Brute Force Attacks and Their Consequences

There is a lot of interesting discussion going on at the moment across the interwebs on the intention of the latest string of Brute Force attacks, much of which I find very interesting. While I can’t repudiate what is being said, I can add my own insight into the anatomy post attack success.

How Are These Attacks Happening

First, let’s address the first, and most important piece of information, the how. What we know, based on the data we reported earlier is that a very large majority of the attacks are coming from local PC boxes. How do we know? We’re seeing the IP’s and their incoming signatures.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia

What is the end-game?


Read More

The Password Dilemma – Unique and Complex is the Key

A lot of attention is being applied to passwords lately, and rightfully so.

Most everyone is trying to understand how easy or hard reverse engineering passwords is, and trying to better grasp the role it plays in today’s compromises. What is being realized is that it plays an instrumental role, and ranks easily amongst the top 5 reasons why web applications are compromised.

Read More

Backdoor Tool Kit – Today’s Scary Web Malware Reality

We often talk about the importance of keeping your server clean. You can see it in a number of our articles and presentations, this post will likely drive that point home.

This past week we came across a nice little package that we felt compelled to share with you. In it, the attacker makes use of a number of tools designed to help them infiltrate your environment. What’s likely most annoying about this kit is that it’s loaded into your environment, and uses your own resources to help hack you. That’s like being punched in the gut and slapped at the same time, not cool.

Read More

PRWeb Stores Passwords In Clear Text

It is 2012 and with the growing web threats you would expect to see increased measures to protect user credentials. We hope that in the wake of events with LinkedIn and eHarmony others realize the importance of an increased security posture.

Consider the recent LinkedIn, e-Harmony or similar breaches in the past to see how important this topic has become.

Back to the topic at hand…

Read More

WHMCS Website Hacked and Database Leaked

The WHMCS website and twitter accounts got compromised yesterday, and their full database (and files) were posted online.

WHMCS Twitter Hacked

Yes, it means that if you have an account there, or if you use any of the WHMCS products, you have to change all your passwords asap, and wait from a confirmation from them before downloading anything from their web site again (since it might still be compromised or with backdoors).

They posted the following on their blog:

Read More

Brute force attacks against WordPress sites

We talk a lot about the importance of using strong passwords, but sometimes it it hard to see how important it really is, or what can happen if we do not use a strong one. Most people only realize this after they have been compromised for the first time.

Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and never changes it.

Why is it bad that the password is easy and never changed?

There is a technique known as brute-force attack. Like the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..). Yes, the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.

Read More

DreamHost Security Issue Prompts FTP Password Resets

Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.

DreamHost Security BreachDreamHost looks to have done a great job notifying affected customers via the update page, keeping them up-to-date throught out the day until the issue was resolved. It looks like all FTP passwords were indeed reset.

We recommend that all DreamHost customers log into to their accounts and check their account status. It is encouraged that you change your account passwords, and it wouldn’t hurt to change your FTP and database passwords again just to make sure.

Read More

Password security without a password manager

Daniel from http://www.dailyblogtips.com published an article with some of his ideas on how to create passwords for multiple sites.

The idea is to create an algorithm and use that for every site. It is a good concept, but there is a small danger if someone steals the password from one site and figure out the algorithm used. You then lost all your passwords.

My idea and what I always use is a bit different. I don’t like password managers, but I like crypto, so I take advantage of one-way hashes (md5, sha1, etc) and generate passwords using them.

How it works?

First, I choose a good long password that I will use everywhere. For example qwerty (don’t use that, just an example). Now for every site, your password will be the md5 (or sha1) of qwerty + site name. For example:

$ echo “qwerty http://www.facebook.com” | md5
9d7d9b30592fd43dd6629ef5c12c6e9a

$ echo “qwerty http://www.twitter.com” | md5
cdf0e74e19836efb20f29120884b988d


That way my password for facebook is 9d7d9b30592fd43dd6629ef5c12c6e9a and for twitter is: cdf0e74e19836efb20f29120884b988d

Both long and secure. If someone steals my twitter password he has no way to reverse back to figure out the other passwords. Plus, doing that you don’t need any password software stored (just the md5/sha1 binaries which come by default on Linux and are easy to find on Windows).

Simple and easy..

Who has better passwords? Men or Women?

A few days ago Tonu Samuel published the distribution of passwords between men and women for a site with more than 800,000 users.

Who do you think is better at passwords? Let the gender war begin…

At total, they got around 700,000 males and 130,000 female users, but let’s look at the percentages.

  • Percentage of users using their first or last name as their password (or a combination of the two):

    Male: 5.5%
    Female: 6.2%

  • Passwords by size
  • Male:
    6 chars: 31%
    8 chars: 19%
    7 chars: 16%
    9 chars: 7%
    5 chars: 7%
    4 chars: 6%

    Female:
    6 chars: 31%
    8 chars: 18%
    7 chars: 17%
    5 chars: 8%
    9 chars: 7%
    4 chars: 7%

As you can see, the percentages are very close. My conclusion is that men and women are equally bad at creating passwords :) If you look at the document, the most used passwords are still “123456”, “password”, “qwerty”, etc… These basic combinations are used by more than 5% of all accounts.