Tuesday, March 6, 2012

Hackers Get Into Protected Systems Because Passwords Are Too Easy To Guess

SAN FRANCISCO (CNNMoney) -- The number one way hackers get into protected systems isn't through a fancy technical exploit. It's by guessing the password.

That's not too hard when the most common password used on business systems is "Password1."

There's a technical reason for Password1's popularity: It's nine characters long and mixes an upper-case letter, lower-case letters and a number. That satisfies the complexity rules for many systems, including the default settings for Microsoft's (MSFT, Fortune 500) widely used Active Directory identity management software, whose "password must meet complexity requirements" policy asks for characters from at least three of four classes (upper case, lower case, digits, symbols) but says nothing about whether the result is a dictionary word with a digit bolted on.

Security services firm Trustwave spotlighted the "Password1" problem in its recently released "2012 Global Security Report," which summarizes the firm's findings from nearly 2 million network vulnerability scans and 300 recent security breach investigations.

Around 5% of passwords involve a variation of the word "password," the company's researchers found. The runner-up, "welcome," turns up in more than 1%.

Easily guessable or entirely blank passwords were the most common vulnerability Trustwave's SpiderLabs unit found in its penetration tests last year on clients' systems. The firm set an assortment of widely available password-cracking tools loose on 2.5 million passwords, and successfully broke more than 2.1 million of them.

Verizon came up with similar results in its 2012 Data Breach Investigations Report, one of the security industry's most comprehensive annual studies. The full report will be released in several months, but Verizon (VZ, Fortune 500) previewed some of its findings at this week's RSA conference in San Francisco.

Exploiting weak or guessable passwords was the top method attackers used to gain access last year. It played a role in 29% of the security breaches Verizon's response team investigated.

Verizon's scariest finding was that attackers are often inside victims' networks for months or years before they're discovered. Less than 20% of the intrusions Verizon studied were discovered within days, let alone hours.

Even scarier: Few companies discovered the breach on their own. More than two-thirds learned they'd been attacked only after an external party, such as a law-enforcement agency, notified them. Trustwave's findings were almost identical: Only 16% of the cases it investigated last year were internally detected.

So if your password is something guessable, what's the best way to make it more secure? Make it longer. Every additional character multiplies the number of guesses an attacker has to try, which does far more than swapping a letter for a symbol in a word that is already on every cracking list.
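As an added illustration (not code from the CNNMoney article, Trustwave or Microsoft), the Python below shows why "Password1" sails through an approximation of the default Windows complexity rule, how a banned-word check that strips the digit-and-symbol decorations catches it anyway, and how keyspace grows with length versus character classes. The weak-word list and the 12-character minimum are assumptions made for the example, not figures from the report.

```python
import math
import re

# Constructed list of weak base words for this example. The article names
# "password" and "welcome" as the most common; the others are assumptions,
# not Trustwave's published list.
WEAK_BASE_WORDS = {"password", "welcome", "letmein", "qwerty"}

# Assumed policy for the example: favor length over character classes.
MIN_LENGTH_POLICY = 12


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return sum((has_upper, has_lower, has_digit, has_symbol))


def meets_windows_complexity(pw: str, min_length: int = 7) -> bool:
    """Approximation of the default 'password must meet complexity requirements'
    rule: at least min_length characters and at least three of the four classes.
    The real policy also rejects passwords containing the account name; that
    check is omitted here."""
    return len(pw) >= min_length and char_classes(pw) >= 3


def base_word(pw: str) -> str:
    """Strip the decorations people add to satisfy complexity rules (leading and
    trailing digits/symbols) and lowercase the rest: 'Password1!' -> 'password'."""
    return re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()


def is_weak_base(pw: str) -> bool:
    """True if the password is a known weak word once the decorations are gone."""
    return base_word(pw) in WEAK_BASE_WORDS


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace an attacker must exhaust for a random password of
    the given length drawn from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def evaluate(pw: str) -> dict:
    """Compare the legacy complexity verdict with a length-plus-banlist policy."""
    return {
        "meets_complexity": meets_windows_complexity(pw),
        "weak_base_word": is_weak_base(pw),
        "accept": len(pw) >= MIN_LENGTH_POLICY and not is_weak_base(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1", "Welcome1!", "password", "rain on the bay bridge tonight"):
        print(f"{candidate!r}: {evaluate(candidate)}")
    # 8 random printable-ASCII characters vs 16 random lowercase letters
    print("8 chars, 95-symbol alphabet:", round(brute_force_bits(8, 95), 1), "bits")
    print("16 chars, 26-symbol alphabet:", round(brute_force_bits(16, 26), 1), "bits")
```

Running it shows "Password1" passing the complexity rule while failing the banned-word check, and a 16-letter lowercase string presenting a larger brute-force space than 8 characters drawn from the full printable set, which is the "make it longer" point in numbers.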

Read More From CNN Money

Movie Theatre No Longer Allowing Children In "R" Rated Films Even If Accompanied By A Parent

CHICAGO (WBBM) – It’s an unprecedented move in the Chicago area. Starting Saturday, the Classic Cinema chain will no longer allow children under age six into “R” rated movies. This includes theatres in 13 locations and 100 screens.

“Our reaction from the public has been about 98 percent positive,” said Classic Cinemas’ marketing manager Mark Mazrimas.

An email went out to all subscribers of the family-owned, independent Classic Cinemas, stating that it would be changing its "R" rated policy to exclude all children under age six. In addition, children ages six to eleven will be charged full-price adult fares.

The decision came about after the holidays, when Classic Cinemas was showing "The Girl With the Dragon Tattoo" and parents brought their small children to the theatre.

Mazrimas said Classic Cinemas wants to give movie-goers a distraction-free environment, and young children tend to get bored with R rated films and can act out.

“R” rated films are limited to those aged 17 and up, unless they are accompanied by a parent or guardian.

Read More From CBS Chicago

WWII Medal Of Honor Recipient Dies At The Age Of 92

Mother Shielding Children From Tornadoes Loses Legs