With all the excitement about state-sponsored superworms, cyberspying by government agencies, and legislation designed to take away all our freedoms in the cause of making sure Bono gets his royalties, we shouldn't overlook the fact that hackers are going about their business as usual.
Today's examples range from the potentially serious to the ridiculous. Let's take the fun stuff first.
Mitt Romney's Hotmail account was reportedly hacked by someone who correctly answered the security question: "What is your favorite pet's name?" Now, as everyone knows, Mitt Romney's favorite pet is his dog, Seamus. He loves him so much that he lets him have the privileged view from the car roof when the family goes on holiday.
Joking aside, there is a lesson to be learnt here. There is no sense in having a security question whose answer is public knowledge: it is a second, far weaker password, and a reset flow that trusts it on its own makes it the only password that matters. The account address must have been easy to guess -- mittromney@hotmail.com -- and answering the security question allowed the hacker to set a new password. Such are the iron defenses to the private thoughts of one of our leading statesmen.
The purloined emails were used by The Wall Street Journal to illustrate Romney's active and enthusiastic support for healthcare reform during his Massachusetts governorship -- an episode his presidential campaign has sought to play down. This hardly counts as a major revelation, and the most damaging effect of the hack might be reminding people how Seamus likes to travel.
Altogether more grim is the breaking news that some 6.5 million hashed LinkedIn passwords have been posted to a Russian hacker forum. LinkedIn has not yet officially confirmed the breach, but some users have already found the hashes of their own passwords in the list. The passwords are hashed with SHA-1 but unsalted, so one precomputed table of common passwords matches every user who chose one of them, and the weaker ones are expected to be cracked quickly. Nor is the damage confined to LinkedIn: a cracked password is routinely tried against every other account that shares it.
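The unsalted-hash point above, as an added example in Python (my code, not the author's and not LinkedIn's): a constructed dump of unsalted SHA-1 digests is cracked by hashing a wordlist once and looking every user up in the result, while per-user salts force a fresh pass over the wordlist for each user and make precomputed tables, including the rainbow tables discussed in the comments below, worthless. The users, passwords and wordlist are invented for the demo; the PBKDF2 functions at the end show what a site should store instead.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist: the sort of "top passwords" list a cracker tries first.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty", "Tr0ub4dor&3"]

# Constructed users and passwords for the demo (not real leaked data).
SAMPLE_PASSWORDS = {
    "alice": "linkedin",
    "bob": "123456",
    "carol": "linkedin",                      # same password as alice
    "dave": "correct horse battery staple",   # not in the wordlist
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# A dump in the 2012 LinkedIn style: username -> unsalted SHA-1 hex digest.
UNSALTED_DUMP = {u: sha1_hex(p.encode()) for u, p in SAMPLE_PASSWORDS.items()}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once, then look every user up in the result.

    The table depends only on the wordlist, not on the victims, which is why it
    can be precomputed ahead of time (a rainbow table is a space-optimised form
    of exactly this table). Returns (cracked, hashes_computed).
    """
    table = {sha1_hex(w.encode()): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def duplicate_password_groups(dump):
    """Identical unsalted hashes expose identical passwords before any cracking."""
    groups = {}
    for user, h in dump.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def salted_sha1(password: str, salt: bytes) -> str:
    return sha1_hex(salt + password.encode())


def make_salted_dump(passwords, salt_len=16):
    """Same passwords, but each user gets a random salt stored next to the hash."""
    dump = {}
    for user, pw in passwords.items():
        salt = os.urandom(salt_len)          # the salt is not secret, only unique
        dump[user] = (salt, salted_sha1(pw, salt))
    return dump


def crack_salted(dump, wordlist):
    """No precomputation and no shared work: every user costs up to a full pass
    over the wordlist. Returns (cracked, hashes_computed)."""
    cracked, computed = {}, 0
    for user, (salt, h) in dump.items():
        for w in wordlist:
            computed += 1
            if hmac.compare_digest(salted_sha1(w, salt), h):
                cracked[user] = w
                break
    return cracked, computed


# What the site should store instead: salted AND deliberately slow.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    cracked, n = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted: {len(cracked)} of {len(UNSALTED_DUMP)} cracked with {n} hash computations")
    print("users sharing a password:", duplicate_password_groups(UNSALTED_DUMP))
    cracked_s, n_s = crack_salted(make_salted_dump(SAMPLE_PASSWORDS), WORDLIST)
    print(f"salted:   {len(cracked_s)} of {len(SAMPLE_PASSWORDS)} cracked with {n_s} hash computations")
```

Scale the numbers up and the point is obvious: against 6.5 million unsalted hashes one pass over the wordlist covers everyone, salts multiply the attacker's work by the number of users, and a slow hash such as PBKDF2 multiplies it again by the round count. Note the caveat the salted run also shows: salting does not rescue a user whose password is in the top hundred, because the per-user pass still finds it; only slowness and password strength help there.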
This is the continuation of a bad week for the company, following the revelation that the calendar feature of the LinkedIn mobile app grabs not only meeting dates but copious information about the subject of each meeting and its attendees, including their email addresses, and was reported to transmit it in the clear. Emphasizing that the calendar is an opt-in feature, LinkedIn has insisted that it does not retain this data on its servers and that it is sent over SSL.
The calendar disclosure is trivial, however, in comparison to the apparent password catastrophe, with some commenters advising us all to "change our passwords right now." I don't know: I guess if a hacker wants to access my LinkedIn account and enhance my resumé, they're welcome.
"what's worse than a password system which forces you to create a password you can't possibly remember?"
"how does LinkedIn/eHarmony/whoever allow thousands of password guesses without noticing?"
It has long been known that enforcing a "3 strikes / out" rule on password access solves the problem -- although it creates a new problem: too many help desk calls for locked passwords.
The answer is known: you generate a new, one-time password and e-mail it to the customer. The customer logs on by clicking the link from the one-time password message to the create-new-password page. Remember: you really should be using Secure Mail of some type -- I prefer Outlook/PGP or Thunderbird/Enigmail because these use public key encryption directly under your control.
If you are using 3 strikes and out you don't need esoteric passwords as much -- just stay clear of the top 100 or so...
However, that ain't all there is to it:
If you have malware in your computer you have to get rid of that first.
If you have not run a software audit you don't know if you have malware or not.
If the host has been hacked, oh well.
RAINBOW TABLES
If the host has been hacked the hacker may have taken the passwords from the host database. These should be encrypted, using SHA-1 or MD5/salted.
The attacker may have a "rainbow table". A rainbow table is a reverse look-up: the attacker presents the hash of the password and the table returns a character string value for that hash. This has been used with good effect against MD5; not so much against MD5/salted or SHA-1. Yet.
Hacker tools such as rainbow tables can be had for cash on the Dark Net where hackers live.
Today's Suggested Reading is pretty heavy going. Although the essay is a little dated the content is still very insightful: we suffer more from hacking than we should.
ACCESS AUDIT
In all cases where password protection is used, when the customer logs on the system should show: PRIOR LOGON INFO: Date, Time, System_ID.
Not everyone will watch this info like they should, but enough people will so that a compromised system can be identified more quickly.
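The lockout-plus-reset-link scheme and the "prior logon info" display proposed in the comment above, as an added example in Python (my code, not the commenter's; the service, the timings and the user names are assumptions): three failed attempts lock the account for a period rather than permanently, the reset link carries a random single-use token of which only the hash is stored, and every successful logon returns the previous one for the user to check.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 3              # the "3 strikes and out" rule
LOCKOUT_SECONDS = 15 * 60     # temporary lock: far fewer help-desk calls than a permanent one
RESET_TTL_SECONDS = 15 * 60   # lifetime of the one-time reset link
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = secrets.token_bytes(16)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so the lockout and TTL can be tested
        self.users = {}
        self.reset_tokens = {}        # sha256(token) -> (username, expiry)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw": _hash_pw(password, salt),
            "failures": 0,
            "locked_until": 0.0,
            "last_logon": None,       # (timestamp, system_id) of the previous successful logon
        }

    def login(self, username: str, password: str, system_id: str) -> dict:
        u = self.users.get(username)
        if u is None:
            _hash_pw(password, _DUMMY_SALT)   # burn the same time as a real check: no enumeration by timing
            return {"status": "bad_credentials"}
        now = self.clock()
        if now < u["locked_until"]:
            # Refuse without even checking the password: guessing must stop while locked.
            return {"status": "locked", "retry_after": u["locked_until"] - now}
        if not hmac.compare_digest(_hash_pw(password, u["salt"]), u["pw"]):
            u["failures"] += 1
            if u["failures"] >= MAX_FAILURES:
                u["failures"] = 0
                u["locked_until"] = now + LOCKOUT_SECONDS
                return {"status": "locked", "retry_after": LOCKOUT_SECONDS}
            return {"status": "bad_credentials"}
        u["failures"] = 0
        prior, u["last_logon"] = u["last_logon"], (now, system_id)
        # The access-audit line: tell the user when and from where they last logged on.
        return {"status": "ok", "prior_logon": prior}

    def issue_reset_token(self, username: str):
        """Returns the token that goes into the e-mailed link. Only its hash is kept,
        so a copy of the database does not yield usable reset links."""
        if username not in self.users:
            return None   # the caller must answer identically either way (no username enumeration)
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (username, self.clock() + RESET_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)   # pop: the link works exactly once
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        u = self.users[username]
        u["salt"] = secrets.token_bytes(16)
        u["pw"] = _hash_pw(new_password, u["salt"])
        u["failures"], u["locked_until"] = 0, 0.0     # a successful reset also clears the lock
        return True


if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("mitt", "seamus-on-the-roof")
    for _ in range(3):
        print(svc.login("mitt", "wrong", "pc1"))
    print(svc.login("mitt", "seamus-on-the-roof", "pc1"))   # still locked
    link_token = svc.issue_reset_token("mitt")             # would be e-mailed to the user
    print(svc.redeem_reset_token(link_token, "new-pass"), svc.login("mitt", "new-pass", "laptop"))
```

Two caveats a practitioner would add. Lockout on its own lets anyone lock a victim out with three deliberate wrong guesses, which is why the lock is temporary here and why it should be paired with per-source rate limiting rather than replace it. And the e-mailed link is only as safe as the mailbox it lands in, which is the point made elsewhere in these comments about the mailbox being the reset path for everything.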
Your password may not be stored in your email, but it's where you can reset your passwords for other sites, it tells a hacker which sites to attack, it gives them much of the data to guess your questions, etc.
Agreed. I hate it when online banking sites force me to choose a new password every month or pick passwords that are annoyingly long with mandatory inclusion of punctuation and numbers.
But I suppose I don't understand how dictionary attacks work nowadays -- how does LinkedIn/eHarmony/whoever allow thousands of password guesses without noticing?
It's surprising that password systems still allow dictionary words and common passwords like 12345... but I think that just shows that users don't care about security.
Recall that the same thing happened with Sarah Palin.
On the other hand, this blizzard of questions I'm getting subjected to ("What's your favorite song? Who was your kindergarten teacher?" Christ, I don't know!) isn't useful either.
The Internet/Computer Community could of course make provision for each of us to generate an X.509 certificate,
and you could then install your X.509 certificate in your various devices, giving you single logon --- but --- exact identification to any service you logged onto using your certificate...
we cannot tolerate malware
Let's suppose for a moment that we have established Commercial Computers separate from experimental/development computers,
the difference being that the software on a commercial computer is controlled and not modified without authorization. Risky practices such as RPC have been abolished.
The implication would be that when you log on using an X.509 certificate you are positively identified ...
think about this
Now Susan, I know it's Sunday, but here is our Suggested Reading for today
Freedom of the Press is essential to our well-being. Unfortunately we do have thugs who will use improper methods to silence viewpoints they don't like.
The Internet has given us all unprecedented Freedom of Expression.
Let's Keep it that way
Remember, when you review public key cryptography (X.509 certificates use public key cryptography), it is incumbent on you to verify signatures: either directly or via a Certificate Authority. Existing procedures have taken shortcuts in this, assuming the individual's responsibility for him/her -- and -- allowing way too many certificates to acquire automatic approvals. Public key cryptography is not broken: it just isn't properly used.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.