Saturday, 7 April 2018

Why We Cannot be Trusted to Make Our Own Passwords


Let’s start this article off with a prediction. I’m going to predict that the last password you used had the number 1 in it. No? What about the number 2? If you answered yes then you're in the ~30% of people who use a trailing 1 or 2 in their passwords. What about letters: does your password include the letter e, or the letter t? If it does then you’re also in the high percentage of people for whom e and t are the most used letters.
People are predictable. We follow patterns and schedules, and do what we know and are comfortable with. There is already some great research out there on why we do the things we do, whether it’s movement dynamics in crowds or how we create traffic jams without a bottleneck. The real question, for us, comes down to how we can apply these principles to computer security.
Passwords are one of the most intrinsic parts of our online lives. Some great teams, from Troy Hunt with Have I Been Pwned to the people at WPengine and their research on ten million passwords, have been doing great work in both correlating and analysing the passwords we use day to day.
Let’s take a step back and revisit our earlier prediction. Benford's law is the observation that, in many sets of real-world numbers, smaller digits occur more often than larger ones. From bus numbers to Twitter followers, we can see Benford's law at work in our day to day lives.
We can also see this in password security. In their study of ten million passwords, WPengine concluded that the top three trailing digits were 1 (23.84%), 2 (6.27%) and 3 (3.86%). This matches quite closely the premise behind Benford's law.
Next we have letters. In a similar way to how Benford's law predicts the occurrence of digits, frequency analysis can be used to predict the occurrence of letters. If we perform frequency analysis on English text we can see that the most common letters are e, t and a.
Looking back at the WPengine research and their list of the ten most common passwords, we can see that the letter e alone shows up in 60% of them.
There is a great quote from Steve Davidson in his book The Crystal Ball: "Forecasting future events is often like searching for a black cat in an unlit room, that may not even be there." The same applies to predicting passwords. All in all there are around three quadrillion, twenty-five trillion, nine hundred and eighty-nine billion, sixty-nine million, one hundred and forty-three thousand and forty (3,025,989,069,143,040) possible permutations for an eight-character password. That being the case, we’re probably not going to guess anyone’s full password any time soon.
We’re not going to give up there, however. Even though it’s unlikely that someone is going to guess a password right off the bat, there are still a plethora of ways that passwords can get compromised, ranging from social engineering and OSINT to data breaches and weak password complexity.
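The trailing-digit and letter-frequency checks above, written as an added example (not code from the original article or from WPengine) that a team could run over its own password audit list; the sample passwords are constructed, not real credentials.

```javascript
// Added example, not from the original article: measure the two patterns the
// article discusses (trailing digits, letter frequency) over a password list.

// Constructed sample list (not real credentials), chosen to mimic the
// article's findings: many trailing 1s and 2s, and plenty of e and t.
const SAMPLE_PASSWORDS = [
  'letmein1', 'sunshine1', 'trustno1', 'welcome2', 'princess1',
  'master12', 'secret3', 'freedom2', 'whatever1', 'dragon',
  'monkey22', 'shadow1', 'qwerty', 'football7', 'baseball1',
];

// Benford's expected share of digit d (1-9): log10(1 + 1/d).
function benfordExpected(d) {
  return Math.log10(1 + 1 / d);
}

// Share of passwords ending in each digit 1-9. Passwords with no trailing
// digit (or a trailing 0, which Benford's law does not cover) are left out.
function trailingDigitShare(passwords) {
  const counts = {};
  let withDigit = 0;
  for (const pw of passwords) {
    const last = pw.slice(-1);
    if (last < '1' || last > '9') continue;
    withDigit += 1;
    counts[last] = (counts[last] || 0) + 1;
  }
  for (const d of Object.keys(counts)) counts[d] /= withDigit;
  return counts;
}

// Letter frequency across all passwords, case-insensitive, most common first.
function letterFrequency(passwords) {
  const counts = {};
  let total = 0;
  for (const ch of passwords.join('').toLowerCase()) {
    if (ch < 'a' || ch > 'z') continue;
    counts[ch] = (counts[ch] || 0) + 1;
    total += 1;
  }
  return Object.entries(counts)
    .map(([letter, n]) => ({ letter, share: n / total }))
    .sort((a, b) => b.share - a.share || a.letter.localeCompare(b.letter));
}

// Fraction of passwords containing a letter (the article's "e in 60%").
function shareContaining(passwords, letter) {
  return passwords.filter((pw) => pw.toLowerCase().includes(letter)).length
    / passwords.length;
}
```

Compare the returned trailing-digit shares against benfordExpected(d) to see how far a given list leans towards the small digits the article predicts.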
The tried and tested advice still stands: create strong or random passwords, use a password manager (if that’s what works for you) and don’t make predictable passwords.

Phishing in the Deep End: The Growing Threat of Attacks Beyond Email


Phishing has long posed a threat to businesses thanks to attackers who convince users to open harmful email attachments and links to executables. As a result, companies have strengthened malware-blocking protections and added secure email gateways, while training employees to be more alert to phishing emails. But the landscape is changing yet again.
In turn, attackers have increased their level of sophistication with attacks that no longer rely on suspicious emails or attached files at all, but instead penetrate corporate networks via phony websites, fake ads, rogue apps, or realistic-looking browser pop-ups, extensions and plug-ins.
Users who mistakenly click on these new delivery formats may be opening their companies up to costly data breaches or extortion attempts through backdoor ransomware payloads.
Recent findings from the Ponemon Institute show that 77% of current attacks which compromise organizations are launched via file-less techniques designed to evade detection and bypass standard endpoint solutions. Cyber-criminals are turning more and more to such methods, which exploit the human attack surface and take advantage of the blind spots in current security solutions.
This problem is also exacerbated by the increased use of personal cellphones, laptops and tablets which employees adopt for work-related tasks. When employees access the internet for personal reasons on such dual-use devices, they may expose their corporate networks to phishing attacks which can lead to disastrous outcomes for their companies.
This new generation of threats doesn’t target the device, the software or the network; instead the primary target has become the unsuspecting person using these systems, and the delivery method is no longer a malicious PDF, Word document or zip file.
For example, one alarming new trend involves the injection of obfuscated malicious JavaScript into compromised websites that redirects users to tech support scams. The methods used to compromise these sites make it difficult for experts to identify the JavaScript injection because its tracks are buried within several layers of code.
In examining the source code of such compromised websites, researchers found a suspicious obfuscated script that hides its content as a list of numbers passed to an eval() call. Inside that eval(), the script uses the JavaScript String.fromCharCode() method to convert the numbers back into characters, which are then embedded into the website. By decoding the numbers back into characters themselves, the researchers were able to retrieve the hidden content, which contained a link to another site. When that URL was opened, it redirected users to a scam page.
This scam page played a very loud text-to-speech audio warning saying that your computer has been infected with a virus and urging the user to call tech support immediately to remove it. This scary notice was amplified by an additional message warning users not to turn off their computers because doing so would cause sensitive financial data and credentials to be stolen.
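The decoding step the researchers performed, as an added example that is not code from the original article: it recovers the hidden text from an eval(String.fromCharCode(...)) script statically, without executing it, and pulls out any URL so it can be investigated or block-listed. The sample script and the example.invalid host are constructed placeholders.

```javascript
// Added example, not from the original article: statically decode the
// eval(String.fromCharCode(...)) trick described above without running
// anything, so an analyst can see the hidden URL and flag the script.

// Constructed sample standing in for the injected script. The hidden text
// is a redirect to a placeholder host, not a real scam domain.
const HIDDEN_TEXT = 'window.location="https://example.invalid/support-alert";';
const SAMPLE_SCRIPT =
  'eval(String.fromCharCode(' +
  Array.from(HIDDEN_TEXT, (ch) => ch.charCodeAt(0)).join(',') +
  '));';

// True when a script passes String.fromCharCode output straight into eval,
// the signature the researchers found on the compromised sites.
function isEvalFromCharCode(source) {
  return /eval\s*\(\s*String\.fromCharCode\s*\(/.test(source);
}

// Return the decoded text of every String.fromCharCode(...) call whose
// arguments are plain numbers. The numbers are mapped back to characters
// exactly as the researchers did by hand; nothing is evaluated.
function decodeFromCharCodeCalls(source) {
  const callPattern = /String\.fromCharCode\s*\(\s*([\d\s,]+)\)/g;
  const decoded = [];
  let match;
  while ((match = callPattern.exec(source)) !== null) {
    const codes = match[1]
      .split(',')
      .map((n) => parseInt(n.trim(), 10))
      .filter((n) => Number.isInteger(n) && n >= 0 && n <= 0xffff);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Pull http(s) URLs out of decoded text for block-listing or investigation.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>)]+/g) || [];
}

// Full check: decoded strings plus any URLs they hide.
function analyseScript(source) {
  const decoded = decodeFromCharCodeCalls(source);
  return {
    suspicious: isEvalFromCharCode(source),
    decoded,
    urls: decoded.flatMap(extractUrls),
  };
}
```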

This is an unfortunate example of current security shortcomings failing to recognize a new type of threat. Firewalls are only effective when there is a known malicious URL to block, but the attackers have become skilled at quickly propping up new, unidentified web pages and then taking them down again within hours to avoid detection.
Because these risky sites are so short-lived, there is no way for security indexing bots to track all of them. Since databases and threat feeds can’t keep pace either, standard firewalls are unable to block the risky sites.
Likewise, anti-virus and anti-malware protections only help when there is a file to examine, so it has become more critical to detect and block phishing attacks before any malicious content can reach the user environment.
Security professionals have begun to recognize this risk, but their organizations lack defenses that effectively guard against phishing attacks beyond email, so they remain increasingly vulnerable to this new wave of socially engineered attacks.
There is only one solution to this growing problem – detecting and blocking phishing attacks before the user can reach the page behind the link and start the kill chain from which bad things happen.
Security professionals and IT practitioners need to start thinking differently about how the socially engineered threat landscape is changing and what they need to do to address this growing threat. The solution for more powerful, real-time phishing threat detection lies at the intersection of computer vision, optical character recognition, natural language processing and state-of-the-art machine learning, combined to achieve truly adaptive threat detection that can catch these sneaky new script- and HTML-based attacks.