22 August 2014

The Joy of Fraud Fighting

Uri Rivner - BioCatch

77 | posts 312,502 | views 35 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Is your LinkedIn Password Compromised?

11 June 2012  |  5013 views  |  3

The recent LinkedIn accounts compromise in which 6.5 million password hashes were published in the Russian hacker community grabbed a lot of media attention.

In a hellish period of publicly known breaches that hit the front page news, with perimeter security defenses failing left and right in any possible vertical and geography, this incident stirs some deeper emotions than usual. It seems to be a bit more worrying. It’s personal. I bet that every reader here has a LinkedIn account (raise your hand of you don’t). Certainly every journalist has one.

Unlike other social networks, the vast majority of these 6.5 million accounts represent unique identities of real people. You have one account, it’s not shared with anyone else, and it’s really you – no alias. It is your cyberspace business card, the one digital public face you’re extremely careful not to ruin by posting what you ate five minutes ago and which gossip article you just read. If you use a work-related social network account, it’s going to be LinkedIn. It’s such a great way to collaborate and communicate that you can’t afford not to use it.

All of this makes you feel it’s worth protecting. We don’t really know why, but we sense it’s not a good idea for fraudsters to know our LinkedIn credentials, although it’s not a bank account or a credit card number. And if you haven’t done so already, you’re probably going to change your LinkedIn password in the next few days. And, as a follow-up, you might change the passwords for other Internet applications, because one often uses the same password for at least 3 more sites. It’s bad habit, but one that takes effort to change.

By the way, if you think of it in terms of “passphrase”, it’s better as it lets you pick up a long string of text that may be even easier to remember, but has a much higher entropy.

As an example, the following string is the SHA1 hash of a password that has 9 digits. The first six are a lower case English word and the other three are numbers.

c0d91101de2abe3807ae2a37bc28825f59d264ba

This hash is extremely easy to crack: Use the following free SHA1 decrypting site to see the password. If you're not technical, don't worry, the site is very simple to use.

Note that this site doesn’t really decrypt hashes – but rather searches in a pre-calculated list of hashes that correspond to 8.7 billion passwords. This is called a ‘rainbow table’.

As an interesting side note, the bottom of the decrypting site shows recently successful decryptions, including the geo-location of the person trying to crack the hash. Half use anonymized servers, and the other half come from a particularly interesting distribution of countries, whom I shall not name to avoid generalizations. Yes, they might be academic researchers trying to check some hashes or innocent users who wish to use the site to see if their password can be easily cracked. It doesn’t HAVE to be people who want to de-hash illegitimately obtained passwords. Well, I’m going to quote the Princess Bride here: “Probably some local fisherman out for a pleasure cruise at night... through eel infested waters”. Not really…

If you’re bored, try to decrypt the following hash:

182930b6531d18add5ac7cec49540a45016cb088

You’ll see that you can’t crack it using the website I provided, as it’s not in the 8.7 billion pre-cracked hashes. It’s actually a sentence from the Princess Bride, with each word separated by symbols like !, @, #, $ and %. Very easy to remember passphrase, by the way. 

Is your favorite password something the site will easily crack? Easy to check. Click here, type your favorite password, get a hash, and try it on the previous site. Enjoy!

 

Princess Bride swimming in eel infested waters TagsSecurityOnline banking

Comments: (4)

A Finextra member | 12 June, 2012, 17:06

I used to use SHA1 at an previous employer to compare a hash of username and password with that on the database when a user logged into the system.

I was quite paranoid in those days so I hashed the password, then hashed the username and hash of the password and compared that with the value that was held on the system. That's probably still secure...!

Geek bit of trivia: SHA stands for Secure Hashing Algorithm and it was invented by the US of A's NSA.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 14 June, 2012, 17:46

@UriR:

Great pair of websites. Thanks for profiling them!

After a very quick and dirty test with a couple of passwords, I've jumped to the following conclusion which fellow readers might want to accept on faith or reject outright: Passwords in foreign (i.e. non-English) languages are impossible to crack, though easier to remember (in case you know only a few foreign words).

Christopher Mc Carthy - SunGard - Zurich | 19 June, 2012, 09:29

Use foreign words for a passcode, had not thought of that.

What are your thoughts on this xkcd post - http://xkcd.com/936/ - is it 'better' to use a passcode, or go for a non dictionary password that also contains symbols and numbers?

Uri Rivner - BioCatch - Tel Aviv | 20 June, 2012, 11:44

Yes, it is better to use a passphrase than a password. Using 'brute force' attacks against a long passphrase - say, 20 characters - takes too much time. And you can memorize it better. But lets also understand that if everyone moves to pass phrases, rainbow tables will be calculated for common phrases, and common words used in various combinations.

So for example the following passphrase "Doctor Livingstone I presume" is far better than R9x$k32(; - and far more memorable - from a brute force perspective. On the other hand, it's more likely that a rainbow table entry will be created for such a trivial passphrase (to save you time, evil hackers, the hash for this passphrase is: 8c3561cda2c346758895f42084bff6e2d5369ff4).

So when creating a passphrase, avoid obvious choices such as "Me Tarzan You Jane" or "Live Long And Prosper". But you can 'salt' it easily with some other characters: for example, "Live!Long and Prosper" adds a bit more cracking difficulty and isn't too hard on the memory.

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Uri

Brazil vs. Germany: A Surprising Find

12 July 2014  |  2200 views  |  1  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Sweetheart Scams: When Fraudsters Turn to Romance

30 June 2014  |  1607 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

BitCoin Explained: How to Become a BitCoin Thief - part 1

04 December 2013  |  15439 views  |  1  |  Recommends 1 TagsMobile & onlinePaymentsGroupInformation Security

A Message from Hell

01 October 2013  |  2808 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

The Dark Side of Security

11 September 2013  |  2082 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services
name

Uri Rivner

job title

Head of Cyber Strategy

company name

BioCatch

member since

2008

location

Tel Aviv

Summary profile See full profile »
Internet. The perfect fraud frontier. These are the thoughts of Uri Rivner, head of Cyber Strateg...

Uri's expertise

What Uri reads
Uri writes about

Who is commenting on Uri's posts

Ketharaman Swaminathan
Brett King