Category Archives: Password Control

Breaches, Hacks, and Lessons to be Learned

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.


wps_clip_image-30209

Seems every new day brings news of yet another database breach or two. There was a time when I followed news of these hacks and breaches with interest but they are now so frequent that, unless one is personally involved, it has all become rather mundane.

However, the whole situation begs a couple of important questions and, at the same time, re-enforces the critical nature of how we choose and manage our passwords.

Important Questions

1) Why are companies/site owners not treating users’ data with the utmost care?

I don’t know about you but I am fed up with the lax way in which companies and site owners treat sensitive data which is entrusted to their care.

In today’s internet world, database breaches are a matter of fact yet site owners continue protecting sensitive data using outdated and weak security protocols. Only just recently a new breach came to light involving 40 million passwords extracted from over 1000 sites associated with a Canadian company called VerticalScope. What security protocol did the sites employ to hash and encode users’ passwords… MD5… a known weak and insufficient algorithm.

2) When will governments legislate to ensure that companies/site owners are accountable?

Surely it is incumbent upon these companies/site owners to protect their patrons’ data with the best and most effective security protocols available. However, as many (if not most) seem apathetic to this most basic of duties, then perhaps it’s time for legislators to consider introducing serious punitive measures for  those who fail to do so.

By the way: in response to news of the breach mentioned earlier, VerticalScope’s vice president of corporate development Jerry Orban was quoted as saying:

“We are reviewing our security policies and practices and implementing security changes related to our forum password strength and password expiration policies across certain forum communities.”

How many times have we heard that pathetic  response – I believe it’s commonly referred to as shutting the stable door after the horse has bolted. Message to site owners: perhaps these steps might be better implemented before a breach rather than after.  Duh!

Lessons to be Learned

wps_clip_image-5330

How many times have you read the following advice regarding passwords:

· Choose strong passwords and use a different password for each log-in/account.

· Change passwords for critical accounts, such as banking,  PayPal, etc., frequently.

· If two-factor authentication is available, use it!

If there’s one lesson to be learned from all these breaches and hacks it is the absolute need to follow these basic principles. Remember, if you use weak passwords and/or the same password across multiple accounts, if one account is hacked all the rest are at serious risk.

Too many people just glide along ignoring the dangers until it actually happens to them, however, this is surely a lesson better learned from other people’s mistakes rather than from our own.

2 Comments

Filed under cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Safety, Password Control, Safe Surfing

WordPress Password Fiasco

imageFair or not – “You don’t know what you don’t know” is a throwaway phrase, often used to describe a typical Internet users range of knowledge as it applies to security risks. What’s worrisome about relying on the truth of this statement is – it can be applied much more broadly – it doesn’t just apply to casual computer users. It applies equally to you – and, to me.

Virtually on a daily basis, another previously unknown (or, undisclosed), vulnerability in an application, operating system, website, cloud service, or in an Internet protocol is discovered by “security researchers”. Here’s today’s, from my Daily Net News column.

Improper SSL Implementations Leave Sites Wide Open to Attack – Security researchers are buzzing about the flaws in the Secure Sockets Layer system and the fact that a significant portion of the Internet is vulnerable to attack.

I’ll venture a guess and suggest – you didn’t know about this. Nor, did I. More to the point perhaps, what needs to be asked is – did cyber criminals know?

What about this one from two days ago?

 Kaspersky: 12 different vulnerabilities detected on every PC – Researchers from Kaspersky have sampled their customer base, and found out that on average, every PC has 12 different vulnerabilities.

The vulnerabilities described are not self inflicted – instead, they are specified, or unspecified, vulnerabilities in Flash, Adobe Reader, Java, and Adobe Shockwave. There’s no need to wonder if cyber criminals are aware of these vulnerabilities – they most assuredly are.

WordPress Password – I didn’t know, that I didn’t know.

More than once, I’ve made the point here, there are certain companies which put forward unrealistic assertions that their Web operations are inviolate – they can’t be hacked. One of those companies is WordPress.com.

So, I was hardly taken by surprise when I received the following email from WordPress, yesterday. Not surprised – but, pretty pissed at the approach taken by WordPress to describe a potentially devastating circumstance for WordPress bloggers who run popular sites.

Hello Bill Mullins,

We recently found and fixed a mistake that we’d like to tell you about. Passwords on WordPress.com are saved in a way that makes them extremely secure, such that even our own employees are unable to see your actual password – the one you enter to login to your WordPress.com account.

However, between July 2007 and April 2008, and September 2010 and July 2011, a mistake in one of our systems used to find and correct bugs on WordPress.com accidentally logged some users’ passwords in a less secure format during registration.

We’ve updated our systems to prevent passwords from being logged this way in the future, so this will not happen again. We don’t have any evidence that this data has been accessed maliciously or misused, but to be on the safe side we are resetting your password since your account is among those affected.

Please change your password using this link or copy and paste the URL below into your web browser:

https://wordpress.com/wp-login (I have removed certain parameters here)

If the password you used when you registered on WordPress.com was one you use elsewhere, you should change it there, too. In the future, remember that it’s good practice to always use unique passwords for different services.

We are terribly sorry about this mistake. No one likes having to create new passwords and we’d like to include a 15% off coupon to say we’re sorry. The coupon can be used for a custom domain, a design upgrade, VideoPress, or a storage space increase. Just use the code below on any of the upgrades on the WordPress.com Store:

pc21d064ae

If you have any questions, please reply to this email and one of our Happiness Engineers will get back to you as soon as possible.

Thank you,
The WordPress.com Team

Some salient points:

Why on earth would WordPress send an email that has all the hallmarks of a phishing scam – quote: “to be on the safe side we are resetting your password since your account is among those affected”. Huh – you’re going to reset my password? So there was zero chance of me clicking on the password reset link. The only secure method was a password reset from this blog’s Dashboard.

“A mistake in one of our systems” – At the desk I’m sitting at, I tend to call this type of “mistake” a vulnerability.

“In the future, remember that it’s good practice to always use unique passwords for different services.” Yeah, sure WordPress is just about the last organization I’d take advice from in terms of password control!

Offering a 15% discount on WordPress products “to say we’re sorry”, is ill advised and inappropriate. This “bad news” – “good news” approach, is out of bounds.

Finally, referring to support staff as “Happiness Engineers”, makes me wonder what these people smoke after breakfast. It’s a little late for ‘60s terminology, it seems to me.

I titled this article “WordPress Password Fiasco”, not because WordPress found itself in an unknown vulnerable position, which by extension applies to me as well – but because the manner in which a serious situation was handled, is appalling. At a minimum, WordPress has an obligation to disseminate news of this potential breach widely on the Internet. This is not business as usual.

Consider the number of serious breaches that occurred in the last year, which initially were classified by the victimized organization as inconsequential. Until, that is, information slowly leaked, that in many cases, the penetrations were disastrous. Think Sony.

I’m hopeful, that months from now, I won’t have to replace “Think Sony” with -“Think WordPress”. But, then again – “I don’t know what I don’t know”.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

10 Comments

Filed under Email, Internet Security Alerts, Opinion, Password Control, Point of View, Tech Net News, WordPress

Weak Password Control – A Self Inflicted Injury

imageOver the weekend, Gawker.com was attacked, leading to a compromise of some 1.5 million user login credentials on Gawker owned sites, including Gizmodo, and Lifehacker.

According to Gawker Media

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

In an ironic twist to this tale of woe, it turns out that Nick Denton, the site’s founder, had not followed his own advice and in fact, used the same password for his Google Apps account, his Twitter account, and others.

So what gives? Why would someone with the supposed technical competence of Denton be so boneheaded? I suspect it’s because the reality is – he’s no different than any typical user when it comes to establishing and enforcing proper password control. A lackadaisical effort is the norm.

I understand the the dilemma. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. And, a single password is surely easier to remember than a series of passwords, simple or not. No surprise then, that most computer users’ employ a single, easy to remember, and consequently – unsafe password.

So what’s a user to do to avoid this critical security lapse? Well, you could follow the most common advice you’re likely to find when it comes to password control, and install a “password safe” – an application designed to store and retrieve password.

The Internet is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true. In my view, the password safe advice falls into this category.

Let me pose this question – you wouldn’t hang your keys outside your front door, would you? Of course you wouldn’t. Then why would you save passwords on the Internet, or on your computer? If there is one computer truism that is beyond dispute, it’s this – any computer application can be hacked, including password safes.

I have never saved passwords online, or on a local machine. Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure. There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue.

I know that on the face of it, writing down your password seems counter intuitive, and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Interestingly, Bruce Schneier, perhaps the best known security guru and a prime mover, some years back, behind the development of  Password Safe, is now an advocate of – you guessed it; writing down your passwords.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

15 Comments

Filed under cybercrime, Don't Get Hacked, downloads, Freeware, Interconnectivity, Internet Safety, Online Safety, Password Control, Software, System Security, Windows Update