04-11-2018, 11:10 AM
You need to be a bit careful in where you place your trust.
Dashlane checking the so-called "Dark web" is largely marketing hype. What it means in practice is checking known Pastebin posts/dumps to see if a password with the same hash has turned up associated with a given email address or login ID.
Unfortunately, this only works for known dumps, i.e. just like HaveIBeenPwned etc. check. The bad guys don't publish these lists very quickly, even on the Dark Web - why would they? They are a source of income for them.
It can take years (if at all) for a compromise to become public and for the plaintext of a password to be available - if the compromised site used salting and a decent hash, then Dashlane (or any other) won't help.
Also, it's not just about passwords - identity theft is potentially more valuable,
Having an "on access scanner" means little - it just means that any image that's loaded gets "scanned" first. But what does "scanned" really mean? Basically, just running the virus scanner over an image before it's executed.
This is all good and dandy IF AND ONLY IF the scanner is capable of finding an issue.
Nearly all domestic scanners are deterministic - they test for a known result, e.g. the signature of a known virus. The problem is that a lot of modern compromises are almost impossible to identify as they hide extremely well - it would be careless for any serious threat not to have been tested by its developers against all the most common AV, no?
So, in the trade, deterministic scanners are toast - we don't use them as by definition, they can't protect against serious threats like zero-day or out-of-band (non-application) attacks and they are as leaky as a sieve.
All modern stuff uses behavioural analysis - the tools look at what the image or a host is trying to do and then assess whether that's normal or risky behaviour. There are many tools that claim this sort of protection - we've found that only a select few are any good. The good ones also tack in genuine AI (the hack ones claim AI capabilities but generally that's marketing hype too - a tiny fraction get it right). The really good tools model what passes for normal behaviour on both a user and device level and then do a lot of real-time statistical modelling to decide whether a calculated risk is significant enough to warrant intervention.
All this adds up to a false sense of security; you think you're covering all the bases, but you're not because you're coming at it from the recipients' point of view, not the bad guys'.
I don't want to be too downbeat - at a domestic level, good luck to you. However, the days of traditional AV are numbered.
PS. There is no such thing as "maximum entropy" - by definition, entropy (randomness) tends to a maximum (when the universe ends), but the entropy in a password is not easy to calculate - it's an information theory concept, not an absolute. Simple calculations for the number of bits of entropy in a string are normally used, e.g.
Code:
log2(number-of-characters-you-can-select-from) * password-length
So, a simple 8-character upper- & lower-case plus numbers password would have 8*ln(26+26+10)/ln(2) bits of entropy, i.e. about 47 bits of maximum genuine randomness vs. the 64 bits in the actual password. Every extra bit of entropy doubles the theoretical maximum effort required for a brute-force attack. However, using common words or phrases and simple substitutions like "3" for "e" etc. reduces the entropy considerably - randomness should be unpredictable - the moment predictability is introduced, the entropy decreases.
Note: log2(x) = ln(x)/ln(2) where "ln(x)" means "take the natural logarithm of x".
You can see how this works if each of the 8 characters were truly fully random, i.e. could have any of 256 possible values (0..255). The entropy bits then would be ln(256)/ln(2) which just happens to be 64, as you would expect (8 characters * 8 random bits per character).
So, just in the password case, you only get the maximum possible entropy bits available for a given password length if every byte can truly take a value between 0 and 255.
sıʌǝɹq ɐʇıʌ `ɐƃuol sɹɐ
ʞɔıu
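The "log2(pool) * length" estimate from the post, as an added example (not code from the original post): it infers the selection pool from the character classes present in a password, computes the post's 62-character/8-character case (about 47.6 bits), the fully random 8-byte case (8 * log2(256) = 64 bits), and the doubling of brute-force effort per extra bit. The class boundaries and the symbol set used for the pool are assumptions. As the post warns, this estimate is blind to dictionary words and "3"-for-"e" substitutions, so it is an upper bound, not a measure of real unpredictability.

```python
import math
import string

# Character classes used to infer "the number of characters you can select
# from". Added example; these class boundaries and the symbol set are
# assumptions, not part of the original post.
_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}


def pool_size(password: str) -> int:
    """Sum of the sizes of every character class that appears in the password."""
    size = 0
    for chars in _CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def naive_entropy_bits(password: str) -> float:
    """The post's simple estimate: log2(pool size) * password length."""
    return len(password) * math.log2(pool_size(password))


def full_random_bits(length_bytes: int) -> float:
    """Upper bound when every byte may take any of 256 values: 8 bits per byte."""
    return length_bytes * math.log2(256)


def brute_force_ratio(bits_a: float, bits_b: float) -> float:
    """Factor by which the theoretical brute-force search space grows from
    bits_a to bits_b; each extra bit doubles it."""
    return 2 ** (bits_b - bits_a)


if __name__ == "__main__":
    # Constructed sample passwords (not real credentials).
    for pw in ("Abcdefg1", "abcdefgh", "Tr0ub4dor&3"):
        print(f"{pw!r}: pool={pool_size(pw)} bits~{naive_entropy_bits(pw):.1f}")
    print(f"8 random bytes: {full_random_bits(8):.0f} bits")
    print(f"47 -> 48 bits multiplies brute-force effort by {brute_force_ratio(47, 48):.0f}")
```

Note that "Tr0ub4dor&3" scores highly under this estimate because it mixes four classes, which is exactly the weakness the post points out: the formula counts the pool, not the predictability of what was picked from it.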