Powered by Blogger.
Survivors Call for Enhanced Online Protection, Wikipedia Rejects Age Checks

 


The Wikimedia Foundation has warned that Wikipedia could become inaccessible to UK readers if it cannot comply with the country's online safety legislation. 

The Online Safety Bill includes requirements for identity verification and age-gating. Wikimedia says these measures are incompatible with Wikipedia's open, volunteer-driven model, which is why the foundation wants the bill changed. It will not restrict access to its content by age. 

Rebecca MacKinnon, Wikimedia's vice president of global advocacy, told the BBC that such verification would "violate our commitment to collecting minimal data about our readers and contributors". 

Under the law, which is due to come into force in 2024, companies offering online services will be required to protect users from harmful or illegal content. Services likely to be accessed by children will have to apply age verification. 

Wikimedia UK expects that some Wikipedia material, including educational content about sexuality, will trigger the age-verification requirement at some point. Complying would require reworking a major portion of the site's technical system.  

A government spokesperson said the requirements would target only the services posing the highest risk to children, and Wikipedia argues that it is unlikely to fall under the bill's strictest tier. The foundation would prefer an approach similar to the EU Digital Services Act, which distinguishes between a centralized moderation model driven by employees and the volunteer community model that Wikipedia uses.  

Wikimedia figures worry that the site could be blocked for non-compliance, while the government has assured them that only high-risk services will be subject to age verification. 

In the same interview, MacKinnon said the bill would violate the organization's commitment to collecting minimal information about readers and contributors. At present, Wikipedia readers do not have to provide any information: no profile or identity verification is needed to access the content. 

Ofcom will enforce the rules against websites that do not comply and will be able to impose heavy fines for breaking them. 

To address this, Wikipedia is advocating an "encyclopedia exemption" under which public goods and publicly created knowledge would be protected from censorship, centralized moderation, and the rules designed for centralized content platforms. 

In response to the updated legislation, which requires platforms to keep underage visitors out of their services, the foundation announced it would not restrict its sites by age.  

Even with the government's assurance that only the highest-risk content would be moderated and restricted to those aged 18 and over, the concerns remain. Because Wikipedia is community-run and all of its information is openly accessible, it is not governed by a large corporation or regulated by governments in the same way as a platform like Google.

Atomic macOS Malware: New Malware Steals Credit Card Credentials in Chrome


A new information stealer is targeting macOS. According to BleepingComputer, the malware, named "Atomic", is being sold to cybercriminals on darknet markets for $1,000 a month. 

The subscription includes a simple victim-management panel that gives buyers access to very sensitive data: keychain passwords, browser cookies, files from the local machine, and other information that can put victims in serious trouble.

What is Atomic Capable of? 

Atomic is an information stealer, and its victims can end up considerably poorer. Buyers receive a DMG file containing a 64-bit Go-based binary that steals credit card data saved in browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Vivaldi, Opera, and Yandex. 

Once it runs on a victim's Mac, Atomic displays a fake password prompt asking the user to enter the system password. With that password, the attackers gain further access to the target's macOS machine and can cause havoc. 

Cryptocurrency holders are particularly exposed: the malware targets more than 50 well-known cryptocurrency wallet extensions, including MetaMask and Coinbase. 

Atomic also tends to go unnoticed. At the time of the report, only one of 59 anti-virus engines flagged the sample as malicious. 

How can you Protect Yourself from Atomic macOS Malware? 

Atomic is not distributed through any official Apple channel. Buyers spread it through phishing emails, malware-laced torrents, and social media posts; some use black-hat SEO to lure Google users into downloading it disguised as legitimate software. 

If you hold cryptocurrency, use a well-known hardware wallet rather than a software wallet, which leaves your assets far more exposed to this kind of theft. 

Users are also advised to remove saved credit cards from Google Chrome: go to Settings > Autofill > Payment methods, open the three-dot menu next to each card and choose "Turn off virtual card" or remove the card. To go a step further, open pay.google.com, select Payment methods, and click "Remove" next to each card so that it no longer syncs back into the browser.  
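As an added example (not part of the original article and not tooling from Apple, Google, or the malware's operators), the script below audits what Chrome actually keeps on disk, so you can confirm that the removal above worked. It assumes Chrome's "Web Data" SQLite file and the column names of its credit_cards table; the macOS profile path and the sample database it builds for the demonstration are constructed for illustration.

```python
"""Audit the payment cards Chrome keeps on disk, without decrypting them.

Added example; not from the article, Apple, Google, or the malware's authors.
Chrome stores autofill cards in the SQLite file "Web Data" inside each profile
directory (on macOS: ~/Library/Application Support/Google/Chrome/Default/Web Data).
The card number lives in card_number_encrypted, protected by a key kept in the
user's login keychain, which is why a stealer that phishes the login password can
read it. This script only reports what is stored; it never decrypts anything.
"""
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Assumed Chrome "credit_cards" column names; check against your Chrome build if the query fails.
QUERY = (
    "SELECT name_on_card, expiration_month, expiration_year, "
    "length(card_number_encrypted) FROM credit_cards"
)


def chrome_web_data_path(profile="Default"):
    """Default macOS location of the Chrome profile database (adjust for other OSes)."""
    return Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / profile / "Web Data"


def audit_web_data(web_data_path):
    """Return one dict per stored card: holder name, expiry, and encrypted-blob length.

    Chrome keeps the file locked while running, so the audit works on a temporary
    copy and never writes to the live profile.
    """
    src = Path(web_data_path)
    if not src.is_file():
        raise FileNotFoundError(f"no Web Data file at {src}")
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "webdata-copy.sqlite"
        shutil.copy2(src, copy)
        conn = sqlite3.connect(copy)
        try:
            rows = conn.execute(QUERY).fetchall()
        finally:
            conn.close()
    return [
        {
            "name_on_card": name,
            "expires": f"{int(month):02d}/{year}",
            "encrypted_number_bytes": enc_len or 0,
        }
        for name, month, year, enc_len in rows
    ]


def make_sample_web_data(path):
    """Build a constructed Web Data file with the credit_cards layout (fixture only)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE credit_cards ("
        "guid VARCHAR PRIMARY KEY, name_on_card VARCHAR, expiration_month INTEGER, "
        "expiration_year INTEGER, card_number_encrypted BLOB, "
        "date_modified INTEGER NOT NULL DEFAULT 0)"
    )
    # 'v10' mirrors Chrome's encrypted-value prefix on macOS; the payload is dummy bytes.
    conn.execute(
        "INSERT INTO credit_cards VALUES (?, ?, ?, ?, ?, ?)",
        ("11111111-2222-3333-4444-555555555555", "A. Example", 4, 2027, b"v10" + b"\x00" * 32, 0),
    )
    conn.commit()
    conn.close()


def demo_on_constructed_sample():
    """Run the audit against the constructed fixture and return its result."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Web Data"
        make_sample_web_data(sample)
        return audit_web_data(sample)


if __name__ == "__main__":
    import sys

    target = Path(sys.argv[1]) if len(sys.argv) > 1 else chrome_web_data_path()
    cards = audit_web_data(target) if target.is_file() else demo_on_constructed_sample()
    if not cards:
        print("no payment cards stored in", target)
    for card in cards:
        print(f"{card['name_on_card']}: expires {card['expires']}, "
              f"{card['encrypted_number_bytes']} encrypted bytes on disk")
```

Run it with the path to a profile's "Web Data" file; with no argument it looks in the default macOS profile and, if that file is absent, falls back to the constructed sample. An empty result after following the steps above is the confirmation you want; anything listed is still reachable to a stealer that obtains the login password.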

Fake Reviews and Subscription Traps to be Banned Under New Bill in UK

 

Under the new rules, buying, selling, or hosting fake reviews would become unlawful. The UK government's Digital Markets, Competition and Consumers Bill is intended to benefit consumers while increasing competition among large technology corporations. 

The bill, introduced on Tuesday, prohibits people from accepting money or free items in exchange for writing flattering reviews. Firms would also be required to notify customers when their free subscription trials are about to expire. Furthermore, the bill seeks to end the current market dominance of the tech giants.

The law has been in the works since 2021. Its authors say they want to oversee the way a number of large tech businesses dominate the market, though none has been named yet; they will be designated after a nine-month assessment phase.

Location makes no difference: corporations headquartered in China will be included if they are judged to be in scope. The newly established Digital Markets Unit, part of the Competition and Markets Authority (CMA), will be given special powers to open up specific markets as circumstances require.

This may involve asking Apple to allow iPhone and iPad users to download apps from various app stores, or compelling search engines to share data. The CMA will be authorized to levy fines of up to 10% of global revenue for non-compliance, depending on the infraction, and will not need a court order to enforce consumer law.

The EU Digital Markets Act was created to address similar competition difficulties with large digital corporations.

The UK bill is fairly broad, and the CMA will have to:
  • deal with the large, worldwide issue of big tech's market dominance 
  • help customers manage subscriptions, and potentially extend the "cooling off" period so they can be stopped after one payment is made 
  • ensure platforms take "reasonable steps" to verify that product and service evaluations are authentic.
After successfully forcing Meta, Facebook's parent company, to sell the graphics animation firm Giphy after ruling that it would harm competition, the CMA demonstrated that a UK regulator can be effective when tackling what are likely to be predominantly US-based behemoths. Meta was disappointed, but it did comply.

According to Reed Smith lawyer Nick Breen, the expanded powers granted to the CMA under the new bill mean that "no one has the luxury of taking this lightly." The trade organization techUK's Neil Ross expressed hope that it would feature "robust checks and balances" as well as a fast appeals mechanism.

"The new laws we're delivering today will empower the CMA to directly enforce consumer law, strengthen competition in digital markets, and ensure that people across the country keep hold of their hard-earned cash," said Business Minister Kevin Hollinrake.

Following parliamentary approval, the new rules will be implemented as soon as possible, according to the Department of Business and Trade.


How AI is Helping Threat Actors to Launch Cyber Attacks

 

Artificial intelligence offers great promise, and while tech enthusiasts are excited about it, criminals are also looking at how it can aid their activities. The field is fascinating, but it can also make us nervous. So how might AI support online criminals? 

Social engineering 

Social engineering claims countless victims every week and is a major issue worldwide. The victim is manipulated into complying with the attacker's demands, frequently without realising they are the target. 

AI can help with social engineering by producing the text of fraudulent communications such as phishing emails and SMS messages. Even at today's level of development, a chatbot can be instructed to produce a compelling or persuasive script that the criminal then uses against victims. People have taken notice of this threat and are already worried about what lies ahead.

AI can also correct typos and grammatical errors, making hostile messages appear more formal and professional. Such errors are frequently cited as indicators of a phishing attempt, so criminals benefit if they can write their social engineering content more clearly and cleanly. 

Analysing stolen data

Data is worth as much as gold. Sensitive information is regularly sold on dark web markets, and some actors are willing to pay a very high price for it if it is sufficiently valuable. 

But data must first be stolen before it can appear on these marketplaces. Small-scale theft is possible when an attacker targets individual victims, but larger hacks can yield sizeable databases, and the criminal then has to decide which information in that database is worth anything. 

If AI speeds up the process of identifying valuable information, a malicious actor spends less time deciding what to sell or exploit directly. Since learning is the foundation of artificial intelligence, it may soon be simple to use an AI-powered tool to detect the sensitive records that are worth the most. 

Malware writing 

Some people would not be surprised to learn that malware can be created with artificial intelligence. Malware, a blend of "malicious" and "software", refers to the various kinds of malicious programs used in hacking. 

Malware must first be written, though, before it can be used. Not all cybercriminals are skilled programmers, and others simply don't want to spend time learning to write new programs. This is where AI may prove useful. 

In early 2023 it was found that ChatGPT could be used to create malware. OpenAI's hugely popular ChatGPT is being abused by hackers, even though it also performs many legitimate tasks. 

In one instance, a user on a hacking forum claimed to have used ChatGPT to write Python-based malware. Writing malicious software could be partially automated with ChatGPT, which makes it easier for novice cybercriminals with limited technical knowledge to operate. 

ChatGPT (at least its current version) can only produce simple, sometimes buggy malware rather than sophisticated code that poses serious hazards. That does not rule out AI being used to create malicious software, though: given that a modern chatbot can already write simple malicious programs, it may not be long before more dangerous malware emerges from AI systems. 

Bottom line 

Artificial intelligence has been and will continue to be abused by cybercriminals, as is the case with most technological advances. It is impossible to predict how attackers will use this technology to advance their attacks in the near future, given that AI already has some dubious skills. Cybersecurity companies may also use AI more often to counter such threats, but only time will tell how this develops.

Ransomware Clop and LockBit Attacked PaperCut Servers

 


Microsoft has said that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the work of an affiliate of the Clop ransomware operation. 

Last month PaperCut patched two vulnerabilities in its application server that allow unauthenticated remote attackers to execute code and access information.

CVE-2023-27350 / ZDI-CAN-18987 / PO-1216: unauthenticated remote code execution, affecting PaperCut MF/NG version 8.0 or later on all OS platforms, on both the application server and the site server. 

CVE-2023-27351 / ZDI-CAN-19226 / PO-1219: unauthenticated information disclosure, affecting PaperCut MF/NG version 15.0 or later on all application server platforms.

Last week Trend Micro notified PaperCut that the vulnerabilities were being exploited in the wild, and PaperCut sent an alert to users urging them to update their servers as soon as possible.

"Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505)," a tweet by Microsoft Threat Intelligence reads.  

Last week, Microsoft Threat Intelligence identified "Lace Tempest" as one of the threat actors exploiting these bugs, in a report covering FIN11 and TA505. 

FIN11, the group behind the Accellion FTA extortion campaign, is linked to the infamous Clop ransomware gang. TA505 has also been linked to the Dridex banking trojan and the Locky ransomware. 

The same Clop affiliate previously exploited Fortra's GoAnywhere file-transfer software in data-theft extortion campaigns, and has used the widely distributed Raspberry Robin worm for post-compromise activity.

Both PaperCut NG and PaperCut MF are affected. CVE-2023-27350 lets an unauthenticated attacker execute code remotely on a PaperCut application server, while CVE-2023-27351 lets an unauthenticated attacker retrieve information about users stored in PaperCut MF or NG, such as usernames, full names, e-mail addresses, department information, and card numbers.

Through the information-disclosure bug, attackers can also retrieve the hashed passwords of internal PaperCut user accounts. They cannot retrieve password hashes for users synced from external directory sources such as Microsoft 365 and Google Workspace. 
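The affected ranges above are easy to misjudge from a version string such as "22.0.8 (Build 65996)". As an added example (not PaperCut's code and not from the article), the script below triages an inventory of PaperCut version strings against both CVEs. The affected ranges follow the article; the fixed releases 20.1.7, 21.2.11 and 22.0.9 are taken from PaperCut's advisory rather than from this page, and treating major versions newer than 22 as fixed is an assumption, so re-check both against the vendor advisory before acting on the output. The inventory is constructed.

```python
"""Triage PaperCut MF/NG version strings against CVE-2023-27350 and CVE-2023-27351.

Added example; not PaperCut's code. Affected ranges follow the article
(CVE-2023-27350: 8.0 and later; CVE-2023-27351: 15.0 and later). The fixed
releases 20.1.7, 21.2.11 and 22.0.9 come from PaperCut's advisory, not from the
article, and treating newer major lines as fixed is an assumption.
"""
import re

# First fixed release in each maintained line (PaperCut advisory). Older lines
# received no fix and must be upgraded into one of these lines.
FIXED_IN = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
NEWEST_PATCHED_MAJOR = 22  # assumption: later major lines shipped after the fix


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '22.0.8 (Build 65996)' or '14.2'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def affected_cves(version_text):
    """List the CVEs that apply to this version; an empty list means patched or pre-8.0."""
    v = parse_version(version_text)
    if v[0] > NEWEST_PATCHED_MAJOR:
        return []
    fix = FIXED_IN.get(v[0])
    if fix is not None and v >= fix:
        return []
    cves = []
    if v >= (8, 0, 0):
        cves.append("CVE-2023-27350")
    if v >= (15, 0, 0):
        cves.append("CVE-2023-27351")
    return cves


def triage_inventory(inventory):
    """inventory: {hostname: version string}. Returns hosts needing action, worst first."""
    report = []
    for host, version in inventory.items():
        try:
            cves = affected_cves(version)
        except ValueError as exc:
            cves = [f"unparseable: {exc}"]  # unknown version still needs a human look
        if cves:
            report.append((host, version, cves))
    # The RCE applies to every affected host, so hosts exposed to both CVEs sort first.
    return sorted(report, key=lambda r: (-len(r[2]), r[0]))


# Constructed inventory for illustration.
SAMPLE_INVENTORY = {
    "print-hq": "22.0.8 (Build 65996)",
    "print-branch": "21.2.11",
    "print-legacy": "14.2",
    "print-old": "7.5",
    "print-unknown": "n/a",
}

if __name__ == "__main__":
    for host, version, cves in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:15} {version:25} {', '.join(cves)}")
```

A host on 14.2 shows only CVE-2023-27350 (the disclosure bug starts at 15.0), a host on 7.5 is outside both ranges, and a host on 21.2.11 is at the fixed release for its line. The version string is typically visible on the admin console's About page, so this check does not require network access to the servers.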

Lace Tempest, also known as DEV-0950, has previously been reported as a Clop affiliate, using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. PaperCut servers have been targeted through these vulnerabilities since April 13. 

Clop Has Done This Before

The exploitation of PaperCut servers fits the pattern the Clop ransomware gang has followed over the last three years. 

Although Clop still encrypts files in some attacks, BleepingComputer has reported that the operation now prefers to steal data from victims and use it to extort them for ransom. 

In 2020, Clop exploited a zero-day vulnerability in Accellion's FTA file-transfer appliance and stole data from approximately 100 companies, marking the start of this shift in tactics.

More recently, the gang exploited a zero-day vulnerability in the GoAnywhere MFT secure file-sharing platform to steal data from 130 companies.

DOJ Prioritizes Disruptions Over Arrests in Cyberattack Cases

 

The Department of Justice is asking its prosecutors and investigators to focus less on prosecutions and more on disruption and protection in cyberattack cases, US Deputy Attorney General Lisa Monaco told attendees at the RSA Conference. 

Monaco said there should be a "bias towards action to disrupt and prevent, to minimize harm if it's ongoing [...] and to take that action to prevent the next victim." That will not always result in a prosecution, she added, which is a difficult thing for a prosecutor to say.

"We're not measuring our success only with courtroom actions and courtroom victories." The shift is necessary, she said, because nation-states are increasingly collaborating with criminal organizations to carry out global cyberattacks. 

"We took a hard look in the Justice Department and said, 'how can we maximize our tools and what we can bring to this fight from a Justice Department perspective?'" she said. "We needed to pivot to disruption and prevention. We needed to put victims at the center of our approach." 

Monaco cited the DOJ's response to the Colonial Pipeline attack as an example. The pipeline operator paid the ransomware operators in the hope of unlocking its affected systems; according to Monaco, the DOJ used an existing tool, a forfeiture warrant, to trace Colonial's payment on the blockchain and return that money to the company.

The Hive group was notorious for attacking over 1,500 victims and demanding more than $100 million in ransom. Monaco said that dismantling Hive saved would-be victims another $130 million in ransom payments.

Throughout the discussion, Monaco emphasized the DOJ's desire to collaborate with industry in a non-adversarial manner. Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency (CISA), then asked whether the prosecution of former Uber CSO Joe Sullivan had violated that trust. In that case, Sullivan concealed payments, disguised as a bug bounty payout, to attackers who had obtained data from Uber's internal systems. The breach was not made public until a year later, after Uber's leadership changed. Sullivan was found guilty of obstructing justice in 2022.

Although other companies had made payments to attackers in the past, including during the Colonial Pipeline attack, Monaco said Sullivan's case was different because his actions were "intentional acts as was proved at trial and as the jury found," she said. "Very, very different from and not a mistake made by a CISO or compliance officer in the heat of a very stressful time."

Sullivan's sentencing is set for May 4, according to Krebs and Monaco.


Chinese APT Group Hijacks Software Updates for Malware Delivery

Evasive Panda, an advanced persistent threat (APT) group attributed to China, has been found hijacking the legitimate update channels of Chinese-developed applications to deliver custom malware to individuals in China and Nigeria for cyber-espionage. ESET researchers found that, during automated updates, a legitimate application component downloaded MgBot backdoor installers from legitimate URLs and IP addresses. The modular malware lets Evasive Panda spy on victims and extend its capabilities on the fly.

Attribution was straightforward because researchers have never observed any other threat actor using the MgBot backdoor. The attacks have been ongoing for two years, with the primary goal of stealing credentials and data for espionage. This is another example of the increasing sophistication and persistence of state-sponsored actors in cyberspace.

Using legitimate software update channels is a clever technique employed by the group to avoid detection by traditional security measures. Once the malware is delivered through the update, it can operate in the background undetected, and the APT group can exfiltrate sensitive information from the victim's device.

This discovery highlights the importance of maintaining a secure software supply chain and the need for constant vigilance in monitoring the activity of state-sponsored threat actors. Organizations and individuals should always keep their software up to date, maintain robust security measures, and be wary of any suspicious activity or unexpected system changes.

The ESET researchers noted that MgBot is customized for each victim, which points to a high degree of sophistication on the part of the group. Malware of this kind is difficult to detect and defend against, so individuals and organizations need to be proactive about their security measures. 

The Media & Entertainment Industries' Major Public Cloud Security Issues

 

As reported by Wasabi, media and entertainment (M&E) organizations are swiftly turning to cloud storage to improve their security posture. While M&E organizations are still fairly new to cloud storage (69% have been using it for three years or less), public cloud storage use is on the rise, with 89% of respondents looking to increase (74%) or maintain (15%) their cloud services.
On average, M&E respondents reported spending 13.9% of their IT budget on public cloud storage services. Overdrawn budgets due to hidden fees, as well as cybersecurity and data loss worries, continue to be issues for M&E organizations.

“The media and entertainment industry is a key vertical for cloud storage services, driven by the need for accessibility to large media files among multiple organizations and geographically distributed teams,” said Andrew Smith, senior manager of strategy and market intelligence at Wasabi Technologies, and a former IDC analyst.

“While complex fee structures and cybersecurity concerns remain obstacles for many M&E organizations, planned increases in cloud storage budgeting over the next year, combined with a very high prevalence of storage migration from on-premises to cloud; clearly shows the M&E industry is embracing and growing their cloud storage use year on year,” concluded Smith.

In the previous year, more than half of M&E organizations spent more than their planned amount on cloud storage services. The fees accounted for 49% of M&E firms' public cloud storage expense, with the other half going to actual storage capacity utilized. Understanding the charges and fees connected with cloud usage has been identified as the most difficult cloud migration barrier for M&E organizations.

Since M&E organizations rely substantially on data access, egress, and ingress, M&E respondents reported the highest occurrence of API call fees when compared to the global average. The respondents reported a very high incidence of cloud data migration, with 95% reporting that they migrated storage from on-premises to the public cloud in the previous year.

M&E respondents planning to expand their public cloud storage budgets in the next 12 months cited new data protection, backup, and recovery requirements as the primary driver, whereas that reason ranked only third globally. 45% of M&E organizations use more than one public cloud provider. Data security concerns were the second most common reason (44%) for choosing a multi-cloud strategy, behind different buying centres within the organization making their own purchasing decisions (47%).

The following are the top three security concerns that M&E organizations have with a public cloud:
  • Lack of native security services (42%)
  • Lack of native backup, disaster and data protection tools and services (39%)
  • Lack of experience with cloud platform or adequate security training (38%)
“Organizations in the media and entertainment industry are flocking to cloud storage as their digital assets need to be stored securely, cost-effectively and accessed quickly,” said Whit Jackson, VP of Media and Entertainment at Wasabi.

Your Details are Hidden on this Secret ID on Your Phone

 


The number of parties who want to exploit your private information is staggering, from social media platforms to email providers, and online stores and personal services are no exception. 

Many online businesses rely heavily on your information and pay little attention to customer privacy. Most advertisers and marketers do not know who you are; instead, a Mobile Advertising ID (MAID) is attached to your behaviour and a history of your activity is collected against it. 

From that one identifier, your location, your shopping history, and your recent online searches can be pieced together. Until recently there was very little you could do to keep your MAID out of marketing campaigns; Apple's App Tracking Transparency now lets iOS users decide, app by app, whether they can be tracked. 

Criminals, however, stand to profit far more if they can match the ID to the individual. Most companies or advertising agencies cannot tell who a MAID belongs to, because the identifier is not supposed to be attached to a person. 

These data sets are not supposed to contain any personally identifiable information (PII). Yet Vice's Motherboard reported on one company that offers MAIDs together with the PII associated with each of them. 

The use of mobile phones in everyday life poses a considerable amount of privacy risk, which is a major concern. Your MAID can be linked to the following information that can be provided by the company:
  • Full name
  • Physical address
  • Phone number
  • Email address
  • IP address
There should be a red flag raised for everyone after it was revealed that data brokers are capable of integrating advertising IDs with mobile phone numbers.

Google Takes Down Cryptbot Malware Infrastructure

Google has taken down the infrastructure and distribution network linked to the Cryptbot info stealer, a malware that was being used to infect Google Chrome users and steal their data. The move comes after the tech giant filed a lawsuit against those using the malware to carry out illegal activities.

Cryptbot is a type of malware that steals sensitive information from infected devices, including usernames, passwords, and credit card details. The malware is typically spread through phishing emails and malicious websites, and can be difficult to detect and remove once it has infected a device.

Google's lawsuit targets the infrastructure and distribution network behind the Cryptbot malware, with the aim of disrupting its operations and reducing the number of victims. By taking down the infrastructure, Google hopes to make it harder for cybercriminals to distribute the malware and infect new devices.

The move is part of Google's ongoing efforts to protect its users from cyber threats and keep its platform safe and secure. In recent years, the company has invested heavily in developing advanced security measures to detect and prevent malware and other malicious activities.

However, cybercriminals are constantly evolving their tactics and finding new ways to exploit vulnerabilities in systems and software. This means that companies like Google need to stay vigilant and proactive in their efforts to protect their users.

In addition to taking down the Cryptbot infrastructure, Google is also urging Chrome users to take steps to protect themselves from malware and other cyber threats. This includes keeping their software up to date, using strong and unique passwords, and being wary of suspicious emails and websites.

Google's efforts to disrupt the Cryptbot malware operation are an important step in the fight against cybercrime. By targeting the infrastructure and distribution network behind the malware, the company is helping to reduce the number of victims and make the internet a safer place for everyone.

This AI Tool Can Crack Your Password in Sixty Seconds; Here's How to Protect Yourself

 

Even though ChatGPT may be the AI that everyone is thinking about right now, chatbots aren't the only AI tool that has emerged in recent times. DALL•E 2 and Runway Gen 2 are just two examples of AI picture and video creators. Sadly, some AI password crackers exist as well, such as PassGAN. 

PassGAN is actually not that new. It debuted in 2017 and its GitHub repository was last updated six years ago, so it is not a hacking tool built in response to the ChatGPT boom. But when the cybersecurity research company Home Security Heroes recently put it to the test, the results were startling. According to the study, PassGAN can crack any seven-character password in six minutes or less, regardless of whether it contains symbols, capital letters, or numbers. 

Modus operandi 

PassGAN combines "password" with "generative adversarial network" (GAN), much as ChatGPT combines "chat" with "generative pre-trained transformer" (GPT). A GAN is the type of deep-learning model PassGAN is built on, as GPT is for ChatGPT.

The model's objective is to produce password guesses based on the real-world passwords it is trained on. Home Security Heroes trained PassGAN, a tool popular for studies like this, on the RockYou dataset from the 2009 RockYou breach; given that data, the model generated candidate passwords in an attempt to guess the sample passwords. 

The result was an AI tool trained on real passwords that could quickly crack a wide range of them. 

Should I be alarmed about PassGAN?

The good news is that, for now at least, you don't need to panic about PassGAN. Dan Goodin, security editor at Ars Technica, argued in an opinion piece that PassGAN was "mostly hype": it cracks passwords readily enough, but no faster than existing non-AI password crackers. 

For example, Goodin quotes Yahoo Senior Principal Engineer Jeremi Gosney, who said that standard password-cracking methods could quickly achieve similar results and crack 80% of the passwords from the RockYou breach. Gosney characterised the study's findings as "neither impressive nor exciting." And on closer inspection, the headline that "50% of common passwords can be cracked in less than a minute" is less alarming than it sounds: those passwords rarely mix capital letters, lowercase letters, digits, and symbols, and are mostly made up of numbers with seven characters or fewer. 

This means that a password of at least 11 characters mixing uppercase and lowercase letters, numbers, and symbols is enough to defeat PassGAN: by the study's estimate, such a password would take 365 years to crack, and at 12 characters that rises to 30,000 years. The best password managers make it simple to create passwords like these. 

But suppose you don't want to use a password manager because you don't trust that they are immune to data breaches, like the LastPass compromise in August 2022. That is a legitimate concern. Fortunately, a passphrase, a password created by combining several words, is likely still enough to defeat PassGAN. Home Security Heroes estimates that it would take PassGAN on average 890 years to crack a 15-character password made up entirely of lowercase letters. That jumps to a staggering 47 million years with a single capital letter added, long after our AI overlords have taken over the world. 
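The two points above, that a RockYou-trained model mostly replays RockYou-like passwords and that length and character classes grow the search space exponentially, can be checked directly. The script below is an added example, not from Home Security Heroes, PassGAN, or the article: it flags breach-list membership and computes the brute-force keyspace for a password. The breach list is a constructed stand-in for RockYou, and the guess rate is an assumed order of magnitude for a GPU rig; both are labelled as such in the code.

```python
"""Two checks behind the PassGAN numbers: breach-list membership and keyspace size.

Added example; not from Home Security Heroes, PassGAN, or the article. A model
trained on RockYou mostly replays RockYou-like passwords, so check (1) asks whether
the password already appears in a breach-derived list; check (2) computes the
brute-force keyspace, which is what the article's length and class figures measure.
The breach list and the guess rate below are constructed assumptions.
"""
import math
import string

# (alphabet, size) for each character class a cracker would add to its mask.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)

# Stand-in for a breach wordlist such as RockYou; a real check uses the full list.
BREACH_LIST = frozenset({"123456", "password", "iloveyou", "princess", "rockyou", "abc123", "qwerty"})

GUESSES_PER_SECOND = 1e10  # assumption: order of magnitude for a GPU cracking rig


def charset_size(password):
    """Alphabet size implied by the classes present; characters outside all four count as a class of 1."""
    size = sum(n for alphabet, n in CLASSES if any(c in alphabet for c in password))
    if any(all(c not in alphabet for alphabet, _ in CLASSES) for c in password):
        size += 1
    return size


def keyspace_bits(password):
    """log2 of the number of strings a mask attack must try for this length and alphabet."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def exhaust_years(password, rate=GUESSES_PER_SECOND):
    """Time to try every string in the keyspace at `rate` guesses per second."""
    seconds = 2 ** keyspace_bits(password) / rate
    return seconds / (365.25 * 24 * 3600)


def assess(password, breach_list=BREACH_LIST):
    """Return both checks plus a verdict; a breached password is weak whatever its keyspace."""
    in_breach = password.lower() in breach_list
    bits = keyspace_bits(password)
    if in_breach:
        verdict = "breached: guessed on the first pass regardless of length"
    elif bits < 50:
        verdict = "weak: keyspace small enough to exhaust"
    else:
        verdict = "ok: strength comes from length, not symbol tricks"
    return {"in_breach": in_breach, "bits": bits, "years": exhaust_years(password), "verdict": verdict}


if __name__ == "__main__":
    for pw in ("123456", "P@ss7!", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        r = assess(pw)
        print(f"{pw:28} {r['bits']:6.1f} bits  {r['years']:12.3g} years  {r['verdict']}")
```

The keyspace figure is an upper bound on the work of a dumb mask attack; a real cracker with rules and wordlists does far better against human-chosen passwords, which is why the breach-list check comes first and why a long passphrase of ordinary words beats a short password with symbols.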

However, keep in mind that no password is ever completely secure. Despite your best efforts, data breaches can still expose you, and by pure luck a password cracker might guess your password sooner than expected. But as long as you follow best practices for password security, you have little to fear from PassGAN or any other rogue actor.