Search This Blog

Friday, June 29, 2012

(I) Skype Supernodes are dead...Long live thousands of Linux servers hosted by M$




Yup, Microsoft updated Skype in May to do away with the Supernodes concept which had hijacked many a computer to relay Skype info.

Even more interesting is Microsoft is using LINUX servers to be the the Supernode servers. Hosted in their many data enters around the world, yes Linux, not Windows.... Have no fear, I am sure Microsoft will port the code to the next version of Windows server.. Just guessing...

The importance of this change means all those people who had their computer hijacked by the Skype Supernode formula and thus suffered performance issues can now fix and avoid the issue by upgrading Skype to the latest version.

In addition corporate users and and administrators can relax a bit knowing Supernodes will stop consuming computer CPU when Skype is installed and meets the Skype Supernode criteria and not freak out us InfoSec folks seeing all this traffic on a users system.

arsTechnica article on the new Skype Supernodes

#InfoSec #Skype

Thursday, June 7, 2012

(I) How you can mitigate the LinkedIn and e-not-so-Harmony breaches -LastPass





Be aware that hackers create scripts to use compromised credentials to attempt logging in to other websites, it is easy to do... Presidential candidate Mitt Romney had his Email account hacked and the hackers tried the same credentials on his Dropbox account and low and behold they were the same... 2 birds with one stone... Popped and pwned... And WHY password reuse is a bad, VERY bad idea! This occurred with the Gawker hack as well in late 2010.

Use the LastPass LinkedIn tool to see if your account is within the hacked credentials:

LastPass LinkedIn hacked account tool website

While checking my own LastPass vault for any threat due to the LinkedIn breach, I stumbled upon 2 bugs that I worked with LastPass to verify, one that is due to FireFox ver 13 ( don't upgrade), the other with their Security Challenge); but I also found a way to use LastPass to check and remediate your credentials when a cloud provider is breached.

First off I am assuming like most users that you indeed use the same 'name@email.com' username and 'password' for multiple websites. It goes without saying you should never use the same password for multiple websites since most usernames these days are your email address, but many people do, so we will roll with it for this example.

I was curious in my own LastPass vault of 170+ logins if I had any username/password combos that matched my LinkedIn credentials or if any were in fact duplicates...

I recalled the LastPass Security Challenge I have blogged about before (found here)

LastPass Security Challenge website

And recalled it showed you sites that had the same password grouped by similar password and it nicely shows you the username for each within a grouping.

So how do you use this to check and remediate?

First: Install and use LastPass of course
Second: Run the LastPass Security Challenge by either selecting the "LastPass icon-Tool-Security Check" or by using this URL:

Third: Once the Challenge completes, scroll down to the 'Sites with similar passwords' area, and there will probably be several since you reuse passwords and you will see all sites with the same password grouped together (the password is NOT visible unless you select 'Show'.

Review the list(s) to see if a username (your email) from a site (LinkedIn, eHarmony, Zappos, Gawker, etc.) that was compromised matches other sites where you are using the same password. If you are... Visit the site, change your password (use the LastPass unique generator) and update your vault!

You can quickly go through all similar credentials and change them to hopefully something unique so you don't have this issue in the future when another service you use gets popped, and they will, bet on it!

* NOTE: LastPass ignores case and spaces in the challenge evaluation so some passwords may be grouped as similar when they could be very different. They do this since some sites convert to one case and strip spaces.

Again, LastPass rocks ! And allows you to quickly remediate any username/password issues you might have after a breach of a Cloud provider you might use!

Want to know if an email address you use has a known password from one of the many breaches? Check it using the following website:

Pwned List website

Put in your email(s) and see if it shows up.. If so, you have a LOT of passwords that need changing.

#InfoSec #LastPass

Wednesday, June 6, 2012

(W) Chase banking users beware !!!



I recently received the following email and informed my Brother-In-Law NOT to take action as banks like Chase would NEVER send a generic email with links that are cryptic... Or would they?


I had my Bro-In-Law go into a local Chase Bank Branch and ask the manager about it and verify it. Turns out the Bank manager also had never seen such an email.
It was a notification from Adeptra Fraud prevention service used by Chase informing my Bro-In-Law that his Debit account account (yup.. debit) was used to purchase computer equipment in Honduras of all places and to approve the purchase or report it as fraud.

Really Chase and Adeptra, I mean REALLY ??? WTF !

He did call Chase after my warning and indeed it was fraud and thus a victim of Card Skimming as Brian Krebs writes so much about. His debit card number was skimmed somewhere and thusly used for nefarious charges by Honduran ne'er-do-wellers. He cancelled his card and got a refund very quickly. Remember Debit unlike Credit Cards are linked directly to your Checking account! If you get skimmed you might have an issue paying your mortgage and car payment before your case is resolved and you only have a few days to detect the fraud or the bank might not believe you.

Banks should NEVER send this type of email with links or telephone numbers. Rather they should tell you to call or visit your local branch (a number you should know) and ask to be transferred to the Fraud department, no email, no telephone, just URGENT - CONTACT US!!!

There are lawsuits over Wire Transfer Fraud where affected bank users felt their bank communication methods conditioned them to click on links in emails. This IS and always WILL BE a very BAD practice. Financial and Health organizations should never do this in emails.

Remember these Tips when using your Debit/ATM card.

1. When you use your Debit Card on a device that is outside or portable ATM or bad part of town... bad things can happen.
2. Be careful when you use your Debit Card and NEVER let it leave your sight when used, preferably never let it leave your hand.
3. If you need cash.. Go to a WalMart or Grocery store and buy a pack of gum and get Cash Back. These units are less likely (not impossible) to be modified with skimmers.
4. Contact your financial institution if you ever get an email with links to verify it is REAL.

Brian Krebs BLOG on Skimmers

#InfoSec #Fraud #Skimming

(I) Funny video on what people think about Computer Security




I laughed my pASSword off watching this. Describe Computer Security in one word...

Hilarious... maybe not so much after the LinkedIn breach.

YouTube video on describing Computer Security

#InfoSec

(W) Warning - LinkedIn Hacked ! Change your password NOW




Well, yet another large Cloud service provider has fallen and 6.5 million usernames and passwords have been popped as we say.

If you use the email address and password for your LinkedIn account for other websites... you may be in for some compromised accounts in the near future... Change all web logins you have that are the same email and password as LinkedIn immediately !!!

Graham Cluley from Naked Security gave a nice summary of how to change your LinkedIn password:

Naked Security Blog on Changing LinkedIn password

Why is this a problem ?

Most users of Internet Cloud Services reuse the same password for multiple websites, if not most or all websites. In late 2010 Gawker was popped and their user credential database taken. Providers like Facebook, Twitter, Hotmail, Yahoo, Google, LinkedIn and others locked/reset their users accounts that were found in the Gawker breached data. Because they know like we do in InfoSec that people reuse passwords across the InterWebbings and these providers did not want a massive user accounts compromise to deal with, so the accounts were locked and/or passwords reset.

Time will tell if the LinkedIn breach results in the same account lockout across the net, it should as those of us with LinkedIn accounts, CLEARLY use all the InterWebbings has to offer.

Want to protect yourself from this type of breach? Use a password manager solution like LastPass. Let LastPass remember your logins and use the Password Generator LastPass offers to create ridiculously good passwords. You now need only remember your master password to gain access to your vault and thus all your logins... and don't forget to add Google Authenticator or YubiKey for 2 factor authentication to further protect your vault from nefarious ne'er-do-wellers. Both solutions are FREE !

LastPass website

More on the LinkedIn breach HERE

More details about the LinkedIn hashes

#InfoSec #LinkedIn #Breach