The Problem With Biometric Authentication

NIST is working on new authentication standards, and there are some surprising changes coming out of this effort.  One of the issues that NIST is dealing with is the use of biometrics for authentication.  But there are problems with biometrics.  Here they are from the NIST Special Publication 800-63b.  Emphasis is mine.

“5.2.3. Use of Biometrics

For a variety of reasons, this ...

Continue Reading →
0

Passwords Are On Life Support

Passwords are not dead – not yet.  But they are on life support.  They are no longer enough to truly secure anything on their own.

I just read an sobering, eye-popping article on NetMux that discussed easy ways to crack passwords that are longer than 12 characters.

What makes this so disheartening for me is that I have been telling everyone to increase their password length ...

Continue Reading →
0

Credential Stealing Malware in PDF Attachments

On Wednesday we talked about a phishing exploit that used malware to provide remote access and steal the personal information of the victims.  Today we continue the story with a similar exploit, called “Fareit” to “ferret out” the user credentials and other personal information the victims.

This exploit uses a phishing email to send the target either a PDF attachment or a Word attachment.  The PDF variant uses Windows Powershell to install.  The ...

Continue Reading →
0

MongoDB Ransomware Hack – What Did We Learn?

Early on Jan. 9, about 12,000 MongoDB database servers were compromised. Later the number rose to 28,000 servers.  As many as 46,000 servers are vulnerable to this attack.

A cyber-criminal using the alias “Harak1r1” exploited a weakness in the default installation of the popular database solution, MongoDB.  He demanded a 0.2BTC ransom ($220) to return the data he exfiltrated from thousands of victim systems.  Older installations of MongoDB that were deployed via cloud hosting services in an insecure default configuration were ...

Continue Reading →
0

The Russians Are Coming!

Cybersecurity professionals are in agreement.  The Russians appear to have been actively engaged in influencing the outcome of our recent Presidential election.  Specifics include compromising and taking over Hilary Clinton’s chief of staff, John Podesta’s personal Gmail account.  This spear phishing exploit used a “near-miss” domain name of “accounts.googlemail.com”  to trick John into clicking on a link and and entering his email credentials.  The real domain name is accounts.google.com.

There was also a ...

Continue Reading →
0

Facebook Searches Dark Web For Stolen Passwords

facebookThis actually is in the “good news” department.  The some security folks at Facebook are scouring the Dark Web, looking for rainbow tables of user names and passwords in order to find Facebook users who may be reusing the same password on multiple sites.  As we have discussed here many times, password reuse creates a serious security vulnerability.  If the cyber-crooks have your password for one site, they will try it on other ...

Continue Reading →
0

You Just Got An Email From A Friend – But It Was A Phish

Email_thumb2One of the hardest types of phishing emails to defend against are those that come from the email account of a friend or trusted business associate, such as your dentist, lawyer, realtor.  The sender’s email address is not spoofed, because the malefactor has tricked them into providing their email address password.  The bad guys are actually logged into  your friend’s email account,  and now they are trying to do the same thing to you.

If ...

Continue Reading →
0

Password Policy Improvements

password2On Monday we attacked the utility of current password policies and standards.  Today we will offer up an array of improvements.

To be truly effective from a security perspective, password policies need to be designed to withstand both online and offline password cracking methods. We discussed offline methods in our post last month, so we will not do more than recap them here. ...

Continue Reading →
0

Current Password Policies Don’t Work

good-passwordMost corporate password policies are a waste off time and do not add anything extra to providing secure authentication.  Many of these policies were put in place to meet the standards of various compliance bodies (PCI-DSS, HIPAA, etc.)  But basically these policies are not keeping up with the state of the art in password cracking, as we discussed last November in our post on Continue Reading →

0
Page 2 of 8 12345...»