

10/28/2010
01:25 PM

Social Networks' Threat To Security

Weak passwords and insecure personal information could put your company's data at risk.

Not Their Business

Don't hold your breath waiting for social network operators to help. All the major sites--Facebook, MySpace, Twitter, LinkedIn--have the same minimum password length of six characters. And password complexity checks are few and far between. Facebook and LinkedIn have no complexity checks. For MySpace, some complexity checking is enabled; however, users can enter a password of "123456." Twitter has a basic complexity check based on a static word list that's viewable through the HTML source of the login page. You can't use "password1," but "1password" is OK.

Most social networks have implemented Captchas to prevent brute forcing of user accounts. However, there are some exceptions to that rule. Several social networks don't use Captchas for the mobile versions of their Web sites, most likely because they're a nuisance for mobile users.

On Facebook, after three failed login tries, the user is presented with a Captcha. Solve it and you get three more attempts. Facebook's mobile Web site has no Captcha protection; however, after 10 failed login attempts, the account is locked for a period of time, after which the user can try a single login again. This could be scripted to create a slow brute-force attack.

MySpace allows 10 failed login attempts, after which the user is presented with a Captcha. The MySpace mobile Web site uses an identical control. Twitter allows three failed login attempts and then presents a Captcha. Twitter's mobile site has no Captcha protection in place, so user accounts can be brute forced. LinkedIn users only get one failed login attempt before being presented with a Captcha. The LinkedIn mobile site has a Captcha presented at first login. Before you feel warm and fuzzy toward LinkedIn, however, remember it lacks in other areas, such as password complexity checks.

Bottom line, there is little consistency among social networks regarding common security controls.

20 Most Common Passwords
1: 123456
2: 12345
3: 123456789
4: password
5: iloveyou
6: princess
7: rockyou
8: 1234567
9: 12345678
10: abc123
11: Nicole
12: Daniel
13: babygirl
14: monkey
15: Jessica
16: lovely
17: Michael
18: Ashley
19: 654321
20: qwerty

You can help employees mitigate many of these risks by simply following basic password creation and management guidelines. Encourage them to choose complex passwords that contain letters, numbers, and special characters, and are at least 12 characters long. Longer is always better. Passwords shouldn't be guessable simply from the personal information on the user's social network profile.

Encourage the use of a unique password for every Web site and internal service. Push the use of passphrases over passwords. Passphrases are generally easier to remember and harder to brute force. For example, take a phrase like, "I have three favorite authors at the library." Either use the entire phrase or break it up to be: "[email protected]"
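An added example, not code from the article or any of the sites it reviews: a Python policy check that enforces the guidance above (12-character minimum, mixed character classes, nothing taken from the user's public profile) and blocks the article's 20 most common passwords by substring rather than exact match, so that a word-list check of the kind described for Twitter cannot be bypassed by moving the digit ("1password" fails along with "password1"). The `profile_terms` argument and the test passwords are constructed for illustration.

```python
import re

# The 20 most common leaked passwords from the article's list, used as a blocklist.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}

MIN_LENGTH = 12  # the article's recommended minimum length


def check_password(password, profile_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    profile_terms (assumed, constructed input): strings visible on the user's
    public profile, e.g. name, pet, employer, birth year, that the password
    must not be built from.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Count distinct character classes present: lower, upper, digit, other.
    classes = [
        re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than three character classes")

    # Substring match, not equality: a static word list that only rejects an
    # exact "password1" lets "1password" through. This rejects both.
    hits = [w for w in COMMON_PASSWORDS if w in lowered]
    if hits:
        problems.append("contains common password %r" % sorted(hits)[0])

    # Anything an onlooker can read off the profile is off limits as well.
    for term in profile_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains profile information %r" % term)

    return problems
```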

That brings us to our top recommendation: Encourage employees to use a password manager. There are some very good and easy-to-use systems available, many of them free. You need a complex password to open the application, which then auto-generates complex and unique passwords and stores them securely. Two popular password managers are KeePass (free) for Windows, Linux, and OS X, and 1Password (commercial) for Windows and OS X systems. Both can be used on mobile devices like the iPhone. It's important to make clear that you're not talking about the password managers in Web browsers.

Finally, ensure users regularly review the privacy settings on their social network profiles. Social networks in general initially set privacy settings to defaults that let anyone view information. Visit SocialMediaSecurity.com for guides and other information on how to properly configure these settings.

Tom Eston is a senior security consultant for SecureState, which provides attack and penetration testing services. Write to us at [email protected].
