thewayne: (Default)
[personal profile] thewayne
First, Kmart has once again found malware in their store point of sale systems. This is not a first for Kmart, and apparently does not affect online sales or their stores of their partner, Sears. Kmart is my wife's pharmacy, so I expect we'll be getting new cards from our bank in a month or two, which will mean Amazon resets and all the joy that entails.

The OneLogin breach is bad. This is a password vault company where you can store logins and passwords for everybody that you do business with online, so with this one breach everyone that you have an online account with is potentially compromised. Bad news. Very bad news for a lot of people and companies.

Now, it's not easy to know whether or not an online identity has been compromised. We use email addresses as logins to numerous web sites, but what gets compromised when a site gets hacked? The valuable information is the login identity and password information. While password information is frequently encrypted (properly speaking, hashed), sometimes it's not and it's stored as plain text. And a lot of people commonly use the same password on lots of sites. Thus, a password that was used on Site A might work on Site B.

Even if the password is encrypted, sometimes the site doesn't use what is known as a salt value. In this case, something called a Rainbow Table can be run against the encrypted password list to try and decode passwords. A rainbow table is a precomputed list of the encrypted values of dictionary words, random words, words in Klingon, phrases from Shakespeare, etc. that are commonly used in passwords. If one of these values matches an encrypted password in the dump, they now know what that password was and can try it with the matching email address against an Amazon account or bank or whatever.

Salting a password is adding a hidden value to it before it is encrypted. For example, if I append the value '123' to your password, the encrypted value is much harder to match against a rainbow table, because the encrypted values of MyPassword and MyPassword123 are different. And if you use the password MyPassword, DON'T. It's a ridiculously easy password to hack. But I'm not going to talk about strong passwords right now.
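An added example (not from the post) contrasting the two storage schemes the last two paragraphs describe: an unsalted hash is recovered by a single lookup in a precomputed table, while a random per-user salt (the post's fixed '123' stands in for this) plus a slow key-derivation function defeats the table. The tiny table, the passwords and all function names here are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: precomputed unsalted SHA-256
# hashes of a handful of common passwords (a real table holds billions).
COMMON_PASSWORDS = ["password", "123456", "MyPassword", "letmein"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p
                  for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """What a site without salts stores: hash(password) and nothing else."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hash: str):
    """One table lookup recovers the password whenever it is in the table."""
    return UNSALTED_TABLE.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 over password+salt; the site stores 'salt$hash'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def new_user_record(password: str) -> str:
    """Each user gets a fresh random 16-byte salt, so two users with the
    same password still get different stored values."""
    return salted_hash(password, os.urandom(16))


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


if __name__ == "__main__":
    print("unsalted MyPassword ->", lookup_unsalted(unsalted_hash("MyPassword")))
    rec = new_user_record("MyPassword")
    print("salted record:", rec)
    print("table hit on salted hash?", lookup_unsalted(rec.split("$", 1)[1]))
```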

When a web site such as OneLogin is compromised, the stolen accounts frequently appear on another web site as a 'dump file'. There are characteristics that let security analysts trace a dump file back and know that File X was taken from Site Y. And there's a web site that will tell you if your email address has ever appeared in a dump -

The operator of Have I Been Pwned took it upon himself to collect dumps and load them into a cloud-based edition of SQL Server. He doesn't store any passwords, just an email address and information on which dumps that address has appeared in. You go to the web site, enter your email address, and you'll learn where your address may have been compromised. It's not a bad idea to check occasionally.

Myself, I have two primary email addresses. My main one has been compromised a number of times, and I don't really care because it's used mainly for email. My more sensitive account has only been compromised once, and that was an Adobe hack. My Paypal email account has never been found in a dump, which is nice. But what I found interesting was that my main email address has been found in lists that "was broadly circulated and used for 'credential stuffing', that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password." I'm not concerned because I never reuse passwords on systems where I have credit cards tied. I do reuse passwords on low-value systems OCCASIONALLY, like some message boards that I don't often revisit, but that's slowly coming to an end.

Anyway, you might want to check out this site, it's interesting.

Date: 2017-06-02 02:03 am (UTC)
kraig: Unita2 (pic#325883)
From: [personal profile] kraig
+100 for HIBP. Troy runs a great service and is ethical as hell. You don't need to check if you subscribe, and if you own domains, you can subscribe for alerts for your domains. Sadly, you need to sub for individual subdomains, which means I had to pick a bunch of common ones for my employer and call it good. Regardless though, it's a great service.

Date: 2017-06-02 04:43 am (UTC)
stardreamer: Meez headshot (Default)
From: [personal profile] stardreamer
Apparently my long-standing e-mail address has been hit twice, but my business e-mail and my (relatively new) Gmail address have not been. This could have been worse news if I hadn't recently been shifting important accounts over to the Gmail address; at this point, the old one is used mostly for political e-mail accounts and blog logins. I also use unique passwords for high-value target accounts (Amazon, financial, medical, etc.); the ones I repeat are mostly for accounts no one is likely to consider worth targeting, such as my jewelry suppliers.

Date: 2017-06-02 11:08 am (UTC)
moonhare: (Default)
From: [personal profile] moonhare
Adobe and Dropbox were hit and one of my emails shows up in the pwned search.

The OneLogin breach is bad.

I cringe when I see these sites as I can only imagine they are just waiting to be breached. That said, Paypal must be the Holy Grail in the hacker world.

Page generated Sep. 24th, 2017 10:58 pm
Powered by Dreamwidth Studios