BEC – How Cyber-Attackers Can Rip Off Your Company

We warned our readers about the FBI alert regarding the Business Email Compromise scam on July 6. Cyber-criminals have successfully bilked US companies of over 3 billion dollars since January 2015. Typically this exploit starts by the attacker gaining knowledge of the CEO’s or other highly placed executive’s user credentials to their email account. This is most often done using a spearphishing email, but could also be accomplished ...


NIST Nixes TFA Via SMS

Holy acronyms, Batman! What the heck does this headline mean? Well, the National Institute of Standards and Technology (NIST) has removed two-factor authentication (TFA) via short-messaging service (SMS) from the approved list of two-factor authentication methods. The reason is that SMS is an unencrypted service, and the lack of encryption makes it too insecure for use in Federal authentication systems. NIST is recommending that all ...


Changing Passwords Regularly May Be Insecure

Bruce Schneier had an interesting post where he attacked the commonplace practice of requiring regular password changes. Usual corporate IT policies require changes every 90 days, and in some high security environments, more frequently than that.

The basic issue with frequent password changes is that humans will create a system that makes it easy to remember the next iteration of the password. ...


10 Ways To Drive A Cybersecurity Geek Crazy

Actually there are way more than ten ways, but here are some I see all the time. We can play this like a game, so go ahead and give yourself a point for each one of these that applies to you. This game scores like golf – low score wins.

  1. Weak, Guessable Passwords – short and simple passwords may be easy for you to remember, but they make an attacker’s job simpler ...

Setting Up TFA Without Authenticator

Maybe you like the idea of two-factor authentication, but the Google Authenticator smartphone app seems too cumbersome. Or maybe you are not a smartphone owner, because you don’t like the idea of a phone that can track your location to within a few feet, and keeps sharing all your personal data with the apps on your phone. So you own a flip phone ...


Removing TFA from an Account in Authenticator

Google Authenticator is my favorite go-to app for setting up two-factor authentication. But what if you want to remove an account from Google Authenticator?

I set up two-factor authentication for Facebook and the Authenticator app did not work.  So I tried again, and ended up with two accounts on the Authenticator list, neither of which worked.  This pushed other working accounts down far enough ...


Two Factor Authentication for WordPress

Hardening and securing WordPress websites is one of my specialties.  We have reported previously on three of the best WordPress security plugins, Sucuri, Bulletproof, and WordFence.  I can tell you that each of these plug-ins performed admirably against the continuous barrage of brute force and password reset attacks that my sites have endured.  Security appeared to be strong, but I wanted more.

I have been deploying two-factor authentication (TFA) everywhere I can, in order to overcome the inherent weakness of password ...


Mac Users Targeted By Cyber-Attackers

The Apple OSX platform has long held the cachet of being invulnerable to attack. Cyber-criminals have been crafting more exploits to target Macs, iPhones, and iPads, especially since 2012. The reason for this, as explored in a recent article on SiliconBeat, is that Apple users tend to have more disposable income. If you willingly pay more to have “the best” or ...


How Did They Take Over My Computer?

Computer breaches can happen many ways, but the two most common are stolen credentials, and phishing emails.  Credentials, your user name and password, sometimes are stolen from a web server breach, and then sold online on the criminal marketplaces.  Or sometimes you are tricked into giving them up on clever fake websites.  Phishing is one way that credentials are stolen.  The links in phishing emails often will direct the unwary user to the fake web page with the helpful web ...
