A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password.
But there was one important question I left unanswered and that was how people choose their passwords. We now know that structurally, passwords almost always adhere to what we would consider “bad practices” but how are these passwords derived in the first place? What’s the personal significance which causes someone to choose a particular password?
What do you think of when you see this little guy on a webpage:
You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit.
The problem is that it doesn’t mean anything of the kind. In fact it has absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleading.
Excellent post, read more at troyhunt.com
What’s JailbreakMe? It’s an easy way to jailbreak an Apple iOS device using a PDF-related vulnerability.
It’s done with a “drive-by” style exploit.
All somebody needs to jailbreak their (newer) iPad/iPhone/iPod is to visit jailbreakme.com and to touch the free/install button. The German Federal Office for Information Security has issued a warning about this. They’re concerned about the potential for targeted malicious attacks using trojanized versions of the JailbreakMe exploit.
Election fraud and accusations of rigged voting might be as old as US election systems themselves, but some may wonder, if a hacker can gain access to the election voting system, how secure are elections anyway?
The AntiSec movement is definitely rolling along, but Anonymous is pointing to a recent hack that could raise some serious questions over the integrity of voting in Florida. It seems that a hacker who uses Twitter obtained parts of the Florida voting database, which have subsequently been posted to Paste2. It appears that the hacker in question wanted to show that voting fraud can easily happen today and dumped parts of the Florida database to prove it.
The NHS has signed a deal with Zscaler – a cloud-based security and bandwidth management company.
A document seen by IT Pro detailed a Zscaler webinar stating the NHS was a customer, even though no formal announcement has been made.
Zscaler’s product offering sends all customer traffic through the cloud, analyses it and then allows organisations to add policies on both security and bandwidth management.
No further details on the contract have been officially released.
Its key protection areas include email, web security and data loss prevention. The last area will be important for the NHS, which has seen data leave its premises and go missing numerous times.