How LinkedIn’s password sloppiness hurts us all
Back in 2012, fellow professional password cracker d3ad0ne (who regretfully passed away in
2013) and I made short work out of the first LinkedIn password dump, cracking
more than 90 percent of the 6.4 million password hashes in just under one week.
Following that effort, I did a short
write-up ironically titled The Final Word on the LinkedIn Leak.
But those 6.4 million unique hashes posted on a
Russian password-cracking forum in June 2012 only accounted for a fraction of
the total LinkedIn database. This second
dump, on the other hand, contains 177.5 million password hashes for 164.6
million users, which aligns perfectly with LinkedIn's user count in the second
quarter of 2012. After validating
the data that I received with several individuals, I concluded that this does
appear to be a nearly complete dump of the user table from the 2012 LinkedIn
hack.
Also for my Ethical Hacking students. Should Computer Security managers be
monitoring sites like this? (Perhaps a
business opportunity for someone who would push this information to managers?)
Just as Chris Vickery has tried to focus attention on the fact that
there are still tens of thousands of misconfigured databases exposing PII and
other information that should be protected because port 27017 is open, now
TeamGhostShell is also calling attention to the problem – plus other open
ports and issues.
… This project
will focus solely on this poorly configured MongoDB. I’d like to mention exactly how easy it is
to infiltrate within these types of networks but also how chilled
sysadmins tend to be with their security measures. Or should I say, lack thereof.
In a lot of
instances the owners don’t bother checking for open ports on their newly
configured servers, not only that but they also don’t concern themselves
with establishing a proper authentication process. (Just a simple username/password)
… ZDNet,
ably assisted by Lee Johnstone, provides some comments and analyses of the
data dump.
Another common security risk. Excel (and many other common applications)
makes this type of error simple to commit, difficult to “see.”
Penn State University recently reported
an incident to the New Hampshire Attorney General’s Office that involves a
now-defunct club.
According to their report,
the university was notified on April 13 that a historical document uploaded to
the Undergraduate Law Society’s web site was a spreadsheet
that contained two fields – SSN and DOB – that were not visible on casual
inspection, but could be “unhidden” in Excel. The records therefore exposed the
SSN and DOB of 379 individuals. Upon notification, the university immediately
took the site offline while they investigated.
… They do not
explain why the web site of a defunct organization was still online.
PSU notes
that although it has no responsibility for what clubs post on their web sites,
[Oh really? Bob] in response
to this incident, they have started working more closely with student
organizations about the importance of protecting personal information, and are
encouraging organizations to use the Identity Finder software to locate and
then remove personal information.
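Added here as an illustration of the pre-publication check that would have caught the PSU spreadsheet (example code, not from the blog, the university or any vendor): it opens an .xlsx as the zip of XML parts it really is and reports hidden sheets, hidden rows and hidden columns, which is exactly where SSN and DOB fields can sit unseen on casual inspection. The workbook it builds is constructed for the demonstration, so it runs offline with only the standard library.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by xl/workbook.xml and each worksheet part.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def col_letter(n):
    """1-based column index to Excel letters (1 -> A, 27 -> AA)."""
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return s

def find_hidden(xlsx_bytes):
    """List hidden sheets, columns and rows by reading the raw OOXML parts of an .xlsx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.findall(".//m:sheets/m:sheet", NS):
            state = sh.get("state", "visible")  # "hidden" or "veryHidden" when concealed
            if state != "visible":
                findings.append(f"sheet {sh.get('name')!r} is {state}")
        for part in sorted(z.namelist()):
            if not re.fullmatch(r"xl/worksheets/sheet\d+\.xml", part):
                continue
            ws = ET.fromstring(z.read(part))
            for col in ws.findall(".//m:cols/m:col", NS):  # hidden flag or zero width
                if col.get("hidden") in ("1", "true") or col.get("width") == "0":
                    a, b = int(col.get("min")), int(col.get("max"))
                    span = col_letter(a) if a == b else f"{col_letter(a)}-{col_letter(b)}"
                    findings.append(f"{part}: column(s) {span} hidden")
            for row in ws.findall(".//m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append(f"{part}: row {row.get('r')} hidden")
    return findings

def build_sample_workbook(hide=True):
    """Constructed .xlsx: columns C-D (SSN/DOB), row 7 of sheet 2 and sheet 2 itself, hidden when hide=True."""
    m = NS["m"]
    state = ' state="hidden"' if hide else ""
    cols = '<cols><col min="3" max="4" width="0" hidden="1"/></cols>' if hide else ""
    flag = ' hidden="1"' if hide else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{m}"><sheets><sheet name="Members" sheetId="1"/>'
                                      f'<sheet name="Archive" sheetId="2"{state}/></sheets></workbook>')
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{m}">{cols}<sheetData><row r="1"/></sheetData></worksheet>')
        z.writestr("xl/worksheets/sheet2.xml", f'<worksheet xmlns="{m}"><sheetData><row r="7"{flag}/></sheetData></worksheet>')
    return buf.getvalue()
```

Run `find_hidden(open("file.xlsx", "rb").read())` on a real workbook before it is uploaded anywhere; an empty list means nothing is concealed by hiding (it does not cover white-on-white text or external links).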
No government agency would listen to an employee (or
contractor) 92 levels below the head of the agency.
Jason Leopold, Marcy Wheeler, and Ky Henderson report:
On the morning of May 29, 2014,
an overcast Thursday in Washington, DC, the general counsel of the Office of
the Director of National Intelligence (ODNI), Robert Litt, wrote an email to
high-level officials at the National Security Agency and the White House.
The topic: what to do about
Edward Snowden.
Snowden’s leaks had first come to
light the previous June, when the Guardian’s Glenn Greenwald
and the Washington Post’s Barton Gellman published stories
based on highly classified documents provided to them by the former NSA
contractor. Now Snowden, who had been demonized
by the NSA and the Obama administration for the past year, was publicly
claiming something that set off alarm bells at the agency: Before he leaked the documents, Snowden said,
he had repeatedly attempted to raise his concerns inside the NSA about its
surveillance of US citizens — and the agency had done nothing.
Read more on Vice.com.
[From the
article:
The trove of more than 800 pages [pdf at the end of this
story], along with several interviews conducted by VICE News, offer
unprecedented insight into the NSA during this time of crisis within the
agency. And they call into question
aspects of the US government's long-running narrative about Snowden's time at the
NSA.]
Not what I expected from France.
Nicolas Rase & Kristof Van Quathem write:
On May 12, 2016, the French High
Court (“Cour de Cassation”) rendered a short decision stating that the right
to be forgotten does not supersede the freedom of press. In this case, two brothers took legal action
against a famous French daily newspaper.
The two individuals requested
that their respective names be removed from search results displayed by the
newspaper’s website search engine (not a third party search engine such as
Google Search or Bing). The newspaper’s
search engine indexed a link to an article published in 2006 which reported on
a sanction imposed by the Council of State on the two brothers.
The High Court ruled that
requiring a media organisation to remove information contained in its
articles (the names and surnames of individuals) from its archive or to limit
access to such articles by de-indexing links from its search engine exceeds the
restrictions that may be imposed on the freedom of press.
Read more on Covington & Burling Inside
Privacy.
(Related)
Moroğlu Arseven writes:
The Turkish Constitutional Court
has recently published a decision where it held that an employer monitoring an
employee’s institutional email account and using correspondence in court did
not violate the employee’s constitutional rights. The court
held that the employer had monitored these accounts prudently and with just
cause, since it was done to verify allegations that the employee had breached
corporate regulations. It
noted that monitoring had not gone beyond verification purposes and content of
the correspondence was not made public.
Read more on Lexology.
…it depends on where you live. Or where the hack occurs?
Bethany Rupert of King & Spaulding provides
additional coverage of an appellate ruling I had previously
noted on this site:
On May 20,
2016, the U.S. Court of Appeals for the Eighth Circuit affirmed
breach-of-contract claims brought by Minnesota-based State Bank of Bellingham
(“Bellingham Bank”) against BancInsure Inc. (“BancInsure”), an insurance
company that refused to provide coverage when the bank suffered losses after a
criminal third party hacked the bank’s computer system and transferred funds to
a foreign bank account.
[…]
The case
is State Bank of Bellingham v. BancInsure Inc. n/k/a Red Rock
Insurance Co., case number 14-3432, in the U.S. Court of Appeals for
the Eighth Circuit.
Read more on JDSupra.
(Related) Could a
breach bankrupt you?
Lyle Adriano reports that some of P.F. Chang’s
breach-related costs are not covered by its insurance:
A federal court ruled that Chubb
Ltd. does not have to reimburse P.F. Chang’s for costs the
restaurant chain was charged by its credit card processor under its cyber policy.
[…]
The Federal Court ultimately
concluded on several counts that Federal Insurance is not obligated to
reimburse the charges, rationalizing that Bank of
America did not suffer from P.F. Chang’s data breach and therefore did not
suffer a “privacy injury” the policy could cover.
“The court agrees with Federal;
(Bank of America) did not sustain a privacy Injury itself, and therefore cannot
maintain a valid claim for injury against Chang’s,” said the ruling.
Read more on Insurance
Business America.
When I see stories like this one, I feel particularly
concerned for small and medium-sized businesses who really may have no idea
what their policies don’t cover and could be totally wiped out by the costs of
a breach if their insurer doesn’t cover some things. If you carry cyberinsurance for breach costs,
do you know if your policy would cover reimbursement to your card issuer? If you don’t know for absolute sure, this
might be a good time to check.
My Computer Security students discussed the security
requirements of these Apps last week. Could I order 50 chicken sandwiches and have
them delivered to my favorite law professor?
Why Is Chick-fil-A’s App Number One in the App Store?
In late 2014, Taco Bell became the first major fast-food
chain to roll out an order-ahead
app. Finally, a Fourth Meal habitué
could pay ahead, skip the line, join a rewards program, and creatively
customize their Nachos Bell Grande without enraging a line of people behind
them. Shortly after a very involved launch,
Taco Bell even threw free Doritos
Locos Tacos at mobile-app users. Despite
all the fanfare, the Live Más app, while popular, was never the No. 1 free app
in the Apple universe. Because, really,
what fast-food ordering app would be?
Earlier this week, Chick-fil-A, the sometimes maligned and beloved chicken chain,
introduced its One app, which offered
all of the things that Taco Bell’s app does, plus the immediate promise of a free chicken sandwich just for downloading the app.
In just three days, the app has been downloaded over a
million times and has led the most downloaded free app iTunes tally board
since Wednesday, muscling out the likes of Facebook, Snapchat, Instagram, and
the (frankly, weird-sounding) multiplayer snake-battle game slither.io.
… “82
percent of millennial parents say they would do almost anything to avoid long
lines at fast food restaurants when they are with their children,” the company noted in a press release
announcing the launch of the app. “In
fact, nearly half (48 percent) said they would rather not eat at all than stand
in a line.”
My dad was a fight fan.
He said Ali was the best he had ever seen. Good enough for me.
Muhammad Ali
by Sabrina I. Pacifici on Jun 4, 2016
David Remnick, Editor, The New Yorker – The Outsized Life of Muhammad Ali:
“Ali, who died Friday, in Phoenix, at the age of seventy-four, was the most
fantastical American figure of his era, a self-invented character of such
physical wit, political defiance, global fame, and sheer originality that no
novelist you might name would dare conceive him.