infosec


That LiveJournal thing.

Denise has a pretty good write-up of the LiveJournal password breach over at Dreamwidth.

Specifically:

We’ve seen several contradictory claims about when the file was allegedly gathered from LiveJournal: one claim for June/July of 2014, and one claim for sometime in 2017. From what we’ve learned from our users who we’ve spoken to about their accounts, we believe the 2014 claim is more likely to be accurate and that the person(s) who obtained the data in 2014 didn’t use it for several years, but we can’t say for certain. Because of that uncertainty, it’s best if you treat any password you’ve ever used on LiveJournal in the past as compromised, since we can’t tell for certain when the alleged breach happened.

(It’s worth noting Firefox, for example, leans towards the 2017 date. Regardless, assume compromise.)

Also, LiveJournal’s official response—specifically the claim the data are “falsified”—is… interesting. More specifically specifically, what they seem to be claiming is that someone has taken account details from other breaches and attributed them to LiveJournal. Given that I know I, personally, use a LiveJournal-specific email address and I still got a breach notice from Have I Been Pwned? this is, to put it bluntly, full of shit.

Anyway, tl;dr:

  • change your password at LiveJournal and any other place you may have used the same password
  • don’t reuse passwords
  • activate multifactor where possible, particularly high-value accounts like email addresses and anything financial [1]
  • use a password manager. [2]

  1. Also, prefer hard tokens over soft tokens/apps over SMS codes.
  2. I use 1Password, which is nice but kinda expensive; LastPass and KeePass are more affordable options.
2020-05-28T10:09:03+10:00 | 28th May, 2020 | Tags: infosec, livejournal

Secwashing.

Interesting look at how Google’s “auto-delete” feature is essentially useless for protecting user privacy.

(Spoiler alert: it’s got to do with the value of user data over time. Basically, by the time Google allows you to auto-delete data from its services, it’s already extracted most of the value from those data.)

2019-12-03T10:51:52+11:00 | 17th March, 2020 | Tags: google, infosec, privacy

Kinda sorta.

Have you ever been in that situation where you kii-ii-ii-inda know your password, but not exactly? Like, you know it’s probably the name of a Naruto character but you can’t remember exactly which one, and that it’s got some 1337-speak in it but you can’t remember exactly where?

Well. There’s now an app (script) for that.

Of course the actual real-world use of this script will be password hacking based on recon about a target’s life. So if you know someone has three kids and a wife—or that they love Naruto—and you know their names and birthdays and anniversaries, you plug those values into this and… bam. Quicker than rainbow tables.

(And this is why you never base your passwords on things like your pets, hobbies, and/or family members, kids!)
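The defensive counterpart to the script above is a check that refuses passwords built from the very details an attacker could learn about you. The following is an added example, not the script the post links to: it canonicalises leet-speak on both sides, derives the usual digit forms from a date, and reports which personal-profile tokens survive inside a candidate password. The profile contents, the leet table and the `personal_info_matches` API are all assumptions constructed for the example.

```python
import re
from datetime import date

# Map common leet substitutions back to letters. "l", "1", "!", "|" all collapse to
# "i" so that "l33t", "1eet" and "leet" canonicalise to the same string.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i", "|": "i", "l": "i"})


def canon(text: str) -> str:
    """Lower-case, undo leet substitutions, drop separators."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def date_tokens(iso: str) -> set[str]:
    """Digit strings people typically build passwords from, given an ISO date."""
    d = date.fromisoformat(iso)
    return {
        f"{d.year}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}",
        f"{d.month:02d}{d.day:02d}{d.year}",
    }


def personal_tokens(profile: dict) -> dict[str, str]:
    """Canonical token -> original token for every name fragment and date form."""
    tokens = {}
    for name in profile.get("names", []):
        for part in name.split():
            if len(part) >= 3:
                tokens[canon(part)] = part
    for iso in profile.get("dates", []):
        for tok in date_tokens(iso):
            tokens[canon(tok)] = tok
    # Very short canonical tokens would match almost anything, so drop them.
    return {c: o for c, o in tokens.items() if len(c) >= 3}


def personal_info_matches(password: str, profile: dict) -> list[str]:
    """Return the profile tokens (original spelling) that appear in the password
    once both sides are canonicalised; an empty list means no obvious overlap."""
    pw = canon(password)
    return sorted(o for c, o in personal_tokens(profile).items() if c in pw)


# Constructed profile: the kind of detail the post says an attacker might know.
SAMPLE_PROFILE = {"names": ["Naruto", "Sakura Haruno", "Rex"], "dates": ["2014-06-12"]}

if __name__ == "__main__":
    for pw in ["N4ruto!2014", "S4kur4_Haruno12", "correct-horse-battery-staple"]:
        print(pw, "->", personal_info_matches(pw, SAMPLE_PROFILE) or "no personal-info overlap")
```

Because names and dates are canonicalised with the same table as the password, `N4ruto!2014` is caught as both `Naruto` and `2014`, while a passphrase with no personal tokens passes. A real policy check would also consult a breach corpus; this only covers the “things about your life” angle.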

2019-10-30T08:58:56+11:00 | 25th February, 2020 | Tags: infosec, tech

Everyone grade.

Before the Internet revolution, military-grade electronics were different from consumer-grade. Military contracts drove innovation in many areas, and those sectors got the cool new stuff first. That started to change in the 1980s, when consumer electronics started to become the place where innovation happened. The military responded by creating a category of military hardware called COTS: commercial off-the-shelf technology. More consumer products became approved for military applications. Today, pretty much everything that doesn’t have to be hardened for battle is COTS and is the exact same product purchased by consumers. And a lot of battle-hardened technologies are the same computer hardware and software products as the commercial items, but in sturdier packaging.

Through the mid-1990s, there was a difference between military-grade encryption and consumer-grade encryption. Laws regulated encryption as a munition and limited what could legally be exported only to key lengths that were easily breakable. That changed with the rise of Internet commerce, because the needs of commercial applications more closely mirrored the needs of the military. Today, the predominant encryption algorithm for commercial applications — Advanced Encryption Standard (AES) — is approved by the National Security Agency (NSA) to secure information up to the level of Top Secret. The Department of Defense’s classified analogs of the Internet — Secret Internet Protocol Router Network (SIPRNet), Joint Worldwide Intelligence Communications System (JWICS) and probably others whose names aren’t yet public — use the same Internet protocols, software, and hardware that the rest of the world does, albeit with additional physical controls. And the NSA routinely assists in securing business and consumer systems, including helping Google defend itself from Chinese hackers in 2010.

Bruce Schneier on encryption.

Some of you may recall that one of my Minor Fic Bugbears is any mention of “military grade encryption” because, well. This.

Also see: Any time any politician starts talking about adding in things like key escrow or backdoors into “consumer-grade” encryption (which is what Schneier’s full article is about). In the most generous interpretation, they want to take everyone back to Cold War-era export restrictions on encryption technology. Which… ye-ee-eah. Probably not gonna happen, hey.

2019-10-23T08:13:38+11:00 | 1st February, 2020 | Tags: infosec

You have been pwned.

Robert Graham from Errata Security gives a basic walk-through of just how easy it (potentially) is to “hack” people’s accounts.

“Hack” is in scare quotes here because there’s no actual hacking going on; Graham is just cross-referencing data sets, specifically looking for a target’s email address in the Have I Been Pwned database. HIBP doesn’t display hacked passwords/hashes directly, but it does provide details of which datasets an email is found in. Anyone with access to the original dataset—and they’re not that difficult to obtain, for someone motivated to look—basically then has a user’s password [1] and can potentially use it to breach someone’s other accounts.

The point of this, incidentally, is to point out how trivial this stuff is, and to stress the importance of tactics such as enabling multi-factor authentication and not reusing passwords [2] across websites. Nothing is foolproof, but the low-hanging fruit here is very low hanging, so… y’know. Go do something about that, maybe?

  1. Or, more accurately, the potential to obtain the user’s password.
  2. Or email addresses!
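The same breach corpora that make credential stuffing trivial can be used the other way round, to stop a reused or breached password being set in the first place, and HIBP’s Pwned Passwords service does this without ever seeing the password: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally. The following is an added example, not code from Graham’s post or from HIBP; the range response body is constructed (only the first suffix is the real SHA-1 of “password”, and every count is made up), and the live fetcher is included but not called so the example runs offline.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response. The key is the
# 5-hex-char prefix of SHA-1("password"); lines mimic the real SUFFIX:COUNT
# format, but the second and third suffixes and all counts are invented.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",
        "1E51C04F5A3DE2A2A8B6C5F6E9D0B3C1A4F:15",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Default fetcher: answers from the constructed sample, no network needed."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Lookup against the real Pwned Passwords range endpoint. Not invoked here;
    pass it as fetch_range to pwned_count to query the live service."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def hash_parts(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that leaves the
    client and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the corpus, 0 if never seen.
    Only the prefix is sent; the suffix comparison happens on this side."""
    prefix, suffix = hash_parts(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["password", "xK9#vQ2!pLm7"]:
        print(pw, "->", pwned_count(pw))
```

The k-anonymity trick is what lets a signup form reject “password” without shipping the password (or even its full hash) to a third party; the same injection point lets you point `pwned_count` at a self-hosted copy of the corpus instead of the public API.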
2019-03-25T09:59:47+11:00 | 12th September, 2019 | Tags: infosec

The oldene dayes.

*dons flat cap* In my day, you knew a site was hacked because you’d be greeted with green-on-black text stating the site was “0wned” by the “hackersaurus” and their “l33t crew”. You’d also get a few animated GIFs of skulls, and if you were really lucky, a picture of a big ol’ arse. But now… now it’s all stealthy crypto bullshit.

Jake Archibald on hacking.

This entire article is about what happens when packages (y’know, those bits of other people’s code you include in your code) go bad, which is also an interesting topic aside from the quote above that made me lol.

It’s called a supply chain attack, incidentally, and they’re getting more and more common. I mean, why hack one thousand apps when instead you can hack just one and get auto-updated into the thousand that use it as a dependency?
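The “auto-updated into the thousand” part is exactly what a lockfile with integrity hashes is meant to block: a build that only trusts an exact version plus the digest of the artifact that was reviewed will refuse a newer release, however it arrived. The following is an added example, not code from Archibald’s article or from any package manager; the lockfile, the fetched artifacts and the `verify_against_lock` helper are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: every dependency pinned to an exact version together with
# the SHA-256 of the artifact that was reviewed when the pin was added.
LOCK = {
    "left-pad-ish": {"version": "1.2.0", "sha256": sha256_hex(b"left-pad-ish 1.2.0 contents")},
    "http-client": {"version": "4.0.1", "sha256": sha256_hex(b"http-client 4.0.1 contents")},
}

# Constructed result of a resolve that honoured a floating range (say ^1.2.0)
# instead of the lockfile: one package silently moved to a newer, altered release.
FETCHED = {
    "left-pad-ish": {"version": "1.3.0", "content": b"left-pad-ish 1.3.0 contents plus something unreviewed"},
    "http-client": {"version": "4.0.1", "content": b"http-client 4.0.1 contents"},
}


def verify_against_lock(lock: dict, fetched: dict) -> list[tuple[str, str]]:
    """Compare what was fetched against the lockfile. Returns (package, problem)
    pairs; an empty list means every artifact matched version and digest."""
    problems = []
    for name, pinned in lock.items():
        got = fetched.get(name)
        if got is None:
            problems.append((name, "missing"))
            continue
        if got["version"] != pinned["version"]:
            problems.append((name, f"version drift {pinned['version']} -> {got['version']}"))
        # The digest check is the one that matters: a same-numbered release with
        # different bytes is still refused.
        if sha256_hex(got["content"]) != pinned["sha256"]:
            problems.append((name, "hash mismatch"))
    for name in sorted(fetched.keys() - lock.keys()):
        problems.append((name, "not in lockfile"))
    return problems


if __name__ == "__main__":
    for pkg, why in verify_against_lock(LOCK, FETCHED):
        print(f"REFUSE {pkg}: {why}")
```

Real package managers implement the same idea (`npm ci` against `package-lock.json` integrity fields, `pip install --require-hashes`); the point of the toy is that the decision is made on the digest of the bytes you reviewed, not on a version number the upstream controls.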

2019-01-17T08:37:09+11:00 | 1st June, 2019 | Tags: infosec, tech