The Long List of Password Breaches



Over the past few years one cannot follow technology news without feeling that the rate of theft of account credentials, including passwords (encrypted or not) and personally identifying information, has been accelerating. I’ve written several articles on ways to mitigate the risk and make it very easy to respond when such a theft happens.

The process starts with using a password database manager like KeePassX or LastPass (and if one chooses an offline solution like KeePassX it’s wise and not inconvenient to use encryption and cloud syncing to make things easier without sacrificing security). It continues with gathering up one’s online accounts and changing the passwords to unique, random, and strong passwords using the password database software.

In fact it was today’s news that Kickstarter was hacked and account credentials were compromised that prompted me to begin this list. It took me all of a minute to lock my account back down with a new 100-character random password, and no other account was ever at risk. Therefore my primary motivation in making this list is to provide a long list of reasons to adopt password security practices such as mine. They honestly make one’s life simpler (memorize one or two strong passwords versus memorizing and inevitably forgetting tens or hundreds of weak ones), and it’s far easier to respond to these increasingly common account credential thefts.

I’ll be doing my best to keep this list up to date including filling in gaps by researching past incidents.
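The practice described above, as an added example that is not the author’s own code: one function generates a long uniformly random password per account with the operating system’s CSPRNG, and another answers the question that matters after a breach, namely which other accounts shared the stolen password and must be rotated too. The vaults and account names are constructed for the demonstration; a real password manager holds the vault encrypted.

```python
import math
import secrets
import string

# Added example; not the author's code. Shows the two halves of the practice
# above: generating a long random password per account with the OS CSPRNG,
# and, when one site is breached, finding every other account that shared
# its password (with unique passwords that set is empty).

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=100, alphabet=ALPHABET):
    """Uniformly random password over `alphabet`, drawn with `secrets` (CSPRNG)."""
    if length < 16:
        raise ValueError("generated passwords should be at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def accounts_sharing_password(vault, breached_account):
    """Accounts in `vault` ({name: password}) that reuse the breached account's
    password and therefore must be rotated as well."""
    leaked = vault[breached_account]
    return sorted(name for name, pw in vault.items()
                  if name != breached_account and pw == leaked)


def rotate(vault, account, length=100):
    """Return a copy of `vault` with `account` given a fresh random password."""
    updated = dict(vault)
    updated[account] = generate_password(length)
    return updated


# Constructed vaults for the demonstration (not real credentials).
REUSED_VAULT = {"kickstarter": "hunter2", "email": "hunter2", "bank": "hunter2x"}
UNIQUE_VAULT = {name: generate_password() for name in REUSED_VAULT}

if __name__ == "__main__":
    print(f"100-char password: ~{entropy_bits(100):.0f} bits of entropy")
    print("exposed by the breach (reused passwords):",
          accounts_sharing_password(REUSED_VAULT, "kickstarter"))
    print("exposed by the breach (unique passwords):",
          accounts_sharing_password(UNIQUE_VAULT, "kickstarter"))
    fixed = rotate(UNIQUE_VAULT, "kickstarter")
    print("kickstarter password rotated:", fixed["kickstarter"] != UNIQUE_VAULT["kickstarter"])
```

With unique passwords the post-breach clean-up is exactly one rotation, which is the “all of a minute” response the text describes; with a reused password every account returned by `accounts_sharing_password` has to be changed as well.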


Feb 15th, 2014

Last updated on Feb. 26, 2014: added the massive cache reported by Hold Security

from here

Replace TrueCrypt


Candidate alternatives


tc-play is a Free implementation of TrueCrypt based on dm-crypt, licensed under the 2-clause BSD license. It is in Debian sid (tcplay), and would serve as a full replacement for TrueCrypt… once a proper GUI is available.

tc-play can create TrueCrypt volumes.

Version 2 added the ability to save and restore TrueCrypt volume headers to external header files. This feature can be used to change a TrueCrypt volume’s password.


Cryptsetup 1.6 supports reading the TrueCrypt on-disk format, so if/when udisks and friends are adapted (if needed), we could avoid shipping any additional software at all. It is part of Debian Jessie.

Once unlocked on the command line, the TC volume shows up in Nautilus, but there is no udisks / GNOME Disks / Nautilus integration yet that would let the user activate a TC volume graphically.

Upstream (udisks) feature request:

cryptsetup 1.6.4 does not support creating TrueCrypt volumes.


zuluCrypt is a front end to cryptsetup and tcplay; it makes it easy to manage TrueCrypt volumes through a GUI, but it’s not packaged in Debian yet (RFP #703911).

  • It uses cryptsetup to unlock TrueCrypt volumes and LUKS volumes.
  • It uses cryptsetup to backup and restore LUKS volume headers.
  • It uses cryptsetup to add and remove keys in LUKS volumes.
  • It uses tcplay to create TrueCrypt volumes.
  • It uses tcplay to backup and restore TrueCrypt volume headers.

zuluCrypt now has hidden-volume-like functionality using cryptsetup.

zuluCrypt can open LUKS volumes with a detached header.

Last edited Thu 29 May 2014 09:05:21 PM CEST

from here

Data Retention Directive Invalid, says EU’s Highest Court


April 8, 2014 | By Danny O’Brien

Today the European Court of Justice declared the EU’s Data Retention Directive invalid, declaring that the mass collection of Internet data in Europe entailed a “wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data.” The Directive ordered European states to pass laws that obliged Internet intermediaries to log records on their users’ activity, keep them for up to two years, and provide access to the police and security services. The ECJ joins the United Nations’ Human Rights Committee which last month called upon the United States to refrain from imposing mandatory retention of data by third parties.

The decision is a victory for the human rights activists who have fought hard to have the original Europe-wide law—rushed through the European Parliament in 200—reconsidered. Digital Rights Ireland, who first launched a lawsuit against the Irish Government over its implementation of the Directive, and AK Vorrat Austria, who organized to reject data retention in Austria, both pursued the issue for many years in the face of concerted opposition from their own governments and officials.

While the decision comprehensively rejects the current directive, some states may put up a fight to keep their laws, while others could take this opportunity to become champions of their citizens’ privacy. The Finnish Minister of Communications, Krista Kiuru, has already declared a full review of Finnish law in the light of the decision, saying that “if [Finland] wants to be a model country in privacy issues, Finnish legislation has to respect fundamental rights and the rule of law.” The German and Romanian data retention laws have already been declared unlawful by their national constitutional courts. Governments advocating retention, like the UK, may argue that they can still maintain their existing data retention laws, or there may even be an attempt to introduce a whole new data retention directive that would attempt to comply with the ECJ’s decision.

However the data retention regime unwinds in Europe, this decision sends an important signal to other countries in the world that are considering the same path as the EU. Brazil’s online activists have been fighting hard to keep data retention out of their flagship Internet Bill of Rights, the Marco Civil. The law, which is about to be considered by the Brazilian Senate, would require ISPs to record personal data for one year, and other service providers to keep private information on their users for six months. New laws requiring mandatory data retention by companies in the United States have also been championed by the Obama administration’s Department of Justice, and have been proposed by the White House as a “solution” to the NSA spying scandal. As the ECJ’s decision shows, the indiscriminate recording and storage of every aspect of innocent civilians’ online lives is a travesty of human rights, no matter where that collected data is housed.

from here

NSA inquiry: what experts revealed to MEPs


[12-02-2014 – 14:13]
Conclusion time: after months of investigating mass surveillance by the NSA in Europe, the EP inquiry has finished penning its findings. The inquiry was launched last year in the wake of revelations by NSA whistle-blower Edward Snowden and involved more than 15 hearings with representatives of EU institutions, national parliaments, the US Congress, IT firms, NGOs and journalists. The civil liberties committee votes on the draft report on 12 February. Read on to discover what MEPs found out.

At the first hearing in early September journalists stressed the need for democratic scrutiny over the work of security services. “[Mass surveillance] technologies can be used for purposes other than to fight terrorism,” warned Jacques Follorou, of the French daily Le Monde. Reporters also spoke of the importance of protecting whistle-blowers and journalists that make such stories public.

In a statement for the inquiry, NSA whistle-blower Edward Snowden said he disclosed secret NSA documents with the aim of launching a public debate on the balance between security and human rights. “Public debate is not possible without public knowledge (…) the surveillance of whole populations, rather than individuals, threatens to be the greatest human rights challenge of our time,” he said. Glenn Greenwald, the journalist Mr Snowden spoke to, later told MEPs that “most governments are beneficiaries of Snowden’s choice”.

Two former NSA employees and one former MI5 officer testified in the hearings, with ex-NSA senior executive and whistle-blower Thomas Drake saying he had never imagined “that the US would use the ‘Stasi guidebook’ for its secret mass surveillance programmes”. US congressman Jim Sensenbrenner, chairman of the subcommittee on crime, terrorism, homeland security, and investigations, told MEPs that abuses by the NSA had been carried out outside congressional authority. “I hope that we have learned our lesson and that oversight will be a lot more vigorous,” he said.

Questions were raised during the hearings whether the surveillance had violated various EU-US agreements, including one on the transfer of financial data for identification of terrorist activities (TFTP agreement), or another agreement on the data protection standards that US companies should meet when dealing with Europeans’ private data (Safe Harbour agreement).

Microsoft, Google and Facebook managers invited to speak denied giving unfettered access to their servers. Experts suggested setting up a European “privacy cloud” – a secure data storage to protect internet users’ privacy.

The hearings also looked into surveillance activities in EU countries, including Denmark, Belgium and the UK. “The Parliament inquiry was already looking not just into the NSA allegations, but also to our own backyard. We knew that the national oversight arrangements in many member states are inadequate to citizens,” said Claude Moraes, a British member of the S&D group in an interview in November.

NSA snooping: MEPs table proposals to protect EU citizens’ privacy

Committee on Civil Liberties, Justice and Home Affairs [12-02-2014 – 20:11]

The European Parliament should withhold its consent to an EU-US trade deal unless it fully respects EU citizens’ data privacy, says an inquiry report on US National Security Agency (NSA) and EU member states surveillance of EU citizens, approved by the Civil Liberties Committee on Wednesday. It adds that data protection rules should be excluded from the trade talks and negotiated separately with the US.

The text, passed by 33 votes to 7 with 17 abstentions, condemns the “vast, systemic, blanket collection of personal data of innocent people, often comprising intimate personal information”, adding that “the fight against terrorism can never be a justification for untargeted, secret or even illegal mass surveillance programmes”.

“We now have a comprehensive text that for the first time brings together in-depth recommendations on Edward Snowden’s allegations of NSA spying and an action plan for the future. The Civil Liberties Committee inquiry came at a crucial time, along with Snowden’s allegations and the EU data protection regulation. I hope that this document will be supported by the full Parliament and that it will last beyond the next European Parliament’s mandate”, said rapporteur Claude Moraes (S&D, UK), after the vote.

Data protection must be excluded from trade talks

Parliament’s consent to the final Transatlantic Trade and Investment Partnership (TTIP) deal with the US “could be endangered as long as blanket mass surveillance activities and the interception of communications in EU institutions and diplomatic representations are not fully stopped and an adequate solution for data privacy rights of EU citizens, including administrative and judicial redress is not found”, MEPs say.

Parliament should therefore withhold its consent to the TTIP agreement unless it fully respects fundamental rights enshrined in the EU Charter, the text adds, stressing that data protection should be ruled out of the trade talks.

MEPs call for the “immediate suspension” of the Safe Harbour privacy principles (voluntary data protection standards for non-EU companies transferring EU citizens’ personal data to the US). These principles “do not provide adequate protection for EU citizens” say MEPs, who urge the US to propose new personal data transfer rules that meet EU data protection requirements.

The Terrorist Finance Tracking Programme (TFTP) deal should also be suspended until allegations that US authorities have access to EU citizens’ bank data outside the agreement are clarified, say MEPs. The EU-US data protection framework agreement to be struck in spring 2014 must ensure proper judicial redress for EU citizens whose personal data are transferred to the US, they add.

Digital “new deal”

The EU needs a “digital new deal”, to be delivered by the joint efforts of EU institutions, member states, research institutions, industry and civil society, say MEPs, noting that some telecoms firms have clearly neglected the IT security of their users and clients. MEPs also urge member states to accelerate their work on draft EU data protection reform legislation so that it can be passed by the end of this year.

Trust in US cloud computing and cloud providers has been damaged by surveillance practices, MEPs note. They propose that Europe should develop its own clouds and IT solutions to ensure a high standard of personal data protection. They note that by 2016, the cloud market is likely to be worth $207 billion a year, double its 2012 value.

EU whistleblower and media protection programme

The resolution urges the European Commission to examine whether a future EU law establishing a “European whistleblower protection programme” should also include other fields of EU competence “with particular attention to the complexity of whistleblowing in the field of intelligence”. EU member states are also asked to consider granting whistleblowers international protection from prosecution.

MEPs also cite the UK’s detention of David Miranda and seizure of material in his possession under the UK Terrorism Act and its demand that the Guardian newspaper hand over or destroy such material. They see these acts as “possible serious interference with the right of freedom of expression and media freedom”, as recognised by the European Convention on Human Rights and the EU Charter.

EU countries should check their own secret services

The UK, France, Germany, Sweden, the Netherlands and Poland should clarify the allegations of mass surveillance – including potential agreements between intelligence services and telecoms firms on access to and exchange of personal data and access to transatlantic cables – and their compatibility with EU laws, it says.

Other EU countries, in particular those participating in the “9-eyes” (UK, Denmark, France and the Netherlands) and “14-eyes” arrangements (those countries plus Germany, Belgium, Italy, Spain and Sweden) are also urged to review their national laws and practices governing the activities of intelligence services, so as to ensure that they are subject to parliamentary and judicial oversight and public scrutiny and that they comply with fundamental rights obligations.

MEPs deem bilateral “anti-spying” arrangements concluded or under negotiation between some EU countries (the UK, France and Germany) and the US as “counterproductive and irrelevant, due to the need for a European approach to this problem”.

Next steps

The full Parliament will vote on the resolution on 12 March in Strasbourg.

The Civil Liberties Committee inquiry into mass surveillance of EU citizens began in September 2013. A total of 15 hearings have been held since then.

In the chair: Juan Fernando López Aguilar (S&D, ES)


BXL: (+32) 2 28 44301
STR: (+33) 3 881 73661
PORT: (+32) 498 98 39 85

Isabel Teixeira NADKARNI
BXL: (+32) 2 28 32198
STR: (+33) 3 881 76758
PORT: (+32) 498 98 33 36

from here (complete report)

E-Mail Tracking


The use of HTML emails offers many tracking features to the sender. By using tracking features like web bugs the sender may learn the time you opened the mail, your IP address, the software you used and a list of forwarded recipients.

Web interfaces do not block these tracking features completely. Even if you see a message about blocked tracking elements, the protection is only partial, not complete. You may use the E-Mail Privacy Test to test the web interface of your preferred email provider. Open the test page and send a mail to your mail account. Read the received message in a new browser tab (in most cases you will find it in the spam folder) and go back to the E-Mail Privacy Test page. You will see a list of the tracking features that were not blocked (marked in red):

E-Mail tracking elements


The result depends on the configuration of your browser too, but JonDoFox can’t protect you against all possible email tracking features. We highly recommend using Thunderbird + TorBirdy for email communication to stay private.
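What a mail client or webmail front end has to do before rendering HTML mail, as an added example that is not code from the original page or from JonDoFox: walk the markup and collect every remote resource it would fetch on display, because each such fetch is a beacon that reveals the opening time, IP address and User-Agent to the sender. The sample mail body, its hosts and the per-recipient token are constructed for the example; inline `cid:` and `data:` parts are left alone since they do not leave the machine.

```python
import re
from html.parser import HTMLParser

# Added example, not code from the original page. Models the check a mail
# client must make before rendering HTML mail: list every remote fetch the
# markup would trigger (images, stylesheets, CSS url(), frames, ...).

# tag -> attributes that trigger a fetch as soon as the tag is rendered
FETCHING_ATTRS = {
    "img": ("src",),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "input": ("src",),          # <input type="image" src=...>
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def is_remote(url):
    """True for URLs that leave the machine; cid:/data: inline parts are fine."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "//"))


class WebBugScanner(HTMLParser):
    """Collect every remote fetch an HTML mail would trigger on display."""

    def __init__(self):
        super().__init__()
        self.remote = []        # (tag, attribute, url)
        self.pixels = []        # URLs of 1x1 / zero-size images: classic web bugs
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for attr in FETCHING_ATTRS.get(tag, ()):
            url = a.get(attr)
            if url and is_remote(url):
                self.remote.append((tag, attr, url))
                if tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                    self.pixels.append(url)
        # inline CSS fetches too: style="background:url(...)"
        for url in CSS_URL.findall(a.get("style", "")):
            if is_remote(url):
                self.remote.append((tag, "style", url))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                      # url() inside a <style> block
            for url in CSS_URL.findall(data):
                if is_remote(url):
                    self.remote.append(("style", "css", url))


def scan_html_mail(html):
    """Return (remote_fetches, tracking_pixels) for one HTML mail body."""
    scanner = WebBugScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.remote, scanner.pixels


# Constructed sample: a newsletter-style body carrying a per-recipient beacon.
SAMPLE_MAIL = """
<html><body style="background:url(https://cdn.example.net/bg.png)">
<p>Hello!</p>
<img src="cid:logo@example" width="120" height="40">
<img src="https://track.example.net/open?rcpt=b3f1c9" width="1" height="1">
<a href="https://shop.example.net/">Visit us</a>
</body></html>
"""

if __name__ == "__main__":
    remote, pixels = scan_html_mail(SAMPLE_MAIL)
    for tag, attr, url in remote:
        print(f"remote fetch via <{tag} {attr}>: {url}")
    print("tracking pixels:", pixels)
```

A link the user must click (`<a href>`) is not reported, since nothing is fetched until the user acts; the body’s CSS background is, because it loads as soon as the mail is displayed. A client that only blocks `<img>` tags and announces “remote content blocked” still leaks through the CSS case, which is the partial protection the text warns about.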

from here

Mixmaster Remailer


If you want to write an anonymous e-mail without a valid reply address (maybe for whistleblowing purposes), you do not need an e-mail account. You can use the remailer network Mixmaster. A Mixmaster mail travels around the world over some random remailers to hide your traces and will reach the recipient within a few hours.

  1. Mixmaster uses a Tor hidden service for email delivery to the Mixmaster network. You have to start Tor with “Vidalia (TorGUI)” first. The statistics about running remailers are updated automatically at startup.
  2. You will see a simple command interface. Press the key [m] to write a new mail.

    Mixmaster Start

  3. At the next step you have to enter the recipient address and a subject for the message.

    Mixmaster 2

  4. Now you can edit the message text; press the key [e].

    Mixmaster 3

  5. This opens the editor. Important note: insert a blank line after the header lines with To: and Subject:. When the text is ready, save the message and close the editor.

    Mixmaster 4

  6. When the editor is closed you are back in the Mixmaster interface. You may attach a file to the message, encrypt the message using OpenPGP and afterwards send the mail to the local Mixmaster pool by pressing the key [m].

    Mixmaster 5

  7. Finally you have to send the messages from the local Mixmaster pool to the remailers. Press the key [s] and quit Mixmaster with [q].

    Mixmaster 6
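The “blank line after the header lines” note above matters because the draft is parsed as RFC 822 style headers followed by a body. The following added check, not part of the original how-to, runs a draft through Python’s standard `email` parser before it is handed to the remailer and reports the two ways a missing separator goes wrong: body text without a colon ends the header block with a defect, and body text with a colon is silently swallowed as a header, leaving an empty message. The sample drafts and addresses are constructed.

```python
from email import errors
from email.parser import Parser

# Added example, not part of the original Mixmaster how-to. Checks a draft
# (To:, Subject:, blank line, body) before it is handed to the remailer.

REQUIRED = ("To", "Subject")


def check_mixmaster_draft(text):
    """Return (ok, problems) for a draft exactly as typed into the editor."""
    problems = []
    msg = Parser().parsestr(text)
    # The stdlib parser records a defect when a non-header line follows the
    # headers without a blank line in between.
    if any(isinstance(d, errors.MissingHeaderBodySeparatorDefect) for d in msg.defects):
        problems.append("no blank line between headers and body")
    for header in REQUIRED:
        if not msg.get(header):
            problems.append(f"missing {header}: header")
    # Body lines containing a colon get parsed as headers when the blank
    # line is missing; anything beyond To:/Subject: is a sign of that.
    extra = [k for k in msg.keys() if k not in REQUIRED]
    if extra:
        problems.append("unexpected header lines (body text with a colon?): " + ", ".join(extra))
    if not msg.get_payload().strip():
        problems.append("empty message body")
    return (not problems, problems)


# Constructed drafts for the demonstration.
GOOD_DRAFT = "To: editor@example.org\nSubject: tip\n\nSee the attached document.\n"
NO_BLANK_LINE = "To: editor@example.org\nSubject: tip\nSee the attached document.\n"
COLON_IN_BODY = "To: editor@example.org\nSubject: tip\nNote: read this first.\n"

if __name__ == "__main__":
    for name, draft in [("good", GOOD_DRAFT), ("no blank line", NO_BLANK_LINE),
                        ("colon in body", COLON_IN_BODY)]:
        ok, problems = check_mixmaster_draft(draft)
        print(f"{name}: {'OK' if ok else 'REJECT'} {problems}")
```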

from here



New documents provided by Snowden/Greenwald show the elite of nations collaborating with the NSA.

  • The “five spying eyes” are the well-known inner circle of the USA, Great Britain, Canada, Australia and New Zealand, based on the UKUSA agreement.
  • First level friends are Denmark, the Netherlands, Norway and France. Together with the inner circle we have to talk about “the 9 spying eyes”.
  • Second level friends are Germany, Belgium, Italy, Spain and Sweden. (It is a little bit strange to call Sweden a second level friend, because the FRA is spying for NATO. 70% of Russia’s international Internet traffic is routed over Sweden and scanned by the FRA for spying purposes in cooperation with the NSA.)
  • Third level friends are all cooperating intelligence services in the Middle East and Afghanistan, 41 countries in all.

Germany has long protested at its exclusion from 9-Eyes and was a little grumpy at not being invited to join the group. Now, using the scandal following the disclosure of Merkel’s phone tap, the German intelligence service wants to become a part of the inner circle. Officially it is called a “no-spy agreement”, but such an agreement, backed by a second secret cooperation agreement, forms the basis for entering the inner circle. The partners of the inner circle have to collect information on a large scale, pre-process it and send the relevant results to the NSA/GCHQ data pool. In return the NSA and GCHQ may stop or reduce their spying in Germany.

Some German politicians are ready to go this way. According to an internal paper of the CDU/CSU (link only in German), surveillance of the Internet should be extended in NSA style. German intelligence services should be enabled to monitor directly at Internet exchange nodes like DE-CIX.

from here

Information leaks by search plug-ins


If you are using the JonDoFox profile for Firefox you will find both the search plug-ins installed by default and the search plug-ins installed by JonDoFox in the list of search engines:

search plug-ins


The search plug-ins installed by default are not very privacy-friendly and may leak information about the browser and/or operating system in use. This makes it possible to discover that the user agent sent by JonDoFox is a fake, and to use minor differences to discriminate between JonDonym users. Some examples of search URLs generated by the default installed plug-ins:

Google (Windows, Ubuntu, FreeBSD):


DuckDuckGo (Ubuntu, FreeBSD):


Amazon (Windows, Ubuntu, FreeBSD):


Conclusion: Do NOT use the search engines installed by default, but use the JonDoFox search plug-ins. You may disable unwanted search plug-ins in the “manage search engines” dialog.

manage search plugins
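The leak described above, as an added example that is neither JonDoFox’s code nor the page’s own: a search plug-in appends parameters besides the query that name the browser build, distribution or partner channel, and within a pool of users who all present the same faked User-Agent those parameters are enough to tell them apart. The functions below separate the search terms from the identifying parameters, rebuild the minimal URL a privacy-friendly plug-in would send, and show how many distinct groups a set of searches splits into. The sample URLs and the parameter names in them are constructed for the example and stand in for whatever the real plug-ins emit.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example, not JonDoFox's code. Separates search terms from the extra
# parameters a search plug-in appends, which identify browser build or OS.

# Name of the query parameter per engine host; everything else is treated
# as potentially identifying. Hosts and keys are assumptions for the example.
QUERY_KEYS = {
    "www.google.com": "q",
    "duckduckgo.com": "q",
    "www.amazon.com": "field-keywords",
}


def _query_key(parts):
    return QUERY_KEYS.get((parts.hostname or "").lower(), "q")


def identifying_params(url):
    """Return {param: value} for every parameter except the search terms."""
    parts = urlsplit(url)
    key = _query_key(parts)
    return {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key}


def minimal_search_url(url):
    """Rebuild the URL keeping only the search terms (fragment dropped as well)."""
    parts = urlsplit(url)
    key = _query_key(parts)
    terms = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == key]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(terms), ""))


def partition_users(urls):
    """Group search URLs by the fingerprint their identifying parameters form.
    Each distinct group is a set of users the search engine can tell apart."""
    groups = {}
    for url in urls:
        fingerprint = tuple(sorted(identifying_params(url).items()))
        groups.setdefault(fingerprint, []).append(url)
    return groups


# Constructed search URLs: the same query from three differently tagged plug-ins.
SEARCHES = [
    "https://www.google.com/search?q=tor&client=ubuntu&channel=fs",
    "https://www.google.com/search?q=tor&client=firefox-a&rls=org.mozilla:en-US:official",
    "https://duckduckgo.com/?q=tor&t=lm",
]

if __name__ == "__main__":
    for url in SEARCHES:
        print(identifying_params(url), "->", minimal_search_url(url))
    print("groups before rewriting:", len(partition_users(SEARCHES)))
    print("groups after rewriting: ", len(partition_users([minimal_search_url(u) for u in SEARCHES[:2]])))
```

Before rewriting, the two Google searches land in different groups because of their `client`/`channel`/`rls` tags; after rewriting they are indistinguishable, which is the property the JonDoFox plug-ins are meant to give every user of the proxy.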


from here

With Tor Mail gone, how will the Dark Web communicate?


In the recent fall of Freedom Hosting, a hosting service used by much of the Dark Web, the list of casualties is long. One death in particular has already cast the widest shadow of all: Tor Mail is gone.

Long considered the most trustworthy and popular email service on the Dark Web, Tor Mail has seen users rapidly flee since Freedom Hosting, which maintained Tor Mail’s previously hidden servers, was compromised and destroyed, and its alleged owner, Eric Marques, was arrested in Ireland. Now, many wonder if Tor Mail’s servers are sitting in a National Security Agency (NSA) office, their contents being read and documented at this very moment.

Dissidents, whistleblowers and journalists have long used Tor Mail. Edward Snowden and Julian Assange are major Tor cheerleaders. But alongside them are some of the most prominent pedophiles and most profitable drug dealers on the Web. Nothing about Tor Mail’s demise is certain at this point. We don’t know if its servers have fallen into the hands of criminals or the U.S. government.

Here’s the catch: In theory, it shouldn’t even matter if an NSA agent is browsing through each email at this very moment. Smarter, more careful users of Tor Mail have never sent a clear text email. Software such as PGP (Pretty Good Privacy) takes 15 minutes to master and provides virtually unbreakable encryption, placing emails out of even the NSA’s reach. It’s a breeze. Any cybercriminal worth his weight in stinky California marijuana would take the time to use it, right?


“I post my PGP key everywhere and beg my customers to use it but the majority don’t….. including for some pretty big orders!,” wrote popular ecstasy vendor DrMDA.

“Something like 80 percent of SR users don’t use PGP,” wrote astor, a longtime Silk Roader.

Some vendors, such as prescription drug salesman RxKing, explicitly refuse to deal in PGP, saying it gives a false sense of security.

Sometimes it’s not laziness or complacency, it’s simply a giant mistake.

If you have ever purchased GHB (known as liquid ecstasy or, more commonly, the date rape drug) from the popular Silk Road vendor BlueGiraffe, you may have a bit of worrying to do.

BlueGiraffe’s newly hired assistant—yes, top vendors have assistants and entire teams behind their operation—mistakenly emailed the address of every single customer he’s had in over a year of business in clear text. It’s not encrypted, it’s eminently readable, and it’s potentially in the hands of law enforcement right now. Keeping such records is against the rules on Silk Road.

“Though I will never meet any of you in person, you are like a great family that I love and care for very much,” wrote an extremely apologetic BlueGiraffe. “And I have done the worst thing and compromised your safety. I am so sorry.”

Now, despite easy-to-use technology that would have rendered them virtually immune to oversight, thousands of Tor Mail users are perspiring, wondering when the knock on their door will come.

The big question across the Dark Web is what will succeed Tor Mail. Here are the early contenders:

  • BitMessage is a decentralized, encrypted and peer-to-peer messenger. This program has seen a surge in popularity since the Snowden leaks.
  • TorChat is an easy-to-use anonymous messenger designed to fit nicely into the Tor environment. It has been widely used across the Dark Net spectrum since before Tor Mail’s fall.
  • PrivNote is a Clear Net messenger service that deletes notes once they’re read. Silk Road vendor RxKing prefers this service, but others refuse to use it, citing multiple security concerns.
  • SMS4TOR is a Tor-friendly version of PrivNote that has gained considerable traction thanks to being based on a Tor hidden service.
  • I2P-Bote uses the I2P anonymizing software to provide a decentralized, encrypted, verified email service. The service is only in alpha and, due to its reliance on I2P, will probably not be widely adopted.
  • Privatdemail is an email service with a focus on privacy (as opposed to anonymity). Here’s a fun fact: You apparently can’t email Israel because the servers are located in an Arab country that forbids it. That policy will not inspire confidence, but even so, Privatdemail is already in use.
  • RiseUp is an email service built for “liberatory social change.” Users must apply and be approved for accounts, proving that they are activists fighting for positive change, which is whatever RiseUp’s founders deem it to be. In exchange, RiseUp keeps minimal logs, encrypts your data and defends your communications unlike many corporate email services.
  • Nym is a remailer that allows you to send encrypted emails without them being traced back to you, the sender.
  • Mixmail is a remailer similar to Nym but is much easier to use. It strips out identifying factors like an IP address, making a quick, anonymous email an easy proposition.
  • Jabber is a popular open-source, decentralized messaging system. It’s widely used by journalists already, particularly in the Middle East.
  • is a currently-in-development tool that promises to allow encrypted and decentralized video and text chat reminiscent of Skype—only without Microsoft allowing the American government to listen in as they do.

Even when Tor Mail was the de facto king of Dark Web communication, it was not ubiquitous. Now that trust is in short supply, other services have seen an influx of users in the past week.

Many people have wondered if and when another simple and trustworthy Tor email service will pop up. It’s a major market opportunity that comes with serious risk. Hushmail, a Canadian service that was once upon a time the encrypted email darling of the Dark Web, came under immense pressure from the American government and eventually turned over clear text emails to law enforcement in 2007.

What comes next is anyone’s guess. The only sure thing is that any smart user wishing to maintain privacy ought never to fully trust any service and should always encrypt their communications. Anything less is asking for trouble.

from here