Tuesday, May 31, 2016

YAPF (Yet Another Password Fail)

   It's another week and password problems are in the news again!

   In the July 10, 2012 edition of this blog I wrote about the 2012 LinkedIn password breach.  A month earlier, LinkedIn confirmed that a Russian attacker exploited a website vulnerability and downloaded 6.5 million encrypted passwords.  You can read my old post to see why that's a problem.

   Well, some gifts just keep on giving!  Now, nearly 4 years later, a newly posted password dump from this same breach was advertised for sale on a dark web site.  Except that information on over 167 million accounts were for sale!  Of those, over 117 million had both the email and password.  Slightly different math!!!

   So why is this a problem?  Actually it's an old problem and a new problem.  Here are the key issues:
  • Poor password choices - once again, this latest set of stolen passwords shows weak passwords - the top five found passwords were: 123456 (used on over 1 million accounts!), linkedin, password, 123456789 and 12345678
  • Password reuse - since people have accounts on so many sites that need passwords, they tend to reuse them.  The one million people who used 123456 as their LinkedIn password likely reuse that on other sites.
  • Back to Work - are some of these same poor password choices being made on work systems?  Or are some work passwords being used on sites like LinkedIn and potentially included in this breach?

Tuesday, May 17, 2016

National Betty White's Password Day

   So apparently May 5, 2016 was World Password Day.  Who knew?  Not me... I missed this one.  But Betty White didn't!  Here's a great video:

   It's not exactly clear to me how May 5 was chosen.  I thought that was Cinco De Mayo!  Apparently this is the 3rd annual World Password Day on the first Thursday in May.  However, for years before that, Feb. 1 has been National Change Your Password Day.

   I don't know about the date change but I definitely support the name change.  The point here is that changing your password is not the key thing to do... I've written about this plenty of times before... when it comes to passwords, size matters!  And multi-factor authentication is a great choice for your personal accounts.

   But don't take it from me... Let's hear from Betty White!

Tuesday, May 3, 2016

Secrets Your Phone Told Me

   You may remember that earlier this year we were all talking about the standoff between the FBI San Bernadino attack.  This specific problem was "solved" when the FBI said they were able to decrypt the phone and no longer needed Apple's help.  The assumption by many is that the FBI purchased an exploit used to break into the phone.
and Apple about the decryption of an iPhone used by one of the shooters in the

   This leads us to an important consideration and question... can any phone be hacked?  Is any information on your smartphone really private?

   We have become completely dependent upon our phones.  According to a 2015 Pew Research Center study, in the US over two-thirds of the population uses a smartphone.  We keep all of our personal information on there: passwords and accounts, photos and videos, credit card data, tax data; we shop and set many preferences (travel, food, dating, real estate); we track our workouts, our weight our food and all our movements.  Today's smartphone is the key to far more information about you than you can imagine!

   We can, of course, watch TV on our phone.  And on 4/17/2016, 60 Minutes aired a show about smartphone security and privacy.  You can view it here.

   In the episode, they talked about the SS7 (Signaling System 7) protocol and how it works.  SS7 was designed in 1975 and it is the protocol that allows phone systems to pass calls between them.  For mobile, it handles maintaining connections as you move between cell towers, for example as you are driving down the road (using hands-free calling of course! :-).  This particular exploit is not new at all.  In fact, this has been a topic at the Black Hat Briefings and other security conferences for years.

   But all this aside, there is no need for exploits or vulnerabilities to track people or glean personal information through their phones.  Disclosing this information is simply how phones and apps work!  Let me explain...