The Indelible Bonobo Experience

Renaissance Monkey: in-depth expertise in Jack-of-all-trading. I mostly comment on news of interest to me and occasionally engage in debates or troll passive-aggressively. Ask or Submit 2 mah authoritah! ;) !

Yahoo has disclosed a breach of its Yahoo Mail database, prompting users to reset passwords late last week. (via Ydr)

  • In a notice posted on the Yahoo website, the search engine giant reported “a coordinated effort” to gain access to its email accounts.
  • "Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise," the company says. "We have no evidence that they were obtained directly from Yahoo’s systems."
  • "Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails."
  • Yahoo said it is resetting passwords on impacted accounts and is using two-factor authentication to allow users to do the reset. Users who were affected will get a prompt to change their passwords, and the company also sent out email and SMS notifications.
  • "Two-factor authentication has again shown to be an effective barrier to account compromise," Cabetas says. "Any users with two-factor authentication in force wouldn’t have been compromised by this attack campaign. Yahoo has offered two-factor authentication since December 2011."
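As an added example (not from the original post or from Yahoo), here is detection logic for the pattern described above: one source replaying a leaked username/password list against many accounts, with two-factor authentication stopping the logins whose password happened to match. The log format, IP addresses, usernames and the result codes (FAIL, PASS, MFA_REQUIRED) are constructed for this example.

```python
from collections import defaultdict

# Constructed sample auth log, "<src_ip> <username> <result>". Assumed codes:
# FAIL = wrong password, PASS = session issued, MFA_REQUIRED = password correct
# but the second factor was not supplied.
SAMPLE_LOG = """\
203.0.113.7 alice FAIL
203.0.113.7 bob FAIL
203.0.113.7 carol PASS
203.0.113.7 dave MFA_REQUIRED
203.0.113.7 erin FAIL
203.0.113.7 frank FAIL
198.51.100.4 alice FAIL
198.51.100.4 alice PASS
"""

def parse(log_text):
    """Yield (src_ip, username, result) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            src, user, result = line.split()
            yield src, user, result

def flag_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Return {src_ip: summary} for sources that look like credential stuffing.

    A legitimate user retries on one or two accounts; a stuffing run touches
    many distinct accounts and fails on most, because third-party passwords
    are stale. The summary lists accounts where the password worked: PASS
    means compromised, MFA_REQUIRED means the second factor stopped the login.
    """
    by_src = defaultdict(list)
    for src, user, result in events:
        by_src[src].append((user, result))
    flagged = {}
    for src, attempts in by_src.items():
        users = {u for u, _ in attempts}
        fails = sum(1 for _, r in attempts if r == "FAIL")
        if len(users) >= min_accounts and fails / len(attempts) >= min_fail_ratio:
            flagged[src] = {
                "distinct_accounts": len(users),
                "compromised": sorted(u for u, r in attempts if r == "PASS"),
                "protected_by_2fa": sorted(u for u, r in attempts if r == "MFA_REQUIRED"),
            }
    return flagged

if __name__ == "__main__":
    for src, summary in flag_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(src, summary)
```

In production the thresholds would be tuned per service, and the same grouping can be keyed on user agent or network prefix rather than a single IP.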

Police need to have a special wiretap warrant to access a suspect’s daily batch of text messages from their wireless provider, the Supreme Court of Canada decided Wednesday, in its latest ruling on privacy protection in the age of cellphones and digital communication. The ruling recognized that text messages are a type of private electronic communication, so police need to meet a higher standard when seeking a judge’s permission to access them than simply asking for a routine search warrant. (via What powers do police have for online surveillance? - Technology & Science - CBC News)
The case worked its way up to Canada’s top court as wireless provider Telus Corp., which opts to keep a database of text messages within its network for 30 days, argued it should not have to hand over clients’ text messaging logs daily when police ask for them using a general search warrant.
Telus based its case on the argument that seizing the messages would be an “interception,” which would require a wiretap warrant.
Wiretap warrants are more difficult for police to obtain than general search warrants because private communications are afforded special privacy provisions in the Criminal Code. The decision affirms that there is no practical difference between texting and a traditional phone conversation, which would also require a wiretap warrant to be intercepted.
Canadian law allows the police to legally intercept Canadians’ private communications without their knowledge or consent only through an intercept authorization warrant, said Abby Deshman, the director of the Canadian Civil Liberties Association public safety program.
Typically, police can apply for three types of warrants: a standard search warrant (which can include searching a computer and printing out data), a production order (which compels someone to hand over information stored in a physical space or on an electronic device) or a general warrant (which can be a little more wide-ranging).
In February, federal Justice Minister Rob Nicholson introduced a new bill, C-55, which would give police the right to intercept private communications without a warrant in emergency situations, like immediate harm to an individual or national security.
Police powers were also expanded last month when the Court of Appeal for Ontario ruled that officers have the right to search a person’s phone — as long as it is not password protected.

But if police want to intercept a private communication they must apply for a wiretap authorization and meet a higher standard, including:

  • having tried other investigative procedures;
  • demonstrating that other investigative procedures have failed or are likely to fail;
  • showing the urgency of the case makes it impractical to use only other investigative procedures.

If granted, interceptions are time-limited, and the person whose communication was intercepted will eventually be notified.

A Romanian computer scientist discovered that the Institute of Electrical and Electronics Engineers (IEEE) was storing its members’ usernames and passwords in plain-text on a publicly accessible file transfer protocol (FTP) server. Radu Drăgușin claims the collection of nearly 100,000 credentials had been accessible on the FTP server for at least one month before his discovery. Among those exposed are employees of Google, Apple, IBM, Oracle, Samsung, NASA and Stanford University, to name a few. In addition to the username-password combinations, discovered last Tuesday, all visitor activity on the site for logged-in members was publicly available as well.

Researcher Finds 100k IEEE.org Passwords Stored in Plain-Text on Public FTP Server | threatpost

  • The IEEE is a professional association “dedicated to advancing technological innovation and excellence for the benefit of humanity.” It is the keeper of the 802.11 wireless networking standard. According to their website, the group boasts 400,000 members from more than 160 countries. Drăgușin reported the flaw to the IEEE and they fixed the problem.
  • Drăgușin writes that the noticeable failure in this incident belongs to the IEEE’s Web administrators who did not restrict access to the webserver logs on both ieee.org and spectrum.ieee.org. The FTP directory in question contained 100GB worth of logs. Until Monday when the issue was resolved, anyone who happened upon ftp://ftp.ieee.org/uploads/akamai/ could view these webserver logs, which documented more than 376 million HTTP requests.
  • This is a serious gaffe for a professional association of scientists and engineers, whose membership includes a fairly large number of computer science professionals. As serious as the gaffe is, it resulted from an honest albeit careless mistake made by whoever established the access permission settings. The real problem here, and the reason Drăgușin says the problem is only partially solved, is the fact that the IEEE was storing usernames and passwords in plain-text. It almost goes without saying at this point that best practices call for the storage of salted, cryptographic hashes of passwords. Drăgușin goes on to criticize the IEEE for keeping passwords with the logs at all, because it makes them available to any employee with access to the logs.
  • You can find Drăgușin’s complete analysis here, but the top five most popular passwords were: “123456,” “ieee2012,” “12345678,” “123456789,” and, yep, you guessed it, “password.”
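As an added example (not IEEE's code or Drăgușin's analysis), here is the "salted, cryptographic hash" storage the article calls for, using only the Python standard library (hashlib.pbkdf2_hmac), with a deny list built from the five most popular passwords quoted above. The record format and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

# The top five passwords found in the exposed IEEE data, as quoted above.
COMMON_PASSWORDS = {"123456", "ieee2012", "12345678", "123456789", "password"}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per hardware)

def password_is_acceptable(password):
    """Reject the most common leaked passwords and anything under 12 characters."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>' for storage.

    A fresh 16-byte random salt per user means two users with the same
    password get different records, and a leaked record cannot be matched
    against a precomputed table. The plain-text password is never stored.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

if __name__ == "__main__":
    for candidate in ("ieee2012", "correct horse battery staple"):
        print(candidate, "acceptable:", password_is_acceptable(candidate))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("password", record))  # False
```

Even with hashed storage, credentials still must be kept out of web server logs; a login form that never places the password in a URL, and log retention restricted to the people who need it, address the second half of Drăgușin's criticism.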