Naked Security

News in brief: porn database hacked; Obama call to Trump; MPs move on Snooper’s Charter

Your daily round-up of what else is in the news

Your daily round-up of some of the other security stories in the news

Porn site database hacked

Free-to-join porn site xHamster has almost certainly suffered a breach of more than a third of a million entries from its authentication database.

The good news, if you like to find silver linings, is that authentication databases usually consist of what’s needed to check that you’re a registered user and not much more, so personal information such as phone numbers, dates of birth, postal addresses and so on is typically not included.

The bad news is that the stolen xHamster data apparently includes usernames, email addresses and unsalted password hashes created with a single iteration of the MD5 algorithm.

Many reports are focusing on the insecurity of MD5 itself as a risk here, but the key problem is the ease with which crooks can try out passwords hashed with just a single iteration of any well-known hashing algorithm.

If you’re storing password hashes, use a time-consuming salt-hash-and-stretch technique such as PBKDF2, bcrypt or scrypt to slow down password-guessing attacks.

If you’re picking passwords, choose a completely different one for each site, so that one hacked account doesn’t open up your whole online life. Paul Ducklin

Obama urges Trump to adopt cyber recommendations

President Obama has called on Donald Trump to take up the recommendations of a 100-page report on bolstering America’s cybersecurity capabilities. The report, the result of nine months of work by Obama’s Commission on Enhancing National Cybersecurity, makes a number of recommendations, from shoring up IoT security to creating a “culture of cybersecurity” among government officials.

The report is purely advisory, which means that Trump could ignore it – and certainly thus far he hasn’t been forthcoming on his approach to cybersecurity. Launching the report, Obama called on Trump to adopt its recommendations, saying: “Now it is time for the next administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change both in the United States and around the world.”

Lawmakers exempt themselves from snooping law

UK citizens are now subject to potentially much greater surveillance than ever before, thanks to the new Investigatory Powers Act, which became law last week. One small consolation is that some of the most intrusive surveillance, such as citizens’ internet browsing history, which ISPs will routinely collect, won’t be available to law enforcement without a warrant, which has to be authorised by the secretary of state.

Unless you happen to be an MP, in which case there are greater protections in place: any such warrant would have to be approved not only by the secretary of state, but also by the prime minister. That rule also applies to members of the Scottish and Welsh assemblies, and to MEPs. What was that about some of us being more equal than others?

Catch up with all of today’s stories on Naked Security


1 Comment

“…ensure that cyberspace can continue to be the driver for prosperity, innovation, and change both in the United States and around the world.” He just can’t get off his ‘change’ horse, can he?
