
RFUN18

10/24/2018

RFUN is Recorded Future's yearly conference. It's a 2-day event. The first day was multiple keynotes and breakout sessions, and the second day was talks and training sessions for the tool. This year it was held at the InterContinental (The Wharf) in Washington, DC.

Day 1:
Welcome and Featured Speakers all morning.

Christopher Ahlberg (CEO/Co-Founder of Recorded Future) - Opening remarks
Christopher provided some insights into where Recorded Future is going and the current state of the company. One word: "GROWTH". The company has grown 90% since RFUN17! Congrats to the team at RF!
A couple of points from his talk:
* In the near future (prior to 2020) your company/business will be judged not just on your earnings but also on your on-line/corporate risk reputation. The corporate risk surface will be made up of many factors (data points) gleaned from incidents, attack surface, company RELATION to other companies with incident issues, company RELATION to supply chain incidents, and overall on-line persona (rep).
** Recorded Future is in the 'beta' stage for a new offering which will help companies understand their Corporate Risk Surface. By analyzing data available to the RF platform they can provide details of where/what/who/how things are affecting this overall rating or score.
Geoff Brown from NYC Cyber Command:
Geoff is the Chief Information Security Officer for the City of New York. He discussed the NYC Cyber Command and its role in the overall security of the city. He discussed how the CITY is making a strong effort to keep citizens' information PRIVATE.
NYC provides a free app to citizens to help them know if their mobile device has a security issue (ie: malware, connecting to suspicious wifi, etc): https://secure.nyc/
The city is also trying to provide 100% free wifi to all citizens: https://www.link.nyc/ One major reason for providing this 'service' is to give users a secure wifi/network to connect to and to reduce the number of wifi hotspot attacks.
The NYC Cyber Command has multiple roles: 
* Education - Cyber education for citizens AND to bolster the Cyber workforce
* Incubation - Research and Innovation 
* VC/City Funding into new Security and Safety Measures in the city. 



Priscilla Moriuchi from Recorded Future:
Priscilla discussed the importance of Attribution. 
Key takeaways, with Attribution you need to know:
* How
* Who 
* What was hit
* Risk of future attacks

Operations/Companies cannot be happy with just getting threats/attackers off their networks after an incident. They need to understand how it happened and fix the root cause of the problem. To do this you need to understand the environment and assets, have the ability to constantly improve your detection, defenses, and response capabilities, and have an understanding of who would want to attack you and why.

Threat Intelligence Awards: 
Shout out to my colleague Danny Chong for his nomination!




Alexander Schlager from Verizon:
Discussed the role of Corporate Risk and how very soon companies will be evaluated by their Corporate Risk Score along with the other metrics used today in deals, purchasing, and everyday business activities. He mentioned the importance of Sector Analysis and understanding that every Sector (Industry) will be affected by threats in different ways and through different attack vectors. Key takeaway here: Corporate Reputation scores will be influenced by Risk Scores and security incidents. Supply chain attacks CAN and WILL have an effect on your Corporate Reputation, so you need to be aware of what your partners are doing (and aren't doing).
Mind Hunter: 
Presentation about different Threat Actors.  Great discussion but not allowed to post about it :) 

Key takeaway: Don't reuse passwords, and don't use the same password across platforms/applications.

Splunk Smarter: Security Operations with Threat Intelligence: 
Rich Dube from the Recorded Future delivery team presented on integrating Recorded Future Threat Intel into Splunk. Utilizing the watch lists and correlation rules in the Recorded Future Splunk app gives users the information needed for better decision making and alerting. Threat Intel ingestion into the platform keeps getting more efficient, and data enrichment is a necessity when doing IR!

Day 2
Good and Bad, Indicators Beget Indicators - Why Not All Indicators are Good IOCs
Adrian Porcescu

Adrian Porcescu from the Recorded Future Professional Services team discussed the use of IOCs and how one size doesn't fit all. An organization needs to understand its environment and assets to be able to apply good Threat Intel. An IOC might be more severe against a company in another industry than it is in your environment. You need to have the ability to adjust the risk score (or severity) associated with an IOC based on the asset it is trying to attack/hit. Just like IDS rules: if you have a UNIX rule in your rule base with NO UNIX servers in your environment, you will be flooded with false flags and miss some of the important alerts.

Adrian discussed the importance of chaining IOCs together for a better understanding of what is happening. One example used was hosts calling out to the DNS server 8.8.8.8, which in most cases would be a LOW severity because it is a Google DNS server, but if you are paying attention to traffic before and after the call you might see some activity related to malware or some other threat. The 8.8.8.8 IOC on its own might not be helpful, but together with more log sources and visibility it could be an indicator of something bad.

Organization 'context' is important: 
* What do they do? 
* What do they have? 
* What are they running? 
* Who do they work with? 

The ability to categorize assets and understand the traffic patterns and behaviors in your environment will be the determining factor in stopping threats. One example he used was traffic seen in a client environment 'talking' with a vendor service which the client uses as part of their delivery. It was originally marked as a false alarm, but upon further review, and after categorizing assets in the environment, they could determine the server 'calling' out to the vendor service was not part of the systems that 'should' be using the service. The IR process was followed and the host was removed and examined offline.

Adrian hit on Discovery and Detection:
  • Discovery using IOC data/context against historical data
  • Detection using IOC data against real time/now data
Both methods are very effective but have totally different uses. He also said organizations should have some level of maturity model around these methods. Just like most things in life, how do you know where you are going if you don't have a map... You need to gather metrics around these activities and study whether they are helping your defensive capabilities.

It was nice to see ARGUS in his presentation. If you don't know Argus, check it out: https://qosient.com/argus/ . It can be used for all sorts of captures/replays of pcap type data. In Adrian's example he was passing a list of IOCs into a filter in Argus to see if there had been any traffic in the capture (historical search). I've used ARGUS a ton in the past and will be starting a new project which includes Argus in the near future. Keep an eye here: https://github.com/mabartle/bloodhound

$ ra -nnnr argus.log.1.gz - 'indicator'
- Argus - next-generation network flow technology, processing packets, either on the
wire or in captures, into advanced network flow data.
- nnn - lookup any address names
- r - read from file
- You can add the logic of your logrotate
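To make the two ideas above concrete (the 8.8.8.8 chaining point and the discovery search of historical flow data), here is a small Python model I've added; it is not code from Adrian's talk or from Argus. The flow records, the IOC list and the asset roles are all constructed for the example, and the 'ts src dst dport' line format is only loosely modelled on ra output.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed indicator list: destination ip -> (base severity, note).
# 8.8.8.8 is deliberately LOW on its own, as in the talk.
IOCS = {
    "8.8.8.8": ("low", "Google public DNS, benign on its own"),
    "203.0.113.45": ("high", "constructed: address from a malware report"),
}

# Constructed asset context: only the resolver should query external DNS.
ASSET_ROLES = {
    "10.0.0.5": "workstation",
    "10.0.0.9": "dns-resolver",
}

# Constructed historical flow records (the 'argus.log' being searched).
SAMPLE_FLOWS = """
2018-10-25T09:00:00 10.0.0.9 8.8.8.8 53
2018-10-25T09:01:00 10.0.0.5 8.8.8.8 53
2018-10-25T09:01:20 10.0.0.5 203.0.113.45 443
2018-10-25T09:05:00 10.0.0.5 198.51.100.7 443
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse constructed 'ts src dst dport' lines into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def score_flows(flows, window=timedelta(seconds=60)):
    """Discovery pass over historical flows.

    Every flow whose destination is on the IOC list is a hit, but the
    severity is adjusted with context, the way the talk describes:
      1. asset context: a workstation doing its own external DNS is not
         expected in this environment, so 8.8.8.8 moves from low to medium;
      2. chaining: a DNS call to 8.8.8.8 followed within `window` by traffic
         from the same host to a high-severity IOC becomes high.
    Returns a list of (flow, severity, reason) tuples.
    """
    hits = []
    for f in flows:
        if f.dst not in IOCS:
            continue
        sev, reason = IOCS[f.dst]
        if f.dst == "8.8.8.8":
            if ASSET_ROLES.get(f.src) != "dns-resolver":
                sev = "medium"
                reason = "external DNS from a host that should use the internal resolver"
            later = [
                g for g in flows
                if g.src == f.src and g.dst in IOCS and IOCS[g.dst][0] == "high"
                and f.ts < g.ts <= f.ts + window
            ]
            if later:
                sev = "high"
                reason = f"DNS to 8.8.8.8 followed by traffic to {later[0].dst} within {window}"
        hits.append((f, sev, reason))
    return hits


def summarize(hits):
    """Metrics for the discovery run: how many hits landed at each severity."""
    return dict(Counter(sev for _, sev, _ in hits))


if __name__ == "__main__":
    for flow, sev, reason in score_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.ts.isoformat()} {flow.src} -> {flow.dst}:{flow.dport} [{sev}] {reason}")
    print(summarize(score_flows(parse_flows(SAMPLE_FLOWS))))
```

The resolver's own 8.8.8.8 query stays low, while the workstation's identical query is raised to high only because of what the same host did twenty seconds later; a detection pass on live data would apply the same rules per record as it arrives.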
Threat Intelligence with Automation and Orchestration -
Randy Conner

Randy presented on automating some of their security operations in ServiceNow with Recorded Future data. He hit on the high points of Automation and Orchestration and the time/resource savings that can be made. He provided some great examples of using Threat Intelligence with asset data to drive IR and weed out false positives, further driving home one of the important takeaways from the conference: YOU NEED TO KNOW YOUR ENVIRONMENT. No level of threat intel will protect you from the 'bad guys' if you don't understand what is in your environment. Randy discussed some great use cases and showed examples of where automation has saved his organization a ton of time and effort. By utilizing their CMDB to cross-reference some threats (with CVE numbers) they can quickly identify where/what assets are affected and roll out patches and/or protections quickly.

A word of caution for anyone entering the 'world' of automation: it isn't just building a playbook and calling it a day. A lot like software development, you need to define what (and why) you are developing a playbook, how it will be tested, how it will be rolled out into production, how (and who) this automation will affect, and how changes will be communicated to the organization overall.
Intelligence, Vulnerabilities, and Patching
Ryan Miller 

Ryan presented some great information on vulnerabilities and exploits. He showed timelines of some of the heavy exploits used last year and the time it took between the vulnerability and the delivery method. In a lot of cases the vulnerability-to-exploit time might have been shorter than it took for the vendor to come out with a patch or workaround. This highlights the need to have good knowledge of your environment/assets and the related products/services/applications they use, so you KNOW when a new vulnerability is out and if/when it will affect you. He stressed the need for dedicated resources within organizations to do vulnerability research and keep up with trends in this area. He discussed using the Recorded Future platform to gain insight into new vulnerabilities which are coming out and which may not be talked about in the 'normal' channels (dark web): using this data for tracking/alerting, proactive analysis using mentions/notes from hackers on what exploits might be used, and using this data along with internal data to get a better understanding of trends in your company (like which vulnerabilities were used the most vs what you have in your environment).
Takeaways:
* Every company should have dedicated resources to investigate/research vulnerabilities and how they relate to the company environment (hosts, services, applications, etc).
* Vulnerability management in an organization is paramount: you need to know what has a patch and what is exploitable when the stuff hits the fan. You don't want to waste a ton of time on an exploit which will do little to no damage within your org.
* The '30 day standard' for patching is too long in most cases. You need to have a good patch process which weighs the priority/severity of new vulnerabilities against what is in the environment.
* A majority of the time, if you patch for the most widespread vulnerabilities it will protect you from a wide range of attacks. Bad guys are using readily available exploits, not 0-day type attacks.
* You need to have the internal ability to create your own detection methods against some of these new exploits. If you have an ear to the web (with tools like Recorded Future) you can create rules/alerts to trigger in case someone starts hitting you with an exploit against a vulnerability with no patch.
Until Next Year!
The Recorded Future team puts on a great conference. Every year the venue, events, and talks get better!  It was great seeing everyone!

Tenable Luncheon

10/22/2017

I attended a lunch and learn for Tenable yesterday in Tysons Corner. The talk covered their Tenable.io product mostly, with small mentions of their other tools/products: SecurityCenter and Nessus.
Tenable.io is their newest product. It has a faster scanning engine and more integration capabilities (web app scanning).
Here is the high level architecture of the tool.  The product provides all of the functionality of the old nessus scanner and has added multiple things: 
  • Active Scanner - Like the old Nessus product
  • Passive Scanner - Captures network information across the wire to inventory and alert for changes in the environment (between active scans)
  • Agent - Install an agent on endpoints for on demand/scheduled VM scans
  • API and SDK to start creating integrations with other systems in your environment
  • Third-party sources - The system is building 'connectors' to allow other systems to send information into the Tenable.io product. (The example they used was AWS: you enter your creds for the AWS environment, it will pull and load the CloudTrail logs and provide vulnerability information off of that data.)
  • Container Security - Plugin for the scanner to detect containers running on servers/assets




How you can utilize this tool:
  • OPS: Start utilizing the scanner during the on-boarding process of new devices and changes to understand your environments/assets.
  • OPS/IT: Utilize the active scanner to keep a baseline of your network/assets. Use the passive scanner as a way to keep an eye on things in that environment 'between' active scans.
  • DEVELOPMENT: If you are using Docker or any other container type technology and want to add another layer of security into your Security Lifecycle, part of the Tenable.io suite allows for scanning of Docker containers. This could be added to your CI/CD server to run scans against containers every time there is a build and add some additional security to your SDLC process.
  • Research/Intel: Pull output from the Tenable.io tool and match it with current threat details in your Threat Management Tool (I use Recorded Future to help with this piece). If done right it will take the vulnerability information, match it against the 'threats/risks', and provide a good guide on where to start with patching and the timeline needed.

IR17

9/15/2017

I attended the IR 2017 conference in Pentagon City this last week.  The vibe at this conference was great.  Everyone I met there was very friendly and open about current security issues and how they are handled.   Here is a round up of some of the talks I attended and my takeaways: 

Day 1
Keynote: 

Eric O'Neill gave the keynote about current security threats, ransomware being one of the bigger threats we are facing today. He shared a story about how they took down Hanssen, who was selling American secrets to the Russians. (Read more about it here.)

Complement to Attack Method - 
The talk was around building a standard for Playbooks/Workbooks for automation, so no matter what type of platform you are using you could apply the playbook from other tools (Phantom to CyberSponse, ThreatConnect, to Siemplify).

Takeaways: 
  • Good sites
    • http://www.threathunting.net/ - Good starting point for getting into Threat Hunting. 
    • CAR Mitre - Cyber Analytics Repository (CAR)
    • OpenC2 - OASIS Open Command and Control (C2) - Creating a standardized language for the command and control of technologies that provide or support cyber defenses



Building an IR Plan that your Organization will ACTUALLY USE! - Kelly McCracken - Salesforce
Discussed how Salesforce manages their Incident Response and laid out some great advice about building teams and collaboration. 

Takeaways: 
  • Define your IR process
  • PRACTICE!  Your organization needs to run through your IR process BEFORE there is an actual incident.
  • Scenario Planning;  Brainstorm different scenarios(Outage/Exploit/etc) and define what/who/how. 
  • One Message up to Management.  Define WHO is sending the message so you don't have multiple messages going to Management from multiple people. 
  • Representatives - Define who the point/representative is from each involved team.  Know who is the 'authority'/Incident Commander
  • Define Notifications:
    • internal -
      • Develop Communication matrix
      • Who is involved?  team/personnel
      • When will notifications be sent?
      • By who?
      • When will updates be sent and how? 
    • External
      • Check contracts for what is required for notifications to customers/clients.
      • Who approves the notifications?
      • Who develops the notifications? 

IR Preparation - Continuously Assessing Global IT Assets - Mark Butler CISO Qualys
Discussion around tracking your assets whether they are on-prem or in a cloud architecture.  Tracking and understanding threats against assets and what threats to worry about is paramount.  

Takeaways: 
  • Understanding Vulnerabilities in current environment and the ability to understand the RISK to current assets is vital to getting the correct patch/update out at the right time.
  • Asset management is crucial to security. If you don't know what you have, you are open to a HUGE level of attack and uncertainty. You need to be able to map active exploits to the assets that are at risk.
  • Need to monitor for changes in environment, new assets, changes to asset, etc.


Day 2
Keynote
CyberSecurity IR Social Maturity Handbook Discussion

Presentation around teams, communication, and collaboration.   The speaker and his team have researched the importance of communication and collaboration within a CSIRT atmosphere.  The handbook link is below.  I recommend if nothing else reading the Executive Summary of the Handbook.   Lots of great information and exercises to try with your teams. 

Takeaways: 
  • Copy of the handbook here: http://tinyurl.com/CSIRTeamworkRegistration
  • Hold weekly discussions with teams to discuss scenarios and how they were handled and identify ways to improve the tools, techniques, communication, and process.
  • Have a way to share 'what folks know' in the organization so teams know where to go for Subject Matter Experts and/or for help. 
  • Take time to build the team.  Trust can go a long way during an incident. 
  • There is a workshop coming up in Arlington VA Nov 16th: 

Accelerating Analysis with Decision Trees - Rodney Caudle
Great presentation on some of the research Rodney has done using decision trees to help with Incident Response: using root nodes and leaf nodes in a tree to walk through the specific questions which need to be answered, WHEN, and the choice/decision. The class was really collaborative; at the end we did a whiteboard exercise discussing a decision tree for blocking traffic from an attacking IP. (Image at bottom of page.)
Takeaways: 
  • Brain storm with your team/organization for different scenarios threat/security/etc and start talking through a decision tree.  It's a great whiteboard activity and you will find holes in your tools/process/techniques which you can improve on. 
  • Decisions trees are a good way to document what you would like to do in an Automation Platform. 
  • Rodney's SANS paper is available here: www.sans.org/reading-room/whitepapers/incident/investigative-tree-models-33183 
  • Create an Objective Statement for playbooks (what/why) to explain what each is used for and its value, so you have an easy way to communicate the overall goal of the playbook. It's also a nice way to define things in layman's terms so anyone from the Sr Analyst down to the Intern can understand what it is doing and why we need it.

How do I know my SOC is ready for Automation - Karlo Arozqueta
Discussed some of the steps from Carson Zimmerman's book on building a SOC:
  • ShmooCon talk: https://youtu.be/u4Zxk6WeVio
  • Ten Strategies of a World-Class Cybersecurity Operations Center (book)
Discussed the importance of training and growing analysts.  Using the right folks to mentor new employees not just folks that have 'free cycles' but the most productive members of the team.

Takeaways: 
  • Use different tools to test your security posture. One type of tool:
    • Verodin - Attack automation to audit people, process, and procedure
  • Do not forget to do things manually every once in a while even if there is automation.  Need to be able to use the tools if automation platform/process breaks. 
  • Teach new analysts a task not a tool.  if they know how to accomplish a task they will pick up the tools and techniques along the way and become a productive member of the SOC faster. 
  • Don't be afraid to let folks go if they are not producing, nothing worse than a poor analyst training a new analyst.  Poisoning the well. 
  • Make your star Analysts mentors, allow them to train and help new hires.  Don't pair your new hire with someone with 'spare cycles' because they might not always be the best for training. Aim for the most productive folks.
  • Define metrics and revisit them over and over again to make sure they are the 'right' ones and are showing you the good/bad/ugly.
  • Train your folks!  Get multiple people trained up on your tools/technologies.  Spend the money!
  • Use Food and Activities to build your team togetherness/trust.


Effective Use of Threat Intelligence to Speed Incident Response
Travis Farral 

High level discussion about the need for Threat Intelligence in IR.   Also the inclusion of the Intel team when doing IR.  

Takeaways: 
  • F3ead: http://smallwarsjournal.com/jrnl/art/f3ead-opsintel-fusion-%E2%80%9Cfeeds%E2%80%9D-the-sof-targeting-process

Blackhat 2017

7/31/2017

It's been 6 years since my last Black Hat and I'm glad I made it out this year. Everything was pretty awesome except maybe the travel out and back, but that's another blog altogether. Here is my rundown of talks and activities I attended:

Wed:
Keynote:  The Keynote this year was Alex Stamos the Chief Security Officer from FACEBOOK.  The main themes of his talk were collaboration in the industry, inclusion and diversification of everyone and anyone into the Security Field, and getting involved.  One of the highlights was a pyramid visual he used to show how most threats in security are the mundane things like patch management, password management, and basic phishing techniques.  
The smallest sliver was 0-day type attacks, but they get the most attention. Security is still the same as it was 10 years ago: defense in depth. His keynote is available here; his talk starts around the 30-minute mark.

Orange is the new Purple – April's talk about integrating more security discussions into the Software Development process: having Red/Blue teams engaged in the process so things like security, logging, and policy recommendations can be applied. It was a great talk and an important piece of building products with security built in and not as an afterthought. I worked with April at Digex back in the day and am happy to see all the success she is having. She is one of the great minds in the Security Field. Follow her on Twitter.


Splunking Dark Tools – A Pentester Guide to Pwnage Visualization – A pentest framework (DARK TOOLS) which is built in Python on top of Docker containers to allow Red Teamers to run against thousands of sites/targets easily. The Docker architecture allows it to use more resources and multi-thread work. The framework is easily extendable. This takes a lot of the heavy lifting out of the first phases of pentesting. The way the data is sent into SPLUNK and the visualization provided are of huge value. I encourage anyone involved in Red Team activities to check out this tool and follow Bryce here and on GitHub: https://github.com/TweekFawkes


Hacking Serverless Runtimes - I sat in on this talk for the first half hour. The main thing they showed was that there are issues in AWS/Cloud environments, but they aren't in the infrastructure; they are in what type of code is deployed in the environment and how IT can be exploited. The example they used was a Python script with an old/vulnerable library being used that gets called remotely and executed. This highlights the fact that any code which is deployed into a production environment needs to be QA'd and checked for vulnerabilities.


Vendor Hall - Spent some time walking around the vendor hall. As the manager of the R&D teams I need to keep an eye on what the trends are in the industry and where we are heading in the near future. The main themes from this year are: proactive hunting, EDR, machine learning, and behavior analytics. Each of these sounds great but they are very involved pieces of the security puzzle. To utilize machine learning and/or behavior analytics you need to define your implementation strategy and have realistic SET goals on what you are trying to accomplish with this technology. Machine learning and behavior analytics have huge possibilities in security and in many other areas that will affect our daily lives, but from what I saw in the hall we still have a ways to go. Once organizations start building more work process around ML/BA it will be another few years before we see the fruits of these labors.


What they’re teaching kids these days - Interesting presentation about the different tracks that are offered to College kids when it comes to security.  Most of the standards are set by NSA.  You can read more about it here:  www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense/  


Zero Days, Thousands of Nights - Good talk by Lillian Ablon. Interesting research around more than 200 zero-day software vulnerabilities and their exploits. She went on to discuss the need for undisclosed vulnerabilities and how different nation-states will use these in good and bad ways. Truth of the matter: there will ALWAYS be undisclosed vulnerabilities and the related zero-days.


Pwnie awards - https://pwnies.com/ Went to the annual Pwnie award ceremony Wednesday night. It's a fun atmosphere with awards for achievements and failures of security researchers and the security community. My favorite category was the Best Song... Here were some of the creative nominees: Dual Core, MC Hackudao, Hello (Covert Channel), Hacking in Song, Machines in Loving Disgrace. The last one was actually created by turning the malware of the last 20 years into song, converting it to audio...


Thurs:
Epocholypse 2038: What's in Store for the Next 20 Years - Great talk by Mikko talking about what we will/could see in the next 20 years of security. One concept he discussed was when EPOCH will run out in year 2038 (03:14:07 UTC on 19 January 2038 to be exact). It's similar to the Y2K issue we had, which caused a lot of fuss but the world kept on spinning :) He also discussed allowing machines to make decisions without human interaction, programs writing programs, and how hard it will be to stop some of these things once they are started. The next 20 years in Security will be VERY interesting; we all need to be diligent and hold each other accountable.


Advanced Pre-Breach Planning: Utilizing a Purple Team to Measure Effectiveness vs Maturity - Presentation around more coordination between Red and Blue Teams when doing assessments: allowing the teams to discuss the goods/bads/uglies of the engagement with the customer and providing useful strategies to change how they handle IR. One important concept he discussed was watching the OPS team while they are working an incident from detection to remediation and seeing how the Analysts think through what they are doing. Moving away from Run Books in a binder format to having these types of documents embedded into the IR tools the teams are using. You should still have a Crisis Management Plan; this is the last level of defense when the sh** is hitting the fan. This is the worst case scenario: power is out, systems are unreachable, etc.


Go to Hunt, Then Sleep - This was my favorite talk of the conference.  Rob Lee and David Bianco do a great job discussing Threat hunting in the form of a children's story. It's available here: speakerdeck.com/davidjbianco/go-to-hunt-then-sleep   The main theme of the talk is you need a PLAN to HUNT, it's not a random process to hunt for threats.  I like the mention of using PCR (Producer-Consumer Ratios) it took me back to my days of working with Network Flow information. Give the preso a read!


Quantifying Risk in Consumer Software at Scale – Fuzzing - Presentation around coming up with a way to quantify products with a Risk Score. Lots of discussion around the different apps and platforms and the use of fuzzing techniques. It's an interesting theory but VERY hard to implement, and the team presenting is having a hard time with resources getting it going. If you want to help, give them a shout: https://www.blackhat.com/us-17/speakers/Sarah-Zatko.html


Exploit Kit Cornucopia - Fun presentation on different Exploit Kits.  Presenters went through a few Exploit Kits and how they communicated using legitimate sites(and Ad Servers).  Good advice on paying attention to the URL patterns of these kits, looking for userids embedded.  Good site for tracking EKs: ektracker.com/ 
 
Lies, and Damn Lies: Getting past the Hype of Endpoint Security Solutions - Great presentation on Endpoint Security Solutions (AV/EDR/etc). The presenters Lidia Giuliano and Mike Spaulding have done extensive testing on multiple products and highlighted the limitations in those products. The biggest takeaway is that a lot of security products are NOT one size fits all; as a consumer you need to know what problem you are trying to fix and what tool will work best for that problem. Lidia/Mike have made the framework for testing these products, and if you are responsible for purchasing decisions at your company you should use this information. (Update: here is the GitHub repo: https://github.com/pinktangent/Endpoint-Testing )


Adventures of AV and the Leaky Sandbox - The last presentation I attended at BH. The presenters showed how they could exfiltrate information from an endpoint through the cloud-enhanced AV product. Essentially the malware is written to encapsulate the exfiltrated information within the 'rocket'. Once the piece of malware is run through a cloud AV/Sandbox environment the exfiltrated information is unpacked and communicated to the system of the malware writer's choosing. An interesting way of looking at getting information out of a 'closed' network/system. It brings up concerns about utilizing cloud based AV/Sandbox technology without proper vetting. If you are using cloud based AV you should look into this talk and verify with the vendor that they are not vulnerable to this type of technique.

As always Blackhat was a great time.  We are all battling the same issues and this conference allows us to collaborate and share our problems/solutions to make this world a better/safer place!

Good seeing everyone from the Old DIGEX and SILENTRUNNER crews!

Till next time!

Next on my conference agenda is RFUN (www.recordedfuture.com/rfun/ ) 

Bartlett


Been a While........

9/6/2012

It's been a while.. But now I'm back.

I think every Security "Professional" reaches a point in their career where they burn out..  Where even reading a security article about 0-days, vulnerabilities, social engineering just doesn't do it for you...  Where all the doom and gloom and 'truth' about computer security sets in and takes you over.  There is no real/true computer security, like there is no real security in life.  You can live your life, never leave your house, and feel more secure but live a dull life.   In computer security it is the unspoken fact in security circles that there is no real security.  You will always walk into a situation with a client/customer/etc where they 'think' they have a security plan but it is really just based on 'hope', not backed by strong practices/policies/procedures.  They patch up one infected/compromised machine and move on with business as usual, never really fixing the underlying problem.

But with every new dawn comes a new day.  Now it is time to start talking about the real problems with security and how we can fix them.

Don't be a One Password Pony...

6/7/2012


With all the social sites getting hacked/compromised lately I wanted to write a quick blog to state one thing, and one thing only:

DO NOT USE THE SAME PASSWORD FOR EVERY SITE YOU USE!!!!

Multiple sites in the last few weeks have reported that the passwords of a LARGE number of users have been compromised.

last.fm - http://nakedsecurity.sophos.com/2012/06/07/last-fm-password/

http://www.linkedin.com/  - http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/

http://www.eharmony.com/  - http://nakedsecurity.sophos.com/2012/06/07/eharmony-passwords-stolen/

You are probably asking yourself...  Why should I care??  Why do I need to use a different password for every site I use??  How can I remember a different password for each site???

Why should you care?? 
If a 'bad guy' can get into your account they can ruin your reputation, run charges up on your credit card, clear out your bank account, trick your friends and family by using your account, and the list goes on.

Why do I need to use a different password for every site I use??
Say one of the sites you frequent gets compromised and the 'bad guy' has your username and password.  It doesn't take much searching on the internet to find out who you are and what other sites you use.  How many sites do you use the same email address during registration??  If the 'bad guy' knows the email address and password he could possibly take over your on-line persona. 

If you use a DISTINCT/UNIQUE password for every site you frequent you will not have to worry as much when one site gets compromised.  Yes, it will still affect you, but far less than your 'global' password getting snatched and the 'bad guy' having access to every site you visit.

How can I remember a different password for each site???

What I do is create a password using numbers, letters, special characters, and something unique about the site. 

Here are a couple of examples:

$8899fb75! for Facebook

$8899link75! for LinkedIn

$8899mail75! for Gmail

As you can see, the above passwords are similar, but different enough that the same one is not reused from site to site, and they are a lot easier to remember.
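As an added example (my own script, not the author's), here is a small audit you can run over your own list of site passwords to catch the two problems this post is about: the same password reused on more than one site, and passwords that are "different" only by a short site token. The vault below is constructed for the demo: the first three entries are the example strings from the post, and the "bank" and "forum" entries are made up to show a reuse and an unrelated passphrase. The edit distance and the shared-prefix/suffix count show how much of one password carries over to the next, which is the part a practitioner would want to see before relying on a base-pattern scheme.

```python
from itertools import combinations

# Constructed sample vault (site -> password). The first three entries are the
# example strings from the post; "bank" and "forum" are made-up additions.
# None of these are real credentials.
SAMPLE_VAULT = {
    "facebook": "$8899fb75!",
    "linkedin": "$8899link75!",
    "gmail": "$8899mail75!",
    "bank": "$8899fb75!",                     # constructed: reuses the facebook password
    "forum": "correct horse battery staple",  # constructed: unrelated passphrase
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def shared_fixed_chars(a: str, b: str) -> int:
    """Characters identical at the start and at the end of both strings.

    For a 'base pattern + site token' scheme this is the portion that stays the
    same from site to site, i.e. the part that is no longer secret once one
    of the passwords has leaked."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    # Never let prefix + suffix exceed the shorter string ("aaa" vs "aaaa").
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix + suffix


def find_reuse(vault):
    """Pairs of sites whose passwords are byte-for-byte identical."""
    return sorted((s1, s2) for s1, s2 in combinations(sorted(vault), 2)
                  if vault[s1] == vault[s2])


def find_near_duplicates(vault, max_distance=4):
    """Pairs that differ by at most max_distance edits but are not identical."""
    return sorted((s1, s2) for s1, s2 in combinations(sorted(vault), 2)
                  if vault[s1] != vault[s2]
                  and levenshtein(vault[s1], vault[s2]) <= max_distance)


def audit(vault, max_distance=4):
    """Summary a user (or a help desk) can act on: which accounts need a
    genuinely new password rather than just a new site token."""
    report = {"reused": find_reuse(vault), "similar": []}
    for s1, s2 in find_near_duplicates(vault, max_distance):
        report["similar"].append({
            "sites": (s1, s2),
            "edit_distance": levenshtein(vault[s1], vault[s2]),
            "shared_fixed_chars": shared_fixed_chars(vault[s1], vault[s2]),
        })
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_VAULT)
    for pair in result["reused"]:
        print("REUSED :", pair)
    for entry in result["similar"]:
        print("SIMILAR:", entry["sites"],
              "edits =", entry["edit_distance"],
              "shared chars =", entry["shared_fixed_chars"])
```

Run against the sample vault it flags "bank"/"facebook" as an outright reuse and reports that the three example passwords from the post differ by four edits and share eight characters with each other. The threshold of four edits is a judgement call; tighten or loosen `max_distance` to suit the length of the passwords you are auditing.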

Cheers

Bartlett






LINKS: 01/08/2012 - 01/15/2012

1/10/2012


Just another reminder to not TRUST ANYONE when it comes to emails:
http://nakedsecurity.sophos.com/2012/01/10/fdic-malware/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

ASP.NET Patch - Exploit in wild - PATCH YOUR SYSTEMS - if you do NOT have automatic updates turned on, TURN THEM ON!
http://www.net-security.org/secworld.php?id=12192

    Author

    Security Researcher with about 20 years in the Computer Security Field. Going to talk even if no one is listening..

    email: mrbartlett <at> mrbartlett.com

