over 1.2Billion usernames and passwords compromised by Russian criminal gangs

Discussion in 'Technical' started by sec_monkey, Aug 6, 2014.

  1. sec_monkey

    sec_monkey SM Security Administrator

  2. Dunerunner

    Dunerunner Brewery Monkey Moderator

    I hope it was all my old user names....

    Seems I have to change most of the important ones every month....
    Motomom34 likes this.
  3. Brokor

    Brokor Live Free or Cry Moderator Site Supporter+++ Founding Member

    "Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."

    Nice angle.
    Last edited: Aug 7, 2014
  4. Falcon15

    Falcon15 Falco Peregrinus

    Dude. I am broke, unemployed, and have mediocre credit. No worries here. Maybe they will have pity on me.
    VisuTrac likes this.
  5. AmericanRedoubt1776

    AmericanRedoubt1776 American Redoubt: Idaho-Montana-Wyoming Site Supporter+

    Try lastpass.com password vault with its password generator and password audit combined with its Yubikey multi factor USB key. I love it. Also good info in Boston T. Party's (Kenneth Royce's) One Nation Under Surveillance book -- has great section on passwords and computer security that is still up-to-date. One Nation, Under Surveillance -- Privacy From the Watchful Eye: Boston T. Party, Kenneth W. Royce: 9781888766110: Amazon.com: Books

    For all browsing use Tails-Tor: AmRD: Everything is Broken Charles Carroll Society

    This can help too:
    AmRD: American Redoubt Darknet (ARD) an Introduction | Charles Carroll Society

    I just love the latest version of TAILS. Finally running tails 90% of the time compared to Win7 with a VPN. The tails tor net is SO much faster than when I tried it 18 months ago on tor with Win 7.

    This is a good router based VPN instead of running it at the local client. That way the Android and iOS users get a bit greater privacy level ---- Strongvpn.com with their vpn pre-configured on the routers they drop ship from Sabai Technology.
    Get a VPN Router and have multiple devices on one strongvpn account | StrongVPN.com
    Last edited by a moderator: Jan 25, 2015
  6. sec_monkey

    sec_monkey SM Security Administrator


    Security breach

    On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, and then another, similar anomaly in their outgoing traffic.[17] Administrators found none of the hallmarks of a classic security breach (for example, database logs showed no evidence of a non-administrator user being elevated to administrator privileges), but neither could they determine the root cause of the anomalies. Furthermore, given the size of the anomalies, it is theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass decommissioned the "breached" servers so they could be rebuilt, and on May 4, 2011, they requested all users to change their master password. However, the resulting user traffic overwhelmed the login servers and, temporarily, administrators were asking users to refrain from changing their password until further notice, having judged that the possibility of the passwords themselves being compromised to be trivially small. LastPass also stated that while there was no direct evidence any customer information was directly compromised, they preferred to err on the side of caution.[18] There have been no verified reports of customer data loss or password leaks since these precautions were taken. In comment 6, Joe Siegrist committed to a third-party audit, saying one "is certainly prudent". However, no audit results have been published to date.

    XSS vulnerability
    In February 2011, a cross-site scripting (XSS) security hole was discovered, reported by security researcher Mike Cardwell, and closed within hours.[19] There was disagreement over severity. Cardwell stated that people should be "very concerned." The company reported that a log search showed no evidence of exploitation (other than by Cardwell). However in addition to closing the hole, LastPass took additional steps to improve security, including implementing HTTP Strict Transport Security (HSTS), as Cardwell had suggested, implementing X-Frame-Options, and a Content Security Policy-like system in order to provide defense in depth.[19][20]
  7. DarkLight

    DarkLight Live Long and Prosper - On Hiatus Site Supporter

    Personally I use KeePass which is:
    Local to the device (see below);
    Available on Windows, Mac, Linux, Android and IOS;
    Has a password generation facility;
    Can be secured by password and keyfile;
    Can be sync'd between devices.

    I do not use it to auto populate information on web sites although I seem to recall that capability being present. I do NOT store it in the cloud, rather I manually copy from device to device. I store usernames, passwords and site addresses there.

    Wherever possible I use an additional form of security (2FA), but sadly a number of places don't yet provide that ability.
    AmericanRedoubt1776 and melbo like this.
  8. DarkLight

    DarkLight Live Long and Prosper - On Hiatus Site Supporter

    There's another utility I use on Windows called PWGen. Free and generates any number of passwords (not using a salt) of any length and any complexity using an extremely configurable ruleset.

    Writing this on my phone so no links. Sorry.
    AmericanRedoubt1776 likes this.
  9. melbo

    melbo Hunter Gatherer Administrator Founding Member

    AmericanRedoubt1776 likes this.
  10. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    I generate passwords like I do math....
    With my mind.

    Just sayin'
    AmericanRedoubt1776 likes this.
survivalmonkey SSL seal        survivalmonkey.com warrant canary