Category Archives: Privacy

Jeff Atwood on passwords

Noted technology blogger Jeff Atwood discusses passwords in a recent post on his entertaining and informative site Coding Horror.

Jeff wants web-based services to get better at both insisting on strong passwords, and helping users to choose those passwords; or to switch to authentication technologies provided by Facebook, Google, and others. Based on his testing, he also observes that passwords shorter than twelve characters are easy to crack using brute force methods.

Domain registration information leaked by Google

If you’ve registered domains using the Google Apps for Work service, there’s a good chance your registration (WHOIS) information is now available to unscrupulous persons.

Apparently a software defect in Google Apps started leaking the registration info (names, phone numbers, physical addresses, e-mail addresses, etc.) in mid-2013. The defect was recently discovered by a security researcher. Google acted quickly to stop the leaking, but for many, the damage has already been done.

If your information was leaked, you’ll likely start seeing an increase in spam to associated email addresses. The information may also be used in spear phishing attacks.

Note that while domain registration information is public, most domain registrars (including Google Apps) allow for this information to be hidden or only accessible indirectly. This likely encouraged many registrants to use accurate information, making the leak that much worse.

VPN services: how private is your communication?

In the wake of the Snowden revelations, there’s been a lot of new interest in Virtual Private Networks (VPN).

A VPN service works by creating a secure, encrypted network that extends across the public Internet, allowing users to communicate securely with remote systems. VPNs have been used for corporate networks – which are often distributed across many physical locations – for years.

While a VPN service can be set up by anyone using open source software and network hardware, a simpler approach for typical users is to use one of the many VPN service providers currently available.

With so many people now depending on VPN services, TorrentFreak wondered just how private those services really are, and came up with a list of questions for VPN providers. For example, some VPN providers keep logs of user IP addresses, which – when handed over to the NSA – could lay bare your supposedly private communications.

You can find the results of TorrentFreak’s investigation on their web site.

Ramnit botnet suppressed

Europol, with assistance from Microsoft, Symantec, and Anubis Networks, has identified and seized the servers thought to be at the core of Ramnit’s infrastructure.

Ramnit began operations in 2010, and has evolved from a simple worm to include advanced features for stealing personal/banking information and self-propagation. In its latest incarnation, Ramnit is capable of compromising infected computers in numerous ways. In 2012, Ramnit was used to gain access to 45,000 Facebook accounts.

Only time will tell whether this crackdown has actually succeeded in ridding the world of this particular piece of malware.

A depressing look at the future of the Internet

If you’re feeling strong, Ars Technica has a report on the possible futures of the Internet. Tl;dr (aka ‘executive summary’): it’s not looking good; the scenario with the highest probability is this one:

The Internet becomes just like every physical domain of human existence: turf to fight over. Crime, espionage, embargoes, and full-blown nation-on-nation conflicts extend into the Internet.

Bleak.

Even the crappiest computer is worth hacking

If you’re like a lot of other typical users, you may believe that nothing on your computer makes it a worthwhile target for malicious hackers. You may even feel that this means you’re relatively safe from hackers. Think again.

To a malicious hacker, the Internet is a vast, mostly untapped ocean of computing resources, ready for them to compromise and put to work in numerous ways to help them and hurt you.

Brian Krebs created and posted the image below to remind people of all the ways their computers can be secretly used for nefarious purposes. Although the post is a couple of years old, it’s still relevant.

Hackers can use your computer for dozens of nefarious activities.

The problem with Tor

Tor is a collection of software that allows its users to access Internet-based resources anonymously. There are a lot of legitimate reasons why a person might want to remain anonymous on the ‘net. Unfortunately, Tor (as well as other proxy and anonymizing services) also allows unscrupulous persons to hide their illegal activities. A recent study shows that a large proportion of attacks against banking sites arrived via Tor.

As a result, major web sites are increasingly blocking access from Tor nodes, in the hope that this will reduce the overall amount of access by those seeking to do damage or obtain private information. The problem is that Tor users with no evil intent are then also prevented from using such sites.

The Tor developers are aware of this problem, and are working to keep Tor relevant by working with site owners to find ways to prevent improper access without blocking Tor completely.

So far there doesn’t appear to be a good, long-term solution to this problem. However, it may be useful to recognize that Tor is just a tool, and like all other tools, it can be used for good, evil, or anything in between. A better approach to security than wholesale blocking is to improve security on the host.

Firefox 33.1 adds ‘Forget’ button

Another new version of Firefox was released yesterday: 33.1.

According to the release notes, new features in version 33.1 include a ‘forget’ button, and the ability to use DuckDuckGo as the default search engine. These changes are in keeping with Mozilla’s push to improve privacy in the browser: the Forget button allows the user to remove cookies and history related to recent browsing, and DuckDuckGo’s search engine does not remember searches.

As usual, there was no formal announcement. There was an associated post on the main Mozilla blog, but that post makes no reference to the new version.

On a more positive note, the What’s New section of the release notes for this version has been pruned down to show only changes in this version, although the link to ‘all changes’ still shows about 3500 Bugzilla items, making it essentially useless.