Topic: After PSN. Who's next?  (Read 18599 times)

phitsc


zridling

Re: After PSN. Who's next?
« Reply #1 on: May 05, 2011, 05:25 AM »
I don't get it. What am I reading here, could you clarify?

ewemoa

« Reply #2 on: May 05, 2011, 05:29 AM »
It sounds like LastPass is saying they may have had a breach -- PSN is a reference to the recent SONY incident, perhaps?

Renegade

« Reply #3 on: May 05, 2011, 05:30 AM »
Ouch.

When I worked at ESTsoft, they got around that problem entirely in ALPass Online.

Instead of storing salt and the like, the database had strong encryption and was only ever decrypted on the client. (IIRC) If you ever forgot your password, you were screwed though because YOU were the only one that ever had access to it. As such, warnings were BIG and LOUD. :)
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

phitsc

« Reply #4 on: May 05, 2011, 05:50 AM »
I don't get it. What am I reading here, could you clarify?

Yeah, sorry about being a bit woolly here. Like ewemoa said: PSN is Sony's Playstation Network which was hacked a week or two ago. Basically, 77 million users' private data including password and possibly credit card information was stolen.

The message about LastPass just reminded me that, assuming Sony's IT guys are not complete idiots, what could happen to them could happen to others as well.

TheQwerty

« Reply #5 on: May 05, 2011, 08:17 AM »
Briefer version of the LastPass post: They saw an increase in activity on their server network and from one of their databases, but have been unable to identify the cause and are thus treating it as an intrusion.

It's possible that an intruder got the server's salt, users' e-mail addresses and their salted master-password hashes.  This means they could attempt to brute-force the hashes in the hopes of uncovering some passwords, use these to log in, and then would have access to the user's stored passwords.

To prevent this LastPass are forcing all users to reset their master-passwords, while they rebuild/verify the affected machines, and explore the anomaly.


It's nice to see LastPass taking the correct actions as Sony stumbles around for another month.
« Last Edit: May 05, 2011, 08:19 AM by TheQwerty »
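Renegade's description of ALPass Online (decrypt only on the client) and TheQwerty's summary of what an intruder might obtain (server salt, e-mail, salted master-password hash) are two sides of one design. The Python below is an added example, not LastPass's or ESTsoft's code: it assumes constructed PBKDF2 iteration counts and uses an HMAC-SHA256 counter-mode cipher as a standard-library stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Iteration counts are constructed for this example; a real service tunes them.
CLIENT_ITERATIONS = 100_000   # stretching done on the client, per login
SERVER_ITERATIONS = 100_000   # extra stretching the server applies before storing

def client_derive(email, master_password):
    """Runs only on the client. The lower-cased e-mail is the per-user salt,
    so two users with the same master password get unrelated keys.
    Returns (vault_key, auth_key); only auth_key is ever sent to the server."""
    base = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), CLIENT_ITERATIONS)
    # Domain separation: learning auth_key reveals nothing about vault_key.
    vault_key = hmac.new(base, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(base, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key

def server_enroll(auth_key):
    """Server stores only a random per-user salt and a stretched hash of auth_key.
    This pair is what an intruder holding the user database would obtain."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ITERATIONS)}

def server_verify(record, auth_key):
    candidate = hashlib.pbkdf2_hmac("sha256", auth_key, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_vault(vault_key, plaintext):
    """Encrypt-then-MAC with sub-keys split from vault_key. Output: nonce || ct || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_vault(vault_key, blob):
    """A wrong master password or a tampered blob fails the tag check: only the
    holder of the master password can open the vault, which is the trade-off
    Renegade describes (no recovery if it is forgotten)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong vault key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

Cracking the stored hash still recovers the master password, and with it the vault key, so the stretching and a strong master password remain the defence; the key split only keeps the server (and anyone reading its database) from ever holding the vault key directly.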

tomos

« Reply #6 on: May 05, 2011, 08:33 AM »
Re LastPass:

I was not forced to change my master password, but I did. It proceeded to re-encrypt everything.
Now, though, when I log in, I'm getting this message:
-------------------------------------
An error has been encountered while loading your site
Please relogin
------------------------------------
It is recognising the new password - it actually briefly showed my page on one attempt, but with most text not showing & with some weird Unicode characters. I don't even know if I have a backup of this stuff :-\ (but I did just recently import most of it from Roboform).
So I suspect a problem with their re-encryption...
Tom

40hz

« Reply #7 on: May 05, 2011, 08:46 AM »
Happened to Ashampoo in April, although they took pains to let us know customer credit card information was supposedly not part of what got compromised.

Which data were stolen?

The stolen pieces of information are data of addresses such as name and e-mail address. Billing information (e.g. credit card information or banking information) is definitely not affected, because our shop service contractors are concerned with this data and it is not stored on our system.

This is the letter they sent out to their customers.

OK...who's next?  :-\


superboyac

« Reply #8 on: May 05, 2011, 08:57 AM »
This is exactly why I go out of my way to avoid cloud services.  Especially passwords...I don't see how people are comfortable storing ALL of their passwords in the cloud with another company.  I don't care what they say about encryption and security...it just doesn't seem wise to me.

phitsc

« Reply #9 on: May 05, 2011, 09:06 AM »
This is exactly why I go out of my way to avoid cloud services.  Especially passwords...I don't see how people are comfortable storing ALL of their passwords in the cloud with another company.  I don't care what they say about encryption and security...it just doesn't seem wise to me.

The cloud is just so damn comfortable for certain things, especially for us geeks who are using multiple devices and computers.

But I agree with your concerns. Even if cloud service companies try to do everything to keep our stuff safe, there are still people operating these companies, and people just make mistakes. Also, while one can prove mathematically that encryption is safe, there is still all this technology around it that is not free of bugs.

superboyac

« Reply #10 on: May 05, 2011, 09:12 AM »
This is exactly why I go out of my way to avoid cloud services.  Especially passwords...I don't see how people are comfortable storing ALL of their passwords in the cloud with another company.  I don't care what they say about encryption and security...it just doesn't seem wise to me.

The cloud is just so damn comfortable for certain things, especially for us geeks who are using multiple devices and computers.

But I agree with your concerns. Even if cloud service companies try to do everything to keep our stuff safe, there are still people operating these companies, and people just make mistakes. Also, while one can prove mathematically that encryption is safe, there is still all this technology around it that is not free of bugs.
That's why in the previous months I was asking so many questions about how to seamlessly connect to my own server using mapped drive letters.  I was trying to set up my own private cloud.  But it's so freaking complicated and seemingly impossible without enterprise equipment or software.  If I could set up a home server, and I can map folders/drives to other computers with a reliable connection, I don't need cloud services.

Lashiec

« Reply #11 on: May 05, 2011, 09:20 AM »
I guess they should change their motto, huh?

"LastPass. The TWO last passwords you'll ever need" :D

Security breach or not, the PSN and SOE fiascos should be the wake-up call for many companies to thoroughly review their security infrastructure, especially after the several high-profile incidents that occurred during the past months. So props to LastPass for acting when someone cries wolf.

40hz

« Reply #12 on: May 05, 2011, 09:55 AM »
I guess they should change their motto, huh?

"LastPass. The TWO last passwords you'll ever need" :D


As they will whoever finally succeeds in hacking LastPass. ;D

Sad truth is, something like LastPass is such a visible and high value target for a team of criminal hackers that it's only a matter of time and resources.

Even encryption is becoming less and less effective as advances in hardware and clustering technologies are bringing capabilities that were once the domain of multi-million dollar supercomputers down to the desktop level. Most cryptography will eventually go the way of the dodo bird.

Nobody can even dismiss "brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory. One decent computer plus some free software (easily found and downloaded from the web) can get you past 99% of the passwords most people come up with. Even the so-called "strong" passwords. 10 or more characters? Piece of cake! Mix of uppercase, lowercase, numbers and symbols? No problem - got it covered! No "dictionary" words? Don't make us laugh...

Dangerous world out there. Watch where you put your keys. :huh:

---

P.S. I had a client's employee lock him out of a set of company spreadsheets after the employee was informed he might get laid off. Must have thought doing that would get him some job security rather than realizing it's a felony in many places. This employee used a complex 16-character highly randomized password to lock those files.

It took an i3 laptop and some open source freeware less than ten minutes to crack it.

Hayduke Lives!  :Thmbsup:
« Last Edit: May 05, 2011, 10:12 AM by 40hz »

tomos

« Reply #13 on: May 05, 2011, 09:59 AM »
I was not forced to change my master password, but I did. It proceeded to re-encrypt everything.
Now, though, when I log in, I'm getting this message:
-------------------------------------
An error has been encountered while loading your site
Please relogin
------------------------------------
It is recognising the new password - it actually briefly showed my page on one attempt, but with most text not showing & with some weird Unicode characters. I don't even know if I have a backup of this stuff :-\ (but I did just recently import most of it from Roboform).
So I suspect a problem with their re-encryption...

^ this is sorted now -
NOTE: they no longer store your password, which I guess is safer - but I dont know if it now works as renegade describes:

Instead of storing salt and the like, the database had strong encryption and was only ever decrypted on the client. (IIRC) If you ever forgot your password, you were screwed though because YOU were the only one that ever had access to it. As such, warnings were BIG and LOUD. :)
Tom

phitsc

« Reply #14 on: May 05, 2011, 10:12 AM »
Nobody dismisses "brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory.

Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

40hz

« Reply #15 on: May 05, 2011, 10:35 AM »
Nobody dismisses "brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory.

Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

Very cool article!

Interesting read, although some of it seems a bit optimistic, and doesn't quite match what I've seen in the field when it comes to cracking even supposedly random passwords. I'm also guessing the guy who recovered the passwords for my client used something a tad more sophisticated than a simple brute force crack tool when he did.

The security company I'm most familiar with has a 3-man team that can crack or penetrate almost anything they go up against in less than 24 hours. Admittedly, all three have hairy-scary 'spook' and 'black op' backgrounds. But this is exactly the type of team that would be sent to hit something like LastPass. These guys are white hats. But I'm sure there is comparable 'black hat' talent out there looking for work.

Definitely need to learn much more about this topic than I currently do. :)
« Last Edit: May 05, 2011, 10:38 AM by 40hz »

Stoic Joker

« Reply #16 on: May 05, 2011, 11:41 AM »
Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

Very cool indeed, thanks for sharing.

To-Do List:
 Add line "this is fun" to all hacking dictionary files.



nudone

« Reply #17 on: May 05, 2011, 11:48 AM »
Hmm, I'm now beginning to wonder if any password stored service is safe. This story is going to become increasingly common I suspect. Not good.

Stoic Joker

« Reply #18 on: May 05, 2011, 11:58 AM »
Hmm, I'm now beginning to wonder if any password stored service is safe. This story is going to become increasingly common I suspect. Not good.

My guess would be no ... Unless you're using a copy of f0dder's fskrit from an online file storage.

zridling

« Reply #19 on: May 05, 2011, 03:07 PM »
PSN is Sony's Playstation Network which was hacked a week or two ago. Basically, 77 million users' private data including password and possibly credit card information was stolen.

Thanks for the follow up. Been following that story, and just as Amazon lost data last month, cloud security is hit or miss. Good thing I don't play online games.

Renegade

« Reply #20 on: May 05, 2011, 03:46 PM »
Nobody dismisses "brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory.

Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

Good article. I was glad to see that they addressed the pass-phrase technique, especially as they showed just how good it is. I've heard people poo-poo on it as being useless.

Shades

« Reply #21 on: May 05, 2011, 05:27 PM »
The article is enlightening. Still, I cannot help but think that people start to use common terms or something that is closely related to them...making the attack that much easier than the suggested years it takes to crack it.

Seriously limiting the amount of logins per time interval and "penalty boxes" are key to the suggestions made in the article. But those are also good to implement in current applied protection schemes.
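The two controls Shades names, a cap on login attempts per time interval and a "penalty box", as an added Python example (not LastPass's code or the linked article's). The policy numbers are constructed, and the clock is injectable so the behaviour can be exercised without sleeping.

```python
import time
from collections import deque

class LoginThrottle:
    """Per-account rate limit with an escalating penalty box.

    Policy (constructed for this example):
      * at most `max_failures` failed logins inside a sliding `window` (seconds);
      * exceeding it boxes the account for `base_penalty` seconds, doubling on
        every further strike up to `max_penalty`;
      * a successful login clears the strike history.
    """

    def __init__(self, max_failures=5, window=300.0, base_penalty=60.0,
                 max_penalty=3600.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.base_penalty = base_penalty
        self.max_penalty = max_penalty
        self.clock = clock
        self._failures = {}     # account -> deque of failure timestamps
        self._boxed_until = {}  # account -> (release time, strikes so far)

    def _recent_failures(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def check(self, account):
        """Return (allowed, seconds_remaining). Call this before touching the
        password hash; when not allowed, refuse without verifying anything."""
        now = self.clock()
        release, _ = self._boxed_until.get(account, (0.0, 0))
        if now < release:
            return False, release - now
        return True, 0.0

    def record(self, account, success):
        """Record an attempt's outcome. Returns True if the account was just boxed."""
        now = self.clock()
        if success:
            self._failures.pop(account, None)
            self._boxed_until.pop(account, None)
            return False
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) < self.max_failures:
            return False
        _, strikes = self._boxed_until.get(account, (0.0, 0))
        penalty = min(self.base_penalty * (2 ** strikes), self.max_penalty)
        self._boxed_until[account] = (now + penalty, strikes + 1)
        q.clear()  # the box itself is the response; start a fresh window after it
        return True
```

This only slows online guessing against the login endpoint; it does nothing against the offline cracking of a stolen hash database that TheQwerty describes, where key stretching and password strength are the only brakes.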

Deozaan

« Reply #22 on: May 05, 2011, 10:02 PM »
assuming Sony's IT guys are not complete idiots

That's quite an assumption to make. Consider the following evidence:

In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

Also, I don't know exactly how it works, but the way the PS3 was finally hacked was the master key could be figured out because Sony used a static/constant number in the encryption scheme where there should have been a completely random number.
« Last Edit: May 05, 2011, 11:16 PM by Deozaan »

phitsc

« Reply #23 on: May 06, 2011, 01:45 AM »
assuming Sony's IT guys are not complete idiots

That's quite an assumption to make. Consider the following evidence:

In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

Also, I don't know exactly how it works, but the way the PS3 was finally hacked was the master key could be figured out because Sony used a static/constant number in the encryption scheme where there should have been a completely random number.

I think that would be really embarrassing for them. Nevertheless, I'm tempted to assume that if they don't take the security of their main online system more seriously, others don't do so either.

cthorpe

« Reply #24 on: May 06, 2011, 10:41 AM »
Don't know how I feel about this one.  I do think they are taking the right steps, and they even admitted that they are taking the paranoid course of action.  Then again, it's not like they notified their users, as I only found out about this from reading this thread.

I started using LastPass when Roboform reneged on their lifetime update policy.

I tried KeePass, but it kept autofilling the wrong fields in Firefox.

More than once, I accidentally changed my wifi wpa keys because of it, and websites were constantly giving me errors after I filled in forms.

So now I am with LastPass.  My LastPass key is 32 pseudorandom characters that include uppercase, lowercase, numbers, and symbols.  I have my LastPass key stored in a KeePass database that is protected with an 18 character key that I generated using the first letters of a specific sentence on a specific DVD that was sitting on my desk with uppercase and lowercase letters as indicated in the sentence and random punctuation thrown in.

I am pretty sure my LastPass is pretty well out of reach of brute force cracking at this time.