Fresh Off The Block


Jun 16 2015

LastPass Hacked: Users Encouraged to Change Master Passwords

What happens when a service designed to keep your passwords safe gets hacked itself?


Password-management service LastPass announced today that it “discovered and blocked suspicious activity” on its network on Friday. The intrusion compromised user email addresses, authentication hashes, password reminders and server-side per-user salts.

While the news suggests that some users’ email addresses may now be known to criminals, and that the hackers may now hold useful hints to the passwords you use on other sites, LastPass says there is no evidence that any data from any user’s vault was taken, or that any account was logged into illegitimately before the hack was detected. This means the passwords actually stored in those vaults have not fallen into the wrong hands, so there should be no need to reset passwords for every site you stored data for. LastPass is confident that its encryption is strong enough to make attacking the stolen hashes with any speed difficult.

Nevertheless, when it comes to LastPass itself, it is highly recommended that you change your master password right now to ensure those vaults can’t be accessed later. The company’s official recommendation is that you only need to change your master password if it is weak or if you use the same password on multiple sites, but in any case of hacking, being paranoid is often the best approach. The company also recommends that users who don’t have two-factor authentication enabled on their accounts do so now, which is sound advice.
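To make concrete why stolen authentication hashes plus per-user salts are slow to attack, and why changing the master password still matters, here is an added example of the general pattern (a slow, salted derivation such as PBKDF2-HMAC-SHA256 with a per-user salt and a stored cost parameter). It is illustration written for this page, not LastPass’s own code, and the iteration count, salt length and sample users are assumptions made up for the demo. The same point applies to the “encrypted passwords” Kickstarter mentions further down this page: a guess against one stolen record costs a full derivation, and a cracked hash for one user tells the attacker nothing about another user with the same password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Illustrative cost parameter (an assumption for this example, not LastPass's
# real setting): every guess against a stolen record costs this many rounds.
CURRENT_ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps: never the master password itself."""
    email: str
    salt: bytes        # per-user salt, generated once at enrolment
    iterations: int    # stored alongside so the cost can be raised later
    auth_hash: bytes   # PBKDF2-HMAC-SHA256 output used only to authenticate


def derive_auth_hash(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation: same password + same salt -> same hash."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def enroll(email: str, master_password: str,
           iterations: int = CURRENT_ITERATIONS) -> StoredCredential:
    """Create a record with a fresh random salt for this user."""
    salt = os.urandom(SALT_BYTES)
    return StoredCredential(email, salt, iterations,
                            derive_auth_hash(master_password, salt, iterations))


def verify(record: StoredCredential, master_password: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    candidate = derive_auth_hash(master_password, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.auth_hash)


def needs_rehash(record: StoredCredential,
                 target_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when a record was made with a weaker cost than current policy."""
    return record.iterations < target_iterations


def rotate_master_password(record: StoredCredential, old_password: str,
                           new_password: str) -> Optional[StoredCredential]:
    """Change the master password: new salt, new hash. A stolen copy of the
    old record no longer authenticates anything."""
    if not verify(record, old_password):
        return None
    return enroll(record.email, new_password)


def demo() -> dict:
    """Constructed sample users showing why per-user salts and rotation matter."""
    alice = enroll("alice@example.com", "correct horse battery staple")
    bob = enroll("bob@example.com", "correct horse battery staple")  # same password
    alice_rotated = rotate_master_password(
        alice, "correct horse battery staple", "new and different phrase")
    legacy = enroll("carol@example.com", "another secret", iterations=1_000)
    return {
        # same password, different salts -> different hashes
        "same_password_same_hash": alice.auth_hash == bob.auth_hash,
        "old_password_works_after_rotation": verify(
            alice_rotated, "correct horse battery staple"),
        "new_password_works": verify(alice_rotated, "new and different phrase"),
        "legacy_record_needs_upgrade": needs_rehash(legacy),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing the iteration count next to the hash is what lets a service raise the cost for existing users over time (`needs_rehash` flags the records to upgrade at their next successful login), and rotating the password replaces both salt and hash, so whatever was copied in a breach stops being useful for the LastPass login itself.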


    Previous Articles


    Feb 16 2014

    Hackers steal Usernames, addresses, encrypted passwords and more details of Kickstarter users, change your password now!

    An undisclosed number of Kickstarter users have been emailed with advice to reset their passwords after the company was made aware of a data breach that may have led to the disclosure of personal information.

    Sometime in the last 24 hours, Kickstarter updated its website to display a banner at the top of the site for logged-in users, advising them to change their password and providing a link to do so. The advice follows a statement by Kickstarter – emailed to an undisclosed number of users – stating that the company was made aware “by law enforcement officials” of hackers breaching its servers to steal account-related information. The advice also recommended users consider tools such as 1Password or LastPass, which as well as storing your passwords so you don’t have to remember them all, also include password generators to produce randomised, highly secure passwords (might I also recommend KeePass, which does the same but also contains a meter telling you how “secure” any password you type in is likely to be?).

    The following is the full text of the email as sent out by Kickstarter – I’ll leave the explaining to them as it puts it better than I could myself:

    “On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

    No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.

    While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed; however, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

    As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password.

    To change your password, log in to your account at Kickstarter.com and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.

    We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

    Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at accountsecurity@kickstarter.com.

    While it’s disappointing to hear of any hack in which data is stolen – and a sad reflection of the state of the world today that not even a website which exists to give people with ideas but no money the chance to connect with their potential market and get the funding they need is safe from being hacked – it’s reassuring to see a company own up to the breach so quickly and waste no time in securing its service better and protecting its users. I hope more companies learn from this example.

    Digiprove sealThis informative article has been Digiproved © 2014
    Acknowledgements: Quoted Portions come from a Kickstart more...
    Some Rights Reserved
    May 23 2013

    Twitter is introducing new security measures in light of recent hackings

    Micro-blogging site Twitter says it is bringing in an optional two-step login process for its users to improve the security of each account, following recent high-profile breaches within the social network.

    The news comes after a number of high-profile Twitter accounts were illegitimately accessed, including those of major news organisations such as the Financial Times and the Associated Press (AP), the latter causing widespread panic when hackers sent a fake news tweet claiming US President Barack Obama had been injured. This followed an attack against Twitter itself in February, which led to 250,000 users having their passwords stolen.

    Mr. Jim O'Leary (product security head at Twitter) explained the new two-factor authentication system as follows:

    "You'll need a confirmed email address and a verified phone number. After a quick test to confirm that your phone can receive messages from Twitter, you're ready to go."

    A message containing a verification code would then be sent to the account holder's mobile phone that can be used to log in. However, he also reminded Twitter users of the importance of strong passwords:

    "Of course, even with this new security option turned on, it's still important for you to use a strong password and follow the rest of our advice for keeping your account secure."

    However, Kim Dotcom – owner of the Mega.co.nz file sharing site, itself the spiritual successor of the controversial former file upload website MegaUpload – is threatening a patent lawsuit over the social network's newfound use of two-factor authentication. Extending the threat to Google, Facebook, Twitter, Citibank and other companies that have implemented the system, he claims that the use of mobile devices to offer a second layer of security for website logins infringes a patent, describing an SMS-based two-step authentication process, that he filed with the US Patent Office in 1998 and was granted in 2000; Dotcom claims registrations also exist in twelve other countries.

    "I never sued them. I believe in sharing knowledge & ideas for the good of society. But I might sue them now cause of what the US did to me."

    The BBC reports that he is not alone in these claims, however:

    A New Jersey-based firm called Strikeforce is currently suing Microsoft over its use of two-factor authentication tech based on a patent it filed in 2004.

    And another British company, SecurEnvoy, recently announced it had been granted patents for a "business grade" SMS-based two-factor authentication process.

    However, let's look beyond the arguments and focus on the security. Will you be turning on two-factor authentication for your Twitter account?
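The flow O'Leary describes (a code texted to a verified phone, which the user then types in to finish logging in) has a server side that is easy to get subtly wrong. The following is an added example, written for this page and not Twitter's implementation, of the properties a practitioner would want from that server side: the code is random, only an HMAC of it is stored, it expires, it is single use, and a small number of wrong guesses invalidates it. The code length, validity window, attempt limit, the HMAC key and the fake SMS transport are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3         # assumed guesses allowed per issued code
# Constructed server-side key; a real deployment loads this from a secrets store.
SERVER_KEY = b"example-only-hmac-key-not-for-production"


@dataclass
class PendingChallenge:
    code_hash: bytes      # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts_left: int


def _hash_code(user_id: str, code: str) -> bytes:
    """Bind the code to the user so a code issued to one account is useless on another."""
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode("utf-8"),
                    hashlib.sha256).digest()


class SecondFactor:
    """Issues one-time login codes and checks them: short-lived, single use,
    limited guesses, constant-time comparison."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._send_sms = send_sms      # transport is injected so it can be faked
        self._clock = clock
        self._pending: Dict[str, PendingChallenge] = {}

    def issue(self, user_id: str, phone: str) -> None:
        """Generate a fresh random code, remember only its HMAC, and send it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingChallenge(
            code_hash=_hash_code(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True once for the right code; any failure path burns the code
        or one of its remaining attempts."""
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False                      # nothing issued, or already used
        if self._clock() > challenge.expires_at:
            del self._pending[user_id]        # expired: the user must request a new one
            return False
        challenge.attempts_left -= 1
        ok = hmac.compare_digest(_hash_code(user_id, submitted), challenge.code_hash)
        if ok or challenge.attempts_left <= 0:
            del self._pending[user_id]        # single use; lock out after too many guesses
        return ok


def demo() -> dict:
    """Constructed run with a fake SMS transport and a controllable clock."""
    outbox = []
    now = [1_000.0]
    sf = SecondFactor(send_sms=lambda phone, msg: outbox.append(msg),
                      clock=lambda: now[0])
    sf.issue("alice", "+15550100")
    code = outbox[-1].split()[-1]             # what the "phone" received
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "wrong_code_rejected": not sf.verify("alice", wrong),
        "right_code_accepted": sf.verify("alice", code),
        "replay_rejected": not sf.verify("alice", code),
    }
    sf.issue("alice", "+15550100")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = not sf.verify("alice", outbox[-1].split()[-1])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The attempt limit is what makes a six-digit code acceptable: with only three guesses per issued code, the space of a million values cannot be walked through, and the expiry means a code intercepted later is worthless. Storing only an HMAC of the code means a read of the pending-challenge table does not hand out live login codes.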

    Acknowledgements: Quoted segments: BBC, Jim O'Leary, @ more...
    Sep 23 2011

    All your information are belong to them: Researchers claim they can crack secure web connections (read: HTTPS has been cracked)

    The following post was originally published by Ashraf, founder of dotTech.org, on the dotTech website. It has been reprinted here – with only minor edits as required for compatibility with the software used by Technically Motivated – under the terms of the Creative Commons Attribution-Noncommercial licence – the licence attached to the original work at the time of our redistribution. Technically Motivated make no claim of ownership to the below content nor make any guarantee for its validity or accuracy.

    A pair of security researchers claim to have written a JavaScript tool, named Browser Exploit Against SSL/TLS or BEAST, that allows them to access the information being passed behind SSL/TLS encryption. Yeah, you read that properly. These two geeks claim they have the ability to crack HTTPS.

    Without going into too many technical details (because, well, I myself don't understand all the technical wand waving behind this specific exploit and I need to save face by using the excuse of not wanting to go into too many technical details), BEAST "cracks HTTPS" using a two-step process. The first step involves sniffing the network to gather enough blocks of plaintext data; the second step involves injecting the data back into the secure stream to decrypt the secure connection. Or something like that.

    BEAST uses JavaScript to do all its evil stuff, so it can be injected into your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code. Original estimates said it takes about half an hour to break content encrypted with 1,000-character-long keys, but some refinement of the code by the researchers has that time estimate down to ten minutes. Ten freaking minutes.


    Apr 05 2011

    Zelda Fan Builds Chest That Plays Chest Opening Tune

    Now this is awesome! Every Nintendo fan worth his salt knows the Zelda “what’s in the chest” tune, and if you’re like me, simply hearing that tune gets you all excited, because it always gives you the feeling that something good is about to happen to you.

    Maybe you’ve wondered why opening real chests doesn’t give that same sort of excitement? Maybe you’d like the same “something good” feeling in real life? Well, sculptor Zachariah Perry Cruse understood that Pavlovian feeling and built a real life chest that, when opened, plays the tune. Being the good guy that he is, Cruse posted instructions so anyone could go ahead and build their own Pavlovian box that will provide an immediate uplift in spirits, because, you know, you’re about to get the Hookshot or compass, but in real life.

    Cruse used plywood to build the chest, poster board and nails to get the details down, painted the chest with wood stain, used a sharpie to pen in the details and used glue to hold the box together. Opening the chest’s lid triggers a switch connected to the MP3 player that plays the tune, and he suggests the tune be the only MP3 on the player in order to avoid other songs playing whenever the chest is opened.

    If you’d like to see it for yourself, and/or read the instructions on how to make it, check out this post on the Instructables website. If you’ve tried it already, or want to, why not leave a comment here to tell us what you think?

    Jan 26 2011

    Zuckerberg’s Facebook page hacked

    In what can only be described as irony on a high level, Mark Zuckerberg – owner of Facebook – had his own Facebook page hacked on Tuesday, to promote an alternative business plan for the social network site.

    Unknown pranksters defaced the page with a message suggesting that Facebook ought to allow ordinary users to invest in the site in a “social way”, rather than getting its financing from the banks. The message suggested the idea of using “micro-payments”, which is a system that allows people to make small regular payments to a service, which can add up to a substantial amount when others join in. The post, which was appended with the hacker tag #hackercup2011, gained the thumbs up (“like”) of more than 1800 people before the social network restored the boy-droid page to normal.

    It’s unclear how the hack took place, but weak password security by the team of minions maintaining the page is the most likely explanation – and suggestions that this may have been the case have caused mass ridicule and laughter all across the internet. Screenshots of the Zuckerberg hack can be found in a blog post by net security firm Sophos here.

    The incident follows a similar hack on the profile of French President Nicolas Sarkozy earlier this week. A badly worded update posted by miscreants falsely suggested Mr Carla Bruni would not seek re-election next year.

    Dec 31 2010

    Hackers expected to focus on Google and Apple in 2011

    As it assesses the forthcoming threat vectors for 2011, IT security giant McAfee is predicting that Internet TV platforms, in particular Google TV and Apple TV, will be high on the list of targets for emerging threats in 2011. In fact, McAfee says that its list comprises 2010’s most talked about platforms and services, including not just Apple TV and Google TV but also Google’s Android, Apple’s iPhone, foursquare, and the Mac OS X platform. These are all expected to become major targets for cybercriminals as they grow more popular.

    Focusing on potential privacy leaks from TVs, McAfee says that new Internet TV platforms were among some of the most highly-anticipated devices in 2010. Due to the growing popularity among users and “rush to market” thinking by developers, McAfee expects an increasing number of suspicious and malicious apps for the most widely deployed media platforms, such as Google TV. McAfee believes that these apps will likely target or expose privacy and identity data, and will allow cybercriminals to manipulate a variety of physical devices through compromised or controlled apps, eventually raising the effectiveness of botnets. With Internet-enabled TVs getting close to matching smartphones or low-powered computers in their technical abilities, it’s only a matter of time before they are exploited in some way, and many of the possible vulnerabilities of connected TV and IPTV services have only just begun to emerge. It is likely we’ll learn more about the risks as time progresses.

    Dec 20 2010

    Google Search results now include security alerts to warn of suspected hacked websites

    Google has started putting security information in its search results to warn both users and web-masters when it appears a website might have been hacked. The firm added the notification to its search results at the end of last week, and said that it is looking to help people avoid compromised sites. This, it added, could be the result of a hack by a third-party for the purposes of spamming visitors.

    Google is alerting users by adding a line under the search result that says, “This site may be compromised.” Clicking that line takes the user to information about what the warning might mean; clicking the result’s normal link still takes the user through to the website, infected or otherwise.

    “When a user visits a site, we want her to be confident the information on that site comes from the original publisher,” wrote Gideon Wald, associate product manager at Google. Wald explained that Google is using automated tools to produce its information about hacked sites, and added that as well as updating its own search results it will also inform the web-master in question, or at least try to.

    Web-masters who are worried about being tarred by Google’s insecurity analysis can take some consolation in the fact that Google will remove the tag from their results once the problem is fixed, within no more than a couple of days. Wald added, addressing those website owners: “Together, we can make the web a safer place.”

    Dec 12 2010

    It’s a cyber war, and WikiLeaks is the cause

    Folks, we could be at the verge of the very first global war on technology. Or at least, that’s what the hackers want us to think.

    The battle centres on Washington’s fierce attempts to close down WikiLeaks and shut off the supply of confidential US government cables. For those of you who haven’t kept up with the latest news, WikiLeaks is a well-known whistleblower site that encourages people to post secret documents they’ve managed to get their hands on, so they can be made public and the information contained within made known to everyone – while the people responsible are kept completely anonymous. Lately, WikiLeaks has been responsible for leaking a long chain of confidential documents and communications of the US government. Naturally, the US are a little pissed off about it. Mike Huckabee, a former Arkansas governor, said those who passed the secrets to WikiLeaks should be executed. Sarah Palin demanded the founder of WikiLeaks be hunted in the same way an al-Qaeda operative would be pursued.

    Recently, the founder of WikiLeaks, Julian Assange, was arrested in Britain, after British authorities received an arrest warrant from Swedish prosecutors eager to question him on unrelated allegations of rape. News of his arrest, even on unrelated charges, pleased the US authorities. “That sounds like good news to me,” said Robert Gates, US secretary of defence. The US now want Assange to answer to the actions of those using his website to leak the government cables, and his role in helping the leaks get widespread, and have made calls for Assange to be extradited to the US to face charges of espionage.

    Yet even as Assange prepared to appear in a London court last week, an unlikely alliance of defenders had begun plotting to turn on the forces circling WikiLeaks. They were beginning to attack Amazon, which had been persuaded to sever links with WikiLeaks by Joe Lieberman, who heads the US Senate’s homeland security committee; they also hit every domain name system (DNS) provider that broke WikiLeaks.org’s domain name, along with Mastercard, Visa and PayPal, which stopped facilitating donations to the site, and the Swiss post office, which froze WikiLeaks’ bank account.
