Tuesday, June 16, 2015

What I'm Reading 6/16/2015 - LastPass Hacked Change Your Master Password

Dark Reading - OPM Breach Scope Widens, Employee Group Blasts Agency For Not Encrypting Data -
What’s not immediately clear is how useful encryption would have been in this situation, especially if the hackers accessed the Central Personnel File database using valid login credentials. In that case, the hackers would likely have had the same access to the data and the encryption keys as the legitimate owner of the account.
OPM is claiming both that encrypting the data wouldn't have mattered because valid credentials were used in the hack, and that encryption would be too difficult to accomplish.  Both are valid excuses, kind of, but sometimes things are difficult and they just have to be done.

Hacker News - Stanford study finds walking improves creativity -
The study found that walking indoors or outdoors similarly boosted creative inspiration. The act of walking itself, and not the environment, was the main factor. Across the board, creativity levels were consistently and significantly higher for those walking compared to those sitting.
Probably has some caveman root relating to killing and eating large prehistoric animals.

Infosec Institute - The Seven Steps of a Successful Cyber Attack -

1. Recon
2. Scan
3. Access / Escalate
4. Exfiltrate / Extract Data
5. Sustain / Maintain Access
6. Assault
7. Obfuscate / Hide Access

Lifehacker - LastPass Hacked, Change Your Master Password Now -

LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.
According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. 
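Why the stolen salts and hashes still matter, as an added example that is not LastPass's code and not from the Lifehacker article: an authentication hash is a slow, salted password hash, so a leak of salt plus hash does not hand over the password, but it does let the attacker guess offline, and a password reminder narrows the guess list. The scheme below (PBKDF2-HMAC-SHA256, a per-user salt, a 100,000-round default) is assumed as a stand-in for whatever LastPass actually used; the salt and candidate list are constructed for the demo.

```python
import hashlib
import hmac

# Assumed parameters for illustration only; not LastPass's actual scheme.
ITERATIONS = 100_000
HASH_LEN = 32


def derive_auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Server-side authentication hash: PBKDF2-HMAC-SHA256 over the master password
    with a per-user salt. The salt stops one rainbow table covering every user;
    the iteration count makes each guess cost the attacker as much as it costs the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=HASH_LEN)


def verify(master_password: str, salt: bytes, stored_hash: bytes,
           iterations: int = ITERATIONS) -> bool:
    """What the server does at login; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(derive_auth_hash(master_password, salt, iterations), stored_hash)


def offline_guess(leaked_salt: bytes, leaked_hash: bytes, candidates, iterations: int = ITERATIONS):
    """What an attacker does with the leaked salt+hash: run the same derivation over a
    candidate list (built from the leaked reminder, common passwords, etc.) and compare.
    Returns (password, attempts) on a hit, or (None, attempts) if the list is exhausted."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if verify(guess, leaked_salt, leaked_hash, iterations):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed demo data: one user's leaked salt and the attacker's short guess list.
    salt = b"constructed-per-user-salt-0001"
    candidates = ["password", "123456", "P@55w0rd", "letmein"]
    weak = derive_auth_hash("P@55w0rd", salt)
    strong = derive_auth_hash("!correct-horse-42-battery-staple?", salt)
    print(offline_guess(salt, weak, candidates))    # the weak master password falls
    print(offline_guess(salt, strong, candidates))  # the passphrase survives this list
```

The iteration count only buys time per guess; it does not save a master password that is on the guess list, which is the reason for rotating it after the hashes leak.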

It's a pain in the ass but just do it. Also:

This isn't perfect. There is no perfect password, but if you use the XKCD scheme and throw in a couple of numbers (not on either end but somewhere in the middle) and a special character on each end, you will meet everyone's password requirements and have all sorts of entropy.
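The scheme above in working form, as an added example that is not from the original post: a generator that picks the words, digits and end symbols with a CSPRNG, plus the entropy arithmetic for it under the assumption that the attacker knows the scheme, the word list and the symbol set and only has to guess the random choices. The eight-word list, the symbol set and the "P@55w0rd"-style comparison model (one dictionary word, a handful of leet variants, a two-digit suffix) are constructed for the example.

```python
import math
import secrets

# Constructed mini word list for the demo; a real list such as Diceware has 7776 words.
WORDS = ["correct", "horse", "battery", "staple", "silver", "anchor", "velvet", "comet"]
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"   # 26 symbols, assumed acceptable to most sites


def make_passphrase(words=WORDS, n_words=4, n_digits=2, symbols=SYMBOLS, rng=secrets):
    """XKCD-style passphrase: n_words random words, n_digits digits inserted in one of the
    gaps between words (never at either end), and one random symbol at each end.
    rng needs only a .choice(sequence) method; secrets.choice is the CSPRNG default."""
    chosen = [rng.choice(words) for _ in range(n_words)]
    digits = "".join(rng.choice("0123456789") for _ in range(n_digits))
    gap = rng.choice(range(1, n_words))          # which of the n_words-1 gaps holds the digits
    parts = chosen[:gap] + [digits] + chosen[gap:]
    # "-" is a fixed separator for sites that reject spaces; being fixed, it adds no entropy.
    return rng.choice(symbols) + "-".join(parts) + rng.choice(symbols)


def scheme_entropy_bits(n_words, wordlist_size, n_digits, symbol_set_size):
    """Entropy of the scheme when the attacker knows everything except the random draws."""
    return (n_words * math.log2(wordlist_size)        # the words
            + n_digits * math.log2(10)                # the digits
            + math.log2(n_words - 1)                  # which gap they landed in
            + 2 * math.log2(symbol_set_size))         # the two end symbols


def leet_word_entropy_bits(wordlist_size=50_000, n_variants=16, n_suffixes=100):
    """Rough model (an assumption for comparison) of a 'P@55w0rd'-style password:
    one dictionary word, one of a few leet substitution patterns, a two-digit suffix."""
    return math.log2(wordlist_size) + math.log2(n_variants) + math.log2(n_suffixes)


if __name__ == "__main__":
    print(make_passphrase())
    print(f"4 Diceware words + 2 digits + 2 symbols: {scheme_entropy_bits(4, 7776, 2, 32):.1f} bits")
    print(f"leet-speak dictionary word:             {leet_word_entropy_bits():.1f} bits")
```

With a 7776-word list the scheme lands near 70 bits, against roughly 26 bits for the leet-speak word; the gain comes almost entirely from the words, which is why the list has to be large and the words actually random rather than chosen by hand.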

Bruce Schneier believes that the XKCD model is dead, and he may be right, but it's easy to explain and it's better than P@55w0rd.

Steve Gibson also has ideas on a good password 

