![Guess your password? No want if it’s stolen already! [Audio + Text] – Naked Security](https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2023/01/featured-s3-ep118-1200.png?w=775 "Guess your password? No want if it’s stolen already! [Audio + Text] – Naked Security")
Guess your password? Crack your password? Steal your password? What if the crooks have already got one in all your passwords, and may use it to determine all of your others as nicely?
DOUG. LifeLock woes, distant code execution, and an enormous rip-off meets huge hassle.
All that, and extra, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everyone.
I’m Doug Aamoth; he’s Paul Ducklin.
And Paul, I’m so sorry… however let me want you a belated Happy ’23!
DUCK. As against Happy ’99, Doug?
DOUG. How do you know? [LAUGHS]
We dovetail instantly into our Tech History section.
This week, on 20 January 1999, the world was launched to the HAPPY99 worm, often known as “Ska”.
Paul, you had been there, man!
Tell us about your expertise with HAPPY99, when you please.
DUCK. Doug. I believe essentially the most fascinating factor for me – then and now – is what you name the B-word…
…the [COUGHS APOLOGETICALLY] “brilliant” half, and I don’t know whether or not this was right down to laziness or supreme cleverness on the a part of the programmer.
Firstly, it didn’t use a pre-generated checklist of e-mail addresses.
It waited until *you* despatched an e-mail, scraped the e-mail deal with out of it, and used that, with the consequence that the emails solely went to folks that you just’d already simply communicated with, giving them a larger believability.
And the opposite intelligent factor it had: it didn’t hassle with issues like topic line and message physique.
It simply had an attachment, HAPPY99.EXE, that if you ran it within the foreground, confirmed fireworks.
And then you definitely closed it; appeared like no hurt finished.
So there have been no linguistic clues, similar to, “Hey, I just got an email in Italian from my Italian buddy wishing me Happy Christmas, immediately followed by an email in English wishing me a Happy 1999.”
And we don’t know whether or not the programmer foresaw that or, as I mentioned, whether or not it was simply, “Couldn’t be bothered to work out all of the perform calls I want so as to add this to the e-mail…
…I do know to create an e-mail; I do know so as to add an attachment to it; I’m not going to hassle with the remaining.”
And, because of this, this factor simply unfold and unfold and unfold and unfold.
A reminder that in malware programming, as in lots of issues in life, typically… much less is much more.
DOUG. Alright!
Well, let’s transfer on to a happier topic, a kind-of sort-of distant code execution gap in a well-liked cloud safety library.
Wait, that’s not happier… however what occurred right here?
Popular JWT cloud safety library patches “remote” code execution gap
DUCK. Well, it’s happier in that the bug was not revealed within the wild with a proof-of-concept.
It was solely documented some weeks after it had been patched.
And luckily, though technically it counts as a distant code execution [RCE] bug, which prompted numerous drama when it was first reported…
…it did require that the crooks primarily broke into your residence first, after which latched the door open from the within for the subsequent wave of crooks who had come alongside.
So it wasn’t as if they may simply present up on the entrance door and get instantaneous admission.
The irony, in fact, is that it includes a well-liked open supply toolkit referred to as jsonwebtoken, or JWT for brief.
A JWT is mainly like a session cookie on your browser, however that’s extra geared in direction of a zero-trust strategy to authorising packages to do one thing for some time.
For instance, you may need to authorise a program you’re about to run to go and do value lookups in a value database.
So, it’s essential authenticate first.
Maybe it’s important to put in a username, possibly to place a password… and then you definitely get this entry token that your program can use, and possibly it’s legitimate for the subsequent 100 requests, or the subsequent 20 minutes or one thing, which implies that you don’t have to completely reauthenticate each time.
But that token solely authorises your program to do one particular factor that you just arrange upfront.
It’s an excellent thought – it’s a regular approach of doing web-based coding nowadays.
Now, the concept of the JWT, versus different session cookies, is that in a “zero-trusty” form of approach, it consists of: who the token is for; what issues it’s allowed to do; and, in addition to that, it has a cryptographic keyed hash of the info that claims what it’s for.
And the concept is that that hash is calculated by the server when it points the token, utilizing a secret key that’s buried in some super-secure database someplace.
Unfortunately, if the crooks may break into your residence upfront by jimmying the lock…
…and if they may get into the key database, and if they may implant a modified secret key for a selected person account, after which sneak out, apparently leaving nothing behind?
Well, you’d think about that when you mess up the key key, then the system simply isn’t going to work, since you’re not going to have the ability to create dependable tokens anymore.
So you’d *assume* it might fail secure.
Except it seems that, when you may change the key key in a particular approach, then subsequent time the authentication occurred (to see whether or not the token was right or not), fetching the key key may trigger code to execute.
This may theoretically both learn any file, or completely implant malware, on the authentication server itself…
…which clearly can be a really unhealthy factor certainly!
And provided that these JSON net tokens are very extensively used, and provided that this jsonwebtoken toolkit is among the widespread ones on the market, clearly there was an crucial to go and patch if had been utilizing the buggy model.
The good factor about that is that patch truly got here out final 12 months, earlier than Christmas 2022, and (presumably by association with the jsonwebtoken group) the corporate that discovered this and wrote it up solely disclosed just lately, a few week in the past.
So they gave loads of time for folks to patch earlier than they defined what the issue was in any element.
So this *ought to* finish nicely.
DOUG. Alright, allow us to keep as regards to issues ending nicely… in case you are on the facet of the nice guys!
We’ve obtained 4 international locations, hundreds of thousands of {dollars}, a number of searches, and several other arrested, in a reasonably huge funding rip-off:
Multi-million funding scammers busted in four-country Europol raid
DUCK. This was an excellent, old school, “Hey, have I got an investment for you!”.
Apparently, there have been 4 name centres, a whole lot of individuals questioned, and 15 already arrested…
… this rip-off was “cold-calling people for investing in a non-existing cryptocurrency.”
So, OneCoin once more… we’ve spoken about that OneCoin rip-off, the place there was one thing like $4 billion invested in a cryptocurrency that didn’t even exist.
OneCoin scammer Sebastian Greenwood pleads responsible, “Cryptoqueen” nonetheless lacking
In this case, Europol talked about cryptocurrency *schemes*.
So I believe we are able to assume that the crooks would run one till folks realised it was a rip-off, after which they’d pull the rug out from underneath them, run off with the cash, begin up a brand new one.
The thought was: begin actually small, saying to the the individual, “Look, you only have to invest a little bit, put in €100 maybe, as your first investment.”
The thought was that individuals would assume, “I can just about afford this; if this works out, *I* could be the next Bitcoin-style billionaire.”
They put within the cash… and naturally, you understand how the story goes.
There’s a unbelievable trying web site, and your funding mainly simply retains inching up some days, leaping up on different days.
Basically, “Well done!”
So, that’s the issue with these scams – they simply *look* nice.
And you’re going to get all of the love and a focus you want from the (huge air quotes right here) “investment advisors”, till the purpose that you just realise it’s a rip-off.
And then, nicely… you possibly can complain to the authorities.
I like to recommend you do go to the police when you can.
But then, in fact, regulation enforcement have the tough job of attempting to determine who it was, the place they had been based mostly, and getting them earlier than they simply begin the subsequent rip-off.
DOUG. OK, now we have some recommendation right here.
We have given this recommendation earlier than – it applies to this story, in addition to others.
If it sounds too good to be true, guess what?
DUCK. It IS too good to be true, Doug.
Not “it might be”.
It IS too good to be true – simply make it so simple as that.
That approach, you don’t must do any extra analysis.
If you’ve obtained your doubts, promote these doubts to the equal of a full-blown reality.
You may save your self numerous heartache.
DOUG. We’ve obtained: Take your time when on-line speak turns from friendship to cash.
And we talked about this: Don’t be fooled as a result of a rip-off web site appears well-branded {and professional}.
As a reformed net designer, I can let you know it’s not possible to make a foul trying web site these days.
And one more reason I’m not an internet designer anymore is: nobody wants me.
Who wants an internet designer when you are able to do all of it your self?
DUCK. You imply you click on the button, select the theme, rip off some JavaScript from an actual funding website…
DOUG. …drop a few logos in there.
Yep!
DUCK. It’s a surprisingly straightforward job, and also you don’t must be a very skilled programmer to do it nicely.
DOUG. And final, however definitely by no means least: Don’t let scammers drive a wedge between you and your loved ones…
…see Point 1 one about one thing being too good to be true.
DUCK. Yes.
There are two ways in which you could possibly inadvertently get into a very nasty state of affairs together with your family and friends due to how the scammers behave.
The first is that, fairly often, in the event that they realise that you just’re about to surrender on the rip-off as a result of family and friends have virtually satisfied you that you just’ve been scammed, then they may exit of their strategy to poison your opinion of your loved ones with the intention to attempt to lengthen the rip-off.
So they’ll intentionally drive that wedge in.
And, virtually worse, if it’s a rip-off the place it appears such as you’re doing nicely, they may give you “bonuses” for drawing in members of your loved ones or shut buddies.
If you handle to persuade them… sadly, they’re happening with you, they usually’re most likely going to carry you accountable since you talked them into it within the first place.
So bear that in thoughts.
DOUG. OK, our final story of the day.
Popular id safety service LifeLock has been breached, kind-of, but it surely’s sophisticated… it’s not fairly as easy as a *breach* breach:
Serious Security: Unravelling the LifeLock “hacked passwords” story
DUCK. Yes, that’s an fascinating approach of placing it, Doug!
DOUG. [LAUGHS]
DUCK. The cause that I assumed it was vital to write down this up on Naked Security is that I noticed the notification from Norton LifeLock, about unauthorised login makes an attempt en masse into their service, that they despatched out to some customers who had been affected.
And I assumed, “Uh-oh, here we go – people have had their passwords stolen at some time in the past, and now a new load of crooks are coming along, and they’re knocking on the door, and some doors are still open.”
That’s how I learn it, and I believe that I learn it accurately.
But I immediately began seeing headlines at the least, and in some case tales, within the media that invited folks to assume that, “Oh, golly, they’ve got into Norton LifeLock; they’ve got in behind the scenes; they’ve dug around in the databases; they’ve actually recovered my passwords – oh, dear!”
I suppose, within the gentle of latest disclosures by LastPass the place password databases had been stolen however the passwords had been encrypted…
…this, when you simply comply with the “Oh, it was a breach, and they’ve got the passwords” line, sounds even worse.
But it appears that evidently that is an outdated checklist of potential username/password mixtures that some bunch of crooks acquired one way or the other.
Let’s assume they purchased it in a lump from the darkish net, after which they set about seeing which of these passwords would work on which accounts.
That’s often called credential stuffing, as a result of they take credentials which can be thought to work on at the least one account, and stuff them into the login kinds on different websites.
So, ultimately the Norton LifeLock crew despatched out a warning to prospects saying, “We think you’re one of the people affected by this,” most likely simply to folks the place a login had truly succeeded that they assumed had come from the improper form of place, to warn them.
“Somebody’s got your password, but we’re not quite sure where they got it, because they probably bought it off the Dark Web… and therefore, if that happened, there may be other bunches of crooks who’ve got it as well.”
So I believe that’s what the story provides as much as.
DOUG. And we’ve obtained some methods right here how these passwords find yourself on the darkish net within the first place, together with: Phishing assaults.
DUCK. Yes, that’s fairly apparent…
…if someone does a mass phishing try in opposition to a selected service, and N folks fall for it.
DOUG. And we’ve obtained: Keylogger adware.
DUCK. That’s the place you get contaminated by malware in your laptop, like a zombie or a bot, that has every kind of remote-control triggers that the crooks can fireplace off at any time when they need:
And clearly, the issues that bots and zombies are likely to have pre-programmed into them embrace: monitor community visitors; ship spam to a large checklist of e-mail addresses; and activate the keylogger at any time when they assume you’re at an fascinating web site.
In different phrases, as an alternative of attempting to phish your passwords by decrypting otherwise-secure net transactions, they’re mainly what you’re typing *as you hit the keys on the keyboard*.
DOUG. Alright, pretty.
We’ve obtained: Poor server-side logging hygiene.
DUCK. Normally, you’d need to log issues just like the individual’s IP quantity, and the individual’s username, and the time at which they did the login try.
But when you’re in a programming hurry, and also you by accident logged *every thing* that was within the net kind…
…what when you by accident recorded the password within the log file in plaintext?
DOUG. All proper, then we’ve obtained: RAM-scraping malware.
That’s an fascinating one.
DUCK. Yes, as a result of if the crooks can sneak some malware into the background that may peek into reminiscence whereas your server is working, they are able to sniff out, “Whoa”! That appears like a bank card quantity; that appears just like the password subject!”
7 varieties of virus – a brief glossary of latest cyberbadness
Obviously, that form of assault requires, as within the case we spoke of earlier… it requires the crooks to interrupt into your residence first to latch the door open.
But it does imply that, as soon as that’s occurred, they will have a program that doesn’t really want to undergo something on disk; it doesn’t want to look by means of outdated logs; it doesn’t have to navigate the community.
It merely wants to observe specific areas of reminiscence in actual time ,within the hope of getting fortunate when there’s stuff that’s fascinating and vital.
DOUG. We’ve obtained some recommendation.
If you’re within the behavior of reusing passwords, don’t do it!
I believe that’s the longest working piece of recommendation I can bear in mind on report within the historical past of computing.
We’ve obtained: Don’t use associated passwords on completely different websites.
DUCK. Yes, I assumed I’d sneak that tip in, as a result of lots of people assume:
“Oh, I do know what I’ll do, I’ll select a very sophisticated password, and I’ll sit down and I’ll memorize X38/=?..., so I’ve obtained a sophisticated password – the crooks won’t ever guess it, so I solely must do not forget that one.
Instead of remembering it because the grasp password for a password supervisor, which is a trouble I don’t want, I’ll simply add -fb for Facebook, -tt for Tik Tok, -tw for Twitter, and that approach, actually, I’ll have a special password for each web site.”
The downside is, in an assault like this, the crooks have *already obtained the plaintext of one in all your passwords.*
If your password has complicated-bit sprint two-letters, they will most likely then guess your different passwords…
…as a result of they solely must guess the spare letters.
DOUG. Alright, and: Consider turning on 2FA for any accounts you possibly can.
DUCK. Yes.
As at all times, it’s a bit little bit of an inconvenience, but it surely does imply that if I am going on the darkish net and I purchase a password of yours, and I then come steaming in and attempt to use it from some unknown a part of the world…
…it doesn’t “just work”, as a result of immediately I want the additional one-time code as nicely.
DOUG. Alright, and on the LifeLock story, we’ve obtained a reader remark.
Pete says:
“Nice article with good tips and a very factual approach (smileyface emoticon).”
DUCK. I agree with the remark already, Doug! [LAUGHS]
But do go on…
DOUG. “I guess people like to blame companies like Norton LifeLock […], because it is so easy to just blame everyone else instead of telling people how to do it correctly.”
DUCK. Yes.
You may say these are barely harsh phrases.
But, as I mentioned on the finish of that exact article, we’ve had passwords for greater than 50 years already within the IT world, although there are many providers which can be attempting to maneuver in direction of the so-called passwordless future – whether or not that depends on {hardware} tokens, biometric measurements, or no matter.
But I believe we’re nonetheless going to have passwords for a few years but, whether or not we prefer it or not, at the least for some (or maybe even many) of our accounts.
So we actually do must chunk the bullet, and simply attempt to do it in addition to we are able to.
And in 20 years time, when passwords are behind us, then we are able to change the recommendation, and we are able to give you recommendation on the way you shield your biometric info as an alternative.
But in the intervening time, this is only one in numerous reminders that when crucial private information like passwords get stolen, they will find yourself having an extended lifetime, and getting extensively circulated among the many cybercrime group.
DOUG. Great.
Thank you, Pete, for sending that in.
If you will have an fascinating story, remark or query you’d wish to submit, we’d like to learn it on the podcast.
You can e-mail suggestions@sophos.com, you possibly can touch upon any one in all our articles, or you possibly can hit us up on social: @NakedSecurity.
That’s our present for in the present day – thanks very a lot for listening.
For Paul Ducklin, I’m Doug Aamoth reminding you, till subsequent time, to…
BOTH. Stay safe!
[MUSICAL MODEM]