CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Blackberry OS 10 BlackLists Batman and PoohBear

A Blackberry oriented website in the UK was the first to notice an interesting new feature in the most recent developer release of the Blackberry 10 OS. They found what looks like a list of one hundred and six blacklisted passwords. The list would prevent you from using specific words to secure your device.

At first glance this seems like a great idea. People always choose crappy passwords like 'password' or '123456' or 'aaaaaa'. By preventing these words from being used as passwords in the first place you increase your security right? Not really, and actually you probably reduce it a little bit. This list of banned words won't be a secret; anyone with access to the list can remove those words from a dictionary attack. Sure, one hundred and six words won't make a huge difference but it will make figuring out the password just a little bit faster.

One thing this banned list will do is aggravate customers who try to use one of the banned words as the password to their device. According to RapidBerry, the site that published the list, words like 'batman' and 'poohbear' are on the banned list, as well as 'baseball', 'sunshine' and even 'blackberry'. None of those words are even in in the top 100 of the most frequent passwords people use according to the 2012 Trustwave Global Security report. Since these aren't very common words they won't impact many people but why bann them and take the risk of upsetting any customers? If you were going to create a blacklist of words not to be used as passwords you would think that the list would include the most popular passwords like 'Password2', 'P@ssw0rd', 'Welcome2', 'Winter10', or ' Summer11' all of which are in Trustwave's top twenty five found passwords but none of which are in Blackberries blacklist.

To be fair Trustwave's list includes complex passwords or passwords that require uppercase letters, numbers and possibly punctuation. Last years list of common passwords was generated from cracked lists of hundreds of thousands of passwords. (We will have a new list this years in the 2013 GSR made from even more cracked passwords) Cracking passwords with a brute force attack is not difficult, and with a dictionary attack it is even easier. In the case of a mobile device like a Blackberry the most difficult part is actually getting to the password, either by removing the password file from the device or by access the password in some other way so that you can apply your cracking software to it. Cracking the password itself is usually a fairly simple matter.

So why is RIM bothering to have a password blacklist? It will not improve security and may in fact weaken it a little bit. It will frustrate and upset some customers. If this is about security a better idea would be to force a complex password scheme requiring uppercase letters, numbers and punctuation and a minimum character length. So far this is only in a developer release of Blackberry OS 10, hopefully this feature is only present for testing or some other pre-release reason and will be improved or removed before final release.

Latest SpiderLabs Blogs

EDR – The Multi-Tool of Security Defenses

This is Part 8 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

The Invisible Battleground: Essentials of EASM

Know your enemy – inside and out. External Attack Surface Management tools are an effective way to understand externally facing threats and help plan cyber defenses accordingly. Let’s discuss what...

Read More

Fake Dialog Boxes to Make Malware More Convincing

Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team...

Read More