Tuesday, June 26, 2012

Our password hashing has no clothes


In the beginning, there was password hashing and all was good. The one-directional nature of the hash meant that once passed through a hashing algorithm the stored password could only be validated by hashing another password (usually provided at logon) and comparing them. Everyone was happy.

Then along came those pesky rainbow tables. Suddenly, huge collections of passwords could be hashed and stored in these colourful little tables then compared to existing hashed passwords (often breached from other people’s databases) at an amazing rate of knots thus disclosing the original plain text version. Bugger.

So we started seasoning our passwords with salt. Adding random bytes to the password before it was hashed introduced unpredictability, which was the kryptonite to the rainbow table's use of pre-computed hashes. Suddenly, those nice tables of hashes for passwords of common structure became useless: with a different salt per account, the stored hash no longer matched any pre-computed one, and the table would have to be rebuilt for every salt.

But now there's an all new threat which has turned the tables on the salted hash: Moore's law. Of course Moore's law in itself is not new; it's just that its effect on processing power has reached the point where what was once a very computationally high bar, computing vast numbers of hashes by brute force, is now rapidly becoming a very low bar. Worst of all, it leaves our hashed passwords vulnerable to the point that many existing accepted practices make salting and hashing next to useless.
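As an added example (this is not code from the original post), the following Python script walks through the three stages above: a pre-computed lookup table cracking an unsalted SHA-1 hash instantly, the same table missing once a salt is added, and then a plain guessing loop cracking the salted hash anyway because each SHA-1 guess is so cheap. As the practitioner's caveat, it finishes with the same guessing loop against a deliberately slow, tunable key derivation function (PBKDF2-HMAC-SHA256 from the standard library, chosen here as a stand-in for the slow hashes the post is building towards; the excerpt itself does not name one). The password list and the salt-prepended storage convention are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample input for this example: a tiny dictionary of common passwords.
# A real lookup or rainbow table holds billions of entries, but the mechanics are the same.
COMMON_PASSWORDS = ["123456", "password", "Password123", "letmein", "qwerty", "linkedin"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_hash(password: str) -> str:
    """The pre-rainbow-table era: store SHA-1(password) and nothing else."""
    return sha1_hex(password.encode("utf-8"))


def salted_hash(password: str, salt: bytes) -> str:
    """Salt prepended to the password before hashing (storage convention assumed here)."""
    return sha1_hex(salt + password.encode("utf-8"))


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; afterwards any unsalted hash is a dict lookup."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored_hex: str):
    """Offline, precomputed attack: no hashing at attack time, one lookup per stored hash."""
    return table.get(stored_hex)


def brute_force_salted(stored_hex: str, salt: bytes, candidates, hash_fn=salted_hash):
    """Salt defeats precomputation, so the attacker must hash each guess with this salt.
    The cost per account is len(candidates) evaluations of hash_fn, and that per-guess
    cost is exactly what cheap, fast hardware has made negligible for SHA-1 and MD5."""
    for guess in candidates:
        if hmac.compare_digest(hash_fn(guess, salt), stored_hex):
            return guess
    return None


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """A deliberately slow, tunable KDF (PBKDF2-HMAC-SHA256, standard library).
    Raising `iterations` raises the attacker's cost per guess by the same factor,
    a lever that a fixed-cost hash like SHA-1 simply does not have."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def guesses_per_second(hash_fn, salt: bytes, seconds: float = 0.5) -> float:
    """Rough single-core benchmark of how many salted guesses hash_fn allows per second."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hash_fn(COMMON_PASSWORDS[n % len(COMMON_PASSWORDS)], salt)
        n += 1
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    salt = os.urandom(16)
    table = build_lookup_table(COMMON_PASSWORDS)

    # 1. Unsalted: the precomputed table cracks it with a single lookup.
    print("unsalted lookup:", lookup(table, unsalted_hash("Password123")))
    # 2. Salted: the same table misses, because the stored hash is over salt+password.
    print("salted lookup:  ", lookup(table, salted_hash("Password123", salt)))
    # 3. ...but a salted fast hash only forces the attacker to guess, which is cheap.
    print("salted brute:   ", brute_force_salted(salted_hash("Password123", salt), salt, COMMON_PASSWORDS))
    # 4. The same guessing loop against the slow KDF still works, but each guess now costs
    #    ~200,000 HMAC evaluations instead of one SHA-1 block.
    stored = slow_hash("Password123", salt)
    print("pbkdf2 brute:   ", brute_force_salted(stored, salt, COMMON_PASSWORDS, hash_fn=slow_hash))
    print("SHA-1 guesses/s: %.0f   PBKDF2 guesses/s: %.1f"
          % (guesses_per_second(salted_hash, salt), guesses_per_second(slow_hash, salt)))
```

The benchmark at the end is the whole argument in two numbers: a salt changes nothing about how many guesses per second the attacker gets, only whether the guesses can be precomputed, so the defence has to come from making each guess expensive.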

Read more

Tuesday, June 19, 2012

!!16 TIPS FOR RUNNING A SUCCESFULL PHISHING SCAM!


Phishing scams are getting tougher to pull off these days. All those damn email client and browser defences are getting in the way of hardworking phishermen and women going about their daily business. But – dear phisherpeople – you’re also not doing yourselves any favours when it comes to crafting a veneer of decency and honesty in your communications, in fact I propose that you’re missing a significant number of opportunities by neglecting some basics.

So let me share some insight, if you will, into a handful of key techniques you might employ to introduce a little professionalism into your craft. They’re not big things, but they do raise the bar a little on the measure of how foolish you need to be to fall for one of these things in the first place.


Read more

Thursday, June 7, 2012

I’d like to share my LinkedIn password with you – here’s why


No really, this is my LinkedIn password:

y>8Q^<6mqKEA4hac

Well it was my LinkedIn password until earlier today when it became apparent that LinkedIn had suffered what could only be described as a massive security breach. The disclosure of 6 million passwords used in one of the world’s premier social networking sites is nothing short of astonishing.

But what’s also astonishing is that this exercise once again demonstrates that we, as users, are continuing to choose outrageously stupid passwords. How do I know this? Take a look at leakedin.org and try something obvious:

Checking the password "Password123"

And here it is:

Password has been cracked

Now try your old LinkedIn password which, of course, you’ve already changed. Don’t worry, the site hashes it in the browser then sends the hash to the server to match against the LinkedIn breach. Still don’t trust it? Is that because you’re concerned about the other places you’ve used that password? And therein lies the problem.

Read more

Tuesday, June 5, 2012

How LogMeIn is enabling scammers to profit


There’s a pattern in the following stills from various scammer videos, see if you can spot it.

Here’s one run by Comantra I captured back in Feb:

Scam call 1 - Feb 2012

And here’s another one from when an unknown scammer called me in late April:

Scam call 2 - April 2012

Read more