news4geeks.net
4 Mar 2013

Evernote hit in hacking attack, users must reset their passwords

Posted by vica

Evernote, which makes business and consumer productivity software for things like taking notes and doing research, is forcing all of its 50 million users to change their passwords after detecting a hacker intrusion on its system.

The attacker gained access to Evernote accounts' usernames, email addresses and passwords. Although passwords are encrypted, the company "in an abundance of caution" is implementing a password reset, the company said in a blog post on Saturday.

There is no evidence that the malicious hackers accessed user content nor that they got a hold of customers' payment information, according to the company.

9 Aug 2012

Apple, Amazon, close password door after horse bolts

Posted by vica

Apple and Amazon have, in the wake of the grievous p0wnage inflicted on WiReD writer Mat Honan, changed their security procedures and no longer allow password changes to be made over the phone.

Much is being made of how sloppy it was for both companies to allow this to happen.

I can say this with confidence because in 2001, when I worked as a consultant, I was asked into a meeting at which a very large Australian financial institution sought advice on a problem.

The problem was that famous people had been ringing its call centres and telling sob stories about how they'd lost their passwords. The famous people pleaded that, as extremely busy and important individuals, they simply couldn't remember the details of every bank account they had opened.

22 Feb 2012

Wi-Fi Passpoint standard could end hotspot sign-on hassles

Posted by vica

The Wi-Fi Alliance will launch a program to simplify the use of Wi-Fi hotspots in July, making it easier for both users and mobile operators to get off strained cellular networks.

Users of smartphones, tablets, cameras and other Wi-Fi-equipped devices will be able to get onto hotspots without entering usernames or passwords, the group said in a white paper released on Tuesday. The paper outlined the program, called Wi-Fi Certified Passpoint, and said the first phase of certification tests will begin in July. A second phase beginning next year will add more features.

20 Jan 2012

Should couples share passwords?

Posted by vica

Just how much do you trust your spouse or partner? Enough to share passwords? For some, passwords are the final frontier of privacy not only in financial matters, but in social media and email correspondence. But for others, there are no secrets when you're in a relationship — even risking the potential payback should a break-up sever the happy union.

The New York Times tells us about an "intimate custom" writer Matt Richtel says is happening between teens in love: "sharing their passwords to email, Facebook and other accounts." The desire to be one even extends, the article claims, to couples creating identical passwords and letting each other read private emails and texts.

16 Jan 2012

Non-U.S. customers kept in dark as Zappos cleans up after data breach

Posted by vica

Online shoe and apparel shop Zappos.com is advising over 24 million customers to change their passwords following a data breach, but its website is currently inaccessible to people outside the U.S.

Zappos employees received an email from CEO Tony Hsieh on Sunday, alerting them about a security breach that involved the online shop's customer database.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," Hsieh said in the email.

Even though he assured everyone that no credit card details had been compromised, Hsieh revealed that the attacker had accessed customer records including names; email, billing and shipping addresses; phone numbers, and the last four digits of their credit card numbers.

The hacker also gained access to password hashes for the accounts registered on the website, prompting the company to reset everyone's access codes. Zappos is currently in the process of emailing its 24 million customers in order to notify them about the security breach and advise them to change their passwords.

22 Nov 2011

The 25 worst passwords of 2011

Posted by vica

"Letmein ... iloveyou, master, superman, dragon; trustno1." And with that you have just read not the opening lines to a bad novel, but six words and phrases that are among the "25 worst passwords of 2011."

The list was compiled by SplashData, which makes various apps, including computer and mobile programs to help keep passwords secure. But with passwords like these below, fuggedaboutit. Here's their list of the worst for the year:

30 Aug 2011

Morto A worm success a sign of bad password policy

Posted by vica

The Morto A worm is having continued success despite its reliance on a list of lame passwords to take over victim machines.

In order for the worm to be effective, the administrative password for a machine under attack has to be one of 37 of the worst passwords ever (see below) that it carries in a weak brute-force library.

Yet the worm, which takes over control of remote computers by guessing the password for Microsoft Remote Desktop, continues to spread, according to security watchdogs.

19 Jul 2011

Mozilla outs un-Google site sign-in prototype

Posted by vica

Mozilla has proposed a new method for signing into websites that avoids both site-specific passwords and existing cross-site sign-in services from corporate behemoths such as Google and Facebook.

Known as BrowserID, Mozilla's prototype is built atop a new "Verified Email Protocol", which uses public-key cryptography to prove that a particular user owns a particular email address. In essence, BrowserID lets you log into a website simply by clicking on a button and choosing an email address you wish to sign in with. Behind the scenes, the website, your browser, and a separate verification service use crypto keys to verify your identity.

30 May 2011

Mobile phones are great for phishers, researchers find

Posted by vica

Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.

Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim's user name and password on websites such as Facebook or Twitter.

Their research underscores a thorny issue that promises to demand more attention as users increasingly reach to their mobile phones when they want to go online.