As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter. Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.
Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it. It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the DNS provider that provides the translation from “www.twitter.com” to the numeric IP address of their servers and instructed the DNS servers to send traffic to their server, which hosted their replacement home page. The attackers used valid credentials, which were probably filched from a compromised email account or document swiped from Twitter servers. The lesson here? Guard those user names and passwords and don’t use the same password for all of your accounts!
I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible. However, I have found an answer to this issue… LastPass is a web site and browser add in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome. When you start your browser, you type in one password to decrypt the password files and you are set to go. You can use 2 factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.
I have been using LastPass for a while now and have found it to be be a breeze to use. Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.
The main question is… are these guys trustworthy? My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.
I’m using LastPass, and I’m prettay, prettay paranoid..