InfoSec links July 24, 2014

"Severe" password manager attacks steal digital keys and data en masse - Dan Goodin - ars technica

I’ve never liked the idea of putting my passwords in the cloud, and that’s essentially what you’re doing with these web-based password managers. The fact that research has determined them to be vulnerable does not sway me to put my passwords online.

Automobile Industry Accelerates Into Security - Kelly Jackson Higgins - Dark Reading

Automobile security is about to become a major thing. Unlike a hacked computer, a hacked car could mean life or death for someone. I’ve read several articles recently that give encouraging signs that some automobile makers are taking car security seriously.

Security Firm Manages To Access Deleted Data On Used Android Devices - Red Orbit

iPhone users, carry on. According to this article, older Android phones do not actually wipe the storage when a reset to factory defaults is initiated. All the reset does is delete or erase the index, so the phone can no longer find the old data. Forensic tools, which scan the raw storage rather than trusting the index, are very capable of finding it. Great if you realize you still need something; not so great if you were counting on the data being gone. The workaround is to enable encryption on the device, then do a factory reset. Once the data is stored encrypted, deleting the index also discards the encryption key, so whatever remains on the flash is unreadable.
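To make the difference concrete, here is an added simulation (my own example, not code from the article or from Android) of a toy block device with a separate index. A naive reset clears only the index and a carving scan still finds the file by its header; on the "encrypted" device the reset also throws away the key, and the same scan finds nothing. The cipher is a demo SHA-256 counter-mode keystream, and the hypothetical `FlashSim`, `carve` and `IMG!` signature are assumptions made for illustration; real devices wrap the key with the user PIN and hardware-bound material rather than holding a bare random key in memory.

```python
import hashlib
import os

BLOCK_SIZE = 16

# Constructed sample "user data" with a recognisable header, standing in for a
# photo or message database; the header is what a carving tool looks for.
SIGNATURE = b"IMG!"
SAMPLE_FILE = SIGNATURE + b"holiday photo bytes........"


class FlashSim:
    """Hypothetical toy block device: a flat byte store plus a separate index
    (filename -> block numbers). Models the behaviour the article describes;
    it is not real Android code."""

    def __init__(self, n_blocks=64):
        self.store = bytearray(n_blocks * BLOCK_SIZE)
        self.index = {}
        self.next_free = 0
        self.key = None  # device encryption key; None means unencrypted

    def enable_encryption(self):
        # Assumption for the demo: a random key held in memory. Real devices
        # derive it from the user PIN plus hardware-bound key material.
        self.key = os.urandom(32)

    def _keystream(self, block_no, length):
        # SHA-256 in counter mode as a demo PRF keystream, not a production cipher.
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(
                self.key + block_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
            ).digest()
            counter += 1
        return out[:length]

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            if self.key is not None:
                ks = self._keystream(self.next_free, BLOCK_SIZE)
                chunk = bytes(a ^ b for a, b in zip(chunk, ks))
            start = self.next_free * BLOCK_SIZE
            self.store[start:start + BLOCK_SIZE] = chunk
            blocks.append(self.next_free)
            self.next_free += 1
        self.index[name] = blocks

    def read(self, name):
        out = b""
        for b in self.index[name]:
            chunk = bytes(self.store[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
            if self.key is not None:
                ks = self._keystream(b, BLOCK_SIZE)
                chunk = bytes(x ^ y for x, y in zip(chunk, ks))
            out += chunk
        return out.rstrip(b"\x00")

    def naive_factory_reset(self):
        # What the article describes: only the index goes away, the blocks stay.
        self.index = {}

    def crypto_erase_reset(self):
        # Reset on an encrypted device: index gone AND key discarded.
        self.index = {}
        self.key = None


def carve(store, signature):
    """Forensic-style carving: scan the raw bytes for the file signature,
    ignoring the index entirely. Returns the byte offsets of every hit."""
    raw = bytes(store)
    hits = []
    pos = raw.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(signature, pos + 1)
    return hits


def demo_unencrypted():
    """Naive reset on a plaintext device: the photo is still carvable."""
    dev = FlashSim()
    dev.write("photo.jpg", SAMPLE_FILE)
    dev.naive_factory_reset()
    return carve(dev.store, SIGNATURE)


def demo_encrypted():
    """Encrypt first, then reset: readable before, unrecoverable afterwards."""
    dev = FlashSim()
    dev.enable_encryption()
    dev.write("photo.jpg", SAMPLE_FILE)
    readable_before = dev.read("photo.jpg") == SAMPLE_FILE
    dev.crypto_erase_reset()
    return readable_before, carve(dev.store, SIGNATURE)


if __name__ == "__main__":
    print("after naive reset, carving finds offsets:", demo_unencrypted())
    print("encrypted device (readable before, hits after):", demo_encrypted())
```

The carving step is the whole point: it never consults the index, so clearing the index changes nothing for an examiner with raw access to the flash. Only the loss of the key changes what the raw bytes mean.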

This post first appeared on Exploring Information Security.

InfoSec links June 9, 2014

Complexity as the Enemy of Security - Brian Krebs - Krebs on Security

The Syrian Electronic Army (SEA) has been at the center of several high-profile hacks. They've hacked major news websites such as Time, CNN and The Washington Post. More recently they got into the RSA Conference site after Ira Winkler called them cockroaches. They accomplished this through a third-party content provider. This past weekend I went to BSides Asheville, where Paul Coggins gave an interesting talk on cloud networks and how "third-party" service providers can be the weak point in a network's infrastructure. The more entities you add, the bigger the attack surface and the more potential vulnerabilities there are.

Which of your favourite websites are terrible at passwords? - Lisa Vaas - Naked Security

Strong passwords are something the infosec community preaches pretty regularly. Typically it's preached at users, but it should also be preached at websites that let you create accounts. Match.com tops the list of sites that allow weak passwords such as:

  • Qwerty

  • 123456

  • 111111

  • and many others

They also don't lock accounts after a certain number of failed attempts, and they limit how long a password can be. Seriously, why would you stop someone from creating a longer password, or not allow special characters?
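As an added example (mine, not from the Naked Security piece or any of the sites it surveys), here is the policy the article complains about placed beside a saner one, plus the per-account lockout Match.com was missing. The `COMMON_PASSWORDS` set is a constructed stand-in for a real leaked-password list, and `weak_policy`, `strong_policy` and `LoginThrottle` are hypothetical names chosen for this illustration; the throttle takes an injectable clock so the lockout can be exercised without waiting.

```python
import string
import time

# Constructed stand-in for the "worst passwords" lists the article draws on.
# A real deployment would load a large breached-password set instead.
COMMON_PASSWORDS = {"qwerty", "123456", "111111", "password", "iloveyou", "abc123"}


def weak_policy(password):
    """The rules the article criticises: a short maximum length, a ban on
    special characters, and no blocklist, so '123456' sails straight through."""
    if len(password) > 16:
        return False, "password too long"
    if any(ch in string.punctuation for ch in password):
        return False, "special characters not allowed"
    return True, "ok"


def strong_policy(password, min_length=12, max_length=256):
    """Reject known-bad passwords, require a sane minimum, and only cap length
    far above anything a human would type (the cap just bounds hashing cost)."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    if len(password) > max_length:
        return False, "longer than %d characters" % max_length
    normalised = password.lower()
    if normalised in COMMON_PASSWORDS:
        return False, "appears on the common-password list"
    # Also catch trivial variants such as 'qwerty123456!' built on a listed word.
    stripped = normalised.rstrip(string.digits + string.punctuation)
    if stripped in COMMON_PASSWORDS:
        return False, "common password with a trivial suffix"
    return True, "ok"


class LoginThrottle:
    """Per-account failure counter with a temporary lockout. The clock is
    injectable so tests can advance time without sleeping."""

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> clock value when lockout expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear it and start counting afresh.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_attempts:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return self.is_locked(account)

    def record_success(self, account):
        self.failures.pop(account, None)


def simulate_guessing(throttle, account, guesses, correct):
    """Run an online guessing attempt against one account and return how many
    guesses the server actually evaluated before the lockout stopped it."""
    evaluated = 0
    for guess in guesses:
        if throttle.is_locked(account):
            break
        evaluated += 1
        if guess == correct:
            throttle.record_success(account)
            break
        throttle.record_failure(account)
    return evaluated


if __name__ == "__main__":
    for pw in ("123456", "qwerty123456!", "correct horse battery staple!"):
        print(repr(pw), "weak:", weak_policy(pw), "strong:", strong_policy(pw))
    throttle = LoginThrottle()
    attempts = sorted(COMMON_PASSWORDS) + ["guess%d" % i for i in range(10)]
    print("guesses evaluated before lockout:",
          simulate_guessing(throttle, "alice", attempts, "not-in-list"))
```

Without the throttle, the attacker gets to try the whole list; with it, the fifth failure locks the account and the remaining guesses are never evaluated. Note that the strong policy still has a maximum length, just a generous one, so a client cannot submit megabytes of password to tie up the hashing function.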

They Hack Because They Can - Brian Krebs - Krebs on Security

Highway signs are being hacked again, for... well, because they can be hacked, and because the security on these types of signs is awful. According to Krebs, the prankster appears to be a foreign script kiddie who enjoys defacing websites. The methods used to perform the hack appear to be trivial at best.
