
Defense in Depth

Read all 'passwords' posts in Defense in Depth
July 17, 2008 2:33 PM PDT

A real simple answer to password protection

by Robert Vamosi
  • 12 comments

It's a question I get asked a lot: what's a good way to remember passwords for a computer?

Here's how Christopher Horn over at Real Simple chose to answer it:

Writing down random log-in user names and passwords is unsafe and leaves them vulnerable to getting lost. Use a spreadsheet or a word-processing document to keep track of all the information safely. List the link for each website you have an account with and the specific user-name and password information that goes with that account. Click the Save As option under the File tab and name the document. The Save As window will have an Options or Security Options key, which you should select. Navigate through the menus, entering the necessary password--for both opening and modifying the document--until you have successfully secured and saved your list. To retrieve the information, open the file and enter one password to access all the others.

I disagree.

There are some problems with Horn's answer. What happens if you want to log in to an account using a different computer? And, shouldn't you encrypt the file as opposed to just using a password?

Even the security people at Microsoft have told me that the password features within Windows and Office aren't necessarily your strongest security option. I know that password protection within Word or Works can be defeated with a variety of password-cracking programs. John the Ripper is perhaps the best-known of these; it uses lists of common dictionary words to brute-force unknown passwords. Chances are, Real Simple readers will use "password" as the password for their password list. But still, placing a password on a file (putting a lock on it) is not the same as encrypting the entire file (scrambling the contents so only you can read it).

Me? I go low-tech. I write down all my passwords with pen and paper and do so in such a way that it would take someone a long while to associate a password with a given account. I also change these passwords from time to time. And I don't store my low-tech, highly obfuscated password crib sheet anywhere near my computer.

For a more thorough discussion of the various issues around passwords and password management, check out Elinor Mills' latest CNET News feature.

April 16, 2008 9:22 AM PDT

Women more likely to give up passwords than men

by Robert Vamosi

What would it take to get you to give up your office network password to a total stranger? In London, women were more likely than men to hand over their password for a piece of chocolate, say researchers for Infosecurity Europe.

The survey was conducted among 576 office workers contacted outside Liverpool Street Station in London. The good news is that, overall, just 21 percent of those questioned would give up their password, with 45 percent of women saying yes versus 10 percent of men. Last year, 64 percent of people surveyed said they were prepared to give away their passwords for a chocolate bar.

However, when the researchers also asked the office workers for their dates of birth to validate that they had participated in the survey, 61 percent complied with the request. "Our researchers also asked for workers' names and telephone numbers so that they could be entered into a drawing to go to Paris. With this incentive 60 percent of men and 62 percent of women gave us their contact information," said Claire Sellick, event director for Infosecurity Europe.

And more than half the people questioned use the same password for multiple accounts. Most people in the survey used only one (31 percent), two (31 percent) or three (16 percent) password(s) at work, and 43 percent rarely or never change their password. Half in the survey said they knew their colleagues' passwords. And when asked if they would give their passwords to someone who phoned and said they were from the IT department, 58 percent said they would.

The survey was conducted as part of the media campaign that precedes the annual Infosecurity Europe security conference, which takes place next week at the Grand Hall, Olympia, London, and runs from April 22 to 24, 2008.

April 3, 2008 11:36 AM PDT

VeriSign expands its two-factor token network

by Robert Vamosi

On Wednesday, VeriSign invited companies to join its VeriSign Identity Protection (VIP) Network by announcing VIP Quick Start. As encouragement, vendors who sign up between now and September 30 will receive 5,000 free tokens to distribute to their customers. The customers can then use the tokens on any of the participating VIP sites.

VIP is part of a two-factor authentication process created by VeriSign. Customers are given tokens or cards that display a digital password that's time-synced with a server on the corporate back end. When you go to access a site, you simply enter the code displayed on the token or card; the code is then refreshed. This extra step, using one-time passwords, is designed to prevent Internet identity theft, phishing, and online financial fraud.
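To make concrete what "time-synced" means, here is an added example, not VeriSign's code (the post does not say which algorithm VIP tokens use): a one-time-password token and its verifier following the open RFC 6238 algorithm. The token side turns a shared secret plus the current 30-second time step into a six-digit code; the server side recomputes the same code and allows a small clock skew. The demo secret is the RFC's own test value, not a real one.

```python
# Added example (not VeriSign's code): a time-based one-time password as
# specified in RFC 6238, with the token side and the server side in one file.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how long each displayed code stays valid
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """What the token displays at time `now` (seconds since the Unix epoch).
    The counter is just the number of whole steps elapsed, which is why the
    token and the server agree as long as their clocks are roughly in sync."""
    return hotp(secret, int(now // step))


def verify(secret: bytes, submitted: str, now: float, skew: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `skew`
    steps either side, to tolerate clock drift and typing delay. compare_digest
    avoids a timing side channel on the string comparison itself."""
    counter = int(now // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta).encode(), submitted.encode())
        for delta in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test secret; a real secret is provisioned per token and never shared.
    demo_secret = b"12345678901234567890"
    shown = totp(demo_secret, time.time())
    print("token shows:", shown, "-> server accepts:", verify(demo_secret, shown, time.time()))
```

A production verifier also has to remember the last step it accepted for each token and refuse to accept the same code twice, otherwise a phished code stays usable for the rest of its time window.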

The news on Wednesday is that many sites, including the initial dozen or so that have been testing the program, will now offer the use of the VeriSign tokens or cards, so that if you register with Charles Schwab, you can use the token on eBay as well.

Fran Rosch, vice president of identity and authentication services at VeriSign, likened the experience to using an ATM. "You can go to any ATM, even one that isn't your own bank's, and still withdraw cash so long as your bank card includes one of the ATM network logos (for example, Plus or Star)." With the VIP token, a customer need only see the VeriSign Identity Protection logo to use the token on that site.

At next week's RSA 2008 conference in San Francisco, VeriSign will hand out tokens to participants who register with VeriSign at the show, while supplies last.

March 10, 2008 9:01 AM PDT

E-mail archive program gathers Gmail account information as well

by Robert Vamosi
  • 11 comments

In looking for a program to back up his Gmail account, programmer Dustin Brooks found a commercial program that instead copies username and password information, according to a blog on Codinghorror.com.

Over the weekend, Brooks said in an e-mail to CodingHorror.com that he was looking for a program that would archive his Gmail account onto his local hard drive. He signed up for a program called G-Archiver distributed by Mate Media of Miami, Fla. Brooks says that after installing the program, it didn't do all he was looking for, so he decided to reverse engineer its code using a program called Reflector for .NET.

Inside the source code Brooks found the program author's e-mail address and account password for Gmail. Thinking that was a little strange, Brooks used the hardcoded information to open John Terry's Gmail account. There, Brooks alleges he found 1,777 messages, all of which had usernames and passwords for people who signed up for G-Archiver, including his own. In other words, whenever anyone signed up for the program, as Brooks had, a copy of his or her username and password was sent to John Terry's Gmail account.

Hardcoding e-mail addresses isn't new. In a presentation at Black Hat D.C. 2008 a few weeks ago, researchers Nitesh Dhanjani and Billy Rios reported that phishing site creators frequently hardcode e-mail addresses into the code in order to receive copies of the personal information submitted independent of where the Web form is being sent.
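Brooks found the credentials by decompiling the program, but a reviewer can catch the same class of problem before shipping, or before trusting a download, with a string scan of the binary. The following is an added example, not Brooks's or Mate Media's code: it extracts printable runs the way the `strings` tool does, including the UTF-16 form in which .NET assemblies store string literals, and flags e-mail addresses and `password=...`-style assignments for a human to triage. The sample binary, the e-mail address and the password in it are constructed for the demo.

```python
# Added example: flag hardcoded e-mail addresses and credentials in a binary.
import re

# Patterns for things that should never ship inside a program.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CREDENTIAL_RE = re.compile(
    r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["']?([^"'\s;]{4,})"""
)


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, text) pairs for printable runs, like the `strings` tool.
    Both plain ASCII and UTF-16LE runs are included, because .NET assemblies
    keep user string literals in the latter form."""
    runs = []
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_run, data):
        runs.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(utf16_run, data):
        runs.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(runs)


def find_hardcoded_credentials(data: bytes):
    """Return (kind, value) findings from the strings in `data` for a reviewer to triage."""
    findings = []
    for _offset, text in extract_strings(data):
        for m in EMAIL_RE.finditer(text):
            findings.append(("email", m.group()))
        for m in CREDENTIAL_RE.finditer(text):
            findings.append(("credential", f"{m.group(1)}={m.group(2)}"))
    return findings


# Constructed stand-in for a compiled program: a fake header, some harmless
# ASCII strings, a collector address and a UTF-16 password literal.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + bytes(12)
    + b"Starting backup of mailbox\x00\x00"
    + b"smtp.example.test\x00\x00"
    + b"collector@example.test\x00\x00"
    + "Password=hunter2-not-real".encode("utf-16-le") + b"\x00\x00"
    + b"https://mail.example.test/\x00"
)

if __name__ == "__main__":
    for kind, value in find_hardcoded_credentials(SAMPLE_BINARY):
        print(f"{kind:10} {value}")
```

Run it over a real file with `find_hardcoded_credentials(open(path, "rb").read())`. The scan is deliberately noisy (a support address will be flagged alongside a collector address); the point is that an e-mail address sitting next to a password literal in a backup tool is something a reviewer should have to explain.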

Brooks says that upon realizing what each of the e-mails contained, he deleted all the mail and emptied the trash. He then changed the author's password, and reported the abuse of jterry79@gmail.com to Google.

On the CodingHorror.com site this morning, Brooks wrote "Granted my actions may have been a little quick and harsh, I was a little upset over the whole deal. I have a lot of personal info in my account along with a stored credit card for Google checkout. I very easily just could have changed my password and been done with it, but I didn't want more people compromising their accounts as well. The only e-mails in this account were usernames/passwords. This wasn't a personal account used for other things."

A number of sites have since removed G-Archiver from their download collection, including CNET Download.com. Attempts to contact Mate Media have so far gone unanswered.

January 22, 2008 10:19 AM PST

Drive-by pharming attack hits home

by Robert Vamosi
  • 8 comments

Whenever you type an address into an Internet browser, that address is instantly resolved into the site's numerical Internet address by a DNS server located somewhere in the world. On Tuesday, Symantec announced that online criminals have started to remotely change your home network router's DNS server setting so that whenever you type in a financial institution or other trusted site, your browser will instead be redirected to a bogus or phishing Web site.

The practice, called pharming, usually attacks the DNS servers directly, but this latest attack brings it all home (if you are using broadband connectivity). Fortunately, the routers and institutions affected by this current attack are limited to one country, Mexico, but Symantec warns that word of this real-world attack could bring similar attacks elsewhere.

Last year, researchers at Symantec and the University of Indiana reported that remotely changing a home router's DNS server was theoretically possible. The theoretical attack used JavaScript on a specially crafted Web page, and affected only wireless routers. The attack in use today uses e-mail, and it can affect non-wireless routers as well.

According to a blog by Zulfikar Ramzan, a researcher at Symantec, "the attackers embedded the malicious code inside an e-mail that claimed it had an e-card waiting for you at the Web site gusanito.com. Unfortunately the e-mail also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router's DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker's Web site."

The best way to prevent becoming a victim is to change your network router's default password. Default router passwords are not a secret and are available on the Internet, so if you haven't ever changed your network router's password, now is a good time. Symantec's Ramzan further recommends performing a hard reset of your router first, just in case you are already compromised.

If choosing a router password intimidates you, Ramzan also points out that if you ever do forget your new password, you can always do a hard reset on the box in the future (something a remote hacker can't do) and choose a new password later.
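Changing the factory password is the advice for the household; the router vendor's side of the fix is that a single GET request should never be able to rewrite DNS settings. The following is an added example, not Symantec's or any vendor's code: a hypothetical Router model with the kind of handler the post describes (any GET carrying the right, possibly factory, password changes the resolver) next to a hardened handler that refuses to operate until the factory password is changed and only honours a POST from a logged-in session that carries that session's CSRF token, which an <img> tag cannot produce. Endpoint and parameter names, the credential list and the IP addresses are all constructed.

```python
# Added example: the state-changing GET the post describes, beside a hardened
# admin handler. Everything here (Router, endpoint, parameters) is hypothetical.
import hashlib
import hmac
import ipaddress
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed list of factory credentials for the demo; real lists are product-specific.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the demo short; a real device should use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class Router:
    """Minimal model of a home router's admin interface (hypothetical, not any product)."""

    def __init__(self, username: str = "admin", password: str = "admin"):
        self.username = username
        self.password_hash = _hash(password)
        self.default_password = (username, password) in DEFAULT_CREDENTIALS
        self.dns = ["192.0.2.53"]      # documentation-range address standing in for the ISP resolver
        self.sessions = {}             # session id -> CSRF token

    def set_password(self, new_password: str) -> None:
        self.password_hash = _hash(new_password)
        self.default_password = (self.username, new_password) in DEFAULT_CREDENTIALS

    def check_password(self, username: str, password: str) -> bool:
        return username == self.username and hmac.compare_digest(
            self.password_hash.encode(), _hash(password).encode()
        )


# --- Vulnerable pattern: a state-changing GET guarded only by a (possibly factory) password
def vulnerable_set_dns(router: Router, method: str, url: str, basic_auth) -> int:
    """The request method is deliberately ignored: a plain GET with matching
    Basic credentials rewrites the resolver, which is what an <img src> fetched
    by a victim's browser with the factory username and password exploits."""
    user, pw = basic_auth
    if not router.check_password(user, pw):
        return 401
    query = parse_qs(urlparse(url).query)
    if "dns" not in query:
        return 400
    router.dns = query["dns"]
    return 200


# --- Hardened pattern: forced password change, session login, POST plus CSRF token
def hardened_login(router: Router, username: str, password: str):
    """Return (session_id, csrf_token), or None. Refuses to run on factory credentials."""
    if router.default_password or not router.check_password(username, password):
        return None
    sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    router.sessions[sid] = csrf
    return sid, csrf


def hardened_set_dns(router: Router, method: str, form: dict, session_cookie: str) -> int:
    """Only a POST from a logged-in session carrying that session's CSRF token is
    honoured. An <img> tag can only issue a GET and can never read the token."""
    if method != "POST":
        return 405
    csrf = router.sessions.get(session_cookie)
    if csrf is None:
        return 401
    if not hmac.compare_digest(csrf.encode(), form.get("csrf", "").encode()):
        return 403
    new_dns = [s.strip() for s in form.get("dns", "").split(",") if s.strip()]
    try:
        for addr in new_dns:
            ipaddress.ip_address(addr)
    except ValueError:
        return 400
    if not new_dns:
        return 400
    router.dns = new_dns
    return 200


if __name__ == "__main__":
    weak = Router()
    print("vulnerable GET:", vulnerable_set_dns(weak, "GET", "http://192.168.0.1/setdns?dns=203.0.113.9", ("admin", "admin")), weak.dns)
    strong = Router()
    print("login with factory password:", hardened_login(strong, "admin", "admin"))
    strong.set_password("correct-horse-battery-staple")
    sid, csrf = hardened_login(strong, "admin", "correct-horse-battery-staple")
    print("GET against hardened handler:", hardened_set_dns(strong, "GET", {"dns": "203.0.113.9"}, sid))
    print("POST with token:", hardened_set_dns(strong, "POST", {"dns": "203.0.113.9", "csrf": csrf}, sid), strong.dns)
```

The hardened version embodies both halves of Ramzan's advice: the device will not accept a login at all while the factory password is in place, and even with a good password a cross-site request cannot change anything without a token that only a page served by the router itself can see.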

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
