Orig­i­nally posted by Rich Pasco

Very often, I receive junk mail (spam) with a “From:” address of one of my con­tacts, for exam­ple a friend or fel­low team mem­ber. The mail might con­tain an adver­tise­ment for Via­gra or replica Rolex watches, a sad story about being robbed while on vaca­tion (and please wire money), or just a link to a web site which could down­load mali­cious soft­ware onto my com­puter. In such cases, I delete that e‑mail with­out click­ing on the poten­tially dan­ger­ous link.

Just as often, a friend or fel­low team mem­ber con­tacts me stat­ing that junk mail is going out in their name and ask­ing what to do about it. Here is what I reply:

Hacked or Spoofed?

It is impor­tant to know whether your mail is hacked or spoofed. Let’s define these terms:

HACKED — Mail is actu­ally being sent from your account by some­one logged in to your server as you.

SPOOFED — Mail is being sent from some­where else with your address being forged onto its “From:” line.

Con­tinue Read­ing at www.richpasco.org

Cul­ture web­site Boing­Bo­ing has pub­lished a great arti­cle explain­ing how pass­words can get cracked.  Lot’s of easy to under­stand exam­ples and best prac­tices to keep you safe. (more…)

Recently two major cor­po­ra­tions have released infor­ma­tion about secu­rity fail­ures. Retailer Tar­get released infor­ma­tion that it’s point of pur­chase sys­tem had be hacked with esti­mates of up to 70 mil­lion cus­tomers’ per­sonal data stolen by hack­ers.  Star­bucks was dis­cov­ered to have been stor­ing users pass­words and infor­ma­tion unen­crypted in plain text in their iPhone app.  The take­away from both of these instances is your per­sonal data is never secure and you must share it with caution.

Secu­rity breaches seem like every day events in out mod­ern times.  Rather than tune them out let them serve as reminders to take secu­rity seriously.

To be more secure online:

• never click on links in email unless you are con­fi­dent they are safe, do not trust an email came from the address given
• wire­less or pub­lic net­work allow for com­mu­ni­ca­tions to be lis­tened in on — check you have a secure SSL con­nec­tion to the web­site you are vis­it­ing before send­ing any infor­ma­tion (for instance log­ging in)
• assume poor secu­rity, always

One point I can­not stress enough: if you are using your email to log into a ser­vice with a pass­word you com­monly use you are at extreme risk.

Inter­net secu­rity is a con­tin­u­ing con­cern. This hack­ing attack is of inter­est to peo­ple who have reg­is­tered copies of Adobe Pho­to­shop, Light­room, or other prod­ucts.  Your account at Adobe may have been com­pro­mised.  If the pass­word you used at Adobe is the same as you have used else­where then those accounts are also com­pro­mised. (more…)

In the past week I have received emails from 2 friend’s Yahoo email accounts — sent by hack­ers!  The emails con­tained a link which, had I clicked it, would have done who knows what.

The hack­ing attack which was used to take con­trol of my friends email accounts used a secu­rity vul­ner­a­bil­ity at Yahoo to copy an access cookie that had been issued from Yahoo.  This access cookie gave the hack­ers full access to the email account until the cookie expired. This attack did require my friends to click on a link, either in a web­site or in an email. (more…)

Twit­ter announced on Fri­day Feb­ru­ary 1st they had been hacked in a sophis­ti­cated attack.  Twit­ter said 250k accounts may be affected and have emailed those users.  The stolen data included accounts, emails, addresses, and pass­words. Whether or not Twit­ter con­tacted you it is prob­a­bly a good idea to change your pass­word, both for your Twit­ter account and for any other login that uses the same pass­word. It is not a dif­fi­cult mat­ter to find more logins asso­ci­ated with the same email address, espe­cially for pop­u­lar ser­vices like Google, Face­book, etc.

Wired — Twit­ter Hacked

A 6+ mil­lion pass­word list has been released to the wild which is strongly sus­pected to have orig­i­nated at LinkedIn.  The pass­words are not matched to any account names in this list, but it would be dan­ger­ous to assume some­one does not have them as well.  It is very impor­tant you change your pass­word at LinkedIn.  Since that account is asso­ci­ated with your email you will want to change that pass­word every­where you have used it.  LinkedIn is sus­pected as many of the pass­words in the list con­tained the a vari­a­tion of ‘linkedin’.

One part of this inci­dent that makes it inter­est­ing is that the pass­words were stored using a pro­tec­tion called hash­ing which con­verts the pass­word in a way which is sup­posed to be dif­fi­cult to reverse — but as of this writ­ing likely over 75% had been extracted.

To pro­tect you accounts you should:

• choose long com­pli­cated pass­words includ­ing cap­i­tal let­ters, num­ber, and punctuation
• avoid words
• not use the same pass­words for dif­fer­ent accounts

You can read the entire story at arstech­nica