Not all forms of multi or two factor authentication are “bulletproof”

Details

Category: Cyber Security (Personal)

With most medium and large websites offering two factor authentication for free it is very much in fashion. Let’s travel back well over a decade to see why two factor was introduced. Everyone who has been working at least ten years will have seen the RSA key fob tokens and that was mainly what was available for securing Microsoft Exchange OWA or a VPN then. Disadvantages of the password a decade ago or today are that they are: guessable, written down on paper or saved in electronic clear text format, repeated throughout many websites, shareable, listed in password leak lists online, interceptable (maybe not a word), phishable (also likely not in the dictionary) and more.

After people figured out passwords were not sufficient for securing remote connectivity, RSA was widely used and got very big & rich. The problem with RSA tokens is that people can or do leave them in the laptop bag and possibly with a Post-it note next to them with a password on. RSA codes change every x seconds so it is a little hard to use a code from 5 seconds ago since when you come to use it, it has changed. If you found or stole a laptop with the RSA token then it is a different story since you have you have the laptop and token, and then you just need the username & password which could be in the bag. Yes, this does happen!

Read more …

WhatsApp privacy & security and the terrorist attack on Westminster

Details

Category: Cyber Security (Personal)

Founded nine years ago as a “geeky” technology messaging start-up, now it is possibly the largest smartphone internet messaging app out there. With a lot of post 2000 tech start-ups, security is barely on the release checklist. Why? Because it would delay or totally stop a release due to cost and resources. Very few apps, services or IoT devices have security embedded from the ground up. With WhatsApp, security was bolted on over the years and it has had a number of security scandals to date.

Facebook who themselves do not have the best of privacy reputation now own WhatsApp which means it needs to make money somehow. Security was an afterthought like with many other companies. End to end encryption was only released a year ago and it is automatically transparent to users. What does this mean? The user does not have to switch it on, enter a password or generate an encryption key (and exchange). Nice this may sound but it reduces privacy since everything is handled non-transparently behind the scenes by WhatsApp.

Read more …

Email borne malware: if the majority of burglars came through your front door, wouldn’t you focus protection on that entry method?

Details

Category: Cyber Security (Personal)

Most attacks physical or virtual do come through obvious entry vectors. Take home break ins, 34% come through the front door and that is why people look at reinforced doors, door sensors, PIRs, home alarms and multiple locks. Why bother smashing the windows which could result in getting yourself cut, DNA left or making a noise when you can pick the lock or if you are really lucky find a door not locked?

The virtual world is no different, attacks are not as advanced as you imagine and with anything, people go for the easiest route in. Look at well known attacks dating back six years or so; RSA, Target Corporation, Sony Entertainment and the Ukrainian power grid, they all have something in common, most sources say the breach started off with a seemingly innocent email with a malicious attachment.

Read more …