More stories

  • Why are you still using QWERTY? 2021's most common passwords revealed

    An analysis of password habits worldwide has revealed we are still performing poorly when it comes to strong credential management. 

    While the idea of using passwords such as QWERTY, 123456, and PASSWORD might seem like a joke these days, they are still commonly found in data dumps of stolen credentials published online. Major online service providers now often enforce strong passwords with lower-case and capital letters, numbers, and special characters, and may also encourage or enforce multi-factor authentication (MFA). However, businesses may not impose the same standards. In addition, ghost and forgotten accounts, hardcoded credentials, and the re-use of username and password combinations are still common problems today.

    On Wednesday, NordPass published its annual study of password use across 50 countries, the “Most Common Passwords” report, an evaluation of a database containing 4TB of leaked passwords, many of which originated from the US, Canada, Russia, Australia, and Europe.

    According to the researchers, the most common passwords in 2021, worldwide, were:

    1. 123456 (103,170,552 hits)
    2. 123456789 (46,027,530 hits)
    3. 12345 (32,955,431 hits)
    4. qwerty (22,317,280 hits)
    5. password (20,958,297 hits)
    6. 12345678 (14,745,771 hits)
    7. 111111 (13,354,149 hits)
    8. 123123 (10,244,398 hits)
    9. 1234567890 (9,646,621 hits)
    10. 1234567 (9,396,813 hits)

    Among the findings, the researchers also found that a “stunning” number of people like to use their own name as a password (“charlie” appeared as the 9th most popular password in the UK over 2021, as it happens).
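The numbers above are the defender's argument for screening new passwords against a list of known-leaked values before accepting them, normalising the candidate first so that trivial variants of a blocked entry do not slip through. The Python below is an example added for this page, not code from NordPass or ZDNet: the denylist holds exactly the ten worldwide entries quoted above, while the normalisation rules, the `check_password` policy, the `top_passwords` counter and the constructed sample dump are the example's own assumptions.

```python
"""Screen candidate passwords against a denylist of commonly leaked values,
and count password frequency in a credential dump the way a report like
NordPass' would. Added example; not from NordPass or ZDNet."""
from __future__ import annotations

import re
from collections import Counter

# Worldwide top 10 for 2021 as quoted in the article.
COMMON_PASSWORDS: set[str] = {
    "123456", "123456789", "12345", "qwerty", "password",
    "12345678", "111111", "123123", "1234567890", "1234567",
}

# Substitutions people use to dodge a naive blocklist ("P@ssw0rd").
# Assumption: this mapping is the example's own, not from the report.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> set[str]:
    """Return every variant of a candidate that should be checked."""
    base = candidate.strip().lower()
    variants = {base, base.translate(LEET_MAP)}
    # Also check the candidate with a trailing run of digits/symbols removed,
    # so "qwerty2021" and "password1!" are caught as well.
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if stripped:
        variants.add(stripped)
        variants.add(stripped.translate(LEET_MAP))
    return variants


def is_common(candidate: str, denylist: set[str] = COMMON_PASSWORDS) -> bool:
    """True if any normalised variant of the candidate is on the denylist."""
    return any(variant in denylist for variant in normalize(candidate))


def check_password(candidate: str, min_length: int = 8) -> list[str]:
    """Return the policy failures for a candidate; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_common(candidate):
        problems.append("matches a commonly used password")
    return problems


# Constructed sample of "email:password" lines, not real leaked data.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:Password
carol@example.com:qwerty
dave@example.com:123456
erin@example.com:correct horse battery staple
frank@example.com:123456
grace@example.com:qwerty
"""


def top_passwords(dump: str, n: int = 3) -> list[tuple[str, int]]:
    """Count password frequency in a dump (case-insensitive), most common first."""
    counts: Counter[str] = Counter()
    for line in dump.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than miscount them
        _, password = line.split(":", 1)
        counts[password.strip().lower()] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for pw in ("QWERTY", "P@ssw0rd1!", "12345", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    print(top_passwords(SAMPLE_DUMP))
```

In production the denylist would be a far larger corpus than ten entries (the report itself draws on 4TB of leaked passwords), loaded from a file or queried through a k-anonymity range API rather than embedded in source.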

    “Onedirection” was a popular music-related password option, and the number of times “Liverpool” appears could indicate how popular the football team is — although, in Canada, “hockey” was unsurprisingly the top sports-related option in active use. Swear words are also commonly employed, and when it comes to animal themes, “dolphin” was the most popular choice internationally.

    Aside from variations of numbers and PC keyboards, in some lists, other local password options made the top 10, including the surname “Chregan” in South Africa, the city “Barcelona” in Spain, and the name “Tiffany” in France.

    NordPass’ report can be accessed here.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Best VPN Black Friday deals: Surfshark for $2.21/mo, NordVPN for $3.29/mo

    Over the past months, we’ve published a lot of useful information about VPNs. But this article is unique. In this article, we’re going to do our best to help you save a few bucks. Below are the latest and greatest Black Friday and Cyber Monday VPN deals we’ve been able to scour from around the net, from the VPN vendors themselves, and from the secret whispers of VPN aficionados pumping as much caffeine into their veins as possible to keep up with their need for bits, all day and all night.

    Keep in mind that VPN vendors are aggressive marketeers even outside of the silly season. But when the floodgates open up, they’re getting even more enthusiastic. So while there are some not-bad Black Friday and Cyber Monday “deals” presented in this article, keep in mind that most VPN vendors are constitutionally incapable of resisting the urge to offer regular deal promotions, and you might just find good deals during other times during the year.

    Terms and conditions

    Be very careful about the terms of the deal. VPN vendors have decided to jump on the bandwagon of one of the most reprehensible tactics used by the web hosting business: listing price by month but charging by year, followed by massive jumps in prices when your service automatically renews. PureVPN, for example, promotes their offering as $2.04 per month, but they actually charge you for 24 months, or $49. Then, when 24 months pass by, they slam you with a $70 bill, bringing your monthly bill from two bucks to nearly six, a three-fold increase. IPVanish’s monthly rate jumps from the $3.80/mo promo price to $7.50 per month — and your card gets hit for $90 all at once.

    One of the best ways to take advantage of these promo deals but not get slammed later is to make a calendar entry the month before renewal so you know to cancel the service before you get slammed. Since there’s nothing to lock you into a VPN service (they all do basically the same stuff), you can jump onto the next service with a good deal when renewal time comes around.

    So, I’ve listed these in order of cheapest per month to most expensive, but beware of the surge with all those caveats.

    Pay now: $50 for three years

    How they pitch it: 3-yrs plan for $1.39/mo + 3 months free
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price skyrockets to $47.83 per year

    They say you need the coupon code BLACKFRIDAY, but I just went to their site and hit their big Black Friday banner. The deal here is good on a per-month basis, but put that renewal date in your calendar for three years from now. Otherwise, you’ll be slammed paying three times more when it renews.

    This is a middle-of-the-road VPN with support for just Windows, Mac, iOS, and Android. But it has one thing going for it: you can use it on all your devices. There’s no 5-device limit, as is the case for many other vendors.

    Pay now: $49 for 24 months

    How they pitch it: $2.04/mo for 24 months
    Money-back guarantee: 31 days
    Auto-renew: Yes, the price balloons to $70 per year

    These folks are running one of those annoying countdown clocks on their page as if they won’t take your order after the deadline. They’re also trying to virtue signal by offering a 31-day money-back guarantee while everyone else is offering 30. Whether 30 or 31 days, it’s on you to test your purchase to be sure it does what you need.

    PureVPN allows 10 devices, and it supports a pretty wide range of devices. Beyond that, it offers the usual features, ranging from kill switch to split tunneling and even a fixed IP as an upsell for business buyers. Back in 2018, we ran an article about IP leaks, but all indications are they’ve fixed those problems since then.

    Pay now: $59.76 for 27 months

    How they pitch it: $2.21/mo for 24 months + 3 free months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price might bump up

    The Surfshark marketing folks are going to town with the large fonts and Black Friday animations. They have a countdown clock, an announcement about a price drop where the word “drop” actually drops, and even a spinning, flashing, 200 point “Ultimate”. So, they really want you to buy.

    Our review: Surfshark VPN review: It’s cheap, but is it good?

    It looks like your bill will double once the promo runs out. They say, “59.76 billed now, then annually starting after 27 months.” So keep that in mind and make a note in your calendar if you want to cancel.

    Pay now: $38 for 12 months

    How they pitch it: $3.20/mo for 12 months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price explodes to $90/year!!

    The most important thing is to watch out for that automatic billing hit. $90 a year is a big jump, and it’s among the most expensive we’ve seen for any services that bill for more than one month.

    Our review: IPVanish review: A VPN with a wealth of options

    That said, I gave it a pretty positive review. Although some conditions apply, the service offers unlimited connections, and they have quite a lot of clients they support. I was pretty bullish on the features but wasn’t entirely sure I’d want to use the service if I was hiding from a government or otherwise wanted to secure my privacy completely.

    Pay now: $79 for 24 months

    How they pitch it: $3.29/mo for 24 months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price might bump up

    Nord is also rocking a countdown clock. The VPN vendors love this kind of involvement device because it helps create a sense of urgency among prospects. It’s kind of Marketing 101, applied to service sales.

    As you can see, I’ve spent quite a bit of time getting to know the service and the company. The deal they’re offering isn’t the best, but six simultaneous connections are generally pretty workable. Overall, the company’s performance was consistent among the VPNs I’ve tested, and you could do worse than choosing this vendor.

    Pay now: $120 for 24 months

    How they pitch it: $4.99/mo for 24 months
    Money-back guarantee: 30 days
    Auto-renew: Yes, the price jumps to $160 for 2 years

    Here’s a note for US-based customers who might be confused. When you click into the company’s promo page for Black Friday, you’re taken to euro-based pricing. Hit the little USD menu item under the middle deal to get dollar-based pricing. Interestingly, they charge the same digits (5.99) in both euros and dollars, but €5.99 is about $6.82, so you’re actually saving money if you buy with dollars.

    As for how many simultaneous connections they allow, I have no idea; I’ve looked all over their site and sent out a query to the company but haven’t heard back. I’ll update this if I find out. Beyond that, the company has been working hard on a speed upgrade, which we reported earlier this year.

    I get a lot of questions about VPNs, and I’ve answered many of them in the articles below. They’re definitely worth your time if you’re on the fence about what a VPN can do for you.


  • Belarus government accused of 'partial responsibility' for Ghostwriter campaigns

    The Belarusian government has been accused of at least “partial responsibility” for Ghostwriter attacks in Europe. 

    While cybersecurity companies often err on the side of caution when it comes to the attribution of threat groups, Mandiant says that it has “high confidence” that Ghostwriter, also linked to UNC1151 activities, is a cybercriminal outfit potentially working on behalf of the country’s government.

    Sanctions were placed on Belarus earlier this year after the forced diversion of a commercial plane into Belarusian airspace to arrest a passenger, the dissident journalist Roman Protasevich. Now, in retaliation, the country’s President Alexander Lukashenko has been accused of engineering a migrant crisis to destabilize the EU. However, it seems that retribution may go further, with the attribution of Ghostwriter to the ruling government. The European Council has previously accused Russia of Ghostwriter involvement.

    According to the cybersecurity researchers, Russian interference cannot be “ruled out,” but other indicators suggest that Belarusian interests are at the heart of the operation, in which government and private sector entities in Ukraine, Lithuania, Latvia, Poland, and Germany are commonly targeted. In addition, Ghostwriter has also been involved in attacks against Belarusian dissidents, media, and individual journalists.

    UNC1151 — active since 2016 — and Ghostwriter once focused on promoting anti-NATO material through phishing, spoofing, and hijacking vulnerable websites. However, from 2020, the groups expanded their operations in attempts to influence Polish politics and to steal sensitive information via credential theft. UNC1151 also targeted Belarusian media outlets and opposition members ahead of the 2020 election, a disputed landslide win. No attacks have been recorded against Russian or Belarusian state entities.

    “Additionally, in several cases, individuals targeted by UNC1151 before the 2020 Belarusian election were later arrested by the Belarusian government,” Mandiant says.

    Many of Ghostwriter’s campaigns are focused on narratives that are anti-NATO. Since mid-2020, the group has spread content accusing NATO of corruption, the military of spreading COVID-19, and of corruption in Lithuanian and Polish politics. The EU has also been criticized in recent campaigns.

    “Ghostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian state television as fact,” the researchers added. “We are unable to ascertain whether this is part of a coordinated strategy or if it is simply Belarusian state TV promoting narratives that are consistent with regime interest and being unconcerned with accuracy.”

  • Ransomware gangs are now rich enough to buy zero-day flaws, say researchers

    Cyber criminals are becoming more advanced as they continue to find new ways to deliver attacks, and some are now willing to buy zero-day vulnerabilities, something more traditionally associated with nation-states.

    Knowledge about vulnerabilities and exploits can command a high price on underground forums, because being able to take advantage of them can be very profitable for cyber criminals. That’s especially so if this involves a zero-day vulnerability that’s not known about by cybersecurity researchers, because attackers know potential victims won’t have had the chance to apply security updates to protect against it.

    For example, in the weeks after Microsoft Exchange vulnerabilities were disclosed earlier this year, cyber criminals rushed to take advantage of them as quickly as possible, in order to benefit from the ability to carry out attacks before the security patches were widely applied.

    Zero-day vulnerabilities are usually deployed by well-resourced, nation-state backed hacking operations – but analysis by cybersecurity researchers at Digital Shadows details how there’s increasingly chatter on dark web message boards about the criminal market for zero-days.

    “This market is an extremely expensive and competitive one, and it’s usually been a prerogative of state-sponsored threat groups. However, certain high-profile cybercriminal groups (read: ransomware gangs) have amassed incredible fortunes in the past years and can now compete with the traditional buyers of zero-day exploits,” said Digital Shadows.

    “States can purchase zero-day exploits in a legal way from companies that are solely dedicated to creating these tools,” Stefano De Blasi, threat researcher at Digital Shadows, told ZDNet. “However, when these tools are developed by cybercriminals outside of the law, it is likely easier to identify clientele from the cybercriminal world; there is however only a handful of cybercriminal actors who could afford the cost of a zero-day exploit”.

    Vulnerabilities like this can cost even millions of dollars, but that’s a price that could be affordable for a successful ransomware group which makes millions from every successful ransomware attack – and they could easily make what they spend back if the vulnerability works as intended by providing a reliable means of infiltrating networks.

    But there’s another method of making money from vulnerabilities being explored, and it’s one which could place them into the hands of less-sophisticated cyber criminals – something known as “exploit-as-a-service”. Instead of selling the vulnerability outright, the cyber criminal who discovered it can lease it out to others. It potentially starts making them money quicker than it would if they went through the complex process to sell it, and they could continue to make money from it for a long time. They also have the option of eventually selling the zero-day if they tire of leasing it.

    “This model enables zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer. Additionally, with this model, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis,” said the report.

    Selling to government-backed hacking groups is still the preferred option for some zero-day developers for now, but a growing interest in exploits like this on underground forums indicates how some cyber criminal groups are approaching the level of state-backed operations.

    “The rise of the exploit-as-a-service business model confirms that the cyber criminal environment is consistently growing both in terms of sophistication and professionalization. Some high-profile criminal groups can now compete in terms of technical skills with state-sponsored actors; many prominent ransomware groups in particular have now amassed enough financial resources to purchase zero-days advertised in illicit environments,” De Blasi explained.

    The nature of zero-day vulnerabilities means defending networks against them is a difficult task, but cybersecurity practices like applying critical security updates as soon as they’re released can stop cyber criminals having a lengthy window to take advantage of vulnerabilities. Organisations should also have a plan for what to do if they discover they’ve been breached.

    “Well drilled and documented incident response strategies can provide crucial in responding to any attacker that may have gained access to a target’s environment,” said De Blasi.

  • Palo Alto Networks updates Prisma Cloud to secure the full app lifecycle

    Embracing the concept of DevSecOps, Palo Alto Networks on Tuesday rolled out Prisma Cloud 3.0, bringing a number of updates to the platform focused on the security of the entire application development lifecycle. That includes infrastructure as code (IaC) security and agentless security.

    Palo Alto launched Prisma Cloud in 2019 as a comprehensive cloud security suite designed to govern access, protect data and secure applications consistently. Offering a comprehensive, integrated security platform has become all the more important in the wake of the COVID-19 pandemic when workforces are increasingly dispersed, Palo Alto’s chief product officer Lee Klarich told reporters. Prisma Cloud attempts to offer consistent network security across campuses, branches, remote offices and anywhere else. People are not just working from home but “increasingly working from anywhere,” Klarich said. “How do we safely enable that construct that is increasingly becoming the norm?”

    Comprehensive cloud security starts in the app development phase, Palo Alto contends. With Cloud Code Security, the company is adding IaC scanning and code fixes directly into developer tools across the development lifecycle. This will help catch misconfigurations in code templates that can lead to thousands of alerts in runtime.

    Meanwhile, Prisma Cloud is unique in offering both agentless and agent-based security built into the same platform, with rules and results managed from a single UI. Agentless Security provides visibility into an organization’s cloud workload and application risks — it’s meant to complement existing agent-based protection. Prisma Cloud 3.0 also expands Cloud Infrastructure Entitlement Management (CIEM) to Microsoft Azure. This builds on already existing functionality available for Amazon Web Services (AWS).

    Palo Alto on Tuesday also unveiled its next-generation CASB (Cloud Access Security Broker) to help organizations safely adopt new SaaS applications. It automatically secures new applications, including collaboration tools. It protects sensitive data in real-time using machine learning, natural language processing and optical character recognition.

    Palo Alto also announced the first specialization for its NextWave Managed Service Program. The new specialization focuses on Cortex XDR, Palo Alto Networks’ extended detection and response service that natively integrates network, endpoint and cloud data.

    The NextWave Managed Service Program (MSP) includes close to 300 partners worldwide that help Palo Alto customers get the most out of their investments. The program provides partners with the tools, training, incentives and resources to promote the adoption of Palo Alto Networks-based managed services. With the Cortex eXtended Managed Detection and Response (XMDR) specialization, customers should get help streamlining security operations center (SOC) operations and mitigating cyber threats. To achieve the new specialization status, partners must have Cortex XDR-certified SOC analysts/threat hunters on staff and be available around the clock.

  • The US government just launched a big push to fill cybersecurity jobs, with salaries to match


    The US Department of Homeland Security, a key cybersecurity agency, has just announced a new system that will help it recruit, develop and retain cybersecurity pros in the federal government. The DHS’s new recruitment system, dubbed the Cybersecurity Talent Management System (CTMS), launches amid a tight labor market for cybersecurity professionals who are in extremely high demand and can therefore command big salaries.

    DHS is just one federal department, but it plays a special role in responding to major cyberattacks on US critical infrastructure. It hopes the new system will help it hunt for and keep talent for mission-critical roles, with the aim of hiring 150 priority roles across 2022.

    “CTMS will enable DHS to fill mission-critical cybersecurity positions by screening applicants based on demonstrated competencies, competitively compensating employees, and reducing the time it takes to be hired into the department,” it said.

    The first roles to be filled using CTMS will be “high-priority” jobs at CISA and the DHS Office of the chief information officer. Then in 2022, DHS Cybersecurity Service jobs will be available across several DHS agencies with a cybersecurity mission, says DHS. The CTMS salary range has an upper limit of the vice president’s salary ($255,800 in 2021), plus an extended range for use in limited circumstances, which has an upper limit of $332,100 in 2021.

    DHS is currently recruiting for a variety of cybersecurity roles, including incident response, risk analysis, vulnerability detection and assessment, intelligence and investigation, networks and systems engineering, forensics, and software assurance.

    The CTMS “fundamentally re-imagines how the Department hires, develops, and retains top-tier and diverse cybersecurity talent,” says secretary of Homeland Security, Alejandro N. Mayorkas. “As our nation continues to face an evolving threat landscape, we cannot rely only on traditional hiring tools to fill mission-critical vacancies. This new system will enable our department to better compete for cybersecurity professionals and remain agile enough to meet the demands of our critical cybersecurity mission.”

    The Biden-Harris administration made cybersecurity a priority at an early stage, for example, by appointing the US’s first deputy national security advisor for cyber, Anne Neuberger, who led federal investigations into the SolarWinds and Exchange attacks. DHS, in particular its Cybersecurity and Infrastructure Security Agency, or CISA, was given an elevated cybersecurity role too, via Biden’s cybersecurity executive order.

  • Emotet, once the world's most dangerous malware, is back

    Emotet, once described as “the world’s most dangerous malware” before being taken down by a major international police operation, is apparently back – and being installed on Windows systems infected with TrickBot malware.

    Emotet malware provided its controllers with a backdoor into compromised machines, which could be leased out to other groups, including ransomware gangs, to use for their own campaigns. Emotet also used infected systems to send automated phishing emails to increase the size of the botnet – before it was taken out in January this year.


    Dismantling the botnet was one of the most significant disruptions of cyber-criminal operations in recent years, as law enforcement agencies around the world – including Europol and the FBI – worked together to gain control of hundreds of Emotet servers that controlled millions of PCs infected with malware. A specially crafted killswitch update created by investigators effectively uninstalled the botnet from infected computers in April.

    But now researchers from a number of cybersecurity companies have warned that Emotet has returned. Another malware botnet, TrickBot – which became the go-to for many cyber criminals following the January takedown – is being used to install Emotet on infected Windows systems.

    “We observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification,” Luca Ebach, security researcher at G Data, a German cybersecurity company, wrote in a blog post. “Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet,” he added.

    Cybersecurity researchers from AdvIntel, Cryptolaemus and others have also confirmed that this does look like the return of Emotet, which appears to be using a different encryption technique from the one that was previously seen. Currently, Emotet isn’t attempting to redistribute itself, instead relying on TrickBot to spread new infections – but it does indicate that those behind Emotet are trying to get the botnet up and running again.

    “The relationship between this new variant and the old Emotet shows code overlap and technique overlap,” James Shank, chief architect of community services and senior security evangelist at Team Cymru, a cybersecurity company that was among those that helped disrupt Emotet in January, told ZDNet in an email.

    “It will take some time to see how Emotet rebuilds, and whether it can become the ‘world’s most dangerous malware’ again. You can be sure that those that helped to take it down the first time are keeping watch. It doesn’t come as a surprise that Emotet resurfaced. In fact, more may wonder why it took so long,” he added.

    Cybersecurity researchers have provided a list of command and control servers network administrators can block to help prevent Emotet infections. In order to protect systems from falling victim to Emotet, Trickbot and other malware loaders, it’s recommended that security patches are applied when they’re released to prevent cyber criminals exploiting known vulnerabilities, and that users are made aware of the dangers of phishing emails.

  • This new attack bypasses Rowhammer defenses in most DRAM, say researchers

    Researchers have revealed a new type of Rowhammer attack on DRAM devices that can reliably bypass mitigations implemented by vendors after the first such attacks emerged in 2014. 


    Data in Dynamic RAM (DRAM) is stored in grids of memory cells. Rowhammer attacks work by rapidly and repeatedly accessing one memory row so that the resulting electrical disturbance leaks charge from adjacent rows, modifying or corrupting the data stored there.

    The latest Rowhammer attack seeks to bypass Target Row Refresh (TRR) mitigations that the DRAM industry added to modern RAM cards in response to the first Rowhammer attack in 2014. The researchers from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm ran their attack – via a fuzzer called Blacksmith, available on GitHub – against various proprietary TRR implementations in 40 DRAM devices. The technique allowed them to quickly discover ways to cause bit flips in all of them.

    “This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across VMs in the cloud, and even over the network,” the group said. “All currently deployed mitigations are insufficient to fully protect against Rowhammer. Our novel patterns show that attackers can more easily exploit systems than previously assumed,” they warned.

    The 40 devices were from memory vendors Samsung, Micron, SK Hynix, as well as two more vendors that didn’t agree to have their names published in the research.

    “TRR aims to detect rows that are frequently accessed (i.e., hammered) and refresh their neighbors before their charge leak results in data corruptions,” the researchers explain in a new paper. While TRR for the most part works when detecting even multiple aggressor rows being hammered frequently, the researchers note that past Rowhammer attacks “always access aggressors uniformly”. TRR in this sense does create a cost problem for attackers because the space to search for non-uniform patterns that can bypass the mitigation is “huge”, the researchers explain.

    Their answer was to run the Blacksmith fuzzer for 12 hours on sampled DDR4 DRAM devices in order to discover and build non-uniform patterns that expose weaknesses in TRR implementations designed to look for various uniform patterns. “Thereafter, we swept the best pattern (based on the number of total bit flips triggered) over a contiguous memory area of 256 MB and report the number of bit flips,” they explain in a blogpost.

    The technique enabled them to use these non-standard patterns to trigger bit flips in all 40 DRAM devices. In some cases, the technique uncovered several thousand bit flips within seconds. This type of Rowhammer attack targeting TRR is likely to get more powerful in future. The group says it is working with Google to fully integrate the Blacksmith fuzzer into an open-source FPGA Rowhammer-testing platform.

    The researchers’ findings are being tracked as CVE-2021-42114. The researchers have discussed their findings with Intel and Google, which separately this week launched a new open-source Rowhammer Tester platform.