Showing posts with label Authentication.

Saturday, April 27, 2013

Living Social Hack and AP Twitter Account Hacked


The daily-deals website LivingSocial was hacked late yesterday.  The original report came from AllThingsD.com and includes the text of an e-mail the CEO sent to staff, now made public.  No credit card data or merchant financial information was accessed, which suggests that data was kept on a separate system from the one that was compromised.  The cyberattack affected 50 million users (all users except those in Korea, Thailand, Indonesia and the Philippines, which use different services with separate servers).  The attackers netted millions of user names, birthdates, e-mail addresses and hashed passwords.

The website now greets users with an announcement of the attack and a recommendation that users change their passwords.  The announcement notes that passwords are encoded, and the CEO's e-mail says they were "hashed and salted."  This means the site never stored the passwords themselves: it ran each one through a one-way hashing algorithm and stored only the result.  Salting means a random value is generated for each user and mixed into the hash, so two users who chose the same password end up with different stored hashes, and an attacker cannot use one precomputed table of hashes of common passwords against the whole database.  However, the hashing algorithm is known, so for any user whose password is too easy the attackers can simply run a dictionary of common passwords through the same algorithm, salt included, and compare the results; a computer can make thousands or millions of such guesses per second.  Because each user's salt is different, the attackers have to repeat that work separately for every user, which raises their cost considerably, but it does nothing for an account whose password is "password".  The announcement quoted here does not say which hash function was used; a fast general-purpose hash such as SHA-1 or SHA-256 can be tried millions of times per second, while a deliberately slow password hash (PBKDF2, bcrypt or scrypt) makes every guess far more expensive.
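To make the hash-and-salt point concrete, here is an added example (my own illustration, not LivingSocial's code; the user list and the small dictionary are constructed for the demonstration, and SHA-256 is assumed as the fast hash). It stores each user's password as a salted hash, shows that two users with the same password get different hashes, and then runs a dictionary attack that recovers the weak ones anyway. A second pair of routines shows the deliberately slow alternative (PBKDF2) that a site should use instead.

```python
import hashlib
import hmac
import os

# Constructed sample users: alice and bob chose the same weak password.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct-horse-battery-staple-2013",  # not in the dictionary below
}

# Constructed mini-dictionary; real wordlists contain millions of entries.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "abc123"]


def make_record(password, salt=None):
    """Store a random 16-byte salt next to SHA-256(salt || password).

    A fast general-purpose hash like this defeats precomputed tables but
    costs an attacker only microseconds per guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt, "hash": digest}


def verify(record, password):
    """Server-side login check; constant-time compare avoids leaking a prefix match."""
    digest = hashlib.sha256(record["salt"] + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, record["hash"])


def crack(records, dictionary):
    """Dictionary attack against a leaked table of salted hashes.

    The salt is not secret (it is stored next to the hash), so the attacker
    re-hashes every guess with each user's own salt.  The salt forces this work
    to be repeated per user; it does nothing for users whose password is in
    the list.  Returns ({user: recovered_password}, total_hash_operations)."""
    found = {}
    work = 0
    for user, rec in records.items():
        for guess in dictionary:
            work += 1
            if hashlib.sha256(rec["salt"] + guess.encode("utf-8")).hexdigest() == rec["hash"]:
                found[user] = guess
                break
    return found, work


def make_record_slow(password, salt=None, iterations=200_000):
    """The corrected design: a deliberately slow password hash (PBKDF2-HMAC-SHA256).

    Each guess now costs the attacker `iterations` HMAC calls instead of one,
    so the same dictionary attack is roughly `iterations` times more expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest.hex(), "iterations": iterations}


def verify_slow(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    table = {user: make_record(pw) for user, pw in USERS.items()}
    print("same password, different hashes:", table["alice"]["hash"] != table["bob"]["hash"])
    recovered, ops = crack(table, DICTIONARY)
    print(f"cracked {recovered} using {ops} hash operations")
```

The attack recovers both "password" accounts after two guesses each and gives up on carol after exhausting the list, which is exactly why the advice to change a weak password stands even though the hashes were salted. Slowing the hash down is the site's side of the fix; choosing a password that is not in any wordlist is the user's.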

CNN Money Tech reports on a different cyberattack, this one on the Twitter account of the Associated Press.  The hackers in that case planted a false report that President Obama had been injured in two explosions at the White House.   AP suspended its Twitter account and announced that the report was false. The attack, however, exposed a security weakness in Twitter that security analysts had been raising with concern for some time: unlike Facebook and Dropbox, among other sites that offer the option, Twitter does not yet offer a "two-step authentication" process.

Two-step (more precisely, two-factor) authentication, done properly, requires a combination of two out of three types of information:
1.  Something you are (a fingerprint scan, or the facial recognition now built into many laptops)
2.  Something you have (a gadget that generates a code, or a one-time password from a list the website provides to the user, for instance)
3.  Something you know (a password, or your mother's maiden name as the answer to a security question, for example)

For instance, a good two-step procedure might require not only your password but also a code derived from a secret key that exists only on the user's phone and on the website's server.  The phone does not send the key itself: it uses the key and the current time to compute a short one-time code, the user types that code in along with their password, and the server computes the same code from its own copy of the key to check it.  A lower-tech alternative to the gadget code is a list of one-time codes provided separately to the user.  The user enters one of the codes and marks it off the list; when the list runs low, they request a new one.  The time-based codes change every 30 seconds or so, so a code seen by an eavesdropper is useless shortly afterwards, and a code that has already been used should never be accepted a second time.  The CNN article notes that Twitter had advertised for engineers to develop a two-step security process, but apparently this has not yet been implemented.
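The phone-generated code described above is what the TOTP standard (RFC 6238, built on the HOTP algorithm of RFC 4226) specifies, and the printed list is a set of one-time backup codes. What follows is an added example of both, written for this post rather than taken from Twitter, Facebook or Dropbox; the shared secret, the clock values, the drift window of one interval and the backup-code format are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second intervals since the
    epoch, so phone and server derive the same code from the shared secret and
    the clock alone; the secret itself is never transmitted."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check.  Returns the interval counter the code matched, or None.

    Accepts the current interval or `window` intervals to either side to tolerate
    small clock drift, compares in constant time, and refuses any interval at or
    before `last_counter` (the last one already redeemed) so an eavesdropper
    cannot replay a code within the same 30-second interval."""
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


class BackupCodeStore:
    """The printed list, server side.  Only the hash of each code is kept and it
    is deleted when redeemed, so a leaked table cannot be replayed."""

    def __init__(self, hashes):
        self._hashes = set(hashes)

    def remaining(self):
        return len(self._hashes)

    def redeem(self, code):
        h = hashlib.sha256(code.strip().lower().encode("utf-8")).hexdigest()
        if h in self._hashes:
            self._hashes.discard(h)  # mark it off the list
            return True
        return False


def issue_backup_codes(n=10):
    """Generate n random 10-hex-digit codes.  Returns the plaintext list (shown
    to the user once, to print and keep) and the store the server persists."""
    codes = [os.urandom(5).hex() for _ in range(n)]
    hashes = [hashlib.sha256(c.encode("utf-8")).hexdigest() for c in codes]
    return codes, BackupCodeStore(hashes)


if __name__ == "__main__":
    secret = os.urandom(20)  # enrolled once; stored on the phone and on the server
    now = int(time.time())
    code = totp(secret, now)
    used = verify_totp(secret, code, now)
    print("current code:", code, "accepted at interval:", used)
    print("replay of the same code refused:", verify_totp(secret, code, now, last_counter=used))
    codes, store = issue_backup_codes(5)
    print("backup codes:", codes, "first redeem:", store.redeem(codes[0]),
          "second redeem:", store.redeem(codes[0]))
```

The server must persist the counter returned by `verify_totp` per user and pass it back as `last_counter` on the next login; without that, a code stolen by a phishing page or a shoulder-surfer is good for the rest of its interval. The RFC 6238 test vectors (secret `12345678901234567890`, eight digits) are a quick way to confirm an implementation agrees with the authenticator apps.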

Another hack previously compromised Fox News' Twitter account; in that case, the hacked tweet claimed that President Obama had been assassinated. The recent fake AP tweet actually caused a brief downturn in the stock market. According to the CNN report, Twitter's response to these and various other hacks of corporate Twitter accounts has been to urge more care.  What it needs to do is implement better security.

The decoration for this post is from Wikipedia, which notes it was designed in the late 1990s by Dagmar D'Surreal as a logo for the PhreakNIC annual conference in Nashville, Tennessee. Many thanks to my son, Joe McKenzie, for technical explanations made easy.

Friday, September 10, 2010

GPO-Access Replacement Launching, and Authentication of Law

GPO-Access has had a great run as the portal for the Government Printing Office. It is still up through the end of this calendar year. But the replacement site is already up and running and it looks great. Introducing...... (drumroll, please).......

www.fdsys.gov

The home page is full, but it works well. There is a banner at the top with a small menu, all of whose items, frankly, seem to lead back to the old GPO-Access website. There is an old FAQ section, which can be helpful if you have documents questions; you can submit new documents questions in the same section and check your existing queries as well.

But if you skip that top banner, and look at the main portion of the page, there are three panels, or columns. The left and right columns are narrower and the center is much broader. The left column offers again to take the reader back to GPO-Access, and divides the readers into Customers, Vendors and Libraries. Then there is a blue box of Quick Links to the most popular (one guesses) URLs:

* US Government Bookstore

* Ben's Guide to Government for Kids (a useful site!)

* FDLP Desktop (for the Federal Depository Libraries)

* Catalog of U.S. Government Publications

* Digitization Registry

(The choices remind the reader that 1) The GPO is the government's bookseller; 2) The Federal Depository Library Program is alive and is run through this site; 3) the GPO is charged with digitizing much of what it has been printing for centuries, and the users will want to know what is now available electronically.)

The right-hand narrow column features a changing list of "Latest Resources." Today everything listed is a congressional bill or debate transcript about Wall Street reform and health care reform, but each entry gives the citation, the title and a link to the full text of the document. The column also offers the entire text of the CFR (Code of Federal Regulations), the Federal Register issues, the Budget for fiscal year 2011, the Economic Report of the President for 2010, and more. Except for your time and disk space, these appear to be free downloads. The large files, such as titles of the CFR, can be zipped or delivered in XML, with each file size noted.

The center panel has the main news:

The migration of information from GPO Access into FDsys will be complete in 2010. The migration is occurring on a collection-by-collection basis.
There is a lengthy list of the various titles and the dates for which each is carried. The list is changing day by day, as the migration continues.

The top of the center panel has a search bar where you can enter a basic search. There is also an advanced search function where you can specify the type of material to be searched, and up to five search criteria can be laid on the query. There is an excellent Help section, which I believe is the same as the one from GPO-Access, though I may be wrong. It is a very powerful search engine for frequent users who master the syntax and understand the various tools offered, such as SuDoc numbers and referenced citations, but even the keyword search and simple search seem to work pretty well. There is also an option from the original search bar to Retrieve by Citation, which works easily because the system provides a set of boxes for the user to fill in the citation, so you don't have to guess at the correct format. Even more exciting, when I pulled up a CFR citation for 2010, I got a digital version with a medium blue bar across the top of the screen, an image of a pen at its right side, reading "Certified by the Superintendent of Documents [pkisupport@gposupport.gov] United States Government Printing Office, certificate issued by GeoTrust CA for Adobe." That bar is Adobe Reader reporting that the PDF carries a digital signature: the GPO signed the file with a private key whose certificate chains to a certificate authority that Adobe trusts, so the reader can check both that the document came from the GPO and that it has not been altered since it was signed (if any page is changed, the signature no longer verifies and the bar reports the problem instead). This is exciting: the beginning of digital authentication of laws online.