Tell Me You Have The Greatest Password On The Planet

You tell your clients all the time about good password policies. You tell your friends and family. You may be able to rattle off in your sleep “unique, long strings of varied characters with multiple numbers, capitals, and special characters.” But just how many people are heeding the call for better security? Has the public started taking cybersecurity seriously?

Well, not really—common passwords and password habits are still pretty bad. But there’s still hope. Much like a glacier, there has been some small, measurable movement in the right direction.

SplashData, a password management application provider, has released the fifth edition of their annual “Worst Passwords List,” putting the spotlight on the poor password habits of Internet users. Unbelievably, the most terrible—and most common—passwords remain the same: “123456” and “password.”

Despite all of the warnings and notifications that have attempted to permeate the public consciousness, people are still using these risky and unsafe options, leading to the conclusion that they either don’t know or don’t care about the great risk such weak passwords pose to their data.

Rank Password Change in Rank
25. starwars (New)
24. passw0rd (New)
23. solo (New)
22. qwertyuiop (New)
21. princess (New)
20. login (New)
19. letmein (Down 6)
18. monkey (Down 6)
17. master (Up 2)
16. dragon (Down 7)
15. 1qaz2wsx (New)
14. 111111 (Up 1)
13. abc123 (Up 1)
12. 1234567890 (New)
11. welcome (New)
10. baseball (Down 2)
9. 1234567 (Up 2)
8. 1234 (Down 1)
7. football (Up 3)
6. 123456789 (Unchanged)
5. 12345 (Down 2)
4. qwerty (Up 1)
3. 12345678 (Up 1)
2. password (Unchanged)
1. 123456 (Unchanged)

If you use any of the preceding passwords, please—PLEASE—go change them now. We’ll wait.

This list was compiled from over two million leaked passwords over the course of 2015, and some interesting trends have emerged.

It does appear that users have begun to create longer passwords, perhaps a result of new site requirements that specify as much. In doing so, however, users have managed to render these longer passwords just as useless as shorter ones by building them from perfectly predictable patterns, often dictated by a simple swipe of a finger over the keyboard in one direction.
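As an added illustration (not code from the newsletter or from SplashData), here is a Python password-policy check that rejects the 25 passwords listed above and flags keyboard-walk patterns such as qwertyuiop and 1qaz2wsx; the 12-character minimum and the US-QWERTY key layout are assumptions.

```python
# Added example, not from the newsletter: reject the SplashData 2015 list and
# flag keyboard walks. The 12-char minimum is an assumed policy value.
# The 25 passwords from the list above, lowercased.
WORST_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
}
# Key rows of a US QWERTY keyboard and the vertical columns a finger
# swipe follows (1qaz2wsx is two such columns back to back).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
# Common digit-for-letter substitutions (passw0rd -> password).
LEET = str.maketrans("0134@$", "oleaas")

def _fragments(lines):
    """Every run of 3+ adjacent keys along a row/column, in both directions."""
    out = set()
    for line in lines:
        for s in (line, line[::-1]):
            for i in range(len(s)):
                for j in range(i + 3, len(s) + 1):
                    out.add(s[i:j])
    return out

WALKS = _fragments(ROWS + COLUMNS)

def keyboard_walk_fraction(pw):
    """Fraction of characters covered by keyboard-walk fragments (greedy, longest first)."""
    pw = pw.lower()
    covered = [False] * len(pw)
    for i in range(len(pw)):
        for j in range(len(pw), i + 2, -1):  # longest candidate first
            if pw[i:j] in WALKS:
                covered[i:j] = [True] * (j - i)
                break
    return sum(covered) / len(pw) if pw else 0.0

def check_password(pw):
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if pw.lower() in WORST_2015 or pw.lower().translate(LEET) in WORST_2015:
        problems.append("on the SplashData 2015 worst-passwords list")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if keyboard_walk_fraction(pw) >= 0.5:
        problems.append("mostly a keyboard walk")
    return problems
```

Note that the walk check is what catches the longer-but-predictable passwords the article describes: qwertyuiop and 1qaz2wsx score 1.0 even though neither is a dictionary word.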

At Super Bowl 50, Fan Safety Starts With Super-Snoopy Tech

http://www.cnet.com/news/at-the-super-bowl-fan-safety-starts-with-tech/

In football, it's the job of the offensive line to protect their quarterback. At the Super Bowl, it will be up to federal agents and security specialists to guard the public from any blind sides.

As part of their work for the big game on Feb. 7, a security force is using technologies designed to look for signs of danger on the ground, in the air and over the Internet. Analysis tools are sifting through social media postings for threats of violence, while robots, choppers and an app put all the threat intelligence gathered by law enforcement agencies into a single feed.

Security cameras in and around Levi's Stadium will be put to full use during Super Bowl 50.

Much of the technology is running out of a Joint Operations Center running around the clock miles from the game at Levi's Stadium in Santa Clara. Nearly two dozen federal, state and local public safety agencies are working with private security experts at the center, gathering and sharing intelligence in real time.

About 1 million football fans will be in the San Francisco Bay area for the 50th Super Bowl. That scale, combined with the game's prominence, led the Department of Homeland Security to classify it as a Level 1 Special Event, a possible target for terrorism.

"We've planned for a number of contingencies and possibilities," said John Lightfoot, FBI assistant special agent in charge in San Francisco. "Doesn't mean we think they are going to happen, but we're ready."

Are We Having One of Those Days?

Watch Out At The Grocery Store!


In Dec. 2015, KrebsOnSecurity warned that security experts had discovered skimming devices attached to credit and debit card terminals at self-checkout lanes at Safeway stores in Colorado and possibly other states.

Safeway hasn’t disclosed what those skimmers looked like, but images from a recent skimming attack allegedly launched against self-checkout shoppers at a Safeway in Maryland offer a closer look at one such device.

A skimming device made for self-checkout lanes that was removed from a Safeway Store in Germantown, Maryland.

The image above shows a simple but effective “overlay” skimmer that banking industry sources say was retrieved from a Safeway store in Germantown, Md. The device is designed to fit directly over top of the Verifone terminals in use at many Safeways and other retailers. It has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles.

Safeway officials did not respond to repeated requests for comment about this incident.

My local Safeway in Northern Virginia uses this exact model of Verifone terminals, and after seeing this picture for the first time I couldn’t help but pull on the terminal facing me in the self-checkout line on a recent store visit, just to be sure.

Many banks are now issuing newer, more secure chip-based credit and debit cards that are more expensive and difficult for thieves to steal and to counterfeit. As long as retailers continue to allow customers to avoid “dipping the chip” and instead “swipe the stripe,” these skimming attacks on self-checkout lanes will continue to proliferate across the retail industry.

http://krebsonsecurity.com/

10 Tips For Network Security

  1. Train employees in security principles
  2. Protect information, computers and networks from cyber attacks
  3. Provide firewall security for your Internet connection
  4. Create a mobile device action plan
  5. Make backup copies of important business data and information
  6. Control physical access to your computers and create user accounts for each employee
  7. Secure your Wi-Fi networks
  8. Employ best practices on payment cards
  9. Limit employee access to data and information, limit authority to install software
  10. Passwords and authentication

The Lighter Side:

A man takes the day off work and decides to go out golfing. He is on the second hole when he notices a frog sitting next to the green. He thinks nothing of it and is about to shoot when he hears, "Ribbit, 9 Iron."

The man looks around and doesn't see anyone. Again, he hears, "Ribbit, 9 Iron…" He looks at the frog and decides to prove the frog wrong, puts the club away, and grabs a 9 iron.

Boom! He hits it 10 inches from the cup. He is shocked. He says to the frog, "Wow, that's amazing. You must be a lucky frog, eh?"

The frog replies, "Ribbit, Lucky Frog." The man decides to take the frog with him to the next hole.

"What do you think frog?" the man asks. "Ribbit, 3 wood."

The guy takes out a 3 wood and, Boom! Hole in one. The man is befuddled and doesn't know what to say. By the end of the day, the man golfed the best game of golf in his life and asks the frog, "OK, where to next?" The frog replies, "Ribbit, Las Vegas."

They go to Las Vegas and the guy says, "OK frog, now what?" The frog says, "Ribbit, Roulette." Upon approaching the roulette table, the man asks, "What do you think I should bet?" The frog replies, "Ribbit, $3000, black 6."

Now, this is a million-to-one shot to win, but after the golf game the man figures what the heck.

Boom! Tons of cash comes sliding back across the table.

The man takes his winnings and buys the best room in the hotel. He sits the frog down and says, "Frog, I don't know how to repay you. You've won me all this money and I am forever grateful."

The frog replies, "Ribbit, Kiss Me."

He figures why not, since after all the frog did for him, he deserves it. With a kiss, the frog turns into a gorgeous 15-year-old girl.

"And that, your honor, is how the girl ended up in my room. So help me God, or my name is not William Jefferson Clinton."...

How To Keep The NSA Out Of Your Network

How the National Security Agency Gets You

In the world of advanced persistent threat actors (APT) like the NSA, credentials are king for gaining access to systems. Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders. Per the words of a recently leaked NSA document, the NSA hunts sysadmins.

The NSA is also keen to find any hardcoded passwords in software or passwords that are transmitted in the clear—especially by old, legacy protocols—that can help them move laterally through a network once inside.

And no vulnerability is too insignificant for the NSA to exploit.

“Don’t assume a crack is too small to be noticed, or too small to be exploited,” he said. If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don’t think they don’t matter. Those are the ones the NSA and other nation-state attackers will seize on, he explained. “We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”

Even temporary cracks—vulnerabilities that exist on a system for mere hours or days—are sweet spots for the NSA.

If you’ve got trouble with an appliance on your network, for example, and the vendor tells you to briefly open the network for them over the weekend so they can pop in remotely and fix it, don’t do it. Nation-state attackers are just looking for an opportunity like this, however brief, and will poke and poke your network patiently waiting for one to appear, he said.

Other vulnerabilities that are favorite attack vectors? The personal devices employees bring into the office on which they’ve allowed their kids to load Steam games, and which the workers then connect to the network.