Choosing a Strong Password in 2017

January 14, 2017 – 7:17 AM

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

If you value your privacy, you must learn how passwords work, how the attacks that attempt to break them work, and finally how to choose a strong password that won’t break no matter what you throw at it.

Most people don’t have a proper system for managing passwords. They pick the easiest password that they can remember and probably reuse it in multiple places. In this tutorial we’ll take a look at why this needs to change and how to replace this ad hoc process with a secure and more convenient approach.


The worst passwords of 2016 are as lazy as ever

January 14, 2017 – 7:00 AM

It seems that password security simply doesn’t work.

Many of us rely on simple, easy-to-remember strings of characters and letters, including strings found on your keyboard such as “1234567” or “qwertyu.”

While these strings are easy for you to remember, they are also no trouble at all for attackers, who need only brute-force techniques — or little more than a guess or two — to compromise your online accounts and take over your digital identity.

Online vendors and agencies are getting up to speed with these practices and now often offer or require two-factor authentication, which ties a mobile phone to your account — or will ban soft, easy passwords like this altogether.

But while many are, many are not — and it is both companies and individuals that are at fault for lax security at the first stage.

According to Keeper Security’s annual list of commonly used passwords, we still haven’t got the message.

The security company’s researchers were left shaking their heads in despair as they discovered that the most common passwords used to protect our accounts have not changed much at all — and “123456” is still very much in existence.

The company scoured through 10 million passwords which became public domain over the year thanks to data breaches.

Keeper Security found that almost 17 percent of users insisted on using “123456” to ‘protect’ their accounts from intrusion, while “123456789,” “qwerty” and “password” also make an appearance in the top 25 worst passwords found — which, sadly, are also the most common.
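The strength measure from the opening post (average number of guesses an attacker needs) and the Keeper list above can be combined into a small scorer. This is an added example, not code from either article: it treats the listed common passwords and keyboard runs as predictable inputs that a dictionary attack tries first, and scores everything else by character-class entropy. Thresholds and the deny list are constructed for illustration.

```python
import math

# Constructed deny list: the entries named in the Keeper Security list above
# plus the two keyboard strings from the article. A real list is far larger.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "1234567", "qwertyu"}

# Keyboard rows, used to catch runs typed straight across the keys.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def charset_size(password):
    """Size of the character classes a brute-force attacker must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def is_keyboard_run(password):
    """True if the whole password is a slice of one keyboard row, either direction."""
    p = password.lower()
    return len(p) >= 4 and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def estimate(password):
    """Return entropy bits, expected guesses and a verdict for one password.

    Average guesses is half the search space, 2 ** (bits - 1), matching the
    'on average' measure in the article. Predictable inputs are scored as if
    the attacker tries them first, not as random strings.
    """
    if not password:
        return {"bits": 0.0, "avg_guesses": 1, "verdict": "weak"}
    if password in COMMON_PASSWORDS or is_keyboard_run(password):
        # A dictionary or pattern attack covers these in a handful of guesses.
        bits = math.log2(len(COMMON_PASSWORDS) + sum(len(r) for r in KEYBOARD_ROWS))
        return {"bits": round(bits, 1), "avg_guesses": 2 ** (bits - 1), "verdict": "predictable"}
    bits = len(password) * math.log2(charset_size(password))
    verdict = "weak" if bits < 40 else "fair" if bits < 64 else "strong"
    return {"bits": round(bits, 1), "avg_guesses": 2 ** (bits - 1), "verdict": verdict}


if __name__ == "__main__":
    for pw in ("123456", "qwertyu", "asdfgh", "sunshine", "Tr0ub4dor&3"):
        print(pw, estimate(pw))
```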


CERT advises users to ‘discontinue use’ of two Netgear routers due to major security flaw

December 10, 2016 – 7:32 PM

In a major setback for Netgear, it appears that at least two of its high-end routers may contain a severe security flaw according to an advisory issued by CERT.

The vulnerability itself is incredibly easy to leverage and simply relies upon accessing a specially crafted URL in the following format from the local network:

http://<router_IP>/cgi-bin/;COMMAND

The above will result in a command injection attack via the router’s web interface which will execute arbitrary commands with root privileges. Notably, the attack can be initiated remotely by an attacker who manages to fool a local user into clicking on a malicious URL hidden behind a shortened link. Otherwise, a nefarious user already on the local network can craft and visit a URL of their choice in order to achieve the same outcome.

So far, the two routers that have been confirmed to be susceptible to this vulnerability are:

  • Netgear R6400 with firmware version (and possibly earlier)
  • Netgear R7000 with firmware version (and possibly earlier)

While unconfirmed by CERT, one Reddit user indicated that their Netgear R8000 router was also affected by the flaw, which means that the list of impacted hardware may well expand over the coming days.
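Because the injection rides on a recognisable request shape (a path under /cgi-bin/ that begins with a semicolon), it can be spotted in web-server access logs. The detector below is an added example, not code from the advisory or from Netgear: the log lines are constructed in Apache common log format, since the router's own log format is not described here, and the injected path reuses the article's ";COMMAND" placeholder both plain and percent-encoded.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for the example. Two are benign requests,
# two carry the ";COMMAND" shape from the advisory (plain and URL-encoded).
SAMPLE_LOG = """\
192.168.1.20 - - [10/Dec/2016:18:01:02 +0000] "GET /index.htm HTTP/1.1" 200 5120
192.168.1.20 - - [10/Dec/2016:18:01:07 +0000] "GET /cgi-bin/settings.cgi HTTP/1.1" 200 2048
192.168.1.33 - - [10/Dec/2016:18:02:15 +0000] "GET /cgi-bin/;COMMAND HTTP/1.1" 200 17
192.168.1.33 - - [10/Dec/2016:18:02:16 +0000] "GET /cgi-bin/%3BCOMMAND HTTP/1.1" 200 17
"""

# client, timestamp, method, path, status from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_cgi_injection(path):
    """True if the decoded request path is /cgi-bin/ immediately followed by ';'.

    The query string is dropped and percent-encoding is undone first, so an
    encoded semicolon (%3B) is caught as well as a literal one.
    """
    decoded = unquote(path.split("?", 1)[0])
    return decoded.startswith("/cgi-bin/;")


def find_injection_attempts(log_text):
    """Return one record per log line whose path matches the injection shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        client, ts, method, path, status = m.groups()
        if is_cgi_injection(path):
            hits.append({"client": client, "time": ts, "path": path, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("suspected command injection:", hit)
```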


323,000 pieces of malware detected daily

December 8, 2016 – 5:37 AM

According to Kaspersky Lab, the number of new malware files detected by its products in 2016 increased to 323,000 per day. This is an increase of 13,000 from the amount in 2015, and a significant jump from the 70,000 files per day identified in 2011.

The number of cyberthreats appearing every day is now so big that it is impossible to process each one of them manually. That’s why automating the malware discovery and analysis process, in combination with human expertise, is the best approach when it comes to fighting modern cyber threats.

As a result, the Kaspersky Lab cloud malware database includes discoveries by Astraea – a machine-learning based malware analysis system working inside the Kaspersky Lab infrastructure. Over a fifth of the malicious objects included in the cloud database were discovered and identified as malicious by Astraea. The database now carries a billion malicious objects, including viruses, Trojans, backdoors, ransomware, and advertising applications and their components.

The percentage of malware discovered and added automatically to the Kaspersky Lab cloud database by Astraea has been growing steadily over the last five years: from 7.53 percent in 2012 to 40.5 percent in December 2016. The proportion is growing in line with the number of new malicious files discovered daily by Kaspersky Lab experts and detection systems. This has increased from 70,000 files per day in 2011 to 323,000 per day in 2016.


Malicious online ads expose millions to possible hack

December 7, 2016 – 5:46 AM

Since October, millions of internet users have been exposed to malicious code served from the pixels in tainted banner ads meant to install Trojans and spyware, according to security firm ESET.

The attack campaign, called Stegano, has been spreading from malicious ads in a “number of reputable news websites,” ESET said in a Tuesday blog post. It’s been preying on Internet Explorer users by scanning for vulnerabilities in Adobe Flash and then exploiting them.

The attack is designed to infect victims with malware that can steal email password credentials through its keylogging and screenshot grabbing features, among others.

The attack is also hard to detect. To infect their victims, the hackers were essentially poisoning the pixels used in the tainted banner ads, ESET said in a separate post.

The hackers concealed their malicious coding in the parameters controlling the pixels’ transparency on the banner ad. This allowed their attack to go unnoticed by the legitimate advertising networks.

Victims will typically see a banner ad for a product called “Browser Defense” or “Broxu.” But in reality, the ad is also designed to run some JavaScript that will secretly open a new browser window to a malicious website designed to exploit vulnerabilities in Flash that will help carry out the rest of the attack.