Password leaks, con’t.: don’t forget Last.fm and eHarmony

This is getting ridiculous, but to help boost awareness….

Lifehacker is reporting that eHarmony and Last.fm have also had password leakage recently.  If you use those services, it’s a good idea to be proactive and reset your password.  The Lifehacker article also recommends a password management tool called LastPass and some other solutions.  If you’re not using them, they might be worth a look.

Several million LinkedIn passwords leaked

There have certainly been worse data leak stories, but  Aaron Souppouris at The Verge is reporting that a user in a Russian forum claims to be in possession of details for roughly 6.5 million LinkedIn accounts, including passwords, that were intercepted.  As proof of their claim, the hashed passwords were published online.  LinkedIn is investigating, and reports are trickling in that lend veracity to the statement.

The good news is that the passwords were hashed with SHA-1, but you should still be concerned.  If you have a strong password (it’s not “Linkedin”, is it?), the hash should buy you enough time to change your password, just in case.

The polarization of opinions on Flame

The Flame malware attacks continue to generate some interesting reactions on the web.  One the one hand, they seem to be all over the place, and, yet, I am having a hard time disagreeing with most of them.  Probably a good sign that we still may not know enough, or what we know hasn’t been analyzed enough to gain much consensus.  Or simply the fact that, as they say in management, the 10,000 foot view can be very different than the view when you’re on the ground.

In Parmy Olson’s Disruptors blog for Forbes.com, talks about 3 takeaways about Flame; one of them being that what is happening now between governments will likely be an indicator of what corporate espionage will look like soon (if not already), and another being that some adversaries of nations will be forced to go low tech (a la bin Laden, a tactic we have seen repeatedly already in cases of terrorism and asymmetric warfare).

Meanwhile, Johannes Ullrich posted a diary entry at the ISC (Internet Storm Center) on Flame is almost derisive toward Flame and the attention it is receiving.  His analysis of the toolset is that it is fairly clumsy compared to some malware tools available.  It seems a lot of network administrators are asking how to detect whether they have Flame infections, and perhaps this is what sparks the author’s rant.  He has a good point we should all keep in mind: focusing on a single, obscure threat is no way to design a network defense strategy.  Granted, I can understand that these admins are probably going to be asked by an executive about Flame, because it is receiving enough media attention to cross into general awareness.

Last, but certainly not least, there is a longer article on Wired by Mikko Hypponen, the Chief Research Officer at information security company F-Secure, titled “Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet“.

I’m still mulling all this over, but I’m planning to come up with an opinion piece down the line.

NY Times: Stuxnet confirmed as joint US/Israeli project

Just when I thought FLAME would push Stuxnet out of the spotlight, the New York Times is reporting that the Stuxnet was a joint venture between the US and Israel to attack the Iranian nuclear program.  I’m not surprised about the parties involved, it was speculated that this was the case from early on; but I am surprised that they were able to get anything official on it.  This information is apparently being adapted from a book by David E. Sanger, called Confront and Conceal being published next week.  It will be interesting to see if the revelation withstands scrutiny, or whether this is a marketing ploy to bump book sales.

Late to the game, but… Flame? Whoa.

I’ve been occupied elsewhere, so I’m just coming up to speed on the latest computer malware (should we be considering these things to be super malware? ), Flame.  Wired’s Threat Level has a great article on it, written by Kim Zetter, for catching up on it.  Dark Reading has some additional perspective on how this malware has existed undetected for possibly several years in an article by Kelly Jackson Higgins.

Flame seems to be a very robust piece of software that uses a broad set of tools to conduct its mischief and mayhem; its distribution seems to be very targeted, and there are indications that it may be another piece of “state sponsored” code.  I keep wondering if you really need a state to sponsor such projects, or if any sufficiently organized and motivated group with the right talent and resources could do something similar?  Is it really more a difference of approach?  Consider the difference between phishing and spear phishing.

All that is scary enough, but the one quote that sends shivers down my spine is this one from Zetter’s article:

The researchers say they don’t know yet how an initial infection of Flame occurs on a machine before it starts spreading. The malware has the ability to infect a fully patched Windows 7 computer, which suggests that there may be a zero-day exploit in the code that the researchers have not yet found.