Plaintext Password Storage

Today I received via snail mail my annual season ticket holder renewal for the Washington Capitals. As also seems to be traditional, my PIN (really a password) was included on the invoice. This makes it easier for people to renew online without having to get their password reset. Passwords provide authentication. That is to say, …

Gawker Media Security Breach

Gawker Media has experienced a data confidentiality breach that has disclosed passwords on all Gawker Media sites including Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, and Deadspin. If you have an account at a Gawker website, you should change the password immediately. If you use the same password on other websites those passwords should be changed as well. Be aware …

Webmail Account Compromises

A couple of my friends had their webmail accounts compromised and I got pharma spam from them over the weekend. One had a Hotmail account and another a Yahoo account. I’m not sure whether they should be mocked more for using accounts at those domains or for getting compromised. Restoring Access: If this happens to you and you’re really …

Thanks for Nothing Google

Yesterday I wrote about the importance of using good passwords because people are trying to brute-force your email and social networking accounts. Today I logged into Gmail and received a dire red letter message: “your email has been accessed from the United States.” Upon reviewing the Gmail account activity log, I see access to …

Yes, You really do need a good password

Mark Kellner, a technology reporter at the Washington Times, bravely owns up to using crappy passwords. Most users think they have nothing to hide and nothing of value. “Who would possibly be interested in me” they ask. So “why”, they ask, “should I bother with a good password.” Kellner’s Gmail account was compromised by an …

On Password Changes

Cormac Herley’s paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users raises some interesting issues about security policy. Sadly I see this research paper not as causing people to challenge assumptions, but instead as ammunition for the anti-IT/anti-security forces. They’re the ones who want to argue about …

iPhone (in)security in the enterprise – Followup

Back in November I wrote a summary of several concerns we have about the iPhone in the enterprise. Four months later, let’s take a look and see what’s changed. One of the other guys at work took that list of concerns to our AT&T rep, who then took them to an unnamed, untitled Apple contact. …

BitLocker vs Third Party FDE

Like many organizations, we skipped Vista. So with Windows 7 we are facing the question “is Windows 7 good enough” or do we still need to pay for a third-party full disk encryption (FDE) product. This question was asked back in 2006 at the SANS Desktop Encryption Summit. The FDE vendors felt their product was …