The Register: Cracking the passwords of some WPA2 Wi-Fi networks just got easier. “The folks behind the password-cracking tool Hashcat claim they’ve found a new way to crack some wireless network passwords in far less time than previously needed. Jens Steube, creator of the open-source software, said the new technique, discovered by accident, would potentially allow someone to get all the information they need to brute force decrypt a Wi-Fi password, by snooping on a single data packet going over the air.”
PRNewswire: Practice what you preach? 45% of Infosec professionals reuse passwords across multiple accounts, Lastline research says (PRESS RELEASE). “Lastline Inc., the leader in advanced threat protection, today announced the results of a survey conducted at Infosecurity Europe 2018, which suggests that 45 percent of infosec professionals reuse passwords across multiple user accounts – a basic piece of online hygiene that the infosec community has been attempting to educate the general public about for the best part of a decade.”
EurekAlert: Decade of research shows little improvement in websites’ password guidance. “Leading internet brands including Amazon and Wikipedia are failing to support users with advice on how to securely protect their data, a study shows. More than a decade after first examining the issue, research by the University of Plymouth has shown most of the top 10 English-speaking websites offer little or no advice guidance on creating passwords that are less likely to be hacked.”
Krebs on Security: Sextortion Scam Uses Recipient’s Hacked Passwords. “Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.”
From Digital Information World, and filed in our “Are you freaking kidding me,” department: Body Heat Gives Away Passwords. “A recent study made by researchers from the University of California suggested that it was possible for hackers to steal one’s password by analyzing the heat left by one’s fingers on his/her keyboard. This news was both intriguing and shocking at the same time.”
I mentioned this in an earlier issue so let me put this up-top: It does not appear that iPhones are vulnerable to brute force password attacks. From a BetaNews article: “One hacker thought he had cracked it. Security researcher Matthew Hickey proudly boasted at having discovered a delightfully simple method for brute-forcing entry into an iPhone — he even posted a video of his hack in action. But there’s no need to panic. Apple explains that ‘incorrect testing’ renders Hickey’s method worthless.”
ZDNet: A hacker figured out how to brute force iPhone passcodes. “A security researcher has figured out how to brute force a passcode on any up-to-date iPhone or iPad, bypassing the software’s security mechanisms.”
UPDATE: It appears that the security researcher was mistaken.