Excuse Me United States, Your Password is Showing

A recent analysis of a new variant of a widespread piece of malware illustrates how sophisticated, and yet how simple, breaching computer security has become. The malware, known as "Emotet," hit the Pennsylvania city of Allentown, getting past the city's firewalls and its up-to-date antivirus software and costing the city more than $1 million at last count. The city cannot process some financial transactions, and its police department cannot access key crime databases. The city is working to restore its systems, but the end is not yet in sight.

Security research firm Fidelis Security has published an analysis of Emotet, and one feature is especially noteworthy because it demonstrates the adage that in security, people are the weakest link. Once on a machine, Emotet spreads across the local area network by "brute forcing" access to other computers with a built-in list of common passwords. How common? The list carried by this particular strain is reproduced below. If your password is on it, you are exactly the kind of user this malware was written to exploit, and no firewall or antivirus product will make up for it. One security expert quipped that anyone using one of these would be better off using their own name instead; note, however, that the list also contains dozens of common first names, in both capitalised and lower-case form, so even that would not help.

123, password, Password, letmein, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, qwerty, love, iloveyou, princess, pussy, master, monkey, abc123, 99999999, 9999999, 999999, 99999, 9999, 999, 99, 9, 88888888, 8888888, 888888, 88888, 8888, 888, 88, 8, 77777777, 7777777, 777777, 77777, 7777, 777, 77, 7, 66666666, 6666666, 666666, 66666, 6666, 666, 66, 6, 55555555, 5555555, 555555, 55555, 5555, 555, 55, 5, 44444444, 4444444, 444444, 44444, 4444, 444, 44, 4, 33333333, 3333333, 333333, 33333, 3333, 333, 33, 3, 22222222, 2222222, 222222, 22222, 2222, 222, 22, 2, 11111111, 1111111, 111111, 11111, 1111, 111, 11, 1, 00000000, 0000000, 00000, 0000, 000, 00, 0987654321, 987654321, 87654321, 7654321, 654321, 54321, 4321, 321, 21, 12, super, secret, server, computer, owner, backup, database, lotus, oracle, business, manager, temporary, ihavenopass, nothing, nopassword, nopass, Internet, internet, example, sample, love123, boss123, work123, home123, mypc123, temp123, test123, qwe123, pw123, root123, pass123, pass12, pass1, admin123, admin12, admin1, password123, password12, password1, default, foobar, foofoo, temptemp, temp, testtest, test, rootroot, root, fuck, zzzzz, zzzz, zzz, xxxxx, xxxx, xxx, qqqqq, qqqq, qqq, aaaaa, aaaa, aaa, sql, file, web, foo, job, home, work, intranet, controller, killer, games, private, market, coffee, cookie, forever, freedom, student, account, academia, files, windows, monitor, unknown, anything, letitbe, domain, access, money, campus, explorer, exchange, customer, cluster, nobody, codeword, codename, changeme, desktop, security, secure, public, system, shadow, office, supervisor, superuser, share, adminadmin, mypassword, mypass, pass, Login, login, passwd, zxcvbn, zxcvb, zxccxz, zxcxz, qazwsxedc, qazwsx, q1w2e3, qweasdzxc, asdfgh, asdzxc, asddsa, asdsa, qweasd, qweewq, qwewq, nimda, administrator, Admin, admin, a1b2c3, 1q2w3e, 1234qwer, 1234abcd, 123asd, 123qwe, 123abc, 123321, 12321, 123123, James, John, Robert, Michael, William, 
David, Richard, Charles, Joseph, Thomas, Christopher, Daniel, Paul, Mark, Donald, George, Kenneth, Steven, Edward, Brian, Ronald, Anthony, Kevin, Mary, Patricia, Linda, Barbara, Elizabeth, Jennifer, Maria, Susan, Margaret, Dorothy, Lisa, Nancy, Karen, Betty, Helen, Sandra, Donna, Carol, james, john, robert, michael, william, david, richard, charles, joseph, thomas, christopher, daniel, paul, mark, donald, george, kenneth, steven, edward, brian, ronald, anthony, kevin, mary, patricia, linda, barbara, elizabeth, jennifer, maria, susan, margaret, dorothy, lisa, nancy, karen, betty, helen, sandra, donna, carol, baseball, dragon, football, mustang, superman, 696969, batman, trustno1
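A password on that list falls to Emotet's spreader on the first try, and so does a trivially "strengthened" variant of one. The following is an added example, not part of the original post and not Fidelis Security's code, of a defender-side check that rebuilds the wordlist from the page's own entries (a subset of the literal words is embedded; the repeated-digit, keyboard-run, countdown and admin/pass/password+123 families that make up much of the list are generated) and tests candidate passwords against it in several normalised forms. The leet substitution table, the suffix rule and the sample accounts are assumptions made for the example.

```python
"""Check passwords against the Emotet spreader wordlist quoted in the article.

Added example, not from the original post or from Fidelis Security. The list
is rebuilt from the page's entries: a subset of the literal words is embedded
and the digit-pattern families are generated.
"""
import re

# Literal entries copied from the list above (a representative subset).
WORDLIST_LITERALS = {
    "password", "letmein", "qwerty", "love", "iloveyou", "princess", "master",
    "monkey", "abc123", "super", "secret", "server", "computer", "backup",
    "database", "oracle", "manager", "ihavenopass", "nopassword", "nopass",
    "internet", "default", "foobar", "temp", "test", "root", "sql", "web",
    "intranet", "controller", "windows", "changeme", "security", "system",
    "shadow", "supervisor", "superuser", "adminadmin", "mypassword", "mypass",
    "pass", "login", "passwd", "zxcvbn", "qazwsx", "q1w2e3", "qweasdzxc",
    "nimda", "administrator", "admin", "a1b2c3", "1q2w3e", "1234qwer",
    "123qwe", "123abc", "123321", "123123", "baseball", "dragon", "football",
    "mustang", "superman", "696969", "batman", "trustno1",
}

# First names from the list. The page gives each capitalised and lower-case;
# lower-casing the candidate covers both spellings.
WORDLIST_NAMES = {
    "james", "john", "robert", "michael", "william", "david", "richard",
    "charles", "joseph", "thomas", "christopher", "daniel", "paul", "mark",
    "donald", "george", "kenneth", "steven", "edward", "brian", "ronald",
    "anthony", "kevin", "mary", "patricia", "linda", "barbara", "elizabeth",
    "jennifer", "maria", "susan", "margaret", "dorothy", "lisa", "nancy",
    "karen", "betty", "helen", "sandra", "donna", "carol",
}

# Assumed substitution table for the usual "leet" strengthening (P@ssw0rd).
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "!": "i"})


def generated_patterns():
    """Digit families from the list: repeated digits (9 .. 99999999), keyboard
    runs (12 .. 1234567890), countdowns (21 .. 0987654321) and the
    admin/pass/password + 1/12/123 group. Generation is slightly broader than
    the page's list (it adds e.g. 000000), which is the safe direction for a
    blocklist."""
    out = set()
    for digit in "0123456789":
        for length in range(1, 9):
            out.add(digit * length)
    for length in range(2, 11):
        out.add("1234567890"[:length])
        out.add("0987654321"[-length:])
    for stem in ("admin", "pass", "password"):
        for suffix in ("1", "12", "123"):
            out.add(stem + suffix)
    return out


EMOTET_WORDLIST = WORDLIST_LITERALS | WORDLIST_NAMES | generated_patterns()


def matches_wordlist(password):
    """Return (True, reason) if the password, or a trivial variant of it, is on
    the spreader's list; (False, "") otherwise. Leet de-substitution is a
    second pass so that all-digit entries such as 777 are not mangled."""
    lowered = password.lower()
    forms = [("exact match", lowered)]
    # Strip one trailing run of digits/punctuation: monkey2018, dragon!
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if stripped and stripped != lowered:
        forms.append((f"'{stripped}' plus suffix", stripped))
    for _label, form in list(forms):
        deleeted = form.translate(_LEET)
        if deleeted != form:
            forms.append((f"leet variant of '{deleeted}'", deleeted))
    for label, form in forms:
        if form in EMOTET_WORDLIST:
            return True, label
    return False, ""


def audit(accounts):
    """Return {account: reason} for every account whose password is listed."""
    flagged = {}
    for user, password in accounts.items():
        hit, reason = matches_wordlist(password)
        if hit:
            flagged[user] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    sample = {"alice": "Summer2024!", "bob": "letmein", "carol": "P@ssw0rd"}
    for user, reason in audit(sample).items():
        print(f"{user}: weak ({reason})")
```

Run against an export of new or reset passwords at the point where a directory or application accepts them; anything flagged here would also be the first thing an Emotet-style spreader tries against the account.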

As always, security begins with user education, teaching those who use the technology how best to defend against threats. It also means teaching the sobering fact that there is no lock that cannot be picked by an adversary willing to spend the time and money to do so. Computer security is harder still because the bad guys can pick the locks from literally anywhere, and the cost of attacking a system can be very low, because code written by others, a password list included, is simple and cheap to reuse.

What does this mean for critical systems, such as those that tally our votes and run our electric grid? It means that we may always be playing catch-up. It means that we must not only invest continuously in improving the security of the hardware and software, but also continue to educate those who manage and operate the systems. Government and private-sector officials must also communicate to the public that these systems are being monitored and that their security is being improved constantly in response to the threats encountered, because public confidence in the systems themselves is an additional target of foreign "threat actors."

In his testimony before the Senate Armed Services Committee on February 27, Admiral Mike Rogers, who heads both the National Security Agency and US Cyber Command, stated that he has yet to be given the order to safeguard our elections from interference by Russia. “President Putin has clearly come to the conclusion that there’s little price to pay and that therefore ‘I can continue this activity,’” said Admiral Rogers, who will retire in April. “Clearly what we have done hasn’t been enough.”

Admiral Rogers was asked during the hearing whether he had the authority and the ability to disrupt the Russian cyber campaign. Admiral Rogers replied, “I don’t have the day-to-day authority to do that.” “So you would need, basically, to be directed by the president,” stated Rhode Island Senator Jack Reed. “Have you been directed to do so?” “No, I have not,” replied Admiral Rogers.

It appears that while the U.S. badly needs to play catch-up, some parts of our government have yet to take the field. With mid-term elections months away, and a general consensus among our intelligence agencies that Russia is continuing the same campaign that many believe helped put the candidate more sympathetic to the Putin regime in the White House, Americans and their allies have a right to ask if and when the orders will be given to Admiral Rogers and his agencies to defend the informational foundations of representative government.


Hacking Hotels . . . and Their Guests

Travelers have come to depend on WiFi networks in hotels, and businesspeople have come to expect high-speed wireless access in both private rooms and public spaces, including lobbies, meeting rooms, and even the hotel gym. Predictably, cyberspies and cybercriminals have inhabited some of these virtual spaces as well. Hotel lobbies often sprout open networks with identifiers intended to trick users into joining. ("FreeOpenWiFi," "Hilt0n," and "MarriottL0BBY" have all been seen in the past month.) Security firm FireEye, however, has recently documented a new and more dangerous threat in the hotel space: a hacking campaign attributed to the Russian government-sponsored, GRU-affiliated group known as "Fancy Bear" or "APT28," one of the two Russian groups known to have penetrated the Democratic National Committee in 2015-16. This campaign, seen in hotels in Europe and the Middle East, is potentially more dangerous than prior exploits and may spread rapidly to other regions. Travelers need to be aware of the dangers and take immediate steps to protect sensitive information.

The activities of these Russian-sponsored hackers are widespread and sophisticated. "APT" is an abbreviation of "Advanced Persistent Threat," the term used in the cybersecurity community for an actor that is especially thorough and patient in infiltrating computer systems and exfiltrating information. Fancy Bear has been implicated in cyber attacks against the World Anti-Doping Agency, the Dutch government, and political parties in this year's French and German elections. Information stolen in these hacks has been distributed through WikiLeaks and other web sites, and by passing it to media outlets such as Sputnik and RT.

Briefly, the new campaign begins with a "spearphishing" email carrying an attachment that appears to be a room reservation form in a Microsoft Word document. When hotel staff open the document, it installs malware on the target Windows computer, which then uses an exploit stolen from the U.S. National Security Agency (EternalBlue, which targets the SMB file-sharing service) to move laterally and infect other computers on the hotel network. The malware, known as GAMEFISH, can steal logon credentials and other information from the network and send it over the internet to command-and-control servers run by the attackers. Because GAMEFISH can reach the very computers that control the hotel's wireless networks, it may be able to harvest information from guest computers simply because they use that network, even if those computers are never directly attacked or compromised. Harvested credentials may then be used to attack the guest directly, perhaps at another place and time.
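Each stage of that chain leaves a trace on the hotel's own systems: an Office process launching a shell, one workstation suddenly opening SMB connections to many of its neighbours, and a regular outbound "beacon" to an address outside the hotel. The following is an added example, not FireEye's detection content and not part of the original post, of detection logic for those three stages run over constructed log records. The record format, host names, thresholds, beacon interval and addresses (RFC 1918 ranges for the hotel LAN, RFC 5737 documentation ranges for the outside) are assumptions made for the example.

```python
"""Stage detection for the hotel campaign described above, over constructed
logs. Added example; not FireEye's detection content and not from the post."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Records are (timestamp, host, kind, a, b): for kind == "process" a/b are
# parent/child image names; for kind == "netconn" a/b are destination IP/port.
SAMPLE_LOGS = [
    ("2017-07-10T09:01:10", "FRONTDESK-02", "process", "explorer.exe", "WINWORD.EXE"),
    ("2017-07-10T09:01:40", "FRONTDESK-02", "process", "WINWORD.EXE", "cmd.exe"),
    ("2017-07-10T09:01:41", "FRONTDESK-02", "process", "cmd.exe", "powershell.exe"),
] + [
    # Ten SMB connections to distinct internal hosts within one minute.
    (f"2017-07-10T09:03:{i * 5:02d}", "FRONTDESK-02", "netconn", f"10.20.5.{10 + i}", 445)
    for i in range(10)
] + [
    # Assumed five-minute beacon to one outside address.
    (f"2017-07-10T09:{5 + 5 * i:02d}:00", "FRONTDESK-02", "netconn", "203.0.113.7", 443)
    for i in range(5)
] + [
    ("2017-07-10T09:04:00", "WIFI-CTRL-01", "netconn", "10.20.5.20", 445),     # one share access
    ("2017-07-10T09:06:00", "GUEST-LAPTOP-7", "netconn", "198.51.100.2", 443),  # ordinary browsing
    ("2017-07-10T09:12:00", "GUEST-LAPTOP-7", "netconn", "198.51.100.2", 443),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# The hotel LAN is assumed to use RFC 1918 space; anything else is "outside".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def office_spawn(logs):
    """Stage 1: an Office application launching a shell or script host, the
    footprint of a macro dropping a payload."""
    return [(ts, host, parent, child) for ts, host, kind, parent, child in logs
            if kind == "process" and parent.lower() in OFFICE and child.lower() in SCRIPT_HOSTS]


def smb_fanout(logs, window_s=300, min_targets=8):
    """Stage 2: one host connecting to many internal hosts on 445 inside a
    sliding window, the footprint of SMB-based lateral movement."""
    by_host = defaultdict(list)
    for ts, host, kind, dst, port in logs:
        if kind == "netconn" and port == 445 and is_internal(dst):
            by_host[host].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for host, conns in by_host.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            targets = {d for t, d in conns[i:] if (t - start).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                alerts.append((host, len(targets)))
                break
    return alerts


def beacons(logs, min_count=4, max_jitter=0.1):
    """Stage 3: repeated outbound connections to one outside address at a
    near-constant interval, the footprint of command-and-control polling."""
    by_pair = defaultdict(list)
    for ts, host, kind, dst, port in logs:
        if kind == "netconn" and not is_internal(dst):
            by_pair[(host, dst, port)].append(datetime.fromisoformat(ts))
    alerts = []
    for (host, dst, port), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            alerts.append((host, dst, port, round(mean)))
    return alerts


def detect(logs):
    return {"office_spawn": office_spawn(logs),
            "smb_fanout": smb_fanout(logs),
            "beacon": beacons(logs)}


if __name__ == "__main__":
    for stage, hits in detect(SAMPLE_LOGS).items():
        print(stage, hits)
```

The three rules are deliberately independent: a single front-desk machine tripping all three within a few minutes is the pattern to page on, while any one alone (a legitimate admin script touching many shares, a software updater polling on a timer) is only a lead.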

This threat is by no means the only hotel-based hacking to be seen. For some time, networks in Russian and Asian hotels have been found carrying worms and viruses of various types. During the Iranian nuclear talks in 2014-15, Duqu 2.0 malware was found in the networks of the hotels that hosted the delegations and the talks themselves. Duqu was believed to be an information-stealing worm, capable of covertly turning on computer microphones and cameras as well as stealing files. According to the Guardian, this worm is related to Stuxnet and was thought to have been used by the government of Israel to gain intelligence about the nuclear negotiations.

Because guests cannot be sure that hotel systems have not been compromised, it is advisable to avoid them where possible in favor of data carried over cellular networks, which, while not immune to attack, are at least monitored more closely than a hotel's commercial wireless system. Even then, care should be exercised, and sensitive communications should be avoided, because it is not possible to guarantee the security of cellular communications either. Governments use devices called "stingrays" (cell-site simulators) to intercept cellular signals: they can listen to voice calls and read text messages, and in some instances spy on data communications as well. While the sale and use of stingray devices is severely restricted in the United States, the same cannot be said for the rest of the world, and thus care is necessary.

If a hotel network must be used, access should be only through a virtual private network (VPN), preferably one operated under private and trusted control, or else a reputable commercial service. A VPN is a data transmission service that ensures all traffic leaving a secured device goes only to one known computer system, the VPN "server," encrypted along the whole path to it. Once the traffic reaches that trusted server it may be forwarded onward over the internet, if the VPN is configured to do so; beyond the server it is protected only by whatever encryption the application itself uses (such as HTTPS). The tunnel impedes eavesdropping only on traffic sent after it is established, so the VPN should be the first thing set up in an online session. Two caveats apply. Hotel captive portals usually require a brief session on the open network before the tunnel can come up, so nothing else should be opened until the VPN client reports that it is connected. And the client should be configured to send DNS queries through the tunnel as well; otherwise the names of every site visited still leak to the hotel network.

For more information about commercial VPN services, see https://www.pcmag.com/article2/0,2817,2403388,00.asp

We all seem to depend more every day on the electronic devices in our pockets and bags, and we carry ever-greater amounts of personal and business information in them. Governments and criminals know this as well, and have set traps for the unwise and the unwary. Hotels are just the latest venues made dangerous for us and our data. The savvy traveler will now ask, first and always, whether access to a particular system over a connection that may well be compromised is really worth the risk. It may be better, after all, to forego checking one's accounts, and just to relax and have an aperitivo.
