[ale] Fwd: [ NNSquad ] Huge attack on WordPress sites could spawn never-before-seen super botnet

Michael H. Warfield mhw at WittsEnd.com
Sat Apr 13 13:45:28 EDT 2013


On Sat, 2013-04-13 at 11:22 -0400, Charles Shapiro wrote:
> I'm a fan of keepass (http://keepass.info/ ). The Android version is
> available on the Google Play store.  It works for me both places.

KeePass is very helpful in managing massive numbers of different
passwords on different sites.  I used it extensively and dropped
Revelation on Fedora and switched just so I had database compatibility
with my password safe on Android.  It doesn't help with password
complexity (unless you use the password generator, which only JUST showed
up in the KeePassX 2.x version - 2.0 alpha4).

Native KeePassX source can be had from here:

http://www.keepassx.org/

It's compatible with KeePass 2.x on Android et al and doesn't need Wine
to run the binaries.

Password reuse between unrelated sites is a higher threat than weak
brute forced passwords.

If you can use 2-factor authentication, you're even better off.
Google-auth is a free implementation of OATH OTP (One Time Password)
supporting both HOTP (hash/HMAC based) and TOTP (time based) that works
as well as (expensive) RSA tokens.  There's also YubiKey, which I
understand Google is looking at for their "secret decoder ring" 2-factor
auth (I have to look at that yet).  With 2-factor auth, they can't brute
force your passwords and, even if they can steal and crack your static
password hashes due to weak passwords, it still does them no good
without the 2-factor seed and information.

I've been experimenting with Google Authenticator 2-factor auth to my
laptop for a year now.  It's not bad at all.  Just means I have to have
my smartphone handy when I first log in.  There are lots of plugins for
lots of systems and packages.

Regards,
Mike

> -- CHS
> 
> 
> On Sat, Apr 13, 2013 at 8:26 AM, Chuck Peters <cp at axs.org> wrote:
> 
> >
> > ---------- Forwarded message ----------
> > From: Lauren Weinstein
> > Date: Fri, Apr 12, 2013 at 9:30 PM
> > Subject: [ NNSquad ] Huge attack on WordPress sites could spawn
> > never-before-seen super botnet
> > To: nnsquad at nnsquad.org
> >
> > Huge attack on WordPress sites could spawn never-before-seen super botnet
> >
> > http://j.mp/ZRZksL  (ars technica)
> >
> >    "The unknown people behind the highly distributed attack are using more
> >     than 90,000 IP addresses to brute-force crack administrative
> >     credentials of vulnerable WordPress systems, researchers from at least
> >     three Web hosting services reported. At least one company warned that
> >     the attackers may be in the process of building a "botnet" of infected
> >     computers that's vastly stronger and more destructive than those
> >     available today. That's because the servers have bandwidth connections
> >     that that are typically tens, hundreds, or even thousands of times
> >     faster than botnets made of infected machines in homes and small
> >     businesses."
> >
> >  - - -
> >
> > Up in the Net!  It's a bug!  It's a phish!  It's SUPER-botnet!
> >
> > --Lauren--
> > Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
> > Co-Founder: People For Internet Responsibility:
> > http://www.pfir.org/pfir-info
> > Founder:
> >  - Network Neutrality Squad: http://www.nnsquad.org
> >  - PRIVACY Forum: http://www.vortex.com/privacy-info
> >  - Data Wisdom Explorers League: http://www.dwel.org
> >  - Global Coalition for Transparent Internet Performance:
> > http://www.gctip.org
> > Member: ACM Committee on Computers and Public Policy
> > Lauren's Blog: http://lauren.vortex.com
> > Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren
> >
> >
> > The Google+ thread is at
> > https://plus.google.com/114753028665775786510/posts/81U47ANqxDn
> >
> > I'll be checking some wordpress sites more, but for the time being I
> > changed the already good passwords using apg -s -a 1 -m 16 -n 4 -E
> > "B8G6I1l0OQDS5Z2!(),.[]{|}"' and found wordpress doesn't like \.  Then I
> > added something one would think wordpress should do by default:
> > https://wordpress.org/extend/plugins/limit-login-attempts/
> >
> > Now I want a password manager that works on the Linux command line, and
> > works on my Android Nexus 7.  Any suggestions?
> >
> >
> > Chuck
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
> >
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
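The OATH HOTP/TOTP scheme Mike describes above (the one Google Authenticator and the RSA-style tokens implement) is small enough to show in full. The following is an added example, not code from the thread, from KeePass or from Google Authenticator: HOTP per RFC 4226, TOTP per RFC 6238, and a server-side verifier that tolerates one step of clock drift and refuses to accept a code for a step that has already been used. The secret is the RFC test-vector secret, not a real seed; the names hotp, totp, TotpVerifier and the window/replay policy are this example's own choices.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python, plus a verifier
with a drift window and replay protection.

Added example; not code from the mailing-list thread, KeePass or Google
Authenticator.  RFC_TEST_SECRET is the published RFC test-vector secret,
not a real seed.  The verifier's window and replay policy are assumptions
made for this example.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # secret used by the RFC 4226/6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP with counter = floor((time - T0) / step)."""
    return hotp(secret, int((for_time - t0) // step), digits, algo)


class TotpVerifier:
    """Server-side check.  Accepts the code for the current time step plus
    `window` steps on either side (clock drift), and never accepts a code
    for a step at or below the last step already accepted (replay).
    The 'last accepted' state is in memory here; a real service persists it
    per user so that a restart does not reopen the replay window."""

    def __init__(self, secret, step=30, digits=6, window=1, algo=hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self.last_accepted_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                             # already consumed: reject replay
            expected = hotp(self.secret, step, self.digits, self.algo)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


def rfc_vectors_pass() -> bool:
    """Check the implementation against the published RFC 4226 / RFC 6238 vectors."""
    hotp_expected = ["755224", "287082", "359152", "969429", "338314",
                     "254676", "287922", "162583", "399871", "520489"]
    totp_expected = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                     1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}
    ok = all(hotp(RFC_TEST_SECRET, c) == v for c, v in enumerate(hotp_expected))
    return ok and all(totp(RFC_TEST_SECRET, t, digits=8) == v for t, v in totp_expected.items())


if __name__ == "__main__":
    print("RFC vectors:", "pass" if rfc_vectors_pass() else "FAIL")
    print("current TOTP for test secret:", totp(RFC_TEST_SECRET, time.time()))
```

Two points worth noting from the code. First, the whole strength of the scheme is the seed: a stolen password hash buys nothing, but a stolen seed buys every future code, which is why the seed must be stored at least as carefully as a password hash. Second, the verifier must do the replay check; a bare TOTP comparison lets an attacker who shoulder-surfs a code reuse it for the rest of that 30-second step.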
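Chuck's fix further down the thread, the limit-login-attempts plugin, counts failures per source address. Against the attack in the ars technica excerpt, which spreads guesses over 90,000 addresses, a per-IP limit alone never trips. The example below is added here and is not the plugin's code nor anything from the thread: a sliding-window limiter keyed both by source IP and by target account, run over a constructed stream of authentication events (the username/IP/result information WordPress exposes to a plugin on a failed login). The thresholds, the 600-second window, the addresses (documentation ranges) and the names LoginLimiter, run and constructed_events are this example's own assumptions.

```python
"""Brute-force login limiting keyed by source IP and by target account.

Added example, not code from the limit-login-attempts plugin or from the
thread.  Events are constructed: (timestamp, source_ip, username, success).
Thresholds and window are assumptions chosen for the demonstration.
"""
import collections

WINDOW = 600            # seconds of failure history counted against a key
PER_IP_LIMIT = 5        # failures from one source address before it is blocked
PER_USER_LIMIT = 20     # failures against one account, from any source, before it is blocked


class LoginLimiter:
    """Sliding-window failure counters, one keyed by IP and one by account."""

    def __init__(self, window=WINDOW, per_ip=PER_IP_LIMIT, per_user=PER_USER_LIMIT):
        self.window, self.per_ip, self.per_user = window, per_ip, per_user
        self.ip_fail = collections.defaultdict(collections.deque)
        self.user_fail = collections.defaultdict(collections.deque)

    @staticmethod
    def _count(dq, now, window):
        """Drop timestamps older than the window, return how many remain."""
        while dq and dq[0] <= now - window:
            dq.popleft()
        return len(dq)

    def check(self, ts, ip, user):
        """Return None if the attempt may be processed, else 'ip' or 'user'."""
        if self._count(self.ip_fail[ip], ts, self.window) >= self.per_ip:
            return "ip"
        if self._count(self.user_fail[user], ts, self.window) >= self.per_user:
            return "user"
        return None

    def record(self, ts, ip, user, success):
        """Record the outcome of an attempt that was allowed through."""
        if success:
            self.ip_fail[ip].clear()    # a real user who finally got it right is forgiven
            return                      # the per-account counter is deliberately NOT cleared
        self.ip_fail[ip].append(ts)
        self.user_fail[user].append(ts)


def run(events, limiter=None):
    """Feed events through the limiter; return counts of allowed/blocked attempts."""
    limiter = limiter or LoginLimiter()
    outcome = collections.Counter()
    for ts, ip, user, ok in events:
        reason = limiter.check(ts, ip, user)
        if reason:
            outcome["blocked_by_" + reason] += 1
            continue                    # blocked attempts never reach password checking
        limiter.record(ts, ip, user, ok)
        outcome["allowed"] += 1
    return dict(outcome)


def constructed_events():
    """Constructed sample: a legitimate admin, one noisy attacker, one distributed attacker."""
    ev = []
    # real admin from a home address: two typos, then success
    ev += [(0, "203.0.113.7", "admin", False), (20, "203.0.113.7", "admin", False),
           (40, "203.0.113.7", "admin", True)]
    # single-source brute force: 8 guesses from one address
    ev += [(100 + i, "198.51.100.9", "admin", False) for i in range(8)]
    # distributed brute force: 30 addresses, only 2 guesses each, all against 'admin'
    for i in range(30):
        ip = "192.0.2.%d" % (i + 1)
        ev += [(300 + 2 * i, ip, "admin", False), (301 + 2 * i, ip, "admin", False)]
    return sorted(ev)


if __name__ == "__main__":
    print("per-IP and per-account:", run(constructed_events()))
    print("per-IP only:           ", run(constructed_events(), LoginLimiter(per_user=10 ** 9)))
```

With the per-account counter active, the single-source attacker is cut off after 5 guesses and the distributed attacker after the account has seen 20 failures in total; with only the per-IP counter, every one of the 60 distributed guesses is allowed because no address exceeds 2. The cost of the per-account limit is that an attacker can lock the real administrator out, which is why it pairs with the 2-factor login Mike describes rather than replacing it: a password that cannot be used alone is not worth brute-forcing in the first place.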