<?xml version="1.0"?>
            <rss version="2.0">
                <channel>
                    <title>Healthy Passwords News</title>
                    <link>http://www.healthypasswords.com/RSS.html</link>
                    <description>Technical news pertaining to Healthy Passwords translated for non-technical people</description>
                    <language>en-us</language>
                    <pubDate>Wed, 24 Feb 2016 01:56:24 -0500</pubDate>
                    <lastBuildDate>Wed, 24 Feb 2016 01:56:24 -0500</lastBuildDate>
                    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
                    <managingEditor>managingeditor@healthypasswords.com</managingEditor>
                    <webMaster>webmaster@healthypasswords.com</webMaster>
            
<item><title>Lastpass Adds Windows Phone 7 App Features</title>
                    <link>http://www.healthypasswords.com/Authentication.Third-Party.20111201083711.news.MiddleCenter.html</link>
                    <description>&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/LastPass_Nov28.png&quot; alt=&quot;Lastpass Pin Code Prompt Image&quot;/&gt;&lt;br/&gt;

&lt;p&gt;LastPass just added a security improvement feature to their Windows Phone 7 app.  Users can now enable a &quot;pin code prompt&quot;.  Enabling this requires a pin after switching to another app and returning to LastPass.  &lt;/p&gt;

&lt;p&gt;All previous LastPass security remains unchanged.  According to the LastPass blog: You can enable the pin code prompt in your app settings so that when multitasking back to the LastPass app, you're prompted to enter your 4-digit code. This provides an extra layer of security that's more manageable on your Windows Phone 7, since you won't have to re-enter your master password each time you reopen the app.&lt;/p&gt;

&lt;p&gt;To enable the pin code prompt, login to the LastPass app to view your LastPass vault. Tap the ellipses (three dots) at the bottom of the screen to expand the menu options. Tap the &quot;set pin code&quot; option, and enter a 4-digit pin code. The next time you multitask away from and back to the LastPass app, you'll enter this pin code to regain access.&lt;/p&gt;

&lt;p&gt;They also report that if you've enabled Google Authentication and are using it to login to the LastPass mobile app, they've improved support for switching apps when entering the Google Auth login code. &lt;/p&gt;





</description>
					<pubDate>Thu, 01 Dec 2011 08:37:11 -0500</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Third-Party.20111201083711.news.MiddleCenter.html</guid>
                </item>

<item><title>UN Hack Exposes More Weak Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111130075733.news.MiddleCenter.html</link>
<description>&lt;img width=&quot;30%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/UnBreachWordCloud.png&quot; alt=&quot;Word Cloud of UN Top Ten Passwords&quot;/&gt;&lt;br/&gt;
&lt;p&gt;Credit word cloud to &lt;a href=&quot;http://www.wordle.net/create&quot;&gt;wordle.net&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;On Monday, the hacktivist group TeaMpoiSon posted 857 usernames and passwords for members of the United Nations Development Programme (UNDP), Organisation for Economic Co-operation and Development (OECD), UNICEF, World Health Organisation (WHO) and other groups.&lt;/p&gt;

&lt;p&gt;The top ten passwords used were: &lt;/p&gt;
&lt;p&gt;Note: Because this list of 857 usernames, emails and passwords is so small, several passwords that hit the top ten were probably from users with multiple accounts or from admins.  We've removed these from the list.&lt;/p&gt;

&lt;pre&gt;

12345
PASSWORD
123
samurai
sn
test
undp
welcome
111
114
&lt;/pre&gt;

&lt;p&gt;We checked both pwnedlist and shouldichangemypassword.com this morning and neither found emails on this list.  We notified both sites of the list so they can load them.&lt;/p&gt;


&lt;p&gt;&lt;em&gt;Update&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;eWeek Europe is reporting:&lt;br/&gt;
UNDP spokeswoman Sausan Ghosheh told the BBC that the hacked server, which goes back to 2007, contained old data and no active passwords.  “The UNDP found [the] compromised server and took it offline. Please note that UNDP.org was not compromised.” Reference: &lt;a href=&quot;http://www.eweekeurope.co.uk/news/un-was-not-compromised-in-teampoison-hack-47763&quot;&gt;eWeek Europe&lt;/a&gt;.  The eWeek article also quotes a US security expert, with whom we agree.  This list exposes email addresses and passwords.  Most people admit to reusing passwords at many sites.  &lt;/p&gt;


</description>
					<pubDate>Wed, 30 Nov 2011 07:57:33 -0500</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111130075733.news.MiddleCenter.html</guid>
                </item>

<item><title>25 Worst Passwords of 2011</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111118161352.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://www.pcworld.com/article/244288/123456_the_worst_passwords_of_2011.html&quot; target=&quot;_blank&quot;&gt; PCWorld&lt;/a&gt;, a recent survey from SplashData compiled the 25 worst passwords of 2011.  This was determined by analysis of publicly disclosed breach data.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;password &lt;/li&gt;
&lt;li&gt;123456 &lt;/li&gt;
&lt;li&gt;12345678 &lt;/li&gt;
&lt;li&gt;qwerty &lt;/li&gt;
&lt;li&gt;abc123 &lt;/li&gt;
&lt;li&gt;monkey &lt;/li&gt;
&lt;li&gt;1234567 &lt;/li&gt;
&lt;li&gt;letmein &lt;/li&gt;
&lt;li&gt;trustno1 &lt;/li&gt;
&lt;li&gt;dragon &lt;/li&gt;
&lt;li&gt;baseball &lt;/li&gt;
&lt;li&gt;111111 &lt;/li&gt;
&lt;li&gt;iloveyou &lt;/li&gt;
&lt;li&gt;master &lt;/li&gt;
&lt;li&gt;sunshine &lt;/li&gt;
&lt;li&gt;bailey &lt;/li&gt;
&lt;li&gt;bailey &lt;/li&gt;
&lt;li&gt;passw0rd &lt;/li&gt;
&lt;li&gt;shadow &lt;/li&gt;
&lt;li&gt;123123 &lt;/li&gt;
&lt;li&gt;654321 &lt;/li&gt;
&lt;li&gt;superman &lt;/li&gt;
&lt;li&gt;qazwsx &lt;/li&gt;
&lt;li&gt;michael &lt;/li&gt;
&lt;li&gt;football &lt;/li&gt;
&lt;/ol&gt;


</description>
					<pubDate>Fri, 18 Nov 2011 16:13:52 -0500</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111118161352.news.MiddleCenter.html</guid>
                </item>

<item><title>Finland Citizens Urged to Change Online Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111114104615.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/FinlandMap.png&quot; alt=&quot;Finland Map&quot;/&gt;&lt;br/&gt;The Finnish NBI (National Bureau of Investigation) is urging all Finns to change all passwords after a major leak this weekend.  Over 100,000 email addresses and 15,000 passwords were leaked on Saturday.  Officials fear more passwords will be leaked. &lt;/p&gt;

&lt;p&gt;According to &lt;a href=&quot;http://www.hs.fi/english/article/Finns+urged+to+change+online+passwords+after+thousands+leaked/1135269861024&quot; target=&quot;_blank&quot;&gt; The Helsingin Sanomat&lt;/a&gt;, the Finnish computer publication MikroPC reports that some of the information has leaked from discussion forums operating on a phpBB2 platform.&lt;/p&gt;

&lt;p&gt;This highlights an important consideration for users everywhere.  Certain platforms are more &quot;vulnerable&quot; to hacking than others.  Canned third party web platforms such as PHPBB, Wordpress, Joomla, Drupal, and many more are evolving daily.  The teams working on these projects do a great job quickly patching vulnerabilities, but the websites running them must apply the patches on a regular basis, or they are left vulnerable.  &lt;/p&gt;

&lt;p&gt;Many small niche blogs and websites are run by small staffs or by individuals in their spare time.  If one of these sites requires you to register with an email and/or password, always use a junk email account and password for registration.  &lt;/p&gt;






</description>
					<pubDate>Mon, 14 Nov 2011 10:46:15 -0500</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111114104615.news.MiddleCenter.html</guid>
                </item>

<item><title>Steam Breach - Lots of Personal Data, little worry of password compromise</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111111001251.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;img width=&quot;35%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/SteamBreach_010.png&quot; alt=&quot;SteamPowered.com Website Image&quot;/&gt;&lt;/p&gt;
&lt;p&gt;Steampowered.com, the website of over 1100 games, has reported a breach: &lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The bad news is they are reporting an entire database compromise including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The good news is passwords were salted and hashed, making it very difficult to obtain the password, and credit card data was encrypted.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The following announcement was sent to users:&lt;/p&gt;
&lt;pre&gt;
Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening 
of Sunday, November 6. We began investigating 
and found that the intrusion goes beyond the
Steam forums.

We learned that intruders obtained access to 
a Steam database in addition to the forums. This 
database contained information including user 
names, hashed and salted passwords, game purchases, 
email addresses, billing addresses and encrypted 
credit card information. We do not have evidence 
that encrypted credit card numbers or personally 
identifying information were taken by the intruders, 
or that the protection on credit card numbers or 
passwords was cracked. We are still investigating.
&lt;/pre&gt;

&lt;p&gt;Sophos' recommendation to users is perfect, so we're going to copy and paste it (credit: &lt;a href=&quot;http://nakedsecurity.sophos.com/2011/11/11/steam-goes-public-on-data-breach-but-will-it-delay-the-launch-of-skyrim/&quot; target=&quot;_blank&quot;&gt;Sophos report on Steam breach&lt;/a&gt;):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Change your Steam password, just in case. If you were using a weak password before, take this opportunity to choose a decent one.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Keep an eye on your credit card statement and report any unexpected transactions.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt; Consider not storing your credit card data on Steam's servers. You don't have to. You can choose to enter it every time you need it instead.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Consider enabling Steam Guard. If you do, Steam will email you every time you (or someone else) logs in from someone else's computer.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Send an email to Steam asking why they encrypted credit card data and passwords, but apparently not the rest of its users' personally identifiable information.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If Steam truly did salt passwords, password changes may not be necessary.  Still, it's better to be safe than sorry.&lt;/p&gt;





</description>
					<pubDate>Fri, 11 Nov 2011 00:12:51 -0500</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111111001251.news.MiddleCenter.html</guid>
                </item>

<item><title>New Website May Find Your Insecure Password Before Most Hackers Do</title>
                    <link>http://www.healthypasswords.com/Breach.Authentication.20111104230454.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;img width=&quot;25%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/pwnedList.png&quot; alt=&quot;Pwnedlist.com logo&quot;/&gt;
A new site, pwnedlist.com, now has spiders crawling the web looking for breached or vulnerable password lists.  The site was created by Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint.&lt;/p&gt;

&lt;p&gt;According to the site's &lt;a href=&quot;https://pwnedlist.com/learn&quot;&gt;&quot;learn&quot; page&lt;/a&gt;, the site does not keep any email data submitted through queries (no phishing).  The little they reveal about the site architecture is great.  We are big fans of Amazon Simple DB (SDB) and feel it's one of the least vulnerable database platforms a website can use.  &lt;/p&gt;

&lt;p&gt;For the truly skeptical, the site enables users to submit their email as a SHA-512 hash (&lt;a href=&quot;http://www.healthypasswords.com/content.What_are_hashes_and_Rainbow_Tables.html&quot;&gt;see what hashes and rainbow tables are&lt;/a&gt;).  &lt;/p&gt;

&lt;p&gt;We tested a known bad email from a recent hack and it did not show up in the database.  In fairness, the same address was not found in shouldichangemypassword.com either.&lt;/p&gt;

&lt;p&gt;The site's domain was registered in June 2011 under a proxy service, which is very common and does not raise any flags.  The founder is a well respected and active member of the security community.  All timelines on personal and business Twitter feeds correlate properly.  We started this article on November 1st, and submitted some questions to the website.  In the three days that followed we've received no response, but at least a dozen publications have reported on pwnedlist.com, including Brian Krebs and Kaspersky Labs. &lt;/p&gt;


&lt;p&gt;Every indication points to pwnedlist.com being a great resource.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Related Stories&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://threatpost.com/en_us/blogs/got-pwned-pwnedlistcom-knows-102711&quot; target=&quot;_blank&quot;&gt;Kaspersky Labs ThreatPost&lt;/a&gt; has the only real interview with founder Alen Puzic as of 04-Nov-2011.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://krebsonsecurity.com/2011/11/are-you-on-the-pwnedlist/&quot; target=&quot;_blank&quot;&gt;Brian Krebs&lt;/a&gt; has a good article geared toward the more technical crowd.&lt;/p&gt;



</description>
					<pubDate>Fri, 04 Nov 2011 23:04:54 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Authentication.20111104230454.news.MiddleCenter.html</guid>
                </item>

<item><title>Lying about your Name or Age on the Internet May Get Difficult</title>
                    <link>http://www.healthypasswords.com/Authentication.Authentication.20111101230559.news.MiddleCenter.html</link>
<description>&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/tru.ly.beta.logo.png&quot; alt=&quot;tru.ly logo&quot;/&gt; A new service promises to accurately verify your name and age.  While this may not seem important for adults, for minors this could be a huge advancement, although the site's terms require persons to be 18 or older for verification.  &lt;b&gt;Update 1-Nov-2011&lt;/b&gt; Tru.ly co-founder David Gordon told us that a new API version will be implemented for parental verification to set up minor accounts.&lt;/p&gt;

&lt;p&gt;The site is currently in &quot;beta&quot;, which means it's allowing public testing, but not quite ready for production.  &lt;/p&gt;

&lt;p&gt;Tru.ly uses &quot;verification partners&quot; to authenticate your identity. This is done by matching your submitted information with that in a national database of government and public data. In order to become verified, specific pieces of information must match. They report to use proprietary technology to flag users who may be trying to conduct fraud.&lt;/p&gt;

&lt;p&gt;At this time the site asks for &lt;/p&gt;

&lt;pre&gt;
Email
Legal First Name
Legal Last Name
Last Four SSN digits
Birthdate
Permanent street address
Permanent zip code
&lt;/pre&gt;

&lt;p&gt;According to their website, Tru.ly's goal is to provide users with a single, verified identity on the internet.  The service enables verified users to generate their own QR code &lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/tru.ly.qr.code.png&quot; alt=&quot;qr code image&quot;/&gt; enabling users to provide an ID without divulging details.  How this will be accomplished is not stated.  Tru.ly also promises a browser plug-in to see which profiles are verified on social networks.  The plug-in also has very limited details.  &lt;b&gt;Update 1-Nov-2011&lt;/b&gt;  We asked co-founder David Gordon about this, and he told us: &quot;We didn't see much traction on it so we took it down and will plan on relaunching it with a larger audience.&quot; &lt;/p&gt;

&lt;p&gt;Should you trust tru.ly with your identity?  We're not sure yet.  We see no warning flags.  No single piece of required information is highly sensitive alone, yet combined, they comprise more than many may wish to entrust to an internet company.   &lt;b&gt;1-Nov-2011 Update&lt;/b&gt; We asked co-founder David Gordon about this and he said: &quot;We use a high level SSL certification. User personal identifiable data is never stored on tru.ly servers. Third party accreditation is in process.&quot;&lt;/p&gt;

&lt;p&gt;To our knowledge tru.ly is the first company to offer such a service.  A March 2011 &lt;a href=&quot;http://www.nytimes.com/2011/03/12/technology/internet/12underage.html?pagewanted=all&quot; target=&quot;_blank&quot;&gt;estimate by ComScore&lt;/a&gt; surmised that 3.6 million of Facebook’s 153 million monthly visitors in the United States are under 12.  Facebook's terms of service require a minimum age of 14.  A large component of tru.ly's offering is an API (Application Programming Interface) that businesses can use to verify someone's identity.  If Facebook, Twitter, gambling, and adult content sites begin using the service, the internet may become a much safer place for kids.&lt;/p&gt;

&lt;p&gt;One complication with kids is raised when reviewing the tru.ly terms of service.  According to those terms, you must be at least 18 to be verified.  This leaves a four year gap between the Facebook policy and the tru.ly policy.&lt;/p&gt;
</description>
					<pubDate>Tue, 01 Nov 2011 23:05:59 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Authentication.20111101230559.news.MiddleCenter.html</guid>
                </item>

<item><title>Bloggtoppen.se 90000 Passwords Revealed </title>
                    <link>http://www.healthypasswords.com/Breach.Website.20111026070944.news.MiddleCenter.html</link>
<description>&lt;p&gt;&lt;img width=&quot;50%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/bloggtoppen.se.breach.password.wordcloud.png&quot; alt=&quot;Sweden Icon&quot;/&gt;Popular Swedish blogging site Bloggtoppen.se suffered a security breach compromising 90000 user passwords.  The attackers allegedly announced the password file details publicly using the compromised Twitter account of William Petzall, a former scandalized politician.&lt;/p&gt;

&lt;p&gt;The passwords were stored as unsalted MD5 hashes.  (For more on hashes, &lt;a href=&quot;/content.What_are_hashes_and_Rainbow_Tables.html&quot;&gt;see what hashes and rainbow tables are&lt;/a&gt;.) This means that users who had a strong password are less vulnerable than users with weak passwords.  Strong passwords have mixed case, special characters, 10+ character length, and no dictionary words (&lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_Qualities_of_a_Strong_Password.html&quot;&gt;see qualities of a strong password&lt;/a&gt;).  According to analysis by &lt;a href=&quot;https://www.dlitz.net/blog/2011/10/most-common-losenord/&quot; target=&quot;_blank&quot;&gt;dlitz.net&lt;/a&gt;, the most common password in the file was &quot;super123&quot;.  &lt;/p&gt;

&lt;pre&gt;
#1  (995): super123
#2  (141): hejsan
#3  (118): 123456
#4  (111):
#5  (102): hejhej
#6  (96) : bajskorv
#7  (93) : sommar
#8  (69) : hemligt
#10 (60) : blomma
#11 (54) : dinmamma
#12 (52) : cocacola
#13 (51) : stockholm
#14 (50) : johanna
#15 (45) : kalleanka
#16 (44) : sverige
#17 (43) : mammapappa
#18 (43) : amanda
#19 (43) : losenord
#20 (43) : apelsin
#21 (41) : qwerty
#22 (41) : sommarlov
#23 (40) : hundar
#24 (39) : smulan
#25 (38) : iloveyou
#26 (38) : lösenord
#27 (38) : password
#28 (37) : abc123
#29 (35) : internet
#30 (35) : fotboll
**Analysis credit: https://www.dlitz.net/blog/2011/10/most-common-losenord/
&lt;/pre&gt;

&lt;p&gt;According to a notice at the site:&lt;/p&gt;
&lt;pre&gt;
Blog Top is closed until further notice due to system maintenance alleged hacking.
Unknown perpetrators have come across the user database with user names, email addresses
 and hashed passwords, which means that if you, the user has used the same login 
information for other services on the web so likely these accounts to be hijacked. We 
recommend all users to immediately change passwords on all accounts use the same login 
information here.

Further information will come when we have had time to investigate and resolve the 
interference.
&lt;/pre&gt;

&lt;p&gt; If you ever had an account at Bloggtoppen.se, and reuse passwords at multiple sites, start changing passwords.  Always start with your email password and work back from there.  Follow Healthy Password rules when creating your new passwords.&lt;/p&gt;





</description>
					<pubDate>Wed, 26 Oct 2011 07:09:44 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Website.20111026070944.news.MiddleCenter.html</guid>
                </item>

<item><title>Order and Chaos Online Hacked</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111020094854.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;img width=&quot;25%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/OrderAndChaosBanner.png&quot; alt=&quot;Order and Chaos Banner&quot;/&gt; &lt;br/&gt;
According to &lt;a href=&quot;http://toucharcade.com/2011/10/19/order-its-a-good-idea-to-change-your-passwords/&quot; target=&quot;_blank&quot;&gt;TouchArcade.com&lt;/a&gt;, online gaming site, Order and Chaos, has been hacked.  &lt;/p&gt;

&lt;p&gt;Users of all versions, including Facebook and mobile, are reporting compromised accounts.  &lt;/p&gt;

&lt;p&gt;If you have ever used this site, or the Gameloft Live service, and share passwords between sites, change your passwords.  Start with email and work back from there.  As always, remember to follow healthy password rules.&lt;/p&gt;





</description>
					<pubDate>Thu, 20 Oct 2011 09:48:54 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111020094854.news.MiddleCenter.html</guid>
                </item>

<item><title>iPhone 4s Siri Bypasses Password Security</title>
                    <link>http://www.healthypasswords.com/Vulnerability.IOS.20111020090143.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;img width=&quot;20%&quot;  src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/iPhone4s.png&quot; alt=&quot;iPhone 4s&quot;/&gt;&lt;br/&gt;Graham Cluley of Sophos exposed a new iPhone vulnerability in a &lt;a href=&quot;http://nakedsecurity.sophos.com/2011/10/19/siri-iphone-4s-unlocked/&quot; target=&quot;_blank&quot;&gt;blog post&lt;/a&gt; yesterday. &lt;/p&gt;

&lt;p&gt;The vulnerability is with the new voice assistant Siri.  Siri will respond to any stranger while the phone is locked and bypasses some password security.&lt;/p&gt;

&lt;p&gt;Strangers can compose and send email, compose and send text messages, and change calendar entries.&lt;/p&gt;

&lt;p&gt;Fixing the problem is easy by navigating to &quot;Settings/General/Passcode Lock&quot; and changing the Siri setting to OFF.&lt;br/&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/iPhoneSiriPasswordLock.png&quot; alt=&quot;Siri Password Off&quot;/&gt;&lt;/p&gt;





</description>
					<pubDate>Thu, 20 Oct 2011 09:01:43 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.IOS.20111020090143.news.MiddleCenter.html</guid>
                </item>

<item><title>A New Way to Steal Smart Phone Passwords</title>
                    <link>http://www.healthypasswords.com/Exploits.IOS.20111018095419.news.MiddleCenter.html</link>
<description>&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/SmartPhoneImages.png&quot; alt=&quot;Smart Phone Collage&quot;/&gt;Researchers from Georgia Tech have found a way to triangulate your passwords by using your smart phone's accelerometer.  The accelerometer is the sensor that enables your phone's screen to re-orient itself when you turn the phone.  According to &lt;a href=&quot;http://www.technologyreview.com/computing/38913/?p1=A2&quot;&gt;an article in MIT Technology Review&lt;/a&gt;, it is possible for malware to determine your password with 80% accuracy when the password is entered with the device lying on a flat surface.&lt;/p&gt;

&lt;p&gt;You don't need to worry yet, but in the near future, it may be &quot;smart&quot; to only enter passwords into your smart phone while holding it in your not-so-steady hands.&lt;/p&gt;





</description>
					<pubDate>Tue, 18 Oct 2011 09:54:19 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Exploits.IOS.20111018095419.news.MiddleCenter.html</guid>
                </item>

<item><title>Fake Android Netflix App Steals Credentials</title>
                    <link>http://www.healthypasswords.com/Malware.Mining.20111013201302.news.MiddleCenter.html</link>
<description>&lt;p&gt;&lt;img width=&quot;15%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/AndroidNetflixAppPirate.png&quot; alt=&quot;Android Netflix Pirate&quot;/&gt;A new credential-stealing fake Android Netflix app is floating around.  The app looks nearly identical to the real one.  Instead of taking you to content, the app will just ask you to authenticate.  &lt;/p&gt;

&lt;p&gt;If you've recently installed the Netflix Android app and failed to see your content, get to Netflix right away and change your credentials.  Also change passwords at any other sites sharing that password.  Always start with your email and work down from there.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/AndroidNetflixAppCompare2.png&quot; alt=&quot;Fake Netflix Android Screen Comparison&quot;/&gt; Credit: &lt;a href=&quot;http://www.symantec.com/connect/blogs/will-your-next-tv-manual-ask-you-run-scan-instead-adjusting-antenna&quot;&gt;Symantec.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Netflix customers that are looking for a legitimate Android Application developed by Netflix, Inc. can find it on the official Android Market. Downloading from trusted sources is part of practicing good security for your mobile device.&lt;/p&gt;









</description>
					<pubDate>Thu, 13 Oct 2011 20:13:02 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Malware.Mining.20111013201302.news.MiddleCenter.html</guid>
                </item>

<item><title>BlueHomes.com breached over 150,000 plain text passwords exposed</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111012232356.news.MiddleCenter.html</link>
<description>&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/bluehomes.png&quot; alt=&quot;bluehomes.com logo&quot;/&gt; Over 150,000 plain text passwords and usernames were breached from popular European properties site bluehomes.com.  The hacker posted a link to the dump on pastebin yesterday.  The hacker claims the dump contains more than 500,000 passwords, but our best estimate is more like 150,000.&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;50%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/bluehomes_wordcloud.png&quot; alt=&quot;bluehomes.com wordcloud&quot;/&gt; *Wordcloud credit &lt;a href=&quot;http://www.wordle.net&quot; target=&quot;_blank&quot;&gt;wordle.net&lt;/a&gt;&lt;br/&gt;*Note: purely numeric passwords were omitted.&lt;/p&gt;

&lt;p&gt;In addition to usernames and passwords, the dump also includes over 80 megabytes of sensitive customer, employee and infrastructure data.  &lt;/p&gt;





</description>
					<pubDate>Wed, 12 Oct 2011 23:23:56 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111012232356.news.MiddleCenter.html</guid>
                </item>

<item><title>Patch Tuesday Again</title>
                    <link>http://www.healthypasswords.com/Patches.Microsoft.20111012195437.news.MiddleCenter.html</link>
<description>&lt;p&gt;Windows users need to remember to check that Windows updated last night, or to do so sometime in the next day or two.  This Patch Tuesday, Apple also released an iTunes patch for Windows.  To get the iTunes patch, run iTunes.  &lt;/p&gt;

&lt;p&gt;The best reference for seeing what's included in Patch Tuesday is &lt;a href=&quot;http://krebsonsecurity.com/2011/10/critical-security-updates-from-microsoft-apple/&quot; target=&quot;_blank&quot;&gt;Krebsonsecurity.com&lt;/a&gt;.&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/PatchTuesdayOct.png&quot; alt=&quot;Windows 7 64bit with Office 2010 update Screen&quot;/&gt;

&lt;p&gt;Corporate users may not see update notifications.  For more on how to update your Windows system, see &lt;a href=&quot;http://www.healthypasswords.com/content.How_to_Check_Windows_Update.html&quot;&gt; http://www.healthypasswords.com/content.How_to_Check_Windows_Update.html &lt;/a&gt;. &lt;/p&gt;




</description>
					<pubDate>Wed, 12 Oct 2011 19:54:37 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Patches.Microsoft.20111012195437.news.MiddleCenter.html</guid>
                </item>

<item><title>WineHQ breach exposes contributor usernames and passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111012100851.news.MiddleCenter.html</link>
<description>&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/WineHQWebsite.png&quot; alt=&quot;WineHQ Website Banner&quot;/&gt; WineHQ is a website supporting Wine.  Wine lets users run Windows software on other operating systems. With Wine, users can install and run these applications just like they would in Windows.&lt;/p&gt;

&lt;p&gt;According to &lt;a href=&quot;http://www.thinq.co.uk/2011/10/12/winehq-breached-passwords-downloaded/&quot; target=&quot;_blank&quot;&gt;thinq.co.uk&lt;/a&gt;, &quot;This means that they have all of those emails, as well as the passwords,&quot; Jeremy White of project organiser CodeWeavers confirms in his mailing list post. &quot;The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.&quot;&lt;/p&gt;

&lt;p&gt;This breach will impact a narrow band of technical users, who hopefully know better than to share usernames and passwords between sites.&lt;/p&gt;

</description>
					<pubDate>Wed, 12 Oct 2011 10:08:51 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111012100851.news.MiddleCenter.html</guid>
                </item>

<item><title>Sony breach impacts 93000 users</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111012095542.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/PlaystationNetwork.png&quot; alt=&quot;Playstation Protection Logo&quot;/&gt;

Sometime between October 7 and October 10, the Sony PlayStation Network detected a high volume of unauthorized login attempts.   Sony locked about 93,000 accounts for which the attempts succeeded in matching a valid ID and password.&lt;/p&gt;

&lt;p&gt;Sony sent email notifications and password reset procedures to the affected account holders.  Sony reports that no credit card data was taken.&lt;/p&gt;

&lt;p&gt;If you have been notified by Sony, or hold a PlayStation Network account, change your password there and at any other site where you use the same username and password.  Always start with your email account: email is the first target after any breach, because the password resets for every other account flow through it.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Update 2011-10-12 16:30 GMT&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;According to recent reports, the usernames and passwords used against the Sony network were not obtained from Sony, but from another source.  &lt;/p&gt;

&lt;p&gt;In the April breach, Sony was criticized for taking weeks to notify users.  This time Sony may have notified users with too little information.  Sony appears to be the target and not the source: the attacker replayed credentials stolen elsewhere, which only works against users who reuse the same password across sites.  PlayStation users should still take precautions and change passwords.  Hopefully Sony will share the attempted email addresses with security researchers, who can match them against known breach lists to determine the source.&lt;/p&gt;
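&lt;p&gt;The two checks suggested above, spotting the &quot;high volume of unauthorized logins&quot; shape in a login log and matching the attempted accounts against a known breach list, as an added Python example.  This is not code from Sony or from this site; the log layout, the addresses, the IP addresses and the breach list are all constructed for the example.&lt;/p&gt;

```python
from collections import defaultdict

# Constructed login log in a made-up 'timestamp src_ip account result' layout.
# The IPs are documentation ranges and the addresses are invented; nothing here is Sony data.
SAMPLE_LOG = '''
2011-10-08T02:14:05Z 203.0.113.7 alice@example.com FAIL
2011-10-08T02:14:06Z 203.0.113.7 bob@example.com FAIL
2011-10-08T02:14:06Z 203.0.113.7 carol@example.com SUCCESS
2011-10-08T02:14:07Z 203.0.113.7 dan@example.com FAIL
2011-10-08T02:14:08Z 203.0.113.7 erin@example.com FAIL
2011-10-08T02:14:09Z 203.0.113.7 frank@example.com FAIL
2011-10-08T02:20:00Z 198.51.100.9 gina@example.com FAIL
2011-10-08T02:20:01Z 198.51.100.9 gina@example.com FAIL
2011-10-08T02:20:02Z 198.51.100.9 gina@example.com FAIL
2011-10-08T02:20:03Z 198.51.100.9 gina@example.com FAIL
2011-10-08T02:20:04Z 198.51.100.9 gina@example.com FAIL
2011-10-08T02:20:05Z 198.51.100.9 gina@example.com SUCCESS
2011-10-08T03:00:00Z 192.0.2.44 henry@example.com SUCCESS
'''

# Constructed stand-in for a third-party breach list (the 'other source' mentioned above).
KNOWN_BREACH_ACCOUNTS = {
    'alice@example.com', 'bob@example.com', 'dan@example.com',
    'erin@example.com', 'zed@example.net',
}


def parse_log(text):
    """Return (timestamp, src_ip, account, succeeded) tuples, one per log line."""
    events = []
    for line in text.strip().splitlines():
        timestamp, src_ip, account, result = line.split()
        events.append((timestamp, src_ip, account.lower(), result == 'SUCCESS'))
    return events


def profile_sources(events):
    """Per source IP: total attempts, failures, and the set of distinct accounts tried."""
    stats = defaultdict(lambda: {'attempts': 0, 'failures': 0, 'accounts': set()})
    for _, src_ip, account, succeeded in events:
        entry = stats[src_ip]
        entry['attempts'] += 1
        entry['accounts'].add(account)
        if not succeeded:
            entry['failures'] += 1
    return stats


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Credential stuffing looks like one source trying many different accounts, mostly
    failing (one stolen password per account). One account hit many times is brute force
    and is deliberately not returned here. Returns {src_ip: sorted accounts tried}."""
    flagged = {}
    for src_ip, entry in profile_sources(events).items():
        fail_ratio = entry['failures'] / entry['attempts']
        if len(entry['accounts']) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[src_ip] = sorted(entry['accounts'])
    return flagged


def breach_overlap(accounts, breach_list):
    """Fraction of the attempted accounts that appear in a known breach list. A high value
    says the attacker's list came from somewhere else, not from this service."""
    accounts = set(accounts)
    return len(accounts.intersection(breach_list)) / len(accounts)


if __name__ == '__main__':
    events = parse_log(SAMPLE_LOG)
    for src_ip, accounts in find_stuffing_sources(events).items():
        overlap = breach_overlap(accounts, KNOWN_BREACH_ACCOUNTS)
        print(src_ip, 'tried', len(accounts), 'accounts;',
              '%.0f%% of them are in the known breach list' % (100 * overlap))
```

&lt;p&gt;The stuffing signature is one source trying many different accounts with mostly failures, as opposed to a brute-force attack that hammers a single account.  A high overlap between the attempted accounts and a known breach list says the attacker brought the credentials from elsewhere, which is the &quot;target, not source&quot; conclusion above.&lt;/p&gt;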

&lt;p&gt;&lt;em&gt;References&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/&quot; target=&quot;_blank&quot;&gt;Playstation blog entry&lt;/a&gt;&lt;/p&gt;
</description>
					<pubDate>Wed, 12 Oct 2011 09:55:42 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111012095542.news.MiddleCenter.html</guid>
                </item>

<item><title>Only 38% of account holders know how their account was compromised</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111007161545.news.MiddleCenter.html</link>
                    <description>&lt;img width='25%' src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/webmail_compromise_wordcloud.png&quot; alt=&quot;webmail target word cloud&quot;/&gt;

&lt;p&gt;According to &lt;a href=&quot;http://www.commtouch.com/state-of-hacked-accounts&quot; target=&quot;_blank&quot;&gt;recent research by Commtouch&lt;/a&gt;, a messaging and Web security technology company, few account holders ever find out how their account was compromised.  More alarming, 23% of compromised account holders did nothing to remedy the problem. &lt;/p&gt;

&lt;p&gt;How was your account compromised?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;62% - Not sure&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;15% - Clicked Facebook Link&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;15% - Public WiFi&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;4% - Clicked on an Email Virus&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Only one in eight compromised email accounts resulted in the classic &quot;I'm stuck in a foreign country please send money&quot; message to friends.&lt;/p&gt;

&lt;p&gt;What was done with your Hacked account?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;54% - Send Spam&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;23% - Not Sure&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;12% - Scams&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;8% - Phony facebook post&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;How did you hear your account was hacked?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;54% - Friends told me&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;31% - Noticed Myself&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;15% - Official Email from Provider&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;How did you fix your hacked account?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;65% - Changed Password&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;31% - Ran Anti-Virus&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;23% - Did Nothing&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;








</description>
					<pubDate>Fri, 07 Oct 2011 16:15:45 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111007161545.news.MiddleCenter.html</guid>
                </item>

<item><title>Unijobs.com.au hack exposes over 600 passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Website.20111007091010.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/unijobs-dot-com-dot-au_logo.png&quot; alt=&quot;Unijobs.com.au logo&quot;/&gt;

The popular Australian university job website UniJobs.com.au was hacked.  &lt;/p&gt;

&lt;p&gt;The usernames (email addresses) and hashed passwords (&lt;a href=&quot;/content.What_are_hashes_and_Rainbow_Tables.html&quot;&gt;what are password hashes?&lt;/a&gt;) were posted on pastebin yesterday at &lt;a href=&quot;http://pastebin.com/Nrd8MaKD&quot; target=&quot;_blank&quot;&gt;http://pastebin.com/Nrd8MaKD&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The post included the MD5 hashes and, for the ones already cracked, the plain-text passwords.  Most of the passwords in the list appeared to be the initial system-generated passwords: mostly six characters of mixed-case letters and numbers.  Several dozen entries were real, user-chosen passwords.  Those users are the ones most likely to have reused the same password elsewhere, and so to have other accounts at risk.  Plain MD5 like this carries no salt, so an attacker can hash each guess once and check it against every account in the list at the same time.&lt;/p&gt;

&lt;p&gt;The post showed only 629 of the 780 hashes cracked, which appears to be how far the cracking had got when the post was made.  Most likely the rest of the list has been cracked by now.&lt;/p&gt;

&lt;p&gt;Because these posts quickly disappear from pastebin, we have posted just the email addresses &lt;a href=&quot;/content.unijobs_dot_com_dot_au_password_pastebin_email_addresses.html&quot;&gt;here &lt;/a&gt;.&lt;/p&gt;
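&lt;p&gt;What &quot;cracked&quot; means for a list like this one, and for the WineHQ password dump above, as an added Python example that is not code from this site or from the people who posted the list: a constructed dump in the same email:md5 layout is run first through a small wordlist and then through an exhaustive search of a short keyspace.  Every address, password and wordlist entry here is invented for the example.&lt;/p&gt;

```python
import hashlib
import itertools
import string


def md5_hex(text):
    return hashlib.md5(text.encode('utf-8')).hexdigest()


# Constructed stand-in for the leaked list, in the same email:md5 layout the pastebin post used.
# Addresses and passwords are invented; the hashes are computed from them at import time.
CONSTRUCTED_ENTRIES = [
    ('alice@example.edu', 'password'),  # weak, human-chosen
    ('bob@example.edu', '123456'),      # weak, human-chosen, and in every wordlist
    ('carol@example.edu', '7391'),      # short enough for the exhaustive search below
    ('dave@example.edu', 'Xk3pQ9'),     # six-character system-generated style; survives this run
]
SAMPLE_DUMP = '\n'.join(email + ':' + md5_hex(password) for email, password in CONSTRUCTED_ENTRIES)

WORDLIST = ['letmein', 'password', 'qwerty', '123456', 'welcome']  # constructed, tiny


def parse_dump(text):
    """Index the dump as {md5_hex: [emails]} so each candidate is looked up once for all accounts."""
    index = {}
    for line in text.strip().splitlines():
        email, digest = line.rsplit(':', 1)
        index.setdefault(digest.strip().lower(), []).append(email.strip())
    return index


def crack(index, candidates):
    """Hash every candidate once and match it against the whole list. Unsalted MD5 makes this
    work: identical passwords hash to identical values, so 780 accounts cost no more than one."""
    found = {}
    for candidate in candidates:
        for email in index.get(md5_hex(candidate), []):
            found[email] = candidate
    return found


def exhaustive(charset, length):
    """Every string of the given length over charset, for brute-forcing short passwords."""
    return (''.join(chars) for chars in itertools.product(charset, repeat=length))


def keyspace(charset_size, length):
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, hashes_per_second):
    """Worst-case time to try the whole keyspace at a given MD5 rate (a planning number, not a benchmark)."""
    return keyspace(charset_size, length) / hashes_per_second


if __name__ == '__main__':
    index = parse_dump(SAMPLE_DUMP)
    cracked = crack(index, WORDLIST)
    cracked.update(crack(index, exhaustive(string.digits, 4)))
    for email, password in sorted(cracked.items()):
        print(email, password)
    print('uncracked:', [e for emails in index.values() for e in emails if e not in cracked])
    print('six mixed-case alphanumerics: %d candidates, %.0f seconds at 1e9 MD5/s'
          % (keyspace(62, 6), seconds_to_exhaust(62, 6, 1e9)))
```

&lt;p&gt;The whole list is cracked in one pass because the hashes are unsalted: each guess is hashed once and looked up against every account at the same time.  The keyspace helper shows why the system-generated six-character passwords do not last long either: 62 characters to the sixth power is about 57 billion candidates, which a single GPU running MD5 at billions of hashes per second exhausts in under a minute.&lt;/p&gt;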






</description>
					<pubDate>Fri, 07 Oct 2011 09:10:10 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Website.20111007091010.news.MiddleCenter.html</guid>
                </item>

<item><title>Associated Press-MTV poll finds 3 in 10 teens and young adults impersonated online</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20111006095437.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://www.google.com/hostednews/ap/article/ALeqM5g1fEjazyzv-eNFrIVgX64hHzHHeg?docId=c42f19aa2f7749b6a78a6cf88dbaa2ad&quot; target=&quot;_blank&quot;&gt; the Associated Press&lt;/a&gt;, a new Associated Press / MTV poll found that 3 of 10 teens reported being impersonated or monitored online.&lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/AP-MTV-YouthHackingPoll010.png&quot; alt=&quot;poll two-thirds of those who had been hacked said at some point they've changed their password&quot;/&gt;

&lt;p&gt;In the AP-MTV poll, two-thirds of those who had been hacked said at some point they've changed their password in response to digital abuse. 46 percent have altered their email address, screen name or phone number, and 25 percent have deleted a social networking profile.&lt;/p&gt;

&lt;p&gt;The poll cites several cases where roommates or friends impersonated each other as pranks.  In two cited cases, the incidents were considered harmless and fun.  In other cited cases, the intent appears cruel.  &lt;/p&gt;

&lt;p&gt;In our opinion the 3 in 10 number may not translate the same for adults.  Adults don't typically room together in dorms or hang out in friends' bedrooms, where access to open browser sessions or saved logins is easy.  For most adults, the biggest equivalent risk is leaving a laptop open or a desktop unlocked at work.  The lesson everyone should take away from this poll is not to save logins for convenience, and to follow healthy password practices.&lt;/p&gt;


</description>
					<pubDate>Thu, 06 Oct 2011 09:54:37 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20111006095437.news.MiddleCenter.html</guid>
                </item>

<item><title>Why Would Anyone Want My Password?</title>
                    <link>http://www.healthypasswords.com/Breach.Authentication.20111005093737.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;We talk to a lot of different people about passwords every day.  Most users always say, &quot;Who would want my password?&quot;.  We then explain how most people share passwords and a compromised email can compromise other more important accounts.  Sadly, most people don't get it until it happens to them.&lt;/p&gt;

&lt;p&gt; &lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/PayPal_blackmarket.png&quot; alt=&quot;Courtesy Krebsonsecurity.com&quot;/&gt;
&lt;br&gt;Image Credit: Krebsonsecurity.com&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://krebsonsecurity.com/2011/10/how-much-is-that-phished-paypal-account/&quot; target=&quot;_blank&quot;&gt;This recent report from Brian Krebs&lt;/a&gt; shows how your compromised information gets sold.  These online marketplaces exist for every type of credential: credit cards, online payment accounts, email accounts, social networking accounts, and more.&lt;/p&gt;

&lt;p&gt;Don't wait until it's too late.  Create a password strategy, review and adjust it twice a year.&lt;/p&gt;


</description>
					<pubDate>Wed, 05 Oct 2011 09:37:37 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Authentication.20111005093737.news.MiddleCenter.html</guid>
                </item>

<item><title>Passmywill.com figures out when you die</title>
                    <link>http://www.healthypasswords.com/Estate.Authentication.20111003132035.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;
A new website from Russia, passmywill.com, will keep all your encrypted passwords and monitor your social networking feeds to figure out when you expire.
&lt;/p&gt;

&lt;p&gt;
This &lt;a href=&quot;http://techcrunch.com/2011/10/02/passmywill-is-a-will-for-your-online-assets-and-passwords/&quot; target=&quot;_blank&quot;&gt; Techcrunch Interview&lt;/a&gt; with founder, Danil Kozyatnikov gives more details on the service.
&lt;/p&gt;

&lt;p&gt;
Any service offering to keep all your online credentials should be viewed skeptically.  According to the interview, the site only keeps your encrypted data, but in our opinion the website itself raises some security flags.  We briefly looked at the site and found a few warning signs:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;The site does not use a secure (HTTPS) connection, yet it suggests that users enter Social Security and credit card numbers, which would then travel across the network in the clear.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;The site suggests using a Social Security number or credit card number as the encryption key.  We didn't dig into the page to see whether that data stayed local or went back to the server, but either way a nine-digit number makes a very weak key: there are only about a billion possible values, so anything encrypted under it can be brute-forced offline.  And as a general rule, unless you are applying for credit you should never put your Social Security number into a web page.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;The site asks you to save a plain-text email body to be sent when you die, and again suggests using the Social Security or credit card number.&lt;/p&gt;&lt;/li&gt;

&lt;/ol&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/PassMyWill.dot.com.png&quot; alt=&quot;Passmywill.com configure page image&quot;/&gt;






</description>
					<pubDate>Mon, 03 Oct 2011 13:20:35 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Estate.Authentication.20111003132035.news.MiddleCenter.html</guid>
                </item>

<item><title>ElcomSoft Password Recovery Tool Recovers Blackberry Passwords</title>
                    <link>http://www.healthypasswords.com/Hacking-Tools.Authentication.20110930064438.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to a &lt;a href=&quot;http://www.prnewswire.com/news-releases/elcomsoft-recovers-blackberry-device-passwords-130767498.html&quot; target=&quot;_blank&quot;&gt;press release&lt;/a&gt; by Elcomsoft Co. Ltd. on 9/29/2011, their  Phone Password Breaker software may be able to recover your blackberry password.&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/ElcomSoftPhonsePasswordRetailBox.png&quot; alt=&quot;Elcomsoft retail box image&quot;/&gt;

&lt;p&gt; A BlackBerry normally allows only ten password tries before wiping its data.  ElcomSoft exploits the user-selectable option to encrypt media card data with the device's &quot;Security Password&quot;, which encrypts the media card with the same password as the phone.  The software then bypasses the BlackBerry operating system entirely and runs a brute-force attack against a copy of the memory card, where the ten-try limit does not apply, instead of against the phone.  The lockout counter only protects against guessing through the phone; once an attacker has an offline copy of encrypted data, only the length and quality of the password stand in the way.  According to ElcomSoft, a typical 7-character password can be cracked in less than an hour. &lt;/p&gt;

&lt;p&gt;According to the ElcomSoft &lt;a href=&quot;http://www.elcomsoft.com/eppb.html&quot; target=&quot;_blank&quot;&gt;website&lt;/a&gt;, the password recovery tool also works on Apple iOS platforms, including iPhone, iPad and iPod Touch devices of all generations released to date, including the latest iPhone 4 and iOS 4.3.&lt;/p&gt;

&lt;p&gt;North American Home users may purchase the software for $79.00.  A Professional license is $199.00&lt;/p&gt;



</description>
					<pubDate>Fri, 30 Sep 2011 06:44:38 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hacking-Tools.Authentication.20110930064438.news.MiddleCenter.html</guid>
                </item>

<item><title>UKChatterbox Users Urged to Change Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Website.20110928113639.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;The popular UK chat site, &lt;a href=&quot;http://www.ukchatterbox.co.uk/article/170&quot;&gt; UKChatterbox.co.uk &lt;/a&gt;, is urging users to change passwords.  &lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/ukchatterbox.png&quot; alt=&quot;ukchatterbox banner&quot;/&gt;

&lt;p&gt;The site reports:&lt;/p&gt;

&lt;div class=&quot;Indented&quot;&gt;
&lt;p&gt;The UKChatterbox website has recently been the target of several attacks intended to disrupt services, and as part of an ongoing security update, all UKChatterbox users are being asked to change their passwords as a precautionary measure.&lt;/p&gt;
&lt;/div&gt;

&lt;p&gt;UKChatterbox has not disclosed any breach, but the mere fact that they are asking for the change means you should treat your previous password as if a breach had occurred.  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Change any other sites using the same password&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Create a password unique to this site&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href=&quot;/content.Healthy_Passwords_Qualities_of_a_Strong_Password.html&quot;&gt;Create a strong password&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;


</description>
					<pubDate>Wed, 28 Sep 2011 11:36:39 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Website.20110928113639.news.MiddleCenter.html</guid>
                </item>

<item><title>Council on Government Ethics Laws COGEL.ORG Breached</title>
                    <link>http://www.healthypasswords.com/Breach.Website.20110927194452.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;
The Council on Governmental Ethics Laws (cogel.org) was breached today, and what is claimed to be its entire Drupal database was posted on &lt;a href=&quot;http://pastebin.com/xK41pxem&quot; target=&quot;_blank&quot;&gt;pastebin&lt;/a&gt;.  We have not analyzed the database, but it supposedly holds the entire site's content.  If you have an ID at COGEL.ORG, treat its password as compromised and change it at any other site sharing the same password.
&lt;/p&gt;

</description>
					<pubDate>Tue, 27 Sep 2011 19:44:52 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Website.20110927194452.news.MiddleCenter.html</guid>
                </item>

<item><title>Middle School Sleep-over Facebook Hijacking</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Passwords.20110924093651.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;A &lt;a href=&quot;http://www.lohud.com/article/20110924/NEWS04/109240353/Kent-girls-harass-friend-10-make-lewd-posts-her-Facebook-account?odyssey=mod|newswell|text|News|p&quot;&gt;lohud.com article&lt;/a&gt; from Kent, NY hit home the need to teach kids password safety.  &lt;/p&gt;

&lt;p&gt;The most important lessons kids learn are usually from parents and grandparents.  What kid hasn't learned to not take candy from a stranger by the time they are four?  At what age are kids taught to not share passwords?  Are kids ever taught to log out of Facebook before a sleep-over?  Kids are rarely taught these things.  Because parents and grandparents do not understand password security, and schools rarely put much more than the qualities of a strong password into their curriculum.  Kids are left to learn passwords the hard way.  As this 10 year old girl learned the hard way.&lt;/p&gt;

&lt;p&gt;According to Kent Police, on September 9th, a 10 year old girl hosted a sleep over for about 10 5th and 6th grade girls.  An 11 year old accessed the girls facebook account, changed the password, sent out salacious comments and signed the girl up for dating services.&lt;/p&gt;

&lt;p&gt;The incident was discovered the next day when the victim's father, who monitors her Facebook activity, got a message that his daughter's password had been changed, then started getting angry phone calls from other parents about the posts. Because the 11-year-olds also signed up the victim for dating services, so she was getting messages from men, police said.&lt;/p&gt;

&lt;p&gt;The details of how the password was obtained is unclear.  It's most likely that the girl had set the checkbox to save the password, granting access to anyone with physical access to the computer.&lt;/p&gt;

&lt;p&gt;Parents take note that the minimum age to join facebook is 13.  &lt;/p&gt;
</description>
					<pubDate>Sat, 24 Sep 2011 09:36:51 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Passwords.20110924093651.news.MiddleCenter.html</guid>
                </item>

<item><title>Lastpass Offering Students Free Six Month Premium Service</title>
                    <link>http://www.healthypasswords.com/Authentication.Third-Party.20110923200730.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Lastpass just announced on their blog six month free premium use to University Students.  For a limited time, students with a valid university email address can go to lastpass.com/edu to upgrade their LastPass account.
&lt;/p&gt;
&lt;img src=&quot;http://4.bp.blogspot.com/-Vqqd-4G_4zY/Tnjh2ts7LOI/AAAAAAAAArk/oynwRqNjjMs/s1600/ZUkW2.png&quot;/&gt;

&lt;p&gt;Full details can be found at &lt;a href=&quot;http://blog.lastpass.com/2011/09/free-6-months-premium-for-all.html&quot;&gt; http://blog.lastpass.com/2011/09/free-6-months-premium-for-all.html&lt;/a&gt;&lt;/p&gt;


</description>
					<pubDate>Fri, 23 Sep 2011 20:07:30 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Third-Party.20110923200730.news.MiddleCenter.html</guid>
                </item>

<item><title>Fire Someone Lately? Change Your Password!</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Passwords.20110922103925.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;a href=&quot;http://walyou.com/social-media-ghost-writing/&quot; target=&quot;_blank&quot;&gt; walyou.com &lt;/a&gt; details  an individual with 50,000+ twitter followers who fired one his ghost writers.  He did not change the Twitter password, and the fired ghost writer started tweeting embarrassing comments after having a few drinks.&lt;/p&gt;


</description>
					<pubDate>Thu, 22 Sep 2011 10:39:25 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Passwords.20110922103925.news.MiddleCenter.html</guid>
                </item>

<item><title>Microsoft Patents Sketch Based Passwords</title>
                    <link>http://www.healthypasswords.com/Authentication.Microsoft.20110921094404.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Yesterday Microsoft was awarded patent &lt;a href=&quot;http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&amp;Sect2=HITOFF&amp;d=PALL&amp;p=1&amp;u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&amp;r=1&amp;f=G&amp;l=50&amp;s1=8,024,775.PN.&amp;OS=PN/8,024,775&amp;RS=PN/8,024,775&quot;&gt;United States Patent #8,024,775&lt;/a&gt; for sketch based passwords.  This patent had been applied for in 2008, Two years after first revealing their first incarnation of picture passwords.&lt;/p&gt;

&lt;p&gt;According to the patent abstract, this patent covers: &quot;A graphical password authentication method is based on sketches drawn by user. The method extracts a template edge orientation pattern from an initial sketch of the user and an input edge orientation pattern from an input sketch of the user, compares the similarity between the two edge orientation patterns, and makes an authentication decision based on the similarity.&quot;&lt;/p&gt;

&lt;p&gt;This patent covers more than what has been revealed in the latest Windows 8 UMPC development.  For more information on picture passwords, see &lt;a href=&quot;http://www.healthypasswords.com/news.Microsoft_Improves_Picture_Passwords_in_Windows_8.html&quot;&gt;Microsoft Improves Picture Passwords in Windows 8&lt;/a&gt;&lt;/p&gt;
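&lt;p&gt;A toy version of the idea in the abstract, as an added Python example that is not Microsoft's implementation and is not taken from the patent: a sketch is reduced to a length-weighted histogram of its stroke directions (standing in for the &quot;edge orientation pattern&quot;), and a login sketch is accepted when its histogram is similar enough to the one stored at enrolment.  The bin count, the similarity measure, the threshold and the sample sketches are all assumptions made for the example.&lt;/p&gt;

```python
import math

BINS = 8  # stroke directions quantised into 45-degree sectors (an assumption for this toy)


def orientation_pattern(points):
    """Length-weighted histogram of segment directions for a polyline sketch, normalised to
    sum to 1. Only directions are used, so moving or scaling the sketch leaves it unchanged."""
    histogram = [0.0] * BINS
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        dx, dy = x1 - x0, y1 - y0
        length = math.hypot(dx, dy)
        if length == 0:
            continue
        angle = math.degrees(math.atan2(dy, dx)) % 360
        histogram[round(angle / (360 / BINS)) % BINS] += length
    total = sum(histogram)
    return [h / total for h in histogram] if total else histogram


def similarity(pattern_a, pattern_b):
    """Cosine similarity: 1.0 for identical patterns, 0.0 when they share no direction."""
    dot = sum(a * b for a, b in zip(pattern_a, pattern_b))
    norm = math.sqrt(sum(a * a for a in pattern_a)) * math.sqrt(sum(b * b for b in pattern_b))
    return dot / norm if norm else 0.0


def enroll(points):
    """Template stored at enrolment. Note it is not a hash: it has to be protected as a secret."""
    return orientation_pattern(points)


def verify(template, points, threshold=0.9):
    """Accept the login sketch when its pattern is at least threshold-similar to the template."""
    return similarity(template, orientation_pattern(points)) >= threshold


# Constructed sketches as (x, y) points for the example, not real user data.
SQUARE = [(0, 0), (10, 0), (10, 10), (0, 10), (0, 0)]
SQUARE_MOVED_AND_SCALED = [(5, 5), (25, 5), (25, 25), (5, 25), (5, 5)]
SQUARE_SHAKY = [(0, 0), (10, 1), (11, 10), (1, 11), (0, 1)]
DIAGONAL = [(0, 0), (10, 10)]

if __name__ == '__main__':
    template = enroll(SQUARE)
    for name, sketch in (('moved and scaled', SQUARE_MOVED_AND_SCALED),
                         ('shaky', SQUARE_SHAKY), ('diagonal', DIAGONAL)):
        print(name, 'similarity %.3f' % similarity(template, orientation_pattern(sketch)),
              'accepted' if verify(template, sketch) else 'rejected')
```

&lt;p&gt;Two things a practitioner would note.  Because matching is by similarity rather than equality, the stored template cannot be protected with a one-way hash the way a password can, so the template itself becomes a secret to guard.  And the threshold trades false rejects against false accepts: a plain square is also easy for an attacker to guess, which is why the drawing, not just its rough shape, has to carry the entropy.&lt;/p&gt;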

</description>
					<pubDate>Wed, 21 Sep 2011 09:44:04 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Microsoft.20110921094404.news.MiddleCenter.html</guid>
                </item>

<item><title>OS-X Lion Gets A Second Black Eye</title>
                    <link>http://www.healthypasswords.com/OS-X.Authentication.20110920095707.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;a href=&quot;http://reviews.cnet.com/8301-13727_7-20108261-263/os-x-lion-passwords-can-be-changed-by-any-local-user/&quot; target=&quot;_blank&quot;&gt;CNet details&lt;/a&gt; a new vulnerability in the newest OS-X verstion, Lion.  This vulnerability allows anyone with terminal access to your OS-X instance (Locally or remotely) to change any password on the system by issuing a simple command:&lt;br/&gt;
&lt;br/&gt;dscl localhost -passwd /Search/Users/USERNAME
&lt;/p&gt;

&lt;p&gt; As long as the flaw is unpatched, fully protecting your system is impossible, but you can greatly reduce the exposure by disabling SSH (Remote Login), disabling automatic login, requiring a password on wake from screensaver and sleep, and disabling the guest account.  The original CNet article has details on most of these.&lt;/p&gt;


&lt;p&gt;OS-X Lion's first black eye was the one described in &lt;a href=&quot;news.Apple_OS-X_Lion_Still_Exposes_All_Enterprise_LDAP_Resources.html&quot;&gt;Apple OS-X Lion Still Exposes All Enterprise LDAP Resources&lt;/a&gt;.  This new vulnerability is also related to the directory service (LDAP) changes made in Lion.&lt;/p&gt;



</description>
					<pubDate>Tue, 20 Sep 2011 09:57:07 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/OS-X.Authentication.20110920095707.news.MiddleCenter.html</guid>
                </item>

<item><title>Patch Tuesday Again</title>
                    <link>http://www.healthypasswords.com/Patches.Microsoft.20110914092837.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Windows users need to remember to check that windows updates sometime over the next day or two.  The number of updates varies by OS.  Most users will see three or more updates available.  One Windows 7, 64 bit system with office 2010 at our office, showed the following update notification:&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/PatchTuesdaySept.png&quot; alt=&quot;Windows 7 64bit with Office 2010 update Screen&quot;/&gt;

&lt;p&gt;Corporate users may not see update notifications.  For more on how to update your Windows system, see &lt;a href=&quot;http://www.healthypasswords.com/content.How_to_Check_Windows_Update.html&quot;&gt; http://www.healthypasswords.com/content.How_to_Check_Windows_Update.html &lt;/a&gt;. &lt;/p&gt;

</description>
					<pubDate>Wed, 14 Sep 2011 09:28:37 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Patches.Microsoft.20110914092837.news.MiddleCenter.html</guid>
                </item>

<item><title>Mixed Case Facebook Passwords work With or Without Caps Lock</title>
                    <link>http://www.healthypasswords.com/Facebook.Passwords.20110914083650.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;&lt;a href=&quot;http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612?tag=search-results-rivers;item1&quot; target=&quot;_blank&quot;&gt;Emil Protalinski at ZDNET&lt;/a&gt; made an interesting discovery the other day when logging into facebook.  He found that his mixed case password still worked when caps lock was on. &lt;p&gt;

&lt;p&gt;After breaking the story, Emil Protalinski interviewed Fred Wolens at the Facebook PR security team and confirmed this is by design.  He learned there three possible combinations to authenticate with facebook:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Your original Password&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Your original password with the first letter capitalized (this covers mobile devices which automatically change the first letter to upper-case)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Your original password with the case reversed (this covers accidental caps-lock use)&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;According to Wolens, this doesn't impact security.  We disagree.  Every guess an attacker submits is now checked against up to three strings instead of one, so in simple terms a mixed-case password made only of letters becomes twice as easy to crack: the attacker needs half as many guesses to be sure of hitting it.  Adding numbers and special characters makes the password harder in absolute terms, because the keyspace grows, but the relief Facebook grants still roughly halves the attacker's work.  &lt;/p&gt;
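&lt;p&gt;To make the &quot;twice as easy&quot; estimate precise, here is an added Python example (not code from Facebook or ZDNet) that reproduces the three accepted forms of a password and then computes, for a small alphabet, the smallest number of guesses that is guaranteed to hit every possible password.  The acceptance rule follows the three cases Wolens described; the alphabets and lengths are constructed for the example.&lt;/p&gt;

```python
import itertools
from collections import deque


def accepted_variants(password):
    """The three strings Facebook accepts for a stored password, per the ZDNet report:
    the password itself, the password with its first letter capitalised, and the
    password with every letter's case reversed. Returned as a set, so a password whose
    first letter is already upper case has only two distinct forms."""
    return {password, password[:1].upper() + password[1:], password.swapcase()}


def guesses_matching(keyspace):
    """Map each possible guess to the set of passwords it would be accepted for."""
    matched = {}
    for password in keyspace:
        for guess in accepted_variants(password):
            matched.setdefault(guess, set()).add(password)
    return matched


def smallest_cover(group, matched):
    """Fewest guesses whose accepted sets together cover every password in the group.
    Groups are tiny (at most four passwords), so an exact search is cheap."""
    for size in range(1, len(group) + 1):
        for combo in itertools.combinations(sorted(group), size):
            covered = set().union(*(matched.get(guess, set()) for guess in combo))
            if covered.issuperset(group):
                return size
    return len(group)


def min_guesses_to_cover(alphabet, length):
    """Return (number of passwords, minimum guesses guaranteed to hit all of them) for every
    password of the given length over the alphabet. The alphabet must contain both cases of
    any letter it contains, so that every accepted variant is itself a possible password."""
    alphabet = set(alphabet)
    assert {c.swapcase() for c in alphabet}.issubset(alphabet), 'alphabet must be closed under case'
    keyspace = {''.join(chars) for chars in itertools.product(sorted(alphabet), repeat=length)}
    matched = guesses_matching(keyspace)
    seen = set()
    guesses = 0
    for start in sorted(keyspace):
        if start in seen:
            continue
        # Passwords linked through acceptance form a small closed group; solve each exactly.
        group = set()
        queue = deque([start])
        while queue:
            password = queue.popleft()
            if password in group:
                continue
            group.add(password)
            queue.extend(accepted_variants(password) | matched.get(password, set()))
        seen |= group
        guesses += smallest_cover(group, matched)
    return len(keyspace), guesses


if __name__ == '__main__':
    for alphabet in ('aAbB', 'aA1'):
        total, needed = min_guesses_to_cover(alphabet, 3)
        print(alphabet, 'length 3:', total, 'passwords,', needed,
              'guesses, factor %.2f' % (total / needed))
```

&lt;p&gt;For an alphabet of letters only the count comes out at exactly half the keyspace, which is the factor of two above.  Once digits are in the alphabet the overall ratio dips slightly below two, because a password with no letters at all has no case variants, but every password that contains at least one letter is still covered by half as many guesses.&lt;/p&gt;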





</description>
					<pubDate>Wed, 14 Sep 2011 08:36:50 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Facebook.Passwords.20110914083650.news.MiddleCenter.html</guid>
                </item>

<item><title>Microsoft Improves Picture Passwords in Windows 8</title>
                    <link>http://www.healthypasswords.com/Authentication.Passwords.20110913200919.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://www.slashgear.com/picture-password-revealed-by-microsoft-some-sort-of-new-os-mentioned-as-well-13179387/&quot; target=&quot;_blank&quot;&gt;slashgear.com&lt;/a&gt;, Microsoft will be introducing picture based passwords.  This really isn't new, but is different than what was released in 2008 as part of the Origami Experience 2 (now called UMPC [Ultra Mobile PC]) on Windows Vista.  &lt;/p&gt;

&lt;p&gt;Like the older incarnations, it only works with touch screens.  You may configure your own image and then draw with your finger on top of the image in a pattern only you know. If you used the original version you touched a series of points rather than drawing a continuous line.  &lt;em&gt;Note:  We're not sure if the line method was available with the Windows 7 version of UMPC.  If you know, please comment!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Our sample picture was used for our Lastpass review.  We overlaid it with a possible picture password.  In real life, you will select a picture and use your finger on the touch screen to trace a pattern over the picture.&lt;/p&gt; 

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/PicturePasswordSample.png&quot; alt=&quot;Picture password sample&quot;/&gt;

&lt;p&gt; We started by tracing from the bottom corner to the top corner of the black Amazon FOB then traced down to the key-press area of the YubiKey (Lastpass) and finally stopped at the LED of the IronKey.&lt;/p&gt;


&lt;p&gt;Picture passwords are not new.  The National Institute of Standards and Technology, released &lt;a href=&quot;http://csrc.nist.gov/publications/nistir/nistir-7030.pdf&quot;&gt;NISTIR 7030&lt;/a&gt; in July 2003.  This specification has become dated and was much more simplistic than the current picture password implemented by Microsoft.&lt;/p&gt;


&lt;p&gt;Microsoft has not revealed details behind this authentication method, but it has the potential to be a very strong and secure system.  The biggest drawback right now is lack of hardware support.  Touchscreen devices have recently taken a huge leap thanks to tablets like the iPad, but Microsoft does not have a large installed base of touchscreen devices. &lt;/p&gt;

&lt;p&gt;This type of authentication is one step closer to the tried-and-true signature used since the feather quill, but only gets you onto the tablet.  It won't help you to log in to your favorite website yet.&lt;/p&gt;


</description>
					<pubDate>Tue, 13 Sep 2011 20:09:19 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Passwords.20110913200919.news.MiddleCenter.html</guid>
                </item>

<item><title>Google Urges Iranians to Change Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110909104612.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Google has urged iranian users to change their Google passwords.  This is in direct response to the compromise of Dutch SSL certificate authority DigiNotar.  The fake credentials were used to deploy man-in-the-middle attacks against Iranian users. &lt;/p&gt;

&lt;p&gt;Compromised accounts may have had forwarding enabled or also accessed any sites your google ID is entrusted to.  To learn more about checking your account settings, see &lt;a href=&quot;/Content.Healthy_Passwords_See_if_Someone_is_Using_Your_Gmail.html&quot;&gt;How to See if Somone is Using Your GMail&lt;/a&gt; and &lt;a href=&quot;/Content.Healthy_Passwords_Gmail_Forwarding_Safety.html&quot;&gt; How to Check your GMail Forwarding&lt;/a&gt; for more details on protecting your Google accounts.&lt;/p&gt;


&lt;p&gt;Source: &lt;a href=&quot;http://googleonlinesecurity.blogspot.com/2011/09/gmail-account-security-in-iran.html&quot; target=&quot;_blank&quot;&gt; http://googleonlinesecurity.blogspot.com/2011/09/gmail-account-security-in-iran.html&lt;/a&gt;&lt;/p&gt;





</description>
					<pubDate>Fri, 09 Sep 2011 10:46:12 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110909104612.news.MiddleCenter.html</guid>
                </item>

<item><title>Myjob.ie customers urged to change passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110909101046.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://www.rte.ie/news/2011/0909/myjob.html&quot; target=&quot;_blank&quot;&gt;RTE&lt;/a&gt;, Ireland's national public broadcaster, after two arrests this week, the website  MyJobie.com emailed customers asking them to change their passwords.  myJobie.com says their website was not the primary source of the breach.&lt;/p&gt;

&lt;p&gt;If you are a MyJob.ie user and you use that password at other sites, change it everywhere it is shared.&lt;/p&gt;

&lt;p&gt;If your email password was used at the breached site, change it first.  Email is the first target, and holds the keys to many other sites. &lt;a href=&quot;http://www.healthypasswords.com/news.A_Big_Risk_with_Online_Email.html&quot;&gt;(See A Big Risk with Online Email.)&lt;/a&gt;&lt;/p&gt;







</description>
					<pubDate>Fri, 09 Sep 2011 10:10:46 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110909101046.news.MiddleCenter.html</guid>
                </item>

<item><title>California Updates Data Breach Law</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110906201219.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://californianewswire.com/2011/08/31/CNW9770_231706.php&quot;&gt; California Newswire&lt;/a&gt;, California Gov. Jerry Brown signed into law a bill defining data breach protocols.  The bill (&lt;a href=&quot;http://www.leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_24_bill_20110819_enrolled.pdf&quot;&gt;SB-24&lt;/a&gt;) will go into effect Jan 1, 2012.  &lt;/p&gt;

&lt;p&gt;Most states have laws requiring consumer notification.  This law will go one step further by mandating notification of the California State Attorney General for breaches affecting 500 or more people.  Firms affected by data breaches must provide information including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The name and contact information of the entity reporting the breach.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;A list of the types of personal information believed to be the subject of the breach.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;The estimated date and date range of the breach.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Whether notification was delayed as a result of a law enforcement investigation.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;A general description of the breach.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Information on the credit reporting agencies involved.&lt;/p&gt;&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;A good summary of the bill can be found at &lt;a href=&quot;http://www.eweek.com/c/a/Security/California-Updates-Data-Breach-Law-to-Require-More-Incident-Details-194955/&quot;&gt; http://www.eweek.com/c/a/Security/California-Updates-Data-Breach-Law-to-Require-More-Incident-Details-194955/&lt;/a&gt;.&lt;/p&gt;

</description>
					<pubDate>Tue, 06 Sep 2011 20:12:19 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110906201219.news.MiddleCenter.html</guid>
                </item>

<item><title>Mobile APP Network Forum Hack Exposes 15000 User Accounts</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110906161520.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to Hacker News, the Mobile App Network forum was hacked.  The usernames and hashed passwords were posted on Pastebin in two parts: &lt;a href=&quot;http://pastebin.com/grHm9mbD&quot;&gt;Part 1&lt;/a&gt; | &lt;a href=&quot;http://pastebin.com/2h4QfgLA&quot;&gt;Part 2&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you have an account at mappn.com, change your password.&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/maapn.com.pastebin.png&quot; alt=&quot;Pastebin Image&quot;/&gt;

</description>
					<pubDate>Tue, 06 Sep 2011 16:15:20 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110906161520.news.MiddleCenter.html</guid>
                </item>

<item><title>SWGalaxies.net Breach Exposes 21 Thousand Plain Text Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110830214142.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://venturebeat.com/2011/08/30/hackers-steal-21000-mostly-weak-user-passwords-from-star-wars-game-fan-site/&quot; target=&quot;_blank&quot;&gt;Venturebeat.com&lt;/a&gt;, &lt;a href=&quot;http://swgalaxies.net/&quot; target=&quot;_blank&quot;&gt;swgalaxies.net&lt;/a&gt;, a Star Wars Galaxies fan site, was hacked today.  The hackers posted 21,000 plain text usernames and passwords.&lt;/p&gt;

&lt;p&gt;If you've ever had an account there, or reuse passwords, it's time to change your passwords.  For ideas on choosing stronger passwords, see &lt;a href=&quot;/content.Healthy_Passwords_Password_Ideas.html&quot;&gt;Healthy Password Ideas&lt;/a&gt;.&lt;/p&gt;


</description>
					<pubDate>Tue, 30 Aug 2011 21:41:42 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110830214142.news.MiddleCenter.html</guid>
                </item>

<item><title>How to Avoid the Mordo Worm</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Passwords.20110830191317.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Last week the Mordo Worm hit the news.  We originally passed on linking this story because we felt our readers would be unlikely targets, but protecting yourself is so easy that it doesn't hurt to just do it.  This worm only targets Windows.  Just avoid simple passwords for your computer login.&lt;/p&gt;

&lt;p&gt;If you want to be absolutely sure you're protected, disable remote access.  The exact steps vary slightly by Windows version, but they are all very similar.  Here's the process in Windows 7:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Click the Start menu, right-click &quot;My Computer&quot; or &quot;Computer&quot;, then select &quot;Properties&quot;.&lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/Windows7rdpDisable010.png&quot; alt=&quot;Windows 7 Start Menu Properties&quot;/&gt;
&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Find &quot;Remote settings&quot; and click on it.  In XP, this is a tab at the top of the dialog.&lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/Windows7rdpDisable020.png&quot; alt=&quot;Windows 7 Security System Properties&quot;/&gt;
&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Deselect &quot;Allow Remote Assistance connections to this computer&quot; and select &quot;Don't allow connections to this computer&quot;.&lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/Windows7rdpDisable030.png&quot; alt=&quot;Windows 7 Security System Properties&quot;/&gt;
&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;If you need these instructions for a different Windows version, just leave a comment and we'll be happy to put the other screens together.&lt;/p&gt;

&lt;p&gt;2011-09-06 - Update: If you require Remote Desktop Access, you can increase security by changing your default RDP port from 3389 to a different port.  See &lt;a href=&quot;http://www.ghacks.net/2011/09/05/improve-pc-security-by-changing-the-rdp-port/&quot; target=&quot;_blank&quot;&gt;Ghacks.net - Improve PC Security by Changing the RDP Port&lt;/a&gt;&lt;/p&gt;</description>
					<pubDate>Tue, 30 Aug 2011 19:13:17 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Passwords.20110830191317.news.MiddleCenter.html</guid>
                </item>

<item><title>OS-X Lion Exposes All Enterprise LDAP Resources</title>
                    <link>http://www.healthypasswords.com/OS-X.Passwords.20110826172651.news.MiddleCenter.html</link>
                    <description>&lt;img width=&quot;35%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/OSXLionPromo.png&quot; alt=&quot;OS-X Lion Promo Image&quot;/&gt; 

&lt;p&gt;The new version of OS-X (Lion) has a major authentication vulnerability.  Once logged into an LDAP server (servers commonly used for business single sign-on, SSO), the user can access any device on the network without any password.  For businesses, this is an enormous security risk.  For most home users, this is not an issue.&lt;/p&gt;

&lt;p&gt;This means a user running OS-X Lion who has authenticated to LDAP can probably look at any network share or computer hard drive on the corporate network.  After the initial login, Lion users can log into any other LDAP resource with any password.&lt;/p&gt;

&lt;p&gt;According to &lt;a href=&quot;http://www.h-online.com/security/news/item/Mac-OS-X-Lion-fails-to-check-passwords-when-authenticating-via-LDAP-1328704.html&quot; target=&quot;_blank&quot;&gt;The H Security&lt;/a&gt;,  Apple has been informed of the problem and has successfully reproduced it.  &lt;/p&gt;

&lt;p&gt;Apple has known of this problem for over a month and has not yet issued a patch.&lt;/p&gt;






</description>
					<pubDate>Fri, 26 Aug 2011 17:26:51 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/OS-X.Passwords.20110826172651.news.MiddleCenter.html</guid>
                </item>

<item><title>Patching more than Windows, Flash, Adobe</title>
                    <link>http://www.healthypasswords.com/Exploits.Third-Party.20110825104215.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Hopefully many of our readers are diligent about patching the biggest vulnerabilities such as Windows, Flash, Adobe and Java.  This advisory from Secunia reminded us that vulnerabilities abound, and when the masses get good at patching the big ones, the criminals will move to other low-hanging fruit.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://secunia.com/advisories/45676/&quot; target=&quot;_blank&quot;&gt;Secunia Advisory SA45676&lt;/a&gt; warns of an HP Easy Printer Care ActiveX vulnerability that probably has a very wide installed base.  If you are concerned about it, just uninstall it.&lt;/p&gt;

&lt;p&gt;Presently there is no patch for this vulnerability.  Keeping up with patches goes beyond the biggest vulnerabilities.  The easiest way to keep track of patches is by using third-party utilities.  We regularly recommend Secunia's PSI and Qualys BrowserCheck.  For more on these utilities see &lt;a href=&quot;/content.Healthy_Passwords_Patching_Popular_Software_Vulnerabilities.html&quot;&gt;Patching Popular Software Vulnerabilities&lt;/a&gt;.&lt;/p&gt;




</description>
					<pubDate>Thu, 25 Aug 2011 10:42:15 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Exploits.Third-Party.20110825104215.news.MiddleCenter.html</guid>
                </item>

<item><title>Twitter Petition is a Phishing Scam </title>
                    <link>http://www.healthypasswords.com/Hoaxes.Phishing.20110819092336.news.MiddleCenter.html</link>
                    <description>&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/twitter_url_bar.png&quot; alt=&quot;twitter url&quot;/&gt;

&lt;p&gt;According to Sophos, a new Twitter phishing scam has been making its rounds.  The scam claims Twitter will begin charging for service in October and asks users to &quot;sign a petition&quot; to keep the service free.&lt;/p&gt;

&lt;p&gt;Following the link leads to a fake Twitter login page, where your password will be stolen.&lt;/p&gt;

&lt;p&gt;Source: &lt;a href=&quot;http://nakedsecurity.sophos.com/2011/08/18/twitter-is-not-charging-in-october-there-is-no-petition-youre-being-phished/&quot; target=&quot;_blank&quot;&gt;Sophos Naked Security Blog&lt;/a&gt;&lt;/p&gt;


</description>
					<pubDate>Fri, 19 Aug 2011 09:23:36 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hoaxes.Phishing.20110819092336.news.MiddleCenter.html</guid>
                </item>

<item><title>University of Wisconsin Exposes 75000 SSNs </title>
                    <link>http://www.healthypasswords.com/Breach.Mining.20110811100306.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Less than a year after suffering a breach of &lt;a href=&quot;http://www.universitybusiness.com/newssummary.aspx?news=yes&amp;postid=24938&quot;&gt;60,000 Social Security Numbers&lt;/a&gt;, the University of Wisconsin has suffered another breach, losing 75,000 more Social Security Numbers.&lt;/p&gt;

&lt;p&gt;According to a University &lt;a href=&quot;http://www4.uwm.edu/univ_rel/computer_security.cfm&quot;&gt;FAQ&lt;/a&gt;, on May 25, 2011, the University of Wisconsin shut down an imaging system after finding suspicious programs on a server.&lt;/p&gt;

&lt;p&gt;The University reports that it has launched an investigation with the help of a national security expert.&lt;/p&gt;

&lt;p&gt;On June 30, 2011 investigators found that a database was included on the system.  The database stored names and social security numbers on 75,000 staff members and students of UW-Milwaukee.  According to the university, the system also contained other files containing personal data; however, &quot;based on forensic analysis, they believe it extremely unlikely that hackers actually accessed any of the other files&quot;.  &lt;/p&gt;

&lt;p&gt;The university's investigators theorize that the motive was not identity theft, and could find no evidence of attempts to download names or social security numbers.  The university is not offering free credit monitoring or any other help to affected individuals.&lt;/p&gt;


</description>
					<pubDate>Thu, 11 Aug 2011 10:03:06 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Mining.20110811100306.news.MiddleCenter.html</guid>
                </item>

<item><title>Legitimate Company Representatives will Never Ask for Your Password</title>
                    <link>http://www.healthypasswords.com/Email.Phishing.20110810124054.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;A &lt;a href=&quot;http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/08/10/i-will-never-ask-for-your-password.aspx&quot; target=&quot;_blank&quot;&gt;blog post&lt;/a&gt; by Microsoft's Hotmail manager, Dick Craddock, shows a sample phishing email using his name, picture, and signature.  Craddock brings up a good point: no legitimate company will ever ask for your password.  Systems that store passwords are built with mechanisms for administrators to reset them, so asking a user for their password is never necessary.  They simply need to reset it.&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/hotmail_phishing_sample.png&quot; alt=&quot;Hot Mail Phishing Sample&quot;/&gt;

&lt;p&gt;The only common case of a person needing your password is a local support person sitting at your desk fixing a problem.  Even then, they should slide the keyboard over and ask you to type it.  Asking someone for their password is like asking them their weight.  It's personal and they may not want to share it.&lt;/p&gt;

&lt;p&gt;According to Craddock, Hotmail account hijacking is on the rise.  Microsoft credits the rise to new security procedures implemented by Hotmail over the past months.  The new procedures make it too difficult to create fake accounts, so spammers are finding it easier to hijack existing accounts.&lt;/p&gt;

&lt;p&gt;Don't fall for this type of ploy.  The first warning sign is a request for your password.  Beyond that, asking for your username and date of birth conveniently gives the attacker added information for compromising your other accounts after hijacking your email.&lt;/p&gt;

&lt;p&gt;If a legitimate company ever asks for personal information such as address, date of birth, phone numbers, social security numbers or account numbers in email, don't send it.  Look up the company's phone number from another source, then call and give the information verbally to a company representative.  Think of email as you would a postcard.  Everyone who touches the email between you and the recipient can read the contents.  If you wouldn't put it on a postcard, don't put it in an email.&lt;/p&gt;









</description>
					<pubDate>Wed, 10 Aug 2011 12:40:54 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Email.Phishing.20110810124054.news.MiddleCenter.html</guid>
                </item>

<item><title>Citigroup Japan Breach Exposes 92,408 Customer Records</title>
                    <link>http://www.healthypasswords.com/Breach.Website.20110810100621.news.MiddleCenter.html</link>
                    <description>&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/citi_logo.png&quot; alt=&quot;CitiJp Logo&quot;/&gt;

&lt;p&gt;In a &lt;a href=&quot;http://www.citigroup.jp/english/press_release/2011/20110805_en.pdf&quot; target=&quot;_blank&quot;&gt;press release dated August 5, 2011&lt;/a&gt;, Citigroup Japan announced that certain personal information of 92,408 customers had allegedly been obtained and illegally sold to a third party.&lt;/p&gt;

&lt;p&gt;The compromised information includes account numbers, names, addresses, phone numbers, dates of birth, gender and the date the account was opened.  The breach only affects Citigroup Japan cardholders.&lt;/p&gt;

&lt;p&gt;Citigroup Japan says it is taking the necessary steps to notify customers.  If you have ever had a Citigroup Japan account, be prepared for &lt;a href=&quot;http://www.healthypasswords.com/content.What_is_Phishing.html&quot;&gt;spear phishing&lt;/a&gt; attacks in the coming months.&lt;/p&gt;



</description>
					<pubDate>Wed, 10 Aug 2011 10:06:21 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Website.20110810100621.news.MiddleCenter.html</guid>
                </item>

<item><title>Facebook Implementing new Mobile Password Reset Option</title>
                    <link>http://www.healthypasswords.com/Facebook.Passwords.20110809192636.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Facebook's security blog just posted a mobile password reset announcement.&lt;/p&gt;

&lt;img width=&quot;25%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/Facebook_Mobile_Password_Reset.png&quot; alt=&quot;facebook mobile password reset&quot;/&gt;

&lt;p&gt;According to their blog:  &quot;If you ever forget your password or get locked out of your account, we want to make it easy to get back on Facebook.  We are testing improvements to resetting your password from your mobile device.  You can now choose the email address where you want to receive recovery links, and we are offering additional ways to confirm your identity. We will roll this out slowly to gather feedback from people as they use this.&quot;&lt;/p&gt;








</description>
					<pubDate>Tue, 09 Aug 2011 19:26:36 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Facebook.Passwords.20110809192636.news.MiddleCenter.html</guid>
                </item>

<item><title>Firefox Spam Scam Steals Passwords</title>
                    <link>http://www.healthypasswords.com/Hoaxes.Passwords.20110809172840.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://nakedsecurity.sophos.com/2011/08/08/fake-firefox-update-email-malware/&quot;&gt;Sophos Security&lt;/a&gt;, a new spam email tricks users into installing a password-stealing trojan.  The email body is:&lt;/p&gt;

&lt;pre&gt;
Subject: New version released.

Message body:

Important notice
A Firefox software update is a quick download of 
small amounts of new code to your existing Firefox 
browser. These small patches can contain security 
fixes or other little changes to the browser to 
ensure that you are using the best version of Firefox
available. Firefox is constantly evolving as our 
community finds ways to make it better, and as we 
adjust to the latest security threats. Keeping your 
Firefox up-to-date is the best way to make sure that 
you are using the smartest, fastest and, most
importantly, safest version of Firefox available. A
Firefox update will not make any changes to your
bookmarks, saved passwords or other settings. However,
there is a possibility that some of your Add-ons won't
be immediately compatible with new updates.

For security reasons please update your firefox version 
now

&lt;/pre&gt;

&lt;p&gt;All popular browsers (Firefox, Internet Explorer, Opera and Chrome) update themselves, so you never need to download an update from a link in an email.&lt;/p&gt;



</description>
					<pubDate>Tue, 09 Aug 2011 17:28:40 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hoaxes.Passwords.20110809172840.news.MiddleCenter.html</guid>
                </item>

<item><title>Today is Patch Tuesday for Windows Users</title>
                    <link>http://www.healthypasswords.com/Patches.Microsoft.20110809164923.news.MiddleCenter.html</link>
                    <description>&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/PatchTuesday.png&quot; alt=&quot;Windows 7 Windows Update Screen&quot;/&gt;

&lt;p&gt;The second Tuesday of every month is when Microsoft sends security updates through Windows Update.  Be sure to leave your computer on, or see &lt;a href=&quot;http://www.healthypasswords.com/content.How_to_Check_Windows_Update.html&quot;&gt;How to Check Windows Update&lt;/a&gt; if you'd rather not wait.&lt;/p&gt;

&lt;p&gt;To see the details behind these updates, Brian Krebs at KrebsonSecurity.com writes a summary anyone can understand.  See it at &lt;a href=&quot;http://krebsonsecurity.com/2011/08/22-reasons-to-patch-your-windows-pc/&quot;&gt;http://krebsonsecurity.com/2011/08/22-reasons-to-patch-your-windows-pc/&lt;/a&gt;.&lt;/p&gt;







</description>
					<pubDate>Tue, 09 Aug 2011 16:49:23 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Patches.Microsoft.20110809164923.news.MiddleCenter.html</guid>
                </item>

<item><title>Researchers Find Lastpass Vulnerability on Chrome OS</title>
                    <link>http://www.healthypasswords.com/Exploits.Passwords.20110808095856.news.MiddleCenter.html</link>
                    <description>&lt;img width=&quot;50%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/ChromeLastpass.png&quot; alt=&quot;Lastpass and Chrome&quot; /&gt;
&lt;p&gt;According to InformationWeek, a WhiteHat Security team led by Matt Johansen and application security specialist Kyle Osborn found a LastPass vulnerability on the new Google Chrome operating system.  The exploit allowed the researchers to steal the local crypto key and database for the user's LastPass vault, yielding all of their user IDs and passwords.  LastPass has since changed the application's behavior to make the exploit more difficult, but other exploits may still be possible.  Read the full article at &lt;a href=&quot;http://www.informationweek.com/news/231300157&quot; target=&quot;_blank&quot;&gt;informationweek.com&lt;/a&gt;.&lt;/p&gt;

Edited: 2011-08-08 - 09:58AM EST &lt;a href=&quot;/news.20110803.Researchers_Find_Lastpass_Vulnerbility_on_Chrome_OS.html&quot;&gt;Original Article&lt;/a&gt;




</description>
					<pubDate>Mon, 08 Aug 2011 09:58:56 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Exploits.Passwords.20110808095856.news.MiddleCenter.html</guid>
                </item>

<item><title>Google Chrome now has Print Preview</title>
                    <link>http://www.healthypasswords.com/Patches.Website.20110804171052.news.MiddleCenter.html</link>
                    <description>&lt;h3&gt; From the off the password topic, but very cool department &lt;/h3&gt;

&lt;p&gt;Today Google pushed an update to Chrome which includes a much-anticipated print preview.  Hopefully the days of printing 20 pages of comments for a one-page article are over!&lt;/p&gt;
&lt;img width=&quot;75%&quot;  src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/GoogleChromePrintPreview.png&quot; alt=&quot;Chrome Print Preview Image&quot;/&gt;




</description>
					<pubDate>Thu, 04 Aug 2011 17:10:52 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Patches.Website.20110804171052.news.MiddleCenter.html</guid>
                </item>

<item><title>Change.GOV website hacked</title>
                    <link>http://www.healthypasswords.com/Breach.Website.20110729222404.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://www.thehackernews.com/2011/07/changegov-donor-list-2010-leaked-by.html&quot; target=&quot;_blank&quot;&gt;Hacker News&lt;/a&gt;, on 7/26 the names, employers, cities, states, ZIP codes and donation amounts of 60,804 donors were leaked via Twitter.  No passwords were leaked.&lt;/p&gt;


</description>
					<pubDate>Fri, 29 Jul 2011 22:24:04 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Website.20110729222404.news.MiddleCenter.html</guid>
                </item>

<item><title>Google Expands Two-Step Authentication to 40 Countries</title>
                    <link>http://www.healthypasswords.com/Authentication.Passwords.20110728230142.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;In an &lt;a href=&quot;http://googleonlinesecurity.blogspot.com/2011/07/2-step-verification-stay-safe-around.html&quot; target=&quot;_blank&quot;&gt;online security blog entry today&lt;/a&gt;, Google announced expansion of the two-step authentication program to more than 40 countries. &lt;/p&gt;

&lt;p&gt;Google two-step verification is a form of multi-factor authentication.
Multi-factor authentication requires not only a username and password but also something you have or something you are.  Google's offering uses voice or text phone messages.  Without the device, the password alone is not enough to impersonate the user.  Multi-factor devices include key chain tokens, voice or text phone messaging, USB devices, printed cipher grids, and biometric readers.
&lt;/p&gt;
  
&lt;p&gt;For step-by-step instructions on setting up two-step verification, see &lt;a href=&quot;/content.Healthy_Passwords_How_To_Setup_Google_2-Step_verification.html&quot;&gt;How To Setup Google 2-Step Verification&lt;/a&gt;.&lt;/p&gt;


</description>
					<pubDate>Thu, 28 Jul 2011 23:01:42 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Passwords.20110728230142.news.MiddleCenter.html</guid>
                </item>

<item><title>Mac OSX Passwords Less Secure Than You Think</title>
                    <link>http://www.healthypasswords.com/Authentication.Passwords.20110728204852.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to the &lt;a href=&quot;http://www.lostpassword.com/news/pnl58.htm&quot;&gt;latest Passware newsletter (#058)&lt;/a&gt;, their forensic version can read the OSX Lion or Snow Leopard keychain over the machine's FireWire port.  This option is only available in their forensic version, which retails for $995.00.&lt;/p&gt;

&lt;p&gt;The Mac keychain stores passwords (for websites, network shares and wireless networks), private keys, certificates, etc.&lt;/p&gt;

&lt;p&gt;According to Passware, the risk is averted by turning off the computer instead of putting it to sleep, and by disabling the &quot;Automatic Login&quot; setting.  This way, passwords will not be present in memory and cannot be recovered.&lt;/p&gt;

&lt;h3&gt;How to Disable Auto Login&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Open System Preferences by clicking the System Preferences icon at the bottom of the desktop.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;If the small padlock icon is locked, unlock it by clicking on it and entering an administrator username and password.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Click on Login Options.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Uncheck &quot;Automatically log in as&quot;.  Be sure you know your password before doing this.&lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/mac_preferences_login_disable_auto.png&quot; alt=&quot;Mac Login Preferences&quot;/&gt;
&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;We have always found the keychain to be annoying in Safari.  If you wish to disable it for Safari, follow these steps.&lt;/p&gt;

&lt;h3&gt;Disable Keychain for Safari&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Start or switch focus to Safari.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Select Preferences from the Safari menu.  The Preferences dialog will appear.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click on AutoFill.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Disable all AutoFill options.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click the red X to close the window.&lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/mac_safari_preferences_keychain.png&quot; alt=&quot;Mac Safari Keychain Preferences&quot; /&gt;
&lt;/li&gt;
&lt;/ol&gt;




</description>
					<pubDate>Thu, 28 Jul 2011 20:48:52 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Passwords.20110728204852.news.MiddleCenter.html</guid>
                </item>

<item><title>When Did You Last Change your iTunes Password?</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Passwords.20110719132053.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;A recent &lt;a href=&quot;http://www.globaltvbc.com/Recent+hacks+iTunes+accounts+raising+concerns/5121102/story.html&quot; target=&quot;_blank&quot;&gt;article by Global News&lt;/a&gt; suggested a rise in iTunes account hijacking.  They state: &quot;more and more users are noticing unauthorized purchases on their iTunes accounts and seeing online credits from their gift cards disappear&quot;.&lt;/p&gt;

&lt;p&gt;We have been searching for instances of iTunes hacks, but can only find rumors.  In early July, &lt;a href=&quot;https://twitter.com/#!/AnonymousIRC/status/87426935390609408&quot; target=&quot;_blank&quot;&gt;Anonymous hacked iTunes&lt;/a&gt;, but the information they posted did not include user account information.  In all likelihood, users who find their iTunes accounts hacked had their email address and password compromised at another site and never bothered changing all their passwords.&lt;/p&gt;

&lt;p&gt;If you rarely purchase from iTunes, you may forget that it holds your payment details.  iTunes, like most other sites, doesn't require regular password changes.  If you don't remember the last time you changed your iTunes password, now is a good time to change it.&lt;/p&gt;



</description>
					<pubDate>Tue, 19 Jul 2011 13:20:53 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Passwords.20110719132053.news.MiddleCenter.html</guid>
                </item>

<item><title>Toshiba America Consumer Products Hacked</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110718113158.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to the &lt;a href=&quot;http://online.wsj.com/article/SB10001424052702304203304576449553285779220.html?mod=googlenews_wsj&quot;&gt;Wall Street Journal&lt;/a&gt;, the Toshiba America Consumer Products (TACP) website (tacp.com or tacp.toshiba.com) was hacked.  Toshiba has notified customers, but did not say whether it notified only affected customers or all customers.&lt;/p&gt;

&lt;p&gt;The information stolen was registration information on over 7500 customers.  According to a &lt;a href=&quot;http://www.4-traders.com/TOSHIBA-CORPORATION-6493713/news/TOSHIBA-Concerning-Illegal-Server-Access-at-a-Toshiba-Group-Company-in-the-U-S-13710788/&quot; target=&quot;_blank&quot;&gt; 4-traders.com &lt;/a&gt; release, &quot;To date, TAIS’s investigation has confirmed data theft of e-mail addresses and passwords affecting 681 customers.&quot;  Toshiba reports no credit card or social security information was taken.&lt;/p&gt;







</description>
					<pubDate>Mon, 18 Jul 2011 11:31:58 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110718113158.news.MiddleCenter.html</guid>
                </item>

<item><title>Stevens Institute of Tech Hacked - Plain text user names and passwords compromised</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110718111822.news.MiddleCenter.html</link>
<description>&lt;p&gt;According to &lt;a href=&quot;http://www.securitypronews.com/insiderreports/insider/spn-49-20110714237234RecordsBreachedOperationAntiSecContinuesOperationGreenRightsBegins.html&quot; target=&quot;_blank&quot;&gt;SecurityPro News&lt;/a&gt;, last Thursday the Stevens Institute of Technology was hacked by @p0keu. At least part of its database leaked on PasteBin, containing 31 records with the full names of users, email addresses, and plain text passwords.&lt;/p&gt;





</description>
					<pubDate>Mon, 18 Jul 2011 11:18:22 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110718111822.news.MiddleCenter.html</guid>
                </item>

<item><title>iOS Password Snooping App</title>
                    <link>http://www.healthypasswords.com/Vulnerability.IOS.20110715210506.news.MiddleCenter.html</link>
<description>&lt;p&gt;Here's an interesting article on PCWorld.com about iOS password entry.  The on-screen keyboard lights up each key as it is pressed, making it impossible to hide a password as you type it.  An app has been made that uses your iPod's camera to record another user's keyboard entry and steal their password.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.pcworld.com/article/235847/ipad_app_reads_passwords_exposes_flaws_in_asterisk_protection.html&quot;&gt; PCWorld - July 15, 2011 - iPad App Reads Passwords, Exposes Flaws in Asterisk Protection&lt;/a&gt;&lt;/p&gt;


</description>
					<pubDate>Fri, 15 Jul 2011 21:05:06 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.IOS.20110715210506.news.MiddleCenter.html</guid>
                </item>

<item><title>Mozilla Announces BrowserID - Single Password Authentication</title>
                    <link>http://www.healthypasswords.com/Authentication.Passwords.20110715100818.news.MiddleCenter.html</link>
<description>&lt;p&gt;Yesterday Mozilla, the same organization that produces Firefox, announced a new authentication service called BrowserID.  This is a service similar to OpenID (&lt;a href=&quot;/content.What_Is_OpenID.html&quot;&gt;see What is OpenID&lt;/a&gt;), but slightly different.  &lt;/p&gt;

&lt;p&gt;Rather than a user proving they have control of a website, as OpenID does, BrowserID uses email.  According to &lt;a href=&quot;https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol&quot;&gt; Mozilla: &lt;/a&gt; &quot;a very simple web-centric binding to a well-understood identity token.  Specifically: this proposal defines a way for a user to prove to a website that they control an email address.&quot; &lt;/p&gt;

&lt;p&gt;As promising as OpenID has been, its reliance on the user controlling a website has proven too difficult for most users.  Our first thought was that email is too insecure as a means of authentication, but as Mozilla points out, a user may choose an email provider that offers more security.  For example, if you use an email provider offering multi-factor authentication (see &lt;a href=&quot;/content.Healthy_Passwords_What_is_Multi-Factor_Authentication.html&quot;&gt;What is Multi-Factor Authentication&lt;/a&gt;), you end up with a very secure solution.&lt;/p&gt;

&lt;p&gt;It's ironic that every scheme to end passwords creates another password.  One key difference between authentication providers like BrowserID or OpenID and password managers is that the providers truly eliminate the password for each configured site.  You still have profiles at those sites holding your personal data, but those sites will just keep your ID and not require a separate password.  Password managers (LastPass, KeePass, 1Password, etc.) actually just create a new password and let you forget about all the others, but behind the scenes you still have a huge keychain with all your passwords. Mozilla's offering permanently removes keys from your keychain for every configured site.   &lt;/p&gt;

&lt;object style=&quot;height: 390px; width: 640px&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/l0t9yDLAmFo?version=3&quot;&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;&gt;&lt;embed src=&quot;http://www.youtube.com/v/l0t9yDLAmFo?version=3&quot; type=&quot;application/x-shockwave-flash&quot; allowfullscreen=&quot;true&quot; allowScriptAccess=&quot;always&quot; width=&quot;640&quot; height=&quot;390&quot;&gt;&lt;/object&gt;
</description>
					<pubDate>Fri, 15 Jul 2011 10:08:18 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Passwords.20110715100818.news.MiddleCenter.html</guid>
                </item>

<item><title>Hotmail Improves Password Security</title>
                    <link>http://www.healthypasswords.com/Authentication.Website.20110714213114.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;/p&gt;

&lt;p&gt;Today Microsoft announced two new Hotmail security features.  &lt;/p&gt;

&lt;p&gt; 
First, they will begin restricting common passwords such as 123456, monkey, password, and many more.  According to Microsoft's Dick Craddock:&lt;/p&gt;

&lt;div class=&quot;Indented&quot;&gt;
&lt;p&gt;
&quot;If you're already using a common password, you may, at some point in the future, be asked to change it to a stronger password.&quot;
&lt;/p&gt;
&lt;/div&gt;

&lt;p&gt;
Second, they have added a new option, &quot;My Friend's been Hacked!&quot;, to the &quot;Mark As&quot; menu.  When a user starts getting strange email from a friend, they simply select this option and Microsoft's system is alerted.  Microsoft has also made agreements with other email providers.  According to Microsoft's Dick Craddock:  
&lt;/p&gt;

&lt;div class=&quot;Indented&quot;&gt;
&lt;p&gt;&quot;We did the work to enable other email providers like Yahoo! and Gmail to receive these compromise reports from Hotmail including those submitted by you, and those providers will now be able to use the reports in their own systems to recover hacked accounts.&quot; 
&lt;/p&gt;
&lt;/div&gt;

&lt;p&gt;
These innovative steps by Microsoft are inching it towards better security.  If they can add &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_What_is_Multi-Factor_Authentication.html&quot;&gt;Multi-Factor Authentication&lt;/a&gt;, they could be one of the most secure webmail providers today.  &lt;/p&gt;

&lt;p&gt;Keep up the good work, Microsoft!&lt;/p&gt;






</description>
					<pubDate>Thu, 14 Jul 2011 21:31:14 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Website.20110714213114.news.MiddleCenter.html</guid>
                </item>

<item><title>Booz Allen Hamilton - Learning Systems and Human Nature</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110713091746.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://www.reuters.com/article/2011/07/12/boozallen-idUSL3E7IC3LF20110712&quot; target=&quot;_blank&quot;&gt; Reuters&lt;/a&gt;, Booz Allen's &lt;a href=&quot;/news.90000_Military_Passwords_Stolen_from_Booz_Allen_Hamilton.html&quot;&gt;recent breach &lt;/a&gt; was for a &quot;learning management system for a government agency&quot;.  This implies only test data was leaked.&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/troy_hunt_PasswordReusePieChart.png&quot; alt=&quot;Pie Chart showing 92 percent password reuse&quot;/&gt;&lt;br/&gt;&lt;em&gt;Credit: Troy Hunt http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html &lt;/em&gt;

&lt;p&gt;Even if these were usernames and passwords from a test system, unless the test participants were explicitly told to create false emails and passwords, human nature will prevail.  Breach after breach repeatedly demonstrates that people reuse the same passwords over and over.   &lt;a href=&quot;/content.Troy_hunt_Password_Analysis.html&quot;&gt;Recent analysis by Troy Hunt&lt;/a&gt; comparing the Gawker breach to the several LulzSec breaches showed a 92% occurrence of password reuse.&lt;/p&gt;


&lt;p&gt;If you had any dealings with Booz Allen Hamilton or work for a government agency that contracted Booz Allen Hamilton, you should change your passwords.  A little more than 66,000 of the compromised emails have been added to the &lt;a href=&quot;/content.How_to_find_out_of_your_password_was_stolen.html&quot;&gt;shouldichangemypassword.com breach database&lt;/a&gt;.  You can go there and enter your emails to see if they were part of the breach.&lt;/p&gt;


</description>
					<pubDate>Wed, 13 Jul 2011 09:17:46 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110713091746.news.MiddleCenter.html</guid>
                </item>

<item><title>90000 Military Passwords Stolen from Booz Allen Hamilton</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110712070636.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;On Monday, July 11, 2011 the hacker group Antisec announced they had infiltrated Booz Allen Hamilton and stolen over 90,000 email addresses and passwords.&lt;/p&gt;

&lt;p&gt;In their announcement, they said: “We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!).”&lt;/p&gt;

&lt;p&gt;Their comment about non-salted md5 hashes means these passwords will be cracked and viewable very quickly, since unsalted hashes can be looked up directly in precomputed rainbow tables.  A non-salted md5 hash is just one step above plain text password storage.  Not what one would expect of such a company.  To learn more about hashes and salting see &lt;a href=&quot;/content.What_are_hashes_and_Rainbow_Tables.html&quot;&gt;Healthy Passwords Explains hashes and salting.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you or someone you know may have been affected, start by changing all email passwords.  Once those are secure, move on to the highest-risk sites and work down the list by priority.  See &lt;a href=&quot;/content.Healthy_Passwords_the_four_password_strategy_options.html&quot;&gt; Password Strategies&lt;/a&gt; for more ideas on securing your passwords. &lt;/p&gt;

&lt;h3&gt;2011-07-12 Update&lt;/h3&gt;

&lt;p&gt;According to Daniel Grzelak, founder of ShouldIChangeMyPassword.com, &quot;Looks like Booz Allen Hamilton kept password histories so not only do users need to change their passwords, they need to be something new&quot;.  &lt;/p&gt;

&lt;p&gt;Many people cycle through passwords adding unique numbers or letters to slightly change it every month.  People who use this strategy may need to re-architect their base password to prevent compromise.&lt;/p&gt;

&lt;p&gt;ShouldIChangeMyPassword.com just posted 69,691 records.  &lt;a href=&quot;http://www.healthypasswords.com/content.How_to_find_out_of_your_password_was_stolen.html&quot;&gt;See our article for instructions&lt;/a&gt;.&lt;/p&gt;

</description>
					<pubDate>Tue, 12 Jul 2011 07:06:36 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110712070636.news.MiddleCenter.html</guid>
                </item>

<item><title>Solutions for Big Business Twitter Breaches</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110707171428.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;/p&gt;

&lt;p&gt;The third Twitter password breach this week illustrates a weakness in business Twitter use.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt; &lt;p&gt; July 4, 2011 - &lt;a href=&quot;http://www.reuters.com/article/2011/07/04/us-cybersecurity-fox-idUSTRE7632JF20110704&quot; target=&quot;_blank&quot;&gt;Fox News Twitter Account Hijacked &lt;/a&gt;&lt;/p&gt; &lt;/li&gt;
&lt;li&gt; &lt;p&gt; July 5, 2011 - &lt;a href=&quot;http://uk.reuters.com/article/2011/07/05/uk-paypal-twitter-cyberattack-idUKTRE7646RZ20110705&quot; target=&quot;_blank&quot;&gt;Paypal UK Twitter Account Hijacked &lt;/a&gt;&lt;/p&gt; &lt;/li&gt;
&lt;li&gt; &lt;p&gt; July 7, 2011 - &lt;a href=&quot;http://kstp.com/news/stories/S2189336.shtml?cat=1&quot; target=&quot;_blank&quot;&gt;Hennepin Co. Library Twitter Account Hijacked&lt;/a&gt; &lt;/p&gt; &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Twitter lacks delegation functionality.  This forces businesses into insecure practices such as: &lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Account access by multiple individuals.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Using weak passwords so multiple individuals may remember them.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Infrequent password changes so no updater is locked out. &lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt; Until Twitter can address the problem, business account holders must take steps to protect their brand.  Here are a few possibilities:&lt;/p&gt;

&lt;ul&gt;

&lt;li&gt;&lt;p&gt; Have account updaters create Lastpass accounts.  Have one person create and change the password daily.  That one person can share the password with the &quot;delegates&quot; through Lastpass, which allows the others to use the password without having to see the password.  Lastpass offers multi-factor authentication, so this solution solves the problem on two fronts. &lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt; Designate one person, ideally in a helpdesk manager role, as responsible for daily password changes.    Create a list of authorized users.  When a user needs to update Twitter, they call the helpdesk or password keeper to get the password of the day.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt; Limit updating to no more than three people, which is enough to cover a 24x7 rotation.  Change the password daily or weekly.&lt;/p&gt;&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt; Our business is passwords and we don't normally recommend password managers for highest-risk accounts, but in this circumstance LastPass uniquely meets all the requirements for a perfect stop-gap business Twitter solution.&lt;/p&gt;

&lt;p&gt; A Twitter breach at a large business like Fox News or Paypal may be more damaging than losing bank account passwords.  It's time for management to recognize these risks and implement processes to prevent losses.&lt;/p&gt;







</description>
					<pubDate>Thu, 07 Jul 2011 17:14:28 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110707171428.news.MiddleCenter.html</guid>
                </item>

<item><title>Facebook and Skype Offer Video Calling</title>
                    <link>http://www.healthypasswords.com/Facebook.Website.20110706163641.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;br/&gt;
July 7, 2011 5:00PM EDT&lt;/p&gt;

&lt;p&gt;Facebook announced new options for communicating with your friends today.  There are three major components, the biggest being video chat.  They are also rolling out a new group chat and chat interface.&lt;/p&gt;

&lt;p&gt;The new video chat added to Facebook is powered by a Skype plug-in, which is supposed to work on all browsers.  When a user clicks on the icon for Video chat, it will download the plug-in and connect to the other user.  No Skype account is required.  The demonstration made the process look very easy to use.  &lt;/p&gt;

&lt;p&gt;Facebook software engineer Philip Su said &quot;Video chat has been around for years now, but it's still not an everyday activity for most people.  Sometimes it's too difficult to set up, or the friends you want to talk to are on different services.  So a few months ago, we started working with Skype to bring video calling to Facebook. We built it right into chat, so all your conversations start from the same place. To call your friend, just click the video call button at the top of your chat window.&quot;&lt;/p&gt;

&lt;p&gt;When you click to call a friend, the friend will see the call coming and choose to accept or reject it.  Once accepted, they will see a video screen showing you, and you will see them.  You will both be able to talk and hear each other using your microphone and speakers.  The user will, of course, require a webcam, microphone and speakers.&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/Facebook_Chat010.png&quot; alt=&quot;Facebook Chat Image&quot;/&gt;

&lt;p&gt;No mention was made of security settings around these new features, or of whether users can control which other users are able to make video calls to them.  It sounds like video calls will only be available for users you have in chat groups.&lt;/p&gt;

&lt;p&gt;Chat groups have been part of Facebook for about six months.  According to Su, &quot;Now when your friends can't figure out what movie to see, you can just add them to a chat and decide together&quot;. They have enhanced it to allow ad-hoc groups to chat instead of predetermined groups.  The new group chat rolls out today.&lt;/p&gt;

&lt;p&gt;A new chat design is being integrated: if a user's browser window is wide enough, a new sidebar on the right side of the screen will show your chat users.&lt;/p&gt;

&lt;p&gt;Another part of the same press conference covered another new feature.  See: &lt;a href=&quot;/news.Facebook_Becomes_a_Message_Hub.html&quot;&gt; Facebook Becomes a Message Hub &lt;/a&gt;&lt;/p&gt;</description>
					<pubDate>Wed, 06 Jul 2011 16:36:41 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Facebook.Website.20110706163641.news.MiddleCenter.html</guid>
                </item>

<item><title>Facebook Becomes a Message Hub</title>
                    <link>http://www.healthypasswords.com/Facebook.Website.20110706161051.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;br/&gt;
July 6, 2011 4:30PM EDT&lt;/p&gt;

&lt;p&gt; One of the big announcements from Facebook today is a new messaging system.  Facebook is integrating seamless messaging between IM, email, SMS, Facebook and other formats.  To communicate with a Facebook user, you won't have to be on Facebook.  Likewise, a Facebook user will be able to send a Facebook message to a non-Facebook user.&lt;/p&gt;

&lt;p&gt;The system is being deployed in waves, so you may not see it for several weeks or months.  Once you migrate to the new system, you will have the ability to receive email to YourScreenName@facebook.com.  These emails will come into your facebook in one new feed.  The feed will be organized by individual and will show a chronological history of every message with that person.  &lt;/p&gt;

&lt;p&gt;A key feature stressed by the Facebook team was automatic message segregation through the social hierarchy.  For example, your main feed will show messages from friends.  There will be other feeds for non-friend items.  As you receive messages, you can move non-facebook users to your main feed so they will be treated as friends. &lt;/p&gt;

&lt;p&gt;The innovative part of this announcement is the variety of inputs which Facebook will aggregate into your feeds.  To a Facebook user on the new system, an SMS, IM, email, or other supported message will look like a Facebook message.  When the Facebook user replies, the reply goes back via the same messaging system the sender used.  For example, if my friend sends me a text message to myScreenName@fb.com, and I reply, they will receive an IM back from me.  I will not need to know how the message was sent to reply.  &lt;/p&gt;

&lt;p&gt;Another part of the same press conference covered another new feature.  See: &lt;a href=&quot;/news.Facebook_and_Skype_Offer_Video_Calling.html&quot;&gt; Facebook announces Video Conferencing &lt;/a&gt;&lt;/p&gt;
</description>
					<pubDate>Wed, 06 Jul 2011 16:10:51 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Facebook.Website.20110706161051.news.MiddleCenter.html</guid>
                </item>

<item><title>Hackers Create their Own URL Shortening Service</title>
                    <link>http://www.healthypasswords.com/Internet.Phishing.20110705164409.news.MiddleCenter.html</link>
<description>&lt;p&gt;According to Symantec's May MessageLabs report, for the first time spammers have established their own fake URL-shortening services.  These services first use a commercial shortener that links to their own shortener, which finally points to a malicious site. &lt;/p&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/SymantecMessageLabsShortUrl.png&quot; alt=&quot;Symantec Message Labs Short URL Chart&quot; /&gt;

&lt;p&gt;
According to Symantec, once the user has arrived at the site, they will be bombarded with attacks probing for vulnerabilities.
&lt;/p&gt;

&lt;p&gt;
We did a short experiment to see how bit.ly would react to a TinyURL link.  Bit.ly handled it well, although we suppose that an unknown URL shortener may not trigger a warning as our test did.
&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;We used TinyUrl.com to create http://tinyurl.com/3bzuc8v from http://www.healthypasswords.com/&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt; We then used bit.ly to create http://bit.ly/qSQEk1 from the tinyurl url.  &lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt; We tried the second short url, which issued the following warning from bit.ly &lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;75%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/SymantecMessageLabsShortUrl020.png&quot; alt=&quot;bit.ly warning&quot;&gt;&lt;/p&gt;

&lt;/li&gt;


&lt;/ol&gt;




</description>
					<pubDate>Tue, 05 Jul 2011 16:44:09 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Internet.Phishing.20110705164409.news.MiddleCenter.html</guid>
                </item>

<item><title>Tumblr Phishing Scam Compromises Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110629211159.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to &lt;a href=&quot;http://www.eweek.com/c/a/Midmarket/Phishing-Scam-on-Tumblr-Blogging-Site-Harvests-Thousands-of-Passwords-248801/&quot; target=&quot;_blank&quot;&gt;eWeek&lt;/a&gt;, security researchers at GFI Labs analyzed a Tumblr Phishing scam.  If you don't know what phishing is, see &lt;a href=&quot;http://www.healthypasswords.com/content.What_is_Phishing.html&quot;&gt;What is Phishing&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Tumblr is considered a micro blogging service.  This means users can post their writings, pictures, videos, favorite sites, and audio for others to see.  It's a cross between traditional blogs and Twitter.  It's like a personal multimedia hub allowing you to publish your works.  Like Twitter, users follow other Tumblr users.  To learn more about Tumblr, see &lt;a href=&quot;/content.What_is_Tumblr.html&quot;&gt;What is Tumblr&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt; According to the GFI researchers, &quot;Once a user has been compromised, the scammers hijack the user's Tumblr site and turns it into the fake login page. The account then &quot;follows&quot; other users. When users see a new follower and click on the name to see more information, they are shown the fake login page, restarting the attack cycle all over again.&quot;&lt;/p&gt;

&lt;p&gt;We searched Tumblr a bit and found several references to the attack.  Tumblr user &quot;Positrons&quot; had this post about it:&lt;/p&gt;

&lt;div class=&quot;Indented&quot;&gt;
Gained a new follower today. When I clicked their url to go to their page it said ‘this page has adult content blardy blah, please reenter your credentials’ so I did, email and password to tumblr. Then I looked at the url and it was ‘tumblrsecurity.com’ whenever you clicked any buttons like ‘about’ or whatever it lead to ‘this page does not exist’ I believe I may have just become the victim of a scam. At least I changed my password.&lt;br/&gt;&lt;br/&gt;
Tumblr user &quot;Positrons&quot; 
&lt;/div&gt;

&lt;p&gt;GFI and several other Tumblr user posts indicated that the phishing page that stole their passwords was a fake confirmation prompt for adult content.&lt;/p&gt;









</description>
					<pubDate>Wed, 29 Jun 2011 21:11:59 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110629211159.news.MiddleCenter.html</guid>
                </item>

<item><title>LastPass and ID Watchdog Announce Joint Venture to Deliver Credit Information</title>
                    <link>http://www.healthypasswords.com/Authentication.Passwords.20110628145317.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;br/&gt;
June 27, 2011 3:00PM EDT&lt;/p&gt;

&lt;p&gt; A &lt;a href=&quot;http://www.prnewswire.com/news-releases/id-watchdog-announces-agreement-with-lastpass-124620338.html&quot; target=&quot;_blank&quot;&gt; press release &lt;/a&gt; by ID Watchdog, Inc. of Denver, CO (TSXV:IDW) (OTC:IDWAF) announced an agreement with LastPass to distribute credit alerts through the LastPass service.  
&lt;/p&gt;

&lt;p&gt; 
According to the release: &quot;Once the product integration is complete, LastPass customers will be able to routinely monitor their credit report with credit alerts distributed directly through the LastPass application at no additional cost to them.&quot;
&lt;/p&gt;

&lt;p&gt;
LastPass has already built a very secure offering, requiring a unique password known only to the account owner and not saved anywhere in the system.  If the account owner loses that password, the only option is to lose all vault data.  &lt;/p&gt;

&lt;p&gt;From a security standpoint, LastPass account owners can feel confident knowing they hold the only key to their password vault.  If, however, the owner fails to protect their account by using poor passwords or allowing malware to install keyboard loggers, they could further compromise their security by combining credit information with password information.&lt;/p&gt;

&lt;p&gt;A big plus to the venture is &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_What_is_Multi-Factor_Authentication.html&quot;&gt; multi-factor authentication&lt;/a&gt;.  Lastpass offers several forms of multi-factor authentication, which could make the offering more secure than other credit monitoring services that only use email alerts or standard password authentication.&lt;/p&gt;

&lt;p&gt;Until LastPass and ID Watchdog announce more details of their offering, everything is speculation.&lt;/p&gt;

</description>
					<pubDate>Tue, 28 Jun 2011 14:53:17 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Passwords.20110628145317.news.MiddleCenter.html</guid>
                </item>

<item><title>Email May Be Your Most Important Password</title>
                    <link>http://www.healthypasswords.com/Email.Passwords.20110628114506.news.MiddleCenter.html</link>
<description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;br/&gt;
June 28, 2011 11:40 AM EDT&lt;/p&gt;

&lt;p&gt;Did you know your email account may be the most important account you have?  &lt;/p&gt;

&lt;p&gt;When hackers get your email login, they can sit back and watch your email.  If they are patient, they will see what banks you use and what friends you correspond with.  They will slowly learn your daily habits.  When the time is just right, they can strike.&lt;/p&gt;

&lt;p&gt;The classic email hack is when someone gets access and immediately sends email to every person in the address book.  They impersonate you, claiming to be traveling out of the country, robbed, and in need of a wire transfer.  Most of your friends and associates won’t fall for this trick any more.&lt;/p&gt;

&lt;p&gt;When a smart criminal gains access to email, they don’t immediately act.  They sit back and watch a while.  Most people book travel online and get the details in email.  If they wait until they see you’re on vacation, they can then easily send the email to all your friends and sound very credible.  They know where you went, when you left, and when you got there.  If your friends know you just went to Aruba and the next morning they see an email from you saying you were robbed, are stranded, and need a wire transfer, they’re likely to run to Western Union right away.&lt;/p&gt;

&lt;p&gt;When you lose your password and click “forgot my password”, how is the account reset?  For most things, a temporary password is sent to your email account.  If someone has your email account, they can easily start “forgetting” passwords and gaining access to your important things.  Luckily, most financial institutions have stopped using email as the primary password reset channel.  But many other sites still use it.  &lt;/p&gt;

&lt;p&gt;If you want an easy way to secure your email, try using  &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_What_is_Multi-Factor_Authentication.html&quot;&gt;2-step authentication&lt;/a&gt;.  It’s only offered by a few email providers.  Google is the biggest.  We have step-by-step directions at &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_How_To_Setup_Google_2-Step_verification.html&quot;&gt;Healthy Passwords&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Do you have a story to share or good idea on this topic?  Please share if you do.&lt;/p&gt;

&lt;p&gt;###&lt;/p&gt;






</description>
					<pubDate>Tue, 28 Jun 2011 11:45:06 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Email.Passwords.20110628114506.news.MiddleCenter.html</guid>
                </item>

<item><title>Are You Trading Convenience for Security</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Website.20110625155843.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;br/&gt;
June 25, 2011 4:00 PM EDT&lt;/p&gt;

&lt;p&gt;You’re at a website and want to participate.  You have a choice to create a new account or use Facebook to login.  Which do you choose?&lt;/p&gt;

&lt;p&gt;If you’re like most people, you pick the easier way.  According to research by unsubscribe.com, users use Facebook to log in at third-party sites every three days.  This grants long-term access to more than you think.  &lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/FacebookAppSecurity060.png&quot; alt=&quot;Too Much Access Granted&quot;/&gt; &lt;/p&gt;

&lt;p&gt;From an authentication (user name / password) perspective, fewer logins means fewer places your email and password are stored.  Using one password is better than leaving breadcrumbs all over the internet waiting for the next big breach, isn’t it?  &lt;/p&gt;

&lt;p&gt;Logins using social network accounts just swap one risk for another.   Every time a social network ID, such as Facebook, is used to authenticate at another site, the user provides long-term access to their social networking data.   The amount of access varies, but it’s not uncommon to grant access to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Your Posts&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Your Favorites&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Your Friends&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Your Important Dates&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By granting access to third parties you &lt;em&gt;legally&lt;/em&gt; give corporations access to your data.  Besides being a dream for marketers, this type of access can also expose your linked social network account to cross-site scripting vulnerabilities while you are on the third-party site.   Most apps can only access your data while you’re at their site, but some apps require “Access My Data at Any Time”. &lt;/p&gt;

&lt;p&gt;It’s a tough decision.  Businesses are being compromised at alarming rates.  A recent New York Times blog post cites a new Ponemon Institute survey of 581 security professionals, who broadly agree that cyber attacks are getting more frequent, more severe, and harder to detect and stop.  Ponemon also shows that many breaches are caused by human error.  Too much access increases risk.&lt;/p&gt;

&lt;p&gt;Most people use a single password for multiple logins, exposing them to potential loss.  Creating an account at every site you contribute to multiplies this risk.  On the other hand, Facebook and Twitter have adequate staffing to secure user credentials.  They’re not infallible, but they are less likely to lose your password than many other sites.  What’s a good balance?&lt;/p&gt;

&lt;p&gt;Two options are:  Log in using the social network credentials, and revoke the site's access after you're done (instructions for this are at Healthy Passwords).    Or use a password manager to generate unique passwords.  We don’t advocate using password managers for high risk sites, but they can be a good tool for low to moderate risk sites.  Just be sure to look at password manager reviews before choosing one.&lt;/p&gt;






</description>
					<pubDate>Sat, 25 Jun 2011 15:58:43 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Website.20110625155843.news.MiddleCenter.html</guid>
                </item>

<item><title>Wireless Router Freeloaders Can Get You in Trouble</title>
                    <link>http://www.healthypasswords.com/WiFi.Encryption.20110624201034.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;br/&gt;
March 24, 2011 (Last Updated 6/24/2011)&lt;/p&gt;

&lt;p&gt;A few months ago, there were two stories where innocent persons were arrested because someone else used their wireless access point.  Police seem to have finally wised up and do a little research before busting down doors now, but you still need to be careful.  This is a listing of such cases that we keep updated.
&lt;/p&gt;

&lt;ul&gt;

	&lt;li&gt;

		&lt;a href=&quot;http://timonium.patch.com/articles/man-used-neighbors-internet-network-to-access-child-porn&quot; target=&quot;_blank&quot;&gt;Timonium, Maryland - June 24, 2011&lt;/a&gt;

	&lt;/li&gt;

	&lt;li&gt;

		&lt;a href=&quot;http://www.corrections.com/news/article/28268-child-pornography-conviction-reveals-disturbing-national-trend-&quot; target=&quot;_blank&quot;&gt;Fort Wainwright, Alaska - March 24, 2011&lt;/a&gt;

	&lt;/li&gt;

	&lt;li&gt;

		&lt;a href=&quot;http://www.kplctv.com/Global/story.asp?S=14282489&quot; target=&quot;_blank&quot;&gt;Portland, OR Arrest - March 19, 2011&lt;/a&gt;

	&lt;/li&gt;



	&lt;li&gt;

		&lt;a href=&quot;http://www.wivb.com/dpp/news/crime/Police-seeking-pedophile-raid-wrong-home&quot; target=&quot;_blank&quot;&gt;Buffalo, NY Arrest - March 18, 2011&lt;/a&gt;

	&lt;/li&gt;

	&lt;li&gt;

		&lt;a href=&quot;http://www.heraldtribune.com/article/20110131/ARTICLE/101311038?p=1&amp;tc=pg&amp;tc=ar&quot; target=&quot;_blank&quot;&gt;Sarasota, FL Arrest - January 30, 2011&lt;/a&gt;

	&lt;/li&gt;

&lt;/ul&gt;




&lt;p&gt;Locking down your wireless network is one of the most important things you can do to keep your home safe.  Following is an excerpt from pages 65-66 and 127-129 of Healthy Passwords about wireless security:&lt;/p&gt;



&lt;iframe width=&quot;80%&quot; height=&quot;300px&quot; src=&quot;http://www.healthypasswords.com/excerpts/wirelesslockdown.html&quot;&gt;&lt;/iframe&gt;










</description>
					<pubDate>Fri, 24 Jun 2011 20:10:34 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/WiFi.Encryption.20110624201034.news.MiddleCenter.html</guid>
                </item>

<item><title>Microsoft Phone Scam Gets More Believable</title>
                    <link>http://www.healthypasswords.com/Hoaxes.Phone.20110623104223.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to a recent &lt;a href=&quot;http://www.healthypasswords.com/content.Idaho_Press_Tribune-Computer_Virus_Scammers_can_call_you_on_the_phone.html&quot; &gt;article in the Idaho Press-Tribune&lt;/a&gt;, virus phone scammers may be making their phone ploy much more believable.  &lt;/p&gt;

&lt;p&gt;Dale Dixon, the president/CEO of the Better Business Bureau, received a call from a user who was working on his computer when a fake virus warning popped up.  He recognized it as a scam and turned off the computer.  His phone then rang and someone with a foreign accent, claiming to be from Microsoft Support, was calling to help fix the problem for a fee.&lt;/p&gt;

&lt;div class=&quot;IndentedLarge&quot;&gt;
&lt;p&gt;Dale then spoke to the owner of a local computer repair company, who told him they have been hearing of this same thing.&lt;/p&gt;
&lt;/div&gt;

&lt;p&gt;It will be interesting to see if this truly is a new level of the old scam, or just a creepy coincidence.   It is possible for this to work:  If the malware first mines your computer and finds a phone number, it can alert the &quot;Call Center&quot; telling them when to call you.  This will of course most likely be immediately after the fake pop-up appears on your screen. &lt;/p&gt;

&lt;p&gt;No legitimate company monitors for viruses and calls you when they happen.  If you get a pop-up like this, get your computer checked by a local professional you trust.  The best way to find a good local computer repair person is by asking friends and other businesses who they use.  Don't trust ads in the paper.  If you do try someone from an ad, do a little research first.  It's worth the time to drive to their office and see what it looks like.  Also keep in mind that big box electronics store technical support does not always have the best trained personnel.&lt;/p&gt;





</description>
					<pubDate>Thu, 23 Jun 2011 10:42:23 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hoaxes.Phone.20110623104223.news.MiddleCenter.html</guid>
                </item>

<item><title>Wordpress Proactively Finds Tampering, Resets all User Passwords</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Website.20110621212006.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Wordpress.org just released a &lt;a href=&quot;http://wordpress.org/news/2011/06/passwords-reset/&quot; target=&quot;_blank&quot;&gt; blog entry &lt;/a&gt; describing suspicious comments about cleverly disguised backdoors in three word press add ons.  As a proactive measure, they reset all wordpress passwords.&lt;/p&gt;

&lt;p&gt;We applaud WordPress for their diligence!&lt;/p&gt; 





</description>
					<pubDate>Tue, 21 Jun 2011 21:20:06 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Website.20110621212006.news.MiddleCenter.html</guid>
                </item>

<item><title>Dropbox Security Flaw Allowed Open Access to All Accounts</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Storage.20110620201459.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;According to a &lt;a href=&quot;http://pastebin.com/yBKwDY6T&quot; target=&quot;_blank&quot;&gt;post on pastbin&lt;/a&gt; by Christopher Soghoian, a Washington, DC Security and Privacy Researcher, for a four hour period yesterday, any dropbox account could be accessed using any password.&lt;/p&gt;

&lt;p&gt;According to &lt;a href=&quot;http://www.geek.com/articles/news/dropbox-security-glitch-meant-any-password-worked-yesterday-20110620/&quot;&gt;Geek.com&lt;/a&gt;, Dropbox found out because a friend of Christopher Soghoian accidentally fat-fingered their password and noticed that the login still worked.  That person tried it again, then tried a different person's account with the same result.  Had that person not contacted Dropbox's help desk, the problem may have gone on for much longer. &lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/DropBox_Logo.png&quot; alt=&quot;Drop Box Logo&quot;/&gt;&lt;/p&gt;

&lt;p&gt;DropBox has posted a &lt;a href=&quot;http://blog.dropbox.com/?p=821&quot; target=&quot;_blank&quot;&gt; blog response &lt;/a&gt; detailing the incident.&lt;/p&gt;

&lt;div class=&quot;Indented&quot;&gt; 

&lt;p&gt;Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm.&lt;/p&gt;

&lt;p&gt;We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com.&lt;/p&gt;

&lt;/div&gt;

&lt;p&gt;If you're not familiar with Dropbox, it is an online file backup and sharing service.  Once you create a Dropbox account, you can copy files to your Dropbox from one computer and they will automatically synchronize across multiple devices and be available in a web Dropbox via browser. 
&lt;/p&gt;












</description>
					<pubDate>Mon, 20 Jun 2011 20:14:59 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Storage.20110620201459.news.MiddleCenter.html</guid>
                </item>

<item><title>Sega Pass Website Breached</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110618085821.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;On Thursday, June 16, 2011, Sega shutdown public access to it's Sega Pass network.  Sega sent emails to it's users explaining breach including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;email addresses&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;dates of birth&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;encrypted passwords&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt; In the announcement, Sega said &quot;To stress, none of the passwords obtained were stored in plain text.&quot;&lt;/p&gt;

&lt;p&gt;Encrypted passwords are a big improvement over other recent breaches at Sony and Writerspot, where the passwords were stored in plain text.  Coming days will reveal the strength of the encryption used.  If weak, publicly known hashing algorithms were used, we may still see posted password lists in the near future.&lt;/p&gt;

&lt;p&gt;It's time for companies to wise up.  They should store usernames in a different place than passwords and join the two using meaningless keys.  This makes it much harder to compromise a system, since the attackers must compromise two different systems to join the data.  See &lt;a href=&quot;http://www.healthypasswords.com/news.It_is_Time_for_Website_Login_Credential_Compliance_Programs.html&quot;&gt;It is Time for Website Login Credential Compliance Programs &lt;/a&gt;for ideas websites can use to improve authentication security. 
&lt;/p&gt;

&lt;h3&gt;June 20, 2011 - Update&lt;/h3&gt;

&lt;p&gt;According to &lt;a href=&quot;http://www.reuters.com/article/2011/06/19/us-sega-hackers-idUSL3E7HJ01520110619&quot;&gt;Reuters&lt;/a&gt;, 1.3 million customers had data stolen.&lt;/p&gt;</description>
					<pubDate>Sat, 18 Jun 2011 08:58:21 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110618085821.news.MiddleCenter.html</guid>
                </item>

<item><title>It is Time for Website Login Credential Compliance Programs</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110617113000.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;By Ken Klein, Healthy Passwords&lt;br/&gt;
June 17, 2011 11:30AM EST&lt;/p&gt;

&lt;p&gt;Yesterday's posting of 66,000 stolen email addresses and passwords by a prominent hacker group illustrates a huge problem.  Password reuse is as bad as leaving your credit cards lying on your car dashboard.  
&lt;/p&gt;

&lt;p&gt;It's time to talk about reforming website regulation around authentication.  In 2004 the Payment Card Industry Security Standards Council (PCI SSC) was formed to combat this same problem with credit card data.  Because a handful of large card issuers had a big stake in the problem, getting them to join forces and create standards was easier than any state sponsored or voluntary effort.  &lt;/p&gt;

&lt;p&gt;If a website accepts credit cards as payment, they must meet the PCI requirements.  These are enforced by annual questionnaire for low volume vendors and audited by third parties for large volume vendors.  &lt;/p&gt;

&lt;p&gt;The high level requirements set by the standard include a few common-sense practices such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Storing cardholder data on the non-public side of a firewall.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Encryption of cardholder data across open public networks.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Business policies restricting cardholder data access.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Regularly testing security systems and processes.&lt;/p&gt;&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;There are many more, but the key is first having a set of standards then auditing for compliance.  &lt;/p&gt;

&lt;p&gt;The nature of the web has been innovation.  Web entrepreneurs don’t have to create business plans, find investors, lawyers, and accountants before starting their business.  They just need a credit card, 5.99 a month and a developer.  For the technically inclined, starting a web business is easy.  They can cobble together a website that looks as good as any other.  If they happen to time it right, or hit a niche that others missed, they can take off and before you know it, they have collected a few hundred thousand email addresses and passwords that are ripe for hacking.  &lt;/p&gt;

&lt;p&gt;The proper way doesn’t have to take a big budget.  It does however, require knowledge.  Secure sites architect a secure solution before they start building the site.  They think about how “authentication” (usernames and passwords) will happen and they think about how to secure them.  &lt;/p&gt;

&lt;p&gt;PCI works for credit cards because card issuers can revoke a site's ability to accept their cards when the site fails to comply.  There is no such luxury for the authentication problem.  &lt;/p&gt;

&lt;p&gt;The best way to solve this problem is for users to ask websites about their security before giving any information.  The questions you should ask are:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Is your login screen completely hosted on an encrypted connection?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Do you store username/email and passwords on the same server the website runs on?&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Do you hash or encrypt passwords?&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Do you separate the authentication pairs (username / password) onto different systems, making one compromised credential useless without the other? &lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Do you outsource authentication?  If so, does the provider adhere to the previous four rules?&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Sending an email and waiting for a response that may never come is not practical when the site has something you need.  If enough people start asking questions, sites will begin to feel threatened if they cannot answer them, and start fixing their problems.  &lt;/p&gt;

&lt;p&gt;The best option for you is this:  If you visit a site that wants your username and password, send them the email asking the five questions.  Then use a junk email account that you use for nothing important, or even create an email account just for that site.  Use the junk email and an appropriate junk password counterpart.  If they are compromised, you will not be jeopardizing anything.  You also will reduce your primary inbox spam.&lt;/p&gt;






</description>
					<pubDate>Fri, 17 Jun 2011 11:30:00 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110617113000.news.MiddleCenter.html</guid>
                </item>

<item><title>And the winner once again is 123456</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110616130226.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;LulzSec Disclosed 66000 user emails and passwords.  We just crunched the numbers and here are the top ten results:&lt;/p&gt;
&lt;p&gt;
Password -&gt; Count
&lt;br/&gt; 123456 -&gt; 569
&lt;br/&gt; 123456789 -&gt; 184
&lt;br/&gt; password -&gt; 133
&lt;br/&gt; romance -&gt; 88
&lt;br/&gt; 102030 -&gt; 68
&lt;br/&gt; mystery -&gt; 67
&lt;br/&gt; ajcuivd289 -&gt; 62 (55 used a lower and 7 used AjcuiVd289)
&lt;br/&gt; shadow -&gt; 62
&lt;br/&gt; tigger -&gt; 62 
&lt;br/&gt; 123 -&gt; 55 
&lt;/p&gt;
&lt;p&gt;Note:  Case sensitivity was not considered in this comparison. &lt;/p&gt;

&lt;p&gt; Slots one, two, and three are expected.  LulzSec did not specify where this data came from, and many times passwords can be derived from the context of the site they are for.  Looking at this data, it looks like many of the passwords may have come from a source related to books and reading.  In the top ten, only romance and mystery fit that theme, but going through the long list, there were many other indications leaning this way. &lt;/p&gt;





&lt;p&gt; One very strange password in the top 10 was ajcuivd289.  Going through the source, this is legitimately listed for 62 different emails (note: 7 of these used the mixed case variant of AjcuiVd289). &lt;/p&gt;

&lt;p&gt; We tried doing some Google searches for ajcuivd289 to see what it may be, and surprisingly, this led to the discovery of many sites whose password lists have been indexed by Google.  We won't disclose those here, but we suggest that anyone using that password change it.
&lt;/p&gt;

&lt;h3&gt;Password Length&lt;/h3&gt;

&lt;p&gt; Password length was decent.  67% of the passwords in the file were longer than six characters and 50% were at least eight characters.  Here's the breakdown on password length:&lt;/p&gt;
&lt;p&gt;
31% -&gt; 6 characters&lt;br/&gt;
26% -&gt; 8 characters&lt;br/&gt;
17% -&gt; 7 characters&lt;br/&gt;
10%  -&gt; 9 characters&lt;br/&gt;
6.5%  -&gt; 10 characters&lt;br/&gt;
&lt;/p&gt;



&lt;h3&gt;Complexity&lt;/h3&gt;

&lt;p&gt; Password complexity was very bad in this data.  &lt;/p&gt;

&lt;p&gt; From worst to best &lt;br/&gt;
numbers only --&gt; 20% &lt;br/&gt;
letters only --&gt; 44% &lt;br/&gt;
numbers and letters --&gt; 35% &lt;br/&gt;
letters and special characters --&gt; 1% &lt;br/&gt;
Numbers, letters, and special characters --&gt; 1% &lt;br/&gt;
&lt;/p&gt;










</description>
					<pubDate>Thu, 16 Jun 2011 13:02:26 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110616130226.news.MiddleCenter.html</guid>
                </item>

<item><title>Phone Virus Scams</title>
                    <link>http://www.healthypasswords.com/Hoaxes.Phone.20110616121501.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;This was a story we originally posted in early April.  Around mid May we stopped seeing these stories in the US news, but they continued main in the Ireland, the United Kingdom, Australia, and New Zealand.  This week, Microsoft released a study on this subject.  You can view the study titled, Microsoft Survey Reveals Extent of Emerging Internet Phone Scam, &lt;a href=&quot;http://www.microsoft.com/Presspass/press/2011/jun11/06-16MSPhoneScamPR.mspx&quot; target=&quot;_blank&quot;&gt; here&lt;/a&gt;.  &lt;/p&gt;

&lt;p&gt;Microsoft surveyed 7,000 computer users in the U.K., Ireland, U.S. and Canada.  Here are some details from the survey:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt; &lt;p&gt;The survey showed that across all four countries, 15 percent of people had received a call from scammers. In Ireland this rose to 26 percent.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt; &lt;p&gt;Of those who received a call, 22 percent, or 3 percent of the total survey sample, were deceived into following the scammers’ instructions, which ranged from permitting remote access to their computer and downloading software code provided by the criminals to providing credit card information and making a purchase.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt; &lt;p&gt; The vast majority (79 percent) of people deceived in this way suffered some sort of financial loss. Seventeen percent said they had money taken from their accounts, 19 percent reported compromised passwords and 17 percent were victims of identity fraud. More than half (53 percent) said they suffered subsequent computer problems.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Across all four countries surveyed, the average amount of money stolen was $875 (U.S.), ranging from $82 (U.S.) in Ireland up to $1,560 (U.S.) in Canada. The average cost of repairing damage caused to computers by the scammers was $1,730 — rising to $4,800 in the U.S.&lt;/p&gt;&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;We will continue to update this post whenever we see news related to this.&lt;/p&gt;

&lt;h3&gt;Original Healthy Passwords Post&lt;/h3&gt;
&lt;p&gt;
This is a daily story hitting local newspapers all over.  A person receives a phone call from someone claiming to be from Microsoft, McAfee, Norton, or some other legitimate sounding company.  They tell the user they have a virus and they will remove it for them over the phone. If the victim falls for it, they will stay on the phone while the person sits down at the computer and gives them access.  Once they have access, they install malware and viruses and try talking the user into paying them for their service.  
&lt;/p&gt;

&lt;p&gt; Don't ever fall for this type of scam.  &lt;/p&gt;

&lt;br/&gt;References:

&lt;br/&gt;&lt;a href=&quot;http://www.police.govt.nz/news/release/29249.html&quot; target=&quot;_blank&quot;&gt;09/01/2011 - NZ - Tauranga&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.woodstocksentinelreview.com/ArticleDisplay.aspx?e=3269753&quot; target=&quot;_blank&quot;&gt; 8/23/2011 - CA - Woodstock &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.lacdubonnetleader.com/ArticleDisplay.aspx?e=3267053&quot; target=&quot;_blank&quot;&gt; 8/22/2011 - CA - North Eastman&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.gladstoneobserver.com.au/story/2011/08/22/beware-microsoft-phone-scam-gladstone/&quot; target=&quot;_blank&quot;&gt; 8/22/2011 - AU - Gladstone&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://winnipeg.ctv.ca/servlet/an/local/CTVNews/20110818/wpg_virus_scam_110818/20110818/?hub=WinnipegHome&quot; target=&quot;_blank&quot;&gt; 8/18/2011 - CA - Winnipeg &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.therecord.com/news/local/article/579638--police-warn-of-phone-scam-offering-anti-virus-software&quot; target=&quot;_blank&quot;&gt; 8/17/2011 - CA - Waterloo - Trial Subscription Expired &lt;/a&gt; This one is a bit different: According to the article, the caller cautions that a three-month trial has expired and requests payment via credit card to continue the service. He or she then asks residents to go online and visit the company website to download the update, which police say allows the perpetrators to access computers remotely.

&lt;br/&gt;&lt;a href=&quot;http://www.fox10tv.com/dpp/news/local_news/baldwin_county/scammers-use-public-sites-to-gain-info&quot; target=&quot;_blank&quot;&gt; 8/16/2011 - US - FL - Pensacola &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.baldwincountynow.com/articles/2011/08/16/local_news/doc4e4a88e90a1f2011029078.txt&quot;&gt;8/16/2011 - US - Alabama - Fairhope &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.hemeltoday.co.uk/news/local/keep_an_eye_out_for_computer_conmen_1_2961277&quot; target=&quot;_blank&quot;&gt; 8/12/2011 - UK - Hertfordshire&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.hemeltoday.co.uk/news/local/keep_an_eye_out_for_computer_conmen_1_2961277&quot; target=&quot;_blank&quot;&gt; 8/11/2011 - CA - Orangeville&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://cowracommunitynews.com/viewnews.php?newsid=7777&amp;id=47&quot; target=&quot;_blank&quot;&gt; 8/6/2011 - AU - Cowra, Albury &lt;/a&gt;
&lt;br/&gt;&lt;a href=&quot;http://www.localnews8.com/news/28758429/detail.html&quot; target=&quot;_blank&quot;&gt; 8/4/2011 - US - ID - Bonneville County &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.nipawinjournal.com/ArticleDisplay.aspx?e=3242213&quot; target=&quot;_blank&quot;&gt; 8/3/2011 - CA - Saskatchewan &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.dorsetecho.co.uk/news/9172342.Dorset_pensioners_warned_to_beware_phone_scam/&quot; target=&quot;_blank&quot;&gt; 8/2/2011 - UK - Dorset &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://thenelsondaily.com/news/general/microsoft-not-calling-12830&quot; target=&quot;_blank&quot;&gt; 7/31/2011 - CA - BC - Nelson&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.bclocalnews.com/news/125781683.html&quot; target=&quot;_blank&quot;&gt; 7/19/2011 - CA - BC - White Rock&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.wgil.com/localnews.php?xnewsaction=fullnews&amp;newsarch=072011&amp;newsid=123&quot; target=&quot;_blank&quot;&gt; 7/16/2011 - US - Illinois - Galesburg - This article adds a detail no others have, which is the caller directs the victim to go to ammyy.com to download the remote support application.&lt;/a&gt;

&lt;h3&gt;Scammers have been using Ammyy.com&lt;/h3&gt;
&lt;img width=&quot;75%&quot; src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/ammy_com_image.png&quot; alt=&quot;Scammers use Ammyy.com for remote control&quot;/&gt;
&lt;p&gt;Ammyy.com may be a legitimate site, although a quick Google search for it reveals more references to scams than to legitimate use.  Also keep in mind that scammers could just as easily use GoToMyPC, LogMeIn, or any other reputable remote control software.  &lt;/p&gt;

&lt;br/&gt;&lt;a href=&quot;http://ashburn.patch.com/articles/sheriffs-office-warns-of-computer-tech-phone-scam&quot; target=&quot;_blank&quot;&gt; 7/16/2011 - US - Virginia - Ashburn&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.woai.com/news/local/story/Fake-Microsoft-technicians-behind-a-new-telephone/1PcwZ9K7GEOP0y2fEAWYKg.cspx&quot; target=&quot;_blank&quot;&gt; 7/15/2011 - US - Texas - San Antonio&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.globalregina.com/Anti+Virus+Software+Scam+sweeps+Alberta/5091669/story.html&quot; target=&quot;_blank&quot;&gt; 7/14/2011 - CA - Alberta - Calgary&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.kktv.com/home/headlines/Computer_Virus_Scam_Circulating_Southern_Colorado_125614123.html&quot; target=&quot;_blank&quot;&gt; 7/14/2011 - US - Colorado &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.leaderpost.com/business/Phone+scam+targets/5093557/story.html&quot; target=&quot;_blank&quot;&gt; 7/13/2011 - CA - Saskatchewan  &lt;/a&gt;


&lt;br/&gt;&lt;a href=&quot;http://www.democratherald.com/news/local/article_958a8e78-a9cf-11e0-a9a0-001cc4c002e0.html&quot; target=&quot;_blank&quot;&gt; 7/9/2011 - US - New York - Albany&lt;/a&gt; - This one sounds a little different from the Microsoft scammers with Indian accents.  These scammers pretend to be from computer support companies in New York.

&lt;br/&gt;&lt;a href=&quot;http://hqcomoxvalley.com/news/local/news/Local/11/07/8/TELUS-warns-of-recent-computer-security-phone-scam/&quot; target=&quot;_blank&quot;&gt; 7/8/2011 - CA - BC - Comox Valley &lt;/a&gt; 

&lt;br/&gt;&lt;a href=&quot;http://www.portageonline.com/index.php?option=com_content&amp;task=view&amp;id=22911&amp;Itemid=468&quot; target=&quot;_blank&quot;&gt; 7/8/2011 - CA - Manitoba - Phone Scammers At Work Again &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.northernadvocate.co.nz/local/news/virus-scammers-leave-couple-at-risk/3958510/&quot; target=&quot;_blank&quot;&gt; 7/7/2011 - NZ - Whangarei - Northern Advocate - Virus scammers leave couple at risk&lt;/a&gt;


&lt;br/&gt;&lt;a href=&quot;http://cd989.com/2011/07/another-phone-scam-hits-norfolk-county/&quot; target=&quot;_blank&quot;&gt; 7/4/2011 - CA - Ontario - Another phone scam hits Norfolk County.&lt;/a&gt;


&lt;br/&gt;&lt;a href=&quot;http://www.lfpress.com/news/london/2011/07/03/18369016.html&quot; target=&quot;_blank&quot;&gt; 7/4/2011 - UK - London - Microsoft scam in our area&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.loudountimes.com/index.php/news/article/sheriffs_office_warns_of_telephone_scam123/&quot; target=&quot;_blank&quot;&gt; 6/29/2011 - US - Virginia - Sheriff’s Office warns of telephone scam&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.bendigoadvertiser.com.au/news/local/news/general/phone-scammers-targeting-bendigo/2207244.aspx&quot; target=&quot;_blank&quot;&gt; 6/26/2011 - Canada - Bendigo - Phone scammers targeting Bendigo&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.thebramptonnews.com/articles/5268/1/Fraud-Bureau-Warning-Residents-of-Computer-Scam/Page1.html&quot; target=&quot;_blank&quot;&gt;6/25/2011 - Canada - Brampton - Fraud Bureau Warning Residents of Computer Scam&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.northernlife.ca/news/policeandCourt/2011/06/24-scam-computer-virus-malware-sudbury.aspx&quot; target=&quot;_blank&quot;&gt;6/24/2011 - Canada - Phone scam leads to computer hacking&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.newson6.com/story/14635517/computer-scam&quot; target=&quot;_blank&quot;&gt;5/12/2011 - US, Oklahoma - Oklahomans Hit By Scam Targeting Computers With Viruses &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://icperthshire.icnetwork.co.uk/tm_headline=beware-of-01764-phone-scam%26method=full%26objectid=28555881%26siteid=64054-name_page.html#story_continue&quot; target=&quot;_blank&quot;&gt; 4/22/2011 - UK, Strath - Beware of 01764 phone scam&lt;/a&gt;
&lt;br/&gt;&lt;a href=&quot;http://www.therepublic.com/view/local_story/Sheriff_warns_of_computer_viru_1302797331/&quot; target=&quot;_blank&quot;&gt; 4/14/2011 - US, Columbus IN - Sheriff warns of computer-virus scam&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.techwatch.co.uk/2011/04/12/users-warned-of-windows-support-centre-scam/&quot; target=&quot;_blank&quot;&gt; 4/12/2011 - UK - Users warned of Windows Support Centre scam&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.globalsaskatoon.com/Strathmore+falls+victim+Virtual+Doctor/4577954/story.html&quot; target=&quot;_blank&quot;&gt; 4/8/2011 - CA - Strathmore man falls victim to Virtual PC Doctor &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.wirralglobe.co.uk/news/8961405.Warning_over_computer_virus_phone_scam/&quot; target=&quot;_blank&quot;&gt; 4/7/2011 - UK - Warning over computer virus phone scam &lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.warwickdailynews.com.au/story/2011/04/07/fake-company-scams-residents-warwick-phone-calls/&quot; target=&quot;_blank&quot;&gt; 4/7/2011 - AU - Fake company scams residents&lt;/a&gt;

&lt;br/&gt;&lt;a href=&quot;http://www.kget.com/news/local/story/Contact-17-Investigation-New-computer-hacking-scam/hqU5eMVHxE-v40sbHvTyvg.cspx&quot; target=&quot;_blank&quot;&gt;3/30/2011 - US - Contact 17 Investigation - New computer hacking scam &lt;/a&gt;


&lt;p&gt;This Symantec video details one phone scam type.  In it, Symantec contacted a suspected illegitimate online support service.  Most of the incidents documented in this article involve you being called by the perpetrator.&lt;/p&gt;

&lt;object style=&quot;height: 390px; width: 640px&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/WhV6rIgyQ-s?version=3&quot;&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;&gt;&lt;embed src=&quot;http://www.youtube.com/v/WhV6rIgyQ-s?version=3&quot; type=&quot;application/x-shockwave-flash&quot; allowfullscreen=&quot;true&quot; allowScriptAccess=&quot;always&quot; width=&quot;640&quot; height=&quot;390&quot;&gt;&lt;/object&gt;


&lt;p&gt; If you receive one of these calls, please leave a comment below. &lt;/p&gt;

</description>
					<pubDate>Thu, 16 Jun 2011 12:15:01 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hoaxes.Phone.20110616121501.news.MiddleCenter.html</guid>
                </item>

<item><title>It is Monthly Patch Time Windows Users</title>
                    <link>http://www.healthypasswords.com/Patches.Microsoft.20110616095047.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein&lt;br/&gt;
2011-06-16 9:50 EST&lt;/p&gt;

&lt;p&gt;The Information Technology world knows that the second Tuesday of every month is &quot;Microsoft patch Tuesday&quot;.  By Thursday, you should have been prompted to update Windows.  If you did not get prompted, you should check your settings.  See &lt;a href=&quot;http://www.healthypasswords.com/content.How_to_Check_Windows_Update.html&quot;&gt;how to check for Windows Update&lt;/a&gt; for more details.&lt;/p&gt;

&lt;p&gt;For details on what's in the patches this month, see &lt;a href=&quot;http://krebsonsecurity.com/2011/06/microsoft-patches-fix-34-security-flaws/&quot; target=&quot;_blank&quot;&gt;Brian Krebs, KrebsOnSecurity - Microsoft Patches Fix 34 Security Flaws&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Adobe also released a large patch for Acrobat and Reader.  &lt;a href=&quot;http://krebsonsecurity.com/2011/06/adobe-ships-security-patches-auto-update-feature/&quot; target=&quot;_blank&quot;&gt;KrebsOnSecurity has a great explanation.&lt;/a&gt;  The important thing about this update from Adobe is that it includes a new updater, which will automatically take care of future updates.  If you use Secunia PSI and/or Qualys Browser Check, you should have been warned there first when your browser came up this morning.  See &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_Patching_Popular_Software_Vulnerabilities.html&quot;&gt; Patching Popular Software Vulnerabilities &lt;/a&gt; for more information on these.&lt;/p&gt;
</description>
					<pubDate>Thu, 16 Jun 2011 09:50:47 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Patches.Microsoft.20110616095047.news.MiddleCenter.html</guid>
                </item>

<item><title>Phone Apps expose user passwords</title>
                    <link>http://www.healthypasswords.com/Vulnerability.IOS.20110611115418.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein&lt;br/&gt;
June 11, 2011 14:05PM EST&lt;/p&gt;

&lt;p&gt;
According to security firm viaForensics, many popular iPhone and Android apps have major security flaws in the way they store user data.  You can look at their listing at &lt;a href=&quot;http://viaforensics.com/appwatchdog/&quot; target=&quot;_blank&quot;&gt;viaforensics.com/appwatchdog/&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Browsing through the listings on 6/11/2011, the two worst ones we could find are listed below.  According to viaForensics, they both store unencrypted password data.
&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;
&lt;a href=&quot;http://viaforensics.com/appwatchdog/android-mail-exchange-android.html&quot;&gt;Android Mail (Exchange)&lt;/a&gt; - The password is stored without encryption on the device.
&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;&lt;a href=&quot;http://viaforensics.com/appwatchdog/android-mail-hotmail-android.html&quot;&gt;Android Mail (Hotmail)&lt;/a&gt; - The password is stored without encryption on the device.
&lt;/p&gt;&lt;/li&gt;

&lt;/ol&gt;





</description>
					<pubDate>Sat, 11 Jun 2011 11:54:18 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.IOS.20110611115418.news.MiddleCenter.html</guid>
                </item>

<item><title>Computer repairman accused of taking nude pictures of women remotely</title>
                    <link>http://www.healthypasswords.com/Hoaxes.Webcams.20110610112811.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein&lt;br/&gt;
June 10, 2011 18:11 EST&lt;/p&gt;

&lt;p&gt;The &lt;a href=&quot;http://latimesblogs.latimes.com/lanow/2011/06/computer-repairman-arrested-for-allegedly-taking-hundreds-of-nude-pictures-of-women-remotely.html&quot; target=&quot;_blank&quot;&gt;Los Angeles Times reported&lt;/a&gt; on a computer repairman arrested for allegedly collecting nude pictures from his customers' laptop webcams.&lt;/p&gt;

&lt;p&gt;This is a bit far-fetched for most people, but webcam jacking can happen to anyone infected by malware.  There have even been incidents where rental stores use stealth &lt;a href=&quot;http://www.healthypasswords.com/content.Definition_What_is_a_Rootkit.html&quot;&gt;rootkits&lt;/a&gt; to monitor their rented laptops by snapping webcam photos.  See the AJC story: &lt;a href=&quot;http://www.ajc.com/business/aarons-franchisee-denies-it-970980.html&quot; target=&quot;_blank&quot;&gt;Aaron's franchisee denies it spies on computer customers&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Webcams are on almost every model of laptop sold.  There is a very easy solution to this problem.  Simply get a small piece of cardstock and tape it over your camera using painter's tape.  When you want to use the webcam, remove the tape.  Be sure to place the cardstock over the camera lens to keep from gumming up the lens with adhesive.  Painter's tape is best because it comes off more easily.  If you're worried about your laptop's finish, be warned that the adhesive could leave a mark on the plastic.&lt;/p&gt;






</description>
					<pubDate>Fri, 10 Jun 2011 11:28:11 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hoaxes.Webcams.20110610112811.news.MiddleCenter.html</guid>
                </item>

<item><title>RSA to Replace SecureID Tokens</title>
                    <link>http://www.healthypasswords.com/Authentication.Tokens.20110607065006.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken S. Klein&lt;br/&gt;
June 7, 2011 11:47AM EDT&lt;/p&gt;

&lt;p&gt; An &lt;a href=&quot;http://www.rsa.com/node.aspx?id=3891&quot; target=&quot;_blank&quot;&gt;open letter to customers&lt;/a&gt; from RSA announced that RSA will replace tokens due to the security breach they incurred in March.  (See &lt;a href=&quot;http://www.healthypasswords.com/news.Hackers_Steal_Secure_Token_Data.html&quot;&gt; Healthy Passwords News - Hackers Steal Secure Token Data - 2011-03-18&lt;/a&gt;.)
&lt;/p&gt;

&lt;p&gt;If you are a normal, non-technical user, you only need to pay attention to this story if:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;  You use an RSA branded secure token.
&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;  You are a citizen of a country that uses RSA security and are highly concerned with national security matters.
&lt;/p&gt;&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;If you use RSA tokens, the best advice is to ensure you are working on a clean system and then get a new token issued.  The breach at Lockheed Martin was only possible because the attackers were able to install a key logger on a machine.  Once they had the key logger, they only needed a user to authenticate using their token on the compromised machine.  This gave them the user's password information, which they could reuse together with their own security key based off the stolen algorithms.  If you're running anything older than Windows 7, upgrade to Windows 7.  The likelihood of getting a keylogger on Windows 7 is much lower than on any previous Windows version.&lt;/p&gt;

&lt;p&gt;If your company's corporate infrastructure group has not yet approved Windows 7, chances are good that they have already locked down your account in a manner that deters keyloggers.  You can help them by only using your work machine for work and avoiding personal surfing or social networking.  The last thing any employee wants to be is the one who caused a network breach.  Don't play where you work!&lt;/p&gt;

&lt;p&gt;The RSA open letter from June 6th confirms that the May Lockheed Martin breach was a direct result of the March RSA breach.  This possibility was reported by &lt;a href=&quot;http://www.networkworld.com/news/2011/052611-lockheed-martin-outage.html&quot; target=&quot;_blank&quot;&gt; Network World on May 26th&lt;/a&gt;, citing Robert Cringely, who learned of an RSA security token replacement at Lockheed Martin.
&lt;/p&gt;

&lt;p&gt;If RSA were a large provider of consumer-based tokens, a ten day delay would be disturbing.  Considering that RSA is a provider of tokens to large government, government contractor, and corporate customers, withholding this fact makes sense.  It gave RSA time to redistribute new hardware to its most sensitive customers.  
&lt;/p&gt;

&lt;p&gt;Regardless of this breach, we still advise the use of &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_What_is_Multi-Factor_Authentication.html&quot;&gt;multi-factor authentication &lt;/a&gt; as the most secure form of authentication.  Hopefully the multi-factor key-masters will do a better job of guarding their keys in the future.&lt;/p&gt;



</description>
					<pubDate>Tue, 07 Jun 2011 06:50:06 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Tokens.20110607065006.news.MiddleCenter.html</guid>
                </item>

<item><title>Adobe Flash Security Advisory</title>
                    <link>http://www.healthypasswords.com/Patches.Flash.20110606195426.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Every computer user needs to pay attention to this update.  Nearly every computer has a copy of flash installed.  Flash is is a required integral component used by many websites.  Criminals know that most people don't update Flash on a timely basis, so they target any vulnerabilities as quickly as possible.  &lt;/p&gt;

&lt;p&gt;The easiest way to update Flash is by using a third-party patching tool like Qualys Browser Check and/or Secunia PSI.  Learn more at &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_Patching_Popular_Software_Vulnerabilities.html&quot;&gt; Healthy Passwords - Patching Popular Software Vulnerabilities &lt;/a&gt;.

Here is the  Adobe advisory issued 6/5/2011:&lt;/p&gt;


&lt;iframe width=&quot;95%&quot; height=&quot;500px&quot; src=&quot;http://www.adobe.com/support/security/bulletins/apsb11-13.html&quot;&gt;&lt;/iframe&gt;



</description>
					<pubDate>Mon, 06 Jun 2011 19:54:26 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Patches.Flash.20110606195426.news.MiddleCenter.html</guid>
                </item>

<item><title>Oracle to Fix Several Security Flaws -- Protect Yourself by Updating</title>
                    <link>http://www.healthypasswords.com/Vulnerability.Third-Party.20110606161337.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein&lt;br/&gt;
June 6, 2011 4:23 PM EST&lt;/p&gt;

&lt;p&gt;
Java vulnerabilities are the primary method used by malware to steal from you.  Popular crimeware kits target Java for two reasons:
&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Many don't know they have Java on their computer, so they don't update it.&lt;/p&gt;
&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Many computers have multiple Java versions including very old versions.  Old versions have many more vulnerabilities than newer ones.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Oracle announced its June Critical Patch Update will be released on Tuesday, June 7, 2011.  It will contain 17 new security fixes for security vulnerabilities in Oracle Java SE.&lt;/p&gt;

&lt;p&gt;The easiest way to keep Java up to date is by using a third party utility such as Secunia PSI or Qualys Browser Check.  To learn more about these, see &lt;a href=&quot;http://www.healthypasswords.com/content.Healthy_Passwords_Patching_Popular_Software_Vulnerabilities.html&quot;&gt; Healthy Passwords - Patching Popular Software Vulnerabilities&lt;/a&gt;.&lt;/p&gt;









</description>
					<pubDate>Mon, 06 Jun 2011 16:13:37 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Vulnerability.Third-Party.20110606161337.news.MiddleCenter.html</guid>
                </item>

<item><title>Thousands Attend Birthday Party Due to Improper Facebook Security Settings</title>
                    <link>http://www.healthypasswords.com/Facebook.Mining.20110605152328.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;
A teenage girl from Germany accidentally posted a birthday party invitation with the security setting &quot;Everybody&quot;.  More than 1,500 guests showed up, and around 100 police officers, some on horses, were needed to keep the crowd under control.
&lt;/p&gt;

&lt;p&gt;
Many say they don’t care who sees their photos. Why does anyone want your family pictures, birthdays or other information? Most people don't care about those things. But increasingly there are incidents where criminals &quot;mine&quot; personal data solely for the purpose of planning a physical crime.  In this case, no crime was intended, but the end result was still devastating for a sixteen year old girl.  
&lt;/p&gt;

&lt;p&gt;
If you leave your Facebook wide open, messages to your friends and family are visible. Do you really want the creepy guy down the street to know you’re going on vacation?
&lt;/p&gt;

&lt;p&gt;
Another misconception is &quot;Friends of Friends&quot;. You only need one family member or friend who friends every person in the world to suddenly open your information up to thousands of strangers.
&lt;/p&gt;
</description>
					<pubDate>Sun, 05 Jun 2011 15:23:28 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Facebook.Mining.20110605152328.news.MiddleCenter.html</guid>
                </item>

<item><title>New Phone App for Android Makes Stealing Sessions Easy</title>
                    <link>http://www.healthypasswords.com/WiFi.Mining.20110602194802.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;
There's a new Android phone app for stealing your Facebook, Twitter, Amazon and other web sessions.  It's called FaceNiff.  The scary part of this is that it works on secured WiFi networks, not just open ones.  
&lt;/p&gt;

&lt;p&gt;This YouTube video shows how it works:&lt;br/&gt;
&lt;object style=&quot;height: 390px; width: 640px&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/3bgwVM7t_s4?version=3&quot;&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;&gt;&lt;embed src=&quot;http://www.youtube.com/v/3bgwVM7t_s4?version=3&quot; type=&quot;application/x-shockwave-flash&quot; allowfullscreen=&quot;true&quot; allowScriptAccess=&quot;always&quot; width=&quot;640&quot; height=&quot;390&quot;&gt;&lt;/object&gt;
&lt;/p&gt;

&lt;h3&gt;How can you protect yourself?&lt;/h3&gt;

&lt;p&gt;Ensure that you only use secure sessions to access web apps while on public WiFi networks.  The most secure way is by using a VPN or some similar service.  See &lt;a href=&quot;http://www.healthypasswords.com/ThirdPartyRatings.html#vpn&quot;&gt;http://www.healthypasswords.com/ThirdPartyRatings.html#vpn&lt;/a&gt; for more details on VPN.  This utility will not work if the WiFi network is configured for WPA/EAP, but EAP is more commonly used in business WiFi.&lt;/p&gt;

&lt;p&gt;If you have your own home or small business WiFi using WPA/WPA2, only a person with the shared key has the ability to use this utility.  Someone walking by cannot steal your session without the WPA key.&lt;/p&gt;




</description>
					<pubDate>Thu, 02 Jun 2011 19:48:02 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/WiFi.Mining.20110602194802.news.MiddleCenter.html</guid>
                </item>

<item><title>Fake Linked In Invitations Lead to Malware</title>
                    <link>http://www.healthypasswords.com/Malware.Website.20110602175412.news.MiddleCenter.html</link>
                    <description>&lt;p&gt; Trusteer, a leading security firm, released a warning for Spear-Phishing email attacks disguised as linked in invitations.&lt;/p&gt;

&lt;p&gt;The fake email invitation is nearly identical to the real email invitation.&lt;/p&gt;

&lt;p&gt;Fake Invitation&lt;br/&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/LinkedIn_Trusteer_fake.jpg&quot; alt=&quot;Fake LinkedIn Invitation&quot;/&gt;
&lt;/p&gt;
&lt;p&gt;Real Invitation&lt;br/&gt;
&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/LinkedIn_Trusteer_real.jpg&quot;  alt=&quot;Real LinkedIn Invitation&quot;/&gt;
&lt;/p&gt;

&lt;p&gt;If you click on the fake invitation you are directed to a malware site trying to look like salesforce.com.  The URL they send you to is salesforceappi.com.  If you visit this site, there is a very good chance you will get infected. &lt;/p&gt;

&lt;p&gt;If you've recently accepted a LinkedIn invitation, look at your browser history to see if you can find salesforceappi in the history.  If you find this URL in your history, you need to get your computer cleaned.  That may take some time, and even a visit to a local professional, so in the meantime do the following:&lt;/p&gt;

&lt;ol&gt;

&lt;li&gt;&lt;p&gt;Print your browser history in chronological order from the time of visiting salesforceappi.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;If you don't already have a live CD, download and create one.  See &lt;a href=&quot;http://www.healthypasswords.com/LiveDistroList.html&quot;&gt;http://www.healthypasswords.com/LiveDistroList.html&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Boot from your live CD and start going down the list of sites you visited after salesforceappi.  Pick the highest risk sites first and start changing passwords.  While doing this, check balances.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Go to any online email accounts and change your password.  Be sure to check forwarding, POP, and IMAP settings while there.  &lt;a href=&quot;http://www.healthypasswords.com/Content.Healthy_Passwords_See_if_Someone_is_Using_Your_Gmail.html&quot;&gt;See How to See if Someone is Using Your Gmail&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;If you use your computer for business, contact your employer's IT or Loss Prevention department and explain the situation.  If you have access to financial accounts, be sure they take action and change passwords accordingly.&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;Until the computer is cleaned or re-installed, don't be tempted to use your computer without the Live CD.  The malware installed by this site is particularly hard to remove, and most likely includes a keylogger.  If your computer is running Windows Vista or XP, consider this a good opportunity to do a clean install of Windows 7, and maybe even upgrade to a new hard drive.  &lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;If your employer's IT department or your local computer professional thinks you are over-reacting, refer them to this Trusteer communication: &lt;a href=&quot;http://www.trusteer.com/blog/linkedin-spam-emails-download-malware&quot;&gt;http://www.trusteer.com/blog/linkedin-spam-emails-download-malware&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;


</description>
					<pubDate>Thu, 02 Jun 2011 17:54:12 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Malware.Website.20110602175412.news.MiddleCenter.html</guid>
                </item>

<item><title>Facebook Vacation Burglary</title>
                    <link>http://www.healthypasswords.com/Facebook.Mining.20110528223649.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken S. Klein&lt;br/&gt;
May 28, 2011 22:45 EST&lt;/p&gt;

&lt;p&gt;The Billings Gazette just reported a story that jumped off the page for us.  &lt;a href=&quot;http://billingsgazette.com/news/state-and-regional/montana/article_8dd5a7cc-8962-11e0-9e20-001cc4c03286.html&quot; target=&quot;_blank&quot;&gt;Great Falls burglary victims rue sharing travel plans on Facebook&lt;/a&gt;.  Here's a paragraph out of Chapter 2 of our Password Book, Healthy Passwords:&lt;/p&gt;

&lt;p&gt;If you feel compelled to broadcast every move you make via social networking or messaging sites, do not be surprised if someone visits your home after you tell everyone that you are having a wonderful weekend away.  Likewise, you should not tell the world that just part of your family is away and a few vulnerable ones are home alone.&lt;/p&gt;




</description>
					<pubDate>Sat, 28 May 2011 22:36:49 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Facebook.Mining.20110528223649.news.MiddleCenter.html</guid>
                </item>

<item><title>IPOD, IPHONE, IPAD Decryption Tools on Market</title>
                    <link>http://www.healthypasswords.com/Hacking-Tools.IOS.20110525171619.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Ken Klein, Healthy Passwords&lt;br/&gt;
May 25, 2011&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://arstechnica.com/apple/news/2011/05/russian-company-releases-commercial-ios-decryption-toolset.ars?&quot; target=&quot;_blank&quot;&gt; ArsTechnica &lt;/a&gt; has reported on a Russian security firm selling iOS decryption tools on the open market.  Presently they are only selling to law enforcement.&lt;/p&gt;

&lt;p&gt;The good news is that to use the tool, they must have possession of your device (iPhone, iPad, or iPod). The tool employs a brute-force approach to breaking the encryption, so if you use a very long complex password, it may still be virtually impossible to get in.&lt;/p&gt;




</description>
					<pubDate>Wed, 25 May 2011 17:16:19 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hacking-Tools.IOS.20110525171619.news.MiddleCenter.html</guid>
                </item>

<item><title>Symantec / Verisign Personal Identity Portal Beta</title>
                    <link>http://www.healthypasswords.com/Authentication.Third-Party.20110524194957.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;By Ken S. Klein, Healthy Passwords&lt;br/&gt;
May 24, 2011 8:00PM EST&lt;/p&gt;

&lt;p&gt;Symantec recently acquired Verisign’s VIP authentication service.  Verisign launched the service in 2009.  Symantec’s offering folds the older VIP service into a new “Personal Identity Portal” promising one-click sign-in for all websites.  This offering from Symantec has five basic features:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;OpenID provider support.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;One Click sign-on via a new cloud based password manager service. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Your own customizable PIP page. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Online File Vault to store your sensitive documents securely. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Several multi-factor authentication offerings. &lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/SymantecPipPromo.png&quot;/&gt;

&lt;h3&gt;Pip Account Protection&lt;/h3&gt;
&lt;p&gt;Setting up your PIP account involves going to PIP.verisignlabs.com, entering a username, password, and email address.  Only the OpenID is created from the basic signup.  &lt;/p&gt;

&lt;h3&gt;OpenID&lt;/h3&gt;

&lt;p&gt;Users login to PIP once and then access any configured OpenID compatible website without passwords while they remain logged into PIP.  If every site supported OpenID, users would only use a password to login once per day.&lt;/p&gt;

&lt;p&gt;As promising as OpenID sounds, its adoption rate has been slow.  A site can only be a provider or consumer of OpenID credentials.  Many large sites, such as PIP, Google and Yahoo, have chosen to be providers rather than consumers.  That means that if a user creates an OpenID on PIP, they can’t use OpenID to login to Google or Yahoo. &lt;/p&gt;

&lt;p&gt;Some consumer sites like Facebook have chosen to implement it in strange ways.  For Facebook, you need to go into your profile and link your OpenID with Facebook.  Facebook then uses browser cookies to login a user when they go to the Facebook login page.  Different browsers behave differently with their cookies, resulting in people who can never get OpenID working with Facebook.  Because of the many issues around OpenID, PIP added one-click sign-on.  &lt;/p&gt;

&lt;h3&gt;One Click Sign-on&lt;/h3&gt;

&lt;p&gt;Symantec’s one-click sign-in is a free cloud based password manager service.  Symantec is marketing this as a bridge for sites without OpenID support.  It is a very basic password management service.  An extra password is required to use and access one-click.  This password is not stored anywhere.  If you lose the password, Symantec will not be able to recover your one-click information.  Some of its limitations are:&lt;/p&gt;

&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/SymantecPipOneClick.png&quot;/&gt;

&lt;ol&gt;

&lt;li&gt;&lt;p&gt;It only stores username, password and one large notes field per site.  Many other password managers allow complex databases to store much more about sites than just password data. &lt;/p&gt;&lt;/li&gt;

&lt;li&gt;&lt;p&gt;It only allows one credential per site, and you cannot add a site more than once.  For users who have multiple accounts at a site, this will limit functionality. &lt;/p&gt;&lt;/li&gt;

&lt;/ol&gt;


&lt;h3&gt;Your own Customizable PIP Page&lt;/h3&gt;
&lt;p&gt;The page used for OpenID is also available for anyone to see.  This doesn’t mean anyone can see your usernames and passwords.  Symantec lets you add links to your websites and social networks so others can find you from this page.  Symantec states that the page will be indexed by popular search engines, so if you have a struggling website, a link from verisignlabs.com may or may not help your search engine ranking.&lt;/p&gt;
&lt;h3&gt;Online File Vault&lt;/h3&gt;
&lt;p&gt;Symantec is including a free secure file vault for your sensitive documents.  The offering allows users 2 gigabytes of space.  The only limitation on the vault is that you must configure your PIP account for a Verisign VIP credential in order to use it, which is a very good thing to do. &lt;/p&gt;
&lt;h3&gt;VIP Credentials&lt;/h3&gt;
&lt;p&gt;VIP Credentials enable multi-factor authentication.  This is the most secure way to login.  If an attacker gains access to your VIP account username and password (for example, through a successful phishing attack), they still will not be able to login without the device.   Symantec offers three varieties of multi-factor authentication: Browser Certificates, Phone Apps, and keychain token / FOB.  A fourth option for Ironkey USB devices is not promoted on the PIP site, but is promoted by IronKey.  &lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Browser Certificates - According to Symantec, a browser certificate is a unique digital ID that VeriSign installs in your browser or user certificate store. PIP uses browser certificates to limit access to your account to only the computers and browsers you authorize. This greatly reduces the risk from a compromised account.   Browser certificates are free and require no special hardware on your machine.   They are only supported on Firefox, Internet Explorer, and Safari.  These are not as secure as a hardware token, since anyone who gains physical access to your computer and browser may still impersonate you. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Phone Apps – Phone apps are a form of multi-factor authentication that runs on your phone or PDA.  VIP supports Android, BlackBerry, iPhone, iPad, iPod Touch, Windows Mobile, and other phones.  According to Symantec, “VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as the Motorola, Nokia and Sony Ericsson”. &lt;/p&gt;

&lt;p&gt;We tested this using a plain old Verizon BREW-enabled clamshell phone.  To find the software, we had to use the phone's browser and go to m.verisign.com.  It then instructed us to use the phone’s search for software feature to search for “VIP Access”.  We found the application, and were able to download and install it with just a few button presses on the phone.  We then added the VIP Access application to a shortcut key.  The application works great.  Running it displays the number just as the tokens do.  &lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://s3.amazonaws.com/images.healthypasswords.com/phone_generic.jpg&quot;/&gt;&lt;/p&gt;
&lt;/li&gt;


&lt;li&gt;&lt;p&gt;The process for using a keychain token / FOB is identical to the phone, except instead of a phone you order a little device with a small LED display.   Hardware tokens range from $30.00 for a keychain FOB to $48.00 for a wallet card. &lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://images.healthypasswords.com.s3-website-us-east-1.amazonaws.com/vip_card.gif&quot;/&gt; &lt;img src=&quot;http://images.healthypasswords.com.s3-website-us-east-1.amazonaws.com/vip_fob2.gif&quot;/&gt; &lt;img src=&quot;http://images.healthypasswords.com.s3-website-us-east-1.amazonaws.com/VIP_fob1.gif&quot;/&gt;&lt;/p&gt;

&lt;p&gt;The process for using an IronKey requires plugging the device into the computer, logging into the IronKey, then running the VIP application stored on it.  The device must be registered the same as any other device. &lt;/p&gt;&lt;/li&gt;

&lt;/ol&gt;
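&lt;p&gt;The number the token or phone app displays is a one-time passcode computed from a secret shared with Symantec's servers and either a counter or the current time. This page does not describe Symantec's exact algorithm, so the following is an added illustration (not code from this article or from Symantec) of the standard OATH mechanism most tokens of this kind use: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), together with the server-side check that tolerates a token whose clock has drifted by one step. The secret is the RFC test-vector secret, not a real credential.&lt;/p&gt;

```python
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), algo).digest()
    offset = mac[-1] % 16                  # low nibble of the last byte selects the 4-byte window
    # 4 bytes starting at offset with the top bit cleared (same as masking with 0x7fffffff)
    code = int.from_bytes(mac[offset:offset + 4], "big") % (2 ** 31)
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check accepting the current step and `window` steps either side.

    hmac.compare_digest keeps the comparison constant-time so timing does not leak
    how many leading digits of a guess were right."""
    base = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + drift, digits), submitted):
            return True
    return False


# The RFC 4226 / RFC 6238 (SHA-1) test-vector secret, ASCII "12345678901234567890".
# A real token's secret is random and never leaves the token and the server.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Codes a keychain fob in event (counter) mode would show for presses 0..9.
    for c in range(10):
        print("HOTP", c, hotp(TEST_SECRET, c))
    # What a time-based token shows now, and whether the server still takes it one step later.
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("TOTP now:", code, "accepted 30s later:", verify_totp(TEST_SECRET, code, now + 30))
```

&lt;p&gt;Running the block prints the first ten HOTP codes for the RFC secret and the current TOTP code. Note that the drift window the server allows is also the attacker's window: a code stolen from the display is valid for up to about 90 seconds here, which is why a strong password still matters alongside the token.&lt;/p&gt;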


</description>
					<pubDate>Tue, 24 May 2011 19:49:57 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Third-Party.20110524194957.news.MiddleCenter.html</guid>
                </item>

<item><title>Facebook Dislike Button Scam</title>
                    <link>http://www.healthypasswords.com/Facebook.Phishing.20110517155345.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;By K. Klein, Healthy Passwords&lt;br/&gt;
May 17, 2011 3:00 PM EST&lt;/p&gt;

&lt;p&gt;
&lt;a href=&quot;http://nakedsecurity.sophos.com/2011/05/16/facebook-dislike-button-spreads-fast-but-is-a-fake-watch-out/&quot;&gt;Sophos Security recently reported on a Facebook threat&lt;/a&gt; in the form of a dislike button.  
You receive a Facebook message about something.  Partway down the message is text describing a new dislike &quot;Thumbs Down&quot; feature.  To use the new feature, you must enable it by clicking the link.  When you click the link, you allow a malicious script to post the same message to your profile and send it to all your friends, so you have unwittingly spread the scam yourself.  The good news is that the malicious script appears to do no more than replicate the original message.  
&lt;/p&gt;

&lt;p&gt;There are two things you can do to protect against this type of scam.    
&lt;/p&gt;

&lt;ol&gt;

&lt;li&gt;
&lt;p&gt;Modify your Facebook privacy settings to limit who can send you messages.&lt;/p&gt;
&lt;/li&gt;

&lt;li&gt;
&lt;p&gt;Modify your behavior: understand that Facebook system change notices will not come to you in messages from friends.  They will come from Facebook directly.&lt;/p&gt;
&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;Even if you modify your security to limit messages to friends only, you will only be as strong as your weakest direct friend.  If your cousin friends everyone and clicks on everything, then you may still get these types of scams.  Changing it will, however, limit your exposure.
&lt;/p&gt;

&lt;p&gt;If you’d like to modify who can send you Facebook messages and email:&lt;/p&gt;

&lt;ol&gt;

&lt;li&gt;
&lt;p&gt;Go to the Account drop-down menu at the top of any Facebook page and select &quot;Privacy Settings.&quot;&lt;/p&gt;
&lt;/li&gt;

&lt;li&gt;
&lt;p&gt;Select &quot;View settings&quot; in the &quot;Basic Directory Information&quot; section.&lt;/p&gt;
&lt;/li&gt;

&lt;li&gt;
&lt;p&gt;Change the setting for &quot;Send me messages.&quot; Your options include Everyone, Friends and Friends of Friends.&lt;/p&gt;
&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;Only emails from people who fall within the message privacy setting you choose will be delivered to your Facebook Messages. For example, if you select the &quot;Friends Only&quot; setting, you will not receive messages from email addresses that are not confirmed to belong to one of your friends. Instead, those senders will receive automatic bounce-back replies.&lt;/p&gt;

&lt;p&gt;For step-by-step instructions with screenshots see &lt;a href=&quot;http://www.healthypasswords.com/Facebook.Content.20110517191906.content.MiddleCenter.html&quot;&gt;How To Restrict Messages to Only Friends&lt;/a&gt;&lt;/p&gt;



</description>
					<pubDate>Tue, 17 May 2011 15:53:45 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Facebook.Phishing.20110517155345.news.MiddleCenter.html</guid>
                </item>

<item><title>Is it Time To Replace Your Battered Email Box?</title>
                    <link>http://www.healthypasswords.com/Email.Passwords.20110513231144.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;By: Ken Klein, Healthy Passwords&lt;br/&gt;
May 13, 2011 10:30 PM EST &lt;/p&gt;

&lt;p&gt;Rural residents go through the new mailbox ritual every few years.  It usually happens around graduation time or July Fourth.  A car drives down the street while geniuses with baseball bat in hand destroy your mailbox.  &lt;/p&gt;

&lt;p&gt;The digital equivalent of the battered mailbox may have just happened.  According to the Privacy Rights Clearinghouse database, it started in early April 2011.  First, Epsilon, a very large email marketing provider, lost millions of customer records.  Then on April 14, WordPress, the engine driving much of the blogging world, was hacked, revealing 18 million usernames and passwords.  Five days later, on April 19, the Sony PlayStation Network (PSN) was hacked, losing another 77 million customers’ information; Sony did not report this until April 27.  &lt;/p&gt;

&lt;p&gt;Rural residents are constantly looking for the better mailbox.  I personally use one that requires a key.  Not only does it keep snoopers out, it is much stronger.  Mine has already survived a baseball bat and a garbage truck.  The email equivalent to this type of box is one using multi-factor authentication.  &lt;/p&gt;

&lt;p&gt;Multi-factor authentication requires more than a username and password. It also requires something you physically have, such as a hardware device or the phone that receives a code. Someone cannot impersonate you with your password alone; they also need that device. Multi-factor methods include key chain tokens, voice or text messaging, USB devices, and printed cipher grids.  You can learn more about multi-factor authentication at &lt;a href=&quot;http://www.healthypasswords.com/multi-factor-authentication.html&quot;&gt; http://www.healthypasswords.com/multi-factor-authentication.html. &lt;/a&gt;  &lt;/p&gt;

&lt;p&gt;If your web email is your only email or the email you have linked to password resets, you need the most secure email possible.  Think about it.  If someone compromises your email, they can sit back and watch your messages until they know the sites you use most often.  Then, when the time is right, they simply go to those sites and request a password reset, which lands in the mailbox they already control.  &lt;/p&gt;

&lt;p&gt;If you read your mail in Thunderbird, Outlook Express, or Outlook, it usually uses something called POP or IMAP.  If you use Outlook for work, there’s a good chance it uses an Exchange server that your company has configured with encryption, which is more secure than unencrypted POP or IMAP.  POP and IMAP can be insecure: unless encryption is turned on, your username, password, and mail travel over the network as plain text.  If you use a laptop and your email is running while on an open WiFi network, it is not very difficult for someone nearby to read your email, including your username and password.  If you use this type of email, contact your email provider or ISP and request instructions to set it up using the secure (SSL/TLS) settings; these usually mean port 995 for POP3 and port 993 for IMAP, or STARTTLS on the standard ports.  If they don’t offer it, then look for a new email provider.&lt;/p&gt;
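&lt;p&gt;What &quot;plain text&quot; means in practice: the following added example (not from this article) is the kind of check a network defender would run over captured mail-client commands. It walks the client side of a POP3 or IMAP session line by line and reports a USER/PASS, LOGIN or AUTH PLAIN that was sent before the session switched to TLS with STLS or STARTTLS; the base64 wrapping of AUTH PLAIN is decoded because it is no protection at all. The session transcripts are constructed for the example.&lt;/p&gt;

```python
import base64
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int
    protocol: str
    what: str          # "POP3 USER/PASS", "IMAP LOGIN" or "AUTH PLAIN"
    username: str


def decode_auth_plain(blob: str):
    """SASL PLAIN is base64 of authzid NUL authcid NUL password; return the login name or ''."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\x00")
    except ValueError:                     # binascii.Error is a ValueError
        return ""
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else ""


POP3_COMMANDS = ("USER", "PASS", "STLS", "AUTH", "CAPA", "STAT", "LIST", "RETR", "DELE", "QUIT")


def cleartext_logins(client_lines: List[str]):
    """Scan the client side of one POP3 or IMAP session (one command per line) for
    credentials sent before the connection was upgraded to TLS."""
    findings = []
    encrypted = False           # set once STLS (POP3) or STARTTLS (IMAP) is sent
    pending_user = ""           # POP3 USER seen, waiting for the matching PASS
    expect_plain_blob = False   # AUTHENTICATE PLAIN without SASL-IR: next line is the base64
    protocol = "?"

    for n, raw in enumerate(client_lines, 1):
        if encrypted:
            break               # everything after the upgrade is ciphertext on the wire
        line = raw.strip()
        if expect_plain_blob:
            expect_plain_blob = False
            user = decode_auth_plain(line)
            if user:
                findings.append(Finding(n, protocol, "AUTH PLAIN", user))
            continue

        words = line.split()
        if not words:
            continue
        # IMAP commands start with a client tag ("a001 LOGIN ..."); POP3 commands do not.
        if words[0].upper() in POP3_COMMANDS:
            protocol, cmd, args = "POP3", words[0].upper(), words[1:]
        else:
            protocol = "IMAP"
            cmd = words[1].upper() if len(words) != 1 else ""
            args = words[2:]

        if cmd in ("STLS", "STARTTLS"):
            encrypted = True
        elif cmd == "USER" and args:
            pending_user = args[0]
        elif cmd == "PASS" and pending_user:
            findings.append(Finding(n, protocol, "POP3 USER/PASS", pending_user))
            pending_user = ""
        elif cmd == "LOGIN" and args:
            findings.append(Finding(n, protocol, "IMAP LOGIN", args[0].strip('"')))
        elif cmd in ("AUTH", "AUTHENTICATE") and args and args[0].upper() == "PLAIN":
            if len(args) == 2:  # initial response on the same line (SASL-IR)
                user = decode_auth_plain(args[1])
                if user:
                    findings.append(Finding(n, protocol, "AUTH PLAIN", user))
            else:
                expect_plain_blob = True
    return findings


# Constructed transcripts (client side only), not real captures.
POP3_CLEAR = ["USER alice", "PASS hunter2", "STAT", "QUIT"]
POP3_STLS = ["STLS", "USER alice", "PASS hunter2"]      # credentials travel inside TLS
IMAP_LOGIN = ["a1 CAPABILITY", 'a2 LOGIN "bob@example.com" "s3cret"', "a3 SELECT INBOX"]
IMAP_PLAIN = ["a1 AUTHENTICATE PLAIN", base64.b64encode(b"\x00carol\x00pw").decode(), "a2 LOGOUT"]

if __name__ == "__main__":
    for name, session in [("pop3-clear", POP3_CLEAR), ("pop3-stls", POP3_STLS),
                          ("imap-login", IMAP_LOGIN), ("imap-plain", IMAP_PLAIN)]:
        print(name, cleartext_logins(session))
```

&lt;p&gt;The STLS transcript produces no findings because the scanner stops at the upgrade: from that point the commands are inside TLS and an eavesdropper on the WiFi sees only ciphertext. Connecting directly to the SSL ports (995 or 993) has the same effect, since the entire session is encrypted before the first command is sent.&lt;/p&gt;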

&lt;p&gt;Many banks no longer use email for password resets.   If you want to see how yours handles it, just go to it and click the &quot;forgot password&quot; button.  Just remember to check other accounts such as Facebook, Myspace, Twitter, Turbotax online, iTunes, Amazon, and all the various cloud based services. &lt;/p&gt;

&lt;p&gt;If you determine you are vulnerable, it is time to change to a more secure email provider.  At this time, Google is the only webmail offering free multi-factor authentication.  We have assembled instructions for setting up GMail 2-Step Authentication at &lt;a href=&quot;http://www.healthypasswords.com/gmail-2step-setup.html&quot;&gt;www.healthypasswords.com/gmail-2step-setup.html&lt;/a&gt;.  Yahoo mail offers it through a third party, but there is a monthly fee involved.  &lt;/p&gt;

&lt;p&gt;To make an easier transition to secure email, temporarily forward existing email to the new account.  This process varies by provider.  For Yahoo, you can upgrade to Mail Plus for $19.99 a year and either download your email to a local client or set up forwarding.  Hotmail offers free forwarding.  Be sure to set up forwarding so it does not keep a copy of the email in your old account.  Only use forwarding as a short-term measure: if your old account is compromised, whoever controls it can read everything passing through it and can disable or redirect the forwarding.  &lt;/p&gt;






</description>
					<pubDate>Fri, 13 May 2011 23:11:44 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Email.Passwords.20110513231144.news.MiddleCenter.html</guid>
                </item>

<item><title>Too Much Java Can Be Bad</title>
                    <link>http://www.healthypasswords.com/Malware.Worms.20110512074614.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;By: Ken Klein, Healthy Passwords&lt;br/&gt;
May 11, 2011 8:21 PM EST&lt;/p&gt;

&lt;p&gt;Recent reports of another &lt;a href=&quot;http://fastflip.googlelabs.com/search?client=news&amp;q=java+malware&quot; target=&quot;_blank&quot;&gt;Java-based worm&lt;/a&gt; abound.  This worm can take over your computer, giving perpetrators access to see your screen, move your mouse, turn on your webcam, or do many other things.  Because it runs on Java, it can conceivably affect Mac and Linux users as well as Windows users.  &lt;/p&gt;

&lt;p&gt;This is a good reason to improve your online security.  Ask yourself, do I need Java on my computer?  Most people don't know.  There is one way to find out:  Remove it.   Any program needing it will either install it again, or tell you.  In the process you will eliminate older insecure versions.&lt;/p&gt;

&lt;p&gt; To uninstall Java from Windows, follow this procedure: &lt;a href=&quot;http://www.java.com/en/download/uninstall.jsp&quot; target=&quot;_blank&quot;&gt; Oracle's Uninstall Procedures for Windows &lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;Java updates notoriously leave older, less-secure copies behind.  The easiest way to find old copies of Java is with Secunia PSI.  See &lt;a href=&quot;PasswordStrategies.Content.20110506082211.content.MiddleCenter.html&quot;&gt;Healthy Passwords, Patching Popular Software Vulnerabilities Article&lt;/a&gt; for more information on Secunia PSI.  You will also find a YouTube video there showing how to install and use PSI.  &lt;/p&gt;

&lt;p&gt; Mac users have no easy way to remove Java.  In October 2010, Apple announced that its own Java runtime is deprecated and will be removed from future versions of OS X, but the details are incomplete.  At this time, Java is still part of OS X.  &lt;/p&gt;

&lt;p&gt;&lt;i&gt;Ken Klein is Author of Healthy Passwords, a book teaching non-technical people how to make strong, memorable passwords.  Learn more at &lt;a href=&quot;http://www.healthypasswords.com/book.html&quot;&gt; http://www.healthypasswords.com/ &lt;/a&gt; 
&lt;/i&gt;&lt;/p&gt;

</description>
					<pubDate>Thu, 12 May 2011 07:46:14 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Malware.Worms.20110512074614.news.MiddleCenter.html</guid>
                </item>

<item><title>Google Images Malware</title>
                    <link>http://www.healthypasswords.com/Malware.Website.20110509113904.news.MiddleCenter.html</link>
                    <description>&lt;p&gt; 
Several news agencies have reported Google Images search results installing malware.  This doesn't mean Google is trying to infect your computer.  It means that criminals have figured out a way to distribute malware using compromised websites and Google’s image search.  The best explanation of this is from Brian Krebs.  You can read the article at &lt;a href=&quot;http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/&quot; target=&quot;_blank&quot;&gt; krebsonsecurity.com&lt;/a&gt;.  
&lt;/p&gt;

&lt;p&gt;
The article may be confusing for non-technical people, so the best thing to take away from it is to stay away from Google Images until Google gets this under control.  If you click on an image and a &quot;virus scanner&quot; you never installed pops up warning of infections, it is fake antivirus: turn off your computer.  You want to be sure it doesn't just hibernate or sleep.  You can turn off your computer by holding down the power button for a few seconds until it turns off.  Any unsaved work will be lost if you do this.  You can try saving unsaved work first by holding down ALT and pressing TAB until the program with unsaved work is in focus. 
&lt;/p&gt;

&lt;p&gt;
This same technique may be floating around more places than just Google images.  Right now the safest way to protect yourself is to do all your web browsing using live-cds.  For most people, live-cds are impractical for all but the most sensitive browsing. To learn more about Live-CD use, see &lt;a href=&quot;LiveDistroList.html&quot;&gt;Healthy Passwords - Bonus Materials - Live CD Distributions&lt;/a&gt;
&lt;/p&gt;

&lt;p&gt;
The next best thing is to use Firefox 4 with an add-on to choose when  javascript is allowed to run.  Do the following: 
&lt;/p&gt;

&lt;ol&gt;

&lt;li&gt; 
&lt;p&gt; Download the latest Firefox browser from &lt;a href=&quot;http://mozilla.org/&quot; target=&quot;_blank&quot;&gt;mozilla.org&lt;/a&gt;. 
&lt;/p&gt;
&lt;/li&gt; 

&lt;li&gt; 
&lt;p&gt; Add the &lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/noscript/&quot; target=&quot;_blank&quot;&gt; NoScript add-on &lt;/a&gt; 
&lt;/p&gt;
&lt;/li&gt;

&lt;li&gt; 
&lt;p&gt; Install &lt;a href=&quot;https://browsercheck.qualys.com/&quot; target=&quot;_blank&quot;&gt;Qualys BrowserCheck&lt;/a&gt;.  This is a utility that scans your browser and its plug-ins (Java, Flash, Adobe Reader and so on) and tells you which ones are missing important security updates.  You can learn more about this at &lt;a href=&quot;PasswordStrategies.Content.20110506082211.content.MiddleCenter.html&quot;&gt;Healthy Passwords - Patching Popular Software Vulnerabilities&lt;/a&gt;
&lt;/p&gt;
&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;
If you did this properly, the first time you run Qualys BrowserCheck you will get an error saying JavaScript is disabled.  This is good.  It confirms you did the first and second steps correctly.  Use NoScript to allow JavaScript for the Qualys site only, install every update it reports, and then cautiously proceed to Google Images.   Try to refrain from Bin Laden or Charlie Sheen types of images, as they are the most likely to be trouble right now.
&lt;/p&gt;

&lt;h3&gt;Update 5/18/2011&lt;/h3&gt;

&lt;p&gt;Sophos.com just posted this video showing how a bad Google Images result can translate to problems for OS X users.  For the full article, go to &lt;a href=&quot;http://nakedsecurity.sophos.com/2011/05/18/malware-on-your-mac-dont-expect-applecare-to-help-you-remove-it/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29&quot; target=&quot;_blank&quot;&gt; Sophos Article on Fake AV and OS X&lt;/a&gt;  
&lt;/p&gt;
&lt;p&gt;
&lt;object style=&quot;height: 390px; width: 640px&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/9Xna558F_m8?version=3&quot;&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;&gt;&lt;embed src=&quot;http://www.youtube.com/v/9Xna558F_m8?version=3&quot; type=&quot;application/x-shockwave-flash&quot; allowfullscreen=&quot;true&quot; allowScriptAccess=&quot;always&quot; width=&quot;640&quot; height=&quot;390&quot;&gt;&lt;/object&gt;
&lt;/p&gt;



</description>
					<pubDate>Mon, 09 May 2011 11:39:04 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Malware.Website.20110509113904.news.MiddleCenter.html</guid>
                </item>

<item><title>LastPass Discloses Network Anomaly, Advises Users to Change Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Passwords.20110505142344.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Today LastPass disclosed a &quot;network anomaly&quot; urging users to change their master password. &lt;/p&gt;

&lt;p&gt;If you use LastPass, be sure to change your master password immediately.   Also, be sure to follow all the rules and make an incredibly strong new master password.  If you have not yet set up their multi-factor authentication device, do so immediately.  This will make it nearly impossible to access your account without the hardware device.  &lt;/p&gt;



</description>
					<pubDate>Thu, 05 May 2011 14:23:44 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Passwords.20110505142344.news.MiddleCenter.html</guid>
                </item>

<item><title>Managing Your Browser's Form Data</title>
                    <link>http://www.healthypasswords.com/Internet.Passwords.20110502231335.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;This article, &lt;a href=&quot;http://www.pcworld.com/article/226725/edit_your_browsers_autofill_or_autocompleteand_protect_your_credit_cards.html&quot; target=&quot;_blank&quot;&gt;Edit Your Browser's AutoFill or AutoComplete--and Protect Your Credit Cards&lt;/a&gt; from PCWorld.com, tells how to manually manage saved form data. Saved form data is how forms on websites get automatically populated with your previous entries.  This data is not kept by the website, but is instead kept by your browser (Internet Explorer, AOL, Firefox, Chrome, Safari, or Opera). 
&lt;/p&gt;

&lt;p&gt;
This leaves behind bits of data that can be used against you.  It is convenient to have your browser recall addresses, phone numbers, cities, and states, but most people would rather not have their browser remember more sensitive information.
&lt;/p&gt;

&lt;p&gt;
The PCWorld.com article will explain how to selectively remove form data for Firefox, Chrome, or Internet Explorer.  If you use another browser, you’ll have to dig through the help.
&lt;/p&gt;

&lt;p&gt;
Everyone concerned about security should take a good look at this article and prune any sensitive information, such as credit card numbers, bank account numbers, CVV numbers, and social security numbers.
&lt;/p&gt;

&lt;p&gt;
Keeping this information on your computer is asking for trouble.  It may not be an eastern-bloc attacker that uses the information; it could just as easily be your kids ordering something you’d never allow.
&lt;/p&gt;







</description>
					<pubDate>Mon, 02 May 2011 23:13:35 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Internet.Passwords.20110502231335.news.MiddleCenter.html</guid>
                </item>

<item><title>Skype Virus Removal Hoax</title>
                    <link>http://www.healthypasswords.com/Hoaxes.Skype.20110501195141.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;
A new variation of the phone scam, where someone calls to tell you that you have a virus and offers to fix it, may have come to Skype.  Instead of someone calling, it may be a pre-recorded message.  The domain reported here was HelpHs.com, but this will probably change every few days.  &lt;a href=&quot;http://www.thedomains.com/2011/05/01/watch-out-for-the-newest-scam-unsolicited-skype-phone-calls-helphs-com/comment-page-1/&quot;&gt; This TheDomains.com article&lt;/a&gt; explains it.  You can also reference this Healthy Passwords  &lt;a href=&quot;http://www.healthypasswords.com/Hoaxes.Phone.20110408194101.news.MiddleCenter.html&quot;&gt;Phone Virus Scams&lt;/a&gt; article.
&lt;/p&gt;



</description>
					<pubDate>Sun, 01 May 2011 19:51:41 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Hoaxes.Skype.20110501195141.news.MiddleCenter.html</guid>
                </item>

<item><title>PlayStation Owners: Time to Change Your Passwords</title>
                    <link>http://www.healthypasswords.com/Breach.Website.20110427101147.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;Between April 17th and April 19th, a network breach of the Sony PlayStation Network occurred.  According to Sony, this potentially impacts 77 million users.  &lt;/p&gt;
&lt;p&gt;If you own a PlayStation, stop and think about this.  Look up your PlayStation username and password.  If the password is the same as on any other site, immediately change the other site passwords.  Start with your email accounts.  If an intruder gets into your email, they can easily look at your past items to find the financial institutions, social networking, and shopping sites you use.  They can then go to those other sites, reset your password, and begin clearing your accounts.&lt;/p&gt;
&lt;p&gt;According to the Sony Playstation.com website:&lt;br/&gt;
&lt;br/&gt;&quot;Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.&quot;&lt;br/&gt;
&lt;br/&gt;Sources: &lt;a href=&quot;http://us.playstation.com/support/answer/index.htm?a_id=2185&quot; target=&quot;_blank&quot;&gt;http://us.playstation.com/support/answer/index.htm?a_id=2185&lt;/a&gt;&lt;/p&gt;


</description>
					<pubDate>Wed, 27 Apr 2011 10:11:47 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Breach.Website.20110427101147.news.MiddleCenter.html</guid>
                </item>

<item><title>Malware Changing your Router</title>
                    <link>http://www.healthypasswords.com/Malware.Routers.20110426194240.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;
We've written about this before, but this is the first time we've seen it in the news for a while (&lt;a href=&quot;http://www.ajc.com/lifestyle/virus-makers-taking-new-925547.html?cxtype=rss_news_128746&quot; target=&quot;_blank&quot;&gt;Source: Atlanta Journal Constitution Article&lt;/a&gt;).  If someone compromises your router, they could be redirecting all your traffic to other sites.  The article does a great job explaining how this works.  The one thing they don’t mention is how this ploy can be used to steal your login credentials for banking or other sensitive sites.
&lt;/p&gt;

&lt;p&gt;
This can be done by changing your router’s configuration for something called DNS.  DNS is the service that converts site names from something humans understand to something computers understand.  Say, for instance, you enter www.bigbank.com in your browser; this is normally translated to a numerical address like 10.10.10.10, which is the real address for bigbank.com.  Most home computers simply ask the router for this translation, and the router in turn asks whichever DNS servers its configuration names.  If criminals set up a fake bank that looks just like your real bank at 20.20.20.20 and point your router at a DNS server they control, then when your browser asks for bigbank.com, your router will tell it to go to 20.20.20.20 instead of 10.10.10.10.  When you get there and try to log in, you'll get an error message.  At the same time, they just got your banking password.
&lt;/p&gt;
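&lt;p&gt;To make the description concrete, here is an added example (not from the article) that builds and parses real DNS packets and compares the answer your router gives with the answer from a resolver you trust; a name for which the router returns an address the trusted resolver never returns is flagged for a closer look. The bigbank.com addresses (10.10.10.10 and 20.20.20.20) are the article's illustrative values and the replies are constructed inline; when run with three arguments (router IP, trusted resolver IP, hostname) it performs live lookups instead.&lt;/p&gt;

```python
import socket
import struct
import sys
from typing import Dict, List, Tuple

A_RECORD, IN_CLASS = 1, 1


def encode_name(name: str):
    """www.bigbank.com becomes 3www 7bigbank 3com 0 (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234):
    # Flags 0x0100: standard query, recursion desired. One question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)


def build_response(name: str, ips: List[str], txid: int = 0x1234, ttl: int = 300):
    """Constructed reply for the demo: header, question, then one A record per IP.
    Answers use a compression pointer (0xC00C) back to the question name at offset 12,
    exactly as real resolvers do."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def read_name(data: bytes, i: int):
    """Decode a possibly compressed name starting at offset i; return (name, next offset)."""
    labels, jumped, next_i = [], False, i
    while True:
        length = data[i]
        if length == 0:
            i += 1
            break
        if length // 64 == 3:                 # top two bits set: pointer to an earlier name
            if not jumped:
                next_i = i + 2
            i = (length % 64) * 256 + data[i + 1]
            jumped = True
            continue
        labels.append(data[i + 1:i + 1 + length].decode("ascii"))
        i += 1 + length
    return ".".join(labels), (next_i if jumped else i)


def parse_a_records(data: bytes):
    """Return {name: [ipv4, ...]} for every A record in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    i = 12
    for _ in range(qd):                       # skip the question section
        _, i = read_name(data, i)
        i += 4                                # qtype and qclass
    result: Dict[str, List[str]] = {}
    for _ in range(an):
        name, i = read_name(data, i)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[i:i + 10])
        i += 10
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            result.setdefault(name, []).append(socket.inet_ntoa(data[i:i + 4]))
        i += rdlen
    return result


def suspicious(router_answer: Dict[str, List[str]], trusted_answer: Dict[str, List[str]]):
    """Names where the router's resolver returned an address the trusted resolver never did."""
    flagged = []
    for name, ips in router_answer.items():
        if not set(ips).issubset(set(trusted_answer.get(name, []))):
            flagged.append(name)
    return flagged


def query_server(server: str, name: str, timeout: float = 3.0):
    """Live lookup over UDP port 53 (only used when servers are given on the command line)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])


# Constructed demo: the trusted resolver says bigbank is 10.10.10.10, the router says 20.20.20.20.
TRUSTED_REPLY = build_response("www.bigbank.com", ["10.10.10.10"])
HIJACKED_REPLY = build_response("www.bigbank.com", ["20.20.20.20"])

if __name__ == "__main__":
    if len(sys.argv) == 4:    # usage: dnscheck.py ROUTER_IP TRUSTED_RESOLVER_IP HOSTNAME
        router_ip, trusted_ip, host = sys.argv[1:]
        print(suspicious(query_server(router_ip, host), query_server(trusted_ip, host)))
    else:
        print(suspicious(parse_a_records(HIJACKED_REPLY), parse_a_records(TRUSTED_REPLY)))
```

&lt;p&gt;A mismatch is not proof of tampering: large sites deliberately answer with different addresses depending on which resolver asks (content delivery networks do this), so treat a difference as a reason to check the site’s certificate and the DNS entries in your router’s configuration, not as a verdict.&lt;/p&gt;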

&lt;p&gt;
All the security software in the world may not protect you from this type of ploy.  An alert user may notice that the site they went to is not using a secure (HTTPS) session, or that the browser shows a certificate warning, since the fake site normally cannot present a valid certificate for the real bank’s name.  Or, if the site is a known bad site and you are using a third-party website rating tool like WOT or Site Advisor, you may get a warning.   Other than that, most people are fooled by this type of ploy.
&lt;/p&gt;

&lt;p&gt; 
Preventing this from happening to you is not very difficult.  
&lt;/p&gt;

&lt;ol&gt;

&lt;li&gt;
If your router was supplied by your internet service provider (ISP), you’ll have to call them for help.  Don’t try upgrading their equipment.  Also keep in mind that many ISPs have old equipment with known administrator credentials, so they may be just as big of a security risk as any off-the-shelf router.
&lt;/li&gt;

&lt;li&gt;
If your router is older than five years, buy a new one.  This will get you the latest security protocols as well as the latest firmware.  It will also give you the ability to plug the old one back in if the new one fails.
&lt;/li&gt;

&lt;li&gt;
If you’re upgrading your older router, first find or download the installation instructions for your exact router model.  Make sure you know the default admin username and password.  Also, ensure you know your internet service provider’s settings.  It is probably a good idea to go through and print out every option you can find in the old router’s configuration screens.  
&lt;/li&gt;

&lt;li&gt;
Find your router’s reset-to-factory-defaults button.  It is usually a small hole in the back of the router.  You stick a sharp pencil or toothpick in the hole to depress the hidden button for 30 seconds and your router will reset to factory defaults (read your manual to be sure). 
&lt;/li&gt;

&lt;li&gt;
Access the router’s configuration pages through a browser and set it up again.  This time, be sure to change the default admin password, turn off remote (Internet-side) administration if it is enabled, check that the DNS server entries are your ISP’s or ones you chose yourself, and update the firmware from the configuration utility.  
&lt;/li&gt;

&lt;li&gt;
Once everything is working, document your router’s settings.  It is even OK to write the username and new password on the router with a marker.  Another idea is to put the configuration printouts you made in an envelope and tape them to the router (just be sure not to cover any vents).
&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;
Over the years I have tried a few dozen router brands.  Throughout that time most have been very similar.  There is one notable exception, and that is the Apple AirPort.  I’ve only used the Extreme model, but the regular model uses the same basic setup.  The nice thing about this product is the software setup.  You don’t need to use a web browser at all.  The utility is a stand-alone application that walks you through all the necessary setup.  The most important part is that the software will automatically update the firmware as soon as it is available, using the same Apple update utility that iTunes or OS-X uses.  Very few people ever wake up and say, “Gee, I think I’ll check for router firmware updates today”.  Apple has eliminated the need to remember to check for firmware updates every few months.  As soon as a firmware update becomes available, your Apple updater will tell you and walk you through the update.

&lt;/p&gt;



</description>
					<pubDate>Tue, 26 Apr 2011 19:42:40 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Malware.Routers.20110426194240.news.MiddleCenter.html</guid>
                </item>

<item><title>Mobile Devices are Increasing Malware Targets</title>
                    <link>http://www.healthypasswords.com/Malware.Phone.20110425230909.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;The number of articles written about smart phone attacks increases every week.  &lt;a href=&quot;http://www.mercurynews.com/business/ci_17910077?nclick_check=1&quot; target=&quot;_blank&quot;&gt;This article by Brandon Bailey of the San Jose Mercury News&lt;/a&gt; does a good job at explaining the situation.
&lt;/p&gt;

&lt;p&gt;According to the article, Android is the biggest target right now because it has the largest installed base.  Android, made by Google, has a permission system meant to keep applications away from sensitive data and functions.  The problem is that Android relies upon the phone's owner to judge the permissions an app asks for during installation, and at this time they are granted all at once: you either accept everything the app asks for or you do not install it.  For example, if you install a game that has no reason to make calls and the install screen says it wants permission to call phone numbers, do not install it.  The mere fact that a game asks to make calls is a warning sign.  There's a good chance that your next bill could be littered with premium-rate (900-number) toll calls.
&lt;/p&gt;

&lt;p&gt;
Understanding all the prompts from Android may be confusing to the average user.  If you don't understand something, don't just grant it.  Stop, and search the help until you understand what it is asking to do.  If it seems at all questionable, go back to the reviews and user instructions to understand why it may need that authorization.  You can always decline to install; the worst case is that you do without the application.  Once you understand what it needs and why, you can always go back and install it later.&lt;/p&gt;


</description>
					<pubDate>Mon, 25 Apr 2011 23:09:09 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Malware.Phone.20110425230909.news.MiddleCenter.html</guid>
                </item>

<item><title>A Big Risk with Online Email</title>
                    <link>http://www.healthypasswords.com/Email.Passwords.20110423190701.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;I just read &lt;a href=&quot;http://www.hometownlife.com/article/20110421/BUSINESS/104210382&quot; target=&quot;_blank&quot;&gt;a really good article by Jon Gunnells on the Observer and Eccentric &lt;/a&gt; about online security and passwords.  The writer makes a very good point.  If you use a web-based email address as your user ID at other websites, someone who compromises your email account can just go to any of those websites and say they forgot their password.  In most cases the site uses your email as positive proof that you are who you say you are.   Think about this a bit.  Once they have your main email, they will see notices from many of the sites you use and know exactly where to go. &lt;/p&gt;

&lt;p&gt; My main email account has always been a type that doesn't have web access by default.  These are called POP or IMAP.  Most people use this type of account for work, but most people use gmail, yahoo, or some other web mail provider for their main personal email account.   &lt;/p&gt;

&lt;p&gt;The same risk exists for POP or IMAP, but it is a lot less likely that someone will hijack these types of accounts.  If your primary email is a web-based email service, and you routinely use that email as a login for other online accounts, you need to treat your email as the highest-risk type of site.  Use a very strong password and change it monthly.&lt;/p&gt;



</description>
					<pubDate>Sat, 23 Apr 2011 19:07:01 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Email.Passwords.20110423190701.news.MiddleCenter.html</guid>
                </item>

<item><title>A new secure password idea</title>
                    <link>http://www.healthypasswords.com/Authentication.Third-Party.20110423111056.news.MiddleCenter.html</link>
                    <description>&lt;p&gt;The quest for secure ways to remember strong passwords recently took a new turn.  This &lt;a href=&quot;http://www.networkworld.com/news/2011/042111-passwords-captcha.html?hpg1=bn&quot; target=&quot;_blank&quot;&gt; Network World article &lt;/a&gt;  explains how researchers have devised a password storage and retrieval system using CAPTCHAs.  &lt;/p&gt;

&lt;p style=&quot;width:80%;padding:10px;border:5px solid gray;margin:0px;&quot;&gt;CAPTCHAs are the images with twisted or stretched word images you are forced to enter when submitting web forms.  They are meant to ensure only a human is submitting the form.  &lt;/p&gt;

&lt;p&gt;The idea is that you take a password and split it into two parts.  One part is weak and easy to remember.  The second part is strong.  What happens is a CAPTCHA is created for the strong part and encrypted in a way that only the weak part can decode.  &lt;/p&gt;

&lt;p&gt;The interesting part is what happens when a cracking program takes a password list and tries each entry as the key: to the attacking computer every attempt appears to succeed, because each one produces an image.  Only a human looking at the image can tell which result is the real strong part.&lt;/p&gt;

&lt;p&gt;To use this system a user would do the following:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Create a strong password, either manually or by using a password generator, for example apple_83tNf&amp;)_sKb.&lt;/li&gt;
&lt;li&gt;Pick an easy-to-remember part of the password, such as apple.&lt;/li&gt;
&lt;li&gt;Go to a website or run a program, paste in apple_83tNf&amp;)_sKb, and indicate that apple is the easy part, which becomes the key.&lt;/li&gt;
&lt;li&gt;When you need the password again, run the program or go to the website, select the site the password is for, and enter the easy part; it returns the CAPTCHA.  Combining the two gives the correct password.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Personally, this seems like a lot of steps to go through to retrieve a password.  The creators plan to have it commercially available in a month.  It will be interesting to see if this system gains any traction.&lt;/p&gt;

</description>
					<pubDate>Sat, 23 Apr 2011 11:10:56 -0400</pubDate>
					<guid isPermaLink="false">http://www.healthypasswords.com/Authentication.Third-Party.20110423111056.news.MiddleCenter.html</guid>
                </item>
</channel></rss>