Friday, October 14, 2016

Ah, my network is fine.

Written 2016-09-xx
Level 1
Dropbox, Part 1
If you were with Dropbox back in 2012, you might recall the global request for everyone to update passwords.  There was quite a bit of speculation at that time as to the reason (there's always a reason), though the prevailing thought was a data breach of some type. The only question was the method of the breach.  This last week, it was confirmed that 68 million accounts were compromised, including all "secure" files and documents.  68,000,000 user name and password pairs went on sale on the Darknet this week. The take-away: don't recycle your passwords.  Using the same password on multiple sites is a significant risk, and Dropbox's breach is the perfect example of why.  Password guidelines: don't use words found in the dictionary, and longer passwords are better. 'newpassword' is very weak.  'nwpssrd.............' is considerably stronger (though too repetitive to be considered strong).
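To make the two guidelines above concrete, here is an added example (mine, not from the post) that scores a password the way the paragraph reasons about it: a naive length-times-alphabet estimate, a penalty for runs of repeated characters, and a lookup against a word list. The word list, the 40/60-bit verdict thresholds, and the 33-character punctuation alphabet are my assumptions, chosen so that 'newpassword' comes out weak, the dotted variant comes out only fair, and a long non-dictionary passphrase comes out strong.

```python
import math
import re

# Constructed stand-in for a dictionary / breached-password list (assumption, not a real list).
COMMON_WORDS = {"password", "newpassword", "welcome", "dropbox", "letmein", "qwerty"}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to search, from the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation and space (assumed alphabet)
    return size


def naive_entropy_bits(pw: str) -> float:
    """log2(charset ** length): an upper bound that credits every character equally."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def repetition_penalty(pw: str) -> int:
    """Count characters that merely repeat the previous one (runs such as '.............')."""
    return sum(len(m.group(0)) - 1 for m in re.finditer(r"(.)\1+", pw))


def is_dictionary_word(pw: str) -> bool:
    """Strip digits/punctuation and lower-case, so 'Password1!' still hits 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower()) in COMMON_WORDS


def assess(pw: str) -> dict:
    """Return the naive and repetition-adjusted bit estimates plus a verdict."""
    n = charset_size(pw)
    naive = naive_entropy_bits(pw)
    # Repeated characters add length but almost no search space, so drop them before scoring.
    effective = (len(pw) - repetition_penalty(pw)) * math.log2(n) if n else 0.0
    dictionary_hit = is_dictionary_word(pw)
    findings = []
    if dictionary_hit:
        findings.append("dictionary word: guessable in a handful of attempts regardless of length")
    if repetition_penalty(pw):
        findings.append("repeated characters add length but little search space")
    # Thresholds are assumptions for illustration, not a published standard.
    if dictionary_hit or effective < 40:
        verdict = "weak"
    elif effective < 60:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"naive_bits": round(naive, 1), "effective_bits": round(effective, 1),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("newpassword", "nwpssrd" + "." * 13, "correct horse battery staple"):
        print(repr(candidate), assess(candidate))
```

The naive estimate alone would rate 'newpassword' at over 50 bits, which is exactly why length-only advice misleads: the dictionary lookup, not the arithmetic, is what exposes it. Conversely the dotted variant keeps its larger alphabet but loses most of its length to the repetition penalty, landing it in the "fair" band the post describes.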


Level 2

Dropbox, Part 2
IIRC, Dropbox uses an algorithm to identify duplicate documents.  If you upload a file that they identify as something they already possess, Dropbox simply places a pointer in 'your' Dropbox to the original file, saving them a fair amount of storage space. With 68 million users, I would imagine that the storage and cost savings are significant. Data de-duplication is a regular practice at data-heavy organizations, and at first blush it's easy to see how the decision was made to leverage this technology: the greater the number of users, the higher the probability that there will be several copies of the same file in storage. Where things begin to make me nervous, and you should be thinking about this too, is that Dropbox is creating a digital signature of every file that you have. From a high level, your data is being examined. Are they looking at your files? No, but they are poking at them. Where does that sit with you?
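The mechanism the paragraph describes, as an added illustration (my code, not Dropbox's, whose actual implementation the post does not detail): a content-addressed store that keeps one blob per distinct content and gives each user a pointer. The SHA-256 fingerprint, the class and method names, and the sample contents are my assumptions. The `holders_of` method is the part worth dwelling on, because it is the capability that makes the author nervous: once every upload is fingerprinted, the provider can answer "who holds this file?" without ever opening anyone's folder.

```python
import hashlib
from collections import defaultdict


class DedupStore:
    """Content-addressed store: each distinct content is kept once; users hold pointers to it."""

    def __init__(self):
        self.blobs = {}                    # fingerprint -> bytes, stored exactly once
        self.pointers = defaultdict(dict)  # user -> {path: fingerprint}

    @staticmethod
    def fingerprint(data: bytes) -> str:
        # The "digital signature" the provider computes over every uploaded file (SHA-256 assumed).
        return hashlib.sha256(data).hexdigest()

    def upload(self, user: str, path: str, data: bytes) -> bool:
        """Store the content, or only a pointer. Returns True when the bytes were already held."""
        digest = self.fingerprint(data)
        already_held = digest in self.blobs
        if not already_held:
            self.blobs[digest] = data
        self.pointers[user][path] = digest
        return already_held

    def physical_bytes(self) -> int:
        """What the provider actually stores."""
        return sum(len(b) for b in self.blobs.values())

    def logical_bytes(self) -> int:
        """What users believe they are storing: the sum over every pointer."""
        return sum(len(self.blobs[d]) for files in self.pointers.values() for d in files.values())

    def holders_of(self, data: bytes) -> set:
        """The privacy angle: given a file (or only its fingerprint), list every user who holds it."""
        digest = self.fingerprint(data)
        return {u for u, files in self.pointers.items() if digest in files.values()}


if __name__ == "__main__":
    store = DedupStore()
    report = b"%PDF-1.4 quarterly numbers " * 100   # constructed sample content
    photo = b"\x89PNG constructed sample"
    store.upload("alice", "/docs/q3.pdf", report)
    store.upload("bob", "/stuff/copy of q3.pdf", report)   # second copy costs no storage
    store.upload("carol", "/pic.png", photo)
    print("physical:", store.physical_bytes(), "logical:", store.logical_bytes())
    print("who holds the report:", sorted(store.holders_of(report)))
```

The same property cuts both ways for the user: if the content is encrypted on the client with a key the provider never sees, identical files no longer produce identical fingerprints, so there is no cross-user de-duplication and no cross-user matching either. That trade between storage savings and the provider's visibility is the decision the paragraph is asking you to think about.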

The PC (or Mac) is locked, so it's safe, right?
Turns out that credentials are easily compromised.  Circulating this week is an account of how, with ~$200 worth of hardware and software, login credentials can be stolen from a locked Windows or Mac machine. Using a Hak5 Turtle or a USB Armory (both running Linux), it's possible to either crack or downgrade the pilfered authentication hashes regardless of the complexity of the plaintext password. Essentially, the Hak5 Turtle or USB Armory is configured to present itself as a DHCP server, making the USB device capable of receiving network traffic; the device can then catch authentication tokens.   It should be noted that it's possible to create a similar setup with a Raspberry Pi Zero, reducing the cost to less than a lunch.
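From the defender's side, the observable in that account is a network adapter that appears on a workstation while nobody is logged in. The following is an added example of the correlation logic (my code, not from the post or from any product): it tracks lock/unlock state per host and flags any interface that is enumerated during a locked session, rating a USB-attached adapter that brings its own DHCP server highest. The event schema (`session_locked`, `interface_added`, the `bus` and `dhcp_server` fields) and the sample events are constructed for the example; real endpoint telemetry would have to be normalised into this shape first.

```python
from typing import Dict, List

# Constructed endpoint events (not a real log format): lock/unlock transitions and
# network-interface enumeration, already normalised to one dict per event.
SAMPLE_EVENTS = [
    {"ts": "2016-10-10T09:00:00", "host": "ws01", "type": "session_locked"},
    {"ts": "2016-10-10T09:04:30", "host": "ws01", "type": "interface_added",
     "iface": "Ethernet 3", "bus": "usb", "dhcp_server": "192.0.2.1"},
    {"ts": "2016-10-10T09:20:00", "host": "ws01", "type": "session_unlocked"},
    {"ts": "2016-10-10T10:00:00", "host": "ws02", "type": "interface_added",
     "iface": "Wi-Fi", "bus": "pci"},
]


def find_interfaces_added_while_locked(events: List[dict]) -> List[dict]:
    """Flag network interfaces that appear on a host while its console session is locked.

    A docked machine legitimately gains adapters while someone is at the keyboard; an
    adapter that shows up during a locked session matches the walk-up USB device described
    in the post. Unknown hosts are treated as unlocked (assumption) to avoid noise.
    """
    locked: Dict[str, bool] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        host = ev["host"]
        if ev["type"] == "session_locked":
            locked[host] = True
        elif ev["type"] == "session_unlocked":
            locked[host] = False
        elif ev["type"] == "interface_added" and locked.get(host, False):
            usb_with_dhcp = ev.get("bus") == "usb" and bool(ev.get("dhcp_server"))
            alerts.append({
                "host": host,
                "ts": ev["ts"],
                "iface": ev["iface"],
                # USB adapter handing out its own lease is the exact pattern in the account above
                "severity": "high" if usb_with_dhcp else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_interfaces_added_while_locked(SAMPLE_EVENTS):
        print(alert)
```

This is a compensating control: it fires after the adapter is already up, so it belongs alongside, not instead of, a policy that stops a freshly attached adapter from being trusted while the session is locked.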

Ransomware - it's our new reality. *sigh*
New - Kaspersky has identified a new version of the RAA ransomware, and the implications are scary.  It arrives by e-mail (like they all seem to), it's written in JScript, and it appears as a password-protected zip.  The file format slips past anti-virus software and looks legitimate to end users.
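The two properties that let that attachment slip through are both visible without opening it: the zip's central directory records that an entry is encrypted, and the entry name still carries its script extension. Below is an added example (my code, not from the post or from Kaspersky) of a mail-gateway style triage that lists the archive and flags encrypted entries, script entries, and double extensions. The extension list beyond `.js`, the finding strings, and the fixture builder are my assumptions; the builder flips the encryption flag bit in a zip written by `zipfile` because the standard library cannot write password-protected archives, which is enough for a listing-only check.

```python
import io
import zipfile

# Windows Script Host / command extensions to flag. The post names JScript (.js); the rest are
# my additions based on what the script host and shell execute (assumption).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat"}


def triage_zip(blob: bytes) -> list:
    """Return human-readable findings for a zip attachment; an empty list means nothing flagged."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    findings = []
    for info in zf.infolist():
        name = info.filename
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if info.flag_bits & 0x01:          # general-purpose flag bit 0: entry is encrypted
            findings.append(f"encrypted entry: {name}")
        if ext in SCRIPT_EXTS:
            findings.append(f"script entry: {name}")
            if lower.count(".") >= 2:      # e.g. invoice.pdf.js, shown as "invoice.pdf" when extensions are hidden
                findings.append(f"double extension: {name}")
    return findings


def build_zip(entries, encrypted: bool = False) -> bytes:
    """Construct a test fixture (constructed data, not a real sample).

    zipfile cannot write encrypted archives, so when `encrypted` is set we flip bit 0 of the
    general-purpose flags in each local header (offset 6) and central-directory header
    (offset 8). The entry data stays unencrypted; the listing-only check above never reads it.
    Assumes the sample payloads do not themselves contain the header signatures.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            idx = raw.find(sig)
            while idx != -1:
                raw[idx + off] |= 0x01
                idx = raw.find(sig, idx + len(sig))
    return bytes(raw)


if __name__ == "__main__":
    print(triage_zip(build_zip([("report.pdf", b"%PDF-1.4 constructed")])))
    print(triage_zip(build_zip([("invoice.pdf.js", b"var x = 1;")], encrypted=True)))
```

Because the entry is encrypted, a scanner that only inspects decompressed content has nothing to inspect; the metadata-level findings here are what a gateway can still act on, for instance by quarantining any password-protected archive whose listing contains a script extension.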

2016-10-14
MDux
