News

Cloudflare reports on the state of applications security. It claims that 6.8% of Internet traffic is malicious. And that CVEs are exploited as quickly as 22 minutes after proof-of-concepts are published.

News articles.

A text pops up on your phone. It’s your pal, and the text says, “What’s the password again?” It might be for a video streaming app, a delivery service, or a music site. But is it really OK to share passwords?

The answer to that question takes a couple of forms.

For starters, that app, service, or site you’re sharing has terms of use. Those terms might allow for sharing. Others might not. From that standpoint, sharing might break those terms.

Secondly, sharing passwords with someone outside your household carries security risks. And that’s what we’ll focus on here.

How many people share passwords?

One set of research found that 79% of Americans surveyed said they shared passwords. Video streaming came in at 35%, delivery services at 29%, and music streaming at 9%.[i]

Yet that same research revealed something else. Only 7% of Americans said they worried about getting hacked despite all that password sharing.

What are the risks of sharing passwords?

The broader use a password sees, the more vulnerable it is. And that has a couple of dimensions to it.

The first is the more obvious of the two. Reusing passwords across accounts can lead to identity theft and fraud. Say a hacker gets a hold of a password on the dark web or directly through a data breach. If it’s reused across accounts, all those accounts could get compromised. The same is largely true of passwords that have little variation between them. When not unique, a hacker can figure out the variation with relatively little effort.

The second is a bit more subtle. Sharing passwords with people outside the household means those passwords get used on devices outside of the household. The question then is, are those devices secure? Do the people who own them use online protection software to keep themselves safer online? If not, those passwords could get exposed. One example — a friend logs into a streaming site on unprotected Wi-Fi. A hacker monitors the traffic, skims the password, and sells it on the dark web.

So, for several reasons, sharing passwords is not OK. And it brings up an important point about passwords in general. We have a lot of them. Yet each one must be secure.

I have too many passwords! Help!

So, we’ve mentioned some of the security risks around passwords. Primary among them, weak and reused passwords.

It’s no wonder people go the route of easy-to-remember passwords they use again and again. According to Pew Research, American adults feel overwhelmed by the number of passwords they have to keep track of. Depending on the age group, that feeling ranges from 61% to 74%.[ii]

That sense of overwhelm takes shape in another interesting way. Increasingly, people are doing something about it. Faced with creating strong and unique passwords, more people let a password manager do the work for them. In 2019, only 20% of Americans surveyed said they used one. In 2023, that number leapt up to 32%.[iii] A solid 12% rise that now covers nearly a third of all Americans.

So, for anyone bogged down by passwords, a password manager offers an excellent solution.

And a safe one at that.

A password manager like ours helps you protect your accounts from hackers by securely creating and storing strong and unique passwords. The very kind of passwords that hackers hate. While you’re online, it auto-fills your info for faster logins. Best of all, you only have to remember a single password.

The last word on sharing (and re-using) passwords

Don’t.

For one, sharing passwords might break the terms of use for the app, service, or site in question. Next, it can bring security issues with it as multiple people use it on multiple devices — ones that might or might not be secure.

On a related note, re-using passwords across several accounts increases your risk of getting hacked even more. Whether they’re weak and memorable or variations on a common theme, passwords like these make life easier for hackers.

As always, each of your accounts calls for a strong and unique password. And if you’re like the many who have dozens and dozens of accounts, a password manager can make that easy. And highly secure, too.

[i] https://www.thezebra.com/resources/home/dangers-of-sharing-passwords/

[ii] https://www.pewresearch.org/internet/2023/10/18/how-americans-protect-their-online-data/

[iii] Ibid.

 

The post Do You Share Passwords with Friends and Family? appeared first on McAfee Blog.

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.

Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses.

When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain.

But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about the domain and can’t resolve queries to find it. A domain can become lame in a variety of ways, such as when it is not assigned an Internet address, or because the name servers in the domain’s authoritative record are misconfigured or missing.

The reason lame domains are problematic is that a number of Web hosting and DNS providers allow users to claim control over a domain without accessing the true owner’s account at their DNS provider or registrar.

If this threat sounds familiar, that’s because it is hardly new. Back in 2019, KrebsOnSecurity wrote about thieves employing this method to seize control over thousands of domains registered at GoDaddy, and using those to send bomb threats and sextortion emails (GoDaddy says they fixed that weakness in their systems not long after that 2019 story).

In the 2019 campaign, the spammers created accounts on GoDaddy and were able to take over vulnerable domains simply by registering a free account at GoDaddy and being assigned the same DNS servers as the hijacked domain.

Three years before that, the same pervasive weakness was described in a blog post by security researcher Matthew Bryant, who showed how one could commandeer at least 120,000 domains via DNS weaknesses at some of the world’s largest hosting providers.

Incredibly, new research jointly released today by security experts at Infoblox and Eclypsium finds this same authentication weakness is still present at a number of large hosting and DNS providers.

“It’s easy to exploit, very hard to detect, and it’s entirely preventable,” said Dave Mitchell, principal threat researcher at Infoblox. “Free services make it easier [to exploit] at scale. And the bulk of these are at a handful of DNS providers.”

SITTING DUCKS

Infoblox’s report found there are multiple cybercriminal groups abusing these stolen domains as a globally dispersed “traffic distribution system,” which can be used to mask the true source or destination of web traffic and to funnel Web users to malicious or phishous websites.

Commandeering domains this way also can allow thieves to impersonate trusted brands and abuse their positive or at least neutral reputation when sending email from those domains, as we saw in 2019 with the GoDaddy attacks.

“Hijacked domains have been used directly in phishing attacks and scams, as well as large spam systems,” reads the Infoblox report, which refers to lame domains as “Sitting Ducks.” “There is evidence that some domains were used for Cobalt Strike and other malware command and control (C2). Other attacks have used hijacked domains in targeted phishing attacks by creating lookalike subdomains. A few actors have stockpiled hijacked domains for an unknown purpose.”

Eclypsium researchers estimate there are currently about one million Sitting Duck domains, and that at least 30,000 of them have been hijacked for malicious use since 2019.

“As of the time of writing, numerous DNS providers enable this through weak or nonexistent verification of domain ownership for a given account,” Eclypsium wrote.

The security firms said they found a number of compromised Sitting Duck domains were originally registered by brand protection companies that specialize in defensive domain registrations (reserving look-alike domains for top brands before those names can be grabbed by scammers) and combating trademark infringement.

For example, Infoblox found cybercriminal groups using a Sitting Duck domain called clickermediacorp[.]com, which was a CBS Interactive Inc. domain initially registered in 2009 at GoDaddy. However, in 2010 the DNS was updated to DNSMadeEasy.com servers, and in 2012 the domain was transferred to MarkMonitor.

Another hijacked Sitting Duck domain — anti-phishing[.]org — was registered in 2003 by the Anti-Phishing Working Group (APWG), a cybersecurity not-for-profit organization that closely tracks phishing attacks.

In many cases, the researchers discovered Sitting Duck domains that appear to have been configured to auto-renew at the registrar, but the authoritative DNS or hosting services were not renewed.

The researchers say Sitting Duck domains all possess three attributes that makes them vulnerable to takeover:

1) the domain uses or delegates authoritative DNS services to a different provider than the domain registrar;
2) the authoritative name server(s) for the domain does not have information about the Internet address the domain should point to;
3) the authoritative DNS provider is “exploitable,” i.e. an attacker can claim the domain at the provider and set up DNS records without access to the valid domain owner’s account at the domain registrar.

How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years. The list includes examples for each of the named DNS providers.

In the case of the aforementioned Sitting Duck domain clickermediacorp[.]com, the domain was originally registered by , but it appears to have been hijacked by scammers by claiming it at the web hosting firm DNSMadeEasy, which is owned by Digicert, one of the industry’s largest issuers of digital certificates (SSL/TLS certificates).

In an interview with KrebsOnSecurity, DNSMadeEasy founder and senior vice president Steve Job said the problem isn’t really his company’s to solve, noting that DNS providers who are also not domain registrars have no real way of validating whether a given customer legitimately owns the domain being claimed.

“We do shut down abusive accounts when we find them,” Job said. “But it’s my belief that the onus needs to be on the [domain registrants] themselves. If you’re going to buy something and point it somewhere you have no control over, we can’t prevent that.”

Infoblox, Eclypsium, and the DNS wiki listing at Github all say that web hosting giant Digital Ocean is among the vulnerable hosting firms. In response to questions, Digital Ocean said it was exploring options for mitigating such activity.

“The DigitalOcean DNS service is not authoritative, and we are not a domain registrar,” Digital Ocean wrote in an emailed response. “Where a domain owner has delegated authority to our DNS infrastructure with their registrar, and they have allowed their ownership of that DNS record in our infrastructure to lapse, that becomes a ‘lame delegation’ under this hijack model. We believe the root cause, ultimately, is poor management of domain name configuration by the owner, akin to leaving your keys in your unlocked car, but we acknowledge the opportunity to adjust our non-authoritative DNS service guardrails in an effort to help minimize the impact of a lapse in hygiene at the authoritative DNS level. We’re connected with the research teams to explore additional mitigation options.”

In a statement provided to KrebsOnSecurity, the hosting provider and registrar Hostinger said they were working to implement a solution to prevent lame duck attacks in the “upcoming weeks.”

“We are working on implementing an SOA-based domain verification system,” Hostinger wrote. “Custom nameservers with a Start of Authority (SOA) record will be used to verify whether the domain truly belongs to the customer. We aim to launch this user-friendly solution by the end of August. The final step is to deprecate preview domains, a functionality sometimes used by customers with malicious intents. Preview domains will be deprecated by the end of September. Legitimate users will be able to use randomly generated temporary subdomains instead.”

What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that to claim a domain name, the best practice providers gave the account holder random name servers that required a change at the registrar before the domains could go live. They also found the best practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.

[Side note: Infoblox observed that many of the hijacked domains were being hosted at Stark Industries Solutions, a sprawling hosting provider that appeared two weeks before Russia invaded Ukraine and has become the epicenter of countless cyberattacks against enemies of Russia].

Both Infoblox and Eclypsium said that without more cooperation and less finger-pointing by all stakeholders in the global DNS, attacks on sitting duck domains will continue to rise, with domain registrants and regular Internet users caught in the middle.

“Government organizations, regulators, and standards bodies should consider long-term solutions to vulnerabilities in the DNS management attack surface,” the Infoblox report concludes.

The OneDrive campaign uses social engineering to trick users into executing a PowerShell script

According to eSentire, around 400 GenAI account logins are sold daily on the dark web, including credentials for GPT, Quillbot, Notion and Replit

The ICO found that the Electoral Commission did not have appropriate security measures in place, allowing hackers to access the personal details of 40 million UK voters

Picus Security claims just 12% of simulated attacks trigger an alert

Guardio Labs found that attackers exploited a configuration setting in Proofpoint’s email protection service, allowing outbound messages to bypass email protections

Health savings specialist HealthEquity reveals over four million customers were impacted in a recent breach

402 healthcare IT/cybersecurity leaders share their latest ransomware experiences, revealing fresh insights into the realities facing the healthcare sector today.