Encryption

Lessons From LastPass Breach

Password management firm LastPass admitted to being PWNED by hackers. If you are a customer, your data was potentially breached, and so we “Paranoid Androids” will be spending a significant amount of the holidays changing passwords and double-checking our MFA settings. The bad guys apparently got away with a massive stash of customer data, including password vault data that could be compromised by brute-forcing or guessing master passwords. So much for the “Zero Knowledge” strategy, or is this it working? Is this as bad as it could get in terms of password manager security? I guess the only thing that could compromise your passwords quicker would be an attacker literally looking over your shoulder (known as shoulder surfing) while you type in your username and password. But, well now, let’s look on the bright side, as long as you have diligently respected the power of keyspace and dutifully used…


Security Of The Alexa Top Sites

Introduction

The Alexa Top Websites (https://www.alexa.com/topsites) can be used to monitor the popularity trend of a website and compare the popularity of different websites (Wikipedia). To gauge the security posture of the internet as a whole, mapping information from the Alexa Top Sites is useful. AlexaCheck.py assists by building a PostgreSQL database that stores header information from each website, the first listed resolved IP address, the HTTP response code, and MX records. The header information also includes cookies that are passed during an initial connection. This approach was used to examine the security of the Alexa Top Websites in the research paper CookiExt: Patching the Browser Against Session Hijacking Attacks. AlexaCheck.py can also accept a list of other domains you want to check for forced TLS encryption and inspect cookies and other header information.

Specific HTTP Security Risks

SSL/TLS Enforcement

The Alexa Check database allows analysis of a particular website…
