2FA: The Illusion of Security

Companies wanting to improve user security have frequently turned to 2nd Factor Authentication. Authentication is commonly viewed as confirming one of 5 factors; 2nd factor authentication simply means relying on a combination of two of these factors: A knowledge factor - something the user knows, such as a password, a PIN or some other type of shared secret. [...]

January 20th, 2020 | Authentication Circus

Draft registration cards released for 500,000 strong bot army

ZDNet broke a story today about the largest list of username/passwords for servers, home routers and IoT devices ever published. Technically, this dump is not a list of people who signed up to be drafted into combat, but a DDoS-as-a-Service provider's list of Telnet credentials for more than 515,000 devices is a pool of resources that any hacker COULD enlist into [...]

January 20th, 2020 | Identity Bizarre

Phones Replace Security Keys for Google 2FA

Google says iOS users can say goodbye to their Yubico security keys and use their iPhone as a physical 2FA key when logging into Google services in Chrome. Google already let Android phones work as physical keys, so now everyone can take advantage of this functionality. Google Prompt already allowed users to complete out-of-band 2FA [...]

January 15th, 2020 | Good Acting

The Danger of Storing Authentication Credentials

Krebs On Security recently posted some details of the recovery efforts of yet another company recovering from a devastating ransomware attack. @briankrebs points out that one of the under-appreciated vectors of these attacks is to deploy trojan software to steal passwords from all of the infected network endpoints. The result of this oversight may offer attackers [...]

January 13th, 2020 | Bad Acting, Good Acting, Security Theater

Carrier Authentication for SIM Swap Request

Princeton University's Department of Computer Science and Center for Information Technology Policy just released a draft report entitled "An Empirical Study of Wireless Carrier Authentication for SIM Swaps", which examines the authentication procedures for the top five pre-paid wireless carriers in the U.S. Their finding, not surprisingly, is that all five carriers used insecure authentication challenges that could [...]

January 13th, 2020 | Authentication Circus, Security Theater

FBI Recommends Separate WiFi Network for IOT Devices

Here is some really great advice that almost no one will follow. The FBI warns users to keep IoT devices on a separate WiFi network. Isolating IoT devices on their own network is the best course of action for both home users and companies alike, but this wasn't the FBI's only advice on dealing with IoT devices. [...]

January 13th, 2020 | Security Theater, UX Funhouse