If You Force People To Constantly Change Passwords They Do Bad Things With Passwords

My own anecdotal experience with this is in 100% of cases where people where to constantly change passwords they either added a digit to the password or wrote the password on a sticky note somewhere in plain site of the computer.

From Ars

The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill. The researchers obtained the cryptographic hashes to 10,000 expired accounts that once belonged to university employees, faculty, or students who had been required to change their passcodes every three months. Researchers received data not only for the last password used but also for passwords that had been changed over time.

By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like “tarheels#1”, for instance (excluding the quotation marks) frequently became “tArheels#1” after the first change, “taRheels#1” on the second change and so on. Or it might be changed to “tarheels#11” on the first change and “tarheels#111” on the second. Another common technique was to substitute a digit to make it “tarheels#2”, “tarheels#3”, and so on.

“The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor explained. “They take their old passwords, they change it in some small way, and they come up with a new password.”

The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.

 


“Unlimited”

“Unlimited” you keep using that word, I do not think it means what you think it means.

http://arstechnica.com/information-technology/2016/07/verizon-to-disconnect-unlimited-data-customers-who-use-over-100gbmonth/

Verizon Wireless customers who have held on to unlimited data plans and use significantly more than 100GB a month will be disconnected from the network on August 31 unless they agree to move to limited data packages that require payment of overage fees.

Verizon stopped offering unlimited data to new smartphone customers in 2011, but some customers have been able to hang on to the old plans instead of switching to ones with monthly data limits. Verizon has tried to convert the holdouts by raising the price $20 a month and occasionally throttling heavy users but stopped that practice after net neutrality rules took effect. Now Verizon is implementing a formal policy for disconnecting the heaviest users.



STOP USING NORTON!

In fact sop using all AV, it’s best to just stick with Windows built in free security. You are just as secure, it doesn’t hog resources, and at least you are not paying for the privilege of software that makes you totally vulnerable to comically easy to perform attacks that can take over your computer. This is just the latest and worst example of incredibly sever security holes found in security software.

http://arstechnica.com/security/2016/06/25-symantec-products-open-to-wormable-attack-by-unopened-e-mail-or-links

Much of the product line from security firm Symantec contains a raft of vulnerabilities that expose millions of consumers, small businesses, and large organizations to self-replicating attacks that take complete control of their computers, a researcher warned Tuesday.

“These vulnerabilities are as bad as it gets,” Tavis Ormandy, a researcher with Google’s Project Zero,wrote in a blog post. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

The post was published shortly after Symantec issued its own advisory, which listed 17 Symantec enterprise products and eight Norton consumer and small business products being affected. Ormandy warned that the vulnerability is unusually easy to exploit, allowing the exploits to spread virally from machine to machine over a targeted network, or potentially over the Internet at large. Ormandy continued:

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.

The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they’re allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Ormandy said a better design would be for unpackers to run in a security “sandbox,” which isolates untrusted code from sensitive parts of an operating system.

The researcher said one of the proof-of-concept exploits he devised works by exposing the unpacker to odd-sized records that cause inputs to be incorrectly rounded-up, resulting in a buffer overflow. A separate “decomposer library” included in the vulnerable software contained open-source code that in some cases hadn’t been updated in at least seven years. The lack of updates came even though vulnerabilities had been found in some of the aging code and in some cases the disclosures were accompanied by publicly available exploits. A list of additional vulnerabilities is here.

Tuesday’s advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages. Although the software is often considered a mandatory part of a good security regimen—on Windows systems, at least—their installation often has the paradoxical consequence of opening a computer to attacks that otherwise wouldn’t be possible. Over the past five years, Ormandy in particular has exposed a disturbingly high number of such flaws in security software from companies including Comodo, Eset, Kaspersky, FireEye, McAfee, Trend Micro, andothers.

In most cases, the updates disclosed Tuesday will be automatically installed, in much the way virus definitions are received. In other cases, end users or administrators will have to manually install the fixes. People running Symantec software should check the advisory to make sure they’re covered.


Yet Another Reason To Not Buy That Cheap Computer From A Box Store

Ever notice those annoying update centers that come preinstalled on every name brand PC.  They just sit there I’ve never actually seen them update anything, sometimes they give you annoying pop ups for no reason.  Just sitting there in the tray for no reason.

Well one thing they are doing is opening all sorts of security holes.

http://arstechnica.com/security/2016/06/how-pc-makers-make-you-vulnerable-to-man-in-the-middle-attacks-out-of-the-box/

The next time you’re in the market for a new Windows computer, consider this: if it comes from one of the top five manufacturers, it’s vulnerable to man-in-the-middle attacks that allow hackers to install malware.

That’s the take-away from a report published Tuesday by researchers from two-factor authentication service Duo Security. It found third-party updating tools installed by default threatened customers of Dell, HP, Lenovo, Acer, and Asus. The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to usetransport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware.

“Hacking in practice means taking the path of least resistance, and OEM software is often a weak link in the chain,” the Duo Security report stated. “All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can’t protect you when an OEM vendor cripples them with pre-installed software.”

In short, every single manufacturer was found to use pre-installed updaters that allowed someone with the ability to monitor a PC’s network traffic—say someone on the same unsecured Wi-Fi network or a rogue employee at an ISP or VPN provider—to execute code of their choice that runs with System-level privileges. The updaters are mostly used to deliver new versions of software and bloatware that come pre-installed on new PCs and are separate from Microsoft’s Windows Update, which is widely believed to be secure. The report provides a strong reason why it’s a good idea to wipe newly purchased machines and reinstall Windows minus all the custom crapware. At a minimum, third-party software should be uninstalled or blocked using a firewall.

Update: Lenovo has issued an advisory recommending customers uninstall the Lenovo Accelerator Application, which comes preinstalled on many notebooks and desktop systems running Windows 10. As the image at the top of this post illustrates, the Duo Security report uncovered several major shortcomings in the app’s update mechanism, including its failure to use any sort of encryption when checking for or downloading updates and the failure to validate digital signatures before installing them.