Time to change your passwords (... or not)

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 17, 2014 3:51 pm

Hopefully he was easy to identify because of the amount of traffic he had to generate to get the info. Which, with some luck, should be a much better deterrent than anything else.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Mon May 12, 2014 12:25 pm

Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Mon May 12, 2014 7:00 pm

Damned if you do, Damned if you Don't

https://vivaldi.net/blogs?view=entry&id=27907

Heartbleed is a very serious issue, and getting the word out to all affected parties is necessary, but I am starting to think that the press coverage, with all its hype and incorrect statements about issues surrounding the problem (such as "change your passwords immediately!" before the servers are patched, and "Heartbleed related certificate revocation will slow down secure surfing") has, at least to some extent, become counter-productive.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Wed Aug 20, 2014 3:51 pm

Apparently there was a third victim

And not because they had vulnerable web servers, they had vulnerable Network Gear.

He explained the hackers took advantage of the fact that Franklin, Tennessee-based CHS, used products made by Juniper, a firm that makes hardware and software to manage computer networks.

Like many of its competitors, it took Juniper several weeks to patch all its affected code after the Heartbleed alert was issued.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Swift » Wed Aug 20, 2014 8:42 pm

It seems to me that the reports of some new company or organization getting hacked and a hundred million billion passwords being stolen is becoming almost a daily occurrence. The most recent one is this health care system.

I don't know about the rest of the non-computer experts out there, but if anything, all these stories are having the opposite effect on me. It is making me care less and less about cyber-security and changing my password. Part of that is because it seems to me that I would be needing to change all my passwords on an almost daily basis. And given that I have literally dozens and dozens of passwords, that isn't possible.

Second, it seems like it is inevitable. If these hackers keep stealing the info on a couple of million accounts on a regular basis, odds are they are going to get me eventually.

And lastly, it seems like it actually doesn't matter what I do, since I can't do anything about it. Take the hospital system example. I have to give hospitals information such as my Social Security number, credit card info, date of birth, etc. if I wish to be treated at that hospital. I have no control over what they do with that info, or how securely they protect it. Am I suppose to pick hospitals based on the cyber security rating? That might be a little bit of a challenge in the middle of my heart attach.
Never, ever forget: we did this. This is what we can do.

In wilderness is the preservation of the world. - Henry David Thoreau

Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. - Margaret Mead
User avatar
Swift
 
Posts: 2353
Joined: Wed May 29, 2013 2:40 am
Location: At my keyboard

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Wed Aug 20, 2014 9:47 pm

Yep, the reported incidents are getting more and more common.

And no, you shouldn't have to worry about it. Passwords are a crummy method of authentication though.

Usually there are three methods of authentication:

- Something the User knows (passwords, security questions etc.)
- Something the User has (Security Tokens, Code Cards)
- Something the User is (retinal scan, fingerprints etc.)

All of them have varying problems and all of them are hackable. You might have heard the term "Two Factor Authentication" that is merely a way to authenticate you that implements two of the three methods mentioned above.

A couple of years ago, I remember posting about a company that was supposed to be considered the "gold standard" for non password-based authentication RSA SecureID, being hacked, the hackers stole information that would allow them to hack their way into institutions that used their products, and one of the companies that got hacked as a result was Lockheed (might have heard of them? Big time US Defense Contractor, they make fighter jets and stuff like that....).

No, you shouldn't have to choose a Bank or a Hospital or a particular service because of some "Cyber security rating". And no, I have no answers, and No, nothing I say here will make you feel any better or make you change your mind. It sucks, period.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Swift » Thu Aug 21, 2014 2:10 am

Sigma_Orionis wrote:A couple of years ago, I remember posting about a company that was supposed to be considered the "gold standard" for non password-based authentication RSA SecureID, being hacked,

They are who our corporation uses for our security tokens

No, you shouldn't have to choose a Bank or a Hospital or a particular service because of some "Cyber security rating". And no, I have no answers, and No, nothing I say here will make you feel any better or make you change your mind. It sucks, period.

I didn't expect you would (have the answers). It is nice at least to get a confirmation from someone in the biz.
Never, ever forget: we did this. This is what we can do.

In wilderness is the preservation of the world. - Henry David Thoreau

Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. - Margaret Mead
User avatar
Swift
 
Posts: 2353
Joined: Wed May 29, 2013 2:40 am
Location: At my keyboard

Re: Time to change your passwords (... or not)

Postby geonuc » Thu Aug 21, 2014 10:12 am

Swift wrote:
Sigma_Orionis wrote:A couple of years ago, I remember posting about a company that was supposed to be considered the "gold standard" for non password-based authentication RSA SecureID, being hacked,

They are who our corporation uses for our security tokens



Some nuclear utilities too.
User avatar
geonuc
Resident Rock Hound
 
Posts: 3429
Joined: Mon May 27, 2013 11:16 am
Location: Not the Mojave

Re: Time to change your passwords (... or not)

Postby SciFi Chick » Thu Aug 21, 2014 4:24 pm

It seems like, on a scale like this, we're probably dealing with terrorists that would like to cripple us technically, more so than someone who wants to steal $20 out of my bank account. Does that sound like a reasonable assessment?
"Do not speak badly of yourself, for the warrior that is inside you hears your words and is lessened by them." -David Gemmel
User avatar
SciFi Chick
Information Goddess
 
Posts: 3240
Joined: Mon May 27, 2013 4:04 pm

Re: Time to change your passwords (... or not)

Postby Swift » Thu Aug 21, 2014 5:36 pm

SciFi Chick wrote:It seems like, on a scale like this, we're probably dealing with terrorists that would like to cripple us technically, more so than someone who wants to steal $20 out of my bank account. Does that sound like a reasonable assessment?

That isn't my assessment (but what do I know). My guess is that this isn't someone who wants to steal $20 out of your bank account, its a criminal organization who wants to steal $20 out of millions of bank accounts. Or better yet, sell the information to another organization that wants to do that.
Never, ever forget: we did this. This is what we can do.

In wilderness is the preservation of the world. - Henry David Thoreau

Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. - Margaret Mead
User avatar
Swift
 
Posts: 2353
Joined: Wed May 29, 2013 2:40 am
Location: At my keyboard

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Aug 21, 2014 6:19 pm

Yup, security experts have been warning about stuff like that for years.

and BTW RSA's behavior regarding their hacking was inexcusable.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby SciFi Chick » Thu Aug 21, 2014 9:25 pm

Swift wrote:
SciFi Chick wrote:It seems like, on a scale like this, we're probably dealing with terrorists that would like to cripple us technically, more so than someone who wants to steal $20 out of my bank account. Does that sound like a reasonable assessment?

That isn't my assessment (but what do I know). My guess is that this isn't someone who wants to steal $20 out of your bank account, its a criminal organization who wants to steal $20 out of millions of bank accounts. Or better yet, sell the information to another organization that wants to do that.


That works too. I'm actually okay with having small amounts stolen. I don't like it, but shit happens. It's the idea of having my poor, sad bank account cleaned out completely that I can't handle.
"Do not speak badly of yourself, for the warrior that is inside you hears your words and is lessened by them." -David Gemmel
User avatar
SciFi Chick
Information Goddess
 
Posts: 3240
Joined: Mon May 27, 2013 4:04 pm

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Fri Aug 29, 2014 10:21 pm

In this BBC article the author muses using biometrics.

If you ask me, the least bad of all options are passphrases combined with another method, most probably Biometrics, security tokens or cards sound like they will be hard to implement on a very large scale.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby SciFiFisher » Sat Aug 30, 2014 4:51 am

Sigma_Orionis wrote:In this BBC article the author muses using biometrics.

If you ask me, the least bad of all options are passphrases combined with another method, most probably Biometrics, security tokens or cards sound like they will be hard to implement on a very large scale.



The US DOD and the VA use a user ID, Password, and a smart chipped ID card. They make you set up an underlying user name and password for the system. for daily logging in you have to use your smart chipped ID card and a "pin" which is usually a 6 letter phrase or number series. The ID card is linked to your user name on the system. If they don't all match up they deny access.

In spite of this both systems have had data stolen. Usually in the form of a laptop that some idjit decided to leave in a car so it could be stolen. Both systems have also had virus intrusions and hacker attacks. The weak link is usually someone who decides that it should be ok to download that sweepstakes prize claim form that will let them claim the £1,000,000 that uncle Wallybongowallawanga left them in Nigeria. :lol:
"To create more positive results in your life, replace 'if only' with 'next time'." — Author Unknown
"Experience is a hard teacher because she gives the test first, the lesson afterward." — Vernon Law
User avatar
SciFiFisher
Redneck Geek
 
Posts: 4889
Joined: Mon May 27, 2013 5:01 pm
Location: Sacramento CA

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Mon Sep 01, 2014 12:25 pm

Two factor authentication can't protect against layer 8 stupidity :P

I've installed RSA Security authentication systems twice, they work in a manner similar to what you mention, the expensive versions require you to use both the code given by the token and a PIN. The code is modified when a user enters his PIN. In the cheap version, the user PIN is entered as part of the code given by the token. the token changes the code every minute. I've seen that used by Banks for their corporate customers, for us rabble they issue a card with coordinates and use a challenge response system to get the values of the coordinates, it's basically the "el cheapo" version of it.

The thing is that at least some manufacturers integrate the biometrics to the user hardware, if you use a lot of websites that are password protected and (in the unlikely case) that they want to provide support for two factor authentication, I doubt very much that all those will issue cards (let alone tokens). I think that even if it was possible from a financial point of view, integrating the token functionality into the user hardware would be unpractical.


Edited for Clarity
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Fri Nov 14, 2014 12:04 am

Bad year for Secure Communication Protocols all around

Annus HORRIBILIS for TLS! ALL the bigguns now officially pwned in 2014

Microsoft stuff has a bug that at first blush looks very similar to Heartbleed

Patching as I write this, MEH!
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby SciFiFisher » Fri Nov 14, 2014 12:50 am

Sigma_Orionis wrote:Bad year for Secure Communication Protocols all around

Annus HORRIBILIS for TLS! ALL the bigguns now officially pwned in 2014

Microsoft stuff has a bug that at first blush looks very similar to Heartbleed

Patching as I write this, MEH!


Order more glue? :P
"To create more positive results in your life, replace 'if only' with 'next time'." — Author Unknown
"Experience is a hard teacher because she gives the test first, the lesson afterward." — Vernon Law
User avatar
SciFiFisher
Redneck Geek
 
Posts: 4889
Joined: Mon May 27, 2013 5:01 pm
Location: Sacramento CA

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Fri Nov 14, 2014 2:29 am

A couple of cans of Raid would be more useful (rather hard to find these days on the glorious socialist land of the spiritually enlightened idiots), you damned evil imperial imperialist capitalist gringo of the evil imperial imperialist capitalist gringo empire :P
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Previous

Return to Sci-Tech… and Stuff

Who is online

Users browsing this forum: No registered users and 13 guests