Surviving the Week 6/8/2012

LinkedIn confirms hack, over 60% of stolen passwords already cracked

LinkedIn, one of the most popular professional social networking sites, has confirmed a compromise of user passwords. LinkedIn has confirmed a loss of 6.5 million user passwords. Some of the common passwords in use are ‘linkedin’, ‘linkedinpassword’, ‘p455w0rd’, ‘redsox’, ‘sophos’, ‘mcafee’, ‘symantec’, ‘kaspersky’, ‘microsoft’ and ‘f-secure’. LinkedIn hashed the passwords with SHA-1 and has also confirmed that it uses salting to store passwords. It is advisable to change your LinkedIn password immediately.

http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/
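
As an added example (not from the original post or from any LinkedIn code), the following Python shows why a single fast SHA-1 pass gives little protection to the common passwords listed above, next to per-user salting with a slow key-derivation function. The user table, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# The common passwords quoted in the post, used here as the audit wordlist.
COMMON = ["linkedin", "linkedinpassword", "p455w0rd", "redsox", "sophos",
          "mcafee", "symantec", "kaspersky", "microsoft", "f-secure"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def sha1_hex(password: str) -> str:
    """Weak scheme: one unsalted SHA-1 pass over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_unsalted(stored: dict[str, str]) -> dict[str, str]:
    """Defender-side audit: flag accounts whose unsalted SHA-1 hash matches a
    known-common password. One precomputed table covers every user at once."""
    table = {sha1_hex(p): p for p in COMMON}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed user table: two users share a common password.
    users = {"alice": sha1_hex("redsox"), "bob": sha1_hex("redsox"),
             "carol": sha1_hex("v9#Lq2!xT7pd")}
    print("flagged by audit:", audit_unsalted(users))
    s1, d1 = hash_password("redsox")
    s2, d2 = hash_password("redsox")
    print("same password, different stored values:", d1 != d2)
    print("verification still works:", verify_password("redsox", s1, d1))
```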

Other major sites are discovering (or finally going public with the fact)
that their passwords have also been stolen.  Sites like Lastfm.com and
eHarmony.com are the latest to jump on the bandwagon.  Maybe they think
this could turn out like TJMaxx.

Data correlation tools are in every good data breach toolbag.  If you
have accounts across different major sites and the profiles from these
sites are stolen and correlated, what could be learned about you?  Do
you use the same password?  If so, I could assume that you have a PayPal
account, with a high potential of the same password or of passwords that
are “close” to each other.

If you’re not using a password manager, I suggest you begin.  There are
a lot of options.  On Windows, I’ve been a KeePass ( http://keepass.info/ )
user for years.  While writing this, I discovered Password Gorilla
( https://github.com/zdia/gorilla/wiki/ ), which looks interesting as it’s
cross-platform.  mSecure is interesting, but pricey across
multiple platforms ( https://msevensoftware.com/ ).  A few readers have responded and added that 1Password is a good option as well ( https://agilebits.com/onepassword ).

Chrome XSSAuditor bypass with leading comment

XSS has been listed in the top two security vulnerabilities for quite some time now. Most modern browsers now come with XSS protection, and a lot of applications rely on this client-side protection provided by browsers. From time to time, it has been observed that this client-side (browser) validation can easily be bypassed. The following link demonstrates 10 methods to bypass Chrome XSSAuditor. Rather than relying on browsers, applications still need to fix the problem at their core. Test your application using NTOSpider to find out whether your application is vulnerable to XSS.

http://code.google.com/p/chromium/issues/detail?id=130594

Seven Web Server HTTP Headers that Improve Web Application Security for Free

We see vulnerabilities in most of the applications we test. The HTTP protocol provides some basic protections that most applications do not implement. The following is a very comprehensive list of HTTP headers that provide protection against web application attacks.

http://recxltd.blogspot.co.uk/2012/03/seven-web-server-http-headers-that.html

 

One thought on “Surviving the Week 6/8/2012”

  1. It’s good to see someone mentioning that users not only change their LinkedIn password, but also change it for any account that uses the same password, or even a similar password.

    It’s also important to point out that users should aim to create a single point of failure, meaning that when one password is compromised, it only fails in that one point, not across a multitude of platforms. This can even be achieved by creating three different tiers of password: a weaker one you use for less important accounts (throw-away accounts with little information behind them), a more secure password for moderately important accounts, and a different highly-secure password for high-value accounts (bank log-ins, etc.).

    Port80 also develops tools for Web app security and some of the things mentioned in the last link (like cache control), which – for those interested in learning more – we have some additional presentations on: http://www.port80software.com/support/tutorials.asp
