Main security threats

Brute force

../_images/password-breaking-time-calculator.png

Fig. 1 Time to brute force a password as a function of length and complexity. Credit: http://www.yourdestinationnow.com/2020/07/brute-force-password-guessing-picture.html

../_images/password-cracking.jpeg

Fig. 2 Same as Fig. 1. Credit: Hive Systems with data sourced from https://HowSecureIsMyPassword.net

Examples of hacked passwords

mt8CIe0Qhh

eisenach!

123avier123

avier123a12345678910

Kraz2kriz

alaska2.

12345678910

04DI32609

ag.53yf

Kraz2kriz

firebird14

04IE69422

../_images/top-passwords-2015-19.png

Fig. 3 The 2019 annual SplashData password survey revealed the most common passwords from 2015 to 2019.

Credential stuffing

Traffic Interception (http, unsecured Wi-Fi)

../_images/w3techs_survey_certificate.png

Fig. 4 Percentage of websites using security certificates. Source https://W3techs.com

Social engineering

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information (source Wikimedia).

Phishing example

../_images/phishing_link.png

Fig. 5 Always hover over the link to reveal its destination before clicking.

../_images/phishing_from.png

Fig. 6 Check the email address of the sender (not just the displayed name).

../_images/phishing_to.png

Fig. 7 Also check whether the email was sent to you or to a list of people that is totally irrelevant.

Checking an email header

../_images/show_header_of_mail.png

Fig. 8 Show the raw header of an email on the Zimbra webmail.

../_images/phishing_header_of_mail.png

Fig. 9 Carefully inspect the origin of the email.
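The checks from Figs. 6, 7 and 9 (sender name versus real address, recipient list, and the origin host in the topmost Received line) can be automated. The following is an added example, not part of the original page or of any Zimbra tooling; the message, mailbox, organisation domain, hosts and IP address are all constructed placeholders.

```python
import email
import re
from email.utils import getaddresses, parseaddr

MY_ADDRESS = "alice@example.org"   # assumed recipient mailbox (placeholder)
ORG_DOMAIN = "example.org"         # assumed organisation domain (placeholder)
# Constructed sample message; every host, address and IP is a placeholder.
RAW_MESSAGE = """\
Return-Path: <bounce@cheap-host.test>
Received: from vps-203-0-113-7.cheap-host.test (unknown [203.0.113.7])
        by mx.example.org with ESMTPS id 4f2a; Mon, 1 Jan 2024 10:00:00 +0000
From: "Example IT Support" <helpdesk@bulk-sender.test>
Reply-To: <collector@another.test>
To: all-staff@bulk-sender.test
Subject: Your mailbox quota is full

Click here to renew your password.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_headers(raw, my_address=MY_ADDRESS, org_domain=ORG_DOMAIN):
    """Run the header checks of Figs. 6, 7 and 9; return (check, detail) pairs."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    # Fig. 6: displayed name borrows the organisation's name, address does not.
    if org_domain.split(".")[0] in from_name.lower() and from_dom != org_domain:
        findings.append(("from-mismatch", f"{from_name!r} but address is @{from_dom}"))
    # Replies or bounces routed to a third domain: typical credential collector.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header, ""))
        if dom and dom != from_dom:
            findings.append((header.lower(), f"{header} goes to {dom}, not {from_dom}"))
    # Fig. 7: was the message actually addressed to me?
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(to_cc)}
    if my_address.lower() not in recipients:
        findings.append(("not-addressed-to-me", f"recipients: {sorted(recipients)}"))
    # Fig. 9: the topmost Received line names the host that handed the message
    # to our server; it should belong to the domain the sender claims.
    received = msg.get_all("Received", [])
    if received:
        hop = re.search(r"from\s+(\S+)", received[0])
        if hop and not hop.group(1).lower().endswith(from_dom):
            findings.append(("received-origin", f"handed over by {hop.group(1)}"))
    return findings
```

Calling `check_headers(RAW_MESSAGE)` returns one finding per failed check; an empty list means the message passed all of them.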

Signal spam

../_images/signal_spam.png

Fig. 10 Take the time to report any malicious emails as spam. This will help the community fight them.

Risks

Mail

If your APC email is compromised, the attackers will:

  1. send a massive amount of SPAM from it => the mail servers of IN2P3 will be blacklisted :(

  2. send targeted email attacks with links or attachments to infect a professional computer => then rebound towards the interior of the IT park to infect more machines and potentially do a lot of harm

Commercial websites

If your password has been hacked, the attackers will try it on every commercial website, like Amazon, eBay, etc., to buy something on your behalf.