I received an email from Have I Been Pwned this morning, the incredibly useful service that lets you know if your username and password were released in a data breach. This time around it was last.fm, a streaming radio station that was pretty popular a long, long time ago. I went to log into the system and checked my gmail account for email from last.fm to see if I had my membership confirmation email. Nothing. I had one email from last.fm back in 2008 when I had received a friend request (I am so popular!), which was actually a spam request.
Obviously I had not used the service for a very, very long time. The data breach occurred in 2012 and was known about in 2012, yet they had done nothing about it then. They had also not done anything about it recently after the data breach was leaked, as I had not received an email from them letting me know my account had been breached.
To add insult to injury, the old password was still active and I was able to log in with it. I can understand a small pokey geocaching website not understanding security correctly and leaving passwords the same after a data breach with only a small notification on the website, but even they reacted after I sent them an email to say they needed to do something better and at least inform their visitors and ideally change their passwords. Last.fm really have no excuse: they are big enough that they should know better, and all of the accounts should have had their passwords changed once the breach was public, or better yet, when they knew about the breach.
Instead, the list of usernames and passwords is still out there for people to search and log in with.
I guess the argument for not changing the account password is to let the subscriber log in with the original password that they know. If the email address was now invalid and the password was changed by last.fm then the user would not be able to get into their account any more. On the other hand, if last.fm does not change the password, anyone could log into the account, reset the password, have access to all the data (including the person's email address) and the account holder would not be able to gain access. The hacker will not be able to change the email address though, as they have put protection in place to prevent the email address being changed without a verification email link being clicked on, so I guess that is something.
This is also yet another reminder to use a password manager to “remember” all of your passwords for each site; don't use the same one at each location. I highly recommend LastPass (unless you are a user with multiple accounts at Office365). At $12 a year for syncing between all of your devices it is well worth the cost, and if you sign up with the link above we both get an extra month for free. I used to use the free KeePass software, which is standalone and doesn't hook into your browser like LastPass, but it can also sync between devices (with a bit of finagling).
What do you think: should last.fm have changed users' passwords when the data breach went public? Have you signed up for Have I Been Pwned? If not, what are you waiting for? It's free and a great first-response tool to keep your accounts more secure.
We had an interesting ticket come in today where an antispam system had let through a file compressed with the ARJ format. This immediately brought back memories of compressing files back at university in the very early 90s; a format that used to be very popular but that nowadays most people, including the rest of our techs, have never even heard of.
I am guessing the spammers were hoping that their recipients have WinZip, WinRAR or 7-Zip installed so they will be able to open the infected file, and that as the file format is so old, AV scanners will not check it.
Anyone else out there remember ARJ files, and does anyone (dare to admit that they) still use it?
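The gateway check that would have caught this, as an added example (not code from the original post or from any antispam product): identify archive attachments by their leading bytes rather than by extension, so an old container such as ARJ (whose header ID is 0x60 0xEA) or a ZIP renamed to .jpg is quarantined the same way a .zip would be. The attachments and the "already blocked" extension list are constructed for the example.

```python
"""Attachment triage by container signature rather than file extension.

Added example; not from the original post.  A mail gateway that only keys
on ".zip"/".rar" waves through old or renamed containers; sniffing the
leading bytes closes that gap.  The sample attachments are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Leading bytes of common archive containers.  ARJ's header ID is 0x60 0xEA;
# the others are the well-known signatures for ZIP, RAR 1.5-4.x/RAR5 and 7z.
ARCHIVE_SIGNATURES = {
    "arj": (b"\x60\xea",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),  # local file header / empty archive
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
}

# Extensions the (hypothetical) legacy extension-based filter already blocks.
EXTENSIONS_ALREADY_BLOCKED = {"zip", "rar", "7z"}


def sniff_archive(data: bytes) -> Optional[str]:
    """Return the archive type implied by the leading bytes, or None."""
    for kind, sigs in ARCHIVE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


@dataclass
class Verdict:
    filename: str
    declared_ext: str
    sniffed: Optional[str]
    quarantine: bool
    reason: str


def triage(filename: str, data: bytes) -> Verdict:
    """Quarantine anything whose content is an archive, whatever its name says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_archive(data)
    if kind is None:
        return Verdict(filename, ext, None, False, "not an archive container")
    if kind not in EXTENSIONS_ALREADY_BLOCKED:
        reason = f"{kind} archive: container not covered by extension rules"
    elif ext != kind:
        reason = f"{kind} archive disguised with .{ext or '(none)'} extension"
    else:
        reason = f"{kind} archive"
    return Verdict(filename, ext, kind, True, reason)


# Constructed samples: a real ARJ carries more header fields, but the
# gateway decision only needs the signature.
SAMPLES = {
    "invoice.arj": b"\x60\xea\x2c\x00" + b"\x00" * 40,
    "photo.jpg": b"PK\x03\x04\x14\x00" + b"\x00" * 40,   # zip renamed to .jpg
    "report.pdf": b"%PDF-1.4\n" + b"\x00" * 40,
    "archive.7z": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 40,
}


def triage_all(samples=SAMPLES) -> list:
    return [triage(name, blob) for name, blob in samples.items()]


if __name__ == "__main__":
    for v in triage_all():
        flag = "QUARANTINE" if v.quarantine else "pass      "
        print(f"{flag} {v.filename:<14} {v.reason}")
```

The point of the signature table is that it lists containers, not "formats the filter already knows about": the ARJ entry is what makes the .arj attachment a quarantine decision instead of a pass, and the extension/content mismatch rule catches the renamed ZIP regardless of which archive formats the AV engine can unpack.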
Since I have had my S6 I have not been able to get Android Device Manager to ring my phone. It locates it accurately on the map and will lock the screen OK, but it just wouldn't ring. Not much use when you know the phone is *somewhere* in the house.
Today I did a bit of experimentation and discovered that my notification volume was set to silent. I changed this to a value in the middle by pressing the volume up key, selecting the settings gear and then changing notifications, and now the phone rings even if the phone is set to silent.
Hope this helps someone else as it does seem to be a common issue with not many useful solutions.
Also, to turn on the Android Device Manager capabilities on the phone, go to Apps, Settings, Lock screen and security, Other security settings, Device administrators, and ensure Android Device Manager is enabled (simple, huh?).
Apparently LinkedIn now has a feature that allows users to provide their corporate passwords to a third party so the users can then send invites to other people in their office. I really don't see how this can Be A Good Thing 😉. Paul Cunningham has a post on ExchangeServerPro on this feature and links to Adam Fowler's post on how to block LinkedIn from Exchange. This is interesting as we've also seen this issue with Verizon doing something that we expect is screen scraping to provide email information to phones. Admittedly this was a while back, but we have found it hitting the Exchange server, so it will be interesting to see if this successfully blocks it.
In the meantime, maybe it's time not only to educate LinkedIn that this is a really bad idea but also your corporate users.
For what it’s worth the solution is to do the following:-
There are a few settings to check. First, under the Set-OrganizationConfig area, you’ll need to check that EwsApplicationAccessPolicy is set to ‘EnforceBlockList’. If it’s not, it’s going to be “EnforceAllowList” and you’re probably OK, as it’s using a whitelist for access to only what’s listed rather than a blacklist, to only block what’s listed.
Next, you need to add LinkedIn into the BlockList. This is done with the command “Set-OrganizationConfig -EwsBlockList LinkedInEWS”
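The same block with the checks around it that an Exchange admin would want, as an added example (not Adam Fowler's or Paul Cunningham's code). It assumes the Exchange Management Shell and that "LinkedInEWS" is the user-agent string LinkedIn sends, which is the value the posts above name; confirm it in your own EWS/IIS logs first. The important caveat is the policy state: EwsApplicationAccessPolicy defaults to $null, which means no restriction at all, and the block list is only consulted when the policy is EnforceBlockList.

```powershell
# Added example, not from the posts referenced above.  Run in the Exchange
# Management Shell.  "LinkedInEWS" is the user-agent value the posts name;
# treat it as something to verify in your own EWS logs.

# 1. Look at the current org-wide EWS settings before changing anything.
$cfg = Get-OrganizationConfig
$cfg | Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# 2. EwsApplicationAccessPolicy has three states:
#      $null             - no restriction; EwsBlockList is NOT consulted
#      EnforceAllowList  - only user agents in EwsAllowList may use EWS
#      EnforceBlockList  - everything may use EWS except EwsBlockList entries
#    Flipping an EnforceAllowList tenant to EnforceBlockList would open EWS
#    to everything not on the block list, so only move to EnforceBlockList
#    from the unrestricted ($null) state.
switch ($cfg.EwsApplicationAccessPolicy) {
    'EnforceAllowList' {
        Write-Host 'Allow list already in force; LinkedInEWS is blocked unless it appears here:'
        $cfg.EwsAllowList
        return
    }
    'EnforceBlockList' {
        Write-Host 'Block list already enforced; adding LinkedInEWS to it.'
    }
    default {
        Write-Host 'No EWS policy set; enabling block-list enforcement.'
        Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList
    }
}

# 3. Add to the multivalued property rather than overwrite it, so any
#    existing block-list entries survive.
Set-OrganizationConfig -EwsBlockList @{Add = 'LinkedInEWS'}

# 4. Confirm.
(Get-OrganizationConfig).EwsBlockList
```

Set-CASMailbox carries the same EwsApplicationAccessPolicy and EwsBlockList parameters if you want to block per mailbox instead of organisation-wide. Bear in mind that the match is on a client-supplied User-Agent header, so this keeps out a service that identifies itself honestly; it is not a control against anything that chooses to lie.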
Update – Never mind – see bottom of article.
Discovered an interesting flaw in the requirement for two-factor authentication with gmail today. I like to use the application on my cell phone to ensure that only I have access to my account; if somehow a keylogger was in place, my password to gmail is of no use as the second factor would also require access to my cell phone.
However, today I logged into Google Reader first (which doesn't support two-factor authentication) using my username and password only. I then clicked the gmail tab at the top of Reader, and hey presto, I'm into gmail.
Bottom line: don't think that just because you have enabled two-factor authentication you are safe from keyloggers on a PC or network sniffing/man-in-the-middle attacks. I've not reported this to Google yet but it will be interesting to see what they say.
Update: After signing out AND restarting Firefox I was prompted for the second factor. Interestingly I wasn't prompted until I restarted the browser, so, as usual, always restart browsers once you've finished with them.
Troy Hunt has a nice analysis of some of the passwords that were recently stolen from Sony. As usual, most of the passwords are pretty easily cracked, although in this case the hackers didn't need to crack them as the passwords were stored in plain text. The scary thing is how many of the passwords were the same between the Sony site and the Gawker site that was also broken into earlier. Naturally the key (no pun intended) between the sites is that the user ID is commonly the email address, which then also means there is a fairly good chance of having your gmail account broken into. One of these days I'll break this information up into a password guide for users to show them how it “really could happen to them” and the risk it generates to the company as well as to their personal information.
I'm actually surprised at the number of people who use their work email address for things like Facebook and other social applications. After all, work email addresses are not exactly permanent nowadays and definitely not private. It would also be really interesting to take all of our clients' email addresses and run them against the login IDs from this database to see if anyone was in it. Alternatively, checking previous web site browsing history would give a clue as to whether people were using this site (but would be a very painful and time-consuming process). The only problem is the time it would take and the fact that only a subset of the data was made available for download to the general public.
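The two checks this post talks about, reuse of the same password across the two dumps and client mail domains turning up as login IDs, as an added example that is not Troy Hunt's analysis or the original post's code. The dump lines are constructed "email:password" records in the plaintext form the post describes, the client domain is hypothetical, and the script reports the fact of reuse without ever printing a password.

```python
"""Cross-referencing two breach dumps and a company's own address list.

Added example, not from Troy Hunt's analysis or the original post.  The
dump text is constructed, not real breach data.
"""
from collections import defaultdict


def normalize_email(addr: str) -> str:
    """Lower-case and trim so 'Bob@Widgets.example ' matches 'bob@widgets.example'."""
    return addr.strip().lower()


def parse_dump(text: str) -> dict:
    """Parse 'email:password' lines into {email: password}; skip malformed lines.

    Splitting on the first ':' only keeps passwords that themselves contain ':'.
    """
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        accounts[normalize_email(email)] = password
    return accounts


def password_reuse(dump_a: dict, dump_b: dict) -> list:
    """Emails present in both dumps whose plaintext password is identical."""
    return sorted(e for e in dump_a.keys() & dump_b.keys() if dump_a[e] == dump_b[e])


def exposed_by_domain(dump: dict, domains) -> dict:
    """Group dump login IDs by the (client) mail domain they belong to."""
    wanted = {d.lower() for d in domains}
    hits = defaultdict(list)
    for email in dump:
        domain = email.rsplit("@", 1)[-1]
        if domain in wanted:
            hits[domain].append(email)
    return {d: sorted(v) for d, v in hits.items()}


# Constructed sample dumps in the plaintext form the post describes.
SONY_DUMP = """
alice@example.com:Summer2011
Bob@Widgets.example:letmein
carol@example.com:p@ssw0rd
dave@widgets.example:hunter2
"""
GAWKER_DUMP = """
alice@example.com:Summer2011
bob@widgets.example:letmein
carol@example.com:tr0ub4dor
erin@other.example:qwerty
"""
CLIENT_DOMAINS = ["widgets.example"]   # hypothetical client mail domain


def run_report() -> dict:
    """Reuse across the two dumps plus client-domain exposure in either dump."""
    sony, gawker = parse_dump(SONY_DUMP), parse_dump(GAWKER_DUMP)
    return {
        "reused": password_reuse(sony, gawker),
        "client_exposure": exposed_by_domain({**sony, **gawker}, CLIENT_DOMAINS),
    }


if __name__ == "__main__":
    report = run_report()
    print("Same password on both sites:", ", ".join(report["reused"]))
    for domain, emails in report["client_exposure"].items():
        print(f"{domain}: {len(emails)} account(s) in the dumps -> {emails}")
```

Normalising the address before comparison matters more than it looks: dumps are rarely consistently cased, and a naive string match would have missed Bob's reuse above. When the dumps hold hashes rather than plaintext the reuse check only works if both sites used the same unsalted scheme, which is one more reason salted hashing matters.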
I registered for PodcampOhio 3 months ago but for some reason it was not in my calendar so it’s a good job they reminded us about it on the blog.
It will be nice to take the Dell Mini with me next week instead of having to lug the normal laptop around. The only annoying thing is the mouse movement and smaller keyboard, so I'll have to type slower. I'm debating on loading OneNote onto the machine (restricting me to just one OS for the day) or just using the OneNote Web App (but that assumes web access is always available).
If you’re going – don’t forget to say hello.
I guess I should have got my act together and submitted a session on “securely logging into your WordPress blog at conferences without needing an SSL certificate”. The most embarrassing thing is that I worked out how to do this last year before the conference and said my instructions were coming soon!
This afternoon I received spam from fellow colleagues at work from their gmail accounts. Emails went to both my personal gmail account and to my work accounts. It looks like the emails are in the sent items, which is rather worrying as it means the spammer sent mail from the account rather than forging the headers to make it look like it came from the account. I know for a fact that the password was secure on at least one of the accounts, so a weak password is not the culprit. A quick (ironic) google search shows that several people have been tweeting about this in the past couple of hours (mine came in at 3.43pm and I had another at 7.30pm).
Google's standard answer is to change your password, which doesn't really help when there is obviously a back door letting people into the account in the first place. The solutions provided are as follows:
If your account has been compromised/hacked/stolen you will need to check at least all of the following things:
Settings -> Accounts and Import -> Google Account Settings -> Change Password [pick a new secure password]
Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options [verify secret question, SMS and secondary e-mail address]
Settings -> General -> Signature [make sure nothing has been added]
Settings -> General -> Vacation Responder [make sure it’s disabled and empty]
Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address]
Settings -> Filters [no filters that forward or delete e-mail]
Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]
Keeping account secure: https://mail.google.com/support/bin/answer.py?hl=en&answer=46526
Protecting your account: https://mail.google.com/support/bin/answer.py?hl=en&answer=29407
If your account is compromised: http://mail.google.com/support/bin/answer.py?hl=en&answer=50270
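The "Filters [no filters that forward or delete e-mail]" item in the checklist above is the one worth automating, because those are the rules an intruder leaves behind to keep receiving your mail after you change the password. As an added example (not from the original post or Google's help pages), this reads the Atom XML that Gmail produces when you export your filters and flags the three things to look for: forwarding to an outside address, trashing matching mail, and archiving plus marking read so replies and password-reset messages never reach the inbox. The export below, the addresses in it and the "trusted" domain list are constructed.

```python
"""Audit an exported Gmail filter list for forward/delete/hide rules.

Added example, not from the original post.  Input is the Atom XML that
Gmail's filter export produces; the sample here is constructed.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed export: one benign labelling rule, one silent forward that
# also deletes the original, one "hide the bank's mail" rule.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR invoice'/>
    <apps:property name='forwardTo' value='dropbox@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='*@mybank.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

TRUSTED_FORWARD_DOMAINS = {"example.com"}   # hypothetical: your own domains


def parse_filters(xml_text: str) -> list:
    """Return each <entry> as a {property-name: value} dict."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(f"{ATOM}entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(f"{APPS}property")}
        filters.append(props)
    return filters


def suspicious_reasons(props: dict) -> list:
    """List why a filter is suspicious; an empty list means it looks benign."""
    reasons = []
    fwd = props.get("forwardTo")
    if fwd:
        domain = fwd.rsplit("@", 1)[-1].lower()
        if domain not in TRUSTED_FORWARD_DOMAINS:
            reasons.append(f"forwards to external address {fwd}")
    if props.get("shouldTrash") == "true":
        reasons.append("deletes matching mail")
    if props.get("shouldArchive") == "true" and props.get("shouldMarkAsRead") == "true":
        reasons.append("archives and marks read (hides mail from the inbox)")
    return reasons


def audit(xml_text: str = SAMPLE_EXPORT) -> list:
    """Return (filter, reasons) for every filter that trips a rule."""
    findings = []
    for props in parse_filters(xml_text):
        reasons = suspicious_reasons(props)
        if reasons:
            findings.append((props, reasons))
    return findings


if __name__ == "__main__":
    results = audit()
    print(f"{len(results)} suspicious filter(s)")
    for props, reasons in results:
        criteria = {k: v for k, v in props.items()
                    if not k.startswith("should") and k != "forwardTo"}
        print(f"  match {criteria}: " + "; ".join(reasons))
```

The archive-and-mark-read rule is the one people miss: it forwards nothing and deletes nothing, so it passes a casual "any forwarding?" glance, yet it keeps the victim from ever seeing the bank's or Google's own warning mail. Run the same audit on the forwarding and Send-mail-as settings from the checklist by hand; they are not part of the filter export.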
Ciao is also reporting similar issues today.
It would be interesting to see if any of the compromised accounts were on the Google Apps servers, as this probably has greater repercussions for Google's business model as people will trust Google even less. It will certainly raise questions at work on Monday as to whether we would recommend moving some clients to Google Apps. Even if you haven't been hacked (check your sent items, filters and your frequent contacts for spam messages), I would still highly recommend you change your password NOW and ensure it is a complicated, non-dictionary one.
Thanks to Digging into WordPress (a blog I've just started reading), it's possible to easily remove the WordPress version from the header information on a WordPress site. This (slightly) helps security in that the version of WordPress is no longer transmitted to the web browser in the page head. Bear in mind that the version is still exposed elsewhere, for example in the generator element of the RSS feeds and in the readme.html file that ships with every install, so this is obscurity on top of keeping WordPress patched, not a substitute for it. It would be nice if this was a toggle switch in WordPress's admin panel though.
To implement the change, just edit the functions.php file in the Theme and add the following line.
remove_action ('wp_head', 'wp_generator');
One thing to watch is that if you upgrade your theme this change is likely to be undone (a child theme with its own functions.php survives parent theme updates). I've actually created a draft post in WP where I keep my theme changes listed so that they appear in the dashboard and I have a record of what changes are made to the design.
On another theme-related note, I have now enabled comments on all the posts on the blog, as I had issues where posts that had discussion enabled were not allowing comments to be made on them. Hopefully Akismet will continue to do a good job of trapping the spam. I didn't get any help from the WordPress support forums so this was my workaround.
The BlackBerry is rapidly becoming my third-party authentication tool; the ability to run programs on it to generate secure passwords is very handy. I have another post on this coming up shortly.