Security News #0x12: LeakedOut
This week we come to you from Orlando, FL, site of the sixteenth Colloquium on Information Systems Security Education.
- The big news this week has been the leaking of password hashes from a range of sites.
  - First up is LinkedIn, which had 6.5 million password hashes posted online, some 60% of which have reportedly already been cracked. Phobos Technologies has more details, as does Chris Shiflett.
  - A second list of roughly 1.5 million is from eHarmony; Ars Technica provides some early details, while the Los Angeles Times fills in some of the blanks.
  - If you want to see the process of finding the passwords for so many hashes, you might want to take a look at Errata Security and their take.
- The NSA is looking to hire for a number of cyber-security related positions at Fort Meade, including:
- Cyber Security made the Washington Post again this week, now with a discussion of Shodan.
- The New York Times discussed Flame and cyberwar.
- Flame, of course, has been in the news. It has been widely reported that it uses a Microsoft certificate to sign code, allowing it to perform a MitM attack against Windows Update.
- Firefox fixed a number of vulnerabilities this week.
- There is a new Metasploit module for XP3 systems with Visio installed. The attack exploits CVE-2011-3400 and allows remote code execution through Internet Explorer.
- Those of you who have gone through my class know that I love ModSecurity. Well, the first four chapters of Ivan Ristic’s book ModSecurity Handbook are now available online.