Dark Reading is part of the Informa Tech Division of Informa PLC

Vulnerabilities / Threats

10/28/2010
01:25 PM

Social Networks' Threat To Security

Weak passwords and insecure personal information could put your company's data at risk.

Not Their Business

Don't hold your breath waiting for social network operators to help. All the major sites--Facebook, MySpace, Twitter, LinkedIn--have the same minimum password length of six characters. And password complexity checks are few and far between. Facebook and LinkedIn have no complexity checks. For MySpace, some complexity checking is enabled; however, users can enter a password of "123456." Twitter has a basic complexity check based on a static word list that's viewable through the HTML source of the login page. You can't use "password1," but "1password" is OK.

Most social networks have implemented Captchas to prevent brute forcing of user accounts. However, there are some exceptions to that rule. Several social networks don't use Captchas for the mobile versions of their Web sites, most likely because they're a nuisance for mobile users.

On Facebook, after three failed login tries, the user is presented with a Captcha. Solve it and you get three more attempts. Facebook's mobile Web site has no Captcha protection; however, after 10 failed login attempts, the account is locked for a period of time, after which the user can try a single login again. This could be scripted to create a slow brute-force attack.

MySpace allows 10 failed login attempts, after which the user is presented with a Captcha. The MySpace mobile Web site uses an identical control. Twitter allows three failed login attempts and then presents a Captcha. Twitter's mobile site has no Captcha protection in place, so user accounts can be brute forced. LinkedIn users only get one failed login attempt before being presented with a Captcha. The LinkedIn mobile site has a Captcha presented at first login. Before you feel warm and fuzzy toward LinkedIn, however, remember it lacks in other areas, such as password complexity checks.

Bottom line, there is little consistency among social networks regarding common security controls.
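The lockout behaviour described above (a Captcha or lockout after a handful of failures, then one attempt per lockout period) is exactly what a detection rule should watch for on the defending side. The Python below is an added example, not code from the article or from any of the sites it names: it parses constructed authentication-log lines, and flags an account either for a burst of failures inside one window or for a "low and slow" pattern whose per-window count never reaches the lockout trigger but whose total and time span are still abnormal. The log line format, the thresholds (10 failures per 30 minutes, mirroring the 10-attempt lockout quoted above) and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed for this example; tune to your own lockout policy).
WINDOW = timedelta(minutes=30)      # sliding window for the burst detector
BURST_THRESHOLD = 10                # failures inside one window (mirrors a 10-try lockout)
SLOW_MIN_FAILURES = 20              # total failures that warrant a look even when spread out
SLOW_MIN_SPAN = timedelta(hours=1)  # ...provided they stretch over at least this long

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse a constructed line '<ts> <site> <event> user=<u> src=<ip>' into a dict.

    Returns None for lines that do not match, so malformed input is skipped
    rather than crashing the analysis.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, site, event, user_kv, src_kv = parts
    try:
        when = datetime.strptime(ts, LOG_FORMAT)
    except ValueError:
        return None
    return {"when": when, "site": site, "event": event,
            "user": user_kv.partition("=")[2], "src": src_kv.partition("=")[2]}


def max_failures_in_window(times, window=WINDOW):
    """Largest number of timestamps that fall inside any span of length `window`.

    Two-pointer sweep over the sorted timestamps: O(n log n) for the sort, O(n) after.
    """
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    """Map each account to a finding ('burst_bruteforce' / 'slow_bruteforce'), if any."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "login_failed":
            failures[rec["user"]].append(rec["when"])

    findings = {}
    for user, times in failures.items():
        peak = max_failures_in_window(times)
        span = max(times) - min(times)
        if peak >= BURST_THRESHOLD:
            findings[user] = "burst_bruteforce"
        elif len(times) >= SLOW_MIN_FAILURES and span >= SLOW_MIN_SPAN:
            # Never trips the lockout counter, but far too many failures overall.
            findings[user] = "slow_bruteforce"
    return findings


def sample_log():
    """Constructed log lines for the example (not real traffic)."""
    base = datetime(2010, 10, 28, 13, 0, 0)
    lines = []
    # alice: 12 failures in two minutes from one address -> classic burst.
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).strftime(LOG_FORMAT)
        lines.append(f"{ts} mobile login_failed user=alice src=203.0.113.5")
    # bob: 24 failures spaced 31 minutes apart -> one try per lockout period.
    for i in range(24):
        ts = (base + timedelta(minutes=31 * i)).strftime(LOG_FORMAT)
        lines.append(f"{ts} mobile login_failed user=bob src=198.51.100.7")
    # carol: two typos, then a successful login -> benign.
    for i, event in enumerate(["login_failed", "login_failed", "login_ok"]):
        ts = (base + timedelta(seconds=20 * i)).strftime(LOG_FORMAT)
        lines.append(f"{ts} www {event} user=carol src=192.0.2.9")
    return lines


if __name__ == "__main__":
    for user, finding in sorted(analyze(sample_log()).items()):
        print(f"{user}: {finding}")
```

The burst rule alone would miss bob entirely, because no 30-minute window ever holds more than one failure; the second rule is what turns the article's "slow brute-force" observation into something an analyst will actually be alerted on.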

20 Most Common Passwords
1: 123456
2: 12345
3: 123456789
4: password
5: iloveyou
6: princess
7: rockyou
8: 1234567
9: 12345678
10: abc123
11: Nicole
12: Daniel
13: babygirl
14: monkey
15: Jessica
16: lovely
17: Michael
18: Ashley
19: 654321
20: qwerty

You can help employees mitigate many of these risks by simply following basic password creation and management guidelines. Encourage them to choose complex passwords that contain letters, numbers, special characters, and are at least 12 characters. Longer is always better. Passwords shouldn't be able to be guessed simply by looking at the personal information on the user's social network profile.

Encourage the use of a unique password for every Web site and internal service. Push the use of passphrases over passwords. Passphrases are generally easier to remember and harder to brute force. For example, take a phrase like, "I have three favorite authors at the library." Either use the entire phrase or break it up to be: "[email protected]"
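The two weaknesses called out above (a 6-character minimum, and a static word list that blocks "password1" but lets "1password" through) and the guidance that follows (12+ characters, mixed character classes, nothing guessable from a profile, passphrases welcome) can be turned into one policy check. The Python below is an added example written for this page, not code from the article or from any social network: its common-password set is the article's own 20-entry list (a real deployment would load a large breach-derived list), and the reason codes, the `profile_terms` parameter and the substring rule are assumptions made for the example.

```python
import re

# The 20 entries from the article's list (constructed here as a stand-in for a
# full breach-derived word list).
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}

MIN_LENGTH = 12    # the article's recommended minimum
MIN_SUBSTRING = 6  # common entries at least this long are also rejected when embedded


def _core(password):
    """Lowercase and strip non-letter padding from both ends, so that
    'password1', '1password' and '!Password!' all reduce to 'password'.
    This is what a plain static-list comparison misses."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def check_password(password, profile_terms=(), common=COMMON_PASSWORDS):
    """Return a list of reason codes; an empty list means the password is acceptable.

    profile_terms: words visible on the user's public profile (name, pet, city...)
    that the password must not contain.  Assumed parameter for this example.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if not re.search(r"[A-Za-z]", password):
        reasons.append("missing_letter")
    if not re.search(r"[0-9]", password):
        reasons.append("missing_digit")
    if not re.search(r"[^A-Za-z0-9]", password):   # spaces count as special, so passphrases pass
        reasons.append("missing_special")

    lowered = password.lower()
    core = _core(password)
    if (lowered in common or core in common
            or any(len(w) >= MIN_SUBSTRING and w in lowered for w in common)):
        reasons.append("common_password")

    for term in profile_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            reasons.append("contains_profile_term")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ["1password", "password1", "I have 3 favorite authors @ the library"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
    print(check_password("Nicole&Daniel2010!!", profile_terms=["Nicole"]))
```

Note that the passphrase built from the article's sentence passes every check without any leetspeak substitutions: length does the work, which is the point of pushing passphrases over short, "complex" passwords.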

That brings us to our top recommendation: Encourage employees to use a password manager. There are some very good and easy-to-use systems available, many of them free. You need a complex password to open the application, which then auto-generates complex and unique passwords and stores them securely. Two popular password managers are KeePass (free) for Windows, Linux, and OS X, and 1Password (commercial) for Windows and OS X systems. Both can be used on mobile devices like the iPhone. It's important to make clear that you're not talking about the password managers in Web browsers.

Finally, ensure users regularly review the privacy settings on their social network profiles. Social networks in general initially set privacy settings to defaults that let anyone view information. Visit SocialMediaSecurity.com for guides and other information on how to properly configure these settings.

Tom Eston is a senior security consultant for SecureState, which provides attack and penetration testing services. Write to us at [email protected].
