Tag Archive: hacker community

Anyone who knows me probably knows this is one of my biggest pet peeves. I see this happening every day, but from a large site like LinkedIn... shame on you. As all of you probably know by now, a post was made to a Russian site containing more than 6.5 million SHA-1 hashed LinkedIn passwords, with the aim of getting them cracked.

Now for all of you who have gotten into protecting sensitive data, I am sure you understand the problem with just hashing a password with SHA-1 and no salt. If an attacker is able to determine the algorithm used to hash the password, then the rest is fairly easy. The simpler passwords can be uncovered fairly quickly, leaving the more difficult ones, which, once broadcast to a hacker community, will take no time to be uncovered as well.

Salting a password is the process of adding random bits to the password before it is hashed. This makes it much more difficult for an attacker to crack, because they would not only have to hash their dictionary of passwords, they would have to hash each of those passwords once for every salt in use. This eats up their storage and computing power quite fast, creating a very expensive and difficult task for the attacker. They would need a large budget along with tons of storage space and computing power to break a salted and hashed password. Whereas with just a plain SHA-1 hashed password, an attacker only has to hash each password guess once and compare it to the hash value they have. If the value does not match, they can just move on to the next dictionary hash instead of trying salted variations of the same password.
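To make the cost argument concrete, here is an added Python example (not code from the original post) that stores the same constructed set of users two ways: plain SHA-1, and SHA-1 over a random 16-byte per-user salt. It then shows what a precomputed dictionary table recovers in each case. The user names, passwords and dictionary words are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: two users happen to share the same weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}

# Constructed sample dictionary an attacker might pre-hash once.
DICTIONARY = ["password", "letmein", "123456", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: same password -> same digest for everyone."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt followed by the password."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What LinkedIn-style storage looks like: user -> plain SHA-1 digest."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Salted storage: user -> (salt hex, digest). The salt is stored in the clear;
    its job is to make every stored hash unique, not to be secret."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt.hex(), salted_sha1(pw, salt))
    return records


def verify_salted(records: dict, user: str, candidate: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare in
    constant time so the comparison itself leaks nothing about the digest."""
    salt_hex, digest = records[user]
    computed = salted_sha1(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, digest)


def precomputed_table(dictionary: list) -> dict:
    """The attacker's one-time work: digest -> word, hashed exactly once."""
    return {unsalted_sha1(word): word for word in dictionary}


def table_hits_unsalted(dictionary: list, unsalted_records: dict) -> dict:
    """One table lookup per stored hash recovers every user with a dictionary
    password, and identical passwords fall together."""
    table = precomputed_table(dictionary)
    return {u: table[h] for u, h in unsalted_records.items() if h in table}


def table_hits_salted(dictionary: list, salted_records: dict) -> dict:
    """The same table against salted records: nothing matches, because each
    stored digest depends on a salt the table was never built with."""
    table = precomputed_table(dictionary)
    return {u: table[h] for u, (_, h) in salted_records.items() if h in table}


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("unsalted: alice == bob ->", plain["alice"] == plain["bob"])
    print("salted:   alice == bob ->", salted["alice"][1] == salted["bob"][1])
    print("table recovers (unsalted):", table_hits_unsalted(DICTIONARY, plain))
    print("table recovers (salted):  ", table_hits_salted(DICTIONARY, salted))
    print("login alice/letmein:", verify_salted(salted, "alice", "letmein"))
```

The salt forces the attacker to redo the dictionary work per user, which is the multiplication in cost the paragraph above describes. Current practice goes one step further than this example and pairs the per-user salt with a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) rather than a single fast SHA-1 round, so that even the per-user work is expensive.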

So as you can see, the time and expense to crack salted passwords can be astronomical, and even a deterrent for an attacker attempting to grab hold of your data. With all the problems these days of information being leaked or stolen, you would think that a site like LinkedIn would have been more mindful of the world we live in and not assumed that the password obscurity they were using was "Good Enough". If in fact the attackers have usernames tied to these passwords, the truth is that most people reuse their usernames and passwords. So if an attacker grabs your information from one site, they could potentially try that same combination on other sites you visit. Thinking that the breach that happened to LinkedIn is confined to that site is ignorant. Don't fool yourselves: change your password everywhere you use it.

My recommendation to you is to change your passwords. Try not to reuse a password across many sites. Come up with a methodology for your passwords so that, if you do have to reuse them, you have a system for which password you use where. This will make it more difficult for someone to reuse your password to gain access to more of your personal information.

Welcome everyone. I hope all the information on this blog intrigues and informs those of you trying to stay on top of our fast-moving field of computing. One of the things I have been trying to stay on top of is what is latest in the hacker community. Good admins cannot be complacent and think their networks are secure and out of harm's way. Hackers today are some of the most intelligent and innovative thinkers out there. They will find a way into anyone's network if they want to. Our job is to be up on the latest exploits so that we can readily identify a breach if and when it happens, and by doing this you mitigate your risk and exposure.

One of the new trends out there that I have talked about before is social engineering: the art of convincing someone to do something that gives an attacker access to your PC or network. Growing up, I always thought hackers were socially inept people who stayed in their mothers' basements, punching out code and playing video games. I have been proven wrong; today some of the easiest ways into a system are through the person who owns it. By preying on the ignorance of the owner of the PC or network, attackers can gain access and have a field day at your expense.

We all would like to think that we are smarter than simply opening a door and letting a stranger in, but the fact is a lot of us do just that. Obviously we would not let in someone who calls up or emails and asks for access, but what if that call or email looked official, or put a scare into you so that you reacted quickly without thinking? This is what social engineering is about. Have you ever received an email that looked like it came from your bank, saying that your account will be closed unless you click on the link and verify your information? Many of us have received them, and many of us have read one, gotten scared that it would really happen, clicked on the link and handed over everything needed to get into our bank account. That is scary in and of itself. I have read these emails before, stepped back and laughed, thinking "who would fall for this?". Well believe me, many people do.

The latest is now happening in Columbia, where people are receiving emails claiming to be from the transportation authority. The email claims that the person has committed infractions and provides links for the user to click on. It builds up fear in the person so they make an otherwise irrational decision and click on the links in the email in order to "view" the details of the infraction. In reality, what they are clicking on are attached files which, once opened, install themselves on the PC, connect back to a botnet and feed information to the attacker. See the diary entry here from ISC (the SANS Internet Storm Center), a leader in security on the web: https://secure.dshield.org/diary.html?storyid=13309
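The two tells in the infraction-notice scam above, a link whose visible text does not match where it really points and an "attachment" that is actually an executable, are both mechanically checkable before a user ever sees the mail. The following Python example is added here and is not from the original post or from ISC; it builds a constructed sample message modelled on that description (the sender, host names and file name are made up, and 198.51.100.7 is a documentation address) and runs a small indicator scan over it using only the standard library.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run as code when double-clicked on Windows (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Host name of a URL or bare host string, lower-cased."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable findings for the indicators described in the post."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"executable attachment: {filename}")
                if filename.count(".") >= 2:
                    # e.g. details.pdf.exe: a document icon hiding a program
                    findings.append(f"double extension: {filename}")
        elif part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.anchors:
                shown = host_of(text) if "." in text else ""
                if shown and shown != host_of(href):
                    findings.append(f"link text {shown} points to {host_of(href)}")
    return findings


def build_sample() -> str:
    """Constructed lure modelled on the infraction-notice scam (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "notifications@transit-authority.example"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Pending traffic infraction"
    msg.set_content("You have a pending traffic infraction. See the attached details.")
    msg.add_alternative(
        '<p>View the infraction here: '
        '<a href="http://198.51.100.7/infraction">www.transit-authority.example</a></p>',
        subtype="html",
    )
    msg.add_attachment(
        b"MZ-placeholder-not-a-real-binary",
        maintype="application",
        subtype="octet-stream",
        filename="infraction_details.pdf.exe",
    )
    return msg.as_string()


if __name__ == "__main__":
    for finding in phishing_indicators(build_sample()):
        print("-", finding)
```

Neither check proves a message is malicious on its own, but either one is enough reason for a mail gateway to quarantine the message or for a user to stop and ask before clicking, which is exactly the pause the scam is designed to prevent.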

Gone are the days of the standard brute force attack or trying to get into a system from the outside. Why do all that hard work when you can just get the person to open the door and let you in? That is certainly the easier path sometimes, especially when people do not know about these scams. Please protect yourselves: ask questions, get involved in the communities out there and educate yourselves. The information is free and extremely valuable. It could save you and your information.
