Archive for the ‘Computer Security’ Category
I’ve seen several people recently discussing how LastPass protects your LastPass master password and your encrypted site password data (a.k.a., your vault). If what some of those people were saying were true, then LastPass wouldn’t be as secure as I thought it was. This gave me pause, since I use LastPass to store all my passwords, so I decided to do some research to try to understand for myself exactly how it works. Now that I’ve done that, it seems to me that others might benefit from my research, and in any case writing it down will clarify it in my own mind, so here it is.
Those of us who help create and maintain “the internet” that everyone benefits from are now tasked with helping the world recover from one of the biggest, if not the biggest, security holes in the history of the internet.
To be certain they aren’t vulnerable, users need to change their passwords at every site that was at any point vulnerable to a Heartbleed attack. But a site has to be patched, and its SSL certificate has to be reissued with a newly generated secret key, before its password should be changed; otherwise, the new password is just as vulnerable to Heartbleed as the old one was. What’s more, you can’t just look at the start date of an SSL certificate to determine whether it was reissued, because that doesn’t tell you whether the site was patched before the certificate was deployed, and worse than that, some CAs (e.g., Digicert) quite reasonably re-key certificates without changing their original start dates.
I have passwords at over 500 sites. I’m sure there are people who use many more sites than that. Manually figuring out which sites need their passwords changed, and when to change them, and keeping track of which ones have been changed, is an impossible task.
What we need is a standard, widely adopted way for web sites to indicate, in a way that can be easily interpreted by software, whether they were ever vulnerable to Heartbleed, and if so, when the vulnerability was patched. Then browsers and password keepers such as LastPass can easily determine and track which user passwords need to be changed, and warn the user.
Don’t use a self-signed SSL certificate for your web site.
Way to go, Incapsula!
The email identity thief who has been using my email address on-line for years, who apparently goes by the name Diallo Mamadou Oury in real life, has just posted this inexplicable comment on my blog. I posted a response, but I somehow doubt he’ll read or respond to it.
I sure wish I knew what the hell he gets out of all this.
I have no idea why Diallo Mamadou Oury, who lives in Dakar, Senegal, insists on using my email address to sign up for services and web sites all over the Internet (previous postings). But since he apparently feels entitled to share my personal information without my consent, I have no compunctions about sharing his. Here’s an email message that landed today in my inbox:
For some inexplicable reason, some guy who identifies himself as Mamadou Diallo, a.k.a. Bouba Diallo, has been creating accounts all over the internet using my email address for over two years now. I’ve written about this several times before.
It’s still going on… I just got an email indicating that he created a Yahoo! account (“m.diallo76”) on May 6 using my email address. Needless to say, as has been my practice, I took over the account and closed it.
I wish I knew what the hell was going on here or what the perpetrator hopes to gain by doing this. I’ve wracked my brain but haven’t been able to come up with any ideas for how this might benefit him. Someone purporting to be him posted a comment on my blog in November 2012, but it just made things weirder, without shedding any light on what’s going on. That comment probably really was posted by him, since the IP address it came from shows up as Dakar, Senegal in GeoIP lookups, and that’s where he claims to live in the accounts that he creates.
If anybody has any ideas about what might be going on here, I’m all ears.
The privacy of our email is protected by the Electronic Communications Privacy Act, passed in 1986, which requires law-enforcement officials to obtain a warrant to intercept and read private email.
However, the law has a critical flaw: it does not require a warrant for emails “left on servers” for more than 180 days. This made sense when people downloaded their email and deleted it from servers, but it’s completely obsolete in an era when email is left on servers so that people can access it from anywhere on any device.
A coalition of email service providers is seeking a revision of the law to treat email stored on servers the same as email stored on home computers. This revision should be written into law and signed by President Obama as quickly as possible to protect the privacy of American citizens’ email.
Please sign and pass on this petition to help convince President Obama and Congress to fix the ECPA!
For a while now, the web browser vendors and major purveyors of targeted internet advertising have been working on a proposal for allowing users to prevent web sites from tracking their online activity and using it to “customize their web browsing experience,” a.k.a., displaying targeted advertisements which are, theoretically, tailored to the person viewing them.
Web tracking and targeted advertising is big business. In fact, some would say that without it, most of the free web sites you visit every day simply couldn’t exist. Facebook, HuffPo, Reddit, Gawker, etc. all pay the bills by selling advertising that is carefully targeted to individual users based on their past web browsing activity.
“Do Not Track” advocates say that users should have the right to preserve their privacy. Opponents, on the other hand, say that it improves everyone’s web experience by making it more likely that the content and ads they see will be interesting to them, and that (as noted above) without targeted advertising, many web sites simply could not afford to continue offering free content. Advocates respond by saying that whether someone’s web experience is targeted should be their choice, and that if targeted advertising becomes less profitable, web sites will be able to find other successful monetization strategies.
A recent security breach exposed the plaintext usernames and passwords of almost 100,000 members of IEEE, the Institute of Electrical and Electronics Engineers. The usernames and passwords were discovered by a researcher in 100GB of log files inadvertently left open to the public on an IEEE FTP server.
Leaving aside for the moment how incredible it is that the IEEE would employ someone so incompetent as to think it’s OK to put passwords in a log file (well-known best practice in the industry is not only that you don’t log passwords, but you’re even discouraged from logging usernames on login forms, because people so frequently type their password accidentally into the username field), I want to instead comment on this graph that ArsTechnica published in their story about the breach:
(The graph was apparently published by Radu Dragusin, the researcher who discovered the breach.)
More accurately, I want to comment not on the graph itself, but rather on the caption which ArsTechnica published beneath it: “A breakdown of the 18 most common passwords exposed by IEEE suggest [sic] that engineers aren’t much better than lay people at choosing secure passcodes.”
In December 2010, the Wall Street Journal published a similar graph in an article about the breach of passwords for 188,279 users at Gawker. “123456” was the most common password there as well. That graph showed that approximately 3,077, or 1.6%, of the 188,279 Gawker users chose the password “123456”. In contrast, only 271 of the 99,979 IEEE users, or 0.3%, chose that password.
Contrary to ArsTechnica’s caption, it would seem that IEEE users are “much better than lay people at choosing secure passcodes.”
UPDATE [2013-02-13]: According to this article on Craigslist, as of February 10, 2013, they have implemented and are testing the idea I described below for fixing the problem described in this posting.
I recently placed a for-sale ad on Craigslist. I anonymized my email address in the ad, which means that the published email address was a random one at craigslist.org, and any responses sent to that address would be forwarded on to me.
Within 24 hours of placing the ad, someone responded to it, but the response contained nothing but the standard Craigslist boilerplate and a copy of the first line of the ad.
I thought perhaps the sender had made a mistake, or perhaps Craigslist’s mail gateway had corrupted the response, so I sent back a reply: “Are you interested in the [item]? You don’t seem to have said so in your email.”
Within 24 hours of sending my reply, I started to receive supposed responses to my ad, sent directly to my real email address, not through the anonymous address at craigslist.org. Some of these responses even used my real name in them. I received six such emails in three days. Yikes!