Murphys Monday Musing

Hello, all! Murphy here, with some of the latest info in security. I’m a full time dog, part time IT tech and I’m always digging around for interesting cybersecurity stuff to tell you guys about. I hope you think this stuff is a real treat (see what I did there?) Lets chew on the newest attack on Office365 users and how to keep your account safe!

There’s a new threat for Office365 email users, and you don’t have to click on a bad link to launch it… in fact, all you need to do is open the email in your browser/Outlook/phone. It has to do with your passwords, and here’s how it works….

Office365 email logs into Microsoft servers, so your password is transmitted through encryption… meaning your password is converted into garbled random characters called “hashes” that are then converted back to characters on the Microsoft servers. But now phishers are using hidden pictures with links in emails that normally won’t render. That’s normal– if you’ve ever seen an email with a box with an X in it, you know it either can’t find the graphic or your settings block them. What happens in the background is your email software/browser/phone can be told, “hey, can you try logging in again to see if we can get this graphic?” But your password is encrypted so what’s the big deal, right? Well… turns out hackers can use pretty cheap servers to “guess” what your hashes mean. A simple password  of 6-10 characters (even if you use funky characters and symbols) can be un-hashed in a few minutes/hours.

This weakness goes back to an old internet-traffic process called NetBIOS, and most residential internet providers block this by default… but business level internet packages often do NOT block this kind of internet traffic. Sometimes, businesses can’t block this kind of traffic because of how their servers and systems are set up, trying to keep older legacy systems running instead of upgrading.

Hackers/phishers know this, can target organizations using Office365, and using a simple method of embedding a “white” or “clear” boxed graphic with a link behind it, they just sit back and watch the “hash-hidden” login attempt come across. They copy the hashes and run it through their server(s) to try to crack the hashes.

How can you protect yourself? LONG passwords!! Something that only makes sense to you (don’t crib song lyrics or team names) but is easy to remember– something only you understand such as: “iSawAnotherDogTodayatTheParkanditWasG8!” (many corporate password policies require capitals and special characters so throw in a number and a ! or * etc.) The secret that hackers don’t want you to know is it is MUCH harder to crack a long password than a funky character short one. Randomness of characters won’t protect you anymore. Hackers don’t want to waste their time on passwords that take too long to crack. They’re looking for quick and easy access. It has to do with how encryption works, but essentially that password above would take months and months for typical servers to crack it (this one is mine though, and you can’t take it).

As more and more of us move to cloud systems like Office365, take precautions because now you don’t have to even click on a link to get your account password compromised… so make those passwords a bit longer, read up on our password blog if you haven’t yet, and get some professionals involved to ensure things like older systems are DMZ’d, and NetBIOS traffic is properly locked down.