
How secure is icloud and other cloud options, and should we be complacent?

crowd pleaser (Member, joined Mar 18, 2011)
I use Hotmail and GMX.

Last night, just before going to bed, I got a load of 'failed delivery' messages, many for old defunct email addresses. I checked the 'SENT' box in Outlook: nothing showing, ditto for the iPad and iPhone. I went directly into Hotmail and there were the multiple messages in the 'sent' folder. All had the subject of Hi or Hello followed by the first name; the 'bot' had used BCC so they were made to look like individual communications, so pretty sophisticated.

OK, genius level not required, I now know my email account has been tampered with, but fortunately not on my laptop or Apple devices. I immediately changed the password and sent warning emails to recipients.

When I checked the message content, it was a link to a website. Now, that site may very well have viruses or worms, but I'm guessing this attack is being used to increase hit rates and so site revenues from advertising. If so, this is the first time it's come to my attention.

To their credit, the Hotmail software did spot the suspicious activity and froze my account, but this was after 15 hours; I had to replace my password again to regain access.

I had a very tricky password, so the fairly clever way this was done brought into focus the possibilities of more sensitive data being accessed in iCloud (or other cloud storage options). To be honest, given Sony's and other big-name sites' recent security problems, it severely unsettles my confidence in this new and growing mode of storage.

For me the NAS drive remains my preferred backup option.
 
If your tricky password has anything close to a real word in it, it isn't secure. You need a minimum of 10 characters in a random order. The characters should consist of at least 2 numbers, and hopefully the system storing the password respects case sensitivity. This gives you 8.39 to the 17th power of combinations. And even if they did a brute force attack at 100 combos a second, it would require a minimum of 88.7 million years (for those doing the full math, that is 1/3rd the total time; I am allowing the hacker to get "lucky").

Anything short of that is simply asking to be hacked ;)
 
There is actually no reason to add upper case or numbers to passwords. Lower case alpha is fine. It's interesting if you exclude real words however, since that exclusion actually reduces the number of truly random combinations....

Humans decided to add upper case and numbers to passwords in an attempt to obfuscate passwords because users refuse to use random characters, since they cannot remember them.

Thus we use passwords like Four5quare and think we are safe.... Where kfpnxeoshr is several orders of magnitude safer...
 
There is actually no reason to add upper case or numbers to passwords. Lower case alpha is fine. It's interesting if you exclude real words however, since that exclusion actually reduces the number of truly random combinations....

I'll address both of those points.

1) You couldn't be more wrong about numeric and lower vs upper. Every top level security official in IT, DoD and Cryptography will tell you that as a fact.

2) The leading cause of password failure is dictionary based attacks, which is why using multiple numeric characters is recommended.

Look I know the reality of password hacking. If someone does a truly random password using only 6 characters using 62 different characters for each position, at 100 attempts a second it would take 16 years to try every combo. Which means it will take roughly 5 years getting lucky. Long before then an intrusion detection system will have fired off.

But here is the reality. People don't use a different password for every website and other critical login. They use one because, as you pointed out, they simply can't remember enough to make them all different. So only ONE site they use has to be compromised. The hacker downloads the user list with all the passwords. Let's say the person that stores that password list only uses MD5 hashing to encrypt the password (btw, that is the leading way on most non-critical websites). Now all they have to do is figure out what the rules were set at for the password that was created. Then real damage can be done. Let's look at the numbers.

First we have removed the intrusion detection system. Second we have removed the number of tries per second that were a limit of how fast the internet could do the data. We are generating the raw MD5 hashes and then testing to compare to the existing batch we have stolen.

So instead of 100 a second it ramps up to around 1,000,000 a second on current i7 quad cores. That means my last example doesn't take 5 years to fail. It fails in 17 hours trying every possible combo. So using only your 10 character long password with only lower case with no numerics now fails in 4.47 years. If they want it to fail even faster all they have to do is add 10 computers to the process. Now your password fails in 163 days no matter what. If they get lucky it fails in a mere 54 days.

Now where does that put my 10 character long password using 62 different characters at ten million guesses a second? It will take 2,661 years to try every combo. Or 887 years if they get lucky. That means they have to throw well over 1000 of these systems at the problem before my password gets into even remote trouble.

The math proves your statement as completely bogus. And we didn't even have to bother asking the experts.

Just a heads up. I am DoD trained on cryptography. Now granted it was back in the late 80s so my training is now a minimum of 21 years out of date. But I am pretty sure the rules haven't changed much. Only the power of the computers now being used to hack and newer algorithms being used to protect.
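To put the thread's arithmetic side by side, here is an added Python example (written for this page, not code from any poster) that computes the keyspace and exhaustion time for the cases argued above: the 62^10 figure from the earlier reply and Skull One's 100/s online, 1,000,000/s offline-MD5 and ten-machine scenarios, with the "lucky" case taken as one third of the space as the thread does. The final "slow hash" rate of 10,000/s is an assumption of the example, not a figure from the thread.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # calendar year, as the thread's figures assume

# Character-set sizes from the thread: lower-case only vs upper+lower+digits.
LOWER = 26
MIXED = 26 + 26 + 10  # 62

# Guess rates quoted in the thread (constructed figures, not measurements).
ONLINE_RATE = 100              # guesses/s against a rate-limited login form
OFFLINE_MD5_RATE = 1_000_000   # raw MD5 hashes/s per quad-core box, per the post


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, rate: float, machines: int = 1) -> float:
    """Years to try every combination at `rate` guesses/s on `machines` boxes."""
    return keyspace(charset_size, length) / (rate * machines) / SECONDS_PER_YEAR


def years_if_lucky(charset_size: int, length: int, rate: float, machines: int = 1) -> float:
    """The thread's 'lucky' attacker: a hit after one third of the space."""
    return years_to_exhaust(charset_size, length, rate, machines) / 3


def scenarios() -> dict:
    """The cases argued in the thread, plus one with a deliberately slow hash."""
    return {
        "6 mixed, online 100/s":            years_to_exhaust(MIXED, 6, ONLINE_RATE),
        "6 mixed, offline MD5, 1 box":      years_to_exhaust(MIXED, 6, OFFLINE_MD5_RATE),
        "10 lower, offline MD5, 1 box":     years_to_exhaust(LOWER, 10, OFFLINE_MD5_RATE),
        "10 lower, offline MD5, 10 boxes":  years_to_exhaust(LOWER, 10, OFFLINE_MD5_RATE, 10),
        "10 mixed, offline MD5, 10 boxes":  years_to_exhaust(MIXED, 10, OFFLINE_MD5_RATE, 10),
        # Assumed: a password hash tuned to ~10,000/s on the same hardware
        # (a slow KDF instead of bare MD5) multiplies every offline figure by 100.
        "10 lower, slow hash 10k/s, 1 box": years_to_exhaust(LOWER, 10, 10_000),
    }


if __name__ == "__main__":
    for name, years in scenarios().items():
        print(f"{name:36s} {years:12.2f} years  ({years * 365:.0f} days)")
    print(f"10 lower-case: {entropy_bits(LOWER, 10):.1f} bits; "
          f"10 mixed: {entropy_bits(MIXED, 10):.1f} bits")
```

The last row is the defender's lever the thread only hints at with its MD5 remark: the site's choice of hash cost, not the user's password alone, sets the offline guess rate.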
 
Skull One, all I can say is.... WOW!!!
 
+1

Oops! Should I have encrypted that?

Stunning explanation and unexpected, with my sincere many thanks. If only my maths teacher had been anywhere near as clear, I'd be more educated on the subject.

I've worked in an electronic security field for most of my life, so I appreciate strong passwords. I had used 9 characters including numeric, upper and lower case text. I used real words (in my trade) which were readable to the eye in a graphic sense but were spelt wrong by transposing characters, for example z for 2, @ for a.

My guess is that, due to the processing power and time needed in your examples and the website's sentry software stopping multiple attempts, they must have another way other than breaking a password by sequenced tries, as in your example of traditional code breaking.

Please excuse my lack of knowledge. With most sites, both GMX and Hotmail, you have to enter your user name and password from the web, so that is open to theft via a key logging program.

Outlook stores user name and password in a 'known to hackers' place somewhere, for a 'bot' to discover and, say, feed back an encrypted file; the hacker then uses software at his leisure, free of any multi-attempt site detection, to break it.

So which is the safest option to access mail and cloud services with?

I'm with BT, who supply the 'Netsecure' software suite free, made by McAfee. The BT 2Wire router has the firewall enabled.

All of the above seems a heck of a lot of effort just to post a link to a site to all my contacts, perhaps done as a joke or demonstration of 'because I can' nerds' self hero worship. I don't even know if it was malicious or not - this time!

While I was previously fairly confident of my security, this problem has made me very sensitive, and that is the reason for me starting the thread.
 
So which is the safest option to access mail and cloud services with?

The answer to that question is very frightening.

There isn't one.


All they can do is try to close all the "obvious" electronic holes. But here is the reality. An employee from the company can be the weakest link and no matter how much training you give them, they can fail. The best example I can give you is to overload the employee in question with a con. Use a three man team. Two people in person, one person on the phone. The first guy starts an "issue". Just as the issue comes to a head, you have the phone caller dial in and now add pressure. The third person walks up and says the exact words used by everyone else in the office to ask a simple and very innocuous question on the surface, but because it is a key piece to a larger puzzle, it doesn't register to the person being asked. They answer. You now have one more piece of info to work with for your hack. It is called social engineering at its finest. And sadly, I have seen the effects of it first hand.

I am not trying to scare you off of computers. But you can only do your part in the security chain. Strong passwords. After that you are at the mercy of the weakest link from then on out. Humanity.
 
Perhaps the one-way logins are in their last throes.

I'm thinking along the lines that we will need a small device like banks use: before you are allowed to do anything, you first have to respond by entering a code generated from that site into the device, then enter the corresponding confirmation code back to the site.

That, I think, could stop these sorts of intrusions and misuses, performed either by direct server attempts or by key-logged and worm attempts using info stolen from a PC, in their tracks.

Maybe more attractive to serious and business users who really need better security, as many more lazy users won't care for the extra inconvenience.
 