
This Week InSecurity

by Neal O'Farrell on September 24th, 2009

Why Your Boss Might Ask For Your Twitter Password

CBS television stations in Montana reported this week on a decision by the City of Bozeman to ask new hires to not only provide a list of all the web sites they visit frequently, but also provide the usernames and passwords for all those sites.

The reason? Apparently the city believes that as part of its background checks on new employees it should have access to these sites so they can get a better idea of the person they’re considering hiring, what their views are, and who they associate with.

According to the report, the city is asking job applicants for a complete list of personal and business web sites, chat rooms, and social networking sites, as well as accompanying logins and passwords. The city also requests passwords to sites like YouTube, Google, and Yahoo!.

Not surprisingly, the new policy has come under fire from many quarters, including privacy advocates. Read the full story here.

Are Yahoo Passwords Easier To Crack?

A researcher at a company called Breach Security recently exposed a long-standing practice at Yahoo! that makes it much easier for hackers to spend as much time as they want trying to crack your password.

Apparently Yahoo! has two login options for users wanting to access their Yahoo! accounts or email. The standard one that most users see has a number of security features to prevent multiple guesses at passwords. They include a CAPTCHA feature that requires the (usually) human input of a set of presented characters.

This thwarts most attackers, because a CAPTCHA blocks automated tools from trying thousands of different passwords every minute until they find the right one.

Yahoo! also has lockout features – you get three chances to input the right password, then you’re either locked out or have to contact support for your password.

But the second login option, typically used by Yahoo! partners, uses neither of these security mechanisms. That means hackers can use these login pages to run automated scripts and test potentially thousands of passwords, uninterrupted, until they find yours.

Until Yahoo! fixes the problem, the safest bet is to make your passwords as long, random, and complicated as possible, and change them often. Read more.
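The root cause above is that the lockout lives on one login page instead of on the account. The following added example (not code from the article or from Yahoo!) models that in Python: a protected endpoint that enforces the three-strike lock, an unprotected partner-style endpoint that only checks the password, and a helper that counts how many wrong guesses each endpoint will keep evaluating. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 3  # "three chances", as the article describes the main login


def _hash(password: str) -> bytes:
    # Demo-only hashing; a real deployment would use a slow hash such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).digest()


class AccountStore:
    """Password hashes plus the per-account failure counter and lock set."""

    def __init__(self):
        self._hashes = {}
        self.failed = {}
        self.locked = set()

    def add(self, username: str, password: str) -> None:
        self._hashes[username] = _hash(password)
        self.failed[username] = 0

    def verify(self, username: str, password: str) -> bool:
        stored = self._hashes.get(username)
        return stored is not None and hmac.compare_digest(stored, _hash(password))


def login_unprotected(store, username, password) -> str:
    """Models the partner login: checks the password and consults no lock state."""
    return "ok" if store.verify(username, password) else "bad"


def login_protected(store, username, password) -> str:
    """Models the main login: every verdict goes through the account-level lock."""
    if username in store.locked:
        return "locked"
    if store.verify(username, password):
        store.failed[username] = 0
        return "ok"
    store.failed[username] = store.failed.get(username, 0) + 1
    if store.failed[username] >= MAX_ATTEMPTS:
        store.locked.add(username)
        return "locked"
    return "bad"


def guesses_evaluated(store, username, guesses, endpoint) -> int:
    """Counts wrong guesses an endpoint answers with a password verdict before refusing."""
    n = 0
    for guess in guesses:
        if endpoint(store, username, guess) == "locked":
            break
        n += 1
    return n
```

The fix the example implies is that every entry point must call the same lock-aware check; a second endpoint that skips it leaves the lock with no effect.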

New Survey Shows More than Half Of Businesses Don’t Protect Sensitive Information

A survey released this week by research firm the Ponemon Institute found that while most firms focus on protecting credit card information, more than 50% don’t protect what many would consider to be far more valuable information – like bank account numbers, home addresses, and even Social Security numbers.

The survey of 500 companies was designed to determine whether the Payment Card Industry (PCI) data security standards created by the credit card companies to reduce credit card fraud and theft actually worked. The results were pretty disappointing.

  • 71% of the firms said they are still not making data security a priority.
  • 79% of these firms said they’ve been hit by one or more data breaches.
  • The number of breaches and cases of credit card fraud has actually risen since the security standards were launched in 2005.

In the case of smaller firms, less than a third of the firms that should have been complying with the PCI standards actually were. And perhaps most shocking, one in ten of the firms surveyed didn’t even have basic virus protection in place. Read more.

Twitter’s Getting Phished. Again!

Twitter users report receiving messages from users in their network with a link to log in to their Twitter account for more information. The link puts up a bogus Twitter login page instead and steals your Twitter password. Read more.
