December 16, 2010

Allegations suggest OpenBSD has US crypto backdoor

Filed under: security — george @ 10:33 am

Sophos blogger Chester Wisniewski writes about allegations that the FBI planted backdoors in OpenBSD's cryptographic code (its IPsec stack) as far back as 2000. Quoting:

OpenBSD is the poster boy of secure operating systems, which is why it was an enormous surprise when allegations were leveled yesterday that the FBI had planted backdoors in the source code for OpenBSD as far back as 2000.

It makes you wonder where else the US and other governments have planted such backdoors using their “secret agent” developers (it sounds funny, but back to the point). Many open source projects depend on community contributions, and nobody runs background checks on the contributors; reputation is the main control. Many of these projects are used by industry and government bodies worldwide.

This does not let companies as big as Microsoft off the hook either: there the source code is not even available, we trust them blindly, and if the US government had asked them to plant such backdoors they would not even be allowed to admit it.

Some food for thought.

Read more here:
http://nakedsecurity.sophos.com/2010/12/16/allegations-suggest-openbsd-has-us-crypto-backdoor/

December 14, 2010

Security Best Practices from websites – LinkedIn.com

Filed under: security — george @ 12:27 pm

LinkedIn.com was doing what I was about to blog about! Amazing. I was about to comment on how easy it is to completely unregister from a site, and whether sites actually do unregister you. I was also going to suggest that sites enforce a monthly or bi-monthly mandatory password reset. Given the Gawker events of the last 2-3 days (if not longer), people like me who had forgotten they had even registered on the site would have been spared having to remember their password there by a few simple steps:

  1. Remind the user that they have an account and that it is inactive
  2. Remove the account if the user doesn't respond to a confirmation email within, say, 2 weeks
  3. Mandatory password resets every 1-2 months
  4. Better protection of stored passwords: hash them (with a per-user salt and a slow password hash), and don't use hashes known to be broken, e.g. MD5
  5. Encrypt your backups!
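The difference point 4 is about, as an added example (this is not code from the original post, nor from LinkedIn or Gawker): a leaked table of unsalted MD5 digests falls to one precomputed lookup table that serves every user, while a salted, slow password hash (PBKDF2-HMAC-SHA256 from the Python standard library here) forces a full hash computation per user per guess. The user records, the wordlist and the function names are all constructed for this illustration.

```python
"""Added example: unsalted MD5 versus salted PBKDF2 for stored passwords.
All dumps, users and the wordlist below are constructed for the demo."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist: what an attacker feeds a lookup table or a cracker.
WORDLIST = ["123456", "password", "lifehacker", "qwerty", "letmein"]

PBKDF2_ITERS = 200_000  # illustrative work factor; raise it as hardware speeds up


def md5_hex(pw: str) -> str:
    """Unsalted MD5, the kind of 'hash' the post warns against."""
    return hashlib.md5(pw.encode()).hexdigest()


def crack_unsalted_md5(dump: dict[str, str]) -> dict[str, str]:
    """Recover passwords from a {user: md5_hex} dump with ONE lookup table.
    Nothing is salted, so the same table works for every user in the dump."""
    table = {md5_hex(w): w for w in WORDLIST}
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(pw: str, salt: bytes | None = None, iters: int = PBKDF2_ITERS) -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$digest_hex' with a fresh random salt.
    Storing iters and salt alongside the digest lets the work factor be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters)
    return f"pbkdf2_sha256${iters}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(dk.hex(), digest_hex)


def crack_salted(dump: dict[str, str]) -> dict[str, str]:
    """Same wordlist against a salted PBKDF2 dump: no shared table is possible,
    every (user, guess) pair costs a full PBKDF2 run. Weak passwords still fall,
    which is why salting and slowness complement, not replace, password policy."""
    found: dict[str, str] = {}
    for user, stored in dump.items():
        for guess in WORDLIST:
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found


def work_factor(n_users: int) -> tuple[int, int]:
    """(MD5 computations, HMAC iterations) an attacker needs to try the whole
    wordlist against every user: one shared table for MD5, versus
    users * guesses * iterations for salted PBKDF2."""
    md5_work = len(WORDLIST)
    pbkdf2_work = n_users * len(WORDLIST) * PBKDF2_ITERS
    return md5_work, pbkdf2_work


if __name__ == "__main__":
    # Constructed dumps: one site stored MD5, the other salted PBKDF2.
    md5_dump = {"alice": md5_hex("password"), "bob": md5_hex("S3cure!Pass-2010")}
    print("cracked from MD5 dump:", crack_unsalted_md5(md5_dump))
    salted_dump = {u: hash_password(p, iters=10_000)
                   for u, p in [("alice", "password"), ("bob", "S3cure!Pass-2010")]}
    print("cracked from salted dump:", crack_salted(salted_dump))
    print("work to try wordlist on 1.3M users (md5, pbkdf2):", work_factor(1_300_000))
```

The salted dump in the demo uses a reduced iteration count so it runs quickly; in production keep the stored iteration count high and bump it over time, since the stored string carries its own parameters and old records can be re-hashed at next login.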

I just received the following LinkedIn email

LinkedIn

Dear Beitis,

In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:

  1. Go to the LinkedIn website
  2. Click on “Sign In”
  3. Click on “Forgot Password?” and follow the directions on the website

Thank you,
The LinkedIn Team

Now I'm guessing that either LinkedIn is taking measures to protect its users, or there have been security incidents linked to Gawker. I need to actually download the dump myself and find out what my password was (great, more fun…). I hope it's not because my Gawker password was the same as the LinkedIn one (I tested it and that doesn't seem to be the case), unless Gawker is forcing people to reset passwords without telling them, simply by not accepting their current ones.

Interesting. If you are running a web site, DO protect your fan base/users. Also make sure you encrypt your backups! They might get stolen too.

Thanks LinkedIn.com !

Security certifications verifying that organizations actually run a secure infrastructure are needed. Gawker had horrible security. Something needs to be done about this.

And tip of the day: stop logging in to Gawker sites; the attackers might have planted code that monitors activity and captures new passwords.

Security Breach – Gawker media group

Filed under: security — george @ 9:44 am

Gawker Media group has been associated with a major security breach. I noticed news of this yesterday, but it was only today, when I received an email about the breach from a third party, that I started becoming concerned.

A group managed to get hold of user details (including emails and passwords) of users registered with the Gawker group. The group runs websites such as Gizmodo.com and lifehacker.com, all very successful blog-based sites with millions of fans worldwide.

Note that the attackers gained access to Gawker's systems weeks or months ago. Gawker only realized it when the attack was carried out, although they had hints of it long before.

The attackers are a group called “Gnosis“, and are not related (according to them) to the 4chan-associated group behind the recent attacks on payment sites that refused to process donations for Wikileaks. Gawker had provoked 4chan in the recent past and had made public claims about its own security (read more in the links below). Only foolish people make such claims. Gnosis released the dump, including around 200,000 passwords in plain text.

A company called Hint decided to take advantage of the publicly available database dump to market itself (no surprise there). It sent me the following email this morning (not just me, but all users whose credentials were in the dump).

Hi there,

Hint wanted to let you know that your email address and password that you used to sign up for Gawker (or one of its sites) were hacked. Forbes’ coverage is here
In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately. We HIGHLY recommend you change all of your online passwords as a precaution.
-The Team at Hint

What we should pay attention to here is this: Gawker WAS aware of the attack, but instead of notifying its users in a timely manner it did nothing until a third party warned them.

Also, one can’t help but wonder whether part of the website's code base was also compromised, so that users trying to change their passwords (or even just logging in) are feeding them straight back to the attackers or someone else.

Gawker group: BAD BAD BAD.

This incident also made me wonder how many other websites I have registered on and forgotten about altogether. I couldn’t even remember what password I used here. Do you all remember which sites you are registered on, with which passwords, or how they manage your personal information and credentials (whether they are even encrypted or hashed)? They might be stored in plain text, exposed not only to attackers but to the admins themselves. You have no idea, do you? Neither do I, but it is time for some housekeeping.

There are issues of trust lurking here. Gawker has gone into the not-so-trusted-in-terms-of-security group.

In their defense Gawker did send an email out, although delayed.  Quoting:

This weekend we discovered that Gawker Media's servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you're a commenter on any of our sites, you probably have
several questions.

This weekend? Come on, guys! On the bright side, they are now maintaining a FAQ section to guide users through changing all their passwords. You can find it here: http://lifehac.kr/eUBjVf. Forbes also has the whole story here: http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/ .

I wonder how many of you use the same password on different websites (or on all of them!). Reading the Forbes article, the Gawker guys seem very arrogant indeed. Hard to take them seriously when they don’t seem to get security right (or at all, if you look at what their employees did) or even appreciate their own user base.

Disappointing.

Update:

Breached credentials have already been put to use in a Twitter spam attack: http://www.readwriteweb.com/archives/twitter_spam_attack_tied_to_gawker_security_breach.php . Sophos also blogs about what happened in two posts (and don’t worry, it's not Graham doing the investigation!!):
http://nakedsecurity.sophos.com/2010/12/13/gawker-gizmodo-lifehacker-password-change/
http://nakedsecurity.sophos.com/2010/12/13/acai-berry-spam-gawker-password-hack-twitter/
http://www.mediaite.com/online/exclusive-gawker-hacker-gnosis-explains-method-and-reasoning-behind-his-actions/

December 3, 2010

Jobs – Cyprus

Filed under: Interesting — george @ 12:50 pm

Hi Guys!!!

I added a new link section called Jobs – Cyprus, which lists recruitment sites in Cyprus. If you are looking for a job in Cyprus then this is the place to start!!

December 2, 2010

An inspirational book about life

Filed under: Interesting — george @ 9:46 am

Although I am not much of a book reader, as my attention span seems rather limited when it comes to stories, a friend (Stephanos) posted on Google Buzz that he was buying a new book called Life Without Limits: Inspiration for a Ridiculously Good Life. Quoting from the Amazon website:

Glancing at this book’s cover, it takes a moment to register that the smiling young man staring back has neither arms nor legs. That’s fitting, since Vujicic’s story is about how, despite extreme disabilities, he wants to be seen as a normal person. Readers might find extraordinary a better word, as they learn how Vujicic, born limbless (but with a tiny foot), lives what he calls “a ridiculously good life.” By learning to be a help and resource to others, and choosing to dwell on the positives in his life, including a supportive family and friends, he has overcome the despondency natural to a young person in his predicament and become a source of inspiration for those he meets as a speaker and those who see his videos on YouTube. Although much of his account is straightforward biography, he also devotes considerable space to sharing his faith in God and offering practical suggestions for making one’s life happier and more productive. The underlying message is, “I’m happy; why aren’t you?” That’s a pretty good question, as readers will see after only a few pages. –Ilene Cooper

You may wonder why I posted this. The answer is simple: we always complain about how bad we have it, but never consider that it’s actually not that bad and that we should stop nagging about our lives. I will actually buy this book and read it.

Thumbs up for this guy for being so optimistic!!

Links:

http://press.lifewithoutlimbs.org/

Life Without Limits

