
The 25 Worst Passwords of 2015

Password management company SplashData released its annual round-up of the worst passwords of 2015. The report is based on more than 2 million passwords that leaked online during the year. One trend the company found in 2015 is that while users are coming up with longer passwords, they are simple and not random. Here’s SplashData’s complete list of the 25 worst passwords for 2015, with their ranking from 2014 in brackets:

1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 1)
5. 12345 (Down 2)
6. 123456789 (Unchanged)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)

A Brief History of the Password Problem, Part 4: Worst Passwords of...

23,000 US government emails were dumped on the Dark Web and no one knows where they came from

Last week the US Office of Personnel Management (OPM) owned up to being breached by hackers. No concrete facts have surfaced since, and the extent of the hack’s damage remains unclear. We just know it’s worse than anyone is willing to say. Now databases containing private federal-employee data are being dumped on the Dark Web. One such database includes over 23,000 government email addresses, reports Motherboard.

So what’s going on here?

The hacker behind the 23,000 .gov emails dump goes by the name of Ebolabad. He has taken credit for the huge OPM breach, posting in broken English “Is not China. Is me I am sell [sic] for highest bid.” Motherboard asked experts to analyze the data Ebolabad posted on the Dark Web forum, and they believed the names and addresses to be real.

Another cybersecurity expert, however, told Business Insider that he does not believe Ebolabad’s data trove to be from the OPM. “To me, it would not make sense that this is from the same database,” said Dave Aitel, the CEO of cybersecurity company Immunity. “In particular, the database that the OPM had was a list of all the background information of the federal employees.” What was just posted for sale online, explained Aitel, included passwords. It doesn’t appear that the OPM had access to passwords. “That would,” Aitel went on, “indicate it’s from a forum or some other source.”

What, then, should we think about the OPM breach?

Even so, for the last week many have characterized the OPM hack as one of the biggest government data breaches to date. On Thursday, the American Federation of Government Employees sent out a letter blasting the OPM for its poor security posture. The letter said:

“Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.

We believe that hackers have every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more. Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.”

That sounds bad. In short, nothing is safe. This, explained Aitel, is because there are hundreds of government databases that aren’t considered classified. And, when it comes down to it,...

Programmer Site GitHub Says It’s Victim of Service-Denial Attack

(Bloomberg) — GitHub Inc., a U.S. website designed for computer programmers, has been under attack since Thursday in what may be an attempt by China to disrupt efforts to circumvent that country’s censorship policies. The San Francisco-based service, which helps programmers and tech companies share ideas for software development, has experienced its biggest-ever distributed denial of service attack, the company said on its website. “87 hours in, our mitigation is deflecting most attack traffic,” GitHub posted on its status blog shortly after 1 p.m. New York time on Sunday. “We’re aware of intermittent issues and continue to adapt our response.” About three hours later GitHub said its evolving tactics were improving performance. The Wall Street Journal, citing cybersecurity experts it didn’t identify, on Sunday reported the attack may have originated in China and routed overseas users of Baidu, China’s biggest search engine, to overwhelm two GitHub pages that linked to sites banned in China. Roland Dobbins, a senior computer-security analyst with Arbor Networks Inc., said in a telephone interview that the incident appears to be a so-called reflection attack in which traffic is redirected from other sites to overwhelm the victim. He said he doesn’t have any insight on who is behind it and that tracking down a culprit often is less important than a strong defense against the attacks. Those behind the assaults are “basically using other systems to attack” on their behalf, Dobbins...

How to Secure Mobile Messaging App Features

When you send a text or MMS from your phone the normal way, you can’t control what happens to the information once it leaves your device. Wireless carriers are required to save messages for a certain length of time to assist authorities in criminal investigations. The recipient can save the message indefinitely, or send it to someone else without your knowledge or permission. That means those risqué photos, videos or texts you sent to your significant other could come back to haunt you in the future. There are web sites where people post pictures and messages of a private nature sent by their exes as a form of revenge. Relatively innocuous business-related messages could prove damaging if taken out of context later. Even if you don’t have a disgruntled ex or business partner, the recipient’s device could be lost or stolen, or their cloud accounts hacked.

Several messaging and social media apps have sprung up in response to these security concerns. But how secure are they? Let’s examine the features you should look for in a messaging app that will keep your private messages under wraps.

End-to-End Encryption

Encryption uses a public and private key to encode and decode the messages. A secure messaging app should generate and store the keys on the user’s device, not on a server. The keys should only leave the device by action of the user, such as creating a backup or transmitting them to a new device. This means that even if a company is subpoenaed or required to deliver your private messages to the authorities, they technically cannot.

In-Transit Encryption

Encryption during transmission is important because these apps use a data connection instead of the phone connection. If you or the recipient is on WiFi, the messages could be intercepted and read by a third party. The app should also encrypt stored messages, in case the device is hacked or falls into the wrong hands.

Permanent Deletion

The digital storage on a smartphone works much like a PC’s hard drive. By default when you delete something, the operating system marks the space as available, but doesn’t actually remove the data until something overwrites the space. A secure messaging app should either remove the information completely, or only store the messages in RAM. Some messaging apps automatically delete the messages once they are read or after a specific length of time.

User Friendliness

While this isn’t a security feature in itself, it’s still important. Most secure messaging apps require both parties to be...

Advantage Dental of Redmond hacked; 151,000 patients affected

REDMOND — A company with more than 30 dental clinics serving low-income people in Oregon says it’s been hacked, and the intruders got Social Security numbers and other personal information, but not treatment or financial data. Redmond-based Advantage Dental is notifying patients and paying for an identity-theft monitoring service, The Bulletin newspaper of Bend reported Tuesday. An intruder breached its internal membership database in late February and accessed information on more than 151,000 patients, said Jeff Dover, Advantage’s compliance manager. He said malware got a username and password from an employee’s computer for access to the membership database, which is separate from the database that contains financial and treatment information. The intruder accessed the information for three days beginning Feb. 23, and then Advantage workers detected the breach. All Advantage computers are equipped with anti-virus software, but sometimes software does not detect new variations of a virus, he said. “Unfortunately this happened,” he said. “What you can do is be as transparent as you can, take responsibility for it, learn from it and then move on.” No patients have reported the data being used for criminal activity. Dover said Advantage made security changes, including shutting off access to its internal patient database from computers that are not within Advantage clinics or its headquarters in Redmond. — The Associated...
