Here is what LinkedIn is doing in order to "protect our members": "transition from a password database system that hashed passwords ... to a system that both hashed and salted the passwords". Well, this is great security innovation. They don't even talk about two factor authentication. Many online companies that take security seriously implemented two factor authentication a long time ago. Social networks are no exception: both Facebook and Google have two factor authentication mechanisms.
Two factor authentication and online companies (Google, Facebook and others): http://bit.ly/KMohVO
Original post about LinkedIn stolen passwords: http://bit.ly/LzGWzu
LinkedIn blog about implementing salted passwords: http://bit.ly/L0iPNd

Since I have an active LinkedIn account, the recent LinkedIn security breach became a personal issue for me, and I decided to investigate it myself in order to find out whether my account could be compromised. I downloaded the file which, according to an article published on a Russian security news site, is claimed to contain the stolen LinkedIn passwords, and searched it for my LinkedIn password (the old one, of course - I changed it as soon as the first information about the breach was posted yesterday), but I could not find it. Here is an explanation of what I did.

First of all, the structure of the password file is weird: it contains 160-bit entries (20 bytes = 40 ASCII HEX chars) separated by 0A bytes (shown as dots in a hex editor), but some entries apparently have 5 leading zeros (i.e. they carry only 140 bits of information). Since there is no hash function that produces 140 bits, I hashed with SHA1 (which produces 160 bits) and simply removed the 5 leading chars from the resulting ASCII HEX string before searching. As I said, my password still did not turn up, so I hashed some of the most commonly used dictionary passwords - such as "password" and "abcd1234" - and I did find matching entries for both of them in the file (using WinHex; the file size is 245MB). This means the file apparently does contain more than 6 million hashed passwords (some of them left-padded with 5 zeros though). However, my findings still do not prove that these passwords are related to LinkedIn. They do not even demonstrate that the file contains any real passwords: it could be a rainbow table. But I still recommend that you change your LinkedIn account password. Just in case.
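The lookup described above can be automated; the following is an added example, not code from the original post. It indexes a dump by the last 35 hex chars of each entry (the 140 bits that survive a zeroed prefix) and checks candidate passwords against it. The dump content is constructed: the first entry is the SHA1 of "password" with its first 5 hex chars zeroed, the "abcd1234" entry is computed at run time, and the filler entries are not real hashes.

```python
import hashlib

# Constructed sample of "password file" entries: one 40-hex-char SHA1 digest per
# line, some with the first 5 hex chars overwritten with zeros, as the post describes.
SAMPLE_DUMP = "\n".join([
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",   # sha1("password"), 5 leading chars zeroed
    hashlib.sha1(b"abcd1234").hexdigest(),        # plain sha1, computed for this sample
    "0000" + "f" * 36,                             # filler, constructed, not a real hash
    "d0cf6fd1e8cbb30d5e5bc9bc5b25f8e3a4b6c1de",   # filler, constructed, not a real hash
    "not a hash line",                             # junk, skipped by the loader
])

HEX_DIGITS = set("0123456789abcdef")


def load_entries(dump_text):
    """Index dump entries by their last 35 hex chars.

    Because some entries have their first 5 hex chars zeroed, only the trailing
    140 bits are reliable for matching. Both 40-char entries and already
    truncated 35-char entries (as quoted in the post) are accepted.
    """
    index = {}
    for line in dump_text.splitlines():
        entry = line.strip().lower()
        if len(entry) not in (35, 40) or not set(entry) <= HEX_DIGITS:
            continue
        index.setdefault(entry[-35:], []).append(entry)
    return index


def check_password(candidate, index):
    """Return the dump entries matching an unsalted SHA1 of candidate, or []."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return index.get(digest[-35:], [])


def check_wordlist(words, index):
    """Map each word that appears in the dump to its matching entries."""
    hits = {}
    for word in words:
        matches = check_password(word, index)
        if matches:
            hits[word] = matches
    return hits


if __name__ == "__main__":
    idx = load_entries(SAMPLE_DUMP)
    print(check_wordlist(["password", "letmein", "abcd1234"], idx))
```

Because the dump is unsalted, a single SHA1 per candidate is enough to test the whole file; a per-user salt would force a separate computation per entry and defeat this kind of dictionary check.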
Here is an example of a hashed password from the "LinkedIn password file":
password: [password]
SHA1: [5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8]
"LinkedIn password file" entry: [1e4c9b93f3f0682250b6cf8331b7ee68fd8]

Interesting blog article about Flame spreading. It demonstrates Flame's level of sophistication.
http://bit.ly/Kajttg

According to the CloudFlare blog, the hacker was able to compromise the password recovery and two factor authentication systems and eventually gained access to the account of one of CloudFlare's customers: "Google reports that they discovered a 'subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts. We've now blocked that attack vector to prevent further abuse.'" Technical details about how either Google password recovery or the two factor authentication system was bypassed are unclear.
CloudFlare blog: http://bit.ly/K7QTCg
Google two factor authentication: http://bit.ly/KD1cmi

Moxie Marlinspike and Trevor Perrin have submitted a proposal to the Internet Engineering Task Force (IETF). The draft document describes a new way of validating server certificates based on trust accumulated and shared by multiple clients. The proposed TLS protocol extension is called Trust Assertions for Certificate Keys (TACK). It is based on public key cryptography; however, it does not use the Public Key Infrastructure (certificates and certificate authorities).
The text of the proposal: http://bit.ly/JieksQ
The article in InfoSecurity magazine: http://bit.ly/L0jWtj

How do you know whether your mobile phone is being tapped? It is difficult if your phone is bugged with FlexiSpy. On an Android phone, you can install Symantec Norton Mobile Security, which claims to be able to remove the spyware. There is another popular mobile spy application called SpyMobile. It supports virtually any mobile OS - iPhone, Blackberry, Android, Windows Mobile and Symbian - which means it can be installed on almost any device. Once installed on your phone, it runs in silent mode, so there is no obvious way to tell whether your phone is bugged.
However, this software has to be manually installed and initially configured on your phone, and there are "secret" default keystroke sequences that have to be keyed in to activate the management console. To check whether SpyMobile is installed on your phone, try these sequences. If nothing happens, you are lucky. If you see the SpyMobile login screen, you are not.
Windows Mobile and Symbian: #123456789*
Android: *12345#
iPhone: **54321
Blackberry: #10001*
FlexiSpy: http://www.flexispy.com/
SpyMobile: http://www.spymobile.biz/
Symantec Android.Flexispy: http://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99&tabid=3
Symantec Norton Mobile Security: http://us.norton.com/mobile-security
Mobile spyware review: http://www.spyphonereview.com
More information on signs of a bugged phone: http://www.makeuseof.com/tag/6-signs-cell-phone-tapped/

I just discovered two product offers from Comodo. Both look like useful security services (both are offered for free) - one for website owners and one for computer owners. The first is a web based scanner called SiteInspector that performs daily checks of your website for malicious software injections. It is offered for free for 365 days. The sample report looks like this (I tested it on my personal website): http://siteinspector.comodo.com/public/reports/2433373
The second service is a personal firewall which can also be downloaded and installed for free. The user interface is friendlier and more understandable than the one provided by the standard Windows firewall. It filters inbound and outbound network connections based on a pre-loaded built-in "white list". If something that is not on the list tries to open a connection, it will ask you whether you want to allow it, block it, or - if you are not sure - send a request to Comodo. So far it looks pretty stable and has a very small memory footprint.
Read my new article about protecting your Internet privacy from insecure wireless networks and corporate firewalls:

I just signed up for a Diaspora* account to see what "The Anti-Facebook" really looks like. The Diaspora* project is still in alpha, but there are already several working pods, so I used one of them. If you are not familiar with the Diaspora* concept: rather than using a centralized social networking website like Facebook, it lets users maintain their own mini websites (which they call "pods"), so in order to enter the Diaspora* network you either need to set up your own website or use one of the existing pods hosted by independent providers. The pod which I randomly selected from a list I found on the wiki (for some reason the official Diaspora* website does not provide any information on how to sign up for an account) claims to be in beta... Doesn't it sound weird that the product is in alpha but one of its service providers is already in beta? Anyway, eventually I managed to sign up. Discussion of bugs and design is out of scope for this article. Much more important is the idea behind decentralized hosting of social network accounts: privacy. You do not give up your privacy to a social network owner such as Facebook, which sells information about you to third parties. Sounds very reasonable and promising! However, what happens in reality? If you are not a computer geek who intends to participate in the development of a new social network project, I doubt you will have enough time, motivation, technical capabilities and, most importantly, knowledge to maintain your own pod website. Therefore, in order to join Diaspora* you will have to open an account on one of the existing pods. Instead of giving your information to the at least well known and somewhat accountable Facebook, you will have to trust the same data to one of randomly selected unknown hosting providers?
Note that Diaspora* is all about open source, so there is no licensing or other controlling mechanism, and literally everyone can set up a new Diaspora* pod and start maintaining user accounts, which in fact means owning user information! The idea of decentralization and "privatization" of social networks is great, but this particular implementation is practically not there yet... So who is next? By the way, you can find me on Diaspora* at sgomzin@privit.us