UK Parliament Hit By Cyber Attack

Late last week, the UK Parliament was under a “sustained” cyber attack.  Of course, the hackers were exploiting a known weakness common to many organizations — single-factor authentication which relies solely on passwords.

The parliamentary authorities said hackers had mounted a “determined attack” on all user accounts “in an attempt to identify weak passwords”.

A parliamentary spokeswoman said they were investigating the attack and liaising with the National Cyber Security Centre.

She said: “We have discovered unauthorised attempts to access accounts of parliamentary networks users…

“Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network.

“As a precaution we have temporarily restricted remote access to the network.”

International Trade Secretary Liam Fox said: “We have seen reports in the last few days of even Cabinet ministers’ passwords being for sale online.

“And it’s a warning to everybody, whether they are in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber security.” (source)

Whether your organization is an enterprise, SMB, not-for-profit, or government agency, you and your accounts are cyber targets.  With a robust two-factor authentication solution like GreenRADIUS, you can add a strong security layer to your organization that is easy for both users and administrators.  Contact us to learn more.
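The attack described above ran through many accounts looking for weak passwords. As an added example (not part of the original post and not GreenRADIUS code), the Python below flags a source address that fails logins against many distinct accounts inside a short window, which is the signature such a sweep leaves in authentication logs; the log format, the `detect_spray` thresholds and the addresses are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page). One source tries
# many different accounts once each, the pattern of a "try every account"
# attack; another source is a single user mistyping a password, then succeeding.
SAMPLE_LOG = """\
2017-06-23T22:01:03Z auth FAIL user=asmith src=198.51.100.7
2017-06-23T22:01:09Z auth FAIL user=bjones src=198.51.100.7
2017-06-23T22:01:15Z auth FAIL user=cwu src=198.51.100.7
2017-06-23T22:01:22Z auth FAIL user=dlee src=198.51.100.7
2017-06-23T22:01:30Z auth FAIL user=emartin src=198.51.100.7
2017-06-23T22:01:41Z auth FAIL user=fkhan src=198.51.100.7
2017-06-23T22:05:02Z auth FAIL user=gpatel src=203.0.113.9
2017-06-23T22:05:10Z auth FAIL user=gpatel src=203.0.113.9
2017-06-23T22:05:25Z auth OK user=gpatel src=203.0.113.9
"""

def parse_line(line):
    """Parse one log line into (timestamp, result, user, src); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].startswith("user=") or not parts[4].startswith("src="):
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, parts[2], parts[3][5:], parts[4][4:]

def detect_spray(log_text, min_accounts=5, window=timedelta(minutes=5)):
    """Return {src: distinct accounts} for sources that failed logins against
    at least min_accounts distinct accounts inside any sliding time window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[1] == "FAIL":
            failures[ev[3]].append((ev[0], ev[2]))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span is at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts
```

A single user failing several times is not reported, so the rule does not fire on ordinary typos; tune `min_accounts` and `window` to the login volume of your own environment.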


The Most Popular (and Worst) Passwords

A recent study of five million leaked passwords from enterprises in 2016 revealed the most popular ones among users.

Tops on the list was “123456,” which makes up about 4% of the sample set, followed closely by “password.”  In its entirety, the list shows that users continue to favor simplicity and convenience over security of their accounts. (source)

It’s hard to imagine that 4% (!) of users have that one password.  But, as we’ve mentioned before, users tend to be the weakest link when it comes to the security of an organization.

Other passwords that made the list:

  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess

With two-factor authentication and a robust solution like GreenRADIUS, the problem of weak passwords is virtually eliminated.  One-time passwords with YubiKeys or Google Authenticator along with GreenRADIUS keep sensitive networks, records, and data secure, even if user passwords are hacked or leaked.  For users and admins alike, GreenRADIUS is both simple and convenient while maintaining a strong security layer for networks, servers, websites, and more.  Contact us today to learn how GreenRADIUS can keep your organization secure.

Cloudbleed – More Bad News For Using Passwords Alone

A new internet security vulnerability was announced last week, and it is “a scary big deal”.  Cloudbleed, the name given to this vulnerability, has led to a potentially widespread leak of passwords and other data all over the internet.  And, while announced just last week, the leak could have started as early as September 2016.  Websites that use Cloudflare are affected, and those number in the thousands, including Uber, Fitbit, and others.

In plain English, Cloudflare’s software tried to save user data in the right place. That place got full. So Cloudflare’s software ended up storing that data elsewhere, like on a completely different website. Again, the data included everything from API keys to private messages. The data was also cached by Google and other sites, which means that Cloudflare now has to hunt it all down before hackers find it. (source)

In this case, no matter how complex a password was, it is vulnerable.  And as usual, two-factor authentication (2FA) is recommended.

As we’ve argued in the past, you might as well enable two-factor authentication on everything, too, since it’s your best first defense against hackers. (source)

Implementing 2FA within your organization does not have to be difficult.  In fact, with GreenRADIUS, implementation can take as little as 15-30 minutes.  And our customers find it easy to manage and easy to use for both admins and users.  Contact us today to learn more.

Phishing Scheme Allows Access to Los Angeles County Confidential Records

Last month, charges were filed against a hacker who used a phishing scheme in May 2016 to potentially access over 750,000 confidential health and personal records in Los Angeles County.  As this incident shows, phishing emails are still incredibly successful and have a high rate of employees falling for this type of cyberattack.

The May 13 attack targeted 1,000 county employees from several departments with a phishing email.  The message tricked 108 employees into providing usernames and passwords to their accounts, some of which contained confidential patient or client information, officials said.  (source, emphasis mine)

Over 10% (ten percent!) of employees provided their usernames and passwords(!) to their accounts.  That is an astonishing rate, and should be a warning to security professionals everywhere.  Users are generally the weakest link in the security world, and unfortunately, Los Angeles County became another victim.

Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.

In response to the attack, officials said they have strengthened security measures on county email accounts and enhanced employee training to guard against a growing number of cyber intrusions.

Sadly, the “enhanced employee training” may not be enough.  Even if only one percent of employees provided their credentials, that is usually more than enough for a cybercriminal to do damage: damage to the individuals whose records were accessed and damage to the reputation of the organization, among other things.

With two-factor authentication deployed organization-wide, however, phishing schemes are virtually no longer a threat.  Even if an employee provides usernames and passwords, cybercriminals will not have access to the user’s second factor, such as a YubiKey or Google Authenticator (both of which are supported by GreenRADIUS, our two-factor authentication solution).  And generally, once cybercriminals become aware that two-factor authentication is in place, they will move on to an easier target that does not have 2FA.

With a robust solution like GreenRADIUS, businesses and organizations can implement an affordable, easy-to-deploy, and easy-to-manage two-factor authentication security layer.  Contact us to learn more.

GreenRADIUS enhancements for 2017? It’s up to you!

2016 has been an exciting year for GreenRADIUS.  Apart from security-related updates and bug fixes, your feedback has been the basis of over 50 new features and improvements to GreenRADIUS during the year!

The top 3 new features added to GreenRADIUS in 2016:

  • SAML 2.0 Enterprise 2FA Single Sign-On (SSO) to cloud services such as Salesforce, G Suite and Office 365
  • 2FA over the LDAP authentication protocol (in addition to using RADIUS)
  • 2FA support for 802.1x authentication (for NAC and WiFi)

Want to see more?  Click here for my previous post.

We have some exciting announcements coming soon.  However, what else is coming in 2017 is really based on your input.  For example, based on your feedback, in 2016 we added logs for all admin events.  Now we are in the process of collecting logs from all of the different modules into syslog so that we can support SIEM central logging requirements.  We will also add archiving and log aging.

Please let us know what you need next from us.

  • Would you like to see 2FA support for a pure Microsoft RDS solution or a more general 2FA enabled gateway/remote access service that can support multiple environments?
  • What would you like to see in a cloud service version of GreenRADIUS?
  • Do you need support for Azure AD or G Suite Directory Services?
  • How would you like GreenRADIUS to work in a hybrid cloud environment such as with Azure AD?
  • With SAML 2.0 added, do you also need OAuth support?
  • Is there something else that you would like to see from us?

Please provide feedback by using our contact form or simply email us at info@greenrocketsecurity.com.  Those that provide input and suggestions by January 31, 2017 will have a chance to win 10 YubiKey 4s!

Thanks!

Top 10 New GreenRADIUS Features and Improvements in 2016

It was a busy, but successful 2016 for us!  The following new GreenRADIUS features and improvements in 2016 were almost all based on customer feedback and requirements.  So we would love to hear from you, whether you are already a customer or are looking to add two-factor authentication to your security infrastructure.

  1. SAML 2.0 Enterprise single-sign-on (SSO) to cloud services such as Salesforce, G Suite, and Office 365
  2. 2FA over the LDAP authentication protocol
  3. 2FA support for 802.1x authentication (NAC and WiFi)
  4. User portal for self-service registration of mobile tokens and, if needed, allowing self-resync of OATH HOTP/TOTP tokens
  5. On-board OpenLDAP server replication
  6. Option to prompt for OTP instead of having to append OTP to password
  7. Certificate management through the GreenRADIUS console
  8. View and filter audit logs and new filtering options in reports
  9. Management of on-board firewall through the GreenRADIUS console
  10. Diagnostics capabilities


Password Guessing Is Becoming Easier And Easier

With all of the leaked passwords that have been made available recently (passwords from services such as Yahoo and LinkedIn), cyber-criminals have access to vast data sets of passwords that make it easier to crack passwords in general.

Security researchers in the UK and China published a paper last month detailing a system for targeted password guessing that is highly effective and claiming that the threat is “significantly underestimated”.

Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes.

Using a targeted password-guessing framework named TarGuess, the researchers achieved success rates as high as 73 per cent with just 100 guesses against typical users, and as high as 32 per cent against security-savvy users. (source, emphasis mine)

As has been noted previously here and here, passwords alone are not enough to protect sensitive networks and data.  This new study simply underscores this fact.

By implementing a robust two-factor authentication solution, such as GreenRADIUS, organizations can add a strong security layer that virtually eliminates password vulnerabilities.  GreenRADIUS is easy to deploy and simple to maintain.  Contact us to learn more.


Even 16-character “random” passwords are vulnerable

I recently came across an interesting article that describes how a group of hackers approached a challenge by Ars Technica to crack 90% of 16,499 hashed static passwords in an amazingly short time!

Though I definitely knew about most of the techniques used in the challenge (the article is from 2013), what surprised me was that even seemingly long (16-character) passwords built from very random patterns could already be cracked in a matter of hours a few years ago.  This makes it even scarier today, when we have faster and cheaper systems that can be used to mimic what was used in the challenge.  The conclusion to draw from this is that long, complex passwords alone do NOT protect you.

Only static passwords combined with OTPs (One-Time Passwords), i.e. two-factor authentication (2FA), stand up to the challenge of keeping your login secure.

The challenge also shows that the claim made by some password manager applications, that a long, complex password launched from the password manager app solves the problem, is completely inadequate today.  They really need to be updated to use 2FA to protect internet-reachable assets going forward.

The following list summarizes, drawing on the information in the article, why 2FA is needed to protect logins:

  • Even seemingly random 16-char passwords can be broken in a matter of hours with cheap hardware
  • Wordlists and large lists of hacked passwords give even the unsophisticated hacker a base to crack from
  • Salted hashes make cracking significantly more difficult, but even with salt it is just a matter of time
  • Analytics of the most common way passwords are composed (capital at the start, lowercase in the middle, symbols and numbers at the end) helped make cracking faster
  • 2FA does not lend itself to the attacks described in the article because hackers cannot use brute force or precalculated lists to attack
  • With 2FA, even seemingly weak first-factors (i.e. passwords) become secure when combined with an OTP (One-Time Password)

2FA saves the day once again!
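As an added example (not from the original post and not GreenRADIUS code), here is a server-side OATH TOTP check in Python that shows why the precalculated-list and brute-force approaches in the list above do not carry over to OTPs: each time step is accepted at most once, and wrong guesses are throttled, because a 6-digit code space is small enough that the server must limit attempts. The key is the RFC 4226 test key; `TotpVerifier`, its parameters and the lockout policy are names and choices made here.

```python
import hashlib
import hmac
import struct

RFC4226_TEST_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test key

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server-side RFC 6238 TOTP check (TOTP = HOTP over the time-step counter)
    that enforces the one-time property: a time step is accepted at most once,
    and guesses are throttled because 10**6 codes is a small space."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, max_failures: int = 5):
        self.secret = secret
        self.step = step
        self.window = window          # accept +/- this many steps of clock drift
        self.max_failures = max_failures
        self.last_accepted = -1       # highest time-step counter already used
        self.failures = 0

    def verify(self, code: str, now: float) -> bool:
        if self.failures >= self.max_failures:
            return False              # locked out: too many wrong guesses
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted:
                continue              # replay of a used step (or an older one): reject
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                self.failures = 0
                return True
        self.failures += 1
        return False
```

A leaked static password gives an attacker nothing here: the code changes every step, a captured code cannot be replayed, and guessing is cut off after a few failures.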

Hillary and the Democrats Hacked

As mentioned in a previous blog post, foreign spies had been targeting the Donald Trump and Hillary Clinton presidential campaigns.  And in recent weeks, reports indicate that attacks have not only been successful but have also reached other campaign arms, especially on the side of the Democrats.

A computer network used by Democratic presidential nominee Hillary Clinton’s campaign was hacked as part of a broad cyber attack on Democratic political organizations.

The latest attack follows two other hacks on the Democratic National Committee, or DNC, and the party’s fundraising committee for candidates for the U.S. House of Representatives. (source)

A separate report shows that the data leaked by the hack revealed personal phone numbers and email addresses of congressmen.  It also revealed passwords used by the Democratic Congressional Campaign Committee (DCCC).

Some of the passwords released show a shockingly low level of security. The password for an account to the DCCC website is “changeme.” Besides cell and home numbers for Democratic congressmen, the leak also revealed many of their personal email addresses. (source)

As we have mentioned many times before, passwords alone are a weak security measure.  Users tend to make them easy to remember, keep them in an unsecured environment, and are prone to phishing attacks.

The better and more secure way to have users access sensitive data and networks is to implement a strong two-factor authentication solution, like GreenRADIUS.  GreenRADIUS is a robust and affordable solution that is easy to deploy and maintain.  It will even protect a private email server, for those that use one.

Contact us today to learn more.

Password Files on OneDrive Increasing

Corporate users of Microsoft’s OneDrive cloud storage are increasingly storing files there that contain passwords.  According to a report released last month, “enterprises are routinely storing corporate password files in the cloud through Microsoft’s OneDrive backup technology.”

And the security risk is growing worse.

The average corporate OneDrive service contains 204 unencrypted files labelled “passwords”.

This risky practice has actually increased over the last few months.  [Corporations] averaged 143 “password” files uploaded to OneDrive in Q3 2015. (source)

As much as IT professionals want to keep their organizations secure, sometimes security is only as strong as the weakest practices of its users.

Fortunately, a strong two-factor authentication solution like GreenRADIUS can keep your organization secure.  Even if passwords are compromised, GreenRADIUS and two-factor authentication can keep your networks and data secure.  Contact us today to learn more about GreenRADIUS and to evaluate it for free.