jm + passwords   21

Online security won’t improve until companies stop passing the buck to the customer
100% agreed!
Giving good security advice is hard because very often individuals have little or no effective control over their security. The extent to which a customer is at risk of being defrauded largely depends on how good their bank’s security is, something customers cannot know.

Similarly, identity fraud is the result of companies doing a poor job at verifying identity. If a criminal can fraudulently take out a loan using another’s name, address, and date of birth from the public record, that’s the fault of the lender – not, as Cifas, a trade organisation for lenders, claims, because customers “don’t take the same care to protect our most important asset – our identities”.
cifas  uk  passwords  security  regulation  banking  ncsc  riscs  advice 
11 weeks ago by jm
A Cute Internet Star Flirts. All He Wants Is Your Password. - The New York Times
whoa.
Mr. Johnson’s fans are not naïve. Handing over their passwords to some strange, cute boy actually constitutes a minor act of youthful rebellion. The whole encounter delivers a heady mix of intimacy and transgression — the closest digital simulation yet to a teenage crush.


(via Adam Shostack)
via:adam-shostack  passwords  authentication  security  teens  rebellion 
july 2016 by jm
The problems with forcing regular password expiry

The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.
It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis. CESG now recommend organisations do not force regular password expiry.
cesg  recommendations  guidelines  security  passwords  expiry  uk  gchq 
april 2016 by jm
CNBC "How Secure Is Your Password" tester form is a spectacular security shitshow
It not only runs over HTTP, it also sends your password to a bunch of third-party ad trackers. omgwtfbbqfail
fail  wtf  funny  cnbc  clowns  inept  security  passwords  http  ad-trackers 
march 2016 by jm
Amazon Echo security fail
Ughhhh.
Amazon Echo sends your WiFi password to Amazon. No option to disable. Trust us it's in an "encrypted file"
amazon  echo  wifi  passwords  security  data-privacy  data-protection 
january 2016 by jm
Privacy Security Talk in TOG – 22nd April @ 7pm – FREE
Dublin is lucky enough to have great speakers pass through town on occasion and on Wednesday the 22nd April 2015, Runa A. Sandvik (@runasand) and Per Thorsheim (@thorsheim) have kindly offered to speak in TOG from 7pm. The format for the evening is a general meet and greet, but both speakers have offered to give a presentation on a topic of their choice. Anyone interested in privacy, security, journalism, Tor and/or who has previously attended a CryptoParty would be wise to attend. Doors are from 7pm, and bring any projects with you that you would like to share with other attendees. This is a free event, open to the public and no need to book. See you Wednesday.

Runa A. Sandvik is an independent privacy and security researcher, working at the intersection of technology, law and policy. She contributes to The Tor Project, writes for Forbes, and is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit project.

Per Thorsheim is founder/organizer of PasswordsCon.org; his topic of choice is of course passwords, but in a much bigger context than most people imagine. Passwords, pins, biometrics, 2-factor authentication, security/usability and all the way into surveillance and protecting your health, kids and life itself.
privacy  security  runa-sandvik  per-thorsheim  passwords  tor  truecrypt  tog  via:oisin  events  dublin 
april 2015 by jm
Real World Crypto 2015: Password Hashing according to Facebook
Very interesting walkthrough of how Facebook hashes user passwords, including years of accreted practices.
facebook  passwords  authentication  legacy  web  security 
march 2015 by jm
3D Secure and Verified By Visa to be canned
Yay.
Mastercard and Visa are removing the need for users to enter their passwords for identity confirmation as part of a revamp of the existing (oft-criticised) 3-D Secure scheme.
The arrival of 3D Secure 2.0 next year will see the credit card giants moving away from the existing system of secondary static passwords to authorise online purchases, as applied by Verified by Visa and MasterCard SecureCode, towards a next-gen system based on more secure biometric and token-based prompts.


(via Gordon)
via:gsyme  verified-by-visa  3d-secure  mastercard  visa  credit-cards  authentication  authorization  win  passwords 
november 2014 by jm
Nik Cubrilovic - Notes on the Celebrity Data Theft
tl;dr: a lot of people are spending a lot of time stealing nudie pics from celebrities. See also http://www.zdziarski.com/blog/?p=3783 for more details on the probable approaches used. Grim.
apple  privacy  security  celebrities  pics  hacking  iphone  ipad  ios  exploits  brute-force  passwords  2fa  mfa  find-my-iphone  icloud  backups 
september 2014 by jm
LastPass Sentry Warns You When Your Online Accounts Have Been Breached
This is a brilliant feature. It just sent a warning to a friend about an old account he was no longer using
lastpass  security  passwords  hacking  accounts 
april 2014 by jm
Fingerprints are Usernames, not Passwords
I could see some value, perhaps, in a tablet that I share with my wife, where each of us have our own accounts, with independent configurations, apps, and settings.  We could each conveniently identify ourselves by our fingerprint.  But biometrics cannot, and absolutely must not, be used to authenticate an identity.  For authentication, you need a password or passphrase.  Something that can be independently chosen, changed, and rotated. [...] Once your fingerprint is compromised (and, yes, it almost certainly already is, if you've crossed an international border or registered for a driver's license in most US states), how do you change it?  Are you starting to see why this is a really bad idea?
biometrics  apple  security  fingerprints  passwords  authentication  authorization  identity 
october 2013 by jm
IPMI: Freight Train To Hell
'Intel's Intelligent Platform Management Interface (IPMI), which is implemented and added onto by all server vendors, grants system administrators a means to manage their hardware in an Out of Band (OOB) or Lights Out Management (LOM) fashion. However, there is a series of design, utilization, and vendor issues that cause complex, pervasive, and serious security infrastructure problems.

The BMC is an embedded computer on the motherboard that implements IPMI; it enjoys an asymmetrical relationship with its host, with the BMC able to gain full control of memory and I/O, while the server is both blind and impotent against the BMC. Compromised servers have full access to the private IPMI network.

The BMC uses reusable passwords that are infrequently changed, widely shared among servers, and stored in clear text in its storage. The passwords may be disclosed with an attack on the server, over the network against the BMC, or with a physical attack against the motherboard (including after the server has been decommissioned.)

IT's reliance on IPMI to reduce costs, the near-complete lack of research, 3rd party products, or vendor documentation on IPMI and the BMC security, and the permanent nature of the BMC on the motherboard make it currently very difficult to defend, fix or remediate against these issues.'

(via Tony Finch)
via:fanf  security  ipmi  power-management  hardware  intel  passwords  bios 
february 2013 by jm
Authentication is machine learning
This may be the most insightful writing about authentication in years:
From my brief time at Google, my internship at Yahoo!, and conversations with other companies doing web authentication at scale, I’ve observed that as authentication systems develop they gradually merge with other abuse-fighting systems dealing with various forms of spam (email, account creation, link, etc.) and phishing. Authentication eventually loses its binary nature and becomes a fuzzy classification problem.

This is not a new observation. It’s generally accepted for banking authentication and some researchers like Dinei Florêncio and Cormac Herley have made it for web passwords. Still, much of the security research community thinks of password authentication in a binary way [..]. Spam and phishing provide insightful examples: technical solutions (like Hashcash, DKIM signing, or EV certificates), have generally failed but in practice machine learning has greatly reduced these problems. The theory has largely held up that with enough data we can train reasonably effective classifiers to solve seemingly intractable problems.


(via Tony Finch.)
passwords  authentication  big-data  machine-learning  google  abuse  antispam  dkim  via:fanf 
december 2012 by jm
Lessons in website security anti-patterns by Tesco
Troy Hunt, an Aussie software architect working on a .Net security product called ASafaWeb, does a great job extensively deconstructing Tesco's appalling website security on their shopping site. In the process, he gets this wonderful tweet from their customer-care account:

"@troyhunt Let me assure you that all customer passwords are stored securely & in line with industry standards across online retailers."

As he says, this is a clear demonstration that Tesco is in the first stage of the four stages of competence -- "unconscious incompetence": "The individual does not understand or know how to do something and does not necessarily recognise the deficit." ( http://en.wikipedia.org/wiki/Four_stages_of_competence )
tesco  security  passwords  web  http  https  ssl  funny  dot-net  shopping  uk  customer-care 
july 2012 by jm
zen.org Communal Weblog » Digital Legacy
Elana Kehoe on dealing with Brendan's digital legacy: "What to do when you are next of kin to a geek?" A lot of good advice here, and plenty of things I need to think about...
brendan-kehoe  digital-legacy  wills  legacy  passwords  accounts  tips 
may 2012 by jm
Schneier on Security: Internet Worm Targets SCADA
'Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems: used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to upload plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause the software to break down.'
wow  malware  worms  passwords  security  schneier  policies  defaults  from delicious
july 2010 by jm
Trojan torrent sites - why you should never reuse passwords
'for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up.'
passwords  security  torrents  warning  twitter  accounts  from delicious
february 2010 by jm
