The DigiNotar breach (“Operation Black Tulip”) is certainly likely to be a watershed in Internet security, and possibly in how we perceive cyberwar. But one lesser point may get lost: how vulnerable we are with a single username and password to access all Google accounts. Not only does that single account gain potential access to email and access to other accounts if that email address is used as the default account in the case of a lost password (or if it’s used as the sign-in for other services, a la Chrome web apps), but it also gains access to documents, photos, location information, contact lists and chat records
Forget phishing for your passwords via dodgy emails. Just use Wi-Fi. Internet security company Secure Computing Corporation have today released a report prepared by security consultants Canola/Jones Internet Investigations which “documents the serious risks of password theft that business travelers encounter when using the Internet in hotels, cafes, airports, and trade show kiosks.” The full report is available (in PDF format) here. Posing as a business traveler, the author “found multiple methods available to cyber-criminals that could be used to steal passwords and corporate information”. Wireless access points are especially vulnerable: “Tests conducted at an airport Internet cafe and at a popular chain of coffee
As if you didn’t know it already (and I’ve posted about this before), your Windows passwords are not safe. According to an article on TechExtreme, some Swiss researchers have published a paper detailing how to crack Windows computers protected by alphanumeric passwords in an average of 13.6 seconds. Their approach can crack 99.9 percent of all alphanumerical passwords in 13.6 seconds, against a previous 101 seconds. The bottom line: When you can, include non-alphanumeric characters in your password, such as a question mark or a plus sign.
Now your Microsoft Windows password can be cracked in 13.6 seconds, a vast improvement over the slow and tedious 101 seconds it took previously. An improved cryptanalytic method uses large amounts of memory–in this case, 1.4 GB–to speed its cracking of keys, says Security Wire Digest. I won’t bore you with how they did it. But the bottom line is that this attack doesn’t pose any practical threat, since only an administrator would be able to access the encrypted password to conduct the attack, and users can resist by using passwords that contain more than just letters and numbers.