LinkedIn confirms hack, over 60% of stolen passwords already cracked
Linkedin, one of the most popular professional social engineering sites has confirmed a compromise of the user’s password. LinkedIn has confirmed a loss of 6.5 million user passwords. Some of the common passwords in use are – ‘linkedin’, ‘linkedinpassword’, ‘p455w0rd’, ‘redsox’, ‘sophos’, ‘mcafee’, ‘symantec’, ‘kaspersky’, ‘microsoft’ and ‘f-secure’. LinkedIn hashed the passwords with SHA-1 and they have also confirmed to use SALTing to store passwords. It is advisable to change your linkedin password immediately.
Other major sites are discovering (or finally going public with) their
passwords have also been stolen. Sites like Lastfm.com and eHarmony.com
are the latest to jump on the bandwagon. Maybe they think this could
turn out like TJMaxx.
Data correlation tools are in every good data breach toolbag. If you
have accounts across different major sites and the profiles from these
sites are stolen and correlated, what could be learned about you? Do
you use the same password, if so, I could assume you to have a paypal
account and a high potential of the same password or even passwords that
are “close” to each other.
If you’re not using a password manager, I suggest you begin. There are
a lot of options. On Windows, I’ve been a KeePass, http://keepass.info/
user for years. With writing this, I discovered Password Gorilla,
https://github.com/zdia/gorilla/wiki/ that looks interesting as it’s
cross platform. mSecure is interesting, but pricey across
multiple platforms, https://msevensoftware.com/ A few readers have responded and added that 1Password is a good option as well, https://agilebits.com/onepassword
Chrome XSSAuditor bypass with leading comment
XSS has been listed in top two security vulnerabilities for quite some time now. Most modern browsers now come with XSS protection and lot of applications rely on these client side protection provided by browsers. From time to time, it has been observed that these client side (browser) validation can easily been bypassed. The following link demonstrates 10 methods to bypass Chrome XSSAuditor. Rather than relying on browsers, applications still need to fix the problem at their core. Test your application using NTOSpider to find out whether your application is vulnerable to XSS –
Seven Web Server HTTP Headers that Improve Web Application Security for Free
We see vulnerabilities in most of the applications we test. There are some basic protections which the HTTP protocol provides which most applications do not implement. Following is a very comprehensive list of HTTP headers which provides protection against web application attacks.