Research In Motion’s long-awaited new mobile OS, the BlackBerry 10, contains a blacklist of 106 verboten passwords that users will not be able to use to secure access to their devices, researchers have found.
The new OS is expected to be released Jan. 30 and is part of a major effort by RIM to regain some of the government market share it has lost in the face of growing competition from Apple and Android.
The blacklist is a small but clever feature in a device that clearly is focusing on security for its enterprise users. It features strong AES 256-bit encryption that already is FIPS 140-2 certified, it allows segregated work and personal user profiles, and the browser includes a read-only mode that strips possible executables from the display.
The forbidden passwords include the obvious — “123456” and “abcdef,” “password” and “qwerty” — as well as some less obvious — “trustno1” and “zapata.” For the tipplers there is “miller” and “molson” (RIM is Canadian, after all). Some of the residents of Pooh Corner show up, including “eeyore,” “piglet,” “poohbear” and “tigger.” There are wizards, a few obscene suggestions, and I’m ashamed to say that one of my favorite passwords also is included. (I’m not telling you which one.)
Not everyone is impressed by the feature. John Yeo, director of Trustwave SpiderLabs EMEA, in a written statement called it a token that will do little to improve security. “Instead of blacklisting a few words, a more secure option would be to enforce some basic password complexity requirement,” he wrote. “Also, consider now there is a list of 106 known unusable passwords that someone malicious needn’t bother trying.”
Considering the computing power that can be thrown into dictionary and brute force password attacks, I don’t think that the exclusion of 106 words from the possibilities will make much difference. And while enforcing basic password complexity is a good idea, that is a policy issue between the user and the enterprise. Baking policy requirements into the OS could create difficulties and conflicts without doing much to improve overall security.
Blacklisting passwords might not be a great idea, but it’s a good one.
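The trade-off Yeo describes, a blocklist on its own versus basic complexity rules, is easy to see in code. The following is an added Python example, not RIM’s implementation: the blocklist is a constructed subset of the entries the post names (the real list has 106), and the length and character-class thresholds are assumptions.

```python
import re

# Constructed sample: a subset of the blocked words named in the post.
# The real BlackBerry 10 list has 106 entries and is not reproduced here.
BLOCKLIST = {
    "123456", "abcdef", "password", "qwerty", "trustno1", "zapata",
    "miller", "molson", "eeyore", "piglet", "poohbear", "tigger",
}

MIN_LENGTH = 8  # assumed policy threshold, not a BlackBerry 10 setting
_CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())


def _stem(pw: str) -> str:
    """Lower-case and drop leading/trailing digits and symbols, so that
    'Password1!' or 'qwerty2012' collapse to the blocked base word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def check_password(pw: str, blocklist=BLOCKLIST, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means the password passes.

    The blocklist check alone lets trivial variants through, which is why
    the stem check and the complexity rules are applied as well."""
    failures = []
    if pw.lower() in blocklist:
        failures.append("exact match on blocklist")
    elif _stem(pw) in blocklist:
        failures.append("trivial variant of a blocklisted word")
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    # Count how many of lower/upper/digit/symbol appear at least once.
    classes = sum(1 for test in _CLASSES if any(test(c) for c in pw))
    if classes < 3:
        failures.append("fewer than three character classes")
    return failures


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "Correct-Horse-7"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that “Password1!” would sail past a plain blocklist lookup; only the stem check catches it, which is the gap Yeo is pointing at.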
Posted on Dec 07, 2012 at 1:41 PM | 4 comments
Web browsers are getting better at detecting and blocking URLs associated with phishing sites, according to a recent test of leading browsers by NSS Labs, but defending against social engineering will require educated users, not just better software, says one researcher.
“Technology has not been able to deal significantly with social engineering on a number of fronts,” said NSS research director Randy Abrams.
One of those fronts is spear phishing, and that is bad news for government, which has thousands of users and operates with more transparency than many other organizations. “That makes spear-phishing them significantly easier,” Abrams said. “Government is going to have to spend more on education.”
Before going on, some definitions: “Phishing” tries to get a victim to disclose sensitive personal or account information, including access credentials. This can be done in a variety of ways, including e-mails and phony websites, and often is done on a large, broadcast scale.
“Spear phishing” targets specific individuals, groups or organizations, usually using information about the victim that the attacker has gathered through open-source research or intelligence operations. Because there are a small number of intended victims, detecting spear phishing is more difficult.
A new report from Trend Micro found that 91 percent of targeted attacks from February to September 2012 employed spear phishing, and that 65 percent of attacks were aimed at government, by far the most targeted sector.
NSS Labs’ most recent examination of browsers looked at how well four popular ones blocked known phishing URLs. Results ranged from 90 percent for Firefox 15 to 91 percent for Safari 5 and 92 percent for Internet Explorer 10. The best performer was Chrome 21 at 94 percent.
These sites are more difficult to shut down because they have become more nimble. The number of phishing URLs is growing, from 40,000 per month in 2011 to 50,000 per month in 2012, and at the same time their lifespan is shortening, to an average uptime of just 23 hours in 2012. This timing is important because it takes a while for browsers to “learn” that a site is malicious. More sites and shorter lifespans mean more zero-hour attacks, and the zero-hour block rates for the browsers tested against brand-new malicious URLs ranged from just 53.2 percent for Chrome to 79.2 percent for Safari. This means a growing window of opportunity for attackers.
The good news is that phishing, like almost all social engineering attacks, requires the victim’s cooperation. If the victim doesn’t fall for the fake e-mail or visit the malicious site, he’s safe. Unfortunately, many people who have been brought up using technology are too trusting and have not been taught to be critical, Abrams said.
“We haven’t made social engineering education part of our societal education,” he said. “Fundamentally we are probably two generations away from getting a grip on social engineering if we start now. And government doesn’t have two generations to wait.”
Posted on Nov 30, 2012 at 11:29 AM | 1 comment
There was a surprise for researchers at Georgia Tech analyzing emerging threats. It was “the relatively low infection rate of mobile devices in the United States,” said Paul Royal, associate director of the school’s Information Security Center and an author of the Emerging Cyber Threats Report for 2013.
Although the number of malicious and suspicious apps for the Android OS has exploded -- from 30,000 in June to 175,000 in September -- an analysis by the Info Security Center of DNS traffic for one large cellular provider found only 0.002 percent of U.S. phones showed signs of infection. “People don’t appear to be downloading them,” Royal said.
One reason is that many of the malicious apps are in foreign languages and targeted at phones in other countries, where they are more likely to be used for financial transactions, he said.
That does not necessarily mean that phones or apps are safe, however. There are many apps that could be taking liberties with users’ phones that are not counted as malicious because they ask for those permissions up front, when they are installed. When an app asks for access to your contact list, “people see that as a necessary evil,” and not as a privacy violation, Royal said.
Posted on Nov 16, 2012 at 2:30 PM | 0 comments
With the presidential election behind us and the political status quo confirmed in Washington, the dangers in cyberspace continue to grow, says NSA Director and U.S. Cyber Command commander Gen. Keith B. Alexander.
The nation’s dependence on a global information infrastructure is growing at the same time threats are increasing both in number and in sophistication.
“Where are we going to go from here?” Alexander asked at the recent Symantec Government Symposium in Washington. “We have tremendous vulnerabilities. Everybody’s getting hit,” and the theft of intellectual property has become “the biggest concern we have right now as a nation.”
On top of that, recent attacks such as those against the Saudi oil company Aramco, believed to have been launched from Iran, demonstrate the ability to effectively wipe out data on targeted computers. “I am concerned that attacks like that are coming,” the general said. “We have to get ready for that.”
The message was not new. For years now Alexander has been pushing for better cooperation between government and the private sector in the face of cyber threats, and Defense Secretary Leon Panetta drew attention to the issue in October by revealing the Aramco attacks. But the intensity of the campaign is increasing, along with the stakes.
The Defense Department is moving ahead with plans and capabilities for conducting defensive and offensive operations in cyberspace and now is developing formal rules of engagement for cyberwar. But the DOD is placed in an awkward situation, having the intelligence, the capabilities and the mission of defending the .mil domain from foreign assault, but no authority to act in the non-military critical infrastructure on which it and the rest of the nation depend. That is the realm of the Department of Homeland Security, the FBI and the private sector. And while everyone would like to be under the DOD shield, nobody wants to turn over their security—or information—to the military.
There is informal cooperation. The NSA stands ready to provide its expertise to DHS for protection of civilian infrastructure. And DOD is working with the private sector through the Enduring Security Framework, a program launched in 2008 in which corporate executives are granted temporary, one-day classified clearance to get “scared straight” style briefings on cyber threats and capabilities. But DOD wants to see a legislative framework that will spell out the relationship between the military, the civilian government and the private sector in the area of cybersecurity.
Alexander, Panetta and the rest of the brass want two things: a baseline of security standards for civilian critical infrastructure that the military eventually could be called upon to defend, and clear lines of authority, responsibility and liability for sharing information across sector boundaries.
Whether the chances for this happening will be any better in the new Congress than in the current one—which was where cybersecurity legislation went to die—is anybody’s guess. But whatever the final formula for effective cyber defense is, it needs to emerge sooner rather than later, Alexander said.
“We can defend this space,” he said. “But we’re still at the starting line. We need to get moving.”
Posted on Nov 13, 2012 at 12:18 PM | 0 comments