What the FREAK !

Earlier this month news broke that Google, Apple, and Microsoft are vulnerable to a new bug poetically called Factoring RSA Export Keys, or FREAK. The cause of the FREAK bug is not new. In fact, the origin of FREAK goes back to the 1990s and government meddling.

Paul Ducklin at Sophos’ Naked Security blog explains that FREAK is a risk to all users. It is a risk because an attacker can trick you and the server into settling on a much weaker HTTPS encryption scheme left over from the 1990s. Basically, the attacker gets you to use what’s called “export grade” RSA encryption. Export grade encryption is a ghost from an earlier U.S. Gooberment attempt to break encryption. In the ’90s the NSA required exported encryption to be deliberately weakened. The idea was that export grade keys were just about good enough for everyday, not-so-secret use, but could be cracked by superpowers with supercomputers if national security should demand it.

No one should be using export-grade keys anymore – indeed, no one usually does. But according to Sophos, many clients and servers still support them. Somehow, in 2015 it never seemed to matter that the 1990s code was still lying around.

If attackers can watch the traffic flowing between vulnerable devices and websites, they could inject code that forces both sides to use 512-bit encryption, which can be easily cracked. In 1999 it took researchers seven months to crack such a key; the article claims that in 2015 the same crack takes about 12 hours and $100 using Amazon’s (AMZN) cloud. It would then be technically pretty straightforward to launch a MITM by pretending to be the official website.

Now that your security is compromised, an attacker can mount a “man in the middle” attack (someone who can listen in on and change the network traffic between you and your destination server).

Additionally, the author says many servers use the same RSA key over and over again. This allows attackers to use the compromised export grade key to decrypt other sessions that used the same key. Another risk Sophos claims is that export-grade keys allow evil-doers to steal both the public and private keys by using a technique known as “factoring the modulus.” With the critical private key, criminals can now sign traffic from an imposter website as though it came from a trusted third party.

The author says the team that identified the original FREAK vulnerability claims to have used this bug to create a fake nsa dot gov. University of Michigan computer scientists J. Alex Halderman and Zakir Durumeric told InfoSecurity that the vulnerability affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains.

The good news, according to Sophos: Users of Chromium/Chrome and Firefox are OK.

The bad news – the bug affects TLS/SSL, the security protocol that puts the S into HTTPS and is responsible for the padlock in your browser’s address bar. The bug is known to exist in:

  • OpenSSL’s TLS implementation (before version 1.0.1k), which includes Google (GOOG) Android’s “Browser” browser, and therefore probably Samsung’s (005930) derived browser known as “Internet.”
  • Apple (AAPL) SecureTransport, which puts OS X software at risk, including Safari.
  • Microsoft (MSFT) Windows Schannel TLS library, which puts Windows software including Internet Explorer at risk.

You can check to see if your browser is vulnerable to the FREAK attack on a UMich page here.

You can also check on your favorite website on this UMich page.
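Beyond the UMich browser and site checks, an administrator can audit their own configuration for the two conditions the post describes: export-grade cipher suites still being offered, and an OpenSSL 1.0.1 build older than 1.0.1k. The script below is an added example written for this page, not code from Sophos, UMich, or the Bach Seat; the cipher suite names and OpenSSL version banners in it are constructed sample input rather than output from any real host, and the regular expression for spotting export suites is my own heuristic based on how those suites are named.

```python
"""Audit a TLS configuration for FREAK exposure (added example, constructed data).

Two defender-side checks the post implies:
  1. flag export-grade cipher suites in a list and return the list without them;
  2. decide whether an OpenSSL 1.0.1 version banner predates 1.0.1k, the
     fixed version the post names for that branch.
A third function builds a Python ssl context whose cipher string never
admits export suites, so a downgrade has nothing to land on.
"""
import re
import ssl

# Constructed sample: IANA-style and OpenSSL-style suite names, as a
# 2015-era server might have advertised them (not from any real scan).
SAMPLE_CIPHERS = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-RC4-MD5",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "DES-CBC3-SHA",
]

# Heuristic (my own, not an official list): IANA names carry "_EXPORT_",
# OpenSSL names start with "EXP-", and export suites use 40-bit RC4 or DES40.
_EXPORT_RE = re.compile(r"(^EXP-|_EXPORT_|_40_|DES40)", re.IGNORECASE)


def is_export_suite(name: str) -> bool:
    """True if the suite name denotes an export-grade (deliberately weakened) cipher."""
    return bool(_EXPORT_RE.search(name))


def audit_cipher_list(names):
    """Return (flagged, hardened): export suites found, and the list without them."""
    flagged = [n for n in names if is_export_suite(n)]
    hardened = [n for n in names if not is_export_suite(n)]
    return flagged, hardened


_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def openssl_1_0_1_vulnerable(banner: str):
    """For an OpenSSL 1.0.1 banner such as "OpenSSL 1.0.1j 15 Oct 2014", return
    True if it predates 1.0.1k, False otherwise.  Returns None for any other
    branch, because the post only gives the 1.0.1k threshold and other
    branches had their own fixed releases."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    if (major, minor, patch) != (1, 0, 1):
        return None
    # Patch letters are sequential releases: "" < "a" < "b" < ... < "k".
    return letter < "k"


def hardened_client_context() -> ssl.SSLContext:
    """Client context restricted to forward-secret AES-GCM suites.
    The cipher string lists only modern suites, so no export suite can be
    negotiated even if a server (or a man in the middle) proposes one."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def export_suites_enabled(ctx: ssl.SSLContext):
    """Names of export-grade suites the context would still offer (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers() if is_export_suite(c["name"])]


if __name__ == "__main__":
    flagged, hardened = audit_cipher_list(SAMPLE_CIPHERS)
    print("export-grade suites found:", flagged)
    print("hardened list:", hardened)
    print("1.0.1j vulnerable:", openssl_1_0_1_vulnerable("OpenSSL 1.0.1j 15 Oct 2014"))
    print("export suites in hardened context:", export_suites_enabled(hardened_client_context()))
```

Feed `audit_cipher_list()` the suite names from your server’s real configuration, and `openssl_1_0_1_vulnerable()` the banner from `openssl version`; the context function is the client-side counterpart for Python programs that make their own HTTPS connections.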

rb-

“Export grade” encryption was largely abandoned by 2000 because it was a bad, silly idea. It hurt the US software industry and Americans who bought an inferior product. It is still a dumb idea in 2015, as the Gooberment wants to cripple the latest generation of encryption by putting backdoors into encrypted messaging. They seem to have won with Google. Google has dumped plans to encrypt communications by default in Android.

In the short term, if you are worried, use another browser, such as Firefox or Chrome.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Anthem Data Breach Hits BCBSM Users

The recent cyber-attack on the second-largest health insurance company in the U.S., Anthem Insurance, was allegedly pulled off by Chinese hackers. Now the attack, which I covered here, has spread to Michigan. Emily Lawler at MLive is reporting that Michigan residents are caught up in the national healthcare insurance data breach.

The data compromised at the Anthem health insurance company covers an estimated 80 million people, including 636,075 Blue Cross Blue Shield of Michigan users. According to the article, some of the compromised information could have come from BCBSM customers. A BCBSM spokesperson told MLive there was a “strong possibility” some BCBSM customer data had been caught up in the data breach.

BCBSM is an affiliate of the compromised company, so the Michigan firm shared critical customer information with Anthem. The affiliation allowed the attackers to gain access to Michigan BCBSM users. Ms. Lawler cites information from Anthem’s initial investigation, which found that the Michigan personally identifiable information (PII) that could have been compromised includes names, dates of birth, social security numbers, addresses, phone numbers, email addresses and employment information.

Reassuringly (snark), BCBSM and Michigan’s Department of Insurance and Financial Services have been monitoring the data breach and its potential effect on Michiganders. BCBSM External Affairs Manager Stephanie Beres told MLive that numbers from Anthem say 636,075 Michigan residents are impacted. That includes 410,990 Anthem members and 225,745 customers of Blue Cross Blue Shield, Ms. Beres said.

rb-

Anthem is sending letters to those impacted by its oopsie and will offer two years of free credit monitoring and identity theft repair. According to Anthem’s website, AllClear ID will provide the credit monitoring services. Those who think they may be affected are encouraged to visit a website Anthem has set up to distribute information about the hack, www.anthemfacts.com.

Related articles
  • Connecticut bill requires insurers to encrypt personal data (newsday.com)


Michigan Phone Spying Stalled

Warrantless cell-phone spying legislation has stalled in the Michigan House. MLive reports that House Bill 4006 has been pulled from the agenda for the second time in as many weeks. In a flash of rationality, Gideon D’Assandro, a spokesperson for the Republican majority, said new questions about jurisdiction and proposed immunity for wireless providers have popped up. D’Assandro told MLive, “… There’s still questions.”

The legislation, sponsored by Republican Rep. Kurt Heise of Plymouth Township, has prompted push back from some conservative lawmakers and privacy proponents in the state Legislature after advancing out of committee last month. “It’s been a heated discussion, a passionate discussion, just about the civil liberty issues that are all wrapped up in this,” said Rep. Cindy Gamrat, R-Plainwell.

My concern is … we’re setting precedent authorizing government to access our technology devices, such as phones or computers or GPS in cars. Where do you end up drawing the line?

State Rep. Todd Courser, R-Lapeer, said he understands the value that location information could offer in some emergencies but made clear that he could not vote for the bill in its current form. He told MLive,

I think we also need to make sure we’re giving people the constitutional protections that are supposed to be afforded by our founding fathers.

In typical goobermental double-speak, Heise, the sponsor of the bill to legalize NSA-style phone snooping in Michigan, told MLive that allowing warrantless access to private citizens’ phones could actually strengthen civil liberty protections. Heise even told MLive he does not think that notifying cell phone owners whose phones the State of Michigan snooped on is necessary.

I am not a crook

Warrant-less access to private citizens phones could actually strengthen civil liberty protections

Of course, law enforcement groups and Verizon (VZ) indicated support for the proposal to gain even more access to citizens’ private information. As now written, the snooping does not require a warrant. All a police officer needs to access a private citizen’s phone records is a note signed by a supervisor.

rb-

Get hold of your House Rep (contact info here) and tell them to keep NSA-style warrant-less phone spying out of Michigan and vote this bill down.

Stop the slide down the slippery slope, despite what the Koch Bros. and ALEC want.

Of course, the cops can just call their friends at Homeland Security and get the data and end-run the Constitution.


New Authentication ‘Fingerprints’ How You Move

We all know that passwords are hideous things. They take up too much time and are not that effective. In fact, Gartner (IT) says that password resets represent 30% of help desk calls. Readers of Bach Seat know that the most commonly hacked passwords change very little from year to year.

Generating and remembering effective passwords is difficult and unnatural. A lot of us are awful at it, and there’s almost no improvement in the list of most common passwords from year to year (as I most recently covered here). Meanwhile, computers improve their ability to crack passwords by brute force and cunning every year.

So where there is chaos there is profit. A new area of research is to replace passwords with a user’s behavior. Mark Stockley at Sophos’ Naked Security blog reports that researchers at West Point are working to get rid of passwords. The Cadets are working to produce a new identity verification system based on users’ behavior, described as a next-generation biometric capability. The research is being developed as part of the active authentication program run by DARPA.

The article explains that authentication has traditionally relied on users producing one or more of the following: something you know (such as a password or PIN), something you have (such as a number from an RSA key) or something you are (such as your fingerprints or face). The technology that West Point is working on, called behavior-based biometrics, adds another factor to the mix: something you do.

According to DARPA the first phase of the active authentication program will focus on biometrics that can be captured through existing technology, such as analyzing how the user handles a mouse or how they craft the language in an email. The contract document, reported by Yahoo Finance, describes the technology as a “cognitive fingerprint.”

“…when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint’.”

Cognitive fingerprints will offer significant advantages over existing forms of authentication. According to Sophos, the new technology has several advantages over passwords because it does not:

  • Require the specialized hardware that other biometrics need, and
  • Rely on users remembering strong passwords, something humans are naturally bad at.

Cognitive fingerprints should also give systems the ability to authenticate users continuously, keeping people logged in so long as they’re present and then logging them out as soon as they leave.

Nancy Gohring at FierceITSecurity recently wrote about a similar approach to user behavior authentication. Alohar Mobile, now owned by Alibaba, has figured out a way to use the sensors in mobile phones to create a profile of the unique way that you walk, using that “fingerprint” for authentication. Sam Liang, Alohar’s founder and CEO, has claimed, “We have a system that allows the payment system to use the location tracking and the motion sensor to authenticate and detect fraud.”

According to Ms. Gohring, Alohar’s patent describes a host of unique biometric patterns the firm can collect from the phone’s accelerometer and gyroscope to identify the person using the phone. They include:

  • The speed/cadence/pace at which the mobile user normally walks
  • The ‘bounce’ of the mobile device in a person’s pocket, bag or purse as they walk or run
  • The motion pattern when a person reaches for their mobile device in a pocket
  • How the user moves the device to their ear
  • Even the angle they hold the mobile device.

After collecting data about a user’s movements, the system would create a profile of the user. When the person tries to use the phone to buy something in a store, the system would compare the user’s profile against the recent movements of the person using the phone, making sure they match. If they don’t, the retailer can ask the user for other forms of identification. The system could work similarly for e-commerce transactions.
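The enroll, profile and compare steps described above can be shown in a few dozen lines. What follows is an added toy example written for this page; it is not Alohar’s or West Point’s code and is not derived from the patent. The feature set (walking cadence, pocket bounce, pickup-motion duration, hold angle), the enrollment readings, and the thresholds are all constructed for illustration. The matcher summarizes each session as a feature vector, builds a per-feature mean and spread from enrolled sessions, and scores a new session by how many standard deviations each feature sits from the profile; it also handles the case the paragraph leaves implicit, a profile too thin to trust, by stepping up to another form of identification rather than guessing.

```python
"""Toy gait-profile matcher (added example, constructed data).

A profile is the per-feature mean and population standard deviation over
enrolled sessions.  A new session is scored by its largest absolute z-score;
if any feature is more than Z_THRESHOLD deviations out, the decision is
"step_up" so the retailer asks for another form of identification.
"""
from statistics import mean, pstdev

# Feature vector layout: steps per minute, pocket bounce amplitude (g),
# seconds taken to pull the phone from a pocket, hold angle in degrees.
FEATURES = ("cadence_spm", "bounce_g", "pickup_s", "hold_angle_deg")

# Constructed enrollment data: ten sessions from the legitimate owner.
ENROLLED = [
    (112, 0.31, 1.4, 52), (115, 0.29, 1.3, 55), (110, 0.33, 1.5, 50),
    (114, 0.30, 1.4, 53), (113, 0.32, 1.6, 54), (111, 0.28, 1.3, 51),
    (116, 0.31, 1.4, 56), (112, 0.30, 1.5, 52), (114, 0.34, 1.4, 53),
    (113, 0.31, 1.3, 54),
]

MIN_SESSIONS = 5     # fewer than this and the profile is too thin to trust
Z_THRESHOLD = 3.0    # any feature this far out triggers a step-up check
MIN_SPREAD = 1e-6    # guards against division by zero on a constant feature


def build_profile(sessions):
    """Return {feature: (mean, stdev)}, or None if there are too few sessions."""
    if len(sessions) < MIN_SESSIONS:
        return None
    columns = list(zip(*sessions))
    return {f: (mean(c), max(pstdev(c), MIN_SPREAD))
            for f, c in zip(FEATURES, columns)}


def score_session(profile, session):
    """Largest absolute z-score across the features (0.0 is a perfect match)."""
    return max(abs(value - profile[f][0]) / profile[f][1]
               for f, value in zip(FEATURES, session))


def decide(profile, session):
    """'allow' when recent movement matches the profile, otherwise 'step_up'.
    A missing profile also steps up: with no baseline there is nothing to
    compare against, so the system must not wave the transaction through."""
    if profile is None:
        return "step_up"
    return "allow" if score_session(profile, session) <= Z_THRESHOLD else "step_up"


if __name__ == "__main__":
    profile = build_profile(ENROLLED)
    for session in [(113, 0.31, 1.4, 53),   # constructed: looks like the owner
                    (90, 0.45, 2.5, 30),    # constructed: very different gait
                    (113, 0.31, 1.4, 60)]:  # constructed: only the hold angle is off
        print(session, round(score_session(profile, session), 2), decide(profile, session))
```

Two design points worth noting: the z-score threshold means a single unusual feature is enough to step up, which is the conservative choice for a payment check, and the profile carries only four summary numbers per feature rather than raw sensor traces, which limits what an attacker learns if the profile store is exposed.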

The patent describes other uses for the profiling system beyond authentication. The article claims the inventor describes a scenario where if a user often goes to an elementary school or a daycare center, the service could send targeted advertising or information about kid-related events to the user.

In the future, Mr. Liang hopes to be able to collect even more data from more kinds of devices, like fitness trackers and health monitors. He told FierceITSecurity, “In the future, the phone will be able to tell, are you happy or depressed based on the way you walk, the speed you move around, the way you swing the phone.”

rb-

Biometrics has been waiting in the wings as the Next Big Thing in authentication for years. Transparent, behavior-based biometrics like those being developed by Alohar and West Point could give the nudge that’s needed to push biometrics into the mainstream, but Sophos’ Stockley argues there are two major obstacles to the widespread adoption of biometrics.

  • You can’t change your biometrics – How do you change yourself if your biometric password is compromised?
  • For all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control.

Behavior-based biometrics will happen invisibly, which is convenient, but it will require us to be comfortable ceding that feeling of control too, says Mr. Stockley.

Behavior-based biometrics will draw the ire of privacy advocates for its invisible, seamless identification and roots in the military, as it may allow for wider monitoring of society.


Net Neutrality – We Win

Let the lawsuits begin!


In addition to the lawyers lining up to squash Net Neutrality, Michigan’s own Fred Upton—who holds personal investments in AT&T, Comcast, and Verizon—has introduced anti-Net Neutrality legislation that eliminates the FCC’s authority to regulate internet service providers. It could crush the agency’s ruling and allow AT&T (T), Comcast (CMCSA) and Verizon (VZ) to rule the Internet at our cost, to grow their profits.

rb-

I have already seen an ad on BrightHouse cable from Broadband For America (whose membership page is empty) claiming that the FCC ruling will force them to raise taxes. Here come more imaginary “regulatory re-capture” fees.

For right now, this is a rare win for the 99% in post 9-11 ‘murica. Just follow the money.
