SONY stored Passwords in Password Directory

And in unprotected documents.

Lots of passwords. Lots of documents. Lots of easy access.

Continue reading →

UnNeighborly Security

I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.

I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”

There goes the afternoon.

Continue reading →

Advertisement

Twitter Hacked Again, Change Password

Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.

Twitter says the passwords were encrypted, the intrusion was limited, and and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.

Continue reading →

Application Hacking Playground

The Taddong Security Blog has a great list of vulnerable web applications you can play with to learn and test your web hacking knowledge and pen-testing tools, handcuffs not included. In other words, you can enter and stay at the playground without going to jail.

Some of them you download and install on your own systems, some of them you run as virtual machines (VMs) or ISOs on your systems, and others are available on the web for your malfeasance pleasure.

Continue reading →

NFL Sprinkler Interruption a Hack?

NFL sprinkler hack?

When the sprinkler system caused an interruption of the Miami-Seattle NFL game on Sunday, November 25, no one called it a hack. Neither am I.

But if you heard about the event prior to reading this, did it cross your mind that it could have been a hack? What about other unusual events?

If not, and you’re an IT auditor or a security pro, you should at least consider such things, at least briefly. If not, you might want to check your professional skepticism sensor.

Continue reading →

Important update regarding your LinkedIn password = SPAM?

A friend of mine received the following email on Friday, 2 full days after the LinkedIn attack was made public, titled “Important update regarding your LinkedIn password”. Here’s the text she received, addressed to her by her first and last name:

[see UPDATE below]

Continue reading →

LinkedIn Hack: Don’t Just Change Password, Reconfigure

We all know that LinkedIn was hacked and lost at least 6.5 million hashed passwords, or at least that’s how many were was posted. Besides changing passwords, is anyone thinking about their LinkedIn lock-down/security settings? What about other social media? See further below instructions for locking down LinkedIn, Facebook, Twitter, and Google+.

Continue reading →

Web Hacking 101

If you want to learn about web hacking, Security Monkey* highlights 2 videos and 2 books on the subject.  The videos are very basic and over an hour long, and are free for the viewing.

The videos were presented by Dan Guido at Polytechnic Institute of New York University, a private technology university in Brooklyn, New York.

Continue reading →

WordPress Hacked, Attackers Gain Root

On 4/13/11, WordPress announced it suffered a root-level hack of their servers and that “anything on those servers could have been revealed.”

Nothing is said about WHEN the hack occurred. From experience, I can tell you that you generally don’t announce a security incident until you’ve investigated it thoroughly, and that can take at least a day, sometimes more, depending on whether you have experts in-house or can get them in a hurry.

This attack directly affects only blogs or accounts hosted by WordPress (in other words, your blog URL ends with “wordpress.com”. If you host your own WordPress blog, you are indirectly affected. How? Since WordPress source code may have been compromised, attackers may be combing through it to find vulnerabilities that will allow them to attack any blog running WordPress, regardless of where it’s hosted.

If you have a blog or account that is hosted at wordpress.com, at least do the following immediately:

Continue reading →

5 Security Steps for Non-Big Businesses

Lenny Zeltser suggest 5 steps that mid-market organizations can take down the security path:

1. Identify key data flows
2. Understand user interactions
3. Examine the network perimeter
4. Assess the servers and workstations
5. Look at the applications

Continue reading →

Computer Security Clockwork

CSO Simson Garfinkel notes that incorrect system time on your servers, clients, and devices (what I like to call “computer security clockwork”) can have the following effects:

• System logs are incorrect.
• Forensic investigations become more difficult.
• Scheduled jobs may occur too early, too late, or not at all.
• SSL certificate validity may be affected.
• Emails may be tagged as spam if they appear to have a future date.
• Electronic locks may open or lock inappropriately.

Continue reading →