Sunday, March 2, 2014

Target getting hacked and creating a better password

Dell released a full report on how Target got hacked. Target lost around 40 million debit and credit card accounts. Along with this loss, they also lost 70 million names, home addresses, email addresses and phone numbers. This is a large corporation, and because of its size it was targeted by hackers. To summarize the report, the hackers were able to gain access to Target's internal server by elevating a built-in account on their deployed Point of Sale (PoS) system. Once they gained access, they deployed a piece of malware that skimmed memory on the PoS system. As it skimmed the memory, it could sniff out credit card numbers and drop the data on a server they had deployed inside Target's network. Every once in a while they would dump this credit card data because the server would fill up. It was amazing how quickly it filled up: the report states that the server was being dumped every few hours or so.

The username and password are as follows: Username: Best1_user, Password: BackupU$r. Pretty simple, right? It has uppercase, symbols and numbers. The problem, though, is that the password is so simple, and it even contains part of the username. As you all may know, a good password contains letters, numbers and symbols and is longer than 8 characters. The problem here is that you aren't supposed to use the username anywhere in the password, and replacing letters like S with $ still counts as using the username within the password. The password should have been a passphrase instead of a pass"word". Something like "This1IsTheBest_user" would have sufficed.

You can also take things a step further by using letters, symbols, numbers, more than 8 characters and no words from the dictionary at all. So use made-up words formed by merging different words together. Say you own a Jeep and a Caterpillar tractor; you could use the password "JeCaterepPiller1970!". Let's say 1970 is the year the tractor was made. Now you have a password that meets all of these criteria:

  • Longer than 8 characters
  • Capital Letters
  • Numbers
  • Symbols
  • Not consisting of all dictionary words

Don't forget that you can include periods between words, which helps you satisfy the symbol requirement. So we can use "Jeep.Caterpiller1970!" and this will suffice as well. Some may argue that you should not use numbers in sequence, because most people use their birth year, which makes the number portion guessable. Some also use the year they got their dog or the year their Jeep (or tractor) was made. Try to avoid this kind of obvious choice and use numbers that don't relate to anything you own. Some may even try "Jeep.Caterpiller70!", but this doesn't solve the problem: a hacker can easily figure out that your birth year is 1970 and try 70 at the end of your password.
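As an added example (not from the post or the Dell report), here is a small Python checker for the criteria listed above, including the post's point that swapping letters for symbols like S to $ does not disguise the username. The word list and the substitution table are assumptions standing in for a real dictionary.

```python
import re

# Constructed stand-in for a real dictionary (assumption; a real check uses a full word list).
DICTIONARY = {"jeep", "caterpillar", "tractor", "backup", "user", "this", "is",
              "the", "best", "password"}

# Symbol/digit-for-letter swaps that, as the post notes, do not hide a word (assumed table).
LEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
                      "1": "i", "3": "e", "7": "t"})
VOWELS = set("aeiou")

def normalize(password):
    """Lower-case and undo leet swaps so that 'U$r' is compared as 'usr'."""
    return password.lower().translate(LEET)

def fragment_pattern(token):
    """Regex for a username fragment that also matches its vowel-dropped form (user -> usr)."""
    return "".join(c + "?" if c in VOWELS else c for c in token)

def contains_username(password, username):
    """True if any 3+ letter fragment of the username survives in the normalized password."""
    fragments = [t for t in re.split(r"[^a-z]+", username.lower()) if len(t) >= 3]
    return any(re.search(fragment_pattern(t), normalize(password)) for t in fragments)

def word_tokens(password):
    """Split on symbols, digits and camelCase: 'JeCaterepPiller1970!' -> ['Je', 'Caterep', 'Piller']."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+", password)

def check_password(password, username):
    """Return the post's criteria that the password fails; an empty list means it passes."""
    failures = []
    if len(password) <= 8:
        failures.append("longer than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("capital letters")
    if not any(c.isdigit() for c in password):
        failures.append("numbers")
    if not any(not c.isalnum() for c in password):
        failures.append("symbols")
    words = [w.lower() for w in word_tokens(password) if len(w) >= 2]
    if words and all(w in DICTIONARY for w in words):
        failures.append("not all dictionary words")
    if contains_username(password, username):
        failures.append("no part of the username")
    return failures

if __name__ == "__main__":
    for pw in ("BackupU$r", "Jeep.Caterpiller1970!", "JeCaterepPiller1970!"):
        print(pw, "->", check_password(pw, "Best1_user") or "passes")
```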

If you are having trouble determining a good password and want to know how well it stands up against a hacking tool, try this website: http://www.passwordmeter.com/.

If you notice, this website's password checker is also under the GNU license, so you can download it and use it in your business for free!

I have attached the Dell report from Krebsonsecurity's blog. I would recommend taking a glance/read through his stuff, too.

http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf