Finally, Twitter has implemented 2-factor authentication for its accounts. It is based on SMS messages: when you log in to your Twitter account, in addition to the username and password you are prompted for a 6-digit code that is sent to your mobile phone. Similar technology is used by some other companies (for example, Facebook and Bank of America). This is not the best solution (what if you are located out of the service zone?), but it is better than nothing. There are more robust solutions, which also use the mobile phone, implemented for example by Google and PayPal. They utilize software tokens: different smartphone apps (Google Authenticator and VeriSign VIP respectively) that nevertheless do the same thing: display a new temporary code every minute. Such an app generates the numbers from a preset seed and a mathematical formula, which does not require any server connection. Therefore, a phone with such an app can be used offline, the same way as a classic hardware token like RSA SecurID.
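The "seed plus formula" scheme behind Google Authenticator is standardized as HOTP (RFC 4226) and TOTP (RFC 6238); the following is an added example, not code from the post or from any of the vendors mentioned, that implements both sides of it: the phone's code generation and the server's verification with a small clock-drift window. The seed is the RFC test-vector value, used here only so the output can be checked against the published vectors; the 30-second step is the RFC 6238 default.

```python
import hashlib
import hmac
import struct
import time

# Shared secret, constructed for this example (the RFC 4226/6238 test-vector seed).
# In a real deployment it is provisioned once (typically via QR code) and never sent again.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch.
    Nothing here talks to a server; only the seed and the clock are needed."""
    return hotp(secret, timestamp // step, digits)


def verify(secret: bytes, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current period and +/- `window` periods
    to tolerate phone clock drift. Uses a constant-time comparison."""
    current = timestamp // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SEED, now), "valid:", verify(SEED, totp(SEED, now), now))
```

A real server should additionally remember the last accepted counter and refuse to accept the same code twice, otherwise a code captured during its 30-second life can be replayed.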
The National Security Agency has declassified a document that was previously a secret guide to search engine hacking, including Google and Yahoo. In fact, it is a full-size book (640 pages) called Untangling the Web: A Guide to Internet Research.
An interesting quote from the introduction: "We pay for the benefits of the Internet less in terms of money and more in terms of the currencies of our age: time, energy, and privacy."

I agree with the following quotes in this article:

"Facebook thinks it's more important to people than it actually is"

"The Facebookification of the mobile web is a threat to openness, to choice, to privacy - but only if you care about those things"

There is a new Mastercard which has an LCD screen and a keyboard. It looks like the plastic is becoming smarter and closer to a POS terminal in its functionality, which I guess will bring new security issues...
Sounds like an attempt to implement the "security through obscurity" principle:

Give social networks fake details, advises Whitehall web security official: "When you are putting information on social networking sites don't put real combinations of information, because it can be used against you." "When you put information on the internet do not use your real name, your real date of birth"

Finally...
New York Times: Panetta Warns of Dire Threat of Cyberattack on U.S. "Defense Secretary Leon E. Panetta warned Thursday that the United States was facing the possibility of a "cyber-Pearl Harbor" and was increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government."

Words that most people understand: Free, Unlimited, Service, File, Versioning, Folder, Hard Disk, Computer, Mobile, Web, Access, Sharing, Sync, Protected, Safe

Words that many people don't understand but can stand, get used to, and even like: Cloud, Drive, Failure, Secure, Backup, Storage, Application, Privacy, Encryption

Words that normal people don't understand and don't want to understand, although they use these things every day: Server, Client, File Server, Network, Balancing, Local, Port, IP, Address, DNS, Domain, Subdomain, Cache, Node, Peer, Cluster, Redundancy, HTTP, SSL, TLS, SSH, SFTP, AES, Compression, Cryptography, Symmetric, Asymmetric, Public Key, Private Key, Connection, RAID

[Update] NFC Phone/RFID credit card hack at DefCon XX: are PCI PTS certified terminals vulnerable? (8/1/2012) This is an update to the original post from 07/31/2012.
I got an answer from Eddie Lee, the author of this hack, regarding the PIN pad types (our conversation is actually published here at Forbes.com): "Hi Slava, I've personally tested replay on live Vivopay and Verifone systems. My impression is that the readers do very little, if any, verification. I'm not sure which readers are PCI PTS certified (and contactless), so I don't know if I've actually used one of those readers... certainly, there are a large number of existing/deployed readers that are still vulnerable. From my experience, there is little difference between the readers, so I would not be surprised if most/all systems are vulnerable to replay. Regardless, it would still be possible to skim and spend in proxy mode."

Interesting quotes and notes from Black Hat 2012 Day One:
Jeff Moss: "I fear Google more than I do the government." "The best money you can spend [on security] is on your employees."

According to Microsoft, Windows 8 uses enhanced mitigation techniques which are supposed to eliminate some threat types completely. The 64-bit version is more secure than the 32-bit one. (I will follow up with more details later on.)

Interesting analysis of the most frequently used passwords, thanks to the recent Yahoo security breach:
"• 2,295: The number of times a sequential list of numbers was used, with "123456" by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.

• 160: The number of times "111111" is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative "000000" is used 71 times.

• 780: The number of times "password" was used as the password. Apparently, absolutely no thought went into security in these instances."

The question is: why were they allowed to set up such a password by the Yahoo software in the first place? BTW, have you changed your Yahoo password after the breach?
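The rejection check that the question above implies is not hard to write at signup time. The following is an added example, not Yahoo's code or the article's, that flags exactly the patterns in the quoted statistics: sequential runs (forward or reversed), a single repeated character, and a dictionary word with a "token effort" suffix such as a trailing digit. The blocklist is constructed for the example; a real one would be the full leaked-password corpus.

```python
import re

# Constructed blocklist for this example only.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "abc123", "yahoo"}


def _is_sequential(s: str) -> bool:
    """True for runs of consecutive code points such as 123456, 654321 or abcdef."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def _is_repeated(s: str) -> bool:
    """True when the whole string is one character repeated, e.g. 111111 or 000000."""
    return len(s) > 0 and len(set(s)) == 1


def weakness_reasons(pw: str, min_len: int = 8) -> list:
    """Return the reasons a candidate password must be rejected; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if _is_repeated(pw):
        reasons.append("single repeated character")
    if _is_sequential(pw):
        reasons.append("sequential characters")
    # Strip trailing digits/punctuation so that password1 or password! are caught
    # as the dictionary word they really are.
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    if pw.lower() in COMMON_WORDS or core in COMMON_WORDS:
        reasons.append("common dictionary password")
    return reasons


def is_acceptable(pw: str) -> bool:
    return not weakness_reasons(pw)


if __name__ == "__main__":
    for candidate in ("123456", "654321", "111111", "000000", "password", "password1"):
        print(f"{candidate!r}: {weakness_reasons(candidate)}")
```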