When you notice a big LinkedIn password breach one day, and then several other sites also announce problems in subsequent days, there seems to be a pattern worth noticing. Here's what I've noticed of late.
Ars Technica reports that the Flame virus uses a previously undiscovered attack on the MD5 cryptographic hash in order to carry out some of its devious work.
Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.
Taking over Windows Update is game over for a compromised system, and of course it's also an efficient way to keep your bugged system up to date with the latest bugs. Flame is thus suspected of being created by a powerful nation-state, since the crypto needed to do this is beyond the grasp of all but a few skilled mathematicians.
Bricklink is reporting that their admin user id was stolen, and a number of accounts were fraudulently merged together. No word yet on how the attacker(s) got access to the key account on the system, and I haven't seen any other reporting about problems at this LEGO trading site.
As a few people noticed, a number of major accounts were merged fraudulently around 12:15 pm EDT today. As a merge is almost impossible to undo, the solution was to do a database rollback to 12:00 PM EDT today. This breach was due to the Admin user ID being stolen.
TheNextWeb writes about problems at last.fm, which is reporting a big password leak on the scale of LinkedIn. The last.fm notice reads in part:
We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.
Passwords are a weak link in many online systems, and password database security gets short shrift in some growing startups. Perhaps these two tweets from Pinboard's founder Maciej Ceglowski are worth noting to round out the report.
Pinboard @Pinboard: Proud to reassure my users that Pinboard passwords are not only hashed and salted, but pan-seared and dusted with a saffron quince reduction
Pinboard @Pinboard: (rightly) exasperated security person asks me to admit that Pinboard uses bcrypt. But there is no known way to make a bcrypt tweet funny