
On Passwords & PC / Information Security From Karadala

April 20, 2014

I no dat U R Computer & Internet savvy,

May B some of U R actually working in a Software environment,

May B U R facing D “Hackers” menace (or) Exposed 2 such threats,

If so, read on ….

And forward this to those who need to know about all this ….

Will you ?

Eh!!!

Please read the attached articles with some care. A serious flaw has been discovered in the basic structure of Internet security protocols which can have major implications for the security of your personal and financial data.

 

And yes the second article is on how to develop robust passwords.

Despite all that, “At some point, you will get hacked — it’s only a matter of time,” warned Mr. Grossman. “If that’s unacceptable to you, don’t put it online.”

Welcome to one of the major stress producers of the 21st century. Ye can try to alleviate it, but you can never really get rid of it completely. Like death and taxes, this is one more thing that will be with you always. A very good day to ye all.

 

Have a nice day now,

 

Nagendra

 

 

Security

Flaw Found in Key Method for Protecting Data on the Internet

By NICOLE PERLROTH

April 8, 2014, 5:08 pm

http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?hp

http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/

Updated, 10:24 p.m. | A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.

The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.

Researchers were still looking at the impact on consumers but warned it could be significant. Users’ most sensitive information — passwords, stored files, bank details, even Social Security numbers — could be vulnerable because of the flaw.

The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue. “This is a good reminder that there are many risks online and it’s important to keep a watchful eye around what you’re doing, just as you would in the physical world,” said Zulfikar Ramzan, the chief technology officer of Elastica, a security company.

The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security.

Because attackers can use the bug to steal information unnoticed, it is unclear how widely the bug has been exploited — although it has existed for about two years. On Github, a website where developers gather to share code, some were posting ways to use the bug to dump information from servers. The Finnish security researchers, working for Codenomicon, a security company in Saratoga, Calif., and security researchers at Google found the bug in a portion of the OpenSSL protocol — which encrypts sessions between consumer devices and websites — called the “heartbeat” because it pings messages back and forth. The researchers called the bug “Heartbleed.”

“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”

Organizations were advised to download immediately the newest version of the OpenSSL protocol, which includes a fix, and quickly swap out their encryption keys. It also meant organizations needed to change their corporate passwords, log out users and advise them to change their own passwords.

Then companies began taking inventory of what they may have lost. But because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done.

Security researchers say they found evidence that suggests attackers were aware of the bug. Researchers monitoring various “honey pots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.

Actual victims may be out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Mr. Chartier said. “That’s what makes it so vicious.”

Mr. Chartier advised users to consider their passwords compromised and urged companies to deal with the issue quickly. “Companies need to get new encryption keys and users need to get new passwords,” he said.

Security researchers say it is most important for people to change passwords to sensitive accounts like their online banking, email, file storage and e-commerce accounts, after first making sure that the website involved has addressed the security gap.

By Tuesday afternoon, many organizations were heeding the warning. Companies across the web, including Yahoo, Amazon and PayPal, began notifying users of the bug and what was being done to mitigate it. Tumblr, the social network owned by Yahoo, said it had issued fixes and warned users to immediately swap out their passwords.

“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” the security team at Tumblr, which is part of Yahoo, wrote on its site. “This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”

Steve Lohr and Vindu Goel contributed reporting.

 


Screenshot via heartbleed.com

On Monday, several security researchers, including from Google, uncovered a major vulnerability called “Heartbleed” in the technology that powers encryption across the Internet.

The tiny padlock icon that sits next to many web addresses, suggesting protection of users’ most sensitive information — like passwords, stored files, bank details, even Social Security numbers — is broken.

A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.

On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.

The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of web servers. It was revealed Monday by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga, Calif., and two security engineers at Google.

Researchers are calling the bug “Heartbleed” because it affects the “heartbeat” portion of the OpenSSL protocol, which pings messages back and forth. It can be, and has been, exploited by attackers.

The bug allows attackers to access the memory on any web server running OpenSSL and take information like customer usernames and passwords, sensitive banking details, trade secrets and the private encryption keys that organizations use to communicate privately with their customers.

What makes the Heartbleed bug particularly severe is that it can be used by an attacker without leaving any digital crumbs behind.
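The defect the two articles describe, as an added illustration that is not part of the article and not OpenSSL's source: a simplified C model of a heartbeat handler with the unchecked version beside the corrected one. The record layout, the constructed "SESSION=" secret placed next to the received record, and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a TLS heartbeat request: 1 byte type, 2 byte payload length,
 * payload, 16 bytes padding. Not OpenSSL's code; it only mirrors the defect. */
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HDR_LEN     3
#define RECORD_LEN  22   /* bytes actually received: header + "abc" + padding */

/* Constructed server memory: the received record, which claims 0x0028 = 40
 * payload bytes but carries 3, sits directly in front of a secret. */
static const uint8_t SERVER_MEMORY[64] =
    "\x01\x00\x28" "abc" "PPPPPPPPPPPPPPPP" "SESSION=constructed-secret-token";
/* Constructed honest request: claims 3 payload bytes and carries 3. */
static const uint8_t HONEST_RECORD[] = "\x01\x00\x03" "abc" "PPPPPPPPPPPPPPPP";

/* Vulnerable: copies as many bytes as the peer CLAIMED, never comparing that to rec_len. */
static size_t hb_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                   /* the missing comparison */
    if (HDR_LEN + (size_t)claimed > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HDR_LEN, rec + HDR_LEN, claimed);   /* reads past the record */
    return HDR_LEN + claimed;
}

/* Fixed: a request whose claimed length does not fit in the bytes received
 * is silently discarded, which is what the patch did. */
static size_t hb_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HDR_LEN + HB_PADDING) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HDR_LEN + (size_t)claimed + HB_PADDING > rec_len) return 0;
    if (HDR_LEN + (size_t)claimed > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HDR_LEN, rec + HDR_LEN, claimed);
    return HDR_LEN + claimed;
}

/* 1 if the vulnerable reply carries the secret (21 of its 40 payload bytes lie past the record). */
int vulnerable_leaks_secret(void) {
    uint8_t out[128];
    size_t n = hb_vulnerable(SERVER_MEMORY, RECORD_LEN, out, sizeof out);
    return n == 43 && memcmp(out + RECORD_LEN, "SESSION=", 8) == 0;
}

/* Reply length from the fixed handler: 0 for the lying request, 6 for the honest one. */
size_t fixed_response_len(const uint8_t *rec) {
    uint8_t out[128];
    return hb_fixed(rec, RECORD_LEN, out, sizeof out);
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, lying request: %zu bytes\n", fixed_response_len(SERVER_MEMORY));
    printf("fixed handler, honest request: %zu bytes\n", fixed_response_len(HONEST_RECORD));
    return 0;
}
```

The over-read stays inside the constructed 64-byte arena, so the model is well defined while still showing why a reply could carry keys or passwords that happened to sit next to the record.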

“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, the chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”

Three security researchers at Codenomicon’s offices in Oulu, Finland, first discovered the bug last Thursday. The researchers, Antti Karjalainen, Riku Hietamäki and Matti Kamunen, immediately alerted the Finnish authority that is charged with responsibly disclosing security bugs. As it turned out, a security researcher at Google, Neel Mehta, had also discovered the bug and the Google security team had been working on a fix.

On Monday, the open-source team that oversees OpenSSL issued a warning to people and organizations about the bug, and encouraged anyone using the OpenSSL library to upgrade to the latest version, which fixes the problem.

Security researchers say it is impossible to know for sure whether an attacker used the bug to steal a victim’s information, but they found evidence that suggests attackers were aware of the bug and had been exploiting it. Researchers monitoring various “honeypots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.

But actual victims are out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Mr. Chartier said. “That’s what makes it so vicious.”

Security researchers are warning organizations to get new private encryption keys as quickly as possible, and warning people to start changing their usernames and passwords immediately, particularly for sensitive accounts like their online banking, email, file storage and e-commerce accounts.

“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr’s security team wrote on their site. “This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”

Mr. Chartier advised users to consider their passwords gone. “Companies need to get new encryption keys and users need to get new passwords immediately,” he said. “And do it quickly.”

 

 


November 7, 2012


How to Devise Passwords That Drive Hackers Away

By NICOLE PERLROTH

http://www.nytimes.com/2012/11/08/technology/personaltech/how-to-devise-passwords-that-drive-hackers-away.html?pagewanted=all

http://www.nytimes.com/2012/11/08/technology/personaltech/how-to-devise-passwords-that-drive-hackers-away.html?pagewanted=all&pagewanted=print

Not long after I began writing about cybersecurity, I became a paranoid caricature of my former self. It’s hard to maintain peace of mind when hackers remind me every day, all day, just how easy it is to steal my personal data.


Within weeks, I set up unique, complex passwords for every Web site, enabled two-step authentication for my e-mail accounts, and even covered up my computer’s Web camera with a piece of masking tape — a precaution that invited ridicule from friends and co-workers who suggested it was time to get my head checked.

But recent episodes offered vindication. I removed the webcam tape — after a friend convinced me that it was a little much — only to see its light turn green a few days later, suggesting someone was in my computer and watching. More recently, I received a text message from Google with the two-step verification code for my Gmail account. That’s the string of numbers Google sends after you correctly enter the password to your Gmail account, and it serves as a second password. (Do sign up for it.) The only problem was that I was not trying to get into my Gmail account. I was nowhere near a computer. Apparently, somebody else was.

It is absurdly easy to get hacked. All it takes is clicking on one malicious link or attachment. Companies’ computer systems are attacked every day by hackers looking for passwords to sell on auction-like black market sites where a single password can fetch $20. Hackers regularly exploit tools like John the Ripper, a free password-cracking program that uses lists of commonly used passwords from breached sites and can test millions of passwords per second.

Chances are, most people will get hacked at some point in their lifetime. The best they can do is delay the inevitable by avoiding suspicious links, even from friends, and manage their passwords. Unfortunately, good password hygiene is like flossing — you know it’s important, but it takes effort. How do you possibly come up with different, hard-to-crack passwords for every single news, social network, e-commerce, banking, corporate and e-mail account and still remember them all?

To answer that question, I called two of the most (justifiably) paranoid people I know, Jeremiah Grossman and Paul Kocher, to find out how they keep their information safe. Mr. Grossman was the first hacker to demonstrate how easily somebody can break into a computer’s webcam and microphone through a Web browser. He is now chief technology officer at WhiteHat Security, an Internet and network security firm, where he is frequently targeted by cybercriminals. Mr. Kocher, a well-known cryptographer, gained notice for clever hacks on security systems. He now runs Cryptography Research, a security firm that specializes in keeping systems hacker-resistant. Here were their tips:

FORGET THE DICTIONARY If your password can be found in a dictionary, you might as well not have one. “The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary,” said Mr. Kocher. Hackers will often test passwords from a dictionary or aggregated from breaches. If your password is not in that set, hackers will typically move on.

NEVER USE THE SAME PASSWORD TWICE People tend to use the same password across multiple sites, a fact hackers regularly exploit. While cracking into someone’s professional profile on LinkedIn might not have dire consequences, hackers will use that password to crack into, say, someone’s e-mail, bank, or brokerage account where more valuable financial and personal data is stored.

COME UP WITH A PASSPHRASE The longer your password, the longer it will take to crack. A password should ideally be 14 characters or more in length if you want to make it uncrackable by an attacker in less than 24 hours. Because longer passwords tend to be harder to remember, consider a passphrase, such as a favorite movie quote, song lyric, or poem, and string together only the first one or two letters of each word in the sentence.

OR JUST JAM ON YOUR KEYBOARD For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. “That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”

STORE YOUR PASSWORDS SECURELY Do not store your passwords in your in-box or on your desktop. If malware infects your computer, you’re toast. Mr. Grossman stores his password file on an encrypted USB drive for which he has a long, complex password that he has memorized. He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password. Mr. Kocher takes a more old-fashioned approach: He keeps password hints, not the actual passwords, on a scrap of paper in his wallet. “I try to keep my most sensitive information off the Internet completely,” Mr. Kocher said.

A PASSWORD MANAGER? MAYBE Password-protection software lets you store all your usernames and passwords in one place. Some programs will even create strong passwords for you and automatically log you in to sites as long as you provide one master password. LastPass, SplashData and AgileBits offer password management software for Windows, Macs and mobile devices. But consider yourself warned: Mr. Kocher said he did not use the software because even with encryption, it still lived on the computer itself. “If someone steals my computer, I’ve lost my passwords.” Mr. Grossman said he did not trust the software because he didn’t write it. Indeed, at a security conference in Amsterdam earlier this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked.

IGNORE SECURITY QUESTIONS There is a limited set of answers to questions like “What is your favorite color?” and most answers to questions like “What middle school did you attend?” can be found on the Internet. Hackers use that information to reset your password and take control of your account. Earlier this year, a hacker claimed he was able to crack into Mitt Romney’s Hotmail and Dropbox accounts using the name of his favorite pet. A better approach would be to enter a password hint that has nothing to do with the question itself. For example, if the security question asks for the name of the hospital in which you were born, your answer might be: “Your favorite song lyric.”

USE DIFFERENT BROWSERS Mr. Grossman makes a point of using different Web browsers for different activities. “Pick one browser for ‘promiscuous’ browsing: online forums, news sites, blogs — anything you don’t consider important,” he said. “When you’re online banking or checking e-mail, fire up a secondary Web browser, then shut it down.” That way, if your browser catches an infection when you accidentally stumble on an X-rated site, your bank account is not necessarily compromised. As for which browser to use for which activities, a study last year by Accuvant Labs of Web browsers — including Mozilla Firefox, Google Chrome and Microsoft Internet Explorer — found that Chrome was the least susceptible to attacks.

SHARE CAUTIOUSLY “You are your e-mail address and your password,” Mr. Kocher emphasized. Whenever possible, he will not register for online accounts using his real e-mail address. Instead he will use “throwaway” e-mail addresses, like those offered by 10minutemail.com. Users register and confirm an online account, which self-destructs 10 minutes later. Mr. Grossman said he often warned people to treat anything they typed or shared online as public record.

“At some point, you will get hacked — it’s only a matter of time,” warned Mr. Grossman. “If that’s unacceptable to you, don’t put it online.”


Nicole Perlroth, technology reporter for The New York Times, covers cybersecurity and privacy for the Bits blog and for print. Before joining the San Francisco bureau of The Times in 2011, she was a deputy editor at Forbes where she covered venture capital and Web start-ups and produced the Midas List, the magazine’s annual ranking of top tech deal makers. Her reporting has ranged beyond technology to topics like food, bioethics and education. Ms. Perlroth is a graduate of Princeton University and Stanford University’s Graduate School of Journalism.
