security

Who Needs Hackers Link

Sure, the bad guys have all of our passwords. As it turns out, they mostly don’t need them: “We eventually cracked 576,533 or almost 92 percent of the sample within a period of 31 days,” Sigler said. “Such a short cracking time using a word list from last year’s [common passwords] study shows that passwords were as predictable as ever. ‘Password1’ was the password we came across most often in this year’s analysis.”

Anatomy of a Corporate Cyberheist Link

Brian Krebs writes about Tennessee Electric suing its bank for negligence after hackers siphoned $325,000 from its account. But what I found more interesting is the process by which the money was stolen and that it was distributed to 50 different “mules” around the US. Fascinating and frightening. It doesn’t sound like a phishing scam but rather malware interception. A “cyber”-interception by “cyber”-malware. I kid, I kid. Krebs is the authority here.

Synology Email about Synolocker

Synology is emailing registered users regarding the Synolocker ransomware I mentioned. The short version: It impacts older versions of DSM and the hole was patched in 2013. The long version: Dear Synology users, We would like to inform you that a ransomware called “SynoLocker” is currently affecting some Synology NAS users. This ransomware locks down affected servers, encrypts users’ files, and demands a fee to regain access to the encrypted files.

Change the Synology Default SSH Port

The Synology has a nice option to block IP addresses with more than 5 failed login attempts. This is really just swatting at flies most of the time. It’s a better idea to change the SSH port. Log in as root, not as admin. This will require an SSH session like this: `ssh root@your.NAS.ip.address` (root uses the same password as the admin account). Next, edit two configuration files: `DiskStation> vi /etc/ssh/sshd_config` and `DiskStation> vi /etc.`

With Big Data Comes Big Responsibility Link

From Om Malik: Did you know at the time of signing up for Strava, that lovable cycling and running activity tracker is sharing real time user data and selling that to municipalities for 80 cents a year. In what universe does it make sense for the company to do that without asking, and have a company spokesperson blatantly admit to a Forbes reporter that, the default is opt-in — a malaise popularized by Facebook.

Leaky Dropbox Links Link

From the Graham Cluley blog: In one short and entirely innocently designed ad campaign alone, we found that about 5 per cent of hits represented full links to shared files, half of which required no password to download. This amounted to over 300 documents from a small campaign, including several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was uncovered.

Try to Open This PDF Link

John August crowd-sourced a security test on PDF encryption. For PDF encryption, the consensus seems to be that the latest version of Adobe is pretty effective if you’re using the 128- or 256-bit option and a password of 8+ random characters. Random, as in not a word in a dictionary. The post includes some estimates for cracking passwords on PDFs. I’m not familiar enough with the toolkits used by people who actually do this, but the numbers are probably relatively accurate.

Find Duplicate Passwords in 1Password

A cautious person is probably going to methodically change all of their passwords on the Internet this month. It’s common to reuse passwords, even though it’s a bad idea. If you’re in that club, start by resetting those passwords first. If you use 1Password, it’s easy to get started. You can use the built-in Security Audit view in the side panel to show duplicate passwords. I find it easier to create a new smart folder in 1Password for finding all entries for a given password.

Heartbleed and Certificate Authorities

The best place to start, as usual, is with Ars Technica. The takeaway: the private keys need to be regenerated too. But what really caught my attention were the first two promoted comments on the Yahoo mail story. In particular this comment makes far too much sense. All of the old certificates (even after sites put new certs in place) can be used for man-in-the-middle impersonation. IMO SSL/TLS is now completely broken.

Verizon and Relevant Mobile Advertising

Verizon would like to monitor what you are doing with your mobile device and inject their advertising. You can opt out but it’s a pain. I suggest every single customer call them. They’d love that. Note: if you have a multi-line account, you must indicate your privacy choices with respect to each individual line. And what are they collecting: The information we use for this program includes the postal address we have for you and certain consumer information such as your device type and language preference, as well as demographic and interest categories obtained from other companies.