US-CERT just released more information about the Grizzly Steppe cybercrime group who has been fingered for hacking the DNC and US voter registration databases. The short report, titled Enhanced Analysis of GRIZZLY STEPPE Activity, makes interesting reading, especially if you are interested in finding out more about state-sponsored political espionage. See pages 4-7 for the main story.
The Grizzly Steppe group is certainly ...
Continue Reading →
I will start out by admitting that I hate Domain Privacy. But I just read a story in Naked Security on February 9th that is causing me to reevaluate my opinion. It turns out that the new White House press secretary, Sean Spicer, has a personal website at www.seanspicer.com. The website has been turned into a private site, but the WHOIS ...
I read an interesting article on Naked Security the other day about how Hamas had used Facebook and social engineering tactics to trick Israeli soldiers into installing surveillance malware. The malware allowed Hamas to track the soldiers using the phone’s GPS, and to turn on the microphone and video to actually listen in and and watch their targets. Hamas undoubtedly picked up the ...
As a regular reader of this blog, you are probably using a long, unique, 20 character password with two-factor authentication, and a password manager to keep it all straight. But let’s say that you fall for a phishing scam, and give away the password to your email account. The attacker can now use your email account to request password reset emails from your other online accounts, and you have yourself one ...
Facebook has added USB key security to it’s two-factor authentication options. Previously, Facebook users could add the additional security of two-factor authentication to their account by using the Facebook app to receive a six digit one-time passcode, or by having the code sent to their smart phone via SMS text message. Facebook now supports the open-source Universal 2 Factor (U2F) standard established by the FIDO Alliance, such as the Yubikey from ...
If you are an Apple user, Apple released a number of updates released late in January that will fix security vulnerabilities in several platforms and services. It was reported by US-CERT on January 23rd.
The release for Mac OSX Sierra is large, at 105 GB, and fixes many holes that would allow and attacker to remotely execute malware. This is something you should fix ...
Continue Reading →
NIST is working on new authentication standards, and there are some surprising changes coming out of this effort. One of the issues that NIST is dealing with is the use of biometrics for authentication. But there are problems with biometrics. Here they are from the NIST Special Publication 800-63b. Emphasis is mine.
For a variety of reasons, ...
Continue Reading →
Passwords are not dead – not yet. But they are on life support. They are no longer enough to truly secure anything on their own.
I just read an sobering, eye-popping article on NetMux that discussed easy ways to crack passwords that are longer than 12 characters.
What makes this so disheartening for me is that I have been telling everyone to increase their password ...
Continue Reading →With Valentine’s Day around the corner, I thought this post from Pinterest was an interesting origin story.
On Wednesday we talked about a phishing exploit that used malware to provide remote access and steal the personal information of the victims. Today we continue the story with a similar exploit, called “Fareit” to “ferret out” the user credentials and other personal information the victims.
This exploit uses a phishing email to send the target either a PDF attachment or a Word attachment. The PDF variant uses Windows Powershell to install. ...
Continue Reading →