Kubernetes container runtime CRI-O has make-me-root flaw

A vulnerability in the container runtime engine CRI-O can be exploited by a rogue user to gain root-level access on a host.

In a Kubernetes environment powered by CRI-O, the security hole can be used by a miscreant to move through a cluster as an administrator, install malware, and cause other chaos.

CrowdStrike’s threat research team discovered the privilege-escalation flaw in CRI-O version 1.19. The bug, tracked as CVE-2022-0811 and more creatively dubbed cr8escape, received a severity score of 8.8 out of 10.

CrowdStrike privately disclosed the vulnerability, and CRI-O’s developers today released a fix while recommending immediate patching. Besides Kubernetes, other software and platforms that depend on or use CRI-O – these include OpenShift and Oracle Container Engine for Kubernetes – may also be vulnerable, CrowdStrike warned.

Each Kubernetes node includes a container runtime such as CRI-O. Among other tasks, the container runtime allows containerized apps to safely share each node’s underlying Linux kernel and other resources. As part of this, Linux ensures that when one container alters a kernel setting, this change isn’t reflected in other containers or on the host as a whole, thus keeping the containers suitably isolated from each other and the underlying platform, CrowdStrike explained.

“Some parameters are namespaced and can therefore be set in a single container without impacting the system at large,” the threat researchers wrote. “Kubernetes and the container runtimes it drives allow pods to update these ‘safe’ kernel settings while blocking access to others.”

And herein lies the security flaw: CRI-O introduced a bug that allows attackers to bypass these safeguards and set kernel parameters. “Due to the addition of sysctl support in version 1.19, [the pinns utility] will now blindly set any kernel parameters it’s passed without validation,” the threat researchers explained.

This means that anyone who can deploy a pod on a cluster using the CRI-O runtime can “abuse the kernel.core_pattern parameter to achieve container escape and arbitrary code execution as root on any node in the cluster,” CrowdStrike continued.
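The check that the article says was missing, as an added example (not CRI-O's, pinns' or Kubernetes' code): a small validator that only lets a pod's requested sysctls through when they are kernel-namespaced and explicitly allowlisted, so a non-namespaced parameter such as `kernel.core_pattern` is refused before anything would write it to the host. The namespaced-prefix rule mirrors the one OCI runtimes use (only `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*` and `net.*` are namespaced); the allowlist, the value regex and the sample pod sysctls are constructed for this example.

```python
"""Validate pod-requested sysctls before a runtime would apply them.

Added example, not CRI-O's code. Two tiers: a sysctl must be kernel-
namespaced (otherwise it changes the host kernel for every container),
and it must additionally be allowlisted (a subset of the kubelet's
default "safe" set is used here, plus whatever the operator opts in).
"""
import re

# Namespaced sysctl families (the same rule OCI runtimes such as runc apply).
NAMESPACED_PREFIXES = ("kernel.shm", "kernel.msg", "fs.mqueue.", "net.")
NAMESPACED_EXACT = {"kernel.sem"}

# Constructed allowlist for the example: three of the kubelet's default
# "safe" sysctls. Everything else needs an explicit operator opt-in.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}

# Conservative syntax rules chosen for this example: dotted lowercase names,
# short values made of letters, digits, spaces and a few punctuation marks.
SYSCTL_NAME = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)+$")
SYSCTL_VALUE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def is_namespaced(name):
    """True if the kernel scopes this sysctl to a namespace."""
    return name in NAMESPACED_EXACT or name.startswith(NAMESPACED_PREFIXES)


def validate_sysctls(requested, allow_unsafe=frozenset()):
    """Return the sysctls that may be applied for this pod.

    Raises ValueError on the first parameter that is malformed, not
    namespaced, or namespaced but not allowlisted. Callers must treat an
    exception as "refuse the pod", never as "apply the rest".
    """
    accepted = {}
    for name, value in requested.items():
        value = str(value)
        if not SYSCTL_NAME.match(name):
            raise ValueError(f"malformed sysctl name: {name!r}")
        if not SYSCTL_VALUE.match(value):
            raise ValueError(f"malformed value for {name}: {value!r}")
        if not is_namespaced(name):
            raise ValueError(f"{name} is not namespaced; it would change the host kernel")
        if name not in SAFE_SYSCTLS and name not in allow_unsafe:
            raise ValueError(f"{name} is namespaced but not allowlisted")
        accepted[name] = value
    return accepted


# Constructed sample: what a pod's securityContext.sysctls might render to.
POD_SYSCTLS = {
    "net.ipv4.tcp_syncookies": "1",
    "kernel.core_pattern": "core",   # harmless value, but the name is host-wide
}


def demo():
    """Show the refusal a runtime should produce for the sample pod."""
    try:
        validate_sysctls(POD_SYSCTLS)
        return "accepted"
    except ValueError as err:
        return f"refused: {err}"


if __name__ == "__main__":
    print(demo())
```

Note that refusing is done by raising rather than by silently dropping the offending entry: a pod whose sysctls were partially applied is harder to reason about than one that never started.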

[…]

Source: Kubernetes container runtime CRI-O has make-me-root flaw

How safe are your passwords in 2022?

The 2022 update to our famous Hive Systems Password Table that’s been shared across the internet, social media, the news, and organizations worldwide. So what’s new, and what’s our methodology behind it? Keep reading!

Hive Systems Password Table: time it takes a hacker to brute force a password in 2022

It’s been two years since we first shared our (now famous) password table. So it was about time we not only updated it for 2022 but also walked you through our methodology. While the data fits nicely into the table above, things aren’t as simple as it shows. So we’ll walk you through our data, our assumptions, and oh, you’re going to see a LOT of variations of the password table above!

“So how’d you make the table?”

In 2020, we shared a colorful table that took the internet by storm. It showed the relative strength of a password against a brute force cracking attempt, based on the password’s length and complexity. The data was based on how long it would take a consumer-budget hacker to crack your password hash using a desktop computer with a top-tier graphics card. Two years later – quite a long period of time in processing power improvement terms – we’re long overdue for an update.

First, let’s get some key terms out of the way. We’re going to talk about hashing. In the context of passwords, a “hash” is a scrambled version of text that is reproducible if you know what hash software was used. In other words, if I hash the word “password” using MD5 hashing software, the output hash is 5f4dcc3b5aa765d61d8327deb882cf99. Now if you hash the word “password” using MD5 hashing software, you’ll also get 5f4dcc3b5aa765d61d8327deb882cf99! We both secretly know the word “password” is our secret code, but anyone else watching us just sees 5f4dcc3b5aa765d61d8327deb882cf99. For this reason, the passwords you use on websites are stored in servers as hashes instead of in plain text like “password” so that if someone views them, in theory they won’t know the actual password.

You can’t do the reverse. A hash digest like 5f4dcc3b5aa765d61d8327deb882cf99 can’t be reverse computed to produce the word “password” that was used to make it. This one-way approach for hashing functions is by design. So how do hackers who steal hashes from websites ultimately end up with a list of real life passwords?

Hackers solve this problem by cracking the passwords instead. In this context, cracking means making a list of all combinations of characters on your keyboard and then hashing them. By finding matches between this list and the hashes from the stolen passwords, hackers can figure out your true password – letting them log into your favorite websites. And if you use the same password on multiple sites, you’re in for a bad time.

You can do this comparison with any computer, but it is much faster if you accelerate the process with a powerful graphics card. Graphics cards are those circuit boards that stick out of your computer’s bigger green circuit board. Among other things, this special circuit board has a Graphics Processing Unit (GPU) on it. A GPU is the shiny square tile on your graphics card that likely says NVIDIA or AMD on it. Originally GPUs were built to make pictures and videos load faster on your computer screen. As it turns out, they’re also great for mining cryptocurrencies, and for calculating hashes. A popular application for hashing is called Hashcat. Hashcat implements hash functions, like MD5, runs them at high speed, and reports how fast it was able to do so. As a side note, we usually say “hash function” instead of “hash software.”
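The arithmetic behind a table like the one above, as an added example that is not Hive Systems’ code or data: a keyspace-and-time estimate for a given length, character set and cracking rate, the MD5 check the text walks through, and the defender’s side of the same story, a salted, iterated password hash under which two users with the password “password” no longer share a digest. The cracking rate used in the demo is a hypothetical placeholder, not Hive’s benchmark figure.

```python
"""Brute-force cost estimates and the hashing that makes them matter.

Added example, not Hive Systems' code. HASHES_PER_SECOND below is a
placeholder rate for illustration; the real table is built from measured
GPU benchmarks that this example does not reproduce.
"""
import hashlib
import hmac
import os
import string

HASHES_PER_SECOND = 1e10  # hypothetical rate, not a measured figure

# Character-set sizes of the kind a password table's columns are built from.
CHARSETS = {
    "numbers only": len(string.digits),                              # 10
    "lowercase letters": len(string.ascii_lowercase),               # 26
    "upper and lowercase letters": len(string.ascii_letters),       # 52
    "letters and numbers": len(string.ascii_letters + string.digits),  # 62
    "letters, numbers, symbols": len(string.ascii_letters + string.digits
                                     + string.punctuation),          # 94
}


def keyspace(length, charset_size):
    """Number of candidate passwords of exactly this length and alphabet."""
    return charset_size ** length


def seconds_to_exhaust(length, charset_size, hashes_per_second=HASHES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(length, charset_size) / hashes_per_second


def humanize(seconds):
    """Render a duration the way a password table does ('instantly', '3 years')."""
    if seconds < 1:
        return "instantly"
    units = [("year", 365 * 86400), ("day", 86400), ("hour", 3600),
             ("minute", 60), ("second", 1)]
    for name, size in units:
        if seconds >= size:
            n = seconds / size
            return f"{n:,.0f} {name}{'' if round(n) == 1 else 's'}"


def build_table(lengths=range(4, 19), hashes_per_second=HASHES_PER_SECOND):
    """One row per length, one cell per character set, as a nested dict."""
    return {length: {name: humanize(seconds_to_exhaust(length, size, hashes_per_second))
                     for name, size in CHARSETS.items()}
            for length in lengths}


def md5_hex(text):
    """The reproducible digest the article describes (MD5 is unsalted and fast)."""
    return hashlib.md5(text.encode()).hexdigest()


# Defender's side: a salted, iterated hash. Every guess now costs ITERATIONS
# hash computations, and identical passwords get different stored values.
ITERATIONS = 100_000  # kept modest so the example runs quickly; use more in production


def store_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for length, row in build_table(lengths=(8, 12, 16)).items():
        print(length, row)
    print(md5_hex("password"))
```

Two things the table alone does not show: the MD5 digest of “password” is the same wherever it is computed, which is exactly what lets a precomputed list match stolen hashes, whereas the salted, iterated digest differs per user and multiplies the attacker’s cost per guess by the iteration count.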

[…]

Source: Are Your Passwords in the Green?

The rest of the article is very interesting, including many more graphs depicting various scenarios

NSA report: This is how you should be securing your network

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks.

NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance‘ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks.

The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations.

The document, from NSA’s cybersecurity directorate, encourages the adoption of ‘zero trust’ networks. Zero trust assumes malicious insiders and threats existing inside and outside classical network boundaries.

[…]

Source: NSA report: This is how you should be securing your network | ZDNet

Samsung Screwed Up Encryption on 100M Phones

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21.

Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that’s found in smartphones.

What’s more, cyber attackers could even exploit Samsung’s cryptographic missteps – since addressed in multiple CVEs – to downgrade a device’s security protocols. That would set up a phone to be vulnerable to future attacks, including IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the corresponding ciphertexts will each be distinct.

Untrustworthy Implementation of TrustZone

In a paper (PDF) entitled “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design” – written by Alon Shakevsky, Eyal Ronen and Avishai Wool – the academics explain that nowadays, smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management (DRM) data; data for mobile payment services such as Samsung Pay; and enterprise identity management.

The authors are due to give a detailed presentation of the vulnerabilities at the upcoming USENIX Security 2022 symposium in August.

The design flaws primarily affect devices that use ARM’s TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions.

TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Cryptography Experts Wince

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated “serious flaws” in the way its phones encrypt key material in TrustZone, calling it “embarrassingly bad.”

“They used a single key and allowed IV re-use,” Green said.

“So they could have derived a different key-wrapping key for each key they protect,” he continued. “But instead Samsung basically doesn’t. Then they allow the app-layer code to pick encryption IVs.” The design decision allows for “trivial decryption,” he said.
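Why “a single key and IV re-use” gives “trivial decryption”, and what Green’s alternative looks like, as an added example that is neither Samsung’s Keymaster code nor the paper’s. It uses a toy counter-mode stream cipher built from HMAC-SHA256 (a stand-in for AES-GCM’s keystream, sharing the one property that matters here: the keystream depends only on the key and IV), shows the flawed pattern where one key is used and the caller picks the IV, and beside it a wrapper that derives a distinct wrapping key per blob and generates the IV itself. Key, IV, blob IDs and plaintexts are constructed samples.

```python
"""IV reuse under a single key, and the per-blob-key fix.

Added example, not Samsung's or the paper's code. The stream cipher is a
toy (HMAC-SHA256 in counter mode) with no authentication tag; real designs
use an AEAD such as AES-GCM, but the keystream-reuse failure is identical.
"""
import hashlib
import hmac
import os


def keystream(key, iv, length):
    """Counter-mode keystream: block i = HMAC(key, iv || i). Same (key, iv)
    always yields the same bytes, which is exactly what IV reuse exposes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- Flawed pattern: one long-lived key, IV chosen by app-layer code ----------

def encrypt_caller_picks_iv(key, iv, plaintext):
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def recover_with_known_plaintext(c_known, p_known, c_target):
    """If two blobs share (key, iv), c1 ^ c2 == p1 ^ p2, so knowing p1
    (e.g. a key the attacker imported themselves) reveals p2."""
    return xor(xor(c_known, p_known), c_target)


# --- Hardened pattern: per-blob wrapping key, IV generated internally --------

def derive_wrapping_key(master_key, blob_id):
    """Distinct key per protected blob, derived from a master key and an
    identifier. Compromise or reuse on one blob does not touch another."""
    return hmac.new(master_key, b"wrap-key|" + blob_id, hashlib.sha256).digest()


def wrap(master_key, blob_id, plaintext, rng=os.urandom):
    iv = rng(12)  # chosen here, never accepted from the caller
    k = derive_wrapping_key(master_key, blob_id)
    return iv, xor(plaintext, keystream(k, iv, len(plaintext)))


def unwrap(master_key, blob_id, iv, ciphertext):
    k = derive_wrapping_key(master_key, blob_id)
    return xor(ciphertext, keystream(k, iv, len(ciphertext)))


# Constructed samples: a 32-byte master key, a fixed IV, two 32-byte "keys"
# that the secure world is asked to protect.
MASTER_KEY = b"\x11" * 32
FIXED_IV = b"\x00" * 12
P_KNOWN = b"attacker-known key material 0001"
P_SECRET = b"victim's secret wrapped key 0002"


def demo():
    """Returns (attack_works_on_flawed, attack_works_on_hardened)."""
    c1 = encrypt_caller_picks_iv(MASTER_KEY, FIXED_IV, P_KNOWN)
    c2 = encrypt_caller_picks_iv(MASTER_KEY, FIXED_IV, P_SECRET)
    flawed = recover_with_known_plaintext(c1, P_KNOWN, c2) == P_SECRET

    _, w1 = wrap(MASTER_KEY, b"blob-1", P_KNOWN)
    _, w2 = wrap(MASTER_KEY, b"blob-2", P_SECRET)
    hardened = recover_with_known_plaintext(w1, P_KNOWN, w2) == P_SECRET
    return flawed, hardened


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The hardened wrapper fixes both halves of Green’s complaint at once: the caller cannot supply an IV, and even if two blobs somehow shared one, their keystreams would differ because their wrapping keys differ.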

[…]

Source: Samsung Screwed Up Encryption on 100M Phones | Threatpost

PwC’s HSE hack post-incident report should be a textbook for leaders

Ireland’s Health Services Executive has published a fresh summary of the devastating ransomware attack that hit the country’s healthcare sector in the summer of 2021 — on the back of a detailed public post-incident report by consultancy PwC. The HSE is Ireland’s largest public sector employer, with 130,000+ staff manning 70,000+ IT devices across 4,000 locations. More than 80% of the HSE’s extensive IT estate was affected by the Conti ransomware attack, which saw 31 of its 54 acute hospitals cancel services ranging from surgery to radiotherapy.

The report notes that:

  • The HSE did not have a Chief Information Security Officer (CISO) or a “single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.”
  • It had no documented cyber incident response runbooks or IT recovery plans (apart from documented AD recovery plans) for recovering from a wide-scale ransomware event.
  • Under-resourced Information Security Managers were not performing their business as usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. Antivirus software triggered numerous alerts after detecting Cobalt Strike activity but these were not escalated. (The antivirus server was later encrypted in the attack).
  • There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Healthcare Network (NHN).
  • There was a lack of effective patching (updates, bug fixes etc.) across the IT estate and reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. (The initial workstation attacked had not had antivirus signatures updated for over a year.)
  • Over 30,000 machines were running Windows 7 (out of support since January 2020).
  • The initial breach came after a HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email; numerous subsequent alerts were not effectively investigated.

PwC’s crisp list of recommendations in the wake of the incident — as well as detail on the business impact of the HSE ransomware attack — may prove highly useful guidance on best practice for IT professionals looking to set up a security programme and get it funded. (PwC’s full 157-page HSE post-incident report is here.)


HSE post-incident report recommendations

HSE’s IT environment had high-risk gaps relating to 25 of the 28 critical cybersecurity controls. Credit: PwC

Among its recommendations: That the HSE “should establish clear responsibilities for IT and cybersecurity across all parties that connect to the NHN, or share health data, or access shared health services. This formalisation of responsibilities should include specification of Service Level Agreements (SLAs) for centrally-provided services, including availability requirements. The HSE should define a code of connection that defines the minimum acceptable level of security controls necessary to connect into the NHN, to be agreed by all parties connected to the NHN, including requirements for central reporting of cybersecurity alerts and incidents. The HSE should establish a programme to monitor and enforce ongoing compliance with this code of conduct. Compliance with the code of connection should become part of the onboarding process of any connecting organisation.”

The report is in keeping with similar post-incident reports across most major recent cybersecurity incidents, including the ransomware attack on the Colonial Pipeline in the US in 2021 — with that company also having an absence of cybersecurity leadership and a basic lack of security hygiene contributing to the incident’s impact.

Source: PwC’s HSE hack post-incident report should be a textbook for leaders

polkit has been allowing root for 12+ years

[…] Polkit, previously known as PolicyKit, is a tool for setting up policies governing how unprivileged processes interact with privileged ones. The vulnerability resides within polkit’s pkexec, a SUID-root program that’s installed by default on all major Linux distributions. Designated CVE-2021-4034, the vulnerability has been given a CVSS score of 7.8.

Bharat Jogi, director of vulnerability and threat research at Qualys, explained in a blog post that the pkexec flaw opens the door to root privileges for an attacker. Qualys researchers, he said, have demonstrated exploitation on default installations of Ubuntu, Debian, Fedora, and CentOS, and other Linux distributions are presumed to be vulnerable as well.

“This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009,” said Jogi, pointing to commit c8c3d83, which added a pkexec command.

The problem occurs when pkexec’s main() function processes command-line arguments and argc – the ARGument Count – is zero. The function tries to access the list of arguments anyway, and ends up trying to use an empty argv – the ARGument Vector of command-line argument strings. As a result, out-of-bounds memory gets read and written, which an attacker can exploit to inject an environment variable that can cause arbitrary code to be loaded from storage and run by the program as root.

[…]

At least the exploitation technique proposed by Qualys – injecting the GCONV_PATH variable into pkexec’s environment to execute a shared library as root – leaves traces in log files.

[…]

Source: Linux system service polkit has make-me-root security flaw • The Register

MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats

A new type of malware takes a decidedly more stealthy and hard-to-remove path into your OS — it hides in your BIOS chip and thus remains even after you reinstall your OS or format your hard drive.

Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most storing malware on the EFI System Partition of the PC’s storage device. However, a sinister development has been spotted over the New Year with a new UEFI malware, detected by Kaspersky’s firmware scanner logs, that implants malicious code into the motherboard’s Serial Peripheral Interface (SPI) Flash. The security researchers have dubbed this flash-resident UEFI malware ‘MoonBounce’.

[…]

Below, a flow chart breaks down how MoonBounce boots and deploys from the moment your UEFI PC is switched on, through Windows loading, and into being a usable but infected PC.

(Image credit: Kaspersky Labs)

APT41 Fingerprints Detected

Another important branch of the work done by security researchers like Kaspersky is looking into who is behind the malware that it discovers, what the purposes of the malware are, and what specific targets the malware is primed for.

Concerning MoonBounce, Kaspersky seems pretty certain that this malware is the product of APT41, “a threat actor that’s been widely reported to be Chinese-speaking.” In this case, the smoking gun is a “unique certificate” that the FBI has previously reported as signaling the use of APT41-owned infrastructure. APT41 has a history of supply chain attacks, so this is a continuation of a central thread of APT41’s nefarious operations.

Safety Measures

To help avoid falling victim to MoonBounce or similar UEFI malware, Kaspersky suggests a number of measures. It recommends users keep their UEFI firmware updated directly from the manufacturer, verify that BootGuard is enabled where available, and enable Trusted Platform Modules. Last but not least, it recommends a security solution that scans system firmware for issues so measures can be taken when UEFI malware is detected.

Source: MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats | Tom’s Hardware

Safari 15 could leak Google account info to malicious sites

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers.

The vulnerability was discovered by fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository.

As of 28 November last year, the issue had not been fixed, so the team at Fingerprint JS decided to make the finding public to encourage a faster repair.

[…]

not only can a malicious website learn the user’s identity, it can stitch together multiple separate accounts from the same user without that person even doing anything, other than running a window in the background. The malicious website can open other websites, if programmed in an iframe or popup, and thus open a Pandora’s box of leaking data.

Fingerprint JS made a video explaining the process:

[…]

Source: Safari 15 could leak Google account info to malicious sites • The Register

Security Holes Found in My2022 App for Beijing Winter Olympics

An app that visitors to the 2022 Olympics Games in Beijing are obligated to download is also a cybersecurity nightmare that threatens to expose much of the data that it collects, according to a new report.

MY2022, the mandatory app for visitors at this year’s Winter Games, offers a variety of services—including tourism recommendations, Covid-related health monitoring, and GPS navigation.

[…]

According to a new report from digital researchers with Citizen Lab at the University of Toronto, the app is so insecure that it may violate China’s own data security law, the Chinese Personal Information Protection Law, which went into effect late last year and is supposed to ensure basic data protections for Chinese citizens. The app may also be in violation of Google’s Unwanted Software Policy, which helps weed out malicious apps in the Android ecosystem, as well as Apple’s App Store guidelines, the report notes.

[…]

the app often fails to validate SSL certificates—meaning that it doesn’t verify where it’s actually sending the data that it transmits. This sets users up for potential man-in-the-middle cyberattacks, in which an attacker could spoof a connection to a legitimate website and thereby thieve data sent by the app. At the same time, researchers found that the app also transmits certain kinds of metadata without any kind of SSL encryption or other security protection at all—leaving it wide open for public inspection in certain cases.

In summation, despite collecting large amounts of sensitive health and travel information on its users (think: passport details, medical history, demographic data, and so on), MY2022 lacks safeguards to protect it.

[…]

They note that much of the data that has been left vulnerable to theft is already being openly collected by the Chinese government (the app’s privacy policy explains this)—so there would be little reason to implement a surveillance workaround. The report also notes that digital security is not so great in the Chinese app ecosystem overall, and, thus, it might be the case that the MY2022 developers simply created a shitty app, not a sneaky one.

[…]

Source: Security Holes Found in My2022 App for Beijing Winter Olympics

The Worst Passwords in the Last Decade (And New Ones You Shouldn’t Use)

Have you immortalized your beloved dog, Charlie, in all of your online passwords? While he may be tasked to protect your home (or at least his food bowl), your heartfelt dedication might actually be compromising your digital safety.

Many passwords believed to be deeply personal to you are, in fact, quite common – making them easier to crack – and they could be putting you at an increased risk of being targeted by cybercriminals.

With this in mind, we’ve looked at the world’s most popular passwords in the last decade and found that millions of people worldwide are choosing the same passwords year after year.

Not only that, but there are common trends cropping up time and time again that are influencing the passwords we’re selecting – from your favorite pets and sports teams, to celebrities and movie titles.

Ready to take a look at the world’s worst passwords? Let’s dive in and find out why ‘Charlie’ might not be such a good boy after all.

Passwords: The Statistics

Although many of us know the dangers of weak passwords, it doesn’t stop us from choosing them. We rely on passwords to protect some of our most sensitive information, from dates of birth and addresses, to security codes, and credit card data.

Yet, still, we often opt for the same easy-to-guess passwords that cybercriminals can hack in a matter of seconds. Criminals use a variety of methods to hack our accounts, with one of the most popular being credential stuffing. Attackers find lists of compromised credentials – usually available from data leaks or purchased from the dark web – and combine stolen usernames and passwords together across hundreds of websites until they get access to your account. But usually, it’s not just one account.

The majority of us use the exact same password across several accounts to avoid the frustration of being locked out of accounts and having to remember longer, complicated passwords. But the risks associated with weak passwords cannot be ignored.

Password hacks are responsible for 81% of all data security breaches, making them the leading cause of compromised personal data. Reusing weak passwords gives hackers access to all of our apps and site logins in no time at all, leaving you vulnerable to fraud, identity theft, and other harmful cyber attacks.

We’re certainly not short of options to secure our passwords, either. There are plenty of password generators, managers, and other tools available to create unhackable passwords. Password managers, such as the CyberGhost Password Manager, even remember them for you, so you don’t have to.

Many websites also make stronger passwords a requirement, specifying the number of characters you should use, or that they should include a mixture of numbers, letters, and symbols. Some won’t even let you create an account if they think you’re using a fragile password.

So, what’s our excuse for making weak passwords to protect all of our personal or confidential information? Nothing, really.

The World’s Most Common Passwords in the Last Decade

Millions of passwords are hacked every year. And if we’ve learned anything from the lists of leaked passwords, it’s that they’re anything but unique.

Here’s a roundup of the world’s most common passwords over the last decade. If your password falls into these categories, it’s time to change it – and fast.

Number Sequences & Variations

Passwords involving number sequences and variations have stayed high on the list of the most used passwords year after year. They’re also some of the most hacked passwords, because they’re incredibly easy to crack.

Rather than a completely random set of numbers, these passwords usually follow a sequence, either in numerical order, or a few numbers repeated several times. Some users add letters and other characters to try to make these passwords more complicated, but again, these follow an easy-to-guess sequence.

The most common password is ‘123456’. It is actually the most used and compromised password in the world, occurring in 23.2 million cyber breaches in 2019.

Many use their dates of birth, which, while more unique, are still very weak. It doesn’t take long for a cybercriminal to figure out your birthday – usually a quick scroll of your social media profile will give them all they need. Birthdays can also be easily sequenced and decoded, since databases holding this information are readily available to anyone.

Hackers also often use algorithms to crack passwords, whereby computers guess simple numerical sequences at rapid speed. In a mere few seconds, a cybercriminal has access to your account. Essentially, you’re fighting against computer processing powers – and you’ll never win.

The Password

Ironically, millions of people worldwide choose the word ‘password’ as their password.

In fact, ‘password’ has remained in first or second place consistently for years, though recently more of us have been using variations that we think are trickier to decode, adding numbers or switching out letters for numbers, including ‘password1’ or ‘passw0rd’.

We’ve even seen foreign variations of ‘password’ hitting the list, with ‘senha’ being a popular choice. For those of you wondering, ‘senha’ is Portuguese for ‘password’.

In 2019, ‘password’ was one of the most widely used passwords across breached accounts, occurring in 3.6 million breaches.

Other translations for password aren’t as popular though, especially those with special characters, perhaps because they’re harder to type in.

That said, if you’re tempted to use a foreign variation of ‘password’, it’s best not to. It doesn’t take long for a cybercriminal to work their way through the many different global languages before they get access to your account.

Keyboard Patterns

Keyboard patterns have long been popular passwords, with ‘qwerty’ ranking highly in all lists over the last 10 years. But many of us have tried to get more creative in recent years, adding in diagonal and backwards variations, numbers, and more characters.

Being creative with keyboard patterns doesn’t necessarily make them stronger, though. ‘qwerty’ is one of the most hacked passwords in the world, actually ranking higher than ‘password’ itself.

In 2019, ‘qwerty’ was involved in 4 million cybersecurity breaches.

Variations of ‘qwerty’ have gradually grown in popularity, probably as a result of many people realizing just how popular (and hackable) the word is on its own. Adding a few numbers onto the end or changing the pattern backwards is still a recipe for disaster.

Movies & TV Shows

Movies and TV shows are a very popular category when it comes to passwords. We’ve seen movie titles and series names pop up regularly over the last decade, with some of them shared by millions of us around the world.

While it can be tempting to set your all-time favorite movie and TV series as your password, doing so makes you vulnerable to hackers – especially if it’s very well-known or it’s premiered recently.

In 2014, ‘starwars’ made the list of popular passwords, coinciding with the long-anticipated release of Star Wars: The Force Awakens. Since then, it’s stayed high in the list, making us question how often people are actually changing their passwords once they’ve chosen them. Even the password ‘yoda’ has been hacked over 37,000 times.

The password ‘ninja’ also ranked highly back in 2012. That same year, the reboot of the highly popular kids TV show, Teenage Ninja Turtles, hit our screens. It seems there’s a pattern developing here, doesn’t it?

If you’re a lover of Pokémon and James Bond, think again before you set either of these as your password. Both ‘pokemon’ and ‘bond007’ are widely used. Hackers will try alphanumeric variations, too, including ‘p0kemon’, so even switching out a couple of characters doesn’t mean you’re safe.

Names

Unsurprisingly, names top the list of most popular passwords year after year.

If your name features on the list of the world’s most popular names, avoid using it as your password at all costs. ‘Michael’ for example, ranks at spot 18 of the world’s most popular names, and has consistently made it to the top 20 most used passwords.

Other common names also follow the same pattern. Some to avoid include ‘Ashley’, ‘Jessica’, ‘Jennifer’, ‘Thomas’, and ‘Daniel’. But, honestly, even those with more obscure names aren’t safe. Remember, it only takes a cybercriminal a few minutes to find your details and enter your name with your email to log in to one of your accounts.

It’s not just your first names you need to worry about, either. You’ll definitely remember the name of your child as your password, but it leaves you and your information vulnerable.

Trends show that the most popular baby names each year coincide with common passwords. ‘Maverick’, for example, reached spot 39 of the world’s most popular baby names in 2021. And it’s since become an in-demand password choice.

Animals & Pets

Animals are a consistent hot topic for passwords, although not necessarily the popular, domestic animals you’d expect.

Likely, the names of many domesticated animals, including cats and dogs, aren’t long enough to meet character requirements for passwords. But also, perhaps many of us are trying to think out of the box and choose animals that are tougher to guess. We aren’t succeeding, though.

Both ‘dragon’ and ‘monkey’ have ranked consistently high in the last decade. While we don’t know the real reasons people choose these words, we do know that people tend to create passwords based on things they like.

Dragons in particular have weaved their way into our culture many times, from Game of Thrones to Dungeons & Dragons, so is it any wonder millions of us are choosing this mythical creature to lock our accounts?

Another likely influence is astrology. Both ‘monkey’ and ‘dragon’ are animals in the Chinese or lunar zodiac, and could be representative of a large population in Asian countries (and elsewhere) choosing these animals for their passwords. ‘tiger’ and ‘rabbit’ also made the lists – another two of the twelve Chinese zodiac animals.

Popular pet names are also a common theme. We compared names we found with the world’s most popular pet names list, and found a direct link. If your favorite childhood pet was named ‘Bailey’, ‘Buster’, or the beloved ‘Charlie’, it’s time to change your password. In fact, just steer clear of choosing a password that includes your pet’s name full stop.

Sports & Team Names

Choosing your favorite sport or team as your password makes it easy to remember, but also easily guessable.

Sports and team names have been consistently used as passwords for many years. In fact, sports is one of the most common themes for passwords, of all the categories we identified.

In particular, ‘football’, ‘soccer’, ‘golf’, ‘hockey’, ‘baseball’, and ‘basketball’ are some of the most frequently used passwords. ‘football’ has long been a top choice of password, ranking in the top 10 for the last decade. It’s only in more recent years that we’ve seen new sports contenders moving up the list.

We can also see trends in actual team names, especially across popular US sports, including American football and basketball. ‘Lakers’, ‘Eagles’, ‘Yankees’, and ‘Cowboys’ all made it into the list of the most popular passwords.

‘Liverpool’ topped the league of most guessable passwords, accounting for 280,723 cyber breaches.

In the UK, recent statistics show a similar trend with football (soccer) teams. Passwords using the words Liverpool, Chelsea, Arsenal, ManUtd, and Everton were all involved in a significant number of cyber breaches in 2019.

Cars & Vehicles

In the last decade, car models in particular have ranked highly in the world’s most used passwords.

Some of the most frequently used include ‘mercedes’, ‘ferrari’, ‘corvette’, ‘porsche’, and ‘mustang’.

‘Mustang’ moved up the list in 2014 coinciding with the release of the 50th year limited edition model. Interestingly, the Ford Mustang was also featured in Fast & Furious 6, which was released the year prior in 2013, likely influencing people’s preference for this password.

Similarly, the Corvette was used in the Transformers: Age of Extinction (2014) movie, as well as Gran Turismo 6, a popular video game released in December 2013. While both cars are popular regardless, clearly car-driven movies are a driving force for password decisions.

It’s not just cars to watch out for, either. ‘harley’ features as a widely used password, probably after the famous Harley Davidson motorcycles.

IT & Technology

The constant evolution of technology coincides quite naturally with the rise in tech-related passwords. This is likely linked to the ever-growing necessity for testing by IT departments.

In the last 10 years, we’ve seen a high number of dummy accounts created by developers to test applications and websites. Passwords such as ‘test’, ‘admin’, ‘master’, and ‘login’, have all become more common since 2019, including the many different variations swapping out letters for numbers and adding in symbols.

More often than not, IT departments reuse the same default passwords to test accounts. But this is putting organizations at risk, with many falling victim to botnet attacks as a result of weak, hackable passwords.

Cybercriminals use repetitive, password-guessing tech to break through systems and compromise company devices by guessing combinations of passwords. Weak passwords such as ‘test1’, ‘welcome’, and ‘letmein’ are easily guessable, and only take bots a matter of seconds to correctly decode.

The technology industry is set to explode even more in the next 3 years, with a forecasted growth rate of 104% in emerging tech. Based on recent trends, it’s likely we can expect many more passwords linked to testing and admin in the future.

Applications, Games & Sites

Applications, games, and websites consistently show up in the lists of popular passwords. Worryingly, however, many people are probably choosing a password correlating to the site they’re using, such as ‘google’ to access Gmail accounts and Google Drive, making them some of the worst possible passwords to use.

Both ‘Adobe’ and ‘Photoshop’ were incredibly popular between 2011-2013, as well as variations of these words, but they have since dropped off lists in favor of new, mainstream apps. That doesn’t mean they’re safe to use though – these passwords are easy to guess and hack.

Video-editing apps have grown in popularity with ‘dubsmash’ and ‘animoto’ appearing on lists since 2019. Most probably, this is due to the rise of TikTok with more of us creating videos to post on the platform.

In 2020, ‘evite’ climbed up the rankings, likely as a result of the data breach it experienced in 2019 which compromised data from over 100 million accounts. Again, this is further evidence that users were simply using the name of the platform as their passwords for their accounts.

Characters & Celebrities

We’re constantly seeing celebrities and characters pop up in the news, online, and on our TV screens, so it’s no wonder, really, that famous people also find their way into our passwords.

Superheroes are an especially popular choice for passwords, with ‘superman’ and ‘batman’ being used by millions worldwide every year since 2011. But another key trend we’ve seen is fictional characters, especially those from children’s movies and TV shows. ‘tigger’, ‘snoopy’, and ‘scooby’ are all used frequently year after year.

Even the name ‘Justin’ hit the list of most used passwords in 2020, possibly linked to the well-known singer Justin Bieber who released a number one album that year. Similarly, ‘Donald’ (probably after Donald Trump) shot up the list in 2018 during his time as president.

Key Events

Key global events play a key part in password choices, showing that clearly, whatever is at the forefront of our minds is influencing the words that end up protecting our accounts.

In 2011, ‘princess’ became one of the most popular passwords. Incidentally, this coincides with the Royal Wedding of Prince William and Princess Kate, which was watched by more than 160 million viewers around the globe.

We can see similar trends in more recent years.

In 2016, ‘football’ climbed up rankings as one of the most chosen passwords. That same year, football experienced some of the most memorable sports moments to date, including the Euros in France, the summer Olympics in Rio (where Brazil won gold in football), and Leicester City winning the UK Premier League against all odds.

Fast forward to 2020, and the same trend re-emerged. ‘Soccer’ hit the list of most popular passwords, following the 2020 Euros and Champions League Final, perhaps relating to an increase in audiences tuning in from the US and Australia where ‘soccer’ is more often used to refer to football.

Politics

The political climate is one that’s certainly been turbulent in recent years, with many unprecedented political events around the world and rising conflict. And the world’s most popular password lists reflect that, too.

In 2018, ‘donald’ became one of the most widely used passwords, after Donald Trump’s election as president of the United States in 2017.

Interestingly, we also saw ‘freedom’ become a top password choice in the same year, coinciding with the drastic change in the political climate influenced by Donald Trump.

In 2017, ‘ranger’ also hit the most-used password lists, following the globally shared story of a park ranger’s facial expressions in response to Donald Trump’s salary donation.

The politics category is perhaps not as saturated as others when it comes to passwords, but it clearly shows how the global climate is influencing our password decisions. If we’ve learned anything so far, it’s not to use any president’s or prime minister’s name as your password.

Nature

A common – perhaps expected – theme for passwords over the last decade is nature, including plants, seasons, and even actual weather.

Some of the most-used passwords include ‘summer’, ‘flower’, ‘sunshine’, and ‘winter’, which have made lists year after year. But we’ve even seen ‘thunder’ being used, albeit lower down in the lists.

Expletives

Surprisingly, millions of people around the world choose to use expletives as passwords to protect their accounts and confidential information.

Many of the expletives chosen center around the ‘f’ word and variations, including the word with added numbers and other characters, such as ‘f**k1’. Many, however, are related to sexual expletives which we won’t go into detail here.

Some are less offensive, with ‘biteme’ being a common choice of password, as well as ‘iwantu’.

Interestingly, the number of expletives as passwords has gradually increased in the last decade, perhaps because swearing is generally on the rise around the world, too. The number of expletives used in American literature has soared in the last 60 years. In comparison to the 1950s, books published in the modern day are 28 times more likely to include swear words.

According to a BBFC survey, a third of people say they use offensive language more frequently than they did five years ago. Those who fall into the Generation Z category (born after 1996) are the most frequent culprits, with 46% saying they use strong language.

With expletives finding their way into our daily conversations more often, it comes as no surprise, then, that they’re some of our top choices for passwords.

Miscellaneous Categories

A number of passwords can be miscellaneously grouped into common trends over the years. In particular, colors, food, and locations are common choices for passwords.

In the food category, we’ve seen words such as ‘chocolate’, ‘cheese’, ‘butter’, and ‘cookies’ pop up very frequently. Considering the dramatic increase in health and lifestyle resources in recent years (from apps to social media influencers), it’s perhaps reassuring to see that people struggle to choose healthy foods even when setting passwords.

Some of the most common color-related passwords include ‘purple’, ‘blue’, and ‘orange’. Location-wise, it seems US cities and states are most frequently used, with ‘Dallas’, ‘Phoenix’, and ‘Dakota’ all making the top lists – though this may also indicate how often US accounts are targeted by hackers.

Another common theme over the last decade is words relating to love, and in particular ‘iloveyou’. More recently, people have used foreign variations on this three-word phrase, including the Vietnamese translation ‘anh yeu em’ (without spaces, of course).

The Future of Passwords (And Which Ones Not to Use)

Based on the trends we’ve seen over the previous decade, we have a good idea of what passwords people will be using in future and, certainly, which themes will be influencing our security decisions.

The Non-Movers

The usual culprits have made the top 10-20 most popular password lists for 10 years (and more), so there’s no doubt we’ll still be seeing them for years to come.

Numerical sequences, keyboard patterns, and variations of ‘password’ will be around for a long while yet, even with us knowing how hackable these passwords are.

So, if any of your passwords still involve ‘123456’, ‘qwerty’, or ‘passw0rd’, change them immediately.

Rising Names

The world’s most popular names are directly linked to the most-used passwords. In fact, names make up a large majority of the world’s most popular passwords, so we can say with certainty that they’re going nowhere.

New, upcoming baby names are also something to watch out for, as well as the usual contenders. Some of the most common baby names for the next year include Zion, Maeve, Kai, Luca, Mia, and Nova. There’s no doubt cybercriminals will be trying these names to access your accounts, so keep them locked out with a better password.

Pet names are likely to have an influence, too. Steer away from this year’s top dog names, including Bella, Luna, Lola, Max, Alfie, and – you guessed it – Charlie.

Applications & Websites

Based on recent trends, we may possibly see more passwords relating to apps rising in popularity, including Discord, Twitch, Headspace, and Duolingo.

Streaming sites may also find their way into our password choices, especially new contenders with a rapidly growing customer base. ‘Paramount+’ (launched in 2021) and ‘Disney+’ (from 2019) are both names you should avoid in your passwords.

In all honesty, though, even the less popular apps and websites aren’t safe. Cybercriminals can easily use bot attacks to try heaps of different apps and websites names and get access to your accounts.

Movies & TV Shows

Trends over the last decade show that we’re consistently choosing names of popular movies and TV shows, especially ones that are current, eagerly anticipated, or have been released that year.

2022 is set to be a huge year for the film industry, seeing the release of some of the biggest films to date. For that reason, avoid choosing words such as ‘Avatar’, ‘Mission Impossible’, ‘Spiderman’, ‘Jurassic’, and ‘Thor’.

Another trend we’ve noticed is that family-friendly films are a consistent thread. Perhaps parents are trying to set up accounts for their children or install parental controls, and choosing family films or TV shows as easy-to-remember passwords. But if we’ve learned anything so far, it’s that simple password solutions are often the worst.

Key Events

As well as a big year of movies, 2022 will be home to large sporting events. Sports in particular have been a driving force for passwords, from team names and sport types, to key events. So, we know this is something to watch out for.

Some of the biggest events happening next year include the Beijing 2022 Winter Olympics (February), Super Bowl (February), Commonwealth Games (July), MLB All-Star Game (July), and the FIFA World Cup (November). Any password relating to these major events, even if you think it’s unique, should be avoided at all costs.

Presidential elections are also likely to have an influence on password choices, as the ever-changing political climate takes hold.

In particular, Brazil is holding elections during 2022, so as tempting as ‘Bolsonaro’ may be as a new password for your accounts, don’t do it. The US is also holding mid-term elections, which will be a hot topic of debate and most probably a key driver for politically driven password inspiration in 2022.

Top Tips For Unhackable Passwords

Creating a password that’s strong enough to protect your accounts and easy enough for you to remember can feel like a tricky task. But strong passwords really are important for keeping your private information secure and fighting off hackers.

Here are some top tips for creating unhackable passwords.

    • Keep passwords long: All passwords should be at least 12 characters long – the longer the password, the tougher it is to crack.
    • Choose unique words: Avoid picking words that are easy to guess (such as those that fall into all of the categories we’ve identified). And don’t choose words or numbers easily linked to you, such as your date of birth, address, or nickname.
    • Use a mixture of characters, letters, and symbols: Passwords that use a mixture of characters, letters, and symbols are harder to guess. You should also use a combination of upper and lowercase letters. Don’t just add ‘123’ to the end of a word, as that’s just as easy to guess as the word itself.
    • Create new passwords for different accounts: Don’t use the same password across each account. If a hacker manages to guess the password, they get access to everything, rather than just the one account. To make passwords easier to remember, you could choose a similar word but add something unique to it, such as new numbers or symbols.
    • Switch it up: Make sure you regularly change your passwords to minimize the risk of your accounts being compromised. Aim for at least every 3 months, and don’t recycle old passwords.
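The five tips above, as an added example that is not code from the CyberGhost article: a checker that applies the length and character-mix rules and then tests whether the password is built on a guessable word, after undoing the letter-for-number swaps and trailing ‘123’-style suffixes the article says add nothing. The blocklist and the swap table are constructed samples drawn from the article’s categories, not a real breach corpus.

```python
"""Added example for the five tips above; it is not code from the CyberGhost
article. The blocklist and the leetspeak table are constructed samples drawn
from the categories the article lists, not a real breach corpus."""
import re
import string

MIN_LENGTH = 12  # tip 1: at least 12 characters

# Constructed blocklist: names, pets, sports and teams, cars, apps, characters,
# events, nature, and the "non-movers" the article calls out.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "charlie", "bailey", "buster", "ashley", "jessica", "maverick",
    "dragon", "monkey", "tiger", "rabbit",
    "football", "soccer", "liverpool", "lakers", "yankees",
    "mustang", "corvette", "harley", "google", "adobe", "photoshop",
    "superman", "batman", "princess", "donald", "freedom",
    "summer", "sunshine", "iloveyou", "chocolate", "purple", "dallas",
}

# Letter-for-symbol swaps, so 'passw0rd' and 'ch@rlie' map back to the word
# they are built on (the article: such variations are "just as easy to guess").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_bases(pw: str) -> set:
    """Forms of the password a guessing tool's wordlist rules would try: lowercased,
    with a trailing run of digits/symbols such as '123' or '!' removed, and un-leeted."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}


def blocklisted_base(pw: str):
    """Return the blocklist word the password is built on, or None."""
    candidates = candidate_bases(pw)
    hits = candidates & BLOCKLIST
    if hits:
        return min(hits)
    # A blocklisted word embedded in a longer password, e.g. 'Fluffy_Dragon!2022'.
    for word in sorted(BLOCKLIST, key=len, reverse=True):
        if len(word) >= 5 and any(word in c for c in candidates):
            return word
    return None


def check_password(pw: str) -> list:
    """List the tips the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("needs a mix of upper/lowercase letters, digits and symbols")
    base = blocklisted_base(pw)
    if base:
        problems.append(f"built on the guessable word '{base}'")
    return problems


if __name__ == "__main__":
    for sample in ["passw0rd", "Charlie123!", "Fluffy_Dragon!2022", "Tq7$vB2!mZp9Lw"]:
        print(sample, "->", check_password(sample) or "OK")
```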

Human-generated passwords tend to have commonalities, so it’s always safer to opt for a password generator. This generates passwords for you based on a random sequence of letters, numbers, and symbols, which are (nearly) impossible to crack and completely unique.

Without a password manager, these random passwords can be difficult to remember though. Ideally, you should opt for a password manager that can be downloaded as an app or in your browser, such as the CyberGhost Password Manager. This automatically stores passwords for you in an encrypted vault and enters them as needed to log in to your accounts, even across different devices.

Another thing to consider is using a VPN to add another layer of protection while you’re browsing the web.

Even if a hacker can’t guess your password, they may be able to intercept your web traffic and get access to your device. This is especially risky on public Wi-Fi networks, which can be unsecured and rife with hackers looking for opportunities to harvest your credentials.

With access to your device, hackers can easily find your stored passwords, steal your information, and subject you to several cybersecurity threats. However, a VPN encrypts all of your web traffic, adding a layer of security to help prevent cybercriminals from finding you online or hacking your device.

You can add yet more security by using multi-factor authentication. This means that any cybercriminal trying to access your account will also have to enter a second piece of information alongside your password, such as a one-time code sent to your cell phone or an answer to a secret question.

Beyond password managers and two-factor authentication, you should still be taking steps to secure your passwords.

The Bottom Line: Strengthen Your Passwords to Strengthen Your Privacy

Stronger passwords might mean it takes you a few seconds longer to log in to your account, but it’s worth it to protect your information and to keep cybercriminals away.

You might just save yourself from a risky data breach exposing your confidential information. After all, identity theft and fraud are very much real. Data breaches are increasing around the world and hackers are finding new, clever ways to harvest our credentials. We really can’t afford to be lazy with our passwords.

So, even if your dog, Charlie, is your one and only, the reality is his name is being used as a password for millions of other accounts. Maybe it’s time to let Charlie rest and dig out the password manager instead.

Source: The Worst Passwords in the Last Decade (And New Ones You Shouldn’t Use) – CyberGhost Privacy Hub

Raspberry Pi Can Detect Malware By Scanning for EM Waves

A team of researchers at France’s Research Institute of Computer Science and Random Systems created an anti-malware system centered around a Raspberry Pi that scans devices for electromagnetic waves. As reported by Tom’s Hardware, the security device uses an oscilloscope (Picoscope 6407) and H-Field probe connected to a Raspberry Pi 2B to pick up abnormalities in specific electromagnetic waves emitted by computers that are under attack, a technique the researchers say is used to “obtain precise knowledge about malware type and identity.”

The detection system then relies on Convolutional Neural Networks (CNN) to determine whether the data gathered indicates the presence of a threat. Using this technique, researchers claim they could record 100,000 measurement traces from IoT devices infected by genuine malware samples, and predicted three generic and one benign malware class with an accuracy as high as 99.82%.

Best of all, no software is needed and the device you’re scanning doesn’t need to be manipulated in any way. As such, bad actors won’t be successful with their attempts to conceal malicious code from malware detection software using obfuscation techniques.

“Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors,” researchers wrote in the paper.

Keep in mind that this system was made for research purposes, not to be released as a commercial product, though it may inspire security teams to look into novel ways of using EM waves to detect malware. The research is currently in its early stages and the neural network will need to be further trained before it could have any practical uses.

[…]

Source: Raspberry Pi Can Detect Malware By Scanning for EM Waves

The oscilloscope used costs loads of money and needs to be mounted at 45° to the processor. Lots of work needed to turn this into a viable system.

Dutch Athletes Warned To Keep Phones and Laptops Out of China

Dutch athletes competing in next month’s Beijing Winter Olympics will need to leave their phones and laptops at home in an unprecedented move to avoid Chinese espionage, Dutch newspaper De Volkskrant reported on Tuesday. The urgent advice to athletes and supporting staff to not bring any personal devices to China was part of a set of measures proposed by the Dutch Olympic Committee (NOCNSF) to deal with any possible interference by Chinese state agents, the paper said citing sources close to the matter. NOCNSF spokesman Geert Slot said cybersecurity was part of the risk assessment made for the trip to China, but declined to comment on any specific measure. “The importance of cybersecurity of course has grown over the years”, Slot said. “But China has completely closed off its internet, which makes it a specific case.”

Source: Dutch Athletes Warned To Keep Phones and Laptops Out of China – Slashdot

DOJ Say Evidence Against Oath Keepers Came From Signal Chats

While many of the groups that took part in last year’s siege on the U.S. Capitol turned to Facebook and Telegram groups to plan their part in the attack, the Oath Keepers—a far-right org that’s best described as somewhere between a militia and a rag-tag group of wannabe vigilantes—are alleged to be bigger fans of the encrypted chat app Signal, instead.

In court filings that were made public this week following the arrest of 10 Oath Keeper members and the group’s leader Stewart Rhodes for their alleged role in the Capitol riots, authorities claim that they were able to access multiple invite-only chatrooms where group members coordinated their role in the riots. Authorities describe detailed meetings discussing everything from combat and firearms training to the uniforms Oath Keeper members were going to wear the day of. What’s less clear is how these encrypted chats were divulged in the first place.

[…]

While it’s clear that these docs lay out some pretty horrific chats happening over Signal, it’s less clear how authorities were able to access these chats in the first place. Law enforcement has clashed with this particular app for years while trying to glean information on suspects that use it, and Signal often publicly brushed those attempts off.

In 2018, Signal’s developers told Australian authorities that it wouldn’t be able to comply with the country’s new Assistance and Access Law even if it wanted to because each message’s encrypted contents are protected by keys that were “entirely inaccessible” to the people running the app. More recently, authorities in California tried multiple times to get the company to budge on the issue and comply with the state’s subpoena requests, only to be met with the same responses each time.

“Just like last time, we couldn’t provide any of that,” Signal’s team wrote in a blog post at the time. “It’s impossible to turn over data that we never had access to in the first place.” Heck, even recent FBI training docs that were obtained via Freedom of Information Act requests reveal that the agency can’t access people’s chats on the app!

[…]

It’s possible that one of the Oath Keeper members that was privy to these chatrooms cooperated with authorities and handed the details over.

[…]

Another theory is that authorities gained access to these chats by gaining access to one of the defendants’ locked devices

[…]

Source: DOJ Say Evidence Against Oath Keepers Came From Signal Chats

Or  they infiltrated the group and were invited into the chatroom…

White House invites tech firms to discuss open-source software security in January

White House National Security Advisor Jake Sullivan has invited major tech firms to discuss ways that the cybersecurity of open-source software can be improved, Bloomberg reported on Thursday.

According to Bloomberg, the tech firms include “major software companies and developers.” Cloud providers are also reportedly among the invited companies.

Anne Neuberger, deputy national security advisor for cyber and emerging technology, will reportedly host a one-day discussion in January with representatives of the invited tech companies. The discussion will involve “company officials responsible for open-source projects and security,” according to Reuters.

The White House’s invitation to tech companies comes a few weeks after the discovery of a critical vulnerability in Log4j, a widely used open-source tool. In a letter to the invited tech firms, Sullivan reportedly stated that the popularity of open-source software projects and the fact that they’re maintained by volunteers is a “combination that is a key national security concern, as we are experiencing with the Log4j vulnerability.”

[…]

Source: White House invites tech firms to discuss open-source software security in January – SiliconANGLE

A real problem is that due to rabid insistence by hard core FOSS advocates who are usually tenured at a university and thus have a good salary, open source maintainers are not really allowed to make any money, whilst uptake and complexity of their software has grown massively, making it an uphill slog maintaining the software for no remuneration whatsoever.

Bad things come in threes: Apache reveals another Log4J bug

The Apache Software Foundation (ASF) has revealed a third bug in its Java-based open-source logging library Log4j.

CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.

That’s the third new version of the tool in the last ten days.

In case you haven’t been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remote code execution flaw present in many versions up to 2.14.0.

But version 2.15.0 didn’t address another issue – CVE-2021-45046 – which allowed a remote attacker with control over Thread Context Map (MDC) to cook up malicious input using a JNDI Lookup pattern. The result could be remote code execution, thankfully not in all environments.

Version 2.16.0 fixed that problem.

But it didn’t fix CVE-2021-45105, which the ASF describes as follows:

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.

Vendor-agnostic bug bounty program the Zero Day Initiative has described the flaw as follows.

When a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() class. However, when the nested variable references the variable being replaced, the recursion is called with the same string. This leads to an infinite recursion and a DoS condition on the server.
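The failure mode in the ASF and ZDI descriptions above, as an added example written for this page (it is not Log4j’s StrSubstitutor or any code from the write-ups): a toy substitutor for the ${ctx:name} pattern that recurses on a self-referential Thread Context Map value, beside a bounded version that tracks the keys on the current expansion path and caps nesting depth. The sample patterns, context maps and the depth cap are constructed.

```python
"""Added example for the CVE-2021-45105 description above; this is a toy
written for this page, not Log4j's StrSubstitutor or the ZDI write-up's code.
The ${ctx:name} pattern, the sample context maps and the depth cap are mine."""
import re

LOOKUP = re.compile(r"\$\{ctx:([^}]+)\}")  # matches a ${ctx:name} lookup


def substitute_unbounded(pattern: str, ctx: dict) -> str:
    """Naive expansion: every lookup's value is itself expanded, with no check for
    the value referring back to the key being replaced. A context value of
    '${ctx:loginId}' stored under the key loginId therefore recurses until Python
    raises RecursionError (the StackOverflowError case in the description)."""
    def expand(text: str) -> str:
        return LOOKUP.sub(lambda m: expand(ctx.get(m.group(1), "")), text)
    return expand(pattern)


def substitute_bounded(pattern: str, ctx: dict, max_depth: int = 5) -> str:
    """Hardened expansion: keys on the current expansion path are tracked, so a
    lookup that refers back to itself (directly or via another key) is left as
    literal text, and nesting deeper than max_depth is also left unexpanded.
    The log line is still produced; the process does not die."""
    def expand(text: str, path: frozenset, depth: int) -> str:
        if depth > max_depth:
            return text  # fail closed: emit the raw text rather than recurse further

        def repl(m) -> str:
            key = m.group(1)
            if key in path:
                return m.group(0)  # cycle: leave '${ctx:key}' unexpanded
            return expand(ctx.get(key, ""), path | {key}, depth + 1)
        return LOOKUP.sub(repl, text)
    return expand(pattern, frozenset(), 0)


def unbounded_terminates(pattern: str, ctx: dict) -> bool:
    """True if the naive substitutor finishes, False if it exhausts the stack."""
    try:
        substitute_unbounded(pattern, ctx)
        return True
    except RecursionError:
        return False


# Constructed sample data: a layout pattern using a Context Lookup, a benign
# Thread Context Map, and one whose value for loginId references itself.
PATTERN = "%d user=${ctx:loginId} msg=%m"
CTX_BENIGN = {"loginId": "alice", "tenant": "acme"}
CTX_SELF_REF = {"loginId": "${ctx:loginId}"}

if __name__ == "__main__":
    print(substitute_bounded(PATTERN, CTX_BENIGN))
    print(substitute_bounded(PATTERN, CTX_SELF_REF))
    print("naive substitutor survives self-reference:",
          unbounded_terminates(PATTERN, CTX_SELF_REF))
```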

[…]

Source: Bad things come in threes: Apache reveals another Log4J bug • The Register

Banks, ISPs Increasingly Embrace ‘Voice Print’ Authentication Despite Growing Security Risk

While it’s certainly possible to sometimes do biometrics well, a long line of companies frequently… don’t. Voice print authentication is particularly shaky, especially given the rise of inexpensive voice deepfake technology. But, much like the continued use of text-message two-factor authentication (which is increasingly shown to not be secure), it apparently doesn’t matter to a long list of companies.

Banks and telecom giants alike have started embracing voice authentication tech at significant scale despite the added threat to user privacy and security. And they’re increasingly collecting user “voice print” data without any way to opt out:

“despite multiple high-profile cases of scammers successfully stealing money by impersonating people via deepfake audio, big banks and ISPs are rolling out voice-based authentication at scale. The worst offender that I could find is Chase. There is no “opt in”. There doesn’t even appear to be a formal way to “opt out”! There is literally no way for me to call my bank without my voice being “fingerprinted” without my consent.”

[…]

Source: Banks, ISPs Increasingly Embrace ‘Voice Print’ Authentication Despite Growing Security Risk | Techdirt

Gumtree users’ locations were visible by pressing F12, wouldn’t pay bug bounty to finder

UK online used goods bazaar Gumtree exposed its users’ home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.

British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user’s name and location (either postcode or GPS coordinates) by pressing F12 in their web browser.

In both Firefox and Chrome, F12 opens the “view page source” developer tools screen, showing the code that generates the webpage you see. This meant that anyone could view the precise location of any of the site’s 1.7 million monthly sellers.

PTP claimed it encountered a brick wall of indifference in its first attempts to alert Gumtree to the data breach.

The bug bounty policy specified €500-€5,000, PTP added, and “after the issue was fixed, [it was] informed that no reward was payable because – ‘This is a Responsible Disclosure report, meaning that receiving a reward is a bonus in itself.'”

In a blog post about the kerfuffle, a PTP researcher said: “After I queried which of their rules I’d broken on responsible disclosure, they changed their mind and paid the minimum.”

[…]

Source: Gumtree users’ locations were visible by pressing F12 • The Register

LINE Pay leaks around 133,000 users’ data to GitHub

Smartphone payment provider LINE Pay announced yesterday that around 133,000 users’ payment details were mistakenly published on GitHub between September and November of this year.

Files detailing participants in a LINE Pay promotional program staged between late December 2020 and April 2021 were accidentally uploaded to the collaborative coding crèche by a research group employee.

Among the leaked details were the date, time, and amount of transactions, plus user and franchise store identification numbers. Although names, addresses, telephone, credit card and bank account numbers were not shared, the names of the users and other details could be traced with a little effort.

The information – which covered over 51,000 Japanese users and almost 82,000 Taiwanese and Thai users – was accessed 11 times during the ten weeks it was available online.

[…]

Source: LINE Pay leaks around 133,000 users’ data to GitHub • The Register

150 HP multi-function printer types vulnerable to exploit

Tricking users into visiting a malicious webpage could allow malicious people to compromise 150 models of HP multi-function printers, according to F-Secure researchers.

The Finland-headquartered infosec firm said it had found “exploitable” flaws in the HP printers that allowed attackers to “seize control of vulnerable devices, steal information, and further infiltrate networks in pursuit of other objectives such as stealing or changing other data” – and, inevitably, “spreading ransomware.”

“In all likelihood, a lot of companies are using these vulnerable devices,” said F-Secure researchers Alexander Bolshev and Timo Hirvonen.

“To make matters worse, many organizations don’t treat printers like other types of endpoints. That means IT and security teams forget about these devices’ basic security hygiene, such as installing updates.”

Tricking a user into visiting a malicious website could, so F-Secure said, result in what the infosec biz described as a “cross-site printing attack.”

The heart of the attack is in the document printed from the malicious site: it contained a “maliciously crafted font” that gave the attacker code execution privileges on the multi-function printer.

[…]

The vulns were publicly disclosed a month ago. The font vulnerability is tracked as CVE-2021-39238 and is listed as affecting HP Enterprise LaserJet, LaserJet Managed, Enterprise PageWide, and PageWide Managed product lines. It is rated as 9.3 out of 10 on the CVSS 3.0 severity scale.

[…]

F-Secure advised putting MFPs inside a separate, firewalled VLAN as well as adding physical security controls including anti-tamper stickers and CCTV.

Updated firmware is available for download from HP, the company said in a statement.

[…]

Source: 150 HP multi-function printer types vulnerable to exploit • The Register

The UK Just Banned Default Passwords and We Should Too

UK lawmakers are sick and tired of shitty internet of things passwords and are whipping out legislation with steep penalties and bans to prove it. The new legislation, introduced to the UK Parliament this week, would ban universal default passwords and work to create what supporters are calling a “firewall around everyday tech.”

Specifically, the bill, called The Product Security and Telecommunications Infrastructure Bill (PSTI), would require unique passwords for internet-connected devices and would prevent those passwords from being reset to universal factory defaults. The bill would also force companies to increase transparency around when their products require security updates and patches, a practice only 20% of firms currently engage in, according to a statement accompanying the bill.

These bolstered security proposals would be overseen by a regulator with sharpened teeth: companies refusing to comply with the security standards could reportedly face fines of £10 million or four percent of their global revenues.

[…]

Source: The UK Just Banned Default Passwords and We Should Too

Also interesting: The Worst Passwords in the Last Decade (And New Ones You Shouldn’t Use)

Linux has a serious security problem that once again enables DNS cache poisoning using ICMP / ping information

As much as 38 percent of the Internet’s domain name lookup servers are vulnerable to a new attack that allows hackers to send victims to maliciously spoofed addresses masquerading as legitimate domains, like bankofamerica.com or gmail.com.

The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008. He showed that, by masquerading as an authoritative DNS server and using it to flood a DNS resolver with fake lookup results for a trusted domain, an attacker could poison the resolver cache with the spoofed IP address. From then on, anyone relying on the same resolver would be diverted to the same imposter site.

A lack of entropy

The sleight of hand worked because DNS at the time relied on a transaction ID to prove the IP number returned came from an authoritative server rather than an imposter server attempting to send people to a malicious site. The transaction number had only 16 bits, which meant that there were only 65,536 possible transaction IDs.

Kaminsky realized that hackers could exploit the lack of entropy by bombarding a DNS resolver with off-path responses that included each possible ID. Once the resolver received a response with the correct ID, the server would accept the malicious IP and store the result in cache so that everyone else using the same resolver—which typically belongs to a corporation, organization, or ISP—would also be sent to the same malicious server.

The threat raised the specter of hackers being able to redirect thousands or millions of people to phishing or malware sites posing as perfect replicas of the trusted domain they were trying to visit. The threat resulted in industry-wide changes to the domain name system, which acts as a phone book that maps domain names to IP addresses.

Under the hardened DNS practice that followed, resolvers no longer sent every lookup from one fixed source port (the destination stays UDP port 53 on the server being queried). Instead, each query went out from a source port randomly chosen from the available range of UDP ports. Combining the 16 bits of randomness in the transaction ID with roughly 16 more bits of entropy from source port randomization gave about 4.3 billion (2^32) possible combinations, making blind guessing infeasible.

Unexpected Linux behavior

Now, a research team at the University of California at Riverside has revived the threat. Last year, members of the same team found a side channel in the hardened DNS that let an off-path attacker infer the randomized source port of a pending query; once the port is known, only the 16-bit transaction ID remains to be guessed, and spoofed responses become practical again.

The research and the SADDNS exploit it demonstrated resulted in industry-wide updates that effectively closed the side channel. Now comes the discovery of new side channels that once again make cache poisoning viable.

“In this paper, we conduct an analysis of the previously overlooked attack surface, and are able to uncover even stronger side channels that have existed for over a decade in Linux kernels,” researchers Keyu Man, Xin’an Zhou, and Zhiyun Qian wrote in a research paper being presented at the ACM CCS 2021 conference. “The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound and dnsmasq. We also find about 38% of open resolvers (by frontend IPs) and 14% (by backend IPs) are vulnerable including the popular DNS services such as OpenDNS and Quad9.”

OpenDNS owner Cisco said: “Cisco Umbrella/Open DNS is not vulnerable to the DNS Cache Poisoning Attack described in CVE-2021-20322, and no Cisco customer action is required. We remediated this issue, tracked via Cisco Bug ID CSCvz51632, as soon as possible after receiving the security researcher’s report.” Quad9 representatives weren’t immediately available for comment.

The side channel for the attacks from both last year and this year involves the Internet Control Message Protocol, or ICMP, which is used to send error and status messages between hosts.

“We find that the handling of ICMP messages (a network diagnostic protocol) in Linux uses shared resources in a predictable manner such that it can be leveraged as a side channel,” researcher Qian wrote in an email. “This allows the attacker to infer the ephemeral port number of a DNS query, and ultimately lead to DNS cache poisoning attacks. It is a serious flaw as Linux is most widely used to host DNS resolvers.” He continued:

The ephemeral port is supposed to be randomly generated for every DNS query and unknown to an off-path attacker. However, once the port number is leaked through a side channel, an attacker can then spoof legitimate-looking DNS responses with the correct port number that contain malicious records and have them accepted (e.g., the malicious record can say chase.com maps to an IP address owned by an attacker).

The reason that the port number can be leaked is that the off-path attacker can actively probe different ports to see which one is the correct one, i.e., through ICMP messages that are essentially network diagnostic messages which have unexpected effects in Linux (which is the key discovery of our work this year). Our observation is that ICMP messages can embed UDP packets, indicating a prior UDP packet had an error (e.g., destination unreachable).

We can actually guess the ephemeral port in the embedded UDP packet and package it in an ICMP probe to a DNS resolver. If the guessed port is correct, it causes some global resource in the Linux kernel to change, which can be indirectly observed. This is how the attacker can infer which ephemeral port is used.

Changing internal state with ICMP probes

The side channel last time around was the rate limit for ICMP. To conserve bandwidth and computing resources, servers respond to only a set number of requests in a given window and then fall silent. The SADDNS exploit used that rate limit as a side channel. But whereas last year's port inference method sent UDP packets to candidate ports and watched which of them did or did not trigger ICMP responses, the attack this time uses ICMP probes directly.

“According to the RFC (standards), ICMP packets are only supposed to be generated *in response* to something,” Qian added. “They themselves should never *solicit* any responses, which means they are ill-suited for port scans (because you don’t get any feedback). However, we find that ICMP probes can actually change some internal state that can actually be observed through a side channel, which is why the whole attack is novel.”
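The probe Qian describes, as an added example rather than code from the Ars article or from the UC Riverside researchers: it builds an ICMP "fragmentation needed" message whose embedded IPv4/UDP header carries a guessed source port, then performs the receiving side's step of matching that embedded header against the resolver's open query socket. Only the guess equal to the real ephemeral port matches, which is what lets a sweep of probes turn a hidden port into a change in kernel state. The addresses and ports are constructed sample values, and socket_matches() is a simplified model of the kernel's lookup, not kernel code.

```python
"""ICMP 'fragmentation needed' probes with an embedded UDP header.

Added example; not code from the article or the paper. Addresses and ports
are constructed sample values. socket_matches() is a simplified model of the
kernel's error-handler lookup, not kernel code.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set
IPPROTO_UDP = 17
DNS_PORT = 53


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed_probe(resolver_ip: str, guessed_port: int,
                            auth_ip: str, mtu: int = 1280) -> bytes:
    """ICMP type 3 / code 4 claiming that a query from resolver_ip:guessed_port
    to auth_ip:53 hit a link with a smaller MTU. The attacker never saw such a
    query; the port is a guess. Only the first 8 bytes of the original
    transport header must be echoed, and 8 bytes is exactly a UDP header."""
    inner_udp = struct.pack("!HHHH", guessed_port, DNS_PORT, 40, 0)  # claimed length, no checksum
    inner_ip = ipv4_header(resolver_ip, auth_ip, IPPROTO_UDP, len(inner_udp))
    body = struct.pack("!HH", 0, mtu) + inner_ip + inner_udp  # unused field + next-hop MTU
    icmp = struct.pack("!BBH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0) + body
    return icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]


def parse_icmp_probe(pkt: bytes):
    """Return (src, sport, dst, dport, mtu) from the embedded packet, or None
    if the message is truncated, corrupt, or not a frag-needed error."""
    if len(pkt) < 8 + 20 + 8 or inet_checksum(pkt) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or inner[9] != IPPROTO_UDP or len(inner) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return src, sport, dst, dport, mtu


def socket_matches(pkt: bytes, local_ip: str, local_port: int,
                   remote_ip: str, remote_port: int) -> bool:
    """Simplified model of the lookup the kernel does for an incoming ICMP
    error: the embedded header must name this socket's local address and port
    and, for a socket connected to the authoritative server, its remote end."""
    parsed = parse_icmp_probe(pkt)
    if parsed is None:
        return False
    src, sport, dst, dport, _mtu = parsed
    return (src, sport, dst, dport) == (local_ip, local_port, remote_ip, remote_port)


def sweep(resolver_ip: str, auth_ip: str, real_port: int, guesses) -> list:
    """Which guessed ports would be accepted as belonging to the real query
    socket? The accepted probe is the one that alters kernel state."""
    return [g for g in guesses
            if socket_matches(build_frag_needed_probe(resolver_ip, g, auth_ip),
                              resolver_ip, real_port, auth_ip, DNS_PORT)]


if __name__ == "__main__":
    # Constructed scenario: resolver 192.0.2.53 queried 198.51.100.7 from port 41234.
    print("accepted guesses:", sweep("192.0.2.53", "198.51.100.7", 41234, range(41230, 41240)))  # [41234]
```

Nothing here is sent on the wire; the point is the shape of the message and why a guessed port in the echoed UDP header is enough for the kernel to treat the probe as belonging to a live query.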

The researchers have proposed several defenses to prevent their attack. One is setting the right socket options, such as IP_PMTUDISC_OMIT, which tells the Linux kernel to ignore the ICMP "fragmentation needed" messages used for path MTU discovery on that socket, closing the side channel. The downside is that such messages are sometimes legitimate, and a socket that ignores them can no longer learn a smaller path MTU from them.

Another proposed defense is randomizing the caching structure to make the side channel unusable. A third is to reject ICMP redirects.
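How a resolver would apply the first and third of those defenses to its own query socket, as an added example (not code from the article, the paper, or any DNS server). The socket option values are those from Linux's <linux/in.h>, spelled out because the Python socket module does not export all of them; the sysctl path for ICMP redirects is the standard Linux one. Linux only.

```python
"""Apply IP_PMTUDISC_OMIT to a resolver's outbound UDP query socket and check
whether ICMP redirects are still accepted.

Added example, not code from the article, the paper or any resolver. Constant
values are from Linux <linux/in.h>; the module does not export all of them.
"""
import socket

IP_MTU_DISCOVER = getattr(socket, "IP_MTU_DISCOVER", 10)  # option number from <linux/in.h>
IP_PMTUDISC_DONT = 0        # never set DF; routers may fragment
IP_PMTUDISC_WANT = 1        # use per-route PMTU hints (the usual Linux default)
IP_PMTUDISC_DO = 2          # always set DF and honour learned PMTU
IP_PMTUDISC_INTERFACE = 4   # use interface MTU, no DF, ignore incoming frag-needed
IP_PMTUDISC_OMIT = 5        # like INTERFACE but lets oversized packets fragment

PMTU_MODE_NAMES = {0: "DONT", 1: "WANT", 2: "DO", 3: "PROBE", 4: "INTERFACE", 5: "OMIT"}


def pmtu_mode(sock: socket.socket) -> int:
    """Read back the socket's current IP_MTU_DISCOVER setting."""
    return sock.getsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER)


def harden_query_socket(sock: socket.socket) -> int:
    """Stop incoming ICMP 'fragmentation needed' messages from updating this
    socket's PMTU state, the shared resource the side channel observes.
    Returns the mode read back so callers can confirm it took effect."""
    sock.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_OMIT)
    return pmtu_mode(sock)


def new_query_socket() -> socket.socket:
    """A UDP socket as a resolver would create it for upstream queries, with
    the mitigation applied before it is bound or used."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    harden_query_socket(sock)
    return sock


def accept_redirects_enabled():
    """Third proposed defence: reject ICMP redirects. Reading the sysctl needs
    no privileges; returns None where /proc/sys is not available."""
    try:
        with open("/proc/sys/net/ipv4/conf/all/accept_redirects") as f:
            return f.read().strip() != "0"
    except OSError:
        return None


if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    print("default PMTU mode:", PMTU_MODE_NAMES.get(pmtu_mode(s)))
    print("after hardening:  ", PMTU_MODE_NAMES.get(harden_query_socket(s)))
    s.close()
    print("ICMP redirects accepted:", accept_redirects_enabled())
```

The option is per socket, so it has to be set by the resolver on every socket it sends queries from; the sysctl, by contrast, is host-wide and needs root to change (net.ipv4.conf.all.accept_redirects=0).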

The vulnerability affects DNS software, including BIND, Unbound, and dnsmasq, when it runs on Linux. The researchers tested whether DNS software was vulnerable when running on Windows or FreeBSD and found no evidence that it was. Since macOS uses the FreeBSD network stack, they assume it isn't vulnerable either.

Source: Linux has a serious security problem that once again enables DNS cache poisoning | Ars Technica

Thousands of Firefox users accidentally commit login cookies on GitHub

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions.

These cookies.sqlite databases normally reside in the Firefox profiles folder. They’re used to store cookies between browsing sessions. And they’re findable by searching GitHub with specific query parameters, what’s known as a search “dork.”
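What a committed cookies.sqlite actually hands over, as an added example that is not code from The Register piece or from Mozilla: it recreates the relevant columns of Firefox's moz_cookies table in an in-memory SQLite database (column names and units follow Firefox's schema, with expiry in seconds and lastAccessed/creationTime in microseconds), fills it with constructed rows, and lists the cookies that could still be replayed. The same audit runs against a real file by passing its path to sqlite3.connect() instead.

```python
"""Audit a Firefox cookies.sqlite for cookies that are still replayable.

Added example, not code from the article or from Mozilla. The moz_cookies
schema subset matches Firefox's column names and units; rows are constructed
sample data. HttpOnly offers no protection here: the file is read directly,
not through a browser.
"""
import sqlite3

SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    originAttributes TEXT NOT NULL DEFAULT '',
    name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER,
    isSecure INTEGER, isHttpOnly INTEGER, sameSite INTEGER
);
"""
# Name fragments that usually mark an authentication or anti-CSRF cookie.
AUTH_HINTS = ("sess", "auth", "token", "sid", "login", "jwt")


def load_sample_db(now: int) -> sqlite3.Connection:
    """Constructed stand-in for a profile's cookies.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    day = 86400
    rows = [  # name, value, host, path, expiry (seconds), isSecure, isHttpOnly
        ("sessionid", "c0ffee00-1111", ".example.com", "/", now + 30 * day, 1, 1),
        ("csrftoken", "deadbeef-2222", ".example.com", "/", now + 365 * day, 1, 0),
        ("theme", "dark", ".example.com", "/", now + 365 * day, 0, 0),
        ("auth", "expired-3333", "accounts.example.net", "/", now - 3600, 1, 1),
    ]
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, lastAccessed,"
        " creationTime, isSecure, isHttpOnly, sameSite) VALUES (?,?,?,?,?,?,?,?,?,0)",
        [(n, v, h, p, e, now * 1_000_000, now * 1_000_000, s, ho)
         for n, v, h, p, e, s, ho in rows])
    conn.commit()
    return conn


def redact(value: str) -> str:
    """Never print the live value; keep a prefix so the owner can recognise it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "*" * len(value)


def live_cookies(conn: sqlite3.Connection, now: int) -> list:
    """Unexpired cookies in insertion order, flagged when the name suggests
    authentication state."""
    query = ("SELECT name, value, host, path, expiry, isSecure, isHttpOnly"
             " FROM moz_cookies WHERE expiry > ? ORDER BY id")
    out = []
    for name, value, host, path, expiry, secure, httponly in conn.execute(query, (now,)):
        out.append({
            "host": host, "name": name, "path": path,
            "value": redact(value),
            "days_left": (expiry - now) // 86400,
            "secure": bool(secure), "httponly": bool(httponly),
            "likely_auth": any(h in name.lower() for h in AUTH_HINTS),
        })
    return out


def summarize(conn: sqlite3.Connection, now: int) -> dict:
    live = live_cookies(conn, now)
    return {"live": len(live),
            "likely_auth": sum(c["likely_auth"] for c in live),
            "hosts": sorted({c["host"] for c in live})}


if __name__ == "__main__":
    import time
    now = int(time.time())
    conn = load_sample_db(now)
    for cookie in live_cookies(conn, now):
        print(cookie)
    print(summarize(conn, now))
```

Expired rows drop out, but everything else, including the Secure and HttpOnly cookies, is usable by anyone who clones the repository, which is why a leaked database is a session-hijacking problem and not just a privacy one.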

Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that “credentials exposed by our users are not in scope for our Bug Bounty program.”

Marlin then asked whether he could make his findings public and was told he’s free to do so.

“I’m frustrated that GitHub isn’t taking its users’ security and privacy seriously,” Marlin told The Register in an email. “The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they’d done, they’d s*** their pants.”

Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. “But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well,” he said, adding that he’s alerted the UK Information Commissioner’s Office because personal information is at stake.

[…]

Source: Thousands of Firefox users accidentally commit login cookies on GitHub • The Register

EU’s Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework

The EU is at it again. Recently Mozilla put out a position paper highlighting the latest dangerous move by busybody EU regulators who seem to think that they can magically regulate the internet without (1) understanding it, or (2) bothering to talk to people who do understand it. The issue is the Digital Identity Framework, which, in theory, is supposed to do some useful things regarding interoperability and digital identities. This could be really useful in enabling more end user control over identity and information (a key part of my whole Protocols, Not Platforms concept). But the devil is in the details, and the details are a mess.

It would force browsers to support a specific kind of authentication certificate — Qualified Web Authentication Certificates (QWACs) — but as Mozilla points out, that would be disastrous for security:

At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs, are based on a flawed certificate architecture that is ill-suited for the security risks users face online today. In the years since the original eIDAS regulation was adopted in 2014, an increasing body of research has illustrated how the certificate architecture upon which QWACs are inspired – namely, extended validation certificates – lull individuals into a false sense of security that is often exploited for malicious purposes such as phishing and domain impersonation. For that reason, since 2019 no major browser showcases EV certificates directly in the URL address bar.

As such, should the revised Article 45 be adopted as is, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use our Firefox browser or any of the other browser and email products that also depend on Mozilla’s Root Program. It would amount to an unprecedented weakening of the website security ecosystem, and undercut the browser community’s ability to push back against authoritarian regimes’ interference with fundamental rights (see here and here for two recent examples).

As Mozilla notes, the EU can still fix this. Whether or not it does is an open question.

Source: EU’s Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework | Techdirt

Why You Should Encrypt Your WhatsApp Backups in iCloud

It’s also one of the few apps that offer end-to-end encryption by default. This means that no one other than you and the other party can read your conversations. Even WhatsApp can’t read them, because it doesn’t hold the keys needed to decrypt your chats.

That was true in every scenario but one: WhatsApp chats backed up to iCloud were not end-to-end encrypted, so anyone who got hold of your iCloud backup could read your messages. WhatsApp now has an optional feature that extends end-to-end encryption to those backups, protected by a password or a 64-digit key.

How to enable end-to-end encryption for WhatsApp backups over iCloud

Before we begin, you should know that WhatsApp’s end-to-end encrypted backup depends on a password or a 64-digit key. If you lose the password, you won’t be able to restore your chats, so use a password that is strong but memorable. If you choose something complicated, save it in your password manager (iCloud Keychain or a third-party service such as Bitwarden).

To get started, first update your WhatsApp application to the latest version. WhatsApp is slowly rolling this feature out to its two billion users, so if you don’t see it yet, try again in a couple of days.

Open WhatsApp, and from the “Settings” tab, go to “Chats.” Here, select “Chat Backups” and tap the “End-to-End Encrypted Backup” button. Tap the “Turn on” button and from the next screen, choose the “Create Password” option.

Source: Why You Should Encrypt Your WhatsApp Backups in iCloud