06-25-15 05:43 PM
  1. Have_a_nice_day's Avatar
    A gentle reminder for anyone who thinks storing their passwords in the cloud is handy. You're right it is handy, but also dangerous. I didn't read the article but from the news article (in Dutch) I understood that Keychain has a serious leak.

    Here's a link to the paper: https://drive.google.com/file/d/0Bxx...NMSGswSGs/view

    Posted via CB10
    phuoc likes this.
    06-17-15 02:22 PM
  2. katiepea's Avatar
    Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X • The Register

    friendlier read

    Apple has simply made too many APIs in attempts to make everything user friendly. Every new door you create makes your service less secure, and they have a lot of doors. iOS is probably the least secure platform, as in, your data staying with only you, on the market today.
    lift, BCITMike, raino and 1 others like this.
    06-17-15 02:45 PM
  3. BCITMike's Avatar
    Not sure why this surprised the researchers.

    Every time I hear Cook say they've never given backdoor access to NSA, I just think it's because they've never had to ask.

    Posted via CB10
    lift, anon(2313227), tryfe and 3 others like this.
    06-17-15 03:05 PM
  4. lift's Avatar
    Just another day for Apple.
    06-17-15 03:12 PM
  5. Soulstream's Avatar
    When was the last time a Google server was hacked? Cause it really seems, the Google guys know better security than Apple.
    06-17-15 04:38 PM
  6. nabollocks's Avatar
    When was the last time a Google server was hacked? Cause it really seems, the Google guys know better security than Apple.
    You're kidding, right?

    Posted via CB10
    06-17-15 04:44 PM
  7. Soulstream's Avatar
    You're kidding, right?

    Posted via CB10
    Not really. Apple was hacked last year as well, when Jennifer Lawrence naked photos were leaked. I actually do not remember the last time such an incident happened to Google services. If you do have an article to the last major hack on Google servers, please give me a link.
    06-17-15 04:48 PM
  8. veggielasagna's Avatar
    When was the last time a Google server was hacked? Cause it really seems, the Google guys know better security than Apple.
    It's not a value target like BlackBerry only poor and people stuck in the past use them. LOL
    06-17-15 04:48 PM
  9. Have_a_nice_day's Avatar
    I did not intend this as an Apple bash. I just believe that storing sensitive important information in the Cloud - any cloud service - is unwise. Today this happens to Apple (well so far it's a leak that was unveiled) tomorrow to Google, and then Dropbox, etcetera. Cloud services are very convenient, but it is not the most secure place to store this kind of information. It was only meant as a reminder of a real threat.

    Posted via CB10
    Supa_Fly1, JRF_1986 and gritsinct like this.
    06-17-15 05:15 PM
  10. LazyEvul's Avatar
    This issue has nothing to do with storing important information in the cloud - though yes, it's worth reminding everyone that appropriate precautions need to be taken if you want to do so. But this exploit is client-side, not server-side - even if you only use OS X Keychain offline, it can still be compromised.
    gritsinct likes this.
    06-17-15 05:50 PM
  11. Prem WatsApp's Avatar
    When was the last time a Google server was hacked? Cause it really seems, the Google guys know better security than Apple.
    That's probably the case, ... with Google (Linux geeks) it's more of a privacy issue than a security one.

    I'm sure my data makes it to their servers securely when using an Android, but I'm not sure what THEY are doing with it once they have it, lol... :-)

    (Even if BlackBerry had the same flaws, I guess it's currently security-through-obscurity, haha...)

      Pastaporto aglio e olio... Mmmhhh!  
    06-17-15 06:08 PM
  12. Supa_Fly1's Avatar
    I did not intend this as an Apple bash. I just believe that storing sensitive important information in the Cloud - any cloud service - is unwise. Today this happens to Apple (well so far it's a leak that was unveiled) tomorrow to Google, and then Dropbox, etcetera. Cloud services are very convenient, but it is not the most secure place to store this kind of information. It was only meant as a reminder of a real threat.

    Posted via CB10
    Agreed! This news comes less than 24hrs after a Password app and service available for both iOS and Android and OSX were breached!! And it's a MAJOR service and provider out there.
    06-17-15 06:59 PM
  13. Smitty13's Avatar
    This is just another reminder to people out there: Anything and everything stored in the cloud is now out of your hands and in the hands of server administrators as well as anyone else who can breach their security.

    I cannot stress enough that people should use an encrypted offline password database solution (my personal preference is KeePass) first and foremost.

    If it becomes an absolute necessity to store these databases in the cloud, yes, they are encrypted as is offline and secure for most intents and purposes, but why not add another layer of security and add that encrypted database to a larger encrypted volume (E.g. Veracrypt [a TrueCrypt fork]) or even add another round of encryption and obfuscation with another program (E.g. Cryptomator, Boxcryptor, etc.)

    It never hurts to be proactive on these sorts of things!
    Last edited by Smitty13; 06-17-15 at 08:05 PM. Reason: Link edit
    06-17-15 08:04 PM
  14. Centerman66's Avatar
    Posted on CB10 using my Z30 STA 100-5 on OS 10.3.2.2204
    06-17-15 08:14 PM
  15. BCITMike's Avatar
    Not really. Apple was hacked last year as well, when Jennifer Lawrence naked photos were leaked. I actually do not remember the last time such an incident happened to Google services. If you do have an article to the last major hack on Google servers, please give me a link.
    Not sure what nabollocks is referring to, but the first thing that came to mind was the unencrypted internal traffic between Google servers was being tapped so that NSA had full access to everything, including emails in your draft box that don't leave Google servers and go out over the public pipes.

    When the Snowden leaks came out, Google went apetish and enabled encryption on all their servers and encrypted internal inter-server traffic. But I think most admins would think they could run internal traffic inside their building unencrypted for performance and troubleshooting reasons without thinking the NSA is snooping everything. So I don't fault them for being unencrypted in the first place and I give them kudos for turning it on everywhere as fast as they could after finding this out.

    Google and BlackBerry time and time again work on processes and methods to be secure, whereas Apple, not so much (fingerprint scanner aside).

    It's been said by various people/groups, that Microsoft learned from their security mistakes 10+ years ago while Apple was ignoring all that because they were small fish and not targets. Now that iOS/OSX is no longer a small fish, they are going through this large security learning curve that Microsoft has much more experience in. So BlackBerry and Microsoft think of it from the ground up, Apple, feature first, security later (IMO).

    One thing that sticks in my mind, is how Apple handles their cloud. The Cellebrite guys even admit they reverse engineered iCloud (and they shouldn't have been able to. Though, in their industry, boasting like this is marketing), and there are deleted files in the cloud the user cannot access that someone with the right knowledge/hardware can. Not to mention the brute force attacks and the numerous warnings from security testers about this and the open discussions of iCloud hacking on hacking forums. Apple just ignores these issues until they are shamed in public and then quickly put on a charade like they are working on it quickly. How many jailbreaks were done by kids under 21? Not to say under 21's are not smart, just that experience plays a large part in testing due to all the different unknown methods of attack, such a young person isn't even well aware of all the types of attacks and yet finds flaws themselves in days...

    In my books, Google is responsible for Android security, and we know that has various holes and exploits. But Google's handling for its own services, seems to be night and day better than Apple's (2 factor authentication, location detection lockout, recovery options, etc).
    06-17-15 08:19 PM
  16. BCITMike's Avatar
    This is just another reminder to people out there: Anything and everything stored in the cloud is now out of your hands and in the hands of server administrators as well as anyone else who can breach their security.

    I cannot stress enough that people should use an encrypted offline password database solution (my personal preference is KeePass) first and foremost.

    If it becomes an absolute necessity to store these databases in the cloud, yes, they are encrypted as is offline and secure for most intents and purposes, but why not add another layer of security and add that encrypted database to a larger encrypted volume (E.g. Veracrypt [a TrueCrypt fork]) or even add another round of encryption and obfuscation with another program (E.g. Cryptomator, Boxcryptor, etc.)

    It never hurts to be proactive on these sorts of things!
    There is another thread on CB asking what killer features BB needs to increase marketshare. There is probably a small percent of people who would buy BlackBerry if there was native encryption/decryption amongst the big providers Gdrive, Box, Dropbox, OneDrive, etc. Having to use another app is a bit of a hassle and a turn off, building it in would make it more usable.
    Perhaps they could charge a few bucks a month and the cloud provider shares some of the profit so there is incentive to make it great and support it.
    06-17-15 08:28 PM
  17. notafanofyou's Avatar
    Is it any wonder why Apple's market share drops by the day. It's just a matter of time before they are 1% market share. A horrible outdated product sold at a premium? No thank you and never again. Fool me once shame on you.

    Posted via CB10
    06-17-15 09:06 PM
  18. Smitty13's Avatar
    There is another thread on CB asking what killer features BB needs to increase marketshare. There is probably a small percent of people who would buy BlackBerry if there was native encryption/decryption amongst the big providers Gdrive, Box, Dropbox, OneDrive, etc. Having to use another app is a bit of a hassle and a turn off, building it in would make it more usable.
    Perhaps they could charge a few bucks a month and the cloud provider shares some of the profit so there is incentive to make it great and support it.
    I definitely agree in that I would love to see BlackBerry implement a native solution to this rather than depending upon another platform to achieve this. As it stands, KeePass databases (which BlackBerry has an excellent app for) are sufficient on their own for keeping most malicious people at bay.

    I argue that people should not take a lax view on things in regards to the cloud and add another round of encryption/security to it. I think if BlackBerry could find a way to implement offline encryption onto files pre-cloud upload, that would be great. If done correctly (and by that I mean all keys stay with the user) it could be a security game changer.
    06-17-15 09:07 PM
  19. Prem WatsApp's Avatar
    I definitely agree in that I would love to see BlackBerry implement a native solution to this rather than depending upon another platform to achieve this. As it stands, KeePass databases (which BlackBerry has an excellent app for) are sufficient on their own for keeping most malicious people at bay.

    I argue that people should not take a lax view on things in regards to the cloud and add another round of encryption/security to it. I think if BlackBerry could find a way to implement offline encryption onto files pre-cloud upload, that would be great. If done correctly (and by that I mean all keys stay with the user) it could be a security game changer.
    On-device encryption, yes...

    With an extra separate password, not the device password or the BBID. Otherwise (like when they have encrypted files from a microSD card, the device password is potentially extractable!) the whole device could be compromised!

    :-D

      Pastaporto aglio e olio... Mmmhhh!  
    06-17-15 09:42 PM
  20. Smitty13's Avatar
    On-device encryption, yes...

    With an extra separate password, not the device password or the BBID. Otherwise (like when they have encrypted files from a microSD card, the device password is potentially extractable!) the whole device could be compromised!

    :-D

    •   Pastaporto aglio e olio... Mmmhhh!   •
    I have to agree here too. If this were to ever be implemented it must not only be user generated keys but those keys must remain offline and in the hands of the user only. Period. That is absolutely the only way you are going to get some semblance of security. Heck, while I am dreaming up things that will never come to fruition, how about BlackBerry makes this fictitious encryption scheme open source for an audit too? :P
    06-17-15 11:32 PM
  21. jasonvan9's Avatar
    Please correct me if I'm wrong, but the Password Keeper app for BB10 from BlackBerry is what some of you are describing as ideal for cloud backups, or just personal backups...

    First, I need to set a password separate from my device or BBID to login to the app to even start using it..

    Once I put my passwords into the app, I can choose to store in the cloud (or not, it's user choice) but this part I'm not sure if they're encrypted in the BlackBerry cloud..

    Also if I do a password export for my own personal backup, the file that is exported is encrypted, and on import of that file I need to re-input that unique password to put them onto my new device.

    With these processes, I feel 100% confident that my passwords will not fall into devious hands



    Posted via CB10
    Last edited by jasonvan9; 06-21-15 at 01:15 AM.
    06-20-15 04:05 PM
  22. Smitty13's Avatar
    Please correct me if I'm wrong, but the Password Keeper app for BB10 from BlackBerry is what some of you are describing as ideal for cloud backups, or just personal backups...

    First, I need to set a password separate from my device or BBID to login to the app to even start using it..

    Once I put my passwords into the app, I can choose to store in the cloud (or not, it's user choice) but this part I'm not sure if they're encrypted in the BlackBerry cloud..

    Also if I do a password export for my own personal backup, the file that is exported is encrypted, and on import of that file I need to re-input that unique password to put them onto my new device.

    With these processes, I feel 100% confident that my passwords will not fall into devious hands



    Posted via CB10
    I'm not entirely sure not having used it, but does the BlackBerry Password Keeper not use encryption keys derived from your device and not use user generated keys?

    Posted via CB10
    06-20-15 04:45 PM
  23. jasonvan9's Avatar
    I'm not entirely sure not having used it, but does the BlackBerry Password Keeper not use encryption keys derived from your device and not use user generated keys?

    Posted via CB10
    It does not say where the encryption happens or where they are derived from, I do know that the export file it generates is an encrypted file.

    Posted via CB10
    06-21-15 01:16 AM
  24. ZeBB45's Avatar
    I personally wouldn't trust anything beginning with i

    Q10 - 10.3.2.2204/SR .2134  < α∂∂ιт > 
    06-21-15 05:43 AM
  25. Smitty13's Avatar
    It does not say where the encryption happens or where they are derived from, I do know that the export file it generates is an encrypted file.

    Posted via CB10
    I did a quick search but wasn't able to find anything definitive. To make a long story short. Yes, the exported file is encrypted with Password Keeper, but the crux of what we are getting at is are the encryption keys used derived from the user or the device? If it is user managed then from a security standpoint this is excellent. The general sentiment with encryption handling outside of the direct control of a user is you are not sure where the keys are stored and how secure they are.
    06-21-15 10:50 AM
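
Added example, not part of any post in this thread and not code from BlackBerry, KeePass or any product named here: a sketch of the "encrypt on the device before upload, keys stay with the user" design discussed in posts 18 to 20 and of the user-derived key question raised in post 25. The function names, the scrypt parameters and the `salt | iv | tag | ciphertext` layout are assumptions chosen for illustration; it uses Node.js's built-in `crypto` module.

```javascript
// Added example: client-side encryption with a key derived from a user-held
// passphrase. Function names and the blob layout are assumptions.
const nodeCrypto = require('node:crypto');

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const GCM = { authTagLength: TAG_LEN };

// Stretch the passphrase into a 256-bit key with scrypt. The salt is not
// secret and travels with the ciphertext; the passphrase is never stored.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Runs on the device before upload. Returns salt | iv | tag | ciphertext.
function sealForUpload(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv, GCM);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Runs on the device after download. Throws when the passphrase is wrong or
// the blob was altered in storage, because the GCM tag no longer verifies.
function openFromDownload(blob, passphrase) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv, GCM);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Convenience wrapper: the plaintext as a string, or null on any failure.
function tryOpen(blob, passphrase) {
  try { return openFromDownload(blob, passphrase).toString('utf8'); }
  catch { return null; }
}

// Constructed sample data, not real credentials.
const sample = Buffer.from('example.org\talice\tconstructed-password-1', 'utf8');
const blob = sealForUpload(sample, 'correct horse battery staple');
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01; // simulate modification in cloud storage
console.log([tryOpen(blob, 'correct horse battery staple') !== null, tryOpen(blob, 'wrong'), tryOpen(tampered, 'correct horse battery staple')]);
```

The storage provider only ever sees the output of `sealForUpload`, so a server-side breach exposes ciphertext whose strength rests on the passphrase and the scrypt cost rather than on a key the provider or the device manages.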