Password SecuritIEEE | TechSNAP 77

Password SecuritIEEE | TechSNAP 77

A big password leak from a major industry player, mobile security takes a big hit, we cover a couple of the major vulnerabilities affecting our favorite gadgets, and more Java troubles.

Plus moving from Apache to Nginx, and a big batch of your questions.

All that and so much more, on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!


Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Virgin Mobile USA customers may be at risk

  • Virgin Mobile customers in the USA access their customer portal using their mobile phone number and a 6 digit pin
  • In addition to the obvious lack of security of using such a limited keyspace, it seems that the Virgin portal does not implement any type of lockout or intrusion detection
  • Specifically, they do not block an IP after 100s of failed attempts, meaning an attacker can quickly run through the entire 1 million possible passwords and gain access to any account
  • Kevin Burke, the researcher who discovered the flaw, said that after several phone and email exchanges with parent company Sprint in which he attempted to warn them about the exploit, he was ignored and his concerns were dismissed
  • Later, a fix was applied to the portal, blocking users after 4 failed attempts, however it relied on a browser cookie to keep track of the number. In additional to how easily this mitigation is evaded, most attack scripts don’t keep cookies anyway
  • Virgin’s portal now correctly blocks an IP address after 20 failed attempts
  • Virgin uses a 404 error instead of 503 or another more proper error code
  • Additional Coverage

Security Explorations finds another Java 0-day, for Java SE 5, 6 and 7

  • Security Explorations, the Polish research firm that found the previous Java exploits, has now topped 50 different vulnerabilities reported to Oracle, and the 50th one is the worst to date
  • The flaw affects fully patched Windows 7 machine, using all major browsers
  • Oracle has produced a comprehensive status report regarding upcoming Java Critical Patch Update. The company claims to have fixes for all, except two issues (29 and 50) integrated and undergoing testing for release in the October 2012 Java SE CPU. Oracle is still evaluating fixes for Issue 50 and will provide further update on whether a fix for it will be also included in the October 2012 Java SE CPU
  • Additional Coverage

IEEE passwords exposed via FTP site

  • A researcher found a log file on a publically accessible IEEE FTP site
  • The file contained logs from 01/Aug/2012:20:46:28 +0000​ to 18/Sep/2012:08:47:17 +0000
  • The log contained around 375 million lines, 400,000 of which contained plain text passwords, 17k of which were password reset requests
  • A total of 99,979 unique usernames were found
  • 7 of the top 10 passwords were all numeric, variations of 123 – 1234567890
  • Other popular passwords included ieee2012, IEEE2012, password, library and ADMIN123
  • 38% of users use gmail, 7.6% use yahoo
  • It does not appear that the IEEE actually stores usernames and passwords in plaintext in its authentication database, but it is unclear why or how the passwords were included in the access logs
  • The IEEE acknowledged the breach
  • And issues a notice to its members, encouraging them to use strong passwords when they are forced to reset thier password
  • Additional Coverage

Your Android phone could be remotely erased by a malicious website


Book: Nginx HTTP Server

It provides a step-by-step tutorial to replace your existing web server with Nginx. With commented configuration sections and in-depth module descriptions

Have some fun:

What I wish the new hires “knew”


HALL of SHAME: Secret Microsoft policy limited Hotmail passwords to 16 characters

Question? Comments? Contact us here!