Jun. 1st, 2017

thewayne:
First, Kmart has once again found malware in their store point-of-sale systems. This is not a first for Kmart, and apparently does not affect online sales or the stores of their partner, Sears. Kmart is my wife's pharmacy, so I expect we'll be getting new cards from our bank in a month or two, which will mean Amazon resets and all the joy that entails.

https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/


The OneLogin breach is bad. This is a password vault company where you can store logins and passwords for everybody that you do business with online, so with this one violation everyone that you have an online account with is potentially compromised. Bad news. Very bad news for a lot of people and companies.

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/


Now, it is not easy to know whether an online identity has been compromised. We use email addresses as logins to numerous web sites, but what gets compromised when a site gets hacked? The valuable information is the login identity and the password information. While passwords are frequently stored hashed (one-way encrypted), sometimes they're not and are stored as plain text. And a lot of people commonly use the same password on lots of sites. Thus, a password that was used on Site A might work on Site B.

Even if the password is encrypted, sometimes the site doesn't use what is known as a salt value. In this case, something called a Rainbow Table can be run against the encrypted password list to try and decode passwords. A rainbow table is a precomputed list of encrypted values for dictionaries of known words, random words, words in Klingon, phrases from Shakespeare, etc. that are commonly used in passwords. If one of these entries matches an encrypted password, the attacker now knows what that password was and can try it with the matching email address against an Amazon account or bank or whatever.

Salting a password is adding a hidden value to it. For example, if I append the value '123' to your password, the encrypted value is much harder to match against a rainbow table, because the encrypted values of MyPassword and MyPassword123 are different. In practice the salt is a random value chosen separately for each account and stored next to the encrypted password, so two people with the same password still end up with different encrypted values and a table computed ahead of time doesn't match any of them. And if you use the password MyPassword, DON'T. It's a ridiculously easy password to hack. But I'm not going to talk about strong passwords right now.
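To make the salt point concrete, here is an added example (not code from the post) showing that a precomputed table of hashed dictionary words matches an unsalted hash immediately but misses the same password once a per-account random salt is in play; the wordlist, the `WORDLIST` name and the use of SHA-256 are my own choices for illustration.

```python
import hashlib
import os

# Constructed wordlist standing in for the dictionaries the post describes.
WORDLIST = ["MyPassword", "letmein", "Qapla'", "tobeornottobe"]


def unsalted_hash(password: str) -> str:
    # How a site without salting stores a password: hash of the bare password.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # Per-account random salt, stored beside the hash; it need not be secret.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words):
    # Precomputed hash -> word table. Without a salt, recovering a leaked
    # password from a dump is a single dictionary lookup in this table.
    return {unsalted_hash(w): w for w in words}


def lookup(table, leaked_hash):
    # Returns the matching word, or None if the table has no entry.
    return table.get(leaked_hash)


def demo():
    table = build_table(WORDLIST)
    # Unsalted site: the leaked hash of MyPassword is found at once.
    leaked_unsalted = unsalted_hash("MyPassword")
    # Salted site: two accounts share the password but get different salts.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    leaked_a = salted_hash("MyPassword", salt_a)
    leaked_b = salted_hash("MyPassword", salt_b)
    return {
        "unsalted_recovered": lookup(table, leaked_unsalted),
        "table_hits_salted": lookup(table, leaked_a),
        "same_password_differs_per_account": leaked_a != leaked_b,
    }


if __name__ == "__main__":
    print(demo())
```

A real site should also use a deliberately slow hash such as bcrypt or PBKDF2 on top of the salt, so that even per-account guessing is expensive.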

When a web site is compromised, such as OneLogin, frequently the accounts will appear on a web site as a 'dump file'. There are characteristics that let security analysts trace back a dump file to know that File X was taken from Site Y. And there's a web site that will tell you if your email address has ever appeared in a dump - https://haveibeenpwned.com/.

The operator of Have I Been Pwned took it upon himself to collect dumps and load them into a cloud-based edition of SQL Server. He doesn't store any passwords, just an email address and information on which dumps that address has appeared in. You go to the web site, enter your email address, and you'll learn where your address may have been compromised. It's not a bad idea to check occasionally.

Myself, I have two primary email addresses. My main one has been compromised a number of times, and I don't really care because it's used mainly for email. My more sensitive account has only been compromised once, and that was an Adobe hack. My PayPal email account has never been found in a dump, which is nice. But what I found interesting was that my main email address has been found in lists that "was broadly circulated and used for 'credential stuffing', that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password." I'm not concerned because I never reuse passwords on systems where I have credit cards tied. I do reuse passwords on low-value systems OCCASIONALLY, like some message boards that I don't often revisit, but that's slowly coming to an end.

Anyway, you might want to check out this site; it's interesting.

https://haveibeenpwned.com/
