A virtual safe deposit box is meant to hold your most precious information, so it is prudent to ask your service provider exactly how they store it. In light of the recent security breach at RockYou.com, where 32 million passwords were exposed, your provider should, at the very least, publish a security policy clearly stating how information is stored.
Your provider should hash passwords before storing them in a database; a hash cannot be reversed to recover the password, unlike encryption, which anyone holding the key can undo. Passwords can be further protected through a technique called salting, in which a random value is combined with the password before hashing and stored alongside the resulting hash. If the database is hacked, the attacker obtains hashes rather than readable passwords, and because every user's salt is different, a password cracker program cannot reuse one precomputed table against every account, which makes deciphering your password far more difficult.
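The storage scheme described above, as an added example that is not code from the original post or from any provider it mentions. It contrasts an unsalted hash with a salted, iterated one (PBKDF2-HMAC-SHA256 from the Python standard library; the salt length and iteration count are assumed example choices), stores the salt next to the digest so the password can be verified later, and shows why two users with the same password end up with different records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (example choices, not from the original post):
# PBKDF2-HMAC-SHA256, a 16-byte random salt, 200,000 iterations.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 200_000


def naive_hash(password: str) -> str:
    """Unsalted hash: the weak scheme the post warns against.

    Two users with the same password get the identical digest, so one
    precomputed table (or one cracked hash) unlocks every matching account.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash suitable for storing in a user table.

    Returns "pbkdf2_<hash>$<iterations>$<salt_hex>$<digest_hex>" so the
    verifier can recover every parameter it needs from the stored record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    hash_name = algorithm.split("_", 1)[1]  # "pbkdf2_sha256" -> "sha256"
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the comparison stopped matching.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_hash(password: str) -> tuple:
    """Why salting matters: (naive digests collide, salted digests differ)."""
    naive_collide = naive_hash(password) == naive_hash(password)
    salted_differ = hash_password(password) != hash_password(password)
    return naive_collide, salted_differ


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("wrong", record))
    print("naive collides / salted differs:", same_password_same_hash("hunter2"))
```

A provider that stores only such records never holds the password itself; a leaked table yields salted digests that must be attacked one account at a time, which is the property the post is asking providers to document.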
A more secure approach is to use OpenID or RPX for authentication, so that the password is held by the identity provider rather than stored by the service itself. Some OpenID providers, such as myOpenID, also offer SSL certificate sign-in and two-factor authentication.
Additionally, your service provider should protect their database from being hacked by guarding against SQL injection attacks. In this attack, a hacker enters database commands into an input box; if the application pastes that input straight into a query, the commands run, revealing details about the database and allowing the hacker to steal information. Input data should be sanitized, using tools such as AntiXSS. Another defensive strategy is to query the database exclusively through stored procedures and disallow the use of dynamic SQL.
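The difference between dynamic SQL and a query that keeps user input out of the command text, as an added example that is not code from the original post. It uses Python's built-in sqlite3 module and a constructed two-row user table; because SQLite has no stored procedures, the hardened version uses a parameterized query, which binds the input as a value in the same way a stored procedure with typed parameters would.

```python
import sqlite3

# Constructed sample data (not from the original post).
USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Dynamic SQL: the input is pasted into the statement text.

    Whatever the input contains becomes part of the command, which is
    exactly the weakness the post describes.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with input that carries SQL."""
    conn = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"  # constructed input: a quote plus an always-true clause
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the hostile input the dynamic query's WHERE clause becomes always true and returns every row, while the parameterized query looks for a user literally named `' OR '1'='1` and returns nothing. Sanitizing input helps, but binding parameters (or routing every query through stored procedures, as the post recommends) removes the problem at its root.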
Make sure to change your password often. If you suspect a security breach, change your password immediately and contact your service provider. Learn how to create strong passwords and how to recognize phishing attempts: once your information is compromised, you will not get a second chance.
James Bell
Sources
RockYou Hacker: 30% of Sites Store Plain Text Passwords, by Jolie O'Dell
One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now., by MG Siegler
RockYou Hack: From Bad To Worse, by Nik Cubrilovic