Twitter - 55,000+ user accounts leaked with passwords
This morning several websites were reporting that over 55,000 Twitter accounts have been compromised, with the usernames and passwords leaked. The accounts have been posted to PasteBin. According to AirDemon, accounts attributed to celebrities were attacked in the process.
The attack seems to have been a relatively simple brute force attack. The PasteBin data suggests that the accounts in question had relatively short passwords, and weak ones in that they were, at best, alphanumeric (upper case letters, lower case letters and digits) and only rarely included any special characters. Statistics show the vast majority were under 10 characters in length. Critics point out that a strong password policy and educating users could easily avoid releases of information like this. Even with a strongly secured password database, the general recommendation is passwords of more than 12 characters mixing upper and lower case letters, digits and special characters.
Good passwords are difficult to come up with, and often somewhat unwieldy to use. Passwords always walk the line between security and convenience, but releases such as this suggest that some strength validation built into the Twitter sign-up and login system could have prevented such an easy breach. Most of these passwords probably should not have been allowed in the first place. As for the creation of "good" passwords, there are a number of password generators available, and users may wish to consider one of several password storage tools. For instance, KeePass comes with a built-in password generator and a strong encryption pedigree. It also leaves the user in control of the database (it never has to leave the device) and can read it on a number of operating systems. Other tools exist, but please do research them first; recently many such password banks claiming "military grade" protection were found to be easily compromised.
Rather than linking the 5 pages here, as others have done ad nauseam, please visit the article sources for their own take on the events. All this said, I would take this report with a strong grain of salt. These accounts were definitely poorly managed and low-hanging fruit. Celebrity accounts are often verified and can be easily recovered by the owner. Additionally, many boards seem to suggest a number of the accounts exhibit spambot characteristics. Finally, the database reveals a number of blocks where accounts use the same password, suggesting the same user farming accounts for any of a number of possible purposes.
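To make the two observations above concrete (most passwords under 10 characters with few character classes, and blocks of accounts sharing one password), here is an added example, not code from the original post or from Twitter, that runs the kind of checks a sign-up system could have enforced and the kind of triage you would run over a dump. The policy (12+ characters, at least 3 of 4 character classes) and the `user:password` dump in `SAMPLE_DUMP` are assumptions constructed for the example, not the real PasteBin data.

```python
import re
from collections import defaultdict

# Constructed sample dump in "user:password" form; NOT the leaked data.
SAMPLE_DUMP = """\
alice_77:Summer2012
bob.smith:qwerty12
carol_k:Tr0ub4dor&3
dave:letmein
erin99:password1
spambot_a:sunshine
spambot_b:sunshine
spambot_c:sunshine
frank:correct horse battery staple
grace:P@ssw0rd!
hank:Velvet-Otter-41
"""

# The four character classes the policy counts.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def parse_dump(text):
    """Return (user, password) pairs from 'user:password' lines.

    Splits on the first colon only, so passwords containing ':' survive.
    """
    rows = []
    for line in text.splitlines():
        if not line or ":" not in line:
            continue
        user, pw = line.split(":", 1)
        rows.append((user, pw))
    return rows


def char_classes(pw):
    """Set of character classes present in pw."""
    return {name for name, rx in CLASSES.items() if rx.search(pw)}


def check_policy(pw, min_len=12, min_classes=3):
    """Return a list of policy failures; empty list means pw is acceptable.

    Policy values are an assumption for this example (12+ chars, 3 of 4 classes).
    """
    failures = []
    if len(pw) < min_len:
        failures.append(f"too short ({len(pw)} < {min_len})")
    classes = char_classes(pw)
    if len(classes) < min_classes:
        failures.append(f"only {len(classes)} character class(es)")
    return failures


def length_stats(rows, threshold=10):
    """How many passwords fall under the length threshold, and the share."""
    lengths = [len(pw) for _, pw in rows]
    under = sum(1 for n in lengths if n < threshold)
    share = under / len(lengths) if lengths else 0.0
    return {"count": len(lengths), "under_threshold": under, "share_under": share}


def reuse_clusters(rows, min_size=2):
    """Group usernames by identical password.

    Clusters of accounts sharing one password suggest a single operator
    farming accounts rather than independent users.
    """
    by_pw = defaultdict(list)
    for user, pw in rows:
        by_pw[pw].append(user)
    return {pw: users for pw, users in by_pw.items() if len(users) >= min_size}


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print("length stats:", length_stats(rows))
    for user, pw in rows:
        verdict = check_policy(pw) or ["ok"]
        print(f"{user:12s} {pw!r:32s} {'; '.join(verdict)}")
    for pw, users in reuse_clusters(rows).items():
        print(f"password {pw!r} shared by {len(users)} accounts: {users}")
```

One caveat the run makes visible: a long all-lowercase passphrase such as `correct horse battery staple` fails a strict character-class rule even though its length makes it far harder to brute force than `P@ssw0rd!`, which passes the class test and fails only on length. A policy that weights length more heavily than class mixing avoids rejecting the stronger of the two.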
Debug flag blunder exposes passwords system-wide on OS X
In the latest security update to OS X 10.7[.3], Apple seems to have accidentally turned on a debug log function that stores its log outside of the encrypted area. Among the various system-wide parameters logged in this file are passwords passing through the password entry subsystem, which covers most system passwords and website credentials.
Users who had begun using FileVault encryption prior to Lion, and who have not migrated their file structure to FileVault 2 (whole-disk encryption), are vulnerable. The hiccup is also a bit worse than it seems, as the storage area is accessible when the system is booted from an external device or put into FireWire target disk mode. The passwords stored also likely give attackers enough information to then elevate into the encrypted areas of the drive. This information is also likely to be available remotely through existing "will-not-be-fixed" vulnerabilities that give remote access to the file system.
The article goes on to postulate that any business that has decided to include OS X devices in its network is likely relying on this encryption scheme. The update shipped February 1st, 2012, and Apple was notified on February 6th, 2012. At the time the article was written, Apple had not responded to either the initial report or to follow-up inquiries.
One of the few pieces of good news here is that the log file gets rotated every few weeks, so not necessarily the entire 3 months of information is available (periodic backups aside). Users are advised to change passwords once a patch is released, so that no backup copies of this log can later be used to compromise their systems.
http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963
Wrist Communicator
That person on the bus may not be late for his appointment after all. SMS Technology Australia has started production of its M500 line of GSM watches. The M500 is a classy-looking, square-faced watch that runs on quad-band GSM. It features a 1.5-inch color touch screen, 128 MB of memory for contacts and files, and full SMS support. While it does play MP3/AAC audio and MP4 video, my strong suspicion is that these are used as contact-identifying cues. It recharges over USB and uses U disk technology. Communication is apparently through Bluetooth to a wireless headset.
All in all, I think that the phone looks rather nice, but I am not sure how many people will be hopping on this fashion item. Additionally, SMS recently announced the M501 Ladies' watch.
Apple bleeding you dry.
This morning's "USA Today" (ugh, I know, but it's what the hotel left on the doorstep) is running a front-page story about blood banks trying new techniques to get donors in the door. One of the options some blood banks are considering is raffling off iPods. The article doesn't say whether Apple will be donating these iPods, or whether they come through the normal supply channel. However, given Apple's interesting methods for measuring sales metrics in the past, I wonder how many times each of these iPods will be counted.
Christopher Dawson discusses his Anti-Mac bias!
Christopher Dawson, one of ZDNet's education bloggers, wrote last night about his anti-Mac bias. Much like Mr. Dawson, I've faced the stigma of being "the wrong expert" when my friends ask me what laptop or desktop they should consider buying, and I rarely have Macs on the list.
Dawson points out that while Macs are great at what they do, they are often overpowered for the average user. When looking at the starving college student, or simply us overworked and underpaid s.o.b.'s, the economics simply don't make sense. A high school or college student looking for a computer to write homework on needs a word processor that can print. A $600 laptop can handle that. Granted, many people don't want to hear this; to you I have to say, be honest with yourselves and with whoever you might be asking to buy you the device. If all you want is something to write papers on, then say it. If you want something to write papers, make movies and do all kinds of other activities, then say that.
For those that talk about needing a Mac to work on creative challenges that Windows and Linux don't fill, I am afraid I can't really buy that argument, especially not at the low end. Mr. Dawson points to a specific example of a friend who deals a lot with digital photography for work. Due to various issues, including her work environment, she ended up going with a much cheaper PC-based solution that adequately filled her needs when her old Mac was no longer up to the challenge. I am not too sure I buy it at the upper end either. Applications like Cinelerra (free) and Maya are available for Linux, and many have forgone the Mac for Linux shops that are cheaper to develop on and operate.
Finally, for those that like to remind me that the Mac is now simply a very advanced GUI running on top of BSD, I'll say that it's a very crippled version of BSD. When trying to troubleshoot network issues on a friend's Mac in Terminal, I ended up frustrated after about 10 minutes of trying to get the commands to work with the switches I am used to. I ended up booting off a copy of OliveBSD that happened to be on top of the pile of CDs on my desk to get back the various switches to the networking tools that are missing from Tiger.
In short, if you are willing to use the Mac, say that you are getting it because you want a Mac. If you are a starving student you won't win any points crying that you don't have enough money to buy that 17" MacBook that you "need" to write up your composition class assignment. Know what you are getting your PC for and play to it.
Links :
