With recent news that hackers’ have attacked the German e-crime site Carders.cc resulting in members details being posted online, now seems a good time to look at just how hackers go about their business…
In a desire to reduce risk and meet compliance and audit requirements, companies invest in security technologies including firewalls, anti-virus and anti-spy/spam. The smart ones also implement security policies and controls in an effort to protect their network, assets, and business. Unfortunately all this can be defeated instantly because hackers too are harnessing new methodologies, technologies and resources. Hackers will try the easy route first, looking for the weakest links in your network, such as an out of date OS, an un-patched web server, or default configurations. But the easiest by far is getting your password.
While usernames are used in conjunction with passwords, they cannot realistically protect your data or business. Companies assign usernames systematically, often using standard first name/last name formats, making it a breeze for a hacker to find or guess a username. All that is left to protect your system is a vulnerable password and as such entry is ‘authorised’ there will be no sign of forced entry, and little chance of an alarm being raised; the biggest and most invisible threat facing us all. So, how exactly do hackers go about getting passwords?
The methods range from the ridiculously simple to highly technical. Guessing the password is ridiculously simple. A recent study of 32 million passwords showed just how ‘guessable’ passwords can be. ‘123456’ was in first position with ‘Password’ at fourth and nearly 50% of users, used names, slang words, dictionary words, or trivial passwords using consecutive digits, adjacent keyboard keys etc. A quick web search will present a hacker with a handy list.
Hackers rely on continued use of the password because it is so weak. Phishing and phasing attacks use “dummy” web sites to trick users into providing passwords and personal details. Social networks are now firmly established as a great resource for hackers who see them as the best Social Engineering Hacking tool.
A more technical approach may involve the use of traditional keyloggers, and sniffing programs, and all are available free on the internet. Typing ‘Password Hacking’ into Youtube will return over six-thousand videos demonstrating the password hack and so even the novice is off to work. With passwords so discredited, there are three key things to consider in response.
1. Password best practices state:
• They should contain at least eight characters
• They should contain a mix of four different types of characters - upper case letters, lower case letters, numbers, and special characters. If there is only one letter or special character, it should not be either the first or last character in the password.
• It should not be a name, a slang word, or a dictionary word. Neither should it include part of your name or e-mail address.
• Passwords should be changed every 30 – 90 days
2. Check your infrastructure for unnecessary or out of date bug-riddled network devices, services, or applications? Conduct a regular network audit.
3. Educate users on password security, social engineering threats and some of the latest trends. They are users not security specialists. Do they know all of the above? Do they know not to use the same password across their social and business applications? You have a duty of care.
Good password practice will help, but two-factor authentication takes it to a new, much more secure level. Providing users with a PIN and a token which generates a one-time password, valid for a single use, will deprive hackers of their quiet and invisible entry into your network. Through a combination of implementing best practice, keeping your network infrastructure robust, and employees educated, the hacker risk can be mitigated and your confidentiality and integrity maintained.
