Guest fountainhall, posted May 6, 2011

I have often thought about using one of those password manager sites where I can access all my passwords by clicking on one link. Now - no chance! The latest password/personal details glitch - or even hacking - has hit LastPass, one of these very password storage sites.

LastPass, an online password management provider, is forcing its users to change their master passwords after detecting what it described as a "traffic anomaly" on one of its database servers. In a blog post on Wednesday, LastPass said it first noticed a network traffic irregularity on Tuesday morning when looking at the logs for one of its non-critical systems. It decided to dig deeper into the problem after it was unable to find a root cause for the problem. "After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)," the blog post noted. Because LastPass has been unable to account for this anomaly, it has decided to assume that the database has been compromised. The amount of data that was transferred out of its system is big enough to have contained people's email addresses, their salted password hashes and the server salt, LastPass said . . . LastPass is a service that lets users store their usernames, passwords and form-fill data online. The service then automatically fills in the information when the user visits a site that requires the information . . . Such services are designed to let people create strong and unique passwords for each site they use without having to worry about remembering each one of them. Users tend to use the same passwords for multiple sites because of this worry. With services such as LastPass, users need only remember one master password for logging into the service . . .
The reason that LastPass is requiring everyone to change their master password is because of the potential for the intruders to use brute-force methods to guess at weaker master passwords, the company noted. "Unfortunately, not everyone picks a master password that's immune to brute forcing." According to LastPass, the incident has accelerated its decision to implement stronger authentication measures. The company is also rebuilding the servers that were compromised, and all source code underlying the Web site has been verified against the original repository to ensure no tampering was done.

http://www.computerworld.com/s/article/9216455/LastPass_alerts_users_about_potential_master_password_breach

What I fail to understand is that the company was clearly aware of "brute-forcing", yet it seems to have accepted users with passwords which could be compromised by such actions.
Guest voldemar, posted May 6, 2011

Quoting fountainhall: I have often thought about using one of those password manager sites where I can access all my passwords by clicking on one link. Now - no chance! The latest password/personal details glitch - or even hacking - has hit LastPass, one of these very password storage sites. http://www.computerworld.com/s/article/9216455/LastPass_alerts_users_about_potential_master_password_breach What I fail to understand is that the company was clearly aware of "brute-forcing", yet it seems to have accepted users with passwords which could be compromised by such actions.

At the moment the only reliable way to protect one's privacy is a digital security device. Several years ago hackers compromised the website of one of the Singapore banks. It forced the government to demand that all local banks use a digital security device to protect internet banking for customers. As a result, even CITIBANK Singapore (CITIBANK is notoriously known for the weak protection of its customers) is using it... It looks like it is only a matter of time before hackers figure out how to overcome this protection layer. I noticed that HSBC HK recently introduced a new type of digital security device. Unfortunately, it is much larger in size...
Guest fountainhall, posted May 6, 2011

Quoting voldemar: I noticed that HSBC HK recently introduced a new type of digital security device

For access to HSBC accounts, you need the usual log-in name and password plus a special code number generated by a small device they give you. I have no idea how these code numbers work, but I have two for separate accounts. Even if I press them at exactly the same moment, they come up with different code numbers! HSBC certainly 'feels' more secure than Citibank!
bkkguy, posted May 6, 2011

Quoting voldemar: It looks like it is only a matter of time before hackers figure out how to overcome this protection layer.

The same way they do most other things - hack the systems of the companies that provide the security devices. RSA, which provides SecurID devices to many banks, large businesses and government departments around the world, had its systems compromised in March: Caution urged in wake of RSA security breach

bkkguy
Guest, posted May 6, 2011

I assume you mean card readers. These are a damn nuisance. Anyone going on a long holiday would need to carry the flipping things in order to log in and make banking transactions.
Guest voldemar, posted May 7, 2011

Quoting bkkguy: The same way they do most other things - hack the systems of the companies that provide the security devices. RSA, which provides SecurID devices to many banks, large businesses and government departments around the world, had its systems compromised in March: Caution urged in wake of RSA security breach

Well, it is good to know, but even if they stole the pseudorandom generator, they need to know what kind of "seed" is used in my device and my password and ID. Of course, if they get this information from my bank database, I am in trouble. So far, I have not heard of a single case where accounts using these devices were compromised. By the way, it is perhaps the reason why HSBC started introducing new devices which are based on different technology. The danger, of course, is if they can compromise a computer using standard tools and then guess what the "seed" is by observing several pseudorandom numbers generated by my device when I log in. I hope it is not that easy... Only RSA knows that for sure...