Wednesday, September 10, 2014

A List of 5 Million 'Gmail Passwords' Leaked, But There's No Need to Panic

It might be time to change some of your passwords — again. But if you've used a Gmail password that's unique from other accounts, you might not have to worry.

A list of almost 5 million combinations of Gmail addresses and passwords was posted online on Tuesday. But the passwords seem to be old, and they don't appear to actually belong to Gmail accounts. Instead, it seems that many of the passwords were taken from websites where users used their Gmail addresses to register, according to some of the leak's victims as well as security experts.

For example, someone might have signed up for a website with the username "myaddress@gmail.com" and the password "mypassword." The list exposed this week makes it look like "mypassword" is the password for the Gmail account itself, but the user's actual Gmail password might be totally different.

The list was posted on a Russian Bitcoin forum on Wednesday, and US media started reporting on it overnight.

We can't confirm the authenticity of all the email addresses on the list, but a Mashable employee, Evan Engel, saw that his old Gmail password, which he hasn't used in years, is part of the leak.

A Google spokesman told Mashable that the company has "no evidence that our systems have been compromised," and security experts seem to agree that the passwords are either old Gmail passwords obtained through phishing, or are passwords that were actually used on other sites.

Matteo Flora, a computer security expert, reviewed the dumped file and found that around 60 email addresses were in his address book. After he alerted those people, 30 of them told him that the password either was never used for their Gmail accounts or was very old, Flora told Mashable.

Chester Wisniewski, a senior security adviser for security firm Sophos, told Mashable that he expects many of these accounts not to be valid. "There is no honor among thieves as they say, and often stunts like this are released as a sad attempt at gaining credibility among other criminals," he said.

Several Reddit users also confirmed that they found their email addresses in the leak, but that the associated password has never been their Gmail password.

"The password that I generally use for other services is shown in this list and not my gmail password," wrote a Redditor nicknamed InternetOfficer. "This proves that the hackers hacked into some other service where gmail address (or other email addresses) are used and got the password of that service not gmail password."

"The password it shows (or at least the first two characters) is NOT from a password I've ever used on Gmail," wrote another Redditor, "but it does match a password I've used on bullsh*t I absolutely don't care about."

Some hints in the dump seem to point to several different sites that could have been compromised.

Both Flora and some Reddit users have noticed that some email addresses are followed by a "+" sign and the name of a website. (If you add "+" and a word to your Gmail address, like "myaddress+mashable@gmail.com," emails to that address can automatically be archived in a folder with the word you choose.) This might indicate which websites have been compromised. Some of the sites that have been identified this way include friendster, filedropper, xtube and freebiejeebies.

Even if this dump is simply a collection of old passwords belonging to minor sites, the issue is always the same: password reuse. If you tend to reuse your passwords, check this website to see if your Gmail address is on the list.

If it is, change your passwords, and choose long ones that combine special characters and numbers. Password managers can help you keep track of your accounts.

"And stop being silly and use the same password for everything," Flora said.

Also, as usual, enable two-factor authentication on services that provide it, including Gmail. That way those accounts are more secure, even in the event that someone steals your password.

Oh, and don't freak out.

"Ignore the man behind the curtain, keep your PC up to date, use a strong password and a second factor whenever possible," Wisniewski said. "Keep calm and move along."

(Source: Mashable)

Tuesday, September 2, 2014

My Experience with the GIAC GSEC Exam (Part 2)

In the first part of my experience with the GIAC GSEC exam, I promised I would let you all in on how the exam went.  The following is to be my post exam report.

Let’s Get It Started…

So we left off last time with the idea of having practice exams to get a good feel for where you stand in your general knowledge of the topic objectives and having a good detailed index.  Next, we answer the question, how do we even get this exam setup in the first place?  To do this, head over to the SANS webpage, log in to your account, and under Certification Attempts, you’ll be able to schedule your exam at your nearest PearsonVUE testing facility.  Luckily for me, my favorite testing center, ComputerMinds, was able to accommodate me for a morning slot.  The process was really easy in my opinion and wasn’t too difficult to navigate.  The only problem I had with the PearsonVUE page was that I couldn’t schedule the exam on the Saturday I wanted.  I had to settle for a Friday.  I think this had something to do with either it being too far into the future or that it was Labor Day weekend.  I shrugged that issue off and chalked it up to some bad juju.  I was ready to take my exam and looking forward to closing out this journey.

Even the TSA Gets a Pat Down

The morning of my exam arrives and I’m awaken to the hellish sounds of the alarm clock.  I knew I’d be fighting rush hour traffic and awful construction on the way so I tossed down a couple granola bars and started driving to the testing facility.  In my excitement for taking the exam, I may have misjudged my arrival time and showed up two hours early.  Luckily for me, my favorite certification instructor was there and we caught up on lost time.  He eventually had to start his MCSA class and I was stuck in an empty lobby with a cup full of coffee in hopes to keep my mind alert during the upcoming security onslaught.

In no time, the lovely proctor showed up.  She gave me the option to start early as there was an available seat in the time slot an hour before my scheduled exam time.  I thought it over and agreed just as a line of the regularly scheduled testers walked in.  One by one they were escorted into the testing room.  Finally there was only me and someone I’ve never seen there.  I asked what exam he was taking and surprisingly, it was for a TSA exam.  Who knew there was an exam to be a TSA agent?  Anyway, the proctor du jour came back and went through the usual “sign these forms to take the test routine” and went so far as to make him raise his pant legs to make sure there were no “prohibited materials” anywhere on his person.  I had to get my dig in by informing him that we have to get our turn to search ‘em sometime in our lives… might as well be now.  We all had a good laugh and in he went.  Minutes later it was my turn.

He Gets to Take What?!

There I was… in the hot seat and ready to go.  My testing cubicle was a little cramped to fit all the allowed material, but I managed.  Wait! Allowed material? Yes, during the GSEC exam, you are allowed to have any printed material with you.  No electronic funny stuff here.  Just good ol’ paper and ink, or toner if you prefer.  My space was limited so I stacked my books in heaps of three to the right.  So books 1-3 are in one pile, and 4-6 are in another.  I had my index to the left of me.  This pretty well emulated how my practice exam sessions were setup.

I felt sorry for the other testers that opted out of ear plugs.  I always take them whether I need them or not.  It is just far more comfortable that way for me while I test.  I think the woman sitting next to me was a little frustrated even though she did opt in for the ear plug option.  When I hit my 15 minute break and stepped outside to stretch my legs, the proctor informed me that the woman thought I was cheating when she noticed me flipping through my index several times.  The proctor went on telling me that this woman got a bit upset, exclaiming “He gets to take what?!”  With a little bit of distraction, I went back in and continued the exam.

This exam is all about mental endurance.  Even that 15 minute break is not enough to help out with the “attention deficit ‘oh squirrel’” I started getting towards the end.  I had to continue to mention to myself that it will be over soon and to keep alert and focused on the task at hand.  I eventually came down to the last question and saw that I had passed my exam.  I also had a little over an hour and a half left on the clock.

Post-Exam Technicalities 

After I got the joy of knowing I had passed the exam I had been dreading, something very different happened compared to all other certification exams I’ve taken.  Where is my printed score report?  I didn’t really notice this at first.  I was just having a good time with the proctor and gathering up my things from the lockers.  Turning on my phone, I saw I had an email from SANS informing me that my score report is online and I have the option to get my certification framed.  I asked the proctor and she told me that GIAC exams don’t get a printed score report.  I’m glad she knew that so I wouldn’t have to call and raise hell with the GIAC people.  I found this very strange, but it makes sense in this day and age of “going paperless.”

I fell short of the 90% needing to get on the GIAC advisory board.  This was a goal that I kind of wanted to accomplish.  Those that do get the 90% or better get invited to a board with other certified professionals to discuss issues related to GIAC and SANS.

Walking into the Sunset…

And so ends my exam day.  I didn’t ride off into the sunset on a horse (you need 90% or better for that), but I went home feeling good knowing that the next GIAC exam will be better.  It gives me another goal to accomplish in the future.  It was an amazing journey; one that will not be soon forgotten.