For anyone who has ever forgotten a password, Facebook has help


If you've ever forgotten an important password, Facebook has an innovative solution for you. On Thursday, engineers with the social network rolled out a new(ish) feature that helps users regain control of an account after being locked out of it.

The concept behind Trusted Contacts is the same idea behind giving a trusted friend or neighbor a copy of your house key. If you lose yours, you can always count on one of them to help you get back inside. The Facebook feature actually requires the help of multiple separate trusted friends designated in advance. If a user forgets her password or is otherwise locked out of an account, she can request that Facebook send different one-time security codes to up to five friends. Once the user supplies three of the security codes sent, Facebook will reset the account password.

"So your trusted contacts can be sure it's you trying to access your account, it's best to talk to them over the phone or in person," a Facebook blog post published Thursday advises. "Someone else can impersonate you through e-mail, chat, or text messages, or hack and read your messages."
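To make the three-of-five mechanism concrete, here is an added model of that kind of threshold recovery flow; it is not Facebook's code, and the salted-digest storage, 24-hour expiry and attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_LEN = 8
THRESHOLD = 3                 # codes needed to reset: three of up to five
CODE_TTL_SECONDS = 24 * 3600  # assumed expiry window for a recovery request
MAX_ATTEMPTS = 10             # assumed: stops someone cycling through guesses


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class RecoveryRequest:
    """One lock-out recovery attempt for a single account."""

    def __init__(self, contacts, now=None):
        if not 1 <= len(contacts) <= 5:
            raise ValueError("a request covers 1 to 5 trusted contacts")
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.used = set()              # contacts whose code has been accepted
        self.salt = secrets.token_bytes(16)
        self._records = {}             # contact -> salted digest of its code
        self.outgoing = {}             # plaintext codes, only for delivery
        for c in contacts:
            code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
            self._records[c] = _digest(code, self.salt)
            self.outgoing[c] = code

    def submit(self, contact, code, now=None) -> bool:
        """Accept a code relayed by one contact; True once THRESHOLD distinct
        contacts have vouched. Each contact's code is single-use."""
        now = time.time() if now is None else now
        if now - self.created > CODE_TTL_SECONDS or self.attempts >= MAX_ATTEMPTS:
            return False               # expired request or too many tries
        self.attempts += 1
        expected = self._records.get(contact)
        if expected is None or contact in self.used:
            return False               # unknown contact, or code already spent
        if not hmac.compare_digest(expected, _digest(code, self.salt)):
            return False               # wrong code; constant-time comparison
        self.used.add(contact)
        return len(self.used) >= THRESHOLD
```

A replayed code and a code from a contact who was never designated both fail, which is why the advice above to confirm the request by phone or in person matters: the codes themselves are only as trustworthy as the channel they travel over.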


Why you should take hacked sites’ password assurances with a grain of salt

Eric Bangeman

Reputation.com, a service that helps people and companies manage negative search results, has suffered a security breach that has exposed user names, e-mail and physical addresses, and in some cases, password data.

In an e-mail sent to users on Tuesday, officials with the Redwood City, California-based company said the passwords were "highly encrypted ('salted' and 'hashed')," a highly vague description that can mean different things to different people. "Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access," the e-mail added unconvincingly.

It's unfortunate that companies make such assurances, because they may give users a false sense of security. As Ars has been reporting for nine months, gains in cracking techniques mean the average password has never been weaker, allowing attackers to decipher even long passwords with numbers, letters, and symbols in them. Even Ars' own Nate Anderson—a self-described newbie to password cracking—was able to crack more than 45 percent of a 17,000-hash list using software and dictionaries he downloaded online.


Defense contractor pwned for years by Chinese hackers

QinetiQ, a UK-based defense contractor, has its fingers all over some of the US Defense Department's most sensitive systems. The company's subsidiaries provide robots, diagnostic systems, intelligence systems for satellites, drones, and even "cyber-security" to the US Department of Defense. The parent company, which was created as a privatized spinoff of the British Defense Evaluation and Research Agency—what was the UK's equivalent of the US Defense Advanced Research Projects Agency—is often cited as the inspiration for James Bond's "Q."

But for at least three years, QinetiQ was apparently unintentionally supplying its expertise to another customer: China. In multiple operations, hackers tied to the People's Liberation Army have had the run of QinetiQ's networks, stealing sensitive data from them and even using them to launch attacks on the systems of government agencies and other defense contractors. Emails uncovered by the hack of security firm HBGary revealed that Chinese hackers had the run of the company's networks starting in 2007.

Bloomberg's Michael Riley and Ben Elgin report that in one effort that lasted for over three years, "Comment Crew"—the group tied to the recent hacking of the New York Times and other news organizations, plus a host of attacks on other defense contractors and technology businesses—managed to gain access to "most if not all of the company's research." The company was notified on multiple occasions by government agencies of ongoing breaches, starting with a report from the Naval Criminal Investigative Service in December of 2007 that "a large quantity of sensitive information" was being stolen from two computers at the company's US subsidiary, QinetiQ North America (QNA). A month later, NASA informed QNA that one of the company's computers was being used in a cyberattack on its network.
