Storing passwords

I’ve been searching for different ways to store all these precious passwords that I’ve scattered throughout the web. I started by storing all my passwords in a file on my computer and setting the permissions on that file so only I could read and write it. But that felt like putting all my eggs in one basket, and I was the basket’s sole protector. How much time do I really put into security each day, you might ask? Well, the answer is what you would guess: not much.

So my next attempt at solving my password security issue was to never write down my passwords, but to create an algorithm stored in my brain that generates them. Every time I needed to log in to a website, I would run through my algorithm and work out what my password should be. It took a few more brain processing cycles, but it worked. The downfall of that methodology, however, is changing passwords when needed. Everything worked fine until some website got hacked and its user credentials were stolen. I would have to change my password for that website, which meant coming up with another algorithm. Then I had two algorithms to remember, and I had to know which one to use for each site I visited. Over time that methodology got complicated and took up brain power that could have been used toward dreaming up what cool thing I could buy on Amazon.

So fast forward to the present: I just set up an account at LastPass to store all of my passwords. It solves some of my issues with remembering passwords and processing algorithms in my head to generate them. They spend their days on security to make sure my passwords are safe. It has a Google Chrome extension that will automatically log me in when I visit sites where I have accounts. Although I’ve not tried this feature yet, it can also change the passwords on my accounts easily, so I can do that often. Using new passwords frequently is a good security practice to limit the damage from breaches.

Now I can get back to applying my brain power towards buying stuff on Amazon.

Citibank web security

Big security hole at Citigroup website

Many may have read about the recent hack into Citibank’s website that leaked 200,000 user accounts. At first, one would imagine that it must have been a sophisticated job. Well, the news is just out on how the hacker broke in. It is something anyone could have done: just look at the URL after logging into Citibank and replace the account number with another number to gain access to someone else’s account. It is pure negligence on the part of Citibank’s development team.

I wonder how many people are now looking at their own URLs to determine how much they are revealing.
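The flaw described above is a missing ownership check on an object addressed by an identifier in the URL. The following is an added example, not code from the post or from Citibank, showing the vulnerable pattern beside the hardened one and a simple detector for one user hitting many account numbers that are not theirs; the account table and the session objects are constructed.

```javascript
// Constructed account table: account number -> record.
const ACCOUNTS = new Map([
  ["100001", { owner: "alice", balance: 1250.0 }],
  ["100002", { owner: "bob", balance: 90.5 }],
  ["100003", { owner: "alice", balance: 30.0 }],
]);

// Vulnerable pattern: the account number from the URL is trusted on its own,
// so any logged-in user can read any account.
function getAccountVulnerable(session, accountId) {
  const acct = ACCOUNTS.get(accountId);
  return acct ? { status: 200, body: acct } : { status: 404 };
}

// Hardened pattern: the record must belong to the user the session is for.
const deniedLog = []; // constructed in-memory log of denied lookups
function getAccountSecure(session, accountId) {
  const acct = ACCOUNTS.get(accountId);
  if (!acct || acct.owner !== session.user) {
    // Same response for "does not exist" and "not yours", so the status code
    // does not tell a caller which account numbers are valid.
    deniedLog.push({ user: session.user, accountId, ts: session.now });
    return { status: 404 };
  }
  return { status: 200, body: acct };
}

// Detection: a user whose denied lookups cluster (threshold within
// windowSeconds) is most likely walking through account numbers.
function enumerationSuspects(log, windowSeconds, threshold) {
  const byUser = new Map();
  for (const e of log) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e.ts);
  }
  const suspects = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    for (let i = 0; i + threshold - 1 < times.length; i++) {
      if (times[i + threshold - 1] - times[i] <= windowSeconds) {
        suspects.push(user);
        break;
      }
    }
  }
  return suspects;
}
```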

Find out who sold your email to marketers

Here is a website that can help if you are wondering how your email address was released to the public for spam. This spam tracking site tells you, for any site that requires an email address to sign up, how likely it is to leak that address to marketers.

It would be wise to check any website on www.spamleak.com before giving away your valuable email address.

Google face recognition

Google plans to add face recognition to photos in the future. They are already crawling the web and finding images all over the place. With this new feature they could link together a person whose images have been posted on various websites. Depending on how this information is served up to the public, it could shave away a layer of anonymity on the internet.

Phishing attacks on Yahoo Messenger

Hackers have long used phishing techniques via email to obtain personal information from their victims. Now a new form of phishing attack has surfaced: attackers use Instant Messaging (IM) to gain access to your personal information. This attack on Yahoo IM delivers a message to the user that appears to be coming from someone they know. The message contains a link to a site that looks like Yahoo and asks the user to log in. Once the user logs in, the login name and password are captured, allowing the hacker to gain access to the user’s account.

This was written up in March 2005 by CNET and I just received one of these phishing messages recently.
[Image: Phishing Yahoo Messenger]

Myspace.com hacked

myspace.com is a very popular community site where people can post information about themselves and create a network of friends with other members on the site. Earlier this week, someone hacked the site by injecting code into a profile that makes an HTTP request in the background whenever someone views the profile. The HTTP request adds the hacker’s profile as a Hero on the viewing member’s profile. Each newly added Hero also carries the script that does the same thing, essentially creating a worm on the site. As the hacker later acknowledged in a posting, it grew exponentially and quickly brought down the site.
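The root cause is profile text being placed into other members’ pages as live HTML. The following is an added example, not code from the post or from myspace.com, contrasting raw concatenation with escape-on-output and adding a rough logging signal for active content in submitted text; the sample profile is constructed and its script is inert.

```javascript
// Escape the five characters that let user-supplied text break out of an
// HTML text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the bio is concatenated as-is, so any <script> tag
// or event-handler attribute in it runs in every viewer's browser.
function renderProfileVulnerable(profile) {
  return `<div class="bio">${profile.bio}</div>`;
}

// Hardened rendering: encode on output, every time, regardless of whatever
// filtering was applied when the profile was saved.
function renderProfileSecure(profile) {
  return `<div class="bio">${escapeHtml(profile.bio)}</div>`;
}

// Server-side signal for profile text containing active content. Useful to
// log and review; it is not a substitute for output encoding.
function looksLikeActiveContent(text) {
  return /<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(iframe|object|embed)/i.test(text);
}

// Constructed sample: a bio with an inert script tag in it.
const sampleProfile = {
  name: "sample-user",
  bio: "Hello world! <script>alert(1)</script>",
};
```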

Website email scripts hacked

Many webmasters have noticed strange activity in their server logs recently. It seems that bots or viruses are testing their email scripts for vulnerabilities, and in many cases the vulnerabilities do exist. The bots abuse the sites by entering data into the email script and sending emails to whomever they wish, in effect turning your website into a spam relay.

Issue:
The problem this poses to you is that your website might be blacklisted by services like AOL, Yahoo, etc. When their users get spam, they can easily click a button to tag it as spam and have it reviewed by the email service provider. If enough emails from the IP address where your website is hosted are tagged as spam, the email service provider will notify your ISP that the IP address will be blacklisted if action is not taken. Your ISP will usually suspend your account at this point and your website will be down.

Solution:
Make sure the email scripts on your website are secure. Add checks when the script tries to send an email, and make sure it verifies that the email being sent is legitimate according to the data you have in your system or your business logic. For instance, if you know your website only sends emails to people who are in your database, then check for that.
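The following is an added example, not code from the post, of the checks a contact-form mail script should make before handing anything to the mailer: the recipient must be one the site already knows, and no header field may contain a line break, because a CR or LF inside a name or address is how a submitter appends extra To: or Bcc: headers to the outgoing mail. The recipient directory, the sender domain and the sample submissions are all constructed.

```javascript
// Recipients the site is allowed to mail: only addresses in our own records.
const KNOWN_RECIPIENTS = new Set(["support@example.com", "sales@example.com"]);

// A header value must be a single line; CR or LF inside it would let the
// submitter inject additional headers.
function isSingleLine(value) {
  return typeof value === "string" && !/[\r\n]/.test(value);
}

// Deliberately loose shape check: one "@", no whitespace, a dot in the domain.
function isPlausibleAddress(addr) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(addr);
}

// Returns { ok: true, mail } or { ok: false, reason }. Callers should log the
// reason: a burst of rejections is the "bot testing the form" signal from
// the server logs mentioned above.
function prepareContactMail(form) {
  const { to, fromName, fromEmail, subject, body } = form;
  if (![to, fromName, fromEmail, subject].every(isSingleLine)) {
    return { ok: false, reason: "newline in header field" };
  }
  if (!KNOWN_RECIPIENTS.has(to)) {
    return { ok: false, reason: "recipient not in our records" };
  }
  if (!isPlausibleAddress(fromEmail)) {
    return { ok: false, reason: "malformed sender address" };
  }
  // The submitter's address goes in Reply-To; From stays on our own domain so
  // the script never sends mail that claims to originate elsewhere.
  return {
    ok: true,
    mail: {
      to,
      from: "no-reply@example.com", // constructed sender for this example
      replyTo: fromEmail,
      subject: subject.slice(0, 200),
      text: `${fromName} wrote:\n\n${body}`,
    },
  };
}
```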