Happy Friday folks! This past week (now being called “Breach Week”) was chock full of breaking news in the security world. Check out some of the biggest headlines below.
Flame Malware: “Microsoft Update and the Nightmare Scenario” by Mikko Hypponen. In this F-Secure blog post, Mikko Hypponen discusses what makes the Flame malware so powerful – its ability to spread via phony Microsoft Updates. Mikko reports that Flame has been running man-in-the-middle attacks on Microsoft Update or the Windows Server Update Services system to install infected files on host computers. The infected files misleadingly appear to be signed with Microsoft Certificates. In response, Microsoft released a security update to remove the three certificates that had been compromised. Read the post for Mikko’s full analysis and some screenshots of Flame’s certificates.
CloudFlare Breach: “CloudFlare’s Post Mortem” by Adam Shostack. This blog post on The New School of Information Security takes a look at CloudFlare’s disclosure that they had been victims of an attack via Google Apps/Gmail. The attack used a flaw in Google’s account recovery system to bypass their 2-step verification process and access customer email information. Adam’s post offers an excellent recap of the lessons to be learned from this incident. For one, CloudFlare set an excellent example of the benefits that disclosure can have for a company that has suffered a breach. This breach also shows some of the difficulties associated with multi-factor verification. Adam ends his post with some account security advice for companies and users.
LinkedIn Breach: “What to do if your LinkedIn password is hacked” by Donna Tam. This article for CNET features some excellent password security advice from Jeremiah Grossman and Veracode CTO and co-founder Chris Wysopal in the wake of a breach that stole 6.5 million user passwords from LinkedIn. Both provide insights on different ways users can ensure that their passwords are safe and manageable. Donna also references LinkedIn’s communication disclosing the breach and reminds readers to make it a practice to change their passwords often.
eHarmony Breach: “Users of dating website eHarmony told their passwords have been stolen” by Graham Cluley. This Naked Security post from Graham Cluley reports on yet another data breach of the past week, this one affecting users of online dating site eHarmony. The incident seems similar to the LinkedIn breach, with 1.5 million user passwords being leaked as hashes. eHarmony has not released much information about the breach itself, but (much like LinkedIn) they did disclose the breach in a blog post that assured users that the compromised passwords were reset and provided some tips for how users can improve the security of the passwords they use. Cluley ends his post by emphasizing that any users who use their eHarmony password on other sites need to change it as soon as possible, and that it is never safe to reuse a password.
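Both the LinkedIn and eHarmony stories above involve passwords leaked as hashes, and both posts end with advice not to reuse passwords. The following Python snippet is an added illustration (not code from any of the posts or companies mentioned) of why the way a site stores those hashes matters as much as the advice to users: neither post says which hash the sites used, so the "weak" side here assumes a generic unsalted, fast hash (SHA-1 is used only as a stand-in), and the "strong" side uses PBKDF2-HMAC-SHA256 with a per-user random salt. The sample user records and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; two users chose the same password on purpose.
SAMPLE_USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery",
}


def weak_hash(password: str) -> str:
    """Unsalted, fast hash (stand-in for what a leaked dump often contains).

    The same password always maps to the same digest, so a dump lets anyone
    spot which users share a password and crack them all with one guess list.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Salted, slow hash: a fresh random salt per user plus a PBKDF2 work factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute the PBKDF2 digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def weak_table(users: dict) -> dict:
    return {user: weak_hash(pw) for user, pw in users.items()}


def strong_table(users: dict) -> dict:
    return {user: make_record(pw) for user, pw in users.items()}


def users_with_shared_digest(table: dict) -> int:
    """Number of accounts whose stored value equals some other account's value.

    For an unsalted dump this is exactly what an attacker reads off the file;
    for a salted table it is always 0 even when users share a password.
    """
    counts = Counter(table.values())
    return sum(n for n in counts.values() if n > 1)


def strong_digests_shared(users: dict) -> int:
    """Same check as above, applied to the digest field of the salted records."""
    digests = {user: rec["digest"] for user, rec in strong_table(users).items()}
    return users_with_shared_digest(digests)


if __name__ == "__main__":
    weak = weak_table(SAMPLE_USERS)
    print("unsalted: accounts sharing a digest =", users_with_shared_digest(weak))
    print("salted:   accounts sharing a digest =", strong_digests_shared(SAMPLE_USERS))
    rec = make_record("Summer2012!")
    print("verify correct password:", verify(rec, "Summer2012!"))
    print("verify wrong password:  ", verify(rec, "summer2012!"))
```

Run as a script it reports two accounts sharing a digest in the unsalted table and none in the salted one, which is the property that makes a leaked unsalted dump so cheap to attack in bulk. The iteration count is a placeholder; pick it by measuring login latency on your own hardware rather than copying this value.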