password

  • AT&T ramps up voicemail security, say hello to your new pin code

    by Zachary Lutz, 08.06.2011

    Have anything sitting in your voicemail that you'd prefer the rest of the world didn't hear? When's the last time you went about checking it, anyway? AT&T is now on a mission to save its carefree customers from themselves, and beginning today, all new subscribers will be required to set a voicemail password or affirmatively disable the security measure. Ma Bell's new policy is a reaction to the current unauthorized intrusion hubbub in the media, combined with the very real threat of caller ID spoofing. Shockingly, its current customers won't receive similar treatment until early next year, and only when they upgrade their handsets. Of course, you can easily secure your voicemail within the settings, and if you prefer the convenience of retrieving your messages without hassle, you'll still have that option -- much to Rupert Murdoch's pleasure, that is.

  • Security firm extracts Mac OS user login passwords over FireWire

    by Steve Sande, 07.26.2011

    OMG. Lock up your Mac now! Security firm Passware sent out a PR blast this morning noting that their $995 application Passware Kit Forensic v11 can retrieve Mac OS user login passwords, and they're saying that this "proves Mac OS Lion insecure." The expensive app, which Passware will happily sell you for all of your forensic and password stealing needs, is used to connect a Windows machine running the software to a Mac via a FireWire connection. It can apparently "capture live Mac memory" and extracts passwords regardless of the strength of your password or use of FileVault encryption. While Passware Kit Forensic could be extremely useful for law-enforcement and government officials, as well as network administrators in enterprises, it doesn't seem likely that a common criminal is going to purchase Passware Kit Forensic when they're much more likely to want to wipe the hard drive and sell a stolen Mac for fast cash. Where this is a bit scary is in industrial or governmental espionage. Those are the situations where a thousand-dollar app would be chump change and the information that's stolen could make or lose billions of dollars. In those cases, Passware's president Dimitry Sumin notes "it is important to ensure physical security of the computer. One might also consider using additional encryption software." As for the rest of us with information that isn't too important? There's an easy way to keep yourself safe -- just turn off your computer when it's not in use instead of putting it to sleep, and disable the Automatic Login setting. By doing this, passwords aren't present in memory and can't be recovered using Passware's software. It's interesting that Passware didn't headline their press release with "Passware Proves Windows 7 Insecure..." since the same software easily retrieves passwords from that commonly used OS.

  • Hotmail adds 'My friend's been hacked!' feature to finger phishers

    by Christopher Trout, 07.16.2011

    Hotmail's spent the past few years playing catch up with the competition, but for the most part, it hasn't done anything particularly groundbreaking with its services. Earth shattering might not be the appropriate descriptor for its latest addition, but Hotmail's added a helpful new feature to distinguish plain old spam from the kind that comes from a trusted source. Now, when you get an email from a friend that smells of something sea dwelling -- say a plea for some extra scratch from abroad -- you can select "My friend's been hacked!" from the "Mark as" menu, alerting the powers that be that your friend's account has been hacked. When you mark a missive as junk, you can likewise click a box that reads: "I think this person was hacked!" Once that's done, the spammers are kicked to the curb, and your friend is put through an "account recovery flow" the next time they attempt to log in. On the prevention front, Hotmail will soon roll out a new service that blocks users from selecting common passwords. It might not be enough to coax us over, but maybe this time the other guys could learn a few lessons.

  • Automated shoulder surfing makes it easier to steal passwords, isn't very tubular, brah (video)

    by Amar Toor, 07.15.2011

    Here's something mildly terrifying to chew on: researchers in Italy have developed a way to automatically harvest anything you type on your smartphone's touchscreen, using only a camera placed over your shoulder. The software, created by Federico Maggi and his team from the Politecnico di Milano, takes advantage of the magnified touchscreen keys you'll find on most iOS, Android and BlackBerry devices. Because these magnifications often pop up in predictable positions, the spying system can recognize and record them with relative ease, with the help of a camera aimed at a targeted display. And it's not like bobbing and weaving around will help evade its watchful eye, since the apparatus can instantly detect sudden movements and adjust its gaze accordingly. Researchers say their tool is capable of accurately recognizing up to 97 percent of all keystrokes and is fast enough to transmit copied passwords in "quasi real-time," which must be music to a lazy criminal's ears. Tiptoe past the break to see the beast in action and spend the rest of your life in an everlasting state of fear.

  • Mac 101: Using Keychain Access to remember the password you forgot

    by Steve Sande, 06.29.2011

    One of the unsung joys of being a Mac consultant is getting emails from clients with problems that aren't critical enough to warrant a billable office visit but still need attention. This morning, I heard from a client who needed to add two Macs onto the office AirPort network but couldn't remember the password. Here's how she (and you) can retrieve that password. Most of the time when Mac users are asked to create a password on the Mac, there's a small check box just below asking if you want to "store the password on the keychain." If you're like many Mac users, you're not really sure what that means but you check the box anyway. What it does mean is that the password is then stored in the Mac's keychain, which is Apple's password management system that has been around since the days of Mac OS 8.6. Fortunately, Apple provides an application that you can use to find out what password you used three years ago and have since forgotten. It's called Keychain Access, and it is tucked away in the Utilities folder that resides in your Applications folder. Hint -- if you're not familiar with the Utilities folder, there's a quick way to get to it from the Finder menu bar. Just select Go > Utilities to open a Finder window filled with all sorts of fun apps, from the handy (and dangerous) Disk Utility to the under-appreciated X11. I told my client to launch Keychain Access and then click on the "login keychain" in the list of keychains on the left side of the app window. A list of passwords appears, one of which has a "kind" of "AirPort network password." Double-clicking that entry brings up a dialog similar to the one shown below: See where it says "show password"? A click on the checkbox next to that brings up a dialog that asks for the keychain password, which is generally the administrator password on your Mac. Enter that password and click OK, and you may be asked to enter the password once again. Once that's done, the password should auto-magically appear in the field next to "show password." This trick has worked many times for me when my clients have forgotten a password or misplaced the Post-It Note that they wrote it on. Hopefully it will help out some TUAW readers as well.

  • Sega's online Pass hacked, 1.3 million user passwords stolen

    by Vlad Savov, 06.20.2011

    Let's bid a bitter welcome to Sega, the latest entrant to the newly founded club of hacked online communities. Sega Pass, the company's web portal, suffered a breach of its defenses on Thursday, which has now been identified to have affected a whopping 1.29 million users. Usernames, real names, birth dates, passwords, email addresses, pretty much everything has been snatched up by the malicious data thieves, with the important exception of credit / debit card numbers. We'd still advise anyone affected to keep a watchful eye on his or her banking transactions -- immediately after changing that compromised password, of course. In the meantime, Sega's keeping the Pass service offline while it rectifies the vulnerability; it'll be able to call on an unexpected ally in its search for the perpetrators in the form of LulzSec, a hacker group that boasted proudly about infiltrating Sony's network, but which has much more benevolent intentions with respect to Sega. What a topsy-turvy world we live in!

  • Google admits sensitive email accounts have been hacked, some users knew months ago (update: US says no government accounts compromised)

    by Sharif Sakr, 06.02.2011

    The Contagio security blog posted evidence back in February of targeted attacks against government and military officials on Gmail. Today, nearly four months later, Google has finally admitted this is true: hundreds of personal accounts have been compromised by hackers it believes to be working out of Jinan, the capital of China's Shandong province. The accounts include those of "senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists." The hijackers' aim appears to have been to spy on their targets using Google's automatic forwarding function. But unlike the PSN fiasco, Google insists its internal systems "have not been affected." Instead it seems the hackers used a phishing scam, possibly directing users to a spoof Gmail website before requesting their credentials. Google says its own "abuse detection systems" disrupted the campaign -- but in a footnote right down at the bottom of their official blog page they also credit Contagio and user reports. Update: And in comes China's response, courtesy of Foreign Ministry spokesman, Hong Lei. "Allegations that the Chinese government supports hacking activities are completely unfounded and made with ulterior motives." Ok then, that settles that. Update 2: And the saga continues... According to an AP story published earlier today, the Obama administration has stated that the FBI is looking into allegations that hackers broke into Google's email system, but denied that any official government accounts were compromised. A White House spokesman went on to say that government employees are free to use Gmail for personal purposes, and can not be sure who in the administration might have been affected by the attack. Let's just hope they know how to leave the sensitive stuff at the office.

  • Key pattern analysis software times your typing for improved password protection

    by Michael Gorman, 05.20.2011

    The recent pilfering of PlayStation Network passwords and personal info shows that having a strong passcode doesn't always guarantee your online safety. However, key-pattern analysis (KPA) software from researchers at American University of Beirut may be able to keep our logins secure even if they're stolen. You create a unique profile by entering your password a few times while the code tracks the speed and timing of your keystrokes. The software then associates that data to your password as another means of authentication. Henceforth, should the magic word be entered in a different typing tempo, access is denied. We saw a similar solution last year, but that system was meant to prevent multiple users from accessing subscription databases with a single account. This KPA software allows multiple profiles per password so that your significant other can still read all your email -- assuming you and your mate reside in the trust tree, of course.

  • PSN logins exploited again, Sony takes pages offline

    by Tim Stevens, 05.18.2011

    This isn't as bad as it could have been -- Sony's PSN hasn't exactly been hacked again -- but what can only be described as a glaring oversight looks to have forced the company into hastily switching off PSN logins on its websites. The issue? If you legitimately forget your password and need to reset it, previously all you had to do was type in your e-mail address and date of birth, then choose a delightfully cunning new password. Sounds good? The problem is that if you were a PSN member before the hack then both your e-mail address and your date of birth (plus a lot of other frightening stuff) are known to the hackers. So, whoever has the millions of rows of data that were exposed could, in theory, re-exploit any account. Sony was made aware of the issue and those pages are now offline again, which should make the Japanese government feel just a little bit smug. Update: Sony has confirmed that there was "a URL exploit that we have subsequently fixed." However, the company indicates there was "no hack involved." So, remember kiddies: exploits are not hacks -- not until someone starts having fun with them, anyway.

  • PSN back in Europe and Australia, your password email may take some time

    by Griffin McElroy, 05.16.2011

    The select PlayStation Network services that came back online in North America over the weekend have now shaken off their bonds in a handful of other territories across the globe. Formerly jilted users living in Europe, Australia, New Zealand, Mexico and South America should now have access to online multiplayer, third-party video services and all the other reactivated features that returned this past Saturday. Unfortunately, the flood of people who have made it their first priority to change their password has overwhelmed both the PlayStation Network servers and their ISPs, leading to delays for password reset emails. If you requested a password reset and haven't heard back yet, Sony asks that you "please give it a bit of time to reach your email."

  • Talking Sony and identity protection with LifeLock

    by Justin Olivetti, 05.10.2011

    As Sony continues to struggle to restore service to both the PlayStation Network and Sony Online Entertainment's MMOs following a hacking intrusion that resulted in millions of customer identities being compromised, players are understandably concerned about how secure their information is with similar companies. Even though Sony promised to provide a year's worth of identity theft protection for affected customers, part of the responsibility for safeguarding against such theft lies with us. As such, we spoke with Mike Prusinski, the Senior Vice President of Corporate Communications for LifeLock, an identity theft protection service. We asked him about what we should be doing to protect our identities online -- and what Sony could have done better in the first place.

    Massively: What are the most common ways that people have their identities stolen?

    Mike Prusinski: Though there are no statistics that point to one way over another, consumers get their personal information lost through stolen laptops, hackers, stolen mail, trash, skimming devices, scams (email, phone calls and personal visits), peer-to-peer networks and public websites.

  • Fiesta Online unveils the Trickster class with a sneaky in-game event

    by Rubi Bayer, 03.17.2011

    The Fiesta Online team has been hard at work on some special events to celebrate the release of the game's new Trickster class -- but we can't tell you what they are. As is befitting this hard-to-pin-down class, the events associated with it are a bit of a puzzle. There will be a special password-protected event page on the Fiesta Online site later tonight, and the password can only be found while playing the game. We can give you a few hints, however. There will be jester caps available in game as part of the festivities, you can earn special in-game weapons, and the GM team -- particularly GM Trixie -- is feeling a little mischievous. Your job is to find that password once the event begins and use the event page to guide you to the special items and quests. Check out the image above for a sneak peek. For the rest of the details, keep an eye on the Fiesta Online page tonight, and have fun!

  • Apple doubles down on in-app purchasing security in iOS 4.3, password now required

    by Sam Sheffer, 03.11.2011

    As you might recall, a certain game was racking up credit card bills because of its in-app purchases -- something which probably resulted in some angry parents (or as the folks in Finland say, "birds"). In Apple's latest iOS update, a feature has been implemented that requires the user to input their password whenever an in-app purchase is made. Will this new security measure actually prevent those children from purchasing hundreds worth of virtual fruit? A big boon for grown-ups, a big downer for those who no longer have an excuse to explain their Smurfberry obsession.

  • PSA: Change your old Amazon.com password for better security

    by Sean Hollister, 01.30.2011

    Amazon's allegedly got a security flaw where hackers can find your password much more easily than they would otherwise, and there's already a fix in place. But get this -- you'll probably need to change your password for the fix to take effect, if you haven't already done so in the last couple of years. According to Reddit users, the Amazon.com login system will actually accept any phrase so long as it begins with your password, such as "password123" when the magic word is simply "password" by itself. That apparently makes it that much easier for a computer to guess your password via brute force methods, no matter how counter-intuitive that seems, so if you simply change it immediately -- and to something other than "password," please -- you'll have much sounder dreams.

  • The Road to Mordor: Hacked!

    by Justin Olivetti, 01.21.2011

    "My kinship had just finished an instance run about a week-and-a-half ago and was in the process of reloading back into the world when I got the message that I was being disconnected because I had just logged into the Brandywine server. Huh? Suspecting the worst, I immediately hit up the Turbine Account page and changed my password then re-logged back into the game, which would boot the hacker offline just like I had been booted minutes earlier. "I was lucky and did that before the hacker had time to switch servers to where my active characters are. Other kinmates have not been so lucky." So goes the frightening tale of Pumping Irony's Scott, who shares this in the hopes that others may avoid a similar scare. Unfortunately, it seems as though stories such as these are becoming more and more common in Lord of the Rings Online, where the worst threat to your quest may not be the eye of Sauron but the malicious intent of hackers gutting your account while you're offline. Today we're going to step off the path for a temporary side trail into the gloomy undergrowth of account security and an MMO under siege.

  • Xmarks finds new owner, isn't going anywhere

    by Mike Schramm, 12.15.2010

    Look at that -- while I was sad to hear that my favorite bookmark syncing service Xmarks would be calling it quits after trying and failing to find a profitable business model, its users stepped in to support the service, and at the beginning of this month, Xmarks announced that it would be acquired by password manager LastPass without any interruption in service. That's great news; the basic syncing service will stay free, and there will now be two premium services available with the company. Premium membership in LastPass will get all of the password manager's features, and premium Xmarks service will enable priority support, syncing with mobile apps and more. Both services are available for US$12 each yearly, or $20 a year for the whole shebang. It sounds like this is a great deal for both companies, and together, the two services should be able to offer up some excellent features to customers both old and new. I'm just glad my current Xmarks service isn't dying; the browser add-ons let me share passwords and bookmarks across all of my Mac and PC browsers quickly and easily. Great to see that one of the most valuable sharing services I use has found a new lease on life. Thanks, Chris!

  • Mac 101: Securing your passwords after the Gawker breach

    by Steve Sande, 12.14.2010

    Thanks to questionable security practices at Gawker Media (publishing parent of many high-profile websites including Gizmodo and Lifehacker), a number of people are busy scrambling to change their passwords on a lot of different sites today. Gawker stored encrypted passwords on its servers instead of password hashes (and stored those passwords using the deprecated DES standard), so as a result of some weekend hacking, a lot of email addresses and passwords were stolen. Gawker Media is asking anyone who uses its comment system to change their password immediately, and if they used the same email address and password on other websites, they should change those passwords as well. If you have used any of the Gawker sites in the past, you can use Slate's Gawker Hack widget to determine if your email address and password were part of the group that was compromised. Some other sites like LinkedIn are proactively disabling the accounts of users who were included in the data dump, requiring them to reset their passwords before they can get back in. Common sense dictates that for the best security, every website account should have a separate password; you should never use a dictionary word, birthday or family name as your password; strong passwords always need a mix of capital and lowercase letters, numbers and (if acceptable to the service you're logging into) punctuation/non-alphanumerics. (The number of people who used 'password' or '123456' as their comment login in the Gawker system is truly shocking.) However, our puny human brains don't work well with strong passwords; we just can't remember a lot of passwords that are random gibberish, and even using mnemonics and other tricks for password generation can fill up the ol' brain pretty quickly. There are some ways to generate strong passwords that are associated with just one website -- and keep them recorded securely on your Mac or in the cloud -- so click that Read More link to see how.

  • Schiller answering questions on Twitter

    by Mike Schramm, 11.30.2010

    Last week, we reported that Apple's Phil Schiller has gotten a verified account on Twitter, and since then, his popularity on the short form social networking service has apparently skyrocketed. Rather than just retreat to the shadows, he's stepping up into the limelight, sharing insights and answering questions of all kinds from Apple fans. It's pretty awesome, actually -- he's sharing everything from his favorite apps to why you have to put in your iTunes password every time you install a new app (for security's sake -- Apple wants your approval for every piece of software on your machine). It's cool to see a senior member of Apple not named Jobs getting so hands-on with Apple's customers. TechCrunch has a few other tidbits from Schiller's tweets so far: the @appleincnews account that seems real on Twitter actually isn't, but the @itunes accounts are completely official. And he hasn't yet tried Reeder for Mac, but he is a fan of the iOS version. All in all, it seems like Schiller is really "getting" Twitter -- he's declined to share his Game Center name, so he still wants some privacy, but he is using the service as it's meant to be used, reaching out directly to customers en masse. You never know -- maybe a good word from Schiller to Jobs might get us a verified account for Steve himself.

  • PSA: FaceTime beta endangers your Apple ID password and security questions

    by Paul Miller, 10.21.2010

    Worried about local hackers? Like leaving your laptop behind in the coffee shop while you take long, leisurely trips to the bathroom? We wouldn't be so self-assured. Turns out there's a gaping security hole in the FaceTime beta, which allows anyone with access to your computer to change your password without knowing it to begin with, as well as peep and edit your security questions and answers. It would be nice if signing out of FaceTime would protect you, but unfortunately the app seems to have a lock-tight memory on your password, so it's easy for anyone to open the app and sign-in again. Hopefully Apple will fix these holes quickly, and until then we recommend uninstalling FaceTime or choosing your friends very wisely.

  • GPUs democratize brute force password hacking

    by Joseph L. Flatley, 08.16.2010

    It seems that the availability of increasingly powerful GPUs, when combined with brute-force password cracking tools, is making it increasingly easy to crack passwords -- even if they're extremely well thought out, with symbols and quirky capitalization and all that. How short is too short? According to computer scientists at the Georgia Tech Research Institute, "a seven-character password is hopelessly inadequate, and as GPU power continues to go up every year, the threat will increase." A better alternative, they suggested, would be a 12-character combination of upper and lower case letters, symbols and digits. Of course, processors are only getting more powerful and hardware less expensive -- soon even seven-plus character passwords may become the digital equivalent of unlocked doors. And if that weren't bad enough, a recent study by an Internet security company called BitDefender has determined that some 250,000 user names, email addresses, and passwords used for social networking sites are freely available online -- and seventy-five percent of these folks use the same password for their email and social networking. So, when dreaming up fancy new twelve character passwords, make sure you're creating unique passwords for all your various accounts. It would be a shame if your Starsky & Hutch FanFicForum account left you vulnerable to identity theft.