68 Million Exposed in Old Dropbox Hack
By Ionut Arghire on August 31, 2016

In an email response to a SecurityWeek inquiry, IT security expert Sorin Mustaca said that the surprising fact is that the 2012 hack of Dropbox didn’t emerge earlier, along with the other mega-breaches. He also notes that the use of the SHA1 hashing algorithm with salting improves the security of these passwords.

“Fortunately, Dropbox was using the SHA 1 hashing algorithm (today this is not considered “strong” anymore) and it was using salting even in 2012 – an operation that many other services don’t do even today. Many are using legacy systems which make use of MD5 without hashing – I guess that the ‘never change a running system’ is still applied literally in many websites,” Mustaca said.

To stay protected, he says, users should create unique passwords for each of the services they use, never reuse passwords, and enable two-factor authentication wherever it is available. Service providers should never store passwords in plain text or encrypted, but should use a strong hashing function with a solid salt.

For consumers:
– Create a unique password for each service you use.

Read my free eBook in…
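To make the salting point above concrete, here is an added example (not code from the original post or from Dropbox) contrasting the three storage schemes the text mentions: unsalted MD5, per-user salted SHA-1, and a modern salted, iterated hash. The user names and passwords are constructed sample data; two users deliberately share the same password.

```python
import hashlib
import hmac
import os

# Constructed sample credential store; two users chose the same password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse"}


def md5_unsalted(password: str, salt: bytes = b"") -> str:
    """Legacy scheme criticised in the quote: bare MD5, salt ignored."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """The 2012-era scheme: a per-user random salt mixed into SHA-1."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes) -> str:
    """'A strong hashing function with a solid salt' today: PBKDF2-HMAC-SHA256,
    16-byte random salt, deliberately slow iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000).hex()


def store_records(users: dict, scheme) -> dict:
    """Hash each password with a fresh per-user salt; store (salt, hash)."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, scheme(pw, salt))
    return records


def distinct_hashes(records: dict) -> int:
    """Unsalted: equal passwords collapse to equal hashes, so one known hash
    reveals every user with that password. Salted: every hash is distinct."""
    return len({h for _, h in records.values()})


def verify(records: dict, name: str, password: str, scheme) -> bool:
    """Recompute with the stored salt; constant-time compare against the hash."""
    salt, stored = records[name]
    return hmac.compare_digest(stored, scheme(password, salt))


if __name__ == "__main__":
    for scheme in (md5_unsalted, sha1_salted, pbkdf2_salted):
        recs = store_records(USERS, scheme)
        print(f"{scheme.__name__:14s} distinct hashes for 3 users: {distinct_hashes(recs)}")
```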
You probably have read on news portals that Dropbox was hacked and that some user accounts were compromised. Here is the alleged list of leaked user information. Dropbox is saying that the data is not valid. Apparently, Dropbox was not hacked. The company is clearly stating this on their blog:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens. Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

I can only confirm and support this suggestion. The “Improve your security” free eBook explains how to enable two-factor authentication for several services, including Dropbox and Google Mail.
The Heartbleed problem is long fixed, at least on the major websites around the world. But the effects of this problem are by far not gone. I received at least 10 emails in the past week asking me nicely to change my password:

Last week, a major vulnerability called “Heartbleed” surfaced for the OpenSSL encryption used on many websites. This vulnerability affected many websites that we use every day, including Google, Yahoo and Amazon. This also included Leanpub. When we learned of this last week, we took immediate action to address the issue. We have no evidence of any Leanpub customer data being accessed, and we do not store your credit card information on our servers. However, due to the nature of this specific vulnerability, it would be extremely hard to prove that no unauthorized access had occurred. So, you should change your password on Leanpub, as well as on many websites you visit.

So, the big question is: should we change all our passwords? Yes, we should do that! But for reasons which have nothing to do with Heartbleed. It is important to change your password regularly, once every couple of months. The more important…
I have published the first article in this series in the Avira Techblog here: http://techblog.avira.com/2011/01/31/improve-your-security-1-complex-passwords-arent-always-better

And, as a confirmation of what I wrote, I found this article on CIO Magazine: Apple and Google will kill password

If I could only offer them a hand 🙂 Actually, I could do something in this direction by creating a tool inside Avira Premium Security Suite which manages all passwords for a user in a safe manner.
Recently I took the exam for the CompTIA Security+ Certification. While practicing for the exam, I came across the following question.

Q: When setting password rules, which of the following will lower the level of security of a network?
A: Complex passwords that users cannot remotely change are randomly generated by the administrator and given to users.

Why? Very simple, actually 🙂 Because the users will write these passwords on stickers and hang them on their monitors 🙂

So, IT guys, please make your life simpler and let the users change their passwords. There you must definitely enforce some policies!
Together with Dirk Knopp I published an update to the “Opera Unite – Everybody is becoming a Web server” article, which is called: Potential Threat through Opera Unite, Part II. I have written some details about P2P networks and about how Opera is using the concept. I am now thinking of building a honeypot running Windows and Opera Unite without any passwords.