Paper problems

A timely reminder that good information security practices don’t necessarily have anything to do with computers:

The health insurer Aetna is facing criticism for revealing the HIV status of potentially thousands of customers after it sent out a mailer in which information about ordering prescription HIV drugs was clearly visible through the envelope’s clear window.

For example, in a letter sent to a customer in Brooklyn, the window revealed considerably more than the address. It also showed the beginning of a letter advising the customer about options “when filing prescriptions for HIV Medic … .”

It’s funny; usually those envelope letter windows are considered best practice because they lower the risk of address/letter screw-ups. In this case, though...

haveibeenpwned.com Database Made Public

Troy Hunt, the guy that runs the extremely useful haveibeenpwned.com, has released his working password database in the form of SHA-1 hashes.

What this is: an extremely useful tool for people working in security, as they can hash passwords in use and see if they’re in this existing list, and thus probably in a dictionary file somewhere and vulnerable to a dictionary attack.

What this is not: a password list usable by crackers, because everything is in SHA-1 hash form.

Troy deserves all the credit in the world for doing a public service for free, and props to Cloudflare for offering to host a 6GB file (also for free).
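One way to run the "hash it and see if it's in the list" check described above, as an added example (not code from Troy Hunt or from this post). It assumes the download is a text file with one hex SHA-1 per line, optionally followed by `:count`; the function names and the sample list are constructed for illustration.

```python
import hashlib
import io

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (assumed file format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def find_listed(passwords, hash_lines):
    """Return the set of passwords whose SHA-1 appears in hash_lines.

    hash_lines is any iterable of text lines (an open file works), so a
    multi-gigabyte list is streamed once and never loaded into memory.
    """
    wanted = {sha1_hex(pw): pw for pw in passwords}
    found = set()
    if not wanted:
        return found
    for line in hash_lines:
        # Accept "HASH" or "HASH:count"; skip blanks and malformed lines.
        digest = line.strip().split(":", 1)[0].upper()
        if len(digest) != 40:
            continue
        if digest in wanted:
            found.add(wanted.pop(digest))
            if not wanted:
                break  # every candidate has matched, stop reading
    return found

# Constructed sample standing in for the downloaded hash file.
SAMPLE_LIST = io.StringIO(
    "\n".join([
        sha1_hex("password"),
        sha1_hex("123456") + ":42",       # "HASH:count" variant
        "not-a-hash-line",                # malformed line, ignored
        sha1_hex("letmein").lower(),      # lowercase hex is normalised
    ]) + "\n"
)

if __name__ == "__main__":
    candidates = ["password", "letmein", "correct horse battery staple"]
    hits = find_listed(candidates, SAMPLE_LIST)
    for pw in candidates:
        print(f"{pw!r}: {'LISTED' if pw in hits else 'not listed'}")
```

To run it against the real download, pass an open file handle as `hash_lines` instead of the sample.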