STE WILLIAMS

Boffins have sprung the bonnet on the weak crypto behind the keyless entry system in Tesla’s Model S car.

Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at the KU Leuven, a Belgian university – were able to clone a key fob, open the doors and drive away the electric sports car.

The problem was reported to Tesla and resolved in June, when the car maker upgraded the weak encryption that permitted the attack. Last month Tesla added an optional PIN as an additional defence.

Youtube Video

In a statement, Tesla confirmed the fix, adding the researchers involved had earned an unspecified bug bounty for their efforts.

Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we’ve rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles.

None of these options would be possible for any traditional automaker – our ability to update software over the air to improve functionality and security is unique.

Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish.

In addition, we had already been working on several other over-the-air updates to help protect our customers from thefts – last year we introduced an update that allows all customers to turn off passive entry entirely, and this year we introduced PIN to Drive, which allows customers to set a unique PIN that needs to be entered before their vehicle is driven.

Tesla added it plans to add the security researchers to its Hall of Fame.

It was not a key relay attack (PDF), an established way to hack keyless cars, but rather an exploit of DST40, a technology shown to be weak 13 years ago by a group including (PDF) noted cryptographer Matthew Green.

“I really feel like doing further research is redundant at this point, since my 2005 papers are apparently still good enough to pwn Tesla,” Green noted.

The research aimed to probe the resilience of Passive Keyless Entry and Start (PKES) systems, which allow drivers to unlock and start their vehicle once a paired key fob is within range – no additional interaction required.

Tesla was used as a proof of concept. However, other vehicle makers rely on keyless entry tech from the same vendor, Pektron.

“Everybody is making fun of Tesla for using a 40-bit key (and rightly so). But Tesla at least had a mechanism we could report to and fixed the problem once informed. McLaren, Karma, and Triumph use the same system and ignored us,” said a member of the team.

El Reg asked McLaren, Karma and Triumph Motorcycles to comment on the researcher’s criticism. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/tesla_hack/

Promo Worried about today’s IT dangers and how they will affect your organisation? Cybersecurity firm Sophos is inviting IT professionals to a free “See the Future” event in London on Tuesday, 9 October.

Starting at 8.30am, the day’s schedule will include expert talks and breakout sessions covering the latest trends in cybersecurity, from deep learning to ransomware and phishing attacks. Lunch is included.

The main speakers are Sophos CEO Kris Hagerman and Dan Schiappa, the company’s senior vice president and general manager of products. They will also be present during the day to chat and answer questions.

Plus hear from our special guest, magician and hustler Alexis Conran of The Real Hustle on the BBC, as he talks about the psychology of deception – something everyone in cybersecurity has top of mind with ransomware and phishing attacks a daily challenge.

This year’s theme “See the Future” will give attendees an insider’s view into the latest Sophos product developments and planned innovations.

Keynotes and breakout sessions will include a virtual tour of SophosLabs, with a live demonstration of the bespoke systems SophosLabs uses to protect organisations against security attacks.

Among them is the growing menace of crypto-ransomware, which is not only fooling up-to-date anti-spam and web gateway appliances but endpoint antivirus defences as well. Learn to shield your organisation from this shape-changing predator in a new report called Stand Up to Cryptojacking.

Phishing attacks too have seen a meteoric rise in the last year as attackers share their tips and take advantage of malware-as-a-service offerings on the dark web to step up their incursions. Protect your systems with the Sophos Phish Treat toolkit.

Discover how you can futureproof your organisation with Sophos Synchronized Security, a set of best-of-breed products that share a unified interface and exchange real-time information to respond automatically to threats.

Register here to secure your place.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/explore_the_threat_landscape_at_sophos_see_the_future_event/

Admins will again be working overtime as Microsoft and Adobe have posted their monthly scheduled security updates for September.

This month’s Patch Tuesday bundle includes critical fixes for Windows, SQL Server, and Hyper V, as well as Flash and Cold Fusion.

Rude guests and ugly images menace Microsoft

In total, Microsoft addressed 61 CVE-listed vulnerabilities this month, including 23 that would potentially allow for remote code execution.

One of the more noteworthy of those bugs is CVE-2018-8475, a remote code flaw that can be triggered simply by viewing an image file in Windows. While no exploits are out, Microsoft warns that details on the vulnerability are already public.

“Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario,” explains Dustin Childs of Trend Micro’s Zero Day initiative.

“Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly.”

Also raising eyebrows was CVE-2018-0965, a bug in Hyper-V that would let a virtual machine instance achieve remote code execution on the host server simply by running a specially-crafted application within a VM.

Admins will want to prioritize the patch for CVE-2018-8440, an elevation of privilege flaw that is being actively targeted in the wild. The vulnerability can be traced to a flaw in the handling of the Windows Advanced Local Procedure Call (ALPC).

“An ALPC is an internal mechanism normally restricted to Windows operating system components. A lack of permissions checking in the Spooler process allows the elevation,” Childs explained.

“This bug should be on the top of everyone’s deployment list.”

Safari, Edge fans: Is that really the website you think you’re visiting? URL spoof bug blabbed

READ MORE

As per usual, most of the other remote code bugs are in the Edge and IE browsers as well as their respective scripting engines. The two browsers were the recipients of 11 of the 23 remote code fixes, include one (CVE-2018-8440) that has already been made public.

Office also received a number of fixes, including for remote code execution bugs in Word (CVE-2018-8430), Excel (CVE-2018-8331), as well as a cross-site-scripting bug in SharePoint CVE-2018-8426 and a security feature bypass in Lync for Mac 2011 (CVE-2018-8457).

Azure, meanwhile, received a fix for a server spoofing flaw (CVE-2018-8479) and the .NET framework had one remote code execution flaw (CVE-2018-8421) addressed.

CVE-2018-8421 is a bug in Device Guard that puts PCs in danger by allowing attackers to forge file signatures.

“Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute,” Microsoft explained.

Meanwhile, over at Adobe…

This month wasn’t so bad for Flash, as the internet’s broken screen door only needed a single CVE-listed bug patched. Dubbed CVE-2018-15967, the flaw could allow for information disclosure, a refreshing change from the usual parade of remote code execution bugs Adobe delivered in previous months.

Adobe’s only other patch of the day was for ColdFusion. The web app developer suite saw an update for nine CVE-listed flaws, five of which could potentially allow remote code execution. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/11/patch_tuesday_september/

A privilege escalation flaw in McAfee’s True Key software remains open to exploitation despite multiple attempts to patch it.

This according to researchers with security shop Exodus Intel, who claim that CVE-2018-6661 was not fully addressed with either of the two patches McAfee released for it.

The flaw is an elevation of privilege issue in McAfee’s TrueKey password manager. An exploit can be carried out on a guest account by side-loading a specially-crafted DLL into True Key that would then allow for commands and code to be executed with system-level privileges.

McAfee’s summary of the flaw, published on March 30, lists it as a ‘high’ severity issue that was patched in version 4.20.110 – which was released in April.

Exodus says that the April release didn’t fully fix the bug, however. The researchers explain that McAfee’s patch only addresses one of the libraries (SDKLibAdapter) that would allow the attack to take place, with another DLL (NLog logging library) being left vulnerable to the same side-loading tactic.

“The patch is incomplete because it overlooks this and hence the nlog.dll can be utilized to allow arbitrary code execution just as the McAfee.TrueKey.SDKLibAdapter.dll could be used in versions prior to the patch,” Exodus researchers Omar El-Domeiri and Gaurav Baruah said.

Well, can’t get hacked if your PC doesn’t work… McAfee yanks BSoDing Endpoint Security patch

READ MORE

“Furthermore, any other McAfee signed binary can be used to exploit the vulnerability as long as the binary depends on a DLL outside the list of known DLLs.”

Exodus said that it notified McAfee of the issue back in August, prompting a second patch that, unfortunately, also failed to fully remedy the issue.

“We disclosed the failed patch to McAfee and they published an update in response,” the researchers said.

“However, we tested the latest version available (5.1.173.1 as of September 7th, 2018) and found that it remains vulnerable requiring no changes to our exploit.”

To its credit, McAfee acknowledged the issue and said it is still working to fully resolve the flaw.

“McAfee has been working with the researchers to confirm their findings, and has provided customers mitigation guidance to allow them to protect themselves until the company can address the reported issues via automatic product updates,” McAfee told The Register.

In the meantime, McAfee says customers can use the True Key browser extension (which is not subject to the DLL vulnerability) rather than the Windows application. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/11/mcafee_flaw_fix/

Admins will again be working overtime as Microsoft and Adobe have posted their monthly scheduled security updates for September.

This month’s Patch Tuesday bundle includes critical fixes for Windows, SQL Server, and Hyper V, as well as Flash and Cold Fusion.

Rude guests and ugly images menace Microsoft

In total, Microsoft addressed 61 CVE-listed vulnerabilities this month, including 23 that would potentially allow for remote code execution.

One of the more noteworthy of those bugs is CVE-2018-8475, a remote code flaw that can be triggered simply by viewing an image file in Windows. While no exploits are out, Microsoft warns that details on the vulnerability are already public.

“Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario,” explains Dustin Childs of Trend Micro’s Zero Day initiative.

“Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly.”

Also raising eyebrows was CVE-2018-0965, a bug in Hyper-V that would let a virtual machine instance achieve remote code execution on the host server simply by running a specially-crafted application within a VM.

Admins will want to prioritize the patch for CVE-2018-8440, an elevation of privilege flaw that is being actively targeted in the wild. The vulnerability can be traced to a flaw in the handling of the Windows Advanced Local Procedure Call (ALPC).

“An ALPC is an internal mechanism normally restricted to Windows operating system components. A lack of permissions checking in the Spooler process allows the elevation,” Childs explained.

“This bug should be on the top of everyone’s deployment list.”

Safari, Edge fans: Is that really the website you think you’re visiting? URL spoof bug blabbed

READ MORE

As per usual, most of the other remote code bugs are in the Edge and IE browsers as well as their respective scripting engines. The two browsers were the recipients of 11 of the 23 remote code fixes, include one (CVE-2018-8440) that has already been made public.

Office also received a number of fixes, including for remote code execution bugs in Word (CVE-2018-8430), Excel (CVE-2018-8331), as well as a cross-site-scripting bug in SharePoint CVE-2018-8426 and a security feature bypass in Lync for Mac 2011 (CVE-2018-8457).

Azure, meanwhile, received a fix for a server spoofing flaw (CVE-2018-8479) and the .NET framework had one remote code execution flaw (CVE-2018-8421) addressed.

CVE-2018-8421 is a bug in Device Guard that puts PCs in danger by allowing attackers to forge file signatures.

“Because Device Guard relies on the signature to determine the file is non-malicious, Device Guard could then allow a malicious file to execute,” Microsoft explained.

Meanwhile, over at Adobe…

This month wasn’t so bad for Flash, as the internet’s broken screen door only needed a single CVE-listed bug patched. Dubbed CVE-2018-15967, the flaw could allow for information disclosure, a refreshing change from the usual parade of remote code execution bugs Adobe delivered in previous months.

Adobe’s only other patch of the day was for ColdFusion. The web app developer suite saw an update for nine CVE-listed flaws, five of which could potentially allow remote code execution. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/11/patch_tuesday_september/

A team of hackers finds it’s possible to steal a Tesla Model S by cloning the key fob.

The key to stealing a Tesla Model S is cloning the car’s existing key fob, according to a team of security researchers at the KU Leuven university in Belgium.

At the Cryptographic Hardware and Embedded Systems conference held this week in Amsterdam, the team will present a paper detailing the process of breaking encryption in the wireless key fobs of the Tesla Model S. It took about $600 in equipment to read signals from the fob of a nearby key, and less than two seconds of computation to learn the cryptographic key, which can be used to drive the car.

“We can completely impersonate the key fob and open and drive the vehicle,” says KU Leuven researcher Lennert Wouters in a statement to Wired, which reported on the research. Over nine months, the team learned the Model S keyless system used weak 40-bit cipher encryption for its key fob codes. With those codes, they could try every possible cryptographic key until they found the right one.

Tesla issued an upgraded key fob in response to the findings and says Model S cars sold after June 2018 aren’t vulnerable to this type of attack. It also recently gave drivers the option to set a PIN code to be entered on the dashboard before the car can be driven. However, if the PIN code is not enabled or the key fob isn’t upgraded with stronger encryption, cars are vulnerable.

The research team believes this type of attack might work on McLaren and Karma cars, as well as Triumph motorcycles, all of which use the Pektron key fob system. However, they were not able to
gain access to those vehicles for testing. McLaren reports it’s investigating the problem and, in the meantime, is offering drivers protective key pouches to protect from radio scans.

Read more details here.

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/risk/the-key-to-stealing-a-tesla-model-s/d/d-id/1332785?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new version of Mirai exploits the Apache Struts flaw linked to the Equifax breach, while Gafgyt targets an old flaw in SonicWall.

Well-known Internet of Things (IoT) botnets Mirai and Gafgyt have resurfaced with new variants targeting vulnerabilities in Apache Struts and SonicWall, respectively.

Researchers in Palo Alto Networks’ Unit 42 detected the new versions of Mirai and Gafgyt, both of which have been linked to massive distributed denial of service (DDoS) attacks since November 2016. They suggest both botnets are veering away from consumer targets and toward the enterprise.

The Mirai samples were found in the first week of September, while the Gafgyt samples were available on and off throughout the month of August. Both were using the same domain.

Mirai is an evolution of the Gafgyt botnet (also known as Bashlite or Torlus), an IoT/Linux botnet, explains Ryan Olson, vice president of threat intelligence for Unit 42. It was originally designed to spread across Linux devices by brute-forcing default credentials so the attacked devices could then be commanded to launch DDoS attacks.

“Neither is more inherently dangerous than the other, though, as we note, these samples of Mirai are notable for how many vulnerabilities they target,” Olson says of the recent findings.

On Sept. 7, Unit 42 discovered samples of another Mirai variant packing exploits targeting 16 distinct vulnerabilities. It’s not the first time the botnet has been seen leveraging multiple exploits in a single sample. However, it is the first time Mirai has leveraged a vulnerability in Apache Struts – the same bug associated with the massive Equifax data breach in September 2017.

The other 15 vulnerabilities all target IoT devices and have previously been seen in different combinations within different Mirai variants, says Olson, who adds that “the Struts addition is the most notable change in this version of Mirai we found.” It’s also worth noting these samples don’t include the brute-force functionality generally used in the Mirai botnet.

Researchers found the same domain hosting the Mirai samples previously resolved to a different IP in August. During that time, the IP was sporadically hosting samples of Gafgyt that included an exploit against CVE-2018-9866, a SonicWall bug affecting older versions of the SonicWall Global Management System (GMS).

Both the Apache Struts and SonicWall exploits are deemed Critical, with a CVSS score of 10. Their effectiveness depends on the number of exposed systems, Olson says. The Apache Struts vuln has been public for a year. The SonicWall bug only affects unsupported versions; the company advises users running GMS software to ensure they’re upgraded to version 8.2 as GMS version 8.1 went out of support in Feb. 2018.

“For either to be effective, an organization needs to be behind on their versions and updates,” he says.

Olson believes the two new variants of Mirai and Gafgyt come from the same actor but couldn’t speak to why they might have chosen to leverage two botnets instead of one.

“Seeing as the samples originated from IPs that resolved to the same domain at different times, and based on some other OPSEC failures, I’m fairly certain these originate from the same actor/group,” says Olson of their starting point. “I can’t pinpoint any advantage one has over the other to explain the choice of using different base source codes.”

For now, it seems the attackers are testing different vulnerabilities to gauge their efficiency at herding the maximum number of bots, giving them greater power for a DDoS, Olson says. A move to the enterprise would allow the botnets access to greater Internet bandwidth than individual home users and connections, he adds – a sign the bots may be targeting businesses.

Related Content:

• New ‘Fallout’ EK Brings Return of Old Ransomware
• Three Trend Micro Apps Caught Collecting MacOS User Data
• The Equifax Breach One Year Later: 6 Action Items for Security Pros
• Apple (Finally) Removes MacOS App Caught Stealing User Browser Histories

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/mirai-gafgyt-botnets-resurface-with-new-tricks/d/d-id/1332789?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CVE-2018-8440, which was publicly disclosed on Twitter in August, has already been used in a malware campaign.

Microsoft today issued 61 security fixes and two advisories as part of its Patch Tuesday update. Seventeen bugs are considered Critical, 43 are Important, and one is ranked Moderate in severity.

One of the bugs addressed today (CVE-2018-8440) was already under active attack following its Aug. 27 public disclosure via Twitter. The vulnerability, which exists within the Advanced Local Procedure Call (ALPC) function in the Windows Task Manager in Windows 7 to Windows 10, enables attackers to escalate privileges and run code within admin privileges.

Shortly after its disclosure, ESET researchers found the flaw being exploited in a campaign by the PowerPool threat group. Attackers modified the source code, which was posted on Twitter in August along with the zero-day, and launched a targeted campaign to breach and persist on machines in Chile, Germany, India, the Philippines, Poland, Russia, the UK, and the US.

“This bug should be on the top of everyone’s deployment list,” wrote Dustin Childs, a member of Trend Micro’s Zero-Day Initiative, in a blog post on the monthly update.

Also worth noting is Windows remote code execution vulnerability CVE-2018-8475, which could let an attacker execute code by getting a target to view an image. CVE-2018-0965 and CVE-2018-8439 are Windows Hyper-V remote code execution vulnerabilities. With both of these, Childs says, a user on a guest virtual machine could execute code on the underlying hypervisor OS. If he or she has the ability to run programs, an attacker who abuses these could potentially affect other guest operating systems.

The patches and advisories released today covered security issues in Internet Explorer, Azure, Windows, ChakraCore, .NET Framework, SQL Server, and Microsoft Office and Office Services.

Read more details here.

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/microsoft-patches-61-vulns-one-under-active-attack/d/d-id/1332790?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

19% of employees of small and medium-sized businesses (SMBs) share their passwords with coworkers or assistants, according to a recent survey by IT consultancy Switchfast.

Switchfast surveyed about 600 small businesses about how cybersecurity works, or doesn’t work, for them. It spoke to the C-suite level leaders of the business about their own habits, as well as the habits of their employees. Among its findings was the stat about employee email sharing.

One could imagine that in an SMB, this kind of shared password might be used for a crucial central piece of technology, like team remote fileshare or a customer service email account.

And, of course, it’s very convenient to share passwords. But as Mark Stockley wrote in his article 4 password mistakes small companies make and how to avoid them, there are huge downsides:

1. If something bad happens you can’t tell who did it.
2. It makes your more vulnerable to social engineering.
3. It makes changing passwords too painful to bother with.
4. Everyone with a password can cause maximum damage.
5. You don’t know who else has your passwords.

On top of it all, those shared passwords are often weak – easily guessed, brute-forced, and/or possibly already compromised from an older data breach – so no matter what way you slice it, password sharing is risky for these small businesses and their customers.

Even folks at bigger firms make this easy mistake of reusing passwords: In 2016, Facebook’s Mark Zuckerburg had several of his own social media feeds hijacked, as they all used the same extremely guessable password, “dadada,” which was initially leaked via a LinkedIn data breach.

What’s also quite telling in this survey is that many of the C-level leaders reported bad habits at higher rates than their own employees — for example, 76% of the SMB leaders say they haven’t enabled multi-factor authentication, compared to 69% of SMB employees. (Here’s why 2FA is a good idea.)

In this case, people with higher privilege levels and greater access to sensitive information are doing less to secure that information, which is not great news for these businesses or any customer data they’re dealing with.

Another data point: About half of the SMB C-level leaders (51%) are “convinced” their business is not a target for cybercriminals, while only 35% of their employees are. That’s quite a gap. Do the leaders know something their employees don’t or is their picture of their company’s security not in tune with the on-the-ground realities?

All of this paints a picture of a potential double whammy for small businesses – there’s a lot at stake when a business is small, and the business likely has fewer resources than a larger company to deal with the fallout of a security incident.

Follow @mvarmazis
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0AMu5ri6GbA/

Whiplr is an iOS app that describes itself as “Messenger with Kinks.” Understandably, its kinkster users expect a good deal of care when it comes to the privacy of their accounts.

After all, nobody wants their breathy play/bondage/latex photos to be found and attached to their true identities by just anybody, as writes one reviewer on iTunes:

The app itself is wonderful. … I … love having photos I can keep secret until I wish to share them.

Unfortunately for such users, their secret photos – and their identities – were put at risk.

Engadget recently discovered a security failure when a user was asked to submit their password, username and email address in plain-text format to verify their account.

This is the data the app demanded:

Pursuant to our records, we have not identified an account associated with [your email address]. In order to enable us to exercise your request to receive access to your personal data, we kindly request the below information (please respond with the below to this email):

· The email address you registered with on Whiplr;

· Your username on Whiplr;

· Your password on Whiplr.

Asking people to send passwords in email completely bypasses safe password storage, and leaves them lying around in plain text where anyone with access to either the sender’s sent items or recipient’s inbox could find them.

Worse yet, Whiplr confirmed that it had been storing users’ passwords in plain text. Therefore, any hackers who might have breached Whiplr’s database potentially could have discerned users’ real identities, either through Whiplr itself or through social media if users were in the habit of password reuse.

A breach isn’t the only thing to worry about. If passwords are stored in plain text then they’re visible to any rogue employee who has access to the database.

Whiplr describes itself as “the world’s biggest online fetish community.” It’s not for the hearts-and-flowers type; it’s more for those with “very singular” tastes and a commensurate desire to stay anonymous.

Similar to Tinder, it lets users submit a picture of their face (often hidden or obscured, while some profiles don’t have publicly available photos at all), a nickname and a list of extra-curricular interests in order to instantly be pointed to members in the local vicinity, arranged by distance.

With an undetermined number of kinky identities in hand – iTunes doesn’t divulge how many users the app has – extortion would have been a real threat in the case of a breach. Ashley Madison comes to mind: the adultery dating service’s breach lead to multiple such attempts, in addition to resignations, suicides and divorces.

Services like Whiplr have a duty to store their users’ passwords safely, which means using a proper salt-hash-repeat password storage algorithm. Just ask LinkedIn.

Salting and hashing

In 2012, LinkedIn suffered a massive breach, which led to the leak of millions of unsalted SHA-1 password hashes that were subsequently posted online and cracked within hours.

A salt is a random string added to a password before it’s cryptographically hashed.

The salt isn’t a secret, it’s just there to make sure that two people with the same password get different hashes. That stops hackers from using rainbow tables of pre-computed hashes to crack passwords, and from cross-checking hash frequency against password popularity. (In a database of unsalted hashes the hash that occurs most frequently is likely to be the hashed version of the notoriously popular “123456”, for example.)

Salting and hashing a password just once isn’t nearly enough though. To stand up against a password cracking attack a password needs to be salted and hashed over and over again, many thousands of times.

Failing to do so “runs afoul of conventional data protection methods, and poses significant risks to the integrity [of] users’ sensitive data”, as the $5 million class action lawsuit against LinkedIn charges.

Error of judgement

Ido Manor, Whiplr’s data protection officer, told Engadget that the incident was an “error of judgment” in one, specific situation where a user couldn’t be identified via email address. It only happened once, and it’s not going to happen again, he said:

We took steps to make sure this never happens again, just as it has never happened before this incident.

Manor said that Whiplr had previously been able to view unencrypted passwords. But since it was made aware of the error, the app has secured them with “one-way encryption” and is “adding more security measures to protect our users’ data.”

Follow @LisaVaas
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k2cQZpuwhM8/