Barnes & Noble databases hacked

[j.p.s]

Quote:

Originally Posted by Deskisamess

And as Data wonders...

And whether it is attached to the rest of you or not. (e.g. Minority Report)

[DiapDealer]

Quote:

Originally Posted by Uncle Robin

Bitwarden does ok for me - I doubt there's much about my life that interests Five Eyes enough to bother cracking the 12-25 character passwords it generates for each website I use. Remembering the master passphrase is much easier than trying to decipher the drunken spider's scrawl that would be any handwritten list I might create.

Yep. I use Bitwarden (with biometrics that allow me to avoid having to type the master password on my phone) in conjunction with two-factor authentication (Yubikey wherever possible, otherwise authenticator app) on sites where any sensitive personal data is stored. One can even host the Bitwarden server/database on their own in-house hardware if they're extra particular (I'm not).

But all the precautions in the world might not help when someone gets their hands on hardware (either though outright theft or employee negligence)

I control what I can control, and honestly don't worry a lot about the rest (except for being very particular about the number of sites that I will purchase anything from).

I had an account with B&N a long, long time ago, but I've heard nothing from them about this breach. More than likely, that's because I was registered using an email address that's no longer active, and very probably using a credit card I no longer have. *shrug*

[twowheels]

I tried Yubikey for a while, but found it to be too annoying due to not working in all browsers, on all OSes, so I gave up on that and just use TOTP now.

I use KeePass for my password databases, with multiple databases to segregate the risk a bit if one is compromised. I sync the databases myself, and don't use browser plugins for auto-filling the fields.

This works for me, though a few "security features" of some websites make it very difficult at times, for example sites that won't let you paste into the password field, or sites that accept one long password when changing your password, but then won't let you type the same password when trying to log in, or sites that say "you have to use special characters, but not that one!" meaning that I have to generate a few times to get one that'll pass, or sites that have stupidly short maximum lengths, like 8-12 characters (when NIST suggests 12 as the minimum), or even special character requirements at all, they should just require LONG passwords, without any complexity rules since complexity rules actually reduce the possible entropy and reduce the size of the search space for brute force attacks.

[DiapDealer]

I've not run into any snags with Yubikey yet. Of course I only ever use one browser on only 2 OSes. Plus I rarely have emergencies where I absolutely NEED to easily access all of my stuff away from the home/work environment. Also, Yubikey is typically only one of my 2FA options. If I ever run into an emergency where I need to access my stuff with uncooperative OSes/software, there's still the authenticator app backup.

[GeorgeYellow]

So, more days later and a number of NOOK/BnCloud features are still not working, or working intermittently.

For example, Search on an author like "Patterson" will never complete.

Synchronization still seems to be spotty.

More interesting seems to be the lack of notice - if a service drops and a handful of people notice, will it ever come back?

[fjtorres]

Quote:

Originally Posted by GeorgeYellow

More interesting seems to be the lack of notice - if a service drops and a handful of people notice, will it ever come back?

Hard to tell since the people whose job is to notice--the tech media and trade press--didn't notice until the fifth day. Or noticed but didn't think it was worth reporting. Even then the trade press didn't say a word until after everybody else, down to local TV stations, had reported. They were scooped by Goodereader of all places.

Doesn't speak well of Nook's relevance.

As is, some folks are still waiting to hear from Daunt.
Not the best example of corporate leadership.

[Fiat_Lux]

Quote:

Originally Posted by pwalker8

It's correct that you shouldn't use the same password for different sites. Pass that, most individuals don't need CIA level security.

Back in the 1950's, that would have been the case.

Today, any self-respecting hacker worthy of the name, has a toolchain that is equal to what is available to any TLA.

Defining security threats, and threat models is more important than it has been in the past. However, the starting point should be that the resources that were once exclusive to TLAs with an extremely high budget, are now available to virtually anybody who has the forwithall to utilize them. That means that one needs to assume that the CIA is the least competent threat to one's security, not the most competent.

###

Rephrasing.
If somebody wants to target you, they can get more data about you today, from commercial vendors, than the entire range of Five Eye Intelligence Agencies, plus the Chinese Intelligence Agencies, alongside their puppet states, plus the Russian Intelligence Agencies could have obtained about you, as recently as five years ago.

If your concern is drive-by attacks, the tools used today are from nation-state TLAs.

[Fiat_Lux]

Quote:

Originally Posted by fjtorres

Sensible.

As is, IT thinking on passwords has been evolving and many are rethinking their user system security policies. Biometrics are filtering down to phones and fairly cheap tablets and PCs. Fingerprint readers and, yes, facial recognition, are replacing passwords as the key authentication systems at the user level, even if PIBS and passwords remain as a "security blanket". Even security fobs and keys are coming to PCs.

At the corporate level security fobs, keys, and cards and biometrics are the minimum at most well run places and have been for decades.

There's too much compute power out there for even the hardiest password to be trusted for mission critical security.

The problem with biometric authentication, is that once you've lost that, you not only have no protection, but are assured that you will never be able to protect anything again.

The only long term result of biometric authentication, is that nothing will be authenticated, or securable.

[pwalker8]

Quote:

Originally Posted by Fiat_Lux

Back in the 1950's, that would have been the case.

Today, any self-respecting hacker worthy of the name, has a toolchain that is equal to what is available to any TLA.

Defining security threats, and threat models is more important than it has been in the past. However, the starting point should be that the resources that were once exclusive to TLAs with an extremely high budget, are now available to virtually anybody who has the forwithall to utilize them. That means that one needs to assume that the CIA is the least competent threat to one's security, not the most competent.

###

Rephrasing.
If somebody wants to target you, they can get more data about you today, from commercial vendors, than the entire range of Five Eye Intelligence Agencies, plus the Chinese Intelligence Agencies, alongside their puppet states, plus the Russian Intelligence Agencies could have obtained about you, as recently as five years ago.

If your concern is drive-by attacks, the tools used today are from nation-state TLAs.

The 50's were before my time, but ever since online started, the computer security issue is the same as every day security issues, useless someone has a strong reason to go after you, you just need enough security to discourage the casual thief. So, you hide your valuables and don't leave your car door unlocked, even though someone could break out your window, or pop the lock.

Unless someone has a reason to think that you have something worth stealing, as long as you have a good firewall at home and keep the firmware up to date, you don't have much to worry about. There is simply too much low hanging fruit with people who don't have firewalls or don't keep their firmware up to date. When you are using public WiFi, then VPN is a good idea.

Hackers either go after targets of opportunity (i.e. totally unprotected machines at the airport, Starbucks or some such thing), or machines that might yield significant value, such as a large corporation. It's like a co-worker once commented about someone who bragged about having a gun in every room in case of home invasion. If you have to worry that much, then you live in the wrong neighborhood. People who do that sort of thing usually do it because it makes them feel good, not because it's actually needed.

I've been online since the early 80's. In all that time, I've never been hacked and I've never had a virus. It's just a case of taking normal precautions and not doing something stupid. I've had firewalls since I built my own on a unix box back in the 90's (the firewall on the typical router is fine now) and I've used anti-virus since Norton was state of the art. I don't click on links in e-mails. Just simple stuff.

[DNSB]

Quote:

Originally Posted by pwalker8

I've been online since the early 80's. In all that time, I've never been hacked and I've never had a virus. It's just a case of taking normal precautions and not doing something stupid. I've had firewalls since I built my own on a unix box back in the 90's (the firewall on the typical router is fine now) and I've used anti-virus since Norton was state of the art. I don't click on links in e-mails. Just simple stuff.

I will admit that during my IT career, I have made a few dollars cleaning up computers belonging to those who didn't see why they needed antimalware software since "they were careful about which websites they visited and never clicked on links in emails from unknown persons".

To me, the definition of low hanging fruit was one genius who had a telco modem with two LAN ports. One of them was wired to his wireless router but he decided to plug his computer into the second LAN port bypassing the router since "I thought it would be faster". You can probably guess what happened when an unpatched Windows computer was exposed directly to the Internet.

[DiapDealer]

Quote:

Originally Posted by DNSB

You can probably guess what happened when an unpatched Windows computer was exposed directly to the Internet.

Hung an unused NT server directly on the internet back in the late 90s just as a test. Pretty sure someone was knocking on the door after about 20 minutes. There was a fully functional ftp server (full of warez content) operating inside of 12 hours.

[fjtorres]

Quote:

Originally Posted by Fiat_Lux

The problem with biometric authentication, is that once you've lost that, you not only have no protection, but are assured that you will never be able to protect anything again.

The only long term result of biometric authentication, is that nothing will be authenticated, or securable.

Well, if they cut your finger off you'll have a bigger problem than accessing your PC.
Current biometrics are a transition phase before they get around to DNA and brainwave logins.

No security is perfect.

But unless you're a politician's relative, there's a limit to how far the bad buys will go to steal your credit card info. They prefer low hanging fruit like businesses that don't patch known VPN vulnerabilities for 18 months.

[fjtorres]

Quote:

Originally Posted by DiapDealer

Hung an unused NT server directly on the internet back in the late 90s just as a test. Pretty sure someone was knocking on the door after about 20 minutes. There was a fully functional ftp server (full of warez content) operating inside of 12 hours.

Anything in there worth compromising one's ethics?

Today it wouldn't last 12 seconds with all the robotools scanning out there.

[DNSB]

Quote:

Originally Posted by fjtorres

Well, if they cut your finger off you'll have a bigger problem than accessing your PC.

Perhaps one of those fingerprint scanners that also check blood oxygen level and pulse?

[fjtorres]

Quote:

Originally Posted by DNSB

Perhaps one of those fingerprint scanners that also check blood oxygen level and pulse?

I was thinking of touch typing problems minus the finger.