Tag Archive for Sophos

Who Needs Two-Factor Authentication

The recent epidemic of online security breaches has shown the folly of relying on passwords as the sole protector of your online data. As I have covered several times, most users reuse the same passwords across sites. So what are we to do? One solution is two-factor authentication (2FA).

John Shier at Sophos's Naked Security blog provided a primer on multi-factor authentication. Two-factor authentication is a subset of multi-factor authentication (MFA). MFA is an authentication process where two or more of three recognized factors are used to identify a user:

  • Something you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits
  • Something you are – fingerprints, iris patterns, voiceprints, or similar

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly presented before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get into your account unless they can also provide one of the other two factors (something you have or something you are).

The author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems over a VPN session. Users need to give a username, a password, and the six-digit code from the token appended to a PIN. Home users can get a form of two-factor authentication through SMS code verification: in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

Gaps in mobile network coverage and the unreliable delivery of SMS can make SMS 2FA difficult. However, some services let you use an authenticator app in addition to your password; the app presents a different numeric one-time password (OTP) for each service you register with it. Both Google and Microsoft make these apps freely available in their respective app stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone has no network service (mobile or otherwise), because the codes are generated on the phone itself rather than delivered to it.

Two-factor authentication makes it harder

Parker Higgins at the EFF says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like pairing a PIN (something you know) with your ATM card (something you have), makes it harder to impersonate you. You need to both have the card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone, which means that even if your password is compromised by a keylogger in an Internet café, or through a company's security breach, your account is safer, according to the EFF.

That's important because phishing, one of the most common ways accounts are compromised, normally captures only passwords. By adding a different factor, phishing attacks become much more complicated and much less effective, according to Mr. Higgins.

As two-factor authentication systems have become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn't have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT), GitHub, Evernote, WordPress, Yahoo (YHOO) Mail and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere, but many of the most popular sites and services on the internet use the technology. Hopefully, this will compel the rest to follow suit. There is Android malware in the wild specifically designed to steal SMS verification codes in order to thwart 2FA, so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need two-factor authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Ellen Spoofs Password Infomercial

Graham Cluley at Sophos's Naked Security Blog recently blogged about a crazy password infomercial and day-time TV talk show host Ellen DeGeneres' reaction to the late-night advert. The infomercial that caught the talk show host's attention proves that you can always rely on late-night TV to try to sell you anything.

Ellen DeGeneres recently focused some attention on a product that claimed to solve a computer security problem experienced by many inner-webs users: how to remember your passwords. Here's the link to the video about the “Internet Password Minder”:

As one of the customers featured in the infomercial breathlessly explains:

"I don't have to worry anymore about security or identity theft... I now have all my passwords in one place. It's great"

Apparently, this is not a put-on staged by the “Ellen” show. As Ellen amusingly asks, wouldn't it be cheaper to write all your passwords on a $5 bill? You could even keep the (patent-pending – don't steal the idea!) $5 bill password minder in your wallet if you liked, much more convenient than the book-sized Internet Password Minder!

Sophos offers a video explaining how to generate a tough, hard-to-crack password that is still easy to remember. If you can't remember your passwords and have difficulty juggling different passwords for different websites, then Sophos recommends password management software like KeePass, 1Password or LastPass. I have covered the password issue many many many times before.

Mr. Cluley pointed to a comment on Ellen's website from someone who claims to be the woman in the infomercial who no longer worries about identity theft.

rb-

I don’t watch The Ellen Show (I work during the day), but I know my mom does so a hat-tip to Ellen for raising awareness of password security issues with her large TV audience in an amusing way.

Those of us charged with keeping our clients and parents safe from the cyber-malcontents on the Intertubes need all the help we can get, even if it is from as unlikely a source as Ellen DeGeneres. Maybe now mom will stop asking me to change all of the passwords to something easier.

Do you think that Ellen’s spoof of the password infomercial helps the cyber-security cause?

 



Microsoft Ending Windows XP & Office 2003 Support

Two of Microsoft's (MSFT) flagship products will no longer have any support as of April 8th, 2014: Windows XP and Office 2003. Microsoft is warning companies that have not migrated from Windows XP and Office 2003 to start the process soon. MSFT released the OS more than a decade ago (October 2001 to be precise).

On their blog, Naked Security, Sophos says that Windows XP still holds a 39% market share on the desktop. What if you are still using XP or Office 2003? Microsoft simply says it means you should “take action.” There will no longer be any security updates or assisted support options, online or otherwise, from Microsoft.

The lack of any security updates means there will be “unchecked security and compliance risks” as well as a lack of support and updates that keep the software compatible with the newest technologies.

Sophos speculates that one security implication is that the bad guys will hold onto new Windows XP exploits until MSFT stops patching XP. There is certainly the potential for a lot of havoc if 39% of PCs can be infected by new internet-propagating worms that target Windows XP systems, and there could also be an increase in Internet Explorer 8 browser exploits, which could open the doors wide for all kinds of malware infections.

It can take up to 18 months for the average medium to large business to install new programs, roll out all the updates, and import all customer data. Firms may need to upgrade their PCs and retrain their staff to use newer, more dependable Microsoft products.

Microsoft says this move follows the Support Lifecycle policy it introduced in 2002. All of Microsoft's products get 10 years of support – 5 years Mainstream and 5 years Extended – and once those ten years are up, the company encourages all users to move on to more recent products that will often fit the needs of an individual or a company more closely.

rb-

In my world, we have started to migrate off of XP to Win7 due to state-mandated testing requirements. Does anyone else see the irony in the fact that the Gates Foundation is a backer of large-scale multi-state standardized online testing that forces school districts in 22 states to migrate off of WinXP, a known entity that most people have long since gotten their ROI out of via perpetual licenses, to a new OS, Win7 (Win8, HA), that they are pushing as a subscription?

 


Apple OS X Security Update

The magical virus-proof Apple operating systems have had a rough couple of weeks. Apple (AAPL) released security updates for OS X Lion and Snow Leopard, iOS, Numbers for iOS, and Pages for iOS. UK-based security company Sophos says that the OS X patch addressed 75 known vulnerabilities. Most of the vulnerabilities could lead to arbitrary code execution, while others lead to denial of service or privilege escalation. The bug fix weighs in at a whopping 880MB with the recovery download.

Next, Apple released a gargantuan update to iTunes for Windows that fixes 79 vulnerabilities. Sophos reports that 73 of those holes could cause remote code execution in WebKit, the engine used to render HTML content; the remaining fixes resolve further remote code execution bugs.

Despite the huge patches, cyber-criminals have figured out how to disable XProtect, the rudimentary anti-virus protection Apple has built into Mac OS X, by enhancing the existing Flashback trojan horse. The Flashback trojan leaves the Mac vulnerable by preventing XProtect from receiving security definition updates. Sophos makes the point that Mac malware writers are eager to infect Apple computers because of the potential financial rewards.

The Mac malware authors are not resting on their laurels. Within days of spotting Flashback in the wild, Sophos reported that Tsunami, a new backdoor trojan horse for Mac OS X, had been discovered. Sophos indicates that the new Mac malware may be a port of Kaiten, a Linux backdoor trojan horse that takes its instructions over an IRC channel.

Code like this is used to commandeer compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic. ESET notes that as well as enabling DDoS attacks, the backdoor lets a remote user download files, such as more malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected Mac.

Only a few more days passed before the DevilRobber (Miner-D) Mac OS X trojan horse was discovered. DevilRobber was embedded in hacked versions of the Mac OS X image-editing app GraphicConverter version 7.4, distributed via file-sharing torrent sites such as The Pirate Bay. Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time. GPUs are better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.

Sophos reports that in addition to Bitcoin mining, Miner-D also spies on its victim by taking screen captures and stealing usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt about TrueCrypt data, Vidalia (a graphical controller for Tor), Safari browsing history, and .bash_history. To complete the assault, if the malware finds the user's Bitcoin wallet it will steal that too.

DevilRobber has recently been updated, according to F-Secure researchers. F-Secure points out that the newly discovered trojan is the third iteration of the malware and that it poses as the popular image-editing app Pixelmator.

Help Net Security says this version of DevilRobber has new features that the original version lacked. It tries to harvest the shell command history, the system log file, and the contents of 1Password, the popular software for managing passwords. Unfortunately, its Bitcoin mining and wallet-stealing capabilities are still there as well.

rb-

So despite Apple's continued insistence that their machines do not need anti-malware software, standard malware prevention techniques apply to Macs. Clearly, Mac users, like their Windows cousins, should practice safe computing. Some of the safer computing practices for Mac and Windows users include:

  1. Never open an email attachment unless you are POSITIVE about the source.
  2. Do NOT click on any pop-up that advertises anti-virus or anti-spyware software especially a program promising to provide every feature known to humanity.
  3. Use an anti-virus program. A free one is better than none. There are several free versions that work well; Microsoft Security Essentials, for example, is free and has had good reviews.
  4. Keep your OS and AV updated. Make sure that you install those important updates. An out-of-date antivirus program does not help in detecting new infections.
  5. Use a personal firewall. A firewall between your DSL router or cable modem and the computer will protect you from inbound attacks. A software firewall on the computer can protect you from both inbound and outbound attacks.
  6. Do NOT download freeware or shareware unless you must. These often come bundled with spyware, adware, or fake anti-virus programs. Be especially wary of screensavers, games, browser add-ons, peer-to-peer (P2P) clients, and any downloads claiming to be “cracked” or free versions of expensive applications.
  7. Avoid questionable websites. Some sites may automatically download malicious software onto your computer.
  8. Browse responsibly. Sometimes you might not even have to download and install something but just open a website in your browser for a rogue program to infect your computer. So be careful where you go when you are browsing.
  9. Pay attention to your incoming e-mails. Some of them can contain viruses or content pointing to malicious sites. Don’t click on links provided by false institutes that invite you to change passwords or similar.
  10. “Phishing” describes scams that attempt to acquire confidential information such as credit card numbers and passwords by sending out e-mails that look like they come from real companies or trusted people. If you happen to receive an e-mail message announcing that your account will be closed, that you need to confirm an order, or that you need to verify your billing information, do not reply to the e-mail or click on any links. If you want to find out whether the e-mail is legitimate, you can go to their website by directly typing their address into your browser or by calling them.
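As an added illustration of items 9 and 10 (example code, not from the original post or from Sophos), the following Python script, using only the standard library, automates the check a cautious reader performs by hand: it pulls every link out of an HTML message and flags those where the visible text names one site while the href goes to another, or where a trusted brand name is planted as a subdomain of an unrelated domain. The sample message, the brand list and the two-label registrable-domain heuristic are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing e-mail).
# The first link displays one address but points at an unrelated domain that
# merely starts with "paypal.com"; the second link is genuine.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be closed unless you confirm your
billing information at
<a href="http://paypal.com.account-verify.example/login">www.paypal.com</a>.
See <a href="https://www.paypal.com/help">our help page</a> for details.</p>
"""

# Hypothetical list of brands this check knows about (assumption for the example).
TRUSTED_BRANDS = {"paypal.com"}

# Matches link text that looks like a host name, with or without a scheme.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. A crude stand-in for a public-suffix
    lookup: right for example.com, wrong for names like example.co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text):
    """Host name the link text claims to be, or None if the text is not a URL."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def suspicious_links(html):
    """Return {href: [reasons]} for links showing the phishing tricks above:
    the text names one site while the href goes elsewhere, or a trusted
    brand appears inside a host that is not actually the brand's domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = displayed_host(text)
        if shown and registrable_domain(shown) != registrable_domain(href_host):
            reasons.append(f"text says {shown} but link goes to {href_host}")
        for brand in TRUSTED_BRANDS:
            if href_host == brand or href_host.endswith("." + brand):
                continue  # really on the brand's own domain
            if brand in href_host:
                reasons.append(f"{brand} used inside unrelated host {href_host}")
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

This will not catch a lookalike domain such as a digit swapped for a letter, and the two-label heuristic mishandles country-code suffixes; a production filter would use the public suffix list and a larger brand list. The advice in item 10 still stands: when in doubt, type the address into the browser yourself.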


BP Data Spill

National Public Radio (NPR) reports that British Petroleum's (BP) problems in the U.S. now include a data spill as well as the oil spill. BP is paying compensation amounting to $4,000,000,000 to victims of its disaster in the Gulf of Mexico last summer. Now BP has lost the personally identifiable information (PII) on approximately 13,000 of the victims who are seeking compensation for oil spill damages. NPR reports that names, addresses, phone numbers, and social security numbers were lost, opening these people to identity theft.

BP spokesman Curtis Thomas told NPR that the oil giant mailed letters to roughly 13,000 people whose data was stored on the missing computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored. The company also reported the missing laptop to law enforcement, he said. The laptop was password-protected, but the information was not encrypted, Mr. Thomas said.

The employee lost the laptop on March 1 during “routine business travel,” said BP’s Thomas, who declined to elaborate on the circumstances. “If it was stolen, we think it was a crime of opportunity, but it was initially lost,” Thomas said. Asked why nearly a month elapsed before BP notified residents about the missing laptop, Mr. Thomas said, “We were doing our due diligence and investigating.”

Matt O’Brien, the part-owner of Tiger Pass Seafood, a shrimp dock in Venice, La., who said he had filed a claim with BP, told an AP reporter this was the first he had heard about the possible compromise of his personal information by BP. “That’s like it’s par for the course for them.” Mr. O’Brien said of BP, “They can’t seem to do nothing right.”

Once again, 13,000 lives are disrupted because a single laptop that was not encrypted was lost or stolen “during routine business travel.” A login password only stops someone from signing in; the data on an unencrypted drive can be read by removing the disk or booting the machine from other media, which is why full-disk encryption matters. Sophos's Naked Security blog pointed out in 2008 that laptops are easy to lose. The security vendor cited a survey that found that 12,000 laptops are lost every week at U.S. airports alone.

In that 2008 survey, almost three years ago now, 53% of people said that their laptops contained confidential business information, with two-thirds having taken no measures to secure their data. Clearly, some companies still aren’t taking proper measures.

rb-

As BP has again demonstrated, we all need to lift our game. As Sophos says, even if your organization is willing to take risks with its own data, firms have a clear moral duty not to take risks with data they keep about other people.

During these economic times, many organizations are saving a few pennies by doing as little as possible about encryption-related security. Why not consider the value of encryption to your business, instead of considering only the cost?

What do you think?

Oil spills, Data spills, Outrageous gas prices – Is BP out to get the U.S.?

 
