
Security Week 22: Microsoft against passwords, legal issues with Tor, crypto-ransomware attacks Amazon customers

Google is burying passwords, but Microsoft is not. Let me remind you that in the previous issue I talked about a bright future in the form of Google's Abacus project, a controversial but very progressive system for identifying a user by his behavior (aka "I remember all your little cracks"). Almost at the same time, Microsoft joined the conversation about passwords, but it came out (news), so to speak, from the standpoint of traditionalism and orthodoxy. Specifically, a post on the Active Directory team blog is dedicated to fighting not all passwords, but only bad ones.

Microsoft can be understood: it works in the corporate software market, where innovations take root painfully slowly (past the trembling, tortured hands; what is it with me and song associations today?!). Obviously, with or without an abacus, we will be dealing with passwords for a long time. So, according to a Microsoft representative, the typical approaches to ensuring password strength, such as requirements for password length, the presence of special characters and regular rotation, do not work. Moreover, they make the cracker's job easier: fenced in on all sides by policies, users set and update their passwords in an extremely predictable way. If, for example, the fence is raised (a threshold of at least 10-15 characters), employees simply start repeating the same word several times in a row. Not OK.

As a long-time office worker, I cannot disagree. Bravo! But I am not sure that the solution the company offers will please me as an employee. Microsoft handles a huge number of accounts across a bunch of consumer and corporate services, and it decided to use information about how those accounts are being attacked (10 million attacks per day!). The result is a feature called Dynamically Banned Passwords. Once deployed in a corporate environment, this feature will not allow an employee to set a password about which it is known that (1) it is weak and (2) the villains have already tried (possibly successfully) to crack the same (or a similar) password somewhere else.

So picture it: it is time to set a new password, and off it goes. Fewer than 15 characters? Not allowed. No special characters? Not allowed. Several identical digits in a row? Not allowed. And now in some cases it is simply not possible, and that's that! Bad password, think harder, network worker! Be more creative! Brighter! Sharper! Fortunately, this feature is currently available only to clients of the Azure cloud service, and then only as a limited beta. From a security point of view, this is the right idea: it will not solve every problem, but in theory it can prevent the scenario in which an employee first has a personal account breached somewhere and then logs into the company network with the same password. For that, it would be advisable not to limit the collection of such expertise to the services of one company, even a large one. But cooperation between players in the information security industry is another story.
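To make the banned-password idea concrete, here is an added example (my own illustration, not Microsoft's implementation, whose ban list and matching rules are not public) of a checker that rejects a candidate password when its normalized base word is on a constructed ban list, or when it is just one short chunk repeated to satisfy a length rule, the exact trick described above. The ban list, the leet-substitution table and the sample passwords are all assumptions for the example.

```python
import re
from typing import List, Optional

# Constructed stand-in for a ban list; a real one would be built from the
# passwords actually seen in attack attempts, as the post describes.
BANNED_BASE_WORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "iloveyou", "monkey",
}

# Substitutions users apply to satisfy "special character" rules (assumed table).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalize(password: str) -> str:
    """Reduce a password to the base word a cracker would guess:
    lowercase, strip the trailing year/symbol suffix added on forced rotation
    ('Summer2016!'), undo leet substitutions, and drop remaining non-letters."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing '2016', '!', '123' ...
    base = base.translate(LEET_MAP)        # 'p@ssw0rd' -> 'password'
    return re.sub(r"[^a-z]", "", base)     # spaces, dashes, leftovers


def repeated_unit(base: str) -> Optional[str]:
    """If base is one chunk repeated two or more times ('dogdogdog' -> 'dog'),
    return that chunk; this is the 'same word several times in a row' trick
    users fall back on when the minimum length is raised."""
    n = len(base)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and base[:size] * (n // size) == base:
            return base[:size]
    return None


def check_password(password: str, min_length: int = 8) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Length is the only classic rule kept; the rest is the dynamic ban check."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = normalize(password)
    unit = repeated_unit(base)
    if unit is not None:
        reasons.append(f"is '{unit}' repeated {len(base) // len(unit)} times")
    # Check both the whole base and the repeated chunk against the ban list,
    # so 'passwordpassword' is caught as well as 'P@ssw0rd2016'.
    for candidate in (base, unit):
        if candidate in BANNED_BASE_WORDS:
            reasons.append(f"based on banned word '{candidate}'")
            break
    return reasons


if __name__ == "__main__":
    for sample in ["P@ssw0rd2016", "dogdogdogdog1", "abc", "correct horse battery staple"]:
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The normalization step is what makes a ban list bite: without it, "P@ssw0rd2016" passes every character-class rule and never matches the plain entry "password". In a real deployment the ban list would be fed from observed attack traffic rather than hard-coded.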
An American court refused to admit as evidence data collected by hacking Tor

After the legal battle between Apple and the FBI ended, the topic of information security in the context of legal proceedings faded into the background, but not for long. A much longer-running criminal case concerning possession of child pornography received an unexpected twist this week. But let's start from the beginning. A 62-year-old suspect was arrested last year in Seattle. According to the prosecution, he downloaded child pornography from the Playpen website, available only on the dark web via the Tor browser. At some point the FBI took control of the site's servers and deployed an exploit on them, which made it possible to learn the real addresses of the computers of several dozen users. The rest was a matter of technique.

But during the trial, something went wrong. The defendant's lawyers demanded disclosure of technical details about the exploit (in FBI terminology this is called a network investigative technique, NIT). The reasoning they came up with was original but not without merit: if we are talking about hacking a computer (how else could the real IP address have been revealed?), then this means remote control of the computer without the owner's knowledge. And if so, then maybe he did not commit the crime himself, but was "helped"? No, of course not by the FBI (in no case), but a hacked computer is generally accessible to anyone with a minimal set of skills. And the dark web is such a place; it is generally dangerous there, you know.

The FBI refused to disclose the details, which is quite expected. Let me remind you that in the Apple vs. FBI case the public also never learned exactly how the terrorist's iPhone was hacked. That is logical: if you explain how every time, then hacking devices for investigative purposes will get harder and harder. And this is not about child pornography or a particular suspect: the trial is another in a series of attempts to determine where investigation ends and cybercrime begins. Should government agencies share exploits with software developers so that they can close the holes? Mozilla's developers asked the FBI this question earlier, since their code is used in the Tor Browser and the vulnerability is likely on their side. And tens of millions of innocent users may be exposed to it.

As a result, the situation is the reverse of the Apple/FBI case: here something is being demanded of the FBI, and the organization does not want to give it up. The judge apparently had no way to pressure the FBI, so the decision was made: if the FBI does not disclose the details, then the evidence collected with the exploit will not be admitted.



We continue to follow the developments.

Amazon customers attacked by spam with crypto-ransomware inside

If somewhere in the depths of the cybercriminal network there is a business plan for distributing crypto-ransomware, it was clearly written by a manager, not a techie. From a technical point of view, encryption Trojans remain, for the most part, rather primitive, and the main danger lies in the distribution methods. Here we have criminal-to-criminal trading networks, where you can get a custom encryptor on the cheap, and "affiliate programs", and of course competent copywriting in phishing, the main way into the victim's computer.



This week's news is about the creative side. Comodo researchers documented a large-scale spam campaign against Amazon customers. The message mimics the online store's standard notification: "Your order has been sent." The sender is forged, the body of the message is empty, and the attachment is an infected Microsoft Word document. In general, you have to make an effort to get infected, but the scale of the attack and, alas, the carelessness of users, guarantee that there will be victims. The ransom demanded by Locky is between $200 and $500. You can read about the technical features of the Trojan here.
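As an added illustration of how a mail gateway could flag the campaign described above (my own example, not Comodo's detection logic or any real product's), here is a small scorer run over two constructed messages. It checks the three traits the story mentions: a display name claiming Amazon while the sender domain is not Amazon's, an empty body, and an Office document attachment. The trusted-domain list, the extension list, the sender domain and the attachment name are all assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Assumed list of domains Amazon notifications legitimately come from (example only).
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de"}
# Attachment types that can carry Office macros or document exploits (assumed list).
OFFICE_EXTENSIONS = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".rtf")


def analyze_message(raw: str) -> Dict[str, object]:
    """Return the indicators found in one raw RFC 822 message and a verdict:
    two or more indicators together mark the message as suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    indicators: List[str] = []

    # 1. Brand in the display name, but the real sender domain is elsewhere.
    if "amazon" in display_name.lower() and domain not in TRUSTED_DOMAINS:
        indicators.append(f"display name claims Amazon but sender domain is '{domain}'")

    # 2. No readable body at all: a real shipping notice always has text.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    if not body_text:
        indicators.append("empty message body")

    # 3. Office document attached to what should be a plain notification.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(OFFICE_EXTENSIONS):
            indicators.append(f"Office document attachment: {name}")

    return {"indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample 1: the spam described in the post (spoofed sender, empty
# body, .doc attachment). Domain, filename and attachment bytes are invented.
PHISHING_SAMPLE = "\n".join([
    'From: "Amazon.com" <orders@amaz0n-delivery.example>',
    "To: victim@example.com",
    "Subject: Your order has been sent",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="B1"',
    "",
    "--B1",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "",
    "--B1",
    'Content-Type: application/msword; name="ORDER-4711.doc"',
    'Content-Disposition: attachment; filename="ORDER-4711.doc"',
    "Content-Transfer-Encoding: base64",
    "",
    "QUFBQQ==",  # placeholder payload, not a real document
    "--B1--",
    "",
])

# Constructed sample 2: a plain, legitimate-looking notice for comparison.
LEGIT_SAMPLE = "\n".join([
    'From: "Amazon.com" <ship-confirm@amazon.com>',
    "To: victim@example.com",
    "Subject: Your order has been sent",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Hello, your order shipped today and should arrive within three days.",
    "",
])


if __name__ == "__main__":
    for label, raw in [("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(label, analyze_message(raw))
```

None of the three indicators is damning on its own (plenty of legitimate mail has an empty body or a .doc attached), which is why the verdict requires at least two of them together; the empty body is the one trait a careful sender never produces by accident.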

What else happened:
Zero-days for Windows sell for 90 thousand dollars. In Russia, they also want to trade in exploits.

Two vulnerabilities in Google Chrome.

Arrests of cyber-robbers in Russia: news and research by Kaspersky Lab experts.

Antiquities:
The Advent family

Non-resident encrypted viruses that infect .COM and .EXE files when they are run. .EXE files are infected in the standard way; in .COM files the first 23h bytes are replaced with code that transfers control to the virus body.

They do not activate if the string "VIRUS=OFF" (for "Advent-2764") or "SYSLOCK=@" (for "Advent-3551") is present in the environment. Starting in mid-November, "Advent-2764" displays the greeting "MERRY CHRISTMAS!" complete with simple pictures, to the accompaniment of equally simple music. "Advent-3551" replaces the string "Microsoft" with "Macrosoft" in disk sectors.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 21.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. As luck would have it.

Source: https://habr.com/ru/post/302548/
