Current Password Policies Don’t Work

good-passwordMost corporate password policies are a waste off time and do not add anything extra to providing secure authentication.  Many of these policies were put in place to meet the standards of various compliance bodies (PCI-DSS, HIPAA, etc.)  But basically these policies are not keeping up with the state of the art in password cracking, as we discussed last November in our post on Continue Reading →

0

Adult Site Breach Exposes Weak Hashing

affThe site Adult Friend Finder, the “world’s largest sex and swingers site” recently exposed 412 million user credentials due to poor, or in some cases, non-existent password hashing practices. The biggest group losses were:

  • 339 million users of AdultFriendFinder.com
  • 62 million users of webcam site cams.com
  • 7.1 million users of Penthouse.com
  • 1.4 million users of stripshow.com

As we discussed last week, the reason that the Yahoo breach went unreported is ...

Continue Reading →
0

How Are Passwords Cracked?

password1The answer to this question is complicated, but not impossible to understand.  The first thing to know is that most passwords are not cracked by guessing, or trying thousands of possibilities one at a time on a typical login screen.  Most systems will lock the account after a certain small number of failed attempts, like 5 or 6. This makes the kind of password ...

Continue Reading →
1

Cybersecurity Top 10

cybersecurity_436x270As we approach year-end, many small and medium sized business owners and managers are coming to the realization that their best intentions for creating a cybersecurity program in their organization have fallen short.  This was the year, you promised yourself, that we get a handle on computer and network security.

Well it is not too late to get a start, and here is a short ...

Continue Reading →
0

Additional Notes from the Cyber Security Summit

cyber-security-summit-2016On Monday we looked at the some of the primary attack vectors used by cyber-criminals.  Here are the rest of the attack vectors that Kevin Thompson from FireEye shared at the Cyber Security Summit.  Many of these are significant twists on old exploits, or more sophisticated exploits.

  • Attacks using legitimate services.
    • Social networks – make friends or connections, gather information.
    • Cloud storage services to host malware downloads.  Link looks legitimate, its from Google Docs or DropBox.
    • Comment ...
Continue Reading →
0

National Cyber Security Awareness Month

US-CERTOctober is National Cyber Security Awareness Month.  This was released by US-CERT, and I thought it was worth posting.

“October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about cybersecurity. In partnership with DHS, the National Cyber Security Alliance (NCSA) has released the first in a series of tips focused on helping people protect their online activities and increasing ...

Continue Reading →
0

NIST Recommends New Password Rules

NISTThe National Institute for Standards and Technology is working on new password guidelines which will be mandated for government sector users, and strongly recommended for businesses as well.  Still in draft from, the standards can be found on the document Special Publication 800-63-3: Digital Authentication Guidelines.   Here are some of the recommended changes, so far.  We approve, and in many cases have been ...

Continue Reading →
0

BEC – How Cyber-Attackers Can Rip Off Your Company

ic3We warned our readers about the FBI alert regarding the Business Email Compromise scam on July 6.  Cyber-criminals have successfully bilked US companies of over 3 billion dollars since January 2015.  Typically this exploit starts by the attacker gaining knowledge of the CEO’s or other highly placed executive’s user credentials to their email account.  This is most often done using a spearphishing email, but could also be accomplished ...

Continue Reading →
0

NIST Nixes TFA Via SMS

NISTHoly acronyms Batman!  What the heck does this headline mean?  Well, the National Institute for Standards and Technology (NIST) has removed two-factor authentication (TFA) via short-messaging service (SMS) from the approved list of two-factor authentication methods.  The reason is that SMS is an unencrypted service, and the lack of encryption makes it too insecure for use in Federal authentication systems.  NIST is recommending that all companies ...

Continue Reading →
0

Which Is Better – SMS or App-based TFA?

google-authenticatorI am a firm believer in, and user of two-factor authentication (TFA or 2FA).  Heck, if there was three-factor authentication I would probably sign up.  The two most popular authenticator apps are Authy and Google Authenticator.  I primarily use Google Authenticator wherever I can.  I use SMS when Authenticator isn’t an option, or won’t work.  I had trouble, for instance, getting Facebook to work and ...

Continue Reading →
0
Page 4 of 8 «...23456...»