Tag Archive for Security

Emoji Passcodes Replace PIN at ATM

Followers of the Bach Seat know that passwords are evil. I have written about dumb passwords again, again and again. Now a firm in the UK wants us to replace our ATM PINs with emoji passcodes. The Verge brings us the latest theory on how to get users to choose passwords better than “123456,” “password,” and “12345678”: EMOJI. Yes, those Japanese pictographs that anybody over 15 loves to hate.

Intelligent Environments, a UK firm that makes digital banking software, figured that most users just don’t care about their passwords. So it created what it calls the “world’s first emoji-only passcode.” It offers a choice of 44 emoji that can be used to create a four-character PIN. The company told The Verge that the 44 emoji can create 3,498,308 possible permutations for non-repeating emoji passcodes, compared to just 7,290 for a traditional non-repeating PIN.

Replace your ATM PIN with an emoji

The firm believes that everyone loves emoji, so why not replace those pesky digits with them? Intelligent Environments is betting that forcing people to use emoji instead of numbers would also stop them from choosing weak PINs, the kind based on memorable events — birthdays and weddings, for example — that might be easily guessed.

The company quotes Tony Buzan, inventor of the Mind Map technique, who says the idea “plays to humans’ extraordinary ability to remember pictures, which is anchored in our evolutionary history.” Memory expert Buzan explains, “Forgetting passwords is because the brain doesn’t work digitally or verbally. It works imagistically.”

The Verge’s author points out that while it is certainly a clever idea, we shouldn’t get too excited yet. This is not the first PIN replacement we’ve seen, and implementing these ideas is always far more difficult than coming up with them.

Intelligent Environments presser

Intelligent Environments’ press release is also a little too heavy on the hyperbole (it claims that “64 percent of millennials regularly communicate only using emojis” — really? Only using emoji?) and a little too light on actual industry support. Intelligent Environments’ managing director David Webber told BBC News that the company hadn’t patented the idea, meaning any bank that wants to introduce emoji PIN codes can do so. Although there’s always the chance that security wouldn’t be increased at all, as everyone picked what is objectively the best emoji passcode ever: four smiling poops.

rb-
There is some research that says this makes sense. But then there is the problem of getting systems to accept an emoji PIN. There are still websites out there that can’t handle a passphrase of more than 12 text characters; what are they going to do with emoji? Also, remember that there are still lots of ATMs out there quietly running Microsoft’s Windows XP operating system more than two years after Redmond stopped updating the software.
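As an added illustration of the two points above (the keyspace claim and the “what will existing systems do with emoji?” worry), the Python below computes the passcode keyspace for a four-symbol PIN drawn from 44 emoji versus 10 digits, and shows why a back end that measures a passcode in bytes or UTF-16 units rather than code points will mishandle an emoji passcode. This is example code written for this post, not code from Intelligent Environments or The Verge; the 44-emoji alphabet is a constructed stand-in (U+1F600 through U+1F62B), since the firm’s real set is not listed here.

```python
import math

# Constructed stand-in for the firm's 44-emoji alphabet: 44 consecutive
# code points from the Unicode Emoticons block (U+1F600..U+1F62B).
# The real set is not published in the post.
EMOJI_ALPHABET = [chr(cp) for cp in range(0x1F600, 0x1F600 + 44)]
DIGITS = list("0123456789")
PASSCODE_LENGTH = 4


def keyspace(alphabet_size, length, allow_repeats):
    """Number of distinct passcodes of `length` symbols over an alphabet."""
    if allow_repeats:
        return alphabet_size ** length
    return math.perm(alphabet_size, length)  # ordered, no repeated symbol


def entropy_bits(alphabet_size, length, allow_repeats):
    """Guessing entropy of a uniformly chosen passcode, in bits."""
    return math.log2(keyspace(alphabet_size, length, allow_repeats))


def compare_keyspaces():
    """Emoji-vs-digit keyspace table for a four-symbol passcode."""
    return {
        "digits_no_repeat": keyspace(len(DIGITS), PASSCODE_LENGTH, False),
        "digits_repeat": keyspace(len(DIGITS), PASSCODE_LENGTH, True),
        "emoji_no_repeat": keyspace(len(EMOJI_ALPHABET), PASSCODE_LENGTH, False),
        "emoji_repeat": keyspace(len(EMOJI_ALPHABET), PASSCODE_LENGTH, True),
    }


def storage_lengths(passcode):
    """Three different answers a back end may give for 'how long is this passcode?'.
    A length limit applied to bytes or UTF-16 units, rather than code points,
    rejects or truncates a four-emoji passcode."""
    return {
        "code_points": len(passcode),
        "utf8_bytes": len(passcode.encode("utf-8")),
        "utf16_units": len(passcode.encode("utf-16-le")) // 2,
    }


def validate_passcode(passcode, allow_repeats=False):
    """Accept exactly PASSCODE_LENGTH code points, each from EMOJI_ALPHABET.
    Returns (ok, reason). Iterates over code points, never bytes."""
    symbols = list(passcode)
    if len(symbols) != PASSCODE_LENGTH:
        return False, f"expected {PASSCODE_LENGTH} symbols, got {len(symbols)}"
    if any(s not in EMOJI_ALPHABET for s in symbols):
        return False, "symbol outside the allowed emoji set"
    if not allow_repeats and len(set(symbols)) != len(symbols):
        return False, "repeated symbol"
    return True, "ok"


if __name__ == "__main__":
    for name, size in compare_keyspaces().items():
        print(f"{name:18} {size:>10,}  ({math.log2(size):.1f} bits)")
    sample = "".join(EMOJI_ALPHABET[:4])  # constructed passcode
    print(storage_lengths(sample))        # 4 code points, 16 UTF-8 bytes, 8 UTF-16 units
    print(validate_passcode(sample))      # (True, 'ok')
    # Mojibake: UTF-8 bytes decoded as Latin-1 arrive as 16 "symbols", not 4.
    print(validate_passcode(sample.encode("utf-8").decode("latin-1")))
```

The computed non-repeating counts are 44P4 = 3,258,024 and 10P4 = 5,040, which are not the 3,498,308 and 7,290 figures the company quoted, so the firm was evidently counting something other than ordered four-symbol selections without repeats. Either way the difference is roughly 12 bits versus 22 bits of guessing entropy, which changes little against an ATM that locks the card after a few wrong tries; the gain the firm is really claiming is that users stop picking guessable dates. The last line is the failure mode the rb- note anticipates: a system that decodes the passcode with the wrong charset sees 16 symbols and rejects a valid PIN.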

The kids think they are so cool with their newfangled emoji. What about old-school?

: )

:-O

(-_-)

(^_^)


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Michigan Cell-Phone Spying Legislation Stalled

A warrantless cell-phone spying bill recently introduced in the Michigan House has stalled – for now. MLive is reporting that House Bill 4006 has been pulled from the legislative agenda a second time. The bill would require cell phone companies to disclose call location information when requested by a law enforcement officer, and it would grant legal immunity to cell phone companies for making the disclosures.

In a flash of rationality, Gideon D’Assandro, a spokesperson for the Republican majority, said new questions about jurisdiction and proposed immunity for wireless providers have popped up. D’Assandro told MLive, “… There are still questions.”

The legislation, sponsored by Republican Rep. Kurt Heise of Plymouth Township, has prompted push back from some conservative lawmakers and other privacy proponents in the state Legislature after advancing out of committee. “It’s been a heated discussion, a passionate discussion, just about the civil liberty issues that are all wrapped up in this,” said Rep. Cindy Gamrat, R-Plainwell. “My concern is … we’re setting precedent authorizing government to access our technology devices, such as phones or computers or GPS in cars. Where do you end up drawing the line?”

State Rep. Todd Courser, R-Lapeer, said he understands the value that location information could provide in some emergencies. However, he made clear this week that he could not vote for the bill in its current form. He told MLive, “I think we also need to make sure we’re giving people the constitutional protections that are supposed to be afforded by our founding fathers.”

In typical goobermental double-speak, Republican Heise told MLive that allowing warrantless access to private citizens’ phones could actually strengthen civil liberty protections. Heise also told MLive he does not necessarily think that a 48-hour notification for cell phone owners is warranted.

Of course, law enforcement groups and Verizon Communications indicated support for the proposal. Of course they do; they get even more access to citizens’ private information. MLive states that as now written, the snooping does not require a warrant. All a police officer needs to access a private citizen’s phone records is a note signed by a supervisor.

rb-

Well, maybe they don’t need to bother with any legislation to spy on us. Recent reports are that the goobermint has new ways to collect our personal data without a warrant. Stingray? FBI Spy planes? So much for the Constitution.


Millennials Riskiest With Your Data

Around half of the workforce will be millennials by 2020, but today they represent a bigger threat to your data. A recent report by endpoint security and management products producer Absolute Software (ABT) concludes that millennials take the most risks with your data. The report says they pose a greater risk to corporate data security than other user demographics.

The findings about generational differences in mobile security behavior are likely to be counter-intuitive to many who assume younger generations are more knowledgeable and more aware of security threats in mobile tech use than older generations, according to FierceBigData. Stephen Midgley, VP of Global Marketing at Absolute Software, said:

We conducted this survey with the intention of helping enterprises better understand the current attitudes that employees have towards data security and privacy.

The presser from Absolute Software says that:

  • 64% of millennials use their employer-owned device for personal use, as opposed to 37% of baby boomers
  • 50% of respondents believe that security is not their responsibility
  • 35% of millennials change their default settings, compared to 8% of baby boomers
  • 27% of millennials access “Not Safe For Work” content, compared with only 5% of baby boomers
  • 25% of millennials believe they compromise IT security, compared with only 5% of baby boomers

rb-

The author concludes that these findings underscore why data trumps instinct or gut feeling, given the counter-intuitive results. Corporate hiring and training programs and policies often focus on what companies think of different worker demographics rather than on how those workers actually work. Armed with useful data such as this, hiring and training practices can be better aligned with the realities.


Another Hole in Internet Armor

Another hole in our Internet armor has been discovered. The hole is in the Diffie-Hellman key exchange, a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and other protocols that rely on TLS.

Researchers from the University of Michigan, Inria, Microsoft Research, Johns Hopkins University, and the University of Pennsylvania have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed. In what they are calling the Logjam attack, the DH flaw allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and change any data passed over the connection.

The problem, according to the researchers, is that millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

To prove this hypothesis, the researchers carried out this computation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT.

They also estimated that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.

There is speculation that this “flaw” was being exploited by nation-state bad actors. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with its having created, exploited, or harnessed the Logjam vulnerability.

What should you do?

1 – Go to the researchers’ website https://weakdh.org/ to see if your browser is secure from the Logjam flaw. (It reported that Google Chrome Version 43.0.2357.81 (64-bit) on OS X 10.10.3 was not secure.)

2 – Microsoft (MSFT) patched the Logjam flaw on May 12 with security bulletin MS15-055. A Microsoft spokesperson told eWEEK:

Customers who apply the update, or have automatic updates enabled, will be protected. We encourage all customers to apply the update to help stay protected.

3 – Google (GOOG) fixed the issue with the Chrome 42 update, which debuted on April 15. Google engineer Adam Langley wrote:

We disabled TLS False-Start with Diffie-Hellman (DHE) in Chrome 42, which has been the stable version for many weeks now.

4 – Mozilla’s patch for Firefox isn’t out yet, but “we expect it to be published in the next few days,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.

5 – DarkReading reports that on the server side, organizations such as Apache, Oracle (ORCL), IBM (IBM), Cisco (CSCO), and various hosting providers have been informed of the issue. There has been no response from these tech titans.

The researchers have also provided guidance:

  1. If you have a web or mail server, they recommend that you disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. They have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
  2. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers the Elliptic-Curve Diffie-Hellman Key Exchange.
  3. If you’re a sysadmin or developer, make sure any TLS libraries you use are up-to-date, that servers you support use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.

rb-

Finally, get involved. Write someone, your representative, senator, your favorite bureaucrat, the president, your candidate, and tell them to get out of the way. 

Ars Technica notes that Logjam is partly caused by export restrictions put in place by the US government in the 1990s, to allow government agencies the ability to break the encryption used in other countries. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” said Michigan’s J. Alex Halderman in the report. “Today that backdoor is wide open.”


Mobile Malware FUD?

Just last week, I wondered out loud from my Bach Seat if all the hype around mobile malware was real or just more FUD. It looks like I am not alone: TechCo recently asked a similar question, “Are We Overstating the Threats from Mobile Devices?”

The author cites several recent reports that back up the claim that the threats mobile devices actually introduce into the enterprise are overstated. The data indicates that the mobile malware threat is statistically small and has even decreased since 2012.

• A McAfee report shows that out of all the malware now out there, only 1.9% of it is mobile malware. The author equates the mobile threat to 4 million out of the 195 million samples McAfee knows about.
• Another report (PDF) from Verizon (VZ) shows even lower numbers, with only 0.03 percent of smartphones being infected with what is called “higher grade malicious code.”
• But some numbers go even lower than that. Damballa, a mobile security vendor that monitors roughly half of mobile data traffic, recently released a report that claims you have a better chance of getting hit by lightning than by mobile malware. Damballa found only 9,688 smartphones out of more than 150 million showed signs of malware infection. If you do the math, that comes out to an infection rate of 0.0064 percent.

Even more interesting is that despite the increase in mobile devices, Damballa found the infection rate had declined by half compared to 2012.

These reports may show mobile threats aren’t as big of a problem as previously thought, but the author asks why the numbers are so low at all. After all, cybercriminals like to target new platforms and exploit security weaknesses. Why do they seem to be avoiding mobile devices?

The truth of the matter is that mobile users tend to get their apps from high-quality app stores. The stores from Google (GOOG) and Apple (AAPL) work to filter out suspicious apps. If malware is found in an app after it has already been on the market for a while, app stores can also execute a kill switch, which takes the app off the store and off the devices where it was downloaded. This limits malware’s ability to spread.

The article concludes that companies that adopt BYOD shouldn’t just ignore BYOD security; they simply don’t have to go all-out as many businesses have done. Most mobile security experts say a mobile device management system remains a good investment to make sure mobile devices are handled appropriately. MDM systems also allow an organization to remotely wipe devices, thus keeping sensitive data safe in the event a device is lost or stolen. But malware really isn’t a factor in those cases, so the overall message from these recent reports is that getting worked up over mobile threats is not necessary. A company can still gain all the benefits of BYOD without having to worry incessantly over what it is doing to protect every device that connects to its network.

rb-

What do you think?

Is mobile malware over-hyped FUD?


Related articles
  • Your BYOD implementation checklist (powermore.dell.com)
