Archive for the ‘passwords’ Category

Digital exchange loses $137 million as founder takes passwords to the grave

February 2nd, 2019
Black-and-white photo of a human skull in a graveyard.

Enlarge (credit: Jakub T. Jankiewicz / Flickr)

A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers’ assets following the sudden death of its founder, who was the only person known to have access the the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it’s tied up in disputes with third parties.

The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX’s sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn’s disease in India in December at the age of 30.

Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a “cold wallet,” meaning a digital wallet that wasn’t connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars (Ars has reported on three such thefts here, here, and here.)

Read 6 remaining paragraphs | Comments

Posted in Biz & IT, cold wallet, cryptocurrency, encryption, passwords | Comments (0)

Monster 773 million-record breach list contains plaintext passwords

January 17th, 2019
Monster 773 million-record breach list contains plaintext passwords

Enlarge (credit: Getty Images)

Have I Been Pwned, the breach notification service that serves as a bellwether for the security of login credentials, has just gotten its hands on its biggest data haul ever—a list that includes almost 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites.

According to Have I Been Pwned founder Troy Hunt in a post published Wednesday, the monster list is a compilation of many smaller lists taken from past breaches and has been in wide circulation over the past week. It was also posted to the MEGA file sharing site. At least one of the included breaches dated back to 2015. Dubbed "Collection #1," the aggregated data was likely scraped together to serve as a master list that hackers could use in credential stuffing attacks. These attacks use automated scripts to inject credentials from one breached website into a different website in hopes the holders reused the same passwords.

The 773 million email addresses and 21 million passwords easily beat Have I Been Pwned’s previous record breach notification that contained 711 million records. But there are other things that make this latest installment stand out. In all, it contains 1.16 billion email-password combinations. That means that the list covers the same people multiple times, but in many cases with different passwords. Also significant: the list—contained in 12,000 separate files that take up more than 87 gigabytes of disk space—has 2.69 billion rows, many of which contain duplicate entries that Hunt had to clean up.

Read 6 remaining paragraphs | Comments

Posted in Biz & IT, breaches, credentials, Have I been pwned, passwords | Comments (0)

New Windows 10 build silences Cortana, brings passwordless accounts

January 4th, 2019
New Windows 10 build silences Cortana, brings passwordless accounts

The latest Insider build of Windows 10, 18309, expands the use of a thing that Microsoft has recently introduced: passwordless Microsoft accounts. It's now possible to create a Microsoft account that uses a one-time code delivered over SMS as its primary authenticator, rather than a conventional password.

In the new Windows 10 build, these passwordless accounts can be used for logging into a machine locally. The initial sign-in will use SMS, and it will then prompt you to configure biometric or PIN authentication. Your face, fingerprint, or PIN will be used subsequently. This capability is in all the editions, from Home up to Enterprise. A few previous builds had constrained it to Home only.

While SMS-based authentication has security issues of its own, Microsoft seems to feel that it's a better bet for most home users than a likely insecure password. Removing the Windows login password is part of the company's broader efforts to switch to using a mix of one-time passwords, biometrics, and cryptographic keys.

Read 3 remaining paragraphs | Comments

Posted in Cortana, microsoft, passwords, security, Tech, Windows | Comments (0)

What was the name of your first exploit? Win 10 security questions open backdoor

December 5th, 2018
What was the name of your first exploit? Win 10 security questions open backdoor

Enlarge (credit: Microsoft)

Security questions—the annoying shared secrets used as a secondary form of authentication—have been around forever and are used by just about everyone to deal with users who forget their password. That’s starting to change as more enlightened services—most notably Google and Facebook—have recently phased out security questions after recognizing something then vice presidential candidate Sarah Palin learned the hard way in 2008: the answers are easy for hackers to guess.

Enter Microsoft, which earlier this year added a security questions feature to Windows 10. It allows users to set up a list of security questions that can be asked in the event they later forget a password to one of their administrative accounts. By answering questions such as “What was your first car?” the users can reset the forgotten password and regain control of the account. It didn’t take long for researchers to identify weaknesses in the newly introduced feature. They presented their findings today at the Black Hat Europe Security Conference in London.

“Durable, stealthy backdoor”

The problem, the researchers said, is that the password reset questions are too easy to set and too hard to monitor in networks made up of hundreds or thousands of computers. A single person with administrator credentials can remotely turn them on or change them on any Windows 10 machine and there’s no simple way for the changes to be monitored or changed. As a result, malicious users—say a rogue employee or a hacker who briefly gains unauthorized administrative control—can use the security questions as a backdoor that will secretly allow them to regain control should they ever lose it.

Read 7 remaining paragraphs | Comments

Posted in Biz & IT, microsoft, password reset, passwords, security questions, Windows | Comments (0)

Hack on 8 adult websites exposes oodles of intimate user data

October 20th, 2018
One of the hacked websites, wifelovers.com, as it appeared on October 12.

Enlarge / One of the hacked websites, wifelovers.com, as it appeared on October 12. (credit: Internet Archive)

A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it’s not clear how many of the addresses legitimately belonged to actual users.

Robert Angelini, the owner of wifelovers.com and the seven other breached sites, told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to them. He said he didn’t know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn’t had time to examine a copy of the database that he received on Friday night.

Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites on early Saturday morning. A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites.

Read 15 remaining paragraphs | Comments

Posted in Biz & IT, Data breaches, passwords, personal information | Comments (0)