Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Password Hacking. Show all posts

Why Passkeys Are the Future of Digital Authentication

 

Passwords have been a fundamental aspect of digital security for years, but they come with significant drawbacks. They are not only a hassle to remember but also vulnerable to various hacking techniques. Passkeys have emerged as a robust alternative, offering a more secure and user-friendly approach to account authentication. This new method utilizes your device, such as a smartphone or laptop, as an authenticator, employing either a PIN or biometric verification like fingerprint or facial recognition. 

The primary advantage of passkeys is that they eliminate the need for passwords entirely. This reduces the risk of phishing attacks, as there is no password for hackers to steal or guess. Additionally, passkeys are tied to the user’s device, making unauthorized access much more difficult. Without passwords to remember, users can enjoy a more streamlined and secure login experience. Major tech companies are already supporting the adoption of passkeys. For instance, setting up passkeys on a Google account involves visiting the Google Passkeys page and configuring the passkey with your device. Microsoft accounts can similarly be secured with Windows Hello or a PIN. Apple integrates passkeys with iCloud Keychain, making it easy for users to transition. These companies are not alone. Other platforms like Amazon, Adobe, Discord, eBay, GitHub, LinkedIn, Shopify, and WhatsApp have also embraced passkeys. 

This widespread support highlights the growing recognition of passkeys as the future of digital security. One concern with passkeys is the potential for losing access if the device is lost. Fortunately, most major tech companies allow passkeys to be synced across devices or securely stored in the cloud with end-to-end encryption. This means that users can restore their passkeys on a new device if their original one is lost. 

However, if a hardware security key is lost and not backed up, access to accounts could be permanently lost. Despite these concerns, device-based authentication is inherently secure. Modern devices are equipped with advanced security measures that make unauthorized access extremely difficult. Even if a device is stolen, the thief would need to bypass biometric or PIN verification to access sensitive information. Passkeys are stored in a Trusted Platform Module (TPM), ensuring that they are securely protected. In summary, passkeys represent a significant advancement in digital security. 

They offer a more secure, user-friendly alternative to traditional passwords, addressing many of the vulnerabilities associated with password-based authentication. As more services and devices adopt this technology, passkeys are poised to become the standard for secure online access. This shift not only enhances security but also simplifies the user experience, making it easier for individuals to protect their digital identities.

The Race Against Time: How Long Does It Take to Crack Your Password in 2024?

In the ever-evolving landscape of cybersecurity, the battle between hackers and defenders rages on. One of the fundamental elements of this battle is the strength of passwords. As technology advances, so too do the methods and tools available to hackers to crack passwords. 

In 2024, the time it takes to crack a password depends on various factors, including its length, complexity, and the resources available to the hacker. Gone are the days when a simple six-character password could provide adequate protection. With the increasing computational power of modern machines and the prevalence of sophisticated hacking techniques, such passwords can be cracked in mere seconds. In 2024, the gold standard for password security lies in lengthy, complex combinations of letters, numbers, and symbols. 

So, how long does it take for a hacker to crack a password in 2024? The answer is not straightforward. It depends on the strength of the password and the methods employed by the hacker. For instance, a short, simple password consisting of only lowercase letters can be cracked almost instantly using a brute-force attack, where the hacker systematically tries every possible combination until the correct one is found.  

However, longer and more complex passwords present a significantly greater challenge. In 2024, state-of-the-art hacking tools utilize advanced algorithms and techniques such as dictionary attacks, where common words and phrases are systematically tested, and rainbow tables, which are precomputed tables used to crack password hashes. These methods can significantly reduce the time it takes to crack a password, but they are still thwarted by sufficiently strong passwords. 

The concept of password entropy plays a crucial role in determining its strength against cracking attempts. Password entropy measures the randomness or unpredictability of a password. A password with high entropy is more resistant to cracking because it is less susceptible to brute-force and dictionary attacks. In 2024, experts recommend using passwords with high entropy, achieved through a combination of length, complexity, and randomness. 

To put things into perspective, let's consider an example. A randomly generated 12-character password consisting of uppercase and lowercase letters, numbers, and symbols has an extremely high entropy. Even with the most advanced cracking techniques available in 2024, it could take billions or even trillions of years to crack such a password using brute-force methods. 

However, the human factor remains a significant vulnerability in password security. Despite the availability of password managers and education on password best practices, many people still choose weak passwords or reuse them across multiple accounts. This behavior provides hackers with ample opportunities to exploit security vulnerabilities and gain unauthorized access to sensitive information. 

The time it takes for a hacker to crack a password in 2024 varies depending on factors such as password strength, hacking techniques, and computational resources. While advances in technology have empowered hackers with increasingly sophisticated tools, the key to effective password security lies in employing strong, unique passwords with high entropy. By staying vigilant and adopting best practices, individuals and organizations can fortify their defenses against malicious cyber threats in the digital age.

Protecting Goa's Seniors from Increasing Cyber Threats

Cybercrimes have increased alarmingly in recent years in Goa, primarily targeting elderly people who are more vulnerable. The number of cybercrime incidents in the state has been continuously increasing, according to reports from Herald Goa, raising concerns among the public and law enforcement.

Data from the Goa Police Department indicates a concerning rise in cases of cybercrime against senior citizens. Scammers frequently use sophisticated techniques to prey on this group's lack of digital literacy. To acquire unlawful access to private data and financial assets, they employ deceptive schemes, phishing emails, and bogus websites.

In an interview with Herald Goa, Inspector General of Police, Jaspal Singh, emphasized the need for enhanced awareness and education regarding online safety for senior citizens. He stated, "It is crucial for our senior citizens to be aware of the potential threats they face online. Education is our strongest weapon against cybercrime."

To address this issue, the Goa Police Department has compiled a comprehensive set of cybercrime prevention tips, available on their official website. These guidelines provide valuable insights into safeguarding personal information, recognizing phishing attempts, and securing online transactions.

Additionally, experts advise seniors to be cautious when sharing personal information on social media platforms. Cybercriminals often exploit oversharing tendencies to gather sensitive data, which can be used for malicious purposes. Individuals must exercise discretion and limit the information they disclose online.

Furthermore, the importance of strong, unique passwords cannot be overstated. A study conducted by cybersecurity firm Norton revealed that 65% of individuals use the same password for multiple accounts, making them vulnerable to hacking. Senior citizens are encouraged to create complex passwords and consider using password manager tools to enhance security.

The increasing number of cybercrimes in Goa that target senior folks highlights how urgent the problem is. It is essential to give priority to education, awareness, and preventative security measures to combat this expanding threat. Seniors can use the internet safely if they follow the advice for prevention and stay educated about potential risks. 

Data Breach Targets Fast Company News

Fast Company's Apple News website currently displays a statement from the business confirming that it was hacked on Sunday afternoon, followed by another intrusion on Tuesday night that let threat actors to send bigoted notifications to smartphones via Apple News.

In a press release issued last night, the company claimed that "the statements are repulsive and are not by the contents and culture of Fast Company.  We have suspended FastCompany.com while we look into the matter and will not reopen it until it is resolved."

As soon as individuals on Twitter noticed the offensive Apple News notifications, the company disabled the Fast Company channel on the news network.

Data breach tactics

The website's webpage started to load up with articles headlined "Hacked by Vinny  Troia. [redacted] tongue my [redacted]. Thrax was here. " on Sunday afternoon, which was the first indication that Fast Company had been compromised.

In their ongoing dispute with security analyst Vinny Troia, members of the breached hacking group and the now-defunct RaidForums regularly deface websites and carry out attacks that they attribute to the researcher. Fast Company took the website offline for a while to address the defacement, but on Tuesday at around 8 PM EST, another attack occurred.

Hackers claim that after discovering that Fast Company was using WordPress for their website, they were able to compromise the company. The HTTP basic authentication which was supposed to have protected this WordPress installation was disregarded. The threat actor goes on to claim that they were able to enter the WordPress content management system by utilizing a relatively simple default password used on dozens of users.

Fast Company, according to the post, had a 'ridiculously easy' default password that was used on numerous accounts, including an admin account. The compromised account would have then been utilized by the threat actors to gain access to, among other things, authentication tokens and Apple News API credentials.

They assert that by using these tokens, they were able to set up administrator accounts on the CMS platforms, which were then used to send notifications to Apple News.

Threat actors gained access to an undefined number of customer names, birthdates, contact numbers, email, physical addresses, and personal documents, including license and passport numbers, through this same forum, which was at the center of the previous Optus breach. The hacker in question claims to have made 10,200 records available thus far. It's uncertain whether or when Apple News would reactivate the Fast Company channel.



Theft of 54 million SA Records, as per TransUnion Linked to the Current Breach

 

Recently one of South Africa's main credit bureaus, TransUnion has been hacked, and the hackers are demanding $15 million in ransom. 

The compromised credit bureau revealed on Friday it had been hacked and had received a ransom demand which "will not be paid." By exploiting an authorised client's credentials, the hackers, dubbed N4aughtysecTU, acquired access to an "isolated server holding restricted data from our South African firm."

N4aughtysecTU told IT Web it had 4 terabytes of client data and had accessed 54 million records, including information from more than 200 businesses. It allegedly threatened to attack TransUnion's corporate clients unless the credit bureau paid it $15 million in Bitcoin (about R223 million). 

The breach affects many South Africans who have entered into credit agreements, regardless of loan size. Users automatically consent to the credit bureaus disclosing about credit and payment history when they sign into agreements with banks or other financial institutions, credit card providers, vehicle lenders, utilities, or other creditors. The fact that your account information and payment history will be submitted to credit reporting agencies is outlined in these agreements.

According to a statement on the TransUnion website: 
  • An isolated server containing limited information from our South African operations was impacted by the attack.
  • The team is working closely with other specialists to figure out what data was impacted. 
  • Consumer information, such as phone numbers, email addresses, and identity information, may be affected. 
People should not give out personal information such as passwords and PINs to strangers over the phone or over email, according to Sabric, and demands for personal information should be confirmed first.

Experian, a credit bureau, had a data breach in 2020, potentially exposing the personal information of 24 million South Africans. Alongside, a ransomware attack hit Debt-IN Consultants, a debt recovery partner to various South African financial sector companies, in 2021. It is estimated that over 1.4 million South Africans' personal information was fraudulently accessed from its systems.

Moreover, banks have also been targeted. Absa revealed a data breach in November 2020, and over a year and a half later, it is still identifying more compromised customers. 

Experts Named the Most Popular Passwords of Russians

 

Passwords consisting of simple sequences of letters and numbers became the most popular passwords in Runet in 2021. Combinations qwerty123, qwerty1 and 123456 take top lines of the rating, the fourth place goes to a11111 and fifth place to 123456789. It is noted that among Cyrillic passwords, the most common are "password", "love", "hello" and "natasha". 

Analysts have studied 35.5 billion unique pairs of logins and passwords, including 250 million new ones. According to their data, only 3.5 percent of passwords can be called complex, and 16.5 percent are long. 

According to Alexei Drozd, head of information security at SerchInform, users risk losing access to their pages and personal accounts on various resources using easy passwords in the absence of two-factor authentication. He warned that it's especially dangerous if fraudsters gain access to a person's main mailbox. Then attackers will have an opportunity to take possession of more information, resetting the password from other services. 

For example, passwords are checked for security every time users enter them to access Yandex services: a database of 1.2 billion compromised credentials is used for this purpose. The same check is carried out in VKontakte. Google said that they are advised to think up a password length of at least 12 characters, such as a quote from a movie or a line from your favorite poem. 

Sergei Ivanov, Director of Product Strategy at T1 Group, said that the most common password-guessing technique is called brute force, which has long been used by cybercriminals. It is when anthologies of popular passwords and word directories are attached to the software code. He specified that a combination of six Latin letters of the same case can be found in 31 seconds, assuming the search speed of 10 million passwords per second. It would take only 95 minutes to crack a password consisting of six symbols (letters in different registers and numbers). If the password contains 10 symbols, it will take 2.5 years.

IP Spoofing Flaw Leaves Django REST Applications Vulnerable to DDoS Attacks

 

Attackers used an IP spoofing flaw in Django REST to bypass the framework's throttling function, which is designed to protect apps from mass requests. 

Mozilla, Red Hat, and Heroku, among others, use Django REST as a toolkit for constructing web APIs. It includes a throttling function that limits the number of API queries a client may make. Bot activity, denial-of-service attacks, and malicious actions such as brute-force attempts on login sites, one-time passwords, and password reset pages are all protected by this feature. 

IP addresses are used by Django REST to recognize clients and implement throttling request restrictions. Clients can, however, deceive the server and hide their IP address, according to security researcher Hosein Vita. 

He told The Daily Swig, “Django use WSGI (web server gateway interface) to communicate with web application and X-Forwarded-For HTTP header and REMOTE_ADDR WSGI variable are used to uniquely identify client IP addresses for throttling.” 

As a result, if the X-Forwarded-For header is included in a web request, the server will interpret it as the client's IP address. Vita was able to submit an endless number of requests with the same client by changing the X-Forwarded-For value. The approach only works for unauthenticated queries, according to Vita's bug report. 

APIs that require user authentication take both the user’s ID and the IP address into account when throttling, so IP spoofing is not enough to circumvent the request limits. According to Vita, the attack requires no specific server access, and an attacker who "can just see the website can abuse this method. 

Its immediate impact could be DDoS attacks caused by fraudulent requests flooding Django servers. However, it can also be used for other objectives, such as bypassing login page defences against brute-force attacks. Vita apparently identified the flaw while pen-testing an app with a one-time password login page. 

He stated, “You could log in [to the application] with OTP but I got blocked after many attempts. After my research, I used X-Forwarded-For header, and again I could send requests but after some attempts, again I got blocked.” 

The researcher added: “From my previous background in Django, I guessed it could get bypassed by changing the value of X-Forwarded-For header, and you could send 30 requests with each IP. Then I checked that in my Django API and it was correct.” 

The Django REST team was contacted by The Daily Swig for comment on the vulnerability. Meanwhile, Vita suggests using complementary strategies to protect applications from brute-force attacks. 

He added, “Always use other aspects of security measures as secondary methods. Use Captcha or other related methods to reduce attacks like this in important endpoints. For OTPs, use a token for each generated OTPs.”

This Aspiring Hacker was Caught in a Quite Embarrassing Manner

 

The US Department of Justice (DoJ) has arrested a Ukrainian citizen for using a botnet to hack people's passwords. He was caught by his alleged messages to vape shops in Ukraine, including an invoice with his home location. 

Glib Oleksandr Ivanov-Tolpintsev is accused by the Department of Justice of deploying a botnet to break passwords of targeted individuals, which he subsequently sold on the dark web. According to his indictment, Ivanov-Tolpintsev made over $80,000 from the operation. 

The press release from the DoJ reads, “During the course of the conspiracy, Ivanov-Tolpintsev stated that his botnet was capable of decrypting the login credentials of at least 2,000 computers every week...Once sold [on the dark web], credentials were used to facilitate a wide range of illegal activity, including tax fraud and ransomware attacks.” 

On October 3, 2020, Polish police arrested Ivanov-Tolpintsev in Korczowa, Poland, and he was extradited to the United States to stand prosecution for these offenses. 

Amateur Blunders 

According to an IRS affidavit, investigators tracked down Ivanov-Tolpintsev by looking at the contents of the Gmail accounts he used to conduct his dark web activities. 

Many digital receipts from online vape shops were sent to one of these accounts, revealing Ivanov Tolpintsev's name and contact information. 

Furthermore, Ivanov-normal Tolpintsev's email account was set as the recovery address for these accounts. Exploring the contents of his regular account showed a plethora of personally identifying information, including passport scans and Google Photos photos.

The government was able to assemble enough evidence to convince a court to order Ivanov Tolpintsev's arrest and extradition because of his carelessness in separating his criminal digital identity from his physical one. 

Although the investigators haven't revealed much about Ivanov Tolpintsev's botnet case but the case highlights the dangers of depending solely on a password to protect an account. 

Since breaking and auctioning passwords on the dark web may lead to significant attacks like the one on the United Nations, security experts have been urging to implement multi-factor authentication (MFA) systems.

Weak passwords is one of the main reasons for computer hacking in Russia

 According to Sberbank Bi.Zone branch cybersecurity specialists, most users use passwords that are too simple, which cybercriminals can easily guess in 46 percent of cases.

In addition, according to a study of the Russian payment system "Mir Plat.form", less than a third of Russians (28%) use different passwords on the Internet, and the data of other Russian citizens are under threat.

For example, most Russians are used to using the same or similar passwords for different sites. At the same time, 76% of them remember passwords, 40% use auto-save, 29% write them down on paper and 18% save them on their devices in text form.

Digital security experts believe you should use different passwords for different sites and services. Moreover, it's safer to remember them than to write them down or use auto-save. According to them, most break-ins occur because of the leakage of a single password and brute-force it to other services.

Yandex confirmed that the repeats are dangerous, if the attacker finds out the password, he will try to enter with it in social networks, in the mail services, and in online banks.

Yandex added that they monitor the appearance of various databases of stolen passwords on the Internet and, if they suspect that a person may use the same combination of characters, they send him in advance to a mandatory change of login data.

The press service of the Vkontakte said that their system will not allow the use of a combination of letters, numbers and signs, which has already been used before when changing credentials.

Specialists urge Internet users to be more responsible in choosing a password to avoid losing important information, money and not to become a victim of blackmail. The most secure password is a combination of upper and lower case letters and digits in random order, with punctuation symbols added.


Here's a Quick Guide to Safeguarding Credentials

 


Safeguarding your authentication credentials is your best defense towards preventing your identity from falling into wrong hands. A recent report from Nordpass disclosed that people still use easy-to-remember passwords which however can also be hacked with very little effort. More than 2 million people use very simple passwords for example: ‘1234567’, notably, it won't take more than a second to break. 

People use passwords to gain access to an organization's resources and for recreational purposes as well, however, if the protection of passwords is taken lightly, one might end up falling into the hands of unscrupulous cybercriminals. Password stealing is easier than most of you think as hackers have multiple tools at their disposal, here are the ways by which one can ensure the prevention of the same. 

1 Minimum password length and complexity: Longer passwords with alphanumeric and special characters are considerably harder for hackers to break. For example letters, numbers, and special characters, “while it has been seen that few passwords are very secure against brute-force attacks, but the goal is here to increase entropy to protect password without making overly complicated passwords. 

According to the Open Web Application Security Project (OWASP), password with less than 10 characters can be hacked very easily. However, the question that arises is what length is considered secure but not too long? According to OWASP 160-character passwords considered to be a reasonable length. 

2 Multi-factor authentication (MFA): You must have seen many online shopping apps have started asking for extra authentication to verify your identity, more than just a username/email and password. For example, code on your phone, face or fingerprint scan etc. However, for big IT companies, it is very essential to use multi-factor authentication such as behavioral biometrics, building device reputational controls, IP tracking, and challenge-response protocols into their systems. 

3 Password managers for employees: It can be easy to go way for the companies if companies start having a password manager. This is a very easy and productive way that can ensure whether employees are using complex passwords or not. 

4 “Zero Trust” Security model:  This Network security model implies trusting no one, not even known users or devices without verifying or validating. This security model has been introduced by an analyst at Forrester Research. Although the theory employed is not entirely new, this security model has gained prominence nowadays in digital transformation and the effects can be easily seen on business network security architecture.

100,000 Most Hack-able Passwords and Tips to Steer Clear of Them!




Keeping a password is an essential requirement and it stands a high stand in keeping a person’s private life, Private.

The need emerges from the necessity of keeping your stuff (any sort) locked away from people who don’t need to see it and from people who got no business of seeing it.

Hence, looking and raking for that almost perfect password is super necessary. Especially with all these hackers and cyber-cons always round the corner.

One thing to always keep in mind is that if a password is even mildly easy for a user to keep in mind, it is super easy for a hacker to hack.

Per the UK’s Cyber Security Center Breach analysis, the password, “123456 was found to be used 23 million times during breaches.

That password was followed by a “12345678 in the list, which was found to be used around 7 million times in the breaches.

The most horrendously obvious password used are, “123456” and “password”.

Other passwords on the list were, “ashley”, “michael”, “qwerty” and “1111111”.

The following is the link to the top 100,000 most hack-able passwords.



A Few Tips!

1.    A strong password should have at least six characters which include a combination of upper cases, lower cases, symbols and number.

2.  If your passwords happen to match with the ones in the list change them as soon as possible.

3.  The very first step to take could be thinking of difficult to guess passwords by combining memorable plus random words.

4.  The more creative the password the safer the account it protects.


5.  Complexity is a must.

6.  Enforce strong password policy on every account possible.

7.   Check the password regularly and use 2FA (Factor Authentication) for major sites, accounts especially emails etc.

8.  All the passwords should be unique for all the different sites and accounts.

9.  All the default passwords must be changed because the IT department always has a list.

Other ways of protecting include using a password manager for less important websites and accounts.