password ever. If you have to give that information to other people (on Social Media, to your bank, etc.) in the clear (i.e. in plain text or verbally); then it is not suitable for use as a password.
4 – Keep Your Passwords Secure: Remember that no reputable site, service, app, or business will ever – EVER – ask you to tell them your password, either online or on the phone. It is never necessary for them to do so. They can access your information via their own methods, and don’t need you to tell them your password in order to do it. So, if anyone claims they’re from Facebook, or Microsoft, etc., either via email or phone, and asks for your password; they’re lying and trying to steal your info. Also, never keep passwords written down in the physical world, or stored in a file in the digital world, unless that file is properly encrypted and secured. So, a password manager that encrypts its vault is fine, but an Excel spreadsheet that isn’t protected is not.
Defending yourself with strong, non-reused, passwords is a critical part of online security. These tips are not difficult to use, and typically cost either little or nothing at all to take advantage of. Take some time to follow proper “password hygiene” and you’ll find yourself in a safer place.
03/19/2020
Chinese APT Group Weaponizes COVID-19 Fears
by Mike Talon • Newbie2Security, Security, Tech, Windows
While there are currently upwards of seven cyber threat campaigns centered on SARS-CoV-2 (the virus that causes the illness now known as COVID-19); one stands out from the rest. According to CheckPoint Research (https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/), this campaign is a continuation of previous attacks by the Vicious Panda APT group, with the latest iteration using the threat of the Coronavirus to entice users into falling for the downloader/stager scheme.
Though not particularly novel or intricate, the somewhat complex stager to downloader to dll methodology does have one thing that sets it apart. Vicious Panda is the codename of a Chinese APT group – meaning that the country which saw the first devastating wave of COVID-19 patients, and the first loss of life from the disease, is now using it to disrupt data systems in other parts of the world.
The attack itself is straightforward. An email hook via a poisoned attachment – in this case a rich text file – is emailed or otherwise delivered to the target. Relying on a known exploit in the Equation Editor component of Microsoft Office on Windows systems, the RTF file executes code that performs additional actions on the infected machine. In the case of this campaign, a series of downloaded files (mostly DLLs) sets up both a persistence mechanism, so that the attack re-launches itself whenever a Microsoft Office app is run until it is removed, and a Remote Access Trojan (RAT) that allows the attackers to gather details and data from an infected device.
The RAT is the more problematic of the executable components; as in addition to stealing data and user information through screen shots and process dumps, a RAT can be configured to download and launch additional executable code. While the initial attack is independently dangerous, this ability to persist beyond reboot and to download more attack code at any time makes this significantly more worrisome.
As for mitigation against this threat, while the actual downloaded payload is new, the methods and techniques used to land the attack are not. Updates and patches exist for Windows to defend against the Equation Editor exploits, which have existed since 2017 but remain unpatched on many Windows devices. Patching against CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 will limit the ability of the initial infection vector (the poisoned RTF file) to land, and thereby defend the device itself. It’s recommended that systems be patched as soon as possible if the fixes for these three CVEs have not yet been applied.
While the actual attack binaries do appear to be new, they function with the same effect as most RATs; so monitoring for unusual activity around screenshots, file manipulation, data exfiltration, and unknown process initiation can identify that a device is infected. Any device that exhibits these unusual behavior patterns should be temporarily isolated until further investigation can either confirm infection or identify the reason for the unusual operations.
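One concrete form of the "unknown process initiation" monitoring suggested above is to look at which processes Office applications spawn: a document viewer that starts the Equation Editor, a shell, or any other child outside a known baseline is worth a closer look, and the persistence described earlier (re-launching whenever an Office app runs) would surface the same way. The Python below is an added example written for this post, not code from the original or from the CheckPoint report. It parses a constructed, simplified Sysmon-like process-creation log and flags Office parents with unexpected children. The Office host names and the Equation Editor binary name (EQNEDT32.EXE) are known Microsoft executable names rather than anything taken from the post; the allowlist of expected children is a placeholder to be replaced with your own baseline.

```python
import re
from typing import Dict, List, Optional

# Office applications that normally act as document viewers, not process launchers
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office process may legitimately start in this hypothetical environment;
# replace with a baseline measured on your own fleet before deploying
EXPECTED_CHILDREN = {"splwow64.exe"}
# The Equation Editor executable targeted by the CVEs named in the post (known binary
# name, not taken from the post); a launch of it from Office deserves a look
EQUATION_EDITOR = "eqnedt32.exe"

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value;Key=Value' process-creation record (constructed layout)."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, so image paths compare by executable name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string for a suspicious parent/child pair, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_HOSTS:
        return None
    who = f"{event.get('Time', '?')} {event.get('User', '?')}"
    if child == EQUATION_EDITOR:
        return f"{who}: {parent} launched Equation Editor ({child}); check the opened document"
    if child not in EXPECTED_CHILDREN:
        return f"{who}: {parent} started unexpected child {child}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run classify over every record and collect the alerts in log order."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records: one benign print helper, one Equation Editor launch,
# one normal Word start from Explorer, and one shell spawned by Excel.
SAMPLE_EVENTS = [
    r"Time=2020-03-18T09:12:01;ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;Image=C:\Windows\splwow64.exe;User=CORP\jdoe",
    r"Time=2020-03-18T09:13:44;ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;Image=C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE;User=CORP\jdoe",
    r"Time=2020-03-18T09:15:02;ParentImage=C:\Windows\explorer.exe;Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;User=CORP\jdoe",
    r"Time=2020-03-18T10:02:37;ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE;Image=C:\Windows\System32\cmd.exe;User=CORP\asmith",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample records this produces two alerts (the Equation Editor launch and the shell from Excel) and stays quiet on the print helper and on Explorer starting Word. The rule is intentionally narrow; the post's other indicators (screenshot activity, file manipulation, outbound data transfer) need separate telemetry and would be layered on top of a parent/child check like this one.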
Leveraging the COVID-19 fears of the world is despicable. Threat groups have never been known for their reserve or decency, but launching attacks that play off the panic of the world right now is unacceptable beyond belief. That it is coming from the country that experienced the first outbreak is even more bewildering and disappointing. I urge all threat groups to not make the situation worse by playing off the fears of an international pandemic crisis.
It’s doubtful that we will see an end to attacks taking advantage of national and international crisis events. As disheartening as that is, we must face reality and realize that any opportunity can and will be used to spread malware that disrupts and/or destroys businesses. This example, though, is extraordinarily despicable for two reasons: First, the disruption of many businesses during this specific crisis can, and will, lead to the loss of lives. Disruption of a single manufacturer of medical equipment or devices will make the already devastating shortage of masks, sanitizers, ventilators, and other vital healthcare equipment so much worse. People who might have lived will die, and their blood will be directly on the hands of these threat actors. Secondly, the apparent origination of this specific threat from an Advanced Persistent Threat group from China – the first and one of the most significantly impacted countries – is simply baffling. After the loss of life, disruption of business, and overall health impact of this virus; the country that was at the start of the chain of the pandemic should not be weaponizing the fear of that pandemic for furtherance of state-sponsored cyber threat goals.