CyberTheft Alert: STOLEN Credentials


by Karl Denninger, Market Ticker:

Someone has one or more “older” discussion forum or similar systems out there that have had their password file stolen, said file was not hashed, it was in “unix” format (e.g. “login:password”) and it’s circulating.  I’ve been getting a series of spam emails that all are of the form “I turned your webcam on and recorded you watching porn; send me $x to this bitcoin address or I’m going to release it” bull****.  Oh well, I don’t watch porn…… so sorry, so sad for the fear merchants.  But recently a few of them included in Unix format my email address and a very old, only-used-for-insecure-forums, password — in plain text.

If you have used the same password on various online forums in the past if that same password is in use anywhere else change it right now.

The Market Ticker has always hashed passwords (using the internal Postgres functions to do so, which have gotten stronger over time as their algorithm support has improved.)  But there are more than a few out there that do not hash, but instead store passwords!  Most of those have been fixed by now, but it used to be trivial to know if that was the case because you could ask the system to send you your password to your email address and instead of getting a link to reset it (since the system doesn’t know what it is — only the hash of a correct entry) you’d get the password in your email!

In addition you should be extraordinarily skeptical of any browser plug-in or alleged “VPN” provider; anything that can “get in the middle” of your communications can be very bad news.  Browser plug-ins are especially dangerous since they can potentially hook the input and steal passwords, as are “custom” keyboards and similar on phones (which by definition must process what you type.)

Good “digital hygiene” is to never use “external” sign-on (e.g. use your Twatter account to log in somewhere else) and always generate a random, high-quality password for each place you log into.  You cannot control the security of some third-party site so the best you can do is make damn sure that if or when they screw the pooch the damage stops with that one site and can not propagate somewhere else.

This means you need some sort of good “password safe” (because there’s no possible way for you to remember a dozen or more good, secure passwords) and its security is paramount.

I personally like KeePass because it can use a composite key — both a key file and a password, and it is multi-platform.  Steal either the password or the key file and you have nothing; you need both.  It is of course very, very important that the key file never be put on any sort of “cloud” storage, EVER — you must physically copy it to the devices that need it, and only the devices that need it.  If you suspect any of those devices are compromised you re-generate it and replace it.  Of course the risk with this approach is that you had damn well better never lose the key file yourself but the risk with the key file being lost is easily remedied by putting it on a USB key and then sticking THAT in your safe deposit box at the bank.  Now if you manage to lose your operating copy (e.g. your computer’s disk crashes) you still have it.

Read More @