Assault on the Hash (or how to make secure your passwords)

In a recent episode of Build & Analyze Marco Armet (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively guess your salt in a reasonable amount of time*.

The solution, use bcrypt. Essentially, it’s an extremely slow hashing algorithm.

To me this seems a little bit like security through obscurity, every once in awhile – as CPU speed increases – you’ll have to update your algorithm to generate hashes even slower.

See also.

*A modern server can calculate over 300MB of hash data per second!

How To Use Your iPhone to Stalk Yourself

It looks like the privacy hippies were finally right about something, your mobile phone really is a pocket sized tracking device.

Turns out that as of iOS 4.0, iPhones have been tracking your physical movements and logging it along with the phone’s backups.

A small team of researchers have discovered these logs in iTune’s backup files, they’ve released a handy little app that collects all the data from your user folder and plots it on a map. iPhoneTracker.app and further information available here.

Here is the visualization of everywhere I’ve been since Sept 28, 2010:

You can see lots of activity in and around Winnipeg (including trips up to the Gimli and Victoria Beach), a flight to Toronto and subsequent travel around southern Ontario and a road trip to Minneapolis. It’s fascinating.

I’m not sure if this is a terrifying privacy hole or a neat little hidden feature. I’m leaning towards neat feature, since the data is stored locally on your computer and can be encrypted automatically by iTunes.

At this point in time a method for disabling the “feature” does not exist. I expect Apple will be responding in short order.

Facebook Security Still Lacking

In October I blogged about a Firesheep, a Firefox plugin that highlights the inherent vulnerabilities in the way that Facebook and other websites handle sessions. TL;DR – Install the extension and with a click of a button you can capture un-encrypted Facebook sessions of any user using a WiFi network you’re connected to (read the full post for all the details). For research purposes, when a friend of mine was at Pearson a few months ago he fired up Firesheep and instantly had access to several dozen Facebook accounts.

This is a bad, very bad.

To combat this security hole, Facebook enabled secure HTTP connections in January. Enabling this feature renders Firesheep useless.

Unfortunately, Facebook’s implementation has one serious flaw. When you use (almost) any Facebook app you’re required to switch back to un-encrypted HTTP mode! You’re presented with this dialog:

The wording used in the dialog may make you think the setting is temporary while you’re using the app. I don’t know if it’s designed that way or if it’s just poorly worded. But in fact clicking “continue” will permanently disable your HTTPS preference!

Sad.

I suspect there’s probably a technical reason for this requirement, something about the way that apps include data from external domains. I haven’t looked into it. Facebook really needs to address this.

My suggestion would be to disable some sort of alert when navigate away from the app, which a one click solution for re-enabling HTTPS.

Facebook Now More Secure

In a blog post today Facebook detailed some of their new security improvements:

Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the “Account Security” section of the Account Settings page.

Enabling this option will effectively prevent you against Firesheep and similar account hijacking methods. I think it’s fairly safe to assume this feature is a direct response to Firesheep, even if it seems to have taken them 4 months to roll out. Though, it could also be a response to Zuckerburg’s account hack yesterday.

I’m going to go one step further than Facebook and say, you should absolutely enable this option as soon as it’s available to you.

Gawker Hacks [update: no Digsby]

If you missed it, Gawker Media’s username/password database was hacked and paswords decrypted! This is very very bad. Lifehacker, has a comprehensive post about the compromise.

They only left out one little piece of info, your password may have been exposed even if you’ve never logged in to a Gawker site. Multi-IM client Digsby is owned by Gawker and Digsby username/passwords are also in that database! Seriously, this is bad. No more blogging after midnight…This was totally incorrect, my apologies. I didn’t read the email very well (or possibly at all). Thanks for the comments from the Digsby team. I incorrectly made the connection based on the password Gawker had on file; it was an old password I was sure I had only ever used for IM clients.

Again, if this is the first you’ve heard this, here are the important links: